
2024/05/07 20:51:32

Another supporting regulation of the Personal Information Protection Law is open for public comment. On June 30, the Cyberspace Administration of China issued the "Standard Contract Regulations for the Export of Personal Information (Draft for Comments)" (hereinafter referred to as the "Regulations"), with a template of the standard contract for the export of personal information attached.


Official website of the Cyberspace Administration of China

The "Regulations" intend to clarify that personal information processors who provide personal information overseas by signing a standard contract must meet four conditions at the same time: they are not critical information infrastructure operators; they process the personal information of fewer than 1 million people; the cumulative amount of personal information provided overseas since January 1 of the previous year does not exceed 100,000; and the cumulative amount of sensitive personal information provided overseas since January 1 of the previous year does not exceed 100,000.

Experts told Nandu reporters that the above quantitative standards echo the "Data Outbound Security Assessment Measures (Draft for Comments)" released last year, positioning the standard contract for relatively "small-scale, unimportant" data outbound scenarios. In addition, regarding the proposed requirement in the "Regulations" that personal information processors register with the local provincial cybersecurity and informatization department within 10 working days from the date the standard contract takes effect, some experts said bluntly that "it is a relatively special provision."

1

The standard contract filing system is "relatively special"

The Personal Information Protection Law (hereinafter referred to as the "Personal Protection Law"), which was officially implemented in November last year, stipulates that personal information processors that need to provide personal information outside China due to business and other needs should meet one of four conditions:

(1) pass the security assessment organized by the national cyberspace department; (2) obtain personal information protection certification from a professional organization in accordance with the provisions of the national cyberspace department; (3) conclude a contract with the overseas recipient in accordance with the standard contract formulated by the national cyberspace department, stipulating the rights and obligations of both parties; (4) other conditions stipulated by laws, administrative regulations or the national cybersecurity and informatization department.

The "Regulations" intend to clarify that if a personal information processor provides personal information overseas based on the third condition above, it shall sign a standard contract for the transfer of personal information abroad (hereinafter referred to as the "Standard Contract") in accordance with the "Regulations", which also provide a standard contract template.

According to Wu Shenkuo, assistant to the dean of the Internet Research Institute of Beijing Normal University and deputy director of the China Internet Society Research Center, the "Regulations" have three key contents. The first is to clarify the applicable situations of the standard contract, which must meet four conditions at the same time. The second is to require a personal information protection impact assessment to be carried out in advance. The third is to implement a filing system and require the filing of standard contracts and personal information protection impact assessment reports.

Among them, regarding the filing requirements, the "Regulations" intend to require personal information processors to register with the local provincial cybersecurity and informatization department within 10 working days from the date of the standard contract taking effect, and submit the standard contract and personal information protection impact assessment report. "This is a relatively special provision. Many countries do not have such a filing mechanism." Wu Shenkuo said.

Not long ago, the National Information Security Standardization Technical Committee issued the "Security Certification Specifications for Cross-Border Processing of Personal Information" (hereinafter referred to as the "Certification Specifications") to provide a certification basis for establishing the personal information protection certification system required by Article 38, Paragraph 1, Item (2) of the aforementioned Personal Information Protection Law.

A Nandu reporter noticed that while both are documents that implement the provisions of the Personal Protection Law regarding the export of personal information, the "Certification Specifications" and the "Regulations" have completely different legal effects: the former is a recommended national standard, and the latter is a departmental regulation.

In this regard, Wu Shenkuo pointed out that under the "Certification Specifications", as a standards document, certification is not carried out in the name of a state agency; rather, the state recognizes the certification made by the certification agency. "Generally speaking, certification should be completed by market entities rather than directly certified by state agencies. The role of state agencies is to recognize the effectiveness of this certification. This is also an international practice. It is rare to hear of state agencies conducting certification."

2

Applicable to "small-scale, unimportant" data export scenarios

The "Regulations" are intended to clarify that if a personal information processor meets the following circumstances at the same time, it can provide personal information overseas by signing a standard contract: it is not a critical information infrastructure operator; it handles the personal information of less than 1 million people; it has provided the personal information of less than 100,000 people overseas since January 1 of the previous year; and it has provided the sensitive personal information of less than 100,000 people overseas since January 1 of the previous year.

It is worth noting that the three figures "1 million", "100,000" and "10,000" already appeared in the "Data Transfer Security Assessment Measures (Draft for Comment)" (hereinafter referred to as the "Assessment Measures") released last year.

The "Assessment Measures" propose that when a data processor provides data overseas and one of five circumstances applies, including "personal information processors that process personal information of one million people provide personal information overseas", "provide more than 100,000 personal information overseas in total" and "personal information of more than 10,000 people or sensitive personal information of more than 10,000 people", a data export security assessment should be reported to the national cyberspace department through the local provincial cyberspace department.

In the view of Lu Jing, a partner at Shihui Law Firm, the quantitative standard in the "Regulations" echoes the "Assessment Measures". "Those who exceed this quantitative standard need to apply for a security assessment by the cybersecurity and informatization department in accordance with the 'Assessment Measures'; those who do not meet this quantitative standard can, in accordance with the 'Regulations', sign a standard contract on their own and file the contract with the cyberspace department."

He also pointed out that the slight difference between the quantitative standards in the "Regulations" and the "Assessment Measures" is that, for the cumulative quantitative standards, the former adds the expression "since January 1 of the previous year." This means that, for the provision of personal information and sensitive personal information overseas, the cumulative calculation will be limited to two years, rather than continuous accumulation from one point in time.

Wu Shenkuo also holds a similar view. He believes that the standards in the "Regulations" are consistent with the relevant provisions of other data export mechanisms, which reflects the legislative attention to strengthening the protection of personal information and also echoes the principle of classified protection of personal information emphasized in the Personal Information Protection Law.

"This is basically the positioning of the standard contract: it applies to relatively 'small-scale, unimportant' data export scenarios and is not an applicable template for all scenarios of data export," Xiong Dingzhong, chief partner of Qinglu Law Firm, wrote in an article.

Both of the above documents use "people" as the unit for calculating data magnitude, which Xiong Dingzhong believes is still worthy of discussion. "It cannot be ruled out that the number of people falls short of the standard but the actual impact is greater because the field magnitude is too high. To give an example: the names of 10,000 people are nothing more than 10,000 pieces of information; but if 1,000 people have accumulated shopping data for a year, the order of magnitude may be millions."

3

Overseas recipients need to have a dedicated contact person to handle inquiries and complaints

The "Regulations" propose that the standard contract include: the basic information of the personal information processor and the overseas recipient; the purpose, scope, type, degree of sensitivity, quantity, method, retention period, storage location, etc. of the personal information exported overseas; the responsibilities and obligations of personal information processors and overseas recipients to protect personal information, as well as the technical and management measures taken to prevent possible security risks caused by the export of personal information; the impact of personal information protection policies and regulations in the country or region where the overseas recipient is located on compliance with the terms of this contract; the rights of personal information subjects, and the ways and means to protect those rights; and relief, contract termination, liability for breach of contract, dispute resolution, etc.

The "relief" clause of the standard contract states that the overseas recipient should identify a contact person within the organization and authorize him to respond to inquiries or complaints about the processing of personal information, and should promptly handle any inquiries or complaints from the personal information subject. The overseas recipient shall inform the personal information processor of the contact information and inform the personal information subject of the contact person's name and contact information in a simple and easy-to-understand manner through a separate notice or announcement on its website.

As for dispute resolution, the standard contract intends to stipulate that if the personal information subject files a lawsuit against the personal information processor or overseas recipient as a third-party beneficiary, the jurisdiction shall be determined in accordance with the provisions of the "Civil Procedure Law of the People's Republic of China". How to understand this provision?

Wu Shenkuo said that the parties have the right to agree on the jurisdiction of civil litigation, and the legal application of the contract and the jurisdiction of the dispute litigation are two independent issues. "A lawsuit can be filed domestically or overseas according to statutory rules, and it does not necessarily fall under the jurisdiction of Chinese courts because the standard contract clauses provided by our country are used. This provision avoids the 'one size fits all' and leaves it to the Civil Procedure Law for resolution. The Civil Procedure Law has various rules to choose from regarding jurisdictional issues."

"The standard contract is applicable to a wide range of scenarios. In such cases, it is difficult to make clear provisions through a single litigation jurisdiction rule, so the relevant provisions of the Civil Procedure Law need to be used to resolve contract dispute jurisdiction issues in various scenarios," he further explained.

In terms of legal liability, the "Regulations" intend to propose that if a personal information processor fails to perform the filing procedures or submits false materials for filing, fails to perform the responsibilities and obligations stipulated in the standard contract and infringes on the rights and interests of personal information, causing damage, or in other circumstances affecting the rights and interests of personal information, the cybersecurity and informatization departments at or above the provincial level shall order corrections within a time limit in accordance with the Personal Protection Law; if the processor refuses to make corrections or damages the rights and interests of personal information, it shall be ordered to stop the export of personal information and be punished in accordance with the law; if a crime is constituted, criminal liability shall be pursued in accordance with the law.

Interview and writing: Nandu reporters Fan Wenyang and Jiang Lin, intern Cheng Yuqi
