
Chen Bowen | the doctrinal shaping of data crime and its risk prevention and control

Author: Shangguan News

To change it

Professor, School of Criminal Law, East China University of Political Science and Law

Chen Bowen

Master student of School of Criminal Law, East China University of Political Science and Law

Contents

1. Raising the question

2. The doctrinal shaping of data crime in the context of criminal compliance

3. Criminal law risks faced by enterprise data compliance

4. Constructing a criminal compliance path for the prevention and control of enterprise data crime

Epilogue


Building criminal compliance in the data field is a process that benefits both sides, and establishing a long-term risk prediction mechanism is historically inevitable. Viewed through the research method of criminal law doctrine, the theoretical background of risk criminal law and the justifying basis of the comprehensive theory of punishment are highly consistent with the purpose of building data compliance; the derivation of the unit's "organizational responsibility" constitutes the basis of its responsibility; and it is necessary to explore the doctrinal boundary of compliance with the help of the theory of the normative protective purpose, and to find the theoretical basis for the amount of compliance crimes through the channel of justification. Given the operational defects of the industry and the major criminal risks of enterprise data compliance, and from the perspective of risk prevention and control, it is necessary to follow a three-level theoretical path. On the basis of strengthening graded and classified protection and the determination of crimes in building data compliance, the mechanism for multi-party participation should be further improved and the details of responsibilities clarified, completing a two-way reshaping of the "rights-obligations" concept in the data compliance system at the level of normative values.


Since the United States sanctioned ZTE in 2018, and in the context of globalization, criminal policy incentives and judicial leniency have been used to encourage mainland enterprises to establish sound compliance systems, so as to prevent the "long-arm jurisdiction" of other countries from "blocking" them. This is the first judicial attempt to face international challenges in the current internationalization of multinational enterprises. Since then, all sectors in the mainland have been vigorously advocating the establishment of corporate compliance systems. As to the essence of compliance, from the perspective of corporate governance and corporate social responsibility, the purpose of a compliance plan can be summarized in three aspects: first, to ensure that the company complies with laws and regulations and thus avoids legal liability; second, to control the company's internal risks and prevent "insider" misconduct within the enterprise; third, to fulfill corporate social responsibility and avoid business conduct that harms society. Establishing a compliance system benefits both the mainland criminal law system and companies and other entities. From the standpoint of the state, it contributes to general prevention and thereby helps increase the competitiveness of mainland enterprises in the international market. For companies, it helps them avoid, as far as possible, the impact of adverse regimes such as that of the United States and gain long-term institutional advantages. It is undeniable that the compliance system has become an indispensable part of the reform of the criminal law system, which gives criminal compliance great research value in theory.

The exploration of data compliance is a highly cutting-edge topic. Trump's signing of the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) in 2018 is regarded as an important symbol of the United States' realization of "long-arm jurisdiction" in the field of data: it extends the reach of US law enforcement to multinational companies around the world, and in essence reflects a strong desire for control in pursuit of data hegemony. The exploration of data compliance has therefore been given an important role in countering data hegemony. In particular, some mainland enterprises listed in the United States will inevitably face US long-arm jurisdiction, and the mainland's data (including trade secrets, state secrets, etc.) will then be exposed to the high pressure of the US system, which is bound to create an unfavorable situation. This paper responds to the current academic exploration of the compliance system and focuses on the prevention of data crime. It seeks to establish a sound risk prediction mechanism starting from the enterprise, so that data compliance risks are discovered in time and compliance construction is carried out accordingly, safeguarding the data interests of citizens, society and the state within the framework of the system. Before that, the justification of data compliance within criminal compliance is a proposition that is worth exploring and extremely necessary, and the doctrinal method is an inevitable and effective path. Therefore, starting from the theoretical background, and combining the purpose of punishment itself with the basis of the unit's "organizational responsibility", this paper first constructs a reasonable basis for its existence, then seeks the doctrinal boundary of compliance through the normative protective purpose, and finally uses grounds of justification to ensure that the compliance system can fully enter the tiered system of crime theory. 
I also hope to offer some useful suggestions in the field of data compliance through my own views, and I invite comments on this article from teachers and colleagues.

In the context of criminal compliance, the purpose of taking the doctrinal path is to find a basis for the legitimacy of the grounds for leniency and mitigation of punishment for criminal subjects in criminal compliance. The purposes of criminal compliance can be shaped through the doctrinal channel, and it is also only through the doctrinal channel that the high degree of independence of substantive law itself can be highlighted. Both the three-tier system of Germany and Japan and the two-tier system of crime composition in the United Kingdom and the United States require a corresponding path of judgment in which a basis can be found. For the criminal compliance system there is not much room for discussion on the characterization of the act itself; rather, on the issues of illegality and attribution, a corresponding basis for why punishment should be lighter or mitigated is lacking. There are therefore at least three reasons for shaping criminal compliance through the doctrinal method. First, both are based on the study of positive law. As far as legal doctrine itself is concerned, its object of study is the order of positive law. It is a science of existing law, not of right law; it is a science of positive law, not of the law as it ought to be. It is thus distinguished from the other sciences that take law as their object of study, that is, from the philosophy of law, which concerns the purpose of law, and from the science of legal policy, which concerns the means to such ends. Although criminal compliance contains many criminal policy considerations, its institutional basis still rests on positive law; in essence it is an institutional innovation on the traditional adjudicator's logic of conviction and sentencing. Second, the interpretive path of legal doctrine is an inevitable path for criminal compliance. Preventing criminal risks through criminal compliance requires a correct understanding of criminal law norms. 
Divorced from the doctrine of criminal law, the understanding of criminal law rests only on intuition; without understanding the values reflected in its provisions, that understanding will be wrong, and so-called criminal compliance measures based on a wrong understanding may be invalid from the outset. Third, the two are highly consistent in their historical evolution. The social basis for criminal compliance is the evolution of the modern enterprise system and the continuing spread of technology. Data crime is a by-product of the technical means on which the present and the future depend; the purpose of compliance here is prevention and control, and it can be called a targeted means of prevention and control for that by-product, bearing the characteristics of the times. Legal doctrine is likewise a typical symbol of the rapid development of the field of criminal law today. After nearly two decades of prosperity, Chinese criminal law theory based on Soviet criminal law gradually showed a low level of knowledge and a lack of progress. With the vigorous promotion of Chen Xingliang, Zhang Mingkai, Zhou Guangquan and other scholars, German and Japanese knowledge has once again entered China on a large scale, and a pattern of academic openness has initially taken shape. The originally uniform knowledge structure of Chinese criminal law has undergone subtle changes. In particular, a large body of legal theory from Germany and Japan has become the engine and driving force of a new round of development in Chinese criminal law theory. The high degree of consistency between the two, and the important role that the doctrinal approach plays in criminal policy and the penal system, give us reason to believe that the methodology of legal doctrine can build a bridge between criminal compliance and positive law. 
However, why it arose in this era, and how it relates to positive law, deserve further discussion. Specifically, there are the following aspects:

Theoretical Background: Criminal Law Changes and Data Compliance in the Context of Risk Criminal Law

In today's era, the advent of the risk society is driving the transformation of criminal law, and this has become a broad consensus in the academic community. The long-standing view is that, faced with a "risk society", criminal law should respond actively and play an important role in risk control. Generally speaking, amending the criminal law and adjusting criminal law theory to some extent in line with the requirements of risk control falls within the scope of a reasonable response. In the context of the risk society, the most typical and most important aspect of criminal law reform is the further development of the preventive view of criminal law. This has contributed to the transformation of criminal law to positivism, and a large number of endangerment offences have appeared in legislation, which focuses on earlier intervention by criminal punishment and on expanding the scope of punishment in criminal law. Regardless of its legitimacy, this trend, as embodied in criminal legislation, seems to show that the risks of current society are being "typified". Data crime is exactly such a case. At present, personal information is collected in a variety of ways and forms huge databases at data terminals, which can be called "data pools", and the role of data terminal manager is not always played by the state or the government. With the popularity of apps and all kinds of digital software, ordinary data technology companies also have the right to collect users' personal data within a certain range. For example, AutoNavi Map can obtain users' real-time location and has obtained road maps covering nearly all of the country's urban and rural areas, and all of this personal data is ultimately kept by AutoNavi Map. 
Similarly, travel software such as Didi and mini programs in the catering industry can also obtain user location, and shopping software can even obtain a user's complete shopping information and form a so-called user-specific shopping preference. The risk of personal information being leaked, stolen or even sold is therefore ever present, and because all data carries extensive commercial interests, it has become a piece of "fat meat" that the black and gray markets focus on seizing. Such acts seriously violate social order and the individual rights of citizens, and the criminal law provides relevant offences to regulate them. Trade secrets are equally worth protecting, and here lawmakers have strictly set the red line for criminalization in the criminal law. However, there are still many acts that are not punished by the criminal law but that undoubtedly pose some danger to the legal interests of society and the personal legal interests of citizens. For example, so-called "big data killing" involves the protection of consumers' personal rights and the danger of deception affecting their property rights. As the preventive view of criminal law continues to deepen, if the harm of such acts continues to expand and endangers the legal interests protected by the criminal law, it is foreseeable that they may be criminalized in legislation. It can be seen that data crime is accompanied by criminal law risks: black and gray transactions are carried out around valuable data such as personal information and trade secrets, which seriously damages public order and the business environment and endangers the protection of citizens' personal rights. We can therefore conclude that the rationale for preventing and regulating data crime lies precisely in the change of criminal law in the context of risk criminal law.

For precisely this reason, data compliance aims at preventing and guarding against data crimes and other violations of laws and regulations, and it is closely related to the criminal law reform of the risk society, which forms the background of data compliance. There are several reasons for taking the criminal law reform of the risk society as that background. First, the background of data compliance is in line with the main trend of criminal law reform in the risk society. The demand for data compliance arose with the widespread use of data. Massive, multi-source, heterogeneous data poses challenges for data management, storage, processing, and application. While new technologies are sought that support big data applications and yield greater application value, data openness and sharing expose personal privacy at the front end of the platform. Data openness and privacy protection, and data application innovation and risk compliance, have become huge challenges in the field of data governance. Legislative work in the field of criminal law is mainly embodied in Article 253 of the Criminal Law, the "crime of infringing on citizens' personal information", which was added by Amendment (VII) to the Criminal Law in February 2009 and aims to protect the personal safety of citizens and to punish serious violations of person, property and personal privacy caused by the illegal disclosure of personal information. Here, the "citizens' personal information" that is the object of this crime includes citizens' names, ages, valid certificate numbers, marital status, work units, academic qualifications, resumes, and other information and materials that can identify a citizen's personal identity or involve the citizen's personal privacy. This information and data is also the main object of protection of data compliance, and at this level the direction and purpose of the two forms of protection are consistent. 
Second, data compliance needs to enter the criminal law system through criminal policy, with the help of the background of the risk society. The entry of criminal policy into the criminal law system is an important proposition in the development of contemporary criminal law, and it is another important aspect of the criminal law system of the risk society. The criminal policy of a specific period is formed under the influence of the social background and of threats to the legal interests protected by the criminal law, so it is adopted by the criminal law; the normative protective purpose of specific provisions is formed on the premise of conforming to the normative protective purpose of the criminal law, and it enters the criminal law through legislation. Although this trend is often regarded as an "instrumentalist" tendency of criminal law, it is undeniable that criminal policy is indispensable to the criminal law system. Data compliance is precisely a product of criminal policy. In 2007, the China Insurance Regulatory Commission (CIRC) promulgated the Guidelines for Compliance Management of Insurance Companies. Compliance in Chinese enterprises first emerged, developed and matured in the financial industry. In recent years, the relevant state departments have successively promulgated a number of compliance management regulations, such as the Measures for the Compliance Management of Securities Companies and Securities Investment Fund Management Companies, the Guidelines for Comprehensive Risk Management of Banking Financial Institutions, the Basic Norms for Internal Control of Enterprises, and the Guidelines for the Compliance Management of Overseas Operations of Enterprises. On December 29, 2017, the Standardization Administration of China issued the ISO 19600 Compliance Management System Guidelines (GB/T 35770-2017), which came into effect on July 1, 2018. 
On May 4, 2018, the National Enterprise Compliance Committee was established by the China Council for the Promotion of International Trade and other organizations. In this process, the improvement of the compliance system heralds the gradual evolution of criminal policy. In the end, for data compliance to enter the criminal law system, be adopted by the criminal law and become a basis for leniency and mitigation of punishment for criminal subjects, it must still pass through its essence as criminal policy, which is also in line with the background of the criminal law reform of the risk society.

Justification: Comprehensive penal theory and data compliance

The penal rationale of data compliance is that, once a compliance plan has been adopted, the data management subject can follow the rules within the scope of compliance, and if it nevertheless incurs criminal risk, compliance can become a basis for leniency and mitigation of punishment. This not only highlights the positive general preventive concept of punishment, but also reflects the penal purposes of retribution and special prevention. The so-called comprehensive theory of punishment is the general term for the various theories of punishment lying between the absolute theory and the relative theory, which strive to draw on each other's strengths and offset each other's weaknesses so as to achieve the best combination of theories. The theory supported by mainland academic circles is a comprehensive theory that determines the purpose of punishment according to the type and stage of punishment. It has two important elements. First, in terms of the type of punishment, it basically reflects the integration of the theory of just retribution in the death penalty with the theory of prevention in other types of punishment. Second, across the stages in which punishment is applied, the concept of general prevention is mainly embodied in statutory provisions, special prevention and retribution are embodied more in judicial proceedings, and the principle of special prevention is reflected especially in the enforcement of punishment. Here, prevention refers to guarding against something in advance. In criminal law theory, retribution as the purpose of punishment refers to the nature and aim of punishment, namely requital and recompense for the crime. 
In short, the comprehensive theory applies and selects the purpose of punishment at different levels and adopts prevention where legislation involves the typification of criminal acts; that is, it attends to general prevention and special prevention within the bounds of retribution, which is also known as "unionism".

The penal rationale of data compliance is consistent with the above theory of the purpose of punishment, which thus becomes the basis for justifying the penal treatment of data compliance. In data compliance, the most important question to be answered is why compliance can lead to lighter or mitigated punishment. This question can be answered through the theory of the purposes of punishment. First, general prevention finds its most typical embodiment in data compliance, because the purpose of data compliance is itself to prevent and guard against data crime. Compliance reminds business operators in advance and so prevents the risk of data leakage; thanks to this prompting function, the enterprise's subjective illegality and possibility of expectation in relation to data compliance are reduced, and the active involvement of compliance in this process is the embodiment of general prevention. Special prevention fits the period after an enterprise has been punished: where an enterprise has suffered administrative or criminal penalties in its data operations, the judicial organs can compel it to develop a compliance plan, which can effectively prevent it from crossing the red line again. In particular, the subjective state of most criminal subjects in data-related matters is negligence; reasonably improving, through data compliance, their ability (possibility) to foresee results with due care and their possibility of avoiding them is conducive to the special prevention of data crime. In the same way, leniency and mitigation for data compliance reflect the spirit of retribution: the enterprise has fulfilled its duty of care, so its blameworthiness is reduced, its reprehensibility is correspondingly reduced, and it is reasonable to punish it more lightly or to mitigate its punishment. 
The ultimate goal of corporate compliance is to ensure that the enterprise operates in compliance and that its business objectives are achieved. To protect their own survival and interests and to make up for their weak position, enterprises must strengthen self-discipline and hold to the bottom line of the law. On this point, the theory of the purpose of punishment provides the justification.

Basis of responsibility: "organizational responsibility" of the unit and data compliance

Whether a corporate legal person can independently bear the unit's "organizational responsibility" is a theoretical proposition that cannot be avoided in establishing data compliance. As is well known, criminal law was originally concerned with punishing natural persons who commit criminal acts. A company, however, is usually a combination of natural persons with independent decision-making bodies, and important decisions may be made by a small group of senior managers or by the leadership collectively on the basis of the will of all employees. When a company's decisions cross the red lines set by the criminal law and infringe the legal interests it protects, the question of whom to punish arises. Early Roman law firmly refused to punish corporate collectives and punished only natural persons. In reality, however, punishing natural persons could hardly achieve the purpose of punishment in full, because the representativeness of natural persons gradually weakened as the company system developed. Especially in joint-stock companies, the voice of shareholders could not represent the direction of the company's decision-making, and it was difficult to ensure that the possibility of re-offending was completely curbed. It therefore seems an inevitable trend for legal persons to become subjects of criminal liability, even if this has not yet been recognized in civil law countries such as Germany and Japan. In practice, the legal person has become a subject of political, economic, cultural and indeed all social life with an independent identity. It is the emergence of large numbers of legal persons as a real and special type of social person, and their criminal activities as legal persons, that make it inevitable for the criminal law to punish the crimes of legal persons. 
But to get to the essence of the problem, we still have to find the source of the consciousness of illegality and where the illegality comes from. Unfortunately, a corporate legal person has no independent will and can be likened to a machine; the ultimate operator is still the actor behind it. In other words, does the enterprise bear responsibility for its own wrongdoing, or does it bear joint and several or transferred responsibility for the illegal and criminal acts of its employees? This question is the key issue that has long troubled the theory of corporate crime. Later theories held that companies are punished because they did not make sufficient efforts, and that they are responsible for their own conduct rather than vicariously for the conduct of their employees. The theory of criminal law has thus undergone a long period of evolution.

The "organizational responsibility" of unit crime has become a punishable wrong, having developed from the fiction theory of the legal person to the reality theory, and it has now been formally recognized by mainland criminal law. It might seem that corporate "organizational responsibility" can serve as the justification for data compliance and that the problem is solved. However, a one-size-fits-all approach to corporate "organizational responsibility" does not achieve the desired effect. Today's data managers are highly varied, from national departments to all kinds of app companies that can obtain user permissions, all of which have some capacity to receive data. In a small company, there may be only a very few people at the decision-making level; if they intend to sell data while building the database, then not only must the individuals responsible be punished, but the company must also bear criminal liability. It should also be noted that if the enterprise was itself established for the purpose of data crime, the enterprise has become a tool of crime; its status as a responsible subject should be denied and the perpetrators punished directly. Similarly, should a company bear criminal liability for an employee's negligent breach, or for a crime the employee committed without the company's knowledge? The principle of responsibility requires, at a minimum, that the actor be at least negligent at the time of the offence; otherwise there is no real blameworthiness. In such cases, therefore, punishing the unit according to the usual practice and making it take responsibility on behalf of the employee is not in line with the principle of responsibility. 
However, once corporate compliance has been established, the enterprise bears a dual obligation: to foresee the result and to avoid the result. So when an employee breaks the law without authorization or without the company's knowledge, the company must also prove that it has fulfilled its duty of care, which is undoubtedly a more standardized path of attribution.

All in all, the changes in corporate structure and the infiltration of the concept of risk into corporate criminal law have transformed the form of legal person liability from individual responsibility to organizational responsibility, thus moving the defense base point forward. The pursuit of the responsibility of legal persons has shifted from the indirect model of "individual-organization" to the direct investigation of the organizational responsibility of legal persons. While acknowledging this trend, the establishment of the compliance system further meets the requirements of responsibility doctrine and constitutes the basis for the justification of data compliance in the hierarchical criminological system.

Doctrinal boundaries: the normative protective purpose and data compliance

If, in a broad sense, positive law is the basis for establishing data compliance, then legal doctrine is the methodology for controlling the boundaries of compliance, and in this the normative protective purpose plays an important role. The normative protective purpose is the purpose that the legislator wants to achieve in formulating a legal norm; it is the value judgment or evaluative position the legislator forms in order to coordinate conflicting interests. Accordingly, "norm" refers to the legal norm, and "purpose" refers to the purpose of law, including the purpose of the law as a whole, the purpose of a branch of law, the purpose of a legal institution, and the purpose of an individual provision. The value of the normative protective purpose is that it limits the doctrinal boundaries of data compliance. Why limit those boundaries? As is well known, although the criminal law is restrained, the severity of its punishment is what allows it to guard society's last line of defence. Overly inflated criminal compliance gives enterprises more room for behavior and more reasons for committing crimes, so that the criminal law loses its functional significance, and enterprises can exploit loopholes in compliance as tools and means for illegal acts such as leaking and trafficking data; the compliance system then becomes useless and a hindrance. The boundary of compliance therefore cannot be controlled by procedural law or by judges alone, which lacks a clear standard in positive law and is not fair enough. Third-party jurisdictions need a definite basis for assessing data compliance, so that enterprises can operate stably within the framework of data operations. The minimum basis for this is a boundary value, that is, a bottom line for measuring whether compliance meets the minimum requirements of criminal law. 
The difficulty is that this criterion cannot be made concrete, because the bottom-line value of criminal law is not something numbers can measure; it must instead be grasped with the help of abstract theory. As the bottom line and boundary established for the compliance system, the normative protective purpose has a certain basis in reality and is worth selecting as the standard.

The next question is why the normative protective purpose is chosen as the measure of this boundary. The choice follows from the essence of the normative protective purpose. According to this concept, its role lies in achieving the purpose that the provisions of the criminal law are themselves meant to achieve. Under the purpose of the overall legal order, each branch of law also has its own normative protective purpose; for example, what the criminal law wants to protect is explained through the independent normative protective purpose of that branch. Taking the "crime of infringing on citizens' personal information" as an example, its normative protective purpose is to protect citizens' independent personality rights, such as privacy and reputation, while protecting the stability of the social information order. On top of the normative protective purpose, the hermeneutics of criminal law can construct a variety of interpretive paths around the legal interests it protects, which is understandable, but it is a matter of consensus that no interpretation of a criminal law provision may go beyond that provision's own normative protective purpose. Choosing the normative protective purpose as the indicator for measuring the boundary is therefore the most stable and convincing option. It should also be noted that the normative protective purpose meant here is not that of the overall legal order, nor that of other branches of law, but that of the criminal law itself and indeed of the individual provisions themselves. 
For example, the normative purpose of protection in criminal law is different from the purpose of protection in administrative law, which, although sometimes has the purpose of protecting legal benefits, most of the provisions of the law take administrative management as the main objective, so whether a violation of administrative law is a crime needs to be re-evaluated according to the normative protection purpose of criminal law. In terms of methodology, the design of compliance should be combined with the normative protection purpose of the provisions behind all criminal acts, and be framed on top of them. Therefore, it is necessary to determine the specific crimes that may be involved in compliance and their criminal risks, which will be discussed in Part III below.

Theoretical channel: criminal law justification of the cause and data compliance

Compliance is not only a concept of criminal law; many scholars also regard it as a concept of criminal procedure. The systematic status of criminal compliance leaves ample room for discussion; in particular, to explain how it operates within the criminological system, it is necessary to find the theoretical basis and systematic positioning of its role. Compliance, as the name suggests, requires enterprises to develop within the framework of legal norms, and, as a reward for such law-abiding conduct, legal norms can reduce their liability when illegal consequences occur. From this point of view, criminal compliance seems to play its greater role on the sentencing side of the criminal law's conviction and sentencing mechanism. However, in the author's view, the reason why criminal compliance can trigger the incentive mechanism of lenient and mitigated punishment lies in negligence and the possibility of expectation at the responsibility tier.

From the perspective of negligence theory, the justification for treating data compliance as a ground for lenient and mitigated punishment is hidden in several of its doctrines. This point has been recognized in some academic circles; for example, the Japanese scholar Kafiq pointed out: "According to the theory that the nature of negligent crimes is grasped at the level of illegality, the law-abiding plan can be grasped as a criterion for objective duty of care, and in the event of a personal accident in corporate activities, there is room for connection with the function of legitimacy." Tracing its evolution, the theory of negligence has gone through three stages: from the old theory of negligence to the new theory of negligence, and then to the theory of danger (also known as the new new theory of negligence). In the stage of the old theory of negligence, the theory of the worthlessness of result advocated the doctrine of foreseeability, emphasized that the possibility of foreseeing the result is the essence of negligence, and used cognitive defects as the basis for negligence. In this period there was not much room for compliance, but the basis for the company to bear criminal liability for its employees is found here, and it can be said that the old theory of negligence is a proof of the company's "organizational responsibility". However, the old theory of negligence cannot provide a complete justification for compliance, because it completely ignores the conformity with the constituent elements and the illegality, and it cannot explain why compliance can lead to lenient or mitigated punishment. The new theory of negligence, also known as the benchmark behavior theory, is a theory of negligence developed by the theory of the worthlessness of behavior on the basis of the obligation to avoid the result. If, judged by the standards of the average person, the subject of the crime adopts a reasonable benchmark act to avoid the occurrence of the result, then, even if the result was foreseeable, the danger is a permitted one, and the scope of punishment for negligence is limited accordingly. With this, the new theory of negligence lays the basis for justifying compliance within the theory of negligence. It is through compliance that enterprises carry out the so-called benchmark behavior of fulfilling the obligation to avoid the result, so their illegality is reduced, and the degree of blame for negligence at the responsibility tier should also be reduced; this is the theoretical basis for why compliance can lead to lenient and mitigated punishment. Looking further, compliance can be seen to fit precisely with the principle of trust in the theory of negligence. The principle of trust means that when the actor has sufficient grounds to trust that the victim or a third person (especially the victim) will not act inappropriately, and there are no circumstances that make it inappropriate to believe that the other party will act appropriately, it is sufficient for the actor to act appropriately on this premise; even if the other party betrays that trust and this ultimately leads to the infringement of legal interests, the actor cannot be held liable for negligence. The principle of trust was originally applied in the traffic field: as long as the driver obeyed the traffic rules, even if he collided with someone who violated the traffic rules, there was reason to regard the driver's conduct as reasonable. The same holds when the principle is applied to compliance: if the enterprise acts on the premise of complying with the compliance plan, then even if an infringement of legal interests occurs, the criminal liability of the enterprise cannot be pursued (mitigating the criminal liability of the enterprise).

In addition to the theory of negligence as a legitimate theoretical basis for enterprise data compliance, the theory of the possibility of expectation also provides a theoretical channel for compliance as a ground for lenient and mitigated punishment. In the earliest stage of the doctrine of responsibility, the theory of psychological responsibility, based on the theory of moral responsibility, prevailed; it held that moral responsibility exists as long as there is capacity for responsibility and the psychological fact of intent or negligence. Under the concept of responsibility popular in theory at that time, if the employees of an enterprise violated the norms, the enterprise, as a matter of morality, needed to bear vicarious responsibility for them, which corresponds to the first stage of the theory of negligence described above. The "unruly horse" (Leinenfänger) case was the key to the transformation of the theory of responsibility; in particular, the normative theory of responsibility proposed by Welzel, with the possibility of expectation at its core, finally completed the transformation to the teleological theory of action. The possibility of expectation refers to the possibility that the actor can be expected to act lawfully under the specific circumstances at the time of the act. Compliance follows the same logic: through the implementation of the compliance plan, the company is expected not to engage in acts involving data crimes. Where compliance is in place, enterprises can be expected to act lawfully. It can be said that the possibility of expectation is consistent with the main purpose of compliance. At the same time, the law does not demand what cannot reasonably be expected: once an enterprise has complied with the compliance system, even if it infringes legal interests protected by the criminal law and a criminal result occurs, its punishment can be made lenient or mitigated because of that compliance.

It is also worth mentioning the illegality tier, which may also bear on the justification of compliance. Three theories can be borrowed from Japanese criminal law theory on excessive defense. The first is the theory of the reduction of illegality. This theory holds that the protection owed to the attacker is (partially) reduced because a situation of legitimate defense exists, and that this is exactly what reduces the illegality of excessive defense. The second is the theory of the reduction of illegality and responsibility. This theory adds to the argument for reduced illegality the ground that responsibility can also be reduced because the act is one of emergency avoidance of danger. The third is the theory of the reduction of responsibility. According to this theory, psychological shocks (horror, consternation, excitement, and embarrassment) during emergency actions reduce responsibility. Excessive defense is an excessive result produced by conduct that goes beyond the limits of legitimate defense, and the principle of punishment for it is likewise lenient and mitigated punishment. Even if an act is identified as illegal in the sense of criminal law, it is theoretically impossible to completely exclude the intervention of a ground for reducing illegality; in that case the ground for excluding illegality coexists with the illegality of the act. In the author's view, the grounds for excluding illegality can also serve as a legitimate basis for lenient and mitigated punishment on account of compliance. The theoretical positioning can focus on two common grounds for excluding illegality, the execution of orders and legitimate business conduct: the execution of orders refers to acting in accordance with the instructions of superiors, and legitimate business conduct refers to lawfully engaging in certain business activities on the basis of certain business needs, both of which are similar to compliance. Therefore, treating criminal compliance as a possible extra-statutory ground for excluding illegality cannot be ruled out.

Clarification of the system content of criminal compliance with corporate data crimes

Compliance, as the name suggests, requires the subject of compliance to conduct lawful business within the framework defined by the compliance plan. Criminal compliance for data refers to drawing the framework of the compliance plan around the criminal risks that may arise in the operation of enterprise data, so as to prevent the enterprise as a whole, or persons inside it, from committing harmful acts that infringe on data legal interests, and to regulate the business ecology of the data operation industry in order to safeguard the data interests of the state, society and citizens. Clarifying the concept is the precursor to the criminal compliance system for data crimes, and several specific elements of criminal compliance for enterprise data crimes can be developed further.

First of all, it is necessary to clarify the subjects of the criminal compliance system for corporate data crimes. The subjects referred to here are not the compliance circle in the narrow sense, with data enterprises at its core, but should also include the subjects of data jurisdiction, the subjects of data standard formulation and other relevant data generating entities, which are discussed separately below.

The first is the subject of data operation. The number of data operators in the mainland is gradually increasing, both in the types of industry and in the number of data operation enterprises, and it has shown explosive growth in recent years in particular. For example, the subjects that manage private data include shopping platforms (online shopping software such as Taobao, Pinduoduo and Jingdong), Internet financial payment terminals (such as Alipay and various mobile banking apps), search engines (such as Google and Baidu), various video entertainment software (such as iQIYI and Youku Video), news and information services (various news websites such as Tencent News), chat and video software (Tencent QQ, WeChat, etc.), and so on. Listing them one by one is not realistic, because the number of terminals that currently obtain data is basically the same as the number of registered apps, a number that is difficult to grasp in full. It is worth mentioning that the above data operators have some commonalities: they all have permission to obtain private personal data such as location information, address book information or photo albums. Although users have the right to withdraw these permissions, current feedback on how the software operates shows that refusing to provide such data amounts to giving up the right to use it, and the software will quit automatically; such behavior is by no means rare. Therefore, at present all types of software can become subjects of data operation, and a large number of data pools exist in the background.

The second is the subject of data jurisdiction. As the name suggests, this is the department that can obtain terminal data from the data operator. In the mainland, as long as it is needed for an investigation, each department has the right to obtain personal data held by the enterprise, so jurisdiction is completely open to the departments of state organs. That is not the focus of attention here; the focus is whether other, threatening entities have jurisdictional powers. The recently much-discussed "Didi" incident has to be mentioned. According to media reports, Didi was removed from app stores by the regulatory authorities and strictly investigated mainly because of its listing in the United States: once the listing succeeded, the United States would readily have authority to demand the provision of data under the principle of "long-arm jurisdiction". Because Didi holds a large amount of user data and road data covering almost all of China, there is a risk of personal information and state secrets being leaked. In particular, as the dominant player with about 80% of the domestic online ride-hailing market, Didi holds the personal information of hundreds of millions of users, including information related to national security that has military strategic value. Didi held a sharp weapon in its hands, yet it tried to slip in quietly, bypassing the regulators and skipping the security assessment, and went public in the United States without drawing attention. At the level of data jurisdiction, preventing the "long-arm jurisdiction" of other countries has become the top priority, but the country still emphasizes the self-discipline of enterprises, and Didi is undoubtedly a negative example in this incident.

The third is the subject of data standard setting. In the mainland, data standards can be formulated through legislation; for example, the Ministry of Network Information and Information Technology can provide relevant guidelines by issuing administrative regulations and departmental rules. In other areas of data governance, there are several influential actors.

The fourth is other relevant data subjects, which refers to enterprises that do not take data operation as their business but generate a large amount of data in the course of their operations. Take "Internet + finance" as an example. From a technical point of view, the Internet is a technical means, and "Internet + finance" is simply the use of Internet technology to move financial business from offline to online. Financial technology also includes other technical elements, such as artificial intelligence, blockchain and biometrics. These technical elements have profoundly changed the supply entities, business models, customers, risk composition and supervision model of the financial industry. Once the subjects of the criminal compliance system for corporate data crimes are clarified, compliance plans can be formulated in a more targeted and complete way.

Second, the standards of the criminal compliance system for corporate data crimes need further discussion. On the issue of privacy leakage, the Criminal Law provides criminalization standards for related crimes such as those concerning trade secrets and state secrets, which rest mainly on the underlying Data Security Law and Cybersecurity Law. As far as preventing data breaches is concerned, the relevant collection and confidentiality standards are already very clear. In addition, in the field of data security, the state has established a classified and graded protection mechanism, and there are some notable achievements in this field; for example, some scholars have proposed that, on the basis of data classification and grading, the nature and amount of data crimes be evaluated according to the legal nature of data security and the infringement it suffers, and the crimes related to data security protection be delimited accordingly.

Finally, it is also necessary to clarify the normative guidelines relevant to the criminal compliance system for corporate data crimes, and to map out the institutional network of the current compliance system. In the field of criminal law, this mainly involves Article 219 ("crime of infringing trade secrets"), Article 219 of the Criminal Law ("crime of stealing, spying, buying, or illegally providing trade secrets for parties outside the country"), Article 111 ("crime of stealing, spying, buying, or illegally providing state secrets and intelligence for abroad"), Article 253 ("crime of privately opening, concealing, or destroying mail and telegrams"), Article 253-1 ("crime of infringing on citizens' personal information"), the "crime of stealing, spying, buying or illegally providing military secrets outside the country", and Article 432 (the crime of deliberately leaking military secrets and the crime of negligent disclosure of military secrets), six articles in all. Criminal legislation has paid close attention to the field of data security, which provides a further statutory basis for the promotion of data compliance.

Operational deficiencies in the area of criminal compliance systems for data crimes

The main body of the compliance plan is the enterprise, and its self-discipline is the necessary guarantee for the compliance plan to work. However, the current enterprise data governance model still has many operational deficiencies that deserve reflection, specifically in the following four respects.

First of all, the generalization of data rights leads to trade barriers between enterprises, which keeps compliance construction developing along a single dimension within each enterprise, and ultimately, because rights remedies are insufficient, compliance plans fail. The generalization of data rights refers to the generalization of data management rights: any lawful data terminal is able to process the data it holds, and in doing so it often violates the duty of care and causes a series of consequences such as leakage. There are two reasons for this phenomenon: one is the emergence of data privatization, and the other is the misunderstanding and improper use of the right to data self-determination. In recent years, some scholars have put forward the proposition of "the inherent conflict between data privatization and data sharing". Data privatization emphasizes particularity. It divides the "public goods" created and produced by members of society into the private goods of different subjects and does not allow subjects to cross those boundaries; crossing them constitutes an infringement on the legitimate rights of others. The existence of data privatization is undeniable. At present, many kinds of enterprises take control of the data they hold and classify the data they collect as private property, which eventually gives rise to an awareness of data as private property, leads them to sell it arbitrarily, and brings data cooperation mechanisms to a standstill; this can be said to be the industry norm. Although data privatization is more conducive to the commercial prospects of companies and enterprises, and they do retain the corresponding right to store data, this is no excuse for privatizing data; rather, it makes it easy for an awareness of private rights to emerge and for the data to be disposed of improperly. At a deeper theoretical level, the more essential reason for data privatization is the generalization of the right to information self-determination. What is the right to information self-determination? Citizens enjoy personality rights and the right not to disclose their private matters to the outside world, and the law protects these rights. Companies and enterprises likewise have corresponding rights over their commercial data, which they need not disclose to the outside world. However, the right to self-determination is in essence definitely not a right to dispose of other people's information. The information that is currently more valuable and more deserving of criminal law protection is not the enterprise's own data but the data pool it has collected through various means. The enterprise has no right of self-determination over the data it collects, because the rights still belong to citizens, and the data is only temporarily stored in the terminal. In the hands of data enterprises, the right to self-determination over data therefore becomes a mere right to retain the data. In fact, however, data-operating companies do not fully understand this right. On the mainland, it is very difficult to achieve even the basic protection of these rights, and the ultimate cause is still the generalization of rights.

Secondly, the excessive functionalization of data legal interests means that enterprises cannot understand the incentive mechanism behind the policy, and compliance plans cannot be fully integrated into the industry ecology of data operation enterprises. From the data legislation described above, it can be seen that compliance by data enterprises is the main criminal policy currently advocated. At present, courts and procuratorates vigorously support the promotion of the compliance system, and even form cooperative relationships with law firms to help enterprises build compliance plans. In legislation, the protection of data legal interests has been gradually improved, and academic calls for it are heard constantly. This reflects the background of the current risk society: criminal punishment keeps moving forward to earlier stages, and, typically, criminal policy keeps entering the criminal law system and exerting a certain influence on legislation. Since the seventh amendment to the Criminal Law, calls for legislative instrumentalism have been continuous, which to a certain extent reflects the functionalization (functionalism) of criminal law protection. Undoubtedly, strengthening the protection of legal interests is a good thing in itself, and it has helped to safeguard the maintenance of social order. However, it cannot be ignored that in the field of compliance, because it is difficult for those who draw up compliance plans, or for partners such as law firms, to fully grasp the spirit of criminal policy, it is easy to go astray. In the field of data in particular, few scholars span the two major theoretical fields of data and criminal law, and it is not easy to integrate the theories of the two disciplines. When criminal policy is renewed too quickly, it may be difficult to require enterprises to absorb it fully, and in the end it is natural that compliance plans cannot be fully integrated into the industry ecology of data operators.

Third, the complexity of the international environment has raised the level of potential risk, while the updating of enterprise data compliance has lagged behind, resulting in poor adaptability. For example, the "long-arm jurisdiction" of the United States and European countries currently has its eye on mainland data enterprises, which not only carry large commercial and economic interests but, more importantly, involve a wide range of state secrets. Enterprises themselves are not vigilant enough: whether in the series of events such as ZTE in 2018 or in the recent Didi incident, enterprises showed a great lack of preparation and underestimated the harshness of the environment. At present, the goals of data companies still lie in the financial field, where they seek further development by riding the rising east wind of the Internet. Taking financial technology as an example, it has greatly reduced the cost of connecting the supply and demand sides of funds, achieving high efficiency and low cost, but the characteristics of financial risk, such as concealment, suddenness, contagion and negative externalities, still exist. At the same time, financial, technological and cyber risks are more likely to superimpose and aggregate, making risks spread faster and more widely, and making technical, operational and systemic risks more prominent. Under these conditions, far from having made a full plan for going abroad, an enterprise that does so is in the end stepping into the tiger's mouth and becoming food for other countries' data hegemony.

Finally, there are also hidden leaks in the process of data transmission and mining, and enterprises rarely pay attention to them. Data security and privacy problems have become prominent: the mining, analysis, and open sharing of big data not only increase the value of data applications but also increase the transparency of data. Especially when data is concentrated in one large environment, some sensitive and private data may be leaked or illegally used, which poses more serious challenges to data security and privacy protection. For example, in the transmission of Bitcoin transactions or network data, if the accuracy of the technology cannot be ensured, the risk of leakage is extremely great. Therefore, attention to the rigor of data transmission and mining is an important issue in the construction of corporate compliance.

The main criminal risks faced by the corporate data crime criminal compliance system

This part of the article mainly explains the specific crimes involved in the criminal risks of criminal compliance. Because data touches on many levels, only typical crimes can be selected for interpretation. The details are as follows.

1. Selling or obtaining citizens' personal information by illegal means: the crime of infringing on citizens' personal information

According to the prevailing view in the mainland, this crime is objectively manifested as the perpetrator committing one of the following two types of acts. First, selling or illegally providing citizens' personal information to others. "Sale" refers to selling for the commercial purpose of obtaining consideration, while "illegal provision" refers to provision that is not for the commercial purpose of obtaining consideration but is made in violation of national regulations and professional ethics. Second, stealing or otherwise illegally obtaining citizens' personal information. In the author's opinion, from the perspective of legal interest protection, the concepts of data and information do not stand in a relationship of complete inclusion, and the overlapping parts (especially the parts that constitute information) are the objects of criminal law protection. The mainland criminal law strictly stipulates the direction of protection of personal information and the characterization of the conduct, which is relatively specific and, as far as legislation is concerned, covers a wide range of acts. In addition, the strict protection of citizens' personal information has become a worldwide consensus. A search of the judgment documents related to the personal information protection laws of Germany, Japan and other countries in recent years shows that there are very few cases of infringement of personal information in these countries, and in fact very few cases of criminal punishment. Although both Germany and Japan adhere to the basic position of strictly protecting citizens' personal information at the level of criminal legislation, based on the importance of personal information and the actual background of the problems related to information infringement, it is easy to derive the conclusion that penalties are set directly for acts such as the illegal collection of personal information. In Germany, criminal and administrative fines for violations of data protection are extremely rare. The application of penalties is limited to acts such as obtaining, providing and selling information for profit-making or harmful purposes.

In specific judicial practice, the question of how to apply this provision also arises, and it is an important issue for data compliance in preventing criminal risks. For example, in the case of "Du Mingxing and Du Minglong, crime of infringing on citizens' personal information", the defendant Du Mingxing and his defender, together with Du Minglong's defenders, argued that the purchased commercial registration information was public and should not fall within the scope of citizens' personal information protected by the Criminal Law. The court held that although the industrial and commercial registration information of enterprises can be queried through legal channels, the parts of it that involve citizens' personal information still fall within the scope of legal protection. This case shows that the mainland's protection of personal information is relatively broad, which also provides a direction for criminal compliance. Criminal compliance for data crimes must be in line with the current mainland system for managing information. In particular, since this crime is a typical statutory offence with dual illegality, it is necessary not only to build compliance in the criminal field, but also to attend to the normative basis in the field of administrative law, such as the Data Security Law.

2. Dissemination of other people's works or various services other than works through information networks: copyright infringement

At present, copyright infringement is very common in judicial practice. On the mainland, written works, audio and video recordings, and the like can be included in the concept of data and become objects of protection by criminal law. Take a novel, for example: it consists of written symbols, with which the author tells a story or conveys ideas, and it is recorded in a book by writing or printing. A novel thus reflects at least three levels of information: the first is the meaning content of the information, that is, the story or thought that the author wants to express through words; the second is the form of expression of the information, that is, the written symbols used by the author; the third is the material carrier of the information, that is, the paper book that records the novel. These three levels of information not only exist independently in the actual process of transmitting, storing and using information, but can also serve as a preliminary basis for drawing the boundaries of legal regulation and protection of information. Therefore, not only data enterprises need to build compliance; all enterprises involved in copyright should also carry out compliance design work.

There is no shortage of typical cases of copyright infringement in practice, and with the development of data transmission technology in particular, the base number of such crimes is increasing day by day.

Consider the following case:

At the end of 2013, the defendant Duan Mou established the "Wowo Movie Network" on the Internet. The website could collect, aggregate and link to the film and television resources of major domestic video websites such as LeTV and Tudou, and block the title advertisements of the film and television works on the linked websites; its pages were edited to carry catalogs of film and television works, indexes, content introductions, ranking lists and other columns for users to click and browse. After the website was established, the defendant joined two advertising alliances and, by publishing paid advertisements on the website, collected advertising fees based on users clicking on and browsing film and television works. According to statistics, from January 2014 to May 2016, defendant Duan collected a total of more than 530,000 yuan in advertising fees through the advertising alliances.

The typical significance of this case is that it offers a broad perspective for judging the concept of data. The concept of data is constantly evolving, which expands the scope of how data-related conduct is characterized. For example, the judicial authorities pointed out in this case that the provision of network services other than the works themselves, and all original and secondary communications, including but not limited to disseminating (providing) works, making the dissemination of works possible, facilitating the dissemination of works, and expanding the scope of authorized dissemination of works, should all count as information network dissemination behavior. In designing data compliance, it is therefore necessary to grasp the trend of interpretive theory more accurately and not to omit content that compliance should cover. Otherwise, once a crime is committed and the compliance plan has omitted a prevention mechanism for copyright infringement, compliance cannot serve as a ground for lighter or mitigated sentencing.

3. Improper application of web crawler technology: the crime of illegally obtaining computer information system data

Web crawlers are a very typical way to collect data today, but the risks they bring should not be underestimated. A web crawler is a program or script that automatically acquires information and data according to certain rules, and it compensates for the technical shortcomings of search engines. Chapter 23 of the Criminal Law, "Crimes of Obstructing the Order of Social Management," stipulates the "crime of illegally obtaining data from computer information systems." It is worth noting that this crime targets computer information systems other than those in the fields of state affairs, national defense construction, and cutting-edge science and technology; it covers the use of other technical means to obtain data stored, processed, or transmitted in such a system, or to illegally control such a system, where the circumstances are serious. For example, the case of "Illegal Acquisition of Computer Information System Data by a Network Technology Co., Ltd. in Shanghai" shows the complexity and secrecy of web crawler technology: data stored by others can be obtained easily, and special attention must be paid to the serious technical consequences. The best option is to focus on prevention at the level of compliance and define the boundaries of the technology. At present, there is no shortage of hackers who have set up companies to carry out data crimes, and compliance is also conducive to cleaning up such companies and shaping a good network environment.

4. Transmission of protected data to lawless forces: crimes of infringement of trade secrets or crimes of endangering military secrets

This crime complements the above-mentioned crime of illegally obtaining data from computer information systems in terms of the objects protected. The "trade secret" in the crime of infringement of trade secrets refers to technical information and commercial information that is not known to the public, can bring economic benefits to the right holder, is practical, and is kept confidential by the right holder. The crime of endangering military secrets includes three categories, namely, "the crime of illegally obtaining military secrets," "the crime of stealing, spying, buying, and illegally providing military secrets outside the country," and "the crime of deliberately leaking military secrets and the crime of negligently leaking military secrets." Although such crimes are rare, they are extremely harmful, and the damage is difficult to recover once they occur. Countries therefore attach great importance to legislation in this area. In the United States, for example, data security strategy moved from the protection of network infrastructure in the Clinton era, to cyber counter-terrorism in the Bush era, and then to the creation of Cyber Command in the Obama era, an evolution "from passive prevention to active attack". As far as compliance is concerned, being able to prevent the relevant criminal risks is undoubtedly an important measure for the country in safeguarding data security.

The main types of criminal risk involved in data compliance described above all point to the importance of establishing data compliance to prevent data crimes. The following sections explain how the compliance mechanism can be further constructed and criminal risks prevented.

Strengthen hierarchical and categorical protection and determination of crimes in the construction of data compliance

1. Definition of priority and division of crimes in the level of protection of data crimes

In data compliance, different data call for different levels of protection, and the mainland criminal law system distributes the crimes of infringing on different data objects across different chapters. Because the provisions are scattered across the criminal legislation, no conclusion can be drawn from them about the priority ranking of data protection, and the relative importance of data objects cannot be fully distinguished. Therefore, to improve the construction of data compliance, it is necessary to classify data and protect it at different levels; the significance of doing so lies in determining the necessity of compliance construction. For example, if an enterprise stores and operates data with the highest level of protection, the law has reason to force it to carry out compliance construction; correspondingly, for data with a weaker level of protection, compliance construction can be optional; and if the data has no protection value, there is no need for compliance construction. To apply these hierarchical and classified protection standards, it is first necessary to reasonably subdivide all current domestic data, and in the author's opinion, it can be sorted according to the following standards:

Table 1 List of data hierarchy

According to the above table, in the order I., II., III., IV., V., the level of protection gradually decreases, and the necessity and mandatory force of compliance construction decrease accordingly. The highest level is I. (national core data, military secrets). Such data refers to important information controlled by enterprises, such as the national urban and rural road maps held by software such as AutoNavi Maps and Didi taxi. Although there are not many such enterprises, the degree of information protection is the highest, and the state should force them to carry out compliance construction. The second level is trade secrets. Criminal legislation protects such data, but at a relatively weaker level, because its infringement will not cause immeasurable damage to the country as a whole; it can therefore be protected selectively, and the state can designate individual state-controlled enterprises and institutions to carry out compliance construction. For personal privacy data pools and data pools generated from daily life and work, compliance construction should be actively advocated without coercion, giving play to the sentencing incentive of criminal compliance and reasonably protecting personal data. Data disclosed with consent or acquiescence mainly refers to information that software obtains with consent in daily work; acquiescence can be recognized only where there is subjectively no cognitive defect. Such information has the lowest level of protection and is not an object of criminal law protection, so compliance construction need not be carried out.
The significance of advocating hierarchical and classified protection is that enterprises holding data with high protection levels can protect it in an airtight manner, while data that is not an object of legal protection needs no compliance construction, which saves judicial resources. This prevents other countries from maliciously obtaining high-level mainland data through "long-arm jurisdiction", and gradually builds a compliance construction system for small and medium-sized enterprises that facilitates national management.

2. Determination of the amount of crime with serious circumstances

Taking the "crime of infringing on citizens' information" as an example, the judicial interpretation delineates the standard for the amount of crime with serious circumstances. Several conclusions can be drawn from it: First, there are clear criteria for the type of information and the number of crimes committed, and the scope of consideration covers both subjective and objective aspects. Second, the criteria for "serious circumstances" are all defined for the perpetrators, and the standards for enterprises lack clarity. The criteria for determining that an enterprise has infringed on citizens' personal information deserve particular attention, and the question here is whether the same crime-amount standard applies to enterprises and individuals. The Provisions on Standards for Filing and Prosecuting Criminal Cases under the Jurisdiction of Public Security Organs (II), issued by the Supreme People's Procuratorate and the Ministry of Public Security in 2010, stipulate that among the 62 types of economic crimes that can be committed by both individuals and units, 56 crimes such as contract fraud will in principle no longer distinguish between the filing and prosecution standards for individuals and units, and only the remaining 6 types of crimes, such as fund-raising fraud and bill fraud, retain different crime amounts for units and individuals.
The author advocates that units and individuals should be subject to the same crime-amount standard for this crime, because the circumstances of a unit's infringement of citizens' personal information are more serious, and adopting a standard unified with that for individual crimes lowers the threshold for criminalization and better serves the purpose of positive general prevention. In particular, the degree of infringement of personal information is not reduced by the nature of the unit itself; the degree of infringement of legal interests is equal, so there is no need to distinguish between standards. On the contrary, a stronger criminal-law crackdown can better deter crime.

3. The logic of judging the illegality of data crimes

"Violations of relevant national regulations, ……" is a common formulation in the provisions on data crimes, and this legislative form is called statutory offence legislation. The typical feature of statutory offences is their double illegality; that is, the general theory holds that a statutory offence is established on the premise that the provisions of the preceding law have been violated. The principle is that, according to the theory of constitutive elements in civil law systems, an act is unlawful when it satisfies the constituent elements under the criminal law and no statutory ground excluding unlawfulness exists. Therefore, the basis for judging whether a person's behavior is illegal is whether it meets the constituent elements. When the acts committed by the actor meet the constituent elements, the constituent elements are considered satisfied, and the general view has formed that the constituent elements are types of illegality. The crimes stipulated in the criminal law all have specific criminal compositions, the acts they point to have a certain degree of social harm, and the objects protected by the criminal law as a whole have corresponding legal interests and infringements of them. With the advent of the era of statutory offences, their number has soared and their types have become more and more difficult to grasp. Affected by deviations in policy, public opinion and the determinations of judicial personnel, some conclusions hardly meet the requirements of criminal law, so it is extremely important to reiterate the criteria for judging illegality: according to the principle of unity of legal order and the principle of criminal law, the judgment logic of administrative violations → criminal violations should be followed.
Compliance construction in the data field should follow the same principles. First, it should follow the criminal law's spirit of humility, to prevent an expansion of criminal penalties from leaving compliance unable to play a role. As far as compliance itself is concerned, formulating a compliance plan also requires that the criminal law be foreseeable, and that foreseeability comes from an understanding of the preceding law, such as the Data Security Law. If the judgment of illegality does not follow the logic of double illegality, compliance will lose its legal predictability at the time of formulation. Second, compliance can also be further combined with the preceding law to avoid being improperly guided and misunderstood because of criminal policy, which would result in the compliance plan failing to pass. Therefore, the logic of judging illegality is a very important factor when considering the amount of crime in the construction of compliance.

Improve the participation mechanism of multiple entities and clarify the details of responsibilities

The usual view is that compliance construction mainly involves the court, the procuratorate and the enterprise: the enterprise formulates the compliance plan, and the court and the procuratorate review its legality and feasibility. In the field of criminal compliance, if only these subjects are involved, the completion of the compliance program will be mechanical and inefficient. The reasons for improving the participation mechanism of multiple parties are as follows. First, given the nature of criminal offenses, the law does not stipulate that courts and procuratorates are responsible for conducting compliance reviews, and an unclear mechanism of powers and responsibilities will also raise doubts about the effectiveness of compliance. As we all know, the duty of the procuratorate is to review prosecutions and supervise the trial work of the court, and the duty of the court is to try cases. The essence of criminal procedure in particular is the confrontation between unequal subjects, so once the enterprise is involved in the sentencing mechanism, the credibility of the trial is actually undermined. Therefore, the court and the procuratorate need to draw a reasonable line between themselves and the defendant in compliance work, and it is more appropriate for another party to bear the responsibility for compliance review. If the procuratorate and the court openly participate, it will inevitably lead to a series of adverse consequences.

Secondly, given the main content of compliance, it is unrealistic to expect courts and procuratorates to help enterprises complete compliance, because the content of the compliance plan itself is huge and exceeds the scope of the courts' and procuratorates' own responsibilities. From the perspective of national legislation, compliance programs generally include the following constituent elements: (1) a complete code of ethics or code of conduct; (2) clear policies and procedures for the prevention of violations; (3) the active participation of top management in the development, implementation and maintenance of compliance programs; (4) independent and skilled compliance personnel, including chief compliance officers or officials of the same status; (5) regular and effective training programs for employees; (6) appropriate reporting systems for violations that ensure the privacy of whistleblowers; (7) disciplinary measures against violators; (8) rewards, tied to the effectiveness of the compliance program, for employees who contribute to the formation of a culture of compliance and integrity; (9) dynamic monitoring and auditing of the compliance program; and (10) regular evaluation and improvement of the compliance program. The content of compliance is so large that expecting the court and procuratorate to identify the above elements one by one is too much work and runs contrary to the principle of efficiency in procedural law, so it is more appropriate for other institutions to carry out the evaluation.

The participation of other entities in the construction of compliance mechanisms already has a certain industry foundation in the mainland, and what needs further improvement is the detailed list of rights and responsibilities. Participation in the development of compliance has always been a main business of law firms, and many law firms have reached a level of specialization. From the perspective of lawyers' duties, the traditional legal counsel focuses on contract review and on serving a single lawsuit or a single legal matter of the enterprise, while in the criminal field, after a criminal legal incident occurs in the enterprise, the legal counsel participates in the enterprise's criminal procedure and carries out after-the-fact remediation. Lawyers are primarily responsible for review and for identifying legal norms, but they often lack a good understanding of the industry. Data analysts can be brought in as participating entities to further evaluate the standards of data operation, and effective links can also be established with the Ministry of Network Information, the Bureau of Industry and Commerce and other departments to examine the effectiveness of rule making. The evaluation can be roughly divided into three aspects: first, the identification of laws and regulations, which can be completed by a professional team of lawyers; second, the assessment of data transmission, operation, and storage technology, for which engineers and others can be invited to participate in the evaluation and rate its security, mainly to prevent the above-mentioned data leakage during transmission; third, the data level assessment, in which the relevant national network and data departments should participate, grading the data content in operation.
Compliance recommendations should then follow the hierarchical classification standards: if the data protection level is high, reaching the level of the state's core protected data and military secrets, then compliance construction should be enforced under supervision, and the effectiveness of the system should be evaluated after construction.

The two-way reshaping of the "rights-obligations" concept in the data compliance system

In the past, the prevailing concept in the data compliance system was that the construction of data compliance was a right rather than an obligation in the enterprise's operation. With the increasing importance of data, however, maintaining the concept of rights as primary and obligations as supplementary is not conducive to the construction of the data compliance system. Therefore, the author advocates the two-way reshaping of the "rights-obligations" concept in the data compliance system.

The so-called two-way reshaping of the "rights-obligations" concept means reducing the proportion of enterprises' self-determination rights in data compliance and giving the obligation concept of data compliance the dominant weight. It is undeniable that there is a certain degree of "inertia" in the construction of compliance: its main motivation is to enjoy the criminal compliance system rather than to consciously fulfill obligations. The result is that the compliance system cannot become a guide for operation within the enterprise, but only a "face project" for the procuratorate and the court. The main reason is that the current advocacy of corporate compliance construction is not enough, and the data industry is still dominated by leading, rather than actively advocating compliance construction within the legal framework, which is caused by the current market environment. For enterprises, the data dividend is currently the object of competition among companies, and some companies do not hesitate to step on the red line of the law in order to expand their competitiveness, hoping with a fluke mentality to obtain improper competitive advantages. For example, the unfair competition dispute "Shenzhen Gumi Company v. Wuhan Yuanguang Company" shows that if compliance construction is treated only as a right of the enterprise and its active participation is merely advocated, this in fact cannot stimulate the determination of the enterprise.
For enterprises, data is only the "props" of operation, and its non-physical existence is often difficult for criminal procedure to capture. With the continued development of digital technology, its cross-domain nature and complexity are beyond the scope of current technical investigation methods, so relying only on the supervision of regulatory authorities and judicial organs easily lets slip many criminal acts that infringe on legal interests but cannot be verified for technical reasons. In this situation, self-discipline can only be guided by compliance incentives, which seems effective but is not an attractive method from the perspective of the enterprise. First of all, criminal means based on data technology are often difficult for the judicial organs to discover and so do not become the object of criminal punishment; why, then, would the enterprise pursue lenient and mitigated sentences? Secondly, enterprises are not willing to spend too much money on compliance, because the participation of many entities in compliance construction, and the need to connect with judicial organs and regulatory agencies, easily affect their business plans; so, trusting to luck, they will continue to carry out illegal business activities. Finally, the compliance mechanism itself lacks a mandatory legal basis: if the enterprise does not carry out compliance construction, the law cannot punish its lack of self-discipline, and it is powerless at least with respect to special prevention aimed at subjective malice. Therefore, it is necessary to reshape the "rights-obligations" view.

On the rights side, the two-way reshaping of "rights-obligations" requires that the right of enterprises to self-determination in the field of data circulation be reduced. Too much enterprise self-determination over data often leads to excessive expansion of private rights in data, and enterprises' awareness of data protection will be greatly reduced. Therefore, the author advocates that legislation should reduce the right of enterprises to self-determination in data operations, including the right of enterprises to store and process data, the freedom of enterprises in the field of data circulation, and the ultimate ownership of management authority; the freedom of enterprises should be appropriately reduced.

On the obligations side, the two-way reshaping of "rights-obligations" urgently requires giving data operation enterprises positive obligations in criminal law for compliance construction. From the perspective of criminal law, because of the intrinsic link between compliance management and the violation of responsibility and the duty of care, it is reasonable to promote corporate self-discipline with punishment incentives. A feasible direction is to carry out a "multi-faceted attack" on compliance management through management negligence and criminal incentives, and by giving guarantee obligations to specific personnel. More importantly, legislation needs to add several criminal offences, namely provisions on the crime of enterprise negligence; because data is precious and particular, the principle of "rather strict investigation, not letting go" should be maintained, and a strict enterprise obligation mechanism is recommended. In addition, imposing the guarantor obligation on the enterprise is also a top priority. In most data crimes, the enterprise infringes on legal interests through inaction, and the law does not provide for committing the crime by omission; at this time the improper ("not true") omission should be established through the guarantor obligation.

With the application and popularization of data in finance and science and technology, it is urgent to attach importance to data protection in the field of criminal law. In the context of compliance, data crimes must be established in an orderly manner for the purpose of active general prevention, and it should be noted that the effectiveness of data compliance will eventually return to the scope of positive law, and its justification basis can only be obtained through the channel of doctrinalism. As products of standardization, the theory of comprehensive criminal purpose, the normative protection purpose of the provisions, the principle of trust, the theory of the possibility of expectation and the like all play a role in the theoretical system of compliance. In the setting of boundaries in particular, it is necessary to grasp the spirit of humility in the actual law, which is also highly related to the theory of illegality, recency and other criminal constituent classes. There is no doubt that the emergence of compliance has had a certain impact on traditional criminal law theory, but the strong innovative force of compliance does not sit subversively outside the theory of criminal law theology; it enters the criminal law system through criminal policy and through the teleological channel, just as the grounds for lighter and mitigated punishment under compliance can be derived from many criminal law theories. In future compliance construction, we must not ignore the role that theology may play.
In addition, in the field of data compliance, we still need to emphasize the right to self-determination and the trap of data privatization. Although data management and supervision is a small proposition in practice, it is often the root of the problem: in the process of data operation, enterprises treat the collected data pool as a tool for their own development, private information is fully commercialized, and personal information is sold privately, so that information cannot be effectively protected. As a result, the national data management order, social information systems, and personal personality rights and interests are infringed, triggering a chain reaction. Finally, from the perspective of the historical process of the development of compliance in the mainland and the development trend of risk theory and criminal policy, the development of compliance and the difficulties it faces have their historical inevitability. Criminal law scholars need to step outside the constraints of interests, uphold a critical and innovative spirit, find the basis for its justification, and break through the compliance dilemma through path construction, which is the unshirkable mission of researchers.
