Protect yourself: Interpretation of Article 39 of the Personal Information Protection Law

Author: Fa Yi said

Article 39: Where personal information handlers provide personal information outside the territory of the People's Republic of China, they shall inform the individual of matters such as the overseas recipient's name, contact information, purpose and method of handling, and type of personal information, as well as the methods and procedures for individuals to exercise the rights provided for in this Law with the overseas recipient, and obtain the individual's separate consent.

  [Purpose of the Article]

  This article sets out the matters of which individuals must be notified when personal information is provided overseas, and the requirement to obtain the individual's separate consent.

  [Understanding of the article]

  With the rapid development of economic globalization and network technology, cross-border flows of personal information are becoming more and more frequent. Because legal systems and the level and degree of personal information protection differ between countries and regions, the risks of cross-border transfers of personal information are more complicated. In such circumstances, the lawful rights and interests of personal information subjects are more likely to be harmed, so they must be given adequate and effective warnings. To this end, this Law sets stricter "notification-consent" requirements for the cross-border provision of personal information, aiming to effectively protect individuals' right to know and right to decide. This Article and Article 38 together constitute the core provisions on the cross-border provision of personal information. The difference is that the conditions for the export of personal information stipulated in Article 38 focus more on meeting national regulatory requirements, while Article 39 sets out the obligation that personal information processors must perform in order to protect personal information rights and interests and the rights and interests of individuals.

  1. The content of the notice and the form of the notice

  (1) The content of the notice

  For all personal information processing activities that require the consent of the individual, the processor is required to fulfill the obligation to inform the individual, and the processing activities can only be carried out after obtaining the individual's consent. Valid consent presupposes that the person concerned has been informed, i.e. when consent is requested, he or she should be provided with all necessary information relating to it. This information shall include all the substance of the data processing; otherwise the consent concerned will not be sufficient to legitimize the processing of such data. This involves the issue of information transparency. While transparency alone is not sufficient to legitimize data processing, it is nevertheless necessary to ensure that any subject has control over their own data and can give valid consent. This article adopts the method of "enumeration + exhaustion" for the content of the notification, which includes "the identity of the overseas recipient, contact information, the purpose of processing, the method of processing, the type of personal information, and the way in which the individual exercises the rights provided for in this Law to the overseas recipient". Compared with the notification obligation stipulated in the first and second drafts, the PIPL amends the notification of "the identity of the overseas recipient" to "the organizational or personal name of the overseas recipient", further clarifying the content of the notification.

  The obligation to notify when personal information is transferred abroad must also comply with the requirements of the general notification rules. Article 17 of this Law is the basic provision on the form, content, and method of notification before the processing of personal information, and on this basis, this article further makes special provisions on the content of notification in the case of cross-border transmission of personal information. Before personal information is transferred abroad, relevant personal information processors need to comply with both the content requirements of this article and the form of notification provided for in article 17 of this Law, including truthful, accurate, and complete notification of relevant matters to the Personal Data Subject in a conspicuous manner and in clear and understandable language.

  On January 20, 2020, the National Information Security Standardization Technical Committee issued the Guidelines for Notification and Consent of Personal Information in Information Security Technology (Draft for Comments), which provides special guidance in this regard, including "applicable circumstances of notification and consent", "circumstances of exemption from notification and consent", "basic principles of notification and consent", "content, method, display and appropriateness of notification", "mode selection and mechanism design of consent, change and withdrawal, and evidence retention". It can be used as a reference when the guidelines come into effect.

  (2) The form of notification

  The core requirement of this article for "notification-consent" is "separate consent". Separate consent implies "separate notification". Before this Law came into effect, laws and regulations only provided that "consent" was also required for the transfer of personal information, but there was no requirement for "separate consent". The personal information transfer clause in an App's privacy policy was often mixed with other personal information processing scenarios, and the user only had to check a single, unified consent option. This "consent" to all personal information processing activities at once, the so-called typical "blanket consent", was relatively common in the past. With the promulgation of this Law, consent to the export of personal information obtained in the form of "blanket consent" will no longer be valid. Before personal information is exported, the relevant personal information processor must inform the user of the relevant matters through a separate prompt, such as a separate pop-up window in the app or on the web page, and the consent is valid only once the user has given it separately.

  2. Separate Consent

  (1) The status of consent in the export of personal information

  Some countries or regions give consent the same status as risk assessment and the conclusion of standard contracts, treating it as one of the channels through which personal information may be exported abroad. For example, the Queensland Information Privacy Act stipulates that information processors may transfer personal information overseas after obtaining the individual's consent.

  However, according to this article, consent is not an independent channel for personal information to leave the country, and obtaining consent does not mean that personal information processors can circumvent other provisions. Where personal information processors provide personal information overseas, they are still required to obtain the separate consent of the information subject in accordance with this article after meeting the conditions specified in Article 38. In other words, if an information processor provides personal information overseas, it must not only meet the requirements of Article 38 of this Law, but also obtain the individual's separate consent in accordance with the provisions of this Article.

  (2) The connotation and form requirements of separate consent

  "Separate consent" means that the personal information processor should effectively inform the personal information subject through a notification that is separate, specific and distinct from the notification of other personal information handling matters, and on this basis obtain the individual's specific and explicit consent to the export of personal information. In summary: "one processing act + one notification + one consent".

  With regard to the formal requirements for separate consent, and the similarities and differences between separate consent and written consent, what the two have in common is that both are particularly strict requirements on the form of consent in specific personal information processing situations under this Law. Under Article 29 of this Law, the processing of sensitive personal information requires the individual's separate consent; where laws and administrative regulations provide that written consent shall be obtained for the handling of sensitive personal information, those provisions are to be followed. From the perspective of literal interpretation, "separate consent" and "written consent" overlap, and this Law does not stipulate that "separate consent" must be made in writing, so the form of separate consent may include written, oral or other forms. In addition, from the point of view of whether or not the information subject acts actively, individual consent can be either express or implied.

  Combined with the provisions of Articles 14, 22 and 23 of this Law, when there is a change in the privacy rules of a personal information processor, a major change in the purpose, scope, type, and quantity of data export, a change in the data recipient, or a major change in the risk of data export, the separate consent of the Personal Data Subject shall be obtained again.

  [Applicable Provisions]

  1. About the time of notification

  In general, personal information processors must notify the individuals whose personal information is processed before processing personal information, and cannot inform individuals after the personal information processing has already been carried out. According to Article 18 of the Personal Information Protection Law, if it is not possible to notify individuals in a timely manner in order to protect their lives, health and property safety in some emergency situations, the information processor may first carry out the information processing acts. Of course, after the emergency has been eliminated, the processor should still fulfill the obligation to inform.

  2. Language requirements for notification

  Personal information handlers shall truthfully, accurately, and completely inform individuals in a conspicuous manner and in clear and understandable language. If the processor informs individuals using technical terms that are difficult to understand, it is difficult for individuals to predict the impact of information processing on their rights and interests, and therefore difficult for them to make a free decision. A conspicuous manner means that the content of the processor's notice can be easily recognized and understood by ordinary people; the processor cannot use very small fonts, redundant text, etc., such that individuals cannot identify the content of the notification. Clear and understandable language means that the processor should inform individuals in language that ordinary people can understand, so that any individual without expertise in the processing of personal information can understand what the processor is informing them of.

  3. Circumstances in which consent is not required

  Where personal information processors provide personal information overseas, in principle, they must fulfill the obligation to inform and obtain the individual's consent. However, in accordance with paragraph 1 of Article 18 of the Personal Information Protection Law, where laws or administrative regulations require that the handling of personal information be kept confidential or provide that notification is not needed, the personal information processor may refrain from notifying the individual. For example, according to the Law on International Criminal Legal Assistance, a foreign country may request investigation and evidence collection from China, which may include personal information such as financial accounts and whereabouts.

  4. Subjects of obligations to obtain separate consent

  In the course of the enactment of this Law, there was a view that the subject of the obligation to inform and obtain the individual's consent should be clearly defined. From the meaning of this provision, this obligation shall be borne by the processor that provides the personal information. It should be noted that in previous judicial practice, the "Sina Weibo v. Maimai Software Unfair Competition Case" established the "triple authorization principle" for personal information sharing: not only must the personal information provider obtain the individual's consent, but the recipient must also obtain the individual's consent, and the recipient must also obtain the provider's consent. Obviously, this rule protects the rights and interests of personal information subjects to the greatest extent, but it also sets up too many obstacles to the circulation and use of personal information, which is not conducive to the full development and utilization of personal information resources. Therefore, in judicial adjudication, it is recommended to abandon the aforesaid principle of triple authorization, adopt the "notification and separate consent" model of this article as the legal basis for the circulation of personal information, and leave the obligation to inform and obtain consent to the personal information provider. The personal information provider may provide personal information overseas after obtaining the individual's separate consent and complying with the other provisions of this Law.

  5. Regarding the object of notification and the subject of separate consent

  If the information processor wants to export personal information, it must notify the "individual" and obtain his or her separate consent. "Individual" here generally refers to the information subject, and under special circumstances, if the personal information of a minor under the age of 14 is involved, the information processor shall obtain the consent of the minor's guardian. Of course, in order to ensure that the guardian's consent is made on the premise of being fully informed and after reasonably considering the impact of the information export on the rights and interests of the minor, the object of the information processor's notification shall also be the minor's guardian.
