On September 28, 2023, the Cyberspace Administration of China (国家互联网信息办公室, "CAC") published the 《规范和促进数据跨境流动规定》 (Regulation for Standardizing and Promoting Cross-border Data Flow, hereinafter the "Regulation") for public comment, with comments accepted until October 15. The Regulation is a further departmental rule on data export issued by the CAC after the 《个人信息出境标准合同办法》 (Measures for Standard Contracts for Personal Information Export, the "Standard Contract Measures") and the 《数据出境安全评估办法》 (Measures for Data Export Security Assessment, the "Security Assessment Measures").
The Regulation aims to promote the secure and free cross-border flow of data. While it refines and concretizes the data export requirements of the 《中华人民共和国数据安全法》 (Data Security Law of the PRC) and the 《中华人民共和国个人信息保护法》 (Personal Information Protection Law of the PRC), it also simplifies the data export requirements set out in the Standard Contract Measures and the Security Assessment Measures, as follows:
1. Clearer definition of important data
The Security Assessment Measures define "important data" broadly: data which, once tampered with, destroyed, leaked, or illegally obtained or used, may endanger national security, economic operation, social stability, public health and safety, and the like. Determining whether the data a handler transfers abroad is important data, and therefore whether a data export security assessment must be filed, is one of the difficulties data handlers most often face in practice, and because the test is outcome-based, handlers have had to take a very conservative stance when processing data. The Regulation addresses this directly: unless the relevant department or region has notified the handler, or has publicly announced, that the data is important data, the data need not be declared as important data for a data export security assessment. A data handler therefore only has to search the information published by its industry regulator and region to confirm whether the data it transfers abroad has already been classified as important data in their notices and public documents; it no longer has to analyse and classify the importance of the data on its own. This standard is considerably clearer than before.
2. Clearer definition of data export
The Regulation makes clear that one precondition for a cross-border transfer of personal information is that the personal information provided abroad was collected or generated within the territory of China. Otherwise the activity is not an export of personal information and is not subject to the related legal requirements of filing a data export security assessment, concluding a standard contract for personal information export, or obtaining personal information protection certification.
Under the Standard Contract Measures and the Security Assessment Measures currently in force, a data handler must identify the legal prerequisites it has to satisfy before a cross-border data transfer along the following four dimensions:
(1) whether it is a critical information infrastructure operator ("CIIO");
(2) whether the data it provides abroad is important data;
(3) the cumulative volume of personal information it has processed before this cross-border transfer; and
(4) the cumulative volume of personal information or sensitive personal information it has provided abroad before this cross-border transfer.
These four dimensions focus on the nature of the data being transferred and on the handler's historical cumulative volume of personal information processing. As a result, under current practice any handler that meets a security assessment threshold must complete a data export security assessment even if it exports only a small amount of personal information day to day (for example, a handler that processes the personal information of 1 million or more individuals, or one that has cumulatively provided abroad the personal information of 100,000 individuals or the sensitive personal information of 10,000 individuals since January 1 of the previous year). Likewise, the standard contract route applies very broadly: even small-volume exports of personal information still require all three steps of concluding a standard contract, conducting a personal information protection impact assessment, and filing with the regulator. Compliance costs are high and the process is complex. The Regulation replaces the four dimensions above with the following:
(1) whether the handler is a CIIO (unchanged);
(2) whether the data provided abroad is important data (unchanged);
(3) the cumulative volume of sensitive personal information the handler has provided abroad before this cross-border transfer (unchanged);
(4) the volume of personal information the handler expects to provide abroad within one year (new); and
(5) the volume of personal information the handler provides abroad in this transfer (new).
Beyond the nature of the data, these dimensions look more at the volume of personal information the handler will transfer abroad in future, so that handlers exporting only small volumes of personal information day to day no longer need to satisfy the prerequisite legal requirements, and compliance costs fall substantially.
In addition, the Regulation sets out three exceptions in which personal information may be transferred abroad without any prerequisite compliance requirement, and authorises pilot free trade zones to draw up their own lists of data that must be brought within the scope of data export security assessment, standard contracts for personal information export, or personal information protection certification (the "negative list").
In summary, the specific requirements compare as follows.

Scenario 1: a data handler that processes the personal information of 1 million or more individuals, or that has cumulatively provided abroad the personal information of 100,000 or more individuals (or the sensitive personal information of 10,000 or more individuals) since January 1 of the previous year, provides any volume of personal information abroad.
Current requirement: file a data export security assessment with the national cyberspace administration through the provincial-level cyberspace administration of the place where the handler is located.
Under the Regulation:
• If the personal information of 1 million or more individuals is to be provided abroad, a data export security assessment must be filed
• If the personal information of fewer than 10,000 individuals is expected to be provided abroad within one year, the data may be exported without filing a data export security assessment
• If the personal information of 10,000 or more but fewer than 1 million individuals is expected to be provided abroad within one year, a data export security assessment need not be filed, but the handler must conclude a standard contract for personal information export with the overseas recipient and file it with the provincial-level cyberspace administration, or obtain personal information protection certification
• If providing personal information abroad is necessary for concluding or performing a contract to which the individual is a party, such as cross-border shopping, cross-border remittance, flight and hotel booking, or visa applications, the data may be exported without filing a data export security assessment
• If providing internal employees' personal information abroad is necessary for carrying out human resources management under lawfully formulated labour rules and lawfully concluded collective contracts, the data may be exported without filing a data export security assessment
• If providing personal information abroad is necessary in an emergency to protect the life, health or property of a natural person, the data may be exported without filing a data export security assessment

Scenario 2: a data handler that is not a CIIO, processes the personal information of fewer than 1 million individuals, and has cumulatively provided abroad the personal information of fewer than 100,000 individuals since January 1 of the previous year, provides any personal information abroad.
Current requirement: conclude a standard contract for personal information export with the overseas recipient and file it with the provincial-level cyberspace administration, or obtain personal information protection certification.
Under the Regulation:
• If the personal information of fewer than 10,000 individuals is expected to be provided abroad within one year, the data may be exported without concluding a standard contract or obtaining personal information protection certification
• If providing personal information abroad is necessary for concluding or performing a contract to which the individual is a party, such as cross-border shopping, cross-border remittance, flight and hotel booking, or visa applications, the data may be exported without concluding a standard contract or obtaining personal information protection certification
• If providing internal employees' personal information abroad is necessary for carrying out human resources management under lawfully formulated labour rules and lawfully concluded collective contracts, the data may be exported without concluding a standard contract or obtaining personal information protection certification
• If providing personal information abroad is necessary in an emergency to protect the life, health or property of a natural person, the data may be exported without concluding a standard contract or obtaining personal information protection certification

Scenario 3: data export falling outside the negative list that a pilot free trade zone has drawn up itself and that has been approved by and filed with the relevant government authorities.
Current requirement: file a data export security assessment, conclude a standard contract for personal information export, or obtain personal information protection certification, as applicable.
Under the Regulation: the data may be exported without filing a data export security assessment, concluding a standard contract for personal information export, or obtaining personal information protection certification.
Apart from the two changes above, the Regulation specifically stresses that where state organs and CIIOs provide personal information and important data abroad, and where any data handler provides abroad sensitive information relating to Party, government or military bodies or to secret-related units, or sensitive personal information, the existing laws, administrative regulations and departmental rules continue to apply.
Under the Regulation as currently drafted, once it takes effect data handlers should pay particular attention to the following aspects of their data export activities and prepare the corresponding compliance work:
• Confirm whether the handler is located in a pilot free trade zone and whether the data it transfers abroad falls outside the negative list drawn up by that zone
• Continuously monitor the catalogues, lists and documents on important data formulated and published by the relevant industry regulators and regions
• Check the volume of data to be transferred abroad against the latest volume thresholds in the Regulation
• Check the content of the data to be transferred abroad: classified and sensitive data remains subject to the existing legal requirements, whereas transfers necessary for concluding or performing a contract to which the individual is a party, for human resources management under labour rules or collective contracts, or in an emergency to protect the life, health or property of a natural person may qualify for the simplified requirements in the Regulation.
The Regulation is only a draft for comment; until it takes effect, the laws and regulations currently in force continue to apply.
English version of the 《规范和促进数据跨境流动规定(征求意见稿)》
Notice of public consultation on the 'Regulation for Standardizing and Promoting Cross-border Data Flow (Draft for Comments)'
Publisher: Cyberspace Administration of China (国家互联网信息办公室)
Publish Date: September 28, 2023
In order to safeguard national data security, protect personal information rights and interests, and further regulate and promote the orderly and free flow of data in accordance with law, the following provisions are made, in accordance with relevant laws, on the implementation of data export regulations such as the Measures for Data Export Security Assessment and the Measures for Standard Contracts for Personal Information Export:
1. Data generated in activities such as international trade, academic cooperation, transnational manufacturing and marketing that does not involve personal information or important data is not required to undergo data export security assessment, conclusion of a standard contract for personal information export, or personal information protection certification before being provided abroad.
2. A data handler is not required to declare data as important data for data export security assessment unless the relevant department or region has notified it, or has publicly announced, that the data is important data.
3. Providing foreign entities with personal information that was not collected or generated within the territory is not required to undergo data export security assessment, conclusion of a standard contract for personal information export, or personal information protection certification.
4. In the following circumstances, data export security assessment, conclusion of a standard contract for personal information export, and personal information protection certification are not required:
(a) where providing personal information to foreign entities is necessary for the conclusion or performance of a contract to which the individual is a party, such as cross-border shopping, cross-border remittance, flight and hotel booking, or visa applications;
(b) where providing internal employees' personal information to foreign entities is necessary for carrying out human resources management in accordance with lawfully formulated labour rules and lawfully concluded collective contracts;
(c) where providing personal information to foreign entities is necessary in an emergency to protect the life, health or property of a natural person.
5. Where a data handler expects to provide foreign entities with the personal information of fewer than 10,000 individuals within one year, data export security assessment, conclusion of a standard contract for personal information export, and personal information protection certification are not required. Where the personal information is provided abroad on the basis of individual consent, the consent of the individual concerned must be obtained.
6. Where a data handler expects to provide foreign entities with the personal information of 10,000 or more but fewer than one million individuals within one year, and it concludes a standard contract for personal information export with the overseas recipient and files it with the provincial-level cyberspace administration, or obtains personal information protection certification, data export security assessment is not required. Where the personal information is provided abroad on the basis of individual consent, the consent of the individual concerned must be obtained.
7. Pilot free trade zones may independently formulate a list of data (the "negative list") that must be included in the management scope of data export security assessment, standard contracts for personal information export, and personal information protection certification. The negative list must be approved by the provincial-level cyberspace administration and filed with the national cyberspace administration.
Data export outside the negative list is not required to undergo data export security assessment, conclusion of a standard contract for personal information export, or personal information protection certification.
8. Where state organs and operators of critical information infrastructure provide personal information and important data to foreign entities, they shall comply with the relevant laws, administrative regulations and departmental rules.
Where sensitive information involving the Party, the government and the armed forces or secret-related institutions, or sensitive personal information, is provided to foreign entities, the relevant laws, administrative regulations and departmental rules shall be complied with.
9. When providing important data and personal information to foreign entities, data handlers shall comply with laws and administrative regulations, fulfil their data security protection obligations and ensure the security of the data export. Where a data export security incident occurs or the security risk of the data export increases, the data handler shall take remedial measures and report to the cyberspace administration in a timely manner.
10. Local cyberspace administrations shall strengthen guidance and supervision of data handlers' data export activities, enhance regulation before, during and after those activities, and, where significant risks are found in a data export activity, require the data handler to rectify them and eliminate the hidden dangers. If a data handler refuses to rectify, or its activities cause serious consequences, it shall be ordered to stop the data export activity in accordance with the law so as to ensure data security.
11. In case of any inconsistency between this Regulation and related regulations such as the Measures for Data Export Security Assessment and the Measures for Standard Contracts for Personal Information Export, this Regulation shall prevail.
NOTE: Unofficial translation for reference only