PIPL Second Draft Highlights

来源:君合律师事务所

文章摘要
Legislative Progress and Significance 立法进展和重要意义 On October 21, 2020, after deliberation at the 22nd

Legislative Progress and Significance
立法进展和重要意义
On October 21, 2020, after deliberation at the 22nd meeting of the Standing Committee of the 13th National People's Congress (“NPC”), the full text of the Personal Information Protection Law of the People's Republic of China (Draft) (“First Draft”) was officially published on the NPC’s website for public comment. On April 29, 2021, the Personal Information Protection Law of the People's Republic of China (Draft for Second Review) (“Second Draft”) was released to the public again for soliciting feedback until May 28, 2021 after deliberation at the 28th meeting of the Standing Committee of the 13th NPC.
2020年10月21日,经第十三届全国人大常委会第二十二次会议审议后,《中华人民共和国个人信息保护法(草案)》(以下简称“《一审稿》”)全文正式在中国人大网公布,并向社会征求意见。2021年4月29日,《中华人民共和国个人信息保护法(草案二次审议稿)》(以下简称“《二审稿》”)在经第十三届全国人大常委会第二十八次会议审议后再次面向社会公布并征求意见至2021年5月28日。
The legislation of the Personal Information Protection Law has entered the final stages. This means that the first unified law on personal information protection in China will soon be finalized and formally issued. There will soon be a more complete, comprehensive, and systematic legal protection scheme for personal information.
至此,个人信息保护法的立法已步入最后冲刺阶段,这意味着我国第一部个人信息保护专门法律将很快正式面世,公民的个人信息保护将拥有更加完善、全面、系统的法律保护体系。
Key Amendments of the Second Draft
二审稿的重点修改内容
The framework and layout of the Second Draft remains basically the same as those of the First Draft. There are eight chapters under the Second Draft, and the chapter names remain unchanged. It does, however, have three more articles than the First Draft, amounting to 73 articles in total. The Second Draft revises and improves several provisions of the First Draft from the aspect of language expression, and has also added provisions such as the personal information protection of the deceased and the personal information protection obligations of very large-scale online platforms. The major amendments to the Second Draft as compared to the First Draft are summarized as follows:
从总体上看,《二审稿》与《一审稿》的框架和体例基本一致,同样分为八章,且章节名称保持不变,但《二审稿》在条文数目上多出三条,共计七十三条。《二审稿》主要从语言表述方面对《一审稿》的若干条款进行修订和完善,同时增加了死者个人信息保护、超大型互联网平台的个人信息保护义务等重要规定。有关《二审稿》相较于《一审稿》的重点修改内容总结如下:
Basic Rules for Processing Personal Information
个人信息处理的法律基础
The Second Draft adds one legal provision for the processing of personal information on the basis of the First Draft, i.e. “Processing disclosed personal information within a reasonable scope in accordance with the provisions of this law”, and specifies that in principle, an individual’s consent should be obtained for personal information processing, but there is no need to obtain consent under six different circumstances, other than “obtaining personal consent” under Article 13. (Article 13 of the Second Draft)
《二审稿》在《一审稿》基础上增加了一项个人信息处理的法定情形:“依照本法规定在合理的范围内处理已公开的个人信息”,同时明确原则上处理个人信息应当取得个人同意,但有第十三条项下除“取得个人的同意”外的六项情形时不需取得个人同意。(《二审稿》第十三条)
Entrust Processing
委托处理个人信息
In addition to retaining the provisions of the First Draft on the entrusted processing of personal information, the Second Draft is also linked to the Civil Code, with newly added provisions: If the entrustment contract does not take effect, or is void, revoked, or terminated, the personal information shall be returned to the personal information processor or deleted, and shall not be retained by the entrusted party. (Article 22 Paragraph 2 of the Second Draft)
除保留《一审稿》有关委托处理个人信息的规定外,《二审稿》还与民法典有关规定相衔接,补充规定:委托合同不生效、无效、被撤销或者终止的,受托方应当将个人信息返还个人信息处理者或者予以删除,不得保留。(《二审稿》第二十二条第二款)
Rules for the Cross-border Transfer of Personal Information
个人信息跨境提供的规则
Regarding the rules for the cross-border provision of personal information, the Second Draft for the first time clarifies that personal information processors should enter into contracts with overseas recipients “in accordance with the standard contract formulated by the national cyberspace administration” (Article 38 of the Second Draft), while no revisions have been made to the rest of the relevant provisions in this regard.
关于个人信息的跨境提供的规则,《二审稿》相较于《一审稿》,首次明确个人信息处理者应“按照国家网信部门制定的标准合同”与境外接收方订立合同(《二审稿》第三十八条),除此之外其余内容未做任何修订。
In terms of providing domestic personal information to overseas judicial or law enforcement agencies, the Second Draft has more stringent and specific regulations in terms of the scope of the application and the approval requirements than the First Draft. Article 41 of the Second Draft stipulates that if an overseas judicial or law enforcement agency requires the provision of personal information stored in China, no information can be provided without the approval of the competent authorities of the People’s Republic of China.
在向境外的司法或执法机构提供境内个人信息方面,《二审稿》相较于《一审稿》从规定适用范围、审批要求等方面做出了更加严格和明确的规定。《二审稿》第四十一条规定:境外的司法或者执法机构要求提供存储于境内的个人信息的,非经中华人民共和国主管机关批准,不得提供。
Adding Requirements on the Protection of the Personal Information of the Deceased
增加死者个人信息保护要求
Article 49 of the Second Draft adds requirements for the protection of the personal information of the deceased in terms of the rights of personal information subjects, stipulating that if a natural person has died, the individual’s rights in personal information processing activities shall be exercised by his/her close relatives. This provision is in line with the requirements of Article 994 of the Civil Code on the protection of the deceased’s personality rights and interests, and clearly grants relevant parties the right to exercise the deceased’s personal information rights from the legal level.
《二审稿》第四十九条在个人信息主体的权利方面增加了有关死者个人信息保护的要求:自然人死亡的,个人在个人信息处理活动中的权利由其近亲属行使。本项规定与《民法典》第九百九十四条关于死者的人格权益保护要求相衔接,从法律层面明确赋予了相关主体行使死者的个人信息权利的权利。
Obligations of Personal Information Processors
个人信息处理者的义务
The Second Draft does not substantially revise the obligations of a personal information processor under the First Draft, but it adds a provision and clarifies that the entrusted party in the case of entrusted processing should perform the relevant obligations of a personal information processor: “The entrusted party who is entrusted to process personal information shall perform the relevant obligations stipulated in this chapter and take necessary measures to ensure the safety of the personal information processed”. (Article 58).
《二审稿》对《一审稿》项下的个人信息处理者的义务未做实质修订,但相比之下增加、明确了对委托处理情形下的受托方应履行个人信息处理者相关法律义务的要求:“接受委托处理个人信息的受托方,应当履行本章规定的相关义务,采取必要措施保障所处理的个人信息的安全”(第五十八条)。
Personal Information Protection Obligations of large-scale online Platforms
超大型互联网平台的个人信息保护义务
As a new provision, Article 57 of the Second Draft specifies the personal information protection obligations of “personal information processors who provide basic Internet platform services with a huge number of users and involves complex business types”, including: (a) establishing an independent organization mainly composed of external members to supervise personal information processing activities; (b) halting services to product or service providers on platforms that process personal information that are in serious violation of laws and administrative regulations; (c) regularly publishing social responsibility reports on personal information protection and accept social supervision.
《二审稿》在第五十七条新增关于“提供基础性互联网平台服务、用户数量巨大、业务类型复杂的个人信息处理者”的个人信息保护义务,包括:(1)成立主要由外部成员组成的独立机构,对个人信息处理活动进行监督;(2)对严重违反法律、行政法规处理个人信息的平台内的产品或者服务提供者,停止提供服务;(3)定期发布个人信息保护社会责任报告,接受社会监督。
The above-mentioned provisions reflect the recent trend of regulatory authorities to strengthen the supervision of large-scale Internet platforms and tightens the regulation of security incidents such as data breaches. However, topics such as determining the criteria for “basic Internet platform services” and other terms such as “external members”, as well as how to implement the requirements for the preparation method and content, release frequency and the scope of “social responsibility reports on personal information protection”, are subject to follow-up implementation rules and/or explanations by regulatory authorities.
上述规定也体现了近期监管机关强化对大型互联网平台的监管、加大对信息泄露等安全事件监管的趋势。但是,“基础性互联网平台服务”的判断标准和“外部成员”等定义如何界定,“个人信息保护社会责任报告”的编写方式和内容、发布频率和范围等要求如何实施,均有待后续的实施细则或监管机关的解释。
Refine the Duties of the National Cyberspace Administration
细化国家网信部门的职责
The Second Draft further refines and specifies the duties of the national cyberspace administration. It provides that it shall coordinate the relevant departments to promote the work of personal information protection in accordance with this law and the new provisions are as follows: (a) formulate specific rules and standards for personal information protection; (b) formulate special personal information protection rules and standards for sensitive personal information and new technologies and applications such as face recognition and artificial intelligence; (c) support the research and development of safe and convenient electronic identity authentication technology. (Article 61)
《二审稿》在《一审稿》的基础上,对国家网信部门的职责进行细化和明确,规定国家网信部门统筹协调有关部门依据本法推进个人信息保护工作(新增内容如下):(1)制定个人信息保护具体规则、标准;(2)针对敏感个人信息以及人脸识别、人工智能等新技术、新应用,制定专门的个人信息保护规则、标准;(3)支持研究开发安全、方便的电子身份认证技术。(第六十一条)
Legal Liability
法律责任
In terms of civil liability, the Second Draft adjusts the provisions of the First Draft and links with the relevant provisions of the Civil Code, clarifying that the principle of “presumption of fault” should be applied to the infringement of personal information rights. Specifically, the Second Draft stipulates that if personal information rights and interests are infringed due to personal information processing activities, and the personal information processor cannot prove that it is not at fault, it shall be liable for damages and other torts. The liability for damages is determined in accordance with the individual’s consequent loss or the personal information processor’s benefit; if it is difficult to determine the individual’s consequent loss and the personal information processor’s benefit, the amount of compensation should be determined based on the specific situation. (Article 68)
在民事责任方面,《二审稿》对《一审稿》的规定进行了调整,并与《民法典》相关条款相衔接,明确侵害个人信息权益应适用“过错推定”的归责原则。具体而言,《二审稿》规定,个人信息权益因个人信息处理活动受到侵害,个人信息处理者不能证明自己没有过错的,应当承担损害赔偿等侵权责任。损害赔偿责任按照个人因此受到的损失或者个人信息处理者因此获得的利益确定;个人因此受到的损失和个人信息处理者因此获得的利益难以确定的,根据实际情况确定赔偿数额。(第六十八条)
Processing of Personal Information by State Agencies
国家机关处理个人信息
The Second Draft adds a new stipulation that the provisions on the processing of personal information by state agencies shall apply to the personal information processing by organizations authorized by the laws and regulations with the function of managing public affairs, and with the purpose of performing statutory duties. (Article 33 to 37 of the Second Draft)
《二审稿》在《一审稿》基础上新增规定了法律、法规授权的具有管理公共事务职能的组织为履行法定职责处理个人信息适用关于国家机关处理个人信息的规定。(《二审稿》第三十三至三十七条)
Our Observation
我们的观察
The Personal Information Protection Law, as the first special law on the protection of personal information in China, will become an important legal basis for the establishment of the personal information protection legal regime of China.
个人信息保护法作为我国第一部个人信息保护的专门法律,将成为建立我国个人信息保护法律制度的重要法律基础。
From a content perspective, the Second Draft, on the basis of retaining the basic framework and most of the provisions of the First Draft, and in response to current outstanding problems in the field of personal information protection and the trends in supervision and law enforcement, revises the First Draft, improves the rules of legal basis for personal information processing and cross-border transfer of personal information, and adds new requirements for personal information protection of the deceased and personal information protection obligations of large-scale Internet platforms.
从本次发布的《二审稿》内容来看,其在保留了《一审稿》的基本框架和绝大部分规定基础上、并针对当前个人信息保护领域存在的突出问题以及监管和执法的趋势,对《一审稿》进行增删减补,完善、充实合法处理个人信息的情形、跨境提供个人信息等方面的规则,新增了有关死者个人信息保护要求和超大型互联网平台的个人信息保护义务。
Basically, the Second Draft maintains a certain degree of consistency with the current laws, regulations or drafts that provide for personal information protection and is further linked to the Civil Code, but also provides many new requirements and regulations at the same time. How the specific provisions of the draft of Personal Information Protection Law will be connected with the existing laws and regulations and how the scope of application will be divided remains to be clarified. In addition, there are a number of issues that have yet to be clarified in the First Draft, such as the definition of "separate consent", the security assessment of the cross-border transfer of personal information, and how the protection certification is to be carried out, which are still not clarified and improved in this Second Draft. The clarification of these contents may require subsequent legislative improvement or the further introduction of related implementation rules and interpretations.
整体上看,《二审稿》与目前规定有个人信息保护内容的法律、法规或草案在内容上保持了一定程度的一致性,并与《民法典》规定进一步相衔接,但与现行法规相比也提出了不少新的要求及新的规定。个人信息保护法草案的具体条款如何与上述法律法规衔接,以及适用范围如何划分,仍有待清晰。此外,对于此前《一审稿》存在若干尚待明确和完善的问题,例如“单独同意”的定义,个人信息跨境传输的安全评估、保护认证如何进行等,在本次的《二审稿》中仍未进行明确,这些要求的实施仍有待后续的立法完善或相关细则和解释的进一步出台。
We recommend that companies fully understand the relevant content of the Second Draft and prepare to summarize and rectify incompliance in the current corporate compliance work before the promulgation of the Personal Information Protection Law as soon as possible. We will also continue to pay close attention to the follow-up legislative process of the Personal Information Protection Law and share the latest updates with our clients.
我们建议企业进一步学习和理解《二审稿》的相关内容,提前对目前企业合规工作中的不足之处进行梳理和总结,并做好相关准备工作。我们也会持续密切关注个人信息保护法的后续立法进程,并与我们的客户分享最新的进展。

技术驱动法律,专业成就未来