Viewing "Personal Information" Protection from the Published "Vehicle Original Data"

2021 06/07


In the era of big data we have become increasingly "transparent", and the attendant risk of personal information disclosure constantly frays our nerves. The "3.15" incident revealed that some businesses had illegally captured facial recognition information, violating personal information security. Shortly afterwards, a final judgment was issued in the widely publicized "Face Recognition First Case", which turned on whether one must "scan one's face" to visit the zoo: the defendant, Hangzhou Wildlife World, was ordered to delete the facial feature information (including photos) and the fingerprint identification information that the plaintiff, Guo Bing, had submitted when applying for a fingerprint annual pass. Illegal acquisition of personal information has been severely punished by the relevant departments, yet it persists despite repeated bans.

With the advent of the Internet era, we live in a dual world where traditional society and network society coexist, and data and information have become the most valuable resources. Recently, a set of publicly disclosed "vehicle original data" became a trending topic. Does the disclosed "vehicle original data" constitute personal information, and does its disclosure violate personal privacy? What principles should operators follow when handling automobile-related data?

1. How does the law define "personal information"?

Article 1034, paragraphs 1 and 2, of the Civil Code stipulates: "The personal information of natural persons is protected by law. 'Personal information' refers to various information recorded electronically or by other means that can identify a specific natural person, either alone or in combination with other information, including the natural person's name, date of birth, ID number, biometric information, address, telephone number, e-mail address, health information, whereabouts information, etc."

Article 76 of the Network Security Law of the People's Republic of China gives a broad definition of "personal information": "various information recorded electronically or by other means that can identify a natural person's personal identity, either alone or in combination with other information", including but not limited to the natural person's name, date of birth, ID number, personal biometric information, address, telephone number, etc.

Article 4 of the Personal Information Protection Law (Draft) stipulates that personal information is various information related to identified or identifiable natural persons, recorded electronically or by other means, excluding information that has been anonymized. "The processing of personal information includes activities such as the collection, storage, use, processing, transmission, provision, and disclosure of personal information." Article 14 stipulates: "Consent to the processing of personal information shall be given voluntarily and explicitly by the individual with full knowledge. Where laws and administrative regulations require individual consent or written consent for the processing of personal information, such provisions shall apply. If the purpose or method of processing, or the type of personal information processed, changes, the individual's consent shall be obtained again."

The European Union's General Data Protection Regulation (GDPR), which entered into force on May 25, 2018, applies to the processing of "personal data", broadly defined as "any information relating to an identified or identifiable natural person". In addition, the GDPR imposes stricter obligations on the processing of "special categories of personal data", including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, health data, data concerning sex life or sexual orientation, and genetic or biometric data. China's Network Security Law adopts a similarly broad definition of "personal information": "various information recorded electronically or by other means that can identify a natural person's personal identity, either alone or in combination with other information", including but not limited to the natural person's name, date of birth, ID number, personal biometric information, address, telephone number, etc. Both the GDPR and the Network Security Law provide that individuals have the right to request correction and deletion of their personal data or information.

In summary, any information recorded electronically or by other means that can identify a natural person's personal identity, either alone or in combination with other information, is "personal information".

2. Is the disclosed "vehicle original data" personal information? Does its disclosure invade personal privacy?

In order to strengthen the protection of personal information and important data and to standardize automobile data processing activities, the National Internet Information Office (the Cyberspace Administration of China) issued the Several Provisions on the Security Management of Automobile Data (Draft for Comments) on May 12, 2021 (hereinafter the "Automobile Data Management Draft"), covering automobile design, production, sales, service, and operation. The "personal information" referred to in these provisions includes the personal information of car owners, drivers, passengers, and pedestrians, as well as the various types of information from which personal identity can be inferred or personal behavior described.

At the same time, the Civil Code and the Network Security Law define "personal information" as "various information recorded electronically or by other means that can identify a natural person's personal identity, either alone or in combination with other information, including but not limited to the natural person's name, date of birth, ID number, personal biometric information, address, telephone number, etc." On this basis, the author believes that the vehicle frame number (VIN) in the disclosed data is "personal information", because the name, gender, ID number and other details of the corresponding vehicle owner can be obtained from the frame number through specific query channels, and the owner's name, ID number and similar details are personal information protected by Chinese law.

The data that intelligent connected vehicles can generate falls into four main categories: (1) vehicle performance data, such as mileage and fuel consumption; (2) driving data, such as the driver's driving habits and personal entertainment settings obtained through in-car camera monitoring; (3) location information, such as real-time location and driving trajectory; (4) peripheral data, such as the vehicle's surroundings and traffic signs.

The Automobile Data Management Draft is the first regulatory document issued after the release of the Data Security Law (Second Review Draft) to set out a clear scope of important data for an industry, and it clarifies for the first time the scope of important data related to automobiles. The "important data" includes: (1) data on the flow of people and vehicles in important and sensitive areas such as military administrative zones, national defense science and industry units and other units involving state secrets, and Party and government organs at or above the county level; (2) surveying and mapping data with a precision higher than that of maps publicly released by the state; (3) operating data of the vehicle charging network; (4) data such as vehicle types and traffic flow on roads; (5) audio and video data from outside the vehicle, including faces, voices, license plates, etc.; (6) other data that may affect national security and public interests as specified by the national cyberspace administration department and the relevant departments of the State Council.

The vehicle driving data released by the automobile sales company includes vehicle speed, the time at which the brake pedal was pressed, the vehicle driving number, the physical movement signal of the brake pedal, and the brake master cylinder pressure. The disclosed "vehicle driving data" includes neither driving data nor location data. Therefore, the author believes that the disclosed "vehicle original data" is not "personal information" in the legal sense. Does the disclosed information nevertheless violate personal privacy?

Article 1032, paragraph 2, of the Civil Code stipulates: "Privacy is the peace of a natural person's private life and the private space, private activities, and private information that he or she does not want others to know." On this basis, the author believes that privacy and personal information should be distinguished: personal information is an object of protection independent of privacy, and the two are protected from different perspectives. The legal protection of privacy aims to keep the private life of natural persons free from prying; the legal protection of personal information is grounded in the identifying capacity of personal information and responds to the threats that automated, large-scale development and use of personal information pose to data subjects. In summary, the author believes that the disclosed "vehicle original data" does not infringe the privacy rights of natural persons.

3. With the rapid development of intelligent vehicles, ensuring the security of intelligent vehicle data has become a new and important topic. The Automobile Data Management Draft clarifies detailed requirements for automobile data processing and gives practical operational direction to automobile-related industries.

First, clearly inform users about the collection of personal information

Article 7 of the Automobile Data Management Draft stipulates that operators should, through user manuals, on-board display panels, or other appropriate means, inform users of the effective contact information of the person responsible for handling user rights and interests, and of the types of data collected, including vehicle location, biometrics, driving habits, and audio and video, and should provide the following information: (1) the conditions that trigger collection of each type of data and the method of stopping collection; (2) the purpose and use of each type of data collected; (3) the data storage location and retention period, or the rules for determining them; (4) the steps for deleting personal information already provided outside the vehicle and for requesting deletion of personal information stored inside the vehicle.

Second, define the requirements for operators to collect and process personal information

Article 8 of the Automobile Data Management Draft stipulates that operators should meet the following requirements when collecting, and providing outside the vehicle, sensitive personal information including vehicle location, audio and video of drivers or passengers, and data that can be used to determine illegal driving: (1) collection is for the purpose of directly serving the driver or passengers, including enhancing driving safety, driver assistance, navigation, entertainment, etc.; (2) the default is no collection, and the driver's consent and authorization should be obtained each time; the authorization expires automatically once driving ends (the driver leaves the driver's seat); (3) the driver and passengers are informed through the in-vehicle display panel or by voice that sensitive personal information is being collected; (4) the driver can easily terminate collection at any time; (5) car owners can easily view and query, in a structured way, the sensitive personal information collected; (6) when the driver requests deletion, the operator should delete the information within 2 weeks.

Third, the collection of personal information requires authorization and consent

Article 9 of the Automobile Data Management Draft stipulates that operators should obtain the consent of the person whose personal information is collected, except where laws and regulations do not require personal consent. Where obtaining consent is difficult in practice (for example, collecting audio and video outside the vehicle through cameras) and the information really must be provided, it should be anonymized or desensitized, including by deleting images that can identify natural persons or by performing local contour processing on the faces in those images.

Fourth, the necessity principle for collecting biometric data

Article 10 of the Automobile Data Management Draft stipulates that biometric data such as drivers' fingerprints, voiceprints, faces, and heart rhythms may be collected only for the purpose of facilitating use by users and increasing the security of vehicle electronic and information systems, and that alternative methods to biometrics should be provided at the same time. The author believes that, under this provision, operators should follow the principle of necessity when collecting personal biometric data during the design, production, sales, operation and maintenance, and management of vehicles within the territory of the People's Republic of China. Article 41 of the Network Security Law of the People's Republic of China likewise stipulates that operators should follow the principle of necessity in collecting and using personal information. According to its interpretation, this article comprises two elements, "purpose specification" and "collection and use limitation": the former means that the collection, processing, and use of personal information should be based on specific and clear purposes (the public sector may collect personal information only for the specific purpose of performing its duties, and the private sector's collection must be related to the services it provides); the latter requires that the collection and use of personal information be limited to what is necessary and not exceed a reasonable scope for the specific purpose. Section 5.2 of Information Security Technology - Personal Information Security Specification (GB/T 35273-2017), "Minimum Requirements for Collecting Personal Information", requires of personal information controllers that: (1) the types of personal information collected should be directly related to the business function of the product or service being provided, where "directly related" means that the function cannot be achieved without that information; (2) the frequency of automatic collection of personal information should be the minimum necessary to achieve the business function of the product or service; (3) the amount of personal information obtained indirectly should be the minimum necessary to achieve the business function of the product or service. It follows that the collection of personal information must bear a relationship of direct relevance, minimum frequency, and minimum quantity to the realization of the business function of the product or service.

As can be seen from the above provisions, service providers' collection and use of user information should follow the principles of legality, legitimacy, and necessity, and should have the consent of the person concerned. The main international legal texts on personal information protection, such as the European Union's General Data Protection Regulation (GDPR), likewise require that the commercial use of personal information be disclosed to users and that their consent be obtained. Therefore, a service provider's collection and use of users' personal information must be premised on obtaining user consent, which is also a general business ethic that enterprises should observe when using user information.

With the rapid development of Internet technology, the value of data is particularly important in the information society. For enterprises, data has become a form of commercial capital and an important economic input, and the scientific use of data can create new economic benefits. The acquisition and use of data can therefore become both a source of competitive advantage and a generator of economic benefits; it is an important competitive advantage and commercial resource for operators. Accordingly, when a service provider collects personal information such as a natural person's name, date of birth, ID number, personal biometric information, address, telephone number, consumption preferences, and consumption habits, and uses and processes the collected information, legally protected personal information is involved, and the service provider should ensure that the data is both collected and used with the consent of the natural person.

(This article was machine-translated and is provided for reference only.)