A number of experts interpret the "Regulations on the Management of Network Data Security"

1. Improve the legal system for data security to escort the high-quality development of the digital economy

Yu Xiaohui (Member of the 14th National Committee of the Chinese People's Political Consultative Conference, President of China Academy of Information and Communications Technology)

2. Strengthen legal safeguards for the modernization of network data security governance systems and capabilities

Shi Jianzhong (Vice President and Professor, China University of Political Science and Law, Dean of the Institute of Data Rule of Law)

3. Accelerate the establishment of a system of laws and regulations for network data security, and comprehensively improve governance and supervision capabilities

Yang Jianjun (Vice President of China Electronics Standardization Institute, Secretary-General of National Cyber Security Standardization Technical Committee)

4. Complete the legal system for data security and build a solid line of defense for network data security

Jiang Yan (Director, National Industrial Information Security Development Research Center)

Expert Interpretation I

Improve the legal system for data security and escort the high-quality development of the digital economy

Yu Xiaohui (Member of the 14th National Committee of the Chinese People's Political Consultative Conference, President of the China Academy of Information and Communications Technology)

The promulgation of the Regulations on the Management of Network Data Security (hereinafter the "Regulations") further improves China's legal system for data security management. It is of great significance for clarifying the requirements of network data security management and for raising the level of law-based governance and management of the network, and it also provides a strong legal guarantee for fully releasing the value of data elements and safeguarding the high-quality development of the digital economy.

I. The "Regulations" are of great significance in improving the legal system for data security management

(1) An important measure to implement the holistic national security concept. Data security is an important field within the holistic national security concept. The Party Central Committee and the State Council attach great importance to data security work and have put forward clear requirements such as accelerating the establishment of laws and regulations and effectively ensuring national data security. General Secretary Xi Jinping stressed that "it is necessary to maintain national data security, protect personal information and trade secrets, promote the efficient circulation and use of data, and empower the real economy" and to "accelerate the construction of a basic data system". The Third Plenary Session of the 20th Central Committee of the Communist Party of China (CPC) called for "improving the capacity for data security governance and supervision, and establishing an efficient, convenient and secure cross-border data flow mechanism". Improving data security management concerns not only the development, utilization and security of data as an important factor of production, but also national sovereignty, national security, social order and the public interest. The Regulations implement the holistic national security concept, coordinate the promotion of the development and use of network data with the assurance of its security, and further consolidate the rule-of-law foundation for maintaining data security.

(2) An inevitable requirement in line with the global trend of data security development. With the rapid development of new technologies and applications such as artificial intelligence and big data, the volume of data is growing explosively and security risks are increasing by the day, so the importance of strengthening network data security management is ever more prominent. Internationally, major countries and regions attach great importance to the fundamental and strategic value of data resources and continue to improve laws and regulations in the data security field; for example, the Data Act formally adopted by the Council of the European Union in November 2023 provides a broader set of rules applicable to all data, building on the General Data Protection Regulation. In response to the new data security situation, China has formulated and promulgated the Regulations on the basis of its existing data security laws to further improve the data security management system and effectively ensure national data security.

(3) An institutional safeguard for promoting the high-quality development of the digital economy. As a new factor of production, data is the foundation of digitalization, networking and intelligence, and it has been rapidly integrated into production, distribution, circulation, consumption and social service management. The "Opinions of the Central Committee of the Communist Party of China and the State Council on Building a Data Basic System to Better Play the Role of Data Elements" propose that, on the premise of maintaining national data security and protecting personal information and trade secrets, a data basic system be built that adapts to the characteristics of data, conforms to the laws of digital economy development, ensures national data security and demonstrates innovation and leadership. In order to give full play to the advantages of China's massive data scale and rich application scenarios, activate the potential of data elements, and make the digital economy stronger, better and bigger, the State Council issued the Regulations at an opportune time, giving full play to the role of the rule of law in consolidating foundations, stabilizing expectations and benefiting the long term, ensuring that data security work and the construction of the data element market advance steadily on the track of the rule of law, and safeguarding the high-quality development of the data element market with a high level of data security.

II. The "Regulations" consolidate the foundation of the data security management system and have distinctive characteristics

The Regulations comprise 9 chapters and 64 articles. They not only set out general provisions on network data security management but also further improve and refine the specific requirements for personal information protection, important data security management, cross-border network data security management and the obligations of network platform service providers, consolidating the foundation of China's data security management system. The Regulations are distinctly systematic, innovative, contemporary and open.

(1) Adhering to systems thinking, improving the system of legal norms for data security. After years of development, China has initially established a legal framework for data security with the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law at its core. By implementing the data security management requirements of these three higher-level laws through a single administrative regulation, the Regulations refine the institutional provisions on data classification and grading, cross-border data flows and personal information processing, further strengthen the convergence between different laws, and enhance the systematic character of the legal norms. At the same time, the Regulations further advance the construction of a full-tier system of legal norms consisting of "laws, administrative regulations and departmental rules".

(2) Upholding integrity while innovating, enriching the basic requirements for data security management. The Regulations implement the relevant systems of the superior laws and, on the basis of inheriting principled requirements such as the classified and graded protection of data, give full play to the flexibility and room for innovation that an administrative regulation allows, making corresponding institutional designs for new data processing situations. For example, where network data processors use automated tools to access and collect network data, the Regulations stipulate that the impact on network services must be assessed, and that such processors must not illegally intrude into the networks of others or interfere with the normal operation of network services. For another example, in response to the training data issues raised by the development of artificial intelligence, the Regulations require network data processors that provide generative AI services to strengthen the security management of training data and training data processing activities, and to take effective measures to prevent and handle network data security risks.

(3) Keeping pace with the times, refining the rules of the personal information protection system. Based on the current needs of digital economy development, the Regulations further refine the personal information protection requirements for specific scenarios on the basis of the basic principles and rules established by the Personal Information Protection Law. For example, in response to the abuse of "individual consent" in practice, the Regulations set out the specific requirements that network data processors must meet when processing personal information on the basis of consent: the personal information processed must be necessary for the provision of the product or service, collection must be limited to the minimum scope required by the processing purpose and must not exceed that scope, and consent must not be obtained by misleading, fraud, coercion or similar means. For another example, the Regulations specify the conditions for transferring personal information, addressing the situation in which individuals need to have their personal information transferred in order to exercise their rights, and require network data processors to provide specific channels through which individuals can exercise those rights and interests.

(4) Persisting in open development, promoting the cross-border flow of network data. The Regulations refine the security management requirements for cross-border data transfers and provide concrete guidance for the orderly and free flow of data in accordance with law. On the one hand, the Regulations follow China's existing cross-border data flow system, clarify the specific conditions for providing personal information and important data abroad, and elevate rules such as the Provisions on Promoting and Regulating Cross-border Data Flows to the level of an administrative regulation, giving network data processors clear guidance for providing network data overseas. For example, the Regulations list eight circumstances under which a network data processor may provide personal information abroad, which further facilitates the practical operations of the entities concerned and provides a firmer institutional guarantee for cross-border data flows. On the other hand, the Regulations strengthen the security management requirements for cross-border data flows, stipulating that the state shall take measures to prevent and handle cross-border data security risks and threats, and prohibiting the provision of programs and tools specifically used to damage or circumvent technical measures, so as to provide a security guarantee for cross-border data flows.

(5) Persisting in coordinated governance, consolidating the entity responsibility of network platforms. With the rapid development of the Internet, network platforms have become key nodes of cyberspace governance. Large network platforms in particular, with their huge user bases and complex data processing activities, have a significant impact on personal privacy and data security. The Regulations devote a dedicated chapter to network platform service providers, stipulating their obligations in network data security management and strengthening data security protection across the whole chain. For example, the Regulations not only stipulate the network data security management obligations that network platform service providers must themselves perform, but also require them to specify, through platform rules or contracts, the network data security management obligations of third parties; where a platform fails to perform its corresponding obligation to supervise and implement those obligations and users are harmed as a result, the network platform service provider bears corresponding liability in accordance with law.

III. The Regulations open a new stage in the rule of law for data governance in China

At present, as the Internet evolves and upgrades at an accelerating pace and the digital economy continues to develop rapidly, the role of data, as a new factor of production in the digital era, in promoting high-quality economic development and forming new quality productive forces has become more prominent. In the new era and on the new journey, it is necessary to accurately grasp the new situation and new tasks facing data governance in China, take the promulgation of the Regulations as an opportunity to lay the foundation of the rule of law, bring its power to bear and build its momentum, continue to promote data development and security governance on the track of the rule of law, and safeguard the high-quality development of the digital economy with a high level of data rule-of-law construction.

First, build a more complete legal and regulatory system for data governance: establish and improve basic systems and rules such as those for data transactions and circulation, respond promptly to the data security risks and challenges brought by new technologies such as artificial intelligence, big data and cloud computing, and use laws and regulations scientifically to guide the development of emerging fields. Second, build a more efficient system for implementing the law in data governance: continue to deepen the implementation of each system in the Regulations, adhere to the unity of promoting development and managing in accordance with law, give full play to the role of the Regulations in promoting the development of the data industry and standardizing security management, and carry out strict, standardized, fair and civilized online law enforcement. Third, build a more robust guarantee system for data governance: strengthen the publicity and promotion of data security laws and regulations, enhance the rule-of-law awareness and capability of the whole of society with respect to data security, deepen research on the rule of law in the data field, and make effective use of the rule of law in data governance to help build a cyber power and a digital China.

Expert Interpretation II

Strengthen legal safeguards for the modernization of network data security governance systems and capabilities

Shi Jianzhong (Vice President and Professor, China University of Political Science and Law, Dean of the Institute of Data Rule of Law)

With the vigorous development and widespread application of digital technology, every field of social and economic life has become deeply networked, informatized and digitized. Without data security there is no national security. Building on the Cybersecurity Law, the Data Security Law, the Personal Information Protection Law and other laws, the Regulations on the Management of Network Data Security (hereinafter the "Regulations") focus on network data, refine the relevant provisions and improve the rules of network data security, providing a more operable legal guarantee for modernizing the network data security governance system and capabilities and marking a new stage in China's governance of network data security.

The Regulations improve the system of classified and graded protection of network data. Classified and graded protection is a key lever of the network data security system. Article 21 of the Data Security Law stipulates that the state shall establish a system of classified and graded protection of data; this is both a principle laid down by the Data Security Law and a general system it establishes. The Regulations not only set out the general criteria for data classification and grading in the general provisions but also establish the important data security system in a dedicated chapter, covering, for example, the catalogue of important data, the special obligations and responsibilities of important data processors, the key content of the risk assessment that precedes processing, the reporting system for risk assessments, and the regulatory measures of the relevant competent authorities at or above the provincial level. The classification and grading system of the Regulations is operable and plays a guiding role in ensuring data security.

The Regulations consolidate the main responsibility of network data processors. To draw the boundaries of network data security, the data processing rules must be refined and the responsibilities of each entity clarified. Data security is not abstract; it is concrete and runs through the whole process. Establishing and improving a network data security management system means that every processing activity and every link of data processing, such as collection, storage, use, processing, transmission, provision, disclosure and even deletion, must implement a data security management system and be brought onto the legal track of data security. To ensure data security, the Regulations draw on the expressions "data processing", "processing of personal information", "important data processors" and "personal information processors" in the Data Security Law and the Personal Information Protection Law to extract the important concept of "network data processor", and further improve the obligations and rules for network data processors handling different data in different scenarios: complying with the mandatory requirements of laws, administrative regulations and national standards; establishing and improving a network data security management system; adopting necessary security technical measures and other necessary measures; establishing and improving emergency response plans for network data security incidents; handling network data security incidents; and bearing entity responsibility for the security of the network data they process.

The Regulations refine the institutional requirements for network data processing activities. For the provision, entrusted processing and joint processing of personal information and important data, the Regulations stipulate the main terms of the relevant contracts, enhancing the guiding force of the administrative regulation. For situations that arise in economic life where a network data processor must transfer network data due to merger, division, dissolution, bankruptcy or other reasons, the Regulations clearly stipulate that the recipient of the network data shall continue to perform the obligations to protect network data security. At the same time, for the provision of generative AI services, the Regulations specifically require network data processors to strengthen the security management of training data and training data processing activities and to take effective measures to prevent and handle network data security risks, raising the legal hierarchy of the relevant provisions. In addition, on the basis of the Personal Information Protection Law, a dedicated chapter of the Regulations sets out specific rules for the protection of personal information, so that the security of personal information is more effectively guaranteed by the rule of law.

The Regulations optimize the security management system for cross-border network data. The Third Plenary Session of the 20th CPC Central Committee called for "improving the capacity for data security governance and supervision, and establishing an efficient, convenient and secure cross-border data flow mechanism". To regulate the cross-border management of network data, the Regulations devote a dedicated chapter to the cross-border security management of network data, the conditions under which network data processors may provide personal information abroad, and the procedures for exporting important data. At the same time, the state shall take measures to prevent and handle cross-border security risks and threats to network data. It is particularly noteworthy that, in order to improve the mechanisms for countering sanctions, interference and "long-arm jurisdiction" in the field of network data, and to strengthen the domestic legal basis for China's participation in global data security governance, the Regulations build on the relevant provisions of the Personal Information Protection Law and the Data Security Law and clearly stipulate, in the general provisions, the system of extraterritorial jurisdiction over network data security.

The Regulations clarify the responsibilities and obligations of network platform service providers. As the principal form of the digital economy at this stage, the platform economy is an economic activity with data as its key element, so network platform service providers play an important role in ensuring network data security. The dedicated chapter of the Regulations on the obligations and responsibilities of network platform service providers has important normative and guiding significance for regulating the conduct of such providers, strengthening platform self-discipline in accordance with law, safeguarding the lawful rights and interests of users, and promoting the healthy and high-quality development of the platform economy.

The Regulations improve the systems and mechanisms for the supervision and management of network data. As a new factor of production, data is the foundation of digitalization, networking and intelligence; it has been rapidly integrated into production, distribution, circulation, consumption and social service management, profoundly changing modes of production, ways of life and social governance. Regulating network data processing activities, ensuring network data security, promoting the rational and effective use of network data in accordance with law, protecting the lawful rights and interests of individuals and organizations, and safeguarding national security and the public interest is a systematic project that requires the joint participation of government, enterprises, society and individuals, and in particular the establishment of a scientific and efficient regulatory system that gives better play to the role of government. The Regulations build a system and mechanism for network data supervision and management that combines division of labour with coordination, which is conducive to forming a joint force for network data security supervision.

The legislative orientation of the Regulations is the positive interaction between high-quality development and high-level security. To understand and apply the Regulations accurately, their legislative objectives must be grasped comprehensively and precisely, so that, with the guiding principle in hand, each specific provision falls into place and the law's effects are fully realized. Regulating network data processing activities must not only ensure network data security but also promote the rational and effective use of network data in accordance with law, protect the lawful rights and interests of individuals and organizations, and safeguard national security and the public interest. It can thus be seen that the Regulations adhere to promoting high-level security through high-quality development and ensuring high-quality development through high-level security, consistent with the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law. The Regulations set the bottom line for network data security, draw a clear red line, clarify responsibilities, delineate the boundaries of network data security on the track of the rule of law, and strengthen the modern legal guarantee for the network data security governance system and capabilities. We look forward to a high level of data security rule of law ensuring the orderly and free flow of data in accordance with law, helping to give full play to the advantages of China's massive data scale and rich application scenarios, strengthening and expanding the digital economy, enabling high-quality development, and continuously injecting strong momentum into the realization of Chinese-style modernization.

Expert Interpretation III

Accelerate the establishment of a system of laws and regulations for network data security and comprehensively improve governance and supervision capabilities

Yang Jianjun (Vice President of the China Electronics Standardization Institute, Secretary-General of the National Cybersecurity Standardization Technical Committee)

General Secretary Xi Jinping stressed that it is necessary to adhere to the rule of law, run the Internet according to law and go online according to law, so that the Internet operates healthily on the track of the rule of law. In recent years China has accelerated the construction of a legal system for network data security. The promulgation and implementation of the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law established the basic institutional framework and basic legal principles for network data security. Departmental rules such as the Provisions on Promoting and Regulating Cross-border Data Flows, the Measures for Security Assessment of Cross-border Data Transfers, the Measures for Standard Contracts for Cross-border Transfers of Personal Information and the Several Provisions on the Security Management of Automotive Data (for Trial Implementation) have been formulated and issued, making clear provisions on network data security management. Thirty-three national standards for data security have been developed and released and 18 more are under development, covering data classification and grading, data security risk assessment, personal information protection and other topics. Significant progress and remarkable results have thus been achieved in the system of network data security regulations, institutions and standards.

As an important part of the network data security regulatory system, the Regulations on the Management of Network Data Security (hereinafter the "Regulations") provide a more operable legal basis and are of profound significance for comprehensively improving governance and supervision capabilities.

I. Deeply understand the importance of the "Regulations" for network data security management efforts

The CPC Central Committee attaches great importance to data security, and General Secretary Xi Jinping has repeatedly issued important instructions on it, emphasizing that "national data security must be maintained and personal information and trade secrets must be protected".

(1) The Regulations are an important measure to implement the decisions and deployments of the Party Central Committee. The Third Plenary Session of the 20th CPC Central Committee put forward important tasks in the field of network data security, such as "improving the capacity for data security governance and supervision" and "establishing an efficient, convenient and secure cross-border data flow mechanism". The promulgation of the Regulations is an important measure in building China's network data security governance system, a key link in modernizing network data security governance and supervision capabilities, and an effective path for implementing the Party Central Committee's major deployments on network data security work. Focusing on the key points of network data security work in the new era and new situation, the Regulations further refine the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law, providing an important guarantee for China to carry out in-depth network data security protection work.

(2) The Regulations are an urgent response to network data security risks in the new situation. With the rapid development of networking, digitalization and intelligence, the high aggregation, high-frequency flow and high openness of network data have exacerbated the risk of data leakage. New types of online fraud, hacker attacks and other security incidents occur frequently, and the risk of sensitive data theft in key fields such as finance, biology and energy has intensified. The illegal, excessive and abusive collection of personal information still exists, infringing the lawful rights and interests of the people and endangering social security. The promulgation of the Regulations sets out clear requirements on the security of data processing activities, personal information protection, important data protection and the obligations of network platform service providers, effectively improving the country's capacity to ensure data security.

(3) The Regulations are an important guarantee for the comprehensive governance of network data security. Ensuring network data security is an important foundation for activating the value of data elements and promoting the healthy development of the digital economy. In accordance with law, China has carried out key work such as cross-border data security management, special governance of apps, automotive data security management and data security risk assessment in key fields, effectively regulating network data processing activities and conduct and promoting the high-quality development of network data security. The promulgation of the Regulations further clarifies the management requirements for the key and difficult issues of data security and personal information protection, delineates the bottom line and red line, and provides an important legal guarantee for the governance of network data security.

II. The "Regulations" put forward specific requirements for network data security management efforts

To implement the overall national security concept, the "Regulations" define the scope of application, the objects of protection, and the subjects of supervision, put forward responsibilities, obligations, and security requirements, and provide systematic guidance and a basis for network data security management work.

(1) Consolidate the responsibilities and obligations of network data handlers. Consolidating the main responsibilities of network data processors is the key to doing a good job in network data security management. The "Regulations" propose, first, that network data processors bear the main responsibility for the security of the network data they process, and require that they do a good job in the construction of management systems, the use of technical measures, the discovery and reporting of vulnerabilities, and the emergency handling of incidents. Second, specific requirements are put forward for different network data subjects, such as network data processors who provide services to state organs and critical information infrastructure operators, network data processors that provide generative AI services, network data processors that provide products and services to the society, and network platform service providers.

(2) Strengthen the protection of personal information and important data. The protection of personal information has become one of the most immediate and practical interests of the broad masses of the people, and important data is related to national security, economic operation, social stability, public health and safety; doing a good job in the protection of personal information and important data is the focus of network data security management. On the basis of the superior law, the "Regulations" propose for network data processors, first, to respond to requests for the transfer of personal information and to provide channels for individuals to access and obtain their personal information. Second, to carry out regular compliance audits on personal information protection. Third, where the personal information of 10 million or more people is handled, obligations such as clarifying the person responsible for network data security and the management body shall also be performed. The "Regulations" make it clear for processors of important data that, first, they shall identify and declare important data in accordance with relevant national regulations, and implement the responsibility for network data security protection. Second, they shall clarify the person in charge of network data security and the management body. Third, they shall carry out risk assessment on a regular basis.

(3) Do a good job of cross-border security management of network data. At present, there is a strong demand for cross-border exchange and sharing of network data, and the scenarios are rich; the construction of a safe, orderly and convenient management mechanism for the cross-border flow of network data is an important exploration of network data security management. The state has clarified the security management systems for data export, such as the security assessment of data export, the standard contract for personal information export, and the personal information protection certification, and the Provisions on Promoting and Regulating Cross-border Data Flow issued this year have further optimized and adjusted the above systems. The Regulations clarify the assessment of the need for cross-border transfer of important data and the management principles for the lawful flow of general data, put forward the conditions for the cross-border transfer of personal information, and establish a security supervision model for the cross-border flow of network data that is suitable for the new development pattern.

(4) Standardize the obligations of online platform service providers. The Third Plenary Session of the 20th Central Committee of the Communist Party of China clearly proposed to "promote the innovation and development of the platform economy and improve the normalized regulatory system of the platform economy". The key to personal information protection is that online platforms provide basic technical services for the processing of personal information and set basic processing rules. The "Regulations" propose, first, that online platforms should strengthen the network data security management of third-party products and services connected to their platforms, conduct security verification of applications, standardize the use of automated decision-making methods for information push, and encourage the use of national network identity authentication public services. Second, they clarify the definition of large-scale online platforms, and require them to publish an annual social responsibility report on personal information protection and submit a risk assessment report every year.

III. Give full play to the normative and guiding role of data security standards to support the implementation of the Regulations

Standardization is an important part of the national network data security governance system, and it is also an important starting point for the implementation of the Regulations. The "Regulations" put forward requirements for standardization work. The National Cybersecurity Standardization Technical Committee, as the unified technical focal point for national standards for network and data security, has developed and released a number of key standards for network data security to provide standard guarantees for the implementation of the Regulations.

(1) Provide standard support for key efforts on network data security governance. The published "Data Classification and Grading Rules" stipulate the principles, frameworks, methods, and processes for data classification and grading, and provide guidelines for identifying important data; the "Data Security Risk Assessment Method" under research gives the implementation process, assessment content, and analysis and evaluation methods of data security risk assessment. Standards such as the Security Certification Requirements for Cross-border Processing of Personal Information under research stipulate the basic requirements that relevant parties should comply with when processing personal information across borders.

(2) Provide standard methods for the protection of important data and personal information. Standards such as the "Data Security Protection Requirements" currently being developed put forward protection requirements for important data in areas such as data handling security, management and operation security, and security technology, to ensure the effective protection and lawful use of important data. Standards such as the Personal Information Security Specification and the Security Requirements for the Handling of Sensitive Personal Information put forward basic requirements for personal information protection, and standardize the principles and security requirements that should be followed in carrying out personal information processing activities such as collection, storage, use, and external provision. Standards such as the "Requirements for the Transfer of Personal Information Based on Individual Requests" and the "Requirements for Personal Information Protection Compliance Audits" are being developed to stipulate the technical requirements for personal information subjects requesting the transfer of their personal information and the principles for personal information protection compliance audits, so as to promote the deepening of personal information governance efforts.

(3) Provide standards and guidance for regulating the healthy development of online platforms. Six data security standards for online services, such as online shopping, instant messaging, online payment, online car reservations, online audio and video, and express logistics, have been issued to guide and regulate the data security activities of online service platform operators. Standards such as the Basic Requirements for the Collection of Personal Information by Mobile Internet Applications (Apps) and the Specifications for the Security Assessment of Personal Information of Mobile Internet Applications (Apps) have been issued to regulate the collection and processing of personal information by apps and other products and services. Standards such as the Security Requirements for Automated Decision-making Based on Personal Information and the Guidelines for Social Responsibility in Data Security and Personal Information Protection under research stipulate the evaluation indicators for the transparency and social responsibility of automated decision-making.

In the next step, we will continue to play an important supporting role in the implementation of the "Regulations", closely follow the major national strategic deployments such as the circulation of data elements and artificial intelligence, strengthen the overall research and planning layout of data security standardization, and accelerate the development of key and urgently needed standards in the field of data security.

Expert Interpretation IV

Complete legal systems for data security and build a solid line of defense for network data security

Jiang Yan (Director of the National Industrial Information Security Development Research Center)

In order to regulate network data processing activities, protect the legitimate rights and interests of individuals and organizations in cyberspace, and safeguard national security and public interests, the State Council officially promulgated the "Regulations on the Management of Network Data Security" (hereinafter referred to as the "Regulations"). The promulgation of the Regulations marks the further improvement of the mainland's data security regulatory system, which is of great significance to the mainland's efforts to strengthen data security and personal information protection, ensure the orderly development and utilization of data elements, and promote the healthy and orderly development of the digital economy.

On the one hand, the Regulations refine and implement the relevant systems of the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law, and clarify the requirements for "notification-consent" rules for personal information, risk assessment of important data, conditions for cross-border flow of personal information, and third-party security management of online platform service providers, providing an important basis for follow-up legislation and law enforcement. On the other hand, in view of the outstanding problems of network data security management, the "Regulations" take into account the new security issues brought about by new technologies and new applications while scientifically summarizing past governance experience, and refine network data governance schemes such as personal information protection, important data security, cross-border network data security management, and the obligations of network platform service providers, covering important areas of network data governance and providing a solid institutional guarantee for the development of network data security management.

I. Deeply understand the importance of the promulgation of the "Regulations"

The Party Central Committee and the State Council attach great importance to data security work. General Secretary Xi Jinping has made important instructions on many occasions, emphasizing that "there is no national security without cybersecurity", "we must effectively ensure national data security", and "strengthen the ability to protect national critical data resources". The "Regulations" implement the decisions and deployments of the Party Central Committee and the State Council on data security, coordinate development and security, encourage the rational and effective use of online data, promote the development of the digital economy with data as a key element, and draw a "bottom line" and "red line" for security.
(1) The "Regulations" are an inherent need to implement the design of major legal systems. The successive promulgation of the "Cybersecurity Law", "Data Security Law", "Personal Information Protection Law" and other laws in mainland China provides a basic legal framework and system design for network data security. As a supporting administrative regulation of the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law, the Regulations refine and implement the institutional design and principled provisions in the higher-level law, provide specific institutional guarantees and implementation paths for network data security assurance, and help further promote the establishment and improvement of the data security legal and regulatory system in the mainland and strengthen the convergence of major systems.

(2) The "Regulations" are an important guarantee for the orderly development of the digital economy. As the core element of the digital economy, the value of data lies in its ability to flow and integrate between different entities. However, with the development, circulation and utilization of data, the value of data has become increasingly prominent, and security risks such as data leakage and data theft have also increased day by day, seriously affecting the stability of digital economic activities. The "Regulations" closely follow the needs of the development of the digital economy, and ensure that data is fully developed and utilized in a secure network environment by building and improving the network data security responsibility and obligation system, which will help further promote the high-quality and sustainable development of the mainland's digital economy.
(3) The "Regulations" are a key measure to maintain the security order of cyberspace. In recent years, incidents of leakage and illegal use of personal information, enterprise data, government affairs data, and so forth have occurred from time to time, and network data security has a bearing on the vital interests of the broad masses of the people, on the business activities of enterprises, and on national security. All sectors of society are very concerned about network data security, and the promulgation of the "Regulations" actively responds to the concerns of all sectors of society, standardizes network data processing behaviors, cracks down on illegal network data activities, protects the legitimate rights and interests of individuals and enterprises in cyberspace, and ensures economic development and national security.

II. The "Regulations" provide basic guidelines for carrying out network data security management efforts

(1) Establish a closed loop for network data security management work and implement the overall national security concept. The "Regulations" implement the overall national security concept and, from the perspectives of network data classification and grading, security protection, emergency response, incident reporting, security inspections, and information sharing, as well as important data declaration and notification, provision or entrusted processing, risk assessment, and annual reports, construct a systematic, closed-loop management mechanism covering data identification, processing, protection, assessment, inspection, rectification, and emergency response.
First, the work of network data governance requires the participation of all parties, and the "Regulations" coordinate and promote the management of network data security through the division of responsibilities for network data security supervision at the national, relevant-department and local levels, as well as the requirement that network data processors bear the main responsibility for the security of the network data they process. Second, the "Regulations" emphasize the dynamic nature of network data security management: network data processors are to take the initiative to identify and report important data, changes in the subject of important data processors require reporting of important data disposal plans, and security management is required for the provision and entrustment of personal information and important data, aiming to guide network data processors to grasp the latest situation in the processing of network data in a timely manner and promptly perform their responsibilities for network data security protection.

(2) Clarify the requirements for the protection of personal information and increase the degree of protection of personal rights and interests. Personal information protection has become one of the interests of the broad masses of the people, and the Personal Information Protection Law provides that individuals enjoy rights and interests such as the right to know, the right to decide, and the right to delete their personal information, but the practice and implementation of relevant provisions still require further specific operational guidance. First, the "Regulations" clarify that network data processors that handle the personal information of more than 10 million people shall clarify the person in charge of network data security and the management body in accordance with article 30 of the "Regulations".
Second, in response to the fact that the privacy policy or user agreement is often too deeply hidden and its content lengthy and obscure, as well as the problems of bundled authorization and compulsory authorization of personal information, the "Regulations" stipulate that the personal information processing rules include the purpose, method and type of personal information processed, the necessity of processing sensitive personal information and its impact on the rights and interests of individuals, etc., and require that the personal information processing rules be displayed publicly, easily accessible and placed in a conspicuous position; they clarify the specific requirements for "separate consent", emphasizing that consent must not be obtained through misleading, fraud, coercion, etc., and that consent must not be frequently solicited after individuals have clearly expressed their disagreement with the processing of their personal information. Third, in response to new situations such as automatic collection technology that cannot avoid the collection of unnecessary personal information, and the handling of personal information after an individual cancels his account, the network data processor is required to delete personal information or anonymize it.

(3) Standardize the cross-border security management of online data and promote the efficient, convenient, and safe flow of data. The mainland's "14th Five-Year Plan for the Development of the Digital Economy" proposes to "standardize the management of the entire life cycle of data collection, transmission, storage, processing, sharing, and destruction, and promote data users to implement data security protection responsibilities". Standardized data processing activities are the key to ensuring the accuracy, integrity and security of data, as well as the key to promoting the efficient, convenient and safe cross-border flow of data and stimulating the innovation vitality of data elements.
On the basis of the previous security management of data export, the Regulations explore a facilitation mechanism for cross-border data flow. First, the national cyberspace administration is to coordinate with relevant departments to establish a special working mechanism for the security management of national data exports, research and formulate policies related to the security management of national online data exports, and coordinate the handling of major security issues related to the security of online data exports. Second, on the basis of the three existing methods for providing personal information overseas, namely security assessment, security certification, and standard contract, and in combination with data export security practice, the Regulations clarify five situations that can serve as conditions for providing personal information overseas, including where it is truly necessary to provide personal information overseas in order to conclude and perform a contract to which an individual is a party, to implement cross-border human resources management in accordance with labor rules and regulations formulated in accordance with the law and a collective contract signed in accordance with the law, to perform statutory duties or obligations, or to protect the life, health and property safety of natural persons in an emergency, thereby facilitating the cross-border flow of data and supporting high-level opening up of services to the outside world. Third, in response to the export of important data, the Regulations emphasize that where important data collected and generated by network data processors in the course of their operations within the territory of the People's Republic of China truly needs to be provided abroad, it shall pass the data export security assessment organized by the national cyberspace department.
Where network data handlers identify and declare important data in accordance with relevant state provisions, but have not been notified by the relevant regions or departments or publicly released as important data, they do not need to undergo a data export security assessment as if the data were important data. This responds to the concerns of all parties about whether an export involves important data and whether it is necessary to apply for a data export security assessment.

(4) Clarify the obligations of online platform service providers, and consolidate responsibilities for online data security management. With the rapid development of the digital economy, online platform service providers play an important role in the processing and management of online data. At present, problems such as the use of data by online platforms to carry out unfair competition and algorithmic discrimination are becoming increasingly prominent, affecting the legitimate rights and interests of users and the orderly development of platforms. To this end, first, the "Regulations" clarify the third-party security management responsibilities of online platform service providers, and of smart terminals and other equipment producers with pre-installed applications, and require them to supervise and urge third-party product and service providers within the platform to perform their responsibilities for network data security protection. Second, in view of current problems such as the difficulty of closing personalized recommendation services, the many types of personal information collected, and the risk of abuse of accurate personal portrait data, the "Regulations" emphasize the setting of personalized recommendation closure options that are easy to understand, easy to access and operate, and provide users with functions such as refusing to receive push information and deleting user tags based on their personal characteristics, so as to protect the legitimate rights and interests of users.
Third, the "Regulations" clarify that large-scale online platform service providers are to publish annual reports on social responsibility for personal information protection and accept supervision from all sectors of society. At the same time, platforms are required not to use data to carry out acts of unfair competition, so as to maintain the order of fair competition in the market.

III. Several Thoughts on Implementing the Requirements of the "Regulations" and Promoting Online Data Governance Efforts

(1) Gather the forces of all parties to promote the in-depth implementation of the "Regulations". On the one hand, continue to do a good job of publicizing and implementing the "Regulations" and other network data security laws and policies, and guide relevant departments to make good and full use of policies through methods such as concentrated publicity and training and visits to localities and key enterprises, guiding enterprises to promptly grasp policy requirements and build a network data security compliance system. On the other hand, support the development of technologies and products such as network data classification and grading, risk assessment, and monitoring and early warning, accelerate the cultivation of network data security personnel, and better support the construction of a comprehensive network data security guarantee system.
(2) Promote the further improvement of network data security rules, guidelines, and standards. Currently, national standards such as the rules for data classification and grading and the personal information security specification have been formulated and implemented, multiple standards are being developed in areas such as important data security management and the protection of sensitive personal information, and data security management measures or rules for data classification and grading have been drafted in fields such as industry and informatization, natural resources, finance, and education, to provide guidance for data security and personal information protection efforts. The next step should be to encourage relevant regulatory departments to accelerate the formulation and implementation of rules, guidelines, and standards related to data security in their industries and fields, as well as pilot work on relevant systems, in consideration of the actual situation of the industry, to promote the implementation of online data governance efforts.

(3) Give full play to the role of systems such as risk assessment, inspection and testing. Systems such as risk assessment, compliance audits, and annual reports are not only important ways for network data handlers to perform their responsibility for network data security management, but also an important way to increase their own network data security management capacity. The "Regulations" stipulate that all relevant competent departments shall periodically organize and carry out network data security risk assessments in their respective industries and fields, and conduct oversight and inspections of network data processors' performance of network data security protection obligations; the state internet information department is to plan and coordinate relevant regulatory departments to promptly summarize, assess, share, and publish information related to network data security risks.
Relevant departments should strengthen information sharing, coordinate all types of inspection and assessment efforts, and reduce the compliance costs of network data operators while truly giving full play to the effectiveness of inspection and assessment efforts. The Regulations focus on the development of online data governance and security at home and abroad, and clarify the obligations and responsibilities that network data processors should perform, which is an important starting point for the role of the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law in the practice of network data governance, and is also a key link in the establishment and improvement of the data security legal system and the ability to ensure data security. The promulgation and implementation of the Regulations will further lay a solid foundation for the development of the mainland's digital economy and escort the construction of a cyber power with high-level security.

Disclaimer: This article is transferred from the Information Security and Communication Confidentiality Magazine. The content of the article is the original author's personal point of view, and this official account is compiled/reprinted only to share and convey different views, if you have any objections, please contact us!

