"At present, with the continuous development of relevant laws in China and the increasingly strict supervision of platforms, the security of data exit is very critical." Wang Caiqin, director of network and Information Legal Affairs department of PCCW Shenzhen, said at a seminar on cross-border data flow rules and compliance paths recently.
The report "New Order of Data Security -- Impact Countermeasures and Opportunities in Key Areas" also pointed out that data, as the core and most valuable factor of production in the era of digital economy, is accelerating to become a new driving force and engine for global economic growth. It can be said that data is gradually becoming the "oil" of the era of digital economy. The frequent occurrence of data security problems reflects the chaos of data security loopholes and data abuse on domestic Internet platforms in recent years. Digital technology promotes the diversification of data application scenarios and participants, and the extension of data security continues to expand. Data security governance is confronted with multiple thorny dilemmas. At present, data security has become the most urgent and basic security problem in the era of digital economy, and strengthening data security governance has become a strategic need to maintain national security and national competitiveness.
Wang Caiqin believes that there are three aspects that Chinese enterprises need to consider when planning a reasonable data exit compliance path. One is accurate interpretation of laws and regulations. The second is the interpretation of industry practice usability. The third is the objective position and judgment when localization practice collides with global norms.
First of all, the enterprise data outbound compliance path needs to master the relevant provisions of the Network Security Law, Data Security Law and other laws. According to the Cyber Security Law, personal information and important data collected and generated by operators of critical information infrastructure during their operations in China should be stored in China. If it is really necessary to provide overseas for business needs, security assessment shall be conducted in accordance with the measures formulated by the national cyberspace administration jointly with relevant departments under The State Council. The "Data Security Law" stipulates that the exit security management of important data collected and generated by operators of critical information infrastructure in China is subject to the provisions of the "Cyber Security Law"; Measures for exit security administration of important data collected and generated by other data processors in the course of their operations in China shall be formulated by the state cyberspace administration jointly with relevant departments under The State Council. Personal information and important data collected and generated by network operators during their operations in China should be stored in China, according to the Draft Measures for The Assessment of Exit Security of Personal Information and Important Data (Draft). If it is really necessary to provide overseas goods due to business needs, safety assessment shall be conducted in accordance with these measures.
Secondly, enterprises also need to master the application of laws by relevant departments. For example, on October 24, 2018, the Ministry of Science and Technology released information on administrative penalties for human genetic resources in 2015, including BGI. The reason is that bGI participated in sequencing service projects in 2011, the number of samples collected by partners exceeded the number of applications. Bgi officially responded to the penalty on its official Weibo account, saying that after receiving the administrative penalty in 2015, bGI has implemented a comprehensive rectification in accordance with the requirements at the first time, including suspending the execution of research work; Immediately destroy all remaining genetic resources and related research data; After verification of the rectification report and on-site acceptance, the Ministry of Science and Technology has approved BGI to resume international cooperation on human genetic resources.
"As many technology fields become increasingly commercialized, the BGI case reminds enterprises that data resource protection is very important, and how to properly use data under the premise of ensuring data security is the key." Wang Caiqin said.
Finally, consider the provision of personal information and important data to subjects within the territory of the country, but not within its jurisdiction or registered there. Generally, the data in China shall be subject to judicial jurisdiction in accordance with the laws of the mainland, while the data in Hong Kong, Macao and Taiwan shall be separately regulated by the regions. Data that is not transferred and stored outside the country but accessed by institutions, organizations or individuals outside the country shall be regarded as data exit. The transfer of internal data of a network operator group from domestic to overseas, which involves personal information and important data collected and generated during its operation in China, also belongs to data exit.
"Comprehensive data management should be carried out from qualitative data, to hierarchical classification, and then to the combination of blocks. If the data rights confirmation and pricing mechanism are not clear, there is no way to form data assets, which will affect the data transaction circulation. At the same time, for enterprises to collect and use social data based on production and operation, should make clear the collection and use of red lines. The data Security Law should also have an upper level law to regulate and define the whole process of national data generation, use and transfer." Sf Express technology security director Liu Sen said.
