1. Sign an electronic contract: It is understood that there were network security laws and data security laws before. What are the characteristics of the Personal Information Protection Law compared with the previous laws?
Lawyer Wang Xinrui: In the past, there were many legal provisions on the protection of personal information. Relatively speaking, the Personal Information Protection Law has some innovations or richness in the system.
(1) The legal basis becomes richer.
Before, we only had the basis of "informed consent" on the legal basis of handling personal information.
As we mentioned earlier, there are many scenes about the protection of personal information. If we only rely on "consent", there may still be some contradictions.
Therefore, we have added some legal foundations such as contracts, public interests and news media supervision.
(2) From the perspective of consent, it is also the main basis for the protection of personal information worldwide.
But just agreeing is not enough. This time, it is enriched on the basis of consent, and the concept of "personal consent" is mentioned.
"Personal consent" will also have a great impact on the compliance of enterprises.
Furthermore, the Personal Information Protection Law has made some responses to automated decision-making and some new technologies. We have summarized all the industry practices related to observing personal information, including some experiences of foreign legislation. For example, the requirements of data classification and risk pre-assessment and the obligations that need to be fulfilled before data crosses borders are added.
In this way, we can see that after the promulgation of the Personal Information Protection Law, the system coverage is more comprehensive.
Of course, for enterprises, it is also necessary to understand that personal information compliance is not a once-and-for-all thing, but a sustainable process, which means that enterprises need to make continuous efforts to fulfill the compliance obligations brought about by these systems.
And to some extent, the compliance and legality of personal information protection are not exactly the same thing. The process of compliance is inseparable from the continuous investment of enterprises in technology and systems, and it is not black and white.
Of course, what is illegal is sometimes clear. But what are compliance and violation? There are certain boundaries that need to be proved by enterprises themselves.
2. Electronic contract signing: You just mentioned that enterprises must leave traces and store data safely. Nowadays, many enterprises want to use electronic signatures, and independent third parties provide neutral evidence.
As a third-party neutral platform, how can the electronic signature platform better meet the compliance requirements of the Personal Information Protection Law?
Lawyer Wang Xinrui: After the promulgation of the Personal Information Protection Law, we also discussed it with some clients. For example, "personal consent" is not only the process of consent itself, but also needs to be recorded.
It can be seen that a change brought about by the Personal Information Protection Law is the establishment of fault presumption responsibility, which requires enterprises to prove their innocence in the face of some personal information risk events.
If an enterprise wants to prove that it has done nothing wrong, it needs to leave a mark on the whole process and then prove it. One value of the electronic signing platform is also here. It can help enterprises to leave traces in real time during the whole process, such as how to obtain consent or personal consent, or some notification actions for employees. In the later stage, if employees or companies want to inquire about electronic contracts and notarization information, the electronic signature platform is relatively realizable, which is also the value that electronic signature manufacturers can bring to enterprises.
On the other hand, due to the large number of customers served by electronic signature manufacturers, internal control and internal access rights settings should be considered, such as the need to isolate these data internally.
Electronic signature: Regarding these, there is a complete set of security mechanisms and processes inside the signature. Some of our internal operation and maintenance personnel can't access the data directly.
At the same time, when we provide products to external corporate customers or individual customers, we should also inform them at the first time and tell them what information needs to be collected. Generally, we collect the least information, as long as we complete the real-name authentication.
There will be a minimum of information for the description of what, especially when facial recognition is used. We will also have a separate description of this kind of data that belongs to special privacy.
3. Electronic signing of contracts: In addition, what improvements do you think third-party electronic signature service providers need to make?
Lawyer Wang Xinrui: After the promulgation of the Personal Information Protection Law, the products of all large companies need to be adjusted according to it.
First of all, this adjustment should be consistent with compliance with obligations. I think some of the schemes and technical means we are doing now can definitely be proved to be effective in the past. After the promulgation of the Law on the Protection of Personal Information, enterprises need to go through all stages of providing "notification-consent" to see if it meets the legal requirements.
In addition, enterprises need to classify data, and I see that many enterprises have not yet fully done so. There is a simple reason. In the past, there was no mandatory provision by law. The data can only be classified after the enterprise classifies the data, such as personal information and sensitive personal information. It may even distinguish that some information is not only personal information, but also important data. In this way, enterprises can determine which types of data should be processed in what way, or under what circumstances limit data processing.
As the conversation between lawyer Wang Xinrui and lawyer Qian Shang shows, after the promulgation of the Personal Information Protection Law, enterprises will pay more attention to the compliance requirements of personal information security protection when choosing electronic signature suppliers, so third-party technical service providers need to pay closer attention to the relevant details to help enterprises avoid potential risks.