Complicated or Convenient: How Multinational Companies Choose the Best Route for Cross-border Transfer of Personal Data


Original title: Zhou Liang et al.: Technology Innovation and Legal Frontiers Series, Article 6 - Complicated or Convenient: How Multinational Companies Choose the Best Route for Cross-border Transfer of Personal Data

I. Key Points

Recently, the Measures for the Security Assessment of Data Cross-border Transfer ("Security Assessment Measures"), the Security Certification Specifications for Cross-Border Processing of Personal Information ("Security Certification Specifications") and the Provisions on Standard Contract for Cross-border Transfer of Personal Information (Draft for Comments) ("Draft Standard Contracts") have been promulgated in succession, providing three different approaches to the cross-border transfer of personal information.

Comparing the three approaches under the regulations above, the formalities of the security assessment approach are relatively complicated, while the security certification approach and the standard contract approach are simpler. In particular:


1. Complicated approach: for handlers of important data, critical information infrastructure operators ("CIIOs") and other companies with large-scale data cross-border transfer needs, if the statutory declaration threshold is met, only the security assessment approach can be adopted.

2. Simple approach: in any circumstance where a declaration for security assessment is not required, companies may apply for security certification or file a standard contract. Specifically, security certification offers considerable convenience to large multinational companies and other entities that need to carry out cross-border processing of personal information frequently, while the standard contract approach provides more flexibility for small companies that transfer fixed types of personal information or small volumes of data in a single transfer.

II. Approaches to Cross-border Transfer of Personal Information Data

1. Approach I: Security Assessment

(1) Application Thresholds

Pursuant to Article 4 of the Security Assessment Measures, a data handler shall declare a security assessment for data cross-border transfer under any of the following circumstances: (1) the data handler provides important data to overseas entities; (2) a CIIO, or a data handler that processes the personal information of more than 1 million individuals, provides personal information to overseas entities; (3) a data handler that has provided overseas entities with the personal information of 100,000 individuals or the sensitive personal information of 10,000 individuals in aggregate since January 1 of the preceding year provides personal information to overseas entities; and (4) other circumstances specified by the Cyberspace Administration of China ("CAC").

Therefore, if any of the conditions above is met, security assessment is the only approach available to the company for data cross-border transfer.


(2) Application Scenarios

A. Transfer of Important Data

According to the definition in the Guidelines for the Identification of Important Data (Draft for Comments), important data refers to data that, once tampered with, destroyed, leaked, illegally obtained or illegally used, may endanger national security, economic operation, social stability, public health and safety, etc. Examples include data that could be used to carry out network attacks on critical information infrastructure, information describing the design principles, technical processes and manufacturing methods of export-controlled items, financial transaction data of key enterprises, and production and manufacturing information for important equipment. A company that needs to transfer such data abroad must complete a security assessment.

B. Data Cross-border Transfer by CIIOs

According to Article 2 of the Regulation on Protecting the Security of Critical Information Infrastructure, critical information infrastructure ("CII") refers to important network facilities and information systems in important industries and fields such as public communication and information services, energy, transportation, water conservancy, finance, public services, e-government and the science and technology industry for national defense, as well as other important network facilities and information systems that may seriously endanger national security, the national economy and people's livelihood, or the public interest if they are damaged, lose their functions or suffer data leakage. Examples include the healthcare industry, the food and drug research field, and network facilities and information systems that provide cloud computing and big data services. CIIOs are identified by the competent regulatory departments, and a company so identified must conduct a security assessment when carrying out data cross-border transfer activities.

C. Large-Scale Data Cross-border Transfer

Large-scale data mainly refers to the following scenarios: (1) a domestic company whose business involves processing the personal information of more than 1 million individuals provides data to overseas entities; and (2) since January 1 of the preceding year, a domestic company has provided overseas entities with the personal information of 100,000 individuals, or the sensitive personal information (e.g. ID card numbers, health status) of 10,000 individuals, in aggregate. If the cumulative volume exceeds these thresholds, the domestic company shall immediately cease providing the data, regardless of whether it has obtained security certification or filed a standard contract, and may resume only after completing a security assessment.

It should be clarified that the unit of counting here is the number of individuals, not the number of transfers: repeated provision of the same person's personal information is not counted cumulatively.

D. Special Requirements under Departmental Rules

Some departmental rules impose special requirements on companies in particular industries, requiring a security assessment before their data cross-border transfer. For example, Articles 3 and 11 of the Several Provisions on the Management of Automobile Data Security (for Trial Implementation) stipulate that video and image data collected outside the vehicle that contain face information, license plate information and the like, as well as personal information involving more than 100,000 personal information subjects, constitute "important data" when provided overseas by automobile data handlers, and must be declared for security assessment. In addition, medical institutions that provide personal health and medical data to overseas entities, and any data handler that intends to list overseas, must also complete the security assessment procedure.

(3) Approach Features

This approach applies to handlers of important data and CIIOs, as well as other companies with large-scale data cross-border transfer needs. If the thresholds described above are met, a security assessment must be carried out in accordance with the Security Assessment Measures.

2. Approach II: Security Certification

(1) Application Thresholds

As analyzed above, if none of the four circumstances prescribed under the Security Assessment Measures applies, a company may apply for security certification in order to transfer data abroad. In addition, according to Chapter I of the Security Certification Specifications, security certification expressly applies to cross-border processing of personal information between multinational companies and the subsidiaries and affiliates of the same economic or public institution entity, as well as to the processing of the personal information of PRC natural persons by overseas entities as specified in the second paragraph of Article 3 of the Personal Information Protection Law ("PIPL").

(2) Application Scenarios

For example, a multinational company with branches in the PRC can handle the cross-border processing of its PRC employees' personal information more conveniently after obtaining security certification. In addition, for domestic companies that regularly transfer domestic personal information to overseas information handlers for the analysis or assessment of the conduct of domestic individuals, this approach can also simplify compliance procedures.

(3) Approach Features

A. Compared with the standard contract approach, the compliance requirements and liability of overseas entities are higher

Chapter V of the Security Certification Specifications emphasizes the overseas recipient's systematic obligation to safeguard the rights of personal information subjects. Whereas the PIPL only stipulates obligations for domestic handlers, the Specifications impose more stringent compliance requirements on overseas entities. Domestic handlers and overseas recipients must also comply with uniform rules on the cross-border processing of personal information and ensure that personal information is protected at a level not lower than the standards set by PRC laws and regulations. Both parties must jointly undertake to accept supervision by the certification body, including responding to inquiries and routine inspections, and to submit to the jurisdiction of the PRC courts.

B. A single certification is valid long-term, making it more suitable for companies with frequent data cross-border transfer needs

Although security certification imposes higher compliance requirements and liability on overseas entities, a certification once obtained remains valid long-term, and the Specifications set no mandatory requirement to reapply. The security certification approach is therefore more suitable for companies that need to transfer data abroad frequently.

3. Approach III: Standard Contract

(1) Application Thresholds

Article 4 of the Draft Standard Contracts provides that, in any circumstance where a declaration for security assessment is not required, the relevant entities may transfer data abroad by signing a standard contract.

(2) Application Scenarios

The standard contract can be applied where a domestic company transfers a small volume of data in a single transfer, or where it transfers data repeatedly and the characteristics of the data (such as sensitivity, retention period, storage location and purpose) will not change substantially.


(3) Approach Features

A. High Efficiency

A domestic company may begin transferring personal information abroad as soon as the standard contract signed with the overseas recipient takes effect; the filing serves only for ex-post supervision and management. This makes the approach relatively efficient for domestic companies.

B. Multiple Filings May Be Required

In contrast to the long-term validity of security certification, Article 8 of the Draft Standard Contracts expressly specifies the circumstances in which a standard contract must be re-signed and re-filed. For example, if the categories or purpose of the personal information to be transferred change, or the overseas policies or regulations on personal information protection change, the compliance procedures of re-signing, re-assessing and re-filing may have to be carried out frequently.

Therefore, we believe that a company adopting this approach should assess the categories, formats and scope of the data it needs to transfer abroad. If the personal information to be transferred is relatively fixed, the standard contract approach is simpler than the security certification approach; but if the company needs to transfer personal information of different natures, the security certification approach is more convenient for the company.

III. Conclusion

The choice of approach for data cross-border transfer is becoming increasingly clear. For handlers of important data, CIIOs and other companies with large-scale data cross-border transfer needs, if the thresholds described above are met, the only approach available is to declare a security assessment. Where none of those circumstances applies, if the personal information to be transferred is relatively fixed, the standard contract approach is simpler and more flexible; but if a company needs to transfer personal information of different natures frequently, the security certification approach is more convenient.

Special Statement:

The above content represents the authors' personal views, does not represent the position of their institution, and should not be regarded as a legal opinion or advice of any form.
