赵丰

Health Data Protection： The Legal Risks and Their Governance of the Application of Health QR Code

Zhao Feng

（Law School， Wuhan University， Wuhan 430079， China）

Abstract： The large-scale epidemic of COVID-19 has disrupted the normal order of production and life in the world， and has also brought new challenges to the social governance of each country. In order to control epidemic diseases and promote economic recovery， health QR code has emerged as a digital technology management method. From the actual effect， the development of the health QR code has largely eliminated the tedious work of filling out reports， reduced the possibility of cross-infection， and improved the efficiency of data collection. But at the same time， the widespread use of the health QR code may also bring security risks to users' health data， such as leakage， illegal use， etc.， and may even affect the legitimate rights and interests of users in travel and in work. Therefore， the government and enterprises must follow the principles of lawfulness， transparency and minimum in order to eliminate the above-mentioned risks. Furthermore， in the design of the legal system， legislators should consider fully guaranteeing the realization of users' right to know， strengthening legal responsibilities for illegal disclosure and use of health data， and flexibly setting personal health data management deadlines. It is worth noting that our country's personal information protection legislation still has a long way to go， and the social attention caused by the health QR code will undoubtedly provide new impetus to accelerate legislation and improve the personal information protection rules of China.

Key words： health data; Personal Information Protection Act; health QR code; right of the data subjects; liability of the data controllers

CLC： D 912                  DC： A                    Article ID：2096-9783（2021）02-0105-12

1 Introduction： Phenomenon， Problems， and Methods

1.1 The Phenomenon

During 2020， the Corona Virus Disease （COVID-19） spread raging around the world， and all countries have taken emergency measures to deal with the epidemic. After unremitting efforts， most of countries have achieved remarkable results in epidemic prevention work. But for the countries whose economic development was still in recovery period， the long-term ban had undoubtedly brought a heavy impact on it. More importantly， economic society is a dynamic circulating system， which cannot be shut down for an excessive amount of time. Under the premise of ensuring the prevention and control of the epidemic， it's necessary to plan ahead for production recovery and stabilize the expectations of enterprises and financial institutions， by doing this， the people's livelihood and social stability shall be ensured， the annual economic and social development goals and tasks shall be achieved. As the production was resumed， there existed some difficulty to identify the epidemic situation and thus it was hard to keep control over it and prevent it from deterioration. In order to speed up the resumption of work and production， the health QR code， which has played an active role in the prevention and control of the epidemic in various regions and cities， have been launched in China firstly and it was then selectively adopted by other countries and regions in the world. Meanwhile， the health QR code recorded the users' identity information， contact information， and travel trajectory. By scanning the health QR code， controllers can know the health risk status of the user at that time， so that they can take corresponding control measures in accordance with local regulations. Through the health QR code， enterprises， universities， schools and other units can timely and effectively grasp the health information of employees， teachers and students of the unit， so they can assure targeted and precise joint prevention and take control measures[1]. While the health QR code assisted society to restore the order of its life， it also brought data security risks which cannot be ignored. This article will summarize and analyze the views gathered from government announcements， news reports， social comments， and academic articles at home and abroad， and share some of my personal thoughts.

1.2 The Problems

Due to differences in administrative efficiency and ways of thinking， governments at home and abroad have had different responses to whether private companies or public platforms should be allowed to use technical measures to collect personal health data in response to the management of the epidemic. At the same time， the laws of various countries on health management， data protection， and personal information protection have some provisions that can be referred to， they do not provide clearer solutions for the processing of citizens' health data in large-scale emergency health incidents. This undoubtedly provided an opportunity for the development of related academic research and the revision of laws.

For foreign scholars， on the one hand， they recognize the potential positive effects of digital technology measures， and on the other hand， they are also full of concerns about realistic risks. Whitelaw S argues that big data and artificial intelligence （AI） have helped facilitate COVID-19 preparedness， the tracking of people， and the spread of infection in several countries， meanwhile， technophiles support the use of such data to reconstruct the movements of people exposed to the flu-like virus and identify others at risk of infection. Privacy advocates counter that this approach used in China， subjects people to the kind of digital surveillance that has no place in a Western democracy[2]. Faggiano A and Carugo S believe that QR code-based surveys could be especially helpful to conduct large medical cross-sectional studies and to simplify clinical practice in the COVID-19 era[3]. Ichiro Nakamoto points out the QR codes are officially regarded as electronic certificates of individuals health status， and can be used for contact tracing， exposure risk self-triage， self-update of health status， health care appointments， and contact-free psychiatric consultations[4]. Wim Naudé insists that data is central to whether AI will be an effective tool against future epidemics and pandemics. The fear is that public health concerns would trump data privacy concerns.  Mission creep may occur， with governments continuing the extraordinary surveillance of their citizens long after the pandemic is over. Thus， concerns about the erosion of data privacy are justified [5].

Domestic scholars mainly talk about the chaos， problems and countermeasures in the widely used health QR code. For example， Xu Ke believes that the use of digital anti-epidemic technology faces questions about misjudgment， inability to recognize each other， strengthens government monitoring， blurs the boundaries between government and enterprise， and infringes on citizens' privacy. In order to solve the above problems， the effectiveness and legitimacy of digital anti-epidemic technologies should be reviewed， so as to construct data rules under emergency conditions under the dual goals of data efficiency and data justice[6]. Bao Kun analyzes and believes that the government should properly carry out internal data control based on the data behavior code pointed out by the principle of proportionality， and give citizens a way to remedy the extent of damage to legal benefits， so as to build the legality of normalized application of health code data[7]. Li Xiaonan proposed that， in principle， epidemic prevention and control can be used as a legitimate reason for exempting part of the obligations of data control subjects and derogating part of the rights of information subjects. However， the data control subject should still assume the necessary personal information security guarantee responsibility and follow the basic principles of data processing such as "purpose restriction" and "necessity"[8].

In general， scholars at home and abroad have pointed out the many legal risks in the use of health QR code， especially when the personal information protection legislation of our country is still in the process of continuous improvement， how to deal with efficiency， fairness and the issue of security has become an unavoidable issue in the current information governance process.

1.3 The Methods

In response to this situation， this paper intends to adopt the method of text analysis of domestic and foreign laws and policies， and by comparing the social hazards， legal deficiencies and countermeasures in the use of health QR code in other typical foreign countries， summarize and analyze the basic principles that should be adhered to in handling the legal risks of health QR code and the system design to be adopted. Starting from the above ideas， this paper explains the advantages and disadvantages of the use of health QR code， and proposes some legal suggestions for shaping and improving the rules of collection and use of personal data.

2 The Value about Implementation of the Health QR Code

Since the idea of a document to certify immunity was first floated at the beginning of the pandemic， governments and companies have been exploring technology solutions to devise a health passport that is both effective and trustworthy. The health QR code， as a technical assistance tool to achieve security testing and social governance， was first implemented in the government service infrastructure of Internet companies， such as Tencent or Alibaba. These technology companies quickly grasped the crucial points of government and user needs， and opened the functional services of personal health information record and query at the entrance of the government service platform[9].

2.1 The technical basis and actual usage of health QR code

The "health QR code" is based on the real data. Citizens or workers can apply online to fill in the actual address， physical health status， whether they have been to the epidemic area， and whether they have contacted key personnel. After the above information has been reviewed， it will generate a personal health QR code. And the generation of three-color health QR code is mainly based on three dimensions： one is the spatial dimension， which is based on the national epidemic risk degree， and is judged according to the data accurate to the town （street）; the second is the time dimension， that is， the number of times a person has visited the epidemic areas and the length of stay; the third is the dimension of interpersonal relationship， that is， the state of contact with key personnel， and then quantify the score. Meanwhile， the data also relies on the information collected from the country， various departments and regions. After prevention and control rules， as well as data modeling， analysis and evaluation， three risk states can be calculated and the three-color health QR code is dynamically managed [10]. If one person who holds the green QR code has been to a key area and has contacted the infected people， the health QR code would turn yellow. The person who receives the red QR code and the yellow QR code must be isolated and treated in accordance with the regulations （seen as Fig. 1）.

In addition，  Alipay and WeChat have very large user groups in China， most of the users are real-name registered， which can ensure that personal information is true， therefore， it is naturally more beneficial if they develop the health QR code than other technology companies. Meanwhile， in order to ensure the accuracy of the data， the platform has opened an online complaint channel. After receiving the complaint， the technical staff will pass two methods of forward verification and reverse test to compare the reliability of the data source. By solving similar problems in batches， operators can gradually optimize and improve the health QR code big data system. On the other hand， as the results of dissent expressed by the masses the platform strengthened offline verification， conducted "online comparison + offline verification"， eliminated errors， corrected data， and improved data in a timely manner according to the actual situation of individuals in the towns and villages[11]. This demonstrates the softness and flexibility of the technology， as well as its accuracy and effort in making the technology as accessible to the public as possible.

2.2 The meaning and function of health QR code

Firstly， the use of the health QR code can be used as a channel for unified collection of health information. For example， in the early stage of the outbreak， the channels for reporting health information were mainly communities， schools， and units in China. At the same time， after the employees resumed their work， they also needed to be isolated in other provinces. Repeated detection and reporting of these channels was time-consuming for individuals. For organizations， information needed to be reported layer by layer， which also directly slows down work efficiency [12]. The appearance of the health QR code has unified a reporting channel across the same province， a city or different regions， thereby greatly improving the operational efficiency of all links.

Secondly， the health QR code directly helps everyone to get to know how safe or dangerous the environment where they once passed. Individual initiative is the basic guarantee of public health and safety. For the general public， in order to continue in the good job of self-protection and self-management， they must proactively declare and fill in the information in realistic manner to ensure that the health QR code is true， accurate and effective. On this basis， if someone is found to be infected， the health QR code of these individuals will also be changed， thereby reminding them that they have had close contact with an infected person.

Thirdly， the health QR code simplifies customs clearance procedures and improves the ability of front-line investigators to accurately prevent and control. Whether it's a community， a railroad， or an airport， staff need to carefully check the health certificate. However， due to the increase in inspection personnel and the tightness of time， misunderstanding and under sights sometimes occur. In comparison with the traditional inflexible way， the health QR code simplifies it to the extent that now it is just necessary to check the color[13]. This approach can serve as a reliable solution to counteract the emergency of a public health crisis; as a routine tool to enhance the level of public health; to accelerate the recovery of social activities; to assist decision making for policy makers; and as a sustainable measure that enables scalability.

Finally， the health QR code provides big data support needed for the resumption of production. The current epidemic prevention task is still arduous， and how to solve the contradiction between epidemic prevention and resumption of work has become an important issue for governments everywhere. In order to resume work， the life trajectory and health of employees in the recent period is what companies need to be familiar with above all. In China， some local governments require the employee's health green QR code as a prerequisite to allow the company to resume its work， they also request the companies to arrange "health instructors" in key buildings， where they guide employees through the health QR code [14]. Foreign staff is also guided by the instructor on the spot through the process of applying for the health QR code and entering into the building with the health QR code after registration.

3 Legal Risks Brought by the Health QR Code under the Related Chinese Laws

In the Law of the People's Republic of China on the Prevention and Control of Infectious Diseases， the contingency rules of paroxysmal public health events， and other laws and regulations， there are provisions for individuals to report information related to the epidemic. That is to say， for the purpose of epidemic prevention and control， individuals have the obligation to declare personal information such as ID cards， addresses， health status， contact history， and residence history， meanwhile， relevant departments and agencies also have legal basis for changing the purpose of information use. However， the big data industry was faster than the policy and law making in our country. Although we have put great emphasis on the protection of personal information， especially for health-type information， the "People's Republic of China Personal Information Protection Law" is still in the deliberation stage （according to the legislative plan， it may be introduced in this year）. On the positive side， the emergence of the health QR code as a special product also provides new materials and cases for improving personal information protection legislation in the future.

3.1 Risk of Personal Health Data Leakage

The health QR code involves a large amount of personal information such as name， ID number， contact information， location， itinerary， health， etc. Once leaked or misused， the consequences can be disastrous. At the beginning of the launch of the health QR code， it was only accessible in the local area. This problem is not outstanding. Today， the health QR code are mutually recognized across provinces， further amplifying information security risks. Some people worry that if the scope of data sharing is expanded， it will become difficult to keep the information secured[15]. Prior to this， users' personal data leakage， virtual property theft， virus intrusion， data reselling， telecommunications fraud and other incidents occurred frequently， causing huge losses to users[16]. At this time， the health QR code involves the personal privacy of hundreds of millions of its users， and the information data it carries is detailed and true. Therefore， it is necessary to guard the information security of the health QR code and prevent its illegal use.

3.2 Automated Decision-making Errors Will Affect Individuals' Work and Travel Rights

There have been reports in the media that some users complained that they are still marked as "red QR code" although their own health status meets the requirements of isolation and even hold a health certificate or nucleic acid test certificate issued by the hospital[17]. Due to the lack of sufficient explanation of the big data or artificial intelligence analysis mechanism by relevant parties， there is no way for users to find out the specific reason for being considered as "red QR code". Correction often requires a certain amount of time. More unfortunately， the supervisor only recognizes the "color" of the QR code and ignores other proofs， which has an impact on the user's daily life. Obviously， the process of generating the health QR code belongs to an automated decision-making mechanism that can significantly affect the rights and interests of personal information subjects.

In the newly released 2020 version of the "Personal Information Security Regulations of China"， for the automatic decision-making mechanism， it is recommended to conduct a personal information security impact assessment at the planning and design stage or before the first use， and effective protection of personal information subjects should also be taken according to the evaluation measures[18]. At the same time， relevant software should provide personal information subjects with a complaint channel for the results of automatic decision-making， and support manual review of the results of automatic decision-making. For big data analysis， when it is impossible to ensure that the data source is 100% accurate and comprehensive， while providing convenience for the vast majority of people， it is also necessary to provide alternative solutions to deal with special situations， so the data can better serve everyone， rather than dominate everyone.

3.3 The Claims of Information Access and Data Ownership Violate Principle of Proportionality

Using the "Pepidem Health QR code" under the WeChat Pay menu， we can directly access the "National Epidemic Disease Health Information QR code" developed by the National Government Service Platform， and this health QR code provides related "User Service Agreement" and "Privacy Policy". The Mini Program's "Privacy Policy" mentions the scope of this mini program's information collection， including information about other apps that the user has used， which is not related to the core function of the health QR code[19]. However， our Network Security Law clearly regulates in Article 41： network operators are not allowed to collect personal information unrelated to the services they provide. Therefore， even the users accept the agreement to use the service which means they accept the terms in the agreement and policies， the terms still inevitably violate the essence of the law. The mini program's "Privacy Policy" also pointed out that "in order to protect the safety of users or the public from personal infringement and prevent phishing， fraud， viruses and network attacks， this mini program will share data with third-party affiliates and partners" and "As our business continues to develop， we and our affiliates may conduct mergers， acquisitions， asset transfers， or similar transactions， and thus your information may be transferred as part of such transactions". However， before the "Notice on Doing a Good Job in Protecting and Using Personal Data to Support Joint Prevention and Control"， there was already a clear requirement that personal information collected for epidemic prevention and control and disease prevention cannot be used for other purposes.

3.4 Lack of Data Deletion Mechanism after the Epidemic

The use of the health QR code is a high-tech anti-epidemic method worth promoting. When the epidemic has completely passed， where will the information collected in an emergency to complete a larger collective mission go？ At present， the official department has not yet provided any future guidance for the compliant disposal of data extracted during the epidemic after the situation will have ended. The information extraction process related to the health QR code largely and incompletely focused on collection of data and its usage， but paid no attention on the importance of data deletion. Observing from the actual situation， only a few health QR code services have provisions related to deletion in their user agreement and privacy policy. For example， the aforementioned WeChat "epidemic health QR code" contains provisions related to deletion of information， which are similar to the right to delete or forget under the EU's General Data Protection Regulation （GDPR）.

4 Legal Countermeasures of Other Typical Foreign Countries

4.1 America

The U.S. Congress recently proposed two draft bills， which may well illustrate the core issues of the current privacy legislation debate on COVID-19. First， Senate Republicans proposed the COVID-19 Consumer Data Protection Act （CDPA） on May 7， followed by Senate Democrats who proposed the Public Health Emergency Privacy Act （PHEPA） on May 14. The following table provides several key elements in these bills[20].

[CDPA PHEPA SCOPE Applies to a "covered entity"， defined to include any organization subject to the FTC Act， as well as any common carrier or nonprofit organization defined per federal law.

Includes exemption for service providers. Applies to a "Covered Organization"， which broadly includes any person subject to de minimis and household exceptions， including any governmental entity that is not a public health authority.

Includes exemption for service providers and healthcare providers. AUTHORIZED PURPOSES FOR PROCESSING Prohibits covered entities from collecting， processing， or transferring data of an individual unless （i） the covered entity is processing the data for a "covered purpose" or （ii） the covered entity satisfies specified notice and consent protocols.

Defines covered purpose to include （i） tracking the spread， signs， or symptoms of COVID-19; （ii） measuring compliance with social distancing guidelines and requirements; and （iii） contact tracing of COVID-19 cases. Explicitly prohibits certain types of data processing， including those related to （i） commercial advertising; （ii） marketing， soliciting， or selling activities in targeted areas such as housing， education， and finance; and （iii） discriminating or disadvantaging an individual in a place of public accommodation. Contains requirements similar to the CDPA， although （i） there is no specific requirement that the privacy notice be public-facing; （ii） the privacy policy must include a summary of individual rights; and （iii） the public reporting obligation only applies to entities that collect the data of 100，000 individuals or more， but it requires that such organizations issue a public report every 90 days， rather than just once. AFFIRMATIVE PRIVATE RIGHTS AND OBLIGATIONS Requires covered entities to （i） provide an effective opt-out mechanism to revoke consent and otherwise restrict processing of covered data; （ii） delete all covered data when it is no longer being used; （iii） ensure the accuracy of covered data and provide a mechanism for individuals to report inaccuracies; （iv） implement data-minimization processes in accordance with guidelines to be issued by the FTC; and （v） establish reasonable administrative， technical， and physical data security policies and practices to protect covered data. Apart from a specific data-minimization obligation， contains the other privacy rights and obligations found in the CDPA： an opt-out mechanism， data destruction requirement， data accuracy obligation， and a mandate to establish reasonable safeguards for the protection of emergency health data.

Also requires reasonable safeguards to protect against discrimination and to ensure that data is disclosed to governments only for public health reasons. ENFORCEMENT Delegates primary enforcement authority to the FTC under section 5 of the FTC Act; secondary enforcement authority given to state attorneys general. Delegates primary enforcement authority to the FTC under section 5 of the FTC Act; secondary enforcement authority given to state attorneys general.

Includes private right of action with maximum statutory damages of $5，000 per violation， as well as reasonable attorney fees and other fees that the court deems appropriate. ]

As the table shows， although these two bills may not be the final decision on this issue， there is substantial overlap between the two bills， the overlap provides a good overview of areas where legislators believe should complement existing laws. These areas include the collection of health information for public health purposes to combat the COVID-19 pandemic， while other protective measures （such as use restrictions， data minimization requirements， retention restrictions， and personal rights protection） are required to ensure the correct use and use of data for more targeted purposes.

4.2 Europe Union

Taking into account the contribution from the European Data Protection Board， the Data Protection Guidance for COVID-19 Apps sets out features and requirements that apps should meet to ensure compliance with EU privacy and personal data protection legislation， in particular the EU General Data Protection Regulation （GDPR） and the EU ePrivacy Directive. This includes the following features and requirements[21]： （1） National health authorities as data controllers： The apps should be designed in such a manner that national health authorities （or entities carrying out tasks in the public interest in the field of health） are the data controllers; （2） Ensuring that individuals remain in control： Measures should be taken to ensure that individuals remain in control of their personal data， including; ① Ensuring that the installation of the app is genuinely voluntary and without any negative consequences for individuals that decide not to download/use it; ② Not bundling different app functionalities （e.g.， information， symptom checker， contact tracing and warning functionalities）. Individuals should be able to provide their consent specifically for each functionality; ③ If proximity data are used， storing such data on the individual's device and sharing the data with health authorities only after confirmation that the individual is infected and on the condition that they choose to do so; ④ Providing individuals with all necessary information about the processing of their personal data; ⑤ Ensuring they can exercise their data protection rights under the GDPR; and ⑥ Deactivating the app， at the latest， when the pandemic is declared to be under control. （3） Legal basis for the data processing： Users' consent would be required for installation of the apps and the storing of information on their device， while national health authorities should rely on a Member State law and the need to comply with that law as a legal basis for processing the data. That law should ① prescribe in detail the processing of specific health data and clearly specify the purposes for the processing; ② clearly spell out who is the data controller， and who， besides the data controller， can have access to such data; ③ exclude the possibility of processing such data for purposes other than those listed in the legislation; and ④ provide for specific safeguards. （4） Data minimization： An assessment of the need to process personal data and the relevance of such personal data should be carried out in the light of the purpose（s） pursued. Regarding contact tracing and warning apps， the Guidance recommends using Bluetooth Low Energy communications data （or data generated by equivalent technology） to determine proximity. Location data is not necessary for the purpose of contact tracing functionalities. （5） Limiting data disclosure and access： The Guidance recommends using the decentralized solution for contact tracing and warning apps （see above）. （6） Providing precise purposes for processing： For example， the purpose "for the prevention of further COVID-19 infections" is not specific enough. （7） Setting strict data retention periods： For contact tracing and warning apps， proximity data should be deleted within one month （incubation period plus margin） or after the person was tested and the result was negative. （8） Ensuring data security： The Guidance recommends storing data on the individual's terminal device using state-of-the art encryption. （9） Carrying out a DPIA： The Guidance emphasizes the need to carry out a data protection impact assessment for processing health data on a larger scale.

4.3 Australia

The mainstream opinion in Australia believes that the necessary response is legislation which provides protections equivalent to those in the COVID Safe Act， and mandates all protections that both private and government QR providers must adopt. The legislative goal should be： "This information is collected solely for contract tracing， and is prohibited from being used for anything else". Meanwhile， specific protections （with equivalent legislative protections in the COVID Safe Act indicated） should include [22]： （1） No required collection of any data beyond the minimum necessary for contact tracing. This is： first name or alias; phone number or email address （but optional to provide both）; times of entry and （if possible） exit.  This should only be required of one person in a party. （2） Collection of QR data is forbidden to be combined with collection for any other purposes. （3） All access to and use of QR data is forbidden， except for access and uses strictly necessary for contact tracing. It would be a serious offence to make any other use or disclosure of the data， included by QR Providers （private or public）. （4） Encryption of collected data， at least by QR providers; and storage within Australia. Secure storage required by businesses and agencies. （5） Deletion of all QR data after 28 days， unless contact tracers request extension. （6） In addition to offences， a private right of action under commonwealth， state and territory privacy laws， so that individuals can obtain compensation for any breaches of the legislation， including any offences. （7） Legislative provisions making any "function creep" impossible except by explicit subsequent primary legislation. （8） Periodic publication （at least every six months） required in each state and territory， of the extent to which the use of QR data in contact tracing has resulted in successful tracing which would not otherwise have occurred. （9） A "sunset clause" when all QR data collection stops， to be assessed at least every 6 months by the chief health officers in each state or territory， to be based on whether the QR Code system is necessary and proportionate to counter COVID-19. The underlying principle should be that surveillance systems should not be permanent.

4.4 Japan

Last year， the Japanese Cabinet also approved a bill to revise the Act on the Protection of Personal Information （APPI）， which would require companies to take certain additional measures to protect personal data of data subjects. The reported goals of the bill include， for example [23]： （i） broadening data subjects' powers to exercise control over their data; and （ii） to establish a system to facilitate corporation's internal use of "big data". The following changes will have a direct impact on the collection and use of health data in Japan： （1） Right of data subjects to request a data handler cease use of data and erase data： The APPI currently provides for data subjects to request companies cease the use of data or erase data under limited circumstances. The update， aims to broaden these powers， making it easier for data subjects to request that a data handler ceases use of or deletes stored data. （2） Right of data subjects to demand disclosure of data： The amendments would broaden the types of retained data （i.e.， data retained for less than 6 months will be included in the definition of the retained data）; a data handler must disclose to a data subject upon request. （3） Restricting the use of the "opt-out" exception for third-party consent： The current version of the APPI allows data handlers to use an "opt-out provision" for transfers to third-parties if they provide certain information to the Personal Information Protection Commission （PPC）. The update envisions limiting the cases will allow this exception to be used. That is to say that： （i） personal data which was improperly collected （i.e.， violating Article 17 of the APPI）; and （ii） personal data which was transferred from a third party using the same "opt-out" exception may not be transferred using the "opt-out" exception. （4） Pseudonymisation： Unlike the GDPR， the APPI currently does not provide for pseudonymisation of data. The update contemplates adding this in some form， which a data handler can utilize in limited circumstances， with the intent that controls on personal data that has been pseudonymised in accordance with the APPI will be relaxed; for example， the rights of data subjects to demand disclosure， correction and ceasing of usage. （5） Additional instructions on obligations when transferring data to third parties： Even where data may not rise to the level of "personal data" on the side of the transferor， if the data could become personal data when combined with other data on the side of the transferee， in general， the consent of the data subject must be obtained. This may apply to， for example， data collected through internet cookies. （6） Mandatory reporting： In specific cases， the update requires data handlers to report a data breach to the PPC and the affected data subjects.

5 Anticipated Solutions within the Legal Framework

Pursuant to most international human rights laws （IHRL）， measures that interfere with fundamental rights must satisfy a three-part test： legality， necessity， and proportionality. China， for instance， has yet to adopt comprehensive legislation regulating privacy and data protection， although there are relevant civil， criminal， and cybersecurity laws， and national guidelines. Specific to the QR health code context， China released a series of national guidelines for personal health information codes to specify requirements for the collection， processing， and use of personal health information. However， recommended guidelines lack the force of law[24]. Therefore， within the scope of legal framework， on the one hand， we should focus on the strengthening and implementation of the basic principles， on the other hand， we should also promote the construction of more comprehensive protection rules.

5.1 Ensuring the Right to Know of Public is Fulfilled and Guaranteed

In the collection and use of network information， informed consent is the basic right of citizens. However， some research institutions have investigated 16 health QR code applets in 14 provinces and cities on the WeChat platform and found out， that some programs do not have user agreements and privacy policies， but go directly to the information registration page [25]. Article 41 of the Cyber Security Law provides that network operators should follow the principles of lawfulness， legitimacy and necessary collect and use of personal information， publicly collect and use rules， and express the purpose， method and scope of information collection and use with the consent of the person being collected. Relevant departments should supervise the platform to improve procedures， actively fulfill the obligation of notification， and fully protect the public's right to know.

5.2 Increasing the Penalties for Unauthorized Disclosure and Use of Health Data

Previously， the Central Cyber Office issued "Notice on Doing a Good Job in Protecting Personal Information and Using Big Data to Support Joint Prevention and Control"， which clearly required that institutions which collect or master personal information are responsible for the security of personal information and adopt strict management and technical protection measures to prevent theft and disclosure[26]. The Ministry of Industry and Information Technology also publicly stated that it will strictly implement data security and personal information protection measures to prevent data breaches and abuses. On information security issues， prevention and punishment are equally important. All localities should intensify supervision， timely discover and deal with the behavior of leaking and abusing health QR code data， publish typical cases to the society， and strengthen the warning deterrent effect.

5.3 Setting the Validity Period for the Health QR Code Flexibly

According to the "Information Security Technology Personal Information Security Standards"， the least sufficient principle of is one of the basic principles of personal information security[27]. As an extraordinary product in an extraordinary period， the health QR code loses its meaning after the epidemic. Relevant departments should actively supervise the destruction of relevant data in a timely manner to satisfy the users' right to be forgotten. As the GDPR has made stricter regulations on data deletion： when the purpose of collecting or processing personal data has been achieved and there is no need to continue to retain the data， the data subject （user） has the right to request the data controller to delete the data immediately， and the data controller is obliged to delete the data immediately [28]. Meanwhile， it is recommended that users should carefully read the service agreement and privacy policy when registering a health QR code for using the health QR code service， and do not share their health QR code in public channels.

5.4 Government and Enterprises Should Abide by the Principles of Lawfulness， Minimum Necessary Limit and Safety Protection

Like other digital government projects， the health QR code is a digital management project initiated by government departments in a special period of the epidemic. The government has played a role of data controller in the health QR code services and is the demand side， initiator， pusher and ultimate implementer of the management. Therefore， government departments should abide by the principles of lawfulness， minimum necessary limit and safety protection to determine the type， content and usage of data collection in the application of the health QR code. Meanwhile， operating enterprises as data processor entities， in addition to complying with the above-mentioned legal and transparent principles of data protection， should also implement the following legal obligations according to its unique role， including： Prohibited to process data beyond the scope of government trust; Prohibited to use of data in the purpose of own operations; Prohibited to subcontract without government consent when undertaking corresponding technical services.

5.5 Promote the Promulgation of the Personal Information Protection Law as Soon as Possible

On October 21， 2020， the "Personal Information Protection Law （Draft）" （hereinafter referred to as the "Draft"） reviewed by the Standing Committee of the National People's Congress was officially released for public comments， which marks that China's personal information protection system is going to enter a new milestone. According to the provisions of the draft， even if the processing of personal information is for the needs of preventing and controlling epidemics and dealing with public health emergencies， it must strictly abide by the processing rules stipulated by the law， gradually realize the minimum scope of processing purposes， disclose the rules of information collection and use， and earnestly protect the security of personal information[29]. This could be regarded as the most direct applicable effect for the risk prevention of digital technologies such as the health QR code. Therefore， in 2021 we should promote the promulgation and implementation of this bill as soon as possible.

6 Conclusions

The pandemic of COVID-19 not only reflects medical and health problems to humans， but also presents various of opportunities and challenges to the healthy and safe development of the big data industry. Moreover， the application of health QR code in the epidemic can be regarded as a large-scale experiment of digital governance [30]. Relying on the convergence of data resources， digital technology supports and produces thinking drive， at the same time， through the "data flow" driving the recovery of the "people flow" and "business flow" in the real world， the data management system has achieved a leap in the modernization of national governance. It can be expected that the health QR code governance model may be reused in other government affairs management issues in the future， which requires us to deeply reflect on the health QR code experience and deficiencies， and thus shape a good rule framework for the sustainable development of digital governance. Accordingly it is recommended that in the future legislation of the People's Republic of China Personal Information Protection Law should fully incorporate government departments into the system， thereby providing positive legal guidance for government departments to initiate digital governance. In the process of making specific rules， Chinese legislators should also refer to internationally accepted practices， distinguish the roles of data controller and data processor， and accelerate the establishment of an orderly digital governance ecosystem with proper functions and responsibilities.

References：

[1] Deng Jianya， Gu Jiadong. Talking about the Use and Protection of Citizens' Personal Information from Epidemic Prevention and Health Codes[J]. Journal of Nanjing Medical University （Social Science Edition）， 2021， 21（1）： 42-46.

[2] Whitelaw S， Mamas M A， Topol E， et al. Applications of Digital Technology in COVID-19 Pandemic Planning and Response[J]. The Lancet Digital Health， 2020， 2（8）： e435-e440.

[3] Faggiano A， Carugo S. Can the Implementation of Electronic Surveys with Quick Response （QR） Codes be Useful in the COVID-19 Era？[J]. International Journal of Epidemiology， 2020， 49（5）： 1732-1733.

[4] Nakamoto I， Wang S， Guo Y， et al. A QR Code–based Contact Tracing Framework for Sustainable Containment of COVID-19： Evaluation of an Approach to Assist the Return to Normal Activity[J]. JMIR mHealth and uHealth， 2020， 8（9）： e22321.

[5] Wim Naudé. Artificial Intelligence vs COVID-19： Limitations， Constraints and Pitfalls[J]. AI&SOCIETY， 2020， 35： 761–765.

[6] Xu Ke. Data Governance of Major Public Health Events[J]. Jinan Journal （Philosophy and Social Science Edition）， 2021， 43（1）： 80-91.

[7] Bao Kun. Restrictions on the Proportionality Principle of Normalized Application of Health Code Data[J]. Electronic Government Affairs， 2021（1）： 32-41.

[8] Li Xiaonan. The Legal Response to the Use of Personal Information in "Anti-epidemic Data"[J]. Finance and Economics Law. 2020（4）： 108-120.

[9] Editorial Department of Hangzhou Journal. The "Health Code" First in Hangzhou Has Become the Standard Equipment for Digital Epidemic Prevention in Various Places[J]. Hangzhou， 2020（16）： 24.

[10] Liu Qinjuan. Three-color Health Code Weaving Dense "Anti-epidemic Net"[J]. Network Communication， 2020（3）： 38-39.

[11] Gao Ping， Xu Mingjing. Enlightenment from the "Digital War Epidemic" in Hangzhou： Data Empowerment to Deepen Collaborative Governance[J]. Social Governance， 2020（8）： 53-58.

[12] Jiao Binlong. Improve the "Health Code" Function[J]. Democracy， 2020（7）： 29-30.

[13] Guo Peng. Let the Health Code Become a Convenient Code[J]. Minsheng Weekly， 2020（26）： 42-43.

[14] Li Xiaowei， Zhao Jie. Exploring Those Things behind the "Health Code"[J]. Late Qing， 2020（7）： 77.

[15] Ning Yuan. Personal Information Protection Regulations in the Use of Health Codes[J]. Legal Review， 2020， 38（06）： 111-121.

[16] Jia Yanying， Is It difficult to protect personal information？[J]. People·Rule of Law， 2020（17）：12-13.

[17] Liu Hang. In the Process of Using Health Code， Can We Balance the Protection and Use of Personal Information？[EB/OL]. [2020-03-19]. https：//www.mpaypass.com.cn/news/202003/19101326. html，.

[18] Wan Jing. The New Version of Personal Information Security Regulations is Released， and the Collection of Personal Biometric Information Requires the Express Consent of the User[J]. Citizen and Law， 2020（3）：17-18.

[19] WeChat， How to Get the Health Code for Epidemic Prevention on Mobile Phone WeChat？[EB/OL]. [2020-03-30]. https：//jingyan.baidu.com/article/c85b7a64228ef0413bac9592.html.

[20] Michael R. Roberts. Mobile Technologies and COVID-19： A Primer on Fighting the Virus with Cell Phones[J]. 2020， 12（4）：228-235.

[21] EU Reporter Correspondent. COVID-19 Tracing Apps： Ensuring Privacy and Data Protection[EB/OL]. [2020-05-07]. https：//www.eureporter.co/frontpage/2020/05/07/covid-19-tracing-apps-ensuring-privacy-and-data-protection/.

[22] Graham Greenleaf. Australia： A Poor Model for QR Data' attendance tracking'[EB/OL]. [2021-01-06]. https：//www.digitalasiahub.org/2021/01/06/australia-a-poor-model-for-qr-data-attendance-tracking/.

[23] Hiroto Imai. Update of Japan's Privacy Law Approved by Cabinet[EB/OL]. [2021-03-31]. https：//www.engage.hoganlovells.com/knowledgeservices/news/update-of-japans-privacy-law-approved-by-cabinet.

[24] Xu Xiaoyi. Smartphones Out， Bye COVID-19！—Assessing the Possibility of Exporting China's Global Pandemic-Era QR Codes as Health Certificates， Harvard Journal of Law and Technology， 2021， 34（1）：8-10.

[25] Li Yanghe. Health Code Lacks Informed Consent and Privacy Protection Clauses[EB/OL]. [2020-04-30].  http：//finance.sina.com.cn/china/dfjj/2020-04-30/doc-iirczymi9211225.shtml.

[26] Office of the Central Network Security and Information Technology Commission. Notice on Doing a Good Job in Protecting and Using Personal Data to Support Joint Prevention and Control[EB/OL]. [2020-02-10]. http：//www.gov.cn/xinwen/2020-02/10/content_5476711.htm，

[27] Ministry of Industry and Information Technology of the People's Republic China. Strict Implementation of Health Code Data Security and Personal Information Protection Measures[EB/OL]. [2020-03-04]. http：//shanghai.xinmin.cn/xmsq/2020/03/04/31677652.html.

[28] European Parliament. General Data Protection Regulation[EB/OL]. [2018-05-25]. https：//gdpr-info.eu/art-17-gdpr/.

[29] Liu Man. National People's Congress： "Health Code" is Legal to Collect Personal Information， But the Rules of Use Should be Made Public[EB/OL]. [2021-02-03]. https：//www.163.com/dy/article/G1TVJQFP05129 QAF.html.

[30] Hu Yi. After the Epidemic， Where does the Health Code Go？[R]. Xinhua Daily， 2020-03-06 （008）.

摘    要：COVID-19的大規模流行破坏了世界正常的生产和生活秩序，也给每个国家的社会治理带来了新的挑战。为了控制流行疾病和促进经济恢复，健康二维码作为一种数字技术管理手段应运而生。从实际效果来看，健康二维码的开发在很大程度上消除了填写报告的繁琐工作，减少了交叉感染的可能性，并提高了数据收集的效率。但与此同时，健康二维码的广泛使用也可能给用户的健康数据带来安全隐患，诸如泄露、非法利用等，甚至可能影响用户旅行和工作的正当权益。因此，政府和企业必须遵循合法、透明和最低限度的原则，以消除上述风险。同时，在法律制度设计上，立法者应考虑充分保障用户知情权的实现、强化非法公开和使用健康数据的法律责任、灵活设定个人健康数据管理期限等。值得注意的是，我国的个人信息保护立法工作仍任重道远，健康二维码引起的社会关注无疑将为加速立法和完善中国个人信息保护规则提供新的动力。

关键词：健康数据;个人信息保护法;健康二维码;数据主体的权利;数据管理者的责任