Recently, in the Liu vs. Jinri Toutiao infringement of personal privacy case, the argument made by Toutiao’s attorney—that contacts are not included in private personal information—caused an uproar on the Internet. Most people believed Toutiao was using twisted logic, since contact lists are obviously private personal information.
But are they? In the following article, the authors analyze the question from five different perspectives, explaining what a contact list contains, its nature, and how it is gathered and used.
First: What information is included in one’s contact list?
Toutiao’s attorney held that contact list information is not considered the defendant’s private personal information, because phone numbers play a role in information communication between citizens on a daily basis; rather than being treated as private, they should be shared with others.
Is contact list information merely names and phone numbers? There are at least three layers of information in one’s contact list. The first is the name and phone number of the personal information subject; the second is the contact list information, including the contact’s name, nickname, phone number, company, position, address, birthday, etc.; and the third is the personal information subject’s social network information, including personal identity, family and other social relationship information, etc.
To the personal information subject, contact lists are a representation of his or her personal social network formed and accumulated over the years, and include information that falls within the range of sensitive personal information. Therefore, contact lists are not merely “phone numbers”.
Second: Are contact lists included in personal information?
Article 1 of the Supreme People’s Court and Supreme People's Procuratorate Explanation on Various Issues Related to Laws Applied to the Trial of Infringement of Citizens’ Personal Information Cases stated that “communication contact information” is considered “citizens’ personal information”. Additionally, Article 3.1 of the National Recommended Standards Information Security Technology—Personal Information Security Standards (the “old Security Standards”) made clear that personal information includes “communication contact information”.
On the other hand, in the Information Security Technology—Personal Information Security Standards Draft (the “new Security Standards”), issued on June 25, 2019, Appendix B, Chart B.1 “Other Information” differs from the old Security Standards: “personal phone numbers” is deleted, and “contact lists, friends lists, group chat lists” are added.
The changes made in the new Security Standards indicate that, because of the rich content contained in one’s contact list, it should be considered not only personal information but sensitive personal information as well.
Third: Are contact lists included in private personal information?
Private personal information refers to secrets in a citizen’s personal life which he or she is not willing to disclose or make known to others (beyond a certain range), such as personal property or physical disabilities. The right to privacy is a human right to control personal information, private activity and private business, owned by individuals and unrelated to public interests.
Not all personal information owned by personal information subjects is considered private personal information. Due to needs in social communication and public management, personal information must be disclosed to specified or unspecified persons within a certain range; however, such disclosure should be conditional, e.g. to what extent the disclosure should be limited, to whom the information is disclosed, and what liabilities and obligations should rest on the receiving parties, etc.
In the Ling, J.D. vs. TikTok and Duoshan case, Ling had no intention to let his friends and contacts know he was using the TikTok app; however, TikTok and Duoshan recommended a number of “friends” to him, including friends of his friends, classmates of his classmates and his ex-girlfriend, etc. Evidently, Ling would also appear in these “friends”’ recommended lists. This type of social connection formed based on contact list information is beyond the range of information that personal information subjects are willing to use publicly.
Where information that one is unwilling to disclose to others is involved, regardless of whether disclosure of such information will have a positive or a negative effect on the rights owner, and regardless of whether such information has commercial value, as long as such information is not within the public domain and the owner is not willing to make it known to the public, it should be protected by the right to privacy.
Toutiao’s attorney also expressed that although contact lists contain information such as names and phone numbers, this information does not belong to the defendant himself, but instead to the members of his social network. Therefore, the defendant’s contact lists are not considered his “private information”.
However, although information of one’s contact list is not information of the personal information subject himself, this information is a collection formed based on the personal information subject’s identity. When individual members of a social network join together via certain rules to form a new information collection, it then holds a different meaning, and one cannot simply say it has no relation with the personal information subject.
Hence, contact lists should be included in private information.
Fourth: Why are network operators so eager to collect contact list information?
1. Marketing and Promotion
After the operator extracts contact list information, it will match the phone numbers with its system, which automatically invites those contacts who have not yet joined. Through contact lists, the operator can form a chain of promotion, which can quickly expand the number of users and raise brand awareness.
2. Social Connections
This is particularly important for social media Apps; forming a social network circle and interacting with people they know can increase users’ loyalty and retention. Many non-social media Apps are also adding social functions, and contact lists are an important way to form social networks.
3. Specific Needs of Certain Industries
For example, financial lending platforms commonly gather contact list information, for two reasons: one, they can cross-verify the authenticity of the borrower through the contact list information, implementing anti-fraud measures; two, when the borrower’s repayment is overdue or when he loses contact, they can ask for payment or his new contact information via his friends and family.
4. In Case of Need
Operators may collect contact list information even when it has no relation to their own business functions. In the age where data is king, operators commonly believe that the more information they collect and the more data they accumulate, the more “materials” they will have in the future when they carry out other businesses.
Fifth: How should contact list information be gathered and used?
1. Gathering of Contact Lists
According to Article 41 of the Network Security Law, “Gathering and use of personal information by network operators should follow principles of legality, justification and necessity. The rules for gathering and use should be made public; the purpose, method, and range of gathering and use should be made clear; and consent must be obtained from the subject whose information is being gathered.”
The definition of “necessity” is: without gathering this information, the network operator will be unable to realize its business functions. This means that the gathering of contact lists by operators must be for the normal realization of their business functions. In addition, the purpose, method, and range of gathering and use should be told to the personal information subject; if the personal information subject does not consent to the gathering and use, operators should not forcefully gather the information, or gather and use information beyond its limit.
Using financial lending platforms as an example: due to its risk management function for borrowers, the platform can gather borrowers’ contact lists. However, the platform cannot use the gathered contact list information for demanding repayment from any contacts other than the borrower; doing so would be considered usage beyond the limit.
2. Sharing of Contact Lists
3. Use of Contact Lists
The authors believe that, except where required under special supervisory regulations by the law or the industry, operators should delete or anonymize contact list information within a reasonable period after the list has completed its purpose of supporting the business functions. However, because the great commercial value of contact lists cannot be underestimated, operators typically store the data for a long term, even if the users have already cancelled their accounts.
In the Liu vs. Jinri Toutiao infringement of personal privacy case, Liu was unable to stop Toutiao from continued use of his original contact list by denying access to his contact lists or by allowing access to a blank contact list. Where the personal information subject has withdrawn his or her consent, how should the original personal information be used?
According to Article 7.9 of the new Security Standards, controllers of personal information should provide personal information subjects with methods to withdraw consent to gathering and using personal information. After the consent is withdrawn, controllers of personal information should not continue to dispose of the corresponding personal information.
What does “should not continue to dispose of the corresponding personal information” mean? As an example, if one day I decide that I don’t want anyone to know I’m using TikTok, and withdraw my consent to use my contact lists, the platform should no longer recommend friends to me, or recommend me to other friends, based on the previously gathered contact lists; otherwise, the withdrawal of consent would be meaningless.
In conclusion, the authors would like to share their personal thoughts on the Liu vs. Jinri Toutiao case. Currently, there is not yet a sound system of laws and regulations for data security and personal information protection; related rules have not yet been formulated and implemented, many are still in the draft phase, and there are still many conflicts regarding operators’ compliance liabilities. However, the authors believe that before related supervisory regulations are officially implemented, enterprises should perform self-checks and prepare backup rectification plans in advance. After the supervisory regulations are officially promulgated, they can then respond to conflicts between compliance and business interests more easily.