Huixiang Research
Huixiang Compliance | Talking about Enterprise Data Compliance
2023-12-21
[Background]
The arrival of the digital network era has changed the form of consumption: we have moved from traditional offline store purchases to the new format of Internet transactions. The information explosion has brought a shortage of attention and difficulty in finding suitable information. The emergence of new algorithmic technologies such as AI face swapping, ChatGPT and personalized push has created new legal risks. Countries have issued numerous laws, regulations and policy documents to regulate the generation, collection, storage, processing, analysis and service of data, and have built legislative frameworks for data governance to safeguard network security and data security; this process will continue. The social economy has entered a new stage of rapid development of digital productivity. In the digital economy era, data compliance is one of the most important compliance issues faced by enterprises: non-compliance affects short-term revenue and business continuity, and may even threaten an enterprise's survival. In this article, the author discusses the legal issues of corporate data compliance in China.
► ► ► What is data compliance?
Data compliance refers to the measures an enterprise takes with respect to data, from collection, processing and storage through to transfer, deletion and destruction, to ensure that the data is effectively protected and lawfully used, and that this secure state can be maintained continuously. At present, data compliance covers many industries and fields of society, with particular emphasis on communications, finance, government affairs, industry and healthcare.
On June 10, 2021, China's first law on data security, the Data Security Law of the People's Republic of China, was promulgated; it came into force on September 1, 2021. The Data Security Law regulates data processing activities in terms of the regulatory system, data security and development, the data security system, data security protection obligations, government data security and openness, and legal liability, effectively supplementing the Cybersecurity Law and the Civil Code in regulating data processing activities. Together with the Cybersecurity Law and the Personal Information Protection Law, the Data Security Law comprehensively constructs China's legal framework in the field of data security. The construction of an enterprise data security compliance system in China should focus on the basic requirements of the Data Security Law and, in light of the enterprise's own industry characteristics, data sources and data carriers, integrate the requirements of the Personal Information Protection Law, the Cybersecurity Law and other laws and regulations.
How companies can achieve data compliance
According to the legal provisions of China's Data Security Law, enterprise data compliance can be achieved through the following:
(I) Establish and improve the data security compliance management organization system
In data security compliance governance, the guiding principle is that management accounts for seventy percent and technology for thirty percent. Enterprises can build a compliance framework covering organizational structure, responsibility system, operating mechanism, risk management and internal control measures. This means building an integrated organizational system from the strategic layer through the management, control and execution layers; establishing a standardized data security management mechanism that covers the whole data life cycle; applying the concept of data security control throughout the entire production and operation process; and establishing a compliance strategy system so that security compliance stays continuously aligned with legal and regulatory requirements and business needs, forming a closed-loop data security management process of planning, security assessment, implementation and review of lessons learned.
(II) Establish a data classification and grading protection system
Article 21 of China's Data Security Law stipulates that the state shall establish a data classification and grading protection system: data is classified and graded according to its importance to economic and social development and to the degree of harm to national security, public interests, or the legitimate rights and interests of individuals and organizations that would result if it were tampered with, destroyed, leaked, or illegally obtained or used. Classification and grading is the starting point of all data compliance and data protection work, and enterprises can begin the related work of graded protection according to their own business, consistent with China's relevant policies and regulations. Companies in the four key areas of financial technology, smart cars, online education, and telecommunications and the Internet should pay special attention to the current status of data compliance, key points, governance plans, and the related laws, regulations and policies.
(III) Establish a sound data security technology system
The construction of a data security compliance system is inseparable from the establishment of a sound data security technology system. In building that technology system, enterprises should consider three aspects: data security, access control and data protection.
(IV) Strengthen personnel capacity building and improve the ability to ensure secure and compliant operations
China's data compliance regime applies protection at different levels, and each industry has its own characteristics, so enterprises should study the requirements that apply to their own situation. Data security compliance governance is a process in which multiple parties participate together; personnel are the cornerstone of effectively implementing the various requirements of data security, so enterprises should establish a personnel security awareness training mechanism. Through regular training that publicizes laws and regulations, standards and norms, and case events, data security awareness and legal risk identification capabilities can be gradually improved.
► ► ► Key points of corporate data compliance from typical cases
(I) Ctrip platform collecting unnecessary personal information and "big data killing" (price discrimination against existing users) case
[Basic Case] In July 2020, Ms. Hu booked a deluxe lake-view king room at a hotel in Zhoushan through the Ctrip app and paid 2889 yuan. On checking out, Ms. Hu happened to discover that the hotel's actual listed price was only 1377.63 yuan. After checking out, Ms. Hu contacted Ctrip, which refunded only part of the price difference on the grounds that it was merely the platform and not the contractual counterparty to the order. Ms. Hu then filed suit, claiming that Ctrip had collected her unnecessary personal information and engaged in "big data killing", demanding "one refund and triple compensation" (refund plus three times the amount in compensation) and that the Ctrip app add an option allowing her to continue using Ctrip's services without agreeing to the Service Agreement and the Privacy Policy.
Regarding the collection of non-essential information, the court found that Ctrip's Service Agreement and Privacy Policy required it to obtain and process information beyond what was necessary to form an order, including requiring users to specifically authorize Ctrip, its affiliated companies and its business partners to share users' registration information, transaction and payment data, and to make further commercial use of it. The collection of this information was not necessary and increased the risk to the user's personal information.
Regarding the refund of the remaining price difference and the payment of three times the booking price difference as compensation, because Ctrip had not fulfilled its obligation to truthfully inform the customer of the price, the court found that it had engaged in false advertising and price fraud, and ruled that the defendant should refund the remaining price difference and pay three times the booking price difference as compensation. In addition, the court ordered the defendant either to add to the Ctrip Travel app it operates an option allowing the plaintiff to continue using the app without agreeing to its existing Service Agreement and Privacy Policy, or to revise the Service Agreement and Privacy Policy of the Ctrip Travel app for the plaintiff so as to remove the content relating to the collection and use of unnecessary user information, with the revised version subject to the court's approval.
[Compliance Suggestions] When using personal information for automated decision-making, enterprises should apply algorithmic recommendation rules reasonably. First, under Article 55 of the Personal Information Protection Law, an enterprise that uses personal information for automated decision-making should conduct a personal information protection impact assessment and record the entire processing process. Second, when providing algorithmic recommendation services to users, enterprises should ensure the neutrality of the algorithm: consumers in the same conditions should be treated fairly for the same product or service in the same period, and there should be no unreasonable differential treatment in transaction conditions such as price based on consumers' personal preferences or trading habits. Finally, business activities should follow the principles of lawful, legitimate and necessary personal information processing. When building user profiles and making personalized recommendations, enterprises should attend to the compliance of information collection and push, so that the process is open and transparent and the results are fair and reasonable. For decisions with a significant impact, the user's right to request an explanation and to refuse should be protected.
(II) An enterprise fined 1 million yuan for illegal disclosure of government data
[Basic Case] In March 2023, while developing an operation and maintenance information management system for a county-level municipal government department in Zhejiang, a technology company uploaded sensitive business data collected by the commissioning unit to a public cloud server it rented, without the commissioning unit's consent and without taking security protection measures, resulting in a serious data leak.
Under Article 45 of the Data Security Law, the public security organ of Wenzhou, Zhejiang Province, imposed administrative fines of 1 million yuan, 80,000 yuan and 60,000 yuan on the company, the project supervisor and the directly responsible personnel respectively. In accordance with the detailed rules for implementing the responsibility system for network security work of the Wenzhou Municipal Party Committee (Party group), the local Commission for Discipline Inspection and Supervision also decided to hold the main responsible persons and department heads of the commissioning unit accountable through measures such as criticism and education, admonishment talks, and government investigation.
[Compliance Suggestions] Data processing activities shall be carried out in accordance with laws and regulations. Enterprises should establish and improve a data security management system covering the whole process, organize data security education and training, and adopt the corresponding technical and other necessary measures to ensure data security. Data processing activities carried out over the Internet or other information networks shall fulfill the above data security protection obligations on the basis of the network security multi-level protection system. Processors of important data shall designate a person in charge of data security and a management organization, and implement responsibility for data security protection.
(III) Hangzhou Wildlife World illegal use of facial information
[Basic Case] On April 27, 2019, Guo and his wife bought a two-person annual card at Hangzhou Wildlife World, provided personal identity information, had photos taken and had their fingerprints recorded. Later, Wildlife World sent a text message to annual card holders, including Guo, stating that the admission method would change from fingerprint recognition to face recognition and requiring customers to activate facial recognition, failing which they would not be able to enter the park normally. Guo held that the park had no right to unilaterally change the original admission method to facial recognition. The two sides failed to reach agreement on keeping the original admission method or refunding the card, which gave rise to this dispute.
In 2021, the Hangzhou Intermediate People's Court issued a final second-instance judgment, finding that Wildlife World had violated the principle of legitimacy because it exceeded the purpose for which the information was originally collected. It therefore ruled that Wildlife World should delete the facial feature information, including the photos, that Guo had submitted when obtaining the card.
[Compliance Suggestions] Enterprises should take strict measures to establish a risk prevention system for handling sensitive personal information: carry out a risk assessment of sensitive personal information processing in advance, carefully determine the purpose and method of processing, ensure its legality, and minimize the risk of processing sensitive personal information. During the collection phase, the enterprise must clearly inform the data subject of the importance of the sensitive personal information to the individual and the potential risks of authorizing its use. Because consent for sensitive personal information cannot be bundled with consent for general personal information, enterprises can obtain separate consent through the interaction design of a dedicated "notification and consent" interface (such as a separate pop-up window), and should also fulfill additional notification obligations by informing individuals of the necessity of processing the sensitive personal information and its impact on their rights and interests. In the processing stage, the enterprise should fully demonstrate that the use of sensitive personal information has a specific purpose and sufficient necessity, should inform the rights holder of the necessity of the processing and its impact on personal rights and interests, and should strengthen the protection of sensitive personal information in both form and content.
Data security compliance governance is a basic requirement for the healthy, compliant and sustainable development of enterprises, and a basic guarantee for the sound development of the industry as a whole. Because building an internal control compliance system takes a long time, especially for enterprises with many operating systems and large volumes of data, enterprises should start their compliance work as soon as possible in order to seize the opportunity of the digital economy era.
Lawyer Profiles
Lawyer Liu Ying
Lawyer Liu Ying is currently the director of the Enterprise Compliance Research Center of Beijing Huixiang Law Firm, an ISO 19600:2014 and ISO 37301:2021 Compliance Management System auditor, a drafter of the "Environmental, Social and Governance (ESG) Management System Requirements", a senior expert in the China General Chamber of Commerce International Compliance Management Expert Database, a third-party review expert of the Beijing Public Welfare Legal Service Promotion Association, a mediator of the Beijing Diversified Mediation Development Promotion Association, a legal lecturer for the Tsinghua University National Art Fund Talent Training Funding Project, a member of the Beijing Intellectual Property Law Research Association, and a member of the Technology and Big Data Legal Affairs Professional Committee of the Beijing Lawyers Association. Liu Ying's practice mainly focuses on corporate risk and compliance management, corporate governance and equity investment and financing, construction engineering disputes, and trademark and copyright protection. Liu Ying has served as legal consultant to many enterprises and institutions and is skilled at applying legal risk prevention and control to all aspects of corporate compliance management and project operation based on industry characteristics. "Good law does not sue" is Lawyer Liu Ying's consistent practice philosophy.
Lawyer Chen Lin
Lawyer Chen Lin is currently the deputy director of the Corporate Compliance Research Center of Beijing Huixiang Law Firm and a member of the Non-Performing Assets and Bankruptcy Reorganization Professional Committee. Chen Lin has worked in corporate and family law services for more than ten years, specializing in corporate governance, corporate restructuring and bankruptcy, family wealth management, family-enterprise risk isolation and family trusts, and provides comprehensive legal risk assessment and family wealth management and distribution planning services to banks, asset management companies, large and medium-sized companies, other clients and high-net-worth individuals, approaching the risk management of enterprises and families from a comprehensive, multi-perspective viewpoint.