How Can Multinational Companies Balance Cost and Compliance under China's PIPL? (Part 1)

2022-06-08 10:34:00    Author: 周亮; the intern 姚沁圆 also contributed to this article
Following the introduction of the Personal Information Protection Law of the People's Republic of China (hereinafter the "PIPL") in November 2021, China's legal framework for personal information protection has been improving steadily. For multinational companies, reviewing the compliance of their cross-border activities under China's personal information protection regime has become an urgent task. We have advised numerous multinational companies on PIPL compliance for cross-border data processing projects, which has given us a practical understanding of how the PIPL's requirements are applied. Drawing on this experience, we will publish three articles analyzing, from a practical PIPL perspective, how multinational companies can balance the costs and risks of compliance.
 
This is the first article in the series. It introduces how multinational companies can improve their compliance systems under the PIPL from the following perspectives:
 
• Foreign websites face a lower risk of falling under the PIPL's extraterritorial jurisdiction, while setting up Chinese-language websites and moving data across borders within an international group carry a higher risk;
 
• Besides individual consent, necessity for human resource management and for performing contractual obligations can also serve as the legal basis for collecting and processing personal information;
 
• Evaluating and improving the company's privacy policy and cookie policy;
 
• Performing the duty of notification when processing employee data;
 
• Anonymizing personal information so that a transfer does not constitute a transfer of personal information.
 
1. When Overseas Collection and Processing of Personal Information Is Subject to the Extraterritorial Jurisdiction of the PIPL
 
Multinational companies usually have multiple subsidiaries or branches worldwide. If an overseas headquarters, subsidiary or branch processes the personal information of natural persons located in China (not only PRC nationals but also foreign nationals within China's territory) and the conditions of Article 3, paragraph 2 of the PIPL are met, the PIPL has extraterritorial jurisdiction over that overseas entity. The PIPL applies to an overseas company in the following circumstances: (1) the processing is for the purpose of providing products or services to natural persons in China; (2) the processing analyzes or evaluates the activities of natural persons in China; or (3) other circumstances stipulated by laws and administrative regulations.
 
We once advised a North American bank on PIPL data compliance in connection with online account opening services offered to PRC residents who had not travelled to that jurisdiction. In that matter, it was relatively unlikely that the bank's collection of Chinese clients' information through its website would be characterized as "analyzing and evaluating the activities of natural persons in China", but highly likely that it would be characterized as being "for the purpose of providing products or services to natural persons in China": the information was collected precisely so that the bank could more conveniently offer more banking services to PRC residents. The bank should therefore be regarded as subject to the extraterritorial jurisdiction of the PIPL.
 
In practice, the risk of being subject to the PIPL's extraterritorial jurisdiction varies with the circumstances. Viewed from the regulator's perspective, we consider the possibility and risk of triggering extraterritorial supervision under the PIPL to be relatively small where data collection and processing occur because individuals in China access a foreign website on their own initiative. The following circumstances, however, may carry higher risks:
 
a) Setting up a Simplified Chinese website open to individuals in China and promoting the company's products and services through it
 
In this circumstance, the multinational company is highly likely to be regarded as an overseas personal information processor under Article 3, paragraph 2 of the PIPL, because its purpose of providing products or services to natural persons in China is clearly targeted.
 
b) Cross-border Internal Data Flows Within a Multinational Group
 
We once advised a European bank on information sharing between its China branch and its head office in Europe. In practice, a PRC entity of a multinational group transfers personal information overseas mainly in one of two ways: (1) under an outsourcing agreement, it transfers the personal information it has collected directly to an overseas server and hands it to the server's owner, an overseas company outside the group, for processing; or (2) it transfers personal information collected in China to a data center server of its overseas parent or head office, or moves the data to an overseas group member through a computer system shared within the group. In our view, the information sharing between this bank's PRC branch and its overseas head office falls into the second category. Such a data flow is highly likely to be characterized as a cross-border transfer of personal information, the PRC branch would need to assume the corresponding obligations, and the activity would be subject to supervision under the PIPL. We will elaborate on what to watch for in cross-border transfers of personal information in the next article.
 
c) Large Volumes of Personal Information Processed by Overseas Companies
 
Current PRC laws and regulations do not expressly define "large volume". By reference to Article 9, paragraph 1 of the Measures for the Security Assessment of Personal Information and Important Data to be Transmitted Abroad (Exposure Draft), where data to be transmitted abroad contains, or cumulatively contains, the personal information of more than 500,000 individuals, the network operator should report to the competent industry authority or regulator to organize a security assessment. Therefore, where an overseas company processes a large volume of personal information of individuals in China (for example, more than 500,000 individuals), its risk of being subject to extraterritorial supervision under the PIPL may be high.
 
2. Fully Establishing the Legal Basis for the Collection and Processing of Personal Information
 
When collecting or processing personal information relating to China, multinational companies should fully establish and evaluate the legal basis for those activities. Article 13 of the PIPL establishes an "inform-consent" principle at the core of personal information processing and provides six circumstances in which individual consent is exempted. Multinational companies should pay particular attention to the following:
 
a) Method of Obtaining Individual Consent
 
Obtaining individual consent should leave an audit trail. Under Article 69 of the PIPL, the liability of personal information processors is allocated on the "presumption of fault" principle: a processor that wishes to be exempted from liability bears the burden of proving that it was not at fault. This places high demands on processors' evidence preservation. To avoid difficulties of proof in any dispute, multinational companies, as personal information processors, should therefore keep proper records and archives of the procedures for obtaining individual consent, compliance audits and personal information protection impact assessments, and should be cautious in relying on any legal basis other than individual consent, so as to better protect their rights and interests under the PIPL.
 
b) Legal Bases for Which the Risk of Violating the PIPL Without Individual Consent Is Low
 
Individual consent is not required where a multinational company (i) as a party to a contract, must collect and process personal information in order to conclude or perform that contract; (ii) collects employees' personal information as needed for human resource management; or (iii) collects personal information in order to perform statutory duties or obligations. Accordingly, where any of these circumstances applies, the risk of violating the PIPL is relatively low even if individual consent has not been obtained. We nevertheless recommend that clients seek professional advice before relying on any of these legal bases.
 
3. Evaluating and Refining the Company's Privacy Policy and Cookie Policy
 
a) Evaluating and Refining the Privacy Policy
 
Under the PIPL, personal information must be processed in accordance with the principles of openness and transparency. Multinational companies are therefore advised to display a privacy notice, policy or statement explicitly on their websites and anywhere else that may involve users' personal information, in order to alert users and obtain their consent. To be compliant with the PIPL, the privacy policy should mainly cover: (i) the name and contact information of the processor; (ii) the purpose and method of processing; (iii) the types of information collected and processed and the retention period; and (iv) the way and procedure by which data subjects can exercise their legal rights.
 
b) Evaluating and Refining the Cookie Policy
 
Although a cookie policy is not a mandatory requirement of the PIPL, in our observation most companies display a cookie policy on their websites in practice. To meet the compliance requirements of the PIPL and other relevant laws and regulations, a multinational company is advised to display its cookie policy on its website and provide a Chinese version. The cookie policy may be placed alongside the privacy statement or presented separately for users to tick or choose from. For example, in one matter we handled, a multinational client's cookie policy offered users options to delete, clear or block cookies at their own discretion.
 
 
4. Reviewing the Compliance of Employee Data Processing
 
 
a) Reference Checks and Human Resource Management
 
Under Article 13, paragraph 1, item (2) of the PIPL, a company's collection or processing of employees' personal information may rest on either of the following two legal bases, neither of which requires the employees' prior consent:
 
 
(i) Reference checks: necessary for the conclusion and performance of a contract to which the individual is a party
 
Under Article 8 of the Labor Contract Law, an employer is entitled to know a worker's basic information directly related to the labor contract, and the worker must provide it truthfully. Therefore, where the purpose of a reference check is to collect and process an employee's basic information directly related to the labor contract in order to perform that contract better, the employer may process that personal information without the employee's consent.
 
(ii) Human resource management: necessary for implementing human resource management in accordance with lawfully formulated labor rules and regulations and lawfully concluded collective contracts
 
In addition to the basic employee information covered in item (i), a company may need to collect other personal information of employees for human resource management, such as salary, sick leave and attendance records. In general, a company may specify the employee personal information it collects and processes in its lawfully formulated labor rules and regulations and publicize those rules, but such collection and processing must be confined to what is "necessary for implementing human resource management". A company may not arbitrarily collect and process employees' sensitive personal information, such as religious beliefs or whereabouts and movements, merely on the ground of human resource management.
 
b) Content and Manner of Notification by the Employer
 
As an employer, a company that collects and processes employees' personal information must perform its duty of notification to employees at onboarding, training and other stages of human resource management, and must comply with the following PIPL requirements on the content and manner of that notification:
 
(i) The company shall inform employees, in a concise, transparent, easy-to-understand and conspicuous manner, of the name and contact information of the personal information processor, the purpose and method of processing, the types of information, and the retention period and storage location.
 
(ii) Separate consent from the employee must be obtained before processing sensitive personal information. The company shall inform employees of the necessity and impact of such processing, conduct a personal information protection impact assessment beforehand, and keep records of the processing afterwards.
 
(iii) The company shall inform employees of the rights they may exercise and how to exercise them, and provide convenient and feasible channels for doing so.
 
When entrusting a third party to collect or process employees' personal information, the company shall inform employees of the third party's name and contact information, agree with the third party on the rights and obligations of both sides, including the processing method, types of information, purpose and period, and supervise the third party's processing activities as required by the PIPL.
 
5. De-identification and Anonymization of Personal Information
 
The PIPL's definition of personal information expressly provides that information that has not been anonymized is personal information protected by the PIPL. Article 51 of the PIPL sets out processors' obligations to prevent leakage, tampering and loss of personal information, including adopting corresponding security measures such as encryption and de-identification. Multinational companies that store personal information are therefore advised to adopt the necessary technical measures for de-identification and anonymization as part of their compliance work.
 
In one project we participated in, a Hong Kong bank used an identity information comparison service to help mainland customers open bank accounts in Hong Kong. Although the comparison service provider encrypted the comparison result during the cross-border transfer, the result was ultimately decrypted before being presented to the Hong Kong bank. In our view, the customers' personal information had not been successfully anonymized, so the cross-border transfer of that personal information remained subject to the PIPL.

In the next two articles we will continue to share our views on how multinational companies can balance risks and costs under the PIPL.

 


Special Statement:

The above reflects the authors' personal views, does not represent the position of their firm, and should not be regarded as legal opinion or advice in any form.

 
