In the Internet era, people have at least one mobile phone in daily life, and at work it is even harder to do without computers and the Internet. It can be said that the traces we leave in the real world are far fewer than those we leave on the Internet.
It can even be said that if we disappeared completely one day, our traces in reality might be preserved for a year or two, while our traces on the Internet might not disappear for ten or twenty years. Today, the Internet’s memory far exceeds that of reality.
With everything interconnected, the details of our personal lives are recorded completely. Social platforms record your words, deeds and opinions; shopping platforms record your preferences and consumption; map and taxi-hailing programs record your location; payment platforms record your capital flows; short video platforms record your browsing history and other data in order to accurately push the short videos you are most likely to be interested in; and the cameras seen everywhere, in supermarkets, shopping malls, communities, hospitals and streets, are constantly collecting data…
It is precisely because all kinds of information are collected that “information selling” can become a profession. Some users have also reported that certain online shopping platforms “tailor” an inflated price to the user based on length of use, consumption records and other data.
For example, the media once exposed that shopping with an Apple mobile phone was more expensive, which is a low-level kind of “big data killing”.
In view of the frequent personal information problems in modern society, on August 20 the 30th meeting of the Standing Committee of the 13th National People’s Congress voted to pass the “Personal Information Protection Law of the People’s Republic of China” (hereinafter referred to as the “Personal Protection Law”), effective from November 1, 2021.
Summary of changes to the Personal Information Protection Act
According to media statistics, the full text of the Personal Information Protection Law has 8 chapters and 74 articles. Compared with the second-review draft released on April 29, 2021, a total of 55 articles have been revised and improved.
In fact, major media and self-media outlets have published their own analyses and interpretations of the “Personal Information Protection Law” over the past two days, and these are very detailed and professional. Here we give only a high-level overview of the main points, so that readers can understand the main features of the “Personal Protection Law” from a broad perspective.
The following ten points are the main points covered by the Personal Protection Law:
1. It is forbidden for merchants to “kill big data” through automated decision-making;
2. It is not allowed to force push personalized advertisements to users;
3. To process sensitive personal information such as biometrics, medical health and financial accounts, the individual’s separate consent shall be obtained;
4. Regulate the installation of image collection and personal identification equipment in public places;
5. Applications that illegally process personal information may be ordered to suspend or terminate the provision of services;
6. Large-scale Internet platforms should establish and improve the personal information protection compliance system;
7. Add the right to portability of personal information to break the situation of data monopoly and data silos;
8. The personal information processor shall provide the means for the transfer of personal information;
9. Formulate special handling rules for minors under the age of fourteen;
10. Clarify the rules for the protection of the personal information of the deceased.
In addition, according to the People’s Court News, compared with the second review draft submitted for deliberation in April this year, the official version of the “Personal Protection Law” makes six major revisions, covering personal information processing rules, the protection of minors’ information, rules for the cross-border provision of personal information, the right to portability of personal information, and more. The revisions actively respond to public concerns such as excessive collection of personal information by apps, “big data killing”, automatic algorithmic push and the attribution of data, and rights are further highlighted. Specifically:
1. Emphasize that no excessive collection of personal information is allowed
The Personal Protection Law stipulates that the processing of personal information should have a clear and reasonable purpose, and should be directly related to the purpose of processing, and adopt a method that has the least impact on personal rights and interests. The collection of personal information should be limited to the minimum scope to achieve the purpose of processing.
In response to the hidden danger of personal information leakage, the third review draft added that no organization or individual shall illegally collect, use, process, or transmit other people’s personal information, and shall not illegally buy, sell, provide or disclose other people’s personal information.
For the operating companies behind various mainstream apps, the draft also clearly stipulates that large Internet platforms should establish and improve a personal information protection compliance system.
2. No differential treatment through automated decision-making
The “Personal Protection Law” first clarifies the concept of automated decision-making: the activity of using programs to automatically analyze and evaluate an individual’s behavioral habits, hobbies, or economic, health and credit status, and to make decisions. It also stipulates that automated decision-making should abide by the general rules of personal information processing: personal consent must be obtained after fully informing the individual of matters related to the processing of personal information, and products or services must not be refused on the grounds that the individual does not consent. When personal information is used for automated decision-making, unreasonable differential treatment of individuals in transaction prices and other transaction conditions shall not be implemented, and a personal information protection impact assessment shall be conducted in advance.
3. Adding the right to portability of personal information
The right to data portability means that the data subject has the right to obtain the personal data that he has provided to the data controller and to transfer this data to other data controllers without restriction. That is to say, users can transfer all their personal data from one platform to another through “one-click transfer”, which greatly facilitates individuals to obtain and transfer their personal information.
Drawing on the useful experience of foreign legislation, adding provisions on the right to portability of personal information is a highlight of the Personal Protection Law.
The “Personal Protection Law” stipulates that if an individual requests the transfer of personal information to the personal information processor designated by him, and the conditions specified by the national cybersecurity and informatization department are met, the personal information processor shall provide a transfer channel.
4. Improve the Complaint and Reporting Mechanism
The “Personal Protection Law” clearly states that the national network information department will coordinate the relevant departments to improve the working mechanism for personal information protection complaints and reports. If a department performing personal information protection duties finds that the illegal handling of personal information is suspected of constituting a crime, it shall promptly transfer the case to the public security organ for handling in accordance with the law. The relevant responsible persons may be prohibited, for a certain period of time, from serving as directors, supervisors, senior managers or persons in charge of personal information protection at relevant enterprises.
5. Formulate special handling rules for minors under the age of fourteen
The Personal Protection Law further clarifies that the personal information of minors under the age of fourteen is sensitive personal information, and personal information processors should formulate special personal information processing rules when handling the personal information of minors under the age of fourteen. There is no doubt that this regulation not only responds to the urgent needs of the public, but also strengthens the protection of certain vulnerable groups, and helps to solve the real difficulties in the regulatory field.
6. Clarify the rules for the protection of the personal information of the deceased
The Personal Protection Law clarifies that when a natural person dies, his close relatives may, for their own lawful and legitimate interests, exercise the rights stipulated in this chapter to view, copy, correct and delete the personal information of the deceased, unless otherwise arranged by the deceased before his death.
The clause means, first, that close relatives may not exercise rights over the personal information of the deceased arbitrarily, but must comply with the principles of legality and legitimacy; second, the clause reflects respect for the wishes of the deceased and encourages natural persons to make careful arrangements for their personal information before death.
The improvement process of laws and regulations related to network security
China’s Internet has been developing for several decades. During this period, various laws and regulations and important rules and measures have been issued. Some are large and some small, some concern the overall situation and some specific areas, and some are general outlines while others are supplements.
In this regard, Yang Tianshi, a senior expert of the Venus VF Expert Group, has drawn a map after careful research and summary. It is shaped like a house, with the superior law, the “National Security Law”, as the roof. The important laws are the Data Security Law, the Cybersecurity Law and the Personal Information Protection Law.
According to media reports, China’s first regulation on the security of computer information networks was the “Regulations of the People’s Republic of China on the Security Protection of Computer Information Systems”, issued in 1994 by Order No. 147 of the State Council of the People’s Republic of China. An administrative regulation on the security of computer information systems has thus been in place for 27 years.
In fact, over the years, China’s cybersecurity-related laws have been constantly improving. According to incomplete statistics, the laws and regulations related to network security are as follows:
The Regulations of the People’s Republic of China on the Security Protection of Computer Information Systems, issued by Order No. 147 of the State Council of the People’s Republic of China, is China’s first administrative regulation involving the security of computer information systems.
The “Regulations” were formulated to protect the security of computer information systems, promote the application and development of computers, and ensure the smooth progress of socialist modernization.
“Administrative Measures for the Security Protection of International Networking of Computer Information Networks”
On December 11, 1997, the “Administrative Measures for the Security Protection of International Networking of Computer Information Networks” was approved by the State Council of the People’s Republic of China and issued by the Ministry of Public Security on December 16, 1997 (No. 33). It came into effect on January 8, 2011, and was revised in accordance with the Decision of the State Council on Abolishing and Amending Some Administrative Regulations.
The “Measures” are management measures formulated for the security protection of the international networking of computer information networks. They tell people which online behaviors are not allowed, that those who commit illegal acts will bear legal responsibility, and that where a crime is constituted they will also bear criminal responsibility. On the one hand, this is a means of prevention; on the other hand, it is backed by coercive power. It builds the last line of defense for information network security.
“Regulations on the Administration of Confidentiality in the International Networking of Computer Information Systems”
The “Regulations on the Secrecy Management of the International Networking of Computer Information Systems” were formulated to strengthen the confidentiality management of the international networking of computer information systems and ensure the security of state secrets. They were formulated by the State Secrecy Bureau in accordance with the “Law of the People’s Republic of China on Guarding State Secrets” and relevant state regulations, and came into force on January 1, 2000.
Measures for the Administration of Internet Information Services
On September 20, 2000, the 31st executive meeting of the State Council of the People’s Republic of China adopted the Measures for the Administration of Internet Information Services, which came into force on September 25, 2000.
The “Measures” were revised in accordance with the “Decision of the State Council on Abolishing and Amending Some Administrative Regulations” on January 8, 2011.
On January 8, 2021, the Cyberspace Administration of China publicly solicited opinions on the “Administrative Measures for Internet Information Services (Revised Draft for Comment)”, and the deadline for feedback is February 7, 2021.
The Measures are formulated to regulate Internet information service activities and promote the healthy and orderly development of Internet information services.
“Regulations on the Administration of Internet Access Service Business Places”
The Regulations on the Administration of Business Sites for Internet Access Services was adopted at the 62nd executive meeting of the State Council on August 14, 2002, promulgated on September 29, 2002, and came into force on November 15, 2002.
The purpose of the Regulations is to strengthen the management of information network security, public security and fire safety at Internet access service business premises, regulate the business behavior of operators, safeguard the legitimate rights and interests of the public and operators, ensure the healthy development of Internet access service business activities, and promote the construction of socialist spiritual civilization.
Among them, it is emphasized that Internet service business sites must have sound and complete information network security management systems and security technical measures, and have security management personnel, business management personnel, and professional technical personnel who are suitable for their business activities and have obtained professional qualifications.
“Administrative Measures for the Filing of Non-Commercial Internet Information Services”
The Administrative Measures for the Filing of Non-Commercial Internet Information Services were deliberated and adopted at the 12th executive meeting of the Ministry of Information Industry of the People’s Republic of China on January 28, 2005, then promulgated, and came into force on March 20, 2005.
The “Measures” were formulated, in accordance with regulations, to regulate the filing and filing management of non-commercial Internet information services and to promote the healthy development of the Internet information service industry.
These Measures shall apply to the provision of non-commercial Internet information services within the territory of the People’s Republic of China, the implementation of record-filing procedures, and the implementation of record-filing management.
“Electronic Signature Law of the People’s Republic of China”
The Electronic Signature Law of the People’s Republic of China was adopted at the 11th meeting of the Standing Committee of the 10th National People’s Congress of the People’s Republic of China on August 28, 2004, and came into force on April 1, 2005. The current version was revised at the tenth meeting of the Standing Committee of the Thirteenth National People’s Congress on April 23, 2019.
This law is a law formulated to regulate electronic signature behavior, establish the legal effect of electronic signature, and safeguard the legitimate rights and interests of all parties concerned.
“Administrative Measures for the Level Protection of Information Security”
The “Administrative Measures for the Level Protection of Information Security” was jointly issued by the Ministry of Public Security, the State Secrecy Administration, the State Cryptography Administration, and the State Council Information, and was officially implemented on June 22, 2007.
The “Measures” are designed to standardize the management of information security graded protection, improve the ability and level of information security assurance, maintain national security, social stability and public interests, and ensure and promote the construction of informatization, and were formulated in accordance with relevant laws and regulations.
Law of the People’s Republic of China on Guarding State Secrets
The Law of the People’s Republic of China on Guarding State Secrets was adopted on September 5, 1988 at the third meeting of the Standing Committee of the Seventh National People’s Congress. A revision was adopted on April 29, 2010 at the fourteenth meeting of the Standing Committee of the Eleventh National People’s Congress, and the revised “Law of the People’s Republic of China on Guarding State Secrets” was promulgated and came into force on October 1, 2010.
The law was formulated to preserve state secrets, safeguard national security and interests, and ensure the smooth progress of reform and opening up and socialist construction.
“Implementation Regulations of the Law of the People’s Republic of China on Guarding State Secrets”
The Regulations for the Implementation of the Law of the People’s Republic of China on Guarding State Secrets is formulated in accordance with the provisions of the Law of the People’s Republic of China on Guarding State Secrets (hereinafter referred to as the Secrecy Law). Promulgated by the State Council on January 17, 2014, and effective from March 1, 2014.
In 2010, the newly revised secrecy law established a series of new systems and measures, and the implementation measures are no longer compatible with them, and should be adjusted and supplemented accordingly. At the same time, some of the contents of the newly revised secrecy law are still relatively principled, and it is necessary to make specific details to facilitate the implementation of the law. The second is to meet the needs of economic and social development. With the in-depth development of the market economy and the rapid advancement of informatization construction, the situation facing confidentiality work is more complex and severe, and the difficulty of confidentiality management is increasing. The third is to meet the needs of lawful administration of confidentiality work.
“National Security Law of the People’s Republic of China”
The National Security Law of the People’s Republic of China was formulated in accordance with the “Constitution of the People’s Republic of China” to maintain national security, defend the regime of the people’s democratic dictatorship and the socialist system with Chinese characteristics, protect the fundamental interests of the people, ensure the smooth progress of reform and opening up and socialist modernization, and realize the great rejuvenation of the Chinese nation.
On July 1, 2015, the fifteenth meeting of the Standing Committee of the Twelfth National People’s Congress passed the new National Security Law, and President Xi Jinping signed Presidential Decree No. 29 to promulgate it. The law clarifies national security tasks in 11 areas including political security, homeland security, military security, cultural security, and technological security. It has a total of 7 chapters and 84 articles and came into force on July 1, 2015.
Cybersecurity Law of the People’s Republic of China
The Cybersecurity Law of the People’s Republic of China was adopted at the 24th meeting of the Standing Committee of the Twelfth National People’s Congress of the People’s Republic of China on November 7, 2016, and will come into force on June 1, 2017.
The Cybersecurity Law is a law formulated to safeguard cybersecurity, safeguard cyberspace sovereignty and national security, and social public interests, protect the legitimate rights and interests of citizens, legal persons and other organizations, and promote the healthy development of economic and social informatization.
There are 7 chapters and 79 articles in the Cybersecurity Law, and there are 6 highlights in the content:
First, it clarifies the principle of cyberspace sovereignty; second, it clarifies the security obligations of network product and service providers; third, it clarifies the security obligations of network operators; fourth, it further improves personal information protection rules; fifth, it establishes a critical information infrastructure security protection system; sixth, it establishes rules for the cross-border transmission of important data from critical information infrastructure.
“Public Security Organs Information Security Level Protection Inspection Work Specifications (Trial)”
The “Specifications for the Inspection of Information Security Level Protection of Public Security Organs (Trial)” were issued in September 2017 in accordance with the “Administrative Measures for Information Security Level Protection”. They are a specification regulating how the public information network security supervision departments of public security organs carry out information security level protection inspections, and they define the “inspection work of information security level protection of public security organs”.
The article also stipulates and explains the inspection process of graded protection, including before inspection, personnel, during inspection, after inspection, and inspection content.
“Cryptography Law of the People’s Republic of China”
On October 26, 2019, China’s first cryptography law was approved by the 14th meeting of the Standing Committee of the 13th National People’s Congress, and it was officially implemented on January 1, 2020.
As a comprehensive and basic law in the field of cryptography in China, the law will effectively regulate the application and management of cryptography, promote the development of cryptography, ensure network and information security, and improve the level of scientific, standardized, and legalized cryptography management.
The promulgation of the “Cryptography Law” will have positive significance for accelerating the scientific development of China’s cryptography industry:
■ Further strengthen the party’s absolute leadership over cryptographic work, and ensure that the party’s propositions become the will of the state through the legislative process;
■ Realize management according to law, and lay the foundation for comprehensively promoting the legal construction of cryptography work;
■ Effectively maintain national network and information security, and effectively prevent and crack down on illegal and criminal activities involving cryptography;
■ Regulate the order of the cryptographic market, insist on equal emphasis on development and security, and provide legal protection for the scientific development of China’s cryptographic industry.
“Criminal Law of the People’s Republic of China”
The “Amendment to the Criminal Law of the People’s Republic of China (Eleven)” was adopted by the 24th meeting of the Standing Committee of the 13th National People’s Congress of the People’s Republic of China on December 26, 2020 (No. 66), and came into force on March 1, 2021. The parts related to network security and information protection are Articles 285, 286, and 287. The relevant amendments and judicial interpretations are:
1) 2009 “Amendment to the Criminal Law of the People’s Republic of China (VII)”
Crime of illegally intruding into computer information system (Article 285 of Amendment 7 to the Criminal Law, the maximum statutory penalty is 3 years)
The crime of illegally obtaining computer information system data (Article 285 of the Seventh Amendment to the Criminal Law, the maximum statutory sentence is 7 years)
2) In August 2011, the Supreme People’s Court and the Supreme People’s Procuratorate “Interpretation on Several Issues Concerning the Application of Law in Handling Criminal Cases of Endangering the Security of Computer Information Systems”
3) The 2015 “Amendment to the Criminal Law of the People’s Republic of China (IX)”
Crime of infringing on citizens’ personal information (Article 253 of Amendment IX to the Criminal Law is amended to be a general subject, including acts of illegally acquiring, selling or providing, with a maximum statutory sentence of 7 years)
Crime of illegal use of information network (Article 287 of Amendment 9 to the Criminal Law, the maximum statutory sentence is 3 years)
Crime of refusing to perform the obligation of information network security management (Article 286 of Amendment 9 to the Criminal Law, the maximum statutory sentence is 3 years)
4) In May 2017, the Supreme People’s Court and the Supreme People’s Procuratorate “Interpretation on Several Issues Concerning the Application of Law in Handling Criminal Cases of Infringing Citizens’ Personal Information”
The Criminal Law Amendment and Judicial Interpretation define personal information in a wider range than the Cybersecurity Law, including personally identifiable information and personal activity information, reflecting outstanding protections such as personal IP trajectories.
“Key Information Infrastructure Security Protection Regulations”
It took more than four years from the release of the Regulations on the Security Protection of Critical Information Infrastructure (Draft for Comment) (hereinafter referred to as the “Draft for Comments”) to the official release of the Regulations.
In November 2016, the “Cyber Security Law” was promulgated, which formally proposed the concept of “CII” for the first time, and pointed out that “for CII, important protection work should be carried out on the basis of the network security level protection system”.
Critical information infrastructure (CII) protection is one of the key tasks to strengthen cybersecurity legislation, and is ushering in the intensive release of top-level designs and laws and regulations.
In July 2017, the Cyberspace Administration of the People’s Republic of China issued a draft for comments, but the industry generally believed that the draft was not clear in terms of the identification of CII and the scope of legal protection.
On April 27, 2021, the “Regulations on the Security Protection of Critical Information Infrastructure” were adopted at the 133rd executive meeting of the State Council. On August 17, the State Council issued the “Regulations on the Security Protection of Critical Information Infrastructures” (hereinafter referred to as the “Regulations”), which define the scope of application of CII security protection, the supervision subjects, the assessment objects and other basic elements, and provide systematic guidance and work compliance for the development of security protection work. The Regulations will come into force on September 1 this year.
“Data Security Law of the People’s Republic of China”
On June 10, 2021, the “Data Security Law of the People’s Republic of China” was adopted by the 29th meeting of the Standing Committee of the 13th National People’s Congress, and will come into force on September 1, 2021.
The Data Security Law regulates data processing activities. By ensuring data security, it promotes data development and utilization, protects the legitimate rights and interests of individuals and organizations, and safeguards national sovereignty, security, and development interests.
As the basic law of data security management, the “Data Security Law” has pointed out the direction and provided us with legal protection. Relevant entities and individuals collecting, storing, using, processing, transmitting, providing, and disclosing data resources shall establish and improve data security management systems in accordance with the law, and take corresponding technical measures to ensure data security.
“Personal Information Protection Law of the People’s Republic of China”
In May 2020, the third session of the 13th National People’s Congress voted to pass the “Civil Code”, which clarified that the personal information of natural persons is protected by law. In October 2020, the Personal Information Protection Law (Draft) was released. On August 20, 2021, the 30th meeting of the Standing Committee of the Thirteenth National People’s Congress voted to pass the “Personal Information Protection Law of the People’s Republic of China”, effective from November 1, 2021.
Conclusion: the gradual improvement of laws and regulations is the general trend
From the history of the development of laws and regulations related to network security and information protection, it is not difficult to see that the country is increasingly shifting from macro to micro, and from the overall situation to the individual in the construction of laws and regulations. That is, people-oriented, more and more attention is paid to the protection of the legitimate rights and interests of people.
The past ten years have been a period of barbaric growth for the Internet, and the Internet industry has developed explosively as a result. During this period, many disorderly incidents have occurred, such as wanton violations of citizens’ privacy, big data killing and information leakage. There are still a large number of Internet app service providers that defiantly break the rules and have not changed their ways.
Why? Precisely because there is a lot of profit in it. But now, if China’s Internet industry is to embark on a path of compliance and order, it must rectify this chaos, put the rules into the form of laws and regulations, and create a deterrent, so that all kinds of Internet chaos can be gradually eliminated.
In fact, China’s laws and regulations related to network security go far beyond those counted above, because all walks of life, such as industry and finance, have their own security regulations. From a macro perspective, we have listed the laws and regulations related to network security and the important rules and measures that concern the public, so that everyone can form a timeline and glimpse from it the evolution of the relevant laws and regulations in China.