The rapid development of digital technology poses new challenges to the construction of the rule of law in the digital age. Peking University Law School will hold a series of forums on "Digital and the Rule of Law" in September 2022. The theme of this forum is "Privacy and Data Protection Law from a Global Perspective", and well-known scholars from Japan, Europe, and the United States and Chinese scholars are invited.

On September 8, 2022, the second session of the "Digital and Rule of Law" series of forums at Peking University Law School was given by Daniel J. Solove, chair professor of George Washington University Law School and founder of Teach Privacy. The lecture was presided over by Peng Kun, Assistant Dean and Assistant Professor of Peking University Law School, and attracted more than 300 teachers and students both inside and outside the school.

This article presents the key points of the lecture in the form of written transcripts.

Daniel J. Solove:

The current privacy law represented by the EU's General Data Protection Regulation relies too much on the right to privacy to protect privacy; the right to privacy itself is beneficial to individuals, but it cannot fully achieve the goal of protecting privacy. The role of privacy rights is limited, and it can only be used as an auxiliary mechanism for privacy protection.

On the whole, the right to privacy has the following problems:

First of all, although privacy rights appear to give individuals a wide range of choices, in fact they impose a great burden on individuals due to the time-consuming exercise of rights. Further complicating the situation, individuals are likely to be unaware that some companies have access to this information; because of the constant flow of data, deletion of information is an endless process.

Second, it is unrealistic for individuals to self-manage their privacy because, in general, individuals are not sufficiently capable to scientifically compare the benefits and potential risks of allowing information collectors to collect personal information. Allowing them to collect and use personal information can bring immediate convenience, but the risk is vague and uncertain; because the privacy policy provided by the information collector is often vague, and it sometimes does not strictly enforce the policy, the individual cannot foresee that their information will be used. how to be handled.

Finally, privacy also has a social nature and should not allow complete self-determination of individuals. On the one hand, some information is shared, and on the other hand, the content of some information is interconnected. By analyzing one person's information, other people's information can be obtained; if an individual deletes or changes his own information, the inferences made before will also be Change accordingly and this will affect others.

The above issues are reflected in the specific rights:

First, the right to know, that is, the right to know that one's own information is collected. The sheer volume of information being collected makes exercising this right consuming too much time; moreover, it is meaningless to simply know that information about oneself is being collected; individuals should also know how their information will be used and the risks involved, so that they can decide whether to The collection is allowed to make a reasonable decision. In addition, the purpose of establishing the right to know is to hold the information collectors accountable for the information processing process, which is complex and highly specialized; but for users who lack the expertise and sufficient time, the privacy policy should be as concise as possible. The tension between the two also makes it difficult for the right to know to realize its due value.

The second is the right to obtain, that is, the right to obtain one's own information from the information collector. Similar to the right to know, the high time cost of exercising the right makes it lack of practical value.

Third, the right to portability, that is, the right to require the data controller to provide a copy of its own data in order to transfer the data to a new data controller in the future. However, the object of the right to portability is limited to its own data, and the data that individuals want to transfer is often not limited to this; in addition, the purpose of setting the right to portability is to promote competition among data processors, but the field of competition between enterprises is not limited privacy protection; moreover, privacy protection will increase the cost, but may put the enterprise at a disadvantage. Therefore, the right to portability is difficult to achieve its own purpose.

Fourth, the right to rectification, that is, the right to correct erroneous personal information. Likewise, individuals do not have enough time to correct the vast amount of misinformation; more importantly, it is the business, not the user, who should be responsible for proofreading information and correcting errors. However, the jurisprudence of the U.S. courts holds that individuals can only hold companies accountable when misinformation causes actual losses, which makes companies even more slack in taking responsibility for ensuring accurate information. In addition, there is no objective standard for checking the correctness of predictive information at the time of publication, which makes personal information more difficult to correct.

Fifth, the right to erasure, that is, the right to delete personal data, is linked to the principle of minimum necessity. However, it is difficult for individual users to judge the scope of the necessary information that the enterprise needs to achieve a specific purpose and the specific period of time that the information needs to be retained. This task should be performed by the public regulatory agency.

Sixth, the right to be forgotten. It is the right to request anonymity, such as asking search engines not to display a certain piece of information in search results. But rather than giving individuals the right to request anonymity, it would be more effective for the law to directly require companies to clear criminal records and other information that is harmful to individuals.

Seventh, the right to refuse, that is, the right to refuse information processors to use their own information in a specific way. This right also faces high exercise costs and the inability of individuals to fully understand the specific ways in which companies use information.

Eighth, the right to be exempted from automated decision-making, that is, the right to deny information processors the right to make automated decisions based on personal information. However, at present, the knowledge base that users rely on to decide whether to refuse is weak. They neither understand the algorithm that makes the decision, because the users who make the decision are often not professionals; nor can they understand the information of others as a reference for decision-making, because their is the privacy of others.

Speaker Profile:

As one of the world's leading experts on privacy law, Professor Daniel J. Solove has authored more than 10 monographs, textbooks, and more than 50 papers. His papers have been published in Harvard Law Review, Yale Law Journal, Stanford Law Review, Columbia Law Review and other magazines. His latest book is BREACHED! WHY DATA SECURITY LAW FAILS AND HOW TO IMPROVE IT (Oxford University Press, March 2022) (with Woodrow Hartzog). Professor Solove writes a column on LinkedIn as a "thought leader" and has more than 1 million followers. He also blogs frequently on the Privacy+Security Blog.

Translated by: Gao Jiaxin

Edited by: Ma Liting