目     录

一、个人信息与数据安全保护有哪些法律法规？

What are the laws and regulations on the protection of personal information and data security?

二、个人信息与数据安全的监管部门有哪些？

What are the regulatory departments of personal information and data security?

三、哪些市场主体需要遵守个人信息与数据安全合规要求？

What kind of market participants may comply with the compliance requirements of personal information and data security?

四、在中国境内没有实体可以收集境内用户的个人信息吗？

Can overseas companies without entity in China collect personal information in China?

五、违反个人信息与数据安全保护会有哪些后果？

What are the consequences of violating personal information and data security protection?

近日，有关 Facebook已经与美国联邦贸易委员会就隐私违规问题达成一致，并因此收到总额50亿美元巨额罚单的报道受到广泛关注；7月10日欧盟数据保护委员会报告称的美国《澄清境外数据的合法使用法案》（CLOUD Act）与欧盟《通用数据保护条例》（GDPR）下的个人信息保护法律体系存在冲突也凸显了国家/地区之间争夺数据监管权的矛盾正在升级。

Recently, the report that Facebook has reached an agreement with the Federal Trade Commission over privacy violations which resulted in a $5 billion fine has got a lot of attention. On July 10th, the EU Data Protection Committee reported that there were conflicts between the US’s Clarifying Lawful Overseas Use of Data Act (CLOUD Act) and the EU's General Data Protection Regulations (GDPR) on the legal system of personal information protection, and it also indicated the escalating conflict between countries/regions over the right of data supervision.

中国自2017年《网络安全法》生效以来，个人信息与数据安全的监管政策也一直受到各市场主体的关注。就在2019年1月法国国家信息与自由委员会以违反GDPR为由对谷歌开出5000万欧元罚单的4天后，中央网信办、工信部、公安部、市场监管总局就联合发布了《关于开展 App 违法违规收集使用个人信息专项治理的公告》，决定自 2019 年 1 月至 12 月，在全国范围组织开展 App 违法违规收集使用个人信息专项治理。

Since Cybersecurity Law came into effect in 2017, China's regulatory policies on personal information and data security have also attracted the attention of various market participants. Just four days after French Data Protection Authority fined Google €50 million for breach of GDPR in January 2019, China’s Office of the Central Cyberspace Affairs Commission, Ministry of Industry and Information Technology (MIIT), Ministry of Public Security (MPS) and General Administration of Market Supervision jointly issued Notice on the Special Governance of App's Illegal Collection and Use of Personal Information, and decided to launch a nationwide specialized-crackdown against the illegal collection and use of personal information on apps from January to December 2019.

2019年5月以来，中国监管部门明显加快了个人信息和数据安全相关监管立法的推进进程，陆续公布了多个法规或规章征求意见稿。本文将从监管发展脉络出发，对与中国个人信息和数据安全合规治理相关的十个问题进行分析，以供各市场主体参考与讨论。

Since May 2019, Chinese regulatory authorities have significantly accelerated the progress of legislation related to personal information and data security, and published a number of draft regulations or rules for comments. This article will analyze ten issues related to the compliance governance of Chinese personal information and data security from the perspective of regulatory development, for reference and discussion of market participants.

1、个人信息与数据安全保护有哪些法律法规？

What are the laws and regulations on the protection of personal information and data security?

现行有效的法律法规主要包括：

Currently effective laws and regulations mainly include:

目前仍处于征求意见稿阶段的文件主要包括：

The regulations still in the draft solicitation stage mainly include:

除此之外，还有《计算机信息系统 安全保护等级划分准则》（GB 17859-1999）、《信息技术安全 信息系统安全等级保护定级指南》（GB/T 2240-2008）、《信息安全技术 术语》（GB/T25069-2010）、《信息安全技术 云计算服务安全指南》（GB/T31167-2014）、《信息安全技术 云计算服务安全能力要求》（GB/T31168-2014）、《信息安全技术 工业控制系统安全控制应用指南》（GB/T32919-2016）、《信息安全技术 网络安全等级保护安全设计技术要求》（GB/T25070-2019）、《信息安全技术 网络安全等级保护测评要求》（GB/T28448-2019）、《信息安全技术 网络安全等级保护基本要求》（GB/T2239-2019）等行业标准和《网络安全实践指南——移动互联网应用基本业务功能必要信息规范》（TC260-PG-20191A）等行业标准。

Besides, there are other industry standards such as Classified Criteria for Security Protection of Computer Information System (GB 17859-1999), Information Security Technology – Classification Guide for Classified Protection of Information System Security (GB/T 2240-2008), Information Security Technology – Glossary (GB/T25069-2010), Information Security Technology – Security Guide of Cloud Computing Services (GB/T31167-2014), Information Security Technology – Security Capability Requirements of Cloud Computing Services (GB/T31168-2014), Information Security Technology – Application Guide to Industrial Control System Security Control (GB/T32919-2016), Information Security Technology – Technical Requirements of Security Design for Classified Protection of Cybersecurity (GB/T25070-2019), Information Security Technology - Network Security Level Protection Evaluation Requirement (GB/T28448-2019), Information Security Technology – Baseline for Classified Protection of Information System Security (GB/T2239-2019) as well as Practical Guide to Network Security – Information Specification for Basic Business Functions of Mobile Internet Applications (TC260-PG-20191A), etc..

2、个人信息与数据安全的监管部门有哪些？

What are the regulatory departments of personal information and data security?

个人信息与数据安全的监管部门主要包括：

The regulatory departments of personal information and data security mainly include:

1) 中国国家互联网信息办公室：根据《网络安全法》的规定，网络安全工作和相关监督管理的统筹协调工作由国家网信部门负责。

Cyberspace Administration of China (CAC): In accordance with the provisions of the Cybersecurity Law, the overall coordination of network security work and related supervision and management shall be in the charge of CAC.

2) 中国工业和信息化部及各地通信管理局、经济和信息化局：主要负责相关电信业务资质的许可、备案等。

Ministry of Industry and Information Technology of PRC (MIIT), local Communications Administration and Municipal Bureau of Economy and Information Technology: Mainly responsible for the licensing and filing of relevant telecom business qualifications.

3) 公安部及各地公安局：主要负责信息系统安全等级评估、各类侵犯个人信息案件的侦查等。

Ministry of Public Security (MPS) and local public security bureaus: Mainly responsible for the assessment of information system security level and the investigation of all kinds of criminal cases about personal information infringement.

4) 国家市场监督管理总局、国家标准化管理委员会：主要负责与网络安全、个人信息安全等相关的各类国家标准的制定。

State Administration for Market Regulation and Standardization Administration: Mainly responsible for the formulation of various national standards related to network security and personal information security.

3、哪些市场主体需遵守个人信息与数据安全合规要求？

What kind of market participants may comply with the compliance requirements of personal information and data security?

中国监管部门对个人信息与数据安全的监管范围是一个不断发展的过程。

The regulatory scope of personal information and data security in China is evolving in the past years.

2013年2月1日，国家标准化委员会发布的《信息安全技术 公共及商用服务信息系统个人信息保护指南》主要是用于指导电信、金融、医疗等领域服务机构的信息系统个人信息保护工作，并不具有强制性。

On February 1st, 2013, the Standardization Administration issued the "Information Security Technology – Guidelines for the Protection of Personal Information in Public and Commercial Service Information Systems", which is mainly used to provide guidance for the personal information protection of service institutions in the fields of telecommunications, finance and medical care, but not mandatory.

此后，工信部发布并于2013年9月1日生效的《电信和互联网用户个人信息保护规定》主要适用于在中国境内提供电信服务和互联网信息服务过程中收集、使用用户个人信息的活动。尽管该规定对“电信服务”和“互联网信息服务”并没有进一步的解释，但可以看出，其规制的主体限定在电信服务提供者和互联网信息服务提供者，传统非电信、互联网行业企业并不在规制范围之列。

Thereafter,Provisions on Protection of Personal Information of Telecommunications and Internet Users issued by MIIT and effective on September 1st, 2013 is mainly applicable to the activities of collecting and using personal information of users in the process of providing telecom services and Internet information services in China. Although there is no further explanation of "telecom services" and "Internet information services" in this regulation, it’s clear that the regulated subjects are limited to telecom service providers and Internet information service providers, traditional non-telecom and Internet enterprises are not included in the regulatory scope.

2017年6月1日生效的《网络安全法》以“网络”为规制核心，适用于在中国境内建设、运营、维护和使用网络，以及网络安全的监督管理；这其中的“网络”是指由计算机或者其他信息终端及相关设备组成的按照一定的规则和程序对信息进行收集、存储、传输、交换、处理的系统。由此可知，网络安全法的适用主体不再仅仅局限于与由计算机、手机组成的信息系统相关的市场参与主体，还包括“其他信息终端及相关设备组成的信息系统”，如由摄像头组成的视频监控系统、各类物联网系统等相关的市场参与主体。

Cybersecurity Law, which took effect on June 1st, 2017, takes "cyber" as the regulatory core and applies to the construction, operation, maintenance and use of the cyber/network, as well as the supervision and management of cyber security in China. "Cyber" here refers to a system composed of computers or other information terminals and related equipment that collects, stores, transmits, exchanges and processes information according to certain rules and procedures. It shows  that the applicable subject of Cybersecurity Law is no longer limited to the market participants related to the information system composed of computers and mobile phones, but also includes "the information system composed of other information terminals and related equipment". For example, video monitoring system composed of cameras, various Internet of Things systems and other relevant market participants.

更进一步而言，《网络安全法》对关键信息基础设施运营者在中国境内运营中收集和产生的个人信息与重要数据的本地化存储、出境安全评估，以及网络运营者收集、使用个人信息行为进行了原则性的规定。根据《网络安全法》的规定，网络运营者是指网络的所有者、管理者和网络服务提供者。

Furthermore, Cybersecurity Law established a fundamental provision on the localized storage and cross border security assessment of personal information and important data collected or generated by operators of critical information infrastructure during their operations in China. At the same time, the behaviors of collection and use of personal information by network operators are also regulated. According to Cybersecurity Law, "Network Operators" refers to network owners, managers and Internet service providers.

从概念上而言，网络的所有者和管理者相对边界较为清晰，但网络服务提供者的边界则比较模糊。目前对于何为网络服务提供者并没有具体的定义，但从《网络安全法》第十条关于“建设、运营网络或者通过网络提供服务”的表述来看，笔者认为，网络服务提供者对应的应该是指“通过网络提供服务的主体”。在《网络安全法》正式颁布之前，其征求意见稿对“网络运营者”的定义为网络的所有者、管理者以及利用他人所有或者管理的网络提供相关服务的网络服务提供者，包括基础电信运营者、网络信息服务提供者、重要信息系统运营者等。但是在正式生效的版本中，针对网络服务提供者，删除了“利用他人所有或者管理的网络提供相关服务”的限定，并且删除了“基础电信运营者、网络信息服务提供者、重要信息系统运营者”的列举。因此笔者认为，对于何为“网络运营者”需要采用较为宽泛的解释，其基本涵盖所有通过网络提供服务的主体；这也与欧盟GDPR框架下的“控制者”、“处理者”以对数据的控制、处理为标准所划定的适用范围更为接近。

Conceptually, the boundaries of network owners and managers are relatively clear, but the boundaries of internet service providers are difficult to define. At present, there is no specific definition of Internet Service Provider, but according to Article 10 of Cybersecurity Law on "construction, operation of the network or provide services through the network", we believe that the corresponding Internet service providers should refer to "subjects providing services through the network". Before Cybersecurity Law officially promulgated, in the draft version, "network operator" is defined as the owner of the network, managers and Internet service providers that provide related services using a network owned or managed by others, including basic telecom operators, Internet information service providers, important information system operators, etc. But in the official version, for Internet service providers, "provide related services using a network owned or managed by others" is deleted and the examples of "basic telecom operators, Internet information service providers, important information system operators" are also removed. Therefore, we believe that a broader explanation is preferable for what is a "network operator", which basically covers all the subjects providing services through the network. This is also closer to the application scope of "controller" and "processor" under the GDPR framework of the European Union.

综上所述，笔者认为，需要遵守个人信息与数据安全合规要求的市场主体不仅仅局限于与电信、互联网有关的新兴行业主体；还包括所有需要通过网络提供服务的市场主体，典型的如接入在线预订服务的酒店、通过APP或微信公众号提供衬衫等衣服定制的服装企业等；需要格外注意的是，此处的网络不仅仅局限于由计算机或手机终端组成的信息网络，还包括通过所有的能够相互通信的设备所组成的信息系统，比如能够实时记录地理位置的共享单车所组成的信息系统、能够通过各种传感器记录并向生产商回传设备使用情况的硬件系统等。

In conclusion, we believe that the market participants that need to comply with the compliance requirements of personal information and data security are not limited to the emerging industries related to telecommunications and the Internet, but also include all the market participants who need to provide services through the network. typical examples are hotels that have access to online reservation services, and clothing enterprises that provide shirts and other customized clothes through APP or WeChat official account. It should be noted that the network here is not limited to the information network composed of computer or mobile phone terminals, but also includes the information system composed of all the devices that can communicate with each other. For example, the information system of shared bikes’ in time geographical information, and the hardware system which can record and send back the usage of equipment to the manufacturer through various sensors.

4、在中国境内没有实体可以收集境内用户个人信息吗？

Can overseas companies without entity in China collect personal information in China?

《网络安全法》第三十七条提出了部分个人信息和重要数据的本地化存储要求，不过其规定的是关键信息基础设施的运营者在中华人民共和国境内运营中收集和产生的个人信息和重要数据应当在境内存储。至于通过境外实体和境外服务器直接向境内用户收集个人信息的行为是否属于在中国境内运营并没有做进一步的解释。

Article 37 of Cybersecurity Law sets out local storage requirements for some types of personal information and important data, but it stipulates that personal information and important data collected and generated by operators of critical information infrastructure in the operation of the People's Republic of China should be stored in China. There was no further explanation as to whether the practice of collecting personal information directly from domestic users through overseas entities and servers was considered as operating within the territory of China.

对此，国家质量监督检验检疫总局和国家标准化管委会于2017年8月25日发布的《信息安全技术 数据出境安全评估指南（征求意见稿）》曾对此做出过解释，即：未在中华人民共和国境内注册的网络运营者，但在中华人民共和国境内开展业务，或向中华人民共和境内提供产品或服务的，属于境内运营。判断网络运营者是否在中华人民共和国境内开展业务，或向中华人民共和国境内提供产品或服务的参考因素包括但不限于：使用中文；以人民币作为结算货币；向中国境内配送物流等。

In this regard, Information Security Technology – Guidelines for Data Cross-Border Transfer Security Assessment (Draft for comments) issued by General Administration of Quality Supervision, Inspection and Quarantine of PRC and Standardization Administration on August 25, 2017 once explained that: a network operator not registered within the territory of the PRC who carries out business within the territory of PRC or provides products or services within the territory of PRC shall be considered as operating within the territory of China. The factors for reference to determine whether the network operator is carrying out business within the territory of PRC or providing products or services within the territory of PRC include but  not limited to: Using Chinese language; Using RMB as the settlement currency; Distribution and logistics to China.

单纯根据该等解释，如果在中国境内没有实体，也可以收集中国境内用户的个人信息，只是收集行为需要遵守中国境内的法律法规。不过该等评估指南至今没有颁布正式版本，而且从2019年5月公布的《数据安全管理办法（征求意见稿）》和《个人信息出境安全评估办法（征求意见稿）》来看，具体监管思路有较大的变化，2017年发布的《信息安全技术 数据出境安全评估指南（征求意见稿）》也可能会有较大的修改。

According to such interpretation, if there is no entity in China, overseas companies can also collect personal information in China, but the collection should comply with laws and regulations in China. However, no official version of these assessment guidelines has taken effect so far. Moreover, according to the Measures for Data Security Management (Draft for Comments) and Measures for the Assessment of Data Cross-Border Transfer (Draft for Comments) released in May 2019, there have been great changes in specific regulatory ideas, and the Information Security Technology – Guidelines for Data Cross-Border Transfer Security Assessment released in 2017 may also have major modifications.

根据《个人信息出境安全评估办法（征求意见稿）》第二十条的规定，境外机构经营活动中，通过互联网等收集境内用户个人信息，应当在境内通过法定代表人或者机构履行本办法中网络运营者的责任和义务。因此，如果本条规定最终生效，境外机构在经营活动中通过互联网等收集境内用户个人信息的，需要在境内设有法定代表人或机构。不过此处的境内机构和法代是否必须是收集境内用户个人信息的主体，该办法并未明确，笔者认为即使最终条文生效，可能仍然会有一定的解释空间；否则在没有适当缓冲期的情况下，诸多境外实体面向中国境内用户的需要收集个人信息才能提供的产品或服务都将被停止。

According to the Article 20 of Measures for the Assessment of Data Cross-Border Transfer (Draft for Comments), when an overseas company collects the personal information of domestic users through the Internet in the operation activities, it shall fulfill the responsibilities and obligations of the network operator in the present measures through its legal representative or institution in China. Therefore, if the provisions of this article finally take effect, overseas institutions that collect personal information of domestic users through the Internet or other means in their business activities need to have legal representatives or institutions in China. However, it is not clear whether the domestic institutions and legal representatives here must be the subject of collecting the personal information of domestic users. We think that even if the final provisions came into force, there may still be flexibility for interpretation. Otherwise, without an appropriate buffer period, many products or services offered by overseas companies to users in China who need to collect personal information in order to provide services will be stopped.

值得关注的是，《个人信息出境安全评估办法（征求意见稿）》规定了，个人信息出境前，网络运营者需要向监管部门申报个人信息出境安全评估，而且该等评估需要每2年进行一次，2年内向不同的接收者提供个人信息的也应当分别申报安全评估。如果该等规定生效，对于需要频繁向境外传输个人信息的市场主体而言，为了能够尽快完成个人信息出境安全评估，在中国境内设立专门的运营实体可能也是需要被重点考虑的方案。

It is worth concerning that according to Measures for the Assessment of Data Cross-Border Transfer (Draft for Comments), before personal information crosses the border, network operators need to report personal information cross-border transfer security assessment to the regulatory authorities, and such assessment needs to be conducted every 2 years, and those who provide personal information to different receivers within 2 years should also report security assessment separately. If the regulations take effect, the establishment of a special operating entity in China may also be a major consideration for market participants that need to send personal information abroad frequently in order to complete the assessment of data cross-Border transfer as soon as possible.

5、违反个人信息与数据安全保护会有哪些后果？

What are the consequences of violating personal information and data security protection?