On 26 June 2022, China's National Information Security Standardization Technical Committee published the guidance "Security Certification Specification for Cross-Border Processing of Personal Information" (the "Specification"). The Specification provides implementation rules for one of the lawful methods of carrying out cross-border data processing activities, namely third-party certification. It covers the applicable scenarios, the ways of obtaining certification, basic principles, basic requirements and special requirements for protecting the rights of data subjects. Zheng Ziqing (郑自清), partner at Zhong Lun Law Firm, discusses the Specification and its content.

Nature and role

The Specification is a recommended standard rather than a mandatory one; accordingly, its requirements do not constitute statutory obligations for data controllers or processors. Article 3 of the Specification also provides that voluntary certification is one of the basic principles for obtaining certification.

Article 38 of the Personal Information Protection Law ("PIPL") sets out five methods for lawfully processing personal information across borders, as shown in the table below. Obtaining certification is one of them. The Specification aims to provide certification guidance to the institutions and data controllers/processors that may take part in the process.

| Ways | Authority | Implementation rules |
| --- | --- | --- |
| Passing the security assessment in accordance with Article 40 of the PIPL. | Cyberspace Administration of China ('CAC') or its local counterparts. | Mandatory for significant data controllers/processors, in draft form. |
| Obtaining certification. | Certification institutions approved by the CAC. | Voluntary. |
| Concluding a contract stipulating both parties' rights and obligations with the overseas recipient in accordance with the standard contract formulated by the CAC. | Data controllers/processors, under the supervision of the CAC. | Pending, likely voluntary. |
| Passing the security assessment required by industry regulators. | Industry regulators. | Mandatory for the relevant industries, such as intelligent connected vehicles, healthcare, and finance. |
| International treaties, if any. | Relevant authorities. | None. |

Applying for certification

Article 1 of the Specification sets out two scenarios in which a data controller/processor may apply for certification:

  • Processing of personal information by data processors belonging to the same multinational company or the same economic or business entity. In practice, this applies where a foreign parent company intends to process personal information collected by its Chinese subsidiary (the "Single Entity Scenario").
  • Processing of personal information by data controllers/processors located outside China under Article 3, paragraph 2 of the PIPL, which covers the following circumstances:
    • providing products or services to natural persons within China;
    • analysing or evaluating the behaviour of natural persons within China; or
    • any other circumstances provided for by laws or administrative regulations (the "PIPL Article 3 Scenario").

Responsible parties

| Scenario | Applicant | Party responsible for legal consequences |
| --- | --- | --- |
| Single Entity Scenario | Data controller/processor located within China. | Domestic or foreign data controllers/processors involved. |
| PIPL Article 3 Scenario | Established or designated representative located within China. | Representative, and domestic or foreign data controllers/processors involved. |

Although Articles 2, 3(e) and 4.1(g) of the Specification do not expressly identify the party responsible for the legal consequences of data breach incidents or disputes, we understand that the Specification provides a liability scheme similar to Article 13(3) of the Draft Measures on Security Assessment of Personal Information Export issued by the CAC on 13 June 2019. That is, domestic and foreign data controllers/processors may bear joint and several liability for any harm to the rights and interests of data subjects. Where such harm occurs, a data subject may, for convenience, bring a claim against the domestic data controller/processor, and the same claim may also be brought against the foreign data controller/processor.

Factors to be assessed

The Specification outlines the basic principles, requirements and data subject rights that should be considered before certification is issued.

Basic principles

  • lawfulness, legitimacy, necessity, and integrity;
  • publicity and transparency;
  • accuracy and integrity of the personal information processed;
  • same level of protection;
  • accountability; and
  • voluntary certification.

Basic requirements

  • executing binding and enforceable instruments to ensure data subject rights, including the types and scope of personal information, warranties on compliance, warranties of being subject to the supervision of certifying institutions and designated organisations, and taking legal responsibility;
  • designating a responsible person (e.g. a data protection officer) and establishing an organisation in charge of personal information protection;
  • complying with uniform rules on how to process personal information across borders, including but not limited to retention periods, data security measures, and emergency plans; and
  • conducting prior Data Protection Impact Assessments.

Data subject rights

  • how data subjects' rights can be guaranteed, including:
    • the data subject being the beneficiary party of a relevant legal instrument and entitled to request a copy of the relevant sections regarding its rights;
    • the right to know about, decide on, restrict and/or refuse the processing of its personal information by a given data processor;
    • the right to review, copy, correct, supplement, and delete its personal information;
    • the right to request explanations on relevant processing rules;
    • the right to refuse automated decision-making as the only available decision-making mechanism;
    • the right to complain and report to competent PRC authorities; and
    • the right to sue at the venue of its residence.
  • how a participating data controller/processor's responsibility can be fulfilled, including:
    • notifying the data subject of the identity of the data processors and obtaining the data subject's separate consent;
    • complying with the executed legal instruments;
    • providing ways for the data subject to exercise its rights to check, copy, correct, supplement, or delete its personal information;
    • terminating processing activities in the event of uncertainty, so as to ensure the security of personal information;
    • taking measures in the event of potential or actual personal information security incidents and notifying the competent authorities as well as the data subjects;
    • providing, at the data subject's request, a copy of the relevant sections of the legal instrument;
    • cooperating and complying with inspections and other enforcements by the certifying institution; and
    • complying with relevant laws and regulations and being subject to the jurisdiction of PRC courts.

Compared with the broad language of Article 38 of the PIPL, the Specification presents a more detailed certification scheme, but several matters still need clarification, such as the time frame, procedure and validity period of certification, and the competent authority that grants and supervises certification. We expect further implementation rules to be issued in the future.
