2019年6月13日,国家互联网信息办公室(以下简称“网信办”)发布《个人信息出境安全评估办法(征求意见稿)》(以下简称“《新稿》”)公开征求意见。
On June 13, 2019, the Cyberspace Administration of China (“CAC”) released a draft of the Measures on Security Assessment of the Cross-Border Transfer of Personal Information (the “New Draft”).
2017年4月11日,网信办曾发布《个人信息和重要数据出境安全评估办法(征求意见稿)》(以下简称“《2017稿》”)向社会公开征求意见;此后《2017稿》也经几次变动。2019年5月28日,网信办发布《数据安全管理办法》征求意见稿,对个人信息和重要数据分别管理,其中对于重要数据的发布、共享和出境作出了原则性审批规定。《新稿》则将与《数据安全管理办法》一起,代替《2017稿》之中未区分个人信息和重要数据审批的模式,对个人信息出境专门进行规范。
Earlier, in April 2017, the CAC released its Measures on Security Assessment of the Cross-Border Transfer of Personal Information and Important Data (the “2017 Draft”) for public comment. The 2017 Draft has subsequently been amended on several occasions. On May 28, 2019, the CAC released for public comment the Measures for Data Security Management, which sets out to provide separate regulations for personal information and important data, and which stipulates the main approval requirements for the publication, sharing and export of important data. The New Draft, when taken together with the Measures for Data Security Management, provides an updated framework for the management of the transfer of personal information, and in doing so supersedes the 2017 Draft, in which there was no clear delineation between personal information and important data.
与《2017稿》相似,《新稿》适用于所有网络运营者,但在评估程序、评估重点、合同内容、责任主体等多个方面有较大变化。
As was the case for the 2017 Draft, the New Draft applies to all network operators, but includes changes in the assessment process, the key points for assessment, the content of contracts, subject of liability and other aspects.
一 、安全评估对象
I. Objects of Security Assessment
《新稿》第二条和第三条明确了安全评估的对象,即网络运营者向境外提供在境内运营中收集的个人信息,网络运营者应当向所在地省级网信部门申报个人信息出境安全评估。《2017稿》下特定情形方需要向监管部门申报的监管模式变更为个人信息出境前均需要向网信部门申报安全评估。
Articles 2 and 3 of the New Draft clarify the objects of security assessment, that is, the export of personal information collected and produced by network operators in the course of their operations within China. The New Draft specifies that the cross-border transfer of personal information should be submitted to network officers for security assessment at their provincial level local office of the CAC. Whereas the 2017 Draft indicated that the application for security assessment was only required under certain conditions, the New Draft replaces this with the requirement that all personal information exports should be submitted to the CAC for security assessment.
《新稿》第20条同时规定,当境外机构在经营中通过互联网等收集境内用户个人信息,应在境内通过法定代表人或者机构履行本办法中网络运营者的责任和义务。该等规定也将扩宽《2017稿》之中出境审查的适用范围。
Article 20 of the New Draft further provides that overseas institutions that collect the personal information of Chinese users through the internet or other channels should fulfill their obligations as network operators under the New Draft through their local legal representatives or institutions. Such requirement would actually expand the application scope of the security assessment under the 2017 Draft.
二、安全评估领导机制
II. Authority with Responsibility for Security Assessment
《新稿》将省级网信部门作为个人信息出境审查的主要监管部门,其职能包括个人信息出境安全评估的申报材料接收、核查和安全评估、定期检查、举报受理和督促整改等。与《2017稿》之中由于涉及重要数据,而需要报行业主管部门不同,涉及个人信息的安全评估仅需要由网信部门进行。
The New Draft designates the provincial level local offices of the CAC as the principal regulators for the security assessment of the cross-border transfer of personal information. Their roles include the receipt, review and security assessment of application materials, periodic inspections, receiving “tipoffs”, and supervision of any rectification, etc. Personal information related security assessment shall only be conducted by the CAC. In this respect it differs from the 2017 Draft, which requires the security assessment by relevant in charge industrial regulators due to the involvement of important data.
三 、安全评估的程序
III. Security Assessment Procedure
安全评估的申报主体是网络运营者,而不是数据的接收者 (第2条)。
The submission objects of security assessment are network operators, as opposed to the data recipients. (Article 2)
安全评估次数取决于个人信息的接收者数量,向不同的接收者提供个人信息应当分别申报安全评估,向同一接收者多次或连续提供个人信息无需多次评估(第3条)。
The number of assessments will be dependent upon the number of data recipient. A separate security assessment is required when data is transferred to different recipients. No further assessment is required for multiple or continuous transfers to the same single recipient. (Article 3)
安全评估的申报材料包括申报书、网络运营者与接收者签订的合同、个人信息出境安全风险及安全保障措施分析报告以及其它要求的材料(第4条)。
The application materials include: any prospectus, contracts between network operators and recipients, analysis reports of the security risks of cross-border transfer of personal information, security measures, and any other materials requested. (Article 4)
正常情况下网信部门的评估期限由60个工作日缩短为15个工作日(第5条)。
The assessment period has been shortened from 60 working days to 15 working days under normal condition. (Article 5)
四、安全评估的重点内容
IV. Key Points of Security Assessment
《新稿》对重点评估内容做出了明确的规定。第8条列举了六项评估内容:
Article 8 of the New Draft specifies six key points to be assessed:
是否符合国家有关法律法规和政策规定;
Whether the transfer is in compliance with relevant Chinese laws, regulations and policies;
合同条款是否能够充分保障个人信息主体合法权益;
Whether the contract provisions fully guarantee the lawful rights and interests of personal information subjects;
合同能否得到有效执行;
Whether the contract could be executed effectively;
网络运营者或接收者是否有损害个人信息主体合法权益的历史、是否发生过重大网络安全事件;
Whether there is a history of infringing or damaging the lawful rights and interests of personal information subjects or whether there have been any significant network security incidents;
网络运营者获得个人信息是否合法、正当;
Whether network operators collect the personal information in a legal and proper manner;
其他应当评估的内容。
Other matters for assessment.
由此可见,立法者更关注网络运营者的信息源、信息出境的合同条款以及网络运营者本身是否有违规历史。《新稿》未加入《2017稿》之中对于出境必要性和信息主体同意的出境审查要求。
To summarize, when compared with the 2017 Draft, in the New Draft the legislator has focused much more on the data sources of network operators, the contract provisions for data export and any violation record on the part of network operators; the requirements for necessity and consent from data subject has not been included in the New Draft.
五、个人信息出境合同
V. Contracts for the Cross-border Transfer of Personal Information
《新稿》第13条至第16条要求网络运营者与个人信息接收者应当签订合同或其他有法律效力的文件,合同内容应包含以下三个方面:
Articles 13 to 16 of the New Draft require network operators to enter into contracts or other forms of legally valid document. They stipulate that the content of the contracts should cover the following three aspects:
对个人信息出境本身的约定;
Agreement on the cross-border transfer of personal information;
网络运营者、信息接收者的责任和义务,以及
The duties and obligations for network operators and data recipients; and
向第三方传输个人信息的限制。
Limitations on the transfer of personal information to third parties.
值得注意的是,当个人信息主体合法权益受到损害时,可选择向网络运营者或者接收者索赔,或者选择同时向双方索赔,网络运营者或者接收者应当予以赔偿,除非证明没有责任;同时网络运营者在一定情形下还负有先行赔付责任。
It is worth noting that when the lawful rights and interests of personal information subjects have been infringed or damaged, they can make claim for compensation against network operators, data recipients or both. Network operators and data recipients should provide compensation, unless it is proven that they have no responsibility for the infringement/damage. Network operators should bear the burden of compensation in advance in certain circumstances.
此外,当信息出境后法规发生变化,接收者有义务主动通知网络运营者,以应对境外法律变化后可能对个人信息安全带来的不利影响。
If overseas laws or regulations change after data have been exported, data recipients have an obligation to notify network operators in order that they can manage any potential adverse impact on personal information security.
六、个人信息出境安全风险及安全保障措施分析报告
VI. Analysis Report on Security Risks of Personal Information Cross-Border Transfer and Protective Measures
与个人信息出境合同一样,个人信息出境安全风险及安全保障措施分析报告是安全评估的申报材料之一。《新稿》第17条列举了报告应当包括的内容:
As is the case for contracts for the cross-border transfer of personal information, analysis reports of the security risks of personal information cross-border transfer and security arrangements are considered as application materials. Article 17 of the New Draft lists the content to be covered in the analysis report:
网络运营者和接收者的基本情况;
Basic information of network operators and data recipients;
个人信息出境计划;以及
Personal information cross-border transfer plans; and
风险分析和保护措施。
Risk analysis and protective measures.
七、我们的观察
VII. Our Observations
我们认为《新稿》删除了《2017稿》中评估考虑的一些要点,如对于出境必要性和信息主体同意审查的要求。但《新稿》要求所有个人信息出境均需审批、且纳入了境外机构在境内收集信息也需履行相应义务的要求,监管范围较早先的讨论稿相比有大幅扩大。《新稿》也强调了通过协议方式保护个人信息的要求,并且将境外实体发生安全事件的情形作为审查的基本要素和可以停止传输的基本要素之一。对于《新稿》将具体如何通过和执行,我们将继续观察。
In our view, the New Draft removed a few elements to be evaluated in the security assessment required in the 2017 Draft, for example, necessity of data export and the requirement for data subject’s consent. However, the New Draft requires all personal information export to be approved by government, and applies to information collection in China by overseas institutions as well, which expands the approval scope of in the 2017 Draft. The New Draft also emphasizes on protection of personal information by agreement, and make security incidents of overseas recipients as a basic element for the security assessment as well as whether to terminate the data cross-border transfer (if the recipient has any security incident, the authority may require termination). We will further observe how the New Draft will be finalized and how it will be implemented.
《个人信息出境安全评估办法(征求意见稿)》发布
作者:董潇 袁琼 冯毅捷 刘青宇来源:君合律师事务所

2019年6月13日,国家互联网信息办公室(以下简称“网信办”)发布《个人信息出境安全评估办法(征求意见稿)》(以下简称“《新稿》”)公开征求意见。