[author]Cheng Xiao
[content]
On the Attribution and Legal Protection of Economic Interests in Personal Data
Cheng Xiao
Professor, Law School, Tsinghua University
Abstract:Whether the economic interests of personal data belong to natural persons and how to protect and realize the interests in law is one of the core issues in the establishment of the data property system in China.Personal information and personal data have the relationship of two sides of the same coin,they are both objects of personal information rights and interests,rather than different civil rights objects.Under the monistic protection model of personality rights adopted by Chinese law,personal information rights and interests protect both the spiritual interests enjoyed by natural persons against personal information(or personal data)and the economic interests enjoyed by natural persons against personal data(or personal information).It should not be assumed that economic interests in personal data can only be attributed to the processor,and there is no need to create a separate right of ownership of personal data to protect the economic interests of natural persons in respect of personal data.Individual consent and license are two forms for natural persons to realize economic interests in personal data based on personal information rights and interests,which have different nature and legal effects and are applicable to different personal data transaction scenarios.Personal information rights and interests have a constraining effect on the property rights in corporate data.
Keywords: personal information, personal data, personal information rights and interests, data property rights
1Introduction
Personal data is one of the most important types of data. The processing of personal data in the digital society is universal. Whether it is the production and operation activities of enterprises, the performance of statutory duties by state organs, or the provision of public services by public institutions, various processing activities such as the collection, storage, processing, use, and provision of personal data are required. Personal data carries personal information. Natural persons enjoy personal information rights and interests in the processing of personal information. Such rights and interests are protected by laws such as the Civil Code and the Personal Information Protection Law. There is no doubt about this. However, there is a great controversy in the theoretical community as to whether personal data and personal information should be distinguished. The negative view is that personal information and personal data should not be distinguished, and natural persons enjoy personal information rights and interests in personal information or personal data. The affirmative view is that personal data and personal information should be strictly distinguished, but there are different views on what rights and interests natural persons enjoy in personal data: some scholars believe that natural persons enjoy personal information rights and interests in personal information, and have ownership of personal data; some scholars believe that based on the consideration of equality and efficiency, the property interests in personal data should be allocated to the processors (or producers) of personal data such as enterprises.
However, existing studies have not deeply analyzed the reasons for distinguishing or not distinguishing personal data from personal information, nor have they fully demonstrated why natural persons have ownership of personal data, and the legitimacy of allocating the economic benefits of personal data to the processor. In view of this, this article starts from the perspective of civil rights and studies whether personal information and personal data should be distinguished, whether the economic benefits of personal data should belong to natural persons, and how to achieve them. It is hoped that this can provide a reference for building a data property rights system with Chinese characteristics that fully protects personal data rights and effectively realizes the value of data elements.
2Questions about the distinction between personal data and personal information
In the discussion surrounding the rights and interests of personal data and even the construction of the entire data rights and interests system (including but not limited to data property rights), the relationship between the two concepts of "data" and "information" and "personal data" and "personal information" has always been an important point of contention. Whether scholars who advocate that the economic benefits of personal data should be completely attributed to enterprises or scholars who assert that natural persons have ownership of personal data, they all use the distinction between personal data and personal information as the starting point and premise of their arguments. However, even if it can be concluded from the perspective of information science that data and information should be distinguished, it does not mean that personal data and personal information should and can be distinguished at the level of civil rights, and they should be regulated as different objects of civil rights.
2.1Definition of Personal Information and Personal Data
Before discussing the distinction between personal information and personal data, it is necessary to first clarify their meanings. Article 1034, paragraph 2 of the Civil Code and Article 4, paragraph 1 of the Personal Information Protection Law both define "personal information". The Civil Code uses "identification" as the core element for judging personal information, that is, any information that can identify a specific natural person alone or in combination with other information is personal information. The Personal Information Protection Law adds the requirement of "relevance" to "identification", that is, in addition to information that has been anonymized, any information related to an identified or identifiable natural person is personal information. Information that is not related to an identified or identifiable natural person is usually information that cannot directly or indirectly identify a specific natural person and does not belong to personal information. Therefore, the above two definitions are not contradictory, and the scope of personal information defined is basically the same.
Personal data and non-personal data is an important data classification method. The concept of "personal data" has been accepted and used by the laws of many countries, and is also often used in my country's theoretical circles. However, my country's existing laws do not use "personal data". This concept has only appeared in some policy documents and local regulations. For example, the "Opinions of the CPC Central Committee and the State Council on Building a More Perfect System and Mechanism for Market-based Allocation of Factors" proposed: "Promote the improvement of the data classification and grading security protection system applicable to the big data environment, and strengthen the protection of government data, corporate trade secrets and personal data". As the most important and basic policy document in my country's data property rights field, the "Opinions of the CPC Central Committee and the State Council on Building a Data Basic System to Better Play the Role of Data Factors" (hereinafter referred to as "Data 20") uses the concepts of "personal information" and "personal data" at the same time, and also uses expressions such as "personal information data" and "data carrying personal information".
The definition of personal data in comparative law is similar. Article 4, paragraph 1 of the EU General Data Protection Regulation (GDPR) states: "'Personal data' means any information relating to an identified or identifiable natural person ('data subject'). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person." Section 2 (t) of India's Digital Personal Data Protection Act 2023 defines personal data as "any data about or relating to an identifiable individual." Article 1034, paragraph 2 of the Civil Code of my country and Article 4, paragraph 1 of the Personal Information Protection Law define personal information, and Article 3, paragraph 1 of the Data Security Law defines data. Combined with the above legal provisions, personal data in Chinese law can be defined as: any information related to an identified or identifiable natural person recorded electronically or otherwise.
The core of the concept of "personal data" is that it must be data related to an identified or identifiable natural person. It does not matter whether the data is produced by or comes from an individual. Some scholars refer to individuals as "data producers" or "data sources" in order to indicate that individuals are also participants in the process of data element production. However, "personal data" and "data from individuals" are not the same. Not all data from individuals are personal data, and data that is not from individuals is not necessarily not personal data. Some data is generated by machines and does not appear to be personal data on the surface, but after being processed by big data technology, it can be traced back to individuals and thus become personal data. For example, the readings collected from smart meters, because each electronic device has a unique load characteristic when powered on, the daily living habits of a specific natural person can be understood based on the power consumption, so the readings of smart meters are personal data. On the contrary, even if the data is produced by or comes from an individual, if a specific natural person cannot be identified, it does not belong to personal data. For example, pure landscape pictures, weather records, fictional novels, etc. uploaded by natural person users on the platform. Of course, in a broad sense, these data from users can be called "user data."
2.2The hierarchy and relationship between data and information
From the perspective of information science, "information" and "data" are both different and related. In theory, scholars divide information into three levels: structural information, syntactic information and semantic information. Among them, structural information belongs to the physical level and is used to carry syntactic information. Syntactic information focuses on encoding information as a character set. It is information determined by a set of characters and their relationships, or information that exists in the form of a set of characters that can be processed by information technology, such as code, text and image. Syntactic information has no meaning. It is only applicable or inapplicable, and there is no right or wrong. However, as the third layer of information, semantic information focuses on meaning. There is a distinction between right and wrong. Semantic information must be transmitted through syntactic information. Knowledge is semantic information in the human mind. The relationship between the three levels of information is: structural information carries syntactic information, and syntactic information carries semantic information. Unlike information, data has only two levels: one is data at the structural level, that is, data carrier (Datentraeger), which is the medium for storing data, such as computer hard disk, USB flash drive, etc. With the development of cloud computing technology, data can be stored in a large number of different locations far away from users, so the determination of data carriers has become less and less important. The second is data at the symbol level, that is, machine-readable coded information, which is equivalent to syntactic information. As far as data is concerned, there is no third level of information, namely the semantic information layer, because this level is already the content layer.
When expressing the relationship between data and information, the most commonly used expression is "data is the carrier of information, and information is the content of data." In this sentence, "data" refers to data at the symbol level, and "information" only refers to information at the semantic level. In terms of the relationship between data at the symbol level and information at the semantic level, information is content, and people can know something by obtaining information. Data is a form, a series of symbols used to record or carry information. Data is considered to be the carrier of information, and information is transmitted with the help of data as a carrier. Data can carry or record a variety of information, which can be personal information or any information unrelated to individuals (such as weather, hydrology and other natural information). The same information can also be stored in different data processed by different processors (such as Zhang released the same travel video he recorded on three platforms A, B and C). Information is the essential reason for the value of data. Different data processing methods can be used to discover various different information for the same data. If information cannot be mined from the data at all, the data itself has no value. Because data that does not contain any information at all is just a bunch of messy symbols or codes, which is meaningless. In the modern network information technology environment, the data at the symbol layer is composed of binary coding units, which can be stored, processed and transmitted by computers. The development of digital technology has enabled the relationship between information and data to break through the distinguishing characteristics of content and form of traditional media. The two can be freely converted in a special network environment and become one. Since data at the symbol level is completely integrated with syntactic information, data not only carries but also directly displays semantic information, which makes people gradually accustomed to referring to information as data, that is, when people say data, they often refer to semantic information. Although data in the modern network information environment is both a digital medium for information and a direct manifestation of information, it cannot be considered that data "has the dual attributes of both information entity and information medium".
Therefore, the distinction between data and information is not meaningless in law. For example, data security refers to ensuring that data is in a state of effective protection and legal use, and has the ability to ensure continuous security. Protecting the security of data can certainly protect the security of information in the data, but protecting data security alone cannot completely protect the security of information. For example, a state cadre leaked confidential information heard at work to others. At this time, he violated the "Law on Guarding State Secrets" rather than the "Data Security Law". Therefore, the realization of information security requires not only the "Data Security Law", but also other laws such as the "Law on Guarding State Secrets", "National Security Law", "Securities Law", and "Personal Information Protection Law". However, based on the distinction between information and data, it cannot be concluded that personal information and personal data are different objects of civil rights, the former is the object of personality rights and the latter is the object of property rights.
2.3Personal data and personal information should not be distinguished in civil law
For something to become an independent civil rights object, it must not only meet the objective independence requirements, but also have the necessity of being regulated by law. From the perspective of civil law, personal data and personal information are just different names for the same thing, and are not independent civil rights objects.
2.3.1Personal data and personal information cannot be distinguished objectively
As mentioned above, even if information and data are distinguished, if the content is completely isolated (i.e., information is excluded), the data at the symbolic level itself is not understandable and has no value, and there is no need to regulate it in law. From the perspective of normative purpose, civil law norms refer to information content (for example, anonymized data does not need civil law norms at the personal level). It is meaningless to stipulate that the bit form of a simple binary code is the object of civil rights. A careful study of the relationship between personal data and personal information shows that they are just different names for the same object from different perspectives, and there is no substantial difference. The biggest difference between the two is that they are slightly different in their emphasis on reference: personal information focuses on the semantic level, and personal data focuses on the syntactic level. In essence, in the Internet information age, personal information and personal data are closely integrated and are two sides of the same coin. Although from the perspective of information science, the processing of personal data by computers focuses on the processing and operation of "data" in the sense of bit form, the reason why personal data has economic and social value is that it can identify specific natural persons, that is, analyze personal information. Therefore, whether it is the processing of personal information or the processing of personal data, it must be an activity carried out at the symbol level (data) and the content level (information) at the same time. Metaphysically separating personal data from personal information is not only inconsistent with practice, but also violates the basic requirements of the object of civil rights.
Specifically, when people use the concept of "personal data", it is impossible to stay at the character level like the concept of "data". Whether it is personal information or personal data, they can only be concepts used at the semantic level (semantischen Ebene). As long as it is information or data related to an identified or identifiable natural person, it must be personal information or personal data, and can be included in the scope of adjustment of the Personal Information Protection Law (or Personal Data Protection Law). The processing of personal data is the processing of personal information, and the two are the same thing. For this reason, although some countries have enacted the "Personal Data Protection Law" and some countries have promulgated the "Personal Information Protection Law", the scope of adjustment, basic principles and processing rules of these laws are generally the same. my country's laws have clearly stipulated the personal information rights and interests of natural persons. Therefore, no matter how it is expressed, the rights enjoyed by individuals for personal data are essentially personal information rights and interests. An important role of the legal system is to reduce the complexity of the world and thus simplify everyone's cognitive tasks. By making the reactions of others more predictable, the whole world is more orderly, which makes it easier for individuals to cope with this complex and ever-changing world and avoid "cognitive overload". Obviously, when it is impossible to distinguish between personal information and personal data and design different rights based on this, it is bound to artificially complicate the problem, greatly increase the cognitive difficulty of all parties involved in data production, circulation, and use, and increase the coordination cost.
2.3.2Our civil law does not regard personal data and personal information as objects of different rights
An important reason why scholars advocate the distinction between personal data and personal information is that our civil law has already stipulated personal information and personal data as different objects of civil rights. Specifically, Article 111 of the Civil Code stipulates personal information, which is between Article 110, which stipulates specific personality rights, and Article 112, which stipulates identity rights, while Article 127 of the Civil Code stipulates data together with virtual property. The position of "personal information" and "data" in this article in the Civil Code fully demonstrates that personal information is the object of personality rights, and data is the object of property rights. The author believes that it is not possible to conclude that our civil law has stipulated personal information and personal data as different objects of rights simply from the order in which the two concepts of "personal information" and "data" appear in Chapter 5 of the General Provisions of the Civil Code.
First, Article 111 of the Civil Code comes from Article 111 of the General Provisions of the Civil Law. The reason why the legislature made provisions for the protection of personal information in Article 111 of the General Provisions of the Civil Law is that "the right to personal information is an important right enjoyed by citizens in the modern information society. It is of practical significance to clarify the protection of personal information in order to protect the personal dignity of citizens, protect citizens from illegal intrusion, and maintain normal social order". When the highest legislature compiled the Civil Code, in addition to continuing to retain Article 111, it also used multiple articles (Articles 1034-1039) in Chapter 6 of the Personal Rights Code "Privacy Rights and Personal Information Protection" to make provisions for the protection of personal information. This truly clarifies that there are civil rights and interests in personal information and that its nature is personal rights and interests. It can be seen that personal information as the object of personal rights and interests is not determined by the position of Article 111 of the Civil Code, but is based on the provisions on personal information protection in the Personal Rights Code of the Civil Code.
Secondly, it is also hasty to conclude that the current law has distinguished personal information from personal data and regarded them as different objects of rights because Article 127 of the Civil Code stipulates data and network virtual property together. From the interpretation written by the comrades of the legislature, it can be seen that the legislative purpose of Article 127 of the Civil Code is to "establish the principle of protecting data and network virtual property according to law", so as to "provide a solid foundation for future legislation". In other words, the legislature has noticed the complexity and variability of data ownership and legal protection issues, and left this issue to other laws. Indeed, there are many types of data (such as personal data, corporate data and public data, raw data, data resources and data products, etc.), and the scenarios of data generation and application are also very rich, which makes the types of rights on data different. For example, the data legally collected and generated by enterprises alone may involve multiple rights of different subjects, such as copyright on databases as compilation works, trade secret rights on data constituting trade secrets, property rights of enterprises for public data, and personal information rights of natural persons for personal data. As a basic civil law, the Civil Code obviously cannot make specific provisions on various rights on data, and can only be left to future legislation.
Another reason used to support the "distinction between personal information and personal data" is that if such a distinction is not made, it will lead to the processor controlling personal data is controlling personal information, and trading personal data is trading personal information. This worry is obviously unnecessary. Chinese law has never prohibited legal personal information transactions. Article 111 of the Civil Code and Article 10 of the Personal Information Protection Law only prohibit "illegal sale, provision or disclosure of other people's personal information." Not only that, Article 23 of the Personal Information Protection Law also makes clear provisions on the provision of personal information. With the consent of the individual and in compliance with the provisions of laws and administrative regulations, the personal information processor can completely use personal information as the object of transaction. In other words, whether it is called personal data or personal information, as long as the processor processes it, it must follow the informed consent rules or have other legal basis. As long as there is a legal basis, the processor of personal data can obtain legal control over personal data relative to other processors. Of course, this control right cannot be opposed to the individual as the subject of the information, because the individual has the right to withdraw consent at any time or terminate the license contract with legitimate reasons, making the personal data processor have no right to process personal data. Therefore, the question of whether companies control personal data is to control personal information does not exist at all.
2.3.3It is impossible and unnecessary to create a separate ownership of personal data
Personal information rights and interests protect both the spiritual and economic interests of natural persons in personal information. In this case, even if we do not consider whether personal information and personal data can be objectively distinguished as two independent rights objects, there is no need to establish a separate property right on personal data, especially the so-called ownership of personal data. The characteristics of data determine that ownership cannot be generated on it like tangible objects. As a civil right, the ownership is limited to tangible objects such as movables and immovables because the characteristics of tangible objects such as "tangibility", "competitiveness" and "depletability" can play a "demarcation function" (Abgrenzungsfunktion) to clarify the boundaries of rights. Therefore, there is no need to list the contents of ownership one by one in civil law. It is only necessary to descriptively stipulate that "the owner has the right to possess, use, benefit from and dispose of his or her real estate or movables in accordance with the law". The key point is that ownership enables the right holder to exclude infringement and obstruction of his or her ownership by any other person unless these people obtain the consent of the owner or have a legal basis. The owner has particularly full legal power (eine besondere Fuelle von Befugnisse) over movable and immovable property. Any use of a specific tangible object that does not violate the mandatory provisions of the law and public order and good morals should belong to the owner. In other words, the owner can exercise exclusive and monopolistic control over the tangible object and exclude any interference from a third party. The restrictions on ownership only come from the needs of people's common life, the owner's willingness and the provisions of the law.
Data is neither movable nor immovable property. It has special attributes such as "intangibility", "non-competitiveness" and "non-wearability". This makes it impossible for data to directly generate a clear demarcation function of the scope of rights and the boundaries of the obligor's behavior like tangible objects. If the legislator wants to give the right holder the right to data, he can only adopt an exclusion strategy or a governance strategy based on the distribution of legal interests. The former refers to defining the boundaries of data rights and stipulating what actions other than the right holder may not take on the data. As for how the right holder uses the data, it is up to the right holder to decide. The latter refers to the law determining what powers the right holder enjoys one by one (Befugnissen), that is, stipulating what actions the right holder can take on the data.
Ignoring the attributes of data, treating it as a tangible object, and believing that ownership can be established on personal data or even data will inevitably damage information freedom and hinder scientific and technological progress. For this reason, except for the concept of data ownership proposed by some people at the beginning of the rise of the data ownership issue, basically no one outside the region agrees with the view of data ownership. my country's "Twenty Data Articles" also jumped out of the traditional ownership idea with tangible objects as the object, emphasizing "innovating the concept of data property rights, downplaying ownership, emphasizing the right to use, and focusing on the circulation of data use rights". When clarifying the data property rights of enterprises, the document adopts the method of clarifying the various powers of the right holder, and establishing a separate property rights operation mechanism for data resource holding rights, data processing and use rights, and data product operation rights. It is particularly important to note that the "Twenty Data Articles" also proposed the concept of "data source rights and interests". The data source includes individuals. When the data source is an individual, the personal data source enjoys the rights and interests of personal data. Article 7, sentence 1 of the "Twenty Data" stipulates: "Fully protect the legitimate rights and interests of data sources, promote the data circulation and use model based on informed consent or legal reasons, and ensure that data sources enjoy the rights and interests of obtaining or copying and transferring the data generated by them." As far as personal data is concerned, the "data circulation and use based on informed consent or legal reasons" in this sentence obviously means to ensure that the processor handles personal data in accordance with Articles 1035 and 1036 of the Civil Code and Article 13 of the Personal Information Protection Law on the processing of personal information, and shall not infringe on the individual's right to know and right to decide; the "guarantee that the data source enjoys the rights and interests of obtaining or copying and transferring the data generated by them" in this sentence refers to the right to review, copy, correct and portability as stipulated in Article 1037, paragraph 1 of the Civil Code and Articles 45 and 46 of the Personal Information Protection Law.
3Ownership of economic benefits from personal data
The economic benefits of natural persons from their personal data means that they have the right to commercialize their personal data (Merchandising), such as permitting others to use their personal data and obtaining corresponding fees. Economic benefits from personal data can of course be legally obtained by others, such as companies processing legally processed personal data into data products and selling them to others for profit. Strangely, it seems natural for companies to obtain economic benefits from personal data, and no one objects; while for natural persons to enjoy economic benefits from their personal data, there are opposing views that such economic benefits should be allocated to the data processors. The main reasons for opposing the view are: first, the economic value of personal information has a dilution effect. If the overall economic value of big data is dispersed at the individual level, the economic value of each person's personal information will be severely diluted and almost negligible; second, allocating property interests to individuals will bring a series of problems, such as leading to personality inequality between individuals, triggering a social competition for petty profits, which will have an adverse impact on the already formed personal information processing industry model, triggering the "anti-commons tragedy", and even some people abuse such interests to hinder the development of technology and information industries and damage the overall welfare of society; third, when individuals agree to data processing, they have already transferred the use value of personal data, and the producers of data have obtained the value of the data content and obtained full control over the data; finally, individuals are only the source of data, not the producer, and cannot originally obtain or share data rights with data producers. The author believes that none of the above reasons are valid, and natural persons should also be able to enjoy the economic benefits of personal data.
3.1Economic interests in personal data should belong to natural persons
3.1.1Legal interest distribution function of personal information rights
The core content of personal information rights in Chinese law is that individuals have the right to know and decide on the processing of personal information, and have the right to restrict or refuse others from processing their personal information, unless otherwise provided by laws or administrative regulations (Article 44 of the Personal Information Protection Law). The right to know and decide on the processing of personal information is not a request right, but the core power of personal information rights. The rights of individuals to review, copy, carry, supplement, correct, delete, explain and explain stipulated in Chapter 4 of the Personal Information Protection Law are effective on people rather than on the world. They are all request rights enjoyed by individuals against personal information processors, and are functional powers configured by the legislator to realize the right to know and the right to decide in personal information rights. This makes personal information rights have the functions of defending against infringement and allocating legal interests at the same time. In other words, from a negative perspective, personal information rights protect the personal property rights and even personal dignity and personal freedom carried by personal information, and protect them from infringement by illegal personal information processing activities. The function of defending against infringement of personal information rights and interests is mainly realized through the legal basis for the processing of personal information, that is, individuals have the right to prohibit any personal information processor from processing their personal information without informing and obtaining their consent or without obtaining other legal basis. From a positive perspective, personal information rights and interests also protect the autonomous interests of individuals in the processing of personal information, that is, the space for individuals to decide on the processing of their personal information based on free will. Individuals have the right to agree that others process their personal information in a specific way for a specific purpose, and can also withdraw their consent or restrict the purpose and method of processing. This legal interest distribution function of personal information rights and interests means that individuals can make various uses of their personal information that do not violate the mandatory provisions of laws and administrative regulations and public order and good customs, which of course also includes commercial use by themselves or by allowing others. Therefore, natural persons can obtain economic benefits from personal data based on their personal information rights and interests. Prohibiting natural persons from commercial use of their personal data is essentially an illegal restriction of natural persons' personal information rights and interests.
The right of individuals to know and decide on the processing of their personal data is crucial to maintaining the personal dignity and personal freedom of natural persons. Personal data refers to various data related to identified or identifiable natural persons, among which the economic interests and spiritual interests of data related to personal identity are easily and frequently integrated. For example, a beautiful woman with a very sweet voice agrees that a commercial company will use her voice data and facial information for commercial purposes (such as for in-vehicle navigation systems), which not only improves her social status and popularity (self-perceived personality identity is also improved), but also realizes her economic interests. Since the spiritual interests and economic interests of personal data are closely related and influence each other, depriving natural persons of control over their economic interests in personal data is likely to make it difficult for natural persons to protect their spiritual interests.
3.1.2The economic value of personal data should not be judged based on the value
It is inappropriate to allocate all the economic interests of personal data to the data processor simply because the economic value of personal data is low or thin. In many cases, the personal information of a single natural person is indeed of little value, but the possibility of a natural person making various commercial uses of his or her personal information cannot be denied simply because of its low value. In reality, except for a very small number of singers, movie stars, and sports stars, the names and portraits of most ordinary people are basically unlikely to be used by others and gain economic benefits. However, Article 993 of the Civil Code still clearly stipulates that natural persons can allow others to use their names, portraits, etc. If we follow the aforementioned view that opposes natural persons from enjoying economic benefits from personal data, the Civil Code should also allocate the right to commercially exploit the names and portraits of most ordinary people to those market entities such as enterprises that can make the most efficient use of them. But this is obviously inappropriate. As long as people have the possibility of commercializing their personal information, they cannot be deprived of the opportunity to commercialize their personal information because the economic value of the personal information of most individuals is low.
In fact, with the development of the economy and society, especially science and technology, the personal data of individual natural persons is becoming more and more valuable. Whether it is the spiritual interests or economic interests of natural persons for personal data, they are not isolated and fixed, but are always generated and evolved in the economic and legal relationship between individuals and others with their personal data as the center. The commercial use of personal data by natural persons and the mining of the economic value of big data collected by enterprises based on personal data are not zero-sum games. With the development of big data and artificial intelligence technology, not only are enterprises increasingly using data commercially, but also the ways in which natural persons can use their personal data commercially are changing and developing, and the forms of transactions are becoming increasingly diverse. Among them, there are explicit transactions reached through one-to-one negotiations, and there are also implicit transactions that are actually formed by collecting and using personal data one-to-many. For example, in voice artificial intelligence training and digital human product production, data processors sign personal data licensing contracts with individuals to obtain a large amount of natural persons' voice information and other personal data, but they need to pay the individuals corresponding money as consideration. This is an explicit way for individuals to realize economic benefits from personal data, which is representative. In this kind of transaction, the processor and the individual have a relatively sufficient opportunity to negotiate on the commercial use of personal data and the consideration. In addition to this explicit personal data transaction, there are also a large number of implicit personal data commercial use occasions in practice, such as the processing of personal data generated incidentally by Internet companies in the process of providing network services to individual users. The generation and transaction of such personal data is largely implicit. In these cases, although the parties do not have many opportunities to conduct special consultations on the commercial use of personal data, individuals have obtained the consideration of free network services by providing personal data, and have actually realized the economic benefits of their personal data. As for the view that recognizing the economic benefits of individuals in personal data may trigger a social competition for petty profits and abuse of rights to hinder technological development, there is also a lack of empirical evidence. my country's "Civil Code" and "Personal Information Protection Law" and other laws have the legislative goal of scientifically coordinating the protection of personal information rights and interests with the reasonable use of personal information, and have established a complete system for the reasonable use of personal information, which is sufficient to prevent the abuse of personal information rights and interests to harm national interests and social public interests.
3.2The economic benefits of personal data enjoyed by natural persons do not conflict with the data property rights of enterprises
The view that enterprises, as data producers, should obtain all the economic value of personal data on the grounds that data processors such as enterprises have invested capital in the generation of data and have the right to make independent decisions on data production is worth discussing. On the one hand, although the legitimacy of the enterprise's data property rights can be demonstrated by "the enterprise invests capital and human and material resources and bears economic responsibility for the production of data", the enterprise's data property rights should obviously not be based on depriving natural persons of the economic benefits of personal data; on the other hand, the consent or permission of an individual will not lead to the legal effect of the transfer of rights like the sale of tangible objects by an individual. As a personal right, the personal information rights and interests cannot be waived, transferred or inherited (Article 992 of the Civil Code). An individual can withdraw his consent or terminate the personal data license use contract. The personal information rights and interests always have a restrictive effect on the enterprise's data property rights. If it is believed that personal data cannot be commercialized after the individual agrees or permits, it obviously constitutes an improper restriction on the personal information rights and interests.
The view of data producer rights that some Chinese scholars are fond of talking about comes from the European Union. However, the EU's data producer rights only apply to non-personal data, not personal data. Professor Zech of Germany proposed the view of "data producer rights" (Rechts des Datenerzeugers) in a paper published in 2015. He believes that the exclusive or exclusive rights to data should be allocated to the producers of data, which is conducive to stimulating data collection, increasing the amount of data that can be analyzed, and indirectly strengthening innovation activities; it is conducive to promoting data disclosure, so that data collectors can provide potentially useful data that they cannot analyze to other market participants for analysis, generating macroeconomic added value; it helps to solve the information paradox, that is, to establish a data trading market through legal exclusivity; in addition, by allocating the benefits of data in big data applications and making it a clear starting point for contractual agreements, it can also be used as a principled judgment standard for allocating data use when there is no agreement or the agreement is unclear. However, once personal data is involved, it enters the field of personal data protection law. Professor Cai Xi believes that whether the personal relevance of personal data can or should lead to the allocation of property rights to personal information remains to be studied. The report "Building a European Digital Economy" released by the European Commission in January 2017 proposed the introduction of a new right - "Data producer's right", that is, the owner or long-term user of the device as the producer of non-personal data has the right to use or authorize others to use such non-personal data. But when it comes to personal data, the report clearly states that "individuals retain the right to withdraw their consent at any time after authorizing its use. Before the other party authorizes further use of personal data, personal data needs to be provided anonymously so that individuals cannot be identified or can no longer be identified." Obviously, the European Commission's data producer rights do not exclude natural persons' economic interests in personal data. Given that there is too much controversy over whether ownership can be generated on data, in order to achieve fairness in the data economy and promote the circulation and use of data, the EU legislature has reconstructed the rights of data sources by drawing on the access rights and portability rights stipulated in the General Data Protection Regulation. Articles 4 and 5 of the EU Data Act, which came into force on January 11, 2024, grant users, i.e. natural or legal persons who own connected products or who temporarily transfer the right to use connected products or receive related services under a contract, the right to access, obtain and use data generated by connected products or related services, including: (1) the right to access data, i.e. when users cannot access data directly from connected products or related services, the data holder shall promptly provide the data and the relevant metadata necessary for the interpretation and use of the data to the users in a structured, common and machine-readable format of equal quality, convenience, security, free of charge, and continuously and in real time where relevant and technically feasible; (2) the right of users to share data with third parties, i.e. upon request by the user or a party on behalf of the user, the data holder shall promptly provide the available data and the relevant metadata necessary for the interpretation and use of the data to third parties in a comprehensive, structured, common and machine-readable format, of the same quality as that available to the data holder, and shall provide the data to the users conveniently, securely and free of charge, and shall provide the data continuously and in real time where relevant and technically feasible. Article 1, paragraph 5 of the EU Data Law clearly stipulates that the law does not affect the EU laws and laws of each member state on personal data protection, privacy and confidentiality of communications, and when the law conflicts with EU laws or member state legislation on personal data protection or privacy, the laws on personal data protection or privacy shall prevail.
my country's "Twenty Articles on Data" clearly states that "the legitimate rights and interests of data sources should be fully protected, data circulation and use models based on informed consent or legal reasons should be promoted, and data sources should be guaranteed to enjoy the rights and interests of obtaining or copying and transferring data generated by them". Simply put, the data source is the subject who provides data to the data processor or the data processor collects data from it. The data processor collects data from the data source and uses and processes it. The data source is a concept corresponding to the data processor. The subject of the data source includes both individuals and legal persons or unincorporated organizations. The rights of the data source include both the personal information rights and interests enjoyed by natural persons for their personal data and the rights and interests enjoyed by other data sources for non-personal data. For personal data, the provisions of laws such as the Civil Code and the Personal Information Protection Law should be applied to respect and protect the rights and interests of personal information. For non-personal data, the "Twenty Articles on Data" propose to grant the source of non-personal data the right to informed consent, access, copy and transfer the data they have contributed to, but my country's current laws do not provide for these rights. In short, whether it is to recognize the rights of data producers or data sources, or to stipulate the data property rights of data processors, it is necessary to reasonably coordinate their relationship with the personal information rights and interests of natural persons.
4Protection and realization of economic interests in personal information rights
Since natural persons can enjoy economic interests in personal data, how should the law protect and realize them? my country's current laws do not stipulate the ownership or other property rights of natural persons to personal data, and in theory there is no need to establish such rights to protect the economic interests of natural persons in personal data. The personal information rights established by the Civil Code and the Personal Information Protection Law are fully capable of protecting and realizing the economic interests of natural persons in personal data.
4.1Labor empowerment theory cannot prove personal data ownership
When discussing data property rights, the labor empowerment theory is often used to argue that data processors who work and invest capital in data processing should enjoy legally protected property rights to the data. However, recently there are also views that use it to prove the ownership of personal data by natural persons. This view holds that individuals are the source of personal data, and personal data is the product of individuals engaging in "digital labor". Based on the labor empowerment theory, natural persons should be given ownership of their personal data. At the same time, since data processors have also contributed to the formation of personal data to a certain extent, data processors such as enterprises enjoy data usufruct rights derived from personal data ownership. The author believes that the labor empowerment theory cannot prove the ownership of personal data by natural persons. Regardless of whether personal data can be considered to be entirely generated by personal labor, even if it can be considered so, the labor empowerment theory can only prove that individuals should have the right to legal protection for personal data generated by their labor, but it cannot prove that the nature of this right is the ownership of personal data. In fact, it is also questionable whether personal data can be considered as the product of personal labor.
Admittedly, personal data is data related to a specific natural person who has been identified or can be identified, but being related to an individual does not necessarily mean that it is the product of personal labor. Take the personal data listed in Article 1034, Paragraph 2 of the Civil Code as an example, "name, date of birth, ID number, biometric information, address, telephone number, email address, health information, whereabouts information, etc.", except for whereabouts information, which is related to personal behavior and activities, other personal data has nothing to do with activities, either innate (such as date of birth, biometric information) or acquired (such as name, ID number, address, telephone number, email address, health information). Even if the whereabouts information is personal data generated as a byproduct of an individual's daily activities, it has little to do with labor in the sense of creating value. As for those personal data that cannot be listed one by one in the law, such as personal hobbies, habits, interests, occupations, etc., they are all behavioral data generated by the daily behavior (alltägliches Verhalten) of natural persons in digital space, and personal daily behavior is not labor in the sense of "taking anything out of its natural state" as Locke said. In the modern digital society, a lot of personal information is generated and processed entirely because of the development and application of modern network information technology, such as communication records, personal biogenetic information, network transaction information, Internet browsing traces, network social media messages, whereabouts, Internet of Things information, etc. "Digitization means that we have to draw information from everything under the sun, even including many things that we used to think had nothing to do with "information". For example, a person's location, the vibration of the engine, the load-bearing capacity of the bridge, etc., we have to convert these contents into data through quantitative methods." Without the application of modern network technology, these personal information cannot be generated, let alone digitized into personal data and used. Many personal data are just data that individuals unconsciously generate when participating in modern digital life and receiving digital services, such as browsing records and consumption records. Even if personal data such as posts and comments on social networks are considered to be consciously created by individuals, this "consciousness" is only the autonomous consciousness of individuals engaging in social activities, rather than the consciousness of engaging in personal data production, that is, the so-called digital labor.
Not only that, many personal data in modern society are not generated by individuals alone, but are often jointly generated by individuals and data processors such as Internet companies. If the rights are to be confirmed based on the labor empowerment theory, then in the initial rights configuration stage, individuals and personal data processors should share property rights to personal data, after all, individuals and processors jointly "produce" data. As for why the ownership of personal data is given to individuals and the so-called usufruct is given to data processors, some scholars argue that this is because although individuals as sources and enterprises as processors have contributed, the degree of contribution is different, so ownership and usufruct should be granted separately according to the degree of contribution. However, if ownership and usufruct are the result of direct legal configuration, on what grounds should such rights configuration be based? The degree of contribution of individuals and data processors to the formation of personal data is itself impossible to measure. Even if it is possible, according to the theory of property law, different shares of co-owners should be determined according to the degree of contribution. It is absolutely impossible to allocate ownership to individuals and allocate a completely different nature of usufruct to data processors. If ownership is initially allocated to individuals by the legislator, and usufruct comes from personal data ownership, then what legal relationship is based on which the establishment of usufruct occurs between individuals and enterprises? These questions cannot be answered by the viewpoint of personal data ownership based on the labor empowerment theory.
4.2Personal information rights and interests are sufficient to protect the economic interests of natural persons
The idea of "protecting the spiritual interests of natural persons with personal information rights and interests and protecting the economic interests of natural persons with personal data ownership" comes from the "dual model" of personality rights protection represented by the United States. In American law, the right to privacy and the right to publicity are used to protect the spiritual interests and economic interests of personality elements such as name, portrait, and reputation respectively. Among them, the right to privacy is a spiritual right, which protects the spiritual interests of natural persons, namely, personal solitude and the tranquility of private life. This right cannot be transferred or inherited and mainly has a negative defense function; the right to publicity belongs to property rights, which is the right to control the commercial use of a person's name or portrait, and protects the economic interests of personality elements such as portrait, name, and voice. This right can be transferred and inherited. American scholars believe that the fundamental reason why personal data is protected is that it is a kind of property, that is, "individuals have ownership of their personal information and, like the owner of the property, have the right to control any use of their personal information." Influenced by the "dual model" of American law, some scholars have always advocated that in addition to the personal rights and interests such as the right to reputation, the right to name, the right to portrait, and the rights and interests of personal information stipulated in the current laws of my country, the right to goodwill, the right to trade name, the right to image, and the property right of personal information should be created to protect the economic interests of natural persons and other civil subjects in terms of reputation, name, portrait, and personal information.
However, the law of our country has always adopted the "monolithic model" of personality rights protection, that is, to achieve the integrated protection of spiritual interests and economic interests in personality elements such as name, title, and portrait through personality rights. Civil subjects can not only defend against the infringement of the spiritual interests of their personality elements and request corresponding damages based on personality rights, but also commercialize personality elements based on personality rights to achieve corresponding economic interests and obtain relief when others damage such interests. Germany is a typical representative of the "monolithic model". German scholars believe that the spiritual attributes and property attributes of personality rights are not contradictory. Personality rights not only protect the spiritual interests of natural persons, but also protect their economic interests, especially considering that those celebrities conduct marketing activities through advertising, which makes their portraits and names have higher economic value. This is even more true. German courts have continuously expanded the objects of protection of personality rights through precedents, from only protecting spiritual interests to gradually affirming the economic value of personality elements such as name, portrait, and voice, and finally achieved the integrated protection of spiritual interests and economic interests in personality elements through the general personality rights system. However, the "monolithic model" of personality rights protection adopted by our country's law is different from Germany's monolithic protection through general personality rights. From the General Principles of Civil Law to the Civil Code, my country has integrated the protection of the spiritual and economic interests of natural persons in terms of their name, portrait and other personality elements through specific personality rights (such as the right to name and the right to portrait, etc.) clearly stipulated by law. Specifically, when a person infringes upon the personality rights and causes serious mental damage to a natural person, the injured person may request compensation for mental damages in accordance with Article 1183, Paragraph 1 of the Civil Code; at the same time, as long as it is not prohibited by law or not permitted according to its nature, a civil subject may permit others to use his or her name, title, portrait, voice, etc. (Articles 993, 1012, 1013, 1018, and 1023 of the Civil Code). If a person infringes upon the personality rights and interests and causes property losses to others, he or she shall compensate the injured person for the losses suffered or the profits obtained by the infringer. If the losses of the injured person and the profits of the infringer are difficult to determine, the court may determine the amount of compensation based on the actual situation (Article 1182 of the Civil Code). Personal information rights and interests are a new type of personal rights and interests, and of course they are subject to the above-mentioned provisions of the Civil Code. The spiritual and economic interests of natural persons in personal information (personal data) are also protected by the integrated protection of personal information rights and interests - Article 69, paragraph 2 of the Personal Information Protection Law also clearly states this point. In short, under the unified protection model, personal information rights and interests are sufficient to protect the economic interests of natural persons in personal data, and there is no need to establish personal data ownership or other property rights of natural persons.
4.3Consent and permission are two ways to realize the economic benefits of personal data
The meaning of "consent" (Einwilligung) in civil law is very broad, covering almost all ways of exercising rights. According to the legal status of the consent, the consentee can be divided into three levels from strong to weak: first, the consent with the strongest legal effect can lead to "transfer of rights" (translative Rechtsübertragung), that is, the consentee obtains rights due to personal consent; second, the consent with weaker effect will produce the effect of "constructive transfer of rights" (konsitutive Rechtsübertragung), that is, the consent creates rights for others on the object, such as granting exclusive licenses or establishing debt licensing contracts; third, the weakest legal effect is the unilateral consent made by an individual that can be withdrawn at will (such as a temporary parking permit). Since personal information rights and interests cannot be transferred, waived or inherited, the Civil Code and the Personal Information Protection Law stipulate the second and third levels of consent. According to Article 1035, Paragraph 1, Item 1 of the Civil Code and Article 13 of the Personal Information Protection Law, personal information processors must inform and obtain the consent of individuals before processing personal information, otherwise they shall not process personal information, unless the processor has circumstances that do not require the consent of individuals as stipulated by laws and administrative regulations. For the processing of personal information based on consent, individuals can withdraw their consent without reason and without restriction (Article 15 of the Personal Information Protection Law). This kind of consent is the weakest consent. At the same time, Article 993 of the Civil Code stipulates that civil subjects can authorize others to use their names, titles, portraits, etc., unless they are not permitted according to legal provisions or due to their nature. Accordingly, individuals can authorize others to use their personal information, and this kind of permission essentially also falls within the scope of consent, but has stronger legal effect, that is, it generates a debt contract, so that the licensed user obtains the right to use personal data. The "personal consent" and "personal permission" in the above legal provisions are both ways for natural persons to realize economic benefits from personal data based on personal information rights and interests, but the two are different in legal nature, effect and applicable scenarios.
4.3.1Individual consent and permission produce different legal effects
Individual consent is a voluntary and clear expression made by an individual, which is one of the legal bases for the processing of personal data. After obtaining the individual's consent, the processor of personal data can process personal data within the scope of the corresponding processing purpose and processing method. However, personal consent only has the effect of excluding the illegality of processing behavior within the scope of the processor informing the individual of matters that should be informed according to laws and administrative regulations. Because the law grants individuals the right to know and decide on the processing of their personal data, it means that infringement of personal information rights by any other person is excluded. No one may process personal data unless the individual's consent is obtained or there is another legal basis. Although personal consent excludes the illegality of personal data processing, it does not establish a continuously binding creditor-debtor relationship between the individual and the processor. Because in the modern network information age, the status between processors and individuals is not equal. If it is believed that individual consent can generate a creditor-debtor relationship with continuous binding force and complex rights and obligations, it means that processors can arbitrarily construct private law rights and obligations between them and individuals through unilateral notification, which will put individuals in an extremely disadvantageous position and fail to fully protect their personal information rights and interests. For this reason, Article 15, Paragraph 1 of the Personal Information Protection Law clearly stipulates that if personal information is processed based on individual consent, the individual has the right to withdraw his or her consent. This withdrawal can be made at any time without any reason, and the processor cannot impose any restrictions on the individual's right to withdraw consent. Therefore, if a personal data processor processes personal data based on individual consent, once the individual withdraws consent, it must stop processing personal data and delete it or anonymize the personal data into non-personal data.
If an individual allows a processor to process his or her personal data through permission, the situation is different. Personal permission means that an individual, as the subject of personal information rights and interests, grants certain property rights to the data processor, permitting the data processor to collect, store, process, and use personal data in a certain way, within a certain time and geographical scope. In the case of personal permission, the individual and the processor have established a clear creditor-debtor relationship (personal data permission use contract) through negotiation. Therefore, the individual no longer enjoys the right of arbitrary withdrawal stipulated in Article 15, Paragraph 1 of the Personal Information Protection Law. If an individual wants to terminate the contract, he or she should apply the provisions of Articles 1022 and 1023 of the Civil Code, that is, he or she should notify the other party in a reasonable period of time, and if the permission use period has been clearly agreed upon, the individual should also have a legitimate reason. If the other party suffers losses due to the termination of the contract, the loss should also be compensated, unless it is due to reasons that cannot be attributed to the subject of personal information rights.
4.3.2Personal consent and personal permission are applicable to different scenarios
Although personal consent and personal permission have different forms of expression and legal effects, they are both ways for natural persons to realize their economic interests in personal data. In terms of personal consent, individuals can independently decide to grant their personal data to others for processing, which can not only obtain free digital services as a consideration, but also choose the purpose and method of personal data processing according to their own needs, thereby saving costs and improving efficiency accordingly. This is also one of the ways for natural persons to realize their economic interests in personal data. For example, when traveling, people can choose facial recognition to enter the station more quickly, or choose to wait in line for manual verification of personal information before entering the station. For another example, passengers can book tickets through various ticket service websites, call airlines to buy tickets, or go to the ticket window with their ID cards to buy tickets. It is a very natural and common phenomenon in the modern information society that different individuals frequently give consent based on specific considerations, so that people are accustomed to it and ignore its role in maintaining the free development of natural person personality and meeting personalized economic needs. Laws such as the "Civil Code" and the "Personal Information Protection Law" impose an absolute obligation on unspecified personal information processors not to process personal information without informing and obtaining personal consent, creating an autonomous space for individuals without interference, in which individuals enjoy the freedom to use personal information in various ways (without interference from others). Some people use personal information to achieve free development of personality, while some people use personal information to obtain economic benefits, which are all due to the rights and interests of personal information.
Compared with personal consent, personal permission means that individuals and personal data processors have the opportunity to negotiate one-on-one and then enter into a personal data license use contract. For example, when Internet companies conduct voice artificial intelligence training, they obtain individual voice data one by one; when Internet companies develop digital products such as "digital people" or "virtual idols", they need to obtain a large amount of personal data of specific, small numbers of natural persons (these people are called "people in the middle"), such as their every move, voice, expression, etc. In the medical industry, even personal data such as the entire medical and health information of a single patient is very valuable to research institutions and pharmaceutical companies. Since this information is sensitive personal information, it is more scientific and reasonable to sign a personal data license contract in a one-to-one manner. With the development of society, the application scenarios for individuals and personal data processors to grant authorization one-to-one will continue to increase, and in the future, a new type of profession that specializes in producing personal data for sale and profit may even emerge.
Considering the inequality in ability and status between individuals and data processors, corresponding mechanisms should be established to ensure that individuals can truly realize the license of their personal data. For example, individuals hand over their data to agency companies for management, and these companies act on behalf of individuals to negotiate and conclude personal data license contracts with data processors. At present, some Internet companies focusing on personal data management have emerged internationally, such as Datacoup, Digi.me and Meeco. These companies no longer rely too much on consumer data provided by data intermediaries and traditional companies, but directly establish connections with consumers, and build corresponding platforms to allow users to choose to share and provide personal data to companies, thereby helping consumers realize their economic interests in personal data. The "Twenty Data" also proposed to "explore a mechanism for trustees to represent personal interests and supervise market entities to collect, process and use personal information data." The so-called trustees refer to the above-mentioned professional institutions, which are entrusted by many scattered individuals to manage their personal data, sign personal data license contracts on behalf of individuals with data processors, and help individuals realize their economic interests in personal data, and effectively supervise processors to handle personal data legally and in compliance with regulations.
It should be noted that in practice, many personal data processors (especially Internet companies) want to obtain personal consent and personal permission at the same time by allowing users to click to agree to their "privacy policy". Considering the differences in the legal nature and effects of the two, the author believes that this should not be allowed. The processor must distinguish between the two in an obvious way so that the individual fully understands whether he or she has only given personal consent within the matters that should be informed according to laws and administrative regulations, or has established a personal data license use contract with the processor through personal permission. In addition, when the processor concludes a personal data license contract with an individual in a standard clause, it is necessary to apply the regulations on standard clauses in laws and judicial interpretations such as the Civil Code to make adjustments. Finally, if there is a dispute as to whether the individual has given consent or permission, it should be deemed that the consent has been given.
4.4Coordination of the relationship between personal information rights and interests and corporate data property rights
When natural persons realize their economic interests in personal data through exercising their personal information rights and interests, an unavoidable issue is how to coordinate the relationship between personal information rights and interests and corporate data property rights. Confirming the property rights of enterprises to data is the key to building a data property rights system. Article 5 of the "Twenty Articles on Data" clearly states that for data collected and processed by various market entities in production and business activities that do not involve personal information and public interests, market entities have the right to hold, use, and obtain benefits in accordance with laws and regulations. In fact, enterprises also enjoy corresponding property rights for the personal data they legally process. The legitimacy of such property rights lies not only in the fact that enterprises have invested manpower, material resources and capital in processing personal data, but also in the fact that their processing of personal data is legal, that is, they have obtained the consent of the individual, have a contractual relationship with the individual for use, or have the conditions stipulated by laws and administrative regulations. Therefore, only by recognizing that natural persons have personal information rights and interests in personal data and can realize economic benefits from personal data by exercising such rights and interests, can we recognize that enterprises also have property rights for the personal data they process based on the two just standards of labor empowerment and consent of the right holder in private law, and finally confirm that enterprises have property rights with control and exclusive effect over all data processed by their capital, manpower and material resources. This right means: on the one hand, enterprises have the right to use data in various ways by themselves or allow others to do so in a way that does not violate the law and public order and good morals; on the other hand, enterprises have the right to prohibit others from infringing their data property rights without their consent or without legal reasons, including prohibiting others from accessing, copying, using data and prohibiting others from destroying the integrity of data.
Since personal information rights and interests belong to personal rights and interests, their effectiveness is higher than the data property rights of enterprises. Therefore, when enterprises exercise their data property rights, they must not only comply with the content of individual consent and abide by the personal data license use contract signed between them and individuals, but also obey the various statutory restrictions on data property rights imposed by personal information rights and interests. Regarding the behavior of enterprises processing personal data based on individual consent, the statutory restrictions established by my country's "Civil Code", "Personal Information Protection Law" and other laws include: (1) Individuals can withdraw their consent at any time. Once withdrawn, the enterprise must stop processing the personal data without affecting the personal information processing activities that have been carried out based on the individual's consent before the withdrawal; (2) Individuals can request the enterprise to transfer their personal data to the personal information processor designated by the individual when it meets the regulations, and the enterprise must provide a way for the transfer; (3) When the statutory or agreed conditions such as the purpose of personal information processing has been achieved or cannot be achieved are met, the individual can request the enterprise to delete the collected personal data; (4) If the personal data processed by the enterprise is public personal data, the enterprise can only prevent others from engaging in unfair competition with this data and acts that undermine the integrity of the data (such as deleting, modifying or adding data), but cannot prevent others from accessing this public data, using it within a reasonable range, and engaging in parallel development.
5Conclusion
In the process of accelerating the construction of the data property rights system in my country, it is crucial to study and solve the ownership and legal protection of economic interests in personal data. The research in this article shows that personal information and personal data are two sides of the same coin, and they are both objects of personal information rights. Personal information rights not only have the function of defending against infringement, but also can exclude others from illegally processing personal data; they also have the function of distributing legal interests, ensuring that individuals can organize and construct the commercial use of their personal data in the digital economy and realize economic interests accordingly. If it is not necessary, do not add entities. When the personal information rights stipulated in the current law can already protect the economic interests of natural persons in personal data, there is no need to set up "personal data ownership", "personal data property rights" or "source data property rights" for natural persons. Otherwise, it will not only violate the provisions of the current law, but also artificially cause the complexity of the data property rights system. Similarly, for non-personal data processed by processors, if the data source can be given the rights of informed consent, inquiry, copy transfer, correction, etc. through legislation in the future, it will be sufficient to protect its economic interests. Naturally, there is no need to establish the so-called "ownership of non-personal data", "non-personal data property rights" or "source data property rights".
In short, the interests of all parties around data are complex and changing. However, a complex world requires simple rules. The data property rights system constructed by my country should not only conform to the current legal system, but also strive to reduce the complexity of the system and simplify cognitive tasks, so that the system is easier to understand and more predictable for all participants in the process of data production, circulation and use. Only in this way can the data property rights system truly protect and coordinate the legitimate rights and interests of all parties, activate the potential of data elements, and strengthen, optimize and expand the digital economy.