▶ Introduction
China's Personal Information Protection Law (hereinafter the "PIPL") has been promulgated and will take effect on 1 November 2021. It is fair to expect that personal information processing activities in Chinese society (in this article the term refers to personal information processing activities governed by the PIPL; the same applies below) will go through a period of transition from disorder to order.
The EU's General Data Protection Regulation (hereinafter the GDPR) took effect on 25 May 2018 and regulates personal information processing activities within the EU.
Given the depth and breadth of economic exchange between China and the EU, a comparative reading of the two laws is very useful for organizations, especially enterprises and other private bodies with cross-border business, in building an organizational structure and internal rules that satisfy the requirements of both laws at once.
▶ Legislative purpose: balancing protection and use of personal information
China: protect personal information rights and interests, but also promote the reasonable use of personal information (Articles 1 and 2).
EU: protect the rights and freedoms relating to personal data, but the free movement of personal data within the Union shall be neither restricted nor prohibited for that reason (Article 1(2), (3)).
The need for a personal information protection law has become increasingly apparent with the rapid growth of the electronic information industry. Because of that growth, the scale and speed of personal information processing, and its impact on personal life, differ vastly from those of earlier eras. At the same time, the use of personal information is the foundation of many economic activities in a digital economy. Both the Chinese and the EU law therefore emphasize the balance between the two.
▶ Definition of personal information
China: personal information is any kind of information relating to an identified or identifiable natural person (Article 4).
EU: personal data is any information relating to an identified or identifiable natural person (Article 4(1)).
The PIPL uses the term "personal information" while the GDPR uses "personal data", but there is no substantive difference between the two.
The PIPL stresses that anonymized information is not personal information (Article 4). This merely elaborates on the point "relating to an identified or identifiable natural person" and does not narrow the scope of the concept.
The PIPL also stresses that whether information is recorded electronically is not an element of the definition (Article 4). The GDPR provides that personal data falls within its scope once it enters a filing system, whether or not that system is automated (Article 2(1)). Since an automated filing system can only be electronic, and information held in an electronic filing system can only be recorded electronically, the two laws express the point differently but to the same effect.
▶ Personal information processors and controllers
China: a personal information processor is an organization or individual that, in personal information processing activities, autonomously determines the purposes and means of processing, such as collection, storage, use, processing, transmission, provision, disclosure and deletion (Article 4 paragraph 2; Article 73 paragraph 1 item 1).
EU: a data controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing (Article 4(7), first sentence); a data processor is the natural or legal person, public authority, agency or other body which, on behalf of the controller, collects, records, organizes, structures, stores, adapts or alters, retrieves, consults, uses, discloses, aligns or combines, restricts, erases or destroys data (Article 4(2), (8)).
The PIPL has only "processors" and no "controllers". However, a PIPL processor is an individual or organization that can determine the purposes and means of processing, so it should be understood to include the controller in the EU sense, because only a controller can determine the purposes and means of processing.
On the other hand, even a processor in the narrow sense, such as an independent third party providing data processing services, although it cannot decide the purpose of processing, necessarily has some degree of autonomy over the means of processing, for example where the storage servers are located, how the servers are encrypted, and whether data is transmitted over fibre or copper cable; otherwise it would not be an independent third party but an affiliate of the controller.
The PIPL's personal information processor therefore also covers the processor in the EU sense. In short, the scope of the PIPL's personal information processor does not differ substantively from the GDPR's "controller + processor".
▶ Domestic and extraterritorial jurisdiction
China: personal information processing activities conducted within China are subject to the law (Article 3 paragraph 1). Activities conducted outside China that process the personal information of natural persons within China are also subject to the law if their purpose is to provide products or services to natural persons within China, if they analyse or assess the behaviour of natural persons within China, or in other circumstances provided for by laws and regulations (Article 3 paragraph 2).
EU: data processing activities carried out by an establishment of a controller or processor in the Union are subject to the law, regardless of whether the processing takes place in the Union (Article 3(1)). Data processing activities by a controller or processor established outside the Union are also subject to the law if they relate to offering products or services to data subjects in the Union or to monitoring behaviour that takes place within the Union (Article 3(2)).
Clearly, on the criterion of the location of the data subject (the potential victim), the two laws are consistent in practical effect.
Worth examining is the difference between China's "processing activities conducted within the territory" and the EU's "activities of an establishment of a controller or processor within the territory". Because the question is fairly complex, we use an example to test it: suppose an overseas establishment of a domestic company processes information about persons abroad. What then?
This needs to be analysed in two cases.
First, the overseas establishment acts independently, for example by providing information processing services to an overseas third party. Here, under the PIPL, the activity is outside China and the law does not apply. Under the GDPR, the answer is less clear. Some hold that the GDPR does not apply, because the domestic company is neither a processor nor a controller in this case. But the information security officer at the headquarters of an EU company the author once served held that the GDPR did apply, and accordingly required its Chinese subsidiary to comply with the GDPR, even though the Chinese company held no personal information of EU persons.
Second, the overseas establishment's conduct is controlled to some extent by the domestic organization. Here the GDPR clearly has jurisdiction, because the activity is carried out by an establishment of a controller in the Union. Under the PIPL, however, it seems open to dispute: for example, if the Chinese headquarters requires the overseas establishment to implement a particular technical or service standard, is that "autonomously determining the means of processing" as defined by the PIPL? The answer is not yet certain.
On these questions, we advise clients to follow legislative developments in both China and the EU closely.
It should be noted that the "establishment" of a controller or processor, in the wording of the English version of the GDPR, cannot be understood as a company, or even as an office. Legal form is not the criterion. An engaged consultant may also constitute an establishment.
▶ Enforcement of extraterritorial jurisdiction
China: a personal information processor shall take necessary measures to ensure that the overseas recipient's processing of personal information meets the standard of personal information protection provided by this law (Article 38 paragraph 3).
EU: a controller or processor may transfer personal data abroad only if it has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies are available, unless the EU has decided that the third country ensures an adequate level of protection. All provisions on transfers of personal data abroad shall be applied so as to ensure that the level of protection guaranteed by the GDPR is not undermined (Articles 44 and 46(1)).
Although the law sets many requirements for transferring personal information abroad, what if the overseas recipient does not comply after receiving the data? Both Chinese and EU law impose a duty of "assurance" on the domestic data controller or processor.
In practice, this means on the one hand that the domestic organization must carefully examine the overseas recipient's protection principles, methods and capabilities, and on the other hand that it must control the overseas recipient through instruments such as agreements, so that when personal information rights are infringed, the data subject and the domestic organization can seek remedies through appropriate channels, for example by suing the overseas organization under the agreement.
Of course, a domestic organization that fails to perform its "assurance" duty may, depending on the circumstances, face administrative penalties. Responsible persons within China may also face criminal liability.
Personal information protection compliance is, for information processors and especially for enterprises, an issue to be addressed at the governance level: in line with legal requirements, an enterprise should set up an appropriate internal personal information protection function, invest sufficient funds in information protection infrastructure and staff training, and adopt appropriate internal rules to ensure that employees' conduct in the course of their duties complies with the law.
English version
China Personal Information Protection Law and EU General Data Protection Regulation Comparative Reading: Five Basic Concepts
▶Introduction
China has promulgated the Personal Information Protection Law (PIPL), which takes effect on November 1, 2021. It can be expected that personal information processing activities will take some time to move from the current disorder to disciplined practice.
The European Union's General Data Protection Regulation (GDPR), which regulates personal data processing in the EU, took effect on May 25, 2018.
Given the depth and breadth of economic exchange between China and the EU, it is very useful for organizations, especially businesses and others with cross-border CN-EU operations, to read the PIPL and GDPR comparatively, so that they can prepare their organization and internal institutions in line with the legislation of both regions.
▶Objectives: balance of protection and use of personal information
CN: protect personal information rights and interests, but also promote the use of personal information (Art. 1; 2).
EU: protect the rights of natural persons to the protection of personal data, while the free movement of personal data within the Union shall be neither restricted nor prohibited (Art. 1(2), (3)).
The necessity of personal information protection has become prominent with the growth of the electronic information industry. With the advance of that industry, the scope and speed of personal information processing, and its impact on personal life, are tremendously different from earlier days. Use of personal information, however, is also the foundation of many economic activities in a digital economy. Both China and the EU have therefore emphasized the balance between the two sides.
▶Definition of personal information
CN: personal information means any type of information relating to an identified or identifiable natural person (Art. 4).
EU: personal data means any information relating to an identified or identifiable natural person (Art. 4(1)).
PIPL uses the term Personal Information whilst GDPR uses Personal Data, but there is no difference in essence between them.
PIPL has affixed to the above definition a sentence stating that anonymized information is not personal information. This however is just an additional emphasis of the point "relating to an identified or identifiable natural person", with no further essential development of the definition.
PIPL has also emphasized that whether information is recorded electronically is not a component of the definition. GDPR on the other hand stipulates that it applies as long as personal data enters a filing system, whether automated or not. As an automated filing system can only be electronic, and data in an electronic filing system can only be recorded electronically, the two pieces of legislation are talking about the same thing in different ways.
▶Personal information controller and processor
CN: a personal information processor is an individual or organization which autonomously determines the purposes and means of personal information processing activities, such as collection, storage, use, processing, transfer, provision, disclosure and deletion (Art. 4 par. 2; Art. 73 par. 1 item 1).
EU: a personal data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (Art. 4(7) sentence 1). A personal data processor means a natural or legal person, public authority, agency or other body which, on behalf of the controller, processes personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, alignment or combination, restriction, erasure or destruction (Art. 4(2), (8)).
In PIPL there is only the concept of processor, not controller. Nonetheless, the processor in PIPL is an individual or organization which can determine the purposes and means of processing, and thus should be understood as covering the concept of controller in GDPR. After all, it is the controller that determines the purposes and means of data processing. On the other hand, a processor even in the strict sense, for instance an independent third-party data processing service provider, though without autonomy over the processing purpose, must have some autonomy over the means of processing to a certain extent, such as where to place servers, how to encrypt data, and by what technique to transfer data. Otherwise it is an associated organization, not a third party any more.
Therefore a processor in PIPL also covers the concept of processor in GDPR. In short, a processor in PIPL is not essentially different from "controller + processor" in GDPR.
▶Application inside and outside border
CN: PIPL applies to personal information processing activities within China (Art. 3 par. 1). PIPL also applies to an activity conducted outside China to process the personal information of natural persons within China when the activity is purported to provide goods or services to natural persons within China, or to analyse or assess the behaviour of natural persons within China, or falls within other criteria provided for by laws or regulations (Art. 3 par. 2).
EU: GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not (Art. 3 (1)). GDPR also applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to the offering of goods or services to such data subjects in the Union, or related to the monitoring of their behaviour as far as their behaviour takes place within the Union (Art. 3(2)).
Apparently, the two pieces of legislation by China and the EU are consistent in effect on the point of taking the location of the information subject as the basis for applying the law.
It is interesting to compare China's criterion "activity within the border" with the EU criterion "activity of an establishment of a controller or a processor within the border". To keep it simple, here is an example to test the question: what happens if an outside establishment of an inside company processes personal information of subjects outside the border?
It’s necessary to split it into two cases for analysis.
The first case is where the outside establishment behaves independently, for example, it provides processing services to an outside third party. In this case PIPL does not apply, as the activity is outside China's border. But the answer is not so definite when it comes to GDPR. Some think GDPR does not apply either, because the inside company is neither a controller nor a processor in this case. The headquarters information security commissioner of an EU company I used to serve seemingly thought differently: the China branch was requested to follow GDPR, though the China branch processed nothing in relation to EU persons.
The second case is where the behaviour of the outside establishment is controlled to a certain extent by the inside company. In this case GDPR definitely applies, as it is an "activity of an establishment of a controller in the Union". It is arguable when it comes to PIPL. For example, when the China headquarters enforces a certain sort of technical or service quality standard, is that an activity of "autonomously determining processing means" as defined by PIPL?
For the questions just discussed, we recommend that clients closely observe legal developments within the two regions.
One tip here is that the expression "establishment" of a controller or a processor in the English version of GDPR should not be understood simply as a company, or even simply as an office. Legal form is not the criterion. An engaged consultant may also constitute an establishment.
▶Enforcement outside border
CN: a personal information processor must take necessary measures to ensure that the personal information processing activities of an outside recipient reach the standards of personal information protection provided by PIPL (Art. 38 par. 3).
EU: a controller or processor may transfer personal data to a third country or an international organization only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available, unless the EU has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection. All provisions in relation to the transfer of personal data to a third country or international organization shall be applied in order to ensure that the level of protection of natural persons guaranteed by GDPR is not undermined (Art. 44, 46(1)).
Although many requirements are put up for the transfer of personal data to a recipient outside the border, what if the outside recipient does not comply after reception? Both China and the EU have imposed a duty of "assurance" on the inside controller and processor.
In practice, this requires the inside organization, on one hand, to carefully examine the personal information protection principles, methods, capacity and the like of outside organizations, and on the other hand to control outside organizations via instruments such as agreements, so that, in case victimization takes place, an information subject is able to seek remedies through a proper approach, for instance by suing the outside and/or inside organization under the agreements.
Meanwhile, an inside organization not properly performing the "assurance" duty may, depending on the situation, be given administrative punishment. Responsible persons in China may also face criminal penalties.
▶Conclusion
To a personal information processor, compliance with personal information protection law is, in some sense, a corporate governance issue: a company must set up a proper internal personal information protection institution in line with legal requirements, invest adequately in personal information protection infrastructure and give staff sufficient training, and in the meantime prepare proper corporate regulations to ensure that staff behave in accordance with the requirements of the law.