Regulating algorithm recommendation to strengthen personal information protection and compliance management
2022-02-09
Enterprises shall fulfil their primary responsibility for algorithm security; establish and improve management systems and technical measures such as algorithm mechanism review, scientific and technological ethics review, user registration, information release review, data security and personal information protection, anti-telecom-network-fraud measures, security evaluation and monitoring, and emergency handling of security incidents; formulate and disclose rules related to algorithm recommendation services; and provide professionals and technical support appropriate to the scale of the algorithm recommendation service.

On December 31, 2021, the State Network Information Office, the Ministry of Industry and Information Technology, the Ministry of Public Security and the Market Supervision and Administration jointly issued the Regulations on the Administration of Algorithm Recommendation for Internet Information Services (hereinafter the "Regulations on the Administration of Algorithm Recommendation"), which clearly stipulate the compliance requirements to be followed when applying algorithm recommendation technology to provide Internet services in China. The release of these regulations is of great significance in urging algorithm recommendation service providers to apply algorithms reasonably and compliantly, cleaning up industry practice, promoting sound development, and effectively safeguarding the legitimate rights and interests of users. It also plays a very important role in advancing the compliance work of the enterprises concerned.

The necessity of strengthening regulation of algorithm recommendation

For some time, problems caused by the unreasonable application of algorithms, such as "big data killing", algorithmic discrimination and induced addiction, have occurred frequently and have aroused social concern.
Therefore, it is extremely necessary to formulate targeted regulations on algorithm recommendation and to clarify the primary responsibilities and security management obligations of algorithm recommendation service providers.

According to information released by the China Consumer Association, there are mainly six kinds of algorithm application problems affecting consumer rights and interests online: recommendation algorithms, price algorithms, evaluation algorithms, ranking algorithms, probability algorithms and traffic algorithms. Among them, the price algorithm is the "different prices for different people" practice criticized by consumers. In July 2021, a court in Zhejiang Province ruled that an online travel service company should compensate the plaintiff for the difference in the booking price and pay three times the difference in the room price. In addition, the company was to add to its travel app an option allowing the plaintiff to keep using the app without agreeing to its existing service agreement and privacy policy, or to modify the service agreement and privacy policy of its travel app for the plaintiff so as to remove the contents relating to the collection and use of users' unnecessary information.

Violations involving recommendation algorithms are also common. For example, app operators conduct targeted commercial marketing by analyzing the pages, advertisements, commodities and topics viewed by users. If they fail to fully inform users and obtain their consent, this too infringes on the legitimate rights and interests of users. Since 2019, the Ministry of Industry and Information Technology of the People's Republic of China has organized and carried out a special rectification campaign against apps that infringe on users' rights and interests, and the use of recommendation algorithms to force users to use the targeted push function is one of the frequently reported problems.
Across the 20 batches of notifications, the total number of apps notified at the level of the Ministry of Industry and Information Technology was 1212. The number of non-compliant apps "forcing users to use the targeted push function" reached 112, accounting for 9.24%, which places this problem among the most frequent of all the violations of concern.

Summarizing the existing violation cases, the current problems in algorithm recommendation scenarios mainly include the following situations:

(1) The privacy policy does not explain the user profiling and personalized display scenarios or their possible impact on users;
(2) Without the express consent of the user;
(3) Personalized recommendation to minors under the age of 14 based on user profiles;
(4) The option of non-targeted push information is not provided;
(5) The user is not provided with the option to refuse to receive targeted push;
(6) The real identity and contact information of the advertisement sender are not indicated;
(7) Users' normal use of services is affected in other unreasonable ways;
(8) Illegal user labels are used to categorize and manage users in a discriminatory or biased manner;
(9) "Big data killing".

Personal information protection compliance requirements

The Personal Information Protection Law stipulates that automatically analyzing and evaluating an individual's behavior, habits, interests, hobbies, or economic, health and credit status through computer programs, and making decisions on that basis, constitutes automated decision-making. There is no doubt that using algorithm technologies such as generation and synthesis, personalized push, and retrieval and filtering to provide information to users is a specific form of automated decision-making.
Therefore, the use of algorithm recommendation should not only comply with the requirements of the Consumer Rights and Interests Protection Law and the E-commerce Law, but also strictly comply with the requirements of the Personal Information Protection Law. Under the Personal Information Protection Law, the following points require attention when applying algorithm recommendation:

(1) Ensure the transparency of decision-making and the fairness and impartiality of the results, and do not impose unreasonable differential treatment on individuals in transaction conditions such as transaction prices;
(2) Provide options that are not based on the individual's personal characteristics, or provide individuals with a convenient way to refuse;
(3) When decisions that have a significant impact on personal rights and interests are made through automated decision-making, individuals have the right to ask the personal information processor for an explanation, and have the right to refuse decisions made by the personal information processor solely through automated decision-making.

Specifically, enterprises providing algorithm recommendation services should carry out work in the following aspects.

The enterprise shall protect the user's right to know and clearly explain to the user, in the privacy policy and other documents, what information the algorithm will use, such as the type and scope of personal information used, the specific purpose and application for which it is used, whether it may be used by a third party, the necessity of using the personal information, and the possible impact on the user. Enterprises need to mark targeted push content based on automated decision-making with obvious and easily identifiable labels that distinguish it from non-targeted push content. Enterprises must also ensure that non-targeted push options and content remain available to users at the same time.
Enterprises should also protect users' right to choose and to refuse: provide users with convenient ways to refuse, provide simple and easy-to-operate opt-out options and a user permission management system, and keep the user permission settings page reachable within four clicks. No enterprise should set up obstacles, charge fees or set a validity period when users refuse personalized information push or commercial marketing.

Ensuring the transparency of decision-making and the fairness of results is also a focus of algorithm recommendation. Enterprises should explain the principle, purpose, intention, decision rules, possible impact and other information about the automated decision-making algorithm through the privacy policy, algorithm descriptions and other documents, and ensure the fairness of decision results along the following dimensions: whether the parameter settings are scientific and reasonable, whether the user profile is fair, objective and true, and whether the design of the decision rules is scientific and reasonable. For example, to prevent the risk of "big data killing", enterprises should establish whether differential treatment in transaction conditions such as transaction price and transaction opportunity is reasonable.
In addition, when providing algorithm recommendation services, enterprises should respect social morality and ethics, abide by business ethics and professional ethics, follow the principles of fairness, openness and transparency, scientific rationality and good faith, and advocate the mainstream value orientation. They must not use algorithm recommendation services to engage in activities prohibited by laws and administrative regulations, such as endangering national security and social public interests, disrupting economic and social order, or infringing on the legitimate rights and interests of others; nor may they use algorithm recommendation services to disseminate information prohibited by laws and administrative regulations, recommend discriminatory information, disseminate false information, evade supervision, or engage in monopoly and unfair competition.

Implementation path of enterprise compliance

From the perspective of compliance management for personal information protection, enterprises providing algorithm recommendation services, as personal information processors, should also implement the provisions of Article 51 of the Personal Information Protection Law and achieve compliance in management, for example by formulating internal management systems and operating procedures, implementing classified management of personal information, adopting corresponding security technical measures such as encryption and de-identification, reasonably determining operating permissions for personal information processing, regularly carrying out security education and training for employees, and formulating and organizing the implementation of emergency plans for personal information security incidents.
Specifically, enterprises should fulfil their primary responsibility for algorithm security; establish and improve management systems and technical measures such as algorithm mechanism review, scientific and technological ethics review, user registration, information release review, data security and personal information protection, anti-telecom-network-fraud measures, security evaluation and monitoring, and emergency handling of security incidents; formulate and disclose rules related to algorithm recommendation services; and provide professionals and technical support appropriate to the scale of the algorithm recommendation service.

As one of the scenarios of "using personal information for automated decision-making", algorithm recommendation also requires compliant personal information processing: a personal information protection impact assessment must be conducted in advance and the processing must be recorded. When making algorithm recommendations, enterprises should clearly inform users through the privacy policy and pop-up windows, and clearly mark the relevant business functions and recommended content with wording such as "recommend", "guess what you like", "push", "recommend according to your search" or "recommend according to your interest". They should establish and improve lawful and compliant user models and user label management, and improve the rules for the interest points recorded in the user model, with no keywords for illegal or harmful information and no discriminatory or biased user labels. They should also eliminate any form of coercing, deceiving or misleading users into using personalized recommendations, as well as system settings involving "big data killing", price discrimination and other violations.
In the following business scenarios, enterprises should keep relevant records when applying algorithm recommendation, to prove the legitimacy of their behavior:

(1) Different trading conditions implemented based on the actual needs of consumers and in line with legitimate trading habits and industry practices;
(2) Preferential activities for new users within a reasonable period of time;
(3) Random transactions based on the platform's fair, reasonable and non-discriminatory rules;
(4) Restrictions or differential treatment based on protecting the interests and safety of vulnerable groups; and so on.

In addition, the Regulations on the Administration of Algorithm Recommendation also set corresponding administrative requirements. The network information department, together with relevant departments such as telecommunications, public security and market supervision, shall establish a hierarchical and classified security management system for algorithm recommendation services, and implement hierarchical and classified management of algorithm recommendation service providers according to their public opinion attributes or social mobilization capabilities, content categories, user scale, the importance of the data processed by the algorithm recommendation technology, and the degree of intervention in user behavior. If an enterprise providing algorithm recommendation services has public opinion attributes or social mobilization capabilities, it shall, within 10 working days from the date it begins providing the services, submit filing information such as the name of the service provider, service form, application field and algorithm type through the Internet information service algorithm filing system, and complete the filing procedures.

In short, as a technical means, algorithm recommendation is itself neutral. Used correctly, it can improve the business efficiency of enterprises and provide users with more targeted and better services.
The release of the Regulations on the Administration of Algorithm Recommendation reflects the mutual coordination, detailed supervision and improved governance of government departments. It helps to standardize the provision of algorithm recommendation services, ensure fair and orderly competition in the market, and safeguard the legitimate rights and interests of consumers. Relevant enterprises must strengthen self-discipline, carry out in-depth compliance work and earnestly undertake