Criminal Legal Risks in Corporate Data Compliance and Suggestions for Prevention

Abstract: The application of big data facilitates every aspect of our lives, and many enterprises are therefore willing to use illegal means to obtain more data or to snoop on users' data through excessive privileges. However, the illegal collection, use and storage of data can expose an enterprise not only to heavy fines and the suspension of its business, but also to criminal liability, including imprisonment. How to handle data within the red line of the law and prevent possible criminal legal risks has become a problem that enterprises must solve today. Enterprises should take the current laws and regulations as their basis, standardize the collection, storage, use and transmission of data to avoid possible criminal risks, establish a data compliance management team, and thereby achieve sustainable development.

compliance, data security assessment compliance, data portability compliance, data crawling behavior compliance, data compliance in special industries, and so on.

Laws and Regulations Applicable to Enterprise Data Compliance
According to data from the United Nations Conference on Trade and Development, more than 100 countries have enacted data security protection legislation, and more than 40 countries have introduced corresponding drafts. [2] The EU adopted the General Data Protection Regulation in 2016, Japan enacted an amendment to its Act on the Protection of Personal Information in 2020, and Canada introduced the Digital Charter Implementation Act in 2020. This succession of new regulations marks the emergence of data compliance as a high-profile compliance risk area around the world.
China's legislation, too, has actively adapted to this trend. Data security has been given an increasingly important place within the scope of legal protection, China's data security legislation has entered a period of rapid development, and the country has formally entered an era in which the application and governance of data are governed by the rule of law. These laws and regulations have become the basic code for the data compliance programs that enterprises build today.

Criminal risks associated with access to information behaviors
An enterprise that illegally obtains citizens' personal information is suspected of committing the crime of infringing on citizens' personal information. For example, in the case of "Li and Zhang suspected of infringing on citizens' personal information", the defendant, a shareholder of a company, copied customer information to a USB flash drive before leaving the company and used it for another company's customer marketing. Because this was done without the authorization of the information subjects, it constituted the crime of infringing on citizens' personal information, and the defendant was sentenced for that crime in accordance with the law. [3] A company that obtains citizens' personal information by illegally accessing the information system of a government or medical institution is suspected of committing the crime of illegally obtaining computer information system data. In China's first data compliance case, the case of Z Network Technology Co., Ltd., Chen and others illegally obtaining computer information system data, the defendants used data crawler technology without authorization or permission and instructed a number of technicians to illegally obtain data from a food delivery platform, causing direct economic losses of over 40,000 yuan; the conduct was found to constitute the crime of illegally obtaining computer information system data. [4] Enterprises that acquire secret information of the relevant industry are likewise suspected of committing the offense of infringing upon trade secrets.

Criminal risks associated with the act of processing information
If an enterprise violates its data security protection obligations and refuses to make corrections, or causes serious consequences such as the leakage of large amounts of data, it is suspected of committing the crime of refusing to fulfill information network security management obligations. For example, in a case handled by the Shanghai Pudong New District People's Court, the defendant, Hu, rented domestic and foreign servers for illegal profit, produced and rented out the "Tushengsun" and "Forty-two" circumvention ("wall-flipping") software on his own, and illegally provided overseas Internet access services to more than 2,000 network users in the country. In March and June 2016, the Shanghai Municipal Public Security Bureau interviewed Hu twice and asked him to stop the network service. In October of the same year, the Public Security Bureau imposed administrative penalties on him, including an order to stop networking, a warning, a fine and confiscation of the illegal income. Hu refused to rectify the situation and continued to rent out the Tushengsun software, earning a total of RMB 236,167 in illegal income. [5] The court finally ruled that the defendant had committed the crime of refusing to fulfill information network security management obligations, and sentenced him to six months' imprisonment suspended for six months, plus a fine of 30,000 yuan.

Establishment of a dedicated compliance management department and data compliance team
The vast majority of multinational enterprises have set up the position of corporate data compliance officer or data protection officer at the request of the countries in which they operate, and 360 was the first large-scale Internet enterprise to appoint a chief privacy officer in China. [6] Some companies have instead embedded the compliance function in their legal departments, but there are many differences between corporate compliance work and legal work.
Legal work mainly deals with legal risks in business activities, such as liability for breach of contract or labor disputes with employees, so its code of practice refers mainly to laws and regulations. Corporate compliance, in addition to legal risks, must also deal with social responsibility risks arising from violations of ethical norms, such as loss of the enterprise's credibility, and so must also master industry guidelines and ethical norms. Its work covers not only the management of data protection but also liaison with regulatory authorities and data subjects, keeping abreast of the regulatory direction of data compliance at all times.
In addition, enterprises in specific sectors should set up professional data compliance teams in order to meet the management requirements of data compliance. Electronic data collection, storage and use are usually highly specialized; for example, the case publicized by the Shanghai Putuo District Procuratorate as the country's first non-prosecution decision based on criminal compliance in the data field involved the illegal use of web crawlers. The data compliance team should therefore also include professional computer personnel to assist in day-to-day work, so that professional and neutral compliance personnel participate in the development and implementation of the criminal compliance program, and the compliance responsibilities of enterprise managers are clearly delineated, ensuring that the criminal compliance plan is not merely shown on paper but implemented in actual work. [7] To summarize, as the saying goes, to forge iron one must be hard oneself. To prevent criminal legal risks, enterprises must first look inward for breakthroughs, close the loopholes within the enterprise, and form a working system that meets the requirements of laws and regulations.

Hierarchical categorization of existing data in the enterprise
With reference to the relevant provisions of the Data Security Law, data should be classified into general data, important data, core data, personal information, commercial secrets and so on, with a different governance regime matched to each level, so that the enterprise's internal resources are allocated reasonably and a compliance management system takes shape.

Identify different hierarchical management systems and develop a categorized governance system
Corresponding compliance management measures should be formulated for each category of data classified as above, and different hierarchical management systems established, so as to form a categorized governance system. For example, measures such as backup and encryption should be taken for important data; the cross-border transmission of data related to national security should be strictly restricted; and personal information that needs to be provided outside the country should be subject to strict legal procedures, a security assessment organized by the national cyberspace administration, and protection certification by professional institutions.

Review every aspect of data processing in its entirety
Data processing comprises the stages of data collection, storage and cross-border transmission, use and processing, provision and disclosure, and deletion. When processing data, enterprises should review each stage and assess its level of risk; problems found at any stage should be rectified in a timely manner; and the obligation to delete data collected in violation of the law should be fulfilled promptly to avoid compliance risks.

Reasonable allocation of internal resources to form a compliance management system
Following the workflow described above, enterprises can start from the three dimensions of data categorization, the data usage life cycle, and hierarchical data management, combine them with specific business departments and business lines, lay out a reasonable data management structure, and conduct data compliance training for internal personnel (including corporate executives) and external cooperating third parties, so as to gradually form an effective data compliance management system that can operate over the long term.

Conduct regular assessments of the effectiveness of data compliance management efforts
The first step is data compliance monitoring. When problems are discovered in the course of work, staff take the initiative to report them to the management department, which accepts the reports and refers them to the data compliance team for analysis and handling. This ensures that the enterprise's collection, storage, use and processing of data in its daily business activities comply with the data compliance requirements stipulated in the relevant laws and regulations of China.
The second step is data compliance auditing. This is performed by an internal independent audit department or entrusted to an external third-party auditing organization or professional law firm, which uses professional, systematic methods to review, evaluate and score the data compliance management of the enterprise's business activities, and issues a professional opinion. The audit explains each problem found one by one, categorizes the problems by risk level, and proposes corrective suggestions and measures for each risk.
The third step is the management review. Using the results of the audit in the second step as its criteria and taking the actual situation of the enterprise into account, the top management of the enterprise leads a comprehensive evaluation of the suitability, adequacy and effectiveness of the data compliance management system, and of the implementation of the data compliance policy and objectives.
In China, the Cybersecurity Law of the People's Republic of China was promulgated and implemented in 2017, followed by the Data Security Law and the Personal Information Protection Law. On the judicial side, the Supreme People's Court and the Supreme People's Procuratorate issued the Interpretation on Several Issues Concerning the Application of Law in Handling Criminal Cases of Infringing on Citizens' Personal Information, and the Supreme People's Court issued the Provisions on Several Issues Concerning the Application of Law in the Trial of Civil Dispute Cases Involving the Use of Information Networks to Infringe upon Personal Rights and Interests, to protect personal information.