Research on the right of data portability based on regional type and its impact on the credit reporting industry

. With the promulgation of the Personal Credit Information Protection Law, the right to data portability in China has been preliminarily established. This paper discusses the ontology, theoretical basis, and applicable dilemma of the right to regional data portability. It proposes that the right of personal credit investigation is a type of personal credit investigation and self-determination. Expand discussion. China's legislative system is becoming more and more perfect, and data security and technology costs are no longer insurmountable problems. From the perspectives of data protection, data monopoly, unfair competition, and cost-effectiveness, the background and meaning of the right to data portability are proposed. The portability of type data is of great significance to the development of the credit reporting industry.


Introduction
With the rapid development of China's Internet industry, problems such as illegal use and infringement of personal credit information emerge in an endless stream. However, China's legal protection is relatively lagging behind or even blank, making it difficult for citizens to obtain legal remedies effectively. Therefore, Chinese legislation has begun to pay attention to the legal protection of personal credit information to improve this phenomenon. In this regard, the data rights proposed by the EU in the data legislation are a suitable research object. In-depth research on the creative right of data portability has specific reference significance for China's future legislation on personal credit protection.

Right to data portability
In the fast-developing Internet era, data formation and storage costs have been continuously reduced. The rapid development of data processing technology has made the economic value of data more and more prominent. The business opportunities hidden behind data are getting more and more attention. However, the collection, storage, development, utilization, transfer, or other commercial utilization of data will infringe on personal data and inevitably affect personal rights such as personal privacy. In order to regulate the development and utilization of personal data, countries around the world have formulated and promulgated corresponding personal data protection laws. Among them, international legislation focuses on protecting the right to privacy, while the decentralized legislative model protects personal data. In terms of personal data protection, the EU fully combines the characteristics of the Internet's significant data era, which dramatically improves the level of personal data protection. In addition to strengthening the "right to be forgotten," the regulation creatively introduces a new data right, the "right to data portability." The right to data portability emphasizes the storage and transfer of personal data to strengthen personal data control and promote market competition [1]. The EU's bold innovation in data legislation, especially the invention of the "right to data portability," It has attracted much attention since its launch, and there are many positive and negative attitudes.

Portability attributes
The General Data Protection Regulation describes the right to data portability as a "fundamental right" of natural persons. However, data protection legislation only applies to EU member states. It has not risen to the "fundamental rights" of natural persons recognized internationally. That is, the right to data portability does not belong to Global "Fundamental Human Rights." According to the importance and basis of safeguarding interests, the categories of human rights can be divided into basic human rights and non-basic human rights. Fundamental human rights are universal and apply to all human rights subjects; non-basic human rights are derived from fundamental human rights and are relative. The scope of application of the right to data portability and the subject of the application is historical, relative, and special and belong to the category of non-basic human rights. The special interests of traditional rights; the right subject can freely choose the autonomous behavior of specific interests; third, EU member states generally give positive social evaluations to these specific interests. As mentioned above, the right to data portability is a legal status that has been formally established after years of negotiation in Europe [2]. However, it has been formally applied to judicial practice for less than two years and has not been verified and tested. Therefore, data portability rights are not globally recognized. However, the importance and value of the right to data portability will gradually emerge with the full implementation of the EU, and countries around the world may recognize this tried-and-true creative data right.See Figure 1.

Portability Architecture
As a new type of self-determination right, the right to data portability has a complete rights architecture model. In terms of comparative law, the European Union, Australia, India, Brazil, and other countries have successively passed legislation to clarify the specific provisions of the right of portability. In terms of the subject of rights, the preamble of the GDPR stipulates that the object of protection should be natural persons. The Indian Personal Data Protection Act (in the future referred to as the "Indian Act") and the Brazilian General Data Protection Act (hereinafter referred to as the "Brazilian Act") also provide for the individual as the subject, Australia's "Competition and Consumer Data Rights Rules" (in the future referred to as the "Australian Law"), in addition to involving individual consumers, also includes accredited third parties exercising this right on behalf of consumers. The subjects of the right to data portability established in China should be natural persons and individuals. In terms of institutional arrangements, the Civil Code places the protection of personal credit reporting in an independent chapter on personality rights. The Guarantee Law is closely linked with the Civil Code [3]. Chapter 1, General Provisions, also protects the personal credit reporting of natural persons. Both Emphasize personal credit. In terms of institutional logic, natural persons are generally in a weak position than civil law subjects, legal persons, and unincorporated subjects. Enterprises and governments can use technological advantages and human resources to control data, while natural persons are disadvantaged due to information asymmetry. Sexuality can not well realize their right to know information. At the same time, China's data portability legislation needs to be further improved and refined. Before that, third-party entities similar to those stipulated by Australian law should not be introduced blindly. Therefore, only giving natural persons the right to data portability is an excellent way to ease their rights.

The data portability dilemma
Based on the above analysis, China already has the theoretical and practical conditions for establishing the right to data portability. However, after the introduction of the right to data portability, its application still faces many difficulties.

Conflict between personal data and big data
In the era of big data, the reason why information has economic benefits and property attributes is that a piece of single independent information has little value because of the collection of data. Based on this premise, most enterprises form huge data information bases after obtaining raw data. These information bases mix thousands of pieces of information together for processing and analysis, resulting in ethical dilemmas during data transmission. In the case of Weibo v. Maimai for unfair competition, the court determined that illegally obtaining information was an act of unfair competition [4]. In this case, it involves both user identity information, such as registered accounts, nicknames, and introductions, as well as network behavior information, such as browsing and publishing. Therefore, it is difficult to distinguish between the two when data crawling is used, resulting in continuous data transfer objects and portable rights boundaries. See Figure 2.

Reconciliation of portability and other data rights
While introducing the right of portability, China's "People's Insurance Law" also stipulates the right to know, the right to inquire, the right to reproduce, the right to update, and the right to delete. Each of the above rights must be properly coordinated with the right to carry. The right of inquiry is a prerequisite for exercising the right of portability. Without the right of inquiry, no further data rights can be asserted; moreover, the exercise of the right of portability will not hinder the application of the right of deletion, and if the conditions of the right of deletion are satisfied, it is still possible to request control right of deletion. The right to copy and the right to data portability also have similarities. The difference is that the former is the subject of the right to copy or transcribe personal credit information, while the latter is the data processing system that the right holder requests to obtain or transfer data. It can be understood that the right holder authorizes a third party to copy its Personal credit [5].

Information under the protection of personality rights of EU personal credit
records can be carried

Protection and utilization of personal credit information in the era of big data
At present, with the increasing network and dramatization of personal production and life, human beings are accelerating into the era of big data. Using big data and other analysis methods, various data agencies can evaluate and predict various behaviors of information subjects through personal credit information systems and form various "user portraits," that is, the so-called "data people." The increasing amount of various personal information is conducive to overcoming the asymmetry of market information and brings many conveniences to credit, employment, business, and public services. However, the widespread use of personal credit information systems also brings hidden dangers to personal privacy and security. For example, the collection of personal credit information is not standardized, processed safely, and used improperly, resulting in personal credit investigations; marketing text messages, emails, and telephone harassment are increasing; Internet companies and merchants use the user data accumulated in the process of serving customers to conduct data transactions. Transfer and other phenomena are very common. For the Internet and the information industry, the personal credit protection regulations are scattered, the regulations are unclear, and the ownership, flow, and usage rules of personal credit are unclear, resulting in the coexistence of personal credit islands and information abuse, and the circulation of personal credit and big data. The surging undercurrents and secrecy have impacted not only the public's trust and confidence on the Internet and the information industry but also hindered the open circulation of personal credit information in the government and commercial fields.See

The meaning of personal credit
According to Article 20 of the General Regulation on Information Protection adopted by the European Union, the right to portability of personal credit information refers to the right of the information subject to obtain the information provided to the information controller in a structured, conventional, and machine-readable format, and The right to transfer this information from the controller from which it is provided to another controller of the information. The personal credit information here includes not only personal credit information that can identify a specific natural person alone or in combination with other information, such as name, ID number, contact information, mailing address, an account password, etc., mood, economy, culture, social life and other information, such as property status, whereabouts, health, etc. Judging from the historical background of personal credit protection in the EU, it should be said that the "right to portability" is the concept of "personal self-determination" under the goal of personal credit protection in Europe. Because in the theory of personality rights in the civil law system, the German personality rights theory believes that people should be autonomous and autonomous. I have the right to make my own decision to exclude heteronomy, heteronomy, or heteronomy on any issue involving the formation and development of personality. The collection, processing, and use of personal credit information directly affect the personal dignity of the subject of personal credit information. Personal credit information enjoys all interests and the right to self-determination of information. I have the right to decide on the collection, storage, and processing of personal credit information. The right to inquire and use personal credit information is a concrete manifestation of the right to self-determination of personal credit information. However, compared with the earlier right of inquiry, the right of portability empowers the information subject to obtain structured personal data in electronic form, which is conducive to strengthening the protection of personal credit reporting and enhancing the activity and resource attributes of personal credit reporting in the big data economy.

The impact of the right of portability in the credit reporting industry
The negative impact of the new EU General Regulations on the credit reporting industry has always been the focus of the global credit reporting industry and European credit reporting agencies. In view of the impact of the right of data portability on the credit reporting industry, we should proceed from the connotation of the "right to portability" and the legislative intent and analyze the data processing basis of the credit reporting system and the connotation of personal data. Considering that the processing of personal data is "consent," and considering the public interest of the credit reporting system, some countries have certain exemptions for the credit reporting system, some countries do not require authorization, some need to inform users, and some require consent. Taking Europe as an example, the credit registration system (also known as the public credit reporting system, PCR for short) mandates data collection as an exception because it is based on Articles 3 of the General Regulations, "Fulfilling Statutory Obligations," and Article 5 -Protection of the Public Interest , initially, the "right to portability" does not apply.
At the same time, market credit bureaus (also known as private credit bureaus, PCBs) generally do not need user consent to collect negative data because private credit bureaus in most European countries are based on Article 6 of the General Regulation "legitimate interests" principle, simply notify the borrower, without the need for individual consent, in order to maximize commercial interests and data subjects' privacy rights. Countries have taken different approaches when it comes to positive data, with some requiring notification of individuals and explicit consent from borrowers. As stipulated in the Italian industry code, "Code of Conduct for Private Institutions Handling Consumer Credit Information" and "Regulations on Credit Information Systems and Balance of Interests," the processing of positive personal information requires written consent and does not require consent to be processed. According to the relevant provisions of the UK Information Commission on the UK Personal Data Protection Act, credit bureaus only need to inform customers to collect and process credit data. In fact, in the legislative process of the General Regulations, the personal data protection agency believes that the sixth basis for European personal data processing, namely the generalization of "legitimate interests," is One of the root causes of weak protection is to clarify the scope of a legal basis for personal data processing and even recommend deletion.See  At present, the latest General Regulation issued by the European Parliament not only does not delete the basis for the processing of personal data by European private credit reporting agencies, that is, Article 6 "legitimate interests," but also continues to serve as the legal basis for credit reporting agencies to process personal information. The new business growth point of credit reporting agencies -anti-fraud services is regarded as "legitimate interests," which further consolidates the basis for the survival of the credit reporting industry -the legal basis of "legitimate interests" and authorizes EU member states to combine their national legal systems Explain the applicability of the "legitimate interest" basis. Secondly, the "General Regulations" can only carry the original data provided by the data subject and do not apply to the data of contracts, accounts, the performance of contracts, and internal bank risk assessments signed by banks and customers. For traditional credit reporting agencies, the data collected by the credit reporting system mainly comes from banks, retailers, and credit card companies. Only basic data is the original data (portable) provided by customers, while credit data and public data are not collected by customers themselves. It is not processed by the reporting agency. Even if the customer exercises the right to portability and "carries" the data provided by himself to another lending agency, it currently has no substantial impact on the institution's extensive credit reporting system.

Conclusion
To sum up, the preliminary conclusion is that since the processing of personal data in the credit reporting industry does not depend on the "consent of the information subject" and "performance of the contract," there is no legal basis for the right of portability, the European credit registration system, private Credit bureaus are not applicable. Therefore, the European Credit Information Association neither regards the right to portability as a stumbling block for the development of the credit reporting industry nor is it like the "right to object" to personal data processing and the "right to be forgotten" to delete personal data but to regard it as an association with the European Union. The subject of communication and lobbying between the Commission, the Council of Europe, and the European Parliament on General Regulation legislation.