Research on the Protection of Tort in the Process of Service Data Circulation

With the advent of the era of “big data”, service data has released increasingly higher commercial value. Incidents such as personal information leakage and data product infringement that frequently occur in the process of data circulation seriously infringe the rights of data subjects and data controllers. This article takes service data as an example, combines the existing laws and regulations at home and abroad, analyzes the legal attributes of service data products and the definition of the rights of related subjects, and proposes corresponding tort protection suggestions from the two perspectives of personal information protection and data product protection.


Introduction
With the continuous growth of Internet users and the rapid development of Internet applications and ecommerce, network service providers (data controllers) collect and generate a large amount of data (service data referred to in this article) in business, which have more and more commercial applications, and there are more and more examples of data collection, integration, analysis and mining, and transactions. However, data ownership, invasion of personal privacy, transaction compliance, and corporate data leakage are also gradually attract attention in the process of data circulation.
Service providers need to follow the relevant principles of personal information protection in the process of collecting personal (data subject) information in their business activities. Secondly, the data products formed by anonymized and desensitized service data bearing personal information have huge potential commercial value. It is extremely easy to be illegally used, traded and spread by individuals or other commercial organizations, seriously infringing the rights and interests of data controllers. Strengthening the protection of personal information in the Internet age, while focusing on the misappropriation and infringement of commercial data and data products, giving clear service data infringement protection methods, and deterring criminals have become a very urgent issue at this stage.
This article combines the existing laws and regulations on the protection of personal information and data products at home and abroad, on the basis of clarifying the boundaries and legal attributes of personal information, original service data and data products, for the two stages of the service data life cycle, put forward corresponding infringement protection suggestions from multiple infringement plot dimensions.

Data and information
From the basic concept, data is a record that reflects objective things and their attributes, and it is a recognizable and abstract symbol; information is the motion state and changing content of various things in the objective world, and it needs to be expressed by a certain carrier. Broadly defined, when discussing data problems, it is often not strictly defined. It can point to both the information at the content layer and the data file at the symbol layer.
There are different regulations on the protection of "data" and "information" in China's existing legislation. The protection of "information" mainly focuses on the protection of personal information. In the 2020 version of Personal Information Security Specification, personal information is defined as the information formed by the personal information controller through processing of personal information or other information, such as user portraits or feature tags, which can identify the identity of a specific natural person or reflect the activities of a specific natural person, alone or in combination with other information. With the improvement of portrait technology, the scope and definition of personal information are constantly being updated. At the same time, personal information contains sensitive information in addition to basic personal information. In the Civil Code of China to be implemented in January 2020, it is mentioned that "private information in personal information shall be governed by the right to privacy; if there is no provision, the regulations concerning the protection of personal information apply." Although China's Personal Information Protection Law is still in the process of formulation, the relevant legal provisions on the protection of personal information are scattered in the Chinese Criminal Law, Civil Law General Rules, People's Republic of China Network Security Law and other laws. The Civil Code of China, issued by the National People's Congress on May 28, 2020 and entered into force on January 1, 2021, separates the right to personality into a chapter, and the right to privacy and personal information protection are also independent in the chapter on the right to personality Formed a chapter clearly stating that "natural persons enjoy the right to privacy" and "natural persons' personal information is protected by law." In terms of data legislation, Article 27 of the General Rules of Civil Law, Article 127 of the Civil Code, Article 18 of the Cyber Security Law of the People's Republic of China, and Article 69 of the Electronic Commerce Law of the People's Republic of China separately list the law's support for data protection and data circulation, preferring public power.
In foreign legislation, information and data can be converted to a certain extent. For example, the meaning of personal data in the General Data Protection Regulation is basically the same as the definition of personal information in the Chinese Cyber Security Law.
In summary, personal information legal issues and simple data file legal issues are easily confused and should be strictly distinguished. The two are really different problem areas.

Legal attributes
Personal information contained in service data is one of the core parts of the data. Discussing the identification of the ownership of personal information from the perspective of privacy protection is a research hotspot at home and abroad. There are several statements about the determination of the ownership of personal information: Table 1 Several opinions on the identification of personal information ownership Theory Proposition Reason Defect

New Personality rights
Personal information is a specific new personality right All data must be protected by a personal information protection mechanism.
Due to the non-tradability of personality rights, personal information resources cannot be used as property. intellectual The right to personal Personal information The personality rights of Objects of real rights cannot be expanded indefinitely and include service data.

Data property rights
Personal information is a "new property right" Citizens have the right to possess, use, profit, and dispose of their own information according to law.
Ignore the protection of the personal rights of citizens' personal information.
Generalized the exclusive right of information to the data medium. In summary, combining the intangibility and property of service data, service data cannot be simply attributed to real right because it does not conform to the uniqueness of objects; in essence, the originality of personal data resources does not have the originality of content, nor can it belong to the scope of intellectual property. From the perspective of balancing personal information protection and data circulation, its right attribute should be a special intangible property right, on the other hand, in order to protect the legal rights and interests of the data controller, it should be made clear that the data controller enjoys the property rights of the legally collected service data.

Definition of service data rights
In the process of service data circulation, the relevant subjects should be clearly divided into data subjects, data controllers, data processors, third-party subjects (usually referring to the data buyers in the data transaction process). These types of subjects have different responsibilities and obligations in the process of data circulation.
(1) Data Subject Without the consent of the data subject, others cannot illegally collect and trade personal information of citizens. From the perspective of personality rights, the ownership of personal information should belong to the data subject. Data subjects enjoy corresponding rights in the stages of data collection, data processing, and data use. This section summarizes the rights involved in data subjects in domestic and foreign laws, regulations, or related standards. The main rights are as follows: Act.

right to rectification
The data subject has the right to request the controller to correct the erroneous data related to it or to complete the incomplete data.

Right of judicial relief
Data subjects have the right to defend their rights through judicial appeal to obtain compensation.

EU's General Data Protection Regulation; the United Kingdom's Data Protection Act; Korea 's Personal Information Protection Act. (2) Data controller and data processor The definition of data controller and data processor has always been very uncertain. The national standard Information Security Technology Personal Information Security Specification (GB/T 35273)
revised the definition of personal information controller to an organization or individual capable of determining the purpose and method of processing personal information; the Civil Code to be implemented defines the subjects that collect, store, use, process, transmit, provide, and disclose personal information as personal information processors. In the absence of clear boundaries, this article believes that data processors are generally data controllers, but there are also examples of data controllers entrusting third parties to process data. If entrusted to a third party, the data controller shall define the rights and obligations of the data processor through a contract of entrustment to ensure that the data subject enjoys legal rights and interests, and the data processor has the right to control, use, profit, and dispose of service data products.
(3) Data to the buyer Data buyers purchase data products that serve the data distribution market, and as consumers, they have the consumer rights stipulated in the Law on the Protection of Consumer Rights and Interests of the People's Republic of China, namely, the right to security, the right to know, the right to choose independently, the right to fair trading, and claims rights, rights of association, the right to know, the dignity of personality, the right to be respected, the right to supervise.

Service data tort protection
Data collectors and third-party companies may become the tort-feasor. In the course of judicial practice, an important principle of data circulation compliance is the "triple authorization principle", that is, the data collector needs to be authorized by the data subject during the data collection process, and the data controller needs to be authorized by the data controller to obtain data products，Users agree that data products can be used by third-party companies, as shown in the following figure:

Data controller (Data collectors) is the tort-feasor
From the previous article, data subjects enjoy many rights in the process of data circulation. When a data controller or data processor violates the above rights of the data subject, the data controller or data processor should bear corresponding civil, administrative, and criminal responsibilities. Regarding the acceptance of tort liability, China's Criminal Law Amendment (VII) and Criminal Law Amendment (9) have successively added crime of infringement of citizens' personal information, crime of destruction of computer systems and the amount of fines and sentencing standards for violating the relevant regulations; the chapter 4 of the Cyber Security Law of the People's Republic of China stipulates the norms for network operators, any individuals and organizations to collect and protect citizens' personal information and the supervisory responsibilities of the network information department and relevant departments.

The third-party organization is the tort-feasor
Service data products are data products formed by service providers through algorithm desensitization and system integration. They are independent of network user personal information and original network data. Therefore, service providers should enjoy independent property rights for the data products they develop. However, due to the unclear legal system in China, in the course of judicial practice, the court will generally deny that the data controller has the property ownership of the data product, and most of them use the competition law as the path to determine the tort liability.
In addition to improving my country's legislative system, the infringing party should perform its legal responsibilities in accordance with the Law of the People's Republic of China on Tort Liability and the Civil Code to be implemented. If the circumstances are so serious as to constitute a crime, criminal responsibility shall be investigated. The form of civil liability is shown in the table below: Cease the infringing act The infringing party should stop the acts of leaking or disseminating service data products.

Removal of obstacle
The affected company can make a request and notice to the infringing party to stop the infringement, and request that the obstruction be eliminated.

Elimination of danger
The data owner has the right to require the platform to bear the cost of patching vulnerabilities and make all actions to eliminate the danger to make up for it. Eliminate ill effects; Extend a formal apology; Rehabilitate one's reputation These three methods usually apply at the same time. If the infringement of the infringer damages the reputation of the data controller, then the aggrieved party's enterprise must be paid an apology, in addition to the restoration of the reputation of the damaged enterprise; infringement of the data property rights enjoyed by the data controller , then it is necessary to compensate the data controller for property losses. Fig. 2 The form of civil liability According to the seventh part of the Civil Code and the relevant provisions of the Competition Law, the author recommends that the people's court comprehensively consider the specific infringement circumstances can refer to the table：  Table 3 The specific infringement circumstances The amount of commercial amount If the infringer incorrectly obtained the data product and profited from the transaction, punitive damages may be considered.

Scale of Tort
The sensitivity of data products is lower than personal information, and can usually be considered in terms of scope of impact, duration, and serious social harm.

Means of acquisition
According to the provisions of Article 268 of the Criminal Law, the crime of illegal acquisition of computer information system data can be committed.

Frequency
For more than two intentional infringements, punitive damages can be adjusted to two to three times. If it exceeds three times within two years, the punitive damages may be adjusted to four to five times.

Conclusions and deficiencies
Based on discussions presented above, the conclusions are obtained as below: (1) The legal attribute of service data is a new type of special intangible property right. Service data that can identify personal information involves the personality rights of the data subject and cannot be directly traded; service data products after anonymity and desensitization process involve data control property rights.
(2) When the personal rights of the data subject are infringed, the legal rights can be protected according to the relevant legal provisions of personal information protection; when the property rights of the data controller are infringed, the infringers can be held accountable according to relevant data protection regulations or tort liability laws, as described above.
Security and development are always the two themes that must deal with the relationship in the field of data law and policy. In the era of big data, the development and utilization of data has become a trend. Improve the data sharing, opening, and trading platform to fully release the value of data while also managing and standardizing the use of data, relatively objectively protecting the data subject's personality rights from infringement, reducing data controller's concealed intervention.
The establishment of infringement punishment methods and compensation standards has a certain deterrent effect on criminals, and to a certain extent can reduce the occurrence of infringements. In addition to enacting special network data product protection laws at the legislative level, it is also necessary to improve the burden of proof, strengthen the self-discipline of network service providers, and establish an effective third-party monitoring agency to promote the healthy development of the big data industry and maximize the value of data products.