Shen Weixing | Reinventing the Digital Rights System: Towards a differential mode of association of privacy, Information and Data
2023-10-11

Author: Shen Weixing

Professor, School of Law, Tsinghua University

Abstract: As concepts of order in computational jurisprudence, privacy, information and data have the dual significance of system construction and normative application. However, the three are in a chaotic state in current rights discourse, which leads to difficulties in legal regulation. Therefore, on the basis of a strict distinction between the object of rights and the rights themselves, privacy, information and data should first be presented in an orderly manner as objects of rights, and then the system of individual rights should be constructed on top of the three in a differential mode of association. Specifically, privacy, information and data are respectively at the factual, descriptive/content and symbolic levels, and above them are established, respectively, the right to privacy, which is based on passive defence and relatively strict protection, and the right to informational personality and the right to ownership of data, which combine passive defence protection and active utilization; the right to privacy and the right to personal information belong to the rights of personality, and are superior to the right to ownership of personal data, which is a property right. This differential mode of association of personal rights in the digital era can not only provide an institutional guarantee for the orderly development of the digital economy, but also improve and enrich the basic scope of computational jurisprudence and promote its scientific process.

Introduction: Privacy, Information and Data as Concepts of Order in Computational Jurisprudence

As an emerging discipline through the intersection of law and information technology, computational jurisprudence has developed a body of knowledge and norms based on data, algorithms and platforms. From the basic category of data, it can be further extended to information and privacy, which are closely related but should be clearly distinguished. Privacy, information and data have been stipulated in the Civil Code and developed in special laws in response to the needs of the development of the digital economy, and have become an important object of research in computational jurisprudence, which has been used as a cornerstone category for theoretical construction. Among them, the most important and fundamental question is how to make a clear distinction between privacy, information and data. Further, what are the rights carried by privacy, information and data, and what are the links and differences between them? In the face of these major challenges to the traditional legal order, computational jurisprudence should forge ahead and actively construct a normative system of individual rights in the digital age, so as to facilitate the proper application of the law in the digital age.

Computational jurisprudence does not come out of nowhere, but rather needs to be nourished by traditional jurisprudence. Nearly a hundred years ago, Philipp Heck, a giant of German legal methodology and a leading figure in the jurisprudence of interests, pointed out that jurisprudence has three tasks, which correspond to three different problems that should be solved by three types of concepts. The first is the "normalization problem", aimed at the acquisition of norms, for which the concept of contingency (Sollbegriffe) is needed; this concept mainly exists in statutory law and may be supplemented by scholarship. The second is the "pure cognitive problem" of facts, which uses the concept of actuality (Seinsbegriffe) formed by academics in prior research or by judges in their judgement of the facts. The third is the "problem of presentation", which aims to present and organize the conclusions and corresponds to the concept of order (Ordnungsbegriffe); this concept is usually the product of academic accumulation and construction, but may, exceptionally, also be established directly by the legislator. If we leave aside the factual issues and focus on the normative level, it is easy to see that what Heck calls the concept of contingency and the concept of order point to the fields of normative application and system construction, respectively. Therefore, privacy, information and data, as three intertwined concepts of order in computational jurisprudence that also have the basic attributes of the concept of contingency, constitute an important cornerstone for the reconstruction of the traditional legal order in the digital era, and their importance is self-evident.

The booming development of the digital economy in today's society has triggered a series of emerging legal issues, which have become hot topics for academic research. As a prerequisite for the discussion of these legal issues, the basic theoretical issue is the relationship between privacy, information and data. The clarification of the relationship between these three has both factual and normative value. At the factual level, data has been regarded as the fifth element, and with the development of the digital economy more and more attention has been paid to it, but system design around data rights is lacking. The reason is that when people talk about data, they cannot help thinking about the information loaded on the data, and the information will inevitably be associated with privacy, which eventually leads to the confusion of data, information and privacy. With these three entangled together, the corresponding system design cannot be carried out at all. At the normative level, Article 1032(2) of China's Civil Code stipulates that private information also belongs to privacy, which makes it more difficult to distinguish between privacy and information in practice, especially since Article 1034(2) of the Civil Code lists types of personal information such as the name, date of birth, identity document number, biometric information, address, telephone number, email address, whereabouts and so on of a natural person. What, then, belongs to private information? For example, are mobile phone numbers and home addresses private information and thus private? In particular, are any of the types of information listed in Article 1034(2) purely personal information that is not private?
As for the relationship between information and data, under the influence of the General Data Protection Regulation of the European Union, scholars do not distinguish between information and data in their discussions, and the mixing of the two greatly affects the circulation and utilization of data.

For multiple reasons, such as rapid social change, technological iteration, rapid economic development and multiple pieces of legislation, the current understanding of privacy, information and data is not clear, and is even in a confused and disorderly state. In this regard, this paper first analyses the origins of the confusion and disorder in rights discourse, and points out the resulting regulatory problems and the direction for solving them. Then, on the basis of distinguishing between the object of the right and the right, the relationship between the three is clarified with personal information as the center, so as to turn disorder into order among the objects of rights. Finally, it turns to the rights themselves, demonstrates the individual rights carried by privacy, information and data, and recreates a differential mode of association for the individual rights system in the digital era.

The Mixed Order of Privacy, Information and Data in Rights Discourse in the Digital Age

The iterative development of information technology has triggered profound economic and social changes, affecting almost all fields of activity and the daily lives of all people. Privacy, information and data have become an important topic of continuous concern and repeated discussion in the theoretical community. However, at present the three exist in a mixed order in institutional norms, judicial adjudication and theoretical research, which has led to a number of difficulties in legal regulation that need to be solved appropriately.

1. The gradual generation of the mixed order of privacy, information and data

There are two reasons for the disorderly use of privacy, information and data: first, the iterative development of information technology has broken the past monolithic order, in which there was only privacy and the protection of rights in it; second, the booming digital economy has led to a sharp increase in the economic value of data, but the difference between data, information and related rights has not yet been fully revealed.

1.1 The development of information technology breaks the monolithic order of privacy

The concept of privacy in our law derives from United States law. As a result, personal information protection is often intertwined and mixed with traditional privacy protection. U.S. courts created the right to privacy on the basis of common law, especially tort law. Originally, the right to privacy was the protection of information related to one's private life from disclosure and of the sphere of private affairs from interference, manifested as a right to be left alone without being disturbed. From the 1960s and 1970s onward, the continuous development of computer technology and the fundamental change in communication mechanisms changed the way information is generated, obtained, used and disseminated, and information sharing and utilization became the norm because of life interactions, social interactions, contractual relationships, public interests and so on. Personal information therefore has a social character, and its practical basis lies in the fact that information is produced by individuals but is out of their control. Personal information is collected in large quantities by public and private institutions, and the resulting misuse has attracted wide concern.

This personal information includes both private information and content that may not be called private. Emerging technologies represented by computer automation have shaken the monolithic order of "privacy-as-secrecy", and traditional privacy theories have been hollowed out. In this context, the theory of self-control of personal information began to develop out of the right to privacy, and it constitutes an independent source of the personal information protection system. From the perspective of the legal interests to be protected, privacy and personal information overlap, and the protection of privacy is the main purpose and logical premise of personal information protection. Privacy with its traditional passive characteristics is too narrow; because of the expected interest in the active use of personal information, privacy rights began to develop dominant characteristics, which are manifested in the right of rights subjects to decide on information related to themselves, that is, the right to use information related to themselves to engage in various activities to meet their own needs according to their own will. When it comes to privacy and personal information, there are different discourse systems because of the different traditions and protection models of different countries. Germany has developed the right to self-determination (Recht auf informationelle Selbstbestimmung) for the protection of personal information, a unified Federal Data Protection Act and an independent personal information protection system. The United States adopts the "big privacy" model of protecting personal information together with privacy; many scholars interpret privacy as the control of personal information, and personal information is essentially treated as a kind of privacy.
In American law, the content protected by privacy is extremely broad, and even called "hodgepodge" by scholars, which not only undertakes the function of general personality rights in German law, but even includes many contents belonging to specific personality rights, such as name and portrait.

Against this background, it is not difficult to understand the major controversy in Chinese law regarding the relationship between privacy and personal information and related rights. For example, in the process of codifying the Civil Code, there were two diametrically opposed views. Some scholars believe that privacy and personal information rights are two different concepts, which cannot be covered by expanding the right to privacy, and that the right to personal information should be separately stipulated on the basis of clear distinction, so that personal information can obtain more adequate and comprehensive protection. On the contrary, some scholars believe that in order to cope with the privacy crisis in the era of big data, the best choice is not to build a new type of personal information right from scratch, but to establish a route based on privacy protection rather than personal information protection by improving the infringement rules on privacy rights and expanding the possibility of remedies. Judging from the provisions of Articles 110 and 111 of the General Provisions of the Civil Law, China has clearly adopted a dual model of differentiated protection of privacy and personal information. The subsequent promulgation of Chapter 6 of the Personality Rights Part of the Civil Code, namely "Privacy and Personal Information Protection", reaffirms and expands the dual-track system of privacy and personal information protection, and private information becomes an institutional bridge between the two. This has led to the formation of a "third way" different from the European and American models, but this mixed succession also brings considerable difficulties to conceptual differentiation and rights construction.

1.2 The boom of the digital economy has led to the mixing of information and data

In today's era, the digital economy has become a new driving force for the economic development of various countries. Big data continues to stimulate business model innovation, continuously give birth to emerging business formats, and become an important driving force for promoting business innovation and value-added and enhancing the core value of enterprises in emerging fields such as the Internet. As a driver of the expansion of the digital economy, data becomes a new economic resource for creating and capturing value. In less than a year since November 2019, the central government has issued three important documents in a row, clearly identifying data as a basic factor of production, emphasizing the need to accelerate the cultivation and development of the data element market, improve standards and measures such as data ownership definition, open sharing, and transaction circulation, and give play to the value of social data resources. At the same time, disputes over data ownership and usage rules caused by the increase in the economic value of data have also emerged. Perhaps, as scholars say, network governance has evolved into data governance in stages, and it will probably continue for quite some time.

However, because data and related concepts lack a clear definition, the terms data and information are often mixed and their attributes are unclear. According to incomplete statistics, at least 19 laws and 627 departmental rules use "personal information" and "data" alternately in the same text, while 6 laws and 101 departmental rules contain "privacy", "personal information" and "data" at the same time. In addition, there are various views on the relationship between "personal information" and "personal data". Some scholars believe that personal information is personal data and that the difference is only one of title, with some using "personal data" and others "personal information". Some scholars believe that "personal information" is different from "personal data", or that the extension of "personal information" is narrower than that of "personal data", personal information being only the part of data that can identify a specific natural person. Although some scholars have noted the conceptual distinction between the two, its impact on legal theory and the normative system should be further explored. In judicial practice, the mixed use of "information" and "data" has become the norm. For example, in the civil ruling in the "Touteng War", terms such as "personal information", "personal data", "sensitive information", "user data", "user information", "user personal information and other data" and "user personal information" were used confusingly to refer to the same content.

It should also be noted that the completely indiscriminate use of data and information in comparative law is also an important reason for the above-mentioned mixing. As mentioned above, although Germany has developed an institutional structure for the protection of personal information with the right to self-determination at its core, its basic legislation is called the Federal Data Protection Act. This practice of "protecting personal information in the name of data protection" also exists in EU law. Article 4(1) of the GDPR defines "personal data" as "information relating to an identified or identifiable natural person ('data subject')". This way of defining data as information further exacerbates the mixing of the two and is not desirable.

2. Legal regulatory difficulties arising from the mixed order situation and their resolution

2.1 Legal regulatory difficulties caused by the mixed order situation

The definition of the relationship between privacy, information and data is the premise and starting point for building individual rights in the digital age, but the existing mixed order has blurred the boundaries between the three, causing many misunderstandings and difficulties in legislation. Recent research on personal information rights and data ownership has been voluminous, but it often presents arguments that are "plausible" only on the surface, or attributes to one research subject what belongs to another ("Zhang Guan Li Dai"). For this reason, scholars inevitably spend a lot of ink and space clarifying themes and issues, the resulting views can be described as "varied", and it is difficult to reach a consensus. Under the vigorous publicity of news reports and public opinion, the public is prone to form the habit of thinking that "personal information = privacy", believing that whenever a platform involves or processes personal information in providing products and services it infringes on privacy, so that platforms seem to be "getting blamed at every turn". This ambiguity is exacerbated by the fact that many digital business platforms regulate the processing of personal information in the name of a "privacy policy" rather than a "personal information protection policy". At present, this confusion of privacy and personal information, confusion of the various types of personal information, and indiscriminate mixing of personal information and data are not conducive to accurately regulating the processing of personal information, nor to promoting the reasonable use of personal information and the lawful and orderly flow of data, and will inevitably bring adverse impacts to economic and social development.

In the history of conceptual development, the so-called "personal data" of the EU, that is, personal information, did indeed develop from the right to privacy, and many human rights conferences held in Europe in the 1970s recognized the privacy risks caused by the large-scale processing of data by computer technology; nevertheless, data in the strict sense cannot simply be equated with personal information or privacy. There are inherent contradictions in the use of privacy, information and data, which lead to deviations in the setting of rights and to the dual difficulties of rights protection and legal argumentation. In judicial practice, plaintiffs often file lawsuits on the grounds of infringement of privacy and of personal information at the same time, and the court must take the trouble to reason repeatedly and to argue separately the substantive grounds that do or do not constitute infringement, which adds a great burden of reasoning.

Indiscriminately confusing information and data also means that, in the design of rights, attending to one loses sight of the other, so that the relevant personality rights and property rights become entangled, and in the end the key question for the construction of data property rights, namely whether data can become the object of property rights, cannot be clearly answered. There are many views that enterprises cannot control personal data and that controlling data is controlling privacy, which leads to the misunderstanding that personal data cannot be traded and makes it difficult to construct a data property rights system. This not only affects the establishment of rules for data utilization, data sharing and data transactions, and fails to meet the actual development demands of the data element market, but is also not conducive to the protection of personal information. As a result, utilization is not promoted and protection cannot be implemented.

2.2 The basic thinking framework for solving difficult problems: the distinction between rights and the object of rights

As mentioned earlier, computational jurisprudence did not come out of nowhere; the growth of any emerging jurisprudence is nourished by the theories of traditional jurisprudence. Specifically, in order to clearly distinguish privacy, information and data in the discourse of rights, we should follow the distinction between the object of rights and the rights themselves in traditional rights theory, so as to establish a correct thinking framework.

The worldview of the subject-object dichotomy constitutes the starting point of the entire legal order, and the traditional theory of rights also unfolds from it. In the strictest sense, the so-called object of rights (Rechtsobjekt) refers only to anything other than the subject of rights that can become the object of legal dominance (Gegenstand). However, this understanding is obviously based on rights of domination such as property rights, and does not naturally include personality rights, which are closely related to the subject itself, and privacy, information and data are related precisely to the latter to varying degrees. In fact, personality rights, like property rights and other rights of domination, belong to the category of absolute rights; apart from the major differences in macro value concepts and micro system design, personality rights should share a similar logical structure with other typical absolute rights such as property rights. Since it is recognized that personality rights are a type of right, understood as the right of the subject of rights to be respected as a human being and not to be infringed by others, there is no need to adhere to the traditional concept of the object of rights based on the right of domination, and personal interests should be included in the scope of the object in the sense of what the right "points to" or "is involved" with. It is for this reason that our doctrine also understands personality (interests) as the object of rights or legal relations. Accordingly, privacy, information and data can be classified as objects of rights, while the rights to privacy, personal information and personal data that exist or may exist above the three belong to the rights themselves.

The significance of this distinction is to clarify what exactly the object of the right holder's disposal, or of infringement by others, is. This is often overlooked, intentionally or unintentionally, in the discourse on rights to privacy, information and data. In a general sense, objects of rights can be divided into objects of the first order (Rechtsgegenstände erster Ordnung) and objects of the second order (Rechtsgegenstände zweiter Ordnung), corresponding to the object of domination (Herrschaftsobjekt) and the object of disposition (Verfügungsobjekt), respectively. The former mainly include things and intangible objects over which a right of domination or use can be established against third parties, such as intellectual works, inventions, names or trademarks. The latter are rights or legal relationships, such as property rights, claims as the object of assignment, and contractual relationships that can be transferred to others. With slight adjustment and extension, this division can be carried over to privacy, information and data, and to the rights that exist or may exist on top of them. That is, on the one hand, although privacy and information cannot be dominated because they belong to personal interests, these two, together with data, are still objects that the right is directed at or relates to; on the other hand, although personality rights cannot be freely disposed of in the way that property rights such as real rights and creditors' rights can, the right holder still enjoys the authority to dispose (Dispositionsbefugnis) within the scope permitted by the legal order, so that personality rights become objects of disposal. In fact, what can be violated by others is not privacy, information and data themselves, but the rights that exist or may exist on them.

The orderly presentation of privacy, information and data as objects of rights

According to this analysis framework, the following first clarifies the relationship between privacy, information and data as the object of rights, and then constructs the individual rights system in the digital age on this basis. As far as the object of rights is concerned, since personal information is at the center of the relationship between the three, the relationship between personal information and privacy and the relationship between personal information and data should be discussed separately, so as to clearly reveal the difference and connection between the three. In this way, we can completely get rid of the previous chaotic situation, so as to present the most important objects of rights in the digital age in an orderly manner.

1. The relationship between privacy and personal information

As objects of rights, then, what is the relationship between privacy and personal information? Paragraph 2 of Article 1032 of the Civil Code stipulates that "privacy is the tranquility of a natural person's private life, and the private space, private activities and private information that he or she does not want others to know". This "1+3" model of "tranquility of private life" plus "private space, private activities, and private information" is the basic definition of privacy in the current law. As for personal information, the current law has adopted legislative definitions more than once, and they differ significantly in form. Paragraph 5 of Article 76 of the Cybersecurity Law, Paragraph 2 of Article 1034 of the Civil Code and Paragraph 1 of Article 4 of the Personal Information Protection Law address the same matter, and none stands to the others as a special or general provision, so under the rule that the newer law takes precedence, established in Article 92 of the Legislation Law, Article 4, Paragraph 1 of the Personal Information Protection Law should mainly govern. According to this provision, personal information is "all kinds of information relating to an identified or identifiable natural person recorded electronically or otherwise", but "does not include anonymized information". In addition, the provisions of Article 76, Item 5 of the Cybersecurity Law and Article 1034, Paragraph 2 of the Civil Code can also be used as important references, especially since the specific enumeration of personal information in these two does not go beyond the scope of Article 4, Paragraph 1 of the Personal Information Protection Law. Accordingly, personal information mainly includes but is not limited to the name, date of birth, ID number, biometric information, address, telephone number, email address, health information, whereabouts information, etc. of natural persons. So the question is, which of this personal information is private information within the meaning of privacy? Is there pure personal information that is not private?

1.1 General distinction between privacy and personal information

Before turning to private information, it is necessary to discuss in general the criteria for distinguishing privacy from personal information. As mentioned above, paragraph 2 of Article 1032 of the Civil Code adopts the "1+3" legislative model, defining privacy as "the tranquility of private life, and private space, private activities and private information". But in fact privacy is very hard to define, and the so-called "1+3" legislative model is only a relatively abstract enumeration. In essence, "the distinction between the public and private spheres is at the heart of the construction of privacy law." Private space can also be called the "private sphere"; it belongs to static privacy, and is a closed, independent space reserved by individuals and isolated from public space, including both physical space and virtual network space. Private activities can also be called "private affairs"; they belong to the category of dynamic privacy, and refer to activities that a person is unwilling to have known by others (hidden) and that have nothing to do with the interests of others or social interests (private), mainly including personal family life, social communication and other affairs. Compared with these two, the tranquility of private life is more general and highly abstract; it is a stable and quiet, undisturbed, self-determined state of life, and serves as the catch-all element of privacy. It can be seen that, despite differences in specific meaning and scope, matters related to private space, private activities and the tranquility of private life are independent factual states and do not depend on the form of information.

In contrast, personal information is not equivalent to the state of fact itself, but exists in the form of information that expresses the facts. If privacy is hard to define, then defining information is even more difficult. Among the various complex concepts, the most basic and generally accepted definition is that information is a description of the state of a system (Aussagen über den Zustand eines Systems), which can reduce or eliminate uncertainty (Unbestimmtheit/uncertainty). Here, a system is characterized by selecting a collection of multiple elements from a certain whole and connecting these elements to each other. If we exclude pure thinking systems, we can also say that systems are fragments of reality. The state of a system is embodied especially in its structure, that is, the way multiple elements make up the system and the collection of relationships between the elements, which, although abstracted from a concrete system, can be transferred to other systems. So, as a description of the structure of a system, information can be used to refer to multiple systems. It can be seen that although information is abstracted from real, concrete and specific systems, it often has a certain degree of universality, which distinguishes it from the specific system itself. If one does not stick to a typical physical system and instead recognizes that the matters involved in private space, private activities and the tranquility of private life, as states of fact, are also special systems of reality, then they are at a completely different level from personal information as a description of the state of a system.

Furthermore, the important characteristic of personal information is its direct or indirect identifiability, which determines its function of establishing the basis for social interaction between people, and which therefore differs from the purpose of privacy, namely building a private sphere. As mentioned above, Article 4.1 of the PIPL departs from Article 76.5 of the Cybersecurity Law and Article 1034.2 of the Civil Code by defining personal information on the basis of relevance, but the resulting difference should not be exaggerated. On the one hand, paragraph 1 of Article 4 of the PIPL still retains the requirement of identifiability in the definition, but does not base it directly on the information involved; on the other hand, this paragraph excludes "information that has been anonymized", and according to Article 73, Paragraph 4, anonymization needs to achieve the effect of "not identifying a specific natural person". Therefore, if the scope of personal information is expanded by the obvious breakthrough of relevance, anonymization, as a negative element, restricts it from the opposite side, thus re-establishing the core position of identifiability. The key to this is that personal information is the basis of normal social activities and social interactions. In the case of the telephone numbers listed in Article 1034, paragraph 2 of the Civil Code, many people take it for granted that these are private because they fear that the leakage of phone numbers will cause harassment. In fact, the function of mobile phone numbers, from the moment they were established, has been to meet the need for social communication. No one will immediately lock the mobile phone number obtained from the telecommunications department in a safe to guard it tightly; on the contrary, sharing a mobile phone number as personal information is meant to promote social communication.

In short, the position of the law on personal information and on privacy protection is completely different. The main value of personal information lies in its identifiability in social interactions; its function is positioned as the basis of normal social activities and social interactions, and personal information serves as the medium between an individual and others and society in social interactions. Simply put, information does not exist in the world for protection, but rather for use. Privacy is different: its aim is to protect the person's solitary life and to draw reasonable boundaries for this purpose. Personal information is both private and social, and the latter is more prominent in the information age, while privacy is only private. In fact, Article 1032, Paragraph 2 of the Civil Code, which takes "tranquility in private life" as the bottom of privacy, clearly indicates that the privacy system aims to protect private interests that are not known to others, so as to ensure an individual's stable and quiet life, undisturbed living conditions, and spiritual peace. Therefore, the aforementioned name, ID number, home address, telephone number, e-mail address, etc. of an identifiable natural person do not constitute privacy, but are pure personal information.

Of course, it must be emphasized that claiming that the aforementioned personal information does not constitute privacy does not mean that such information is completely unprotected by law. The main reason why the public confuses privacy and personal information is the worry that if mobile phone numbers, home addresses, etc. are not included in privacy, they will not be protected by law. In fact, separating personal information from privacy does not mean that it is unprotected; rather, it is no longer protected in accordance with privacy standards, and the consent of the information subject must be obtained under the right to self-determination of personal information before personal information can be used. Looking at the provisions of the PIPL on personal information processing rules, the various rights of information subjects, the various obligations of processors, the administrative supervision organs and their functions and powers, and the various legal liabilities, it is entirely possible to provide more comprehensive protection for information subjects. In the final analysis, we should clearly distinguish between privacy and personal information conceptually, and get rid of the misunderstanding that privacy "covers the world" as soon as possible.

1.2 Private information is a projection of privacy on information

The general distinction between privacy and personal information discussed above is concerned only with the matters involved in private space, private activities, and the stability of private life as a de facto state, and does not directly touch on private information, a hybrid form that integrates privacy and personal information. Against the background of the rapid development of today's automated processing technology, "privacy informatization" and "information privacy" have become two prominent trends, resulting in the continuous enrichment of the scope of private information, and information privacy has expanded the boundaries of traditional privacy. Once privacy other than private information is characterized as the state of fact itself, and considering that personal information includes (but is not necessarily limited to) the description of the state of fact, it is not difficult to find that privacy and personal information do not simply intersect on a flat plane, but are at completely different levels in three dimensions. Because of this, private information is not merely the overlapping part of privacy and personal information, but the projection of privacy, which lies at the fact level, onto the information layer. In other words, private information is the informational expression of private facts such as private spaces, private activities, and private parts.