In the era of big data and mobile Internet, in order to analyze the distribution characteristics of users and their diversified and personalized needs, most network operators and network products and service providers will use user profile description in their business activities.
What is a "user portrait"? This concept is not mentioned in the laws and regulations related to data collection and processing with enforcement effect, but the national standard "Personal Information Security Code".
It is defined as "the process of analyzing or predicting the personal characteristics of a specific natural person such as occupation, economy, health, education, personal preference, credit and behavior by collecting, summarizing and analyzing personal information, and forming its personal characteristic model."
"Personal Information Security Code" is a recommended national standard, which is encouraged by the state and has no enforcement effect. The regulatory authorities cannot directly quote this document as the direct basis for law enforcement.
However, when the Network Security Coordination Bureau of the National Internet Information Office interviewed the person in charge of the enterprise involved in the "Alipay Annual Billing Event", the person in charge of the bureau clearly pointed out.
The way Alipay and Sesame Credit collect and use personal information is not in line with the spirit of the newly released national standard "Personal Information Security Code" ... It is necessary to strengthen the comprehensive investigation of Alipay platform in strict accordance with the requirements of the network security law.
Carry out special rectification and take effective measures to prevent similar incidents from happening again. It can be seen that in the hot events related to the personal information security of the whole people.
Administrative departments accustomed to expanding power boundaries will generally not be questioned by public opinion and enterprises involved in accidents when they apply recommended standards as mandatory standards.
To this end, Yang Chunbao's lawyer team believes that in practice, the provisions on user portraits in the Personal Information Security Code have a guiding and reference role for law enforcement departments and enterprises.
The content of "Personal Information Security Code" refers to relevant foreign legislation on personal information protection, including the EU General Data Protection Regulation (GDPR was formally implemented on May 25th, 20th18th).
GDPR is not only applicable to EU enterprises, but also applicable to data controllers or data processors with branches in the EU, as long as personal data processing activities take place in the scenario where branches carry out activities.
Even if the actual data processing activities do not occur in the EU, GDPR;; Should be applied; For data controllers or data processors who have not set up branches in the EU, they only need to provide goods or services to the data subjects in the EU (regardless of whether the consideration is paid).
Or monitoring the behavior of EU data subjects, GDPR should be applied. Therefore, for China enterprises that have branches in the European Union, conduct cross-border business and operate globally, especially network operators and network products under the cyber security law.
As far as service providers are concerned, they should pay attention to the possibility of applying GDPR and GDPR regulations on user portraits.
Lawyer Yang Chunbao intends to compare and analyze the relevant provisions of GDPR and Personal Information Security Code on user portraits, so as to provide useful reference for relevant enterprises to use user portraits in compliance.