Case Proposal: The service reports their reactions to information security incidents to the authority

I propose the following data to be a new case:

Fields Data
Name The service reports their reactions to information security incidents to the authority
Description When the service is encountering and dealing with the information security incident, the service would report their reactions to the authority out of any legal process.
Classification neutral
Topic Topic Security (ToS;DR Phoenix)
Weight 70

Examples:
https://www.douban.com/about/privacy

1 Like

...the basic facts of the security incident and its possible impact, the handling measures we have taken or will take, suggestions on how you can guard against and reduce the risk on your own, and the remedies offered to you, etc. We will promptly notify you of the relevant circumstances of the incident by email, letter, telephone, push notification and similar means; where it is difficult to notify each personal information subject individually, we will publish an announcement in a reasonable and effective manner. At the same time, in accordance with the requirements of the regulatory authorities, we will also proactively report the handling of the personal information security incident.

From Douban Privacy Policy

At the same time, we have also established the Bilibili Security Response Center (https://security.bilibilli.com), maintained by a professional security technology and operations team, to facilitate timely and effective response to and handling of all kinds of security vulnerabilities and emergencies, and to work with the relevant authorities to trace the source of security incidents and combat them.

From Bilibili Privacy Policy

According to PRC law, services are required to report their reactions to security incidents to the authority. For users, it would involve giving information to the authority without being accused of a crime. Although it is presumed that it is to defend mainland China’s closed Internet environment from “enemies”, this reason is not the users’ concern. However, since I’m not a law expert, I don’t know if other countries adopt similar policies.

1 Like

I have no idea about the legal situation in the PRC or what would count as a security incident. Perhaps this could be made clearer by adding examples of what a security incident means, by pointing to the PRC law that mandates this and arguing why this is so bad.

But in other jurisdictions there may be somewhat similar legal provisions that may make it into the terms of service. In Europe, the GDPR mandates that businesses must report data breaches within 72 hours after becoming aware of the incident:

(86) … the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, …

Also, in Brazil, there is a similar provision in the Lei Geral de Proteção de Dados (LGPD):

Art. 48. The controller must communicate to the national authority and to the data subject the occurrence of a security incident that may entail relevant risk or damage to the data subjects.

I have yet to see any of this mentioned in the terms of service and privacy policies that I have read, but if it can be generalized I think it could become a case. I would disagree, however, that this communication is outside of any legal process, considering that it is explicitly provisioned for in the law. The GDPR and LGPD provisions I wouldn’t consider bad, but perhaps neutral.

3 Likes

I think your suggestions (especially the “generalized” one) are good. I’ll change it to “neutral”. But I still need someone who is good at writing descriptions to help me change it.

1 Like

Maybe something like this?

Fields Data
Name Security incidents are reported to the authority
Description If the service is encountering and dealing with a security incident involving potential losses or damages for its users, its reactions may be reported to the authority as part of a legal proceeding.
Classification neutral
Topic Topic Security (ToS;DR Phoenix)
Weight 70
2 Likes

This sounds pretty good to me.

1 Like

case-500 has been added :slight_smile:

1 Like