Ten Q&A · Issues related to the compliance governance of Chinese personal information and data security from the perspective of regulatory development (2)
Can the staff information of companies in China be transferred directly to the overseas servers of the group company?
What compliance requirements should be particularly noted when operating an APP in China?
What compliance requirements should be particularly noted when obtaining personal information or data in bulk from a third party?
Recently, the report that Facebook has reached an agreement with the Federal Trade Commission over privacy violations, resulting in a $5 billion fine, has attracted a lot of attention. On July 10th, the EU Data Protection Committee reported that there are conflicts between the US Clarifying Lawful Overseas Use of Data Act (CLOUD Act) and the EU's General Data Protection Regulation (GDPR) in the legal framework for personal information protection, which also indicates the escalating conflict between countries and regions over the right of data supervision.
Since the Cybersecurity Law came into effect in 2017, China's regulatory policies on personal information and data security have also attracted the attention of market participants. Just four days after the French Data Protection Authority fined Google €50 million for breach of the GDPR in January 2019, China's Office of the Central Cyberspace Affairs Commission, the Ministry of Industry and Information Technology (MIIT), the Ministry of Public Security (MPS) and the General Administration of Market Supervision jointly issued the Notice on the Special Governance of App's Illegal Collection and Use of Personal Information and decided to launch a nationwide special crackdown on the illegal collection and use of personal information by apps from January to December 2019.
6. What kinds of personal information and data are subject to localized storage requirements?
As mentioned above, Article 37 of the Cybersecurity Law sets out localized storage requirements for certain personal information and important data. Under that provision, personal information and important data collected and generated by critical information infrastructure operators in the course of their operations within the territory of the PRC shall be stored within the territory; where it is truly necessary, for business reasons, to provide such information overseas, a security assessment shall be conducted in accordance with the measures formulated by the national cyberspace administration (CAC) together with the relevant departments of the State Council.
Under Article 31 of the Cybersecurity Law, "critical information infrastructure operators" here refers to the operators of critical information infrastructure in important industries and sectors such as public communications and information services, energy, transportation, water conservancy, finance, public services and e-government, as well as of other critical information infrastructure which, if destroyed, disabled or subject to data leakage, could seriously endanger national security, the national economy and people's livelihood, or the public interest.
After the Cybersecurity Law was promulgated, CAC issued the Measures for Security Assessment of Cross-Border Transfer of Personal Information and Important Data (Draft for Comments) on April 11, 2017. Article 2 of the draft Measures directly provided that "personal information and important data collected and generated by network operators in the course of their operations within the territory of the PRC shall be stored within the territory", without distinguishing whether the operator is a critical information infrastructure operator. The validity of a provision that expands the scope of the superior law was questioned from the moment it was published; judging from the Measures for Data Security Management (Draft for Comments) and the Measures for Security Assessment of Cross-Border Transfer of Personal Information (Draft for Comments), both released in May 2019, that provision has been deleted.
It is worth noting that, under the Guidelines for Internet Personal Information Security Protection issued by the Ministry of Public Security, personal information stored on cloud computing platforms, as well as personal information collected and generated in the course of operations within China, must be stored within China. The Guidelines are not mandatory; by their own terms they are "for reference by Internet service units in their personal information protection work". Based on our experience, however, our understanding is that whether a company complies with the Guidelines may have some bearing on its applications to the regulatory authorities for relevant qualifications.
7. What regulatory requirements must be met for the cross-border transfer of personal information or data?
At present, the most direct rule is Article 37 of the Cybersecurity Law mentioned above: where a critical information infrastructure operator, for business reasons, truly needs to provide such personal information and important data overseas, a security assessment shall be conducted in accordance with the measures formulated by CAC together with the relevant departments of the State Council.
8. Can the staff information of companies in China be transferred directly to the overseas servers of the group company?
The scope of the concept of "personal information" under Chinese regulation has gone through a process of continuous expansion and refinement.
Read together with the provision of the Measures for Security Assessment of Cross-Border Transfer of Personal Information (Draft for Comments) that "network operators transferring personal information collected in the course of operations within China across borders shall conduct a security assessment in accordance with these Measures", our understanding is that, if the Measures take effect as drafted, a network operator that needs to transfer internal staff information overseas in electronic form must comply with the Measures, regardless of whether the staff information was originally collected electronically and whether it is transferred over a network or on a storage device, as long as the data subjects were working in China, or were in China, when the information was collected.
9. What compliance requirements should be particularly noted when operating an APP in China?
First of all, on the question of whether operating an APP in China requires filing with or approval from MIIT: in the Guidelines for Telecommunications Business Licensing Approval Services issued by MIIT, in response to the question "which business should an APP apply for", MIIT expressly answered that no general rule can be given; it depends on what service the APP actually provides, and where that service matches the characteristics of a business listed in the Classification Catalogue of Telecommunications Services, a license for that business should be applied for. This is consistent with our practical experience: not every APP needs a telecommunications business qualification; whether one is needed depends on the specific service the APP provides.
Secondly, as to the personal information and data security requirements to be complied with in operating an APP: in 2019, CAC, MIIT, MPS and the State Administration for Market Regulation jointly issued the Notice on the Special Governance of App's Illegal Collection and Use of Personal Information, launching a one-year special campaign. Since then, the App Self-assessment Guide for Illegal Collection and Use of Personal Information, the Implementation Rules for Security Certification of Mobile Internet Applications and the Identification Method of App's Illegal Collection and Use of Personal Information (Draft for Comments) have been released in succession. In addition, the Information Security Technology – Personal Information Security Specification (Draft) and the Information Security Technology – Personal Information Security Specification (Draft for Comments), released in January and June 2019 respectively, also deserve attention; these national standards put forward many new requirements for the personal information and data security compliance of APP operations. (For details, please refer to the author's previous post "User awareness, enhanced supervision, what are the new requirements for APP collection of personal information?")
10. What compliance requirements should be particularly noted when obtaining personal information or data in bulk from a third party?
First of all, the current laws and regulations on personal information and data cover every stage of processing: collection, storage, use, sharing, transfer, public disclosure and so on. Obtaining personal information or data in bulk from a third party does not exempt the acquiring party from its compliance responsibilities at the storage, use, sharing, transfer and public disclosure stages.
Secondly, as to the collection itself: although obtaining personal information and data in bulk from a third party differs from collecting it directly from the data subjects, the acquiring party still has a basic obligation of compliance review. Under the Notice on Legally Punishing Criminal Activities Infringing upon the Personal Information of Citizens, anyone who steals, purchases or otherwise illegally obtains a large quantity of citizens' personal information, obtains a large amount of illegal gains from doing so, or causes other serious consequences shall be held criminally liable for the crime of illegally obtaining citizens' personal information. The Interpretation on Several Issues concerning the Application of Law in Handling Criminal Cases of Infringing upon Citizens' Personal Information goes further: obtaining citizens' personal information by purchase, acceptance, exchange or similar means in violation of relevant state regulations, or collecting it in the course of performing duties or providing services, falls within "illegally obtaining citizens' personal information by other means" under paragraph 3 of Article 253-1 of the Criminal Law; and under Article 5 of the Interpretation, in certain circumstances a profit of 5,000 yuan or more from the use of illegally purchased or accepted citizens' personal information is by itself a "serious circumstance".
In addition, Article 14 of the Measures for Data Security Management (Draft for Comments) published in May 2019 expressly provides that a network operator bears the same protection responsibilities and obligations for personal information obtained through other channels as for personal information it collects directly.
We thank interns Ningxin Yu and Yushang Xu for their hard work on this article.