Introduction
China's Personal Information Protection Law (hereinafter "PIPL") has been promulgated and will take effect on November 1, 2021. It can be expected that personal information processing activities in Chinese society (in this article the term means personal information processing activities governed by the PIPL; the same below) will go through a period of transition from disorder to order.
The EU's General Data Protection Regulation (hereinafter "GDPR") took effect on May 25, 2018, and regulates personal information processing activities within the EU.
Given the depth and breadth of economic exchange between China and the EU, a comparative reading of the two laws is very useful for organizations, especially enterprises and other private bodies with cross-border business, in building organizational structures and internal rules that satisfy the requirements of both laws at once.
Legislative purpose: balancing personal information protection and personal information use
China: protect personal information rights and interests, but also promote the reasonable use of personal information (Articles 1 and 2).
EU: protect the rights and freedoms relating to personal data, but the free movement of data within the Union must not be restricted or prohibited on that account (Art. 1(2), (3)).
The need for a personal information protection law has become increasingly evident with the rapid growth of the electronic information industry. Because of the development of that industry, the scale and speed of personal information processing and its impact on personal life are vastly different from those of earlier times. Yet the use of personal information is also the foundation of many economic activities in a digital economy. Both the Chinese and the EU laws therefore place equal emphasis on balancing the two.
Definition of personal information
China: personal information is any kind of information relating to an identified or identifiable natural person (Article 4).
EU: personal data is any information relating to an identified or identifiable natural person (Art. 4(1)).
The PIPL uses the term "personal information" and the GDPR uses "personal data", but there is no substantive difference in meaning between the two.
The PIPL stresses that information that has been anonymized is not personal information (Article 4). This merely elaborates on the element "relating to an identified or identifiable natural person" and does not narrow the scope of the concept of personal information.
The PIPL also stresses that whether information is recorded electronically is not an element of the definition of personal information (Article 4). The GDPR, for its part, provides that it applies once personal data enters a filing system, whether or not that filing system is automated (Art. 2(1)). Since an automated filing system can only be electronic, and information held in an electronic filing system can only be recorded electronically, the two laws express this point differently but with the same effect.
Processors and controllers of personal information
China: a personal information processor is an organization or individual that, in personal information processing activities, independently determines the purposes and means of processing, such as the collection, storage, use, processing, transmission, provision, disclosure and deletion of personal information (Article 4 paragraph 2; Article 73 paragraph 1 item 1).
EU: a data controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of data processing (Art. 4(7), first sentence); a data processor is a natural or legal person, public authority, agency or other body which, on behalf of the controller, collects, records, organizes, structures, stores, adapts or alters, retrieves, consults, uses, discloses, aligns or combines, restricts, erases or destroys data (Art. 4(2), (8)).
The PIPL has only "processors" and no "controllers". However, a processor under the PIPL is an individual or organization that can determine the purposes and means of processing, so it should be understood to include the controller in the EU-law sense, since only a controller can determine the purposes and means of processing.
On the other hand, even a processor in the narrow sense, such as an independent third party providing data processing services, while it has no autonomy over the purposes of processing, necessarily has some degree of autonomy over the means of processing, for example where the storage servers are located, how the servers are encrypted, and whether fibre or cable is used for transmission; otherwise it would not be an independent third party but an affiliate of the controller.
Therefore, the personal information processor under the PIPL also includes the processor in the EU-law sense. In short, there is no substantive difference between the scope of "personal information processor" under the PIPL and the scope of "controller + processor" under the GDPR.
Domestic and extraterritorial jurisdiction
China: personal information processing activities conducted within China are subject to the law (Article 3 paragraph 1). Activities conducted outside China that process the personal information of natural persons within China are also subject to the law if the purpose of the activity is to provide products or services to natural persons within China, or the activity analyzes or assesses the behaviour of natural persons within China, or other circumstances provided for by laws or regulations apply (Article 3 paragraph 2).
EU: data processing activities carried out by an establishment of a controller or processor in the Union are subject to the regulation, regardless of whether the processing takes place in the Union (Art. 3(1)). Data processing activities by a controller or processor established outside the Union are also subject to the regulation if the activity is for the purpose of offering products or services to data subjects in the Union, or for monitoring behaviour that takes place within the Union (Art. 3(2)).
Clearly, on the criterion of the location of the information subject (the potential victim), the two laws are consistent in practical effect.
What deserves closer analysis is the difference between China's "processing activities conducted within the territory" and the EU's "activities of an establishment of a controller or processor within the territory". Because the question is fairly complex, we use an example to test it: suppose an overseas establishment of a domestic company processes information about persons outside the territory. What then?
This must be analyzed in two cases.
In the first case, the overseas establishment acts independently, for example by providing information processing services to an overseas third party. Here, under the PIPL, the law does not apply because the activity is not within China. Under the GDPR, however, the answer is not clear. Some hold that the GDPR does not apply either, because the domestic company is then neither a processor nor a controller. But the head-office information security officer of an EU company the author once served took the view that the GDPR applied, and so required its Chinese subsidiary to comply with the GDPR, even though the Chinese company held no personal information of EU persons.
In the second case, the conduct of the overseas establishment is controlled to some extent by the domestic organization. Here the GDPR clearly has jurisdiction, because the activity is that of an establishment of a controller in the Union. Under the PIPL it seems arguable: for instance, when the Chinese head office requires the overseas establishment to implement certain technical or service standards, is that "independently determining the means of processing" as defined by the PIPL? The answer is not yet certain.
On these questions, we advise clients to follow legislative developments in both China and the EU closely.
It should be noted that the "establishment" of a controller or processor, as the English text of the GDPR puts it, cannot be understood as a company, or even as an office. Legal form is not the criterion. An engaged consultant can also constitute an establishment.
Enforcement of extraterritorial jurisdiction
China: a personal information processor shall take necessary measures to ensure that the personal information processing activities of the overseas recipient meet the personal information protection standards provided by this law (Article 38 paragraph 3).
EU: a controller or processor may transfer personal data abroad only if it has provided appropriate safeguards and on condition that enforceable data subject rights and legal remedies are available, unless the EU has decided that the third country ensures an adequate level of protection. All provisions on transfers of personal data abroad shall ensure that the level of protection guaranteed by the GDPR is not undermined (Art. 44, 46(1)).
Although the law sets many requirements for transferring personal information abroad, what if the overseas recipient does not comply once it has the data? Both the Chinese and the EU laws impose a duty of "assurance" on their domestic data controllers and processors.
In practice this means, on the one hand, that the domestic organization must carefully examine the overseas recipient's protection philosophy, methods, capabilities and so on, and on the other hand that the domestic organization should control the overseas recipient through instruments such as agreements, so that when personal information rights are infringed, the personal information subject or the domestic organization can seek remedies through appropriate channels, for example by suing the overseas organization under the agreement.
Of course, a domestic organization that fails to perform its duty of "assurance" may, depending on the circumstances, be subject to administrative penalties. Responsible persons within China may also be held criminally liable.
For information processors, and for enterprises in particular, personal information protection compliance is an issue that needs attention at the governance level: an enterprise should, in line with legal requirements, set up an appropriate internal personal information protection function, invest sufficient funds in building information protection infrastructure and provide adequate staff training, and at the same time draw up appropriate rules and regulations to ensure that employees' conduct in the course of their duties complies with the law.
English version
A Comparative Reading of China's Personal Information Protection Law and the EU General Data Protection Regulation: Five Basic Concepts
Introduction
China has published the Personal Information Protection Law (PIPL), which takes effect on November 1, 2021. It can be expected that personal information processing activities will take some time to move from today's disorder to discipline.
The European Union's General Data Protection Regulation (GDPR) took effect on May 25, 2018, and regulates personal data processing in the EU.
Given the depth and breadth of economic exchange between China and the EU, it is very useful for organizations, especially businesses and others with cross-border CN-EU operations, to read the PIPL and GDPR side by side so that they can prepare their organization and internal rules in line with the legislation of both regions.
Objectives: balancing protection and use of personal information
CN: protect personal information rights, but also promote the use of personal information (Art. 1, 2).
EU: protect natural persons' rights to the protection of personal data, while the free movement of personal data within the Union shall be neither restricted nor prohibited (Art. 1(2), (3)).
The necessity of personal information protection has become prominent with the growth of the electronic information industry. With the advance of that industry, the scale and speed of personal information processing, and its impact on personal life, differ tremendously from earlier days. The use of personal information, however, is also the foundation of many economic activities in a digital economy. Both China and the EU have therefore emphasized the balance between the two.
Definition of personal information
CN: personal information means any kind of information relating to an identified or identifiable natural person (Art. 4).
EU: personal data means any information relating to an identified or identifiable natural person (Art. 4(1)).
The PIPL uses the term Personal Information whilst the GDPR uses Personal Data, but there is no difference in essence between them.
The PIPL appends to the above definition a sentence stating that "pseudonymized information" is not personal information. This, however, is merely an additional emphasis of the point "relating to an identified or identifiable", with no further essential development of the definition.
The PIPL has also emphasized that whether information is recorded electronically is not a component of the definition. The GDPR, on the other hand, stipulates that it applies as long as personal data enter a filing system, whether automated or not. As an automated filing system can only be electronic, and data in an electronic filing system can only be recorded electronically, the two pieces of legislation are therefore talking about the same thing in different ways.
Personal information controller and processor
CN: a personal information processor is an individual or organization which autonomously determines, in personal information processing activities, the purposes and means of personal information processing, such as collection, storage, use, processing, transfer, provision, disclosure and deletion (Art. 4 par. 2; Art. 73 par. 1 item 1).
EU: a personal data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (Art. 4(7), sentence 1). A personal data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller, such as by collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, alignment or combination, restriction, erasure or destruction (Art. 4(2), (8)).
In the PIPL there is only the concept of a processor, and no controller. Nonetheless, the processor in the PIPL is an individual or organization which can determine the purposes and means of processing, and should thus be understood as covering the concept of a controller in the GDPR. After all, it is the controller that determines the purposes and means of data processing. On the other hand, a processor even in the strict sense, for instance an independent third-party data processing service provider, though without autonomy over the purpose of processing, must have some degree of autonomy over the means of processing, such as where to place servers, how to encrypt data, and by what technique to transfer data. Otherwise it is an associated organization, not a third party any more.
Therefore a processor in the PIPL also covers the concept of a processor in the GDPR. In short, a processor in the PIPL is not essentially different from "controller + processor" in the GDPR.
Application inside and outside the border
CN: the PIPL applies to personal information processing activities within China (Art. 3 par. 1). The PIPL also applies to an activity conducted outside China that processes the personal information of natural persons within China when the activity is for the purpose of providing goods or services to natural persons within China, or analyzes or assesses the behaviour of natural persons within China, or falls within other circumstances provided for by laws or regulations (Art. 3 par. 2).
EU: GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not (Art. 3 (1)). GDPR also applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to the offering of goods or services to such data subjects in the Union, or related to the monitoring of their behaviour as far as their behaviour takes place within the Union (Art. 3(2)).
Apparently, the two pieces of legislation are consistent in effect on the point of taking the location of information subjects as the basis for applying the law.
It is interesting to compare China's criterion "activity within the border" and the EU's criterion "activity of an establishment of a controller or a processor within the border". To keep it simple, here is an example to test the question: what happens if an outside establishment of an inside company processes the personal information of subjects outside the border?
It is necessary to split this into two cases for analysis.
The first case is where the outside establishment acts independently, for example by providing processing services to an outside third party. In this case the PIPL does not apply, as the activity is outside China's border. But the answer is not so definite when it comes to the GDPR. Some think the GDPR does not apply either, because the inside company is neither a controller nor a processor in this case. The headquarters information security commissioner of an EU company I used to serve seemingly thought differently: the China branch was requested to follow the GDPR, though the China branch processed nothing in relation to EU persons.
The second case is where the behaviour of the outside establishment is controlled to a certain extent by the inside company. In this case the GDPR definitely applies, as it is an "activity of an establishment of a controller in the Union". It is arguable when it comes to the PIPL. For example, when the China headquarters enforces certain technical or service quality standards, is that "autonomously determining the means of processing" as defined by the PIPL?
On the issues just discussed, we recommend that clients closely observe legal developments in the two regions.
One tip here: the expression "establishment" of a controller or a processor in the English version of the GDPR should not be understood simply as a company, or even as an office. Legal form is not the criterion. An engaged consultant may also constitute an establishment.
Enforcement outside the border
CN: a personal information processor must take necessary measures to ensure that the personal information processing activities of an outside recipient reach the standards of personal information protection provided by the PIPL (Art. 38 par. 3).
EU: a controller or processor may transfer personal data to a third country or an international organization only if it has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available, unless the EU has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection. All provisions in relation to transfers of personal data to a third country or international organization shall be applied so as to ensure that the level of protection of natural persons guaranteed by the GDPR is not undermined (Art. 44, 46(1)).
Although many requirements are imposed on the transfer of personal data to a recipient outside the border, what if the outside recipient does not comply after receipt? Both China and the EU impose a duty of "assurance" on the inside controller and processor.
In practice, this requires the inside organization, on the one hand, to carefully examine the personal information protection philosophy, methods, capacity and the like of outside organizations, and on the other hand to control outside organizations via instruments such as agreements, so that, in case of victimization, an information subject is able to seek remedies through proper channels, for instance by suing the outside and/or inside organization under the agreements.
Meanwhile, an inside organization that does not properly perform its "assurance" duty may, depending on the situation, be given an administrative punishment. Responsible persons in China may also face criminal penalties.
Conclusion
To a personal information processor, compliance with personal information protection law is, in some sense, a corporate governance issue: a company must set up a proper personal information protection function internally in line with legal requirements, invest adequately in personal information protection infrastructure, give staff sufficient training, and in the meantime prepare proper corporate regulations to ensure staff behave in accordance with the requirements of the law.