©2024 Zhejiang Zhiben Law Firm. All rights reserved.
LABEL: Telecommunications, media, entertainment and high technology; Insurance; Compliance business
Introduction
In the previous interpretation (see: Interpretation of Insurance Industry Data Compliance Series One - Typical Case Analysis of Insurance Industry Data Compliance), we sorted out the penalty cases in the insurance industry in recent years, especially those involving economic penalties, restrictions on employees and executives, and even criminal liability. Such penalties not only damage the company's reputation and cause economic losses (such as fines), but also directly put personal careers at risk. As of this year, serious cases of illegal activity are still being exposed in the insurance industry, which shows that compliance in the insurance industry is not only necessary but also urgent.
Based on the previous interpretation, this article will further clarify the legal system of data compliance in the insurance industry, especially the legal knowledge related to personal information protection, providing quick guidance for data compliance in the insurance industry, helping enterprises accurately identify legal basis, and carry out corresponding compliance work.
1、 What regulations are necessary?
The legislative system in the field of data is vast, and for non-professionals it has considerable entry barriers and is difficult to understand. For the insurance industry, it can be summarized as a "1+1" legal framework: the general data legal regulations, plus the specialized system for data compliance in the insurance industry. By understanding this "1+1" framework, one can roughly grasp the main legal provisions. Combined with business practice and the assistance of professional institutions, risks in the data field can be identified and corresponding compliance measures constructed.
1. In terms of data legal regulations, at least two areas are involved: data security and personal information protection, of which personal information protection is particularly important for the insurance industry. In the field of data security, it is necessary to understand the Data Security Law and its supporting regulations. The Data Security Law requires enterprises to carry out data classification and grading: to inventory the data they hold and to divide it into general data, important data, and core data according to the relevant guidelines. Among these, the identification and protection of important data matter most. In the field of personal information protection, it is necessary to understand the Personal Information Protection Law and its supporting regulations. The Personal Information Protection Law stipulates the requirements enterprises must meet when processing personal information, the obligations to protect personal information, and the rights of individuals over their personal information.
2. In terms of regulations specific to the insurance industry, it is necessary to understand the relevant legal provisions and special requirements of the State Administration for Financial Regulation (formerly the China Banking and Insurance Regulatory Commission), such as the Insurance Law, the Regulations on the Management of Insurance Companies, the Notice on the Special Rectification of Violations of Personal Information Rights and Interests by Banking and Insurance Institutions, and the Draft Measures for Data Security Management of Banking and Insurance Institutions.
In addition, the premise of data security is network security, so it is also necessary to understand and master the relevant content of the Cybersecurity Law.
2、 What legal provisions are involved in the protection of personal information in the insurance industry?
Personal information protection compliance is the most important part of data compliance in the insurance industry. In the public penalty cases to date, insurance companies and their employees have mainly been punished under laws and regulations on personal information protection, and the main cause of the violations has been non-compliance with those personal information protection rules.
1. Interpretation of the Main Content of the Personal Information Protection Law
The Personal Information Protection Law is China's first specialized and fundamental law on personal information protection. It comprehensively regulates the processing of personal information and clarifies the obligations of personal information processors and the rights of individuals in personal information processing activities.
(1) Clarify the scope of personal information. The concept of personal information is a prerequisite for personal information protection and a core compliance topic: clarifying what counts as personal information guides the personal information protection work a company will carry out going forward. The Civil Code adopts the "identification theory" for recognizing personal information, taking as its standard whether the information can identify a specific natural person, either on its own or in combination with other information. The Personal Information Protection Law adopts the "identification theory + association theory", defining personal information as "various information related to identified or identifiable natural persons".
According to GB/T 35273-2020 "Personal Information Security Specification", two paths should be considered when determining whether a piece of information is personal information, and information that meets either one is personal information. The first is identification, that is, from the information to the individual: a specific natural person can be identified from the particularity of the information itself, so personal information is information that helps identify a specific individual. The second is association, that is, from the individual to the information: where a specific natural person is already known, the information generated by that person in their activities (such as personal location information, personal call records, personal browsing records, etc.) is personal information. For example, if the company has an employee named Zhang San, the company already knows a specific natural person, Zhang San, and all information related to Zhang San is therefore personal information for the company. When handling Zhang San's personal information, the company must comply with the requirements of the Personal Information Protection Law; at this point it is not necessary to examine whether each individual item of Zhang San's information can identify him directly, or only in combination with other information, in order to decide whether it is personal information. As for the specific types and fields of personal information, the corresponding national standards and other documents provide examples, which companies can compare against and refer to in practice. On this basis, the Personal Information Protection Law also introduces the concept of sensitive personal information and provides it with special, stricter protection.
(2) Establish the legal basis for personal information processing. Objectively speaking, the processing of personal information is an intrusion into, or an impact on, the personal information rights and interests of natural persons. Therefore, processing without a legal basis or justification is an infringement of those rights and interests. Simply put, there are two main types of legitimate grounds for personal information processing: the first is informing the individual and obtaining their consent, whose legitimacy comes from the valid consent of the personal information subject; the second is statutory grounds, meaning that where a situation or reason stipulated by laws and administrative regulations exists, the processing activity is lawful. The legal basis of personal information processing is currently a pain point and a difficulty for most companies in industry practice, and often becomes one of their compliance risk points.
(3) Diversified compliance pathways for cross-border transmission of personal information. Cross-border transmission of personal information is also currently a hot topic in industry practice. The Personal Information Protection Law provides three paths for data export: a security assessment organized by the cyberspace administration, personal information protection certification, and the signing of standard contracts. In addition, in March of this year the Cyberspace Administration of China issued the "Regulations on Promoting and Regulating Cross-border Data Flow", which exempts some scenarios and relaxes some declaration thresholds and standards; it is also one of the key legal provisions to consult for data export.
(4) Protect the rights of individuals in personal information processing activities. In a dedicated chapter, Chapter 4, the Personal Information Protection Law stipulates the rights of individuals to be informed, to make decisions, to access and copy, to data portability, to deletion, and other rights that individuals hold against personal information processors in personal information processing activities. This effectively protects personal information rights and interests.
(5) Clarify the obligations of personal information processors. Chapter 5 of the Personal Information Protection Law specifically stipulates the obligations of personal information processors, mainly general obligations and special obligations. General obligations mainly include formulating internal management systems and operating procedures, classified management, adopting technical measures, personnel training and management, and developing and organizing emergency plans; special obligations include designating a person in charge of personal information protection, establishing a domestic representative office, conducting compliance audits, carrying out personal information protection impact assessments, notifying of data breaches, and the additional obligations of very large platforms.
(6) Clarify the obligations of Internet platforms. This mainly concerns the regulatory compliance obligations imposed on the "gatekeepers" of the Internet ecosystem, namely large-scale Internet platforms. It draws on the provisions on very large online platforms and digital intermediary service providers in the EU Digital Markets Act and Digital Services Act. According to the Personal Information Protection Law, the so-called "gatekeepers" are "personal information processors who provide important Internet platform services, have a large number of users, and have complex business types". However, there is as yet no authoritative standard for identifying a "gatekeeper".
2. What risks does the insurance industry face in terms of personal information protection compliance?
Personal information protection compliance in the insurance industry involves many business scenarios, such as insurance application, underwriting, claims, customer service, etc. We will analyze the compliance points of each scenario in subsequent interpretations in this series. Based on the personal information protection penalty cases in the insurance industry, we first emphasize the compliance requirements on the legal basis (consent), automated decision-making, and responding to personal information rights.
(1) Legitimacy basis (consent) risk
The Personal Information Protection Law for the first time clarifies, at the level of statute, the legal bases for personal information processing, including: (1) obtaining the individual's consent; (2) necessity for the conclusion and performance of a contract to which the individual is a party, or for human resource management carried out in accordance with lawfully formulated labor rules and regulations and lawfully signed collective contracts; (3) necessity for fulfilling statutory duties or obligations; (4) necessity for responding to sudden public health emergencies, or for protecting the life, health, and property safety of natural persons in an emergency; (5) processing personal information within a reasonable scope for news reporting, public opinion supervision, and other activities in the public interest; (6) processing, within a reasonable scope and in accordance with this law, personal information that individuals have disclosed themselves or that has otherwise been lawfully disclosed; (7) other circumstances stipulated by laws and administrative regulations.
It should be noted that the primary legal basis is informed consent, while the other six legal bases are supplementary. "Notification" and "consent" need to be understood separately, with the focus on the disclosure obligation of personal information processors. Article 17 of the Personal Information Protection Law requires personal information processors to inform individuals truthfully, accurately, and completely, in a prominent way and in clear and understandable language, which is also an important way of strengthening personal information processors' self-compliance. Even where individual consent is not required, informing users may still be necessary. This is not only a significant compliance obligation for the company, but also a compliance point that is easily overlooked in daily legal work. For example, in a certain insurance business scenario, the company's processing of users' personal information such as name, ID card number, and mobile phone number is necessary for performing the insurance contract, and may therefore fall under the circumstances where consent is not required. However, this does not mean that the company no longer needs to fulfill the obligation to inform: personal information subjects still have the right to know, and personal information processors should always meet the requirement of transparency.
Consent is the most fundamental and important legal basis. However, taking the insurance industry as an example, with tens of thousands of C-end users it is difficult to obtain the consent of every user. On the one hand, most companies will improve their privacy policies and other external texts, or provide users at other touchpoints with texts such as a "Personal Information Disclosure Consent Form", and obtain consent by requiring them to tick a box or sign; on the other hand, given that the legal provisions above also specify the circumstances in which consent is not required, most companies hope to claim that they meet one of those conditions in order to avoid fulfilling the "consent" obligation. We understand that there is uncertainty about whether a legal basis other than individual "consent" applies. We recommend adhering to the principle of obtaining authorized consent so as to fully secure the legal basis of the company's personal information processing activities.
(2) Automated decision-making risk
For insurers, automated decision-making and commercial marketing are key tasks in the daily business process, and the processing of personal information in them is subject to corresponding compliance requirements. The Personal Information Protection Law defines automated decision-making as the activity of automatically analyzing and evaluating an individual's behavior habits, interests, or economic, health, or credit status through computer programs, and making decisions on that basis. Simply put, it means making the corresponding decision through a computer system without human involvement. According to the Personal Information Protection Law, there are three main compliance points:
① Prohibit unreasonable differential treatment. Personal information processors using personal information for automated decision-making should ensure transparency and fairness in decision-making, and should not impose unreasonable differential treatment on individuals in terms of transaction prices or other transaction conditions.
② Provide options not based on personal characteristics, or a way to refuse. When using automated decision-making to push information to individuals and conduct commercial marketing, options that are not tailored to their personal characteristics should be provided, or a convenient way for individuals to refuse should be provided.
③ Compliance requirements when automated decision-making has a significant impact. Where a processor uses automated decision-making to make a decision that has a significant impact on an individual's rights and interests, the individual has the right to request an explanation from the personal information processor, and has the right to refuse a decision made solely by automated means.
In addition, attention should be paid to the compliance requirements of the Regulations on the Management of Algorithm Recommendation for Internet Information Services for algorithm recommendation services, including personalized recommendation: implementing the primary responsibility for algorithm security; establishing and improving management systems and technical measures such as algorithm mechanism review and information release; providing professionals and technical support appropriate to the scale of the algorithm recommendation service; and, for algorithm recommendation service providers with public opinion attributes or social mobilization capabilities, performing the related algorithm filing obligations.
(3) Risk response to personal information rights
Chapter 4 of the Personal Information Protection Law specifically stipulates the rights of individuals in personal information processing activities. In practice, users' awareness of protecting their personal information has become increasingly strong. Many clients, in their engagements with us, particularly hope that we can optimize and design their internal channels for responding to personal information requests, to meet the growing demand for exercising personal information rights. The insurance industry should actively respond to users' legitimate rights requests, including the following compliance points:
① Personal information inquiry. In response to a user's inquiry, the corresponding content should be provided promptly, including the personal information, or types of personal information, held about the APP user, the source and purpose of use of that information, and the identity or type of any third parties that have already obtained it.
② Correction of personal information. Provide methods for requesting correction or supplementation of information, for example by giving the operator's email address, landline number, etc. in the privacy policy.
③ Personal information deletion. Users may request deletion when they discover that the APP has collected personal information in violation of laws and regulations or of the agreement between the two parties. Where the personal information processor has shared or transferred the personal information to a third party, the APP operator shall, in addition to deleting it itself, notify the third party to delete it.
④ Withdrawal of authorization and consent by the individual. The APP provides users with a function or option to withdraw their consent, safeguarding their right to refuse commercial advertising based on their personal information.
⑤ Account cancellation. After accepting a request to cancel an account, if manual processing is required, verification and processing should be completed within the promised time limit (not exceeding 15 working days).
⑥ Obtaining a copy of personal information. The APP should provide users with a way to obtain a copy of the following types of personal information, or to transmit a copy to a designated third party: basic personal information and identity information; personal health and physiological information; and educational and work information.
3、 Special regulations on personal information protection in the insurance industry
In addition to the top-level legal provisions on personal information protection at the national level, the insurance industry has its own legal provisions, which are usually the basis on which the insurance regulatory authorities punish violations of personal information protection. They mainly include: the Insurance Law, the Regulations on the Management of Insurance Companies, the Notice on the Special Rectification of Violations of Personal Information Rights and Interests by Banking and Insurance Institutions, and the Draft Measures for Data Security Management of Banking and Insurance Institutions.
1. Insurance Law
The Insurance Law mainly regulates insurance activities, clarifies insurance contracts and insurance operating rules, and sets requirements for insurance companies, insurance agents, and insurance brokers. But it also contains provisions relevant to the protection of personal information.
In practice, Article 116 and Article 161 of the Insurance Law are both used by the insurance industry regulatory authorities as the basis for punishing violations of personal information protection. For example, in our series of interpretations (see: Interpretation of Insurance Industry Data Compliance Series One - Typical Case Analysis of Insurance Industry Data Compliance), a certain insurance company was punished on the basis of these articles by a local regulatory bureau of the State Administration for Financial Regulation for illegally collecting and using personal information.
It is worth noting that the Personal Information Protection Law carries the heaviest penalties: there is no lower limit on fines for enterprises, and the maximum can reach 50 million yuan or 5% of the previous year's turnover; for individuals, fines start at 100,000 yuan and go up to one million yuan, and they may be prohibited from serving as directors, supervisors, senior management personnel, or personal information protection officers of relevant enterprises for a certain period. In addition to fines and employment restrictions, violating the Personal Information Protection Law may also result in confiscation of illegal gains, an order to suspend the related business or to suspend operations for rectification, and notification of the relevant regulatory authorities to revoke the relevant business permit or business license.
If regulatory agencies impose penalties under the Personal Information Protection Law instead of the Insurance Law, companies face heavier legal liability. For practitioners, the Personal Information Protection Law may prohibit them from serving as directors, supervisors, senior management personnel, or personal information protection officers of relevant enterprises for a certain period; the Insurance Law may bar them from the insurance industry for a certain period, up to a lifetime ban. The two differ in this respect: the Personal Information Protection Law mainly restricts appointment to executive and similar positions in enterprises for a certain period, while the Insurance Law can bar entry into the insurance industry for life.
2. Regulations on the Management of Insurance Companies
The "Regulations on the Management of Insurance Companies" mainly stipulate the punishment powers of the insurance regulatory authorities. Article 69 stipulates that insurance institutions or their employees who violate these regulations shall be punished by the China Insurance Regulatory Commission in accordance with laws and administrative regulations; where laws and administrative regulations contain no provision, the China Insurance Regulatory Commission shall order correction, give a warning, and impose a fine of between one and three times the illegal gains on those who have obtained illegal gains, not exceeding 30,000 yuan; where there are no illegal gains, a fine of not more than 10,000 yuan shall be imposed; those suspected of committing a crime shall be transferred to the judicial organs to be held criminally liable in accordance with the law.
3. Notice on the Special Rectification of Violations of Personal Information Rights and Interests by Banking and Insurance Institutions
In August 2022, nearly a year after the Personal Information Protection Law came into effect, the former China Banking and Insurance Regulatory Commission issued a notice to the banking and insurance regulatory bureaus, banking and insurance institutions, and others on the special rectification of infringements of personal information rights and interests by banking and insurance institutions. The notice required banking and insurance institutions to comprehensively examine their business practices and management requirements relating to consumer personal information processing activities since 2021, thoroughly search for problems in their own personal information protection, and compile a list of problems. Each banking and insurance institution should establish a file for every problem to ensure that rectification and accountability are in place. Violations of banking and insurance regulations must be dealt with in accordance with the rules; improper operational behavior should be stopped or corrected immediately; where there are serious violations of consumers' information security rights, such as leaking personal information, those responsible should be held accountable; issues involving illegal and criminal activities should be transferred to the judicial authorities for punishment.
In March of this year, the General Office of the State Administration for Financial Regulation issued a notice to the regulatory bureaus, large banks, joint-stock banks, foreign-funded banks, direct banks, wealth management companies, insurance group (holding) companies, insurance companies, and insurance professional intermediaries on the main problems discovered in the special rectification of infringements of personal information rights and interests by banking and insurance institutions. It pointed out that "a large number of problems or hidden dangers were discovered in the specific implementation of personal information processing". Institutions found 150,000 problems during self-examination, affecting about 200 million consumers, and regulatory inspections found more than 5,000 problems, affecting more than 15 million consumers. Five specific issues were identified:
Firstly, in personal information collection, the main issues are forced consent, over-broad authorization, and blanket authorization. For example, forcing consumers to agree to provide their information to external organizations and to its use for purposes unrelated to the business being handled. Some companies require customers, in their privacy policies and service agreements, to agree to share their personal information with the affiliated members of their group for the purposes of providing services, recommending products, conducting market research and information data analysis, etc., and this authorization is unrelated to the purpose of the business being handled.
Secondly, in personal information storage and transmission, the main issues are chaotic electronic data management, lax management of paper materials, and insecure transmission methods. For example, some insurance companies store customer information forms, ID cards, driver's licenses and other images in clear text on Internet-connected computers; some investigators in insurance companies' claims settlement centers send consumers' ID card numbers, mobile phone numbers and other information from their personal email to the public mailbox of a third-party assessment company.
Thirdly, in personal information inquiry and use, which may be the most prominent issue for insurance companies, the main problems are illegal inquiry of account information and improper use of customer information. For example, employees of banks and insurance companies can directly access the account information of the customers they are responsible for without authorization. Insurance company employees purchased on-board personnel liability insurance for dozens of customers' vehicles without their knowledge in order to meet the company's assessment requirements. Some insurance institutions use customer information to give away insurance without authorization in order to meet performance targets.
Fourthly, in third-party cooperation involving personal information, the main issue is inadequate control over third-party institutions. For example, agreements signed with third-party institutions do not specify the protection of consumer personal information, and infringements of personal information rights and interests by third-party institutions are not detected and dealt with in a timely manner.
Fifthly, in the provision and deletion of personal information, the main issues are unauthorized external provision and failure to delete personal information in a timely manner.
The content of the notice is closely tied to the requirements of the Personal Information Protection Law and corresponds to the key points of personal information protection compliance. Insurance companies should take note of it and carry out the relevant compliance work.
4. Draft Measures for Data Security Management of Banking and Insurance Institutions
Within the specialized regulatory system for data compliance in the insurance industry, attention should be paid to the provisions and legislative trend of the "Draft Measures for Data Security Management of Banking and Insurance Institutions". At present only a draft for soliciting opinions exists, and the legislation is still being advanced. However, as the first industry-level management measures in the data security field issued by the State Administration for Financial Regulation since its establishment, it undoubtedly has high and targeted reference value.
In March of this year, the State Administration for Financial Regulation formulated and released the "Measures for Data Security Management of Banking and Insurance Institutions (Draft for Comments)", consisting of nine chapters and 81 articles: general provisions, data security governance, data classification and grading, data security management, data security technology protection, personal information protection, data security risk monitoring and disposal, supervision and management, and supplementary provisions. The draft for comments makes clear that the personal information protection framework covers data collection, use, sharing, entrusted processing, joint processing, disclosure, and cross-border transmission, and specifies in detail the compliance requirements for banking and insurance institutions when processing personal information.
(1) Data collection: When collecting personal information, the principles of legality, legitimacy, necessity, and integrity must be followed. This is not only a requirement of the Personal Information Protection Law, but also a core principle emphasized in the Management Measures. Insurance institutions need to ensure that their business scenarios and data collection scope comply with the principles of "legality, legitimacy, and necessity" when collecting data.
(2) Data usage: When using personal information, insurance institutions must strictly comply with the limitations of processing purposes and cannot abuse data beyond their business scope. Especially for the use of sensitive information, the principle of "necessary and minimum authorization" should be followed. Through this specification, transparency and rationality in the data usage process are ensured.
(3) Data sharing: When sharing personal information, the data subject should be informed of the specific sharing objects, types of information, processing purposes, etc., and obtain their separate consent. This requires insurance institutions to ensure transparency in the data sharing process, especially when sharing data with parent companies, subsidiaries, or third parties, which must undergo strict compliance review and authorization procedures.
(4) Data entrusted processing: When insurance institutions entrust personal information to a third party for processing, they must sign a clear agreement and inform the data subject of the purpose of processing and the type of information. This requirement aims to ensure full compliance in data processing and protect the right to information and choice of data subjects.
(5) Joint data processing: When involving two or more data processors, insurance institutions need to clearly define processing responsibilities and ensure transparency and compliance in the joint processing process. Banks and insurance institutions must ensure that all participants fulfill their respective security obligations and prevent data abuse when conducting joint processing.
(6) Data disclosure: Before disclosing personal information, strict review is required to ensure that the data subject has consented and that legal requirements are met. Unauthorized disclosure may lead to serious legal consequences; therefore, in principle, insurance institutions should not disclose personal information without the individual's consent.
(7) Cross-border data transmission: When conducting cross-border transmission of personal information, institutions must ensure that the data recipient has sufficient security measures in place and conduct security assessments in accordance with relevant laws. Cross-border data transmission often involves complex compliance requirements, so insurance institutions must strictly follow the declaration or filing process stipulated by the state.
Source: Compiled by the Jindu Network Security and Data Compliance Team
4、 The relationship between the legal system of data security and the insurance industry
On June 10, 2021, the Data Security Law was officially promulgated, and it came into effect on September 1, 2021. The Data Security Law consists of seven chapters and fifty-five articles, including general provisions, data security and development, the data security system, data security protection obligations, government data security and openness, legal responsibilities, and supplementary provisions. The legal system for data security is relatively systematic and complex, but for data compliance in the insurance industry the two points most likely to arise are that important data may be involved in the business, and that data security review may be triggered in scenarios such as an overseas listing. Therefore, the main focus can be placed on the classification and grading protection system and the data security review system.
1. Data classification and grading protection system
Article 21 of the Data Security Law stipulates: "The state establishes a system for classifying and grading data protection, and implements classification and grading protection for data based on its importance in economic and social development, as well as the degree of harm it may cause to national security, public interests, or the legitimate rights and interests of individuals and organizations in the event of tampering, destruction, leakage, illegal acquisition, or illegal use. The national data security work coordination mechanism coordinates relevant departments to formulate important data catalogs and strengthen the protection of important data." The "data classification and grading" in the Data Security Law adopts a legislative approach that combines the "importance level" and the "harm level" of data to implement classification and grading protection, and in particular lists data "related to national security, the lifeline of the national economy, important aspects of people's livelihood, major public interests, etc." as national core data, subject to a stricter management system.
Generally speaking, identifying important data is a challenge in enterprise data compliance, and the same applies to insurance companies. According to the draft Measures for the Management of Data Security of Banking and Insurance Institutions, important data refers to data in specific fields, groups, or regions, or data reaching a certain level of precision and scale, which, once leaked, tampered with, or damaged, may directly endanger national security, economic operation, social stability, or public health and safety. On March 22, 2024, the national standard GB/T 43697-2024 "Data Security Technology: Rules for Data Classification and Grading" was officially released; it includes guidelines for identifying important data and provides an important reference for enterprises to identify important data and take corresponding protection measures. In important data identification work, enterprises should take into account both data types and data scale, actively carry out self-identification, and ensure that data security measures are implemented in place.
2. Data Security Review System
"National security review" is a national security review and regulatory system first established by China's National Security Law. According to Article 59 of the National Security Law, "The state establishes a system and mechanism for national security review and supervision, and conducts national security reviews on foreign investment, specific items and key technologies, network information technology products and services, construction projects involving national security matters, and other major issues and activities that affect or may affect national security, effectively preventing and resolving national security risks."
The data security review system and the network security review system are two important security review systems established by law within the national security review system. Article 24 of the Data Security Law stipulates: "The state shall establish a data security review system to conduct national security reviews on data processing activities that affect or may affect national security." Article 35 of the Cybersecurity Law stipulates: "Operators of critical information infrastructure who purchase network products and services that may affect national security shall undergo national security reviews organized by the national cyberspace administration department in conjunction with relevant departments of the State Council."
The data security review system in the Data Security Law is different from the network security review system in the Cybersecurity Law. The former mainly targets data processing activities that affect or may affect national security, including data collection, storage, use, processing, transmission, provision, disclosure, etc.; the latter mainly targets the procurement of network products and services by critical information infrastructure operators that affect or may affect national security.
It is worth noting that those who violate the Data Security Law will bear severe legal responsibilities. Chapter 6 of the Data Security Law specifies legal responsibilities for failure to comply with or violation of relevant regulations, with a maximum penalty of 10 million yuan or ten times the illegal gains. Those who commit crimes will be held criminally responsible in accordance with the law.
5、 Implications for Corporate Compliance

