6. What kind of personal information and data have localized storage requirements?
7. What regulatory requirements shall be met for cross-border transfer of personal information or data?
8. Can the staff information of companies in China be directly transferred to the overseas servers of the group company?
9. What compliance requirements should be particularly noted when operating an APP in China?
10. What compliance requirements should be particularly noted when obtaining personal information or data from a third party in bulk?
Recently, the report that Facebook has reached a settlement with the US Federal Trade Commission over privacy violations, resulting in a fine totalling $5 billion, has attracted wide attention. On July 10, the European Data Protection Board reported that the US Clarifying Lawful Overseas Use of Data Act (CLOUD Act) conflicts with the personal information protection regime under the EU's General Data Protection Regulation (GDPR), which also highlights the escalating contest between countries and regions over the power to regulate data.
Since the Cybersecurity Law came into effect in 2017, China's regulatory policies on personal information and data security have also attracted the attention of market participants. Just four days after the French data protection authority (CNIL) fined Google €50 million for breach of the GDPR in January 2019, the Office of the Central Cyberspace Affairs Commission (CAC), the Ministry of Industry and Information Technology (MIIT), the Ministry of Public Security (MPS) and the State Administration for Market Regulation jointly issued the Notice on the Special Governance of Apps' Illegal Collection and Use of Personal Information, launching a nationwide special campaign against the illegal collection and use of personal information by apps from January to December 2019.
Since May 2019, Chinese regulatory authorities have markedly accelerated legislation related to personal information and data security, publishing a series of draft regulations and rules for comments. Starting from the development of this regulatory framework, this article analyzes ten issues related to compliance governance of personal information and data security in China, for reference and discussion by market participants.
What kind of personal information and data have localized storage requirements?
As mentioned above, Article 37 of the Cybersecurity Law sets out localized storage requirements for certain personal information and important data: personal information and important data collected and produced by critical information infrastructure operators in the course of their activities within the territory of the PRC shall be stored within the territory; where it is truly necessary for business reasons to provide such information abroad, a security assessment shall be conducted in accordance with the measures jointly formulated by the CAC and the relevant departments of the State Council.
Under Article 31 of the Cybersecurity Law, "critical information infrastructure" refers to public communication and information services, energy, transportation, water conservancy, finance, public services, e-government and other critical information infrastructure which, once destroyed, disabled or subject to data leakage, may seriously endanger national security, the national economy, people's livelihood and the public interest; "critical information infrastructure operators" are the operators of such infrastructure.
After the Cybersecurity Law was issued, the CAC published the Measures for the Security Assessment of Personal Information and Important Data to be Transmitted Abroad (Draft for Comments) on April 11, 2017. Article 2 of those Measures directly stipulated that "personal information and important data collected and generated by network operators in their operations within the territory of the PRC shall be stored within the territory of China", without distinguishing whether the operator is a critical information infrastructure operator. The validity of a provision that expands the scope of its superior law was questioned as soon as the draft was published, and in the Measures for Data Security Management (Draft for Comments) and the Measures for Security Assessment for Cross-Border Transfer of Personal Information (Draft for Comments), both released in May 2019, this provision has been deleted.
It is worth noting that, according to the Guidelines for the Internet Security and Protection of Personal Information issued by the Ministry of Public Security, personal information collected and generated in the course of operations in China and stored on cloud computing platforms shall be stored in China. The guidelines are not mandatory and are intended "for reference by Internet service units in the protection of personal information". However, based on our experience and understanding, whether an entity complies with the guidelines may affect its applications to the regulatory authorities for relevant qualifications.
What regulatory requirements shall be met for cross-border transfer of personal information or data?
At present, the most direct regulation is Article 37 of the Cybersecurity Law mentioned above: where a critical information infrastructure operator truly needs to provide personal information and important data abroad, a security assessment shall be conducted pursuant to the measures formulated by the CAC together with the relevant departments of the State Council.
As for the specific rules of security assessment, the CAC published the Measures for the Security Assessment of Personal Information and Important Data to be Transmitted Abroad (Draft for Comments) on April 11, 2017, and the General Administration of Quality Supervision, Inspection and Quarantine and the Standardization Administration published Information Security Technology – Guidelines for Data Cross-Border Transfer Security Assessment (Draft for Comments) on August 25, 2017. To this day, however, neither draft has been formally implemented. Judging from the Measures for Data Security Management (Draft for Comments) and the Measures for Security Assessment for Cross-Border Transfer of Personal Information (Draft for Comments), both published in May 2019, the regulatory authorities intend to treat the cross-border transfer of personal information and of important data differently and to regulate them separately.
It is worth noting that both the 2017 and the 2019 drafts expand the circumstances in which a security assessment is required beyond those provided in the Cybersecurity Law.
According to the Measures for Security Assessment for Cross-Border Transfer of Personal Information (Draft for Comments), network operators that provide personal information collected in the course of their operations within China to recipients abroad shall conduct a security assessment in accordance with these Measures. Taking into account the definitions of network, network operator and personal information in the Measures and in the Cybersecurity Law, we understand that if this provision takes effect as drafted, any entity that provides services through a network and needs to provide personal information collected in its operations within China to recipients abroad must conduct a security assessment under the Draft.
Furthermore, according to Article 28 of the Measures for Data Security Management (Draft for Comments), before providing important data abroad, network operators shall assess the security risks that may arise and report to the competent industry authority for consent; where the competent industry authority is unclear, approval shall be obtained from the cyberspace administration at the provincial level. "Important data" refers to data which, once leaked, may directly affect national security, economic security, social stability, or public health and safety, such as undisclosed government information and data on large populations, genetic health, geography and mineral resources. Important data generally does not include enterprises' production, operation and internal management information, or personal information.
In summary, judging from the regulatory trend reflected in the published drafts, in the future it will not only be critical information infrastructure operators under the Cybersecurity Law that must conduct a security assessment before transferring personal information and important data abroad: ordinary network operators will also need a security assessment before transferring abroad personal information and important data collected and generated in the course of their operations within China. The difference is that the security assessment of personal information is carried out directly by the regulatory authorities, whereas the security assessment of important data may be carried out by the network operator itself or by an entrusted third party, but must then be reported to the regulatory authorities for consent.
In addition, similar to the EU's use of adequacy decisions, binding corporate rules (BCR), standard contractual clauses, approved codes of conduct, and approved certification mechanisms, seals or marks to promote institutional coordination between jurisdictions and improve the efficiency of cross-border data flows, the Measures for Security Assessment for Cross-Border Transfer of Personal Information (Draft for Comments) also reserve exceptions to the security assessment of personal information transferred abroad.
According to Article 19 of the Measures, where a treaty or agreement that China has acceded to or concluded with other countries, regions or international organizations contains clear provisions on the cross-border transfer of personal information, those provisions apply, except for clauses on which China has declared reservations. We note that on June 28, 2019, the leaders of 24 countries including China, the United States, France and Germany signed the Osaka Declaration on Digital Economy and announced the launch of the Osaka Track; Chinese President Xi Jinping also publicly stated that "as a major digital economy, China is willing to actively participate in international cooperation, keep its market open and achieve mutual benefit and win-win results". Therefore, it cannot be ruled out that, as international negotiations deepen, facilitation measures for the cross-border transfer of personal information may be arranged for specific situations in the future; this remains to be seen.
Can the staff information of companies in China be directly transferred to the overseas servers of the group company?
The scope covered by the concept of "personal information" in Chinese regulations has been continuously expanded and refined.
According to Information Security Technology – Guidelines for the Protection of Personal Information in Public and Commercial Service Information Systems, originally issued by the Standardization Administration, personal information refers to computer data that can be processed by an information system, is related to a specific natural person, and can identify that natural person either alone or in combination with other information. Under this definition, personal information was limited to computer data; personal information collected and kept offline was not covered.
Subsequently, according to the Provisions on Protecting the Personal Information of Telecommunications and Internet Users issued by the MIIT, personal information refers to information collected by telecommunications business operators and Internet information service providers in the course of providing services that can identify users either alone or in combination with other information, such as users' names, dates of birth, ID numbers, addresses, telephone numbers, account numbers and passwords, as well as the time and place of users' use of the services. Under this definition, personal information is no longer limited to "computer data", but the collecting subject is restricted: the information must be collected by telecommunications business operators and Internet information service providers in the course of providing services.
Subsequently, according to the Cybersecurity Law effective in 2017, personal information refers to all kinds of information recorded electronically or by other means that can identify a natural person either alone or in combination with other information, including but not limited to the natural person's name, date of birth, ID number, personal biometric information, address and telephone number. Under this definition, personal information is no longer limited to "computer data" nor to information collected by "telecommunications business operators and Internet service providers", and it is made clear that it may be recorded by means other than electronic ones, so the scope is further expanded.

Combined with the provision of the Measures for Security Assessment for Cross-Border Transfer of Personal Information (Draft for Comments) that "network operators that provide personal information collected in the course of their operations within China to recipients abroad shall conduct a security assessment in accordance with these Measures", we believe that if those Measures take effect as drafted, then whenever a network operator needs to provide internal staff information abroad, regardless of whether the staff information was originally collected electronically, and regardless of whether it is transferred over a network or physically moved on a storage device, a security assessment under the Measures is required as long as the subjects of the personal information are staff working within China or the information was collected while the staff were in China.
What compliance requirements should be particularly noted when operating an APP in China?
First of all, as to whether filing with or approval from the MIIT is required to operate an APP in China: in the Guidelines for Telecommunications Business Licensing Approval Service issued by the MIIT, in response to the question of which business license an APP operator should apply for, the ministry explicitly replied that not all kinds of APPs can be treated the same; it depends on the specific services the APP offers, and if those services match the business characteristics stipulated in the Classification Catalogue of Telecommunications Services, a license for that business should be applied for. This is consistent with our practical experience: not every APP needs a telecommunications business qualification, and the need is determined by the specific services the APP offers.
Secondly, as for the personal information and data security protection requirements that must be complied with when operating an APP, the CAC, MIIT, MPS and State Administration for Market Regulation jointly issued the Notice on the Special Governance of Apps' Illegal Collection and Use of Personal Information in early 2019, launching a one-year special campaign; since then, the App Self-assessment Guide for Illegal Collection and Use of Personal Information, the Implementation Rules for Security Certification of Mobile Internet Applications (Apps), and the Identification Method of Apps' Illegal Collection and Use of Personal Information (Draft for Comments) have been released in succession. In addition, Information Security Technology – Personal Information Security Specification (Draft) and Information Security Technology – Personal Information Security Specification (Draft for Comments), released in January and June 2019 respectively, are also worth attention, as these national standards put forward many new requirements for personal information and data security compliance in APP operation. (For details, please refer to our earlier article "User awareness, enhanced supervision, what are the new requirements for APP collection of personal information?")
What compliance requirements should be particularly paid attention to when obtaining personal information or data from a third party in bulk?
First of all, current laws and regulations governing personal information and data cover the whole process of collection, storage, use, sharing, transfer and public disclosure. Obtaining personal information or data in bulk from a third party does not exempt the acquiring party from its compliance obligations in storage, use, sharing, transfer and public disclosure.
Secondly, as to the collection itself, although collecting personal information and data in bulk from a third party differs from collecting it directly from the personal information subject, the basic obligation of compliance review still applies. According to the Notice on Legally Punishing Criminal Activities Infringing upon the Personal Information of Citizens, whoever illegally obtains a large amount of citizens' personal information by theft, purchase or other means, or thereby obtains large illegal gains or causes other serious consequences, shall be held criminally liable for the crime of illegally obtaining citizens' personal information. The Interpretation of Several Issues regarding Application of Law to Criminal Cases of Infringement of Citizens' Personal Information explains further: "unlawfully obtaining citizens' personal information by other means" in paragraph 3 of Article 253-1 of the Criminal Law refers to obtaining citizens' personal information by purchase, acceptance or exchange, or collecting such information in the course of performing duties. And according to Article 5 of the Interpretation, in certain circumstances, as long as the gains from using illegally purchased or accepted citizens' personal information exceed 5,000 yuan, this constitutes a "serious circumstance".
In addition, according to Article 14 of the Measures for Data Security Management (Draft for Comments) published in May 2019, network operators bear the same protection responsibilities and obligations for personal information obtained from other channels as for personal information they collect directly.
Accordingly, we suggest that, in order to guard against the related compliance risks, a party acquiring personal information and data should, before acquiring it, require the provider to undertake in writing that the sources of the personal information and important data are lawful (and, where necessary, conduct due diligence on the lawfulness of the customer's data sources to demonstrate that it has exercised sufficient care), and at the same time require the customer to notify the personal information subjects of the transfer arrangement in advance and obtain their consent.
Thanks to the interns Ningxin Yu and Yushang Xu for their hard work in preparing this article.