YU Wenguang* & ZHENG Zixuan**

 

Abstract: The protection of personal information plays an extremely important role in the construction of digital government. The duty to inform is a prerequisite core obligation that the government should fulfill in processing personal information, a concrete expression of the right to self-determination of personal information, and a prerequisite for the right to protection of personal information that works as a fundamental right to defense the intrusion from the government, as well as a procedural regulatory tool to restrain the government’s information power and prevent the risk of infringement. As the rules on the processing of personal information and the duty to inform have both the nature of public law, the government’s processing of personal information is also public law in nature, especially because of the constitutional value and power control function of the duty to inform, the construction of a system for the duty to inform cannot be copied from the rules applicable to private subjects, but should be tailored to the public law characteristics of the government’s processing of personal information, overcoming the shortcomings of the current rough and fragmented legislation, and set up a systematic regulation based on the public law in term of the legal subject, procedure, content, consequences of obligation violations and legal protection.

 

Keywords: protection of personal information · government’s processing of personal information · duty to inform · theoretical basis · system construction

 

China has entered the digital age and the comprehensive digitalization of all areas of life is under way. The construction of a digital government is in full swing. For example, such pilot reform measures as “all-in-one online office,” “instant approval” and “instant handling” of government affairs, “electronic ID card” have effectively enhanced the efficiency, precision and intelligence of government and social governance, and promoted smart and convenient services for the people. But it should not be ignored that the digital government system collects, stores, and processes massive amounts of personal information of citizens. Once such comprehensive, true, and massive personal information is disclosed or abused, it will threaten the personal, property and information security of individuals and may endanger public security and even the overall security of the country. It can be said that data security is the lifeblood of a digital government, and protection of personal information is the bottom line of the digital economy.¹ In the digital age, we must strengthen the legal rules on the government’s processing of personal information and establish corresponding special rules, because the government processes personal information mainly to perform legal duties or obligations, or provide public services. The legal basis for their processing of personal information, the legal relationship with the information subject and the nature of the government’s information processing are all different from those of the personal information processing by private entities.² Therefore, the informed consent rules on the government’s processing of personal information have their own particularities, which cannot completely copy the rules of private law subjects’ processing of personal information. It is necessary to carry out theoretical and normative legal construction based on the characteristics of public law. The Personal Information Protection Law(hereinafter referred to as “Information Protection Law”), which came into effect on November 1, 2021, covers the processing of personal information by both private entities and state organs. Although, in Chapter II “Regulations for Personal Information Processing”, there is a section with stipulations on the processing of personal information by state organs, it simply specifies the general application of the “informed consent” rule, and does not fully emphasize the particularity of public law for the government to process personal information, except the provisions on minor exceptions. The criticism of the informed consent rule in the theoretical circle mostly comes from civil law scholars, and is mainly targeted at the problems arising from the processing of personal information by private entities according to the rule, such as the inherent defects of the rule, alienation phenomenon, conflict with the social nature of personal information and the development of the big data economy.³ From the perspective of public law, this paper focuses on the duty to inform for the government’s processing of personal information. Starting from practical problems, it explains the theoretical basis, discusses how to regulate the government, the largest personal information processor, from the perspective of the duty to inform based on the newly implemented protection of personal information law, thus effectively protecting the lawful rights and interests of information subjects, and ensuring that the digital government operates on the track of the rule of law.

 

 

Informing in relation to personal information processing means “providing the information related to personal information processing to the personal information subject, so that it can understand the relevant rules of personal information processing.”⁴ Informing is the core component of the “informed consent” system. The informed consent system refers to the system whereby the personal information processor is obliged to fully inform the information subject about the collection, processing and utilization of personal information during the collection of personal information, and obtain the explicit consent of the information subject.⁵ Informed consent is seen as the cornerstone of protection of personal information and the concrete expression of the right to self-determination of personal information.⁶ That is, based on the idea of self-determination, an individual has the right to decide when and to what extent his personal information can be disclosed. The right to self-determination of personal information aims to ensure that individuals have the right to decide whether their personal information can be disclosed or used.⁷ As a core rule, informed consent has been established in the Information Protection Law and is applicable to the government, but there are still many issues to be discussed on to how to implement it. Due to limited space, this paper only discusses some issues about the duty to inform. In general, there are many inadequacies in the system of the duty to inform in relation to the government’s processing of personal information both in legal norms and in administrative practice.

 

First, the current legal norms neither regulate the duty to inform for the government’s processing of personal information systematically and comprehensively, nor highlight the public law characteristics of the government’s processing of personal information. Article 17 of the Information Protection Law stipulates how and what information should be disclosed, but it is a general regulation that applies to both non-government personal information processors and the government. Although Article 35 of the Information Protection Law emphasizes that state organs shall perform the duty to inform when processing personal information in order to perform their statutory duties, it only stipulates the circumstances where confidentiality shall be kept and where disclosure will hinder the state organs from performing their statutory duties, and does not make systematic, specific and detailed provisions for the particularity of the government’s processing of personal information in terms of the disclosure subject, procedures, methods, legal responsibility and ways of relief. Other existing regulations are also cursory. For example, Article 41 of the Cybersecurity Law only provides in general terms that network operators shall “disclose the rules on collection and use, explicitly state the purposes, means, and scope for collecting or using information,” but it does not stipulate specific rules and possible exceptions about various elements of the duty to inform. Besides, there are no special provisions on the duty of the government to inform when processing personal information which is different from that of private law subjects in other existing laws. Even if there are special provisions, they are relatively fragmented and not very practical. For example, the E-commerce Law only stipulates the permissible use of personal information by the government, that is, the government should “abide by the provisions of laws and administrative regulations on the protection of personal information”; although Article 111 of the Civil Code stipulates that the subject of the duty to protect personal information is “any organization or individual,” including government and other state organs, it has few specific provisions on the duty to inform, and does not clarify the differences between governmental and non-governmental entities in the rules of personal information processing such as the duty to inform. In practice, these rough or scattered legal provisions will increase the difficulty of the government’s duty to inform and reduce the operability of duty performance and supervision.

 

Second, there are many problems in the administrative practice of the government’s processing of personal information because of the lack of explicit and specific legal provisions and awareness of protecting citizens’ personal information, such as the non-standard performance of the duty to inform, or little or no disclosure. According to the research of scholars, the operation of many huge government databases is neither open or transparent, nor restricted by laws or administrative regulations on the protection of individual rights. The personal information of citizens is often collected, stored, disclosed, or shared without their knowledge, and their fundamental rights such as the right of privacy, personal dignity and even personal freedom are infringed upon. For example, personal information errors in police work may lead to wrongful arrest or compulsory administrative measures.⁸ The 2020 national census has raised concerns among the public about the protection of personal information because of its collection of sensitive personal information such as ID card numbers and housing information.⁹ According to our personal experience, census takers did not use electronic collection devices that can encrypt and protect data when they collected personal information, but filled in paper forms. Besides, they neither disclosed the purpose and legal basis of the census, and rights and duties of census objects in accordance with Article 23 of the Regulations on Population Census of China, nor answered our questions about the retention period of sensitive personal information. For another example, when we scanned the code for personal information registration through the Health Kit applet, it only displayed the following prompt message: “Your personal information will be saved in the government cloud of XX city, and only be used for government epidemic prevention tracing and related work. The place where the code is scanned for information registration only shows your personal information that is not sensitive.” However, the legal basis, rights and duties of the information subjects, information retention period and other important content were not disclosed.

 

Certainly, based on the technical characteristics of big data processing, it may be difficult for the government to fulfill its duty to inform in some cases in the big data age, which highlights the dilemma of protection of personal information in the use of big data. Data and traditional factors such as land, labor, capital, and technology are listed as the five major factors of production in China¹⁰. The efficient allocation of data factors is a key link to promote the development of digital economy. Big data plays an important role in social governance and the construction of a digital government.¹¹ The wide application of big data in various fields has posed great challenges to the original mechanism for the protection of personal information, i.e., the informed consent system. Because the value of data mainly lies in the secondary utilization and aggregate analysis of the original information and data, and will be anonymized and desensitized, it is difficult for the data processor to inform the information subject and obtain the subject’s consent. If specific personal information must be identified from the highly fused data, the cost will be extremely high. According to Article 42 of the Cybersecurity Law and Article 4 of the Information Protection Law, anonymized information is no longer personal information and will not be constrained by the rules of personal information processing. However, it must be pointed out that based on the rapid development of data technology, data anonymization is just a strategy in the era of small data. In the era of big data, different databases integrate with each other, so it is not hard to find out personal information and figure out the personality profile with it through big data analytics.¹² Thus, anonymization cannot eliminate the risk of personal information rights and interests being infringed on. How to balance the rational use of personal information and the protection of personal information rights and interests in the era of big data and escape from the dilemma of the informed consent rules is a worldwide problem that must be solved in legislative practice and theoretical research. 

 

In order to fundamentally solve the prominent problems in the above legislation and administrative practice, and systematically establish a system of duty to inform that conforms to public law characteristics for the government’s processing of personal information, it is necessary to deeply explore the theoretical basis of the duty to inform for the government’s processing of personal information, so as to provide theoretical guidance and support for the system construction 

 

 

From a theoretical perspective, the government’s processing of personal information is different from that by private entities and has distinct nature of public law, which are reflected in the following four aspects: The public law nature of “general prohibition and exception permission” of personal information processing, the public law characteristics of the government’s processing of personal information, the fundamental right protection function of the duty to inform, and the value of the duty to inform as a procedural tool to restrict the government’s information power, which will be described respectively below:

 

 

Article 13 of the Information Protection Law of China clearly stipulates the general rules for personal information processing, that is, personal information can be processed only in the seven circumstances listed in the law. Article 6 of the GDPR has similar provisions. In legal dogmatics, this provision belongs to the “general prohibition with permission conditions” in the public law, that is, the processing of personal information is prohibited under general circumstances, and only permitted when the legal circumstances are met.¹³ This is obviously different from the principle of autonomy of will in private law and the basic code of conduct in private law, that is, what is not prohibited by the law is permitted. The fundamental reason for this general prohibition is that the right to personal information is regarded as a fundamental right, which is strictly protected by the Constitution and the law as well as the principle of legal reservation.¹⁴ The implementation of such strict protection of “general prohibition, exceptional permission” in public law can be attributed to the main motivation of protection of personal information legislation in all countries in history. That is, with the application of the super computer technology in the 1960s, the ability and scope of the government’s automatic processing of personal information has increased dramatically. The huge database established can collect, store and process personal information on a large scale, which poses a great threat to the right to privacy of citizens. In order to restrict the government’s abuse of its information power and protect citizens’ fundamental rights, European and North American countries enacted privacy laws or protection of personal information laws one after another in the 1970s, such as the 1970 Personal Information Protection Law of Hessen, Germany, the 1973 Personal Information Protection Law of Sweden, and the 1973 Privacy Law of the United States. These protection of personal information laws are all targeted at government departments, and their main purpose is to regulate and limit the collection and use of personal data by public departments.¹⁵ In short, the main reason for enacting the protection of personal information law is to prevent the government from infringing on the fundamental rights of individuals when collecting and processing personal information. The right to personal information has gradually been upgraded from a civil right to privacy to a fundamental constitutional right.¹⁶ According to the basic principles of a country under the rule of law, the government should not interfere with fundamental rights without legal authorization and legitimacy. Therefore, the protection of personal information rules on the protection of fundamental rights have the nature of public law, and the processing of personal information is generally prohibited unless there is a lawful exception permission. Lawful exception permission is generally based on the consent of the information subject or legal authorization. Namely, for the subject of private law, its processing of personal information must be based on the consent of the information subject or necessary for the conclusion and performance of a contract. For the government, legal authorization is the legal basis for personal information processing. For example, the processing of personal information is for the purpose of fulfilling a statutory duty or duty, responding to a public health emergency, or protecting life, health, property, or other vital legal interests in emergency. Informing is the premise of consent, the guarantee of the information subject’s right to know, and the duty to be performed by all personal information processors. It does not have the negotiation space based on autonomy of will, and naturally has the nature of public law.

 

 

Different from the processing of personal information by private entities such as e-commerce, online social media or mobile app operators, the government’s processing of personal information has the distinct nature of public law.¹⁷ The main differences between the two are as follows: First, they have different legal bases for personal information processing. A government processes personal information mainly based on legal authorization, with the aim of performing its legal duties or obligations, while the subject of private law processes personal information based on the consent of the information subject according to the principle of autonomy of will. Second, the nature of the legal relationship with the information subject is different. A government’s processing of personal information according to its statutory authority is an act of exercising the administrative power of information, characterized by unidirectionality and authority. It has an unequal administrative legal relationship with the information subject and is conducted for administrative purposes or the legitimate purpose of maintaining public interests. Generally, it does not require the consent of the information subject. Instead, sometimes the information subject needs to work with it. For example, Article 4 and Article 16 of the Regulations on Population Census of China stipulate that census objects shall provide information for the census in a truthful, accurate, complete, and timely manner, and shall not refuse to do so. Also, Article 24 of the Regulations also specifies the legal liability of census objects for refusing to provide information or providing untrue and incomplete information. However, the subject of private law processes personal information with the consent of the information subject, which is a kind of independent activity of the civil subject. There is an equal civil legal relationship between the two.¹⁸ Third, in terms of the nature of information processing, the government’s processing of personal information is a kind of administrative activity, which can be regarded as a special administrative factual behavior. Generally, it does not directly affect the substantive rights and duties of the information subject. Moreover, such factual behaviors are often invisible from the outside, especially in automated decision-making using big data analytics or algorithms. In administrative law dogmatics, it can be included and systematically regulated by expanding the concept of pure administrative activity or administrative factual behavior.¹⁹ The processing of personal information by the subject of private law is a civil legal act of both parties based on “consent”. In view of the above-mentioned three aspects of essential differences between the government and the subject of private law in the processing of personal information, different regulation methods and intensity levels should be used for the two.²⁰ Therefore, when building the system of the duty to inform for the government’s personal information processing, the disclosure rules applicable to the subject of private law should not be copied directly, but a systematic structure should be established under the framework of public law.

 

 

It is of great significance that the first article in the third draft of the Information Protection Law added the provision “in accordance with the Constitution,” which suggests that the protected rights and interests of personal information are civil rights and fundamental rights protected by the Constitution, thus responding to the consensus gradually reached in the field of public law: The right to personal information or protection of personal information is a fundamental right.²¹ Although the right to personal information is not clearly stipulated in the constitutional text in China, it can also be justified that the right to personal information is a fundamental constitutional right in China through the explanation and logic deduction of existing clauses and general rights clauses. First, the clause on personal dignity in Article 38 of the Constitution can serve as a constitutional basis for the right to personal information. Although there are still disputes in the academic community as to whether this clause is a specific fundamental rights clause or a principled rights protection clause, it does not affect the interpretation of the new fundamental right of protection of personal information in this clause according to the “Penumbra Theory”²² in American constitutional law, because human dignity itself contains the meaning that people have fundamental rights on the one hand; and on the other hand, human dignity is the logical starting point and value connotation for fundamental constitutional rights. Besides, based on the general clauses on the protection of human rights in Article 33 of the Constitution, it provides room for the right to personal information to be included in the list of unenumerated fundamental rights as a fundamental human right.²³

 

The primary function of fundamental rights is to defend against state interference, restriction and infringement of civil rights and freedoms.²⁴ Theoretically, it is based on the “negative status” defined by Jellinek in the four relations between the state and its citizens, that is, the negative status of individuals free from state interference.²⁵ Specifically, the defense function of fundamental rights refers to that “citizens may request the state not to infringe upon their interests protected by fundamental rights. When the state infringes upon such interests, citizens may directly request the state to stop the infringement according to the provisions of fundamental rights.”²⁶ As a fundamental right, the right to personal information also has the defense right function. The subject of the information right may request the government to passively not infringe on personal information rights and interests of citizens by inaction, or request it to stop the behavior or eliminate the influence when the infringement occurs. But citizens must know when and how the government processes their personal information before they exercise the defense right. Namely, informing is the prerequisite for the defense function of fundamental rights to be exerted. Only by informing the information subject, can we ensure that the information subject knows the information processing behavior and infringement, so that targeted requests can be made. To put it bluntly, in the context of protection of personal information, the right to know is often exercised in a passive way. If the information processor does not actively inform the information subject, the information subject will not be able to exercise the right to know, nor the right to defense.²⁷ Therefore, all information processors must fulfill the duty to inform, which is an essential prerequisite for the legitimacy of personal information processing. The duty to inform is of greater significance for the government to process personal information, because it is also an effective procedural tool to restrict administrative power.

 

 

As mentioned above, the government’s processing of personal information is an embodiment of their exercise of information administrative power, which is a kind of information administrative behavior and a special administrative factual behavior.²⁸ Moreover, with the promotion of e-government and digital government in the era of big data and artificial intelligence, as the largest personal information processor, the government is at great risk of abusing its administrative power to infringe on the personal information rights and interests of citizens. Therefore, it is necessary to regulate the information administration in all aspects. Among them, the most effective regulatory tool is the principle of due process. That is, the government must inform the information subject or disclose the relevant algorithmic logic of automated administration before processing the information, to prevent any risk of infringement and restrict administrative power at the source. The due process principle in administrative law also keeps pace with the times and a technological due process theory is established to cope with the challenge posed by automated administration and algorithms to the traditional due process theory. While affirming the advantages of automated administration and other information processing behaviors, this theory establishes a set of “technological due processes.” Specifically, algorithms should be open and transparent and characterized by process consistency; algorithms should be interpretable and can provide relevant logic and substantive information for decision making; decisions can be questioned. With the aid of professionals, algorithms can be reviewed and corrected if there are any errors. In short, technological due processes that are fair, transparent and accountable can be used to regulate automated administration and protect individual procedural rights such as the right to know, the right to dissent and the right to participate.²⁹ When processing personal information through automated administrative procedures, the government should follow the above technological due process, inform the counterpart of the information processing behavior and comply with the relevant algorithm disclosure rules.

 

The logic of informing procedure restricting administrative power lies in the alleviation of information asymmetry between the government and the information subject. Information asymmetry is also one of the main reasons why the current consent system is often criticized. For example, for many of the huge government databases mentioned above, the information subject does not know when personal information is collected, how it is collected and how it will be used, so the information subject cannot judge the legality and rationality of the government’s processing of information. If the duty to inform is not strengthened as a power control tool, the personal information rights and interests of citizens can hardly be protected well only by the government’s self-regulation. Meanwhile, the informing procedure also reflects the Individual Participation Principle³⁰, and highlights the subjective status and self-determination right of citizens in the big data age by protecting the participation right of the information subject. On the one hand, the information subject must participate in information processing activities and exercise the right to information self-determination under the premise of full knowledge, while the full knowledge is based on the premise of the information processor’s active informing. Therefore, the duty to inform is the logical starting point to guarantee the information subject’s effective participation in administration and subject’s exercising of the right to personal information self-determination. On the other hand, only on the basis of informing, the information subject can exercise the right of defense and other rights in a targeted manner, such as the right of refusal, the right of inquiry or the right of deletion in law, so as to prevent the risk of infringement in time and effectively.³¹

 

 

Exactly because of the public law nature of the personal information processing rules, the public law characteristics of the duty to inform, and the public law nature of the government’s processing of personal information, especially the constitutional value of the duty to inform (that is, the duty to inform is a prerequisite for exerting the defense function of the right to personal information, as a fundamental constitutional right, and an effective procedural tool to restrict the information power of the government and prevent the risk of infringement), in view of the public law characteristics of the government’s processing of personal information, we should make up for the defects of the current cursory and fragmented legislation, and establish a system of the duty to inform for the government’s processing of personal information in a systematic way on the basis of absorbing the reasonable components of basic rules applicable to the processing of personal information by private entities. Combined with the Information Protection Law, the following text will make a comprehensive study and discussion from the aspects of legal subjects, procedures, content, exceptions of notification, consequences of violation and relief.

 

 

 

The subject performing the duty to inform generally refers to the actual processor of personal information. “Actual processor” is highlighted mainly due to the following two considerations: First, the “processing” of personal information is a prerequisite for the duty to inform. When individuals appear in public places, their physical appearance and other personal information will also be exposed, but regulating such situations that do not involve information processing is not necessary and may increase the costs and disputes of legislation and compliance.³² Second, actual processors include administrative organs in the narrow sense and organizations authorized by laws and regulations and organizations entrusted by administrative organs, rather than limited to “personal information processors” stipulated in the Information Protection Law, ³³ because administrative organs do not always process personal information by themselves. Many government databases are authorized by laws and regulations or entrusted by administrative organs to process citizens’ personal information, so the subject performing the duty to inform should also include authorized or entrusted organizations, which are confirmed in Articles 37³⁴ and 59³⁵ of the Information Protection Law.

 

Another issue that needs to be noted is the duty to inform in the situation where the government obtains personal information from a third party or provides personal information to other agencies by data sharing. In the above two cases, the government is the actual processor of personal information and is required to fulfill the duty to inform. The Information Security Technology: Guidelines for Personal Information Notice and Consent (Draft for Comments) (hereinafter referred to as “Guidelines for Notice and Consent”) issued on January 12, 2020 provides detailed provisions in this regard, which can be used for reference.³⁶

 

 

The object of notification, that is, the recipient of the notified content, usually refers to the subject of personal information. As mentioned above, the government’s processing of personal information can be regarded as an administrative factual behavior, which should also comply with the rules of administrative procedures and the government should inform the affected information subject.

 

Additionally, in order to fully protect minors, the academic community has basically reached a consensus that when processing the personal information of minors, their guardians should be informed. It is worth noting that although the Information Protection Law shows the legislative intention that the government should actively know the age of the information subject, such a requirement is likely to be ignored because it is too difficult.³⁷ Based on whether minors are the main audience of the products or services provided, Appendix A of the Guidelines for Notice and Consent provides different verification methods, which are feasible to some extent and can be referred to.

 

 

 

The duty to inform should not just exist before the collection of information, but throughout the life cycle of information processing. Once the purpose of information processing changes, the information subject should be informed so as to realize the principle of purpose limitation. Specifically, the information subject should be informed on the following occasions:

 

First, before the processing of personal information. Collection is the premise for implementing other information processing activities. In most cases, it is the same subject who collects and implements the subsequent information processing activities. In principle, it is only needed to fulfill the duty to inform during the collection of personal information. The time of notification should be no later than the time of information collection. In this way, the participation of information subjects can be guaranteed to the greatest extent, the subjectivity of individuals can be demonstrated, and the whole-process supervision of the administrative power of the government can be truly realized. If a new government agency is involved in the information processing, it should also perform the duty to inform by the time the information is processed at the latest.

 

Second, when the content of notification changes. The value of personal information is highly amplified in the process of aggregation and reuse, but what is supposed to be informed may change. In order to protect the information subject’s rights to know and to participate, the information subject should be re-informed of the latest information. It is worth noting that such notification does not have to be made prior to the change. Unless in case of providing personal information to others or processing information beyond the minimum utilization principle or other changes that require the consent of the information subject again, the information subject may be informed within a reasonable timely period afterwards.

 

Third, after the occurrence of a special situation. It is a powerful complement to the above two situations. In case of special circumstances where the information subject cannot be informed in advance, such as disclosure of personal information, emergency investigation and punishment in administrative law enforcement, or prevention of concealment and loss of evidence, the information subject can be informed after the elimination of special circumstances in order to protect its rights as much as possible, on the basis of protecting life and property safety and not hindering the government’s performance of its duties.

 

 

In general administrative procedures, there are many different forms of notification, including written notification, oral notification, specific notification and non-specific notification. This classification also applies to the government’s duty to inform in the protection of personal information.

 

The difference between written and oral notification mainly lies in whether there is a written document. Despite the provisions on written notification in some laws and regulations, such as the explicit requirement for written consent in Article 18 of the Regulation on the Administration of Credit Investigation Industry, there is no legal norm that specifically requires the government to inform in writing. Articles 14 and 29 of the Information Protection Law also stipulate that where other laws or administrative regulations provide that written consent shall be obtained for the processing of personal information, such provisions shall prevail, which indicates that both written and oral notifications are legal and desirable in general. However, given that written notification can leave records for administrative law enforcement, its advantages are relatively more significant. On the one hand, it is conducive to forcing the government to effectively protect individual rights, and on the other hand, it can provide evidence for the government’s liability exemption. Therefore, notification should be made in written form generally. Besides, due to the popularity of electronic documents, electronic written notification also has the advantages of high efficiency, convenience, low cost, and easy storage.

 

The government’s duty to inform in protection of personal information also involves specific notification and non-specific notification based on whether the objects of notification are specific or not. For the information processing with specific notification objects, notifications can be made online and offline in business practice, mainly by popups and direct delivery, which can be used by the government. Besides, the government can also use traditional methods such as phone calls, text messages and emails as mentioned in the Guidelines for Notice and Consent to make specific notifications to the information subject on a one-to-one basis.³⁸

 

Non-specific notification applies to situations where the objects of notification are not specific, the notification content is the same, and express consent of the information subject is not required, such as the notification made by an automatic thermometer when it collects a person’s body temperature. The methods of notification generally include setting up information signs, issuing announcements or rules, etc. For example, Article 17.3 of the Personal Information Protection Law stipulates the method of “formulating personal information processing rules;” and Appendix D of the Guidelines for Notice and Consent also recommends that the text of the rules be made available for review at user clients, information offices, counters, offices, etc..

 

It is particularly worth pointing out that according to Article 26 of the Personal Information Protection Law, where image collection and personal identification equipment are installed in public places for the purpose of maintaining public security, prominent signage must be in place. However, when the government collects sensitive personal information or carries out monitoring or personal identification through face recognition and other digital means according to the law, it should not be deemed to fulfill the duty to inform by setting up prominent information signs only. They should also disclose the location and legal basis for the installation of monitoring and identification devices in public places, the purpose of maintaining public security, the data type and quantity collected, processing methods after information collection, and retention period in a unified way by publishing rules.³⁹

 

In the case of specific objects of notification, such objects should be informed one by one preferentially, considering the full protection of the rights and interests of the information subject. Only when it is very difficult to do so or the cost is too high, can the method of non-specific notification such as announcements be used.

 

 

Article 17 of the Personal Information Protection Law clearly stipulates that a personal information processor shall, before processing personal information, truthfully, accurately, and fully inform an individual of the specific matters in an easy-to-notice manner and in clear and easy-to-understand language. Specifically, for the government’s processing of personal information, the information subject shall be informed of the following content before the information processing:

 

 

As mentioned above, before processing personal information, the government should inform the information subject of the actual information processor and other relevant subjects, namely, administrative organs in the narrow sense, organizations authorized by laws and regulations, and organizations entrusted by administrative organs, as well as any third party knowing the information to be processed or other administrative subjects who share the information. Such disclosure is conducive to the smooth processing of information by the government, because such disclosure can endorse the security of the information processing behavior, thus urging the information subject agree to provide its information based on the trust in the government when there is no legal duty. Additionally, only by clarifying the relevant subjects processing personal information, the information subject can carry out the supervision and rights protection in a targeted and effective way.

 

 

The purpose and basis of information processing include the purpose of the government’s information collection and utilization, and the legal or factual basis that can prove the authority of the government to process information.

 

Article 6 of the Information Protection Law stipulates that personal information processing shall be based on explicit and reasonable purposes and directly related to those purposes. In our opinion, “explicit and reasonable” means government’s specific and clear purposes in personal information processing, and it matches the responsibilities of the government. “Specific” requires that the government should avoid such general statements of purposes as “protecting public interests”, “conducting public management” and “providing public services” when processing personal information. In this connection, some scholars believe that government departments should take public management as the purpose of information processing, no matter what specific responsibilities they have, so it is unnecessary to make repeated notifications in view of information circulation or sharing between government departments.⁴⁰ However, concepts such as “public management” are extremely broad, which makes the separation mechanism of information processing between government departments almost ineffective. Although data interconnection, integration and analysis can effectively enable the construction of digital governance, it undoubtedly increases the infringement risk of a “technology Leviathan,” as well as the difficulty in controlling power.⁴¹ Moreover, “public interests” do not necessarily take precedence over individual information rights and interests. Therefore, the government must inform the information subject of their specific purposes of personal information processing.⁴²

 

The necessity and purpose limitation principle emphasizes the line of personal information processing. That is to say, only the information processing necessary for the attainment of the purpose can be conducted, and the information processing unrelated to the purpose should not be conducted. Besides, any subsequent use of the information should not be contrary to the given purpose, unless it is for public interests, scientific or historical research, and statistics. Although, compared to the draft, Article 6 of the Information Protection Law, which is in effect, adds the statements “shall be directly related to the purpose of processing” and “personal information shall not be excessively collected,” and explains the necessity and purpose limitation principle, and Articles 13.1.3 and 34 emphasize that the government’s processing of personal information “is necessary for the performance of statutory duties or statutory duties” and “shall not exceed the scope and limit necessary for performing their statutory duties” respectively, there is still a lack of operability on how to understand and define elements such as “direct” and “necessary,” and how to strike a balance where multiple purposes and conflicts of interest arise. In this regard, it is appropriate to draw on the guidelines issued by the European Data Protection Supervisor in December 2019 on the principle of proportionality for personal data protection. The guidelines provide practical tools and a checklist for law and policy makers to evaluate whether the intervention of relevant measures on the fundamental right to personal data meet the principle of proportionality or not.⁴³

 

Besides, the information subject should also be informed of the authority of the government to process personal information. Unlike non-government entities, not all government organizations are entitled to directly process personal information based on the principle of statutory responsibility of government entities. For example, according to Article 1 of the Notice on Protection of Personal Information and the Use of Big Data to Support Joint Prevention and Control, only organizations authorized by the health department of the State Council in accordance with the law have the right to collect and use personal information without the consent of individuals during the COVID-19 epidemic period. Therefore, the government should also clarify the basis of its authority when performing the duty to inform, so also facilitate the information subject judging legitimacy of its behavior.

 

 

The scope of the information involved refers to the type of information collected and used by the government, and the time period for processing such information. The “type of information” refers to personal information items such as name, ID number and nationality, while “processing period” refers to the duration of information processing. For example, some software will still run in the background and continue to process personal information after the interface is closed. Therefore, if the information processing behavior continues, the government should clarify it, so that the information subject fully understands the scope of the information being processed.

 

 

The methods of information processing refer to the processing actions taken by the government for personal information, namely collection, storage, use, processing, transmission, provision, publication, deletion, etc. of personal information specified in Article 4 of the Information Protection Law. The retention period of personal information is generally stipulated in the protection of personal information laws, but it is rarely mentioned in the government notification. Article 17.1.2 of the Information Protection Law also stipulates that the personal information processor shall inform the information subject of the retention period of the information. According to Article 19, the period refers to “the minimum time necessary to achieve the purpose of processing.” However, due to the uncertainty in the progress of government work, the retention period of information may not be clear at the time of notification. For example, in the context of normalized COVID-19 epidemic prevention and control, some epidemic prevention information may be stored for a long time and used irregularly. Perhaps for this reason, the government often ignores this content when processing personal information. For example, I checked the health codes of many provinces and cities in the column of “Health Code” of Alipay, and found that it only shows that the information is used for epidemic prevention, while the retention period of relevant personal information is not displayed. In contrast, GDPR is more operable and can be used for reference. Article 14(2)(a) provides that if a definite retention period cannot be given, there shall be a standard for determining the retention period.

 

 

When the government takes general administrative actions, it will inform the administrative counterpart of the right to apply for hearing, state and defend, and the administrative counterpart can also obtain relief by filing an administrative reconsideration or administrative lawsuit. In terms of protection of personal information, informing the information subject of its rights and relief ways of rights should also be included in the duty to inform of the government. Among them, the rights mainly refer to that the information subject can apply for checking, copying, correcting, supplementing, deleting its personal information or take other measures on its personal information. According to Article 50 of the Information Protection Law, where an individual’s request to exercise his rights is rejected by the government, the individual may file a lawsuit with the people’s court in accordance with the law. The ways of relief shall be specified as the content to be notified. 

 

 

The government should pay attention to the following situations when fulfilling its duty to inform:

 

First, the content of notification varies with the time of notification. As mentioned above, notifications are generally made before the processing of personal information, when the content of notification changes and after the occurrence of special circumstances. The content of notification made before the personal information processing and after the occurrence of special circumstances should be as exhaustive as possible, while it need not be exhaustive if an additional notification is made by the government because of a change in the original content, but it should clarify the reason and content of the change, and the influence that the change will have on the information subject and ways for the information subject to seek relief. Otherwise, this important information will be buried in the numerous terms and conditions of consent, which will be contrary to the original intention of the additional notification.

 

Second, the content of notification varies with the method of notification. By some methods of notification, what needs to be informed cannot be fully informed. In certain cases, the method of notification can only be adopted according to the severity of the situation, and the content of each notification does not need to be exhaustive. The most typical one is the notification in the case of image monitoring and personal identification. When the information subject enters a circle of a specific radius with the monitoring device as the center or is close to an identification device, the device will collect images or identify the information subject in real time. Therefore, the information subject can be informed immediately only by eye-catching prompts. A lengthy announcement will be inefficient and useless in that case. Of course, this does not mean that the government’s duty to inform is weakened, since the methods of notification are not mutually exclusive, and the government can make a unified explanation by issuing public announcements in advance. For example, Article 16.2 of the Provisions on the Procedures for Punishing Illegal Acts of Road Traffic Safety stipulates that “the location of fixed traffic technology monitoring equipment shall be made public to society.” In order to make the object of notification understand the content that is disclosed in a unified way, the object of notification should also be informed of the ways to understand the detailed notice. For example, the Guidelines for Notice and Consent suggests ways to obtain more relevant information be disclosed in addition to setting up eye-catching signs, and the object of notification be guided to view more detailed information by “For details, please see...”.

 

Third, the content of notification varies with the type of information. As specified in Article 28 of the Information Protection Law, once sensitive personal information is leaked or illegally used, it may easily lead to the infringement of personal dignity of a natural person or may endanger his personal or property safety. It is generally believed that general information and sensitive information should be protected separately, to balance the protection of individual rights and the use of personal information.⁴⁴ Considering that the leakage or misuse of sensitive information will cause greater damage, the government should provide stronger protections for sensitive personal information, reduce administrative costs by differentiating protections, and set stricter necessity and purpose limitations for collecting sensitive information on the basis of following the principles of proportionality and interest balancing. The content of the relevant notification should also include the necessity of processing such information and the influence on individual rights and interests, and the consent of the information subject should be obtained generally.

 

For example, facial information is unique and cannot be modified. It is the biometric information in sensitive personal information, which has the strongest social nature and is the easiest to collect. Once it is leaked, it will cause great harm to personal and property safety, and may even threaten public security. Therefore, when processing facial information, the government must also comply with the rules on sensitive personal information processing in the second section of the Information Protection Law. Besides, the national standard Information Security Technology — Requirements for Security of Face Recognition Data (Draft for Comments) published on April 23, 2021 also provides specific guidance for the legal processing of facial information by the government. According to the Information Protection Law and the above-mentioned national standard (draft for comments), unless otherwise stated in the laws and regulations, the government, when collecting data for face recognition, should inform the data subject of the collection purpose, necessity of facial information collection and influence on personal rights, data type and quantity, processing methods, retention period and other rules, and obtain an express consent from the data subject. Face verification or face identification can be carried out only when the security or convenience of the non-face recognition method is significantly lower than that of face recognition (e.g. person-to-certificate comparison in airports, railway stations, etc.). Face recognition data should not be used for other purposes than identity recognition, such as evaluating or predicting the job performance, economic status, health status, preferences, interests, etc. of the data subject. In principle, face recognition should not be used to identify minors under the age of 14. Non-face recognition methods should be provided at the same time, so that the data subject can choose which one to use. Besides, security measures should also be provided to protect the data subject’s right to informed consent.⁴⁵

 

 

In general, the government must fulfill the duty to inform when processing personal information, but there are exceptions. In this regard, there are more comprehensive provisions in the Information Protection Law. For example, Articles 18 and 35 of the Information Protection Law stipulate where it should be kept confidential or need not be disclosed according to the laws or administrative regulations, or where notification may hinder the performance of statutory duties. In our opinion, in the government’s processing of personal information, “shall be kept confidential” mainly means that it involves state secrets, and confidentiality provisions should be observed, so it may not be disclosed. “Need not be disclosed” is to reduce unnecessary notifications as much as possible based on the purpose of the administrative activities and the administrative benefit principle, including the following two situations at least: First, information exchange and sharing within the government for the same clearly established purpose. With the same purpose, the government agency receiving personal information is equivalent to an extension of the original agency, so the personal information is not provided to other subjects. However, this requires that the purpose of processing must be clear and specific, otherwise the duty to inform will exist in name only. After all, all administrative agencies can be connected based on the purpose of “public management”, so that personal information can be transmitted arbitrarily among administrative agencies and used to perform various functions. Second, information exchange between the government and the entrusted party when the government entrusts other organizations to process personal information. According to Article 59 of the Information Protection Law, the party entrusted to process personal information shall assist the government to fulfill its duty to inform. For convenience, the notification may be made by the entrusted party, but the entrusted party should disclose the “personal information processor” behind it. The transmission of personal information based on the trust relationship does not exceed the expectation of the individual based on the original content of notification, so there is no need to repeat the notification. The risk of “hindering the performance of statutory duties” is quite common in judicial and law enforcement. For example, for technical investigation and other behaviors, generally there is no need to perform the duty to inform, or it will greatly facilitate individuals to conceal or destroy evidence. However, this exception is invertible. After the performance of duties, there is no longer any possibility of hindering the performance. If the evidence has been fixed, further notification will not result in any loss or damage of the evidence, nor will it hinder the subsequent judicial process and law enforcement. At this time, the government should perform the duty to inform additionally to make prompts and start the relief procedure in time. 

 

 

It is generally believed that the legal liability of the government for violations and infringement of personal information processing is different from that of the subject of private law, which is also reflected in the GDPR. For example, high fines are not applicable to administrative organs. The legal liability stipulated in Chapter 7 of the Information Protection Law is mainly for the subject of private law. For example, Articles 66 and 71 stipulate the administrative penalties for the processing of personal information in violation of the Information Protection Law. Article 68 stipulates the legal liability of state organs for failing to fulfill the duty of protecting personal information and the illegal use of rights by relevant staff. Article 69 provides for the liability for infringement damage compensation under the presumption of imputation. In our eyes, the original intention of this arrangement is that some governments are personal information processors and departments responsible for the protection of personal information. Under the “general + special” mode, for the former, the government will be subject to the provisions of Articles 66, 69 and 71 for its illegal processing of personal information, while for the latter, the government will be subject to the punishment under Article 68 for its improper performance of duties. However, Articles 66, 69 and 71 can hardly be applied to the government’s illegal information processing. Article 68, as the only specific provision for the government, provides only for internal administrative and criminal liabilities. Compared with the draft, the Information Protection Law, which is in effect, adds the right of individuals to sue when their exercise of rights is refused.⁴⁶ However, the administrative reconsideration, administrative litigation and state compensation systems, which are the most important measures against the government’s failure in the performance of the duty to inform, are not yet available.⁴⁷ Therefore, the current provisions of the Information Protection Law are not conducive to supervising administrative organs’ performance of the duty to inform, and the right relief of the information subject. The possible relief for the information subject is to use the administrative public interest litigation system indirectly. Although it is unclear whether the public interest litigation stipulated in Article 70 of the Information Protection Law covers the administrative public interest litigation, procuratorial organs in China have been actively conducting pilot programs to explore the administrative public interest litigation system in the field of protection of personal information. Up to now, the standing committees of 25 provincial-level people’s congresses have made decisions on strengthening procuratorial public interest litigation. Among them, 19 provinces have explicitly required procuratorial organs to carry out public interest litigation in the field of protection of personal information actively and steadily. On April 22, 2021, the Supreme People’s Procuratorate released typical cases of public interest litigation involving the protection of personal information, including six administrative public interest litigation cases. In the administrative public interest litigation where the People’s Procuratorate of Le’an County, Jiangxi Province urged the regulation of government information disclosure, for the disclosure of personal information of citizens that should not be disclosed by the administrative organ when performing its functions of government information disclosure, the procuratorial organ urged the administrative organ to make rectification in the performance of its duties according to the law and protect the security of personal information of citizens, by issuing a prelitigation procuratorial proposal.⁴⁸ In my opinion, it is very necessary to determine that the public interest litigation under the Information Protection Law includes the administrative public interest litigation through legal interpretation based on the provisions of the administrative procedure law. Namely, where a state organ fails to fulfill its duty to protect personal information stipulated by laws and administrative regulations, which results in an infringement of many individual rights and interests, the procuratorial organ may file an administrative public interest lawsuit according to Article 25 of the Administrative Procedure Law, for the reasons as below: First, in the big data age, the violation of personal information is generally “on a large-scale.” When the right to personal information of an unspecific majority of people is violated, the huge aggregation of individual interests is enough to raise the individual rights and interests to the height of public benefits. Second, as the identification function of personal information serves social interaction, the disclosure or abuse of personal information will affect the social order and security; Third, because the information processing of the government involves a large number of information subjects, and the strength difference between government organizations and information subjects is too large, the public interest litigation initiated by the national procuratorial organs which represent the public interests and have strong professional advantages and the ability to present evidence is more efficient and economic, greatly making up for the deficiency in individual rights protection, and conducive to the supervision of administration according to the law.⁴⁹

 

To sum up, in the era of digital government, the government has been extremely important subject of personal information processing. They must be bound by the principle of rule of law, conduct the activities of personal information processing on a clear and legitimate basis, perform legal duties as necessary, and follow strict requirements of purpose limitation.⁵⁰ Though the Information Protection Law, which is in effect, has made some provisions on the government’s processing of personal information, the public law characteristics of the administrative factual behavior of the government’s processing of personal information have not been fully recognized and noticed, and no systematic rules have been formulated in this regard. For example, there are no detailed rules on the particularity of informed consent for the government’s processing of personal information; and the provisions on the legal liability of the government for violating relevant regulations and the relief system for the subject of rights are relatively cursory. The duty to inform is a prerequisite core obligation that the government should fulfill when processing personal information. It is a concrete expression of the right to self-determination of personal information, a prerequisite for exerting the defense function of the right to protection of personal information, and a procedural tool to restrict the government’s information power and prevent the risk of infringement. This paper systematically discusses the duty of the government to inform when processing personal information from the theoretical basis of public law and concrete system construction, and emphasizes the constitutional value and power control function of the duty to inform as well as the public law construction of the system of duty to inform. It is hoped that this paper will provide intellectual reference for formulating specific rules on the government’s processing of personal information in the future.

 

(Translated by SHEN Jinjun)

 

* YU Wenguang ( 喻文光 ), Associate Professor of Renmin University of China Law School, Researcher of Renmin Law and Technology Institute, Renmin University of China.

 

** ZHENG Zixuan ( 郑子璇 ), 2018 Master of Law, Renmin University of China Law School.

 

1. Yu Wenguang, “Data Security Is the Lifeblood of a Digital Government”, Guangming Daily, June 12, 2021, 6.

 

2. Philipp Reimer, Verwaltungsdatenschutzrecht. DÖV 2018: S. 881 ff.,S. 866.

 

3. Main references: Fan Wei, “Reconstructing the Path to Personal Data Protection in the Big Data Age”, Global Law Review 5 (2016); Ren Longlong, “Consent Is Not the Legitimate Basis of Personal Information Processing”, Political Science and Law 1 (2016); Wan Fang, “The Principle of Informed Consent in Privacy Policy and Its Alienation”, Science of Law 2 (2019); Zhang Xinbao, “Collection of Personal Information: Restricting the Application of the Principle of Informed Consent”, Journal of Comparative Law 6 (2019); Ning Yuan, “The Adherence and Revision of the Informed Consent Rule in Protection of Personal Information”, Journal of Jiangxi University of Finance & Economics 2 (2020); Wan Fang, “‘Consent’ and ‘Consent Withdrawal’ in the Processing of Personal Information”, China Legal Science 1 (2021); Han Xuzhi, “The Dilemma and Solution of Informed-consent Rule in Protection of Personal Information — On the Relevant Provisions of the Personal Information Protection Law (Draft)”, Business and Economic Law Review 1 (2021). 

 

4. See Article 3.5 of the national standard Information Security Technology: Guidelines for Personal Information Notices and Consent (Draft for Comments) (released by the Standardization Administration of China on January 12, 2020). 

 

5. Qi Aimin, The Theory of Information Law (Wuhan: Wuhan University Press, 2010), 76.

 

6. Winfried Veil.Die Datenschutz-Grundverordnung: Das neue Kleider des Kaisers, NVwZ 2018:S.686.

 

7. Volkszählungsurteil, BVerfG 65, 1.

 

8. Sun Ping, “Protection of Citizens’ Right of Privacy in the Era of Huge Government Database”, Law Science 7 (2007): 7; Sun Ping, “Systematic Construction of the Basic Right Model of Legislation of Protection of Personal Information”, Law Science 4 (2016).

 

9. Chai Jing, “Will the Census Reveal My Privacy?”, WeChat Official Account Baomiguan, accessed January 3, 2022.

 

10. Opinions of the CPC Central Committee and the State Council on Improving the Systems and Mechanisms for Market-based Allocation of Factors of Production (released on April 9, 2020).

 

11. Ma Yanxin, et al., Digital Government: Change and Law (Beijing: China Renmin University Press, 2021), 3-14.

 

12. Wan Fang, “The Principle of Informed Consent in Privacy Policy and Its Alienation”, Science of Law (Journal of Northwest University of Political Science and Law) 2 (2019).

 

13. Jürgen Kühling/Benedikt Buchnei/Thomas Petri, Datenschutz-Grundverordnung Bundesdatenschutzgesetz Kom-mentar, 3.Aufl. 2020, Art. 6 Rn.1; Boris Paal/Daniel Pauly/Michael Frenzel, Datenschutz-Grundverordnung Bundes datenschutzgesetz Kommentar, 3. Aufl. 2021, Art. 6 Rn.1; Gero Ziegenhom.Katharina von Heckel Datenverarbeitung durch Privaten ach der europaischen Datenschutzreform. NVwZ2016, 1585 (1586).

 

14. Albers/Veit DS-GVO Art6, Rn.11ff, in Stefan Brink/Heinrich Wolff(hrsg.), Beck’scher Online-Kommen-tar Datenschutz,35.Edition 2021.

 

15. Peter Blume, “The Public Sector and the Forthcoming EU Data Protection Regulation”, European Data Protection Law Review (EDPL) 1 (2015): 32-38.

 

16. Sun Ping, “Protection of Citizens’ Right of Privacy in the Era of Huge Government Database”, Law Science 7 (2007).

 

17. Johannes Masing, Herausforderungen des Datenschutzes. NJW, 2012:S.2305.

 

18. Zhou Hanhua, Personal Information Protection Law of China (Experts’ Draft Proposal) and Legislation Research Report (Beijing: Law Press · China, 2006), 66.

 

19. Philipp Reimer, Verwaltungsdatenschutzrecht DÖV 2018: S. 881 ff.,S. 866.

 

20. Ibid.

 

21. Zhang Xiang, “On the Constitutional Justification of the Right to Personal Information”, Global Law Review 1 (2022); Wang Xixin and Peng Li, “Constitutional Basis of the Legal System for Protection of Personal Information”, Tsinghua Law Journal 3 (2021); Gao Fuping, “Protection of Personal Information: From Individual Control to Social Control”, Chinese Journal of Law 3 (2018); Zhou Hanhua, “Protection of Personal Information: A Fundamental Right of Citizens”, People’s Court Daily, March 21, 2005; Zhou Hanhua, “Legal Positioning of Protection of Personal Information”, Studies in Law and Business 3 (2020).

 

22. Justice Dauglas used the “Penumbra Theory” in his Griswold V. Connecticut (1965) judgment to infer and justify the establishment of the right to privacy in the Constitution of the United States, that is, in addition to the explicit rights enumerated in the Amendment to the Constitution, there are marginal rights. These marginal rights are included in the specific fundamental rights clauses established in the Amendment to the Constitution. For example, in the First Amendment, freedom of religion, and freedom of speech and press include freedom of association, freedom to choose public or private or missionary schools, etc.; the Third Amendment places restrictions on the quartering of soldiers in private homes in time of peace without the owner’s consent, which contains the content of the right to privacy; the Fourth Amendment prohibits unreasonable searches and arrests, which also contains the content of the right to privacy. (Gao Shengping, “Development of Personality Right from the Perspective of Comparative Law: A Case Study of American Privacy Right”,Studies in Law and Business 1 (2012): 34.

 

23. Yao Yuerong, “On the Justification of the Right to Information Self-determination as a Basic Right in China”, Political Science and Law 4 (2012).

 

24. Pieroth, Schlink. Grundrechte Staatsrecht II.28. Auflage, C.F. Muller, 2012: Rn.57, S.16.

 

25. Georg Jellinek, System der subjektiven ?ffentlichen Rechte.2. Aufl.1919:S.87.

 

26. Zhang Xiang, “On the Defense Right Function of Fundamental Rights”, The Jurist 2 (2005): 66.

 

27. Xiang Jinqiao, “Characteristics and Balance of Personal Information Rights and Interests”, Study and Practice 4 (2019).

 

28. Philipp Reimer, Verwaltungsdatenschutzrecht DÖV 2018: S. 881 ff.,S. 866.

 

29. Danielle Keats Citron, “Technological Due Process”, WASH.U.L.REV. 1249 (2008); Liu Dongliang, “Technological Due Process: Dual Variations of Procedural Law and Algorithm in the Age of Artificial Intelligence”, Journal of Comparative Law 5 (2020).

 

30. Guo Yu, Study on Personal Data Protection Law (Beijing: Peking University Press, 2012), 173-174.

 

31. Yan Tieyi and Wang Guoju, “On Informing of Administrative Action”, Law Science Magazine 1 (2014).

 

32. Zhou Hanhua, “Legal Positioning of Protection of Personal Information”, Studies in Law and Business 3 (2020).

 

33. According to Article 73.1.1 of the Personal Information Protection Law, a “personal information processor” refers to “any organization or individual that independently determines the purpose and method of processing in personal information processing activities”, However, entrusted organizations process personal information according to the wishes of the principal, rather than doing it independently, therefore they are not personal information processors as specified in the law. If they are excluded from the subjects of the duty to inform, it will not be conducive to the protection of the lawful rights and interests of the information subject.

 

34. According to Article 37 of the Personal Information Protection Law, “The provisions of this law on personal information processed by state organs shall apply for personal information processing by organizations authorized by laws and regulations with the function of managing public affairs to perform statutory duties,” which indicates that the law has taken into account the situation that government organs authorize organizations to exercise administrative power, and also requires authorized organizations to shoulder the same responsibility for protection of personal information as that of government organs.

 

35. According to Article 59 of the Personal Information Protection Law, “The party entrusted to process personal information shall fulfill the relevant duties prescribed by this law and other relevant laws and administrative regulations, take necessary measures to ensure the security of the personal information processed, and assist personal information processors to fulfill their duties under this law,” which indicates that although the party entrusted is not the “personal information processor” stipulated in this law, as the actual processor, he shall take practical actions to assist in the performance of relevant legal duties. 

 

36. According to Article 5.1 (d) of the Information Security Technology: Guidelines for Personal Information Notice and Consent (Draft for Comments), if the personal information controller obtains personal information indirectly from a third party by indirect acceptance or inquiry, it shall inform the personal information subject of the type, purpose, method and scope of collection and use of such personal information, and obtain the express consent of the personal information subject. According to Article 8.1.1 (d), if personal information is shared with other parties, the personal information controller shall inform the user of the audit requirements for the third party, such as the person collecting the information, content of collection, intended use, time of collection, protection measures, and corresponding legal responsibilities of the third-party company.

 

37. The Personal Information Protection Law defines the personal information of minors under the age of 14 as sensitive personal information in Article 28 and stipulates that the duty to inform with more comprehensive content shall be fulfilled when processing sensitive personal information in Article 30. Therefore, the government shall fulfill the duty to inform when processing the personal information of minors under the age of 14. Under this regulation, the government may need to know the age of natural persons, and classify their personal information according to ages. However, to determine the age will lead to an increase in the costs of information processing, and it is not easy to ensure the authenticity of the ages obtained.

 

38. Article 8.2 of the Information Security Technology: Guidelines for Personal Information Notice and Consent (Draft for Comments) stipulates the methods of informing, including new methods such as interactive interfaces and traditional methods such as phone calls, text messages and emails.

 

39. Article 6.1 a) of the Information Security Technology — Requirements for Security of Face Recognition Data (Draft for Comments).

 

40. Cheng Lei, “Protection of Personal Information of Citizens in Criminal Justice”, Journal of Renmin University of China 1 (2019).

 

41. Liu Guo, “Research on Public Law Framework of Protection of Personal Information — A Case Study of Public Health Emergencies”, Gansu Social Sciences 4 (2020).

 

42. Zhao Hong, “State Protection Duty of Personal Information Right in the Era of Civil Code”, Business and Economic Law Review 1 (2021).

 

43. European Data Protection Supervisor, EDPS Guidelines on assessing the proportionality of measures that limit the fundamental rights to privacy and to the protection of personal data, accessed January 3, 2022.

 

44. Philipp Reimer, Verwaltungsdatenschutzrecht DÖV 2018: S. 881 ff.,S. 866.

 

45. See Article 28-31 of the Personal Information Protection Law and Article 5-6 of the Information Security Technology — Requirements for Security of Face Recognition Data (Draft for Comments). 

 

46. According to Article 50.2 of the Personal Information Protection Law, where an individual’s request to exercise his rights is rejected, the individual may file a lawsuit with the people’s court in accordance with the law. However, this provision can hardly be applied to the government’s failure to perform its duty to inform, because the personal information processor rejects an individual’s request to exercise his rights on the premise of the individual’s request, while the realization of the right to know, as the basis for the individual to exercise other personal information rights, largely depends on whether the government has fulfilled its duty to inform. Under this logical chain, if the government fails to fulfill the duty to inform, it is difficult for individuals to request the exercise of the right to know, and therefore it is difficult to trigger the litigation stipulated in this article. In contrast, individuals do not need to make a request to the government for administrative reconsideration and administrative litigation. Once the government fails to fulfill its duty to inform, individuals can apply for administrative reconsideration or administrative litigation, which is more practical.

 

47. Wang Xixin and Peng Li, “Constitutional Basis of the Legal System for Protection of Personal Information”, Tsinghua Law Journal 3 (2021).

 

48. The Supreme People’s Procuratorate, Model Cases of Civil Public Interest Litigation Involving the Protection of Personal Information by Procuratorial Organs Issued by the Supreme People’s Procuratorate, Internet Information Office of the Supreme People’s Procuratorate, accessed January 3, 2022.

 

49. Hong Hao and Zhao Zubin, “The Basis of the Procuratorial Public Interest Litigation Right Allocation in the Protection of Personal Information”, Inner Mongolia Social Sciences 6 (2020).

 

50. Zhang Xiang, “On the Constitutional Justification of the Right to Personal Information”, Global Law Review 1 (2022).