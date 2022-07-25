After a one-year investigation, the Cyberspace Administration of China announced the decision to levy a fine of 8 billion yuan on Didi. Didi did not contest the allegations levelled against itself, namely the infringement of the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law. The Cyberspace Administration listed specific figures concerning information illegally or excessively collected by the company, including the ride-hailing app users' facial recognition data, age, occupation and family relationships; the pick-up location of the ride; the drivers' education background and other information that needs to be protected. It is believed that the evidence is conclusive, just as the Cyberspace Administration has stated.

Innovative industries developed with the Internet and social platforms are on the rise, bringing riches to enterprises. Users, at the same time, enjoy new and convenient service experiences. However, China's supervisory practice on these service providers is to give free rein to innovation and technology companies to explore and try things out first. Laws or management regulations are formulated to regulate certain practices only after problems are discovered. No doubt, such a management practice is conducive to the cultivation of emerging industries. The reason is that if commercial operations are not allowed until the completion of the corresponding laws, it will, to a certain extent, hinder the development of innovation and technology enterprises. But from the perspective of protecting the users' interests, a great risk might have to be shouldered as a result. In the past two years, China has been continuously targeting those corporations that have gained a footing for dominance, investigating their status of market monopoly and violations of the protection of personal information and handing out heavy penalties. There has been a difference of opinion as to whether such actions are fair.

The laws of the state should be obeyed by everyone — this is beyond question. Yet, state administrative organs and state-owned enterprises have a responsibility to lead by example. At present, when it comes to state-owned telecommunication enterprises, banks and medical institutions, the protection of personal information leaves a lot to be desired. It is true that even if state-owned enterprises do not do a good job, private enterprises still need to abide by the law. In spite of this, what can be seen now is that only private enterprises are facing the harsh consequences of violating the law, while state-owned enterprises are subject to lax requirements. In the eyes of the public, the gravitas of the law has been greatly reduced.

Users are also responsible for protecting their own personal information. The law expressly states that users have the right to consent to, be aware of and make a choice concerning the collection of information. Having said that, users are often ignorant of their rights. The rights that they are made aware of are not written in common and plain language, but on pages that are densely crawling with words. In addition, the government has never tried its best to publicise and educate the public on the protection of personal information. Therefore, users are informed of their rights in a manner of formality, but in reality, they exercise the so-called right of choice unknowingly.

Heavy penalties for violations should be fully supported in order to maintain the gravitas of the law. Be that as it may, law enforcement must be highly transparent so that law-abiding corporations know what to follow. The implementation details of the Personal Information Protection Law must be unveiled as soon as possible.

明報社評 2022.7.25：嚴懲違規與教育並重 保護個人信息須指引

國家互聯網信息辦公室對網約車企業滴滴全球股份有限公司施以有史以來最重的刑罰80億元人民幣，原因是該公司違反3條信息保護法律。

網信辦經過一年調查，公布對滴滴公司罰款80億元的決定，滴滴公司對於被指違反《網絡安全法》、《數據安全法》和《個人信息保護法》並無抗辯，網信辦列舉違法收集和過度收集信息的具體數字，這些信息包括這家網約車企業客戶的人臉識別、年齡、職業、親情關係、約車地點、司機學歷等等需要保護的信息。相信的確如網信辦所說，證據確鑿。

利用互聯網和社交平台開發的創新產業，方興未艾，企業賺得盆滿鉢滿，用戶也有嶄新與方便的服務體驗，惟國家對此的監管，是讓創科企業「先行先試」，到發現問題才制定法律或者管理規定加以規範，這種管理做法，有利培育新興產業，因為如果等待法律完備才允許商業運作，在某種程度上會窒礙創科企業，但從用家利益保護的角度看，則可能要承受很大的風險。過去兩年，國家陸續對這些已經「坐大」的企業，調查其市場壟斷以及違反保護個人信息的行為，施以重罰，做法是否有欠公允，言人人殊。

國家法律，人人都應遵守，毫無異議，但國家行政機關以及國企應有帶頭示範的責任。現在電訊業國企、銀行及醫療機構，對於保護個人信息方面，乏善足陳。雖然說即使國企做不好，私企也要守法，現在只看到嚴懲私企，對國企要求稀鬆，在公眾面前，法律的嚴肅性大打折扣。

保護個人信息，用家也有責任，法律明示用戶對信息收集有同意權、知情權和選擇權。然而，用戶往往對於自身的權利一無所知。他們被告知的權利，並非以通俗易懂的語言寫成，更是寫在密密麻麻的幾頁紙上，加上政府從來沒有對個人信息保護方面盡力做宣傳教育，所以，用戶是在形式上被告知權利，實際上是在不知情的情况下行使所謂選擇權。

重罰違規行為，應該全力支持，方能維護法律的嚴肅，但執法必須高度透明，才能使遵紀守法的企業知所遵循，《個人信息保護法》的執行細則必須盡快出台。

