网信办就《个⼈信息出境安全评估办法》公开征求意见(双语)

来源:北京植德律师事务所

文章摘要
前言 2019年6月13日,网信办发布了关于《个⼈信息出境安全评估办法(征求意见稿)》(“《办法》”)公开征求意见的通知。这份业界期待已久的新规,甫一发布便引发热议。

前言
2019年6月13日,网信办发布了关于《个⼈信息出境安全评估办法(征求意见稿)》(“《办法》”)公开征求意见的通知。这份业界期待已久的新规,甫一发布便引发热议。
On June 13, 2019, the Cyberspace Administration of China (“CAC”) issued the Circular on seeking public comment on the Measures for Security Assessment of Cross-border Transfer of Personal Information (Draft for Comment) (“Measures”). The long-awaited Measures has become a huge hit since its first release.
我国对于数据安全和个人信息保护的法律体系由《网络安全法》的概括性规定以及零散见于部门规章中的行业性规范构成,尚无统一适用的可操作性的规定。但是对该领域的监管环境随着监管方式的探索一直在演进。网信办近期发布的一系列数据安全和个人信息保护相关的规范性文件,均引起了业界和学界的广泛关注。迄今为止,涉及数据出境的法规(包括草案)已有如下规定(按草案发布日期或法规实施日期排序):
China’s legal framework of data security and personal information protection consists of only a general application of Cybersecurity Law and a patchwork of fragmented rules in sector-specific regulations. But the regulatory landscape is continuously evolving with more administration being explored. The release of a series of rules governing data security and personal information protection by CAC in recent days has aroused wide concern from both industry and academia. So far, the laws and regulations (including draft) governing cross-border data transfer at large are organized chronologically as follows (organized based on the enactment date of draft or implementation date of regulations).
2017.04.11《个人信息和重要数据出境安全评估办法(征求意见稿)》Measures on Security Assessment of Cross-border Transfer of Personal Information and Important Data (Draft for Comment)
2017.06.01《中华人民共和国网络安全法》Cybersecurity Law of the People's Republic of China
2017.08.30《信息安全技术数据出境安全评估指南(征求意见稿)》Information Security Technology-Guidelines for Data Cross-Border Transfer Security Assessment (Draft for Comment)
2019.02.01《信息安全技术个人信息安全规范(草案)》Information security technology-Personal information security specification (Draft)
2019.06.13《个人信息出境安全评估办法(征求意见稿)》Measures for Security Assessment of Cross-border Transfer of Personal Information (Draft for Comment)
此外,各行业监管机构也对本行业的数据出境进行合规监管。特别规定优于一般规定,这也在征求意见稿第二条得以体现。以金融行业为例,关于数据出境的规定包括:
In addition, relevant sectoral government authorities also supervise the cross-border data transfer within the scope of their respective functions. Sectoral rules shall prevail over general rules. This rule is provided in Article 2 of the Draft for Comment. Take financial industry as an example, specific rules regulating cross-border transfer of personal information include:
2007.08.01《金融机构客户身份识别和客户身份资料及交易记录保存管理办法》Administrative Measures for the Identification of Financial Institution Clients and the Preservation of Clients' Identities and Transaction Records
2011.05.01《中国人民银行关于银行业金融机构做好个人金融信息保护工作的通知》Circular of the People's Bank of China on Doing a Good Job by Banking Financial Institutions in Protecting Personal Financial Information
2013.02.16《银行业金融机构信息科技外包风险监管指引》Guidelines for the Regulation of Information Technology Outsourcing Risks of Banking Financial Institutions
2018.05.21《银行业金融机构数据治理指引》Guidelines for the Data Governance of Banking Financial Institutions
总体而言,本《办法》和此前的几个规范性文件的征求意见稿差异较大,具体要点如下:
In general, the Measures differ greatly from the earlier versions of rules on cross-border data transfer, the key requirements are summarized as follows:
1、仅针对个人信息,排除重要数据
Focusing on personal information and carving out important data
区别于之前发布的《个人信息和重要数据出境安全评估办法》,本次办法的发布专门针对个人信息的出境,仅适用于“个人信息出境”,而关于重要数据的出境,结合5月28日发布的《数据安全管理办法(征求意见稿)》第38条中提及“重要数据一般不包括企业生产经营和内部管理信息、个人信息等”,监管部门很可能根据重要数据的不同特点,另行制定监管制度。
Different from the previously released Measures for Security Assessment of Cross-border Transfer of Personal Information and Important Data (Draft for Comment), the newly released Draft Measures only apply to “cross-border transfer of personal information”. With respect to the “cross-border transfer of important data”, it is very likely that the cyberspace administrations may stipulate specific rules governing important data based on its different characteristics, according to the draft Measures for Data Security Management (Draft for Comment) released by CAC on May 28, which provides that “Important data usually doesn’t include information related to the production and operation of enterprises, internal management information or personal information” (Article 38).
2、个人信息出境均需进行评估审查
All cross-border transfer of personal information shall be subject to security assessment
根据《办法》规定的字面理解,网络运营者(指“网络所有者、管理者和网络服务提供者”)进行的任何个人信息出境均需向省级网信部门申报安全评估。不同于《个人信息和重要数据出境安全评估办法》,本《办法》并未规定数据出境安全的自评估程序。如果这确系法规的本意,则该《办法》施加的义务将会大大提高企业的未来合规成本。
Based on literally understanding of the Measures, all cross-border transfer of personal information conducted by network operators (refers to “owners and managers of networks, as well as network service providers”) shall be submitted to CAC branch at the provincial level for security assessment. Different from the Measures on Security Assessment of Cross-border Transfer of Personal Information and Important Data (Draft for Comment), the Measures do not provide self-assessment procedures of cross-border data transfer. If this is the original intention of the Measures, the future compliance with the Measures can lead to cost escalation, given the obligations imposed under this Measures.
3、引入“标准合同条款”
Introducing “Standard Contract Clauses”
本办法引入类似于欧盟GDPR的“标准合同条款”,规定个人信息跨境流动的保护,合同中必须包含特定输出方和接收方的权利义务安排,如合同应当包含的内容(第十三条)、网络运营者和接收者应当承担的责任和义务(第十四条、第十五条)、以及接收者将其接受到的个人信息传输给第三方的例外情形(第十六条)。此外,网络运营者在向省级网信部门申报个人信息出境安全评估时,应当提交网络运营者和接收者签订的合同(第四条),并将重点审查合同条款是否能够充分保障个人信息主体合法权益,以及合同能否得到有效执行(第六条)。
The Measures introduce provisions that are similar in certain respects to the Standard Contract Clauses (“SCCs”) under the European Union’s General Data Protection Regulations, which provide the protection of personal information transfer on an international scale. The contract shall include specific rights and obligations between personal information exporter and recipient, for example, what shall be specified in the contract (Article 13), the responsibilities and duties of network operator and recipient (Article 14 and Article 15), as well as the exceptions when the recipient can transfer personal information to a third party (Article 16). Moreover, network operator shall submit the contract between the network operator and the recipient to the CAC branch at the provincial level when applying for the security assessment of the cross-border transfer of personal information (Article 4). The security assessment shall focus on whether the contract terms can adequately protect the legal rights and interests of the subject of personal information, and whether the contract can be effectively enforced (Article 6).
4、增设民事责任条款
Newly added civil liability clauses
《办法》通过对“标准合同条款”内容的强制性规定,实质增设了民事责任条款。具体而言,《办法》第十三条规定,个人信息主体合法权益受到损害时,可以自行或者委托代理人向网络运营者或者接收者或者双方索赔,网络运营者或者接收者应当予以赔偿,除非证明没有责任。即对于个人信息主体主张的责任设定了举证责任倒置。而根据《办法》第十六条规定,信息接收者将接收到的个人信息传输给第三方的前提是,在“因向第三方传输个人信息对个人信息主体合法权益带来损害时”,网络运营者同意先行承担赔付责任。也即设定了网络运营者需要对数据的二次输出向信息主体承担责任。
The Measures essentially set out civil liability clauses through mandatory provisions on the content of the SCCs. To be more specific, according to Article 13, when the legitimate rights and interests of the personal information subject are abused, the personal information subject may, on its own behalf or through a authorized agent, claim compensation from either the network operator or recipient separately, or from both parties jointly. The network operator or recipient shall then compensate the personal information subject unless they are proved to be not liable for the damages. This reverseonus provision shifts the burden of proof onto the network operator and/or recipient. And according to Article 16, one of the preconditions for the recipient to transfer the received information to a third party is “the network operator agrees to assume the liability for compensation to be paid to the personal information subject where the transfer of personal information to a third party causes damages to the legitimate rights and interests of the personal information subject”. That is to say, the network operator needs to take responsibility for the onward transfer of personal information to the personal information subject.

技术驱动法律,专业成就未来