Han Xuzhi (Associate Researcher, School of Law, East China University of Political Science and Law)

Posted 2025/06/21 17:22:46

This article is from "Local Legislative Research", No. 3, 2022.

Articles 29 and 30 of the Personal Information Protection Law (PIPL) are the first statutory provisions to regulate specifically the notification and consent requirements for the processing of sensitive personal information. At present, some theoretical models of sensitive personal information protection and of notification and consent have been discarded by the legislation, while others cannot directly explain these new legal norms. Notification and consent for the processing of sensitive personal information must therefore be interpreted in light of the normative purpose of the two articles. As to the special notification matters, the notification of necessity should demonstrate the indispensable connection between the processing of the personal information and the provision of the specific service or function concerned, and the notification of the impact on individual rights and interests should be based on the results of the personal information protection impact assessment. As to the consent rules, to satisfy the requirement of separate consent, the consent to processing sensitive personal information must be independent of the consent to processing general personal information; bundled consent is not permitted. Written consent is a formal requirement layered on top of separate consent and may take the form of a contract, letter, telegram, telex, fax and the like. Although the rules of informed consent for processing sensitive personal information are important, they are by no means indispensable: in certain circumstances the processing of sensitive personal information requires no consent at all, and informed consent does not necessarily render the processing of sensitive personal information lawful.

1. Problems and methods

Various theoretical models of informed consent for processing sensitive personal information have been discarded by the legislation. For example, many scholars argued that information processors should obtain the express consent of the information subject after clear and explicit notification, and should build a corresponding mechanism for withdrawing consent. In China's Personal Information Protection Law, these claims, originally put forward specifically for sensitive personal information, have been elevated into general requirements of notification and consent. It is worth analysing whether the scenario theory, which advocates dynamic analysis based on the specific scenario, purpose and method of information processing, can be used directly to explain the norms on informed consent for processing sensitive personal information. In defining sensitive personal information, some scholars advocate "taking into account the scenario and purpose in which sensitive personal information is used." On notification and consent for processing sensitive personal information, a theory of layered consent and dynamic consent has formed, advocating the "transformation from uniform consent to layered consent based on information classification and scenario-based risk assessment, and from one-time consent to continuous information disclosure and dynamic consent."

Scenario theory conflicts with the institutional logic of China's protection of sensitive personal information. On the one hand, scenario theory has been widely misread and has become a synonym for "analysing specific problems case by case". The theory of "contextual integrity" proposed by Helen Nissenbaum aims to deconstruct the concept of privacy in American law from the perspective of community norms. Applying scenario theory directly would conflict with the statutory definition of sensitive personal information in China. Under Article 28, paragraph 1 of the PIPL, the risk judgment that defines sensitive personal information has a premise, namely "once leaked or used illegally"; at that point the specific processing scenario is no longer relevant. What matters is the corresponding "high probability of infringement of rights and interests" after the information has left its original processing scenario. On the other hand, the basic logic of layered consent and dynamic consent does not fit China's law. Consent under the PIPL is an opt-in mechanism; the "opt-out" of "presumed consent" and the "conditional broad consent plus right of exit" applied in layered or dynamic consent do not meet the statutory requirements of consent. As a matter of interpretation, distinguishing sensitive personal information from general personal information and attaching different notification and consent requirements to each is the only classification of notification and consent recognised by the legislation.

Informed consent for processing sensitive personal information must return to the normative purpose of the provisions in order to find an appropriate path of interpretation. Consent to processing sensitive personal information is provided for in Article 29 of the PIPL. The purpose of the article is to strengthen the individual's awareness of, and control over, the processing of sensitive personal information, and ultimately to achieve full protection of such information. Distinguishing consent to processing sensitive personal information from consent to processing general personal information serves as a warning, so that the information subject fully recognises that sensitive personal information is being processed. The information subject may then agree only to the processing of general personal information and withhold consent to the processing of sensitive personal information, which respects the subject's right to decide. In addition, separate consent in practice raises the burden on information processors: every time a consent pop-up appears, the company loses a certain number of customers. Since the general rule of consent under the PIPL is already express consent, in order to better protect sensitive personal information, which is closely tied to the dignity of natural persons and the safety of their persons and property, the law imposes the higher requirements of separate consent and written consent.

Notification of the processing of sensitive personal information is provided for in Article 30 of the PIPL. The purpose of the article is to give effect to the principles of openness and transparency, to protect the information subject's right to know, and to enable the information subject to make a decision on consent on the premise of full notification. The purpose of notification, a public-law obligation of the information processor, is to guarantee that the private-law right of self-determination over personal information is exercised through consent. In particular, notifying the necessity of the processing and its impact on individual rights and interests helps individuals to decide after weighing the pros and cons comprehensively. Even where the legal basis for processing sensitive personal information is a statutory ground other than consent, the special notification provisions still serve to raise individual vigilance and strengthen precautions.

In addition, Article 1 of the PIPL states the legislative purposes of "protecting personal information rights and interests, regulating personal information processing activities, and promoting the reasonable use of personal information." From a comparative perspective, China's rules on notification and consent for sensitive personal information are relatively strict. For example, China's general notification requirements already cover all of the notification matters specifically listed in Section 15 of the Illinois Biometric Information Privacy Act (BIPA). The requirements of separate consent and written consent are clearly stronger than the explicit consent requirement in Article 9(2)(a) of the General Data Protection Regulation (GDPR). The protection of personal information must not come at the cost of restricting information flows. The interpretation and application of the rules on protecting sensitive personal information must balance the protection of sensitive personal information against the reasonable use of information.

On the basis of the above understanding, this article analyses Articles 29 and 30 of the PIPL from the standpoint of legal doctrine in order to clarify three basic issues. First, the normative content of the two special notification matters, that is, how information processors should fulfil their special notification obligations when processing sensitive personal information. Second, the implementation path of separate consent and written consent for processing sensitive personal information, that is, the requirements as to the content, object and method of consent. Third, the legal limits of notification and consent for sensitive personal information, that is, when notification and consent can be dispensed with, and in what circumstances the processing of sensitive personal information remains unlawful even though notification and consent have been obtained.

2. The normative content of the special notification matters

Necessity and impact on individual rights and interests are the two special notification matters that Article 30 of the PIPL adds, for the processing of sensitive personal information, to the five notification matters in Article 17, paragraph 1. The notification of necessity is closely tied to the necessity requirement for processing sensitive personal information and should demonstrate the indispensable connection between the processing of the personal information and the provision of the specific service or function concerned. The notification of the impact on individual rights and interests should be based on the results of the personal information protection impact assessment and should fully consider specific factors such as the possible consequences of leakage or illegal use, the application scenario or industry of the processing, and the information collection capability and cost of the information processor.

(I) Special notification matter 1: necessity of processing

The requirement to notify necessity derives from the principle of necessity. Emphasising the notification of necessity reveals a special logical structure for the processing of sensitive personal information on the basis of informed consent: sensitive personal information that is not necessary cannot be processed by way of "notification plus consent". For general personal information, if an information processor wishes to process information that is not necessary for a business function, it must notify the user and obtain consent. Point 26 of the "Guidelines for Self-Assessment of Illegal and Irregular Collection and Use of Personal Information by Apps" states that "when the personal information collected by the App operator exceeds the necessary scope, the purpose of collecting the personal information should be clearly stated to the user, and the user's independent choice and consent should be obtained." Here informed consent is the only feasible basis for the lawfulness of processing non-essential personal information. For sensitive personal information, however, Article 28, paragraph 2 of the PIPL makes clear that "a specific purpose and sufficient necessity" is itself a precondition for lawful processing. Emphasising the notification of necessity does not mean that sensitive personal information may be processed on the basis of "notification plus consent" without satisfying the precondition of sufficient necessity.

Notifying the necessity of processing sensitive personal information obviously requires the information processor to assess necessity first, but this does not mean that the judgment of whether necessity is sufficient is left to the processor's own discretion. Years ago, reasoning from the logic of privacy protection, some courts held that an employer's obtaining of health information such as hepatitis B virus status, or of whether a worker carried genetic defects, during the pre-employment medical examination was lawful because the information had not been leaked, without analysing whether the employer belonged to a special industry. In effect, this left the employer to judge for itself whether access to the health information was necessary. Under the rules of the PIPL, such judgments deserve reconsideration. The necessity of processing personal information is objective. In theory, to satisfy the "sufficient necessity" requirement of Article 28, paragraph 2, the processing of sensitive personal information is subject to the principle of proportionality, and such processing "should exercise the greatest restraint." Employers must clearly inform workers of their legitimate reasons and of what kind of health information they must obtain. If, after receiving the notification of necessity, an individual believes that the processing of the relevant personal information is unnecessary or insufficiently necessary, he or she may refuse to consent to it, thereby fully protecting the individual's rights to know and to decide. For information processors, fulfilling the obligation to notify necessity also requires a clear understanding of whether processing the sensitive personal information is in fact necessary.

Simply put, the necessity of processing sensitive personal information requires that "collecting the sensitive personal information is extremely necessary to achieve the specific processing purpose": without the processing, the information processor would be unable to provide the relevant service, fulfil the relevant legal obligation, or protect the relevant legitimate interest. Taking the necessity of providing a service as an example, it can be determined by reference to the "Provisions on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications". Under Article 3 of the Provisions, "necessary personal information refers to the personal information necessary to ensure the normal operation of an App's basic functional services; without this information, the App cannot realise its basic functional services. Specifically, it refers to the personal information of consumer-side users and does not include the personal information of service-supply-side users." Article 5 of the Provisions further specifies in detail the scope of necessary personal information for 39 common types of Apps.

The notification of necessity must also comply with the requirements of Article 17, paragraph 1 of the PIPL that notification be "clear and easy to understand" and "true, accurate and complete". It therefore cannot consist of the bare statement that "without the sensitive personal information, the relevant service cannot be provided." At a minimum, the notification of necessity should show the logical relationship between the processing of the sensitive personal information and the provision of the specific service or function, and explain why the processing is necessary. Some scholars have described the necessity notification requirement from the perspective of the "data life cycle": at collection, the processor must show that, in order to achieve a lawful and specific purpose, the processing scheme is adequate, relevant and not excessive, and that no alternative with less impact on individuals exists; at storage, it must state whether the purpose could be achieved without storing the information, whether anonymised information could be used, and whether a shorter retention period would suffice; at disclosure, it must show that non-disclosure, de-identification, or disclosure within a limited scope would not suffice to achieve the purpose. Only in this way can the necessity of the processing be fully demonstrated to the individual.

(II) Special notification matter 2: impact on individual rights and interests

Article 28, paragraph 1 of the PIPL defines sensitive personal information by reference to information that "is likely to lead to infringement of the personal dignity of natural persons or harm to personal or property safety", and thus pays close attention to the impact of processing on individual rights and interests. That impact is broad. On the one hand, individual rights and interests include all legally recognised rights and interests: personal and property rights and interests in private law, as well as basic rights such as personal dignity and personal freedom in public law. On the other hand, "impact" covers both actual impact and possible adverse consequences. Article 12, paragraph 1 of the "Regulations on the Management of Human Genetic Resources", Article 14, paragraph 2 of the "Regulations on the Management of the Credit Reporting Industry", and point 5.2.2 of the "Guidelines for the Protection of Personal Information in Public and Commercial Service Information Systems" (GB/Z 28828-2012) respectively require, in different circumstances, notification of "the possible impact on health, and the measures to protect personal privacy", "the possible adverse consequences of providing this information", "the possible risks after providing personal information", and "the possible consequences of the personal information subject not providing personal information".

Specifically, information processors should fulfil the notification obligation towards the information subject on the basis of the results of the personal information protection impact assessment. Under Article 55 of the PIPL, a personal information processor must conduct a personal information protection impact assessment in advance of processing sensitive personal information and record the processing. Under Article 56, "the impact on individual rights and interests and the security risks" is itself a key component of that assessment. By reference to the "Guidelines for Personal Information Security Impact Assessment" (GB/T 39335-2020), the degree of impact on the rights and interests of personal information subjects can be evaluated along four dimensions, "restricting the individual's right to self-determination", "inducing differential treatment", "damaging personal reputation or causing mental stress", and "damaging personal property", and graded at four levels: "severe", "high", "medium" and "low". For example, the leakage or abuse of health and physiological information may seriously affect an individual both physically and psychologically. In addition, consistent with the definition of sensitive personal information in Article 28, paragraph 1 of the PIPL, the impact on individual rights and interests should be judged from the perspective of leakage or illegal use. Information processors must inform individuals of the relevant impact comprehensively and in detail.

It is worth noting that the impact on individual rights and interests must also be judged in light of specific factors such as the application scenario or industry and the information collection capability and cost of the information processor. The impact of processing sensitive personal information varies greatly across application scenarios. As information processing technology develops and processing capabilities improve, even anonymised information may be converted back into personal information. In addition, as with the notification of necessity, the notification of impact on individual rights and interests must comply with the basic requirements of Article 17, paragraph 1 of the PIPL, which need not be repeated here.

(III) The form of special notification

Requirements as to the form of notification help to address information asymmetry and enable the information subject actually to read and understand the relevant content. Local legislation, national standards and other normative documents usually require that notification of the processing of sensitive personal information be given "in a more conspicuous or prominent form". For example, Article 14, paragraph 2 of the Shenzhen Special Economic Zone Data Regulations provides that the processing of sensitive personal data should be "notified in a more conspicuous form by marking or highlighting." By reference to point 8 of the "Guidelines for Self-Assessment of Illegal and Irregular Collection and Use of Personal Information by Apps", "conspicuous marking" means "bold fonts, asterisks, underlining, italics, colours and the like". In 2020, the Yuhang District People's Procuratorate of Hangzhou City, Zhejiang Province filed a civil public interest lawsuit against a short-video App that "allowed children to register accounts without notifying the child's guardian in a conspicuous and clear manner and obtaining the guardian's express consent" and collected children's personal information; the case was ultimately closed by mediation.

Although the PIPL does not directly prescribe the form of notification for sensitive personal information, it can be inferred from its special provisions on consent to sensitive personal information that notification of processing based on consent should be distinguished from notification of processing based on another legal basis. Where the processing of sensitive personal information rests on another legal basis, a more conspicuous or prominent notification satisfies the formal requirement. Where it rests on consent, the notification should be a separate notification corresponding to the separate consent. If only a highlighted notification were used, separate consent would be hard to achieve, and the effect would be to "reduce the effectiveness of the system, contrary to the original intention of the legislation." Here the requirement of a more conspicuous or prominent form is elevated to a requirement of separate notification: the notification of the processing of sensitive personal information must be independent of the notification of the processing of general personal information, and the content concerning sensitive personal information cannot be folded into a bundled notification and consent.

In Guo v. Hangzhou Wildlife World, known as the "first facial recognition case", Guo's first claim was for a declaration that the park's notices regarding the collection of sensitive personal information were invalid. Applying the Contract Law and the Consumer Rights Protection Law, the first-instance court held that "the notice informed card purchasers in conspicuous text that they needed to provide certain personal information, including fingerprints," contained no terms "excluding or restricting consumer rights, reducing or exempting the operator's liability, or aggravating consumer liability" that were unfair or unreasonable to consumers, and was therefore not invalid. The second-instance court likewise held that Guo "applied for the fingerprint annual card after learning of the matter, and his right to choose was not restricted." Although the PIPL had not been enacted at the time of trial, this does not prevent a re-analysis of the case. As noted above, the content of the notice concerning the processing of sensitive personal information was mixed with other content, and mere highlighting cannot satisfy the formal requirement of separate notification. As to content, the notice also failed to cover comprehensively the seven matters listed in Articles 17 and 30 of the PIPL. If a similar case were tried now, a completely different conclusion would be reached. In addition, the importance of reviewing the notification matters lies in the fact that, within the framework of informed consent, the direct consequence of failing to fulfil the notification obligation is that the consent given by the information subject is invalid. Under Article 14 of the PIPL, valid consent "shall be given voluntarily and explicitly by the individual on the premise of full knowledge". An invalid notification therefore necessarily renders the consent invalid, since the premise of full knowledge is not met.

Specifically, information processors can give separate notification effectively through specific interactive interfaces or designs. By reference to point 6.5.2.3.1 of the "App Personal Information Security Assessment Specifications (Draft for Comment)" and point 6.1.4.2.1 of the "App Personal Information Security Protection Guidelines (Draft for Comment)", separate notification of sensitive personal information can be given by means of a separate pop-up window, interface, prompt bar, prompt sound or the like, delivered before the relevant information is processed. For example, when a map-type App is used for the first time, the user receives a separate pop-up window stating that location information will be collected and asking whether he or she agrees. By contrast, notification given during processing does not fall within the scope prescribed by the PIPL. Some scholars mistakenly regard "providing instant prompts to users during use" as a special method of notification, citing the notifications of the iOS system as an example. However, an iOS system notification is usually not a notification by the information processor but a prompt from the device operating system about the processing of personal information by a third party. More importantly, such "instant notification" does not satisfy the timing requirement of Article 17, paragraph 1 of the PIPL that notification be given before personal information is processed.

3. Implementation path of consent after notification

Under Article 29 of the PIPL, where sensitive personal information is processed on the basis of the individual's consent, the consent must not only be given voluntarily and explicitly by the individual on the premise of full knowledge but must also be given separately. Separate consent is a concretisation of general consent: it means obtaining the information subject's consent specifically for a particular matter. To satisfy the requirement of separate consent, the consent to processing sensitive personal information and the consent to processing general personal information must be independent of each other. The information processor obtains the information subject's consent separately for the processing of sensitive personal information and may not adopt bundled consent.

In addition, whether written consent is required for processing sensitive personal information is determined by laws and administrative regulations. Written consent means consent given in a form that can tangibly express its content, such as a contract, letter, telegram, telex or fax. Written consent is a formal requirement layered on top of separate consent and must itself satisfy the requirements of separate consent.

(I) Separate consent: basic requirements as to content, object and method

Separate consent to processing sensitive personal information means that the information processor must obtain the information subject's "explicit and voluntary" consent for the specific act of processing sensitive personal information itself. Separate consent places higher demands on the specificity of the content consented to, hence the description "independent and explicit special consent", as opposed to generalised, bundled consent.

First, as to the content consented to, separate consent requires consent to the processing of sensitive personal information itself alone, which cannot be bundled with consent to the processing of general personal information. Before the PIPL was passed, consent was commonly obtained in practice through a single unified personal information protection policy, which does not meet the requirement of separate consent. It must be made clear, however, that separate consent to sensitive personal information has never required that "the information processor obtain separate consent, item by item, for each item of sensitive personal information of each type." This misunderstanding stems from Article 13, paragraph 2 of the "Regulations on Supervision and Administration of Online Transactions", which provides for item-by-item consent for sensitive personal information. Article 73, paragraph 8 of the "Regulations on Network Data Security Management (Draft for Comment)" likewise mistakenly equates separate consent with item-by-item consent. That reading does not accord with the literal meaning of separate consent; it is in fact a stricter requirement built on top of separate consent, that is, a restrictive interpretation, and a restrictive interpretation must be justified by reasonable practical and systemic legal grounds. Yet requiring information processors to notify and obtain consent individually for each item of sensitive personal information processing is difficult to operate and implement in practice. Faced with a continuous stream of consent pop-ups, users would also cease to take separate consent seriously, which contradicts its normative purpose. More importantly, this reading does not fit a systematic interpretation of the PIPL.

On the one hand, the separate consent in Article 23 of the PIPL is consent to "the name of the recipient, its contact information, the purpose and method of processing, and the types of personal information" as a whole, not notification and consent given for each of these items individually, nor consent to each item of personal information falling within the type. Similarly, the separate consent for cross-border transfer of personal information in Article 39 of the PIPL can only be read as separate consent to the separate notification matters listed in that article. On the other hand, under the definition of sensitive personal information, the personal information of children under the age of 14 is itself sensitive personal information, and an item-by-item consent requirement cannot be applied to the processing of children's information. If item-by-item consent were adopted, the guardian would have to consent one by one to every type of processing of the child's personal information; not only would it be practically difficult for the guardian to complete such cumbersome consent operations, but the information processor would also be unable to determine all types of children's personal information by any clear standard of content division for the guardian to consent to item by item. Among the items enumerated as sensitive personal information in Article 28, paragraph 1 of the PIPL, the biggest difference between children's personal information and the other items is that it is defined by the subject rather than by content. Starting from the special subject, the child, children's personal information is itself a holistic concept.

The consent of the child's parents or other guardians under Article 31 of the PIPL is itself a separate consent to the processing of the child's personal information as a whole. Only on this understanding can Articles 29 and 31 of the PIPL be reconciled within the system.

Second, as to the processing acts covered by consent, separate consent takes the form of consent to specific information processing acts, not general consent to future information processing acts. This does not mean, however, that "one processing act" corresponds to "one consent". First, although consent is required for each processing purpose, this does not mean that each processing purpose corresponds to one consent. Consent must be given for a specific processing purpose, processing method and type of personal information processed; this is itself a general requirement of consent. Accordingly, if the matters listed in Article 14, paragraph 2 of the Personal Information Protection Law change, personal consent must be obtained anew. Recital 32 of the GDPR likewise states that "consent should cover all data processing activities carried out for the same one or more purposes. Where data processing involves multiple purposes, each purpose must be subject to the consent of the data subject." None of these provisions prevents the information subject from giving one consent to multiple processing purposes or processing methods after the relevant matters have been clearly notified. Second, a specific information processing act is not the same as a single information processing act. Sensitive personal information processing of the same kind carried out in the same business scenario requires separate consent only at the time of the initial processing. The general consent that separate consent rules out refers to blank, unclear consent given for processing activities that might occur, not a denial of consent for all future processing activities. Prior consent is by nature directed at processing that is about to take place. Where, in the same business scenario, the purpose of processing, the method of processing and the types of personal information processed have not changed, there is no need to obtain consent again under Article 14, paragraph 2 of the Personal Information Protection Law. Take face recognition login in mobile apps as an example: separate consent need only be obtained on first use, and unless the relevant information processing changes, the prompt need not be repeated.

Third, as to the form of separate consent, separate consent is given after separate notification. For specific methods of consent, reference can be made to Article 9.1 of the "Guidelines for Personal Information Notification and Consent (Draft for Comments)": the personal information subject expresses willingness through settings in an interactive interface; the subject actively fills in and enters personal information; the subject opens an API (application programming interface) permission that allows personal information to be collected; the subject expresses willingness through a paper or electronic written statement with signature confirmation; the subject expresses willingness through an electronic signature; or the subject expresses willingness through a telephone recording, video recording or the like. Among these, given the clarity required of consent and with reference to Recital 32 of the GDPR, silence, pre-ticked boxes or inactivity should not constitute consent.

That is, whether a given act constitutes separate consent to the processing of sensitive personal information can be determined from the content of the consent, the processing acts it covers and the method of consent. For example, in the aforementioned "First Face Recognition Case", one point of dispute was whether the fact that Guo and his wife had their photographs taken at the "Annual Card Center" constituted consent to the wildlife park collecting facial recognition information. Both the court of first instance and the court of second instance held that being photographed did not constitute consent to the collection of sensitive personal information. Reviewing the facts of the case from the perspective of the Personal Information Protection Law leads to the same conclusion. First, as to the content of consent, being photographed does not clearly point to the processing of sensitive personal information. A photograph and facial information are different things. With reference to Recital 51 of the GDPR, facial information is processed only when a natural person is uniquely identified or authenticated from facial features through specific technical means. Guo never clearly consented to the specific sensitive personal information processing of facial recognition. Second, as to the processing acts covered, agreeing to be photographed does not mean agreeing to the use of the photographs for other processing purposes. As the court of second instance held, although the "annual card application process" involved taking photographs, "the photographs were provided only for use with the fingerprint annual card and should not be deemed an authorization for the Wildlife World to use the photographs for facial recognition."
Finally, as to the method of consent, the consent expressed by being photographed is not clear enough and cannot clearly point to the processing of sensitive personal information. Therefore, the Wildlife World in this case did not obtain valid separate consent.

(II) Written consent: a further restriction on the form of expression

Written consent, as a special form of separate consent, is not new in Chinese legislation, and foreign laws also provide for written consent for sensitive personal information. Article 15, paragraph b, item 1 of BIPA provides that the collection, storage and purchase of personal biometric information requires written notice to, and written consent from, the information subject. Article 8, paragraph 7 of the Uniform Personal Data Protection Act (UDPA, without legal effect) adopted by the Uniform Law Commission of the United States in 2021 goes further and stresses the signing of written consent, stating that "a controller shall not process sensitive data of a data subject in a manner incompatible with a data practice unless each data practice has obtained the data subject's express consent in a signed record." Article 6, paragraph 1, item 6 of the Personal Data Protection Act of China's Taiwan region limits consent to the processing of sensitive personal information to written consent.

Written consent emphasizes that the consent is in writing, but this does not mean consent on paper. Some scholars have read the written consent in Article 29 of the Personal Information Protection Law as "a paper consent form personally signed by the individual to express consent to the processing of his or her sensitive personal information." This view is debatable. On the one hand, written form stands in contrast only to oral form and does not exclude electronic means. The statutory requirement of written form should be judged with reference to Article 469, paragraphs 2 and 3 of the Civil Code, which provides that "written form is a form in which the content is tangibly expressed, such as a contract, letter, telegram, telex or fax. A data message, such as an electronic data interchange or e-mail, whose content can be tangibly expressed and which can be retrieved for reference at any time, is deemed to be in written form." On the other hand, personal information processing is mostly carried out electronically; some foreign legislation even excludes unstructured and non-electronic information processing from the personal information protection system altogether. Requiring the information subject to sign a paper consent form is neither feasible nor practical. Where the information subject gives written consent by electronic signature on an electronic document, the signature is to be judged under the Electronic Signature Law. Article 14 of the Enforcement Rules of the Personal Data Protection Act of Taiwan also states that "written consent may be given by electronic document in accordance with the provisions of the electronic signature law." Take inquiries into personal information held by credit reporting agencies as an example: although a paper signature may be required when handling business at a bank counter, in mobile banking, online banking and various personal finance apps the consent is obtained entirely through electronic authentication.
In practice, these methods are regarded as satisfying the requirement in Article 18, paragraph 1 of the "Credit Reporting Industry Management Regulations" to "obtain the written consent of the information subject and agree on the purpose of use".

Written consent is a stronger formal requirement built on separate consent, reflecting the heightened protection that laws and administrative regulations afford to specific kinds of sensitive personal information. As a mandatory form, written consent is considered to serve four functions: alleviating information asymmetry, admonishing the parties to act with caution, ensuring that consent is clear and firm, and preserving evidence. In notification and consent for the processing of sensitive personal information, written consent usually corresponds to written notification. At the same time, bundled consent cannot be given in writing: written consent must satisfy the requirements of separate consent. If the written form were used to circumvent separate consent, that would directly conflict with the normative purpose of written consent.

Article 29 of the "Personal Information Protection Law" confines written consent for the processing of sensitive personal information to cases provided for by laws and administrative regulations. The current regulations reflect restrictions on the processing of special types of sensitive personal information and on the processing of sensitive personal information in special industries. On the one hand, genetic testing can yield a series of information such as sex, race, genetic diseases, other potential health risks and potential personality traits. The leakage or illegal use of genetic information easily leads to genetic discrimination, so special protection is necessary. Article 12, paragraph 1 of the Regulations on the Management of Human Genetic Resources provides that the collection of human genetic resources "shall obtain the written consent of the provider of the human genetic resources." On the other hand, the function of credit information is to evaluate personal creditworthiness, which directly affects personal loan interest rates, insurance premium rates, transaction opportunities and so on, and which may have serious adverse effects on individuals under the joint punishment mechanism for breach of trust and the digital credit co-governance mechanism; special restrictions are therefore also needed. Article 14, paragraph 2 of the "Credit Reporting Industry Management Regulations" (2013) provides that credit reporting agencies shall not collect information on income, deposits, securities, commercial insurance, real estate and tax amounts unless written consent is obtained; Article 18, paragraph 1, Article 28, paragraph 2 and Article 29, paragraph 2 also require written consent for specific information processing. In the "Shenzhen Guoyin Shengda Financing Guarantee Co., Ltd.
v. Huang Mouyong Tort Liability Dispute", after the guarantee company had repaid Huang Mouyong's loan on his behalf, it submitted Huang Mouyong's bad credit record to the credit reporting agency. Because the guarantee company had not obtained Huang Mouyong's written consent in advance to submit his credit information, the court held, in accordance with the aforementioned provisions, that the guarantee company had committed an infringement.

4. The legal limits of informed consent

Although the informed consent rules for the processing of sensitive personal information are important, they are by no means indispensable. On the one hand, in specific circumstances laws and administrative regulations exempt information processors from the obligation to notify, and where sensitive personal information is processed on a lawful basis other than consent, there is no room for informed consent at all. On the other hand, informed consent does not necessarily render the processing of sensitive personal information lawful; that must be judged in light of other legal requirements.

(I) Circumstances in which notification or consent is not required

On the one hand, the notification requirement for the processing of sensitive personal information is not absolute. Under Articles 18, 30 and 35 of the Personal Information Protection Law, there are three circumstances in which notification is not required. First, where laws and administrative regulations provide that confidentiality shall be maintained or that notification is not required (Article 18, Paragraph 1 of the Personal Information Protection Law). Although Article 30 of the Personal Information Protection Law uses the expression "in accordance with this Law", the provision in Article 18, paragraph 1 extends the relevant exceptions to laws and administrative regulations. For example, when the relevant authorities take technical investigation measures under Article 16 of the People's Police Law and Article 45 of the Counter-Terrorism Law, or investigate suspicious transactions under Article 8 of the Anti-Money Laundering Law, they do not notify the information subject. Article 15 of the "Credit Reporting Industry Management Regulations" likewise provides that where an information provider supplies a credit reporting agency with bad information that has been disclosed in accordance with laws and administrative regulations, it need not notify the information subject. Second, in an emergency, where it is impossible to notify individuals in time in order to protect the life, health and property safety of natural persons, the obligation to notify may temporarily go unfulfilled, but the information processor shall notify them promptly once the emergency has been resolved (Article 18, Paragraph 2 of the Personal Information Protection Law). For example, when a medical institution processes a patient's medical records in order to provide emergency treatment, it may temporarily fail to fulfil its obligation to notify, but it should promptly inform the patient afterwards of the processing of the relevant health information.
Third, where notification would hinder a state organ in performing its statutory duties, notification is not required (Article 35 of the Personal Information Protection Law). For example, the tax authorities, under Article 54, item 1 of the Tax Collection Administration Law, "examine the taxpayer's account books, accounting vouchers, statements and relevant materials, and examine the withholding agent's account books, accounting vouchers and relevant materials relating to the withholding and collection of tax." If individuals were notified in advance at that point, they might transfer, tamper with or destroy the relevant materials, seriously hindering the tax authorities' performance of their statutory duties of tax collection and administration.

On the other hand, the legal basis for processing sensitive personal information is not limited to consent. Article 29 of the "Personal Information Protection Law" deleted the opening clause "where sensitive personal information is processed on the basis of personal consent" that appeared in the "Personal Information Protection Law (Second Draft)". On April 22, 2021, a spokesperson for the Legislative Affairs Commission stated that "sensitive personal information may be processed only where there is a specific purpose and sufficient necessity, and the individual's separate consent or written consent shall be obtained and a risk assessment conducted in advance", which appears to place consent alongside the other conditions for processing sensitive personal information. Article 22 of the Shanghai Data Regulations likewise provides in a single article that the processing of biometric information shall have a specific purpose and sufficient necessity, that strict protective measures shall be taken, and that the individual's separate consent shall be obtained. All of this has led some practitioners to mistakenly believe that the legislature treats consent as the sole legal basis for the processing of sensitive personal information. That understanding is plainly wrong. Article 29 of the Personal Information Protection Law applies on the premise that the sensitive personal information is being processed on the basis of consent; even though the corresponding wording was deleted during the legislative process, this premise is self-evident. Separate consent or written consent for the processing of sensitive personal information is itself a special form of consent, and consent is only one of the bases for the lawfulness of personal information processing.
Looking to foreign law, the lawful grounds for processing sensitive personal information in Article 9, paragraph 2 of the GDPR are not limited to consent but also include the performance of legal obligations, the protection of the vital interests of the data subject or another person, processing by charitable or non-profit bodies, data manifestly made public by the data subject, processing in the course of judicial proceedings, reasons of substantial public interest, and other grounds for processing sensitive data. Article 22 of the German Federal Data Protection Act (BDSG) regulates the processing of sensitive personal information entirely outside of consent: sensitive personal information may be processed for purposes such as fulfilling legal obligations, safeguarding public interests and maintaining public security, subject to specific restrictions.

Specifically, under the lawful bases in Article 13, paragraph 1, items 2, 3, 4, 5 and 7 of the Personal Information Protection Law, an information processor may process sensitive personal information without personal consent in the following cases. First, where it is necessary for concluding or performing a contract. For example, an employer opens a housing provident fund account for an employee and processes the relevant financial account information. Second, where it is necessary to perform statutory duties or obligations. For example, under Article 132 of the Criminal Procedure Law, investigators take the fingerprints of a suspect and collect biological samples such as blood and urine, obviously without obtaining personal consent. Third, where it is necessary to respond to a public health emergency or other emergency. For example, for the purposes of epidemic prevention and control, relevant medical and health information and whereabouts information may be processed without consent where genuinely necessary. When the epidemic broke out in Shanghai in the spring of 2022, some residents received text messages warning that "according to big data screening, you may recently have been at risk of direct or indirect contact with persons infected with the novel coronavirus"; this is such a case. Fourth, news reporting, public opinion supervision and other acts carried out in the public interest. For example, in the "Shi Moumou et al. v. Xu Moumou portrait rights, reputation rights and privacy rights dispute", a third party blurred photographs of a child's injuries and posted them on Weibo to report the adoptive father's abuse of the child, then took them down. The court held that although the third party's disclosure of the child's information had not been consented to, it accorded with the principle of maximizing the public interest of society and the interests of the child and did not constitute infringement.
Fifth, other circumstances provided for by laws and administrative regulations. For example, the legal basis for the processing during the epidemic described above comes not only from Article 13, Paragraph 1, Item 4 of the Personal Information Protection Law but also from Article 12 of the Infectious Disease Prevention and Control Law, under which individuals must truthfully provide relevant information to disease control institutions and medical institutions, as well as from Articles 21, 36 and 40 of the "Emergency Regulations on Public Health Emergencies", which set out the reporting obligations of entities and individuals, the powers of investigative professional and technical institutions, and the duty of streets, townships, residents' committees and villagers' committees to assist the health administrative departments, other relevant departments and medical institutions in collecting and reporting epidemic information. Laws and administrative regulations such as the "Practicing Physicians Law", the "Regulations on the Prevention and Control of Acquired Immune Deficiency Syndrome" and the "Regulations on the Prevention and Control of AIDS" likewise impose obligations to submit and report relevant health information. The European Data Protection Board has pointed out that, in responding to the COVID-19 epidemic, states may process health information on the various legal grounds in Article 9, paragraph 2 of the GDPR. US law also has "partner notification" provisions to protect the right of third parties to know about infectious disease information. In short, apart from consent, there are many circumstances in which sensitive personal information may lawfully be processed.

It is worth noting that although the processing of sensitive personal information in the above circumstances does not require consent, it must still satisfy the threshold requirements of Article 28, paragraph 2 of the Personal Information Protection Law, namely a specific purpose, sufficient necessity and strict protective measures. At the same time, the absence of consent does not mean that notification is unnecessary. The "Personal Information Protection Law" imposes general notification requirements (Article 17), notification requirements where personal information is transferred due to merger, division, dissolution or bankruptcy (Article 22), a requirement to post prominent signs where image collection and personal identification equipment is installed in public places (Article 26), and a notification obligation where state organs process personal information in performing their statutory duties (Article 35). Notification is a general requirement before personal information is processed, and it is dispensed with only in the statutory circumstances described above.

(II) Informed consent ≠ lawful processing

The nature of informed consent means that compliance with Articles 29 and 30 of the "Personal Information Protection Law" does not necessarily render the processing of sensitive personal information lawful. The nature of consent is much debated in theory; views include that it is an expression of intent constituting a juridical act, an authorization under a data trust, a statutory ground for exemption from liability, a way of exercising personal information rights, a restricted disposition of private rights, and a license analogous to the licensing of intellectual property. In fact, consent in the personal information protection system should be understood as a quasi-juridical act. From Article 1036 of the Civil Code to Article 13 of the Personal Information Protection Law, which set out the lawfulness of personal information processing, the lawfulness of processing derives in every case from the direct provisions of the law. Consent is not an act of authorization or of creating rights, and it cannot of itself make information processing lawful; whether a processing act is lawful must be judged against the specific provisions of the law. As some scholars have put it, "the principle of informed consent is limited by freedom of communication and the constitutional right to secrecy of communications, by privacy, and by the principles of purpose and necessity." The processing of sensitive personal information is, even more, a prominent manifestation of the limits of the effectiveness of informed consent.

First, under Article 1035, paragraph 1 of the Civil Code, consent is only one of the conditions for processing personal information. Processing must also follow the principles of lawfulness, legitimacy and necessity; must not be excessive; must be conducted under disclosed processing rules that clearly state the purpose, method and scope of processing; and must not violate laws, administrative regulations or the agreement between the parties. The processing of sensitive personal information must further satisfy the threshold requirements of Article 28, paragraph 2 of the Personal Information Protection Law, namely a specific purpose, sufficient necessity and strict protective measures. If these provisions are not complied with, the processing is unlawful even if separate consent has been obtained. Article 6, paragraph 1, item 6 of the Personal Data Protection Act of China's Taiwan region also states expressly that data "exceeding the necessary scope of the specific purpose, or subject to other legal restrictions, shall not be collected, processed or used merely on the written consent of the party."

Second, for the processing of certain sensitive personal information, laws and administrative regulations exclude the application of informed consent. Reading Article 14, Paragraphs 1 and 2 of the "Credit Reporting Industry Management Regulations" together, a credit reporting agency may collect the "information on income, deposits, securities, commercial insurance, real estate and tax amounts" listed in paragraph 2 only after it "clearly informs the information subject of the possible adverse consequences of providing the information and obtains his or her written consent"; but even with personal consent, it may not collect the "information on religious beliefs, genes, fingerprints, blood type, diseases and medical history" prohibited by paragraph 1, "or other personal information whose collection is prohibited by laws and administrative regulations." Foreign law also contains provisions excluding the consent rule. Article 9, paragraph 2, item a of the GDPR states that the EU or a member state may provide by law that consent cannot serve as a basis for the lawfulness of processing sensitive personal information.

Third, in specific situations of sensitive personal information processing, the informed consent mechanism often struggles to function effectively. For example, facial recognition is often deployed in settings of unequal power or status, where it is difficult to ensure that consent is "given voluntarily and explicitly on the premise of full knowledge" as Article 14 of the Personal Information Protection Law requires. The UK Information Commissioner has likewise observed that where facial recognition is performed automatically on unspecified persons, it is difficult to establish lawfulness through consent. In Sweden's first GDPR enforcement case in 2019, the school involved used facial recognition for attendance and had obtained the students' consent. The Swedish Data Protection Authority held that "consent is not a valid legal basis given the imbalance between the information subject and the information controller" and ultimately fined the school 10 million Swedish kronor. Therefore, the lawfulness of sensitive personal information processing must be judged with reference to the threshold requirements for processing sensitive personal information, the special provisions of laws and administrative regulations, and the validity of the consent, among other factors.

Conclusion

Articles 29 and 30 of the "Personal Information Protection Law" set out, for the first time in Chinese law, the notification and consent standards for the processing of sensitive personal information, and will surely have a profound effect on personal information protection practice in China. Although the processing of sensitive personal information has multiple legal bases, business practice often finds it difficult to satisfy the requirements of the bases other than consent, and informed consent will therefore become the most effective and most common route for information processors to use sensitive personal information. In addition, as practice and understanding deepen, the standards for notification and consent in the processing of sensitive personal information will be further refined. Reading Article 32 and Article 62, Paragraph 2 of the Personal Information Protection Law together, laws, administrative regulations, and the rules and standards formulated by the national cyberspace administration may make detailed provisions on notification and consent for the processing of sensitive personal information. To date, no judicial decision citing these provisions and no authoritative interpretation of them has appeared. This article has sorted out and analyzed the special notification matters, separate consent, written consent and exceptions for sensitive personal information according to legal doctrine, in the hope of assisting the implementation of the "Personal Information Protection Law" and helping to raise the level of personal information protection. Perhaps, if we "let the bullets fly for a while", many of the controversies will find clearer answers.


This "Digital Rule of Law" special topic is provided by the Digital Rule of Law Research Institute of East China University of Political Science and Law; topic coordinator: Qin Qiansong.
