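In recent years, and especially with last year's pandemic as a catalyst, the world economy has accelerated its digital transformation, and the platform economy, a typical representative of the digital economy, has grown rapidly. However, problems have also emerged in its development; recently, the excessive collection of personal information by platforms has repeatedly become a topic of public discussion.
At present, many Chinese app providers commonly require users to share non-essential personal information with them, failing which users are denied access to the apps. In May this year, the Cyberspace Administration of China announced that a total of 33 mobile apps, including Sogou Pinyin, iFlytek, Baidu Input, Gaode Map and Baidu Map, had collected and used personal information in violation of laws and regulations, and gave the operators 10 days to rectify.
In response, regulators have recently issued a series of policies.
At the end of March this year, the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security and the State Administration for Market Regulation jointly formulated the Provisions on the Scope of Necessary Personal Information Required for Common Types of Mobile Internet Applications. The provisions make clear that mobile app operators must not refuse users the basic functions of an app because the user does not consent to the collection of non-essential personal information, further refining the requirements apps must follow when collecting users' personal information.
In April, the second-review draft of the Personal Information Protection Law (Draft) was published. It further stipulates that personal information must not be processed through "coercion"; that processing must be limited to the minimum scope necessary to achieve the purpose of processing and use the method with the least impact on individuals' rights and interests; and that processing rules must be made public, the purpose, method and scope of processing must be expressly stated, and the quality of personal information must be ensured so that inaccurate or incomplete personal information does not adversely affect individuals' rights and interests.
The successive measures from regulators on data compliance in the platform economy send a strong signal that supervision of the platform economy is being tightened.
Ramon Huang, senior partner at Hui Ye Law Firm, tells ALB that protecting personal information on platforms helps strengthen platforms' awareness of fair competition, and prohibits abusing data advantages and illegally collecting and using personal information in ways that damage the competitive environment and harm consumers' lawful rights and interests. These measures strengthen the governance responsibility of app stores and other app distribution platforms, requiring them to step up pre-launch testing and post-launch supervision.
At the same time, the new rules also "clarify the data localization responsibilities of large platforms in areas such as autonomous driving, connected vehicles and artificial intelligence," Ramon Huang says.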
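PLATFORM ECONOMY MUST SELF-INSPECT FOR COMPLIANCE
"Based on the current legislative trend, platform companies need to conduct a systematic compliance audit of their core business models, identify compliance gaps and rectify them promptly," Chen Jihong, equity partner at Zhong Lun Law Firm, tells ALB.
Under the series of new rules recently issued, Kevin Huang, partner at Commerce & Finance Law Offices, tells ALB that when an internet platform's business type, service type or number of users meets certain conditions, it will face stricter compliance supervision than other data processors and must take on certain special obligations.
He explains that these special obligations include "establishing an independent body composed mainly of external members to supervise its data processing activities; regularly publishing social responsibility reports on personal information protection; and governing and supervising the data processing activities of third parties on the platform."
Kevin Huang believes that platform businesses that rely heavily on data, such as personalized display and intelligent risk control, may be hindered as platforms fulfil the special obligations under the new rules. Massive data resources, and the data analysis technology they support, are an important advantage for internet platforms in running such businesses. Fulfilling the special obligations will strengthen the compliance of data processing on the platform, but it will also limit the platform's freedom in using data and technology and weaken its data advantage.
Second, fulfilling the special obligations under the new rules will raise platform operators' data compliance costs. Kevin Huang explains that, on one hand, platforms need to invest more resources in adjusting data-processing-related business or fixing institutional flaws, in order to respond to the independent supervisory body's recommendations and to avoid having those flaws exposed in social responsibility reports. On the other hand, if a platform takes on the obligation of governing third-party data processing activities on the platform, it will need additional governance rules and technical measures, such as revising platform rules, restricting calls to system permissions and carrying out continuous technical monitoring.
Ramon Huang likewise believes that the recent high frequency of legislation and enforcement may, in the short term, increase compliance costs for the platform economy and affect its existing business models. In the long run, however, it will help clean up the competitive environment, cultivate and raise the public's digital literacy, push companies to make compliance routine, safeguard companies' digital transformation and promote the sustainable development of the digital economy.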
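PLATFORM "GATEKEEPERS"
Overall, this legislative and enforcement backdrop benefits the long-term development of the "Digital China" strategy and fully reflects regulators' orientation toward balancing personal information protection and the reasonable flow of data according to the industry's stage of development. It also reflects a regulatory approach of focusing first on major issues of high public concern and significant industry impact, such as the governance of sensitive personal information and of illegal and non-compliant apps and SDKs, while regulating other non-urgent issues with appropriate leniency.
Another new regulatory approach, in Kevin Huang's view, is to require platforms to share part of the data supervision duties under the new rules and act as "gatekeepers."
Data processing is ubiquitous in daily life, and regulators can hardly supervise the vast number of data processors one by one. The legislature has therefore assigned part of the supervisory duties to platforms, such as app distribution platforms, operating systems and large platform apps. These platforms in practice control the technical resources, technical environment or operating environment on which in-platform processors rely to provide products and services, and so have the resources and capability to supervise third-party processors on the platform.
"The new rules require large internet platforms to increase the transparency of their data processing and governance activities, placing them under the supervision of all sectors of society," Kevin Huang says.
Accordingly, "companies should pay close attention to legislation relating to the platform economy and to regulators' enforcement activity, and carry out ongoing self-inspection to avoid compliance risks," Chen Jihong advises.
Kevin Huang, for his part, advises: "Platform operators should consider factors such as their business and service types and number of users to determine whether they fall within the scope of the new rules. If so, it is recommended that they prepare to formulate dedicated rules and adopt corresponding technical measures for their duty to govern third-party data on the platform. It is also recommended that operators improve the compliance of the data processing activities they carry out themselves."
He continues, "Third-party processors on a platform should be aware that the platform may gain greater governance authority over data processing activities on the platform." For example, under the Interim Provisions on the Administration of Personal Information Protection in Mobile Internet Applications (Draft for Comment), app distribution platforms should review apps for the compliance of their personal information processing activities and, based on the review results, update or remove them. He therefore advises third-party processors to watch for updates to platform rules or data compliance notices issued by the platform and, as required, make data compliance improvements promptly.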
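OPPORTUNITIES AND CHALLENGES
On how law firms should provide compliance services to companies in the new regulatory landscape, Kevin Huang says that "when providing legal services to a company, lawyers should take care to determine whether the company participates in the platform economy, and in what role."
He explains that if the company is a platform operator, lawyers should identify and flag the special obligations it may have to bear and advise it on how to implement them. If the company is a third party on a platform, lawyers should help it understand the platform's governance and authority, and remind the client to watch for platform rules or notices relating to the governance of data processing activities.
"When providing compliance services to platform operators, law firms should help the company map the data processing activities on the platform, identify the compliance obligations of each party, and provide compliance advice on both the platform's own business compliance and third-party governance; assist the company in establishing an independent supervisory body; and assist the company in drafting social responsibility reports to fulfil statutory disclosure obligations," Kevin Huang says.
When providing compliance services to third parties on a platform, "we will broaden the range of compliance requirements we monitor: beyond laws, regulations, normative documents and standards, we will also follow updates to the major platforms' data governance rules so that we can promptly alert companies to make compliance adjustments. If a company receives a compliance rectification notice from a platform, we will assist it with compliance improvements and with communicating with the platform," he says.
Ramon Huang adds, "Companies and lawyers should keep up with new developments in national legislation and policy, anticipate new trends in legislation and enforcement, accurately grasp the standards of regulatory enforcement and industry best practice, adjust business models and technical approaches in good time, and effectively balance legal risk, compliance cost and technical feasibility."
Chen Jihong believes that in the new regulatory landscape for the platform economy, both companies and law firms face new challenges and opportunities. He notes that "lawyers should continuously follow legislative and enforcement developments and, in light of companies' compliance needs under the new regulatory situation, provide clients with systematic, tailored compliance solutions."
He says that on data compliance, law firms should help platform companies build a data compliance system, assist them in carrying out compliance audits of digital products and in making effective rectifications, help them establish a personal information impact and risk assessment mechanism, and assist them with continuous optimization and improvement.
Finally, Chen concludes: "For lawyers, on one hand, they need to improve their own professional capabilities and seize the moment to gain more business opportunities; on the other hand, they should digest and integrate the various regulations to provide companies with better service and help them implement compliance programs systematically."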
Strengthening Protection
In recent years, especially in response to the COVID-19 pandemic, economies around the world have undergone accelerated digital transformations. The platform economy, a subset of the digital economy, has also grown rapidly and given rise to a number of data protection issues, which China is looking to tackle through a series of policy measures.
Currently, many service providers in China require their users to share irrelevant personal information or face the likelihood of being denied access to mobile apps. In May, the Cyberspace Administration of China said 33 mobile apps, including Sogou Pinyin, iFlytek, Baidu Input, Gaode Map and Baidu Map, collected excessive personal data without the consent of users, and gave their developers 10 days to rectify any unauthorized data collection.
This is just one of the ways that regulators have been looking to address the challenges to data protection. Another example: In late March, four regulators jointly released the Provisions on the Scope of Necessary Personal Information Required for Common Types of Mobile Internet Applications. The provisions stipulate that mobile app developers must not deny users basic services if they refuse to share unnecessary personal data, which further refines the requirements for mobile app developers on collecting personal information from users.
In April, the second draft of the Personal Information Protection Law was promulgated, and further stipulated that personal information must not be collected through coercion. The collection and handling of personal information must be limited to the minimum scope necessary to achieve the goals of handling the information and must be done in a way that minimizes the impact on the rights and interests of individuals. Developers must also disclose the rules for handling personal information; clarify any goals, methods and scope of the handling; and ensure the quality of personal information to avoid a negative impact on individuals' rights and interests from inaccurate or incomplete information.
A series of regulatory moves targeting the platform economy has sent a strong signal that regulators are tightening scrutiny over the sector.
Ramon Huang, senior partner at Hui Ye Law Firm, tells ALB that the protection of personal information will help raise awareness of fair competition among platform operators. Companies are not allowed to abuse data or illegally collect and use personal information, which disrupts market competition and harms the rights and interests of consumers. These measures strengthen the corporate accountability of app distribution platforms, including app stores, and require distribution platforms to strengthen pre-launch inspection and post-launch supervision.
“They stipulate that large platforms that span across sectors such as auto-driving, vehicle networking and artificial intelligence should be responsible for data localization,” he says.
SELF-INSPECTION
But lawyers feel companies should make the first move by ensuring they themselves are compliant. “Given the current regulatory trend, platform companies should conduct a systematic compliance audit of their core business model and rectify any compliance violations,” says Chen Jihong, equity partner at Zhong Lun Law Firm.
Based on the recent new rules, Internet platforms are expected to face stricter compliance regulations than other data companies and fulfil special obligations when their business, service, or number of users meet certain thresholds, points out Kevin Huang, partner at Commerce & Finance Law Offices.
He explains that these obligations include “establishing an independent body that is mainly made up of external members to supervise the platform’s handling of data; publishing social responsibility reports on personal information protection on a regular basis; and governing and supervising third-party data processors on the platform.”
Platform services that depend heavily on data, such as personalized display and smart risk controls, may be impeded as companies have to fulfil the special obligations required by the new rules, Kevin Huang says. Massive data resources and the data analytic technologies supported by these resources are important sources of leverage for platform companies providing these services. Fulfilling these special obligations will enhance the companies’ compliance in data processing but also restrict their freedom in using data and technologies, which will undermine their competitive advantage enabled by data.
Furthermore, fulfilling these obligations will increase the cost of data compliance. Kevin Huang explains that, on one hand, companies need to invest more resources in rectifying their business and institutional flaws related to data processing to answer to the independent supervisory body and to avoid disclosing these flaws in their social responsibility reports. On the other hand, if companies fulfil the obligation to govern third-party data processing on the platform, they need to impose more rules on data governance and more technical measures, such as modifying the platform rules, restricting system authorizations and staying committed to monitoring the technologies used.
Ramon Huang also believes that the intensified legislation and law enforcement efforts may increase the cost of compliance for the platform economy sector in the short term and impact current business models. But in the long run, these efforts will keep competition healthy, cultivate digital literacy and prompt companies to keep a compliance regime in place and undergo digital transformation, which will promote the sustainable development of the digital economy.
GATEKEEPERS
Overall, the promulgation and enforcement of data compliance rules can contribute to the development of “digital China” in the long term. The move indicates regulators’ intention to balance the protection of personal information and the flow of data as the industry grows. It also shows that regulators prioritize issues that gravely concern society and industry, such as sensitive personal information processing and the illegal behavior associated with apps and software development kits, while easing regulation on other less urgent issues.
Kevin Huang believes that under the new rules, platform companies will share part of the responsibilities of data regulation and serve as “gatekeepers.”
Supervising a large number of data processors has been challenging for regulators since data processing activities are embedded in everyday life. As a result, the legislature offloads part of the regulatory responsibilities to platform companies, such as operators of application distribution platforms, operating systems and large-scale apps. These platform operators control the technical resources and operating environment that data processors on the platform depend on in order to provide products and services, which gives them the resources and capability to supervise third-party processors.
Meanwhile, Chen suggests that “companies should pay close attention to the laws for the platform economy and regulatory updates, and keep inspecting their operations to avoid compliance risks.”
Kevin Huang has another suggestion. “Platform operators should assess if they are subject to the new regulations based on their business, services and number of users. If this is the case, they should formulate rules and impose technical measures to supervise data processing by third parties. They should also improve compliance of their own data processing,” he says.
OPPORTUNITIES AND CHALLENGES
Speaking of how law firms should provide compliance services to companies under the new rules, Kevin Huang believes lawyers should assess if companies are engaged in the platform economy and what roles they play when providing legal services.
He explains that for platform operators, lawyers should identify and point out the special obligations that they may need to fulfill and advise them on how to do so. If the company is a third party on the platform, lawyers should help them understand the platform’s management rules and authority. They should also remind their clients to keep an eye on the rules and notices on data processing issued by the platform operator.
Sharing a similar view, Ramon Huang says, “Both companies and lawyers should pay close attention to the latest development of the country’s regulations and policy to predict new regulatory and law enforcement trends. They should understand the scope of regulations and law enforcement as well as industry best practices to refine the companies’ business models and technical measures to balance legal risks, the costs of compliance and technical feasibility.”
In Chen’s view, both companies and law firms face challenges and opportunities under the new compliance rules. He says law firms should help platform companies create a data compliance regime and conduct compliance audits of their digital products. They should also help companies conduct rectification, build a system for personal information impact assessment and constantly improve their operations.
“On one hand, lawyers should upskill themselves and seize the opportunities to win more business. On the other hand, they should study thoroughly every regulation to provide better services for their clients to implement compliance systematically,” Chen concludes.