On The Scope Of Personal Information

Cybersecurity Law of the People’s Republic of China,Article 76 takes identification " as the standard to define the scope of personal information.the newly adopted personal information protection law of the People’s Republic of China,Article 4continues to use the " identification " standard in defining the scope of personal information,and clearly excludes the anonymous personal information.Taking identification" as the main way to judge personal information has become a general consensus in China’s theoretical and practical circles.However,in the era of big data,the development of information recognition and mining technology leads to the rapid expansion of the boundary of "recognition",and the information that could not be recognized can be transformed into identifiable information under certain technical conditions.The online activity trace information,DNA,IP address,pen print and voice print information are listed as personal information,which is the results of technological development.Even anonymous information can not escape the possibility of being recognized.In short,there is no clear boundary between personal information and nonpersonal information,and the scope of personal information continues to expand,showing a trend of dynamic fluctuation.There are multiple difficulties in taking "identification theory as the standard to define the scope of personal information.Why there are no clear provisions on the specific connotation of identification,and the relevant regulations of identification standards are also absent,resulting in the disorderly judgment of new personal information.Nowadays,with the rapid development of information technology,defining the scope of personal information with "identification theory" will inevitably lead to the generalization of personal information,which is an irreversible trend.Under the inevitable background of generalization,it does not mean to allow the disorderly expansion of the scope of personal information.In order to deal with the new situation,it is necessary to define the identification standard more finely,clarify the connotation of identification and consider the rationality of identification,Make the scope of personal information expand orderly under reasonable identification standards.On the basis of reasonable identification standards,broad interpretation should be adopted for the definition of personal information.At the same time,the risk level directory of personal information should be constructed to assess the risk of personal information with sensitivity,divide the corresponding risk levels,match the compliance obligations of different intensities,and control different types of personal information within a reasonable risk range,allow the circulation and use of information in a relatively safe state,and provide guidance for information controllers to adopt effective anonymization.This may be an effective way to solve the generalization of personal information.