Privacy protection urgently needed in digital economy
Technicians inspect telecommunication equipments to ensure information security in Chuzhou City, Anhui Province, on June 27. Photo: CFP
The digital economy refers to a broad range of economic activities that use digitized information and knowledge as key factors of production, digital technology as the driving force, and modern information networks as the carrier. With the rapid development of related industries such as e-commerce, the Internet of Things, and big data, the contribution of digital economy to China’s economy continues to rise.
According to the latest White Paper on China’s Digital Economy Development released by the China Academy of Information and Communications Technology in April, 2021, the scale of China’s digital economy reached 39.2 trillion yuan last year, accounting for 38.6% of the GDP, which effectively supported epidemic prevention and control, as well as economic development. Moreover, the growth rate of the digital economy was more than three times that of the GDP, thus playing a pivotal role in spurring economic development.
Why it matters
Data is a strategic resource of the digital economy. Internet companies collect a large amount of users’ private data, which leads to many problems such as big data pricing and internet fraud, severely hindering the sustainable and healthy development of the digital economy. On the one hand, the rapid development of digital economy requires a large amount of user data to achieve a scale effect. On the other hand, excessive collection of users’ data increases the risk of personal information leakage. Therefore, in the development of digital economy, user privacy protection has attracted attention from all walks of life.
For example, the EU General Data Protection Regulation, that went into effect in 2018, was designed to increase data privacy for EU citizens by levying steep fines on organizations that don’t follow the law. On Aug. 20, China passed the Personal Information Protection Law (PIPL), which complements the recently enacted Data Security Law. The PIPL, which began to take effect on Nov. 1, is the first comprehensive national law in China governing how organizations and individuals handle the personal information of individuals in China and imposes significant penalties for violations.
In July, the Cyberspace Administration of China ordered the removal of 25 apps, including “Didi Travel” owned by ride-hailing service provider Didi Global Inc., from app stores, citing severe violations of rules against collecting personal data. It also demonstrated the Chinese government’s determination to protect citizens’ privacy and ensure the healthy and sustainable development of digital economy.
Various forms of privacy leakage pose severe challenges to the existing privacy protection framework. As scholars point out, the difficulty of privacy protection is three-fold. One is the extreme asymmetry of information between data collectors and users. Users do not know when and how their private data is being collected or what private information will be used for. The second is that privacy is almost impossible to recover. As digital information can be copied, stored, and spread easily, users’ privacy cannot be recovered once it is leaked. Third, the damage of privacy leakage is difficult to measure. Due to the lack of a unified judgment on the value of users’ personal information, the punishment and compensation policies for privacy leakage lack a quantitative standard, adding uncertainties to the privacy protection policies.
In addition, the problem of privacy leakage under the context of cross-border data flow is further exacerbated. Cross-border data flow poses a threat to national security, but China has no special laws to regulate cross-border data flow at the current stage.
What to do
Personal information has a public attribute. The development of digital economy is inseparable from the rational use of personal information. The protection of individual privacy is the prerequisite of and guarantee for the high-quality development of digital economy. In this light, the following aspects need to be highlighted.
First, it is important to improve the relevant laws and regulations on privacy protection. At present, China has issued a systematic and specialized personal information protection law, which needs the support of the judicial system and law enforcement to make it a basic law in the digital era that safeguards individual rights and interests. To safeguard national information security and protect citizens’ privacy, laws should be adopted to clarify the rights, responsibilities, and behavior boundaries of information users and regulate cross-border data transmission.
Given the law lag and differences between industries, privacy protection needs to be accompanied by more specific industry regulations. Based on the characteristics of the industry, specific industry regulations should be formulated to standardize the order of information collection and use within the industry. Not only that, the company’s internal information management and privacy protection system are also essential to reduce the risk of privacy disclosure.
Second, we need to balance the interests of various parties. The contradiction between information use and privacy protection centers on interest, thus the fundamental solution lies in the balance among multiple subjects. For the use and protection of information, each subject has its own considerations. Enterprises put emphasis on revenue, user accumulation, and corporate reputation. Data mining helps enterprises optimize business strategies, attract potential consumers, provide personalized services, and fully release market dividends.
For individuals, privacy is associated with personal and property security. In case of information leakage or illegal exploitation, there will be certain economic and emotional losses.
For the government, the development of digital economy and the protection of personal privacy are both essential. Therefore, the use and protection of personal information needs to balance the interests of each subject and find an equilibrium for all parties.
To put it simply, users provide personal information to enjoy personalized services but bear corresponding risks. While users’ personal information brings benefits to enterprises, they need to promise to take various measures to protect user privacy. The government needs to play a regulatory and moderating role, to clarify the boundaries, responsibilities, and obligations of enterprise information collection, and at the same time intervene in the storage and transmission of citizens’ private data.
Third, we should carry out layered protection. The indiscriminate protection of various personal information will reduce the efficiency and effect of information use, cause information barriers, and seriously hinder the development of digital economy. Therefore, it is necessary to create hierarchical rights and interest rules to protect personal information.
According to the sensitivity of information, the information with low sensitivity is regarded as general personal information, and the information with medium sensitivity is regarded as important information, while the information with high sensitivity is regarded as private information. The information can also be divided into identifiable information and unidentifiable information based on its identifiability.
In addition, the information can be further subdivided according to different industry characteristics and development stages. Different rights and interest rules need to be set accordingly. For example, enterprises are allowed to collect general personal information with low confidentiality and unidentifiable information that is difficult to pinpoint, and this kind of personal information can be allowed high flow under the premise of not harming personal interests.
Meanwhile, enterprises should be strictly prohibited from collecting highly confidential private information and identifiable information that can be used to pinpoint and locate individuals. If certain information has to be obtained, the consent of the information owner is a must and the use and saving of such information must be carried out with caution.
That said, we should give priority to the protection of private and identifiable information; improve relevant laws, regulations, and supervision rules; explicitly grant individuals the right of supervision, the right to know, the right to consent, and other rights; and use the rights granted by law to protect individual privacy.
Fourth, in the era of big data, privacy protection should not only improve the legal framework, achieve the balance of interests, and create hierarchical rights and interest rules, but also realize the organic combination of personal prevention, enterprise self-discipline, and government supervision.
On the one hand, in the spirit of inclusiveness, enterprises should be given some autonomy to innovate new forms of business, new technologies, and new models against the backdrop of the rapidly developing digital economy. On the other hand, we should strictly stick to the bottom line, strengthen supervision of areas with high risk, and severely crack down on behavior that endangers privacy security and violates laws and regulations.
The industry should adopt self-discipline and form an atmosphere to protect information security. Enterprises should formulate internal rules and regulations and set up special supervision departments or supervision personnel to strictly protect information security. Enterprises should carry out regular internal reviews to assess the status of information protection and security levels.
Enterprises should fully realize that privacy protection is not only to protect the interest of the public, but also to help their own development. Enterprises’ full protection of personal privacy is conducive to improving corporate reputation. The public is more inclined to provide information to trusted enterprises to help them improve service quality and form a benign circle. Enterprises should consciously comply with the ethical and legal norms to collect and use data, consciously assume the responsibility of privacy protection and security, and achieve their own long-term development and the healthy development of the market.
The government should adapt to the changes of the times and accelerate the construction of information governance systems and capacity. In the end, government supervision is to combine with individual’s self-protection and enterprise self-discipline to better protect users’ personal information.
Finally, privacy protection also needs the supervision of the public to ensure that citizens can fully exercise their legal rights and protect personal privacy. For the general public, establishing privacy protection awareness and actively exercising the right to know and supervise, and other legal rights, can effectively reduce the risk of privacy leakage. Therefore, it is necessary to strengthen publicity and education for the public, especially for minors and middle-aged and elderly people, to improve the awareness of privacy protection and rights protection.
In the era of digital economy, data has become the basic element of economic growth and value creation. The booming digital economy needs to better leverage the value of personal information while protecting personal privacy. Achieving a balance between privacy protection and the use of personal information is the only way for the healthy and sustainable development of the digital economy. To this end, it is necessary to constantly improve laws and regulations, establish a diversified regulatory system, and through the joint efforts of individuals, enterprises, industries, and governments, create a safe and open digital economy market environment, so as to promote the sustainable and healthy development of the digital economy.
Wang Le and Sun Zao are from the School of Economics and Finance at Xi’an Jiaotong University.
Edited by YANG XUE