| Under the context of big data processing, the exploration, abuse and infringement are commonly seen in the process of information collection, integration, analysis and reservation. The protection of individual information faces unprecedented challenge. Firstly, with the prosperity of mobile internet, the common use of mobile equipment, the development of tracking technology in internet and the collecting of individual information becoming increasingly intensive and concealing, the Privacy Policy of “Do not track” becomes a “Gentleman's agreement” to protect individual information and is hardly effective. Secondly, public authority forces businesses to store user's individual information. The large amount of information renders Governments and business institutions exchanging their data, to make comparisons and verifications of personal information. Such mechanisms can real-time tracks and monitors individuals' behaviors both online and offline. Because of the existence of multinational monitoring, the people's right of personal information can be damaged severely. The “Safe Harbor Agreement” which provides a legal basis for international data transferring between the EU and the US was invalidated by European Court of Justice, for the court held that the US has not meet the requirement of full protection of EU citizens' information. Thirdly, the predictive analysis contains value judgment and reasoning concept of designer. However, due process is missing in the data analysis and utilization. Therefore, distinction and discrimination are common. Fourthly, the Cloud storage of information and common “backdoor program” weakened the individual control of personal information, for individuals have little knowledge about the storage, processing, disclosure and commercial use of information. Fifthly, individual information has been regarded as “new oil” in modern economic. Driven by its business value, the mining, using and selling of such information has formed an illegal business chain. The buy and sell of personal information became easy along the chain, which severely crippled the protection of personal information.Under traditional framework, the legal protection of personal information is confined to the definition of personal information, the common definitive standard of which is ‘identifiability'. Though it is a legally open definition, since 1970 s when Personal Information Protection Law initially came into being, information with ‘identifiability' was quite limited. Such way of definition could only meet the requirement of that time. The principles of personal information protection can also provide effective guides for the regulations of information protection. However, with the advent of big data era, the denotation of personal identifiable information is increasingly widened with the reform of technology, common sharing of information and re-recognition of data. Therefore, the boundary of legal protection blurred and it is hard to accurately define the limit of personal information protection. If the definition is too narrow, the risk in data usage in big data environment cannot be regulated; if too wide, it is hard to balance the promotion of technology and the protection of rights of individuals. At the same time, the traditional means of regulation of information protection, the inform-consent, anonymization technique gradually lost its effectiveness. Currently, there is no easy way to stop the behavior of digging up users' real identity from anonymized data, nor effective measures to solve the deficiency of ‘inform-consent' framework. The lurking value in data information induces governments and companies to hungrily pursue for personal information. By using new methodology, they avoid the current way of personal information protection regulation. The information controllers and processers effectively bypass current supervisions, which destroyed the data subjects' control of their own personal information. Stimulated by economic interest, the principle of information protection is generally violated, performing practically little function, and it is more difficult to find out who is to blame. In the mean time, the current legal system and the self-discipline of industry are far lagging behind the advancement of information technology. In big data era, the traditional personal information protection framework cannot effectively deal with the challenge of the new technology.Theory is an important guideline of practice. Nowadays, most influential information protection doctrines are presented by the Anglo-American academy. Generally, there are four categories. First one is Personal Information Control Right Theory. The second one is Property Protection of Personal Information Rights Theory. The third one is Economics Theory of Privacy. The fourth one is Reasonable Expectation of Privacy Theory. Personal Information Control Rights Theory put person in the center of personal information usage, which embodies the principle of autonomy of liberalism. But self-determination of information also has its limits. The barriers from public accountability, political rationality and business practices make it difficult to achieve information isolation. Property Protection of Personal Information Rights Theory tries to explore alternative information privacy protection scheme from property law and property theory, enabling individuals to profit from the current information exchange market, and achieving the regression of the right to control personal information. The personal information is not competitive; at the same time, market failures and its attribute of public goods are main objective opinions of such theory. Economics Theory of Privacy suggests that something appears in the name of privacy is just trying to hide the shameful aspects of one's behavior to increase his opportunities of business and networking. The motivation of such so-called privacy is to mislead others, which will increase the transaction costs. Reasonable Expectation of Privacy Theory requires analyzing the public expectations about the privacy and the value of information from the overall perspective of a nation or a society. Its disadvantage is that applicable standards are flexible and the facts are complex. The execution of such theory is based on individual judgment, political and social environment and others uncertainties. It will result in obstruction in its practice. For the protection of information, all of the four theories have their own merits. But they also have shortcomings in the new stage of social-economic, scientific and cultural environment. The inadequacies of theories are characterized of inadequate protection of the information in modern era. Nevertheless, no matter what kind of defect they have, all of these four theories had played a crucial role in the process of constructing information protection systems.The EU has launched a new round of legislative reforms to protect information, which indicates that both of personal information rights and current regulatory mechanisms are facing crisis. The reform presents a concern for protection of the rights of personal information in the following aspects.First, strengthening the status of data subject. For example, strengthening the rules on consent and presenting two new controlling rights: the right of data portability and the right to be forgotten. At the present stage, both rights exhibit the value of advocacy. Second, making clear the obligations and the responsibilities of personal information protection. The processing of information should meet the reasonable expectation of data subject. When the obligations and responsibilities of data controller and data processor are not clear, they should bear joint and several liabilities. Third, trying to depart from the traditional “consent and reasonable use” dichotomy, and introducing a risk-based approach to protect information to take the place of traditional dichotomy. Fourth, improving the implementation of data protection and the rule of procedure. By delimitating the category of information, trying to protect personal information in varying degrees. Introducing the accountability system. Making clear the default settings requirements for protection of personal information. Introducing information protection impact assessment system. Fifth, enduing the regulatory authorities with more power. Introducing joint action from information protection agencies and applying more severe penalties. The United States' Consumer Privacy Bill strengthened the framework of ‘inform and consent'. It emphasized the company's responsibilities in information protection, data accuracy, accessing rights and data collecting and controlling. Meanwhile it also updated provisions of accountability. US's other activities of legislation embodies the strict protection of particularly sensitive information. In judicial practice, the European Court of Justice confirmed the right to be forgotten. But at this stage, a general ‘right to be forgotten' in a broad sense does not exist. Its application should be confined in specific areas, where the revealing and using of past negative information of subject should be limited.In the big data era, how to find a balance between the protection of personal information and the free flow of information became the focus of legislators in different countries. No matter takes liberalism's or authoritarian's stance, personal information protection will lead to systemic risk. The protection of personal information does not mean that standing against the improvement of knowledge and social progress. On the contrary, it is a symbol of liberal democratic political system and the cornerstone of innovation. Protection of personal information in private law should seek a breakthrough and improvement in the following areas.First, establishing the value target of personal information protection. Respect for individual human dignity and freedom, protect the privacy of citizens, avoid moving forward along the old traditional common values, cultivate citizens' critical spirit and promote the social construction of free, democratic and pluralistic should be the value of personal information protection. Second, delimiting the range of personal information protection. Big data makes the boundaries of personal information protection increasingly blurred and the scope has been expending. The concept of ‘personally identifiable information' has become the cornerstone of Personal Information Protection Law and determined the scope of protection of personal information. Although such concept is difficult to define, it cannot be abandoned. We need to avoid the definition of ‘personally identifiable information' coming to the American reductionist direction, and we also need to avoid the expansionist direction of EU-style development. Third, making adjustment of the basic principles of personal information protection. The basic principle is in effect the fundamental rules of the Personal Information Protection Law. Collection Limitation Principle, Data Quality Principle, Purpose Specification Principle, Use Limitation Principle, Security Safeguards Principle, Openness Principle, Individual Participation Principle and Accountability Principle established by OCED are most influential and most representative. But the information technology is ever-developing nowadays and even the most basic principles also have their own limits. The use of Collection Limitation Principle should depend on different situation, and the Purpose Specification Principle should be changed by Respect for Context Principle. Fourth, enriching the content of the right to personal information and strengthen the main responsibility for obligatory subject and establishing the right to be forgotten and the rights of data portability when suitable. Strengthening the requirements of transparency of protection of personal information. Introducing the Personal Information Protection's default design state and Information Protection's assessment system. In addition, because data subject has obstacle to identify who is in charge of the information processing, the law should make clear the situations when obligatory subject should bear joint and several liabilities. Fifth, to explore the property right path of personal information protection. When the personal information has become necessary for the social development and become the valuable resources which were scrambled by business institutions, it is the right time for the establishment for commercialization of personal information and the setting up of the free market for such information. Information industry almost snatched all the property interests from personal information, while in theory the data subject should be the initial legitimate subject of such interest. Property formation and initial distribution theory provides a theoretical support for personal information's property rights protection. At this stage, we need to decide the ownership of information property rights, explore the useful mode of personal information property. To limit the right of personal information usage and transferring, to set up the default rules of prior consent, set up independent exit right; establish compensation system and public supervision are five indispensables aspects of personal information property protection. Sixth, building up a due process of personal information protection. Predictive analysis is the core of big data, but there is blind zone in data analysis. The data which come from analysis is not always perfect and is not entirely consistent with the facts. When decisions based on the analysis of big data will affect the vital interests and important opportunities of data subject, we should provide relief for individuals to question the logic of big data analysis and the results.We should change our mind about personal information protection when we are in big data era. Legal protection of personal information should pay more attention to information processing and the danger of data use, instead of focusing on whether the collection of information is or not through normal channels. On the mode of thinking, we need to transfer from emphasizing the individuals' informed permission to emphasizing the responsibility of information controller and processor. The mission of information protection is balancing the risk and interest in processing of personal data by substantive principles and procedural provisions, to ensure that the interests in data processing be legally used, and quarantine out possible negative effects to individuals and the society. |
PDF Full Text Request