
What is the legislative background of the data security protection law?

Compared with the Cyber Security Law of the People's Republic of China, the Data Security Law of People's Republic of China (PRC) has achieved a breakthrough in overseas jurisdiction.

1. The Data Security Law supplements and extends the concept of "data".

The Cyber Security Law currently in force does not define "data", but instead uses two concepts: "network data" (all kinds of electronic data collected, stored, transmitted, processed and generated through the network) and "personal information" (all kinds of information recorded electronically or in other ways that can identify a natural person, either on its own or in combination with other information). Between them, these two concepts already cover the electronic data that citizens use in network activities, as well as information relating to individuals.

Because of its different legislative purpose, the Data Security Law defines "data" directly and concisely as "any record of information in electronic or non-electronic form", so its scope of protection is much wider than that of the Network Security Law. This change brings both electronic records and information recorded in other ways into the category of data, which not only meets the requirements of information security in the digital age, but also adapts to the new requirements of comprehensive information protection and overall information security in the digital economy.

2. The Data Security Law has a certain extraterritorial effect, which provides a legal basis for countering the "long-arm jurisdiction" of relevant foreign laws.

Whereas the Network Security Law states that "This law applies to the construction, operation, maintenance and use of networks within the People's Republic of China (PRC) and to the supervision and management of network security", the Data Security Law goes further, stipulating that overseas organizations and individuals that "engage in data activities that endanger the national security, social public interests or citizens" of the PRC are also covered. Today, with the rapid development of the Internet, data collection and storage have long since crossed national boundaries. The EU's GDPR, for example, has greatly expanded its jurisdiction over extraterritorial data security: GDPR follows the effects principle, so that any processing of the personal data of natural persons located in the EU falls under its jurisdiction, regardless of where the processing takes place. Introducing "extraterritorial effect" into the Data Security Law is therefore of great significance for protecting China's national sovereignty and the individual rights of its citizens.

3. Both laws mention the concept of "important data", but because its scale is hard to pin down in practice, neither clearly defines its scope.

The Network Security Law provides for the classified protection and cross-border transfer of important data. Article 21 of that law requires network operators to "take measures such as data classification, backup and encryption for important data". Article 25 of the Data Security Law likewise requires processors of important data to designate a person in charge of data security and a management organization. Although neither law defines the scope of important data, it can be identified by reference to the definitions in other relevant laws and regulations. For example, on May 28, 2019, the Cyberspace Administration of China (National Internet Information Office) published the Measures for the Management of Data Security (Draft for Comment), which defines "important data" as follows: "Important data refers to data that may directly affect national security, economic security, social stability, public health and safety if leaked, such as undisclosed government information, large-scale population, genetic health, geographic and mineral resource data, and so on. Important data generally does not include enterprise production and operation information, internal management information or personal information."

4. The Data Security Law establishes a brand-new "data security assessment system" with a wider scope of assessment.

The Cyber Security Law, the Measures for the Security Assessment of the Cross-border Transfer of Personal Information and Important Data (Draft for Comment) and the Measures for the Management of Data Security (Draft for Comment) all provide for a security assessment of data leaving the country, but that system is limited to assessing data, or important data, at the point of cross-border transfer. For example, Article 37 of the Cyber Security Law stipulates that personal information and important data collected and generated by operators of critical information infrastructure within the People's Republic of China (PRC) shall be stored within China; where it is genuinely necessary to provide such data overseas for business reasons, a security assessment shall be conducted in accordance with the measures formulated by the national network information department together with the relevant departments of the State Council. The Data Security Law provides a much wider range of data security assessment, targeting all data activities of important data processors. Article 28 of the Data Security Law stipulates: "The processor of important data shall carry out a risk assessment of its data activities on a regular basis in accordance with the regulations, and submit a risk assessment report to the relevant competent department. The risk assessment report shall include the types and quantities of important data held by the organization, the collection, storage, processing and use of that data, the data security risks faced and the countermeasures taken."

From the analysis of law enforcement cases

Looking across the Cyber Security Law enforcement cases of 2018, the compliance risks of government organs, institutions and enterprises mainly fall into five aspects: network security classified protection, personal information protection, review of network information content, and network products and services. Since the Data Security Law has not yet been formally implemented, the enforcement priorities and penalties applied under the Network Security Law can serve as a reference for enterprise compliance, helping network security practitioners avoid the pitfalls of enterprise network and information security and improve their own network security defenses.

1. Under the Network Security Law, responsibility falls mainly on network operators.

For enterprises, the third paragraph of Article 76 of the Network Security Law defines network operators as network owners, network managers and network service providers. In the enforcement cases, the responsible subjects concentrate in three categories: operators of websites and platforms with information publishing functions (such as Sina Weibo, the WeChat public platform, Baidu and Toutiao); network technology companies; and schools, colleges and other institutions.

The main responsible subject under the Data Security Law is the processor of important data. Chapter IV (Data Security Protection Obligations), Article 27, provides: "An important data processor shall designate the person in charge of data security and the management organization, and implement the responsibility for data security protection."

2. The main law enforcement agencies under the Cyber Security Law are the National Network Information Office, the Ministry of Industry and Information Technology and the Ministry of Public Security.

Although no regulations or guidelines clearly delimit the scope of enforcement of each department, the 2018 network law enforcement cases show the general enforcement focus of each department, as summarized in the following figure.

Article 6 in Chapter I of the Data Security Law assigns supervision to the competent industry departments: the competent departments for industry, telecommunications, transportation, finance, natural resources, health, education, science and technology bear responsibility for data security supervision in their sectors; public security organs and state security organs undertake data security supervision within their remit; and the national network information department coordinates network data security and related supervision. The specific enforcement focus of each department will only become clear from the analysis of enforcement cases a year or so after the law takes effect.