the Legal Definition and Protection on "Data"
Author: Paul Wang 2020-07-26Article 127 of the General Provisions of the Civil Law of the People's Republic of China (hereinafter referred to as " the General Provisions of the Civil Law ") stipulates that if other laws particularly provide for the protection of data and online virtual assets, such provisions shall prevail. The Civil Code of the People's Republic of China (hereinafter referred to as "the Civil Code "), which was adopted at the Third Session of the Thirteenth National People's Congress, treats the General Provisions of Civil Law as the supplementary provisions of the Civil Code. Article 127 of the General Provisions of Civil Law is in the chapter of civil rights. The General Provisions of the Civil Law is a general outline of the Civil Code. Article 127 of the General Provisions of the Civil Law juxtaposes data and network virtual property as principle provisions on civil rights.
How to understand the content of "data" civil rights in Article 127 of the General Provisions of the Civil Law? Does the right object of data include both personality rights and property rights? No matter as the data of personality rights or property rights, what are the problems of current legal protection and future legislative and judicial protection? If we do not try to explore and answer these basic questions, even though Article 127 of the General Provisions of the Civil Law confirms the civil rights of data subjects in Civil Law, existing legislation and normative documents do not strictly define the legal intension and extension of "data", so it is difficult to strengthen the protection of data, and the protection mainly stays at the level of traditional "privacy" information protection, which is not conducive to the legislative and judicial protection of data subjects.
The legislative and judicial reality is also as mentioned above, except for the General Provisions of the Civil Law, which stipulate the data as the contents of civil rights in principle, at the legal level, So far, only the Cybersecurity Law of the People's Republic of China (hereinafter referred to as "the Cybersecurity Law" has expressed "data" from the perspective of network construction, operation and service provision, network operation security and network infrastructure from the legal level. There are 16 references to "data" in the Cybersecurity Law totally, and it is the first time to put forward data network security features such as integrity, confidentiality and availability from the legal level. Article 1 of the Cybersecurity Law also does not use the concept of "data" but rather "information" to express the legislative purpose. Article 1 of the Cybersecurity Law stipulates that this law is enacted to ensure cybersecurity, secure the cyberspace sovereignty, national security and the public interests, protect the legitimate rights and interests of citizens, legal persons and other organizations, and promote the healthy development of information technology in economic and social sectors. It is noteworthy that Article 18 of the Cybersecurity Law refers to the concept of "data resources" at the legal level for the first time. The Regulations on the Protection of Personal Information of Telecommunications and Internet Users (hereinafter referred to as "the Protection Regulations"), published by the Ministry of Industry and Information Technology of the People's Republic of China (Decree No. 24) on June 8, 2013 and implemented on September 1, 2013, does not use the expression "data" throughout, but defines "personal information of users". Article 4 of the Protection Regulations stipulates that the personal information of users in these provisions shall refer to the information collected by telecommunication service operators and Internet information service providers in the course of providing services, such as the user's name, date of birth, identity card number, address, telephone number, account number and password, which can be used to identify the users either independently or in combination with other information, and the time and place at which the user uses the service. It is noteworthy that the definition of "personal information of users" in the Protection Regulations does not distinguish between general information and sensitive information, that is, it does not define the information in a typed manner, nor does it provide for the identifiability of "personal information", so the "protection" of the Protection Regulations are not very effective. The Provisions of the Supreme People's Court on Application of Laws to Cases Involving Civil Disputes over Infringement upon Personal Rights and Interests by Using Information Networks (hereinafter referred to as "Provisions on Information Network Disputes"), which came into effect on 10 October 2014, does not use the concept of "data", but provides for the rights, obligations and responsibilities of "information network service providers" and "network users" in "information processing" from the perspective of information network personal rights infringement protection. The "data security capability" is defined in the "Function Interface Template" in Appendix C of the Information Security Technology - Personal Information Security Specification (Draft for Approval) (hereinafter referred to as " the Security Specification") issued by the National Standardization Commission, namely, the Method to Guarantee the Right of Personal Information Subject to Choose and Consent (2018 version), and the Method to Realize the Independent Will of Personal Information Subject (2020 version) (The appendices are hereinafter collectively referred to as "the Information Specifications"). The Information Specifications stipulate that: "Data security capability refers to the ability of personal information controllers to protect the confidentiality, integrity and availability of personal information; personal information controllers can prove their data security capability by carrying out relevant national standards compliance work and display relevant certificates to the personal information subject in the form of chain. Throughout the Security Specification, "information" and "data" are used together, sometimes interpreting information in terms of "data" and sometimes interpreting data in terms of "information". In addition, the Security Specification is a guide to industry technical standards and has no mandatory legal effect.
By combing through the existing laws, judicial interpretations and relevant normative documents on network information security and personal information protection in China, it is found that the legal concept of "data" has not been defined at the legislative level in China. On many occasions, data and information are not strictly distinguished in expression and use. It can be considered that the existing laws, judicial interpretations and relevant normative documents imply the same meaning of "information" and "data", at least the concepts can be substituted for each other. Through a comparative analysis of Article 127 of the General Provisions of the Civil Law, the author thinks that the provision of "data" as a civil right is a breakthrough in civil legislation, and the juxtaposition of "data" and "virtual property right" in the same article is unprecedented in civil legislation. From the perspective of the extraterritorial legislation, the EU is the jurisdiction with the most comprehensive and strict for personal data protection legislation, especially the General Data Protection Regulation promulgated by the European Commission, led by Germany, which belongs to the same Civil Law system as China. Its legislative experience of "data" is worth learning from and discussing. The General Data Protection Regulation begins "Whereas Clause" by referring to "the protection of natural persons with regard to the processing of personal data as a fundamental right". In Chapter I, Article 4 "Definitions" of the General Data Protection Regulation, "Personal data" is defined: "Personal data" means any information about an identified or identifiable natural person ("data subject"), and goes on to specify the meaning of identifiable: an identifiable natural person is one who can be identified, directly or indirectly, through identification such as a name, identity card number, location data, online identification number, or through one or more physical, physiological, genetic, psychological, economic, cultural or identity elements that are directed at that natural person. From the intension and extension of its definition, the subject's right to "personal data" should include the content of personality rights and property rights. Domestic scholars have also studied the property rights of data from the perspective of "data ownership", arguing that: big data has both personal (such as privacy, etc.) and property attributes, in which the ownership of the data subject's possession, use, benefit and disposal of the data is the fundamental legal basis for big data transactions, The technical and economic effects of Big Data are the basis of data as a legally protected property, and the fundamental value of data transaction. The author agrees with the aforementioned scholars’ view, but the data transaction is based on the data market and the legal confirmation of data rights. From the perspective of legislation, firstly, the content of data needs to be clearly defined. Secondly, it is necessary to clarify the data subject's right object, especially the legal definition of data property rights, so as to effectively implement the data subject's possession, use, benefit, disposal and other relevant personal rights and property rights.
From the comparative study of the relevant legislative provisions on personal information and data between China and EU, it can be found that the distinction between data and information has at least the following characteristics: (1) based on the development of digital technologies such as Big Data, Artificial Intelligence and Cloud Computing, the elemental characteristics of personal information are increasingly accurate and quantifiable; (2) The information generated by the network behavior of information subject makes the identity, private activity, biological information and property information of information subject highly accurate and identifiable; (3) the highly accurate identifiable information generated by the network behavior of the information subject will affect the privacy and property security of the information subject if leaked. In the author’s view, data and information are interrelated and intrinsically linked. In common semantic expression and life experience, information and data can be substituted for each other on most occasions, but differ in intuitive perception. For example, before the emergence of technologies related to Big Data, data was rarely protected from the legal level, and "information" protection was rarely materialized to the high-level protection of civil rights. Moreover, before the emergence of Big Data, 5G, Artificial Intelligence and Cloud Computing technologies, there were few specific and strict regulations on the content of information subject's rights related to information processing (such as portability right, objection right, forgotten right, etc.). In the author’s view, the core reason why "data" and the protection of data subject's rights has become a legal issue nowadays is that digital technology can quantify the identifiable characteristics of information subjects with a high degree of precision. These highly precise quantitative information of data subjects can not only achieve intelligent machine autonomous decision-making, but also serve as the basis for human decision-making. When the precise quantitative data of information can serve as the basis of decision-making, it means huge economic and social management benefits after data aggregation, but there is a natural contradiction between the economic benefits, social benefits and data subjects. Therefore, data, as a legal civil right, should be protected on the premise of data market at the judicial level.
Based on the aforementioned, the author believes that the data is the information that can be accurately identified after quantifying the characteristics of the information subject based on digital technology. As mentioned earlier, the General Provisions of the Civil Law does not define data, but only provides for data in principle and in the same clause in the chapter of "civil rights" as a content of rights alongside "virtual property rights". From legislative logic, it is difficult to completely deny that the legislator has set aside space for the personality rights and property rights of the data based on foresight, and that is why the discussion of Article 127 of the General Provisions of the Civil Law is of practical significance.
There is no doubt that data has economic and social benefits as information that is precisely quantifiable and identifiable to the data subject. In China, the legal protection of data subject's relevant rights is mostly from the perspective of the traditional Civil Law of individual's "Privacy Right". For example, the Supreme Court's Provisions on Information Network Disputes only provides a judicial interpretation from the perspective of the rights and interests disputes caused by "infringement" by means of information network, but its justiciability mainly focuses on personal rights, and there are few litigable contents of infringement such as "property rights" confirmation and payment. In the author’s view, data property rights, as the right object of data subject, is an extremely important right content. The lack of existing legislation, or even blank, is not conducive to the development of Big Data Industry, Artificial Intelligence, 5G, Blockchain, Cloud Computing and other digital industries. The current "privacy" protection legislation and judicial interpretation cannot adapt to the "data" aggregation rights protection claims under the background of Digital Economy. In the author’s view, legal attribute of data as assets need to be clarified before data property rights are legislated.
As mentioned above, the basis of data property rights is the data market, and the data transaction market requires the Legal confirmation of the data subject. Before the application of the technology portfolio represented by the Blockchain, data was mainly used as a tool for product development, marketing and research in a certain range of terminal market. In the process of development, grey industrial chains such as "Data Mining" and "Data Cleaning" were also derived, and the value of data was first reflected in areas not protected by law. With the development of informatization and intelligence, the importance of data related to the security, property, privacy and social order of individuals, enterprises and organizations is gradually recognized by regulators. As the legal protection of data has not kept pace with the rapid development of "data market" applications and demands, the contradiction between cyber disinformation, cyber fraud and the siloed isolation of real information and the cost of security protection has become increasingly prominent. There is an urgent need to clarify the legal boundaries of rights and obligations in relation to data as a factor of production that brings "value".
First of all, Internet market operators, represented by various Internet giants, are in possession of a large amount of information and data on personal and enterprise activities. These data are constantly used for commercial purposes to earn profits, and the conflict of interest among data holders, users and source data subjects becomes increasingly acute as the conditions for data to become a factor of production become more and more adequate, so there is an urgent need for legislative and judicial intervention at the national level. The premise of modeling the characteristics of data elements is that data has use value, which cannot be separated from the specific Application Scenarios of data. In the Information Internet before the generation of Blockchain, the use mode and value embodiment of data were controlled by data collectors and holders, and the information security and value rights and interests of the source data subjects were rarely considered. The conditions of Data Capitalization were very weak. The General Provisions of the Civil Law has stipulated virtual property rights such as data in principle for the first time in legislation, which means that Data Capitalization has basic civil legal basis. The next step is to make further legislation and judicial interpretations on the judicialization of data property rights, the concretization of rights, the elements of infringement, the legalization of transaction transfer, and the standardization of infringement compensation, in order to adapt to the real needs of production and life. For example, the basis of Data Capitalization is the legal confirmation of data rights, which first needs to solve the problem of the ownership status of the source data subject to the data object. What types of data, and what links of data fall within the scope of ownership of the source data subject, are involved in the collection, storage, use and transmission of data? Is it limited to the source data subject's right to assert ownership of the data object? Or can the person who processes and controls the use of the data, meeting certain conditions, also become the subject of ownership of the data and can they legally authorize others to use the data? How long after the authorized, reasonably used data is out of the control of the source data subject or what conditions change to require reauthorization or reconfirmation? Another important question is what is the data carrier to enter the scope of ownership identification of source data subjects or legal control subjects? Is it Token under the Application Scenario of Blockchain Technology -- Token Intelligent Contract as the carrier? Or a typed database batch determination under certain conditions? In the author’s view, Blockchain, as the value rule system of Virtual Value Exchange Smart Contract under the Distributed Consensus Credit Mechanism, is the key to "data" becoming assets or as the property right of data subject. Only under the Distributed Consensus of Blockchain and the value rule system of Smart Contract, "data" can be Token capitalized, data can be legally confirmed as property rights, and the value flow and sharing of data can have a realistic possibility. The legal confirmation of data ownership should include compulsory legal confirmation of data ownership and voluntary legal confirmation of data ownership. The data subject to compulsory confirmation should mainly focus on the necessary basic data from various subjects involved in the Internet business operation. It may not have the content of property rights, but it is extremely important to the Internet enterprise's compliance with the law. Therefore, the compulsory legal confirmation of data ownership should be based on the principle of one-time ownership confirmation, effective long-term authorization and constant value.
Secondly, from the perspective of commercial applications, the collection, storage and use of data held by Internet enterprises should be limited by the scale of Data Capitalization of the enterprise after the legal confirmation and Capitalization of the data. If the data that can be confirmed and capitalized held by an enterprise is larger than the Net Assets of the enterprise itself, the law should restrict the enterprise's further collection, storage, use of new data, legal confirmation of data rights, Capitalization and other behaviors. Otherwise, the boundaries of data security and privacy protection will be artificially breached due to the drive of interests, and the data security protection will be in vain.
Thirdly, after the legal confirmation and Capitalization of data, data as an asset shall be able to enter the balance sheet of the enterprise, but the data assets that can be capitalized and enter the balance sheet of the enterprise should have relatively large industrial application value, which involves the industrial intelligent business scenario of data. For example, in the future, driverless vehicles are likely to become important dynamic data application terminals, and the Internet of Things and other industries will inevitably involve the demand for legal confirmation of rights for large-scale intelligent data business, so the underlying Blockchain Technology support is the general trend. Future data involves cross-border comprehensive evaluation of law, audit, technology, management and other aspects. Data driven intelligent business scenarios will be the core of the Digital Economy.
Finally, the inclusion of the property content of data in judicial protection is the due meaning and advanced form of protection for data security and privacy protection. The series of laws, regulations, rules and national standard security norms that China has successively introduced with "privacy information protection" as the core orientation are basically based on administrative management as the guiding principle of legislation. Although the Supreme People's Court's Provisions on Information Network Disputes is a judicial interpretation regulating the rights and interests disputes that constitute "infringement" by means of information network, its justiciability mainly centers on the personal rights, and there are few litigable contents of infringement such as "property rights" confirmation and payment. In the author’s view, the most effective protection of data security and privacy is the legislative confirmation and judicial application of data rights confirmation. When the property right of data is established, the obligation boundaries of data collectors, holders and users, as well as the right boundaries of data owners are established. Data owners' claims and maintenances of their rights are superior to the top-down administrative law enforcement and supervision in the reality of data business monopoly.
In summary, the author believes that: the property right of data is based on the data market, on the premise of the legal confirmation of the data subject, and in the form of Token Carrier, through the Blockchain Distributed Consensus Application Scenario, the data element characteristics should be modeled, and the rights and interests should be abstracted into data assets. At least under the current technical conditions, it is difficult to capitalize the data without Blockchain Distributed Consensus Application. The data that can't be capitalized and legally confirmed is difficult to play the production and commercial value of the data. The digitalization without the Value Exchange Rule system is not the real digitalization, and the upgrading from Information Internet to Value Internet cannot exist. Under the conditions of Big Data, Cloud Computing, Artificial Intelligence and Blockchain technology, the technological conditions of Intelligent Network and alue Internet for complete mirroring the "Four Rules" of the physical world to the virtual world have been met. Real digitalization should focus on the legal status of "data" property rights, as well as the integration of traditional industries, traditional Information Internet and Blockchain Distribution Consensus, Smart Contract Rule System, and Token data assets. Data will inevitably become a factor of production in the Digital Economy. To become a factor of production and participate in the profit creation and distribution in the process of production, the legal confirmation of data rights is the primary work. For data to be a factor of production and to participate in the creation and distribution of profits in the production process, the legal confirmation of data rights is the primary work. At present, the Digital Economy is being discussed from the government to the private sector, but the core of the discussion is mostly focused on "data security and protection" from the perspective of technology and administration, which is of course very important. However, without the establishment of the legal status of data property rights and judicial justiciability, the administrative enforcement of data security is not only not conducive to "Data Capitalization" and "promoting data to become a factor of production", but also likely to lead to the fact that under the realistic condition of "oligarchy" of commercial data, the power of formulating industry technology standards and administrative rules is controlled by Internet elites and giants. If they launch the "Enclosure Movement" for data assets (the lifeblood of the future Digital Economy), the data will be in danger, and administrative law enforcement will face serious questions. It is important to point out that the development of Digital Economy cannot be separated from the Blockchain Distributed Consensus and the basic application of Intelligent Contract Rule System, without which it is impossible to determine the legal boundaries of "data", digital assets are just empty words, and data as a factor of production also has no digital basis. Blockchain naturally has the significant functions of increasing credit supply, retroactive deposit, reducing judicial cost, improving judicial adjudication efficiency and reducing disputes. In the author's view, legislation, judicial protection and legal supervision in the era of Digital Economy should closely focus on the legal definition of "data" and the legal confirmation of data rights, judicial justiciability, infringement and privacy protection in data application. The legal confirmation of data rights cannot be separated from the integration of Blockchain and industry. Only through Blockchain "chain reform" can the industry break the "information island" of effective industrial data, and form a data market. When the legal confirmation of data rights and the market pricing obtain the due legislative and judicial status, the data will have the real realistic foundation to become the assets and a factor of production. At that time, a new era of Digital Economy will become a reality!
Notes: 1.Research on Data Ownership in Big DataTransactions, Yang Zhangbo, p.2. http://www.doc88.com/p-9069672036839.html. Visit the website at 18:39 on May 31, 2020. 2.The " source data subjects " in this paper refers to the digital data generated at the first time based on the behaviors of specific individuals and organizations, including the data generated due to certain behaviors in physical and virtual space conditions in Blockchain and Non-Blockchain application scenarios. 3.Blockchain Changes the Future, p.15, Wang Youqiang and Tu Jing, People's Daily Press, the first edition at the end of January 2020. 4.The degree of Digital Image of the physical world determines the development degree of Digital Economy. The core reason for the sustainable development of the physical world lies in the complete system of Value 5.Exchange Rules. From barter to gold and silver, and then to credit paper money, the central value exchange system with government, organization and intermediary as credit endorsement is the cornerstone of the existence and development of the physical world. This set of value exchange system consists of a set of rules: Social Rules with the legal system as the core, Technical Rules with the mathematical system as the core, and Market Rules with the pursuit of self-interest as the goal and the satisfaction of social needs as the core, which jointly maintain and promote the development of human society. Social Rules, Technical Rules and Market Rules all take Value Exchange Rules as the internal driving force to realize wealth creation and distribution. The key to realize the Digital Image of the physical world is to virtualize all four basic rules into the digital world. The information technology revolution has easily solved the Digital Virtual Image of Social Rules, Technical Rules and Market Rules, but it can't complete the most critical Digital Image of the Value Exchange Rule system, and people can't implement effective value sharing and value transmission according to the virtual rules of the Information Internet.