Welcome to Shanghai Founder Law Firm!   Email:info@gcls.cn  Tel:0086-021-62996116-0

Guochuang Lawyers | Embracing the Invisible But Visible Data Age: Collection and Use of Network Product Data from the Data Security Act

Update time: 2021/6/18 9:52:47

Recently came the first conviction in a big data case, that of Hangzhou Magic Scorpio Data Technology Co., Ltd., and the crime of infringing on citizens' personal information is rampant. Have we been bound to our data and caught in a crisis in which individuals are virtually replicated? Have we become transparent people on the network, while in reality remaining bodies whose material desires must constantly be satisfied? With the protection of personal information in an increasingly severe situation, legislation on data security protection is imminent.

The Data Security Law of the People's Republic of China (the "Data Security Law") was promulgated on June 10, 2021, and will come into force on September 1 of that year. The Data Security Law is the first specific law in China aimed at data utilization and data security protection. It stipulates that data processing activities are based on security assurance and aim at data utilization, and it applies to individuals, organizations and countries alike. The Data Security Law defines the relevant concepts of data: the object of data processing is information, the act involved is recording, and data is presented electronically or otherwise. Data processing activities include seven statutory methods: collection, storage, use, processing, transmission, provision and publication. Data security includes three specific elements: effective protection, lawful use, and the ability to "ensure continuous security status".

The Data Security Law also provides that the State protects data rights and interests, encourages lawful and reasonable use, safeguards free flow of data, and promotes the development of the digital economy. Data utilization, including government data, shall not only comply with laws and traditional ethics, but also strengthen data security protection.

Online business activity on the Internet is becoming more and more frequent. An appropriate classification of commercial product data helps us to clarify the scope and targets of protection.

Product data generally refers to the recording of various data activities or information in electronic or non-electronic form. Product data on various big data platforms, including government data platforms, is generally not only the content of the service provided but also a good in circulation: some may be the direct subject matter of a transaction, while other data may be treated as raw material added for secondary processing or combined with other products to become new data goods. For example, personal ID card, driver's license, marriage certificate and other data on government information platforms is data provided as the service of those platforms, while insurance information appearing on a common big data platform page after being specially authorized by an individual may be push information received after the information has been transacted. In the field of computer algorithm application, personal data has become the de facto object of transaction. Individuals trade their buying habits, browsing traces and other data for various kinds of push services, which saves time or other costs accordingly. This kind of data exchange runs deep and differs from the traditional exchange of money or barter. Data exchange is invisible, yet it is a visible exchange from which there is nowhere to hide.

Further analysis of data exchange will not be carried out here. This paper briefly analyzes the behavior and compliance risks of product data activities according to the provisions of the Data Security Law.

On big data platforms, data products with different functions and fields involve different data content, but the data activities of all such products come down to data collection and data use. The common ways to acquire product data are self-collection and external collection. Specifically, data acquisition activities generally include data capture, data collection, data purchase, data precipitation, etc.

Data capture refers to the automatic capture of data on the platform's target website by web crawler software in accordance with preset algorithmic logic. Web crawler software is not prohibited as a technology in itself. However, its use will be restricted to different degrees by laws and regulations depending on the type or nature of the target data. According to how public the crawled data is, it can be divided into public data, publicly available data, semi-public data and internal data.

Public data refers to the various data resources collected and generated by administrative authorities at all levels, and by public institutions performing public administration and service functions, in the course of performing their duties according to the law. Being public in nature, public data is shared by all members of society. According to the Data Security Law, the State will step up efforts to build e-government and gradually improve the scientificity, accuracy and timeliness of government data. Data used to serve economic and social development shall be disclosed in a timely and accurate manner, except where it may not be disclosed according to the law. Therefore, when using public data, individuals and organizations may make appropriate copies of the data within a reasonable scope of use and under the premise of ensuring security. In addition, some government public websites explicitly state that "the information disclosed is only available for online self-inquiry by the public, and for single use, no individual or organization may crawl, quote or cache the content of this page by any means". Attention should be paid to such statements, and crawler access to the data on those webpages should be avoided.

There is no unified definition of publicly available data and semi-public data. For the purpose of this Interpretation, publicly available data refers to data that has been made public by a general organization or individual and is accessible to the public on the Internet, such as enterprise information including enterprise name, legal representative, registration date, contact person, postal address, email address, enterprise scale, business scope, registered capital, annual turnover, website and other basic information. In general, such data may be crawled without special authorization. Semi-public data in this Interpretation refers to data that can be browsed and copied after logging in to other websites on the Internet. The crawling of semi-public data shall comply with the data crawling terms in the website user agreement. Attention should be paid to the stipulations on crawling scope in the website's Robots agreement (such as its statements), and the relevant anti-crawling technical measures (if any) of the website shall be complied with.

For example, where the website user agreement or the Robots agreement stipulates that no crawling is allowed, or anti-crawling technical measures have been taken, in relation to the required publicly available data and semi-public data, those restrictions shall be respected. Otherwise, the organization or individual may face the legal risk of infringement, breach of contract or even criminal liability. For example, using a program to create a virtual user identity, or crawling semi-public data by bypassing the login system, may incur the legal risks of crawling internal data described below.

Internal data refers to non-public data within local area networks, such as on a company's internal website, or on internal storage media. Such data may not be crawled. For example, crawling the internal LAN data of a target website with crawler software carries the criminal risk of constituting the crime of illegally obtaining the data of a computer information system or the crime of destroying a computer information system, as well as the risk of unfair competition in the form of "infringing trade secrets" (crawling a target website with the same or a similar business model) or "impeding or disrupting the normal operation of network products or services legally provided by another business operator" (crawling the internal system data of a target website by crawler).

In addition to crawling by means of algorithms set in a software program, the abovementioned public data, publicly available data and semi-public data can also be obtained by manually browsing, copying, downloading and integrating data or information. Such manual collection of the abovementioned source data does not directly violate relevant laws and regulations. However, care should be taken that the ownership of the relevant data-related intellectual property rights is clear and that the use of the data itself does not constitute unfair competition.

The main method of obtaining product data externally is data purchase. In purchasing data, attention should be paid to the legal risks relating to the seller's qualification, the data object and the data content. Prior to the conclusion of a purchase agreement, due diligence on the data seller's credit standing and conditions should be required, to investigate whether the data seller has a record of administrative or criminal penalties, whether its credit standing is good, and whether its products and services meet the mandatory requirements of laws, administrative regulations and relevant national standards. The compliance of the data seller's business scope and industry qualifications should be confirmed, and the data seller's business scope should be compared with the scope of data provided. It should also be confirmed whether the data seller has applied security authentication or testing, and whether it meets cybersecurity level protection and information protection requirements, to avoid commercial risks. If the data seller is not the data generator, the above qualifications of the data generator should be reviewed as well, and it should be confirmed that the data seller has the right to sell the data.

Secondly, if the relevant data is related to the CII (critical information infrastructure) sector, it is necessary to confirm the data object and content of the data purchased. Unauthorized data involving personal information should not be purchased.

Where the purchase of network products and services may affect national security, a cybersecurity review should be passed, and a security confidentiality agreement should be entered into with the provider in accordance with the requirements of the security review measures for network products and services. Any violation of such obligations could result in a high fine, suspension of business or other administrative penalties, or even the risk of criminal liability for the "crime of failing to perform the obligation of managing the security of information networks".

Where a data purchase involves personal information, network operators can only purchase desensitized data that has been processed so that specific persons cannot be identified and the data cannot be recovered. If data recipients purchase identifiable personal information of citizens without the consent of the data subjects, they will face administrative penalties of confiscation of income and imposition of a high fine, and the purchase will constitute the "crime of infringement of personal information of citizens" if the circumstances are serious. Where the data subject has agreed, data recipients obtaining user information through the Open Platform Interface (Open API) shall adhere to the principle of "user authorization" (user authorization upon registration) + "data sellers authorization" + "user authorization" (further knowledge and consent concerning specific use matters). If data recipients obtain and use the user information held by the data sellers without the authorization and consent of the data sellers, this may constitute unfair competition against the data sellers and give rise to liability for damages.

In addition, with respect to data carrying commercial and legal risks, the big data platform operator may bind the seller to commitment and warranty terms in the purchase contract at the time of purchase, so that the data is obtained in a formally lawful manner through the seller's confirmation of data legality or qualification in the purchase contract. However, contractual commitments and warranties may not fully exempt purchasers from the legal and infringement risks arising under mandatory provisions of laws and regulations.


The final category of product data acquisition is "data precipitation", which is associated with platform users and is generated from the use of data products. Data precipitation is the generation of information content by users using the analysis software and/or services of the big data platform. The platform user agreement may stipulate that the platform operator is entitled to possess, use, profit from and dispose of all such information content (including but not limited to text, pictures, audio, video, graphics, interface design, layout framework, relevant data or electronic files, etc.). The platform may obtain and use the data once generated, provided that the activity of generating such data is based on the agreement between the platform and the user. If precipitation data is not generated from the user's use of the platform based on the agreement, then to avoid any ownership dispute the user agreement and the privacy policy shall be revised to make the precipitation data belong to the platform.

The big data platform operator's use of data obtained through the above activities includes data filtering and publishing, and data access by users. The platform operator will filter the acquired data, finding and correcting identifiable errors in the data files, including checking the consistency of the data and handling invalid and missing values, and will upload the data to the corresponding platform page for publishing after the filtering process. When analyzing and using the available data resources to publish information such as market forecasts, statistics, and personal and enterprise credit information, the platform operator shall take care that doing so does not affect national security, economic operation or social stability, or harm the legitimate rights and interests of others.

After the data product is published, the platform operator may open to authorized users access to the existing data on the platform, including public data, publicly available data, manually replicated semi-public data, purchased data and precipitated data, and users may browse, copy, download, analyze and prepare forms (if any), etc. However, it should be noted again that the data uploaded to the platform should at no time include the personal information or privacy information of specific natural persons, nor contain any content or information that violates the Cyber Security Law, such as content endangering national security. Meanwhile, according to the Cyber Security Law, the big data platform operator shall conduct risk assessment on a regular basis and submit an assessment report to the Cyber Security Administration, which report shall at least include 1) the type and quantity of important data, 2) the data processing activities, and 3) the risks faced by the data, and the countermeasures.

In the final link of data use, "Open User Access to Data", the collection and use of user data will be involved in order to achieve the business function of the product or service. The platform operator shall develop and disclose rules for collection and use, which may be included in the website's privacy policy or made available to the users in other forms, subject to the explicit consent of the users; and any collection of important data or personal sensitive information shall be filed with the local Cyber Security Administration for the record. When providing user data to others, the data needs to be processed to the extent that a specific individual cannot be identified and cannot be recovered.

In the Internet era, with the deep integration of information technology and industry development, data has become an important strategic resource for enterprises. User information, transaction data and product data of various industries have emerged one after another, and the real security risks faced by all kinds of data have become urgent problems. In short, because of the high variability and complexity of data, the key to data product compliance lies in considering the legitimacy of the previous link and even of the source data. Faced with specific and detailed data, we should adhere to the attitude of tracing the source, and carefully verify the source of the data and the corresponding legal regulations, so as to avoid mistaking a part for the whole picture, like blind men feeling their way. Data has no consciousness and technology is merely neutral; legislating for data is planning for the future.

Whether it is personal information constantly flowing into the invisible sea of data, or commercial product data disseminated through offline-assisted directed matchmaking, how to standardize data collection at the source and how to use and protect the truly core data are questions on which we expect and welcome more in-depth exploration.


Lawyer Introduction


ELLY LIU

Tel:13671553378

Email:liujing@gcls.cn

Main Fields: Corporate, Investment & Financing, Fund Business

Working Languages: Chinese, Japanese

BRIEF INTRODUCTION

Elly Liu graduated from East China University of Political Science and Law with a master's degree in international finance law and supervision. She previously worked at a well-known transnational enterprise and financial institution. She has a varied professional background, with practice fields spanning funds, internet finance and corporate matters. Elly Liu is highly sensitive to product innovation and the regulatory situation in the financial field, and provides comprehensive legal services for all types of financial institutions, especially for raising investment for fund project establishment and for investment deals.