On June 10, 2021, the 29th meeting of the Standing Committee of the 13th National People’s Congress formally voted to pass the Data Security Law. Since the draft was published, the law has been presented under the banner of establishing the data security system and increasing penalties. It is foreseeable that after the Data Security Law is passed, all industries involving data security, including blockchain, will be more cautious.
The Data Security Law (Draft) has seven chapters and 51 articles in total. The main contents are as follows:
1. Improve the data classification and protection system
The Data Security Law clearly proposes a data classification and grading protection system. According to the importance of data in economic and social development, and the degree of harm to national security, public interests, or the legitimate rights and interests of citizens and organizations once it is tampered with, destroyed, leaked, or illegally obtained or used, the state implements classified and graded protection of data. This is another important security protection system, following the network security hierarchical protection system required by the “Network Security Law”.
First of all, the Data Security Law clearly determines the important data catalog at the national level. This solves the problem that directly delegating the management authority over important data to localities and departments may bring about conflicting classification standards between regions and departments. It also resolves the problem that, under the regulations currently in effect, most data classification and grading is carried out independently by enterprises, which may give priority to protecting their own interests rather than paying attention to data security when classifying on their own.
Secondly, each region and each department determines the specific catalog of important data in its region, department, and related industries and fields. Building on the important data catalog determined by the state, each region and each department determines its specific catalog of important data, which helps to further improve the granularity and targeting of important data protection in that region, department, and related industries and fields on a unified basis, so that important data can be better protected.
2. Attach importance to the security of cross-border data flow
The Data Security Law is not the first to propose cross-border data security: the previously issued “Cyber Security Law”, “National Cyber Security Inspection Operation Guide”, “Data Security Management Measures (Draft for Comment)”, “Data Outbound Evaluation Measures (Draft for Comment)” and “Measures for the Security Evaluation of Personal Information Outbound (Draft for Comment)” respectively stipulate the cross-border security assessment requirements for the important data and personal information of critical information infrastructure operators and network operators. However, this Data Security Law has significantly strengthened the supervision of the provision of data stored in China to overseas judicial or law enforcement agencies, and clearly proposes export controls related to the cross-border flow of data, data-related countermeasures, and an approval system for cross-border data law enforcement. These closely revolve around the balanced concept of ensuring data security and encouraging free flow, mainly including:
(1) The state actively carries out international exchanges and cooperation in the field of data and standard formulation to promote the safe and free flow of data across borders;
(2) The state implements export control in accordance with the law on the data of controlled items related to fulfilling international obligations and maintaining national security;
(3) Where foreign countries take discriminatory measures related to data activities against China, corresponding countermeasures can be taken;
(4) If an overseas law enforcement agency requests to retrieve data stored in China, the relevant subject shall report to the competent authority and obtain approval before providing it.
3. Increase penalties for data processing violations
China has been reiterating the importance of data security, and the increase in penalties this time also shows China’s determination to strengthen data security management. Judging from the specific penalties, the Data Security Law presents the following characteristics:
(1) Increase in fine standards: The fines imposed on units, directly responsible persons in charge, and other directly responsible persons are increased significantly: from “10,000 yuan to 100,000 yuan” to “50,000 yuan or more and less than 500,000 yuan”, from “5,000 yuan to 50,000 yuan” to “10,000 yuan and less than 100,000 yuan”, from “100,000 yuan to less than 1 million yuan” to “500,000 yuan or more and less than five million yuan”, and from “10,000 yuan to 100,000 yuan” to “50,000 yuan or more and 500,000 yuan”. The fines under different circumstances have been greatly increased.
(2) The scope of punishment is expanded. For the general legal liability for failing to fulfil data security protection obligations, the inclusion of “other directly responsible persons” has expanded the scope of punishment. In addition, with regard to penalties for data retrieval violations, the new Data Security Law covers scenarios such as not cooperating with the data retrieval requirements of Chinese official agencies (internal) and providing data to overseas judicial or law enforcement agencies without the approval of the competent authority (external).
(3) The forms of punishment are increased. In aggravated situations, such as refusal to correct or serious consequences such as a large number of data leaks, the Data Security Law stipulates that “relevant businesses may be suspended, business halted for rectification, relevant business licenses revoked, or business licenses revoked”, greatly increasing the forms of liability.
The blockchain industry is closely related to data security. After the Data Security Law is passed, blockchain-related industries should do the following:
1. Do a good job in data collection
Relevant companies in the blockchain industry must be legally authorized to collect user data; that is, unless provided by statute or agreed upon, they must not collect information without the user’s permission, and must not excessively collect user information. After legal collection, attention should be paid to the identification of relevant data and the screening of non-compliant data and key protected data.
2. Do a good job of using data
After the Data Security Law is promulgated, the blockchain industry should collect and use data within the purpose and scope prescribed by laws and administrative regulations, and must not exceed the necessary limits. In the process of using data, the blockchain industry should strengthen measures such as institutional specifications and authority control to strengthen risk monitoring, establish a security responsibility system for data users, and set up relevant positions to be responsible for the management, evaluation and risk control of data use. When data security deficiencies, loopholes, and other risks are discovered, remedial measures should be taken immediately; when data security incidents occur, users should be notified in a timely manner in accordance with regulations.
3. Do a good job in data protection
The Data Security Law clarifies the data security protection obligations for data activities. Blockchain-related industries can improve data security protection work through technology and management methods, including establishing and improving a data security management system covering the entire process, organizing data security education and training, and taking corresponding technical measures and other necessary measures to ensure data security.
The promulgation of the Data Security Law has established the basic institutional framework for China’s data security legislation, and the blockchain industry, as an emerging industry that is being encouraged by the state, should set an example and respond positively. It is undeniable that the current Data Security Law is only a framework law. The specific systems for classification and important data protection, data transactions, data security review, cross-border data flow and others need to be further refined and implemented, but the trend of China strengthening data protection is easy to see. The blockchain industry can strengthen its own data security supervision capabilities in a timely manner to cope with the risks and challenges brought about by data security in the future.