Research On The Obligations Of Enterprise Data Security Protection

With the expansion of the application scope of "big data",the value of user data has become increasingly prominent,and it has now become the object that major data companies are eager to collect.Because user data can be directly converted into commercial interests,people are gradually treating it as a kind of property.In this context,infringements against user data emerge in an endless stream,including both illegally obtaining data from users and illegally obtaining data from other subjects who hold user data.Among them,the first case involves only two legal subjects,and once a dispute occurs,there is no difficulty in finding the parties.However,in the second case,it is often difficult to directly identify the actual infringer,which makes it difficult for users to obtain effective relief for their rights and interests in data.Therefore,user data rights and interests urgently need a general protection method.The data security protection obligations in the "Data Security Law" have become an important starting point.The so-called enterprise data security protection obligation means that enterprises should fulfill reasonable security protection obligations for the user data held by them to prevent the illegal infringement of user data rights during the period in which they are held.To improve the protection of civil user data rights and interests,it is first necessary to clarify the legal basis for data security protection obligations.The rights and interests of user data are generated based on the object of the basic rights expressed by the data.As long as the rights and interests at the basic level do not change,the rights and interests at the digital level cannot be assigned separately.Therefore,the source of legitimacy for enterprises to hold and process user data lies in the authorization of users,rather than the transfer of rights and interests in user data.According to the relevant theory of duty of care,enterprises should undertake the obligation to prevent the occurrence of harm because of the dangers that their data business activities bring to the rights and interests of users’ data.Therefore,enterprises that process data should undertake civil data security protection obligations with respect to user data rights and interests.Secondly,it is necessary to clarify the civil law positioning and fulfillment requirements of civil data security protection obligations.Data security protection obligations have been clearly stipulated in the "Data Security Law",and together with the "Network Security Law",the "Personal Information Protection Law" and the rules on data security protection in a series of national standards constitute the data security protection in my country.Obligation system,but the interpretation of its content and how to implement it all need to be carried out with the help of corresponding national standards.Different from purely civil law,the Data Security Law is a comprehensive law,and its provisions are not entirely civil rules.At the same time,the "Data Security Law" does not directly provide a basis for civil subjects to claim their rights and interests,so it still needs to be found in the civil law.In the tort liability section of the Civil Code,the general tort of data processors violating data security protection obligations is adjusted by Article 1165,but the liability of data processors in third-party data infringement is not clearly stipulated.However,among the special subject obligations,Articles 1197 and 1198 are respectively the special subject obligations of network service providers and operators.At the practical level,whether it is the application relationship of Articles 1197 and 1198 of the Civil Code,or the "know or should know","take necessary measures" in Article 1197 of the Civil Code and Article 29 of the "Data Security Law" "The standard of "Fulfilling the obligation of security protection" in Article 1198,Paragraph 2 of the Civil Code in data leakage remains to be clarified.Finally,it is necessary to clarify the legal responsibility of enterprises for breaching data security obligations.The breach of data security protection obligations by enterprises is reflected in two aspects:breach of contract and infringement.In the judgment of liability for breach of contract,it mainly depends on the agreement of both parties to the contract,and different relief methods are generated according to the different content of the agreement;it is more complicated to determine whether the data processor needs to bear the liability for data infringement.First,in terms of the method of attribution,based on the professionalism of data infringement,the presumption of fault liability should be adopted;secondly,in the determination of fault,it should be judged according to the rules of whether "know or should know" and whether"necessary measures have been taken".In terms of compensation for damages,as an information carrier,data contains complex rights and interests,including the property value at the data level,which is transformed from limited exclusive statistical value,and the basic rights and interests value(such as copyright)contained in the data.,portrait rights,etc.).For companies that process data,they often only care about the property value of user data at the data level,while for users,they pay more attention to the entity rights at the basic value level.Article 69 of the "Personal Information Protection Law" adopts the "complete relief+data relief" model for the relief of personal information,which can also be adopted for the relief of users’ data rights.Only for data rights relief,"complete relief" and "data relief" are more reflected in the issue of co-occurrence of responsibilities.When the rights and interests of users’ data are infringed,the data processor’s liability for breach of contract and tort liability,data infringement liability and basic rights infringement liability must choose one to be claimed.