Part VII: Data breach notification requirements in the event of a security incident

Data breach notification refers to the obligation of the controller or processor of personal information, when a personal data breach occurs, to notify and report the breach to the relevant parties.

Data leakage is no small matter, and it is all but inevitable in the course of daily business operations. Once a data leak or a similar security incident occurs, it causes varying degrees of harm to the affected personal information subjects. The causes are varied: vulnerabilities in a network operator’s own systems, failure to update technical measures in time, deliberate attacks by hackers, and unauthorized operations or deliberate leaks by internal staff, among others, and they are difficult to eliminate or contain completely.

Therefore, the data protection laws of different regions and countries have written “data breach notification systems” into legislation to strengthen the management of data breaches, so that effective measures can be taken in a timely manner, the spread of damage can be contained, and the rights and interests of data subjects can be protected.

(1) Interpretation of China’s Personal Information Protection Law:

Articles 33 and 34 of the GDPR stipulate that in the event of a personal data breach, the data controller shall notify the supervisory authority and the affected data subjects. The controller must report the breach to the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to the rights and freedoms of natural persons. Where the breach is likely to pose a high risk to the rights and freedoms of natural persons, the controller should also immediately notify the affected data subjects of the breach.

Drawing on overseas data protection legislation, China’s Personal Information Protection Law has also adopted clear legal provisions that set out specific requirements for data breach notification:

1 Clarifying the circumstances under which the data breach notification obligation applies

The law requires personal information processors to perform the data breach notification obligation when (1) personal information is leaked; (2) personal information is tampered with; or (3) personal information is lost.

Judging from the current provisions, the circumstances that trigger data breach notification come down to two main points:

1. First, as long as personal information has been leaked, the notification system may need to be activated regardless of whether the information is sensitive personal information or general personal information;

2. Second, the specific scenarios that trigger notification are spelled out: leakage, tampering, and loss. The law does not specify a threshold for the amount of personal information leaked. In other words, whether the notification system must be activated is not decided by “quantity”; the qualitative questions of whether leakage, tampering, or loss has in substance occurred, and whether it is “dangerous to the data subject”, are the main criteria for initiating the data breach notification system.

2 Clarifying who bears the data breach notification obligation

Similar to the GDPR, in the legislative context of China’s Personal Information Protection Law it is the “personal information processors” that bear the obligation to notify data breaches; that is, the enterprises, organizations and individuals that have the right to, and can independently, determine the purpose and method of personal information processing are the subjects that must fulfil the data breach notification obligation.

3 Clarifying who must be notified of data breaches

With reference to overseas data legislation, China’s Personal Information Protection Law likewise divides the parties to be notified into two types:

1. The data supervision department: the department that performs personal information protection duties;

2. The data subjects themselves: individual users.

However, unlike some overseas data laws, China’s Personal Information Protection Law does not use the number of affected individuals or the scale of the breach as the basis for deciding whether to notify the data supervision department. It clearly stipulates that whenever personal information has been or may be leaked, tampered with, or lost, the personal information processor shall notify the department that performs personal information protection duties. Given that personal information supervision in China is still split among multiple authorities, the exact requirements and scope of notification to the data supervision department await further guidance from subsequent judicial interpretations and policy guidelines.

As to whether the “personal information subject” must be notified, China’s Personal Information Protection Law also provides a certain exemption. If the personal information processor takes immediate measures that effectively avoid the harm caused by the leakage, tampering, or loss, the processor that suffered the breach may refrain from notifying the individuals. Note, however, that the law sets strict conditions for this “opt-out of notification” exemption: the measures must be taken “immediately” and they must “effectively avoid” harm to the personal information subjects.

At the same time, the “opt-out of notification” exemption is itself restricted: where the department performing personal information protection duties believes the breach may cause harm to individuals, it has the right to require the personal information processor to notify them.

4 Clarifying what the data breach notification must contain

After deciding whether to initiate a data breach notification, what the notification must contain is another key part of the notification system. China’s Personal Information Protection Law also makes clear provisions on this; the notification should include:

1. The types of personal information that have been or may be leaked, tampered with, or lost;

2. The cause of the incident;

3. The possible harm caused by the incident;

4. The remedial measures taken by the personal information processor;

5. The measures individuals can take to mitigate the harm;

6. The contact information of the personal information processor.

5 Notification time limit requirements

The data protection laws of some of the more developed overseas jurisdictions lay down clear rules on the form, timing, and procedure of data breach notification. At present, China’s Personal Information Protection Law contains no fixed deadline such as “72 hours” or “two working days”; instead it requires “immediate remedial measures” plus “timely notification”.

The specific requirements for the form, timing, and process of giving notice after a data breach will also need to be clarified by further judicial interpretations, guidelines, and standards, so as to give companies more concrete practical instructions.

(2) Comparison of major overseas personal information protection laws:
