Behind the daily fresh crisis: hidden data security "iceberg" deserves attention

21st Century Economic Herald Profile Reporter Zhong Yuxin Beijing Reporting

"Fresh Fresh E -commerce First Share" Daily Fresh recently reported "bad news".

On July 28, some netizens revealed that the daily "disbanded on the spot". In response, the daily fresh response stated that under the goal of achieving profitability, the company adjusted its business and organization, and some employees resigned. Prior to the rumor of "dissolution", the Daily Youxian APP was notified by the Ministry of Industry and Information Technology due to "over -range collection of personal information" and failed to complete the rectification as required.

Annual report "difficult production", stock price plunge, business suspension, employee's salary ... Daily freshly appeared on hot search, standing at the cusp of public opinion. Behind its storm, there are still some extension issues worth thinking: when they are trapped, how should the Internet platform process user data compl out? How to avoid data security risks?

Data security issues cannot be ignored

According to the website of the Beijing Consumers Association, in response to the recent situation of "Daily Fresh" unable to operate normally, it has caused a large number of consumer complaints. In the afternoon Daily excellent freshness must properly handle consumer complaints, timely announce the refund plan and registration method; actively cooperate with the work organized by the Consumer Association; explain the situation and rectification plan to the Municipal Consumers Association within three working days. On August 12, Daily Youxian claimed that the rectification plan had been submitted to the Beijing Consumers Association.

According to the national corporate credit information publicity system, two subsidiaries of Youxian daily, Beijing Daily Youxian Technology Co., Ltd. and Shanghai Daily Youxian Electronic Commerce Co., Ltd., are unable to contact the registered residence or operating venue, and are separated by them. Local market supervision and management departments were included in the operating exception list on August 1 and August 3. In addition, Zhejiang Daily Youxian Electronic Commerce Co., Ltd. conducted a cancellation of the case on August 4th. The reason for the cancellation of the resolution was dissolved. The creditors were currently announced that the creditors could declare their claims to the liquidation team within 45 days from the date of the announcement.

Chu songs, the wind and rain are coming, waiting for the daily freshness whether it is defeated or rebirth, it is still unknown. A problem that cannot be ignored is: when the Internet platform with a large amount of user information is in crisis, how to ensure its data security?

Article 22 of the "Personal Information Protection Law" to transfer personal information under special circumstances such as merging, separation, dissolution, and declaration of bankruptcy for enterprises, and make the provider's informing obligations and information receiving parties shall continue to fulfill their obligations. Regulations: "If personal information processors need to transfer personal information due to merging, separation, dissolution, and declaration of bankruptcy, the name or name and contact information of the receiver shall inform the receiver. The receiver shall continue to perform personal information processor. Obligations. If the receiver changes the original treatment purpose and method of treatment, it shall re -obtain personal consent in accordance with the provisions of this Law. "

Li Jinyu, a partner of Zhejiang Kenting Law Firm, said that for Internet companies, user data often constitutes an important part of its core assets. "When Internet companies stop operating, in accordance with the" Personal Information Protection Law "and other laws and regulations, the company needs to stop using and destroy the native data provided by users. The derivative data formed by the enterprise can be processed after desensitization processing, which can Transfer as data assets. "

Establish and improve data compliance long -term mechanism

"The Internet platform will involve many types of personal information data due to different businesses. In daily operations, the data needs to be classified and classified. Data involved in financial categories requires higher -level protection." Reporter to the 21st Century Business Herald.

The "Personal Information Protection Law" stipulates that the processing of personal information includes the collection, storage, use, processing, transmission, provision, disclosure, deletion, etc. of personal information. In addition, the "Personal Information Protection Law" also makes relevant requirements for the internal management system and operating procedures of the enterprise, classification management, security technical measures, operating authority, education and training, personal information security incident emergency plans, etc., emphasizing that the main body of personal information protection for personal information protection is also emphasized. responsibility. This means that as a personal information processor, it is necessary to improve the compliance guarantee measures in the full life cycle of personal information to make up for the shortcomings of the corresponding links.

The Internet platform has a large number of commercial operation data and personal information data. In daily operations, the data protection barrier needs to be built. Once a leak occurs, it will have adverse effects on personal rights and business operations.

According to the Guangzhou Public Security Bureau, after developing an APP system in Guangzhou in July this year, due to the failure of the data security protection obligations, the security vulnerability of the system was used by criminals. Police was fined 50,000 yuan.

The company's "Driving Training Platform" stores more than 10.7 million pieces of information such as the name, ID number, mobile phone number, and personal photos of driving school training, but it has not established the data security management system and operating procedures. The personal information of driving school students did not take de -identification and encryption measures, and there were serious data security risks such as unauthorized access to loopholes in the system. Relevant departments stated that once the company's system platform is stolen by criminals, it will cause a large number of personal information of driving school students to leak and have a significant impact on the personal interests of the general public. According to the relevant provisions of the Data Security Law, the Guangzhou police warned the company's illegal acts that the company did not fulfill the obligations of data security protection and punished the administrative penalty of RMB 50,000 in accordance with the law. This is one of the first cases of the Guangdong Police's application of the Data Security Law. Relevant police specially reminded that network security is related to national security. All units and individuals have the responsibility and obligation to protect data security. In particular, units holding and mastering a large number of citizen personal information should be strictly taken in accordance with the law to effectively protect citizens to effectively guarantee citizens Personal information security.

If the relevant information is leaked, how should individuals defend their rights? Li Jinyu said that in practice, individuals have faced issues such as high rights protection and long rights protection cycle through their own forces. The Personal Information Protection Law has set up public interest litigation clauses and strengthened legal regulations for infringing personal information behavior. In the future, personal information protection public interest litigation and private interest litigation will need to be connected to form a joint protection force.

According to the work report of the Supreme People's Procuratorate, in 2021, my country's procuratorial organs handled more than 2,000 public interest proceedings in the field of personal information protection, an increase of nearly 3 times year -on -year. In April 2021, the Supreme People's Procuratorate issued a typical case of the personal information protection public interest lawsuit of the procuratorial organs, including 11 cases including the citizen's personal information civil interest lawsuit against the citizen's personal information in Hangzhou City Procuratorate in Hangzhou City, Zhejiang Province. The release revealed that if Internet companies have not fulfilled their personal information management and protection obligations, the procuratorate will require them to bear the responsibility of public welfare damage through public interest litigation to promote the implementation of corporate subject responsibilities.

Data security is a topic that cannot be ignored in the development of the digital economy. In recent years, relevant laws and regulations such as the "Cyber ​​Security Law", "Data Security Law", and "Personal Information Protection Law" have accelerated the implementation. The relevant rules of supporting facilities have been continuously improved. The context of enterprises talking about data security is also changing. "Enterprises are shifting from passive cooperation to active compliance. More and more companies are actively participating in various standards construction, exerting technological advantages, contributing to data security, forming a benign interaction, and promoting the common development of the industry." Li Jinyu said.

- END -