HomeNewsNews Center

News

News Center
Performance Honor

News Center

Interpretation of the Latest Data Security Law

Loading...

2021.06.12

 

In the era of big data, data, like "oil", is an important factor of production. The second Politburo meeting of the 19th National Congress of the Communist Party of China passed the "Implementation of the National Big Data Strategy to Accelerate the Construction of Digital China". The data has significant strategic significance. For a long time, the legal provisions on data in China are low-level and scattered, there is no system, the protection mode is single, the management departments are scattered, some provisions are not operable, and data governance needs to be improved. On June 10, 2021, the 29th meeting of the Standing Committee of the 13th National People's Congress passed the "Data Security Law", which provides a new perspective and legal basis for data governance and data security.

 

1.'s First Law on Data
 
Data is a new thing, and the previous regulations on data are scattered in laws, regulations and other norms, such as the Civil Code, the Network Security Law, the Information Security Technology personal Information Security Code, and so on. These norms are either of low legal level and cannot be used as the basis for adjudication or administrative punishment. Either it is non-specialized and lacks focus and system. The "Data Security Law" takes data security as the core, covers personal information, government data and other types of data, involves data utilization and security development, stipulates the working mechanism, responsibilities and protection system of data security, and takes into account the security and openness of data government data. It is China's first comprehensive, high-level and data-specific law.

 

2. the top-down comprehensive implementation of data security working mechanism
 
Data security is at the heart of this law. This legislation establishes a data security work mechanism from the central to the local level, and stipulates the responsibilities of various localities and departments from both vertical and horizontal aspects. The central leading body for national security is responsible for the decision-making, deliberation and coordination of national data security work, studies, formulates and guides the implementation of national data security strategies and relevant major principles and policies, coordinates major issues and important work of national data security, and establishes a coordination mechanism for national data security work. Each region and department shall be responsible for the data collected and generated in the work of the region and department and the data security. The competent departments of various industries, public security organs or national security organs, and national network information departments are responsible for data security and supervision within their respective responsibilities. However, without the establishment of a unified data regulatory agency, the data formed by an enterprise may be subject to the supervision of multiple departments, institutional redundancy, resulting in repeated supervision, a waste of law enforcement resources, is not conducive to the realization of efficiency.

 

 

 

3. takes into account data utilization and data freedom, both soft and hard
 
Data has the dual characteristics of private and public attributes, taking into account economic and information security. This law requires the protection of data freedom, the state to promote the opening of government data, build an open platform for government data, and promote the development and utilization of government data. At the same time, we do not rule out encouraging the commercial use of data, protecting the rights and interests of individuals and organizations related to data on the basis of ensuring data freedom, and promoting a digital economy with data as a key element.
 
In data processing activities, all subjects must abide by the law, respect social morality and ethics, abide by business ethics and professional ethics, and be honest and trustworthy. Various industry organizations formulate codes of conduct and group standards to strengthen industry self-discipline. In the "two-pronged" data governance of laws and community norms, we will use both soft and hard to jointly create a good data security and development environment.

 

4. comprehensively promote data security and development, focusing on vulnerable groups
 
Data security and data development are coordinated and mutually reinforcing. This Law adheres to the principle of promoting data security through data development and utilization and industrial development, and ensuring data development and utilization and industrial development through data security. The state vigorously implements the big data strategy and promotes the construction of data infrastructure; people's governments at or above the provincial level incorporate the development of the digital economy into their national economic and social development plans, and formulate digital economy development plans as needed. While supporting the digital economy and intelligent services, we should pay attention to the needs of the elderly and the disabled to avoid obstacles to the lives of vulnerable groups.
 
In terms of relevant measures, the state supports the research on data development and utilization and data security technology, and cultivates and develops relevant products or industrial systems. Generalize suggestions to promote the construction of data development and utilization technology and data security standard system; Promote data security testing and evaluation, certification, risk prevention and other services; Support the education and training of data development and utilization and data security, train talents and promote talent exchange; Establish and improve the data transaction management system, standardize trading behavior and cultivate a data trading market. This legislation takes into account the two-way interactive development of data security and utilization, and comprehensively promotes education, talents, transactions, evaluation, certification and social development planning.

 

 

 

5. the establishment of classification, risk assessment and emergency response, national security review system
 
According to the different types of data, it is a common method of international data governance to take targeted management and ensure data security through risk assessment. This law establishes a data classification and classification protection system. The state, regions, and departments classify data, strengthen the protection of important data, and implement stricter protection of data related to national security, the lifeline of the national economy, important people's livelihood, and major public interests. Based on the acquisition, analysis, and research and judgment of various data, formulate risk assessment, reporting, information sharing, monitoring and early warning mechanisms, regularly carry out risk assessment and reporting, and immediately take measures and report in a timely manner when data security incidents are discovered, and initiate a safety emergency response mechanism, Announce to the society in a timely manner. The State establishes a data security review system to conduct national security reviews of data processing activities that affect or may affect national security. If the operators of critical information infrastructure collect and generate important data out of the country, the security assessment shall be conducted in accordance with the measures formulated by the State Cyberspace Administration in conjunction with the relevant departments of the State Council in accordance with the Cybersecurity Law.
 
6. to strengthen the punishment, a variety of means to promote data security supervision
 
Different from traditional administrative investigation or punishment, data security depends more on prevention and timely treatment in advance. Prevention in advance and stopping in the event are better than punishment after the event. Interviews have the characteristics of rapid response, simple procedures, and outstanding effects, so that the data authority can require relevant entities to make rectifications through interviews during the data security supervision process. For those who violate the obligation of data security protection, the competent department can not only order corrections, warnings, suspension of business for rectification, revocation of licenses, etc., but also impose fines on the organization and the person in charge or the person directly responsible at the same time. The maximum fine for the organization is 10 million yuan, and the individual The maximum fine is 200000 yuan; the person in charge or the person directly responsible for the organization that provides data abroad may be fined between 100000 and 1 million. The law provides detailed administrative liability for other data security violations, including different liability methods and fines. For particularly serious acts that constitute a crime, criminal responsibility may be investigated in accordance with the law.
 

In short, the Data Security Law, as China's first law that comprehensively stipulates data security, basically presents the working mechanism and protection system framework for data security. The state, localities and departments focus on promoting digital development and digital security, implement collaborative governance of soft law and hard law, and promote the interactive development of data utilization, data freedom and data security. Specific systems such as classification, risk assessment and reporting, and national security review are in line with international standards and are also in line with the scientific governance of data security. However, the concept of data itself is vague, the use of variable, the data economy model is constantly innovative, and it is difficult to reconcile legal stability and practical flexibility. This legislation has the problems of unclear concepts and too principled rules. Some clauses are only principled or advocacy provisions, lacking operability, and need to be further refined by the implementation rules or other provisions.

 

 

 

—————————————————    Author Introduction    —————————————————

 

 

 

Recommended News

Dynamic... Warmly congratulate the two lawyers Shengdian on the promotion of partners.

• Sheng Dian Good News | Lawyer Guo Chaohui Elected Deputy Chairman of Medical Ethics Committee of Municipal Medical Association

• Dynamic | Shengdian "Professional Afternoon Tea" February Highlights & March Forecast

• Shengdian Good News | Lawyer Chen Jiali Appointment as Expert Mediator of Shenzhen Mediation Center of China Council for the Promotion of International Trade

Previous: The distinction between co-perpetrator and helper perpetrator in the case of non-participation as perpetrator.

Next: The judicial determination dilemma of the "theft" Bitcoin case.

Return to List

Case Advice

Case Advice

* Name

* Company Name

* Provinces

* City

* Mobile Phone

* E-mail

* Summary of the case

* Captcha

图形验证码
Send Now