Who Should Obtain the Third “Consent”?

Who should obtain the third “consent” and the relationship between consent and notification.

1. Who should obtain the separate consent in the third “consent”?

The previous article, “After the ‘Personal Information Protection Law’ takes effect, can the ‘triple authorization principle’ continue to apply?”, discusses the applicability of the “triple authorization principle”. It argues that “triple authorization” should be “triple consent”, but does not discuss in depth who should obtain the separate consent in the third consent.

That is, when Company A provides users’ personal information to Company B, then in accordance with Article 23 of the “Personal Information Protection Law” (hereinafter referred to as the “Personal Protection Law”), Company A shall inform the individual of Company B’s name, contact information, processing purpose, method of processing and categories of personal information, and obtain individual consent. This consent is treated as the third level of consent in this article, but whether it should be obtained by Company A or by Company B is uncertain in practice. A further question follows: if Company A informs the information subject that it will provide personal information to Company B and obtains separate consent, does Company B, as the recipient of the information, also need to obtain consent and inform the information subject?

This article discusses the question in two situations, and takes the view that the answer depends on whether organization A actively provides personal information to organization B.

(1) If organization A actively provides personal information to organization B based on the legal basis of consent, for example, seller A obtains separate consent from, and informs, the individual in order to provide the individual’s home address to courier company B to complete the door-to-door service, then Company B no longer needs to obtain the individual’s separate consent and inform the individual. (It is assumed here that the seller’s provision of the individual’s home address to the logistics company is not necessary to perform the sales contract, and that Company B is not a “trustee” in the insurance law.)

(2) If organization A is passive, or organization B is the party requesting the personal information, then after organization B obtains the individual’s consent to obtain personal information from organization A (the third consent), it still depends on whether A agrees to provide personal information to B (i.e. the second level of consent). At this point the key question is whether institution A needs to obtain individual consent (i.e. the first level of consent) from the individual for the act of providing personal information to institution B. This is a very tricky problem in practice. Theoretically speaking, institution A has a legal and legitimate basis for collecting and storing users’ personal information in order to provide services to individuals, but it has no legal basis for providing users’ personal information to the outside world. That is, if institution A needs to provide users’ personal information to other institutions and cannot rely on a “non-consent legal basis” such as a contract or legal obligation, institution A needs to obtain separate consent before providing personal information to institution B. This kind of separate consent obviously cannot be realized through a blanket notification in the privacy policy when the user first uses the services of organization A.

In addition, it is a fact that certain institutions in the position of institution A have difficulty obtaining individual consent from individuals. For example, many institutions that do not directly face users are involved in the electronic payment chain. An e-commerce platform is connected to many third-party payment services. During the payment process, one of the third-party payment institutions is randomly selected to transmit the payment request, and the request then reaches the bank through UnionPay and NetsUnion to complete the deduction, so all of the above institutions legally store a large amount of personal consumption record information. Licensed credit agencies need this transaction information to generate personal credit reports. Suppose the above institutions were required to strictly obtain separate consent for each transaction, for example through a pop-up window that obtains separate consent while the service interface is suspended. Judging from current technology and management methods, it is difficult to assess the impact on the operational efficiency of online payment and the corresponding compliance costs, unless future laws and regulations stipulate otherwise.

2. The relationship between consent and notification

According to Article 23 of the Personal Protection Law, providing personal information to the outside world requires notifying the individual and obtaining separate consent. It might seem that consent and notification always go together, and that wherever consent is obtained notification must be given at the same time. In many cases, however, individuals need to be notified but consent is not always required, and there are also situations where neither consent nor notification is required.

First of all, for personal information processing activities based on personal consent, personal information processors need to perform the obligation of notification, and then obtain personal consent or separate consent before implementing personal information processing activities.

If the processing of personal information is not based on consent, it is still necessary to notify the individual in accordance with Article 17 of the Personal Protection Law. One reason is to meet the principle of transparency in the processing of personal information; the other is to protect the individual’s right to know. The right to know is a prerequisite for protecting an individual’s personality and property rights. Therefore, unless major public interests or national interests are involved, personal information processors should perform the obligation of notification.

Secondly, the circumstances in which neither consent nor notification is required are stipulated in Articles 18 and 35 of the Personal Protection Law.

Article 18: Where personal information processors process personal information, if laws and administrative regulations stipulate that it should be kept confidential or do not need to be notified, they may not notify the individual of the matters specified in the first paragraph of the preceding article.

If in an emergency it is impossible to notify the individual in a timely manner to protect the life, health and property safety of a natural person, the personal information processor shall notify the individual in a timely manner after the emergency is resolved.

Article 35: State organs handling personal information in order to perform statutory duties shall fulfill the obligation of notification in accordance with the provisions of this Law; except for the circumstances specified in Article 18, Paragraph 1 of this Law, or where the notification will prevent state organs from performing their statutory duties.

In summary, the situations where neither consent nor notification is required are:

(1) Circumstances that should be kept secret as stipulated by laws and administrative regulations, or where informing individuals will hinder the performance of statutory duties by state organs

The circumstances that should be kept confidential as stipulated by laws and administrative regulations are generally understood to be those in which, for purposes such as crime investigation and anti-terrorism, and in consideration of social and public interests and national interests such as public security and national security, laws and administrative regulations require personal information processors to keep the matter confidential. Examples include the Law on Keeping State Secrets, the Anti-Terrorism Law, the Anti-Espionage Law, and the National Intelligence Law.

The situation where informing individuals will prevent state agencies from performing their statutory duties means that if individuals are notified before their personal information is processed, state agencies will not be able to perform their statutory duties. It has to be said that this is still vague. Whether notification would make the state agency unable to perform its statutory duties needs to be determined according to the actual situation and the principle of proportionality, and the individual’s right to know should be excluded only with care.

(2) Circumstances that do not require notification

The information subject already knows the information that needs to be disclosed

Let us go back to the above example:

Scenario 1: If institution A actively provides personal information to institution B based on the legal basis of consent, and institution A has informed the individual and obtained consent, institution B, as the recipient of the personal information, does not need to inform again.

Scenario 2: If organization A is passive, or organization B is the party requesting the personal information, then after B obtains the individual’s consent to request personal information from organization A (the third consent), it still depends on whether A agrees to provide personal information to B (that is, the second level of consent). At this time, does institution A need to obtain separate consent from the individual for the act of providing personal information to institution B, and inform the individual? This article tends to believe that, where organization B has obtained the individual’s consent to obtain personal information from organization A, and it can be determined that the subject of the personal data already knows the information that needs to be disclosed, that is, the type and purpose of the information that organization A provides to organization B, then organization A does not need to obtain separate consent, and there is no need to inform the individual again.

Processing of personal information that has been legally disclosed

If notification and consent were required one by one for the processing of personal information that has already been disclosed, this would not only be difficult to achieve, but also not conducive to the legal use of personal information. However, personal information processors must process information that has been legally disclosed within a “reasonable range” before they are exempted from the obligation to inform. For illegally disclosed information, or information that was legally disclosed but is processed beyond the reasonable scope, personal information processors still have the obligation to inform. As for how to grasp the “reasonable range” in practice, we can consider whether the purpose of the personal information processing is consistent with the purpose for which the personal information was disclosed, and whether it meets the subjective expectations of the information subject and the objective expectations of the public at the same time.

3. Do individuals have any chance to refuse news reporting and public opinion supervision carried out in the public interest?

Article 27: Personal information processors may, within a reasonable scope, process personal information that is disclosed by the individual or has been legally disclosed; unless the individual expressly refuses. Where personal information processors process disclosed personal information and have a significant impact on individual rights and interests, they shall obtain the individual’s consent in accordance with the provisions of this Law.

Article 27 of the Personal Protection Law stipulates that if an individual explicitly refuses the processing of personal information that the individual has disclosed or that has been legally disclosed, the personal information processor cannot process it without authorization, but how the individual can exercise the right to refuse still needs to be discussed. Here, this article makes a brief analysis of Article 13, Paragraph 5 of the Personal Protection Law [Processing personal information within a reasonable scope for news reporting, public opinion supervision, etc. for the public interest].

The content exposed by news reports or public opinion supervision may be legally disclosed personal information or undisclosed personal information. If it is legally disclosed personal information, it is not necessary to obtain the individual’s consent for disclosure within a reasonable range for news reports or public opinion supervision, and it seems that there is no need to inform either: if the report is unfavorable to the parties, informing them seems illogical, since who would agree? In this scenario, it seems that individuals have no chance to refuse, unless a statement such as [do not use it for other purposes without permission] is attached in each scenario where the personal information is disclosed. However, when the public interest prevails, personal interests will be squeezed, and such a statement seems to be useless. If it is non-public personal information, personal information processors need to consider whether they are processing personal information within a “reasonable range” for the purpose of news reports or public opinion supervision and exposure.

Discussion is welcome.

Data Compliance and Governance

Date: January 14, 2022, 17:00
