Recent Law Enforcement Observations on Network Security, Data Security, and Personal Information Protection
Recently, an administrative penalty decision issued by a public security organ against a foot massage club has circulated widely online. The decision drew broad public attention because the public security organ based the penalty on the "Data Security Law" rather than the more commonly invoked "Public Security Management Penalty Law". The violation identified in the decision is that "the computer in this place stores the customer's name, mobile phone number, ID card number and other sensitive data without a password, does not establish a data security management system, and does not take necessary measures to ensure data security".
Coincidentally, two administrative penalty decisions recently issued by public security organs, one against a food operation department and one against a supermarket operation department, have also attracted attention, because the legal basis for the penalties is the "Cybersecurity Law" and the "Personal Information Protection Law" rather than the commonly seen "Food Safety Law" and "Consumer Rights Protection Law". The decision against the food operation department states that the violation identified by the public security organ is that "the internet service WiFi provided to customers is open, with only a simple password and no identity verification measures, and security technology protection measures are not implemented according to regulations, which constitutes a suspected network operator's failure to fulfill network security protection obligations". The decision against the supermarket operation department states the violation as follows: the supermarket, due to normal business needs, collected member information, including personal information such as names and phone numbers, but did not take corresponding security measures such as encryption and de-identification, and did not establish internal management systems and operating procedures. As a personal information processor, the unit did not take the above measures to ensure that personal information processing activities comply with laws and administrative regulations and to prevent unauthorized access and the leakage, tampering, or loss of personal information, which is considered a failure to fulfill personal information protection obligations.
Because the scenarios penalized above are quite common in everyday life, and the penalized units are ordinary shops of the kind found on streets and alleys everywhere, it is not uncommon for administrative law enforcement by public security organs to "fly into ordinary people's homes". The author then searched the relevant databases and found that the above cases are not isolated; they appear in batches. It is evident that public security organs (especially in some provinces and cities) have recently stepped up administrative enforcement on network security, data security, and personal information protection, and the deterrent and social effects of this enforcement are also very obvious.