Compliance Analysis of Reversed IT Outsourcing by Foreign Financial Institutions

2022-11-03 09:53:00    Authors: Zhou Liang (周亮), Zhang Yufeng (张宇峰)
On 30 December 2021 the China Banking and Insurance Regulatory Commission issued the Measures for the Regulation of Information Technology Outsourcing Risks of Banking and Insurance Institutions (the "IT Outsourcing Risk Measures"), which set out comprehensive requirements for the management of IT outsourcing risk by banking and insurance institutions, including regulatory requirements for the procedures of cross-border outsourcing. We recently participated in a reversed cross-border outsourcing project, in which a foreign financial institution outsourced its information systems to a domestic (PRC) institution ("Reversed Outsourcing"). In our view, Reversed Outsourcing is a form of entrusted processing of personal information, that is, the engagement of a processor. In practice, a foreign financial institution should determine whether it needs the separate consent of the personal information subjects according to whether the outsourcing service provider has independent control and processing rights over the data, and it should conduct a personal information protection impact assessment before carrying out the Reversed Outsourcing.

I. Business model of Reversed Outsourcing

Under the IT Outsourcing Risk Measures, IT outsourcing means a banking or insurance institution entrusting information technology activities that it would otherwise handle itself to a service provider. Cross-border IT outsourcing ("Cross-border Outsourcing") usually means a domestic banking or insurance institution entrusting IT activities to an offshore service provider; the service flows from onshore to offshore.
 
Unlike Cross-border Outsourcing, in the project we handled the foreign financial institution outsourced its information systems to a domestic institution, which provides system development, operation and maintenance, data processing and other services. Because the service under this model flows from offshore to onshore, the opposite direction to Cross-border Outsourcing, we call it Reversed Outsourcing. Reversed Outsourcing usually involves two stages:
 
(1) In the course of its business, the foreign financial institution collects personal information of domestic clients ("Clients' Personal Data");
 
(2) Under the outsourcing agreement, the foreign financial institution entrusts all Clients' Personal Data to the domestic institution for storage, and engages the domestic institution to provide financial system maintenance, data processing and other services.

II. Legal analysis of Reversed Outsourcing
 
1. The Personal Information Protection Law ("PIPL") applies to Reversed Outsourcing
 
Under Article 4 of the PIPL, the processing of personal information includes the collection, storage, use, processing, transmission, provision, disclosure and deletion of personal information, among other activities. The foreign financial institution's collection of Clients' Personal Data, and its entrusting of the domestic institution to store and process that data, are therefore all processing activities under the PIPL.
 
In addition, under the second paragraph of Article 3 of the PIPL, the PIPL applies to the processing, outside the PRC, of the personal information of natural persons located in the PRC where the purpose is to provide products or services to those natural persons. A foreign financial institution that collects Clients' Personal Data and outsources its information systems for the purpose of providing products or services to natural-person clients in the PRC is therefore subject to the PIPL.
 
2. Reversed Outsourcing is an entrusted processing of personal information
 
Under clause 6.1.4.4 of the Personal Financial Information Protection Technical Specification (JR/T 0171-2020, the "Financial Information Specification"), entrusted processing means a financial institution, for the needs of its financial products or services, entrusting the personal financial information it has collected to a third-party organisation (including outsourcing service providers and external cooperation partners) for processing.
 
The provision of personal information, by contrast, usually takes two forms in practice: transfer and sharing. Under clauses 3.8 and 3.9 of the Financial Information Specification, transfer is the process by which control of personal financial information passes from one controller to another; sharing is the process by which a controller of personal financial information provides it to another controller, with both parties holding independent control over the information. Provision therefore centres on the passing of control, and reflects the independent will of both provider and recipient.
 
In a Reversed Outsourcing project, the domestic institution may process Clients' Personal Data only on the instructions of the foreign financial institution and has no independent control or processing rights over the data. Reversed Outsourcing should therefore be characterised under PRC law as an entrusted processing of personal information.
 
Both entrusted processing and provision, however, are cooperative arrangements for processing personal information, and the exact characterisation of such an arrangement depends on an overall assessment of the cooperation model, the processing activities involved and other factors. In practice it is therefore often hard to draw a precise line between the two. For example, while providing data compliance services to a bank, we found that its outsourcing service provider could process clients' personal data at its own discretion. An outsourcing arrangement of that kind looks like entrusted processing on the surface, but may in fact be characterised as a provision of personal information.

III. Compliance recommendations for Reversed Outsourcing
 
1. Determine whether separate consent of the personal information subjects is required according to whether the outsourcing service provider has independent control and processing rights
 
Under Article 21 of the PIPL, where a personal information processor entrusts the processing of personal information to another party, it must agree with the entrusted party on the purpose, period and method of the entrusted processing, the categories of personal information, the protection measures, and the rights and obligations of both parties, and it must supervise the entrusted party's processing activities. Nothing in this provision requires the prior consent of the personal information subjects for entrusted processing.
 
In a provision of personal information, by contrast, the recipient has much greater independent control. To protect the personal information subject's right to know and right to consent, Article 23 of the PIPL requires a personal information processor that provides the personal information it processes to another personal information processor to obtain the individual's separate consent (having informed the individual of the recipient's name, contact details, processing purpose, processing method and the categories of personal information).
 
On the question of whether separate consent of clients must be obtained, entrusted processing and provision of personal information therefore differ fundamentally. In principle, Reversed Outsourcing is an entrusted processing and does not require the prior consent of the personal information subjects. As noted above, however, entrusted processing and provision are easily confused, and there is a real risk in practice that a Reversed Outsourcing arrangement will be characterised as a provision of personal information. We therefore recommend that a foreign financial institution define the scope of the outsourcing service provider's processing before carrying out Reversed Outsourcing:
 
(1) If the outsourcing service provider may process Clients' Personal Data only within the scope authorised by the foreign financial institution and only on its instructions, the foreign financial institution need not obtain the separate consent of the personal information subjects before the Reversed Outsourcing;
 
(2) If the outsourcing service provider has independent processing rights over Clients' Personal Data, or may process that data at its own discretion beyond the entrusted scope, the foreign financial institution should obtain the separate consent of the personal information subjects before the Reversed Outsourcing.
 
2. Personal information protection impact assessment
 
Under Article 55 of the PIPL, both entrusting the processing of personal information and providing personal information to another personal information processor require a personal information protection impact assessment to be conducted in advance. We therefore recommend that a foreign financial institution conduct a personal information protection impact assessment before implementing the outsourcing; the assessment method may follow Information Security Technology: Guidance for Personal Information Security Impact Assessment (GB/T 39335-2020).
 
 
IV. Conclusion
 
As business models such as internet finance continue to evolve, foreign financial institutions increasingly need to collect the personal data of domestic clients and outsource its processing to domestic institutions. This is especially true of foreign financial institutions with Chinese parentage, which usually need to pass the client personal data they collect to their group companies in the PRC for centralised storage and processing. Based on the analysis above, we recommend that a foreign financial institution carrying out Reversed Outsourcing decide whether separate consent of the personal information subjects is required according to whether the outsourcing service provider has independent control and processing rights, and conduct a personal information protection impact assessment, so as to reduce its compliance risk.

Special statement:
Dacheng Law Offices strictly observes its duty of confidentiality to clients; the client project matters referred to in this article are taken from public information or disclosed with the client's consent. The content and views in this article are for reference only, do not represent any position of Dacheng Law Offices, and should not be treated as a legal opinion or legal advice in any form. To reproduce or quote any part of this article, please contact us by private message for authorisation and credit the source at the beginning of the reproduced text. No part of this article may be reproduced or used without authorisation.

 


Copyright © 2017 Beijing Dacheng (Guangzhou) Law Firm.