
Research On The Data Controller Security Protection Obligation

Posted on: 2020-12-11
Degree: Doctor
Type: Dissertation
Country: China
Candidate: C N Gao
GTID: 1366330602959630
Subject: Science of Law
Abstract/Summary:
With the rapid development of cloud computing, big data and artificial intelligence, the degree of informationization and networking has deepened, and the competition among various social entities has begun to shift from hard power to soft power. The contention for resources has begun to shift from physical space to virtual space. The resource behind virtual space is a vast amount of personal data. This personal data is obtained by various network service providers in their business activities, as well as by public authorities in long-term social statistics. These entities have become data controllers because of their ability to control data. Data controllers acquire large amounts of personal data to create a competitive advantage, but in practice do so without assuming the corresponding security protection obligations. Therefore, this article takes the protection of personal data as its research content and proposes a new data security protection obligation from the perspective of the obligations of the data controller, in order to build a systematic personal data protection system.

Data controllers first appeared in European legislation, as the subjects that assume the obligation to secure personal data. At present, China does not have a unified concept of the data controller, and there are many similar concepts, such as "network service providers", "network operators" and "information controllers". The GDPR defines a data controller as a natural person, legal person, public authority, agency or other institution that determines the purpose and manner of personal data processing, either alone or in conjunction with others. The term "data controller" thus includes the data controller who obtains personal data from the source, as well as the data controller who actually implements the data processing operation. Introducing the concept of the data controller into our country is not only a matter of introducing the concept; it also requires fully demonstrating its commitment to data security protection. The introduction of data controllers is justified by material interests such as profit reimbursement and the satisfaction of trust interests. It is necessary for unifying the concept in our country and saving social costs, and the data controller's assumption of the dual roles of data service provider and cyberspace manager provides the feasible conditions.

Data controllers' misconduct in obtaining and using personal data is frequent. It is reflected in over-collection, the improper use of personal data behind commercial advertisements, the abuse of personal data supporting algorithmic automated decision-making, and data leakage under the deep application of cloud storage. The legal causes of data controller misconduct are the lack of specific rules, the lack of uniformity between laws and national standards, and the lack of supervision over the performance of obligations. The regulatory causes of data controller misconduct are the lack of data security protection measures, the lack of authority of data regulators and the lack of attention to data protection.

The data controller's commitment to data security protection stems from responding to personal data protection needs. The legitimacy of data security protection obligations needs to be considered at the level of the data subject's rights and requirements. Although the right to personal data has not been widely recognized at present and faces an inherent dilemma of entitlement, the right to protection of personal data has a value basis at the level of legal interests. Personal data carries personal, property and public interests, and it is indeed necessary to protect it. The establishment and assumption of data security protection obligations is an affirmation of the legal value of personal data. At the same time, the theoretical basis of data security protection obligations includes public goods theory and data security theory. On the one hand, personal data and the information network that carries it are public goods in the new era; on the other hand, personal data security is related to national data security and even to overall national security. These two aspects lay the theoretical foundation for data security protection obligations, from the need to protect public goods and the need to maintain stable national security. Therefore, it is necessary to establish data security protection obligations through legislation, from the perspectives of controlling the leakage of data in China, protecting the integrity of data sovereignty, protecting the freedom of personal data and safeguarding the private rights of individuals.

In structuring the specific content of the data security protection obligation, it should be recognized that, because data is by nature fluid and shareable, the data subject is less likely to be able to control it. Therefore, the security protection cycle of the data controller should cover the entire life cycle of personal data. The scope of protection should be extended accordingly, but at the same time a distinction should be drawn between personal data service obligations arising from laws, from contracts and from unilateral commitments. On this premise, and drawing on the personal data protection principles and rules that have been widely established in the international community, this article establishes a systematic specification of data security protection obligations and proposes specific legal provisions. It does so by strengthening overall transparency, designing system protection measures, assessing the impact of data processing, recording data processing behaviors, giving notice of data collection and disclosure, meeting data subjects' requirements to correct and erase personal data, and having a data protection commissioner supervise the implementation of the various obligations.

In order to construct a data security protection obligation system, it is necessary to clarify the principles and requirements for system construction based on the typical risks faced by personal data, combining the principle of balance of rights and obligations, the reasonable expectation of data subjects and the principle of minimum proportion. Therefore, by learning from the EU's unified legislation and the U.S. decentralized legislative model, a unified legislative path should be established in China, with a separate chapter on the security protection obligation of data controllers. At the same time, in order to ensure the implementation of the data security protection obligation, third-party certification, autonomy through industry conventions and an administrative data supervision mechanism can be introduced to build internal and external supporting mechanisms for implementation. Moreover, when the data controller fails to fulfill the obligation of data security protection, the corresponding legal liability is applied by combining civil liability with administrative liability. Finally, through systematic construction at each of the above levels, a complete data controller security protection obligation system is formed, which achieves an effective balance between personal data protection and the development of data industrialization.
Keywords/Search Tags:personal data, data controller, data security protection obligation, data processing behavior