一般数据是指内容无涉的数据黑点。大数据时代，数据的存在形态和自身价值的独立性日益凸显，传统上依附于数据载体或数据内容的罪名已经无法为一般数据提供有效保护，有必要构建独立的一般数据法益并予以刑法保护。 在构建和保护一般数据法益时，应当优先考虑数据的流通利用，数据安全则是为了保障数据流通的持续、有效。既要赋予数据控制者有限的排他权，又必须使数据在特定制度框架内流通利用。这分别对应一般数据法益的双重面向：私法益的面向是数据控制者的有限排他权，公法益的面向是数据秩序。前者形成于数据行为规范的动态运行之中，每一条行为规范确定每一个权利束的内容。 《刑法》第285条第2款和第286条第2款是私法益面向的数据犯罪。作为两罪行为对象的“数据”包含所有的一般数据，不依附于数据内容或数据载体，同时运用数据分类分级规则，确定不同类型、不同级别数据的入罪门槛，符合刑法谦抑性原则，能够实现处罚范围的妥当性。第285条第2款保护有限排他权中的数据控制利益，“获取”行为妨害了权利人对数据流通的控制，使新的数据流通窗口成为可能，对入罪门槛量级较低的数据仅要求浏览知悉，对入罪门槛量级较高的数据要求复制传输；“非法”指没有数据获取权限的人避开或者突破数据控制者设置的技术障碍。第286条第2款保护有限排他权中的数据完整性和可用性，“破坏”行为不需要造成计算机信息系统不能正常运行的结果；该罪的故意不需要针对特定的数据，对“后果严重”仅要求具有预见可能性。 我国刑法尚未规定公法益面向的数据犯罪。考虑到现行刑法中的数据犯罪在规制主体层面缺失了数据控制者的视角、在规制行为层面缺失了数据全生命周期的视角，有必要以《数据安全法》等前置法为义务来源，设立拒不履行（重要）数据安全保护义务罪，并依据比例原则，合理限制处罚范围。 数据犯罪和有关数据内容的犯罪通常成立想象竞合。就有关数据载体的犯罪而言，《刑法》第285条第1款和第2款为包括的一罪，第286条第1款和第2款应当评价为数罪，科刑意义上的罪数依行为数具体判断。对利用非法获取的数据实施其他犯罪的，分别按牵连犯处理或者实行数罪并罚。

General data refers to black spots of data without related content. In the era of big data, the existence and value of data are growingly independent. Traditional crimes relying on data carrier or data content can no longer provide effective protection for general data. Therefore, it is necessary to construct independent legal interests of general data and protected them under criminal law. When constructing and protecting general data legal interests, priority should be given to the utilization of data, while data security serves to ensure the continuity and effectiveness of data flows. On one hand, data controllers should enjoy limited rights of exclusion; on the other hand, data must be utilized within the regulatory framework. These correspond to the dual orientation of general data legal interests: the private perspective is the data controller’s limited rights of exclusion, and the public perspective is the data order. The former arises from the dynamic operation of norms governing data. Each norm will determine a bundle of rights. Article 285(2) and 286(2) in the PRC Criminal Law are data crimes protect private legal interests of general data. “Data”, as the object of the two crimes include all general data regardless of their carrier or content. By applying the data classified and graded system, it is possible to determine the thresholds at which different data may establish a crime, and thereby comply with the modesty-and-restraint principle of criminal law and realize an appropriate scope of punishment. Article 285(2) aims to protect the data control interest in the limited exclusion rights. The act of “obtain” impairs right holder’s control over data circulation and enables a new window for it. In the case of data with a low threshold of incrimination, mere browsing and knowledge can constitute “obtain”, whereas in the case of data with a higher threshold, “obtain” requires a further act of copying or transfer. “Illegally” means that a person without access to the data avoid or break through the security protection measures set by the data controller. Article 286(2) aims to protect the integrity and availability of data in the limited exclusion rights. The act of “sabotage” does not necessarily result in the computer information system functioning abnormally. The crime does not require an intent to target particular data, and the “serious consequences” element requires only a probable foreseeability. The PRC Criminal Law has not yet stipulated data crimes that protect public legal interests of general data. The current data crime system lacks the perspective of data controllers at the subject level and lacks the perspective of the complete data life cycle at the behavioral level. Therefore, it is necessary to establish the crime of refusal to perform the obligations for (important) data security protection. Such a crime should be based on the PRC Data Security Law and other front-loading provisions as the source of obligations and should be based on the principle of proportionality to reasonably limit its scope of punishment. Data crimes usually constitute an ideal concurrence with crimes related to data content. In the case of crimes related to data carrier, Article 285(1) and (2) constitute inclusive offenses, while Article 286(1) and (2) should be evaluated as multiple crimes but depending on the number of acts to determine the number of sentences. If other crimes are committed by using the illegally obtained data, they should be treated as implicated offenses or cumulative sentences for several offenses, respectively.