Wang Liming: Data Sharing and Personal Information Protection

08:00, April 29, 2019     Source: Beijing Daily    

The concept of data sharing is mainly used at the level of institutions and platforms. It refers to the exchange of data between different institutions and platforms, but generally does not include the disclosure of data by the government. In the civil code being formulated in China, it is necessary to set special rules to regulate data sharing and strengthen the protection of personal information rights. The main reasons are as follows: First, a large amount of data involves personal information and privacy, even sensitive personal information and core privacy. Second, data sharing includes the collection and transmission of personal information. Once a lack of norms leads to uncontrolled data collection and transmission, a large amount of personal information will be misused or even leaked. Third, beyond the fact that sharing is itself a reuse of personal information, the party receiving the shared data may reprocess, use, or even further share it after obtaining it.

Personal information in data sharing still belongs to the information right holder

The collection, development and utilization of information and data shall be based on the protection of personal information rights and privacy rights. The informed consent rules for information collection should be applicable to all personal information collection activities, not limited to the initial collection of personal information. The main reasons are:

First, informed consent is itself the specific embodiment of the information obligee's right to control his personal information. Even where the data developer has collected and developed personal information with the consent of the obligee, the consent and authorization of the party concerned must still be obtained before the data is shared with others.

Second, the object of the personal information right is the personal interests that the subject enjoys in his personal information. These interests are personal in nature and not transferable.

Third, the fact that the information right holder allows information collection does not mean that information sharing is allowed. Without the consent of the information obligee, the sharing of legally authorized information may also infringe the rights of the information obligee, because for the information obligee there is no essential difference between information sharing and the re-collection of personal information, and in principle his consent should be obtained.

Fourth, it is necessary to ensure that the information obligee controls the process by which personal information circulates. No matter with whom the information is shared, within the scope of sharing, the information right holder should be informed of it and agree to it.

Even where, under special circumstances, it is difficult for information sharing to fully achieve the informed consent of individuals, special rules should be adopted to strengthen the protection of information right holders and make up for the inadequacy of the informed consent rules. American law introduces the concept of "reasonable expectation", that is, in some cases, whether there is privacy infringement should be judged by whether the data collector and processor have fulfilled their reasonable duty of care, and whether they meet the general expectation of the data collector recognized by the society.

Data sharing must be authorized by the right holder of personal information

The act of authorization by the information subject should be effectively standardized. Data sharing does not mean data reselling. The fundamental difference between the two is whether the information subject's authorization has been obtained. The authorization of information sharing should pay attention to the following aspects:

First, once personal information is involved in data sharing, the sharing should be explicitly authorized by the information subject. Although China's General Principles of Civil Law stipulates that personal information should be collected and used according to law, it does not specify which situations are legal and which are illegal. Article 817 of the Civil Code's various subparts (drafts) stipulates that "personal information shall not be provided to others without the consent of the collector", but does not state whether the express consent of the information obligee is required. China should learn from the experience of the European Union. If the terms of authorization are not clearly written, even if individual consent is obtained, it cannot be considered as authorization.

Second, personal authorization should be obtained when collecting and using personal information, and data sharing should also obtain special authorization from the information subject. From the perspective of judicial practice in China, some courts have also adopted this position.

Third, the application of the general authorization clause should be strictly restricted when regulating data sharing. Personal information is closely related to the personal interests of the information subject. A general authorization may cause the information subject to lose control of personal information completely, thus bringing about an impact beyond his reasonable expectations.

Fourth, the situations that do not need authorization should be clearly stipulated and listed by the law, which can not only protect individual information rights, but also provide clear behavioral standards and development expectations for the development of the data industry. Article 816 of the Civil Code Draft is too broad, so it is necessary to make detailed provisions.

After obtaining the information, the sharer shall use it within the scope authorized by the information subject. Data sharing should be strictly limited to the scope of authorization. Unless the information subject has given special authorization to the sharee, the rights of the sharee to the relevant information shall not exceed the scope of the rights of the information sharer. To enable the information right holder to control the process of information sharing, the information sharer should share information within the scope of authorization.

Data sharing shall follow the principles of legality, legitimacy, necessity and minimum use. The collection, use and sharing of personal information should also follow the "principle of minimum use", that is, when a specific activity can be carried out with or without personal information, try not to use it; when it is necessary to use it and the permission of the obligee has been obtained, use as little as possible. In addition, other relevant rights of information obligees should be respected in the process of data sharing.

(The author Wang Liming is the executive vice president and professor of Renmin University of China)

(Editor in charge: Li Yan)
