
Annual Report of Privacy Policy Transparency (2017)

admin   2018-03-10 15:33
By Nandu Personal Information Protection Research Center
 
1.  INTRODUCTION
On September 24th, 2017, the Cyberspace Administration of China (CAC) and three other national ministries and commissions jointly released the assessment results of the privacy policies of the first ten leading Internet products and services, including WeChat, Sina Weibo, JD.com, Baidu Maps, AutoNavi Maps and Ctrip.
 
A privacy policy is a statement or legal document that discloses the ways a party gathers, uses, discloses and manages a customer's or client's data; users usually encounter it while registering. It fulfills a legal requirement to protect the customer's or client's privacy.
 
This was the first time that national ministries carried out a special program on privacy policies. According to the results, all ten products and services revised their privacy policies during the assessment, and most of the issues raised have been rectified.
 
2.  BACKGROUND
Nandu Personal Information Protection Research Center (PIPRC) has been concentrating on the transparency of Internet services’ privacy policies.
 
Last March, PIPRC randomly picked 50 websites and APPs for a privacy policy transparency assessment. In May, following the requirements of the Cyberspace Security Law, PIPRC, together with TISIZE & Partners, drew up the “Criteria of Privacy Policy Assessment”. A month later, PIPRC published the “Privacy Policy Transparency Report of 1000 Websites and APPs” (“1000 Mixed”), which covered 500 websites and 500 APPs across ten industries.
 
After that, PIPRC upgraded the criteria in line with the standards that the China Electronics Standardization Institute (CESI) is developing. Last August, PIPRC assessed another 550 widely used services in five industries (recruitment, Internet finance, social media, travel and online shopping) and released transparency reports for them.
 
Because both rounds targeted popular services, some services were included twice. It was noticed that the privacy policies of many services had been revised during the three months between the two rounds.
 
3. MAJOR FINDINGS
 
3.1 Overall Analysis
The outcomes are divided into five transparency levels: “High”, “Relative High”, “Medium”, “Relative Low” and “Low”. Table 1 indicates that, regardless of when the assessment was taken, the distribution always has the shape of a steep pyramid: very few services have high transparency while the majority have low transparency.
 
Table 1: Distribution of Transparency
 
The outcome of “1000 Mixed” shows that no service reached the “High” transparency level, while the services falling into “Relative Low” and “Low” add up to 81% of the 1000. Compared across industries, social media leads all others.
 
The single-industry assessments lead to the same conclusion. Graph 1 shows that only two industries, recruitment and social media, have percentages in “Relative Low” and “Low” similar to those of 1000 Mixed. The remaining industries have much higher percentages, which indicates that their policy transparency is below average.

Graph 1: Distribution of Transparency
 
On the other hand, the number of services with “High” transparency in the single-industry assessments exceeds that in 1000 Mixed. Ten services from three industries appear at the “High” level: four from Internet finance, four from online shopping and two from travel.
 
Table 2: Services with “High” transparency
 
Among the 10 services above, 8 were included in both PIPRC assessments as well as in the assessment by the national ministries. Their privacy policies were revised during the latter assessment, and in the second PIPRC assessment they moved into the “High” level.
 
3.2 Single Service Analysis
Although services from large companies make up the majority of the “High” level, this does not necessarily imply that the better known a company is, the higher its policy transparency.
 
In the recruitment industry, highly popular services are spread across the various levels rather than concentrated in the “High” level. For instance, 58 City, LinkedIn, ChinaHR and Kanzhun.com are the top ones; 51Job, Lagou and Dajie fall into the “Relative Low” level; Zhaopin.com, Liepin and Ganji are at the bottom.
 
The same is true of online shopping. Services with a long history and a good reputation, such as Dangdang, Lefeng, Jumei and SMZDM, unexpectedly have poor policy transparency, as do services like Xiaohongshu, Daling and Ymatou, which have become popular with the trend of cross-border online shopping.
 
Of the 1550 services assessed by PIPRC, 252 were assessed twice, and some of them revised their privacy policies in between. However, only 18 noticeably improved their policy transparency: 4 services added a privacy policy where none existed, 9 enhanced their policy to some extent, and 5 upgraded to the highest level of transparency.
 

Table 3: Services with noticeable improvement in privacy policy
 
It is quite notable that Ctrip jumped from the “Low” level straight up to “High”. The old version of Ctrip’s privacy policy contained only the most basic standards. After the program carried out by the national ministries, the new version released on September 21st covered all the important standards, such as clearly informing users what personal information is collected, how it is collected and how it is used; the purpose of building user profiles; whether personal information is used to send commercial advertisements; and clearly informing users of their right to access, delete and correct their personal information.
 
Graph 2: Ctrip’s privacy policy: old vs. new
 
In addition, some highlights were found among the services at the “High” level. Alipay provides a “table of contents” button that lets users jump between chapters. Didi uses a table to illustrate how the APP requests device permissions. JD.com provides a one-month “regret period” for users who want to unregister their accounts. Baidu turns the key information in the privacy policy into an animation and uses an anthropomorphic character to explain its privacy terms in a story-telling manner.
 
However, 17 services still had no privacy policy at either assessment.
 

Table 4: Services without privacy policy at both assessments
 
3.3 Criteria Analysis
The criteria developed by PIPRC have separate versions for websites and APPs, differing slightly in a few standards and weights. Services consistently perform poorly on the following standards:
 
 I.  A user’s refusal of additional features shall not affect the use of core functions. Services offering additional features should give users the option to choose. When a user refuses, the service may withhold the corresponding features but should ensure that the core functions remain usable.
 
II.  Using a user’s personal information for new purposes requires the user’s renewed consent. When a service needs to collect personal information beyond what was previously stated, it must explain the necessity to the user and obtain explicit consent, for example through a “pop-up” window that prompts the user to read the relevant terms.
 
III.  When an information breach happens, companies shall take remedial measures. In the privacy policy, companies should describe the potential risks that may exist after personal information is collected. In response to any leakage, damage or loss of personal information that has occurred or may occur, an emergency plan should be initiated, the affected users should be promptly notified and the relevant government authorities should be informed.
 
IV.  How user information is handled when the company ceases to operate. When products and services stop operating, companies should promptly stop collecting users’ personal information, inform users of the situation through a website announcement, and promise to permanently delete users’ personal information within a certain period of time.
 
 V.  The user’s right to unregister. Users should be guaranteed the rights to withdraw consent, delete their personal information and unregister their account. If a user withdraws consent or unregisters the account, the company should no longer store or process the corresponding personal information.
 
In addition, the privacy policies of these 1550 services share the common problem of using identical texts, while a few contain “hegemonic terms” (one-sided standard clauses).
 
Figure: examples of identical texts about “data cross-border”, “third-party sharing” and “disclaimer”
 
4. CONCLUSIONS AND SUGGESTIONS
It has to be clarified that PIPRC’s assessment criteria apply only to the privacy policies of websites and APPs. High transparency does not necessarily imply that a service strongly protects users’ personal information; it only indicates that the service’s privacy policy is relatively comprehensive.
 
From the assessments, it can be concluded that the privacy policies of the participating services share common shortcomings, such as a lack of user-rights clauses, the use of identical texts, slow updates and hidden standard-form terms. However, as the state and society attach more and more importance to the protection of personal information, many companies have actively revised their privacy policies in accordance with the requirements of the Cyberspace Security Law and other relevant laws and regulations. Some have even added distinguishing features that reflect company characteristics, making companies’ responsibilities as well as users’ rights clearer.
 
Therefore, we would like to propose the following suggestions:
 
A.  Continue the privacy policy assessment program.
The program carried out by the CAC and three other national ministries has stimulated companies, especially large Internet companies, to improve their privacy policies. However, many companies still have no privacy policy or use an unreasonable one. We therefore hope that the relevant ministries will expand the scope of assessment and continue to review more products and services in more industries.
 
At the same time, we urge third-party social organizations to pay close attention to privacy policies and to conduct assessments continuously at a regular pace. This will urge companies to strengthen their self-discipline and also give users channels for understanding the importance of privacy policies.
 
B.  Refine the existing laws and regulations and publish relevant standards and norms.
 
At present, the Cyberspace Security Law and related laws and regulations have not been detailed down to the level of privacy policies. When formulating a privacy policy, companies decide at will where to place it and what its content and structure will be. All of this causes inconvenience to users.
 
Therefore, we recommend that the relevant regulatory agencies regulate the content and presentation of privacy policies in accordance with existing laws and regulations, for example by requiring a summary at the beginning of the privacy policy, unifying the location of privacy policies and ensuring that the links work. This would let users easily understand the policy structure and find the important terms.
 
In addition, we hope that application stores will require developers to provide a privacy policy during the upload process, so that users can learn what personal information they will need to provide before installing.
 
C.  Expand the scope of assessment to the practical level.
 
So far, the assessment of privacy policies has remained at the text level. How companies actually implement their privacy policies, such as how they share user information with third parties and when they delete user information after unregistration, is not known.
 
Therefore, we suggest that the relevant regulatory agencies and third-party organizations expand the scope of assessment to the operational level. This will further urge companies to effectively fulfill the contents of their privacy policies.