Protect yourself: Interpretation of Article 42 of the Personal Information Protection Law

Author: Fa Yi said

Article 42: Where foreign organizations or individuals engage in personal information handling activities that infringe upon the personal information rights and interests of citizens of the People's Republic of China, or endanger the national security or public interest of the People's Republic of China, the state internet information departments may enter them into the list of restrictions or prohibitions on the provision of personal information, make a public announcement, and employ measures such as restricting or prohibiting the provision of personal information to them.

  [Purpose of the Article]

  This article provides that the CAC has the right to take measures against foreign organizations or individuals that infringe on the rights and interests of personal information or endanger the public interest.

  [Understanding of the article]

  While the rational use of personal information promotes economic development, it also brings new threats and challenges to personal privacy and data security protection. In order to better safeguard sovereignty in cyberspace, proactively respond to cyber attacks and sabotage at home and abroad, and further strengthen the state's measures to maintain network security and protect personal information security, Article 5 of the Cybersecurity Law stipulates that: "The State shall take measures to monitor, defend against and dispose of cyber security risks and threats originating within and outside the territory of the People's Republic of China, protect critical information infrastructure from attacks, incursions, interference and sabotage, punish illegal and criminal cyber activities in accordance with law, and maintain cyberspace security and order." Cyber sovereignty is the embodiment and extension of national sovereignty in cyberspace, and the principle of cyber sovereignty is an important principle that the mainland adheres to in safeguarding national security and interests and participating in international cyber governance and cooperation. To ensure the security of personal information processing activities, it is necessary to appoint responsible persons to maintain national security, economic security, and people's livelihood. With the development and application of cloud computing, big data and other technologies, network information security is extremely important for maintaining national security and economic security, protecting citizens' personal information rights and interests, and promoting data utilization. The protection of citizens' personal information should be strengthened, preventing it from being illegally obtained, leaked, or illegally used. 
Article 44 of the Cybersecurity Law stipulates that "no individual or organization shall steal or obtain personal information by other illegal means, and shall not illegally sell or provide personal information to others." In addition to personal information, the security of enterprise data and government data is also an important part of maintaining social stability and network security. A threat to the security of personal information is also not conducive to the security and stability of society. From the perspective of national data security, personal information security is an important part of national data security, and national data security can improve the protection of personal information to a certain extent. Based on this, this article stipulates that where foreign organizations or individuals carry out activities that infringe upon personal information or endanger the processing of personal information, the mainland cyberspace administration may take measures such as formulating laws or policies restricting or prohibiting the flow of personal information. Article 4 of the Anti-Foreign Sanctions Law (AFSL) stipulates that: "The relevant departments of the State Council may decide to include in the countermeasures list individuals or organizations that directly or indirectly participate in the formulation, decision, and implementation of the discriminatory restrictive measures provided for in Article 3 of this Law." Therefore, the provisions of this article are consistent with the practices of many countries and regions in the world, and they also have a legal basis.

  While enjoying the various conveniences brought by the high-tech information age, human beings also bear various risks of personal information abuse and privacy leakage. For example, there is a complete criminal chain of black and gray industry with the illegal acquisition of citizens' personal information as the upstream, the buying and selling of personal information as the midstream, and the use of citizens' personal information to commit network fraud as the downstream, which seriously threatens and disrupts the normal order of social life, and the victimized individuals are in a vulnerable and helpless situation. Therefore, any individual or organization using the network shall abide by the Constitution and laws, abide by public order, respect social morality, and must not endanger network security, and must not use the network to endanger national security, honor and interests, incite subversion of state power, incite separatism, undermine national unity, advocate terrorism and extremism, advocate ethnic hatred and ethnic discrimination, disseminate violent, obscene and pornographic information, fabricate or disseminate false information to disrupt economic and social order, or infringe on the reputation, privacy, intellectual property rights and other legitimate rights and interests of others. The State actively carries out international exchanges and cooperation in areas such as cyberspace governance, cyber technology research and development, standard-setting, and combating cyber crimes, promoting the building of a peaceful, secure, open, and cooperative cyberspace, and establishing a multilateral, democratic, and transparent cyber governance system. Data security risks in the era of the digital economy have brought great challenges to the existing security paradigm and legal system, and paradigm innovation and legislative guarantees are urgently needed to maintain data security. 
From the perspective of the stage of technological development, the information security risk faced by human society has gradually evolved from the threat of eavesdropping in the communication process to the risk of computer attacks and information systems being attacked. Article 8 of the Data Security Law stipulates that: "To carry out data processing activities, they shall comply with laws and regulations, respect social morality and ethics, abide by business ethics and professional ethics, be honest and trustworthy, fulfill data security protection obligations, assume social responsibilities, and shall not endanger national security and public interests, and shall not harm the legitimate rights and interests of individuals and organizations." At present, the security threats faced by personal information protection include hacker attacks, insider leakage, etc., and the key to protecting personal information security lies in improving security prevention technology and improving management systems, which are not directly related to the geographical location of personal information storage. The disorderly free flow of personal information across borders will lead to the lack of effective protection of data security, which poses a huge threat to personal privacy and national security, and cannot be solved by market mechanisms alone, so it is necessary to restrict the cross-border flow of personal information through technical measures. Article 3 of the United Nations Global Principles on National Security and the Right to Information clearly stipulates that, in the case of "restriction of information on the grounds of national security", the restriction must comply with the principle of proportionality and must be the least restrictive means that can be used to prevent harm. 
Compulsory certification, recognized standard contracts and similar instruments provide the necessary channels for data export, and at the same time ensure that the necessary risk management and control can be carried out. The United States and the European Union have established a "white list mechanism" to include certain countries and regions among those to which data can flow freely, so as to achieve the unification of standards. Essentially, the whitelist mechanism is a situation in which a country believes that the level of data protection of other countries meets its own minimum requirements, and therefore believes that its own data flowing into those countries is fully protected, without harming the legitimate rights and interests of data subjects. However, it should be noted that the whitelist itself can be flexibly adjusted, and a system of regular assessment and ad hoc assessment should be established to ensure that the data receiving country always maintains a high standard of data protection.

  [Applicable Provisions]

  Acts that infringe upon the personal information rights and interests of mainland citizens or personal information processing activities that endanger the national security and public interests of mainland China may be carried out within China or from outside China, and the PIPL is only applicable within mainland China in principle. However, due to the particularity of the network and the complexity of network security issues, many network security risks and activities that endanger network security come from outside the country, so the provisions of this article are mainly aimed at overseas organizations or individuals. Although during the deliberation of the draft there were opinions that "overseas organizations and individuals" should be amended to "any organization or individual", the current provisions of this article are in line with the principle of jurisdiction stipulated in the relevant laws of the mainland; at the same time, considering that the institutions, organizations and individuals that have committed illegal and criminal acts are located outside the mainland, it may be more difficult to pursue their legal responsibilities in accordance with the law. Accordingly, in addition to pursuing their legal responsibility in accordance with law, the State Internet Information Department may, in accordance with the provisions of this article, decide to include foreign organizations or individuals in the list of restrictions or prohibitions on the provision of personal information, and employ measures such as restricting or prohibiting the provision of personal information. Such measures include, but are not limited to, those listed below, such as other asset freezes or necessary sanctions that have the same effect. 
It should be noted that the subject of measures that can be taken here is the national cyberspace administration, including the central and local levels, so as to effectively ensure the security of personal information and safeguard the legitimate rights and interests of citizens in cyberspace. On the premise of improving personal information protection policies and legal norms, the mainland can establish a whitelist mechanism to reduce the compliance burden of enterprises and smooth the channels for cross-border flow of personal information. In the 2020 Shenzhen Special Economic Zone Data Regulations (Draft for Comments), Shenzhen proposed two models for international cooperation on cross-border flow of personal data, namely the establishment of a multilateral cooperation mechanism model and the establishment of a whitelist model for cross-border flow of personal data, so as to achieve data development and data security. In Shenzhen's exploration of the path of cross-border data flow and practices in line with international development, the mainland can relax the standards accordingly and formulate whitelist rules on the basis of the operational procedures of the principle of adequate protection, and allow countries and regions on the whitelist to carry out data flow and data exchange.

  At present, due to the increasing prevalence of conflicts of interest and jurisdiction over personal information, international cooperation is a reasonable and feasible way to resolve the conflict. As a major country in the digital economy, we should propose and vigorously advocate the mainland's personal information protection plan based on the principles of fairness, openness and impartiality through the United Nations and other international organizations, actively participate in the formulation of the relevant digital economy development agenda and rules for cross-border data flow, and actively use the Belt and Road cooperation platform to promote the establishment of bilateral or multilateral cross-border data flow cooperation mechanisms, so as to enhance the right to speak and take the initiative. At the same time, we can learn from the practices of relevant countries, actively consult and negotiate with them, promote mutual recognition of rules and standards in terms of personal information protection and cross-border data transfer, and establish a whitelist system for cross-border data flows. In addition, outside of the whitelist, corresponding extraterritorial law enforcement jurisdiction and accountability mechanisms should be provided, and where organizations or individuals on the whitelist carry out personal information handling activities that harm the national security of the People's Republic of China, the public interest, or the lawful rights and interests of citizens or organizations, their legal responsibility is to be pursued in accordance with law. 
On the basis of examining the degree of rule of law, data protection capabilities, and regulatory strength of the countries or regions that intend to achieve free movement, for countries that do not meet the requirements of the white list, on the premise of complying with the laws, regulations and regulatory requirements of the mainland, a model contract that adapts to the practices of the financial industry and international standards can be formulated, supplemented by clear and detailed operational guidelines.
