Digital payments, face recognition, search engines, all kinds of APP, 4G / 5G communication networks and a series of data-based information products have fully integrated in our daily life.
While we are enjoying the convenience brought by information technology, the we also shall think to the risks of data leakage, illegal acquisition and utilization of personal information, and intrusion of cyberspace information are also facing great challenges.
In July 2020, "Draft of the Data Security Law" (the "Draft") was published and publicly solicited for opinions. For the first time, the Draft limits the object of regulation to "data" and defines it as "any record of information in electronic or non-electronic form", instead of using words such as "information" or "network", which clearly defines the boundary of "data".
We summarized the following points which we believe are interesting to our readers.
I - Management & Supervision of Data Security
Firstly, the Draft defines the top-level design of data security governance in China, and the central national security leading organization is responsible for the decision-making and overall coordination of data security work (Article 6).
Secondly, the Draft stipulates the main responsibility of all regions and departments, which is not only responsible for data security, but also runs through the whole process of data generation and processing.
Meanwhile, the regulatory responsibilities of the industry competent departments and public security (National Security) for data security in their respective fields are clarified, and the national network and information department is responsible for the overall coordination of data security (Article 7).
II - Data classification and protection system
The Draft clearly defines the importance and harm degree of data in economic and social development, and implements classified protection of data at different levels.
At the same time, it is required that all regions and departments shall determine their own important data protection catalogue and focus on the protection of the data listed in the catalog. It can be seen from this provision that the definition and scope of important data shall be subject to the data protection catalogue issued by each region or department.
However, the Draft does not clearly specify the levels and classification of data, and what kind of protection should be adopted for different levels or categories.
Therefore, we hope that the Draft or subsequent relevant explanations can provide more specific contents (Article 19).
III - Risk Assessment of Data security
The Draft clearly indicates that the state should establish high-quality data security risk assessment, reporting, information sharing and other mechanisms.
For important data processors, they should regularly carry out risk assessment on data activities and make reports. The report should include the type, quantity, collection, storage, processing and use of data etc. (Article 28).
IV - Agent Service of Data Transaction
The Draft for the first time makes it clear that the agent service institutions engaged in data transaction shall require the data provider to explain the data source, examine the identity of both Parties to the transaction, and keep the transaction records.
This article is more inclined to the formal review of the data provided, only requires the description of the data source, not the legality of the data.
Secondly, if the agent fails to fulfill the above obligations, resulting in data transaction from illegal sources, the maximum penalty is RMB 1 million (Article 30 and 43).
V - Government Data Opening
As early as 2015, the document "Plan for Promoting the Development of Big Data" issued by the State Council pointed out that "by the end of 2018, a unified and open platform for national government data should be built, and it should take the lead in the fields of credit, transportation, medical care, health, employment, social security, geography, culture, education, science and technology, resources, agriculture, environment, safety supervision, finance, quality, statistics, meteorology, oceanography, enterprise registration and supervision Public data resources should be reasonably and moderately opened to the public" .
On the basis of existing relevant policies or rules, the Draft further puts forward clear requirements for the security and openness of government data this time, including improving the scientificity, effectiveness and timeliness of government data, collecting and using data by state organs according to law, improving data security management system, and entrusting others to store or process data according to legal procedures etc. (Article 34 – 40).
Although the Draft still has some issues from the perspective of legislation, such as too broad or vague.
However, as a whole, it is also a great progress to upgrade the data security to the level of law for protection.
And it also reminds governments, enterprises and individuals at all levels that only by collecting, operating and using data according to law they can enjoy the convenience brought by information technology more safely.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.