Preprint
Article

This version is not peer-reviewed.

The Path to Data Protection Governance in China Mainland

A peer-reviewed article of this preprint also exists.

Submitted: 09 April 2024

Posted: 09 April 2024


Abstract
In the age of the digital economy, security and privacy issues for multimedia systems are increasingly manifested in the form of data. The level of data protection governance capability determines whether the security and privacy of multimedia systems can be protected. In recent years, China has introduced laws and regulations on the protection of personal information, personal privacy, data security, and cyber-security. Although data protection is still to be improved, China has been refining the provisions on data security management through practice and the adoption of supporting regulations.
Subject: Social Sciences - Law
The regulation of Internet technology with artificial intelligence, social media, big data and other technologies, while promoting social development, has also brought unprecedented risks and challenges to human society. Today, China remains the world's most populous country [1], with more than 1.08 billion Internet users by June 2023. Meanwhile, internet penetration had increased to 76.4 percent. At the beginning, the Internet in China was used only in the fields of education and scientific research, but nowadays it has become a necessary tool for socializing, office work and leisure. More and more people enjoy the convenience brought by the development of digital technology. However, the security and privacy issues for multimedia systems brought about by the continuous development of Internet technology have attracted more and more attention.
In recent years, the Chinese government has continued to promote digital industrialization and industrial digitization. As the digital economy has become an important part of the economy and society, data security risks have penetrated into all aspects of human life and work. With the development of digital technology, issues of security and privacy for multimedia systems, such as personal information, personal privacy, and trade secrets, are constantly presented in the form of data. Finally, data security issues come thick and fast and can no longer be ignored in the process of digital economic development in China. The key to solving this series of problems lies in the governance of data security.

1. China's Data Security Continues to be Emphasized in Mainland

Since the 13th Five-Year Plan, China has continued to develop the digital economy, improved its digital infrastructure, accelerated the cultivation of new business forms and models, and achieved positive results in promoting the industrialization of digital industries and the digitization of industries. By 2023, the added value of the core industries of the digital economy accounted for 8.5 percent of China's gross domestic product, and the digital economy provided a powerful impetus for sustained and healthy economic and social development.
At the same time, various types of personal information are an important source of data and its main component. Enterprises can achieve the innovative development of goods and provide personalized services for consumers by collecting massive amounts of data. However, the collection and use of data should not be borderless. Coupled with risks such as information leakage, data leakage, and privacy infringement that recur from time to time, data security has become an imperative concern in the development of the digital economy.
With the advancement of algorithms, the increase of computing power, the continuous emergence of digital products such as instant messaging software, online shopping platforms, and online travel software, and the emergence of new products and new forms of business, the relationship between citizens and Internet platforms is getting closer. As a result, data containing users' personal information, citizens' privacy and even commercial secrets are constantly exposed to Internet platforms. In the era of the digital economy, the issue of data security and privacy protection has become particularly prominent.
The digital era has not only revolutionized traditional security and privacy protection, but also brought unprecedented challenges to security and privacy protection. Based on the characteristics of the digital era, security and privacy protection, along with data security issues, are mutually exclusive, and the focus of the Chinese government's regulation of security and privacy protection is data security governance. The key to data security governance lies in the protection of security and privacy, which mainly encompasses the security of personal information, privacy security, and national security issues.
One of the important features of the digital era is that data has become an important factor of production. Nowadays, data is gradually becoming ubiquitous and pervasive, the actively beating "blood" of cyberspace. In fact, the identities, properties, and activities of all kinds of subjects are presented in the form of data, which means that data has multiple legal attributes. Data security is the concentration of personal information, privacy and even national security, while personal information and privacy protection are specific manifestations of data security. For this reason, the governance of security and privacy protection issues needs to be based on the characteristic of "data".

2. The Fundamental Legal Framework of Data Governance in China Mainland

China's digital economy has developed rapidly. New forms, modes, and industries are emerging thick and fast, and some platform companies have developed into industry giants in just a few years. These companies have accumulated a large amount of data during their development, including a lot of personal information, user personal data, and other sensitive information. Therefore, the protection of data security requires active government action.
In recent years, China has enacted and amended a series of laws, such as the Civil Code, the Data Security Law, the Cyber Security Law, and the Personal Information Protection Law, as well as regulations like the Data Exit Security Assessment, the Regulations for the Administration of Network Data Security (Draft), and the Administrative Measures for Data Security in the Field of Industry and Information Technology (for Trial Implementation) issued by the Ministry of Industry and Information Technology. Additionally, national standards such as the Information Security Technology-Personal Information Security Specification have been introduced to address the issue of data security, including personal information, privacy, and national security. An examination of the Chinese government's approach to data security governance shows that its governance of data security is mainly reflected in the construction of the institutional frameworks for data collection, data processing, data circulation, and accountability.

2.1. Focus on Improving Data-Processing Systems

Data processing is the most important data activity carried out by data processors in the digital era, and it includes the collection, storage, use, processing, transmission, provision and disclosure of data. Data processing activities are the beginning of the circulation and utilization of data. Reasonable regulation of data processing activities can prevent security risks from emerging at the root. According to the Civil Code, the Personal Information Protection Law, the Data Security Law and other laws and regulations, there are three main principles on the handling of personal information and other data and information: the principle of minimum necessary, the principles of openness and transparency, and the principle of informed consent.

2.1.1. The Principle of Minimum Necessary

In the 1970s, the U.S. Fair Information Practice Principles (FIPPs) established rules on collection limitations, use limitations, disclosure limitations, etc., which provided the ideological source for the establishment and development of the principle of minimum necessary. China has made similar provisions in the Civil Code, and the Personal Information Protection Law stipulates: “Personal information processing shall be based on explicit and reasonable purposes and directly related to those purposes and shall exert the minimum impacts on the rights and interests of individuals.” The principle of minimum necessary mainly requires that the type and scope of data collected, such as personal information, be directly related to the provision of services. The purpose of the service cannot be realized without the collection of the corresponding individual data. Moreover, the amount of personal data collected shall be the minimum necessary for the realization of the service's purpose. In addition, the relevant service subject shall not provide services based on the excessive collection of information that is not agreed to by the provider of the personal information [2,3].

2.1.2. The Principles of Openness and Transparency

According to Article 7 of the Personal Information Protection Law, "The principles of openness and transparency shall be observed in the processing of personal information, the rules for processing personal information shall be disclosed, and the purposes, means, and scope of processing shall be explicitly indicated." For apps, the principles of openness and transparency mainly include several aspects. First, the disclosure should be complete and include both a privacy policy and rules for the collection and use of personal information within the app. The scope of the purpose and method of the collection and use of personal information should be made explicit. Second, these disclosed rules should be made available to the individual in an appropriate way so that users can understand them easily.

2.1.3. The Principle of Informed Consent

The principle of informed consent is that the information collector should obtain individuals' consent. According to Article 14 of the Personal Information Protection Law, “Where personal information is handled based on individual consent, said consent shall be given by individuals under the precondition of full knowledge, and in a voluntary and explicit statement.” The provisions about the principle of informed consent in China's laws and regulations can be summarized at four levels. Firstly, information handlers can only collect information after individuals have expressly consented to it. Handlers cannot collect information after individuals have explicitly indicated their refusal to consent to it, nor can they frequently ask for individuals' consent or interfere with individuals' normal use of the information. Secondly, individuals should be provided with the means and ways to withdraw their consent to the collection of information. Thirdly, information should be collected in a proper manner, and users should not be misled into giving consent. Fourthly, information collection should not exceed the scope of consent. This means not collecting information beyond the scope of individuals' authorization in violation of the announced rules on collection.

2.2. Focus on Improving the Environment of Data Circulation

Emphasizing data security does not mean prohibiting data circulation. In terms of national policy, the Chinese Government encourages data trading and circulation, as reflected in the Electronic Commerce Law and the Data Security Law. In fact, in the data industry, data circulation is also a necessary choice to unlock the value of data elements. Establishing a reasonable data circulation system is not only conducive to the prosperity of the data industry, but also helps to enhance data security. At present, China's data circulation system mainly focuses on domestic and cross-border circulation.

2.2.1. Improving the Regulation of Data Localization

In the context of the digital economy, economic globalization remains a major trend. Cross-border data flows have become an important form and pathway for data and information exchanges, as well as economic and trade exchanges among countries or regions. While the explosive growth of cross-border data circulation promotes the prosperity of international digital trade, it also brings challenges to the security of personal information, the development of the data industry and even national data security. Especially after the "Prism Gate" program of the United States in 2013, data localization has become a trend sweeping the world.
In 2017, China's Cybersecurity Law came into force, which stipulates that personal information and important data collected and generated by operators of critical information infrastructures within China must be stored domestically. The Data Security Law, enforced in China in 2021, explicitly states that, unless approved by the competent authorities in China, organizations and individuals within the country shall not provide foreign judicial or law enforcement agencies with data stored in China.
Various regulations and guidelines emphasize that personal information or important data generated within China should be stored domestically and that any data exit from the country requires approval from national competent authorities [4]. Examples include the Guiding Opinions on Encouraging and Regulating the Development of Internet Rental Bicycles issued by the Ministry of Transportation and Communications (MOTC), the Administrative Measures for Scientific Data issued by the Ministry of Science and Technology (MOST), the Guidelines on Internet Personal Information Security Protection and the Guiding Opinions on Implementing the Cybersecurity Multi-Level Protection System and Critical Information Infrastructure Security Protection System issued by the Ministry of Public Security (MPS), the Measures for Data Security Management in the Industrial and Information Sector (for Trial Implementation) issued by the Ministry of Industry and Information Technology, and other relevant regulations and documents.

2.2.2. Improvement of Regulation of Cross-Border Flow of Data

Completely blocking the cross-border circulation and trading of data is neither in line with the objective law nor practically possible. Therefore, the adoption of a data localization policy meets the current practical needs. Data exit security has gained more and more attention and importance at all levels, and data security has become an important issue in national digital governance [5]. In terms of data flows, many countries have generally adopted a more conservative and strict governance model for cross-border data flows. A report by the U.S. Information Technology and Innovation Foundation (ITIF) shows that since 2017, the number of countries restricting cross-border data flows has risen from 35 to 62, and the number of data localization measures implemented has risen from 67 to 144 [6]. China is one of the main victims of data leakage and cyber-attacks. According to the Report on Analysis of China's Internet Cybersecurity Monitoring Data, released in July 2021, China's exposure to cyberattacks from abroad is becoming an increasingly serious problem, posing unprecedented challenges to the sovereignty and security of national data.
Although cross-border flow of data brings challenges to data security protection, the Chinese government has tried to establish a reasonable system to facilitate cross-border data flow. In 2022, the State Internet Information Office published the Data Exit Security Assessment, which provides specific regulations on the management measures for exit security assessment of personal information and important data. This is an important practice for China to explore the supervision of cross-border data flow, which is not only a detailed implementation of the provisions about data exit security assessment in the Cybersecurity Law, the Data Security Law, and the Protection of Personal Information Law and other laws and regulations, but also a key measure for the protection of China's basic strategic resources and national security in the background of internationalized data circulation and sharing [7].
After the implementation of the Data Exit Security Assessment, the Beijing office of the Cyberspace Administration of China (Beijing CAC) approved the first cross-border data transfer case under these new rules. This approval pertains to a data export by the Beijing Friendship Hospital of the Capital Medical University. The data will be received by Amsterdam University Medical Center for purposes of a joint multi-center clinical research project on colorectal medicine [8].
The fact that data can realize cross-border flows lies fundamentally in the assurance of the underlying system. Prior to the release of the Data Exit Security Assessment, the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law had established data exit assessment mechanisms at a preliminary level, and constructed a scientific and systematic legal framework for data exit in the field of cyberspace. In addition, the Chinese Government adheres to the combination of prior assessment and continuous supervision, and the combination of risk self-assessment and security assessment, providing relatively complete institutional support for the cross-border flow of data.

2.3. Focusing on the System of Assuming Responsibility for Data Security

Regarding behaviors that threaten data security, China mainly holds the relevant parties responsible in the three areas of civil liability, administrative liability and criminal liability. Data security responsibilities are reflected in the Civil Code, Criminal Law, Data Security Law, Personal Information Protection Law and other laws and regulations. The liability systems in different fields of laws and regulations jointly build a data security responsibility mechanism, which provides a legal basis for the pursuit of data security responsibilities.

2.3.1. Civil Liability

In terms of civil liability, the assumption of responsibility for data security is mainly embodied in the Data Security Law. The scope of civil liability under the Data Security Law mainly covers two aspects. Firstly, enterprises engaging in data-related business activities shall bear civil liability for data security incidents caused by failure to take the necessary security measures required by regulations. Enterprises engaged in data-related business activities shall, in accordance with the provisions of Article 27 of the Data Security Law, establish and improve a comprehensive security system and take the necessary technical or other measures to protect data security. When an enterprise fails to take the necessary security measures as required and a data security incident occurs, the enterprise shall bear civil liability. Secondly, individuals who damage data security should also bear civil liability. According to the provisions of the Data Security Law, an individual shall be civilly liable if he or she intentionally destroys data security, steals, alters, or destroys data, or illegally uses or maliciously uses data, or illegally leaks data. Moreover, individuals may also be civilly liable if they negligently cause a data security incident. In addition to these, there are provisions in the Civil Code, the Personal Information Protection Act and other laws and regulations on infringement of personal information, personal privacy and other data security.

2.3.2. Administrative Liability

In addition to civil liability, administrative authorities can also take administrative enforcement measures to impose administrative penalties for violations of data security. After the promulgation and implementation of the Cybersecurity Law, a large number of administrative enforcement cases about data security have been published by administrative authorities such as the Cyberspace Administration of China. Among administrative responsibilities, the issue of data security can be categorized into the safeguarding of data sovereignty, the enhancing of the competitiveness of enterprises, the promotion of the development of the digital economy, and the individual level of safeguarding the rights of personal data [9].
Firstly, at the level of national data sovereignty and data security, data handlers have failed to comply with regulations on the security of data transactions and have provided important data outside the country without authorization. Some of the data collected by enterprises may belong to important state intelligence, and the leakage of such data will seriously jeopardize national security. Therefore, the data classification regulations need to be improved, and the protection of data needs to be strengthened.
Secondly, at the level of enterprise data security, the data security obligations of data processors, particularly platform enterprises, include three dimensions: establishment of a data security management system, fulfillment of the obligation to protect personal information rights, and cooperation with supervisory authorities [10]. When enterprises fail to fulfill their obligations to build a data security management system and to protect personal information rights, the administrative authorities can impose corresponding penalties.
Finally, at the level of personal information, in the Internet sector, platform companies are prone to data security problems due to the over-collection of sensitive personal data, which mainly includes names, genders, identity card numbers and medication use. In China, if a data processor fails to fulfill its data security protection obligations, fails to take any technical measures such as anti-tampering, anti-leakage and anti-intrusion, and fails to take technical protection measures such as de-identification and encryption for sensitive data, which leads to data leakage or the risk of data, the law enforcement authorities may penalize such acts in accordance with the Data Security Law.

2.3.3. Criminal Liability

At the level of criminal liability, China has mainly adopted the approach of combining criminal law and non-criminal law regulation. The Criminal Law and judicial interpretations can be broadly categorized into two ways of regulating crimes involving data security: firstly, based on the essential attributes of the data, they are protected as information; secondly, based on the technical characteristics of the data, they are protected as an intrinsic part of the computer system. The former mainly includes crimes such as stealing, spying, bribing and illegally providing state secrets and intelligence for an organization, institution, or personnel outside the country, infringing on trade secrets, infringing on citizens' personal information, and illegally deleting, altering, or adding the data or application programs installed in or processed and transmitted by the computer systems, while the latter mainly includes the crimes of destroying computer information systems and failing to perform the obligation of information network security management.
At the level of non-criminal laws and regulations, in addition to the regulation of behaviors endangering data security in criminal laws and regulations represented by the Criminal Law, subsidiary criminal law norms in non-criminal laws, such as the Data Security Law, also contain relevant provisions on related behaviors. According to Article 45 of the Data Security Law, data handlers who violate the data management system and jeopardize the country's sovereignty, security, and development interests will also face criminal liability.

3. Data Security Governance Practices in China Mainland

Over the past decade, China's efforts in addressing data security issues have made certain achievements at the level of institutional construction. With the implementation of relevant laws and regulations, the Chinese government has also accumulated a wealth of practical experience in data security governance. As China's attention to data security and privacy protection continues to deepen, China has responded in the process of governing data security issues from three dimensions: legislation, law enforcement, and justice.

3.1. Legislative Practice and Achievements

In legislative practice, China has continuously insisted on improving relevant laws and regulations to provide more comprehensive protection for data security, which is mainly reflected in the Civil Code, Criminal Law, Data Security Law, Personal Information Protection Law, Cybersecurity Law and other legislation. As mentioned above, China has regulated the infringement of data security at the different levels of civil, administrative and criminal liability, and the promulgation and implementation of the Data Security Law has filled the gap in China's data security protection legislation and pointed out the development direction for the establishment of a sound data security governance system. There are some differences between the Data Security Law and the Personal Information Protection Law. The Data Security Law aims to safeguard data security in terms of national security and social public interests. The Personal Information Protection Law, on the other hand, focuses on the security of personal information and on private rights and interests, and it is designed to safeguard the privacy, personality, property and other interests of individual citizens. The two laws complement each other and improve China's protection of various types of data.
In addition, at the legislative level, China has also focused on strengthening the connection between specific systems and the overall governance framework. This effort includes reinforcing connections with the Cybersecurity Law and other laws in terms of basic definitions, data security management, data categorization and classification, and the exit of important data, in order to improve the construction of China's legal system for data governance.

3.2. The Administrative Law Enforcement and Improvement

The issue of data security is fundamental to the development of the digital economy, a view that is particularly evident in law enforcement practices involving data security. In the context of the digital economy, one of the most significant features of platform operators is the possession of massive amounts of data, and the manner in which platform enterprises handle and utilize data impacts whether data security can be protected. In administrative enforcement practice, on July 21, 2022, China's National Internet Information Office imposed a fine of over 8 billion yuan ($1.19 billion) on ride-hailing giant Didi Global Inc in accordance with the Cybersecurity Law, the Data Security Law, the Personal Information Protection Law, and the Administrative Penalties Law. It marked the highest fine imposed in China on an operator for a violation of data security. The illegal activities mainly include illegal collection of 11.9639 million pieces of screenshot information from users' mobile phone photo albums; excessive collection of 8.323 billion pieces of user clipboard and application list information; excessive collection of 167 million pieces of precise location information; inaccurate and unclear explanation of 19 personal information handling purposes; and other illegal activities.
Since 2021, China's net information departments at all levels and other law enforcement agencies have carried out law enforcement in the field of data security in accordance with the law. In response to the serious problem of illegal collection and use of personal information by dozens of mobile apps such as Didi, platform operators were notified to take down the relevant apps in accordance with the law and were required to strictly comply with the legal requirements for safeguarding the security of users' information.
In addition, the establishment of China's National Data Bureau in 2023 marks a new stage in China's efforts to utilize, protect, develop and regulate data elements. It also means that the administrative authorities will continue to enhance Cybersecurity Law enforcement in the field of data security. The main problems that law enforcement in the field of data security will address include platform operators' serious illegal collection and use of personal information through coercion, enticement, fraud, and other illegal means. Additionally, attention will be directed towards operators that fail to carry out security assessments as required and have potential security problems, among other things.

3.3. Judicial Practice and Emphasis

In judicial practice, China's governance of data security is mainly reflected in the punishment of crimes related to data security. These data-related crimes generally include a wide range of criminal acts relating to personal information, privacy rights and other legal goods. Through searches, the scope of “data” as the object of crimes includes not only traditional property such as network virtual property and cryptocurrency, which are associated with property crimes, but also personal information such as candidate information and household registration information, which can identify specific natural individuals. There is an overlap between data-related crimes and traditional crimes in terms of the scope of infringement, such as the act of generating virtual currencies for profit by cracking the instruction codes of virtual currency service providers [11], or the act of collecting victims' personal information (including users' name, ID number, bank card number, and phone number) through database cracking [12].
Although laws such as the Data Security Law and the Personal Information Protection Law have their own focus on protecting different types of data in their legislation, the concept of "data" is often interpreted broadly in the context of data crimes. This is because personal information and privacy are often carried as "data", and there is an overlap between the various concepts. Especially in the digital age, the intertwining of data and personal information, privacy and even national security is becoming more and more obvious, making it difficult to distinguish them in judicial practice. Moreover, the protection of the rights and interests of all of them is categorized under the protection of data security, which is also the path of the current judicial practice in China Mainland.

4. China's Data Security and Privacy Protection Path

4.1. Improvement of Laws and Regulations

In recent years, China has actively explored the field of data security, and has regulated data security issues including personal information, privacy protection, national security and many other issues through legislation. The enactment and implementation of a series of laws and regulations, such as the Civil Code, the Personal Information Protection Law, and the Cybersecurity Law, have effectively solved some of the data security problems that need to be addressed, and have provided a good framework for the rule of law for the development of the data industry. However, in the process of practice, there are still many places that need to be optimized and improved in order to address the data security issues.
In terms of legislative refinement, the Data Security Law, for example, still needs to be strengthened in terms of clarifying the main security risks faced by each type of data exit, as well as in terms of fine-grained governance. Furthermore, there are deficiencies in terms of dynamically responding to changes in internal and external data security risks [13]. Although the Data Security Law puts forward principled requirements for designing a security risk system in the flow of data, it does not put forward targeted measures for security risks in the process of data flow. In terms of interconnectivity of laws, although the Civil Code, the Criminal Law, the Data Security Law, and the Personal Information Protection Law all address data security issues, the interface among civil and criminal law is not very smooth, ultimately resulting in challenges in effectively addressing certain violations.

4.2. Improving the Data Infrastructure

4.2.1. Improvement of Data Grounded Theory

At some level, imperfect data-related fundamental institutions allow technology-based enterprises to collect, analyze, and use data arbitrarily, which contributes to data security risks and privacy infringement. The lack of clarity about the legal attributes of data has made it impossible for regulators to effectively regulate issues related to data security. Therefore, it is necessary to explore the foundational theory system of data. Liu Liehong, the head of the National Data Bureau (NDB), made remarks to this effect at a forum at the second Global Digital Trade Expo. He said that the administration is pressing ahead with a series of tasks, such as improving the basic systems for data, promoting the circulation, transaction and utilization of data, bolstering data infrastructure construction, advancing research on key technologies in the data field, and strengthening data security governance. Subsequently, on January 4, 2024, the National Data Bureau collaborated with relevant departments to explore the implementation of a "Data Element X" plan for 2024-2026. These initiatives are important for bringing the digital economy into a deeper stage of development and for providing foundational theoretical support for data security.

4.2.2. Improvement of Data Classification Regulations

According to the requirements in Article 21 of the Data Security Law, “The State is to establish a categorized and graded protection system for data. This system is designed to implement protection based on the importance of data in economic and social development, as well as the degree of danger to national security, public interests, or the lawful rights and interests of individuals or organizations, if data is altered, destroyed, leaked, or illegally obtained or used.” The subsequently promulgated Practice Guidelines for Cybersecurity Standards — Guidelines for Network Data Classification and Grading classify data into three levels according to its importance, namely ordinary data, important data and core data. However, since general data covers a wide range of data, the same level of security protection may not be able to meet the security needs of different types of data. Data handlers prioritize classification based on the basic framework provided. They can also refine the grading of general data by combining it with industry data classification rules or the organization's production and operation needs.
However, there are also many challenges in implementing the data classification regulations. For example, Article 40 of China's Constitution establishes a strict system for the protection of private communications, which is mainly regulated by telecommunication carriers and state organs. But with modern Internet communication tools and exchange platforms, the content of communications can be easily forwarded, and the boundaries between private communication contacts and public information dissemination are unclear. This ambiguity is not conducive to establishing a security and protection order that is appropriate for different types of data. Therefore, it is necessary to distinguish between private communications and public information in Internet communication scenarios, making it easy for network operators and users to clarify the private or public attributes of the network socialization scenarios in which they are engaged. This would in turn facilitate the establishment of strict confidentiality norms for private communications and orderly management of public information in accordance with the idea of categorization and management [14].

4.3. Improvement of Supporting Measures

To solve the current data security problems, we need not only to continue to improve the laws and regulations, consolidate the basic theory of data, and optimize and innovate the regulatory measures, but also to strengthen the data-related infrastructure to meet the urgent need for secure data flow.
Firstly, data resources and data products in the current market are complex and diverse, and should be categorized based on data attribute categories, importance, risk level and other factors.
Secondly, establishing a data property rights system guarantees rights and interests and compliant use. The system of structural separation of data property rights is at the core. According to the Opinions of the CPC Central Committee and the State Council on Establishing a Data Base System to Maximize a Better Role of Data Elements, a classified and hierarchical ownership affirmation and authorization system for public data, corporate data and personal data shall be established. According to the characteristics of data sources and data generation, the legal rights enjoyed by each participant in the process of data production, circulation and use shall be defined respectively, and a property right operation mechanism with ownership of data resources shall be implemented. An example of this progress can be seen in Shenzhen, Guangdong Province, where the Data Exchange Management Regulations (for Trial Implementation) were released at the municipal level. Shenzhen has taken the lead in exploring the concrete practice of structural separation of data property rights and standardizing the data exchange mechanism [15].
Finally, the focus should be placed on a compliance data exchange system. The compliance data exchange system is the key to optimizing the data circulation environment and strengthening data security, especially the system for cross-border data flow, which is even more important in the context of the current data security game among countries. Compliance and security are the red lines of data exchange, and the security compliance system can reduce the risk of leakage of personal information and national secrets.

5. Summary

Whether viewed at the national, social or individual level, data security is extremely closely related to national sovereign security, social stability, and individual rights and interests, among others. On the one hand, data security is more closely linked to personal information, personal privacy, national security protection and other issues, making it the centralized manifestation of these issues. On the other hand, data as a carrier of various types of information, coupled with the non-exclusivity and renewability of data, has posed greater challenges to data security. Effective management of data security issues requires not only the continuous improvement of the theoretical system, but also the building of a set of laws and regulations throughout data collection, utilization, circulation, and other aspects of the system.

References

  1. N. Kanem, “State of the World Population Report 2023,” United Nations Population Fund, New York, NY, USA, 2023.
  2. W. Fan, “Reconstructing the Path of Personal Information Protection in the Age of Big Data,” Global Law Review, vol. 38, no. 5, pp. 92-115, Feb. 2016.
  3. T. Wu, “Application of the principle of data minimization to the platform's practice of handling personal information,” Chinese Journal of Law, vol. 43, no. 6, pp. 71-89, 2021.
  4. Y. Liang, “Differences, causes and consequences of global data governance between China and the United States” [J/OL], Journal of Nanjing University of Posts and Telecommunications (Social Science Edition).
  5. K. Dong, J-C. Wu, T-C. Ma, “Research of Outbound Data Transfer Security Risk Element System in China,” Information Studies: Theory & Application, Jan. 2024. Accessed: Apr. 1, 2024. [Online.] Available: https://link.cnki.net/urlid/11.1762.G3.20240115.1347.004.
  6. C. Nigel, D. Luke, “How barriers to cross-border data flows are spreading globally, what they cost, and how to address them,” ITIF. Accessed: Apr. 1, 2024. [Online.] Available: https://itif.org/publications/2021/07/19/how-barriers-cross-border-data-flows-are-spreading-globally-what-they-cost/.
  7. B. Chen, “Data outbound security governance ushers in new regulations,” in Explaining the logic of multidimensional governance in the digital economy. Beijing, China: China Legal Publishing House, 2022, pp. 45-51.
  8. Propaganda Office, “The first approved data exit safety assessment case in China landed in Beijing Friendship Hospital,” Beijing Friendship Hospital. Accessed: Apr. 1, 2024. [Online.] Available: https://www.bfh.com.cn/Html/News/Articles/5797.html.
  9. D. Q. Xu, “On the rule of law in regulating corporate two-way compliance of exit data flows,” Oriental Law, no. 02, pp. 185-197, Feb. 2020.
  10. H. L. Zhang, “Platform’s data security obligation in data production,” Legal Forum, vol. 36, no. 36, pp. 46-57, Mar. 2021.
  11. You - Case of destroying computer information system, PiZhou, JiangSu, China, no. 868, 2020.
  12. J. Y. Han, “The judicial dilemma of data crime and the way forward for its governance,” in Proc. The Yangtze River Delta Jurisprudence Forum, Shanghai, China, 2022, pp. 185-197.
  13. Y. Q. Hong, “The logical deconstruction and institutional construction of China’s data security legislation,” Law Science Magazine, vol. 44, pp. 38-53, 2023.
  14. Y. Liu, “Improve data classification regulations and data security legislation,” Cyberspace Administration of China. Accessed: Apr. 1, 2024. [Online.] Available: https://www.cac.gov.cn/2020-09/28/c_1602854536494247.htm.
  15. S. Lin, “China to introduce ‘Data Element X’ plan to unlock data’s multiplier effects in diverse scenarios: official,” Global Times. Accessed: Apr. 1, 2024. [Online.] Available: https://www.globaltimes.cn/page/202311/1302484.shtml.
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.
Copyright: This open access article is published under a Creative Commons CC BY 4.0 license, which permits free download, distribution, and reuse, provided that the author and preprint are cited in any reuse.