Informed Consent in the New Protection of Personal Information

Updated: Jan 21

Written by Ruoyin Qi


In October 2020, China unveiled the Draft of Personal Information Protection Law (PIPL), which would be the first comprehensive set of laws aiming to protect personal data in the country.[1] To examine the impact of the PIPL, academics should first discuss the principle of informed consent, as it has important legal status in the protection of personal data. This article first introduces informed consent. It then elaborates on the dilemmas facing the principle by setting out, in turn, its failure as an authorisation mechanism and as an accountability mechanism.


Introduction of informed consent

The importance of the principle of informed consent is inherent to informational self-determination. The concept of informational self-determination embodies Westin’s perception of privacy, which is ‘the right of the individual to decide what information about himself should be communicated to others and under what circumstances’.[2] It is clear from the General Data Protection Regulation (GDPR) adopted by the EU that self-determination is the bedrock of legislation on personal information. Another theory of protecting personal information is the right to personal information established in the American case Whalen v Roe[3], indicating that the right to personal information is the control of disclosure of personal information. In both theories regarding the protection of privacy, however, people’s control over their information is emphasised and informed consent is regarded as the core of such ability to control.[4] Taking into account the crucial role of informed consent, it has been explicitly pointed out in Article 1 of the Draft that, besides the protection of the rights and interests in personal information, the protection of personal information also requires the Draft to regulate activities processing personal information, to ensure the orderly and free flow of personal information in accordance with the law, and to promote the reasonable use of personal information. Accordingly, the consent must be informed and specific, indicating the wishes of the data subject.


Dilemmas facing informed consent


A. Failure as an authorisation mechanism

Despite the importance of informed consent, it cannot adapt to the rapid development of modern information processing and the e-economy, and thus fails to realise its original function.[5] The first difficulty is that users are unable to give their consent on the basis of effective information. To realise the function of informed consent, various sorts of apps and websites display relevant ‘Privacy Policies’ that require users to click the ‘agree’ button. More specifically, some apps force users to scroll to the bottom of the terms and conditions and wait for a few seconds before they are eligible to click the ‘agree’ button. Despite these measures, few users read the terms and conditions of privacy policies in practice. This is because privacy policies are full of legal terms that are too specialised for ordinary people to read and understand. In this sense, informed consent is also regarded as the ‘illusion of control’.[6] Hence, informed consent fails to protect personal information as an authorisation mechanism.


The second difficulty is that data breach incidents usually occur during users’ authorisation process. The basis of the difficulty is the imbalanced bargaining power between users and software inventors. Corporations funding the invention of apps may abuse this mechanism by taking advantage of users’ negligence. This phenomenon is particularly obvious when corporations include unreasonable and unfair terms in privacy policies which infringe the right of personal information, and users agree to these privacy policies without fully reading them. An example is the extremely unreasonable privacy policy of the ‘ZAO’ app. According to the Privacy Policy of this AI face-changing app, users agree to grant ZAO the completely free, irrevocable, and permanent right to sub-authorisation and sub-license across the globe after they upload their photos.[7] Even the privacy policies of giant firms include terms detrimental to personal information. For example, personal information may be leaked when users agree to the right, introduced in the Alipay terms, to provide personal information collected from users to related parties. Hence, informed consent is a sham generating greater threats to the protection of personal information.


Thirdly, users are unable to truly refuse privacy policies. This is because network service providers usually provide unified contracts and leave no space for users to negotiate terms and conditions, with the consequence that users must either agree or give up using these apps. Considering the close relation between social media apps and our daily life, users cannot have access to services and products without giving consent. As users are forced to accept privacy policies, the consent given by users is rarely true and voluntary.[8]


B. Failure as an accountability mechanism

Informed consent not only fails as an authorisation mechanism but is also an ineffective accountability mechanism. Informed consent is considered when examining the legitimacy of the way corporations deal with personal information. Accordingly, corporations may rely on informed consent to exempt themselves from responsibility, or they may be charged for the breach of privacy policies. The function of accountability is embodied in the principle of triple authorisation outlined in Sina v Maimai[9], where third parties require the authorisation of both users and platforms.[10] The principle is applied to control the usage and proliferation of personal information as much as possible during the transmission of personal data. Such control is essential, as the acquisition of data can not only be the source of competitive advantages but can also create more economic benefits.[11] However, though the Draft adheres to the principle of triple authorisation, the principle itself gives rise to controversies. Academics argue that the principle of triple authorisation is detrimental to scientific innovations and that its protection of privacy in practice ought to be doubted.[12]


The suspicion as to the legitimacy of its protection of data can be demonstrated by the limited scope of authorisation. For instance, address book information authorised within apps and platforms is usually information belonging to people other than users, which cannot be particularly authorised by users themselves. Nevertheless, most social media apps promote their applications through acquiring address book information authorised by users, which was the issue concerned in Lin v TikTok[13]. In this case, Lin prohibited access to others in his address book, but TikTok still recommended ‘people who may know’ to Lin based on his information recorded in other people’s address books. The court held that TikTok’s collection of Lin’s personal information without informed consent constituted an infringement, whereas the recommendation of ‘person who may know’ did not. However, the court did not analyse the app’s collection, based on informed consent, of information belonging to people in the user’s address book. By contrast, the requirement of consent from those who appear in a user’s address book before their data is shared is commonly accepted outside the Chinese jurisdiction, as confirmed in the German WhatsApp case.[14] This requirement inevitably brings up practical problems for social media apps relying on the acquisition of address book information, as more consent is required in order to collect data. Considering the loopholes in protecting address book information, informed consent can hardly be employed to make corporations accountable for their abuse of information without being detrimental to their commercial operation. Academics have raised several solutions to deal with the dilemma, such as replacing the informed consent rules with risk rules. Namely, if the risk that using the information poses to the information subject is relatively small, the data can be collected and utilised without consent.[15] However, this solution departs completely from the principle of informed consent, neglecting the protection of personal dignity. Hence, one potential resolution may be that the principle of informed consent should be detailed by constraining privacy policies with standard contracts, so that terms detrimental to personal information may be avoided.


Conclusion

Informed consent, though facing practical difficulties in authorisation and accountability, still plays a vital role in the Draft of Personal Information Protection Law (PIPL). Instead of forfeiting the idea completely, the Draft should clarify the boundaries of the ‘privacy policy’ and identify an effective way for courts to charge corporations in reliance on informed consent.



[1] Glenn Haley and Sharon Chan, ‘China’s draft Personal Information Protection Law: What Businesses Should Know’ (Bryan Cave Leighton Paisner LLP, 2 December 2020) <https://www.bclplaw.com/en-US/insights/chinas-draft-personal-information-protection-law-what-businesses-should-know.html> accessed 10 Mar 2021

[2] Alan Westin, Privacy and Freedom (New York: Atheneum 1967), p 7

[3] 429 US 589 (1977)

[4] Xuzhi Han, ‘The Dilemma and Solution of Informed-consent Rule in Personal Information Protection—On the Relevant Provisions of the Personal Information Protection Law (Draft)’ (2021) Business and Economic Law Review 1

[5] Chu Shao, ‘Informed Consent rule is the fulcrum of personal information protection’ (People’s Court News, 19 December 2020) <https://www.chinacourt.org/article/detail/2020/12/id/5672825.shtml> accessed 10 Mar 2021

[6] Woodrow Hartzog, Privacy’s Blueprint: The Battle to Control the Design of New Technologies (Harvard University Press, 2018), p 75

[7] (n4), 48

[8] (n5)

[9] (2016) Beijing Intellectual Property Court No.588

[10] Wei Xu, ‘Rethinking and Typified Construction of the Triple Authorisation Principle for Enterprise Data Acquisition’ 2019 SJTU Law Review 20

[11] (n9)

[12] Juan Xu, ‘Risk Decision Tree Model for Data Rights Protection in Difficult Internet Cases’ 2018 Nanjing Journal of Social Sciences 83

[13] (2019) Beijing Internet Court No.6694

[14] Vgl. AG Bad Hersfeld, Beschluss vom 15. Mai 2017 - F 120/17 EASO

[15] Peiru Cai and Xixin Wang, ‘Discussion on Personality Protection and Economic Incentive Mechanism in Personal Information Protection’ 2020 Journal of Comparative Law 106, 108
