From control to utilization: the transformation of the data governance of criminal law

Abstract: Data security and data sharing are the basic goals of data governance. Affected by the concept of data empowerment, the current criminal law adopts the control mode, focusing on the prohibition of "acquisition", "leakage" and "stealing" data, and in order to prevent abuse of abuse. The control mode ignores the public product attributes of data, which cannot comprehensively and effectively protect data and benefits. As a result, it is impossible to effectively maintain data security and it is difficult to achieve data sharing. The purpose of regulating the use of abuse of behavior is the real direction of the adjustment of the data governance model of the criminal law. The use model can be implemented based on the following paths: special terms of setting up the general rules of the Criminal Law, and the explanation of the data legal benefits of the guidance points; appropriate restrictions on the legislation of the control mode, exert the independent value of data; increase the crime of abuse of algorithms, illegally provide algorithm services, and make up for the current criminal law specifications The regrets of lack of supply; actively exploring the illegal obstruction of data crimes, and avoiding the realization of the realization of data sharing due to excessive intervention of criminal law.

Keywords: data security Data legal interest and criminal law control mode Utilization mode

The author changed it, professor of Kaiyuan Law School of Shanghai Jiaotong University (Shanghai 200030).

Source: "Chinese Social Science" 2022, No. 7 P56-P74

Editor in charge: Li Shumin

Data refers to any records of information in electronics or other ways. With the advent of the data era, massive data has stimulated the creativity of the whole society, greatly enhanced the vitality of society and market, and has become a highly noticed basic and strategic resource. At the same time, a large number of illegal acquisition, disclosure, and data abuse of data have emerged endlessly, which has seriously hinder the healthy development of society and economy. To ensure data security and promote data sharing, it has become the basic goal of global data governance, and it has also become an important criterion for the allocation of data resources and obligations globally globally. Based on actual needs, all countries and regions have continuously updated legislation, or passed a special data protection bill, or the legal rules of data governance in accordance with the existing relevant bills, and my country is no exception.

The Opinions on the Construction of a more complete factor market -oriented system mechanism issued by the Central Committee of the Communist Party of China and the State Council in March 2020 clearly stated that it is necessary to accelerate the cultivation of the data factor market, strengthen the integration of data resources, enhance the value of social data resources, and cultivate a new digital economy. Industry, new formats and new models, establish a data security protection system. The "Recommended and Management Regulations on the Recommendation of Internet Information Service Algorithms" jointly issued by the National Internet Information Office and other four ministries and commissions in December 2021 provides a policy basis for regulating the recommendation activities of Internet information service algorithms and promoting the healthy development of the Internet. However, due to the influence of the concept of empowerment, my country's criminal legislation and justice regarded data mainly as the carrier of personal rights and the extension of individual freedom, which focused on safeguarding the security of the right of rights for data. Not enough, leading to the setting of relevant criminal law specifications from the needs of social and economic development, many problems in the field of data security protection have occurred, resulting in the legitimate rights and interests of the regulatory of criminal law. Cultivation. How to guide national data governance policies through improving the legislation and interpretation of criminal law, to promote the effective conversion of the data governance model of the criminal law, and to achieve the collaboration and balanced development of security maintenance, free protection and technological progress is a major criminal law problem that needs to be solved.

1. The current model of criminal law data governance

The task of criminal law is to protect the benefits of the law, and the law is the cornerstone of the criminal law and the criminal regulation system. However, there are no criminal norm systems in my country's criminal law as the core. The current criminal law -related crimes are scattered in different chapters, which are presented through different crimes and types of behavior.

(1) The current criminal law data governance system

1. System: Direct protection and indirect protection

From the perspective of the crime system, the criminal law points mainly use direct and indirect protection methods for data. Direct protection is directly protected by data as criminal objects. For a long time, the protection of the profit of the criminal law for data law is limited to the security of the computer information system. It was not until the Criminal Law Amendment (11). Expansion is extended by the crime of hacking social management order to endanger the crime of public security and the crime of destroying the order of the socialist market economy. Indirect protection is to use the specific information, secrets, certificates, or certificates that indicate the content of the data as the object of criminal objects. Its scope covers many fields such as politics, economy, and military, and the protection of the protection of national security, public safety, market economy order, citizen personal rights, property rights, and social management order.

In general, the current criminal law system presents the following characteristics: (1) In direct protection, the scope of the data involved is extremely narrow, which is limited to "computer information system data", "citizen personal information", "direct production safety monitoring, alarm, protection, protection, protection , Life Equipment and Facilities Related Data "and" Data Related to Drug Registration "; (2) In indirect protection, legislative purposes clearly focus on the protection of national legal and social law, reflecting key maintenance and order of safeguarding safety and order. Legislation of interests; (3) both protection methods use data as criminal objects. Independent data legal benefits do not exist, and the nature, hierarchy, type, and functional positioning of the data are not clear.

2. Behavioral type: The existing crimes of disconnection and incomplete criminal law have not failed to protect all stages of the data activity, but only stipulate the following types of illegal behavior: (1) the behavior of fabrication or dissemination of false data (such as fabrication and and The crime of disseminating false information of securities and futures transactions); (2) behavior of deleting, tampering, concealing, or destroying data (such as dangerous homework); (3) behavior of illegally obtaining or leaking data (such as infringement of citizens' personal information); 4) Actions that illegally use information or data (such as using uninterrupted information transactions). Among them, the behavior of prohibiting fabrication and providing false data protects the authenticity of the data, not the data legal benefits that exist. Really closely related to the latter, the integrity of the data, the confidentiality of the data, and the availability of the data. The above types of illegal types indicate that the focus of criminal law governance lies in the illegal acquisition behavior of data rather than abuse of behavior. In this regard, the current criminal law stipulates that the protection of data legal benefits is undoubtedly broken, and the types of illegal behavior also significantly present incomplete characteristics.

(2) The current criminal law data control mode

Data sharing and data security are the basic goals of data governance. Data sharing is achieved through data processing, including data collection, storage, use, processing, transportation, provision, and disclosure; and data security refers to The ability to ensure continuous safety. It can be seen that data security includes data control security and data utilization security. Among them, data control security reflects a concept of empowerment, which focuses on protecting the control of data subjects for data. Data utilization security reflected the concept of free use, which focuses on protecting the security of data in each processing stage. Based on this, the protection model of the criminal law on data security can be divided into data control security protection models and data use security protection models. For the convenience of writing, these two modes are referred to as data control mode and data utilization mode for this article. From the characteristics of the data control mode, my country's criminal law adopts this model.

First of all, in terms of regulatory concepts, strive to achieve pre -protection of data utilization security through the maintenance of data "static security". Taking the crime of invading the computer information system as an example, many acts that infringe on the computer information system through tampering, deleting or destroying data are designed to implement criminal crimes such as financial fraud, theft, corruption, misappropriation of public funds, and theft of state secrets. Criminal law can protect the benefits of relevant laws by protecting the security of data. For another example, the personal information of citizens is usually closely related to the personality of citizens or property interests. In most cases, simply obtaining or leaking such data will not directly harm the relevant interests. However, because it may become the source of data abuse, it is possible to protect the personal, property safety, and normal work and life of citizens in advance by prohibiting such behaviors. It can be seen that the data control mode is a pre -prevention mechanism that aims to prevent the danger of data abuse that may be caused by data leakage or illegal acquisition.

Secondly, in terms of regulatory priorities, by restraining illegal acquisition or leakage data, weakening data subjects to weaken the degree of control of the data of the data, and strengthen the control of the data subject to the data. This is reflected in the current criminal law and related interpretations as three points.

The first is to directly protect the control of the data of the data by actively prohibiting data theft and leakage behavior. According to the traditional concept, strengthening the control of the data subject for data is considered to be the most effective way to strictly protect the interests of the data subject. In my country's criminal law specification system in China, the illegal acquisition or leakage of data is prohibited from the vast majority of the criminal specifications of data involving data. For example, in the crime of national, business or military secrets as the object of protection, all regulations are illegal acquisition or leakage of secrets.

The second is to indirectly strengthen the control of data subjects by prohibiting deletion, tampering (modification), concealing, destroying, increasing, and interference data. Because the analysis value of data is generated in the continuous combination, peeling, and aggregation, "in the analysis stage, processing may also lead to changes in data. For example, create a new data data set by combining Converting them into 'anonymous' data ", which causes internal tension between the integrity and availability of the data. By prohibiting the protection of data integrity by prohibiting deletion and modification of data, it will inevitably lead to weakening data availability. The existing criminal law is prohibited from increasing, deleting, modified, and destruction of data. In order to protect the integrity of the data, it is actually an indirectly enhanced data control of the data to control the data.

Third, when explaining the constituent elements of data crimes, the color control mode is also highlighted. The current criminal law does not stipulate the general terms of protecting data and benefits, resulting in a large number of violations of data. It is difficult to be punished. In order to get rid of this dilemma, through the explanation of the connotation of the expansion data and the scope of its carrier, it has become a general practice in the practice world. On the one hand, the relevant judicial interpretation defines the connotation of the computer system as a system with automatic processing data function, so that the range of the data carrier is expanded. On the other hand, the new recent judicial jurisprudence broke the tradition of previously limited the protection objects as "identity" certification data, and the act of stealing virtual property as the crime of illegal invasion of computer information systems. For the deletion of personal information that is difficult to evaluate as the crime of illegally acquiring the personal information of citizens, it is evaluated as the crime of destroying the computer information system. These practices eventually caused the aforementioned two crimes to be reduced to "pocket crimes." Under the premise that the current criminal law aims to maintain data control security, this will undoubtedly further strengthen the color of the data control mode. Finally, in terms of regulatory scope, respect the wishes of the data main body, and use the "knowledge consent" as the reason for the obstruction of data acquisition and use of behavioral violations. The legislation of the data control mode actually gives the data subject to the exclusive rights of data, except for national secrets (such as national core data related to national security, national economic life, important people's livelihood, major public interests, etc.) In addition to the special types of specific transfer, if the data subject consent is obtained, any behavior of obtaining or using data in principle is legal. The basis for this treatment comes from the provisions of the various pre -departmental laws. For example, Article 29 of the "Consumer Rights Protection Law" and Article 41 of the "Cyber ​​Security Law" clearly clearly clearly determine that consumers' consent and collector's consent are used as the legal conditions for collecting and using relevant data. Article 32 of my country's "Data Security Law" stipulates that any organization or individual may steal or obtain data in other illegal ways. In the justice, the focus of the controversial focus of the case of "Sina Weibo Case" and "Zhu Xi v. Baidu cases" focused on whether the acting of data acquisition requires the consent of knowledge, whether there is an consent of informedness, and the consent of informed consent.

(3) The basis for the data control mode

The reason why the current criminal law adopts the control model is the basis of corresponding theories, reality, and legal policies.

1. Theoretical basis: data rights attribute

The data worthy of protection can be controlled by only the corresponding subject, and it is actually projected by the personal law concept in the criminal law. For a long time, the rights of rights in the private law have prevailed, so that those legal status that is protected only through specific commands or ban has also been regarded as rights. Emphasize the country's protection obligations. When determining the attributes of the data, it is a right that can fight against unspecified subjects or a state -protected rights. There is a significant difference in the academic community, thereby forming a dispute between the rights attribute model and the equity attribute model. Among them, the rights attribute model affirmed the exclusive belonging relationship between the data interests and the specific subject. Whether the subject is government, enterprise or private, only specific subjects can implement data such as storage, processing, and use, and other subjects shall not be implemented. This model regards data interests as a kind of exclusive right, emphasizing an absolute exclusive dominance between the rights subject and its possessive and controlled data. This understanding is reflected in the issue of data governance, which is manifested as the focus of data protection on the control security of data, that is, the data control mode is adopted. Decided by the exclusiveness of exclusive rights, the limited contact attribute of data is the logical starting point of the mode.

On the contrary, if data interests are regarded as a protected right of the country, that is, the use of equity attribute models, a third -party body in addition to the data subject can also share certain data benefits and requires when the interests are damaged. The law provides relief. For example, my country's legislation does not give business secrets with rights attributes. Regarding the act of infringing business secrets, the owner of the business secrets and the use of business secrets can be used as the owner of the interests of commercial secrets. People with business secrets bear the liability for infringement.

It can be seen that different data attribute models can lead to different social effects: under the mode of rights attributes, in principle, other stakeholders are prohibited from sharing this interest; in the equity attribute model, in view of the fact that the private law emphasizes that "law cannot be prohibited from freedom", except In addition to the laws, data sharing is not prohibited in principle. The equity attribute model is reflected in the data governance of the criminal law, which means that the focus of data protection should be placed on the regulation of the use of data.

2. Practical motivation: Independence, supplementary protection of data legal benefits

Because the criminal law has not set up the general terms of independent protection of data and benefits, whether the data can be protected, depend on the specific legal benefits behind it, and whether the criminal law has set the clauses to protect the legal benefits. With the development of big data technology, the various new types of infringement of the data itself are endless. If the traditional protection model is continued, the current criminal law specifications that cannot meet the needs of data governance will be difficult to get fundamental improvement. In this context, recognition of the independence of data legal benefits and the necessity and legitimacy of its protection have gradually become the consensus of all sectors of criminal law. Before the legislative response has not yet actively made, in order to avoid penalties, the theoretical and practical circles mostly advocate that the protection of the security crime of computer information systems is data security, and then based on the purpose of protecting the benefits of the data and expand the scope of the data of the data and the scope of the carrier. Explanation, that is, breakthroughs in the "computer information system" and "computer system" of the criminal law, expand the data of such criminal objects to all data. This kind of interpretation of the objective purpose of responding to the needs of social life, on the one hand, so that the data benefits are no longer attached to the security of the computer information system, and the independent protection of data legal benefits has been achieved. Crimes have become the clause of the pocket and realize the supplementary protection of data legal benefits. 3. Policy appeal: Reinforcement of data abuse risk premature prevention

With the arrival of risk society, the concept of risk prevention is valued. "Although there is no damage to legal and benefits, as long as it is threatened by dangerous behavior, it can be affirmed that criminal illegal existence can be affirmed." This produces "it is necessary to act as a legal infringement in danger. Active Criminal Law legislation of criminal punishment. The criminalization of obtaining or leaking data should also be understood under the concept of the legislative concept. For example, for illegal acquisition of personal information of citizens, although the protection of the crime can be explained from the perspective of personal information independent decision, the relevant leakage or sale behavior "serious threats to the personal, property security and personal privacy constituent" is only the case. " The legislators set the substantial reason for the crime. In other words, the purpose of the norm of crime is to combat the crime of infringing on personal information such as citizenship such as selling, providing, and illegally acquiring personal information of citizens, and cutting off the chain of crimes such as telecommunications network fraud to prevent and reduce the occurrence of crimes from the source. For another example, the "Criminal Law Amendment (11)" has added a crime of hazardous homework to criminal data behavior of "tampering, concealment, and destruction". It should also be involved in advance to prevent punishment for such crimes.

2. Internal defects of Criminal Law Data Control Mode

As the basic goal of data governance, the data security and data sharing sub -data protection are both ends. On the balance of interests, the control mode puts the weight of the data on the static security (data control security) end of the data, which undoubtedly played an important role in the protection of data security. However, due to its excessive reinforcement data control, whether this model can help achieve the basic governance goals of data security and data sharing, it is not doubt.

(1) Public product attributes that ignore data

With the value orientation of civil law from a pure personal standard to the social standard, the "social construction attributes" of the concept of rights are increasingly prominent. The concept of empowering power needs to be integrated into the social public interest gene, which has become a social consensus. In the context of the context of this kind of legal value focus, "in addition to the subjective purpose of individuals, in addition to holding various heterogeneous subjective purposes, it always shares the same or similar subjective purpose and interests in different content, scope and extent". " Essence In view of this, while recognizing the private rights attributes of data, it is necessary to face up to the public product attributes such as the interaction, sharing, and publicity of data to release the public value of the data. However, the control model has ignored the public attributes of the data and led to many disadvantages.

1. Ignore the legitimacy of the diverse subject

The current over -emphasis on the privacy of data or the right to data control has ignored the reality of multiple legitimate interests of other subjects in the same data. Taking the personal information that is most closely related to citizens, the chapter of the "civil rights" of the Civil Code clearly protects personal information as rights. According to Article 1034 of the Civil Code, the "recognizable" information that "can be able to identify specific natural persons with other information alone" is the essential attribute of personal information. However, "recognition" is actually a relationship of relationships rather than data and information. This is because: first, "recognition" reflects the relationship between individuals and others. The pursuit of information "recognizable" is not inherent, but the needs of social interaction. "To enter society or participate in social activities, you need to disclose and disclose your identity to others. Closing personal information means isolated from the world. From the perspective of society, society also needs to use personal information provided by individuals and scattered all over the place. , Personal information that can be collected to understand and judge someone. " Since "recognition" is the correlation between individuals or society or society, when protecting personal information, it is necessary to consider the legitimate interests of information recipients. Second, "recognition" reflects the relationship between individuals and information. "Recognized" means that data can be realized directly or indirectly through relevant data. However, whether it is directly locked or indirectly locks, it does not indicate that the relevant information indicated by the data has a corresponding relationship with the individual, but it does not mean that these data must be attributed to individuals. For example, different people can use the same name. Therefore, the information of "identifying" is not the inherent characteristics of data, and it represents a category of self -and others. It simply emphasizes that the private rights attributes of data are not enough to reveal the essential characteristics of the data. 2. Can't effectively achieve the value goal of "data sharing"

Data can be used as a private right object, which is limited to contact, but this is only the characteristics of non -functional data, rather than the commonality of all data. On the one hand, the limitation of data is the product of the data after the legal specifications, not the characteristics of the information or data itself. On the other hand, from the basic value orientation of legal order, information disclosure is the principle, and the exception of the contact and use of data to restrict data is the exception. For example, the "Regulations on the Disclosure of Government Information" stipulates that information disclosure is the principle of information disclosure in addition to information involving state secrets or may endanger national security, as well as information that involves business secrets or other people's privacy. Even the state secrets are limited by restrictions on their restrictions through regulations. In this regard, Article 15, paragraph 2, paragraph 2 of the Secret Law stipulates that the confidential period of the state secrets, except for other regulations, does not exceed 30 years, the secret level does not exceed 20 years, and the secret level does not exceed 10 years. In addition, promoting data circulation is an important value of data empowerment. In addition to the traditional privacy authorization model of privacy rights putting the focus of data rights in the negative defense function of personal information, whether it is the empowerment model of personal information self -decision rights or the power of property rights The method of actively punished the data, "the right to motivate data to actively share or transfer its legitimate data rights." In the data control mode, "Data Sharing" first encountered obstacles in concept.

(2) It is not feasible in social policies

1. Increasing corporate transactions, innovation costs and criminal legal risks

To develop the country, the society must improve, and the orderly circulation of data and information is a basic condition. The basic concept of data control mode has the tendency to achieve the basic conditions of hedging. On the one hand, the data control model has increased the cost of enterprises and individuals to obtain data. In the data control mode, the principle of informed consent is the basic principle of data collection and utilization. However, in the face of massive data, each data requires each data to obtain an ahead of time. Development is therefore necessary to distinguish different data types and adopt different processing rules for whether it is identified and derived data. On the other hand, the data control model allows enterprises to face higher criminal legal risks. Because the main body that is truly capable of collecting and analyzing the data is the government and enterprises. If the protection of data control is comprehensively strengthened, all data acquisition and utilization behaviors agreeing with the consent of the data rights or controller will constitute illegal acquisition illegal acquisition The possibility of computer information system data or illegal acquisition of personal information.

2. Weakened social governance ability

If the nature, type, and level of the data are not divided, the data flow and secondary use will be prohibited, which will inevitably affect the enhancement of social governance capabilities. First of all, if the big data cannot be effectively used for dynamic analysis and response, the probability of public policy decision -making will lack realistic pertinence, which is not conducive to the accuracy of social governance. The governance efficiency of the public information in the epidemic prevention and control gives a very convincing endorsement of the impact of the control mode. Secondly, if related data cannot be effectively used, convenient public services will be limited, which will inevitably increase citizens' time costs, economic costs, and social exchanges. Finally, the data control mode hinders the data sharing of multiple subjects, which makes it difficult to evaluate and correct relevant governance decisions in a timely manner. It is impossible to construct a model that responds to the corresponding models in response to various problems, which is not conducive to promoting the modernization of national governance.

(3) It is difficult to effectively protect the effectiveness of the data control mode of the data and benefits of data, and is constrained by specific prerequisites. First, at the factual level, the data main body has the ability to control all data related to its interests. Others can only obtain relevant data through the "knowing consent" method of rights subject. Second, at the standardized level, obtaining illegal data acquisition can effectively evaluate data abuse. However, with the iterative upgrade of scientific and technological changes, the prerequisite for supporting the performance of the data control mode is gradually disappearing. Relying on the control mode alone cannot truly achieve effective protection of data legal benefits.

1. Insufficient data subject equity protection

Relying on the concept of data empowerment, the control mode is based on the data control mode with the principle of "knowing consent" as the core. Instead of strengthening the security of citizens' personal information security, the data right holder is facing great risk. On the one hand, the subject of data rights and data users have significant inequality at the economy, society, and technical level, which makes it lack the bargaining ability between the data right subject and the user. On the other hand, the principle of "knowing consent" that strengthens the control of rights in real life often flows in the form, because the user agreement that informs the user rights and obligations is not only too complicated, but also "for the use of the corresponding network products or services, users are clicking on clicking There is often no choice when consent, and the incompetence of the transaction status has greatly reduced the authenticity of consent and the knowledge of privacy declaration. " In other words, in the context of big data, due to the lack of bargaining ability of the data of the data, the behavior of data users' abuse of data can instead can use the principle of "knowing consent" in the data collection stage to be properly turned, which leads to the ultimate bearing of the risk of data abuse. Improperly shifted from users to the subject of rights.

2. Inadequate criticism of criminal law

Criminal Law stipulates that illegal acquisition of personal information and illegal obtaining computer information system data crimes cannot achieve sufficient evaluation of data abuse. On the one hand, the abuse of data abuse of large data and induction consumption in reality is becoming more and more common, and its harm is no less than the illegal acquisition behavior of data. On the other hand, there is a significant difference in illegal acquisition behavior and illegal acquisition behavior objects objects objects objects. Taking the stolen property and use as an example, the criminal law generally only evaluates the stealing behavior of property, and the subsequent use behavior belongs to an inseparable post -afterwards. Because after the offender illegally obtained property, due to the non -copyright and possession of the property, the ownership of the right holder was deprived of the property ownership of the property because it was difficult to exercise normally. Different from this, simple data acquisition behaviors are only obtained by obtaining data, and the excavation and utilization behavior behind the data behind the data has not been implemented. These behaviors may be very different from the harmfulness of acquisition. necessary.

3. Incarishment of crime and punishment

Compared with dangerous criminals, preparations, and helping criminals, criminals, criminals, and righteousness are undoubtedly more serious in the degree of illegality and crime. Judging from the requirements of the principle of balancing of crime, if the legislators criminalize the pre -category behavior, the necessity of crimeization of post -categories should be higher, and the legal punishment should be heavier. In this way, the current regulations on the criminal law on data crimes can be described as obvious. The reason is that the acting of data acquisition and leakage is only the pre -active behavior that attracts the risk of data abuse, rather than the actual harmful behavior of the actual infringement of data and benefits. However, the criminal law is upside down, and the focus of regulation is on illegal acquisition instead of abuse of behavior, which undoubtedly violates the principle of crime equilibrium. Take a step back, even if the crime of illegally acquiring the personal information of citizens and illegal obtaining computer information system data is used as the general terms of data crime, as a dangerous prisoner, its legal punishment is light, and its punishment is abused Behavior is still difficult to achieve the corresponding level of punishment and the degree of harm.

Third, the steering of the use model of criminal law

Because the realization of data value is based on data circulation and data sharing, data sharing is not only the orientation of national economic and social policies, but also the objective requirements for the pre -laws such as civil law and administrative law to take into account data circulation and realize the configuration of data benefits. Because of this, Article 1 of the Data Security Law is one of the core tasks of "promoting data development and utilization" as one of its core tasks. The legislative mode of strengthening data control security not only conflicts with the aforementioned requirements at the concept level, but also in fact also has negative consequences of improper restrictions on data sharing. In view of this, acts of data abuse and data acquisition, leakage, tampering, deletion, etc. are placed under the evaluation of criminal law, and the governance mode is adjusted from the control mode to the use mode. Essence

(1) The characteristics of data utilization mode

In principle, the data utilization mode does not prohibit others from obtaining or using data. Instead, through the method of regulating the abuse of data abuse, taking into account the interests of the data subject and the interests of data users, in order to release the social value contained in the data as much as possible, as much as possible Essence Its characteristics include the following three points.

First, in terms of regulatory concepts, the data utilization model aims to release the social value of data through the maintenance of data "moving security". Because sporadic data generated by a single data subject usually lacks analytical value, and the data sharing of data with the re -collection and utilization of data has become the key to realizing the data economy and social governance. The maintenance of data "static and secure" only gives the data subject to negative defense rights, and it does not make it directly obtain the positive value contained in the data. Starting from this, the data use model values ​​not the static control of the data on the data, but the dynamic use of data analysis, sharing and other dynamic use behaviors and processes, thereby releasing the social value contained in the data. Second, in terms of regulation, the data use model focuses on data abuse. Because the rich information contained in the data is inseparable from the analysis and sharing of data, the data utilization model must attach importance to the social and economic value of the data, and the weakening of the data subjects emphasized by the data control mode to control the data control or exclusive possession of the data. This does not mean that this model no longer pays attention to the maintenance of the interests of the data subject. Renning, it is the way to guide data users to use data reasonably by changing the regulation to the behavior of data abuse, so as to achieve a more comprehensive maintenance of the interests of the data subject. Because the value of the data lies in the analysis and utilization of data, simply obtaining data without using or using behavior is "legitimate interest exemption", and it will not harm the interests of the data subject. The legislation of the data control mode is to achieve the pre -improvement of data abuse behavior by restricting data obtaining behavior. In this case, instead of being widely protected by data acquisition of data, it is better to achieve the interests of multi -party subjects by prohibiting data abuse by prohibiting data abuse.

Third, in terms of legal policies and demands, through establishing a new risk distribution mechanism, the data utilization model can take into account the interests of the data subject and the interests of data users. Under the traditional data control mode, the legitimacy of the data utilization behavior is mainly based on the knowledge consent of the data subject. However, the principle of informed consent is easily alienated into the exemption of data for data users, causing data subjects to be forced to bear the risk of data abuse. In contrast, in the data use mode, because the focus of data governance lies in data utilization behavior, data users cannot justify their use behavior by obtaining the "knowing consent" of the data subject. ——The data subject undertakes the risk of data abuse and data users can enjoy the benefits of abuse of data -it will be effectively reversed, and the risks that should not be borne by the data subject will be returned to the data utilization party. The conversion of this risk liability will cause data users to limit it as much as possible in a reasonable range when using data, thereby making the interests of the data subject and the interests of data users take into account.

(2) The basis for data utilization mode

1. Theoretical basis: unity of law order and humility of criminal law

Public product attributes of data are the basic principles of the data governance model of criminal law. However, from the perspective of criminal law, the fundamental reason for the use of models to protect the best model of data legal benefits is not the inherent requirements of the public product attributes of data, but the unity of law order and the humility of criminal law. On the one hand, the order of legal order should be unified to achieve the coexistence of multiple interests, "enables their respective purposes and (carried) legal principles to be in an appropriate proportion relationship." Because the legislation of the control mode blindly emphasizes the control of the right of the right to data, the benefits of other subjects using data must be difficult to ensure. Only by focusing on the protection of data legal benefits can we not only ensure the realization of data sharing benefits, but also to maintain the interests of the data subject through regulatory data abuse, so as to be the requirements of the uniformity of legal order. On the other hand, the criminal law should be humble, and the legislation of the data utilization mode meets the requirements. The purpose of the criminal law is to protect the benefits of the law, but the criminal law does not punish all the behaviors that cause the damage to the legal benefits, but to limit the punishment object to the act of improving the degree of illegality. In view of the simple data leakage, it does not directly damage the interests of the data subject, and subsequent data abuse is possible, so only the latter has the necessity of punishment. The legislation of the data use mode is more in line with the inherent requirements of the humility of the criminal law.

2. Based on value basis: balance between security, freedom and science and technology

Balanced security and freedom to promote social development is an important goal of criminal law data governance. In the information society era, data has become an important productive for "stimulating the creativity and market vitality of the whole society, promoting the quality of economic development, changes in efficiency, and dynamic change". "The large -scale collection, processing, reporting, and even transactions of data is the essential requirements of data activities. It should not be simply standing on the user's position, protecting personal information in order to protect personal information, and simply restrictions on data activities." The current criminal law data governance system is lagging behind data utilization practice, which is almost completely focused on the rights of the data main body, and does not fully consider data flow, data sharing and data transactions. This leads to excessive protection of personal data rights on the one hand, on the other hand, insufficient protection of digital flow and the development of digital economy based on this, thereby destroying the balance between security, freedom and science and technology. On the contrary, if the focus of protection is placed on data utilization behavior, it can not only avoid the disadvantages of the traditional control model that limits the value of data utilization, and avoid the infringement of data illegal behavior on the rights of data subject. The goal of criminal law based on the value order of the constitution should be to ensure the balance of public welfare and legal order through the protection of legal benefits, and to achieve its protection purposes based on retribution and prevention theory under the new technological environment. The positioning goal of personal information processing behavior to prevent abuse helps to achieve the above purposes. 3. Policy basis: data value, user rights and criminal law tasks

The production, circulation, and analysis of data have become the core of the data economy. The socialization and market -based utilization system of data resources is the basis of the development of the data economy. In this regard, the data utilization model also has its legitimacy in terms of governance policies.

First of all, as the digital economy has become an important engine that promotes the high -quality development of the national economy, the value of data use is increasingly valued, and the transformation trend from data control to data use has appeared. From the perspective of foreign legislation, on the one hand, legislators pay more attention to the positive value of data rights. In recent years, whether it is Europe or the United States, from the perspective of realizing the positive value of data, users have allowed users to sign and use agreements with data operators. On the other hand, on the issue of data protection, the relatively trend of data protection has occurred. Europe has not regarded the autonomous decision of data information on data as an exclusive absolute power, and the United States' criminal regulations on data crime have shown a gradual tendency. For example, the judgment of data capture and use behavior is "authorized", a considerable number of jurisprudence adopts a relatively loose identification standard.

Secondly, adjust the data protection mode to the data utilization mode to meet the inherent value demands of the front method. In the order of the overall law, the criminal law is a means to achieve the protection of legal interests, and is only in the position of guarantee or supplementary law. It is determined by the Institute of Positioning of Criminal Law, which is a series of issues such as legal benefits and how to distribute legal benefits between different subjects. In principle, it is determined by the pre -laws such as civil law and administrative law. Although the Civil Code only stipulates that "the protection of data and online virtual property in the network is stipulated, in accordance with its regulations", there is no positive clarification of the attributes of the data, whether it is adopted to adopt the rights attribute model or the equity attribute model, none of them, none of them are one of them. Excisely emphasize that data users should be given corresponding rights and interests. This shows that in the case of the possibility and necessity of the coexistence of multiple rights on the data, the focus of data governance should be shifted from controlling data circulation to avoid data abuse. Conflict.

Finally, the focus of data security regulation is turned to data utilization, which is in line with the task positioning of criminal law. The task of criminal law lies in protecting the benefits of the law. Only by acting in danger of urgency to the law and benefits can it be necessary to regulate the criminal law. Generally speaking, data leakage or data acquisition does not directly lead to the danger of urgency. Only when the data is used can it affect the personality and property benefits above the data. Therefore, for the maintenance of data security, the shift from the control mode to the use mode can fully evaluate different nature and type data infringement behaviors, which is in line with the functional positioning of criminal law as supplementary legal benefits protection tools.

The above analysis shows that proper restrictions on control mode legislation and strengthening the use of model legislation are the correct direction of criminal law data governance. Of course, the data utilization mode does not exclude the control mode legislation, but only believes that it should be restricted to a specific range and exist as an exceptional mode. As an institutional arrangement, the data utilization model, under the premise that the data subject has right to the data, transforms data into public products, promotes the full circulation of data, thereby maximizing its social value.

Fourth, the use of criminal law data utilization mode to realize the path

The construction of the data utilization model belongs to a systematic project and should take into account different needs. In terms of governance principles, there should be a proportional proportion of the principle of proportion and balance to ensure that the governance goals of data security are intended to be adopted to achieve the dynamic of personal data rights protection and data flow, and the development of digital economy development. balance. In the governance mode, the application of the application of the control pattern legislation should be clearly clear and the scale structure of the use mode legislation should be clarified. In terms of implementation methods, legislation and interpretation should be adhered to in parallel, and the system effects of criminal law specifications should be given full. In terms of governance, it is necessary to ensure the sufficient supply of criminal law through the way of crimeization, but also actively explore the cause of illegal barriers to avoid excessive supply of criminal standards. (1) Special clauses to guide the explanation of data law and benefits in the General Provisions of the Criminal Law

The value of the data lies in the information it contains. Different information, the legal benefits carried by the data are naturally different. According to the different attributes of legal interests, the criminal law points specifies different criminal norms. However, it is not difficult to find out that the existing norms can be found that any or one type of crime specification cannot exhaust the legal benefits carried by the data. In fact, it is not expected that the legislators will set the specific charges corresponding to the traditional crime for the data. Based on this, the protection of data legal benefits should still be based on the interpretation of the criminal law and interpret the behavior worthy of punishment and punishment as a crime to ensure that the supply of criminal punishment specifications is sufficient. To this end, it is necessary to set up a special terms in the General Principles of the Criminal Law to guide the explanation of data legal benefits. This clause should help achieve the following two functions.

The first is to determine the nature of data infringement based on the legal and interest attributes of information containing information. When the criminal law does not set up a element of some kind of infringement of data legal benefits, but when such behavior has caused serious consequences, the nature of damage and interests and relevant criminal law stipulates that by expanding the explanation of punishment data abuse behavior. Because "the data contains the personality dignity, freedom value, commercial value, and public management value of the data main body," this state of multiple interests determines that some of the legal benefits of the data bearer cannot exclude the existence of other nature and legal benefits. For example, as far as the QQ account and their passwords or Alipay accounts and their passwords are concerned, although they are all "identity certification" protected by illegal obtaining computer information system data crimes, this does not prevent it from being "able to be alone or with other other with other other with other. The personal information of information combined with identification of specific natural persons ", if there is deposit in the account, the aforementioned information can also be evaluated as the carrier of property legal benefits.

Second, when related data has multiple legal benefits, determine the criminal law specifications that can be funded in accordance with the main legal interest attributes. For example, the qualitative of illegal theft of virtual property behavior has always existed in the dispute between data crimes and property crimes illegally obtaining computer information systems. The focus of dispute is the nature of virtual property. Since the ontology of virtual property is data, if the protection of the protection of the data of illegal obtaining the data of computer information system is expanded as data security legal benefits, of course, it is possible to apply illegal acquisition of computer information system data crimes. However, there is a problem with the processing plan: on the one hand, the virtual property with property attributes is only regarded as data, ignoring the property interests carried by the data; on the other hand, illegally obtaining the data of computer information system data as the general terms of protecting the data of data legal benefits, In terms of statutory punishment configuration, it is impossible to take into account the data of various attributes, which may lead to imbalance in punishment. If the virtual property of others is stolen, the provisions of the property crime should be applied to the explanation of the extension of the property. Different from this, although the data in the database collected by an enterprise is also economic value, for theft or deleting such data, it should not only be evaluated from the perspective of property legal benefits. Essence Because the relevant data collected by enterprises has certain economic value, these data mainly serve the production and operation activities of the enterprise; and the behavior of enterprises collected and analyzed related data is to enhance market competitiveness. Therefore, the behavior of the stolen enterprise related data should be evaluated as illegal acquisition of commercial secrets instead of theft, and the behavior of deleting the relevant data of the enterprise will be evaluated to destroy the crime of production and operation rather than deliberately destroy property.

(2) Proper restriction of control mode legislation

In view of the public product attributes of data, criminal law should not prohibit all data obtaining behaviors. Only when specific conditions are met, can we adopt control mode legislation. In the specific legislative process, the following elements should be focused on.

1. The value of legal benefits is significant

Decided by the attributes of the data of the data, unless the data sharing behavior meets the requirements of the infringement principle, it should not limit the acquisition and use of data. Therefore, the data interests under the control mode should be limited to legal benefits with great value. Article 9 of the Confidential Law stipulates that "the data of the country may damage the security and interests of the state in politics, economy, national defense, diplomacy, etc." will not be made public. Article 15 of the "Regulations on the Disclosure of Government Information" also stipulates that "government information involving business secrets and personal privacy such as damage to the legitimate rights and interests of third parties shall be restricted to disclosure. As a response to the pre -departmental law specifications, the criminal law can use the control model to legislate for state secrets, business secrets, personal information, personal information, and information that affects the security of computer information systems, and other data that affects the order of market economy and production operations.

2. The specific risk of leakage behavior

There is no doubt that data processing behaviors will cause certain risks to the subject of the legal interest, such as "personal criminal criminal (such as fishing law enforcement, identity theft) in danger; sense of humiliation and data disclosure (such as sex, health and other sensitive information) ; Discrimination and embarrassment; information permanent; scene detachment (even if the reason is changed) ". The legislation of the control mode is preventive legislation, which aims to avoid data abuse by restricting data acquisition, thereby achieving prefixative protection for downstream related legal benefits. Therefore, data acquisition and leakage behavior can only be used when the relevant law benefits are in dangerous state. The criterion for data abuse risks is that its standard is to obtain the usual use of the corresponding data and the possibility and necessity for other exceptions. For example, after the personal information of citizens is obtained and leaked, it is usually used for cyber fraud and cyber theft. The acquisition behavior of restricting relevant data through control mode is legitimacy. Conversely, although the trading and transfer behavior of online stores, at the same time, with the transfer of personal information of relevant consumer, the transfer shops are mainly used for normal business activities, and generally do not produce the harmful consequences of data abuse. At this time, even if the data transfer does not sign the consent of the relevant information subject, it should not be restricted. 3. The possibility of major legal benefits

The possibility of subsequent data abuse caused major damage is an important reference for setting up control mode legislation. If the subsequent data abuse will not cause significant damage to the interests of data rights, it should give up the control mode legislation and give data sharing to a greater space to maximize the data benefits. Because "when the private cost conflicts with social costs, the legal decision maker will give priority to controlling social costs, and if necessary, it will be at the cost of indulging private costs; after all, social costs are the actual reduction of social wealth, and private costs are just society. The transfer of wealth ".

With reference to the above elements, it is not feasible to directly transform the crime that harms the security of the computer information system into a crime that protects data security, because it completely ignores the consideration of the benefits of data sharing, and it takes the position of absolute protection of data control security while falling to the ground. Essence Of course, considering the importance of citizen's personal information to the realization of economic development and improving social governance, it is still necessary to add two crimes to improve related protection.

The first is to increase the crime of leakage citizen's personal information. Although my country's criminal law legislation and judicial interpretation of the protection of citizens' personal information are complete, it is still lacking the criminal specifications for the criminal criminal and punishment of the personal information of citizens. Lack of obligation. The value of the data comes from the analysis and utilization of the data set. It is actually related enterprises and platforms that truly control the data and enjoy the benefits. It should bear the obligation to prevent the security management of data leakage, but the current regulations of criminal law are missing. (2) The criminal law penalty loopholes are unavoidable. In the era of online society, data leaks are often based on simple keyboards and system operations. Whether such behavior is intentionally or unintentional, there are no shortage of difficulties in evidence. If there is no punishment, there will be a penalty of penalties. (3) The risk of information leakage shall be borne by the citizen. In real life, if citizens want to obtain related services, there is no other way except agreed with enterprises or platforms to collect or analyze related data. If the relevant data leakage behavior is not punished, the company or platform that enjoys data benefits and actual control of data will not bear the risk of any data leakage, and the individual who does not realize the individual who controls the data set is forced to bear it. This is obviously faulty. By setting up the crime of leakage citizens' personal information, it can not only make up for the vulnerability of punishment, but also strengthen the awareness of risk prevention and control of enterprises or platforms. Of course, in order to avoid excessive increased risk management burden on enterprises or platforms, the provision setting should insist on the legislative tradition of the faulty offenders.

The second is to add deletion and tampering with personal information of citizens. The current types of criminal law have not stipulated to delete and tamper with personal information of citizens. We must punish such behaviors. At present, it can only be achieved by expanding explanation of the crime of destructing computer information systems. However, this approach not only leads to the general terms of destroying the crime of destruction of the computer information system, but also reduces it to the bottom of the pocket. At the same time, there is a significant difference in the legal punishment of the crime of infringing the personal information of the citizen, and it is easy to generate imbalances of punishment. Although there are opinions, data with value of electronic photos, emails, etc. can be protected as property, and those who delete or tampered with such data can be based on intentional destruction of the crime of property. In practice, there are also cases that define the behavior of deleting data to destroy the crime of production and operation. However, the value of related data is not fully reflected in the value of property, and property crimes generally require that the specific amount is met as a threshold for crime. It is obviously unable to protect those personal information that is not directly related to property. In view of this, it is necessary to add new clauses in the crime of infringement of the personal information of citizens, and will be criminal to delete or tamper with the personal information of citizens.

(3) Moderate strengthening and using mode legislation

The abuse of data abuse is a supplementary regulatory measure. Only in the case of existing criminal law specifications, it can be applied. This situation includes: (1) Criminal Law scores do not have provisions of regulatory related data abuse; (2) although the criminal law scores are applicable, the application of relevant laws and regulations cannot achieve a balanced crime. Considering the status quo of data abuse, it is necessary to add the following two charges to achieve effective governance. The first is to increase the crime of abuse of algorithms. In the era of big data, producers and operators form user portraits by collecting and analyzing user data and form a personalized recommendation based on this to provide consumers with more accurate and effective information. At the same time, at the same time, different consumers purchase the same commodity and services, the phenomenon of "big data killing" with different prices by operators, and personalized recommendations that seriously interfere with personal lives are widely existing. This undoubtedly increases the cost of user use, leading to the use of unnecessary consumption of property and time, and even deprived of its right to choose and arrange personal life. In this regard, the existing criminal law specifications have not provided effective governance plans, and it is necessary to punish such acts by creating abuse algorithms. Specifically to the design of the element, the following points should be considered: (1) "violation of national regulations" as the front conditions for the crime of abuse algorithm; The consequences of citizens' autonomous choice; (3) the provisions of the crime of evasion of tax evasion and refusing to fulfill the obligations of information network security management, and avoid excessive criminal penalties by setting up relevant objective punishment conditions.

The second is to add illegal provision of algorithm services. In addition to directly regulating the behavior of abuse of algorithms, the behavior of illegal algorithm services should also be regulated. Data operators' profits of interest determine their demand for algorithm services. Compared with this, companies that specialize in providing algorithm services in the future will inevitably increase. Enterprises that provide illegal algorithm services through regulations are conducive to suppressing algorithm abuse of algorithms from the source. Such behaviors cannot be punished by illegal business crimes, because the legal benefits of illegal business crimes are the order of market access, and the behavior of illegally providing algorithm services does not involve the legal benefits. It is even more desirable to add illegal provision of algorithm service to regulate such acts.

(4) Research on the de -guilty of data acquisition and use of behaviors

The data control mode limits the freedom of data and efficient flow, which is not conducive to achieving the basic goals of data sharing. How to use the legitimate data use behavior to remove sin is of great significance. In this regard, the role of knowledge consent is limited.

First of all, informed consent does not necessarily block the illegality of data collection and utilization behavior. The illegality of obtaining data acquisition and data utilization behavior through informed consent is based on the relevant consent as the independent decision of the data subject. The problem is that most of the data subjects in the information society era are mostly in a weak position. In fact, they lack the ability to negotiate. If they only apply the principle of "knowledge consent" in form, it is easy to sacrifice the legitimate interests of the data subject. Therefore, if the format of the data sharing is obviously not conducive to protecting the rights of privacy and personal information, the information right holder shall have the right to deny the effectiveness of the clause, and this clause cannot become the legitimate foundation of the personal information of Internet companies to share user information. The exemption of infringement ".

Secondly, informed consent is only the right to eliminate the violations of the behavior of behavior, not the element of the element. The relevant laws and regulations of my country take the informed consent of the data of the data as a necessary condition for judging collection and utilization of behaviors, which leads to information collection and use behavior that has not been obtained by the information of the data main body. However, considering the public product attributes of data, if the informed consent of the data subject is completely used as the basis of the data sharing, it may excessively sacrifice the interests of other subjects. Therefore, the principle of informed consent is at most to determine the reason why data sharing is legitimate, but it is not a sufficient necessary condition to determine whether the data sharing behavior is illegal.

Finally, in the following circumstances, even if the data is obtained or used by the main body of the data right, it should still block the criminal illegality of the behavior: (1) the data of the data rights has authorized the relevant platform The behavior is not exceeded of the scope of authorization. For example, when transferring on related network platforms or online stores, if the business activities before and after transfer are substantially identical, and for the transfer of relevant citizen information for transfer, even in principle Instead. (2) Data acquisition or utilization behavior is reasonable and does not have interests. In principle, in addition to the data of applicable control modes such as state secrets, business secrets, and personal information, only when related data is restricted and accessible at the same time, the behavior that uses data without consent will be criminal illegal. Otherwise, it should not be identified as a crime. If data acquisition or use of behaviors is within a reasonable limit and does not illegally infringe on the interests of others, based on the principle of reasonable use, the legitimacy of such behaviors should be affirmed.

Conclusion

- END -