In the previous two articles, drawing on our experience in data privacy projects, we discussed how multinational companies and financial institutions can balance cost and compliance in nine respects under the PIPL. In this final article of the PIPL series, we continue to discuss how multinational companies can strike that balance.
This article introduces, in the following five respects, how multinational companies can improve their compliance systems under the PIPL:
1. Ensuring legality and compliance when using personal information in automated decision-making
2. Conducting a personal information protection impact assessment before launching new projects or rolling out new systems
3. Designating a data protection officer (DPO)
4. Building a response mechanism for data security incidents
5. Properly handling conflicts between personal information compliance requirements in different jurisdictions
1. Ensuring legality and compliance when using personal information in automated decision-making
Automated decision-making refers to activities in which computer programs automatically analyze and assess an individual's behavioral habits, interests and hobbies, or financial, health or credit status, and make decisions on that basis. With the rapid development of the internet, video websites and shopping platforms of all kinds have mushroomed, and big-data-enabled price discrimination against existing customers, as well as content recommendations based on usage habits or search history shared between linked apps, have become common. Article 24 of the PIPL regulates automated decision-making in detail; when engaging in automated decision-making, companies shall:
(1) Ensure the transparency of the decision-making and the fairness and impartiality of its results, and not subject individuals to unreasonable differential treatment in terms of transaction conditions. Companies are prohibited from exploiting big data to discriminate on price against existing or new customers, and shall inform data subjects that an automated decision-making mechanism will be used, in a place where they can readily notice the notification.
(2) When pushing information or conducting commercial marketing to individuals, provide options that are not targeted at their personal characteristics, or offer individuals a convenient way to opt out. For example, data subjects should be given settings to clear their personal preferences and an option to refuse advertising pushes.
(3) At the request of data subjects, explain decisions that have a significant impact on their rights and interests; data subjects have the right to refuse decisions made by the personal information processor solely by means of automated decision-making. Companies shall protect the data subjects' right to autonomous decision-making, reduce their reliance on automated decision-making, and analyze data comprehensively through multiple channels for business development and management.
2. Conducting a personal information protection impact assessment before launching new projects or rolling out new systems
In China's first face recognition case, decided in 2020, a zoo in Hangzhou changed the entrance verification method for its annual pass from fingerprint recognition to face recognition and sent a text message to the plaintiff requesting that the plaintiff activate the new method by face. The plaintiff, dissatisfied with the zoo's arrangement, filed a lawsuit. The court held that changing the annual pass entry method from fingerprint recognition to face recognition, and intending to activate face recognition using photos already collected, exceeded the original purpose of collection and violated the principle of legitimacy. The zoo was ordered to delete the facial feature information, including the photos, that it had collected when the plaintiff applied for the annual pass.
In our view, the zoo should have carried out a personal information protection impact assessment before upgrading the annual pass verification method, assessing the impact of the upgrade on personal information and its security risks, and assessing whether the measures taken were legal, effective and proportionate to the degree of risk, so as to substantiate the legality, legitimacy and necessity of the upgrade, reduce the company's data compliance risk and avoid the resulting disputes. According to Article 55 of the PIPL, a personal information processor shall conduct a personal information protection impact assessment in advance and keep records of the processing when: (i) processing sensitive personal information; (ii) using personal information for automated decision-making; (iii) entrusting others to process personal information, providing personal information to other personal information processors, or disclosing personal information publicly; (iv) providing personal information to overseas parties; or (v) carrying out other personal information processing activities that have a significant impact on individuals' rights and interests. Since facial recognition data and individuals' whereabouts are sensitive information, multinational companies should, before launching new projects or rolling out new systems, complete a personal information protection impact assessment of the intended information collection activities and use it as the justification for their collection of personal information, thereby reducing the data compliance risks that multinational companies and financial institutions face when developing new projects or systems.
3. Designating a data protection officer (DPO)
In a project in which we assisted a North American bank with online advance account opening and activation upon arrival for Chinese residents who had not yet entered the country, we answered in the negative the question of whether the bank needed to establish the post of data protection officer (DPO), because in our assessment the volume of this business would not exceed the quantity threshold specified by the national cyberspace authority; the client therefore did not need to appoint a DPO. Conversely, a multinational company that processes a large amount of information in its data activities is advised, in order to better meet data compliance requirements, to designate a DPO within the company who is specifically responsible for data protection:
(1) Function of the data protection officer
Under Article 52 of the PIPL, a personal information processor that processes personal information in a quantity reaching the threshold specified by the national cyberspace authority shall appoint a person in charge of personal information protection, who is responsible for supervising the personal information processing activities and the protection measures adopted. The person in charge of personal information protection under this article is similar to the DPO (data protection officer) under the EU GDPR. The article aims to set up a relatively independent data protection role within the company to supervise and manage data-related activities, act as a channel of communication with the supervisory authorities, handle communication and contact with data subjects, and perform these duties objectively and independently, so that the employer's instructions do not affect the officer's findings of fact and conclusions. In practice, a number of government departments and companies have already established such positions (data protection officer or chief data officer) to manage data security. For example, after Guangdong Province issued the Work Plan of Guangdong Province for the Pilot Program of the Chief Data Officer System in 2021, Shenzhen, Zhuhai and Guangzhou successively issued notices to implement it. As another example, a large telecommunications company has appointed a full-time data protection officer and placed compliance directors or product security directors in its headquarters, business units and subsidiaries, forming a vertically integrated, coordinated and complete operational mechanism for risk prevention.
(2) Appointment of the data protection officer
The PIPL currently imposes no mandatory qualification requirements for a data protection officer, so a company may appoint one of its own employees or engage an external third party to act as its DPO. Because the DPO's functions require a degree of independence and expertise, a company that appoints an internal employee should watch for conflicts of interest between the DPO's functions and those of the employee's original position, so as to ensure that the DPO's independent judgment is not affected by other factors. In addition, the DPO should have professional competence in data management and protection, be familiar with the relevant laws and regulations, and be genuinely able to provide reliable advice on the company's data protection.
4. Building a response mechanism for data security incidents
The promulgation of the PIPL makes data compliance a statutory obligation for multinational companies, and data security has become an important part of the institutional framework that multinational companies must attend to and improve. Data security not only emphasizes risk prevention to keep data security incidents from occurring, but also requires a sound emergency response mechanism for handling data security issues. Item (5) of Article 51 of the PIPL provides that companies shall formulate emergency plans for personal information security incidents and organize their implementation. Such measures are intended to ensure that the handling of personal information complies with laws and administrative regulations and to prevent unauthorized access to, and leakage, tampering with or loss of, personal information.
From the perspective of corporate governance, multinational companies may prepare emergency plans for personal information security incidents in the following three respects:
(1) Establishing an internal data security committee. The committee is made up of members from the company's various departments; it discusses and approves a data security management plan internally, under which the members from each department collect their department's data security management information on schedule and report it to the committee.
(2) Conducting regular drills. Companies shall formulate emergency plans for data security incidents, organize employees to drill them regularly (at least once a year), review the results of the drills, and provide targeted data security training so that employees are familiar with the data security protection duties of their own positions.
(3) Establishing a sound, timely and effective reporting mechanism. Under Article 29 of the Data Security Law, risk monitoring shall be strengthened when carrying out data processing activities; when risks such as data security defects or vulnerabilities are discovered, remedial measures shall be taken immediately; and when a data security incident occurs, response measures shall be taken immediately, users shall be notified as required, and the incident shall be reported to the competent authorities in a timely manner. Accordingly, when a data security incident occurs, a multinational company must promptly report it to the local competent authorities, promptly inform the affected data subjects, and keep proper records of the incident for any subsequent investigation.
5. Properly handling conflicts between personal information compliance requirements in different jurisdictions
A multinational company operates in multiple jurisdictions, and data flows within the company must satisfy the cross-border requirements of both the exporting jurisdiction and the receiving jurisdiction, so that the data flow is compliant at both ends. Differences between the laws of different jurisdictions can produce conflicts in the course of data flows. A typical case is the US Securities and Exchange Commission's request that five Chinese accounting firms produce the audit working papers of companies listed in the US. Under the relevant PRC laws and regulations, accounting firms owe a duty of confidentiality over their audit files, whereas the US Department of Justice required the PRC accounting firms to provide the materials in order to cooperate with its investigation of suspected fraud by China-based US-listed companies. A multinational company should therefore maintain close internal communication when moving data across borders, keep a close watch on changes in the data security laws and regulations of the jurisdictions where its branches and subsidiaries are located, isolate data processing as far as possible, and reduce unnecessary outbound data transfers.
This concludes the final article of the PIPL series, which has offered specific suggestions, drawn from our current practical experience, on how multinational companies and financial institutions can balance cost and compliance. If you have any questions or suggestions after reading this series, please feel free to contact us.
Special statement:
The above content represents the author's personal views, does not represent the position of the author's institution, and should not be regarded as a legal opinion or advice of any kind.