Chain law research: "Gongxinbao" data loss, interpretation of legal issues involved in the case
With the rapid development of big data, cloud computing, artificial intelligence and other fields, the call for strengthening the protection of personal information continues to rise. From a deeper level, the protection of personal information not only involves the protection of the basic rights of individuals, but also involves various issues such as industrial development, national strategy, and national security.
For enterprises, the situation of data compliance work is urgent and there is a long way to go. With increasingly stringent regulations and the pressure of possible criminal sanctions, data compliance work is imminent.
For the blockchain industry, what kind of legal issues will GXB, which has been caught in a data turmoil recently, face? What enlightenment can it give us?
Recently, a video of the seizure of the office of GXB (Hangzhou Cunxin Data Technology Co., Ltd.) was circulated on the Internet, and many media in the industry verified it, and the matter was confirmed to be true.
According to public information, the public trust chain GXChain is a basic chain serving the global data economy, aiming to create a value network of trusted data. GXP will use blockchain technology to act as a decentralized platform to connect data buyers and sellers. When the buyer needs data, it will broadcast to the entire network through blockchain technology, and the data source will query its own offline database. , if there is relevant data, the smart contract transaction will be carried out, if not, no follow-up operation will be carried out.
Some people in the industry told the media that the reason for the investigation of Gongxinbao has nothing to do with the blockchain business. Some analysts believe that the high probability is because of "data" rather than "blockchain and currency issuance". Including providing data for online loans earlier, reptiles grabbing data, data, and buying black data. The well-known risk control data provider Capricorn Technology and Xinyan Technology were taken away by the police for investigation. , Tianji, Juxinli, etc. have actively or passively stopped the crawler service.
In a 2018 product price service list exposed by the media, GXB introduced that its crawler data types cover Social Security, Xuexin.com, JD.com, Telecom, China Mobile, China Unicom, Zhaopin.com, Sesame Credit, WeChat, Alipay, Even the credit data of the People's Bank of China. (The above content comes from media such as Jinse Finance and Economics)
According to public information, the business scope of Hangzhou Cunxin Data Technology Co., Ltd. includes data processing technology, blockchain technology, etc., and its shareholders include Li Xiaolai and Zhen Fund in addition to Huang Minqiang.
In its list of software copyrights, crawler software is impressively listed.
I vaguely remember that in 2018, it was mentioned in a 2018 article called the best article written by the industry that big data is easy to do evil, and the emergence of blockchain technology may help the Internet get back to its original state. meaning, that is, a decentralized equal system. Gongxinbao, with the slogan "be the master of your own data", encountered Waterloo due to data problems, which is embarrassing.
If this incident has nothing to do with the blockchain as guessed, but is planted on "data", it cannot be said to be "groundless".
With the rapid development of big data, cloud computing, artificial intelligence and other fields, the call for strengthening the protection of personal information has once again been raised. From a deeper level, the protection of personal information not only involves the protection of the basic rights of individuals, but also involves various issues such as industrial development, national strategy, and national security.
It should be emphasized that crawlers themselves are not prohibited by law, but using crawler technology to obtain data has certain legal risks. Malicious reptiles will face various legal issues, including infringement of copyright, infringement of business secrets, infringement of personal privacy and personal information, constitute unfair competition, and in severe cases, intrusion into computer systems may also constitute a criminal offense.
In fact, the research and protection of personal information has long been a judicial hotspot and has been included in the national legislative plan.
What is the legal definition of "personal information"?
On August 22, 2019, the draft of the Personal Rights of the Civil Code was reviewed for the third time at the twelfth meeting of the Standing Committee of the Thirteenth National People's Congress. The second draft of the draft has made specific provisions on the scope of personal information: the scope of personal information includes the name, date of birth, ID card number, personal biometric information, address, telephone number, etc. of a natural person. The third draft of the draft includes the "e-mail address" and "whereabouts information" of natural persons into the scope of personal information on the basis of the scope of personal information defined in the second draft.
In addition, in order to strengthen the protection of personal information, the third draft of the draft changed the "use" of personal information to "processing" of personal information, and added provisions: the processing of personal information includes the use, processing, transmission, provision, disclosure, etc. of personal information . And then cover all aspects of personal information protection as much as possible.
In academia, a basic consensus has also been reached on the definition of personal information: that is, personal information refers to all information that can identify a specific individual individually or in combination, including name, gender, age, weight, files, medical records, income, family Addresses, phone numbers, car engine numbers, computer serial numbers, and even walking routes, spending habits, and Internet browsing records. The most basic feature of personal information is that it is identifiable. Whether it is direct or indirect, single information or combined information, as long as the information of a specific individual can be determined, it is considered to be personal information.
If understood semantically, personal information refers to all information related to natural persons.
If Gongxinbao is as the outside world speculates, what kind of legal liability will it face?
Violation of relevant regulations on personal information protection may result in civil, administrative and criminal liabilities.
civil liability
Illegal disclosure of personal information can mainly constitute a violation of personal rights such as personal privacy or reputation, and requires corresponding civil liabilities (mainly including compensation for losses, apology, elimination of influence, and restoration of reputation, etc.), the legal basis for which is "People's Republic of China Tort Liability Law and the Provisions of the Supreme People's Court on Several Issues Concerning the Application of Law in the Trial of Civil Dispute Cases of Infringement of Personal Rights and Interests Using Information Networks.
Administrative responsibility
If the relevant personal information protection regulations are violated, the relevant government departments (such as the Ministry of Industry and Information Technology) may order corrections within a time limit, impose warnings, fines, confiscate illegal gains, revoke licenses or cancel filings, close websites, and prohibit relevant responsible personnel from engaging in network service business, etc. At the same time, illegal records can be recorded in social credit files and published.
criminal responsibility
Article 7 of the "Criminal Law Amendment of the People's Republic of China (7)": Add one article after Article 253 of the Criminal Law as Article 253-1: "State organs or financial, telecommunications, transportation Staff members of units such as medical, educational, and medical, who, in violation of state regulations, sell or illegally provide to others the personal information of citizens obtained by the unit in the course of performing duties or providing services, and if the circumstances are serious, shall be sentenced to fixed-term imprisonment of not more than three years or criminal detention , concurrently or solely with a fine.
"Whoever steals or illegally obtains the above-mentioned information by other means, and the circumstances are serious, shall be punished in accordance with the provisions of the preceding paragraph.
"Where a unit commits the crimes in the preceding two paragraphs, the unit shall be fined, and the persons in charge who are directly responsible for it and other directly responsible persons shall be punished in accordance with the provisions of each of these paragraphs."
It can be seen that the Seventh Amendment restricts the scope of applicable units that sell or illegally provide personal information, and the penalties are relatively light, which cannot effectively curb illegal transactions and leaks of personal information.
Article 17 of the "Criminal Law Amendment (IX) of the People's Republic of China" promulgated on November 1, 2015 stipulates that Article 253-1 of the Criminal Law is amended to read: "Violation of relevant state regulations, selling to others Or provide citizens' personal information, if the circumstances are serious, they shall be sentenced to fixed-term imprisonment of not more than three years or criminal detention, and may also be fined;
"Those who, in violation of relevant state regulations, sell or provide to others personal information of citizens obtained in the course of performing their duties or providing services, shall be severely punished in accordance with the provisions of the preceding paragraph.
"Whoever steals or illegally obtains citizens' personal information by other means shall be punished in accordance with the provisions of the first paragraph.
"Where a unit commits the crimes mentioned in the preceding three paragraphs, the unit shall be fined, and the persons directly in charge and other directly responsible personnel shall be punished in accordance with the provisions of each of these paragraphs."
In addition, a notice issued by the two high schools and the Ministry of Public Security on legally punishing crimes against citizens’ personal information states:
At present, in order to pursue illegal interests, some criminals use the Internet to wantonly resell citizens' personal information, which has gradually formed a huge "underground industry" and a black interest chain. Citizens' personal information bought and sold includes household registration, bank, and telecommunications account opening information, etc., involving all aspects of citizens' personal lives. Some staff members of some state agencies and enterprises and institutions such as finance, telecommunications, transportation, education, medical care, and property companies, real estate agencies, insurance, and express delivery sold or illegally provided citizens’ personal information obtained in the course of performing their duties or providing services. to others.
Middlemen who obtain information build data platforms on the Internet and sell information wantonly for huge profits. Illegal investigation companies engage in illegal and criminal activities such as illegal debt collection, fraud and extortion based on this information. This kind of crime not only endangers the information security of citizens, but also easily leads to a variety of crimes. The combination of activities affects people's sense of security and threatens social harmony and stability.
Legislative Status of Personal Information Protection
Generally speaking, my country currently does not have a unified personal information protection law, and provisions on personal information protection are scattered in laws, regulations, rules and judicial interpretations.
However, in recent days, laws and regulations related to personal information and data compliance have entered the fast lane of legislation.
For example, "Provisions on Children's Personal Information Network Protection", "Information Security Technology Mobile Internet Application (App) Collection of Personal Information Basic Specifications (Draft)", "Data Security Management Measures", "Personal Information Security Assessment Measures", "Personal Information Security Specifications", "Data Security Management Measures, Methods for Identification of Apps’ Illegal Collection and Use of Personal Information (Draft for Comment), etc.
In addition, on April 10, 2019, the Network Security Bureau of the Ministry of Public Security, the Beijing Internet Industry Association, and the Third Research Institute of the Ministry of Public Security jointly released the "Guidelines for the Protection of Internet Personal Information Security".
Cases promote the rule of law
From the perspective of individual cases, Xu Yuyu, who caused a national sensation and was selected as one of the "Top Ten Cases Promoting the Rule of Law in 2017", was inspired by the telecommunications fraud case to give birth to the "General Principles of Civil Law" on the protection of personal information. Some people call it "Xu Yuyu". Clause”: Article 111 of the General Provisions of the Civil Law stipulates that “the personal information of natural persons shall be protected by law. Any organization or individual that needs to obtain personal information of others shall obtain it according to the law and ensure the information security, and shall not illegally collect, use, Process and transmit personal information of others, and shall not illegally buy, sell, provide or disclose personal information of others.”
How can enterprises do a good job in personal information protection compliance
It should be emphasized that for enterprises, the situation of data compliance work is urgent and there is a long way to go. With increasingly stringent supervision and possible criminal sanctions, especially for data companies, data compliance work must take into account both depth and breadth.
Vertically, it is necessary to ensure that the source of data is legal and the use of data is legal. If the data is exported abroad, it must also be legal. Horizontally, it is necessary to ensure data security and corresponding risk prevention and control work.
The development of compliance work must be institutionalized, routine, and systematic. Enterprises should establish and improve compliance systems and compliance systems related to network security and data protection, which include the establishment of compliance processes and supporting corresponding manpower.
For many companies in the blockchain industry, such as the scope of consent and collection of user personal information and the drafting of corresponding privacy policies, such as the need to understand which data the policy requires can only be stored in the country? This requires companies to review user data and form a corresponding review mechanism. For example, when wallet companies are involved in payment services, they should avoid storing user information on overseas servers.
In addition, in view of the current trend of stricter supervision of personal information protection in my country, and new laws and regulations are constantly being introduced, companies involving data need to closely follow up on legal progress and legislative trends, and ensure that measures for processing personal information comply with relevant laws requirements. For enterprise data compliance, the Lianlaw team will also introduce in detail chapters in future articles. Interested readers and friends, please stay tuned.
