
Ten Q&A · Issues related to the compliance governance of Chinese personal information and data security from the perspective of regulatory development (1)

2019-07-30   Charlie PEI, Nicole QIN, Guoqiang Jiang

Contents

1. What are the laws and regulations on the protection of personal information and data security?

2. What are the regulatory departments for personal information and data security?

3. Which market participants need to comply with the personal information and data security compliance requirements?

4. Can a company without an entity in China collect the personal information of users in China?

5. What are the consequences of violating personal information and data security protection?


Recently, reports that Facebook has reached a settlement with the US Federal Trade Commission over privacy violations, resulting in a $5 billion fine, have attracted wide attention. On July 10, the European Data Protection Board reported that the US Clarifying Lawful Overseas Use of Data Act (CLOUD Act) conflicts with the personal information protection regime under the EU's General Data Protection Regulation (GDPR), which also highlights the escalating contest between countries and regions over the authority to regulate data.

Since the Cybersecurity Law came into effect in 2017, China's regulatory policy on personal information and data security has also drawn the attention of market participants. Just four days after France's data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), fined Google €50 million for breaching the GDPR in January 2019, the Office of the Central Cyberspace Affairs Commission, the Ministry of Industry and Information Technology (MIIT), the Ministry of Public Security (MPS) and the State Administration for Market Regulation jointly issued the Notice on the Special Governance of Illegal Collection and Use of Personal Information by Apps, launching a nationwide special campaign against the illegal collection and use of personal information by apps from January to December 2019.

Since May 2019, Chinese regulators have markedly accelerated legislation on personal information and data security, releasing a series of draft regulations and rules for public comment. Starting from the development of the regulatory framework, this article analyses ten issues related to the compliance governance of personal information and data security in China, for the reference and discussion of market participants.

1. What are the laws and regulations on the protection of personal information and data security?

The currently effective laws and regulations mainly include:

[Figures 1 and 2: tables listing the currently effective laws and regulations (images not reproduced)]

The documents still at the draft-for-comment stage mainly include:

[Figures 3 and 4: tables listing the draft documents (images not reproduced)]

In addition, there are standards such as the Classified Criteria for Security Protection of Computer Information Systems (GB 17859-1999), Information Security Technology – Classification Guide for Classified Protection of Information System Security (GB/T 2240-2008), Information Security Technology – Glossary (GB/T 25069-2010), Information Security Technology – Security Guide of Cloud Computing Services (GB/T 31167-2014), Information Security Technology – Security Capability Requirements of Cloud Computing Services (GB/T 31168-2014), Information Security Technology – Application Guide to Industrial Control System Security Controls (GB/T 32919-2016), Information Security Technology – Technical Requirements of Security Design for Classified Protection of Cybersecurity (GB/T 25070-2019), Information Security Technology – Evaluation Requirements for Classified Protection of Cybersecurity (GB/T 28448-2019) and Information Security Technology – Baseline for Classified Protection of Cybersecurity (GB/T 2239-2019), as well as the Practical Guide to Cybersecurity – Specification of Necessary Information for Basic Business Functions of Mobile Internet Applications (TC260-PG-20191A).

2. What are the regulatory departments for personal information and data security?

The regulatory departments for personal information and data security mainly include:

1) Cyberspace Administration of China (CAC): under the Cybersecurity Law, the national cyberspace authority is responsible for the overall planning and coordination of cybersecurity work and the related supervision and management.

2) Ministry of Industry and Information Technology (MIIT) and the local communications administrations and bureaus of economy and information technology: mainly responsible for the licensing and filing of the relevant telecommunications business qualifications.

3) Ministry of Public Security (MPS) and the local public security bureaus: mainly responsible for information system security classification assessments and the investigation of cases of personal information infringement.

4) State Administration for Market Regulation and the Standardization Administration of China: mainly responsible for formulating the national standards related to cybersecurity and personal information security.


3. Which market participants need to comply with the personal information and data security compliance requirements?


The scope of Chinese regulators' supervision of personal information and data security has been expanding continuously.

On February 1, 2013, the Standardization Administration issued the Information Security Technology – Guidelines for Personal Information Protection within Public and Commercial Service Information Systems, which mainly guides the personal information protection work of service organisations' information systems in sectors such as telecommunications, finance and healthcare, and is not mandatory.

Thereafter, the Provisions on Protecting the Personal Information of Telecommunications and Internet Users, issued by MIIT and effective from September 1, 2013, apply mainly to the collection and use of users' personal information in the course of providing telecommunications services and Internet information services within China. Although the Provisions do not further define "telecommunications services" or "Internet information services", it is clear that the regulated subjects are limited to telecommunications service providers and Internet information service providers; traditional enterprises outside the telecommunications and Internet industries are not within their scope.

The Cybersecurity Law, effective June 1, 2017, takes the "network" as its regulatory core and applies to the construction, operation, maintenance and use of networks within China, as well as the supervision and administration of cybersecurity. A "network" here means a system composed of computers or other information terminals and related equipment that collects, stores, transmits, exchanges and processes information according to certain rules and procedures. Accordingly, the subjects to which the Cybersecurity Law applies are no longer limited to market participants connected with information systems made up of computers and mobile phones, but also include those connected with "information systems composed of other information terminals and related equipment", such as video surveillance systems composed of cameras and Internet of Things systems of all kinds.

Further, the Cybersecurity Law lays down principles on the local storage and cross-border security assessment of personal information and important data collected and generated by operators of critical information infrastructure during their operations within China, and on the collection and use of personal information by network operators. Under the Cybersecurity Law, "network operators" means the owners and administrators of networks and network service providers.

Conceptually, the boundaries of network owners and administrators are relatively clear, but the boundary of "network service providers" is vaguer. There is currently no specific definition of a network service provider, but from the wording of Article 10 of the Cybersecurity Law on "constructing or operating networks, or providing services through networks", the authors believe that network service providers should correspond to "subjects that provide services through networks". Before the Cybersecurity Law was formally promulgated, its draft for comments defined "network operator" as the owner or administrator of a network, and a network service provider that provides related services using a network owned or administered by others, including basic telecommunications operators, network information service providers and operators of important information systems. In the version that took effect, the qualifier "providing related services using a network owned or administered by others" was deleted for network service providers, as was the enumeration of "basic telecommunications operators, network information service providers and operators of important information systems". The authors therefore believe that "network operator" needs a relatively broad interpretation, essentially covering all subjects that provide services through networks; this is also closer to the scope of application under the EU GDPR framework, where "controllers" and "processors" are delineated by their control and processing of data.

In summary, the authors believe that the market participants that need to comply with personal information and data security requirements are not limited to emerging telecommunications and Internet businesses, but include all market participants that provide services through networks, typically hotels connected to online booking services and clothing companies that offer custom shirts and other garments through an app or a WeChat official account. It should be noted in particular that "network" here is not limited to information networks composed of computers or mobile phone terminals, but includes information systems composed of any devices that can communicate with one another, for example the information system formed by shared bicycles that record their location in real time, or hardware systems that record equipment usage through sensors and report it back to the manufacturer.


4. Can a company without an entity in China collect the personal information of users in China?


Article 37 of the Cybersecurity Law sets out a local storage requirement for some personal information and important data, but what it stipulates is that personal information and important data collected and generated by operators of critical information infrastructure during operations within the territory of the People's Republic of China shall be stored within China. It gives no further explanation as to whether collecting personal information directly from domestic users through overseas entities and overseas servers counts as operating within China.

On this point, the Information Security Technology – Guidelines for Data Cross-Border Transfer Security Assessment (Draft for Comments), issued by the General Administration of Quality Supervision, Inspection and Quarantine and the Standardization Administration on August 25, 2017, once offered an interpretation: a network operator not registered within the territory of the PRC that conducts business within the PRC, or provides products or services to the PRC, is operating within China. The reference factors for judging whether a network operator conducts business within the PRC or provides products or services to the PRC include, but are not limited to: use of the Chinese language; use of RMB as the settlement currency; and delivery of goods to China.

Purely on the basis of that interpretation, a company with no entity in China can still collect the personal information of users in China, provided that the collection complies with Chinese laws and regulations. However, no official version of the guidelines has been issued to date, and judging from the Measures for Data Security Management (Draft for Comments) and the Measures for the Security Assessment of Cross-Border Transfer of Personal Information (Draft for Comments) published in May 2019, the specific regulatory approach has changed considerably, so the 2017 draft guidelines may also be substantially revised.

Under Article 20 of the Measures for the Security Assessment of Cross-Border Transfer of Personal Information (Draft for Comments), an overseas institution that collects the personal information of domestic users through the Internet or other means in the course of its business shall perform the responsibilities and obligations of a network operator under the Measures through a legal representative or institution within China. If this provision takes effect, overseas institutions that collect domestic users' personal information through the Internet or other means in their business activities will need a legal representative or institution in China. The Measures do not make clear whether that domestic institution or legal representative must itself be the subject that collects the personal information; the authors believe that even if the provision takes effect as drafted, some room for interpretation may remain, since otherwise, without a suitable transition period, many products and services that overseas entities offer to users in China, and that cannot be provided without collecting personal information, would have to be stopped.

Notably, the Measures for the Security Assessment of Cross-Border Transfer of Personal Information (Draft for Comments) provide that, before personal information is transferred abroad, the network operator must file a cross-border transfer security assessment with the regulator; the assessment must be repeated every two years, and transfers to different recipients within those two years must each be filed for assessment separately. If these provisions take effect, market participants that need to transfer personal information abroad frequently may need to give serious consideration to establishing a dedicated operating entity in China so that the assessment can be completed as quickly as possible.


5. What are the consequences of violating personal information and data security protection?

Penalties for violating personal information and data security protection in China are scattered across the Cybersecurity Law, the Law on the Protection of Consumer Rights and Interests, the Provisions on Protecting the Personal Information of Telecommunications and Internet Users, the Criminal Law and the relevant judicial interpretations. Under the provisions currently in force:

1) Penalties under the Provisions on Protecting the Personal Information of Telecommunications and Internet Users

Under Articles 22 to 24 of the Provisions on Protecting the Personal Information of Telecommunications and Internet Users, conduct that violates the personal information protection requirements of the Provisions may: 1. be ordered to be rectified within a time limit; 2. attract a warning; 3. additionally be fined between RMB 10,000 and RMB 30,000; 4. be announced to the public; and 5. where it constitutes a crime, be prosecuted for criminal liability in accordance with the law.

2) Penalties under the Law on the Protection of Consumer Rights and Interests

Under Article 56 of the Law on the Protection of Consumer Rights and Interests, anyone who infringes consumers' right to have their personal information protected in accordance with the law (mainly under Article 29, authors' note), in addition to bearing the corresponding civil liability, is punished according to other laws and regulations where those prescribe the penalising authority and the form of penalty; where laws and regulations make no such provision, the administrative department for industry and commerce or another relevant administrative department orders rectification and may, according to the circumstances, impose separately or concurrently a warning, confiscation of illegal gains, or a fine of between one and ten times the illegal gains; where there are no illegal gains, a fine of up to RMB 500,000; and where the circumstances are serious, an order to suspend business for rectification and revocation of the business licence.

3) Penalties under the Cybersecurity Law

Under Article 64 of the Cybersecurity Law:

Where the right to the protection of personal information in accordance with the law is infringed, the relevant competent department: 1. orders rectification; 2. may, according to the circumstances, impose separately or concurrently a warning, confiscation of illegal gains, or a fine of between one and ten times the illegal gains, and where there are no illegal gains a fine of up to RMB 1,000,000, with the directly responsible person in charge and other directly responsible persons fined between RMB 10,000 and RMB 100,000; and 3. where the circumstances are serious, may also order the suspension of the relevant business, suspension of business for rectification, closure of the website, or revocation of the relevant business permit or the business licence.

Where personal information is stolen or otherwise illegally obtained, illegally sold or illegally provided to others, but the conduct does not constitute a crime, the public security organ confiscates the illegal gains and imposes a fine of between one and ten times the illegal gains, or, where there are no illegal gains, a fine of up to RMB 1,000,000.

In addition, under Articles 71 and 74 of the Law, violations of the Law are recorded in the credit file in accordance with the relevant laws and administrative regulations and made public, and where a crime is constituted, criminal liability is pursued according to the law.

4) Penalties under the Criminal Law and the relevant judicial interpretations

Articles 253 and 286 of the Criminal Law respectively provide for the crime of infringing citizens' personal information and the crime of refusing to perform information network security management obligations. It deserves particular attention that, under Article 2 of the Interpretation on Several Issues concerning the Application of Law in Handling Criminal Cases of Infringing Citizens' Personal Information, any violation of the provisions of laws, administrative regulations or departmental rules on the protection of citizens' personal information is deemed a "violation of the relevant state provisions" for the purposes of the crime of infringing citizens' personal information. Under these provisions:

Whoever commits the crime of infringing citizens' personal information is, where the circumstances are serious, sentenced to fixed-term imprisonment of up to three years or criminal detention, with or without a fine; where the circumstances are especially serious, to fixed-term imprisonment of between three and seven years together with a fine. Where a unit commits the crime, the directly responsible person in charge and other directly responsible persons are convicted and punished according to the conviction and sentencing standards for the corresponding crime committed by natural persons under the Interpretation, and the unit is fined.

Whoever commits the crime of refusing to perform information network security management obligations is sentenced to fixed-term imprisonment of up to three years, criminal detention or public surveillance, with or without a fine.

Taken together, the penalties that enterprises may face for violating China's personal information protection rules mainly include:

1) Economic penalties: where there are direct illegal gains, confiscation of the illegal gains plus a fine of up to ten times those gains; where there are no direct illegal gains or they cannot be calculated, a fine of up to RMB 1 million;


2) Conduct penalties: at most, revocation of the relevant business permit or the business licence;

3) Criminal penalties: at most, seven years' fixed-term imprisonment together with a fine.

It should be noted in particular that although the fines provided for administrative penalties under Chinese law are tiny compared with the GDPR's fines of up to €20 million or 4% of the enterprise's total worldwide turnover in the preceding year (whichever is higher), anyone who, having received an administrative penalty within the previous two years, again illegally obtains, sells or provides personal information will face criminal penalties, and those penalties extend to the directly responsible person in charge and other directly responsible persons. Moreover, the newly published Measures for the Administration of Credit Information on Seriously Dishonest Internet Information Service Providers (Draft for Comments) provide that subjects that have been administratively penalised several times may be placed on a blacklist of seriously dishonest subjects or a watch list. From this perspective, an administrative penalty should not be taken lightly, however low the fine.


Thanks to interns Ningxin Yu and Yushang Xu for their hard work in preparing this article.



