| In the era of big data,national data security is facing a severe test,and the overall sense of data "uneasiness" in society is becoming stronger.The need for a data security review system stems from various aspects,including the urgent need for data risk management on the one hand and the urgent need for national security review on the other.Since the data security review system has not yet been established,it is necessary to integrate normative analysis and comparative analysis to study the basic structure of the system,and to develop the main line of data security review: "what is,what is reviewed,who is reviewed,who is reviewed,and how is reviewed".From the evolution of "cyber security" to "data security",and then the first time the term "data security review" was introduced in the Data Security Law,the connotation of data security has completed a leap from the technical to the legal level.There are competing,linked and differentiated relationships between it and network security review,data security assessment and data security evaluation,and there is a dual institutional demand from the level of risk governance and national security review.The review of data security is to determine whether "data is secure",and needs to focus on four aspects: national security,social public interest,personal information rights and the orderly flow of data across borders.The former covers both data processors with and without data control rights,and data processors may have competing identities with data controllers,while the latter are divided into three categories of hardware and software operators,namely websites,platforms and production businesses,according to the type of industry and the field they belong to.The review subjects are classified according to the source of the data business and the actual control,and must fulfil two mandatory obligations: the obligation to self-assess data risks beforehand and the obligation to sign a data security agreement.Due to the diversity of the types of subjects,the permanent and ad hoc review bodies are required to carry out a "differentiated" review rather than a "generalised review",depending on the actual situation.Depending on their competence,the review bodies are divided into two categories: the lead agency and the executive agency;and depending on the content and field of activity,they need to adopt different collaborative review mechanisms.The review bodies are required to follow a strict review process,with written conclusions on the "initiation procedure","verification procedure","decision procedure" and "remedy procedure".The review body must follow a rigorous review process,with written conclusions on "initiation procedures","verification procedures","decision procedures" and "remedy procedures".The legislative construction of the data security review system should be carried out in three aspects: at the legislative level,law should be the possible option rather than the optimal option at the legislative level,and priority should be given to administrative regulations to promote the legislative process of data security review;at the legislative model,it is not appropriate to adopt a comprehensive legislative model for data security review,and priority should be given to the one-line legislative model;at the legislative provision,the legislative purpose clause,general clause and exception clause are the main provisions of data security review. |
PDF Full Text Request