
Protect Yourself: Interpretation of Article 38 of the Personal Information Protection Law

Author: Fa Yi said

Article 38: Where personal information handlers truly need to provide personal information outside the territory of the People's Republic of China due to business or other needs, they shall meet one of the following requirements:

  (1) Pass a security assessment organized by the state internet information department in accordance with article 40 of this Law;

  (2) Undergo personal information protection certification by a professional body in accordance with the provisions of the state internet information department;

  (3) Conclude a contract with the overseas recipient in accordance with the standard contract formulated by the State Internet Information Department, stipulating the rights and obligations of both parties;

  (4) Other requirements provided for by laws, administrative regulations, or the state internet information department.

  Where international treaties and agreements concluded or participated in by the People's Republic of China have provisions on the requirements for providing personal information outside the territory of the People's Republic of China, they may be implemented in accordance with those provisions.

  Personal information handlers shall employ necessary measures to ensure that the overseas recipient's handling of personal information meets the personal information protection standards provided for in this Law.

  [Purpose of the Article]


  This article is about the conditions for providing personal information overseas.

  [Understanding of the article]

  1. The overall logical structure of this article

  In the era of big data, the value of data resources is self-evident, and it is closely tied to the personal safety of citizens and even to national security. Most developed countries have recognized the importance of protecting and developing data resources, and have continuously introduced regulations and policies to seize the commanding heights of data protection or to maintain their digital sovereignty through various means; among these, the requirements for cross-border data transfer constitute an important aspect of data protection and personal information protection. For example, the GDPR devotes a special Chapter 5 to the "transfer of personal data to a third country or international organization", and personal data may be exported only if the relevant conditions stipulated in the GDPR are met. The U.S. Clarifying Lawful Overseas Use of Data Act (CLOUD Act) gives law enforcement agencies the ability to obtain data across borders in order to maintain U.S. hegemony in the data field. The conflict of international data jurisdiction and the competition for dominance in data governance suggest that we should attach great importance to the issue of cross-border data transfer in the digital era. In this context, this article stipulates the specific conditions that must be met before personal information may be exported abroad, so as to ensure the safe and orderly development of personal information export activities.

  Paragraph 1 of this article integrates the rules on the export of personal information found in laws and regulations such as the Cybersecurity Law, the Data Security Law, and the Regulations on the Administration of the Credit Reporting Industry, and provides four channels for providing personal information overseas. This gives a more diversified legal basis for the export of personal information, and also provides a unified normative basis and a higher-level legal basis for the effective implementation of specific provisions on personal information export, such as the Measures for the Security Assessment of Personal Information Export. Paragraph 2 stipulates that international treaties and agreements concluded or acceded to by the mainland may serve as a lawful basis for providing personal information abroad. Paragraph 3 stipulates that information processors shall take measures to ensure that overseas recipients comply with the mainland's personal information protection standards. Whether personal information is exported through one of the four channels specified in paragraph 1 or in the circumstances covered by paragraph 2, the condition specified in paragraph 3 must be met, i.e., "necessary measures shall be taken to ensure that the overseas recipient's processing of personal information meets the personal information protection standards provided for in this Law". In terms of its overall logical structure, therefore, this article stipulates five major channels for exporting personal information from the mainland; each specific situation is analyzed below.


  2. The understanding of "truly necessary to provide it outside the territory of the People's Republic of China due to business or other needs"

  (1) "Truly necessary to provide it outside the territory of the People's Republic of China due to business needs"

  1. Due to business needs. "Business needs" means that the export of personal information should be directly related to realizing the business function of the product or service, and that the function of the product or service cannot be realized without the personal information in question. For example, if a domestic airline does not transmit passengers' ticketing information to overseas airports, it will be unable to carry out international aviation business in an orderly manner. "Genuine need" means that cross-border transmission of personal information shall comply with the principle of minimum necessity. When determining "genuine need" in a specific case, a comprehensive judgment may be made based on factors such as the frequency and volume of personal information transmitted overseas.

  2. The understanding of "other needs". The "other needs" here means that personal information may also be exported for other lawful and legitimate purposes. Specifically, this includes the following situations: (1) Scientific research needs. For example, in order to carry out international cooperative scientific research, it is necessary to transport, mail, or carry relevant personal information out of the country. (2) Legitimate needs of the company's internal management. Typically, the overseas headquarters of a company conducts anti-commercial-bribery or anti-fraud compliance investigations into the conduct of its domestic subsidiaries, and requires the domestic subsidiaries to provide relevant personal information to the parent company. (3) Official needs. Where it is necessary to provide personal information overseas because of participation in judicial proceedings or administrative investigations abroad, approval must be sought from the relevant competent departments in accordance with law. (4) Other circumstances with lawful and legitimate purposes.

  (2) Provision outside the territory of the People's Republic of China

  1. The understanding of "outside the territory". Paragraph 1 of Article 89 of the Exit and Entry Administration Law stipulates: "Leaving the country means going from the Chinese mainland to other countries or regions, from the Chinese mainland to the Hong Kong Special Administrative Region and the Macao Special Administrative Region, and from the Chinese mainland to Taiwan." Considering the differences between the legal systems of mainland China and Hong Kong, Macao and Taiwan, the term "outside the territory" in this article focuses more on "customs borders" than on "national borders": if a relevant entity transfers personal information to the Hong Kong, Macao or Taiwan regions, this is "provision outside the territory of the People's Republic of China" as provided for in this article, and it shall comply with the relevant requirements of this Law. In addition, in order to implement the "Overall Plan for Comprehensively Deepening the Pilot Program for the Innovative Development of Trade in Services" issued by the Ministry of Commerce, 28 provinces and cities including Beijing and Shanghai have issued documents actively exploring cross-border data mechanisms in free trade zones and free trade ports. Considering the special status and functions of FTZs, as well as the application of other legal regimes, the status and nature of these zones within the cross-border data regime still need to be clarified by legislation.

  2. The connotation of "providing overseas". "Outbound transfer of personal information" refers to a one-time or continuous activity in which a network operator provides personal information collected and generated in the course of its operations within the territory of the People's Republic of China to an institution, organization or individual outside the People's Republic of China, whether through direct provision or through conducting business, providing services, products, etc., excluding data that the network operator has publicly disclosed in accordance with law. "Provision of personal information abroad" essentially refers to the export of personal information, and the specific methods can be divided into offline and online. Offline means that personal information is recorded directly on a tangible carrier and mailed or transported overseas; online means that personal information is transferred overseas through the Internet.

  It should be noted that the common case of "personal information export" is the transfer of personal information beyond the geographical borders of a country, but the two are not identical. First, in some cases, the transfer of personal information "overseas" does not necessarily constitute an export of personal information. For example, where personal information that was not collected or generated in the course of domestic operations merely passes through the country without any change or processing, this is not an export of personal information. Second, personal information that is not transferred "overseas" may still constitute an export of personal information. In practice, there are also cases where, even within a sovereign state, crossing a certain area is generally considered cross-border. For example, providing personal information to an entity located within the territory of the country but not under its jurisdiction, or not registered in its territory, is regarded as an export of personal information. Where personal information is not transferred to or stored outside the home country, but is accessed and viewed by foreign institutions, organizations, or individuals, this is also considered an export of personal information.

  3. Specific understanding of the five major channels for personal information to leave the country

  (1) Pass a security assessment organized by the state internet information department

  In principle, an information processor that wants to provide personal information overseas may undergo a security assessment or choose another channel. In exceptional cases, the information processor may only choose the security assessment. For example, according to Article 40 of this Law, critical information infrastructure operators and personal information processors that process personal information in amounts prescribed by the CAC must pass a security assessment organized by the CAC before exporting personal information. The reason the PIPL focuses on strengthening the personal information security protection responsibilities of these two types of entities is that the amount of personal information they control is large and closely related to the national economy and people's livelihood, and a unified security assessment by the cyberspace administration can strengthen the state's safeguarding of national security. For the identification of these two types of entities, please refer to the discussion of Article 40 of this Law.

  The specific requirements and methods of the security assessment are not clearly defined in the current law. For details, please refer to the Information Security Technology - Guidelines for Security Assessment of Cross-border Data Transfer (Draft for Comments) and the Measures for Security Assessment of Cross-border Transfer of Personal Information (Draft for Comments). For example, the first focus of the security assessment is "the purpose of the export" and the second is "security risk". The purpose of the export must satisfy the requirements of "legality, legitimacy and necessity" at the same time. For the assessment of "security risk", it is necessary to comprehensively consider the nature of the exported data and the likelihood and impact of a security incident in the cross-border transfer. Judging the data's attributes mainly involves its type, quantity, scope, degree of sensitivity and technical processing; judging the likelihood and degree of impact of a security incident in the cross-border transfer must take into account the technical and management capabilities of the sender for data export, the security protection capabilities and measures of the data recipient, and the political and legal environment of the country or region where the data recipient is located.

  (2) Personal information protection certification

  The second channel for transferring personal information abroad is "personal information protection certification". In accordance with the provisions of the Cyberspace Administration of China, and after being certified for personal information protection by a professional body, relevant entities may provide the personal information under their control overseas. At present, the relevant provisions do not make clear which personal information export scenarios fall under the provisions of the national cyberspace administration and require personal information protection certification by a professional institution; the cyberspace administration will subsequently issue specific detailed rules. In addition, how certification is to be carried out, which professional institutions are entitled to certify, and similar questions have yet to be addressed by supporting measures.

  (3) Sign a standard contract

  For the cross-border transfer of personal information by entering into a contract with an overseas recipient, the Personal Information Protection Law (Draft) only stipulated that "a contract shall be entered into with the overseas recipient, stipulating the rights and obligations of both parties, and supervising its personal information processing activities to meet the personal information protection standards stipulated in this Law". The Personal Information Protection Law (Second Reading Draft) amended this to "enter into a contract with the overseas recipient in accordance with the standard contract formulated by the CAC, stipulating the rights and obligations of both parties", and at the same time moved the content of "ensuring that the personal information processing activities of the overseas recipient meet the personal information protection standards provided for in this Law" into paragraph 3 of Article 38 of this Law. This approach is modeled on the GDPR's Standard Contractual Clauses.

  According to Chapter 5 of the GDPR, personal data may be transferred across borders to third countries or international organizations that the EU has recognized as providing an "adequate level of data protection", such as New Zealand, Switzerland, Argentina, Japan, etc., i.e., transfers under an "adequacy decision". If data is to be transferred across borders to countries, regions or organizations not covered by an adequacy decision, the data may still be transferred if "appropriate safeguards" are in place, and the Standard Contractual Clauses (SCC) are an important means of exporting data. Relevant entities in the EU may transfer personal data abroad if they enter into a standard contract with a foreign entity that undertakes to comply with the Standard Contractual Clauses.

  Since the relevant authorities have not yet issued a standard contract for the export of personal information from the mainland, this channel is not operable for the time being. With reference to comparative law, we believe that the specific content of the contract should include facts such as the scope, method, and frequency of transmission, the rights and obligations of both parties under different data processing relationships, and specific measures for the protection of personal information, so as to ensure that the degree of protection of personal information under the contract meets the standards stipulated in this Law.

  (4) Other requirements provided for by laws, administrative regulations, or the state internet information department

  1. Laws. For example, Article 36 of this Law provides for personal information processed by state organs being provided abroad, that is, "where personal information processed by state organs truly needs to be provided overseas, a security assessment shall be conducted. The security assessment may require the support and assistance of the relevant authorities." Another example is the provision of personal information to foreign judicial or law enforcement agencies under Article 36 of the Data Security Law and Article 41 of this Law, that is, where a foreign judicial or law enforcement agency requests the provision of personal information stored within the territory of the People's Republic of China, it shall not be provided without the approval of the competent authority of the People's Republic of China.

  2. Administrative regulations. A typical administrative regulation with special provisions on the export of personal information is the Regulations on the Administration of Human Genetic Resources promulgated by the State Council. Because human genetic resources on the mainland are related to national security, social ethics, and the personal safety of citizens, and because misuse would have serious consequences, their export must be strictly controlled. According to Article 27 of the Regulations, where human genetic resources are exported, a series of conditions shall be met and a certificate for the export of human genetic resource materials issued by the State Council's administrative department for science and technology shall be obtained.

  3. Other provisions of the internet information department. For example, the Cyberspace Administration of China, the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the Ministry of Transport jointly issued the "Several Provisions on the Security Management of Automotive Data (Trial)", which establishes an annual reporting system and an annual supplementary reporting system for the provision abroad of important data containing personal information. That is, in accordance with Article 13, an automotive data processor shall, before December 15 of each year, report to the cyberspace administration and relevant departments of the province, autonomous region or municipality the person in charge of automotive data security management, the name and contact information of the contact person for user rights and interests, automotive data security incidents and their handling, and other annual automotive data security management matters.

  (5) International treaties and agreements concluded or acceded to by the mainland

  1. Content. Paragraph 2 of this article clarifies that international treaties and agreements concluded or acceded to by the mainland may serve as the lawful basis for providing personal information abroad. Article 12 of this Law also stipulates that the State shall actively participate in the formulation of international rules for the protection of personal information, promote international exchanges and cooperation in personal information protection, and promote mutual recognition of personal information protection rules and standards with other countries, regions and international organizations. At present, such international cooperation is still in its infancy and needs to be continuously improved through follow-up systems.

  In judicial practice, cross-border litigation may involve providing domestic personal information to foreign courts in the course of presenting evidence, which brings "judicial assistance" and "cross-border transfer of personal information" into contact. Cross-border judicial assistance is usually premised on a corresponding international treaty, and concluding an international treaty requires a domestic law as its basis. Unlike the "long-arm jurisdiction" established by the U.S. CLOUD Act, the Law on International Criminal Judicial Assistance promulgated by the mainland adheres to the principle of equality and reciprocity, provides a domestic legal basis for the government to conclude criminal judicial assistance treaties in the future and to perform obligations and exercise rights on that basis, and fills the legal gap in international cooperation on criminal judicial assistance.

  2. The understanding of "may". "May" often implies "may not" or "may do otherwise", but in the legislative language of the mainland the word "may" is not strictly limited to that meaning. In our view, the word "may" in this article does not mean "may not". When concluding or acceding to international treaties and agreements, the mainland may declare reservations to certain clauses, and where those reserved clauses are concerned, the relevant provisions of mainland laws, administrative regulations, or the cyberspace administration's provisions on the export of personal information shall apply. Where there is no clause on which the mainland has made a reservation, the international treaties and agreements concluded or acceded to shall be observed, and compliance with them shall not be refused on the grounds of the word "may" in this article.

  4. Paragraph 3: the condition that must be met in the personal information export circumstances specified in paragraphs 1 and 2

  Countries differ in legal culture and value recognition on the issue of cross-border data flows, which leads to inconsistent and even conflicting data protection standards. On the one hand, this creates challenges for supervision by the competent authorities after personal information has been exported; on the other hand, it makes it harder for individuals to exercise their rights and interests in personal information, and poses greater threats to the security of personal information. For this reason, this paragraph imposes a legal obligation on personal information processors to take necessary measures to ensure that the overseas recipient's processing of personal information meets the personal information protection standards set forth in this Law. Regardless of the method by which personal information is exported, this necessary condition must be met.

  Our preliminary research suggests that the first three situations in paragraph 1, i.e., security assessment by state departments, personal information protection certification by professional institutions, and adoption of a standard contract, have to some extent already assessed the feasibility of the overseas recipient providing reciprocal protection; however, if personal information is exported abroad under "other requirements" or "international treaties and agreements", the law still needs to clarify the bottom-line standard of "reciprocal protection".

  [Applicable Provisions]


  In the specific application of this article, attention should be paid to the following issues:

  1. Before undergoing the security assessment, protection certification, etc. provided for in this article, information handlers shall conduct a prior assessment. Article 55 of the PIPL stipulates that where personal information is provided overseas, the personal information processor shall conduct a personal information protection impact assessment in advance and record the processing. According to Article 56 of the Personal Information Protection Law, the assessment mainly covers whether the purpose and method of processing personal information are lawful, justified and necessary; the impact on personal rights and interests and the security risks; and whether the protective measures taken are lawful, effective and proportionate to the level of risk. Personal information protection impact assessment reports and processing records shall be kept for at least 3 years. In addition to the above, we believe that enterprises may also assess whether the recipient has had a personal information security incident in recent years, the political and legal environment of the country or region where it is located, and other factors that may pose security risks to the cross-border transfer of personal information.

  2. In principle, the entity conducting the formal assessment before personal information leaves the country shall be a cyberspace administration at the provincial level or above. According to paragraph 2 of Article 9 of the Measures for Security Assessment of the Cross-border Transfer of Personal Information and Important Data (Draft for Comments), the assessing body is the competent authority or regulatory authority of the industry, and where that authority is unclear, the CAC shall make the assessment. However, Article 4 of the later-released Measures for the Security Assessment of Cross-border Transfer of Personal Information (Draft for Comments) stipulates that the assessing body shall be the provincial-level cyberspace administration. The reason for this change is that the former measures mix personal information and important data, and important data needs to be defined in detail by the competent authority of the industry, so that authority had to be the assessor when the system was designed. The latter measures involve only personal information, and it is reasonable for the cyberspace administration, as the main body for personal information protection and supervision, to organize supervision and assessment in a unified manner.
