Shen Weixing | Reinventing the Digital Rights System: Towards a differential mode of association of privacy, Information and Data
2023-10-11

Reinventing the Digital Rights System:
Towards a differential mode of association of privacy, Information and Data



Author Shen Weixing

Professor, School of Law, Tsinghua University


Abstract: As the order concept in computational jurisprudence, privacy, information and data have dual meanings of system construction and normative application. However, the three are in a chaotic situation in the current right discourse, which leads to difficulties in legal regulation. Therefore, on the basis of strict distinction between the object of rights and the rights themselves, privacy, information and data should first be presented in an orderly manner in the aspect of the object of rights, and then the system of individual rights should be constructed on top of the three in a differential mode of association. Specifically, privacy, information, and data are respectively at the factual, descriptive/ content, and symbolic levels, and above them, the right to privacy, which is based on passive defence and relatively strict protection, the right to informational personality and the right to ownership of data, which combine passive defence protection and active utilization, are established respectively; the right to privacy and the right to personal information belong to the right of personality, and are superior to the right to ownership of personal data, which is the right of property. This differential mode of association of personal rights in the digital era can not only provide institutional guarantee for the orderly development of the digital economy, but also improve and enrich the basic scope of computational jurisprudence and promote its scientific process.


Introduction: Privacy, Information and Data as Concepts of Order in Computational Jurisprudence

As an emerging discipline through the intersection of law and information technology, computational jurisprudence has developed a body of knowledge and norms based on data, algorithms and platforms. From the basic category of data, it can be further extended to information and privacy, which are closely related but should be clearly distinguished. Privacy, information and data have been stipulated in the Civil Code and developed in special laws in response to the needs of the development of the digital economy, and have become an important object of research in computational jurisprudence, which has been used as a cornerstone category for theoretical construction. Among them, the most important and fundamental question is how to make a clear distinction between privacy, information and data. Further, what are the rights carried by privacy, information and data, and what are the links and differences between them? In the face of these major challenges to the traditional legal order, computational jurisprudence should forge ahead and actively construct a normative system of individual rights in the digital age, so as to facilitate the proper application of the law in the digital age.

Computational jurisprudence does not come out of nowhere, but rather needs to be nourished by traditional jurisprudence. Nearly a hundred years ago, Philipp Heck, a giant of German legal methodology and a leading figure in Jurisprudence of interests, pointed out that jurisprudence has three tasks, which correspond to three different problems that should be solved by three types of concepts: The first one is the “normalization problem” aiming at the acquisition of norms, for which the concept of contingency (Sollbegriffe) is needed, which mainly exists in statutory law and may be supplemented by scholarship; The second is the “pure cognitive problem” of facts, using the concept of actuality (Seinsbegriffe) formed by academics in prior research or judges in their judgement of the facts;  The third is the “problem of presentation”, which aims to present and organize the conclusions, and which corresponds to the concept of order (Ordnungsbegriffe), which is usually the product of academic accumulation and construction, but which may, exceptionally, also be established directly by the legislator. If we leave aside the factual issues and focus on the normative level, it is easy to see that what Heck calls the concept of contingency and the concept of order point to the fields of normative application and system construction, respectively. Therefore, privacy, information and data, as the three intertwined concepts of order in computational jurisprudence, with the basic attributes of the concept of contingency, constitute an important cornerstone for the reconstruction of the traditional legal order in the digital era, and their importance is self-evident.

The booming development of the digital economy in today's society has triggered a series of emerging legal issues, which have become hot topics for academic research. As a prerequisite for the discussion of these legal issues, the basic theoretical issue is the relationship between privacy, information and data. The clarification of the relationship between these three has both factual and normative value. At the factual level, data has been regarded as the fifth element, and with the development of the digital economy, more and more attention has been paid to it, but the system design around data rights is lacking. The reason is that when people talk about data, they cannot help thinking about the information loaded on the data, and the information will inevitably be associated with privacy, which eventually leads to the confusion of data, information and privacy. With the three entangled together, it is impossible to carry out the corresponding system design. At the normative level, Article 1032(2) of China's Civil Code stipulates that private information also belongs to privacy, which makes it more difficult to distinguish between privacy and information in practice, especially since Article 1034(2) of the Civil Code lists types of personal information such as the name, date of birth, identity document number, biometric information, address, telephone number, email address, whereabouts and so on of a natural person. What, then, belongs to private information? For example, are mobile phone numbers and home addresses private information and thus private? In particular, are any of the types of information listed in Article 1034(2) purely personal information that is not private?
As for the relationship between information and data, under the influence of the General Data Protection Regulation of the European Union, scholars do not distinguish between information and data in their discussions, and the mixing of the two greatly affects the circulation and utilization of data.

Due to multiple reasons such as rapid social changes, technological iterations, rapid economic development, and multiple legislation, the current understanding of privacy, information and data is not clear, and is even in a confusing and disorderly situation. In this regard, this paper first analyses the origins of the confusion and disorder in the rights discourse, and points out the resulting regulatory problems and the direction of solving them. Then, on the basis of distinguishing between the object of the right and the right, the relationship between the three is clarified with personal information as the center, so as to change disorder into order in the object of right. And finally it enters into the right itself, and proves the individual rights carried on privacy, information, and data, and recreates differential mode of association of the individual rights system in the digital era.

The Mixed Order of Privacy, Information and Data in Rights Discourse in the Digital Age

The iterative development of information technology has triggered profound economic and social changes, affecting almost all fields of activity and the daily lives of all people. Privacy, information and data have become an important topic of continuous concern and repeated discussion in the theoretical community. However, at present there exists a mixed order of the three in institutional norms, judicial adjudication and theoretical research, which has led to a number of difficulties in legal regulation that need to be solved appropriately.

1. The gradual generation of the mixed order of privacy, information and data

There are two reasons for the disorderly use of privacy, information and data: first, the iterative development of information technology has broken the monolithic order of only privacy and the protection of its rights in the past; Second, the booming digital economy has led to a sharp increase in the economic value of data, but the difference between data, information and related rights has not yet been fully revealed.

1.1 The development of information technology breaks the monolithic order of privacy

The concept of privacy in our law derives from United States law. As a result, personal information protection is often intertwined and mixed with traditional privacy protection. U.S. courts created the right to privacy on the basis of common law, especially tort law. Originally, the right to privacy was the protection of information related to one's private life from disclosure and interference in the sphere of private affairs, manifested as a right to be left alone without being disturbed. From the 1960s and 1970s onward, the continuous development of computer technology and the fundamental change of the communication mechanism changed the way information is generated, obtained, used and disseminated, and information sharing and utilization became the norm due to life interactions, social interactions, contract relationships, public interests, etc. Personal information therefore has a social character, and its practical basis lies in the fact that information is produced by individuals but is out of their control. Personal information is collected in large quantities by public and private institutions, and the resulting misuse has become a matter of wide concern.

This personal information includes both private information and content that may not be called private. Emerging technologies represented by computer automation have shaken the monolithic order of "privacy-as-secrecy", and traditional privacy theories have been emptied. In this context, the theory of self-control of personal information began to develop from the right to privacy, and it constitutes an independent source of the personal information protection system. From the perspective of the legal interests to be protected, privacy and personal information overlap, and the protection of privacy is the main purpose and logical premise of personal information protection. Traditional privacy, with its passive characteristics, is too narrow; because of the expected interest in the active use of personal information, privacy rights began to develop dominant characteristics, which are manifested in the right of rights subjects to decide on information related to themselves, that is, the right to use information related to themselves to engage in various activities to meet their own needs according to their own will. When it comes to privacy and personal information, there are different discourse systems due to different traditions and protection models in different countries. Germany has developed the right to informational self-determination (Recht auf informationelle Selbstbestimmung) for the protection of personal information, a unified Federal Data Protection Act and an independent personal information protection system. The United States adopts the "big privacy" model of protecting personal information together with privacy; many scholars interpret privacy as the control of personal information, and personal information is essentially a kind of privacy.
In American law, the content protected by privacy is extremely broad, and even called "hodgepodge" by scholars, which not only undertakes the function of general personality rights in German law, but even includes many contents belonging to specific personality rights, such as name and portrait.

Against this background, it is not difficult to understand the major controversy in Chinese law regarding the relationship between privacy and personal information and related rights. For example, in the process of codifying the Civil Code, there were two diametrically opposed views. Some scholars believe that privacy and personal information rights are two different concepts, which cannot be covered by expanding the right to privacy, and that the right to personal information should be separately stipulated on the basis of clear distinction, so that personal information can obtain more adequate and comprehensive protection. On the contrary, some scholars believe that in order to cope with the privacy crisis in the era of big data, the best choice is not to build a new type of personal information right from scratch, but to establish a route based on privacy protection rather than personal information protection by improving the infringement rules on privacy rights and expanding the possibility of remedies. Judging from the provisions of Articles 110 and 111 of the General Provisions of the Civil Law, China has clearly adopted a dual model of differentiated protection of privacy and personal information. The subsequent promulgation of Chapter 6 of the Personality Rights Part of the Civil Code, namely "Privacy and Personal Information Protection", reaffirms and expands the dual-track system of privacy and personal information protection, and private information becomes an institutional bridge between the two. This has led to the formation of a "third way" different from the European and American models, but this mixed succession also brings considerable difficulties to conceptual differentiation and rights construction.

1.2 The boom of the digital economy has led to the mixing of information and data

In today's era, the digital economy has become a new driving force for the economic development of various countries. Big data continues to stimulate business model innovation, continuously give birth to emerging business formats, and become an important driving force for promoting business innovation and value-added and enhancing the core value of enterprises in emerging fields such as the Internet. As a driver of the expansion of the digital economy, data becomes a new economic resource for creating and capturing value. In less than a year since November 2019, the central government has issued three important documents in a row, clearly identifying data as a basic factor of production, emphasizing the need to accelerate the cultivation and development of the data element market, improve standards and measures such as data ownership definition, open sharing, and transaction circulation, and give play to the value of social data resources. At the same time, disputes over data ownership and usage rules caused by the increase in the economic value of data have also emerged. Perhaps, as scholars say, network governance has evolved into data governance in stages, and it will probably continue for quite some time.

However, due to the lack of a clear definition of data and related concepts, data and information are often mixed in terminology and unclear in their attributes. According to incomplete statistics, at least 19 laws and 627 departmental rules alternately use "personal information" and "data" in the same text, while 6 laws and 101 departmental rules contain "privacy", "personal information" and "data" at the same time. In addition, there are various views on the relationship between "personal information" and "personal data". Some scholars believe that personal information is personal data and that the difference lies only in the title, some using "personal data" and others "personal information". Some scholars believe that "personal information" is different from "personal data", or that the extension of "personal information" is narrower than that of "personal data", and personal information is only the part of data that can identify a specific natural person. Although some scholars have noted the conceptual distinction between the two, the impact on legal theory and the normative system should be further explored. In judicial practice, the mixed use of "information" and "data" has become the norm. For example, in the civil ruling of the "Touteng War", terms such as "personal information", "personal data", "sensitive information", "user data", "user information", "user personal information and other data" and "user personal information" were used confusingly to refer to the same content.

It should also be noted that the complete indiscriminate use of data and information in comparative law is also an important reason for the above-mentioned mixing. As mentioned above, although Germany has developed an institutional structure for the protection of personal information with the right to self-determination as the core, its basic legislation is called the Federal Data Protection Act. This practice of "protecting personal information in the name of data protection" also exists in EU law. Article 4(1) of the GDPR defines "personal data" as "information relating to an identified or identifiable natural person ('data subject')". This way of defining data as information further exacerbates the mixing of the two and is not desirable.

2. Legal regulatory difficulties arising from the mixed order situation and their resolution

2.1 Legal regulatory difficulties caused by the mixed order situation

The definition of the relationship between privacy, information and data is the premise and starting point for building individual rights in the digital age, but the existing mixed order has blurred the boundaries between the three, causing many misunderstandings and difficulties in legislation. Recent research on personal information rights and data ownership has been voluminous, but it is often specious or attributes one research subject to another (the idiom "Zhang Guan Li Dai", putting Zhang's hat on Li's head). For this reason, scholars inevitably spend a lot of ink and space clarifying themes and issues, and the resulting views can be described as "varied", so that it is difficult to reach a consensus. Under the vigorous publicity of news reports and public opinion, the public is prone to form the habit of thinking that "personal information = privacy", believing that whenever a platform involves or processes personal information in providing products and services, it infringes on privacy, so that platforms risk "getting blamed at every turn". This ambiguity is exacerbated by the fact that many digital business platforms regulate the processing of personal information in the name of a "privacy policy" rather than a "personal information protection policy". At present, this confusion of privacy and personal information, confusion of various types of personal information, and indiscriminate mixing of personal information and data are conducive neither to accurately regulating the processing of personal information nor to promoting the reasonable use of personal information and the lawful and orderly flow of data, which will inevitably bring adverse impacts to economic and social development.

In the history of conceptual development, the so-called "personal data" of the EU, that is, personal information, has indeed developed from the right to privacy, and many human rights conferences held in Europe in the 1970s recognized the privacy risks caused by large-scale processing of data by computer technology. Nevertheless, data in the strict sense cannot be simply equated with personal information or privacy. There are inherent contradictions in the use of privacy, information and data, which leads to deviations in the setting of rights and to the dual difficulties of rights protection and legal argumentation. In judicial practice, plaintiffs often file lawsuits on the grounds of infringement of privacy and personal information at the same time, and the court must take the trouble to reason repeatedly and argue separately the substantive grounds that constitute or do not constitute infringement, which adds a great burden of thinking.

Indiscriminately confusing information and data also leads to attending to one at the expense of the other in the design of rights, leaving the relevant personality rights and property rights entangled, so that the key question for the construction of data property rights, namely whether data can become the object of property rights, cannot be clearly answered. There are many views that enterprises cannot control personal data and that controlling data is controlling privacy, which leads to the misunderstanding that personal data cannot be traded and makes it difficult to construct a data property rights system. This not only affects the establishment of data utilization, data sharing and data transaction rules and fails to meet the development demands of the data element market, but is also not conducive to the protection of personal information. As a result, utilization is not promoted and protection cannot be implemented.

2.2 The basic thinking framework for solving difficult problems: the distinction between rights and the object of rights

As mentioned earlier, computational jurisprudence did not come out of nowhere; the theories of traditional jurisprudence nourish the growth of emerging jurisprudence. Specifically, in order to clearly distinguish privacy, information and data in the discourse of rights, we should follow the distinction between the object of rights and the rights themselves in traditional rights theory, so as to establish a correct thinking framework.

The worldview of the subject-object dichotomy constitutes the starting point of the entire legal order, and the traditional theory of rights also unfolds from it. In the strictest sense, the so-called object of rights (Rechtsobjekt) refers only to anything other than the subject of rights that can become the object of legal dominance (Gegenstand). However, this understanding is obviously based on rights of domination such as property rights, and does not naturally include personality rights that are closely related to the subject itself, and privacy, information, and data are precisely related to the latter to varying degrees. In fact, personality rights, like property rights and other rights of domination, belong to the category of absolute rights; apart from the major differences in macro value concepts and micro system design, personality rights should share a similar logical structure with other typical absolute rights such as property rights. Since it is recognized that personality rights are a type of right, understood as the right of the subject of rights to be respected as a human being and not to be infringed by others, there is no need to adhere to the traditional concept of the object of rights based on the right of domination, and personal interests should be included in the scope of the object in the sense of what the right "points to" or "involves". It is for this reason that our doctrine also understands personality (interests) as the object of rights or legal relations. Accordingly, privacy, information and data can be classified as objects of rights, while the rights to privacy, personal information and personal data that exist or may exist above the three belong to the rights themselves.

The significance of this distinction is to clarify what exactly is the object of the right holder's disposal or of infringement by others. This is often overlooked, intentionally or unintentionally, in the discourse on rights to privacy, information and data. In a general sense, objects of rights can be divided into first-order objects of rights (Rechtsgegenstände erster Ordnung) and second-order objects of rights (Rechtsgegenstände zweiter Ordnung), corresponding to the object of domination (Herrschaftsobjekt) and the object of disposition (Verfügungsobjekt), respectively. The former mainly include objects and intangible objects on which a right of domination or use can be established against third parties, such as spiritual works, inventions, names or trademarks. The latter are rights or legal relationships, such as property rights, claims as the object of assignment, and contractual relationships that can be transferred to others. With a slight adjustment and extension, this division can be transferred to privacy, information and data, and to the rights that exist or may exist on top of them. That is, on the one hand, although privacy and information cannot be controlled because they belong to personal interests, these two, together with data, still belong to the object directed or related to the right. On the other hand, although personality rights cannot be freely disposed of like property rights such as property rights and creditors' rights, the right holder still enjoys the authority to dispose (Dispositionsbefugnis) within the scope permitted by the legal order, so that personality rights become the object of disposal. In fact, what can be violated by others is not the privacy, information and data themselves, but the rights that exist or may exist on them.

The orderly presentation of privacy, information and data as objects of rights

According to this analysis framework, the following first clarifies the relationship between privacy, information and data as the object of rights, and then constructs the individual rights system in the digital age on this basis. As far as the object of rights is concerned, since personal information is at the center of the relationship between the three, the relationship between personal information and privacy and the relationship between personal information and data should be discussed separately, so as to clearly reveal the difference and connection between the three. In this way, we can completely get rid of the previous chaotic situation, so as to present the most important objects of rights in the digital age in an orderly manner.

1. The relationship between privacy and personal information

So, as objects of rights, what is the relationship between privacy and personal information? Paragraph 2 of Article 1032 of the Civil Code stipulates that "privacy is the tranquility of a natural person's private life and the private space, private activities and private information that he or she does not want others to know". This "1+3" model of "tranquility of private life" and "private space, private activities, and private information" is the basic definition of privacy in the current law. As for personal information, the current law has more than once adopted legislative definitions, and there are significant changes in form. Paragraph 5 of Article 76 of the Cybersecurity Law, Paragraph 2 of Article 1034 of the Civil Code and Paragraph 1 of Article 4 of the Personal Information Protection Law address the same matter, and none is a special or general provision relative to the others, so under the rule of precedence of the new law established in Article 92 of the Legislation Law, Article 4, Paragraph 1 of the Personal Information Protection Law mainly governs. According to this, personal information is "all kinds of information relating to an identified or identifiable natural person recorded electronically or otherwise", but "does not include anonymized information". In addition, the provisions of Article 76, Item 5 of the Cybersecurity Law and Article 1034, Paragraph 2 of the Civil Code can also be used as important references, especially since the specific enumeration of personal information in these two provisions does not go beyond the scope of Article 4, Paragraph 1 of the Personal Information Protection Law. Accordingly, personal information mainly includes but is not limited to the name, date of birth, ID number, biometric information, address, telephone number, email address, health information, whereabouts information, etc. of natural persons. So the question is, which of this personal information is private information within privacy? Is there pure personal information that is not private?

1.1 General distinction between privacy and personal information

Before turning to private information, it is necessary to conduct a general discussion on the criteria for distinguishing privacy from personal information. As mentioned above, paragraph 2 of Article 1032 of the Civil Code adopts the "1+3" legislative model, defining privacy as "the tranquility of private life and private space, private activities and private information". But in fact, privacy is very hard to define, and the so-called "1+3" legislative model is only a relatively abstract enumeration. In essence, "the distinction between the public and private spheres is at the heart of the construction of privacy law." Private space can also be called the "private sphere"; it belongs to static privacy and is a closed, independent space reserved by individuals and isolated from public space, including both physical space and network virtual space. Private activities can also be called "private affairs"; they belong to the category of dynamic privacy and refer to activities that a person is unwilling to have known by others (hidden) and that have nothing to do with the interests of others or social interests (private), mainly including personal family life, social communication and other affairs. Compared with the first two, the tranquility of private life is more general and highly abstract: it is a stable and quiet, undisturbed, self-determined state of life, and serves as the catch-all category of privacy. It can be seen that, despite differences in specific meaning and scope, matters related to private space, private activities and the tranquility of private life are independent factual states and do not depend on the form of information.

In contrast, personal information is not equivalent to the state of fact itself, but exists in the form of information that expresses the facts. If privacy is hard to define, then defining information is even more difficult. Among the various complex concepts, the most basic and generally accepted definition is that information is a description of the state of a system (Aussagen über den Zustand eines Systems), which can reduce or eliminate uncertainty (Unbestimmtheit/uncertainty). Here, a system is characterized by filtering out a collection of multiple elements from a certain whole and connecting these elements to each other. If we exclude pure thinking systems, we can also say that systems are fragments of reality. The state of the system is especially embodied in structure, that is, the way multiple elements make up the system and the collection of relationships between the elements, which, although abstracted from a concrete system, can be transferred to other systems. So, as a description of the structure of a system, information can be used to refer to multiple systems. It can be seen that although information is abstracted from real, concrete, and specific systems, it often has a certain degree of universality, which distinguishes it from the specific system itself. If one does not stick to a typical physical system and instead recognizes that the matters involved in private space, private activities, and the tranquility of private life, as states of fact, are also special reality systems, then privacy is at a completely different level from personal information as a description of the state of the system.

Furthermore, the important characteristic of personal information is its direct or indirect identifiability, which determines its function of establishing the basis for social interaction between people, and it therefore differs from privacy, whose purpose is to build the private sphere. As mentioned above, Article 4.1 of the PIPL departs from Article 76.5 of the Cybersecurity Law and Article 1034.2 of the Civil Code by defining personal information based on relevance, but the resulting distinction should not be exaggerated. On the one hand, paragraph 1 of Article 4 of the PIPL still retains the requirement of identifiability in the definition, but does not directly base it on the information involved. On the other hand, this paragraph excludes "information that has been anonymized", and according to Article 73, Paragraph 4, anonymization needs to achieve the effect of "not identifying a specific natural person". Therefore, if the scope of personal information is expanded by the obvious breakthrough of relevance, anonymization, as a negative element, restricts it from the opposite side, thus re-establishing the core position of identifiability. The key to this is that personal information is the basis of normal social activities and social interactions. In the case of the telephone numbers listed in Article 1034, paragraph 2 of the Civil Code, many people take it for granted that these are private because they fear that the leakage of phone numbers will cause harassment. In fact, the function of mobile phone numbers from the outset has been to meet the need for social communication. No one promptly locks a mobile phone number obtained from the telecommunications department in a safe to guard it tightly; on the contrary, the number is shared as personal information in order to promote social communication.

In short, the position of the law on personal information and on privacy protection is completely different. The main value of personal information lies in identifiability in social interactions; its function is to serve as the basis of normal social activities and social interactions, and it acts as the medium through which an individual interacts with others and with society. Simply put, information does not exist in the world to be protected, but rather to be used. Privacy is different: its aim is to protect the person's solitary life and to draw reasonable boundaries for this purpose. Personal information is both private and social, and the latter aspect is more prominent in the information age, while privacy is only private. In fact, Article 1032, Paragraph 2 of the Civil Code, which takes "tranquility in private life" as the baseline of privacy, clearly indicates that the privacy system aims to protect private interests that are not known to others, so as to ensure an individual's stable and quiet life, undisturbed living conditions and spiritual peace. Therefore, the aforementioned name, ID number, home address, telephone number, e-mail address, etc., which identify a natural person, do not constitute privacy but are purely personal information.

Of course, it must be emphasized that claiming that the aforementioned personal information does not constitute privacy does not mean that such information is completely unprotected by law. The main reason why the public confuses privacy and personal information is the worry that if mobile phone numbers, home addresses, etc. are not included in privacy, they will not be protected by law. In fact, separating personal information from privacy does not mean that it is unprotected; it is simply no longer protected according to privacy standards, and under the right to self-determination of personal information the consent of the information subject must be obtained before personal information can be used. Given the provisions of the PIPL on personal information processing rules, the various rights of information subjects, the various obligations of processors, the administrative supervision organs and their functions and powers, and the various legal liabilities, it is entirely possible to provide more comprehensive protection for information subjects. In the final analysis, we should clearly distinguish between privacy and personal information conceptually, and get rid of the misunderstanding that privacy "covers the world" as soon as possible.

1.2 Private information is a projection of privacy on information

The general distinction between privacy and personal information discussed above concerns only the matters involved in private space, private activities, and the tranquility of private life as a de facto state, and does not directly touch on private information, a hybrid form that integrates privacy and personal information. Against the background of the rapid development of today's automated processing technology, "privacy informatization" and "information privacy" have become two prominent trends, resulting in the continuous enrichment of the scope of private information, and information privacy has expanded the boundaries of traditional privacy. Once privacy other than private information is characterized as the state of fact itself, and personal information is understood to include (but not necessarily be limited to) the description of the state of fact, it is not difficult to see that privacy and personal information do not simply intersect on a plane, but lie at completely different levels in three dimensions. Because of this, private information is not merely the overlapping part of privacy and personal information, but the projection of privacy, which lies at the fact level, onto the information layer. In other words, private information is the informational expression of private facts such as private spaces, private activities, and private parts.

Figure 1 Relationship between privacy, personal information, and private information

Viewed from the personal information side, there is a difference between private information and non-private information. The latter, such as the name, ID number, home address, telephone number, e-mail address, etc. of natural persons, is mainly used to meet the needs of social communication. The former, such as a natural person's whereabouts information, health information, sexual orientation information, intimate part information, etc., is closely related to private facts such as the natural person's whereabouts, health status, sexual orientation and intimate parts, so it lies in the private domain of the individual and should be protected to a higher degree. Not only that, but private information should fall into the realm of sensitive information. For the latter, paragraph 1 of Article 28 of the PIPL stipulates that "sensitive information refers to personal information that, once leaked or illegally used, is likely to cause infringement of the personal dignity of natural persons or endanger personal or property safety", and private information meets this standard. This will have a significant impact on the normative application of private information.

2. The relationship between personal information and data

Let's look at the relationship between personal information and data. Etymologically, data (Datum) is that which exists, so in this sense any object is data; information, on the other hand, literally refers to the impression left by an object on the observer. Introducing the observer into the definition seems to dissolve the objectivity of information, but if we strictly distinguish between latent information and factual information, and limit the concept of information mainly to the former, the contradiction can be eliminated. Latent information is all the statements necessary to describe the state of the system, without requiring a particular observer to actually make these statements; the certainty of the system is thus certainty for potential observers, for which no specific observer is required. As understood today, especially in the modern semiotic sense, information contributes to the growth of human knowledge and therefore has a semantic meaning (semantische Bedeutung), while data is the syntactic representation of information in symbols (syntaktische Repräsentation). Taking a paper book in the analog world as an example, the text printed in the book is data, the reader obtains information by interpreting the text, and the book itself is the physical carrier of the data. Digitization, on the other hand, means converting analog information into data form, though not into just any form of symbolic information storage, but specifically into the binary symbols used by computer systems. Therefore, in the digital age, we can say that data is read by machines, and information is read by people.

Information and data are interdependent, a relationship that can be described as that between "orange flesh and orange peel", but their closeness does not make them indistinguishable, and distinction does not mean separation. In fact, the process of formulating the General Provisions of the Civil Code made clear the position of distinguishing between information and data. Paragraph 2 of Article 108 of the General Provisions of the Civil Code (Draft for First Deliberation) generally adopted the expression "data information" and stipulated it as an object of intellectual property rights together with works, patents, trademarks, etc. However, strictly speaking, even if rights should be established over personal information and data, they differ essentially from intellectual property rights, so it is difficult to treat "data information" as an object of intellectual property rights without distinction. The General Provisions of the Civil Law (Draft and Second Reading Draft) immediately changed its stance and split "data information" into personal information and data, which were specifically stipulated in Articles 109 and 124 respectively. This clearly differentiated position was carried over, through the formally adopted General Provisions, into the General Provisions of the Civil Code, which provides for personal information in article 111 and data in article 127, clearly indicating the pattern in which the legislator assigns information and data to personality rights and property rights respectively. On this basis, the definitions of personal information and data in the current law further point out the difference between the two: Article 4.1 of the PIPL stipulates that personal information shall be "recorded electronically or by other means" as a formal requirement, while Article 3.1 of the Data Security Law defines data as "recording information by electronic or other means". According to this, the relationship between data and information is the relationship between the record and what is recorded, or rather, between form and content. This provides a solid normative basis for the conceptual distinction between information and data.

In short, information is content, knowledge, etc., and its function is to resolve uncertainty; data is the form, the carrier through which information is expressed. Or, in the semiotic sense, information is in the semantic (content) layer and data is in the syntactic (symbolic) layer. In this regard, the two are at different levels, and the difference between them is very obvious. Of course, information and data are two sides of a closely integrated body, like "orange peel and orange flesh": we must distinguish information and data, but cannot separate them. The purpose of the distinction is to regulate them by category and to attach different types of rights to them. At the same time, because the two are closely related, the personal information carried by data must be considered when the data is used, and only data carrying anonymized and de-identified information can enter circulation. Most use of data carrying personal information is carried out in a "usable but invisible" manner through open API interfaces. This is the normative position that information and data should be distinguished but not separated.

The differential pattern of individual rights in privacy, information and data

As mentioned above, the tranquility of private life and private facts such as private space and private activities are at the factual level; personal information, as a description of the factual state related to the individual, is at the content level; and private information is an informational description of private facts. Unlike personal information, which is at the content layer, personal data is at the symbol layer as the carrier of personal information. Having thus clarified the relationship between privacy, personal information and data as objects of rights, we can further examine the rights themselves, so as to construct the differential pattern of the individual rights system in the digital age.

1. Differentiated protection of privacy rights and personal information rights

In the current law, the distinction between privacy and personal information protection is a foregone conclusion, and the key lies in how to accurately demarcate the two rights. There is no doubt that a specific personality right should be established for individuals over privacy; the key questions are whether rights can be created over personal information, what the nature of such rights is, and how the norms apply to private information.

1.1 Proof of personal information rights: based on comparison with privacy

To prove the right to personal information, it is useful to start by comparing it with the right to privacy. In Chinese law, the right to privacy has undergone a long process of exploration and evolution, which can be roughly divided into three stages. The first stage is the partial protection of privacy through the right of reputation. The General Principles of Civil Law, known as the "Declaration of Civil Rights", do not provide for the right to privacy, but this does not mean that privacy was completely unprotected by law in judicial practice, because Article 140 of the Mintong Opinions and the Supreme People's Court's Answers to Several Questions Concerning the Trial of Cases Involving the Right to Reputation include some acts of infringement of privacy within the scope of the right to reputation. The second stage is the direct recognition of privacy as an independent personality interest. Paragraph 2 of Article 1 of the Judicial Interpretation on Compensation for Moral Damage classifies the situation of "violating the public interest or social morality and infringing on the privacy of others" as a cause of compensation for moral damage, thereby recognizing privacy as a personal interest independent of the right to reputation and providing relatively comprehensive protection. Before that, legislation in special areas such as the Law on the Protection of Minors and the Law on the Protection of Rights and Interests of Women had already confirmed this. The third stage is to enshrine the right to privacy in legislation. This concept was first embodied in the amended Law on the Protection of Rights and Interests of Women, while Article 2, Paragraph 1 of the Tort Liability Law provided for the right to privacy for the first time in the basic civil law, from the perspective of the object of protection. The 2017 General Provisions of the Civil Code positively confirmed "privacy" as a specific type of personality right, and then the personality rights part of the Civil Code in 2020 refined the "right to privacy" into a "1+3" model. It can be seen that it is often not easy for a legally protected status to become a right, and that rights go through a process of development.

For this reason, the question of whether rights can be created over personal information is highly controversial in doctrine. From the perspective of the legislative process and the current provisions, the jury is still out. Article 111, Paragraph 1 of the General Provisions of the Civil Code and Article 1034, Paragraph 1 of the Personality Rights Series both stipulate that "personal information is protected by law", so it can at least be determined that there is a legally protected status over personal information. Whether it can be elevated to a civil right is unknown. The expression "right to personal information" once appeared in the draft of the Personality Rights Compilation of the Civil Code, but it was quickly deleted and replaced with the expression "Privacy and Personal Information Protection" in Chapter 6 of the Personality Rights Part of the Civil Code. In the subsequent personal information protection legislation, the recognition that civil rights and interests exist over personal information never changed, and it is finally reflected in Article 2 of the Personal Information Protection Law, that is, "the rights and interests of natural persons in personal information are protected by law, and no organization or individual may infringe on the rights and interests of natural persons' personal information". But the question is, what exactly are "rights and interests"? Does the legally protected status of personal information constitute a civil right?

The author maintains that a right to personal information should be established for individuals, but this right is not an absolute right with a clear boundary like the ownership of things; it is a framework right (Rahmenrecht) with relatively unclear boundaries. Since such rights do not have a clearly defined scope of protection and whether they have been infringed needs to be determined on a case-by-case basis, they are also referred to as "incomplete" absolute rights. In this sense, the right to personal information has a similar structure to the right to privacy. From the perspective of the provisions on privacy and personal information protection themselves, there seems to be a big difference between the two. For the right to privacy, Article 1033 of the Civil Code enumerates in detail the specific forms of various infringements, with the exception of "otherwise provided by law or expressly agreed by the right holder"; Article 1036 of the Civil Code and Article 13, Paragraph 1 of the Personal Information Protection Law, however, provide various exceptions for the protection of personal information, which indicates that the intensity of protection of personal information and privacy is different. However, if we turn our attention to the legal application of personal information protection, the picture changes, especially in light of Article 998 of the General Provisions of the Personality Rights Part of the Civil Code on the determination and assumption of responsibility for moral personality rights. That article openly lists the elements that should be considered in determining tort liability for infringement of personality rights other than the right to life, the right to body, and the right to health, including but not limited to "the occupation, scope of influence, degree of fault, and purpose, method, and consequences of the actor and the victim", and obviously adopts the normative technique of a dynamic system. This article applies not only to moral personality rights such as privacy, but also to the protection of personal information. Whether personal information is to be protected must be determined in each case by weighing the aforementioned factors. Therefore, from a structural point of view, the right to privacy and the right to personal information are undoubtedly framework rights.

However, the difference between the right to personal information and the right to privacy is also obvious. Although both belong to personality rights, in principle the right to privacy only has the function of passive defense, while the right to personal information has the dual functions of passive defense and active use, because personal information can be used commercially. There was controversy in the legislative process about whether the right to privacy could be used commercially, but the mainstream view denied it and was endorsed by the legislature. This is especially reflected in the current law: the provisions on privacy in the second sentence of Article 1032 of the Civil Code are mainly expressed by the enumeration of behavioral prohibitions, that is, "no organization or individual may infringe on the privacy rights of others by spying, harassing, leaking, disclosing or other means", while Article 1033 concretizes the specific forms of infringement. This is not the case with the right to personal information. Although Article 111, Paragraph 2 of the Civil Code and Article 10 of the Personal Information Protection Law also enumerate in detail the prohibitions on acts related to the protection of personal information, the provisions on the basis of legality and the grounds for exemption from liability, such as Article 1034, Paragraph 1 and Article 1035 of the Civil Code and Article 13 of the Personal Information Protection Law, are obviously premised on not opposing or even encouraging the processing of personal information within a reasonable range. In addition, the explicit provisions of Article 999 of the Civil Code on the reasonable use of personal information, and Article 1 of the Personal Information Protection Law, which takes "promoting the reasonable use of personal information" as a legislative purpose, clearly recognize that personal information has more legislative value than privacy protection.

Back to the question of whether a right to personal information should be granted to individuals. Since the establishment of a personality right over privacy has been confirmed by legislation after a long process of exploration and evolution, it is all the more important to upgrade the legal status of personal information to a civil right, because, unlike privacy, which only has a passive defense function, personal information can also be actively used. In particular, establishing a right over personal information does not hinder the use of information. First, only by establishing rights over information can a scientific system be designed, so as to promote the healthy and orderly use of information; second, the right to personal information is only a framework right, and specific uses can still be excluded from infringement through trade-offs in individual cases. Moreover, the Personal Information Protection Law does not regulate all forms of personal information processing activities, but is subject to certain restrictions. On the negative side, paragraph 1 of Article 72 of the PIPL excludes the situation where "natural persons process personal information for personal or family affairs". On the positive side, the protected personal information should also meet specific formal requirements, namely "recording electronically or otherwise" as stipulated in Article 1034, Paragraph 2 of the Civil Code and Article 4, Paragraph 1 of the Personal Information Protection Law. This also has important implications for the normative application of private information.

1.2 Normative application of private information

As mentioned earlier, private information is an informational expression of matters related to private spaces, intimate activities, and the tranquility of private life. Its particularity lies in this: on the one hand, such information is private, so it falls within the scope of privacy protection; on the other hand, it exists in the form of information and should be protected by law as personal information. For its normative application, paragraph 3 of Article 1034 of the Civil Code specifically stipulates that "the provisions on privacy rights shall apply; If there are no provisions, the provisions on the protection of personal information shall apply." However, it should be made clear that this article aims to solve the problem of competing norms between privacy and personal information protection. The Civil Code protects the right to privacy to a higher degree than the right to personal information. For example, as far as consent as a cause for exemption is concerned, the requirement for privacy in Article 1033 is "explicit" consent, while there is no "explicit" requirement for the consent of the information subject in the provisions on personal information protection in Article 1035, paragraph 1, item 1, so the provisions on privacy should take precedence. In this regard, the purpose of Article 1034, paragraph 3, which establishes the applicable rule that gives privacy provisions precedence over the protection of personal information, is to improve the protection of private information.

However, after the implementation of the Personal Information Protection Law, because the law limits the scope of the right to personal information and adds many provisions to strengthen protection, whether the provisions on privacy in the Civil Code can be applied with priority should be further examined in light of the specific provisions. First of all, paragraph 1 of Article 72 of the PIPL excludes the situation where "natural persons process personal information for personal or family affairs"; within this scope, the provisions on personal information protection do not apply to private information, and only the privacy system can be resorted to. Secondly, there is the question of whether, as to the form of consent of the right holder, the provisions on the right to privacy can apply in full to the exclusion of those on personal information protection. Since Article 14, Paragraph 1, Sentence 1 of the PIPL generally requires that consent should be given "explicitly", which is fully consistent with the requirements of Article 1033 of the Civil Code, it is not unavoidable to continue to apply the privacy provisions in this regard. However, Article 29 of the PIPL further requires "separate" consent for sensitive information, and private information should also fall under the category of sensitive information because it is private, so the provisions on "separate" consent for sensitive information should be directly applied to achieve a higher degree of protection. In addition, Article 69, Paragraph 1 of the PIPL sets the principle of attribution of tort liability as a presumption of fault, but the Civil Code has no similar provision on privacy, so in this regard, the provisions on personal information protection should take precedence.

In summary, although Article 1034, paragraph 3 of the Civil Code stipulates that "the provisions on privacy shall apply to the private information in personal information; If there are no provisions, the provisions on the protection of personal information shall apply", it cannot be assumed that, in applying the law to private information, the provisions on privacy necessarily take precedence over those on the protection of personal information. As analyzed above, privacy and information are at different levels; private information is not the intersection of privacy and information on a plane, but the product of privacy projected onto personal information (see Figure 1). Private information is therefore both information and privacy: it is subject both to the privacy provisions and to the provisions on the protection and use of information, and the competition between the two sets of norms should be resolved specifically according to the normative purpose of strengthening the protection of private information. Only when the privacy provisions are more protective can they take precedence; otherwise the provisions on the protection of personal information shall apply.

2. The coordinated coexistence of the right to personal information and the ownership of personal data

As mentioned above, the right to personal information is a typical framework right. Although it belongs to the category of personality rights, it carries both the personality interests of the information subject and the property interests arising from the commercial use of personality elements, so it has the dual functions of passive defense and active use. However, the right to personal information alone cannot fully express the system of individual rights in the digital age, and personal data ownership should also be created for data containing personal information.

The difference between the right to personal information and the ownership of personal data mainly lies in the different nature of the two rights: the right to personal information belongs to the category of personality rights, while the ownership of personal data should be classified as a property right. This conclusion is based on the law in force. From the perspective of systematic interpretation, the provisions on personal information in Article 111 of the Civil Code are located between the provisions on specific personality rights in Article 110 and the provisions on identity rights in Article 112, and the specific provisions on personal information protection in Articles 1034 to 1039 are listed in the fourth part of the Personality Rights Series, from which the personality rights attributes of personal information rights can be derived. Although personal information can be used commercially, this is only the property content contained in personality rights, and does not change its basic positioning as a personality right. In contrast, the provisions on data in Article 127 of the Civil Code do not fall into the normative context of personality rights, and data is juxtaposed with virtual property, thus providing a normative basis for data to become the object of property rights. Therefore, although Article 127 seems to be a simple declaratory provision, its significance is not limited to an intentional gap left by the legislature; it reveals the property interests over data and their legally protected status, thereby providing important guidance for the construction of a normative system for data property rights in the current law and in future data legislation. In this way, at the level of information and data as objects of rights, a binary construction of individual rights over information and data in the digital age has been formed.

One of the reasons why data ownership is attributed to individuals is that such data carries personal information. Strictly speaking, whether data is personally relevant does not depend on the data itself, but on the information it carries, so usually only data that carries personal information is personal data. In order to strengthen the comprehensive and three-dimensional protection of personal information, it is necessary to extend individual rights from the content layer to the symbol layer by giving data ownership to individuals. On the other hand, this further reveals the logical and factual basis for confirming data rights: the data in which personal information is recorded originates from an individual's online behavior (whether searching, browsing, or online consumption), and the property interests arising therefrom should belong to the individual, so it is necessary to establish personal data ownership over such data. The main significance of establishing the ownership of personal data is twofold: first, it requires information processors (mostly platform enterprises) to obtain data usufruct rights on the premise of obtaining the authorization of individuals; second, it provides the legitimate premise for all netizens, as individuals, to participate in the distribution of data dividends. However, it must be emphasized that although the ownership of personal data is called "ownership", it is not traditional ownership, which exists over tangible things with absolute domination and exclusive effect; rather, it is structurally isomorphic with the right to personal information and is likewise a framework right. The isomorphism of the two rights stems from the close "orange peel and orange flesh" correlation of their subject matter. According to Article 4, Paragraph 1 of the Personal Information Protection Act and Article 3, Paragraph 1 of the Data Security Law, etc., personal information is presented in the form of "electronic or other records", while data is "recorded electronically or otherwise recorded information". From the perspective of the right to personal information, this in effect limits the scope of personal information by means of data; from the perspective of personal data ownership, it provides an attribution basis for personal data ownership through the personal relevance of information. In this way, the normative position of "distinguishing but not separating" is realized, so that the two cooperate with each other and a balance can be found between the protection and use of personal information and data.

In fact, the binary structure in which the right to personal information and the ownership of personal data stand side by side is an inevitable corollary of the strict distinction between information and data at the object level. Although the current law does not always strictly distinguish between information and data, the meaning of the word "information" is relative: it can refer both to semantic information, that is, information in the sense of personal information, and to syntactic information, that is, data, and on this basis the understanding of existing provisions can be deepened. According to Article 1037 of the Civil Code and Chapter IV of the Personal Information Protection Law, the right to personal information includes the rights to informed decision-making, access, copying, portability, objection, correction, refusal, deletion, etc. However, from the standpoint of strictly distinguishing between information and data, the above powers often refer not only to personal information as such, but may refer to personal data, or to both personal information and personal data. Taking the right to informed consent as an example, whether the consent is an exercise of the right to personal information or of ownership of personal data depends on the specific content of the authority granted. In the case of authorized disclosure, since the object of disclosure is personal information, but disclosure must be realized by reading personal data, it is the simultaneous exercise of the right to personal information and the ownership of personal data. In contrast, authorizing automated decision-making is an exercise of ownership of personal data, because in automated decision-making a machine reads and processes the data without the direct involvement of a human person. Another example is the right to portability, which is entirely a content of personal data ownership and does not directly involve the right to personal information, because it requires the processor to support the transfer of personal data in a machine-readable manner; although the data to be transferred carries personal information, the latter is not presented in a human-readable way during the simple transfer process. This once again demonstrates the difference and connection between the right to personal information and the ownership of personal data.

Finally, the importance of establishing ownership of personal data lies, inter alia, in the creation of usufruct rights for businesses as processors on this basis. If only the right to personal information is recognized, or the ownership of personal data is absorbed into it, then the biggest theoretical obstacle to the empowerment of data enterprises is that personal information is a personality element, which carries the personality interests of natural persons, and therefore cannot become an object dominated by others. As a result, it is impossible to create data rights with direct control and exclusive effect within an appropriate scope for data enterprises. On the contrary, if personal information and data are strictly distinguished at the level of the object of rights, and the right to personal information and the ownership of personal data are created separately for individuals, the usufruct rights of enterprise data can be separated from the latter based on the idea of separation of rights. In this regard, the distinction between the right to personal information and the ownership of personal data is not a simple reproduction of the real world, but a technical construction of individual rights in the normative world based on the distinction between information and data.

Epilogue

Law aims to create a just social order, and it is the function of law to achieve justice and create order. But to achieve justice, clear and orderly jurisprudential concepts must be used as analytical tools. Privacy, information and data are located at the factual, descriptive/content and symbolic levels respectively, and three different framework rights should be set on top of the three objects: privacy, personal information rights and personal data ownership. In this way, the chaotic order of privacy, information and data in the current discourse on rights can be eliminated, and the individual rights system in the digital age can be recreated on the basis of the orderly presentation of the object of rights, so as to form a differential pattern of privacy, personal information right and personal data ownership. In short, only a clear distinction between privacy, information and data can resolve the legal regulatory problems caused by the mixed order. Let each of the three take its place, so that each can show its talents. For the sake of intuition, the main conclusions obtained in this paper are shown in the following table.

Table 1 Differential pattern of privacy, personal information right, and personal data ownership

| Name of Right | Object of Rights | Level | Nature of Rights | Interest Content | Positioning capabilities |
| --- | --- | --- | --- | --- | --- |
| Privacy | Privacy | Factual level | Personality rights | Personality interests | Passive defense |
| Right to Personal Information | Personal information | Description / content level | Personality rights | Personality interests; Property interests | Passive defense; Active use |
| Personal Data Ownership | Personal data | Symbolic level | Property rights | Property interests | Passive defense; Active use |

As concepts of order in computational jurisprudence, privacy, information and data all have the dual significance of system construction and normative application, and the topics involved are not limited to the normative system of individual rights in the digital age, but also have broader application space. If this level of differentiation is used as a basic analytical tool, it can actively deal with many difficult legal issues arising in the digital age, promote the healthy and orderly development of the digital economy, and advance the scientific development of computational law.

The original article was published in the 3rd issue of "Political and Legal Forum" in 2022. Thanks to the WeChat public account "Political and Legal Forum" for authorizing the reprint!