SHANG Xixue
As AI technologies such as DeepSeek have been applied in conventional network platforms, AI technologies such as machine learning, deep learning, and natural language processing have broken through the fragmentation limitations of non-automated data processing systems, and can accurately describe user profiles in massive and scattered digital trace data, and even dig out behavioral preferences and potential needs that the data subjects are not aware of. However, given the differences between digital behavior traces and personal information in morphological characteristics and identity, the conventional personal information protection model with personal control as the core is difficult to cope with. Given the interweaving and correlation between digital behavior traces and personal information, citizen privacy, and data elements, the following two issues need to be clarified. On the one hand, under the normative and practical background of personal information with identification as the core definition, the subject correlation of digital behavior traces carries the necessity of data protection and privacy protection. On the other hand, from the perspective of data element development, low identity does not affect the commercial use value of digital behavior traces but only identifies specific identities on the network. It is necessary to update the concept of identity to coordinate and link up the application of some personal information self-determination norms.
To solve these two problems, this paper adopts normative analysis methods, case analysis methods, and value analysis methods, takes the core qualitative elements of personal information as the starting point of the argument, and discusses the legal attributes, rights, and interests connotation, and corresponding normative modes of digital behavior traces from the normative perspectives of privacy protection, personal information protection, and data element marketization.
Firstly, the legal orientation of digital behavior traces is explained. The digital record of participation behavior in cyberspace (posting, comments, etc.) is not personal information. The function positioning of personal information is descriptive, while the function positioning of digital behavior records is retention. Personal information processed anonymously is no longer personal information, but anonymization corresponds to de-identification, not de-relevance. For the digital behavior trace data with more prominent relevant characteristics, the identification is not enough to support the protection of the rights and interests of the individual data it carries.Secondly, it analyzes whether digital behavior traces can be included in the scope of personal information protection in the existing normative framework. To safeguard the security and related rights and interests of users' digital behavior traces in commercial use, considering the characteristics of commercial use of digital trace information, it is necessary to re-understand the “identifiability” of digital behavior traces. The normative governance of digital behavior traces cannot be separated from the framework of the law of protection, but given the particularity of digital behavior traces, the application of specific rules under the law should be selective or conditional, and the application boundary mainly lies in whether digital behavior traces can be identified as personal information.
Finally, the standardized utilization path of fuzzy and qualitative digital behavior traces is established. When the digital behavior trace is qualitatively ambiguous, that is, there is no direct correlation, it is difficult to apply the legal protection framework fully. Given the correlation between digital behavior traces and individuals, some personal information processing norms can be applied in the selection of applicable paths, thus maintaining the personal interests carried by digital behavior traces and providing security for participating behaviors in the digital space. Specific ideas are as follows:
Firstly, the platforms should implement the notification and consent mechanism. The informed consent system may apply to digital behavioral data that are not clearly identifiable and relevant. The function of the informed consent right can guarantee users' independent control over their digital behavioral records, and prevent the risk of online privacy infringement.
Secondly, the platforms shall adhere to the principle of transparency. In the Platform service agreement, regarding the collection and utilization of the user's behavioral traces on the platform, the mode of use, scope of use, and purpose of use shall be agreed upon through negotiation and respecting the user's subjective will. The platforms should explain the processing of digital behavioral traces, in line with the principle of transparent processing.
Thirdly, the platforms shall adopt classification processing rules. Based on the above-mentioned factors such as the content of rights, protection considerations, and system application of digital traces, and in combination with the sensitivity of trace information (the degree of correlation with the privacy of a specific natural person), density (the number of similar information, that is, whether it is an isolated trace or a track formed by continuous tracking), and abundance (the mixing degree of different types of information, and the more types mean more cross-verified connection points), the system protection mode of digital trace information is classified.