An Overview of China's Cybersecurity & Data Protection Regulation
December 15, 2018 | BY Susan Mok
Jet Deng and Ken Dai of Dentons discuss the regulation of data protection in China, the recently introduced guidelines for protecting personal information and how they regulate big data and artificial intelligence, how data protection and cybersecurity laws affect overseas data transfers and e-commerce platforms, and what e-commerce platforms should do to comply with cybersecurity regulations
1. WHAT ARE THE CURRENT TRENDS AND DEVELOPMENTS IN THE DATA PROTECTION REGIME AND LAW ENFORCEMENT IN CHINA?
No dedicated data protection law has yet been issued. The main related regulations include:
- The Constitution (2018 Revision), which specifies that the personal dignity of a citizen may not be infringed, that citizens have the freedom of communications and the right of confidential communications and that the state respects and guarantees human rights.
- The Bill to Amend the Criminal Law (7) (effective as of February 28, 2009) brings the acts of illegally obtaining, selling and providing the personal information of citizens within the scope of regulation by the Criminal Law. The Bill to Amend the Criminal Law (9) (effective as of November 1, 2015) combines the “crime of selling or illegally providing the personal information of citizens” and the “crime of illegally obtaining the personal information of citizens” into the “crime of infringing the personal information of citizens”. The Cybersecurity Law (effective as of June 1, 2017) defines “personal information” for the first time in legal form and sets forth the rules for the collection and use of personal information by network operators. The General Provisions of the Civil Law (effective as of October 1, 2017) establish for the first time the independent civil rights status of personal information. The Electronic Commerce Law (the E-commerce Law) (effective as of January 1, 2019) specifies the obligation of e-commerce operators to protect the personal information of users. The Personal Information Protection Law is currently being drafted, signifying that the protection of personal information will soon be greeted by dedicated legislation.
- Since the Cybersecurity Law entered into force, the main complementary regulations relating to it include the Measures for Security Assessments of the Transfer of Personal Information and Important Data Overseas (Draft for Comments), the Specification for Personal Information Protection, the Guidelines for De-identification of Personal Information (Draft for Comments) and the Guidelines for Data Cross-border Transfer Security Assessment (Draft for Comments).
- In terms of industry specifications, there are the Guidelines for the Governance of the Data of Banking Financial Institutions (effective as of May 21, 2018) and the Provisions for the Administration of the Security of Civil Aviation Network Information (Trial Implementation) (Draft for Comments).
2. CAN YOU BRIEFLY DESCRIBE FOR US THE GUIDELINES FOR PROTECTING PERSONAL INFORMATION THAT ENTERED INTO EFFECT ON MAY 1 THIS YEAR?
The national standard, Personal Information Security Specification (PISS), which became effective as of May 1, 2018, sets forth the basic principles for the security of personal information and provides relatively detailed and comprehensive guidelines for such matters as the collection, storage, use, sharing, transfer of control, public disclosure and cross-border transmission of, and the handling of security events relating to, personal information. Additionally, the appendices to the PISS provide dedicated explanations and examples of personal information and sensitive personal information, and provide templates for methods to ensure the right of personal data subjects to opt to agree and templates for formulating privacy policies, which can be used for reference.
3. CAN YOU BRIEFLY DESCRIBE FOR US THE DRAFT GUIDELINES THAT WERE ISSUED IN JUNE THIS YEAR?
The PISS gives examples and explanations of the basic principles that a personal data controller is required to comply with when processing personal information:
- Principle of parity of rights and responsibilities: bearing liability for the prejudice caused to the lawful rights and interests of personal data subjects by its personal information processing activities.
- Principle of purpose limitation: having a lawful, legitimate, necessary and explicit purpose in processing personal information.
- Principle of opting to agree: expressly indicating to personal data subjects the objective, method and scope of, and rules for, processing personal information and seeking their authorization and consent to do so.
- Minimum necessity principle: unless otherwise agreed with the personal data subjects, only the minimum types and quantities of personal information necessary to satisfy the purpose authorized and consented to by the personal data subjects are to be processed; and once the purpose is achieved, the personal information is to be deleted in a timely manner as agreed.
- Transparency principle: disclosing the scope and purpose of, and rules for, processing personal information in a clear, easily comprehensible and reasonable manner and submitting to external scrutiny.
- Principle of ensuring security: having security capabilities match the security risks faced and using sufficient management measures and technical means to protect the confidentiality, integrity and usability of personal information.
- Subject participation principle: providing to personal data subjects the means to access, correct and delete their personal information as well as to revoke their consent, cancel their accounts, etc.
4. HOW DO THE NEW LAWS AND GUIDELINES REGULATE BIG DATA AND ARTIFICIAL INTELLIGENCE?
The Cybersecurity Law, the PISS and other related laws, regulations and national standards provide for personal information protection and data security from various aspects and different perspectives:
- In terms of data collection, an enterprise that deals with big data or artificial intelligence is required to comply with the principles of lawfulness, legitimacy and necessity when collecting personal information, and acquire consent from personal data subjects in accordance with relevant provisions. If such information is obtained from a third party, it is additionally required to review the qualifications and rights of such third party.
- In terms of data storage, given that big data and artificial intelligence involve vast amounts of data, among which may be included sensitive personal information, the likelihood that a relevant enterprise is deemed a critical information infrastructure operator is large, requiring it to comply with provisions on the localized storage of data and security assessments of the cross-border data transfers. To prevent the leakage, damage or loss of data and ensure their security, the enterprise will face relatively stringent requirements in respect of the systems and technical measures for the storage of data.
- In terms of the use of data, big data and artificial intelligence involve the analysis and processing of vast quantities of data and the end products may be a reflection of the result of such data analysis and processing; thus, the classification and gradation of information, and the desensitization and de-identification of information are especially important. The Big Data Security Management Guide (Draft for Comments) provides relatively detailed provisions for the storage of data.
An entity dealing with big data or artificial intelligence is required, on the one hand, as a network operator, to comply with relevant provisions of the Cybersecurity Law and, on the other hand, as a personal data controller and/or big data holder/developer, is additionally required to comply with other relevant provisions on the protection of personal information and data security.
5. HOW DO THE DATA PROTECTION AND CYBERSECURITY LAWS AFFECT OVERSEAS DATA TRANSFERS OR CROSS-BORDER TRANSACTIONS?
If an enterprise falls within the scope of a “critical information infrastructure operator” as specified in the Cybersecurity Law, the personal information and important data that it collects and generates in the course of its operations in China will need to be stored locally. For multinational corporations, this will increase data storage and data security compliance costs: firstly, to satisfy this requirement, relevant enterprises need to set up local servers to store the data, and may not transmit such data abroad directly; secondly, when proposing to provide the data abroad, they are required to seek the consent of the personal data subjects and identify the important data; and thirdly, they are required to conduct a security assessment of the overseas transfer of the personal information and important data (a self-assessment or mandatory assessment). According to the Measures for Security Assessments of the Transfer of Personal Information and Important Data Overseas (Draft for Comments), the assessment focuses on:
- the necessity of the transfer of the data overseas;
- details of the personal information, including the quantity, scope, type and degree of sensitivity of the personal information as well as whether the personal data subject consents to the transfer of his/her personal information overseas;
- details of the important data, including the quantity, scope, type and degree of sensitivity of the important data;
- the security protection measures, capabilities and level of the recipient of the data, as well as the cybersecurity environment of the country or region where the recipient is located;
- the risk of the data being leaked, damaged, altered or abused once it is transferred overseas and further transferred;
- the risk potentially posed to national security, the public interest or individuals' lawful interests once the data is transferred overseas and the data transferred overseas are aggregated; and
- other important matters that need to be assessed.
If the quantity of data to be provided abroad is relatively large (containing or accumulating the personal information of at least 500,000 people; or the amount of data exceeding 1,000GB) or such data involves special industries or sectors (e.g. nuclear facilities and population health), it must be referred to the competent industry authority or regulator to arrange for an assessment, i.e. a mandatory assessment.
It should be noted that this assessment method expands the entities to which such security assessments are applicable to ordinary network operators, not just limiting them to critical information infrastructure operators, and mandatory assessments are directly applicable to critical information infrastructure operators. Such regulations have yet to be officially issued.
6. WHAT EFFECT WILL THE ELECTRONIC COMMERCE LAW HAVE AFTER IT COMES INTO FORCE? HOW DOES IT DIFFER FROM CURRENT REGULATIONS ON CYBERSECURITY AND DATA PROTECTION?
The E-commerce Law was adopted on August 31, 2018 and will become effective from January 1, 2019.
The E-commerce Law reflects the features of its industry, more specifically:
- In terms of the applicable subject, the PISS applies to all “personal data controllers”; the Cybersecurity Law applies to “network operators”; and the E-commerce Law applies to “e-commerce operators”, including e-commerce platform operators, platform merchants and e-commerce operators that sell merchandise or offer services on their own websites or through other network services; as compared to the prior two, its scope is narrower and more specific.
- In terms of user rights, the E-commerce Law further emphasizes that unreasonable conditions may not be set for users to access, correct or delete their information or for users to deregister.
- In terms of cybersecurity protection obligation, the E-commerce Law specifies that an e-commerce platform operator shall take technical measures and other necessary measures to ensure the secure and stable operation of its network, and prevent illegal and criminal activities online.
- In terms of preservation of information, the Cybersecurity Law requires technical measures to be taken to monitor and record network operation status and cybersecurity incidents, and relevant network logs to be retained for not less than six months in accordance with provisions. The E-commerce Law, on the other hand, specifically requires an e-commerce platform operator to make a record of and preserve merchandise and service information and transaction information published on its platform, and ensure the integrity, confidentiality and usability of such information. Merchandise and service information and transaction information shall be preserved for at least three years from the date of completion of a transaction.
7. COULD YOU DESCRIBE THE MOST IMPORTANT DATA PROTECTION AND CYBERSECURITY REGULATIONS AND GUIDELINES AFFECTING E-COMMERCE PLATFORMS?
For e-commerce platforms, the following four laws, regulations and recommended standards have a material impact on their data protection and cybersecurity compliance:
- E-commerce Law: in addition to complying with the provisions on the obligations to protect personal information and assure cybersecurity of the Cybersecurity Law and other related laws and regulations, e-commerce operators, including e-commerce platform operators are required to comply with the additional data protection requirements under the E-commerce Law.
- Law on the Protection of the Rights and Interests of Consumers: for e-commerce platforms, not only does this law provide for the administrative penalties bearable by them for violations of provisions relating to the protection of the personal information of consumers, but it also provides the basis for consumers to pursue their civil liability.
- Cybersecurity Law: the requirements in the Cybersecurity Law and its complementary regulations in respect of the protection of personal information and cybersecurity are rules that e-commerce platforms, as network operators, are required to comply with and also matters that they need to consider first and foremost in their data protection compliance work.
- PISS: for e-commerce platforms, they may, in practice, refer to such specification when formulating personal information protection compliance policies. Although this specification lacks mandatory enforceability, it reflects the attitude of the legislative and law enforcement authorities to a certain extent and, as such, has important reference significance and practical value.
8. WHEN PROVIDING ADVICE TO E-COMMERCE PLATFORM CUSTOMERS, WHAT ASPECTS DO LAWYERS NEED TO PAY ATTENTION TO IN RESPECT OF THE LIMITATION OF CUSTOMER LIABILITY AND COMPLIANCE WITH CYBERSECURITY REGULATIONS?
In terms of the limitation of customer liability, an e-commerce platform needs to pay attention, when sharing data with third parties (including but not limited to domestic entities, foreign entities, entities within the group, entities outside the group, partners, suppliers and advertising agencies) or obtaining personal information or data from a third party entity, to check the third party entity's relevant rights and qualifications and provide for their rights, obligations and the bearing of liability with the third party entity by such means as a contract so that liability can be clearly allocated in the event of a legal risk arising or a data security event occurring.
A lawyer will usually remind an e-commerce platform customer to pay attention to compliance points from two aspects, one of which is the protection of personal information and data:
- Collection and use of users' personal information: when an e-commerce platform collects and uses the personal information of users, it is required to expressly state the purpose, scope and method, and secure the users' consent. Additionally, it should formulate a clear and explicit privacy policy and inform users on the method and means for realizing their rights (access right, right of correction, right of deletion, etc.).
- Localized storage of data: for an e-commerce platform, its operations involve the processing and computing of a large quantity of users' personal information and transaction data, thus, from the perspective that a leak of such data could seriously prejudice the public interest, there is a relatively great likelihood that an e-commerce platform could be deemed a critical information infrastructure operator. So, it needs to remind customers to pay attention to the localized storage of data.
- Cross-border data transfers: particularly for a cross-border e-commerce platform, if it needs to transfer data to its parent abroad or another affiliate abroad, or if it is required to provide data to a foreign government authority for the purposes of an investigation by a foreign regulator or judicial authority, it is necessary to remind it to pay attention to conducting a comprehensive assessment, including of whether the data can be transferred abroad, or whether a security assessment needs to be carried out, etc.
The other is cybersecurity, and attention needs to be paid mainly to the following:
- Systems: attention needs to be paid to formulating and implementing a hierarchical cybersecurity protection system, user information protection system, and systems for cybersecurity event monitoring, early warning and contingency plan. Additionally, given that there is a relatively great likelihood that an e-commerce platform could be deemed a critical information infrastructure operator, attention additionally needs to be paid to establishing a dedicated security management body and naming someone to be responsible for security management, and to regularly carry out cybersecurity training, skill evaluations, etc.
- Technology: it is necessary to take necessary and genuinely effective technical measures to ensure data security, guard against acts that jeopardize cybersecurity, and monitor and log network operating status and cybersecurity events. Additionally, attention needs to be paid to regularly maintaining/upgrading technical measures and eliminating latent security threats.
9. CAN YOU GIVE EXAMPLES OF A FEW RECENT MAJOR CASES THAT EXPLAIN THE LAW IN THIS SECTOR AND THEIR OUTCOMES?
On December 11, 2017, the Jiangsu Consumer Council sued Beijing Baidu Netcom Science and Technology Co., Ltd., claiming that two mobile apps, “Mobile Baidu” and “Baidu Browser” failed to inform consumers, before installation, of the various authorizations it obtained and the purpose. Without the authorizations of consumers, they obtained authorizations such as “listening in on calls, location, reading short multimedia messages, reading address books and revising system settings”. Such authorizations were not necessary for providing normal services and exceeded the reasonable scope. This was the first consumer civil public interest lawsuit involving the security of personal information. Although it ultimately ended with the withdrawal of the suit, it nevertheless had the practical significance of bringing to consumers an awareness of personal information security and cautioning enterprises to strengthen data security compliance. There may perhaps be more such cases in future.
At the beginning of 2017, GooMe sued Wuhan Yuanguang Science & Technology Co., Ltd. in the Shenzhen Municipal Intermediate People's Court. On May 23, 2018, in its judgment, the court held that real-time information and data from public transport stored in the back office server for the plaintiff's app was practicable and could bring real or potential, immediate or future economic benefits to the plaintiff, the information/data had the properties of intangible property and was a legal interest subject to the protection of the Anti-unfair Competition Law. Yuanguang's act of using web crawler technology to enter GooMe's server back office without GooMe's permission to illegally obtain and use without consideration of its integrated real-time public transport information and data was, in reality, an act of obtaining something for nothing. It had the subjective willfulness of illegally appropriating another's intangible property rights and interests, undermined another's market competitive advantages by seeking competitive advantages for itself, and constituted an act of unfair competition. The judgment in this case follows on the approach in the unfair competition disputes, Dianping vs. Baidu Maps and Sina Weibo vs. Maimai, again stressing the legal demarcation for data scraping and providing a major message to enterprises on the obtaining and use of data.
Jet Deng, Senior Partner (Beijing)
Dentons
Jet Deng is a partner of Dentons. Jet earned his JM degree in 2005 and his PhD degree in International Economic Law in 2012 at the University of International Business and Economics. He has also been a part-time researcher at the Competition Law Center of the University of International Business and Economics since 2005.
Jet is an experienced attorney-at-law specialized in antitrust practice. Jet began to concentrate on antitrust practice since 2004 – a time even before the enactment of the Anti-Monopoly Law (AML) in the PRC legal system. Jet has represented clients in a wide range of issues in relation to antimonopoly law and has been highly recommended for his professionalism and value added to the client in investigations, merger control and court proceedings. He has rich hands-on experience in handling high-profile investigations concerning cartel, resale price maintenance (RPM) and abuse of dominance, as well as a number of merger control filings for cross-border M&A. Jet is one of the practitioners who are often entrusted to represent clients on the most contentious and pioneering anti-competition issues before Chinese courts.
In addition to practice, Dr. Deng has been an active participant in legislative consultations and one of the experts who are regularly invited to provide training for anti-monopoly law enforcement authorities in China. He is one of the few practitioners who are also prolific writers contributing to the academic discussion of competition law.
Jet's working languages include Mandarin and English.
Ken Dai, Partner (Shanghai)
Dentons
Ken Dai earned his LLB and LLM respectively from the China University of Political Science and Law, and the University of Bristol in United Kingdom. Currently, Ken Dai is the member of the Antitrust Committee of the IBA, the Competition Committee of the IPBA, the Outbound Investment and the Antitrust Committee at the Shanghai Bar Association and Asian Competition Forum. In addition, he is the columnist of Forbes China.
Ken Dai specializes in antitrust investigation, antitrust compliance, merger filing and private antitrust litigation. He is one of the first lawyers who practice antitrust law in China. He has advised certain multinational companies on establishing antitrust law manuals and compliance programs. He has also advised numerous multinationals on the application of the PRC Anti-monopoly Law and enforcement policies in relation to distribution practices in China. In addition, he has a diversity of experience advising both foreign companies and domestic enterprises in making merger filings before MOFCOM. Furthermore, he has regularly assisted and represented certain enterprises in completing and bringing private antitrust litigations in China. He has experience advising companies in handling the legal issues between intellectual property rights and antitrust laws.
Ken's working languages include Chinese, English and Cantonese.