In the previous article, drawing on projects we have been involved in, we discussed how multinational companies and financial institutions can balance cost and compliance under China's Personal Information Protection Law (the "PIPL") in five areas. This second of three articles continues that topic from further perspectives.
This article discusses how multinational companies can refine their compliance systems within the PIPL framework from the following four aspects:
1. Building channels to protect the rights of data subjects;
2. Supervision and control of third-party data processors;
3. Personal information collected by critical information infrastructure operators (the "CIIO") shall be stored within the territory of the PRC;
4. Assessing the compliance of cross-border data flows.
1 Building channels to protect the rights of data subjects
Chapter 4 of the PIPL grants data subjects the rights to know, to decide, to access and copy, to transfer, to supplement and correct, to delete, and to obtain explanations in relation to their personal information, among others. When conducting data compliance reviews, multinational companies are advised to build a convenient and complete mechanism for protecting these rights. The following points require attention:
(1) Focusing on the protection of data subjects' right to know, based on the principle of notification and consent
The right to know is an important right of data subjects, but the PIPL does not yet set out detailed safeguards for it. We suggest that multinational companies refer to the provisions of the GDPR when carrying out compliance work and provide corresponding safeguards to data subjects. For example, a company should reply to a data subject's request within a reasonable period and provide the information in the manner the data subject requested. The information should be provided in a concise, easily understood form and free of charge, and the company may verify the data subject's identity before providing it where necessary.
(2) Building a classified and graded data protection system
According to Article 5 of the Regulations for the Administration of Network Data Security (Draft for Comment), China establishes a classified and graded data protection system. Multinational companies may refer to the state classification standards to classify and grade their internal network data as general data, important data or core data, and adopt different protection measures for each level, so as to improve the efficiency and targeting of data protection.
Classification and grading should generally follow the state standards and the standards of the company's own industry first. If the industry has no data classification rules of its own, data may also be classified from the perspective of the company's business management.
(3) Providing convenient ways for data subjects to refuse
Under Article 44 of the PIPL, an individual has the right to restrict or refuse the processing of his or her personal information by others; under Article 47, an individual who withdraws consent already given may require the processor to delete the personal information already collected and processed. When processing personal information, multinational companies should protect the data subject's right to refuse and provide convenient, workable ways to opt out.
In a consent form for the processing of employee personal data and images that we reviewed and revised for a multinational company, the authorisation section offered employees two clear options, "Yes" and "No". In the website privacy policy project of another multinational company that we assisted, the company offered its employees "Unsubscribe" and "Opt-out" options, so that employees could at any time refuse some or all notifications sent by the website, either by setting their preferences on the website or by opting out directly.
2 Supervision and control of third-party data processors
In a project we advised on, a North American bank collected personal information from Chinese clients for account opening. Combining practical experience with the provisions of the PIPL, we advised that whether (1) the bank collects the data and then entrusts a third party to process it, or (2) the third party collects and processes the data first and then provides the results to the bank, the collecting party should inform the clients of the recipient's relevant details and supervise the third party's processing activities.
(1) Prudently selecting a third-party processor and confirming that its data processing capability meets the standards of the PIPL
When selecting a third-party data processor, multinational companies are advised to choose prudently and conduct due diligence on the candidate, so as to confirm that its data processing capability meets the requirements of the PIPL and that processing will be secure. If a foreign third-party processor is chosen, the transfer is a cross-border provision of personal information, and under Article 38 of the PIPL the company must first satisfy one of the conditions listed there: pass the security assessment organised by the national cyberspace administration, obtain personal information protection certification from a specialised institution, or conclude a contract with the overseas recipient in accordance with the standard contract formulated by the national cyberspace administration.
(2) Obligation to inform data subjects
In practice, before a company entrusts a third party to process personal information and begins controlling and supervising that processing, it should first obtain the data subjects' consent. Article 21 of the PIPL, which governs entrusted processing, does not expressly require the entrusting party to inform the data subject of the entrusted party's name, contact details, processing purpose, processing method and the types of personal information involved, nor to obtain the individual's separate consent (the notice and separate consent that Article 23 requires when personal information is provided to another processor). However, in our view entrusting a third party is itself a processing method and changes the party carrying out the processing, which triggers Article 17(2) of the PIPL. We therefore suggest that the company still inform data subjects of the changed items: the name of the entrusted third party and the processing purpose, method, types of information and storage period.
(3) Conducting a personal information protection impact assessment before providing data
Under Article 55 of the PIPL, a company that entrusts a third party to process personal information, or provides personal information to a third party, must conduct a personal information protection impact assessment beforehand and record the processing; the assessment report and processing records must be kept for at least three years. In practice, the company's legal, compliance or information security department may lead the assessment, and the company may decide, according to its own circumstances, whether to carry out the assessment itself or to engage an independent external third party to do so.
(4) Signing a data processing contract with clearly defined rights and obligations
When entrusting a third party to process personal information, the company should sign a personal data processing agreement with it. To better control and supervise the third party's processing, the entrusting party should set out the rights and obligations of both parties expressly in the contract, limit the methods and scope of the third party's processing, define each party's liability in particular, and establish and implement a means of supervision by the entrusting party.
3 Personal information collected by a CIIO shall be stored within the territory of the PRC
Article 40 of the PIPL requires critical information infrastructure operators ("CIIOs") to store the personal information they collect within the territory of the PRC. As major participants in cross-border data activities, multinational companies that qualify as CIIOs need to comply actively with the PIPL's data storage requirements when carrying out cross-border data compliance work.
(1) Localised storage principle
Under the Security Protection Regulations for Critical Information Infrastructure, critical information infrastructure refers to important network facilities and information systems in important industries and fields such as public telecommunications and information services, energy, transport, water conservancy, finance, public services, e-government, and national defence science, technology and industry, as well as other important network facilities and information systems whose destruction, loss of function or data leakage could seriously endanger national security, the national economy, people's livelihood or the public interest. Whether a multinational company is a CIIO is determined by the competent and supervisory authorities of the above industries and fields.
(2) Main methods of localised storage
Companies falling within this scope, whether domestic or foreign, must use servers located in China when collecting and storing personal information and data relating to critical fields. For example, a well-known US technology company migrated its mainland Chinese users' data to a Chinese big data company and now stores it entirely on servers in China, and a US new energy vehicle company has set up a data centre in China so that all data generated by vehicles sold in mainland China is stored domestically. Automotive data security and communications data security, as representative areas of critical information infrastructure, have been the first to move towards localisation in practice and are driving data compliance requirements in other industries.
4 Assessing the compliance of cross-border data flows
The digital economy plays an increasingly important role in modern society. A one-sided emphasis on data localisation alone would restrict the effective and orderly flow of data and in turn hold back the global development of multinational companies. Multinational companies are advised to keep the compliance requirements for cross-border data flows in mind at all times, so that data flows comply with national regulations and the business risks caused by non-compliance are reduced.
(1) Assessing the legality of cross-border data activities under PRC law
We participated in a project in which a Hong Kong bank collected personal information of mainland Chinese clients. The bank asked how such collection would be scrutinised under PRC law. We analysed the legality under PRC law of collecting mainland client information, collecting it through the official website and app, obtaining mainland clients' credit information, and transferring data across the border, provided the relevant legal basis for the bank's reference, and stated specifically what could and could not be done. The legality of cross-border data activities cannot be assessed on the basis of individual laws alone. Each activity must be placed within the broader framework of PRC information security laws and regulations and its legal risk analysed separately, in order to ensure that the multinational company's data activities in China are lawful.
(2) Assessing the risk of overlapping jurisdictions for cross-border data flows
Multinational companies need to follow not only the laws and regulations within China but also legislative developments on data storage and cross-border transfer in the destination country. For example, data exported to the EU must comply with the relevant rules of the GDPR, and for data exported to the United States the company should pay attention to the CLOUD Act and related US regulations, so that data can be transferred effectively.
We will continue to share more insights in our final article on how multinational companies can balance cost and compliance under the PIPL.
Special statement:
The above content represents the author's personal views, does not represent the position of the author's institution, and should not be regarded as a legal opinion or advice of any kind.