Data security is related to national security and social stability, and it is both necessary and urgent to protect data security through criminal law. After the improvement of the amendments and the supplementation of judicial interpretations, China's criminal law has formed a management security model to protect data security, which aims to regulate the confidentiality, integrity, and availability of static data, and relies on the crime of illegally obtaining computer information system data and the crime of damaging computer information systems as normative standards for data security protection. The establishment of the management security protection model has gone through three stages of development: data as an incidental part of computer information system protection, data becoming a relatively independent object of criminal law protection, and expanding the scope of data security coverage through judicial interpretation. The management security protection model has closed and static characteristics, which is difficult to adapt to the trend of dynamic and shared development of data in the digital society. It has failed to achieve orderly connection with pre-existing laws such as the Data Security Law, and has led to the problem of ambiguity in the judicial application of data crime clauses in the criminal law. The arrival of the digital society has created new types of data security risks, namely the risks generated by analyzing data, as well as the risks caused by using the knowledge and information generated by analyzing data to make decisions. Faced with new types of risks, data security protection urgently needs to shift towards a utilization security model centered on the confidentiality, integrity, availability, controllability, and legitimacy of dynamic data. In terms of protection philosophy, data should be treated as an independent object, shifting from dependent protection to specialized and systematic protection; In terms of regulatory focus, expand from focusing on data collection and storage nodes to other nodes, and shift from one-sided protection to full chain protection; In terms of protection strategy, there is a shift from general protection to classification and protection. Therefore, on the basis of optimizing existing data crime clauses, new data crimes should be added and a data classification and protection system should be introduced. Specifically, firstly, the relationship between data, information, and computer information systems should be clearly defined in legislation, and independent data clauses should be separated to achieve specialized protection of data security. At the same time, criminal offenses that endanger data security should be stipulated in the specific provisions of the Criminal Law for systematic protection. Secondly, crimes such as illegal disclosure, provision, sale, and export of data, illegal analysis of data, and illegal use of data analysis results should be added for comprehensive protection. Thirdly, a data security classification and protection system should be established, which combines data classification with the identification of data crimes at the conviction level, and connects data classification with the punishment discretion of data crimes at the sentencing level.