The Cyberspace Administration of China issued the "Regulations on the Administration of Cyber Data Security (Draft for Solicitation of Comments)"

The state intends to establish a data classification and hierarchical protection system

  On November 14, the Cyberspace Administration of China issued a notice on the "Regulations on Network Data Security Management (Draft for Solicitation of Comments)" for public comments.

A reporter from Beijing Youth Daily learned that the "Draft Opinions" proposes that the state establish a data classification and hierarchical protection system; that biometric features such as faces, gait, fingerprints, irises and voiceprints must not be used as the only method of personal identity authentication in order to force individuals to consent to the collection of their personal biometric information; and that large-scale Internet platform operators who set up headquarters, operation centers or R&D centers overseas should report to the national network information department and competent authorities, among other provisions.

  "Network Data Security Management Regulations (Draft for Solicitation of Comments)"

Published to solicit opinions from the public

The "Cyber China" WeChat public account published a notice stating that, in order to implement the data security management provisions of the "Network Security Law of the People's Republic of China", the "Data Security Law of the People's Republic of China", the "Personal Information Protection Law of the People's Republic of China" and other laws, to regulate network data processing activities, to protect the legitimate rights and interests of individuals and organizations in cyberspace, and to safeguard national security and public interests, the Cyberspace Administration of China, in accordance with the State Council's 2021 legislative plan, worked with relevant departments to study and draft the "Regulations on Cyber Data Security Management (Draft for Comment)", which is now open for public comment.

  A reporter from the Beijing Youth Daily learned that the "Draft Opinions" proposed that the state establishes a data classification and grading protection system.

According to the impact and importance of the data on national security, public interests, or the legitimate rights and interests of individuals and organizations, the data is divided into general data, important data, and core data. Different levels of data adopt different protection measures.

  The state provides key protections for personal information and important data, and strictly protects core data.

All regions and departments shall carry out classified and hierarchical management of data in their own regions, departments, and related industries and fields in accordance with the national data classification and grading requirements.

Data processors should establish

a data security emergency response mechanism

The "Draft Opinions" proposes that data processors who carry out the following activities should apply for network security review in accordance with relevant national regulations: mergers, reorganizations or divisions by Internet platform operators that have gathered a large amount of data resources related to national security, economic development and public interest, where these affect or may affect national security; foreign listings by data processors that process the personal information of more than 1 million people; listings in Hong Kong by data processors that affect or may affect national security; and other data processing activities that affect or may affect national security.

Operators of large-scale Internet platforms that set up headquarters or operation centers or R&D centers overseas shall report to the national cyberspace administration and competent authorities.

The "Draft Opinions" proposes that in the event of a merger, reorganization, division, etc. of a data processor, the data recipient should continue to perform the data security protection obligations. If important data and personal information of more than 1 million people are involved, a report should be made to the competent department at the districted-city level; if the data processor is dissolved, declared bankrupt, etc., it should report to the competent department at the districted-city level and transfer or delete the data in accordance with relevant requirements. If the competent department is not clear, the report should be made to the network information department at the districted-city level.

Data processors shall establish a data security emergency response mechanism, promptly activate an emergency response mechanism when a data security incident occurs, and take measures to prevent the expansion of harm and eliminate potential security hazards.

The "Draft Opinions" stipulates that if data processors really need to provide data outside the People's Republic of China due to business needs, they shall pass the data outbound security assessment organized by the national cyberspace administration, and the data processors and data recipients shall pass the personal information protection certification conducted by a professional organization recognized by the national cyberspace administration.

Keep relevant log records and data export approval records for more than three years.

No individual or organization shall provide programs, tools, lines, etc. for penetrating or bypassing data cross-border security gateways, nor provide Internet access, server hosting, technical support, dissemination and promotion, payment and settlement, application downloading or other services for penetrating or bypassing data cross-border security gateways.

Biometric features such as human faces must not be used as

the only way to verify personal identity

The "Draft Opinions" provides specific regulations on the protection of personal information. Data processors who use biometrics for personal identity authentication should conduct risk assessments of the necessity and safety of doing so. Biometric features such as faces, gait, fingerprints, irises and voiceprints must not be used as the only method of personal identity authentication in order to force individuals to agree to the collection of their personal biometric information.

  In addition, the "Draft Opinions" also stipulates that Internet platform operators should establish data-related platform rules, privacy policies, and algorithm strategy disclosure systems, and promptly disclose formulation procedures and adjudication procedures to ensure that platform rules, privacy policies, and algorithms are fair and just.

When large-scale Internet platform operators with more than 100 million daily active users establish platform rules and privacy policies, or amend them in ways that have a significant impact on user rights and interests, the rules and policies shall be evaluated by a third-party agency recognized by the national cybersecurity and informatization department, and submitted to the cybersecurity and informatization department and the telecommunications authority at or above the provincial level for their agreement.

Internet platform operators shall assume data security management responsibilities for third-party products and services connected to their platforms, clarify the data security responsibilities of third parties through contracts and other forms, and urge third parties to strengthen data security management and take the necessary data security protection measures.

If third-party products and services cause damage to users, users can request Internet platform operators to pay compensation in advance.

In addition, the "Draft Opinions" proposes that Internet platform operators shall not use data and platform rules to engage in the following activities: using the user data collected by the platform to apply, without justified reasons, differentiated pricing of products and services to users with the same trading conditions, or to otherwise harm users' legitimate interests; using operator data collected by the platform to implement lowest-price sales in product promotion, or to engage in other acts that harm fair competition; using data to mislead, deceive or coerce users, impairing users' right to decide on the processing of their data, or processing user data against users' wishes; setting unreasonable restrictions and barriers in platform rules, algorithms, technology, traffic distribution, etc., restricting small and medium-sized enterprises on the platform from fair access to the industry and market data generated by the platform, and hindering market innovation.

  Text / reporter Zhang Xin