[Expert point of view] Wang Chunhui: Interpretation of the "Evaluation Measures for Data Outbound"

Author: Wang Chunhui (Director of the Research Base of Network Space Governance and Digital Economy (Yangtze River Delta))

On October 29, 2021, the National Network Information Office announced the "Evaluation Measures for Data Outbound Security (Draft for Soliciting Opinions)" (hereinafter referred to as the "Draft for Soliciting Opinions"). Based on, the State Cyber ​​Information Office revised and improved the "draft of comments". On July 7 this year, the National Internet Council conducted a "Measures for Evaluation of Data Outbound Security" (hereinafter referred to as the "Measures"), which will be implemented from September 1.

The purpose of my country's data outbound security assessment is to ensure the preventive risk of data outbound security, and to ensure that data flow and flow in an orderly manner according to law. In order to achieve the above -mentioned goals, the "Measures" proposed that the data outbound security assessment should follow two basic principles: first, adhere to the principle of combining the combination of advance evaluation and continuous supervision; the second is the principle of combining risk self -assessment and national security assessment.

Article 4 of the Measures clearly states that if there is one of the following four circumstances, the data processor shall be reported to provide important data to the outside world; The data processor of the information provides personal information to the overseas; third, from January 1 last year, the data processor with 100,000 personal information or 10,000 sensitive personal information provides personal information to the country; the fourth is the country Other situations stipulated by the online information department need to declare data outbound security assessment. The applicant's application for data outbound security assessment shall be submitted to the national network information department through the provincial online information department where the local provincial -level network information department is located.

It is worth noting that compared with Article 4 of the previous "Measures" for the previous "Measures", there are two biggest changes. Data processors are merged into one to provide personal information overseas. The main body of this model is two -one is "key information infrastructure operator", and the other is "data processor who handle more than 1 million personal information". The data processed by the former is important data. As long as they leave the country, they must declare security assessments unconditionally. ) On the basis of providing more than 100,000 personal information to overseas or more or more sensitive personal information, "from January 1, last year", it has clear The calculation basis and start and end time of personal information.

So, what are the focus of self -assessment of data outbound risks? What are the risks of national data outbound security assessment? The author believes that for related Internet companies, the following aspects should focus on:

"Self -assessment" of data outbound risks, what are the focus of evaluation?

First of all, according to Article 5 of the Measures, the data processor should conduct a self -assessment of data outbound risks on the following six key content before declared data outbound security assessment: First, the purpose of data outbound and overseas receiving party processing data The legitimacy, legitimacy, and necessity of scope, method, etc.; the second is the scale, scope, type, type, and sensitivity of outbound data. The outbound outbound outbound may bring the risks of national security, public interest, individual or organization's legitimate rights and interests; It is the responsibility and obligations promised by the overseas receiver, as well as whether the management and technical measures and capabilities that fulfill their responsibility obligations can ensure the security of outbound data; the fourth is that the data is tampered with, destruction, leaked, lost, transferred or transferred, or transferred or transferred after leaving the country. Is the risk of illegal acquisition and illegal use, whether the channels for the protection of personal information rights and interests are smooth; fifth is whether the data outbound related contracts set by the foreign receiver or other legal effects (hereinafter referred to as legal documents) are fully agreed Data security protection liability obligations; sixth is other matters that may affect data outbound security.

There are four major characteristics of the above self -assessment:

First, the compliance assessment of data outbound exit, focusing on whether the purpose, scope, and methods of data outbound exit conform to the legal principles of my country's data processing- "legal, legitimate, and necessary";

Second, the risk assessment of data outbound is analyzed and evaluated from the four dimensions of the scale, scope, type, type, and sensitivity of outbound data. Whether the outbound data will bring national security, public interests, individuals, or organization's legitimate rights and interests. risk;

Third, the security and security capacity assessment of data outbound, focusing on evaluating whether the overseas receiving party has the security of the data of the outbound data, especially whether the overseas receiving party can fully fulfill the security guarantee obligations stipulated in the contract according to the principle of honesty.

Fourth, the relief channel assessment of the data outbound and outbound exit, focusing on the risk of tampering, destruction, leakage, loss, transfer or illegal use, personal information rights and interests of data during the data outbound time and outbound. Whether the channels for maintenance and relief are unblocked.

What are the risks of national data outbound security assessment?

After completing the data outbound risk self -assessment, the data processor shall form a self -assessment report in accordance with the requirements of the Measures. At the same time, the relevant legal documents signed with the overseas receiver shall be formulated. Relevant provisions of the Personal Information Exit Standard Contracts formulated by the State Cyber ​​Information Office. After completing the above links, the data processor shall submit the following materials to the provincial online information department: first, the declaration form; the second is the data processing risk self -assessment report; the third is the legal document set by the data processor and the overseas receiver: Four It is other materials required for the security assessment of the network department. The provincial online information department shall complete the complete inspection within 5 working days from the date of receiving the above application materials. The "completeness" here means that the application materials are complete and no other elements need to be added. The provincial online information department will submit the "completeness" application materials to the national network information department. If the national network information department believes that the application materials are not complete, the data processor will be returned and the materials need to be supplemented at one time.

From the date of receiving the complete application materials, the national network information department should determine whether to accept and notify the data processing in writing within 7 working days. The final processing results are in three situations: First, through security assessment, data processing persons After receiving the written notice from the national network information department, you can carry out data outbound activities strictly in accordance with the relevant provisions of the Measures; the second is that the security assessment is not passed. Those should immediately stop the declaration of data that they declare; Third, for the situation that does not belong to the scope of security assessment of the "Regulations", the state's network information department notifys the data processing person will not accept it, and the data processor will not accept it. You can carry out data outbound business in accordance with relevant laws and regulations.

After the national network information department accepts the declaration, the relevant departments of the State Council, the provincial -level network information department, and the specialized institutions will be organized according to the application of data outbound fields. The risk brought by legitimate rights and interests focuses on the following factors:

The first is the legality, legitimacy, and necessity of the purpose, scope, method, etc. of data outbound;

The second is the impact of data security protection policies and regulations of the country or region where the overseas receiving party is located or the network security environment on the security of outbound data; Require;

Third, the scale, scope, type, type, and sensitivity of outbound data, the risk of tampering, destruction, leakage, loss, transfer or illegal utilization after departure and exit;

Fourth, whether data security and personal information rights can be fully guaranteed;

Fifth, whether the data processor and the overseas receiving party have fully agreed the liability for data security protection in the legal documents planned by the foreign receiver;

The sixth is to abide by Chinese laws, administrative regulations, and departmental regulations; seventh is other matters that the national network information department believes that it needs to be evaluated.

The content of the national network information department on data outbound security assessment basically maintains consistency with the content of the data processor's self -assessment. However The assessment of data security protection policies and regulations in the country or region and the network security environment on the security of outbound data; the second is the assessment of whether the data protection level of overseas receiving parties meets my country's laws, administrative regulations and mandatory national standards.

Outbound of important data can choose to use blockchain technology to use blockchain technology

my country's data outbound security assessment system must not only protect personal information, but also to ensure the security of important data outbound activities. There are a certain number of restrictions on the application for outbound security assessment of personal information, that is, "handling more than 1 million personal information" or "providing a total of 100,000 personal information or 10,000 sensitive personal information to 10,000 people from January 1 last year" ; The outbound outbound of important data must be declared security assessment, without any amount of restrictions. Because important data refers to data that may harm national security and public interests once tampering, destruction, leakage or illegal use.

The author recommends that for the outbound of important data, in the standard contract, you can choose to use blockchain technology to realize the traceability and tracking of electronic data to trace the source and track after the outbound process, and ensure that the data outbound process and the exit are valid. Protection and legal use, and make it in a state of persistent security, especially the risks such as leaking, damage, tampering, and abuse after data exit and re -transfer.

The reason for the use of blockchain technology to ensure that important data exit is based on a security state. The blockchain technology system is a comprehensive technology collection, which mainly brings together modern cryptography, distributed network technology, and chain encryption technology structures. , The latest progress of the five major technical fields such as smart contracts and consensus algorithms, as well as the latest achievements in technical directions such as database technology, timestamp technology, digital signature technology. From the above -mentioned many technologies, the system based on blockchain technology shows the "four major characteristics", namely distributed, traceable, contract execution, and convention autonomy. The blockchain technology system enables the credit on the digital information system to be used as a type of equity carrier in confirmation and transfer. During the confirmation and transfer process, there will be no risk of being leaked, destruction, tampering, and abuse. According to the interpretation of important data of the "Network Data Security Management Regulations (Draft for Opinions)", the important data mainly include the following seven types of data: first, the unintentional government data, work secrets, intelligence data, and law enforcement judicial data; Data, data related to the core technology, design schemes, production process, etc. involved in export control items, passwords, biology, electronic information, artificial intelligence and other fields that have directly influenced scientific and technological achievements on national security and economic competition. National laws, administrative regulations, and departmental regulations clearly stipulate that the national economic operation data, important industry business data, and statistical data that need to be protected or controlled; Data from key industries and fields such as taxation, key system components and equipment supply chain data; Fifth, the genes, geography, minerals, meteorology and other population and health, natural resources, and environment of the genes prescribed by relevant national departments have reached the scale or accuracy stipulated by the relevant national departments. National basic data; Sixth, the construction operation and safety data of national infrastructure, key information infrastructure, and its security data, national defense facilities, military management zones, national defense scientific research and production units such as important sensitive areas, security conditions and other data; seventh is other possible impacts National politics, land, military, economy, culture, society, science and technology, ecology, resources, nuclear facilities, overseas interests, biology, space, polar, deep sea and other security data.

From the content of the above seven kinds of "important data", it mainly involves national security and public interests. After these data are out of the country, once tampering, destruction, leakage or illegal acquisition, or illegal use may seriously endanger national security and public interests. The author suggested that important data should be based on the principle of "unnecessary mirror", an exception of outbound exit. Only under the basis of specific purposes and adequate conditions, and adopting strict protection measures before leaving the country.

(Source: rule of law network)

- END -