
Protect yourself: Interpretation of Article 36 of the Personal Information Protection Law

Author: Fa Yi said

Article 36: Personal information handled by state organs shall be stored within the mainland territory of the People's Republic of China; where it is truly necessary to provide it overseas, a security assessment shall be conducted. The security assessment may require the support and assistance of the relevant authorities.

  [Purpose of the Article]


  This article is about the relevant rules for the storage and provision of personal information processed by state organs.

  [Understanding of the article]

  I. Personal information handled by state organs shall be stored within the mainland

  In the era of big data, state agencies inevitably have to process a large amount of personal information in order to better perform their statutory duties and manage public affairs. Compared with other data, personal information, as a kind of personality rights, carries a variety of interests protected by law, including not only the personal information rights and interests of natural persons, but also the rights to privacy, name, portrait, reputation and other personality interests. The processing of personal information may also involve freedom of expression, public safety, and national security. Moreover, due to the nature and functions of state organs, the personal information they process is more comprehensive, richer and more sensitive than that processed by ordinary personal information processors. Judging from the existing practice on the mainland, state organs have processed a large amount of personal information, especially sensitive personal information, through data processing technologies such as fingerprint collection, identity registration, video surveillance, and real-name registration, for the purposes of ensuring social stability, cracking down on crime, and strengthening public security. The personal information processed by state organs is therefore a very important strategic resource in terms of breadth and depth, as well as in terms of use value and strategic value; it is related not only to the personal and property safety of the information subject, but also to public safety and even national security. If such information is stored overseas, the differences in overseas storage environment, storage capacity, and relevant laws and regulations will inevitably bring great risks to its storage. Once such personal information is leaked or lost, it will inevitably cause irreparable losses and even catastrophic consequences. Therefore, whether from the perspective of the overall national security concept or of the protection of personal dignity and personality rights and interests, this article stipulates that personal information handled by state organs shall be stored within the territory of the People's Republic of China, in order to increase the security of personal information and strengthen the capacity to manage its security.

  The storage of personal information within the territory of the People's Republic of China is commonly referred to as storage localization. Article 37 of the Cybersecurity Law stipulates that "personal information and important data collected and generated by critical information infrastructure operators in the course of operating within the territory of the People's Republic of China shall be stored within the territory of the People's Republic of China." However, that article limits the obligation to localize the storage of personal information to "critical information infrastructure operators". On April 11, 2017, the Cyberspace Administration of China (CAC) issued the Measures for Security Assessment of Cross-border Transfer of Personal Information and Important Data (Draft for Comments), which further expands the scope of the obligation to localize personal information storage. Article 2 of the Measures stipulates that "personal information and important data collected and generated by network operators in the course of operations within the territory of the People's Republic of China shall be stored within the territory of the People's Republic of China." According to this article, all personal information collected by network operators shall be stored within the territory of China.

  The PIPL provides for the localization of personal information storage through two provisions. One is this article, on the localization of personal information handled by state organs. The other is Article 40 of this Law, which stipulates that critical information infrastructure operators and personal information processors that process personal information in the amount specified by the CAC shall store personal information collected and generated within the territory of the People's Republic of China within that territory. Of the two, Article 40 is a general provision on the storage of personal information in China, and this article is a special provision. Regardless of whether a state organ is a critical information infrastructure operator, or whether the amount of personal information it handles reaches the amount specified by the state internet information department, as long as it has the nature of a state organ, the personal information it handles shall be stored within the territory of the country, without exception.

  II. The necessity of cross-border provision of personal information handled by state organs

  Personal information is related to the personal and property safety of individuals, as well as public safety and even national security, and strengthening the protection of personal information has become the consensus of all countries. Based on this consensus, this article clearly stipulates that personal information processed by state organs must be stored within the territory of China.

  However, mobility is a natural attribute of personal information, and if personal information does not flow, it will lose its value of existence. In the era of the digital economy, trade in both goods and services is inseparable from the global interconnection of information and the cross-border flow of data. The flow of personal information includes both internal and external flows, and external flows involve the cross-border provision of personal information. Therefore, the cross-border provision of personal information is an unavoidable part of our formulation of personal information protection laws and regulations.

  With the deepening of countries' understanding of the significance and impact of cross-border data flow, cross-border data flow has gradually become an important issue in the game between countries and regions. Based on national security, economic development, industrial capacity and other considerations, countries have established different cross-border data flow strategies, and based on this, they have accelerated the construction of their own cross-border data flow rule system. In addition to the need for countries to share certain personal information for the common interests of mankind, the mainland also needs to actively build its own rules and mechanisms for cross-border data flow, put forward China's plan for cross-border flow of personal information, and strive for more voice in the rules for cross-border processing of personal information.

  At present, the mainland has adopted a number of laws and regulations to regulate the cross-border flow of data, including personal information, from the Cybersecurity Law to the Measures for the Security Assessment of the Cross-border Transfer of Personal Information and Important Data (Draft for Comments) and the Measures for the Security Assessment of Cross-border Transfer of Personal Information (Draft for Comments), as well as from the Measures for the Administration of Data Security (Draft for Comments) to the Data Security Law and the Personal Information Protection Law. At the same time, the mainland actively participates in the formulation of international rules in the digital field through multilateral mechanisms such as the United Nations, the G20, BRICS, APEC and the WTO, and advocates the launch of the G20 Digital Economy Development and Cooperation Initiative, the Belt and Road Initiative for International Cooperation in the Digital Economy, the Action Initiative for Building a Community with a Shared Future in Cyberspace, and the Global Data Security Initiative, contributing China's solutions to the development of the global digital economy and cyberspace governance.

  III. Security Assessment of Cross-border Provision of Personal Information

  As countries become more aware of the significance and impact of cross-border data flows, the international community is aware of the huge benefits that cross-border data flows can bring, as well as the potential impact on national security and individual rights and interests. There are multiple risks associated with the cross-border provision of personal information. First, there is uncertainty in the ability of overseas recipients to protect personal information. If the overseas institution fails to properly keep the personal information, this will easily lead to the leakage or abuse of personal information, which will have a serious impact on the personal information security of domestic users. Second, there are differences in laws and regulations on personal information protection in different countries. The different levels of understanding of and attention to the rights and interests of personal information in different countries will inevitably lead to differences in how the laws and regulations of various countries regulate those rights and interests. For example, the Cybersecurity Law of the People's Republic of China clearly stipulates that users have rights and interests such as deletion, correction, complaints and reports, informed consent, and security protection of personal information, but after the personal information is exported, the protection of the user's personal information rights and interests by overseas recipients is subject to the laws and regulations of the local country and region. If the overseas recipient country does not have laws and regulations related to personal information protection, or if its laws and regulations on personal information protection are different from those in mainland China, it will be difficult to protect the personal information rights and interests of domestic users. Third, there are difficulties in collecting evidence for overseas rights protection. If domestic personal information is infringed abroad, due to objective reasons such as different laws and regulations, limited scope of supervision, language and cultural differences, international police cooperation and coordination, etc., there will be certain difficulties in protecting users' rights, investigating and collecting evidence, and eliminating the impact of personal information leakage.

  In view of this, the Cybersecurity Law for the first time stipulates the rules that a security assessment must be conducted for the cross-border provision of personal information, and the subsequent Measures for Security Assessment of Cross-border Transfer of Personal Information and Important Data (Draft for Comments) and the Measures for Security Assessment of Cross-border Transfer of Personal Information (Draft for Comments) further refine and clarify the security assessment of cross-border provision of personal information. According to Article 38 of this Law, security assessment is only one of the bases for the legality of cross-border provision, but it is not the only basis for legality. However, a security assessment must be conducted in the circumstances provided for in Article 40 of this Law, i.e., where critical information infrastructure operators and personal information processors that process personal information up to the amount specified by the CAC provide personal information across borders, as well as in the circumstances provided for in this article, where state organs truly need to provide personal information overseas.

  [Applicable Provisions]


  I. Applicable rules for the cross-border provision of personal information by state organs

  This article makes special provisions on the storage and cross-border provision of personal information handled by state organs. In addition, Chapter III of this Law specifically stipulates the rules for the cross-border provision of personal information. According to Article 33 of this Law, "This Law shall apply to the activities of state organs in the processing of personal information; where there are special provisions in this section, the provisions of this section shall apply." The processing of personal information by state organs is subject to this Law. Therefore, when state organs provide personal information across borders, in addition to the special provisions of this Article, for matters not provided for in this Article they shall comply with the general provisions of Chapter III of this Law on "Rules for Cross-border Provision of Personal Information". For example, Article 39 of this Law provides: "Where a personal information processor provides personal information outside the territory of the People's Republic of China, it shall inform the individual of matters such as the name of the overseas recipient, contact information, purpose of processing, method of processing, the types of personal information, and the methods and procedures for individuals to exercise their rights under this Law with overseas recipients, and obtain the individual's separate consent." When state organs provide personal information overseas, they are also required to fulfill the obligation to inform the information subject and obtain the individual's separate consent.

  However, in the event of any contradiction or conflict between the relevant provisions of Chapter III of this Law and the provisions of this Article, the special provisions of that Section shall apply in accordance with the provisions of Article 33. For example, there are three articles in this law that refer to security assessment, namely this article, Article 38 and Article 40. In trial practice, attention should be paid to distinguishing the differences and connections between the three, so as to accurately apply the law.

  Article 38 of this Law stipulates the conditions that personal information processors shall meet for cross-border provision of personal information, of which conducting a security assessment is only one of the bases on which personal information processors can obtain legality for cross-border provision of personal information. Personal information may also be provided overseas on the basis of administrative regulations or other conditions provided by the state internet information department. Compared with Article 38, this Article is a "special provision" as provided for in Article 33: when state organs provide personal information overseas, only the rule of this Article, namely conducting a security assessment, may be applied. State organs may not provide personal information overseas simply by obtaining personal information protection certification from a professional institution in accordance with the provisions of the State Cyberspace Administration, or by entering into a contract with an overseas recipient in accordance with the standard contract formulated by the State Cyberspace Administration.

  Article 40 of this Law is a specific provision for security assessment. However, if the state organ happens to be a critical information infrastructure operator or handles personal information up to the amount specified by the CAC, there is no objection to the application of this article; but if the state organ is not a critical information infrastructure operator and the amount of personal information it handles does not reach the amount specified by the CAC, the special provisions of this article shall apply, and the relevant provisions of Article 40 cannot be applied. In addition, Article 40 also stipulates exceptions to the security assessment, that is, "where laws, administrative regulations and the cyberspace administration of the People's Republic of China stipulate that a security assessment may not be conducted, such provisions shall prevail". However, this article does not provide for any exceptions for state organs to conduct security assessments; that is, as long as state organs are involved in providing personal information abroad, security assessments shall be conducted, and there are no exceptions.

  II. Procedural rules for state organs providing personal information security assessments across borders

  Both the Cybersecurity Law and this Law provide for a security assessment system, but both mention it only in passing and lack specific operational rules. In 2017 and 2019, the Cyberspace Administration of China (CAC) issued the Measures for Security Assessment of Cross-border Transfer of Personal Information and Important Data (Draft for Comments) and the Measures for Security Assessment of Cross-border Transfer of Personal Information (Draft for Comments), respectively, which set out detailed provisions on the security assessment of personal information. Although the two drafts have not yet been finalized, the content and procedures of the security assessment set out in them can serve as a reference for state authorities when applying the provisions to conduct security assessments.


  Article 5 of the Measures clarifies the scope of responsibilities of the CAC and the industry authorities, and stipulates that the CAC shall coordinate the security assessment of the cross-border data transfer and guide the industry supervisor or regulatory department to organize and carry out the security assessment of the cross-border data transfer. Article 6 stipulates that the industry supervisor or regulatory department shall be responsible for the security assessment of the data export of the industry, and shall regularly organize and carry out the security inspection of the data export of the industry. In addition, the Measures clearly stipulate the form, time and requirements of the security assessment, the main content of the security assessment, and the specific circumstances under which data shall not be allowed to be exported. Article 4 of the Measures for Security Assessment of Cross-border Transfer of Personal Information (Draft for Comments) clarifies that the materials to be submitted for the application for security assessment include the declaration form, the contract signed between the network operator and the recipient, the analysis report on the security risks and security measures of the cross-border transfer of personal information, and other materials required by the CAC. Articles 13 to 17 standardize the content of the contract and the main content of the security risk analysis report.
