Formal Implementation of China’s First Regional Regulation on Big Data Security Protection

Updated: October 25, 2019 Source: Belt and Road Portal

China’s first regional regulation on big data security protection, the Regulations on Big Data Security Protection of Guizhou Province (hereinafter referred to as the Regulations), formally took effect on October 1. This attempt at and exploration of top-down design of system protection for the development of the data industry has aroused intense debate in the big data industry.

In its interpretation of the Regulations, the Standing Committee of the People's Congress of Guizhou Province explained that, given the numerous existing big data security risks, the issue of big data security has become increasingly apparent, and the conflict between big data security requirements and the demands for sharing and opening up has become more prominent; these developments require improved big data security regulation and have attracted extensive attention. The Regulations comprise eight major systems: the protection organization system, preventive protection system, regulatory protection system, emergency response system, technical protection system, technical service system, talent education and training system, and work-related supporting system. Together these constitute an integrated big data security governance network involving the whole of society.

The Regulations respond to the core issues in the development of the big data industry. First, as legislation on big data security protection, the Regulations address the neglect of security protection that occurred while industrial development was being promoted as the big data industry grew. Second, from a regulatory perspective, the Regulations focus on the issue of “chaotic governance” in the development and application of the big data industry, and identify the regulators of big data security as well as their specific responsibilities. Third, the Regulations clarify the relationship between sharing and opening up and security protection.

In terms of security, the principles of “owner’s responsibility, manager’s responsibility, holder’s responsibility, user’s responsibility and collector’s responsibility” have been adopted, extending from governments, enterprises and public institutions to specific builders, operators and maintainers. For the first time, regulation and protection of the different stages of the whole data life cycle, along with further standardization of data collection, have been proposed, and legitimate uses of data have been identified.

Using or propagating data acquired or conclusions drawn from big data analysis, mining and consolidation, as well as those that may compromise national security, national interest and public interest, is not allowed; related activities shall be stopped immediately and reported to public security organs for punishment pursuant to laws and regulations.

In respect of data security, the Regulations give prominence to the protection of citizens’ personal information and explicitly prohibit excessive collection. Information shall be collected with the consent of the information source. Where data collection facilities and equipment are installed in public places to collect information, obvious signs shall be set up and the installation reported for the record. It is prohibited to use data that is known to have been acquired through attack, theft, malicious access or other illegal means. Face, fingerprint, gene, disease and other biometric data have also been included in the scope of application.

Editor: 王若寒