Analysis of foreign data security regulations
As human beings enter the digital economy era, countries around the world's dependence on data has increased rapidly, and data has become a basic strategic resource of the country, which has had an important impact on social lifestyle, economic operation mechanism , national governance capabilities, etc. The focus of national competition is shifting from the competition for land, population, capital, and resources to the competition for data. In the future, the competitiveness at the national level will be partially reflected in a country's ability to scale, develop, utilize and control data. "Data sovereignty" will become the space for another major power to play after border defense, coastal defense and air defense. In recent years, my country's " Network Security Law ", "data security law", " Personal Information Protection Law " and other data security-related laws and regulations have successively promulgated, providing institutional support and legal guarantees for the construction of data security. Compared with developed countries in the world, my country's data security industry started late. By referring to the data security policies and strategic policies of other countries and regions, it can help us to have a deeper understanding of the development direction of my country's data security industry. Stone Refining Network cooperated with Guohao Law Firm to jointly sort out 87 data security policies, regulations and strategies of 14 countries or organizations including Europe, North America , South America, Asia, Oceania , and Africa, including EU , Germany, France, the United Kingdom, Italy, Russia, the United States, Canada, Brazil , Japan, India, South Korea, Australia, and South Africa, and analyzed them from the overall legislative situation of each country, legal rank , relationships between laws, positioning of each law, and key content points. Due to the limited level of the author, there will inevitably be omissions and deviations. Please give me some advice.
(Follow this account and send a private message to the editor. You can download the original PDF version of the "2022 Foreign Data Security Policy Research Report" and the original PDF version of more than 80 data security policies in 14 countries)
This article is about 50,000 words, and the estimated reading time is 15 minutes.
Note: Industry colleagues are welcome to feedback on improvement, joint improvement, exchange and cooperation. Please send an email to: [email protected] for information feedback.
Statement: Beijing Lianshi Network Technology Co., Ltd. has a copyright protected by law for the content of this article and related product information. Without authorization, no one may use all or part of the content of the article for commercial purposes by transfer, sale, etc. The text or opinions of this article should be indicated if the source is indicated when reprinting or excerpting. The materials and information contained in the article, including but not limited to text, pictures, data, opinions, suggestions and other forms, cannot replace the legal opinions issued by lawyers. If any violation of the above statement is made, the Company will hold him/her accountable. During the writing process of the article, a series of references were cited to facilitate explanation of key points and explanation of meanings. If there is any infringement, please contact our company to modify or delete it.
Global Data Security Policy Research Report (2022)
European
1. Overall legislation
European data security legislation is in the world's leading position in both legislative time and legislative system. As an economic community, the EU's starting point in data security legislation is different from that of general entity countries. emphasizes technology-oriented data sharing and free flow, eliminating information barriers between member countries . To achieve this goal, the EU must build a complete legal framework in terms of data storage processing, basic rights of citizens, data security protection and supervision, and cross-border data flow.
The EU's policy decision-making characteristics are multifaceted interactive. The European Commission, European Parliament, European Council , European Council , European Commission and other institutions participated in the formulation of EU laws and regulations.The basic legal framework of the EU can be roughly divided into three levels: first-level laws, mainly referring to treaties; second-level laws, including directives, regulations, decisions, opinions and suggestions; third-level laws are case law , mainly referring to judgments or rulings on specific events or cases made in accordance with second-level laws.
EU legislation on data security. At the first-level legal level, the 1981 "Personal Protection Convention on the Automated Processing of Personal Data" is the world's first international convention on data protection; at the second-level legal level, the 1995 "Law No. 95/46/EC/ on Personal Protection Related to the Processing of Personal Data and the Free Circulation of Such Data", the 2016 "General Data Protection Regulation (GDPR)" and the 2018 "No. Regulations on Free Flow of Non-Personal Data" Regulations on Free Flow of Non-Personal Data" Regulations on Free Flow of Non-Personal Data in 2018 》, forming a unified framework for data governance ; the Cybersecurity Act 2019 established the first EU-wide cybersecurity certification plan; the European Data Strategy 2020 is committed to realizing the vision of a truly single data market; the Data Governance Act 2020, the Data Bill 2022 (Draft) 2022, the Digital Market Act 2022, and the Digital Services Act 2022 are important legislative measures taken to implement the European Data Strategy, laying the foundation for Europe's new data governance methods.
2. Key Legal Analysis
1 EU Convention No. 108
(1) Positioning
981, the European Commission passed the "Convention on the Protection of Personal Data in the Automated Processing of Personal Data" (referred to as "Convention No. 108"). Convention No. 108 is the world's first international convention on data protection. is designed to ensure that citizens within each Party’s jurisdiction, regardless of their nationality or residence, are protected in the process of automated processing of their personal data, respecting their rights and fundamental freedoms, especially respect for privacy rights.
(2) Features
Convention No. 108 is the first legally binding international document on data protection in the world. It reflects the consensus reached by European countries on personal data protection as human rights protection and promotes more countries to participate and join. The Convention establishes the basic principles on the protection of personal data and the basic obligations of each party to . The Convention also takes the protection of basic freedoms and rights of individuals as the starting point for States parties to fulfill their national obligations under the treaty. In addition, the establishment of the Convention Committee has established a multi-national cooperation framework for personal data protection to a certain extent.
(3) Main content
"Convention No. 108 (2018 edition) consists of eight chapters and 32 clauses, including general rules, basic principles of data protection, cross-border circulation of personal data, regulatory agencies, mutual cooperation, the Convention Committee, amendments to the Convention, and the final clauses.
In terms of application, the Convention clearly states that it is the personal data processing activities within the jurisdiction of the State party, covering the private sector and public sector . It is no longer limited to the "automated personal data processing" activities defined in the previous version, and is no longer applicable to data processing activities carried out by natural persons in purely personal or family activities.
Convention proposes to address data security. States parties should provide data controllers, including data processors, to take appropriate security measures to prevent accidental or unauthorized access, damage, loss, utilization, modification or dissemination of personal data. At the same time, the State party has also introduced the requirement that data controllers promptly inform regulatory agencies of personal data breaches.
In terms of obligations, the Convention puts forward broader obligations to data processing subjects, such as "evaluating the risk of data processing behaviors that may affect the rights and fundamental freedoms of the data subjects that are planned to be implemented" to reduce the risk of infringement of human rights or fundamental freedoms; " takes technical and organizational measures that take into account the rights of personal data protection at all stages of data processing ".
In the cross-border circulation of personal data, the Convention strives to ensure that appropriate protection is given in the process of processing personal data, while promoting the free circulation of data among countries. The Convention clearly states that no State Party shall prohibit cross-border transmission of data only for the purpose of protecting personal data, or set special authorization conditions. Cross-border transmissions by non-member countries must be carried out when the appropriate level of personal data protection stipulated in the Convention is guaranteed.
2 EU Directive 95
(1) Positioning
On October 24, 1995, the European Parliament and the European Council passed Directive No. 95/46/EC/ on Personal Protection Related to the Processing of Personal Data and the Free Circulation of Such Data (hereinafter referred to as Directive 95). The 95 Directive provides a basic framework and prototype for EU member states to formulate and implement data protection laws, promotes the unification of data protection standards in member states, and promotes the establishment of a global personal data protection order.
(2) Features
The "North 95 Directive" directly requires member states to improve data protection legislation in the form of directives rather than treaties, and is committed to coordinating the protection of the basic rights and freedoms of natural persons in the field of data processing, and eliminating obstacles to the free circulation of personal data within the community. first proposed the principle of informed consent of , and used "the data subject has clearly expressed consent" as one of the legal conditions for data processing ; adopted a unified legislative model and stipulated that an independent data protection agency was established, which was a typical representative of the claim of extraterritorial effectiveness in the Personal Information Protection Law.
(3) Main content
The "North 95" includes 72 preambles and 34 clauses, aiming to improve the unity of European personal information protection laws and make up for the "Convention No. 108" issued in 1980. Although it is binding on member states, there are not many countries that are truly implemented and there are differences in implementation effects, and thus respond to the dual challenges of protecting personal data rights and eliminating data circulation obstacles caused by the rapid development of information technology era.
In terms of the security of processing personal data, Directive 95 states that Member States should provide that controllers must implement appropriate technical and organizational measures (especially where processing involves the transmission of data over the network) in order to protect personal data from accidental or illegal destruction or accidental loss, alteration, unauthorized disclosure or access, and to prevent all other illegal forms of processing. Taking into account the latest technology and its implementation costs, such measures should ensure a level of security that is appropriate to the potential risks of processing behavior and the nature of the data to be protected.
In terms of data protection supervision, the Directive 95 proposes that member states should establish regulatory agencies and give them completely independent exercise functions. The rights that regulators should be granted include the right to investigate, the right to intervene, the right to legal litigation, etc.
In terms of cross-border flow of personal data, the "North 95 Directive" clearly states that the transfer of personal data to third countries must be based on the premise that the third country provides sufficient protection for personal data. To determine whether the third country has sufficient protection of personal data, the adequacy of the level of protection provided by the third country should be evaluated around the situation of data transmission operations; special consideration should be given to the nature of the data, the purpose and duration of the intended processing operation, the country of origin and final destination of the data, the current general and departmental laws and regulations of the third country, and the professional rules and security measures that the country complies with.
3 EU " General Data Protection Regulation "
(1) Positioning
On April 14, 2016, the European Parliament and the European Council passed the General Data Protection Regulation (hereinafter referred to as "GDPR"), which officially came into effect on May 25, 2018. GDPR is called "'s strictest privacy bill ". On the one hand, GDPR gives individual users more autonomy and choice over their own data; on the other hand, GDPR has formulated very strict restrictive rules for the control subjects and processing subjects of user data, effectively promoting the establishment of the EU's digital single market.
(2) Features
GDPR has elevated the protection and supervision of personal data to an unprecedented level. The EU's data protection legislation has been upgraded from "Directive" (directive) to "Regulation" (regulation). GDPR further refines rights and obligations, and establishes two new rights, namely "right to be forgotten" and "right to carry" in terms of the rights of data subjects; in terms of the obligations of data processing subjects, GDPR uses huge administrative penalties to warn the data processing subjects to strictly fulfill its compliance obligations. GDPR has extraterritorial jurisdiction design, and global enterprises may be subject to GDPR control. GDPR also establishes data protection officers and other systems to assist in the fulfillment of corporate obligations and supervision of supervisory agencies. In order to promote the implementation and effective implementation of GDPR, the EU Data Protection Committee (“EDPB”) has further introduced guidelines in a variety of specific situations. Although these guidelines are not legally compulsory, their essence is to provide guidelines, suggestions and best operations specified in specific scenarios or the corresponding provisions of GDPR, and therefore have high reference value in practice.
(3) Main content
GDPR was re-formed on the basis of the "North 95" to further respond to the gradual lack of ability to resolve security risks and challenges in the "North 95" with a total of 11 chapters and 99 items. Compared with the "North 95" which only had 34 items, as many as 3500 specific modifications were made. Two years after the GDPR came into effect, the "North 95" was abolished. At the same time, GDPR integrates the previous privacy protection directive, electronic communication privacy protection directive, and EU citizen rights directive, and coordinates the data privacy laws of each European by unifying EU regulations, protects all European citizens from privacy violations and data leakage, and simplifies the regulatory methods for data privacy in international business .
4 EU "Regulations on the Free Flow of Non-Personal Data"
(1) Positioning
On November 14, 2018, the European Parliament and the European Council jointly promulgated the "Regulations on the Free Flow of Non-Personal Data" (hereinafter referred to as the "Regulations"), which was officially implemented on May 28, 2019. The Regulations aims to unify the free flow rules on non-personal data , and form a unified framework for data governance with the GDPR that has been implemented and effective, so as to balance personal data protection and data security, and promote the EU to build a competitive digital economy under a single digital market strategy.
(2) Features
The Regulations repeal unreasonable data localization restrictions and promote the relevant rules of data migration of by abolishing unreasonable data localization restrictions and promoting the relevant rules of data migration of by professional users, strengthening the official cooperation mechanism of regulatory agencies of member states, promoting the establishment of codes of conduct for data and cloud service providers, and enhancing the trust of governments and enterprises in cross-border storage and processing of data, so as to ensure that non-personal data can flow freely within the EU.
(3) Main content
The Regulations include 39 preambles and 9 clauses, and regulate the flow of non-personal data from the two aspects of prohibiting data localization and promoting the development of new technologies. The Regulations define the scope of non-personal data, that is, data other than personal data defined in the GDPR (any information related to an identified or identifiable natural person); clarify rules for cross-border flow of non-personal data within the EU, set a framework for data storage and processing throughout Europe, and prohibit data localization restrictions; allow competent authorities to obtain data access to the data in order to perform their duties in accordance with EU law or national law, and access to the data by competent authorities shall not be rejected on the grounds that data is processed in another member state; encourage and promote the formulation of a code of self-disciplined conduct at the EU level, which is based on the principles of transparency and interactivity, reasonably considers open standards to ensure data transfer and free conversion of data service providers.
5 EU Cybersecurity Act
(1) Positioning
On April 17, 2019, the European Parliament and the European Council passed the Cybersecurity Act (hereinafter referred to as the Bill), which was officially implemented on June 27, 2019. The old version of the Cybersecurity Act (No 526/2013) was abolished. The Act established the first EU-wide cybersecurity certification program, which is of great significance to the construction of network and information communication security systems of EU member states and the improvement of security risk prevention and control capabilities.
(2) Features
The Act specifies the EU Cyberspace Security Agency (ENISA) as a permanent EU Cyberspace Security Functional Organization, implements a general network security certification system, and defines the qualification standards of the conformity assessment agency.
(3) Main content
The Act includes three parts: preamble, main text and appendix. The main text section contains three chapters, a total of 69 clauses, involving specific provisions on the repositioning of functions and tasks of ENISA (EU Cybersecurity Agency), the Cybersecurity Certification Framework and Certification Program, Information and Communication Technology (ICT) Cybersecurity Certification and other matters. The appendix part is about the specific requirements that the assessment agency that obtains certification qualifications should meet.
Among them, for the construction of the European cybersecurity certification framework, on the one hand, it will help increase trust in ICT products, ICT services and ICT processes that have been certified according to the European cybersecurity certification program; on the other hand, it will help avoid double the conflict or overlapping national cybersecurity certification program, thereby reducing the cost of enterprises operating in a digital single market.
6 EU "European Data Strategy"
(1) Positioning
On February 19, 2020, the European Commission issued the "European Data Strategy" (hereinafter referred to as the "Strategy"), marking a milestone step for the EU in the process of digital integration. The Strategy outlines European policy initiatives and investment strategies to realize the data economy in the next five years, and aims to achieve the vision of a truly single data market and to address the problems found through policy and financial measures based on the achievements made in the past few years.
(2) Features
The Strategy shows that data is the core link of this change. Data will reshape the way citizens produce, consume and live. Data-driven innovation will have a huge impact on citizens; respect for citizens' rights is the core of building a single data market. In the process of building a single data market, the EU's value concept and basic human rights requirements should be implemented. By 2030, a unified European data space will be built, a unified data market that is truly open to data around the world. Here, both personal and non-personal data, including sensitive business data, will be properly protected, and companies can also easily access almost unlimited amounts of high-quality industry data, improving growth and creating value while minimizing anthropogenic carbon emissions and environmental impacts.
(3) Main content
"Strategy" includes eight parts, including background introduction, key points, vision, problems, strategies, international paths, conclusions, and appendix (European strategic sectors and public data space creation plan in the public interest field). The implementation of the Strategy will be based on four aspects: a cross-sectoral governance framework for data access and use; promoters: investing in data and infrastructure that enhances European interoperability in data hosting, processing and use; capacity building: enhancing individual capabilities, investment skills and small and medium-sized enterprises; and European public data space in the strategic sector and public interest areas.
Among them, for the European public data space in strategic industries and public interest fields, the "Strategy" supports the establishment of European industrial (manufacturing) data public space, European green transaction data public space, European transportation data public space, European health data public space, European financial data public space, European energy data public space, European agricultural data public space, European administrative data public space, and European skill data public space, a total of 9 European data public spaces.
7 EU Data Governance Act
(1) Positioning
On November 25, 2020, the European Commission issued a proposed draft of the EU Data Governance Act (hereinafter referred to as the Bill).On April 6, 2022, the European Parliament held a final vote on the EU Bill and was approved by the parliament. The promulgation of the Act is regarded as an important legislative measure taken to implement the European Data Strategy. has strengthened the EU's empowerment of public data to a certain extent and laid the foundation for Europe's new data governance methods.
(2) Features
The Act constructs three data sharing mechanisms suitable for various industries: public sector data reuse mechanism, data intermediary agency and notification system, and data altruism system.
(3) Main content
The Act has nine chapters and 38 articles, including general provisions, reuse of certain categories of protected data held by public sector agencies, requirements for data intermediary services, data altruism, competent authorities and procedures, European Commission for Data Innovation, International Access and Transfer, Authorization and Commission Procedures, Final and Transition Terms.
The Act clarifies the conditions for reuse of data in the public sector. Allows natural or legal persons to access and reuse public data in a secure processing environment provided by the public sector. The Act restricts the sensitivity of data that can be reused and requires that the public sector that conducts data reuse have relevant technical equipment guarantees. Member States must establish a single focal point to support researchers and innovative enterprises in using data, and must establish a data reuse system that can support the public sector through technical means and legal aid. Public sector agencies should impose conditions to maintain the integrity of the functional integrity of the technical system of the safe handling environment used. The Act advocates the establishment of non-profit “data intermediaries” to provide infrastructure for public data spaces. Data intermediaries are required to register with designated competent authorities.
8 EU Data Act (Draft)
(1) Positioning
On February 23, 2022, the European Commission officially announced the full text of the draft Data Act, which is a supplement to the Data Governance Act. The Data Act (Draft) aims to ensure that data value is equitably distributed among data economic participants and promote the access and use of data, which helps achieve a broader policy goal, namely, to ensure that enterprises in all sectors of the EU can innovate and compete, effectively empower personal data, and provide more proportional and predictable mechanisms for enterprises and public sector institutions to respond to major policy and social challenges, including public emergencies and other special circumstances, with important risk control compliance vane significance.
(2) Features
The Data Act (Draft) constructs basic rules for data use rights applicable to all departments, which will promote voluntary sharing of data in individuals and enterprises, and unify the conditions for use of certain public sector data without changing the substantive rights of data or established data access and use rights. The Data Act (Draft) also adds to the Digital Markets Act proposal, which would require certain core platform service providers identified as “ Gatekeeper ” to provide more efficient portability to data generated through business and end-user activities.
(3) Main content
The Data Act (Draft) Articles involve many aspects such as data sharing, data holder obligations, public agency access, international transmission of non-personal data, cloud conversion and interoperability. The regulatory objects are mainly manufacturers and digital service providers selling products in the EU market, as well as users of such products or services, data processing service providers, etc.
The Data Act (Draft) proposes that EU laws, values and standards should be maintained (but not limited to) in terms of security, data protection and privacy, and consumer protection.To prevent illegal access to non-personal data, data processing service providers bound by the Act, such as cloud and edge services, should take all reasonable measures to prevent access to systems that store non-personal data, including, as appropriate, through data encryption, frequent audit submission, verification of compliance with relevant security assurance certification plans, and modification of company policies .
The Data Act stipulates the right of users to switch services between different data processing service providers, as well as the obligation of data processing service providers to transmit non-personal data to overseas. First, it eliminates the technical, organizational, contractual barriers to effective switching between data processing service providers; second, it clarifies the relevant requirements for data processing service providers to transmit non-personal data across borders. For example, data processing service providers should take all reasonable technical, legal and organizational measures, including contractual arrangements, to prevent international transmission or government access to non-personal data held in their own EU.
Germany: From the central to the local, from the general to the special
1. Overall legislation
In the world, Germany has always been a "model student" in data protection. Germany was the first to pass clear legislation to strictly protect data, and has established a comprehensive data protection legal system framework from central legislation to local legislation, from general legislation to specialized areas. This system is also leading the way around the world. At the same time, Germany has long been committed to the coordinated development of European legal integration in the field of data protection, which has profoundly influenced the data legislation process in Europe and even the world. In recent years, Germany has paid close attention to the challenges brought by the development of emerging technologies such as electronic monitoring, personal information storage, electronic office, industrial Internet, and video conferencing. By refining legal forms, data security risk management is strengthened.
2. Key legal analysis
1 Germany's "Federal Personal Information Protection Law"
(1) Positioning
1976, the German Federal Parliament passed the Federal Parliament, which is the most representative special law on the protection of personal information in the civil law country. The official name of the law is the "Action for the Prevention of Abuse of Personal Information Processing", which adopts a unified legislative model to uniformly regulate and protect personal information protection.
(2) Features
The Federal Personal Information Protection Law is based on the Constitution and civil law. The constitutional basis is the theory of information self-determination, and the civil law basis is the general personal rights theory. Its purpose is to provide unified and sufficient protection of personal privacy in the process of personal information processing, so as to legalize personal information processing behavior.
In terms of civil law, the maritime law system and the civil law system have different opinions. The United States, the representative country of the law of the sea, believes that privacy rights are the theoretical basis for personal information protection, and the United States Personal Information Protection Law is directly named after privacy rights; while Germany believes that according to the " German Civil Code ", general personal rights is the basic right to protect personal information.
(3) Main content
The principle of personal information protection is the core content of the Federal Personal Information Protection Law. The law has established a complete system of principles: direct principle, correction principle, clear purpose principle, safety protection principle, disclosure principle, restricted utilization principle, etc.
The Federal Personal Information Protection Law makes complete and systematic provisions on the supervision mechanism. This law sets up personal information protection committee members to supervise the processing of personal information by public authorities. At the same time, information protection personnel are also set up to supervise the processing of personal information by non-public agencies. Information protection persons are appointed by each unit to have the necessary professional knowledge and basic conditions for appointment.
Damage compensation system is a right relief measure under the Federal Personal Information Protection Law and is also the ultimate way for the personal information subject to remedy his rights. The law divides infringement of personal information into two categories, namely administrative infringement and civil infringement.This law clearly distinguishes the compensation for damages caused by two infringements, and stipulates different attribution principles and the scope of compensation respectively.
The Federal Personal Information Protection Law has clear provisions on cross-border transmission. Transnational transmission refers to the transmission of personal information by German state agencies to foreign (or regional) state agencies or non-state agencies (including international organizations) regardless of whether these agencies are in Germany or not. State organs should meet two requirements for transmission of personal information to non-state organs: First, the transmission behavior is the act of state organs performing their duties and has the requirements for the utilization of personal information; Second, the recipient of personal information has legitimate interests in the personal information required to be transmitted, and the subject of personal information has no interest worthy of protection enough to prohibit the transmission and implementation. This is also the basic condition for the cross-border transmission of personal information in the German Information Protection Law.
2 Germany's Federal Data Protection Law
(1) Positioning
977, the German Federal Parliament issued the Federal Data Protection Law, which has undergone many amendments in the decades since its inception. In November 2019, the German Parliament made the last amendment to the German Federal Data Protection Act so far. As the most important law in Germany's data protection legal system, this law plays an important role in the cause of personal data protection in Germany. The Federal Data Protection Law has always implemented the theory of personal information self-determination, and has continuously strengthened individuals' control over personal information by stipulating a series of rights such as the right to know, the right to modify, the right to consent, the right to disclose and use of personal information.
(2) Features
The Federal Data Protection Law aims to achieve the protection of general personal rights through data protection, while strengthening the theory of personal information self-determination. This means that Germany has raised the legal stance of personal data protection to the height of implementing the Constitution (i.e., " German Basic Law ") rather than simple government law enforcement work. The law connects the German data protection legal system with the General Data Protection Regulation (GDPR) promulgated by the EU in 2016 and the Directive on the Protection of Natural Persons and the Free Circulation of Data in Authorized Institutions in the Prevention, Investigation, Investigation or Arrest of Criminal Suspects or Execution of Criminal Punishment.
(3) Main content
The legal purpose is to give priority to European law rather than domestic constitution. old version of the Federal Data Protection Act pointed out that the purpose of the law is to protect personal rights from infringement during the processing of personal data. However, the new version of the Federal Data Protection Act deletes this legal purpose, which means that European law is more preferred over domestic constitutions in the Federal Data Protection Act, but the protection of personal rights is still the basis. The direct object protected by
is not data in the general sense, but personal data that is related to the individual. , as defined in the old version, personal data refers to various specific data that has a personal or substantial association with an identified or identifiable natural person. The new version of the Federal Data Protection Act deletes the definition of personal data, but the concept of "personal data" remains a basic concept used by the law from beginning to end.
legislative objectives and protection objects determine the particularity of the protection of rights and interests in this law. Before the law was promulgated, the legislative materials clearly mentioned that in view of technological progress, legislation should take appropriate measures to protect individual private spheres from infringement during data processing, that is, the concretization of general personal rights in the field of private life. With the development of society, under the modern conditions of automated data processing, the free development of personality depends on the individual's right to fight against the unlimited collection, storage, use and transmission of their personal information, namely: the theory of the right to self-determination of personal information. This shift means that Germany will raise the protection of personal data to the fundamental constitutional right to confirm.
clarifies the criminal components and penalties for infringement of citizens’ right to self-determination in their personal information. After the GDPR came into effect, the law has greatly revised the terms of crime and punishment in order to achieve the coordinated development goals of European laws.It stipulates that in the event of unauthorized, non-open personal data will be deliberately transmitted to third parties or otherwise made open by means of other means, and shall be sentenced to a free sentence of not more than 3 years or a fine.
3 Germany's "IT Security Law"
(1) Positioning
On May 28, 2021, the German Bundestag promulgated the 2.0 version of the "IT Security Law" aimed at protecting the security of important infrastructure data, and by making up for legal loopholes and expanding regulatory frameworks, we can improve the security of German IT systems and strengthen national security.
(2) Main content
Expand the permissions of the Federal Information Security Office (BSI). includes expanding the screening of IT products including routers, smart TVs, etc. in the form of technical investigations to ensure the security of the product; extracting data information from telecom service providers to identify victims of cyber attacks and providing effective support for defense against such attacks. The time limit for storing log data can be extended to up to 18 months.
Strengthens protection of digital consumers. promotes the transparency of security-related IT products through "voluntary IT security labels" and other means, especially to ensure that the IT security functions of products in consumer fields can be seen and understood by consumers.
extends the scope of critical infrastructure. The critical infrastructure industry has added "waste treatment" as a critical infrastructure department; it has expanded relevant entities to include operators with "infrastructure with special public interests" and "network-critical" operators.
Added obligations to manufacturers, suppliers and critical infrastructure departments. The law stipulates that operators of critical infrastructure sectors need to install technical defense systems to monitor attacks on their IT infrastructure. BSI will clearly define the minimum standards for core components of critical infrastructure in the future, and the critical infrastructure industry will only purchase and install manufacturer components to issue a “trusted statement”.
sets an official query contact point for cross-border transmission requirements. When providing services to Germany, an official query contact point must be set up in Germany for suppliers whose residence is abroad and therefore storing data on foreign servers.
amends the provisions on fines. increases the penalties for computer-related crimes and data protection-related crimes, and revises the fine directory. According to the violation, the fine amount can reach up to 20 million euros, or 4% of the company's total global turnover in the previous business year, whichever is higher.
4 Germany's "Federal Data Strategy"
(1) Positioning
In January 2021, the German government released the "Federal Data Strategy", which aims to increase the collection and use of data in the fields of business, science, society and administrative management, enhance data security guarantee capabilities, and make Germany a leader in European data sharing and innovative applications.
(2) Main content
The Strategy establishes four major areas of action, namely: building an efficient and sustainable data infrastructure; promoting data innovation and using data responsibly; improving data capabilities and building a data culture; making Germany a data pioneer.
(a) Building an efficient and sustainable data infrastructure: Germany and Europe must ensure a voice in the formulation of relevant standards to enhance digital sovereignty. In addition, participants in the data ecosystem are willing to share and use data only if the data infrastructure is reliable and can ensure data security.
(b) Promote data innovation and use data responsibly: The German federal government will create the appropriate framework conditions that enable the government, society, industry and scientific community to use and share data responsibly and sustainably, making it a core component of digital innovation.
(c) Improve data capabilities and create a data culture: The Strategy proposes to launch a national digital education action, provide teaching on digital topics, and gradually connect to the education systems of various federal states; with the help of the Ministry of Education and Research's "Research on Innovative Products and Services of Small and Medium Enterprises" funding measures, help German enterprises develop new digital products and production system solutions, etc.
(d) makes Germany a data pioneer: Germany establishes a digital college in the Federal Institute of Public Administration to improve the digital capabilities of federal civil servants and digital-based administrative management capabilities; jointly build an internal data platform for the federal government, so that various departments can share data in a standardized format.
UK: Based on codes, case law, and secondary statutory law
1. Overall legislation
The establishment of the UK data protection system is a product of the development and extension of the theory of personal privacy rights in Western society in the past century. Therefore, under the influence of the EU's legal framework for data protection, the UK's legislative protection of personal data and privacy has gradually formed a data protection system composed of codes, case law, civil practice, secondary statutory law and law enforcement agencies.
2. Key Legal Analysis
1 UK Data Protection Act
(1) Positioning
984, the first Data Protection Act passed by the British Parliament is an important measure in the UK to promote the development of the top-level design of the digital economy. The law proposes the basic principles of personal data protection, prohibiting data subjects from establishing data protection registrants and data protection courts as regulatory agencies and complaining agencies for the enforcement of laws, respectively.
(2) Features
maintains credibility. In order for the UK economy and society to maximize the benefit of data innovation, the public needs to know whether personal data is safe and rationally used. Therefore, the law requires relevant institutions to keep their personal information strictly confidential when using them.
promotes future trade development. cross-border data flow capacity is crucial to a country's future economic operation, and the new data protection bill is committed to promoting the maximization of data flow between the UK and the EU and other countries.
ensures security. The new bill will take measures to deal with the threat of various criminal acts and promote data sharing and security cooperation among judicial institutions in various countries.
(3) Main content
The new bill gives citizens more control over personal information, such as the right to "information-consent" right, the right to carry data, the right to be forgotten, the right to speak in user portraits, etc.
improves the protection of corporate interests. The new Act revised and improved the relevant requirements of the 1998 Data Protection Act for public and private enterprises to adapt to the needs of the development of the digital economy, help enterprises better protect personal data, and enhance their reputation and business.
increases authorization for regulatory authorities' ICO. The Information Commissioner's Office (ICO), the UK's personal data protection agency, has gained more power to safeguard consumers' interests, including the right to investigate, the right to civil penalties, criminal accountability, etc. At the same time, we will strengthen the protection of whistleblowers of illegal acts and impose fines of up to £17 million or 4% of global turnover for the most serious violations.
sets a special data protection framework for criminal judiciary. ’s new bill takes into account the situations in which criminal judiciary needs to collect, use, and share data and information in order to deal with criminal acts, and tailors the framework for processing data for law enforcement purposes.
2 UK "Privacy and Electronic Communications Regulations"
(1) Positioning
In 2003, the British Parliament passed the "Privacy and Electronic Communications Regulations (PECR), requiring electronic communications service providers to protect end user information, and the information specialist is responsible for supervising and implementing it.This regulation is the implementation of the UK's Electronic Privacy Directive (Directive 2002/58/EC) on the EU. It is in line with the UK's Data Protection Act and the UK GDPR, giving citizens the right to privacy in electronic communications and protecting consumers from the harm of information abuse and potential cybercrime.
(2) Features
This regulation includes large-scale online instant messaging services into the scope of legal supervision, making the rights and obligations between the people and enterprises clearer, and on the basis of protecting user privacy, it better promotes the development of related industries.
(3) Main content
This regulation is a data privacy regulation. Like GDPR, it stipulates that marketing activities that enterprises can and cannot carry out without the consent of the personal data subject, and provides guidance on how enterprises should handle personal and company data. In short, the Ordinance applies to all organizations that implement at least one of the following: marketing by phone, email, text message or fax; using cookies or similar technologies on the website; preparing a phone book (or similar public directory); and providing network or communication service providers. The two regulations of PECR and GDPR complement each other, but there are significant differences between the two: GDPR requires reporting of violations within 72 hours, while PECR requires 24 hours; unlike GDPR, PECR is applicable to other organizations in addition to individuals.
3 UK "Network and Information Systems Security Regulations"
(1) Positioning
" Security Regulations" that came into effect on May 10, 2018 is the British version of the "Network and Information Systems Directive" issued by the EU on July 6, 2016. It is the first cross-field regulatory regulation in the UK focusing on network security. It plays a key role in achieving UK national cybersecurity, aiming to improve the security level of networks and information systems (including network and physical elasticity) to ensure basic services and digital services.
(2) Main content
Clearly the scope of application of regulations: This regulation applies to two types of entities, one is the Basic Service Operator (OES) of the UK's energy, transportation, health and digital infrastructure sectors; the other is the Digital Service Provider (DSP). Both must adopt appropriately proportionate technical and cybersecurity countermeasures to manage the systemic risks that their underlying services or digital services rely on. The ordinance does not apply to DSPs (organizations that employ less than 50 people and have a total annual turnover and/or balance sheet less than €10 million (approximately £8.7 million)) that are considered “micro or small businesses”.
Refine the legal obligations of responsible entities: OES and DSP must take measures to ensure the security of network and information systems, including: assessing risks, preventing and minimizing the impact of security risk events, and reporting security risk events to relevant authorities in a timely manner; conducting business continuity management, monitoring and testing whether the processes and procedures comply with international standards.
stipulates the criteria for judging "major" events: This regulation stipulates that organizations shall report "major" events to their competent authorities no later than 72 hours. For OES, three factors must be considered when determining whether an event is "significant": the number of users affected by the interrupt, the duration of the interrupt, and the size of the geographical area affected by the event. For DSP, the following situations will be judged as significant events: the event causes the unavailability of services of more than 5 million users; the loss of confidentiality, integrity, availability or authenticity of data accessed by networks or information systems of more than 100,000 users; the risk of loss of public safety or life; or property damage to at least one user exceeds 1 million euros (approximately £860,000).
Specify compliance assessment department: National Cyber Security Centre (NCSC) is a UK national technical agency responsible for providing advice and assistance in cybersecurity, providing technical advice and single point of contact (SPOC) for its Computer Security Incident Response Team (CSIRT).
4 The United Kingdom General Data Protection Regulation
(1) Positioning
Since the UK left the EU at the end of 2020, it is no longer under the jurisdiction of the General Data Protection Regulation.Therefore, the country needs a new regulation to protect citizens' personal data rights, and the UK GDPR was born. The UK GDPR is the UK General Data Protection Regulation, effective January 1, 2021, covering the main principles and rights and obligations in the UK when processing personal data, and is in line with the Data Protection Act 2018, and applies to any organization that provides goods and services to UK individuals and/or monitors any personal behavior in the UK.
(2) Main content
clearly applies to personal data processed by data controllers or data processors in the UK; the UK GDPR is also applicable to data controllers or data processors not established in the UK, processing personal data in the UK (providing goods or services to data subjects in the UK, or monitoring the behavior of data subjects, where such behavior occurs in the UK).
Connecting with EU GDPR requirements for data controllers: UK GDPR continues to use the principles of EU GDPR data protection, these data principles include transparency, purpose limitations, storage limitations, data minimization, accuracy, completeness and confidentiality, and accountability.
stipulates the rights of data subjects: The rights of data subjects under the UK GDPR are roughly similar to those granted to data subjects by the EU GDPR, including the right to know, access, correction, deletion, data portability, right to not be affected by automatic decision-making, and the right to object or opt out. However, the UK GDPR has made changes to some content: access rights - access to the data subject's personal data will "affect the price of the company's financial instruments or related action decisions" or "impair the specific functions of the Bank of England" and will not allow the data subject to access; correction rights - "impair specific functions designed to protect the public" or "contradict the legal obligations of the disclosure of personal data".
UK GDPR imposes more restrictions on the transmission of personal data to third parties: According to law, transfers are allowed only if such transfers are required for law enforcement purposes; data transfer activities should be carried out under the premise of sufficient data protection measures in third-party countries; or under the premise that other appropriate protection measures are in place; or in specific special circumstances; or related to relevant authorities or international organizations in third-party countries, such as international institutions that perform relevant law enforcement functions.
Re-form penalty after Brexit: The UK needs a new way to punish data controllers found after Brexit in 2020. Therefore, the Office of the Information Commissioner or the ICO has the right to enforce the UK GDPR, with penalties similar to the EU GDPR.
5 UK "National Cybersecurity Strategy 2022-2030"
(1) Positioning
On January 25, 2022, the British government officially released the "National Cybersecurity Strategy 2022-2030". The strategy explains how the British government can ensure that the public sector effectively responds to cyber threats and draws a strategic vision to ensure that the core functions of the government are resilient to cyber attacks, strengthen the UK's status as a sovereign state, and enhance its influence, aiming to build a democratic and responsible cyber power.
(2) Main content
The pillars of this strategy are supported by five goals: sets the dimensions that need to be considered in terms of cyber resilience, providing a consistency framework and common language that can be applied to the entire government. Including: managing network security risks, preventing cyber attacks, detecting cyber security incidents, minimizing the impact of cyber security incidents, cultivating correct cyber security skills, knowledge and culture, etc.
clarifies the development goals of the stage: When all government organizations meet the results specified in the corresponding Network Assessment Framework (CAF) configuration files under the Cybersecurity Assurance Framework, the goals of the strategy will be achieved: by 2025, the government agencies identified in the key functions will "enhance" to achieve the results specified in the CAF profile; by 2026, all central government departments will achieve the results specified in the CAF profile; by 2030, all other government agencies will "basically" achieve the results listed in the CAF profile.
6 UK Data Reform Act
(1) Positioning
Local time on May 10, 2022, the UK held the opening ceremony of the National Parliament. In a speech, Prince Charles of the UK announced a new Data Reform Act, aiming to guide the UK's independent privacy legislation from the EU. The bill will be used to reform the existing General Data Protection Ordinance and Data Protection Act in the UK.
(2) Main content
The bill proposes to create a world-class data rights system with the help of Brexit, thereby creating a new UK data protection framework that is conducive to growth and trustworthy to reduce the burden on enterprises, promote economic development, help scientific innovation and improve the lives of the British people; modernize the Office of the Information Commissioner (ICO) to ensure that it has the ability and authority to take stronger actions against institutions that violate data-related legislation, while requiring them to be more responsible to Parliament and the public; increase industry participation in smart data plans, so that citizens and small businesses have more control over their data, and help people in need of health care by helping improve appropriate access to data by personal data subjects in health and social care environments.
At the same time, the bill states that it will improve its competitiveness and efficiency by reducing the burden faced by British businesses, such as establishing a data protection framework that focuses on privacy outcomes; ensuring that data can be used to empower citizens and improve their lives by providing more efficient public health care, security and government services; creating a clearer regulatory environment for personal data use, driving responsible innovation and promoting scientific progress; ensuring that regulators take appropriate action against organizations that violate data rights and ensuring citizens have a clearer understanding of their rights; and simplifying research rules to consolidate the UK's position as a tech superpower.
France: Determine the strategic position of "digital sovereignty"
1. Overall legislation
France As one of the earliest countries to develop network technology, its Internet has become very popular. The rapid development of the Internet has highlighted the importance of network management. France is committed to ensuring the security of personal information and strives to combat data security issues through legislation.
978, the Information Technology and Freedom Act was enacted, which is one of the origin laws of France to protect data security. The plan clearly elaborates on the relationship between the development of information technology and information security, that is, "Information technology should serve every citizen. Its development should be carried out in the context of international cooperation. It shall not violate human identity, human rights, privacy and public freedoms." Based on this law, France's "Personal Data Protection Law" and "Data Protection Law" came into effect and was released at the end of 2018 respectively. The fundamental purpose is to ensure the security of French personal data and important data.
994, in order to adapt to changes in the international strategic situation, France published the first defense white paper after the Cold War and regarded cyber information attacks as one of the biggest threats in the next 15 years. On this basis, France successively launched "Information System Defense and Security: French Strategy" and "France National Digital Security Strategy" in 2008 and 2015, respectively, reflecting France's emphasis on cyber information protection. The "Cyber Defense Strategy Review" released in February 2018 clearly stated that "'digital sovereignty' is an integral part of national sovereignty", and the status of data security has risen to a new strategic height .
2. Key legal analysis
1 France "Information Technology and Freedom Act"
(1) Positioning
The Information Technology and Freedom Act formulated by France in 1978 involves personal data protection, which is also one of the origin laws of data protection in France. On August 6, 2004, it was revised on "Protecting the Security of Personal Information".
(2) Features
This plan clearly explains the relationship between the development of information technology and information security, that is, "Information technology should serve every citizen.Its development should be carried out in the context of international cooperation. It shall not violate human identity, human rights, privacy, public freedom, etc. ”
(3) Main content
This plan proposes the premise of cross-border data: If a non-European Community country in the country where the data recipient is located does not provide sufficient protection for personal privacy, freedom and basic rights in terms of actual or possible processing of personal data, the data controller shall not transmit personal data to the non-European Community state; the adequacy of protection provided by the state should take into account the current regulations of the country and the security measures applicable to the country, as well as the specific characteristics of data processing, including its purpose and duration, data nature, data source, destination and other characteristics.
and if the premise is not met, exceptions for data cross-border can still be carried out, such as: is for the purpose of protecting the life of the data subject; for the purpose of protecting the public interest; for the performance of legal obligations and ensuring the normal exercise of statutory rights; for the basis of legal conditions, enter information into the public register, and according to legislation and regulatory provisions, the register in which the information is entered is intended for public reference and is open for public consultation or used by any person who proves legitimate interests; perform contracts between the data controller and the data subject, or pre-contractual measures taken in response to the request of the data subject; enter or perform contracts between the data controller and a third party, whether it is a contract concluded or to be concluded for the benefit of the data subject.
2 France's "National Security and Defense White Paper"
(1) Positioning
White Paper is an important way for France to release its national security and military strategy. In 1994, in order to adapt to changes in the international strategic situation, France released the first national defense white paper after the Cold War. More than ten years later, France made new judgments on the international security strategic situation. On June 17, 2008, the French government officially published the "National Security and Defense White Paper". This is an anti- Important documents reflecting the development of France's national security strategy and military strategy. The white paper made new judgments on the world situation after the Cold War, especially in the 21st century, and on this basis it proposed France's main national security strategy, clarified France's European defense policy and NATO policy, and determined the direction and principles of France's national defense development.
(2) Features
"France White Paper on National Defense and National Security" for the first time elevates cybersecurity to the level of national security, and regards cyber information attacks as the future 15 One of the biggest threats in the year, , emphasized that France should have effective information defense capabilities, investigate and counterattack cyber attacks, and develop high-level cybersecurity products.
(3) Main content
white paper proposes to examine national security issues with a more comprehensive perspective and consider France's security interests in a more comprehensive way, rather than being limited to defense issues. It defines the national security strategy as a strategy aimed at eliminating "all dangers and threats that may cause damage to the survival of the country". The field of national security includes defense policies, but is not limited to this. Other national policies, such as foreign policy and economic policies, will also directly serve national security.
3 France "Information System Defense and Security: French Strategy"
(1) Positioning
The White Paper on National Defense and National Security (referred to as the "White Paper") released in 2008 believes that in the next fifteen years, the threat faced by France will mainly stem from large-scale hacking attacks against national information infrastructure. This judgment prompted the French government to make a decision to significantly strengthen the national cyber defense capabilities. The National Agency for Information System Security (ANSSI), established in 2009, is the first step to fulfilling this commitment. The national strategy for information system defense and security stated in this document (issued in February 2011) just reflects the ambition contained in the White Paper, which is also based on the implementation and extension of the White Paper.
(2) Features
Strategy clearly defines four strategic goals: to become a world-class power in cyber defense; to ensure freedom of decision-making by protecting sovereign information; to strengthen the cybersecurity of national critical infrastructure; and to ensure cyberspace security.
(3) Main content
Strategy proposes seven basic tasks: prepare and analyze the environment in advance so as to make reasonable decisions; detect and block attacks, warn and monitor possible victims in real time; improve and maintain scientific research, technology, industry and human resources capabilities to maintain necessary autonomy; protect national information systems and critical infrastructure operators in order to obtain better national resistance; revise our laws to adapt to the endless trend of technological changes and new uses; carry out international cooperation in information system security, combating cybercrime and cyber defense to better protect national information systems; communicate, inform and convince so that the French can take measures to deal with challenges related to information system security.
4 France "France National Digital Security Strategy"
(1) Positioning
On October 19, 2015, French Prime Minister Manuel Valls personally signed and released the new version of "France National Digital Security Strategy", which reflects the current and future core propositions and overall arrangements for cyberspace and digital security. The French National Digital Security Strategy is an important benchmark strategy in France's digital transformation period, reflecting France's key strategic layout in protecting and promoting the country's economic, political and social development. This "Strategy" not only meets the major practical needs of France and the EU, but also has good reference significance for the development of cybersecurity and informatization in countries around the world.
(2) Features
The Strategy emphasizes that France should develop necessary scientific and technological and industrial capabilities, protect information sovereignty and digital security, and especially achieve independent development in the field of digital security and gain greater influence on the international stage. Specific measures include promoting the development of security products and services in France and Europe through industrial policies and government procurement, increasing the international publicity of French digital products and services, promoting France and the EU to stand out as indispensable global stakeholders in products in this field, becoming an international benchmark in the field of youth awareness education and the protection of women and children in cyberspace, promoting the development process and global application of the Budapest Cyber Crime Convention, strengthening France's participation and influence in international cybersecurity discussions, assisting the EU and other countries in establishing cybersecurity capabilities, and promoting the stability of global cyberspace.
(3) Main content
The "Strategic" goals lock in five major areas. The main lines of these five areas are key infrastructure and important information system security involving the fundamental interests of French countries; freedom of speech, data security and privacy protection directly related to France's core values; French digital security literacy and education, French digital security technology and industrial development; and French digital security layout in the EU and international context. Although the five major areas cover a wide range, the content of the "Strategy" is specific and pragmatic, not only has conceptual and principled strategic directions, but also corresponds to specific plans, methods, projects and implementation subjects, and maintains the continuity of previous related strategies, policies and laws, and is highly guiding and operable.
5 France "Cyber Defense Strategy Review"
(1) Positioning
In February 2018, the French General Defense and National Security Secretariat (SGDSN) issued the "Cyber Defense Strategy Review" (Revue strategy de Cyberdefense). The report proposes the French network defense model, analyzes its characteristics, and proposes six tasks and four major operating chains for network defense.
(2) Features
This file clearly states that "digital sovereignty" is an integral part of national sovereignty .The report formally proposed the concept of "digital sovereignty" for the large number of illegal possession and monopolistic data wealth of global Internet giants, saying that digital sovereignty is an important part of national sovereignty and an important guarantee for France to maintain cybersecurity and protect its independent decision-making and action capabilities. The report points out that in the face of new threats caused by the growing digitalization of society, France must safeguard its right to exercise its sovereignty.
(3) Main content
France's network defense model distinguishes offensive capabilities and defense capabilities. By distinguishing the tasks and means of network protection from the goals of intelligence and offensive operations, it strengthens the state's intervention in the security of information systems in the government and economic fields, division of labor in key areas, respects personal privacy, and allows private actors to establish a trust relationship between the services responsible for network protection. Moreover, the French cyber defense model has six tasks, including prevention, prediction, protection, monitoring, attribution, emergency response (remedial measures, criminal punishment and military operations).
6 France Personal Data Protection Law
(1)Location
France Personal Data Protection Law came into effect on November 7, 2018. This bill is a legislative measure for France to implement the EU's General Data Protection Regulations, with the purpose of protecting the security of citizens' personal data information.
(2) Features
In order to avoid the abuse of personal information data, the law extends the review obligations of data controllers and operators. In addition to complying with the "safe haven rules", data controllers and operators should also register specific documents, conduct pre-review of high-risk activities of data users, and encrypt important data information. In addition, if the data controller and user use data information for the sake of social public interest, the relevant departments may formulate separate regulations to clarify the scope of reasonable use.
(3) Main content
The law proposes that when the following conditions are met, the controller of personal data can transmit data to non-EU countries: applicable to the processing of personal data for the prevention, investigation, investigation or prosecution of criminal offenses or the execution of criminal penalties; if the personal data comes from another country and the country transmitting the data has transferred data in accordance with the effective authorization of its domestic data-related laws and regulations; a legally binding instrument proves that it provides a guarantee for the protection of personal data; or in the absence of such a decision or instrument, the data controller has evaluated all circumstances in the transfer of data and believes that there are effective safeguards. (Due to word limits, please refer to the PDF version of the report for details on the relevant content of the French "Data Protection Law" and other policies)
Italy: Privacy becomes the basic composition of "electronic citizenship"
1. Overall legislation
Italy protects personal data from the early concept of privacy and has risen to the height of human rights. Article 2 of Italy's 1947 Constitution stipulates that "the Republic recognizes and guarantees the inviolability of human rights for individuals and members of the association expressing their individuality, and requires the fulfillment of unviolable obligations in terms of political, economic and social solidarity." Based on the Italian Constitution, in 1996, Italy passed the Data Protection Law with Act No. 675, which regards privacy protection as part of a larger whole, that is, the processing of personal data should "respect the rights, basic freedoms and dignity of natural persons, especially in terms of privacy and personal identity." Therefore, privacy has become a fundamental component of “electronic citizenship.”
003, based on the Italian Constitution and the Data Protection Law and other laws and regulations, the Congress formulated and passed the Italian Personal Data Protection Code. The basic principles of personal data protection "everyone has the right to protect personal data related to themselves" are proposed, and the regulatory obligations of "ensure that the rights, fundamental freedoms and dignity of the data subject are respected in processing personal data, especially in terms of confidentiality, personal identity and right to protect personal data". The subsequent E-Commerce Law and Consumer Code are personal data protection that are suitable for different scenarios.
In terms of national strategy, in 2013, Italy released the National Strategic Framework for Cyberspace Security. The strategy covers the description of national security, the harm to the economy due to cybersecurity issues, the assessment of Italy's cybersecurity capabilities, and the division of responsibilities of the public and private sectors as stakeholders in cybersecurity. The corresponding National Plan for Cyberspace Protection and ICT Security determines specific strategic and business goals. These two heavyweight strategic documents combined with Italy's digital agenda have effectively promoted the country's digital economy.
2. Key legal analysis
1 Italy's Constitution
(1) Positioning
Constitution of the Italian Republic was adopted at the Constitutional Conference on December 22, 1947. The Constitution is the fundamental law of the country and the product of the comprehensive role of specific social, political, economic and ideological and cultural conditions. It concentrates on reflecting the actual contrasting relationship of various political forces, confirms the victory of the revolution and the real democratic politics, and stipulates the fundamental tasks and fundamental systems of the country, namely the social system, the principles of the state system, the organization of state power, and the basic rights and obligations of citizens.
(2) Features
947 Constitution stipulates: "The Republic recognizes and protects the inviolable rights of mankind, whether as an individual or as a social structure that develops its personality, and requires the fulfillment of unshirkable obligations in the political, economic and social community." This is the early "human rights" of Italy. Subsequently, based on the "human rights" established by the law, "privacy rights" were further derived, and the concept of "personal data protection" was thus produced.
(3) Main content
The Constitution points out that Italy is a labor-based democratic republic, whose sovereignty belongs to the people, and the people exercise sovereignty within the form and scope stipulated in the Constitution; the Republic recognizes and guarantees the inviolability of its human rights for individuals and members of the association expressing its individuality, and fulfills its unviolable obligations in terms of political, economic and social solidarity.
2 Italy's Data Protection Law
(1) Positioning
996, Italy passed the Data Protection Law under Act No. 675, establishing the right to protect personal data and using it as a separate legal right.
(2) Features
Italian Data Protection Law (No. 675 of December 31, 1996) regards privacy protection as part of a larger whole, that is, the processing of personal data should "respect the rights, basic freedoms and dignity of natural persons, especially in terms of privacy and personal identity." Therefore, privacy has become a fundamental component of “electronic citizenship.”
(3) Main content
Italy's Data Protection Act states that the personal data being processed should be saved and controlled, while also taking into account its nature and specific characteristics of processing, the risk of destroying or losing (even by chance) unauthorized access to data or being illegally processed or processed in a manner inconsistent with the data is minimized through appropriate security measures. In addition, the Regulations also point out the basic principles of personal information processing: legal and fair processing; collection and recording for specific, clear and legal purposes and for further processing operations in a manner that does not conflict with the said purposes; accuracy and up-to-date if necessary; relevance and no more than statutory limits; and preservation in the form of allowing identification of the data subject to no more than the time required for the purpose of collecting or subsequent processing.
3 Italian "Personal Data Protection Code"
(1) Positioning
Since the beginning of the 20th century, Italy has also quickly made legislative adjustments in order to implement the reform of EU data protection rules.In 2003, Congress adopted the Personal Data Protection Code, which concentrated the provisions on personal privacy protection and personal data protection into the code. As the situation changes, the code is constantly being revised and improved.
(2) Features
This code proposes the basic principles of personal data protection of “everyone has the right to protect personal data related to himself” and the basic purpose of the regulations “to ensure respect for the rights, basic freedoms and dignity of the data subject when processing personal data, especially in terms of confidentiality, personal identity and the right to protect personal data”.
The bill proposes the principle of minimization : information systems and software should minimize the use and identification of configuration personal data, based on data processing methods, if the personal data processing needs can be achieved through the use of anonymous data or appropriate arrangements, the data processing mode of "allowing to identify data objects" should only be used if necessary.
(3) Main content
Code proposes that personal data can be legally transmitted across borders in the following situations:
) The data subject has clearly agreed, and if sensitive data is involved, it is necessary to express consent in writing;
) If the transmission is for the data processor It is necessary for one party as the contract subject to perform its contractual obligations, or take measures at the request of the personal data subject before signing the contract, or to sign or perform a contract signed in the interests of the personal data subject;
) Data transmission is necessary to maintain the major public interests mentioned in laws or regulations;
) If data transmission is necessary to protect the life and health of third parties. If this purpose involves a specific personal data subject and the specific personal data subject cannot authorize consent, the consent may be authorized by an entity or immediate family member who can legally represent the data subject, a person living with the data subject, or other relevant person;
) If the data transmission is necessary to investigate the defense attorney, or to establish or defend a legal claim (provided that the data is transferred only for the above purposes and does not exceed the time required for the existing legislation applicable to commercial and industrial confidentiality);
) If the data transmission is carried out by a request to consult administrative records or publicly provided registration books, lists, records or information contained in the document, it shall be carried out in accordance with the provisions applicable to the subject matter;
) If the data transmission is necessary, such as for scientific or statistical purposes only, or for historical purposes only, etc.;
) If the data transmission involves data related to legal persons, institutions or associations.
4 Italy's "E-Commerce Law"
(1) Positioning
The "E-Commerce Law" passed by Act No. 70 of 2003 is the purpose of formulating an e-commerce framework and clearly establishing mandatory rules for data protection used in the e-commerce field.
(2) Features Article 16 of the
Act exempts the liability for compensation for "information infringement", on the condition that the provider:
) "Disunderstand that the activity or information is illegal, and, regarding damages lawsuits, do not understand the facts or circumstances that make the illegality of the activity or information obvious;
) Take action immediately, delete the information immediately after appropriate communication with the competent authority and knowing such facts, or prohibit access to such information".
(3) Main content
Act states that suppliers must notify other parties in a clear, understandable and clear manner how to retain and archive the contract. The supplier must provide this information to consumers before sending a summary of the contract to them. The above contracts should be stored in a persistent format.In addition, the Act states that in order for the “click-package” contract to be valid, the provider must send transaction-related information for consumer confirmation, including: a summary of the general and specific conditions applicable to the contract; detailed information on the main characteristics of the goods or services provided; detailed information on prices, payment methods, delivery costs, taxes, and rights to consumer repentance and withdrawal, including the terms and conditions for the exercise of these rights.
5 Italian Consumer Code
(1) Positioning
The Consumer Code passed by Act No. 206 of 2005 is a basic reference law for protecting the rights of consumers and users.
(2) Features
This code mainly sets rules involving consumer data protection, reflecting the guidelines of the EU plan.
(3) Main content
Code proposes to strengthen the protection of consumers and users by improving consumers' awareness of rights (education and consumer information), and promote the development of association relations and collective action tools, thereby improving the legal status of consumers (individual and collective levels).
6 Italy's National Cyberspace Security Strategy Framework
(1) Positioning
In 2013, Italy released the National Strategic Framework for Cyberspace Security. The strategy covers the description of national security, the harm to the economy due to cybersecurity issues, the assessment of Italy's cybersecurity capabilities, and the division of responsibilities of the public and private sectors as stakeholders in cybersecurity.
(2) Features
The current National Cyber Security Strategy Framework emphasizes the nature and evolving trends of cyber threats, as well as the fragility of national ICT networks. It outlines the roles and tasks of public and private stakeholders involved in cybersecurity and identifies tools and procedures to enhance national preparation for addressing new challenges posed by cyberspace.
(3) Main content
This strategy proposes six major guidelines for strengthening national cyber defense capabilities:
) Enhance the technical, operational and analysis capabilities of all institutions related to cybersecurity to leverage national capabilities to analyze, prevent, mitigate and effectively respond to multi-dimensional cyber threats;
) Strengthen the ability to protect critical infrastructure and strategic assets from cyber attacks, while ensuring their business continuity and fully comply with international requirements, security standards and Agreement;
) Promote all public-private partnerships aimed at actively promoting the protection of national intellectual property rights and technological innovation;
) Promote security culture among citizens and institutions, while leveraging academic expertise to improve users' awareness of cyber threats;
) Strengthen the ability to effectively suppress cybercrime activities, in accordance with national and international norms;
) Fully support international cooperation in the field of cybersecurity, paying special attention to the ongoing measures of international organizations and their allies as members of Italy.
Russia: Dual implementation of regulations and strategies for data security protection
1. Overall legislation
Russian data and information security regulations system is a unified legislation based on the Constitution of the Russian Federation. The "Law on Information, Informationization and Information Protection" promulgated in February 1995 mentioned citizens' personal information for the first time and was protected by law. It was not until July 2006 that the "Personal Data Law" was officially promulgated, and it was jointly established with the "State Secret Law", "Russian Federation Security Law" and "Commercial Secret Law" and other regulations to build a legal system for data and information security.
Russia's national data security system is reflected in four important aspects: information security runs through Russia's national data security throughout, personal data security highlights the characteristics of Russia's national data security, network data security highlights the close relationship between network security and national security, and commercial data security highlights national economic security.
2. Key legal analysis
1 "Constitution of the Russian Federation"
(1) Positioning
"Constitution of the Russian Federation" was promulgated on December 12, 1993. As the highest law of the country, it contains general basic rules of the legal framework for information security, that is, the key elements of the legal status of the subject of information relations.
(2) Features
The Constitution establishes that the right to privacy belongs to the constitutional rights of citizens. Everyone enjoys the right to inviolate private life, personal and family secrets, and protect their reputation and reputation. "Collection, storage, use and dissemination of personal private life information without consent."
(3) Main content
The Constitution of the Russian Federation is divided into nine chapters and 137 articles. Chapter 1 is the fundamental system of the constitution, Chapter 2 is the rights and freedoms of people and citizens, Chapter 3 is the federal system, Chapter 4 is the president of the Russian Federation, Chapter 5 is the federal meeting, the government of the Russian Federation, Chapter 7 is the judicial power, Chapter 8 is the local autonomy, and the ninth is the amendment and re-examination of the constitution.
2 Russia's "Information, Information Technology and Information Protection Law"
(1) Positioning
"Information, Information Technology and Information Protection Law" was promulgated in 2006 (the name was "Information, Information Technology and Information Protection Law" before the revision was made), it is Russia's first federal law on data and information security, and it is also an important legislation in the field of Russian Internet network security and data security.
(2) Features
1) Localized data storage. Internet information operators need to store relevant subject information into Russia within 6 months of generating, disseminating and processing data, including text, voice, images and other information.
2) information can be used as an asset. information resources are the components of property and the object of ownership. It is clear that information can be an asset, and its subject can be citizens, state organs, local autonomous organs, institutions and social groups.
) Information protection obligations that information owners and information system operators need to bear. The data processing license and notification system stipulates: "Non-state institutions and private institutions engaged in activities related to the processing of personal data and providing personal data to users should undergo the necessary franchise (apply for a license, apply for a license)."
(3) Main content
(3) Main content
2006 The "Law on Information, Information Technology and Information Protection" was reviewed and passed by the Parliament of the Russian Federation. The law mainly stipulates the guidelines of the entire information legislative system, as well as the legislative protection of information security, adjusts the legal relationships arising from relevant entities when searching, obtaining, transmitting, producing and disseminating information, using information technology and performing information protection, aiming to protect citizens from malicious information, and stipulates that search engines should exclude network links for publishing information prohibited by the country in Russia. Russia can realize the independent control of the Russian Internet and domestic data by creating a domain name system, an independent address resolution system, a trusted routing node and other measures, and reduce its dependence on overseas networks.
3 "Personal Data Law of the Russian Federation"
(1) Positioning
"Personal Data Law of the Russian Federation" was promulgated on July 27, 2006. It is an important law in the field of personal information protection and the main legal norm in the legal system of data and information security.
(2) Features
1) Conditions for processing personal information anonymization. Anonymization of personal information can only be carried out with personal consent, or otherwise provided by the laws of the Russian Federation in the field of personal data.
) Strengthen data security and protect data sovereignty.In terms of cross-border data flow, strict control systems are implemented, and data localization systems are implemented, including specific regulatory goals such as privacy protection, maintaining network security, and facilitating law enforcement. It is also required that processors have an obligation to ensure that the rights of personal data subjects are fully protected in foreign countries where the personal data is transmitted.
(3) Main content
On December 10, 2020, the State Duma of the Russian Federation Conference issued an amendment to the "Personal Data Law of the Russian Federation", further clarifying the rules for the processing of public personal data, aiming to establish a mechanism to protect the rights and freedoms of individual data subjects.
4 "Security Law of the Russian Federation"
(1) Positioning
"Security Law of the Russian Federation" was promulgated in 1992. It is the basic law of the national security system and the cornerstone of the security legal system.
(2) Features
1) Compliance supervision is being promoted. The state organs and local governments of the subjects of the Russian Federation ensure the implementation of legislation in the field of security within their purview.
) Establish the Security Council. Consider the Federation of the Russian Federation and foreign countries' security, defense organizations, military construction, defense production, military technical cooperation, and other issues related to Russia's constitutional order, sovereignty, independence and territorial integrity, as well as international cooperation in the field of security.
(3) Main content
The Russian Federation Security Law is divided into four chapters, with a total of 20 articles. The first chapter is the general provisions, which clearly points out the connotation and basic principles of the security law being applicable to national security, public safety, ecological security, personnel safety, and other security activities stipulated by law, and determines the status of the Russian Federation Security Conference and the functions of the federal and local power agencies. Chapter 2 stipulates the functions and authority of the state power organs, federal subject power organs, autonomous regions and other power agencies. Chapter 3 clarifies the status, nature, tasks, functions, members, secretaries, activity organizations and resolutions of the security conference. Chapter 4 stipulates the time of entry into force of the law and the corresponding invalid laws.
5 Russian Trade Secret Law
(1) Positioning
The Trade Secret Law was promulgated on July 29, 2004, and is committed to protecting the data rights and interests of enterprises, organizations and institutions.
(2) Features
) Data information of state secrets should be encrypted in accordance with regulations, and the degree of damage caused by Russian national security after its leakage is carried out in a tiered manner. Institutions and organizations that contact and use state secret information should take necessary protective measures as required to ensure the security of relevant data information.
) Enterprises engaged in the research and development of confidential information protection means/tools should have relevant qualifications.
) Only after enterprises, institutions and organizations obtain corresponding confidential information use licenses can they apply for and use relevant data information involving state secrets, and take corresponding confidentiality measures according to the confidentiality level of the information during use.
(3) Main content
The State Secret Law regulates the rights and obligations of trade secret owners. It is clearly stated that the relevant data information listed as trade secrets is protected by law and no third party may access it at will without authorization. In order to perform its duties, relevant state power organs (including public institutions) must provide formal documents signed by the head of the relevant competent authority. The documents should explain the specific purpose of the use of the data and the legal basis for their application to obtain the data. In order to ensure the security of data involving commercial secrets, the law stipulates that the owner of commercial secrets should promptly establish a corresponding commercial secret protection system in accordance with the Trade Secrets Law and other federal laws, prepare an information list that constitutes commercial secrets, adopt necessary technical protection methods and methods, and clarify the access, processing, storage, and publication processes and conditions of relevant data.
6 Russia's "State Secret Law"
(1) Positioning
The "State Secret Law" was promulgated on July 21, 1993. The scope of activities is limited to the military, foreign economic, reconnaissance, anti-reconnaissance and related business investigations, further preventing the possibility of possible restrictions on citizenship rights due to state secret protection activities.
(2) Features
specifies legal supervision measures for protected information carriers and makes clear provisions on the management of confidential information carriers, such as:
) If the carrier is composed of information files of different confidential levels, each part should be stamped with a corresponding confidential seal (secret seal), then the entire carrier must be stamped with a secret seal (secret seal) with the same confidential seal as the highest confidential level among the components;
When it is impossible to prove that the obtained (formulated) information files and existing lists are obtained (formulated) and the information files and materials of the existing list. When the information documents and materials contained in it are consistent, the person in charge of the state power organs, enterprises, institutions and organizations shall keep them confidential in advance in accordance with the proposed confidentiality level;
) When the functions and ownership form of state secret information documents and materials change, and when the work of using state secret information documents and materials is liquidated or terminated, measures shall be taken to protect these information documents and materials;
) The carriers of state secret information documents and materials shall be destroyed, filed or transferred to the statutory corresponding institutions in accordance with prescribed procedures, etc.
(3) Main content
The Supreme Committee of the Russian Soviet Socialist Republic passed the "State Secret Law of the Russian Federation" (No. 5485-1, July 21, 1993), which stipulates the scope of information related to state secrets, the confidentiality and decryption of information, information protection, and Russian security guarantee issues. In Russia's national history, ways to solve the restrictions and guarantees of information related to national security have been established through open legal standards.
7 Russian "Personal Data Processing Regulations"
(1) Positioning
"Personal Data Processing Regulations" (referred to as "Personal Information Processing Regulations") was promulgated on September 15, 2008. Its main purpose is to implement the "Personal Data" Federal Law and the special provisions on the processing of personal data without using automation tools.
(2) Features
) Measures to ensure the security of personal data when processing personal data without using automated tools.
) Destroy or depersonalize some personal data and maintain processing records.
(3) Main content
The "Regulations" contain three chapters in total. The first chapter is a general provision, the second chapter is the characteristics of the personal data processing organization without using automation tools, and the third chapter is a measure to ensure the security of personal data when processing personal data without using automation tools, and comprehensively regulate the personal data processing activities without using information systems.
8 Russia "Protection Requirements for Personal Data Processing"
(1) Positioning
"Protection Requirements for Personal Data Related Information Systems in the Processing of Personal Data" (hereinafter referred to as "Protection Requirements for Personal Data Processing") was promulgated on November 1, 2012. This document stipulates the protection requirements and protection levels of personal data processing in the personal data information system (hereinafter referred to as the information system).
(2) Features
) The personal data protection system should consider organizational and (or) technical measures determined due to technical security threats.
) implements classified and hierarchical protection, and when processing personal data in the information system, four levels of personal data protection have been established.
(3) Main content
ranks the personal data storage system and regulates its security protection measures.
North America
United States: Adhere to market leadership and industry autonomy
1. Overall legislation
The United States is one of the earliest countries in the world to propose privacy rights and protect the law. The government has long adhered to the data governance concept of combining open data and free flow of data, and adhered to the market as the main means and industry autonomy as the main means. However, there has not yet been a comprehensive federal data privacy law. In terms of hierarchy, on the basis of the separation of powers by governments at all levels from federal to state, the United States also implements vertical decentralization between the federal and state levels, and the legislation is more diversified and diversified.
At the federal level, the Computer Fraud and Abuse Act of 1986 and the Executive Order on Strengthening National Cybersecurity in 2021 were signed and issued by the President, focusing on the protection of network security; the Privacy Act of 1974, the Privacy Act of 1986, and the Clarification of Legal Use of Data Overseas Act of 2018 were passed by Congress to protect personal information and privacy. At the state level, the 2018 California Consumer Privacy Act and the 2021 Virginia Consumer Data Protection Act signed and issued by the governor, as a privacy protection law specifically targeting California consumers, have an important benchmark and reference value for the legislative process of other states.
2. Key Legal Analysis
1 US Privacy Act
(1) Positioning
1 In December 1974, the US Congress passed the Privacy Act. This department’s legislation is an important law issued by the United States to protect citizens’ privacy rights and the right to know. aims to balance the differences in interests between the government’s need to maintain personal information and the protection of personal privacy rights, so as to protect citizens from the collection, maintenance, use and disclosure of personal information about personal information, and unreasonable violation of their privacy rights.
(2) Features
The Privacy Act provides provisions for the collection, utilization and protection of personal data by the federal administrative department, and applies to U.S. citizens and foreigners who have obtained permanent residence in the United States.
(3) Main content
The Privacy Act clarifies the main rights of the information subject, the main obligations of the government agencies, and civil relief measures, and makes detailed provisions on how government agencies should collect personal information, what content can be stored, how the collected personal information is open to the public, and the rights of the information subject.
The Privacy Act focuses on four basic policy objectives: restricting the disclosure of personal information records kept by various institutions, giving individuals more access to institutions to keep records, granting individuals the right to modify information records, and requiring government agencies to comply with the statutory norms of collecting, maintaining and disclosing records.
2 US Electronic Communications Privacy Act
(1) Positioning
986, the US Congress formulated the Electronic Communications Privacy Act (ECPA), aiming to extend the original regulations on wired telephone monitoring, including electronic data transmission through computers.
(2) Features
The Electronic Communication Privacy Law provides detailed standards for law enforcement agencies to access electronic communications and related data. It not only makes specific provisions for the protection of wired, verbal and electronic communications for dynamic transmission, but also regulates the security requirements for statically stored electronic communications, and coordinates the conflicts between national security and personal privacy and communication secrets.
(3) Main content
The Electronic Communications Privacy Law includes three main chapters: "Pen Register Act", "Wiretap Act", and "Stored Communications Act".The "Pen Recorder Method" aims at the equipment or process of law enforcement agencies that use pen recorders or similar tracking and recording devices to record or decode dialing, routing, addressing or signaling information transmitted by instruments or facilities that transmit wired or electronic communications, but such information does not include the content of any communication; the "Eavesdropping Method" manages real-time intercepting communications transmitted over lines and expands the scope to electronic communications; the "Storage Communication Method" involves access and disclosure of stored wired and electronic communications or account records, especially this part defines the concept of "electronic storage" for the first time.
3 The Computer Fraud and Abuse Act of the United States
(1) Positioning
On October 16, 1986, US President R. Reagan signed the Computer Fraud and Abuse Act (CFAA), which is the first federal law specifically targeting computer crimes in the United States and is considered a milestone in punishing hackers to attack computer cyber crimes.
(2) Features
The Computer Fraud and Abuse Law encourages researchers to eradicate vulnerabilities in the public interest and provide clear regulations for good-willed security researchers to promote the development of network security.
(3) Main content
The Computer Fraud and Abuse Law lists seven types of criminal activities: obtaining national security information, leaking confidentiality, intruding into government computers, obtaining fraud and obtaining value, damaging computers or information, selling passwords, threatening to damage computers, as well as two types of criminal activities, "outsiders who intrude into computers" and "intruders who exceed their authorization".
4 The US "Clarifying Legal Use of Data Overseas"
(1) Positioning
On March 23, 2018, the US Congress passed the "Clarifying Legal Use of Data Overseas" Act (hereinafter referred to as the "Cloud Act", which broke the data local jurisdiction model followed in the previous process of retrieving data evidence in the transnational data type, and built a new standard framework based on the actual data control authority of the data controller.
(2) Features
The Cloud Act unilaterally granted the US government "long-arm jurisdiction" over the vast majority of Internet data around the world. Relevant people pointed out that this is the US government's "long-arm jurisdiction" for the vast majority of Internet data around the world. Relevant people pointed out that this is the US government's "long-arm jurisdiction" for the vast majority of the world's Internet data. Provocations of data sovereignty in other countries not only violate personal privacy, but also conflict with legislation of multiple countries, threatening the mutually beneficial cooperation of multinational enterprises.
(3) Main content
The Cloud Act mainly provides: the scope of evidence retrieval of US government, clarifying the obligation of service providers to extraterritorial judicial assistance, exceptions to the obligation of extraterritorial judicial assistance to service providers, and foreign governments requesting data from US companies. The Cloud Act proposes that regardless of whether the communications, records or other information of the service provider is stored in the United States, as long as the relevant communications, records or other information is owned, controlled or supervised by the service provider, it shall be saved, backed up, and disclosed in accordance with the requirements of the law.
5 U.S. Consumer Privacy Act
(1)Location
In June 2018, the governor of California, the United States signed and promulgated the Consumer Privacy Act (California Consumer Protection) Act, CCPA), and came into effect on January 1, 2020. The Consumer Privacy Act provides a legal way for consumers to control personal information and is considered to be the strictest privacy legislation in the United States at present.
(2) Features
Although the Consumer Privacy Act is a privacy protection law specifically targeting California consumers, the economy of California It is the world's leading strength in scientific and technological innovation, so the significance of the Ministry's legislation far exceeds its original legislative level and plays an important benchmark for the legislative process of other states.
(3) Main content
The main content of the Consumer Privacy Act includes four parts: the background of the bill's issuance, the rights of consumers, the obligations of enterprises, and the detailed explanation of the terms in the bill.The Consumer Privacy Act stipulates that if an company violates privacy protection requirements, it will face compensation of up to $750 per consumer and fines of up to $7,500 for each consumer.
6 United States "Executive Order on Strengthening National Cybersecurity"
(1) Positioning
On May 12, 2021, US President Biden signed the "Executive Order on Strengthening National Cybersecurity" (hereinafter referred to as the "Executive Order"), aiming to adopt bold measures to improve the US government's cybersecurity modernization, software supply chain security, incident detection and response, and overall resistance to threats. It is the US government's response to a series of highly-anticipated major cybersecurity incidents such as SolarWinds supply chain attacks, Microsoft Exchange vulnerability attacks, and Colonial Pipeline oil pipelines.
(2) Features
The Executive Order takes the prevention, discovery, evaluation and remediation of cyber incidents as its top priority, and proposes to establish a cybersecurity review committee to review and evaluate major cyber incidents, threat activities, vulnerabilities, etc. that affect the federal information system or non-federal system.
(3) Main content
Executive order includes nine parts: policy, removing obstacles to threat information sharing, modernization of federal government cybersecurity, enhancing the security of software supply chain, establishing a network security review committee, standardizing federal government cybersecurity vulnerabilities and incident emergency response, strengthening the detection capabilities of network security vulnerabilities in federal government networks, strengthening the investigation and repair capabilities of federal government cybersecurity incidents, and national security systems.
7 The Consumer Data Protection Act
(1) Positioning
On March 2, 2021, Governor Ralph Northam of Virginia, United States signed the Consumer Data Protection Act ("CDPA" for short), which came into effect on January 1, 2023. The introduction of this bill has made Virginia the second state in the United States to have data privacy legislation.
(2) Features
The Consumer Data Protection Act refers to the results of the California Consumer Privacy Act and the EU GDPR, and is more perfect in promoting enterprises to protect consumer data privacy and grant consumers relevant rights.
(3) Main content
In addition to giving consumers the right to access, correct, delete and obtain copies of personal data, the Consumer Privacy Act also clearly states that consumers have the right to freely choose to sell their own personal data and allow their own personal data to be used for targeted advertising or analytical decisions.
8 U.S. Unified Person Data Protection Act
(1) Positioning
In August 2021, the U.S. Unified Person Data Protection Act (UPDPA), a model bill aimed at unifying the privacy legislation of states, which will come into effect on the 180th from the date of its promulgation.
(2) Features
The Unified Person Data Protection Law distinguishes between "compatible", "incompatible" and "prohibited" data practices based on the possibility that data practices are beneficial to or unfavorable to the data subject; and provides broad exemptions for pseudonymous data.
(3) Main contents
The main contents of the "Unified Personal Data Protection Law" include: scope of application, personal data held by personal data subjects, access and correction rights of personal data subjects, pseudonym data, compatible, incompatible and prohibited data practices, the responsibilities of collecting controllers, third-party controllers and practitioners, voluntary consensus standards, implementation and rule formulation. The law applies to activities carried out by data controllers or data processors within the state, including business, production of products or providing services to residents of the state.
Canada: Prevention first, comprehensively manage data security issues
1. Overall legislation
Canada is one of the earliest countries in the world to build a national fiber network, and its e-government construction has been in the world's leading position for many years. The high popularity of the Internet and the rapid development of services have made Canada have a high level of Internet infrastructure in the world. The security issues caused by the Internet have also made Canada one of the earliest countries in the world to advocate the protection of Internet security. Canada not only emphasizes cybersecurity protection at the national strategic and legal level, but also advocates cooperation among government departments and self-discipline in the Internet industry. Its Internet governance is characterized by prevention-oriented comprehensive governance.
National Strategy, on June 12, 2018, Canadian Minister of Public Security Ralph Goodell, Defense Minister Harjit Sajan, and Canadian Minister of Innovation, Science and Economic Development Nafdipp Baines jointly released the country's new version of the country's national cybersecurity strategy. This strategy serves as Canada's roadmap for cybersecurity, aiming to achieve Canada's security goals and priorities. This strategy will guide the Canadian government in cybersecurity activities to protect Canadians’ digital privacy, security and economy. The strategy will also strengthen Canada's crackdown, resistance to cybercrime and improve its own cybersecurity resilience.
In terms of data security, the initial legal application entity in Canada was the government. In 1983, Canada enacted the Privacy Act to regulate the federal government's collection, use and disclosure of personal information. The Information Access Act came into effect on July 1, 1983, aims to increase accountability and transparency among federal agencies to shape an open and democratic society and to conduct compliance supervision of the behavior of these agencies. In addition, Canada has subsequently introduced laws that use private, enterprises and organizations as the applicable subjects. In 2000, the Personal Information Protection and Electronic Documents Act (hereinafter referred to as "PIPEDA") was passed, which stipulates the scope and guidelines for the use of personal information by private or enterprises during business activities. (Note: There are deletes)
In terms of cybersecurity, in March 2012, Canada released a report on its security intelligence service, "Assessment of Canadian Cybersecurity Threats to Critical Infrastructure", which evaluated the cybersecurity threat environment faced by critical infrastructure in four major Canadian departments (energy facilities, transportation, finance, information and communication technology). The report clearly states that achieving a fully comprehensive "situational awareness" is a major challenge for owners/operators and shows that reducing the risks arising from interdependence requires a collaborative approach for the private/public sector.
2. Key Legal Analysis
1 Canada's Privacy Law
(1) Positioning
983, Canada promulgated the Privacy Law to regulate the federal government's collection, use and disclosure of personal information, and came into effect on July 1, 1983. The aim is to expand the scope of existing Canadian laws that protect individuals’ privacy about their own personal information held by government agencies and give individuals the right to access that information.
(2) Features
limits the scale of information collected by the government: unless directly related to the operation plan or activities of the agency, the government agency shall not collect any personal information and stipulate the individual's right to know: the government agency shall inform any relevant personal information subject of the personal information collected by the agency of the purpose of the information collected. The scale of government use of information: government agencies shall not use personal information under the control of government agencies without the consent of relevant individuals.(Unless it is a "public" purpose such as the government compiles information or discloses information)
(3) Main content
This section focuses on the collection of the main content of the law regarding the definition of personal information, as follows:
Personal information refers to information about an identifiable individual recorded in any form, including but not limited to the generality of the aforementioned provisions:
) Information related to an individual's race, ethnicity or ethnicity, skin color, religion, age or marital status;
) Information related to an individual's education or medical care, crime or employment history, or information related to the financial transactions in which the individual participates;
) Any identification number, symbol or other specific number assigned to an individual;
) The address, fingerprint or blood type of the individual;
) The personal opinion or opinion of an individual, unless it is a proposal for a grant, reward or prize made to another person by another person or part of a government agency or government agency as stipulated in the regulations;
) The letters sent by an individual to a government agency that expressly or expressly belonging to a private or confidential nature, and a reply to such letters that may reveal the contents of the original letter;
) The opinion or opinion of another person to that individual;
) The opinion or opinion of another person on the proposal of a grant, reward or prize made to the individual by a part of the institution or institution referred to in subsection (e), but does not include the name of another person who agrees with the opinion or opinion of another person;
) The name of the individual appears with other personal information related to the individual, or the disclosure of the name itself will disclose information about the individual;
0) Information about a person who is now or once an official or employee of a government agency, which is related to the position or function of the individual, including: the person is or has been a senior employee or employee of a government agency, as well as the position, business address and telephone number of the individual.
2 Canada Information Access Act
(1) Positioning
The Information Access Act came into effect on July 1, 1983. The purpose of the program is to improve accountability and transparency of federal agencies to shape an open and democratic society and to conduct compliance supervision of the behavior of these agencies.
(2) Features
This bill sets access rights for information under the control of government agencies. The law embodies three principles: government information should be provided to the public; exceptions that have the right to view should be specific restrictions; and decisions on the disclosure of government information should be reviewed by other parties independent of the government. In this way, the personal information subject has strong legal guarantees for the access rights and review procedures for the personal information controlled by the government.
(3) Main content
This plan proposes that when it comes to special circumstances in international affairs and national defense, the head of Canadian government agencies may refuse to disclose any records required in this section, including information disclosure that may damage international affairs, information related to Canadian defense, etc., including but not limited to the following:
related to military tactics or strategies, or related to military exercises or operations, or related to detection, prevention or suppression of hostile activities; anything related to weapons or other defense equipment (which is being involved, developed, produced or considered as weapons) , information about any defense agency, any military force, unit or personnel; data obtained or prepared for relevant intelligence purposes; information about foreign, international organizations or foreign citizens used by the Canadian government during the deliberation, consultation, or in the process of handling international affairs; information on the methods, technical equipment and other sources used by the Canadian government regarding the collection, evaluation or processing of the information described in Articles (d) or (e); position taken or about to be adopted by the Canadian government, foreign government or international organization for current or future international negotiations; information on foreign transportation communications with other countries or organizations or official communications with Canadian embassies abroad; information on communications or cryptographic systems used by Canada or other countries.
3 Canada "Personal Information Protection and Electronic Documents Act"
(1) Positioning
000, the "Personal Information Protection and Electronic Documents Act" (hereinafter referred to as "PIPEDA") was passed. This bill stipulates the scope and guidelines for private or enterprises to use personal information when conducting business activities.
(2) Features
As one of the most important federal regulations in Canada, PIPEDA is a legislative guarantee for privacy rights. All Canadian companies are subject to the Personal Information Protection and Electronic Documents Act when collecting, using and disclosing personal information during their business activities.
(3) Main content
This program meets the following requirements for cross-border data. If the cross-border data is met, the data can be cross-border (the cross-border part comes from subjective interpretation. For details, please refer to the original text of the regulations:
There are investigations or litigation that are being conducted or may be conducted for violation of foreign laws; it is necessary to disclose so as to obtain information from an individual or institution for investigation or audit; the use of information is limited to the purpose of the initial sharing of information; ensure that relevant information is processed in a confidential manner, and no further disclosure shall be allowed without consent; conduct and publish research related to personal information protection; specific users, such as personnel exchange, sharing of knowledge and expertise, etc.
4 Canada "Critical Infrastructure Threat Assessment"
(1) Positioning
In March 2012, Canada released a report on its security intelligence service, "Assessment of Cybersecurity Threats to Critical Infrastructure" (referred to as "Critical Infrastructure Threat Assessment"), which evaluated the cybersecurity threat environment faced by critical infrastructure in four major departments in Canada (energy facilities, transportation, finance, information and communication technology). Canada believes that the main responsibility for the protection of critical infrastructure lies in the owners and users. In order to avoid risks, Canada also regularly faces the cyber situation of key departments in key departments.
(2) Features
The report clearly states that achieving a full and comprehensive "situational awareness" is the main challenge facing owners/operators, and shows that reducing the risks generated by interdependence requires a collaborative approach by the private/public sector.
(3) Main content
Report mainly points out that information security issues have emerged due to technological changes, but people have found that solving this problem requires not only implementation at the technical/operational level, but also a more comprehensive approach at the national level.The challenge of information security issues is to protect the entire information-based society, rather than just protecting critical information infrastructure. Therefore, Canadian security and intelligence agencies need to pay more attention to cyber attacks against government and trade secrets, and prevent illegal acts of stealing intellectual property through cyber espionage. Relevant departments or organizations should bear the relevant security costs in an appropriate manner to ensure a low probability of security incidents. This will not only better protect the commercial interests of relevant departments or organizations regarding critical infrastructure, but also benefit the public, thereby increasing their information about relevant entities and governments.
5 Canada's "New Version of National Cyber Security Strategy"
(1) Positioning
June 12, 2018, Canadian Minister of Public Security Ralph Goodell, Defense Minister Harjit Sajan, and Canadian Minister of Innovation, Science and Economic Development Nafdipp Baines jointly released the country's new version of the country's national cybersecurity strategy. This strategy, as Canada's roadmap in cybersecurity, aims to achieve Canadians' goals and priorities in security .
(2) Features
This strategy will guide the Canadian government to carry out cybersecurity activities to protect the digital privacy, security and economy of the Canadian people. The strategy will also strengthen Canada's law enforcement efforts to combat and resist cybercrime and improve its own country's cybersecurity resilience. Canada's new version of the national cybersecurity strategy will fund innovation and economic growth and the development of cyber talent in Canada.
(3) Main content
This strategy determines the guiding role of the Canadian government and conveys the importance of strengthening cooperation with Canadian stakeholders and partners. The strategy includes a number of initiatives, such as the incorporation of government cybersecurity operations into the creation of the Canadian Cybersecurity Centre led by the communications security agency, and the establishment of a national cybercrime coordinator within the RCMP.
6 Canada's "Digital Charter Implementation Act 2020"
(1) Positioning
On November 17, 2020, the official website of the Canadian government issued an announcement stating that the "Digital Charter Implementation Act 2020" proposed by Canadian Minister of Science and Technology Innovation and Economic Development Baynes has entered the first-reading process of the legislative work of the House of Commons in Canada. This Law applies to various organizations related to personal information, such as organizations that collect, use or disclose personal information in commercial activities.
(2) Features
This law protects individuals' privacy rights over their personal information by establishing rules, and ensures that relevant organizations can only collect information for reasonable and appropriate purposes, and protect personal information in appropriate ways. The bill seeks to ensure citizens are protected by more modern and realistic laws, while in the context of continuous technological development, it also hopes that innovative companies can benefit from clear rules. The proportionality of technical and protective purposes is proposed: organizations that de-identify personal information must ensure that any technical and management measures applicable to that information are proportional to the purpose of de-identification of information and the sensitivity of personal information.
(3) Main content
This bill proposes the de-identification definition , that is, by technical means to modify personal information or create information from personal information to ensure that the information will not be identified, or cannot be used alone or in combination with other information to identify an individual under reasonable foreseeable circumstances.
In addition, the plan proposes "organizational accountability" and stipulates that each organization must implement a privacy management plan, which mainly includes the protection of personal information, the receipt and processing of information requests and complaints, compliance with the law and organization of personnel training, and the writing of policies and procedures formulated by the organization to fulfill its obligations.
South America
Brazil: With the Constitution as the core, the compliance supervision is both effective and the implementation of
1. Overall legislation
Brazil has formed a legislative system centered on the Brazilian Federal Constitution and the implementation of scrutiny of compliance supervision.The Brazilian Federal Constitution puts forward the requirement that personal privacy rights are inviolable" has become the cornerstone of data security legislation. The Brazilian General Data Protection Law was promulgated in 2018, forming Brazil's administrative regulations and legal framework for data security, and becoming Brazil's main personal data protection laws. Focusing on data security and personal information protection, Brazil promulgated the Brazilian Information Acquisition Law and the Brazilian Cyber Civil Law to regulate the Internet legal framework and put forward protection requirements for Brazil's public information acquisition.
Economy is the body, finance is the bloodline, Brazil also has regulations on data protection for specific industries, which is subject to Brazil's The entities regulated by the Central Bank (BCB) must comply with the Brazilian Bank Secrecy Act and the Brazilian Cybersecurity Regulations. According to the Brazilian Bank Secrecy Act, financial entities must keep "all their credit and debit transactions and services provided". The Brazilian Good Data Act, Government Act, Government Decree No. 9936/19, and the Brazilian Central Bank Resolution 4737/19 all jointly regulate the creation and management of databases containing payment records information of individual or legal entities, aiming to establish credit records.
2. Key Legal Analysis
1 Brazilian Constitution
(1) Positioning
The text of the amendment proposal PEC No. 17/2019 on October 20, 2021, which has been approved by the House of Representatives. PEC No. 17/2019 The Constitution of Brazil has revised the Constitution of the Federation to include the protection of personal data in its basic rights and protection.
(2) Features
Brazil's Constitution establishes the exclusive legislative power of the federal government in the protection and processing of personal data.
(3) Main content
The Constitution promulgated by Brazil in October 1988 not only protects privacy rights including the confidentiality of communications, telegraphs, telephones and data communications, but also involves consumer protection. In this amendment, Article 5 of the Constitution concerning the rights of individuals and collectives has added a new section, pointing out that "the right to protect personal data, including rights in digital media, is protected under the terms of law.
2 Brazil General Data Protection Law
(1) Positioning
In August 2018, the General Data Protection Law (LGPD) was officially passed by Brazilian President Michel Temer, and will take effect from September 2020. The punishment for violations will also take effect in August 2021. The Act is an amendment to Law No. 12965 of April 23, 2014. The General Data Protection Law is greatly influenced by the EU's General Data Protection Regulation (GDPR). It is Brazil's first comprehensive legislation on personal data protection, significantly increasing Brazil's personal data protection requirements and further enhancing Brazil's data protection capabilities. At the same time, Brazil has established a data protection regulator under the law, the National Data Protection Agency.
(2) Features
LGPD is a comprehensive law that sets out detailed rules on the collection, use, processing and storage of personal data. It will cover all operating industries in Brazil, affect all private and public entities, regardless of whether the processing of personal data occurs in digital and physical environments. In terms of personal rights, the user group will have the right to ask the Internet service provider to correct or exclude the personal information they collect during their operations and have the right to access such data.
(3) Main content
The Brazilian General Data Protection Law is divided into ten chapters and 65 articles, including basic regulations, the processing of personal data, the rights of data subjects, the processing of personal data by government departments, cross-border data transmission, personal data processing agents, data security and good practices, supervision, the National Protection Administration and the National Personal Data and Privacy Protection Committee, as well as final and excessive clauses.
3 Brazilian "Cyber Civil Law"
(1) Positioning
In April 2014, Brazil passed the "Cyber Civil Law" (Law No. 12965/2014), which clarified the principles, rights and obligations of users, enterprises and public institutions to use the Internet in Brazil. In January 2015, the Brazilian Ministry of Justice launched the amendment of some provisions of the Cyber Civil Law and amended the Cyber Civil Law. On May 20, 2016, President Dilma Rousseff signed the Cyber Civil Code No. 8771/2016, which regulates the legal framework of the Internet.
(2) Features
Regarding the protection of logs, personal data and private communications, the revised "Cyber Civil Law" defines "user registration information" and determines that when the administrative authorities require the provider to provide user registration information, they must state their explicit legal basis for authorizing access to such information and the motivation for the request. Providers who do not collect user registration information shall inform the authorities of this fact and shall be exempted from the obligation to provide this information. In addition, the revised Cyber Civil Code focuses on data privacy and establishes security and confidentiality standards for logs, personal data and private communications adopted by connection and application providers.
(3) Main content
The revised "Cyber Civil Law" has a total of four chapters, mainly including general provisions, network neutrality, protection, supervision and transparency of recording personal information and private communications.
4 Brazil "Brazil Good Data Law"
(1) Positioning
"Brazil Good Data Law" regulates the creation and management of databases containing payment record information of individual or legal entity, and aims to establish credit records.
(2) Features
Account registrant has the right to access personal and related information in the database for free, and the manager is responsible for maintaining the security system through telephone or other means.
During the process of processing personal data, inform the storage, database administrator's identity, the purpose of processing personal data, and the recipient of the data during sharing in advance.
(3) Main content
The Good Data Law regulates the formation and consultation of databases, which contain the credit records formed by information from natural persons or legal persons. It is applicable to the formation and consultation of personal or legal person performance information databases and does not affect the provisions of Law No. 8078 of September 11, 1990 - Consumer Protection and Defense. The maintained database will be subject to the jurisdiction of specific legislation. (Due to word limits, please refer to the PDF version of the report for the relevant interpretation of the policies such as the "Bank Confidentiality Law", "Brazil Information Acquisition Law", "Cybersecurity Regulations", "Brazil Government Law No. 9936/19", "Resolution 4737/19 of the Central Bank of Brazil", etc.)
Asian
Japan: Taking into account the comprehensive and specific areas
1. Overall legislation
Compared with the legislation of Europe and the United States in terms of personal information protection, Japan's legislation on personal information protection started late. In the process of legislation, while widely drawing on advanced legislation experience in Europe and the United States, it also fully considered the actual situation of Japan. Based on the balance between data-driven innovation and personal information protection, Japan has adopted a relatively neutral unified and legislative supervision model. By adopting a unified and comprehensive legislation and the formulation of individual laws in specific fields, it has achieved strict regulation on the use of personal information, while also ensuring data liquidity to inspire corporate innovation.
In terms of personal information protection, since the "Personal Information Protection Law on Computer Processing in Administrative Organs" was officially promulgated and came into effect in 1988, it has been revised many times. The current "Personal Information Protection Law" (2020) has established a legislative system for personal information protection in Japan.
In terms of cybersecurity, the 2000 Action Plan for Protecting Information Systems from Cyber Attacks is Japan's first policy document in this field. The 2013 Cybersecurity Strategy, the 2014 Cybersecurity Basic Law, the 2015 Cybersecurity Strategy (Second Edition)", the 2018 Cybersecurity Strategy (Third Edition) and the latest Cybersecurity Strategy in 2022 have built legal frameworks related to cyberspace and are committed to building a "free, fair and secure cyberspace."
2. Key legal analysis
1 Japan's "Administrative Personal Information Protection Law"
(1) Positioning
1 In December 1988, the Japanese legislative body promulgated the "Administrative Personal Information Protection Law" (hereinafter referred to as the "Administrative Personal Information Protection Law"), which began to be implemented in October 1988. is the first national-level legislation specifically for personal information protection .
(2) Features
"The Law on the Protection of Personal Information Processing of Computers in Administrative Organs" only applies to administrative organs, and only protects personal information processing by computers, and does not involve the act of manual processing of information.
(3) Main content
The main purpose of the "Personal Information Protection Law on Computer Processing of Administrative Organs" has two aspects. One is to protect individual rights and interests, and the first purpose is to ensure that the protection of personal information will not become an obstacle to the normal operation of administrative organs and promote the smooth and smooth operation of administrative organs. The law divides the objects of protection into three categories, namely personal information, personal information held and personal information archives.
2 Japan's "Personal Information Protection Law"
(1) Positioning
In May 2003, Japan officially passed the "Personal Information Protection Law" and it was officially implemented on April 1, 2005. This law was formulated on the basis of the "Personal Information Protection Law on Computer Processing of Administrative Organs". clarifies general content such as basic concepts and guidelines, as well as general legal content related to private enterprises. is an important position in the Japanese personal information protection legal system.
(2) Features
Japan's "Personal Information Protection Law" (2020) has enhanced user rights, increased the obligations of data processors, added relevant clauses on pseudonymous information processing, expanded the scope of extraterritorial application, and increased the punishment measures.
(3) Main content
Japan's "Personal Information Protection Law" (2020) mainly includes general provisions, the responsibilities of state and local public groups, personal information protection measures, personal information processor obligations, personal information protection committee, miscellaneous rules, penalty rules, etc. The new version of the "Personal Information Protection Law" focuses on the use of facial recognition information, introduces two new information types, "pseudonymous processing information" and "anonymous processing information", refines the data leakage reporting system, and strengthens the supervision of cross-border data transmission.
In terms of cross-border data supervision, the new version of the Personal Information Protection Law has added restrictions on personal information processors to third parties abroad in two aspects. On the one hand, when cross-border data transmission is carried out with the consent of an individual, the data exporter shall provide the data subject with relevant information such as the country name, the personal information protection system of the relevant country, the security measures that should be taken, etc.; on the other hand, when cross-border data transmission is carried out by a data transmission contract, the contract must adopt data security protection standards and necessary measures equivalent to the Personal Information Protection Law to continuously ensure that the data input party correctly and appropriately handles the personal data.
3 Japan's "Cybersecurity Strategy"
(1) Positioning
June 10, 2013, the National Information Security Center of Japan released the "Cybersecurity Strategy-Building a World-Leading Strong and Vibrant Cyberspace".This strategy clearly proposes to build a "world-leading", "strong" and "vibrant" cyberspace, marking the independence of cybersecurity policies from information security policies.
(2) Features
The latest version of the "Cybersecurity Strategy" has formulated three strategic goals for cybersecurity: to improve economic and social vitality and sustainable development, create a digital society where the people live a safe and comfortable life, and contribute to the peace and stability of the international community and Japan's security guarantee.
(3) Main content
The latest version of "Cybersecurity Strategy" mainly includes the purpose and background formulated, the basic concept of strategy, the understanding of the topics around cyberspace, the measures taken to achieve the three strategic goals, and the promotion of the system. The Cybersecurity Strategy identifies five basic principles for planning and implementing relevant cybersecurity measures: ensuring the free flow of information, the rule of law, openness, autonomy and multi-party cooperation. In order to ensure the realization of the goal of "free, fair and secure cyberspace", the "Cybersecurity Strategy" also provides three major directions of promotion: on the basis of digital reform, synchronously promote digital transformation and network security; looking at the entire cyberspace, ensure the interconnection and chainization of public spaces; and strengthen security protection capabilities.
4 Japan's Basic Law on Cybersecurity
(1) Positioning
On November 6, 2014, the Japanese Congress voted to pass the Basic Law on Cybersecurity, aiming to strengthen the coordination and application of the Japanese government and the people in the field of cybersecurity and better respond to cyber attacks.
(2) Features
The Basic Law of Cybersecurity defines the concept of "network security" for the first time. On the basis of the Basic Law of 2000, it clarifies the basic principles and policies of network security, and stipulates the establishment of a network security strategy headquarters, responsible for formulating a network security strategy and ensuring its implementation.
(3) Main content
The Basic Law of Cybersecurity includes five chapters: general provisions, network security strategy, basic policies, network security strategy headquarters, and penalty. Among them, in terms of cybersecurity strategy, the Basic Law of Cybersecurity proposes that in order to ensure that necessary funds are the funds required to implement the cybersecurity strategy, the government should take necessary measures to implement the strategy smoothly, such as including it in the budget within the scope permitted by the national finance every year. In terms of the Cybersecurity Strategy Headquarters, the Japanese government upgraded the Information Security Policy Committee to the "Cybersecurity Strategy Headquarters" authorized by law in January 2015, as the highest command body for Japan to promote cybersecurity policies.
India: Building a new legal system for data security protection
1. Overall legislation
As a typical country that implements data localization and cross-border flow restrictions policies, India has successively promulgated a series of important laws or documents in recent years, forming a data security protection legal system with the "Information Technology Law" as the parent law, the "Personal Data Protection Act" as the center, the central legislation as the center, and the specific administrative regulations of each state as the auxiliary. It covers many issues in the digital era such as electronic signatures, e-government, and cybercrime, providing a comprehensive legal framework for India's e-commerce development and network information security.
2. Key Legal Analysis
1 India's "Information Technology Law"
(1) Positioning
999, the Ministry of Information Industry of India formulated the "Information Technology Law" based on the "Model Law of E-Commerce" of the United Nations Commission on International Trade Law. The law was passed by the Indian Parliament in May 2000 and officially came into effect on October 17, 2000. The Information Technology Act is the first basic law promulgated by India on network activities, and since then India has become a country with special legislation in the fields of computers and the Internet.
(2) Features
Substantive Law and procedural Law: This law not only stipulates the substantive legal content such as electronic contracts and electronic signatures, but also stipulates procedural issues such as electronic evidence, jurisdiction, and appeal courts.
Focus on efficiency and security: This method stipulates "confirm receipt" for transaction security considerations. With the rapid development of e-commerce, the Information Technology Act of 2008 deleted the requirement of "receipts", which is conducive to accelerating the circulation of e-commerce. Meanwhile, the Indian government is trying to reform the national crypto policy to facilitate the development of e-commerce and monitoring of cyber terrorism and online money laundering. In addition, the law strengthened the punishment for cybercrime in 2008 and refined the responsibilities of network service providers in 2011, which not only ensured security but also achieved efficiency.
Government-led, taking into account the autonomy of the parties involved: India adopts a government-led model, and all electronic certification agencies implement a compulsory licensing system. Any institution that has not obtained an official license shall not engage in electronic certification services.
(3) Main content
Clearly the purpose of legislation: mainly includes two aspects: one is to confirm the legal status of e-commerce activities; the other is to standardize e-commerce activities and prevent and crack down on crimes against computers and the Internet.
proposes to establish an "Internet Appeal Court" that specifically accepts cases in the computer and network fields: clarifies its personnel composition, court composition, jurisdiction, trial procedures and authority.
stipulates that eight types of behavior constitute "destruction of computers and computer systems" crimes: Once is verified, the amount of civil compensation the offender will have to bear can reach 10 million rupees (about 2 million yuan). These eight types of behaviors include intrusion into other people's computers, computer systems and networks without permission, private downloading of data information in other people's computers or systems, and creating and disseminating computer viruses. If you tamper with computer source files, intentionally conceal, destroy, destroy or change the computer source code may be sentenced to 3 years in prison or a fine of up to 20,000 rupees.
India revised and added new types of computer crimes in 2006 and 2008: two revisions mainly stipulate new types of cyber crimes, and in the 2008 amendment, the content of cyber terrorism was focused on raising cyber counter-terrorism to a new level.
2 India's Personal Data Protection Act
(1) Positioning
On July 27, 2018, the Personal Data Protection Act drafted by the "Data Protection Expert Committee" of India was promulgated and publicly solicited opinions; on December 4, 2019, the federal cabinet led by Indian Prime Minister Narendra Modi approved the revised bill, namely the "Indian Personal Data Protection Act 2019" (Bill 373 of 2019). The bill aims to “establish a strong data protection framework and establish a data protection agency for India to give Indian citizens the rights to relevant personal data to ensure their fundamental rights regarding ‘privacy and personal data protection’”.
(2) Features
Legislative purpose has multiple characteristics: This bill emphasizes that "right to privacy" is a basic right, and it is necessary for the law to protect personal data as an important aspect of private information. The bill also proposes to protect citizens' interests, trade and industrial interests, and national interests, hoping to focus on citizens' interests, but also emphasizes that "for national security, government agencies have the right to access personal data and conduct investigations." It can be seen that although the purpose of the bill is to protect individual freedom and basic rights as its core, its ultimate goal is to "national interests first" and take into account other different goals.
adopts a unified legislative model: Indian states may enact their respective laws, but this bill has priority effect if the terms of the bill are inconsistent with any other laws that are in effect in place.
legislative content has Indian characteristics: From the perspective of data protection legislation, the personal data protection law formulated by India converges with the EU's General Data Protection Regulation in many aspects, reflecting the general trend of international data protection legislation.In terms of extraterritorial jurisdiction, the EU has stipulated a broad scope of foreign-related jurisdiction, and as long as it involves the collection and processing of personal data of its own residents, it will be subject to jurisdiction regardless of whether the company has an entity in the country.
(3) Main content
clarifies the scope of application of the bill: includes personal data collection, disclosure, sharing and processing activities carried out in India; personal data processing activities carried out by Indian states, companies, citizens or other individuals and groups established in accordance with Indian laws; business carried out in India, activities to provide goods or services to Indian data subjects, and personal data processing activities related to portrait activities of data subjects in India. But the bill does not apply to the processing of anonymous data.
clarifies the data protection obligations that the data trustee should bear to the data subject: ensures that the data trustee must act in the best interests of the data subject. It mainly includes prohibited behaviors in processing personal data, restrictions on the purpose of processing personal data, restrictions on the collection of personal data, notification requirements for the collection or processing of personal data, quality of personal data processed, restrictions on the retention of personal data, the responsibility of the data trustee, and the consent necessary for the processing of personal data.
clarifies the rights of the data subject: stipulates the rights of the data subject and the general conditions for exercising the rights, including the right to confirm and access, the right to portability of data, the right to be forgotten, the right to correct, the right to delete, the right to appeal, etc. The right to delete is the right to delete personal data when the processing purpose is no longer necessary, as a supplement to the data subject's restriction or prevention of the data trustee's continued disclosure of personal data "right to be forgotten".
Cross-border transmission of personal data: Act proposes that a copy of personal data must be left in the country. Each data trustee should ensure that at least one copy of the personal data service is stored in a server or data center located in India. The bill stipulates that critical personal data can only be processed in servers or data centers located in India. In addition, the bill gives the government discretion to the exit of personal data.
proposes the toughest penalties: the bill stipulates that any organization that shares customer data without the customer's consent will be fined Rs 150 million or a fine of 4% of its global turnover. The processing and reporting delays of data breaches will be fined Rs 5 crore or a fine of 2% of global turnover.
3 India's National Cyber Security Policy
(1) Positioning
On July 2, 2013, the Ministry of Communications and Information Technology of India issued the "India's National Cyber Security Policy" document, aiming to establish a national cybersecurity governance mechanism.
(2) Main content
The policy proposes the 14 goals to be achieved and several strategies to be adopted: includes creating a secure network ecosystem that enables IT systems and transactions occurring in cyberspace to gain sufficient trust, and strengthens IT utilization in all economic sectors in India; creating a trusted framework to achieve the design of security strategies and promote compatibility with global security standards and best practices through consistent assessments of products, processes, technologies and personnel; strengthening regulatory frameworks to ensure a secure cyberspace ecosystem; creating and strengthening a national, sectoral, and all-weather and uninterrupted cybersecurity mechanism.
clearly defines the strategy to be adopted: includes creating a solid network ecosystem and insurance framework, encouraging open standards, strengthening regulatory frameworks, creating early warning of security threats, vulnerability management and mechanisms to deal with security threats, ensuring the security of e-government services, the protection and flexibility of critical information infrastructure, promoting research and development of network security, reducing supply chain risks, and human resources development.
4 India's "White Paper on Data Protection Framework for India"
(1) Positioning
At the end of November 2017, the Indian Ministry of Electronic Information Technology released the "White Paper on Data Protection Framework for India" to solicit opinions from the public.The White Paper provides a fixed legal framework for data protection and also prepares for the subsequent drafting of the Data Protection Law, aiming to promote digital economic growth and protect the security of citizens' personal data.
(2) Features
The White Paper combines the relevant data protection clauses in the current existing laws and regulations in India, and refers to the legislative practices of the EU, the United States, the United Kingdom, Australia, South Africa and other countries, and conducts in-depth exploration and demonstration in the scope of data protection and exemptions, data processing, institutional obligations and individual rights, supervision and execution.
(3) Main content
The White Paper proposes seven principles of the data protection framework: technology agnostic principle, overall application principle, informed consent principle, data minimization principle, controller responsibility principle, structured execution principle and deterrent punishment principle.
Clear scope of use: In order to clarify the scope of application of its data-related laws and regulations, the White Paper put forward many views and made suggestions from the public. The White Paper proposes that the geographical scope of data protection should be applicable to the Indian field or outside the field. How should foreign agencies without permanent resident data be regulated in India? The White Paper has extensively solicited opinions on whether the scope of data protection subjects should be applicable to natural persons or legal persons, whether public institutions and private institutions should be regulated in general or legislated separately, whether the Data Protection Law should be retroactively and whether a certain grace period should be given, the White Paper has extensively solicited opinions.
clarifies the definition of personal data, personal sensitive data, data processing, data controller and data processor: Explanation of key definitions, the White Paper refers to India's SPDI regulations, the EU GDPR and other legal documents to further clarify its core definition.
proposes data protection exemption: The White Paper lists exemptions for personal data protection, such as data processing for the purposes of family, news, art or literature, academic research, history, statistics, criminal investigation protection or national security. For the above exemptions, such data should be obtained legally and the law has given such personal data to a sufficient degree of protection.
stipulates cross-border data flow rules: Whether special cross-border data flow promotion clauses should be set up in the Data Protection Law, how to set standards, thresholds or tests to protect them, and whether cross-border flow should be prohibited for some special types of data such as personal sensitive information, the White Paper has extensively solicited opinions.
Data processing, institutional obligations and personal rights: includes consent, child consent, notification, purpose description and restriction on use, personal sensitive data processing, storage restrictions and data quality, personal participation rights, etc.
Supervision and implementation: The White Paper makes suggestions on execution methods, responsibilities, execution tools, trial procedures, and relief means.
South Korea: "Four Laws and Four Orders" build a data security line
1. Overall legislation
South Korea's "Four Laws and Four Orders" weave a data security compliance network. The Personal Information Protection Act (PIPA), as a general law on data protection in South Korea, mainly applies to the situation where the private sector and public institutions process personal information. South Korea's parliament has passed amendments to the data laws of the "Personal Information Protection Law", "Information and Communication Technology and Security Law" and the "Credit Information Protection Law", and incorporated data protection clauses into the "Cyber Act". At this point, the "Personal Information Protection Law" finally became a real personal information data protection law, which is interconnected with the "Information and Communication Technology and Security Law" and the "Credit Information Protection Law", and each has its own focus to build a data security system together.
2. Key legal analysis
1 South Korea's "Personal Information Protection Law"
(1) Positioning
The promulgation date of the "Personal Information Protection Law" was issued on March 29, 2011, as a unified, general and specialized personal data protection law within the jurisdiction of South Korea.Comprehensive provisions have been made on issues such as the basic principles of personal information protection, the benchmark for personal information protection, the rights protection of information subjects, and the relief of personal information self-determination rights.
(2) Features
1) Clear multiple channels for cross-border data flow. legal ways to expand cross-border data flow to undertake the cross-border data flow mechanism commonly adopted internationally. It also stipulates that once there is any illegal act in the cross-border process, cross-border behavior will be immediately suspended to ensure the security of personal information.
2) Establish a privacy policy review mechanism. introduces a privacy policy review system to assist the personal information protection committee in evaluating the enterprise's privacy policy and ensuring the adequacy of the privacy policy.
3) Introduce data portability rights. enterprises must have the ability to provide their users with all copies of personal information about the data subject they have and the ability to pass personal information to another service provider.
4) Right to reject and interpret for automated decision-making. data subjects are not restricted and restricted by purely automated decisions (including portraits) that have legal or material influence on the individual, and have the right to raise objections. At the same time, individuals have the right to obtain relevant information about automated decision-making.
(3) Main content
The "Personal Information Protection Law" mainly includes ten chapters and 76 articles, mainly including the principles of personal information protection, the rights of data subjects, the rights of data subjects, the relationship between the individual information and other legal relationships, the formulation of privacy policies, personal information processing and security management, the rights protection of data subjects, the special circumstances of the processing of personal information, the adjustment committee for the regulation of personal information, the class action litigation of personal information, etc., and stipulates systems such as the management of personal information, the security measures of personal information, the protection of the rights of information subjects, and the group litigation of personal information, aiming to protect the personal information rights of all citizens to prevent information collection, leakage, improper use and abuse. The scope of application of the law covers all personal information managed by the public and private sectors. By stipulating matters related to the processing and protection of personal information, individual freedoms and rights are protected and individual dignity and value are realized.
2 South Korea's "Information Protection Law"
(1) Positioning
The promulgation date of the "Information Communication Network Utilization Promotion and Information Protection Law" (referred to as the "Information Protection Law") is January 16, 2001. The regulations comprehensively and specifically regulate the collection, use and protection of personal credit information in the telecommunications industry, which is the basic law of the South Korean telecommunications industry.
(2) Features
1) Restrictions on cross-border flow of important information
This law clearly restricts the flow of important information to foreign countries. It is stipulated that the government may require information and communication service providers or users to take necessary measures to prevent any important information about industry, economy, science, technology, etc. from flowing abroad through the information and communication network. Such important information includes: (A) information related to national security and major policies; (B) information related to cutting-edge technologies or equipment developed in China.
The government may require information and communication service providers who process this information to take the following measures: (A) Install systematic or technical equipment that can prevent the illegal use of information and communication networks; (B) Establish relevant systems and install relevant technical equipment; (C) Systematic and technical measures that can prevent illegal destruction or operation of information; (D) Measures that can prevent information and communication service providers from leaking information learned during their performance of their duties.
2) Requirements for the collection and processing of data for public officials
(A) When the Deputy Minister of Science and Technology Information and Communications or the information and communication service provider of the Korea Communications Commission receives a request for protection of documents and data submitted or collected, it shall not provide it to third parties or disclose it to the public.
(B) If the Deputy Minister of Science and Technology Information and Communications or the Korean Communications Commission receives data submission through the network, or the data collected is digitally processed, institutional and technical security measures should be taken to prevent the leakage of personal information and trade secrets.
(3) Main content
The Information and Communication Network Law is divided into nine chapters and 76 articles (of which Chapter 3 has been deleted) committed to promoting the use of information and communication of networks. In addition to protecting service user information and communication, its purpose is to contribute to improving people's lives and promoting public welfare by creating a sound and secure environment to use the network. Chapter 1 is the general rules, Chapter 2 is the promotion of network use for information and communications, Chapter 4 is the creation of a secure service use environment for information and communications, Chapter 5 is the protection of user in information and communications, Chapter 6 is the ensuring network stability of information and communications, Chapter 7 is the telecommunications billing service, Chapter 8 is the international cooperation, and Chapter 9 is the appendix.
3 Korea's "Credit Information Usage and Protection Law"
(1) Positioning
"Credit Information Usage and Protection Law" was promulgated on April 1, 2009, and is the first Korean regulation on the provision and use of credit information in commercial transactions in financial industry.
(2) Features
) specifies the process of data processing. "Processing" data refers to the collection (including investigation, the same below), creation, connection, interlocking, recording, storage, saving, processing, editing, retrieval, output, correction, recovery, use, combination, etc. of credit information.
) It is clear that personal information is passed through "pseudonym processing and anonymization processing", and requires that it cannot be recognized without using additional information
"pseudonym information" refers to personal credit information processed in a pseudonym.
"Anonymous processing" refers to the processing of personal credit information so that it can no longer identify specific individuals or credit information subjects.
(3) Main content
The Credit Information Law is divided into 7 chapters and 52 articles, committed to improving credit information-related industries, promoting the effective use and system management of credit information, properly protecting personal life secrets, preventing credit information from being abused and abused, and establishing and improving credit order. It includes: Chapter 1 General Provisions, Chapter 2 Credit Information Business License, etc., Chapter 3 Collection and Processing of Credit Information, Chapter 4 Distribution and Management of Credit Information, Chapter 5 Credit Information Related Industry, Chapter 6 Credit Information Subject Protection, and Chapter 7 Supplementary Supplement.
4 South Korea's "Location Information Protection and Use Law"
(1) Positioning
The "Location Information Protection and Use Law" was promulgated on March 22, 2010, and is the first law for the protection of personal location privacy information in .
(2) Features
Clearly define the legal definition of personal location information and requires the processor of personal location information to take technical measures to protect it. First, technical measures such as installing firewalls and using encryption software should be taken. Secondly, location information operators and other location information should ensure that the collection, use and data provided are automatically recorded and saved in the location information system.
(3) Main content
The Location Information Law is divided into six chapters and 43 articles. Chapter 1 is the general provisions, Chapter 2 location information business registration, Chapter 3 location information protection, Chapter 4 personal location information for emergency rescue, Chapter 5 establishing the basis for the use of location information, etc., Chapter 6 punishment, committed to protecting the confidentiality of personal life, not being leaked, misused or abused, and promoting the use of location information through safe use of location information, thereby improving people's livelihood and promoting public welfare.
5 South Korea's "Implementation Order for Information and Communication Network Law"
(1) Positioning
The date of promulgation of the "Implementation Order for the Promotion of Information and Communication Network Utilization and Information Protection" is February 29, 2008. The decree further implements the full life cycle protection requirements of personal information in the "Implementation Order for the Promotion of Information and Communication Network Utilization and Information Protection Law" (referred to as: Implementation Order for the Promotion of Information and Communication Network Utilization and Information Protection Law).
(2) Features
This regulation supports policy investigation, research and system establishment of information and communication service providers, strengthen information protection, analyze countermeasures and research related to the use of information and communication services, and improve the information protection capabilities and professional knowledge of information and communication service providers, such as the education of the chief information security officer, international exchanges and cooperation related to information and communication service security, and other security-required projects information and communication systems and information security management.
(3) Main content
The "Implementation Order of the Information and Communication Network Law" is divided into seven chapters (formerly Chapter 3 has been deleted) and is committed to the matters required for the entrusting and implementation of the Law on Promoting the Utilization of the Information and Communication Regulations. Chapter 1 is the general principles, Chapter 2: Information and communication promotes the use of networks, Chapter 4: Information and communication creates a secure service use environment, Chapter 5: User protection in information and communication networks, Chapter 6: Information and communication ensures network stability, etc., Chapter 7: Supplement.
6 South Korea's "Implementation Order for the Use and Protection of Credit Information"
(1) Positioning
The date of promulgation of the "Implementation Order for the Use and Protection of Credit Information" is October 1, 2009, and the specific matters that are implemented in the provisions of the "Implementation Law on the Use and Protection of Credit Information" are refined and implemented.
(2) Features
implements data protection requirements in data processing. Specifically, it includes the requirements for data protection in processing activities such as data collection, storage, use, processing, and transmission.
) Institutions provide information sets to data professional institutions, they should take the following measures to provide:
Multiple information sets link multiple information, and should be replaced with information that cannot identify individuals but can be distinguished (hereinafter referred to as "key combinations"); data sets containing personal credit information should be processed as pseudonyms.
) When the merger requesting agency provides information sets to the data professional institution or when the data professional institution delivers the merger information sets to the merger requesting agency, it shall take protection measures such as encryption to prevent the third party from knowing its content.
) When transmitting information, it is necessary to use commercial encryption software or security algorithms to encrypt
) Credit information companies and other credit information should implement technical, physical and administrative security measures: installation and operation of access control equipment, such as preventing third parties from illegally accessing credit information intrusion prevention systems; preventing the information entering the credit reporting system from being tampered, damaged, or damaged; matters that grant credit information processing query rights according to positions and tasks, and regularly check the credit information query records; other matters necessary to ensure the stability of credit information.
(3) Main content
The "Credit Information Law Implementation Order" is divided into five chapters and 38 articles, and is committed to the detailed implementation of the specific laws of the "Credit Information Law". Chapter 1 is the general provisions, Chapter 2, Chapter 2, Credit Reporting Business and other licenses, Chapter 3, Credit Reporting Information Collection and Processing, Chapter 4, Credit Information Distribution and Management, and Chapter 5, Credit Information Related Industry.
7 South Korea's "Implementation Order of the Personal Information Protection Law"
(1) Positioning
The date of promulgation of the "Implementation Order of the Personal Information Protection Law" is September 29, 2001, and stipulates matters authorized by the "Personal Information Protection Law" and the matters required for implementation.
(2) Features
Processing of personal information requires confirmation whether measures required to ensure security have been taken, such as pseudonymization or encryption.Measures to ensure the security of personal information are as follows:
) The formulation and implementation of an internal management plan for the security processing of personal information;
) Measures to control access to personal information and restrict access rights;
) Application of encryption technology or corresponding measures to safely store and transmit personal information;
) Measures to preserve access records of personal information infringement incidents and prevent forgery and tampering;
) Installation and update of personal information security programs;
) Provide storage facilities or installation of locking devices and other physical measures to safely store personal information.
(3) Main content
The "Credit Information Law Implementation Order" is divided into five chapters and 38 articles, and is committed to the detailed implementation of the specific laws of the "Credit Information Law". Chapter 1 is the general provisions, Chapter 2, Chapter 2, Credit Reporting Business and other licenses, Chapter 3, Credit Reporting Information Collection and Processing, Chapter 4, Credit Information Distribution and Management, and Chapter 5, Credit Information Related Industry.
8 South Korea's "Implementation Order for the Protection and Use of Location Information Law"
(1) Positioning
The date of promulgation of the "Implementation Order for the Protection and Use of Location Information Law" is February 29, 2008, and the implementation of the location information implementation requirements in the "Credit Information Use and Protection Law" are implemented.
(2) Features
1) Set the person in charge of position information management. formulates processing and management procedures and guidelines, stipulates the responsibilities and responsibilities of location information processors, and records the operation and management of processing ledgers that provide location information and other facts.
2) Regular self-checking of location information protection measures. implements identity verification, confirms the access rights of the location information and location information system, installs a firewall and other measures to prevent unauthorized access to the location information system.
3) Take necessary technical measures to protect the security of location information. location information system should be connected to the operation of electronic automatic record storage device, installation and operation of security programs to prevent the location information system from being violated. Encryption technology that can safely store and transmit location information or corresponding measures should be used.
(3) Main content
The "Position Information Law Implementation Order" is mainly divided into 40 contents, from personal location information collection, registration to security protection measures and refinement to the implementation of the "Credit Information Law".
Oceania
Australia: Privacy and security protection has risen to the top-level national strategy
1. Overall legislation
Australia was the first country to attach importance to privacy security. The Privacy Law promulgated by the country in 1988 was applied at the capital Canberra and the federal level. Since then, other states in the country have also successively promulgated regulations applicable to their own privacy. These laws and regulations have been revised over the years. The country has integrated the information privacy principles and national privacy principles into Australian privacy principles, standardized the full-cycle management method of private information data from collection, storage, security, use, publishing to destruction, and subsequently elevated privacy security protection to a top-level strategy. It promulgated the "Public Service Big Data Strategy" and the 2020 "Cybersecurity Strategy". In order to implement the strategy, it promulgated the "National Data Action Plan".
2. Key legal analysis
1 Australia's "Privacy Law"
(1) Positioning
The "Privacy Law" was promulgated in 1988 and is a law for the protection of personal information.
(2) Features
) APP entities must take reasonable measures to protect personal information from abuse, infringement and loss, as well as unauthorized access, modification or disclosure, and destroy or cancel their identity when the purpose of collecting personal information is no longer needed.
) has established requirements for the collection, management, processing, use, disclosure and other processing of personal information.
) Before transmitting personal information to overseas, the APP entity must take reasonable measures to ensure that the overseas recipient will not violate the APP related to the personal information.
(3) Main content
Australian privacy rights related legislation is reflected in federal, provincial and regional bills. The Privacy Act of Australia (1988) enacted in 1988 is a law on the protection of personal information. The biggest feature of this Privacy Act is to formulate the principle of privacy protection. This principle sets general standards for the operation and management of personal information. The circumstances it applies include: the collection of personal information (for example, filling in forms); the use and disclosure of personal information; the accuracy of personal information: the security of personal information holding; the right to access personal information, etc.
The Privacy Law has a wide range of regulations, including tax, medical care, credit information and other categories. Its regulations on the handling mode of privacy issues are also quite complete, and the processing methods of various types of information are deeply restricted by information privacy rights. The principles stipulated in the Privacy Law are not normative principles, which means that the law does not stipulate what organizations should do in each case. Instead, the Act provides principles for how personal information is operated, and each organization or organization needs to comply with them according to its respective circumstances. If an organization or institution violates the privacy principle, the Privacy Commissioner's Office may conduct an investigation, and if an individual's privacy rights are violated, the individual subject may also complain to the office for the infringement of the organization or institution.
2 Australia's Critical Infrastructure Security Act
(1) Positioning
The Critical Infrastructure Security Act was promulgated on April 11, 2018, and has built a complete framework for the risk protection system for critical information infrastructure, improving core security practices related to critical infrastructure asset management, and ensuring that responsible entities adopt a comprehensive and proactive approach to identifying, preventing and reducing risks.
(2) Features
) The word "safety and reliability" is mentioned 40 times in the regulations, which involves power network or power systems, natural gas transmission pipelines, financial services and markets.
) Data storage or processing services are provided on a commercial basis, involving the use of one or more computers, enabling the end user to store or back up data.
) Strictly implement information protection supervision requirements. The Minister requires the reporting entity or operator of critical infrastructure assets to provide certain information or documents. The privilege of prohibiting self-incrimination does not apply to the requirements for providing information or documents under this section for information or documents under this section.
) provides higher cybersecurity obligations to the country's most important asset owners and operators, mainly focusing on strengthening relations with the government.
) has improved the provisions on information sharing, making it easier for regulated entities and governments to share information to fulfill their obligations.
(3) Main content
After the promulgation of the "Critical Infrastructure Protection Act", it has undergone 2 revisions. As the latest amendment to the Critical Infrastructure Security Act of 2018, the 2021 amendment will come into force the day after obtaining the Governor’s approval. These changes will create new obligations for responsible parties to establish and maintain critical infrastructure risk management programs, as well as a new framework for cybersecurity obligations required by operators of critical infrastructure assets. The 2021 Amendment is a reform of the second part of the 2018 Amendment. After identifying the need to strengthen the regulatory framework, the Australian government has enacted the first part of the reforms based on existing requirements of the SOCI Act, based on the Security Legislative Amendment (Critical Infrastructure) Act 2021.
022 amendment aims to strengthen the risk management, preparation, prevention and resilience capabilities of owners and operators of critical infrastructure assets to ensure normal business activities.They also seek to improve information exchange between industries and governments to gain a more comprehensive understanding of threats, prescribing that most of the critical infrastructure assets that are interrelated and dependent on belong to national strategic systems. These critical infrastructure assets are critical to the country because they are interdependent among sectors and, if disturbed, may have potential ripple consequences for other critical infrastructure assets and sectors.
3 Australia's Telecommunications Act
(1) Positioning
The Telecommunications Act was promulgated in 1997 and established a legal framework for law enforcement and intelligence departments to require the private sector to provide voluntary and mandatory technical assistance to encryption technology.
(2) Features
Telecom operators are included in the national critical infrastructure scope in accordance with the telecommunications security reform framework and take measures to comprehensively improve the level of network security.
(3) Main content
The Telecommunications Law includes four appendixes. Schedule 1 is the standard operator licensing conditions, including 88 chapters, Schedule 2 is the standard service provider rules, including six chapters and 20 chapters, Schedule 3 is the carrier's rights and exemptions, including three chapters and 63 chapters, and Schedule 4 ACMA can review decisions including two chapters.
4 Australia's "Public Service Big Data Strategy"
(1) Positioning
"Public Service Big Data Strategy" was promulgated in August 2013 to help the Australian government use efficient and intelligent big data analysis, and benefit the government in many aspects of policy formulation and service provision.
(2) Features
Data disclosure should be paid attention to protecting citizens' privacy. The government requires all departments and agencies to first consider data privacy and security issues before opening up data, especially when using it across departments. From the generation of various types of data to the accumulation of various types of data sets, to the data flow to the destination, effective control means must be set up in every step of the entire process of data application analysis.
(3) Main content
The Public Service Big Data Strategy sets Australia's vision to become a modern data-driven society by 2030, and shows that the government is committed to promoting valuable data flows in ways that consumers benefit and protect consumers.
5 Australia's "Cybersecurity Strategy"
(1) Positioning
"Cybersecurity Strategy" was promulgated on August 6, 2020, clarifying Australia's principles and goals in the field of cybersecurity.
(2) Features
The Strategy requires the improvement of the community's network security factor. The government will implement the "Digital Identity" plan so that people can choose to use trusted digital identity certificates to access network services provided by the government and the private sector, so as to protect relevant entities from identity theft and cybercrimes, and ensure that relevant entities use network services more easily and safely. At the same time, the following points must be achieved: First, actively strive to raise public awareness of cybersecurity threats and promote the entire community to adopt safe and reliable online behavior; second, establish a 7×24-hour cybersecurity recommendation hotline for families and Australian elderly people; third, increase funds for victim support; fourth, introduce voluntary Internet of Things business rules to help consumers make informed purchasing decisions.
(3) Main content
The Cybersecurity Strategy (hereinafter referred to as the "Strategy") aims to strengthen Australia's cybersecurity in the next 10 years. It emphasizes that combating cybercrime, promoting the "digital identity" plan, supporting small and medium-sized enterprises and expanding regional impact should be regarded as the policy goals of the national cybersecurity strategy in the future. This is the conclusion drawn by the current Australian government after analyzing and judging the current objective environment of the new crown epidemic based on history and reality.
6 Australia's National Data Security Action Plan
(1) Positioning
The National Data Security Action Plan was promulgated on April 6, 2022. It is the first national data security action plan, forming a national data security framework.
(2) Features
) protects citizens' data (information collected, processed and stored on digital systems and networks) from infringement.
) establishes data security settings and requirements for governments, enterprises and individuals, and operates with the focus on security, accountability and control.
(3) Main content
The Action Plan aims to supplement the Morrison government's efforts to strengthen Australian cybersecurity, which includes: supporting the online development of various industries by launching a national plan to combat cybercrime; combating cybercrimes and ensuring national security legislation through funding a dedicated cybercrime center led by the Australian Federal Bureau of Investigation to combat cybercrime and ensure national security legislation Milestone reforms are carried out to better protect critical infrastructure; revolutionize the way Australian agencies investigate and prosecute cybercrime through important legislation to make all Australians safer; ensure law enforcement agencies have the power to combat dark web crimes; combat cyberattacks through ransomware action plans to protect Australians from ransomware; promote digital information exchange with U.S. authorities by signing a CLOUD Act agreement with the United States; launching a public information campaign to improve Australian cybersecurity.
Africa
Africa: Improve data protection legislation and safeguard national data sovereignty
1. Overall legislation
As Africa's digital infrastructure continues to improve, digital technology has penetrated and extended to various fields such as politics, economy and military in various African countries. Therefore, strengthening personal information protection and ensuring data security has become the top priority for African countries to build. To this end, African countries have continuously improved data protection legislation to achieve safeguarding national data sovereignty, safeguarding national security, and promoting healthy economic development. At present, there are comprehensive data protection laws in South Africa, Nigeria, Egypt, Kenya, Uganda, Rwanda and other countries, and the South African "Personal Information Protection Law" is the most distinctive.
2. Key legal analysis
1 South Africa's "Personal Information Protection Law"
(1) Positioning
Substantive provisions of South Africa's "Personal Information Protection Law" have come into effect on July 1, 2020 (the supervision regulations for information acquisition will come into effect on June 30, 2021). The bill stipulates the conditions for processing personal information, determines the minimum requirements for processing personal information, and clarifies the relevant rights of the data subject, so as to protect the security of personal information processed by public and private institutions.
(2) Features
For the first time, data security protection is comprehensively strengthened at the legislative level. The Act is South Africa’s first comprehensive data protection law, aiming to promote enhanced protection of personal information processed by public and private institutions. The law grants a 12-month grace period for organizations to achieve compliance; it clearly defines and refines the penalties. Organizations that violate regulations may face an administrative fine of up to 10 million South African rand (about 4 million yuan), may also be filed in civil lawsuits or be required to bear criminal liability. The Act is one of the few laws around the world that provide data asset protection for legal persons such as companies and trust companies.
promotes South Africa's data protection legislation to connect with international standards. The implementation of this law is a major advance in South Africa's privacy protection field. By regulating the information processing behavior of natural persons and legal persons and setting more obligations for South Africa's companies that process personal information, South Africa is in line with international standards in terms of data protection legislation.
(3) Main content
clearly defines the scope of application and the definition of personal information: From the perspective of applicable objects, POPIA's general obligations apply to the "responsible party" (i.e. the main processor of personal data that determines the purpose and method of processing), and its limited obligations also apply to the "operator" (i.e. the data processor). From a geographical perspective, this law applies to situations where the responsible party is responsible for processing personal information and his residence is in South Africa, or although his residence is in another place, he uses automatic or non-automatic means to process personal information in South Africa. At the same time, the law contains an open definition of “personal information”, which usually refers to information about identifiable living natural persons, identifiable companies or similar legal persons.
stipulates the conditions for legal processing of personal information: This law provides a general information protection mechanism, which applies to both the public and private sectors. Similar to the EU's Data Protection Directive (Directory 95), the law stipulates eight conditions for the legal processing of personal information, including: accountability, processing restrictions, purpose specification, further processing restrictions, information quality, openness, security guarantees, and participation of data subjects.
requires enterprises to take measures to implement security guarantees: This law ensures that the personal information they hold and control is protected from unauthorized access, use and loss. This includes taking appropriate physical, technical and organizational measures to protect the security of personal information and ensuring that the level of security measures is consistent with the quantity, nature and sensitivity of the personal information involved. The law also requires enterprises to appoint an information officer and a deputy information officer to ensure that the enterprise's behavior complies with regulations and can handle complaints from the data subject, and enterprises should also retain all process documents related to the processing.
puts forward special personal information processing requirements: This law prohibits the processing of special personal information (related to individuals' religious beliefs, race, criminal behavior, health, sexual life, political stance, and even trade union members). Although this prohibition can be cancelled by obtaining the consent of the data parties, the data parties may revoke the consent at any time.
Requirements for enriching cross-border data flow: This law stipulates that enterprises shall not transfer the personal information of the data subject to foreign third parties unless the third party as the information recipient is restricted by laws, binding company rules or binding agreements with the same level of protection.
Refine the rights and responsibilities and functions of supervisory agencies: This law stipulates that the rights and responsibilities and functions of supervisory agencies include: providing education, monitoring and enforcement, consultation with stakeholders, handling complaints, organizing research and reporting to Congress, etc.
clearly stipulates the penalty and gives data subjects remedy rights: 's penalties for not complying with the law include up to 10 years in prison or an administrative fine of not exceeding 10 million South African rand (about 577,176 US dollars). In addition, the law has formulated new civil remedies that give data subjects the right to file claims against all parties responsible for personal information on a strict basis.
Statement: Beijing Lianshi Network Technology Co., Ltd. has a copyright protected by law for the content of this article and related product information. Without authorized permission, no one may use all or part of the content of the article for commercial purposes. The text or opinions of this article should be indicated if the source is indicated when reprinting or excerpting. The materials and information contained in the article, including but not limited to text, pictures, data, opinions, suggestions and other forms, cannot replace the legal opinions issued by lawyers. If any violation of the above statement is made, the Company will hold him/her accountable. During the writing process of the article, a series of references were cited to facilitate explanation of key points and explanation of meanings. If there is any infringement, please contact our company to modify or delete it.
(Follow this account and send a private message to the editor. You can download the original PDF version of the "2022 Foreign Data Security Policy Research Report" and the original PDF version of more than 80 data security policies in 14 countries)
