The Reconstruction Of The Path Of Personal Information Protection Under Contextual And Risk-based Theory

In addition to the interests of personal information subjects,there are also the interests of information processors and social public interests.If large-scale personal information processing behavior are all based on the consent of personal information subjects,it will unreasonablely hinders the efficiency of personal information processing behavior.The situation of personal information processing is increasing in the context of the big data era,and problems such as falseing and consent fatigue are beginning to emerge.Technology are providing convenient life when it increases the risk of personal information infringement.Complex data processing behaviors makes it difficult for personal information subjects to accurately judge specific risks.In view of the above reasons,the traditional protection path of personal information with the principle of informed consent as the core is difficult to effectively coordinate the conflict of interest between information protection and utilization and effectively safeguard the security of personal information.It is urgent to introduce new ideas to reconstruct the personal information protection path to meet the real needs.Spiros Simitis proposed the context-oriented rules in the survey of the implementation of Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data,arguing that the sensitivity of personal information needed to be considered in a context.Helen Nissenbaum further proposed contextual integrity theory that personal information collected in a particular context should not be processed beyond that context.In order to ensure that the risk of personal information processing is within the foreseeable scope of the personal information subjects,information processors need to carry out risk assessment before processing of personal information.Although the contextual integrity theory and risk management theory are different,they are committed to providing reasonable protection for the interests of personal information subjects.Therefore,the scholars combine contextual integrity theory with risk management theory,which is called the contextual and riskbased theory.The core idea of the contextual and risk-based theory is that the risk of personal information processing activities is in the process of changing in different situations.In judging the legitimacy of personal information processing behaviors,it is necessary to consider a core issue based on the three key elements of actors,information types and transmission principles: whether the risk of personal information processing exceeds the reasonable expectation of the personal information subject.Contextual and risk-based theory has gained worldwide recognition and been adopted in the Consumer Privacy Bill of Rights recently released by the US and General Data Protection Regulation approved by the EU.The above-mentioned bills distinguishes the context to apply the principle of informed consent,expands the interpretation of the principle of purpose limit,increases the legal basis for the processing of personal information to coordinate conflicts between the protection and use of personal information,and ensures the security of personal information processing by clarifying the risk management responsibilities of information processors and strengthening external law enforcement deterrence.But because neither of these bills really implements the contextual and risk-based theory,it is difficult to get rid of the limitations of the traditional protection path of personal information.The core idea of contextual and risk-based theory has been embodied in the judicial practice of China.In legislation,we can refer to extraterritorial experience and introduce contextual and risk-based theory to reconstruct the path of personal information protection.The law shall clearly inform the application path of principle of informed consent,and when the personal information processing behavior carried out by information processors exceeds the reasonable expectation of the information subjects,the information processing behavior shall be risk-assessed and the consent of the personal information subjects should be solicited.When the personal information processing behavior conforms to the reasonable expectations of the information subjects,the behavior can be processed directly without consent.At the same time,the law will regard safeguard the public interest,information processors to perform the statutory obligations and the performance of contractual obligations necessary to exempt as the legal basis to start personal information processing behavior.Because the risk of personal information processing is increasing day by day and difficult to detect by the information subjects,the law needs to build a systematic risk management system for personal information processing.The information processors should assume the main risk management responsibility,and the remaining risk management responsibility should be reasonably assigned to law enforcement agencies,judicial organs,trade associations and other multiple social subjects,to achieve a win-win situation in the protection of and the use of personal information.