Will Relying on “Privacy Policy” Pop-Ups Satisfy Compliance?
At present, most apps display the user agreement and privacy policy (or personal information protection policy) in a pop-up window when the user first opens the app, and rely on the user ticking a box to discharge the obligations of notification and consent. The Personal Information Protection Law (the “Personal Protection Law”) sets out legal bases other than consent as well as the elements of valid consent, yet the content and form of these privacy policies have not fundamentally changed.
Does ticking the privacy policy box constitute valid consent, and does it meet compliance requirements?
To get to the bottom of this question, this article argues that the nature and legal significance of the privacy policy and of consent need to be examined in depth. Drawing on the work of several scholars, it then offers suggestions on the content and form of the privacy policy: processing activities carried out on different legal bases should be listed separately, with the notification obligation fully discharged through matching user-interaction designs, and processing based on consent should be listed separately so that consent is obtained with genuine full knowledge, voluntarily and explicitly.
1. What is the definition and nature of consent?
Apart from Taiwan’s “Personal Data Protection Law”, which expressly defines consent as an “expression of will”, the personal information protection laws of most countries and regions, including the relevant laws and regulations of China, do not define what consent is; they only stipulate its elements.
During the drafting of China’s Personal Information Protection Law, the first sentence of Article 14, paragraph 1 of the first-reading draft read: “Consent to the processing of personal information shall be an expression of will made voluntarily and clearly by the individual on the premise of full knowledge.”
The second-reading draft deleted the words “expression of will”, and the first sentence of that paragraph was revised to: “Consent to the processing of personal information shall be given voluntarily and explicitly by the individual on the premise of full knowledge.”
The first sentence of Article 14, paragraph 1 of the “Personal Protection Law” as promulgated reads: “Where the processing of personal information is based on the consent of the individual, the consent shall be given voluntarily and explicitly by the individual on the premise of full knowledge.”
China’s “Personal Protection Law” therefore does not characterise “consent” as an expression of will. What, then, is consent?
1.1 Why is personal consent not an expression of will?
According to Professor Cheng Xiao’s explanation in “On Individual Consent in Personal Information Processing”, when an individual consents to a processor’s handling of his or her personal information, the individual is not seeking civil legal consequences: there is no agreement between the individual and the processor on the creation, modification or termination of a civil legal relationship. The individual’s consent is therefore not an expression of will.
If personal consent were understood as an expression of will, the civil-law rules on expressions of will would be wrongly applied to personal information processing.
On the one hand, it would confuse capacity for civil conduct with capacity to consent. The age at which an individual can consent to the processing of personal information differs from the age of civil capacity, because processing personal information is not a transaction but a factual act of collecting, storing, processing, using and providing personal information; the civil capacity that applies to transactions cannot be applied to it. In addition, the validity of personal consent is also constrained by other provisions of the Personal Information Protection Law, in particular whether the processor has fully discharged its notification obligation. If the individual was not adequately informed, the consent is invalid even though it was given.
On the other hand, the rules on revocation and withdrawal of an expression of will would be wrongly applied to personal consent. The civil-law provisions on the withdrawal and revocation of an expression of will, and on the exclusion period for the right of rescission, cannot be applied to personal consent in the processing of personal information. As long as processing is based on consent, the individual has the right to withdraw it at any time. If consent, once given, could not be withdrawn or could only be withdrawn with difficulty, it would not be real consent: the individual would have no real decision-making power over the processing and could not fully safeguard personal dignity and freedom. Moreover, revocation of a legal act has retrospective effect, whereas an individual’s withdrawal of consent is not retroactive. Because the processor must be prepared for the individual to withdraw consent at any time, the law must provide for this in order to balance the protection of personal information rights against the reasonable use of personal information; this is also what the principles of good faith and fairness require.
1.2 What, then, is the nature of personal consent?
Professor Cheng Xiao holds that a natural person’s right in personal information means that other organisations and individuals must respect and not infringe it, and that recognising this right necessarily restricts the freedom of action of others. Any processing of personal information by a processor (collection, storage, use, processing, transmission, provision, disclosure and so on) objectively constitutes an intrusion into, or interference with, personal information rights and interests; it breaches the legal order and is (provisionally) unlawful. To remove this unlawfulness, the processing must have a lawful justification. Under personal information protection law, that justification comes either from the individual’s consent or from provisions of laws and administrative regulations, that is, statutory permission.
On the negative side, personal consent is a ground that negates unlawfulness, that is, a ground of exemption: it removes the unlawfulness (or fault) of the act so that the actor bears no tort liability. Other such grounds are consent (Articles 1219 and 1036 of the Civil Code), self-help, emergency avoidance and legitimate defence.
On the positive side, personal consent is one of the lawful grounds for personal information processing. It provides a legal basis for the processing and removes the unlawfulness of the act, so that the processing rests on a legal basis and does not infringe personal information rights and interests.
Article 1036 of the “Civil Code”: In processing personal information, the actor shall not bear civil liability in any of the following circumstances:
(1) acts reasonably carried out within the scope of consent given by the natural person or his or her guardian;
(2) reasonable processing of information disclosed by the natural person himself or herself or otherwise lawfully disclosed, unless the natural person has expressly refused or the processing infringes his or her vital interests;
(3) other acts reasonably carried out to safeguard the public interest or the lawful rights and interests of the natural person.
Article 1219 of the “Civil Code”: In diagnosis and treatment, medical personnel shall explain the patient’s condition and the medical measures to the patient. Where surgery, a special examination or special treatment is required, medical personnel shall promptly explain the medical risks and alternative treatment plans to the patient in detail and obtain his or her explicit consent; where it is impossible or inappropriate to explain to the patient, they shall explain to the patient’s close relatives and obtain their explicit consent.
Where medical personnel fail to fulfil the obligations in the preceding paragraph and cause damage to the patient, the medical institution shall be liable for compensation.
In “A Systematic Interpretation of Quasi-Legal Acts”, Professor Chang Pengao argues that patient consent should be classified as a quasi-legal act, for the following reasons:
First, as to its constitution, it requires the patient to agree in writing to the medical institution’s diagnosis and treatment; this indicates the patient’s willingness to accept the treatment, not an intent as to legal effect;
Second, its legal effect is to remove the unlawfulness of the diagnosis and treatment, and it has nothing to do with any change of rights;
Third, this legal effect arises by operation of law: once the patient has consented, the medical institution need not compensate damage caused by the diagnosis and treatment as long as it discharges its duty of prudent care. Even if the patient’s true intention was not to remove the unlawfulness of the treatment, or the patient did not intend to forgo a claim for damages against the institution, the legal effect is unaffected. By contrast, a patient’s waiver of a claim for damages after medical harm has occurred is a legal act, because it extinguishes a right and that effect depends entirely on the patient’s will.
Classifying patient consent as a quasi-legal act presupposes Professor Chang Pengao’s definition of the term: a quasi-legal act is an act that expresses an inner state outwardly but whose effect is prescribed directly by law. It can be reduced to a legal norm of the form “expressive act + statutory effect”: the act is the constituent element, but the legal effect is entirely determined by law.
The institutional function of a legal act is to realise free will; its internal logic is to bring about a specific effect by expressing, through conduct, an intent as to that effect, so effect intent is the most fundamental feature of a legal act. A quasi-legal act has expressive intent but no effect intent. The object of the expressive act may be a certain will, the cognition of a certain factual situation, or a certain emotional attitude or position, but the object expressed by a quasi-legal act is never an effect intent.
Building on the above theories, lawyers Jin Zhenhua and Lu Weixin, in “Is the Privacy Policy Actionable?”, conclude that personal consent, while serving as a ground of exemption for the processor, is a quasi-legal act:
(1) As to its constitution, the individual’s agreement to the processor’s processing activities indicates a willingness to have his or her personal information processed, but this willingness is not an effect intent, that is, it does not constitute an expression of will;
(2) As to legal effect, the individual’s expressive act removes the unlawfulness of the processor’s conduct and has nothing to do with any change of rights;
(3) The legal effect of such an expression arises directly from laws such as the Civil Code and the Personal Information Protection Law.
2. What is the legal significance of the current privacy policy?
First, agreeing to the privacy policy does not create a contractual relationship.
Generally speaking, a contract is formed by offer and acceptance. An offer is an expression of will to conclude a contract with another party, and an acceptance is the offeree’s expression of will agreeing to the offer.
Lawyers Jin Zhenhua and Lu Weixin, starting from the “expressive act + statutory effect” norm, argue that although a privacy policy leaves the processor little room to express free will, the processor nonetheless expresses a wish to process personal information in accordance with legal requirements. This is an expressive intent, which has to be implemented through publication of the privacy policy, and the legal consequence of the privacy policy, namely that personal information may be processed once the individual’s consent is obtained, is directly regulated by the “Personal Protection Law”; the privacy policy therefore satisfies the elements of a quasi-legal act. The expressive act of publishing the privacy policy carries no effect intent, cannot constitute an expression of will, and so does not constitute an offer.
As discussed above, an individual’s “consent” is neither an expression of will nor an acceptance in the formation of a contract. An individual’s consent to the processing of personal information therefore cannot create a contractual relationship.
It is worth noting that where personal information processing is necessary to conclude or perform a contract to which the individual is a party, this article takes the view that merely agreeing to the privacy policy should not be read as the individual’s intention to enter into the overall contract (the user agreement). The privacy policy may, however, form part of the content of that contract, comparable to the service standards in a technical service contract.
Second, the greatest effect of a privacy policy is that it is how a processor follows the principle of transparency and discharges the notification obligation stipulated in the Personal Protection Law.
However, the content and presentation of current privacy policies do not meet the requirements of Article 17 of the “Personal Protection Law” that notification be truthful, accurate and complete, nor do they lead to explicitly given consent. Processors must give sufficient notice so that individuals consent on the premise of being fully informed; consent given without the individual’s full knowledge, or on insufficient knowledge, is invalid.
At the level of content, for example, current privacy policies cover all the basic circumstances of personal information processing. They generally begin with how personal information is collected and used, with a subsection explaining when consent is not required. For public health emergencies, news reporting in the public interest, or the processing of lawfully disclosed personal information, it is indeed impossible, given their inherent uncertainty, to explain the processing in advance. But there is no separate explanation of the processing that is necessary to conclude or perform a contract or that is based on a statutory obligation, so individuals have no clear idea which processing is needed to perform the contract or fulfil legal obligations. In the end, after reading the policy, users still do not know which processing does not require their consent.
At the level of form, the privacy policy gives a one-off notice, and users give up reading it because it is long and tedious and offers no choice. Even a user who only uses basic functions for now must agree to the app’s future processing activities. When a later business scenario involves collecting more personal information, collecting sensitive personal information, or processing that may have a significant impact on personal rights and interests, the user is not notified again; or the processing purpose is added by updating the privacy policy, without strengthened, separate notice of the changed part being given to the individual.
3. Some suggestions on the content and form of the privacy policy
This article takes the view that the privacy policy should serve as a notice of personal information processing. Where processing rests on a legal basis other than consent, the user should not be asked to tick the privacy policy to give consent. A processor will generally have several legal bases for processing, so the processing activities carried out on each legal basis should be listed separately, with the notification obligation fully discharged through matching interaction designs: for example, which personal information is processed to fulfil a legal obligation and which is necessary to perform the contract. For processing on a non-consent legal basis, the control on the privacy policy or privacy notice should read “I have read” or “I understand”, not “I agree”.
Processing based on consent should be listed separately and consent obtained for it, so that consent is given with genuine full knowledge, voluntarily and explicitly. Where the Personal Protection Law requires separate consent, it must be obtained through a pop-up window or another form before processing; where the processing involves sensitive personal information or may have a significant impact on personal rights and interests, further notice must be given and the user’s separate consent obtained.
Compliance requirements and business needs are not irreconcilable. Creatively designing compliant interaction pages is the path we must take.
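To make the two suggestions above concrete, here is an added example (not code from the original article, and not from any real app) in Python: a hypothetical consent ledger that records each processing activity under its legal basis, offers “I have read” for non-consent bases and a per-activity “I agree” for consent-based ones, refuses a single checkbox that bundles sensitive personal information with other processing, rejects consent given before the notice was read (no full knowledge), and treats withdrawal as effective only going forward, matching the earlier point that withdrawal of consent is not retroactive. The `LegalBasis` labels, the activity catalogue for a shopping app and the timestamps are all constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum

class LegalBasis(Enum):
    """Constructed labels for some of the legal bases the article distinguishes."""
    CONSENT = "individual consent"
    CONTRACT_NECESSITY = "necessary to conclude or perform a contract"
    LEGAL_OBLIGATION = "necessary to fulfil a statutory obligation"

@dataclass(frozen=True)
class ProcessingActivity:
    activity_id: str
    purpose: str
    data_categories: tuple
    basis: LegalBasis
    sensitive: bool = False  # sensitive personal information: separate consent only

class ConsentError(Exception):
    """Raised when a consent flow would yield invalid consent."""

@dataclass
class ConsentLedger:
    activities: dict                                  # activity_id -> ProcessingActivity
    acknowledged: dict = field(default_factory=dict)  # activity_id -> time notice was read
    consents: dict = field(default_factory=dict)      # activity_id -> [[given, withdrawn|None]]

    def notice_control(self, activity_id):
        """Acknowledgement for non-consent bases; a per-activity 'I agree' otherwise."""
        a = self.activities[activity_id]
        if a.basis is not LegalBasis.CONSENT:
            return "I have read"
        return "I agree (separate)" if a.sensitive else "I agree"

    def acknowledge_notice(self, activity_id, at):
        self.acknowledged[activity_id] = at

    def record_consent(self, activity_id, at):
        a = self.activities[activity_id]
        if a.basis is not LegalBasis.CONSENT:
            raise ConsentError(f"{activity_id}: 'I agree' is meaningless on basis {a.basis.name}")
        if activity_id not in self.acknowledged or self.acknowledged[activity_id] > at:
            raise ConsentError(f"{activity_id}: consent given before the notice is invalid")
        self.consents.setdefault(activity_id, []).append([at, None])

    def record_bundled_consent(self, activity_ids, at):
        """One checkbox covering several activities is refused if any is sensitive."""
        if any(self.activities[i].sensitive for i in activity_ids):
            raise ConsentError("sensitive personal information needs its own consent")
        for i in activity_ids:
            self.record_consent(i, at)

    def withdraw_consent(self, activity_id, at):
        for rec in self.consents.get(activity_id, []):
            if rec[1] is None:
                rec[1] = at

    def is_permitted(self, activity_id, at):
        """Non-consent bases do not depend on consent (notice is still owed); consent-based
        activities need a consent in force at `at`. Withdrawal only ends consent going forward."""
        if self.activities[activity_id].basis is not LegalBasis.CONSENT:
            return True
        return any(given <= at and (withdrawn is None or at < withdrawn)
                   for given, withdrawn in self.consents.get(activity_id, []))

def build_demo_ledger():
    """Constructed catalogue for a hypothetical shopping app."""
    acts = [
        ProcessingActivity("order_fulfilment", "ship purchased goods",
                           ("name", "address", "phone"), LegalBasis.CONTRACT_NECESSITY),
        ProcessingActivity("marketing_push", "send promotional notifications",
                           ("device token", "browsing history"), LegalBasis.CONSENT),
        ProcessingActivity("face_login", "log in by face recognition",
                           ("facial features",), LegalBasis.CONSENT, sensitive=True),
    ]
    return ConsentLedger({a.activity_id: a for a in acts})

def _attempt(fn, *args):
    # Run one step of the flow and report whether the ledger accepted it.
    try:
        fn(*args)
        return "accepted"
    except ConsentError:
        return "rejected"

def run_demo():
    """Walk through the flow with constructed timestamps; returns the observations."""
    ledger = build_demo_ledger()
    t = [datetime(2022, 2, 18, 10, 0) + timedelta(minutes=m) for m in range(5)]
    out = {"controls": {i: ledger.notice_control(i) for i in ledger.activities},
           "agree_on_contract_basis": _attempt(ledger.record_consent, "order_fulfilment", t[0]),
           "consent_before_notice": _attempt(ledger.record_consent, "marketing_push", t[0])}
    for i in ledger.activities:            # the user reads each section of the notice
        ledger.acknowledge_notice(i, t[0])
    out["bundled_with_sensitive"] = _attempt(
        ledger.record_bundled_consent, ["marketing_push", "face_login"], t[1])
    ledger.record_consent("marketing_push", t[1])
    ledger.withdraw_consent("marketing_push", t[3])
    out["marketing_during_consent"] = ledger.is_permitted("marketing_push", t[2])
    out["marketing_after_withdrawal"] = ledger.is_permitted("marketing_push", t[4])
    out["face_login_never_consented"] = ledger.is_permitted("face_login", t[2])
    out["fulfilment_without_consent"] = ledger.is_permitted("order_fulfilment", t[2])
    return out
```

`run_demo()` returns the observations rather than printing them so they can be checked: processing on the contract basis is permitted without any “I agree”, the marketing consent holds at the time it was in force and stops only after withdrawal, and face recognition, which was never separately consented to, is never permitted.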
Data Compliance and Governance
Date: February 18, 2022, 02:46
#personalinformationprotectionlaw #inform #agree