Article 41: The competent organs of the People's Republic of China are to handle requests from foreign judicial or law enforcement agencies for the provision of personal information stored within the territory of China on the basis of relevant laws and international treaties and agreements concluded or acceded to by the People's Republic of China, or in accordance with the principle of equality and reciprocity. Without the approval of the competent authorities of the People's Republic of China, personal information handlers must not provide personal information stored within the territory of the People's Republic of China to foreign judicial or law enforcement agencies.
【Purpose of the Article】
This article is about the processing of personal information requested by foreign judicial or law enforcement agencies.
[Understanding of the article]
In the course of foreign-related judicial or law enforcement in a country or region, it may be necessary to obtain data or citizens' personal information within the territory of other countries, and such cross-border collection of personal information is usually carried out through international judicial or law enforcement assistance.
1. Treaty precedence
Strict compliance with international treaties and agreements concluded or acceded to is a basic obligation of the state and a commitment to the international community. International treaties are the main source of international law and do not fall within the scope of continental domestic law, but through legal procedures, international treaties can have the same binding force as domestic law. To this end, this article first provides for the handling of requests from foreign judicial or law enforcement agencies for the provision of personal information stored in China in accordance with relevant laws and international treaties and agreements concluded or acceded to by the mainland.
With regard to the observance and implementation of international treaties, it is a question of the effectiveness of international treaties within a country. In particular, when certain provisions of international treaties are inconsistent with domestic laws, whether to apply the provisions of international treaties or to apply the provisions of domestic laws has become one of the issues of great concern to the international community. As far as a sovereign state is concerned, the international treaties it has concluded or acceded to express its will to abide by the treaties and put them into practice, but it should independently exercise judicial or law enforcement powers in accordance with its own laws in its territory and not be subject to any external constraints. There are roughly two specific ways to deal with the relationship between international treaties and domestic laws: one is to recognize an international treaty and enact corresponding laws in the country, so that the content of the international treaty appears in the form of domestic law, and the application of the domestic law also implements the content of the treaty; The other is to establish in domestic law the principles for the recognition and enforcement of international treaties, and where the principles are complied with, their validity is recognized and put into practice. The latter method is used by a larger number of countries, as well as on the mainland. With regard to international treaties, each sovereign state acts in accordance with its own national interests, and may or may not participate in it, and even if it does, it is not necessarily necessary to agree to all the contents of the treaty; it has the right to declare that it reserves its own views on one or more of the articles in it, and it is not bound to the articles with reservations, as long as there is a clear declaration at the time of participation, and this is the general practice of international treaties in treating treaties. Paragraph 2 of Article 38 of the Personal Information Protection Law of the People's Republic of China clearly stipulates that "where international treaties and agreements concluded or acceded to by the People's Republic of China have provisions on the conditions for providing personal information outside the territory of the People's Republic of China, they may be implemented in accordance with such provisions." "This provision directly reflects the principle of the primacy of treaties. In the context of deepening economic globalization, some developed countries or regional organizations have started the legal practice of cross-border data flow to achieve the unification of personal information protection standards, such as the US-led "USMCA" digital trade chapter, the EU-U.S. Privacy Shield (EU-U.S. Privacy Shield) agreement between the United States and the European Union. Shield) and GDPR, the rules on cross-border data flow in these three regulations provide a model for cross-border data sharing. Article 48 of the GDPR stipulates that if a third country requires the data controller to transfer or disclose data based on court judgments, arbitration awards and administrative decisions, there must be an international treaty or judicial agreement in force with the EU member state, and the data collection activities carried out by the third country must not violate the many restrictive provisions set by the EU in the GDPR.
As for the clauses that the mainland expressly states to be reserved when it concludes or participates in international treaties, they are clauses that the mainland has not recognized and accepted, and the mainland has no obligation to abide by them, and they are not applicable when handling requests for assistance in the personal information of foreign-related judicial or law enforcement, and have no legal effect in the territory of the mainland. The People's Republic of China is a sovereign and independent socialist country. The mainland does not recognize and accept international treaties in general, nor is it an international treaty concluded or acceded to by the mainland, which has no binding force on the mainland and certainly does not have any effect within the territory of the mainland.
2. Equality and reciprocity
As a socialist country, the mainland adheres to an independent foreign policy and adheres to the five principles of peaceful coexistence of "mutual respect for sovereignty and territorial integrity, mutual non-aggression, non-interference in each other's internal affairs, equality and mutual benefit, and peaceful coexistence." The principle of reciprocity, also known as the principle of reciprocity, is an important principle of international law and a common law of international relations. The principle of reciprocity is widely used in the fields of private international law, recognition and enforcement of foreign court judgments. The basic meaning of the principle of reciprocity or reciprocity in international law is that if a State asserts rights against another State by virtue of a norm of international law, then that State itself must be bound by that norm. [1] In highly developed domestic legal systems, the principle of reciprocity has largely been replaced by uniform domestic legal rules, such as in the field of domestic criminal law, where reprisals between private individuals are prohibited by law. However, in the less systematic international legal system, the principle of reciprocity is still an important way to maintain the international legal order.
The sovereignty of the state is a sacrosanct right. When sovereign states have neither concluded an assistance agreement nor jointly acceded to relevant international treaties with assistance content, the two sides are not obliged to assist each other. However, a State that has established diplomatic relations may, for the convenience of both parties, form a de facto relationship of assistance in accordance with international practice in accordance with a relationship of reciprocity. Once a de facto assistance relationship is established, the competent authorities of the two countries can provide each other with certain acts of assistance. On the basis of respecting national sovereignty and safeguarding national security and public interests, the mainland advocates and actively promotes the free flow of personal information across borders. Article 12 of the PIPL stipulates that "the State shall actively participate in the formulation of international rules for the protection of personal information, promote international exchanges and cooperation in the protection of personal information, and promote mutual recognition of personal information protection rules and standards with other countries, regions and international organizations." "Establish mechanisms for assistance in the collection of personal information across borders, and establish smooth channels for providing personal information for international judicial assistance or administrative law enforcement assistance.
3. Approval by the competent authority
Based on defensive data sovereignty, the mainland has been restricting or prohibiting data access from other countries. Similarly, where foreign judicial and law enforcement agencies request the collection of domestic personal information, they must not provide it without the approval of the competent authority. In the course of soliciting comments on the draft of this Law, some departments and experts suggested that provisions on penalties for providing information without approval should be added to provide a more adequate legal basis for relevant organizations and individuals to refuse unreasonable requests from foreign countries. On the one hand, the "quiet" security of personal information is still a prerequisite for access, and no country may abuse information technology to monitor personal information of other countries, illegally collect the personal information of citizens of other countries, and undermine the integrity, availability and confidentiality of personal information. U.S. Clarifying? Lawful? Overseas? Use?of? Data? Act,CLOUD? By adopting a long-arm jurisdictional model, the ACT is able to directly access data collected by U.S. "network service providers" outside the country without having to go through criminal justice assistance procedures. However, personal information involves national sovereignty, security and development interests. The transmission of personal information has provided a lot of convenience for the people's production and life, and at the same time, the ownership of various types of data has become more diverse, and the processing activities have become more complex, and the problems of some enterprises and institutions ignoring the security protection of personal information and using personal information to infringe on the legitimate rights and interests of the people are also very prominent. By strictly regulating personal information processing activities, we will earnestly strengthen the security protection of personal information, continuously promote the construction of a cyber power, a digital China, and a smart society, vigorously develop the digital economy with information as a new factor of production, and accelerate the formation of a digital economy with innovation as the main guide and support, so as to better serve the economic and social development of the mainland. The protection of security interests and the protection of individual citizens' rights is the core of the value judgment of the mainland's data transmission legislation, and the principle of "there are always exceptions where there are principles", and the principle of free flow of data does not mean that there are no "exceptional" restrictions, in fact, there are no countries in the world that do not impose any restrictions on cross-border data flow. A country's principle of protecting personal information is no exception. The personal information and important data collected and generated by network operators in the course of their operations within mainland China shall be stored within the mainland. Where it is truly necessary to provide it overseas due to business needs, a security assessment shall be conducted in accordance with the relevant measures; The provision of data to foreign countries must be approved by the competent authorities of the mainland.
Personal information is aggregated into data, strengthening personal information security protections and assessments of exports, and avoiding illegal export of important data and sensitive personal information that endangers citizens' lawful rights and interests and national security. In today's society, the convergence and integration of information technology and economy and society has triggered the rapid growth of data, which has become a basic strategic resource of the country, and big data is increasingly having an important impact on global production, circulation, distribution, consumption activities, economic operation mechanisms, social lifestyles and national governance capabilities. The value of data is fully reflected in government management, public security, commercial transactions, etc., and the development of cross-border e-commerce and the business logic of the global operation of Internet companies make the cross-border storage, transmission, analysis and processing of massive information inevitable, and it is urgent to regulate the cross-border transfer of personal information.
The continuous advancement of big data, artificial intelligence and other technologies has enabled the identification of human behavior patterns hidden in personal information, including food preferences, lifestyle habits, health conditions, career choice preferences, and so on. Through the free cross-border flow of personal information and the use of big data analysis, a country may accurately profile the social conditions of other countries, and carry out targeted intelligence collection and research and judgment, threatening the national security of other countries. The content of data may be manifested as personal privacy, commercial interests, and national security and public interests. A small amount of data flow may only harm the legitimate rights and interests of individuals or enterprises, while a large number of large-scale data flows may affect a country's economic and social security. To this end, the state will inevitably adopt an attitude of restricting or prohibiting the Internet equipment, data collection, transmission, and use within its own territory to protect national sovereignty from infringement, and national security challenges will also become an important consideration for all countries, including the mainland, in formulating rules for the cross-border flow of personal information.
The provisions of this article on the need for approval by the competent authorities for the export of personal information are in line with the provisions of the Cybersecurity Law and the Data Security Law. Article 37 of the Cybersecurity Law stipulates that "personal information and important data collected and generated by critical information infrastructure operators in the course of operating within the territory of the People's Republic of China shall be stored within the territory of the People's Republic of China." Where it is truly necessary to provide it overseas due to operational needs, a security assessment shall be conducted in accordance with the measures formulated by the State Internet Information Department in conjunction with the relevant departments of the State Council; Where laws and administrative regulations provide otherwise, follow those provisions. Article 31 of the Data Security Law stipulates that: "The provisions of the Cybersecurity Law of the People's Republic of China shall apply to the security management of the export of important data collected and generated by critical information infrastructure operators in the course of their operations within the territory of the People's Republic of China; Measures for the security management of important data collected and produced by other data handlers in the course of operations within the mainland territory of the People's Republic of China are to be formulated by the State Internet Information Department in conjunction with the relevant departments of the State Council. ”
[Applicable Provisions]
"pacta sunt servanda" is derived from the principle of "pacta sunt servanda" in domestic law, which is a general legal principle recognized by the legal systems of various countries, which is not only a universally recognized basic principle of international law, but also a treaty obligation specified in the Charter of the United Nations and the Vienna Convention on the Law of Treaties, and has also been recognized by the International Court of Justice as an official principle of modern international law. Where the People's Republic of China concludes or accedes to international treaties that are concluded and recognized in the name of the state, their validity shall be confirmed by civil law. If the provisions of the international treaty are different from the Personal Information Protection Law of the mainland, the mainland also has the obligation to abide by the international treaty, recognize its validity, and apply the relevant norms of the international treaty. General mutual legal assistance is carried out in accordance with the channels and procedures provided for in international treaties concluded or acceded to by the Mainland, usually through a central authority designated by the respective State to assist on its behalf. If sovereign states have neither concluded an agreement on mutual legal assistance nor jointly acceded to relevant international treaties with the content of mutual legal assistance, the country that has established diplomatic relations may, for the convenience of both parties, form a de facto mutual legal assistance relationship in accordance with international practice and in accordance with a reciprocal relationship. In addition, without the permission of the competent authorities of the mainland, no foreign agency or individual may provide personal information stored in the territory of the People's Republic of China to foreign judicial or law enforcement agencies within the territory of the People's Republic of China, which is a symbol of a country's judicial sovereignty.
The laws and documents regulating the export of data such as the Law on International Criminal Judicial Assistance, the Cybersecurity Law, the Measures for the Security Assessment of the Cross-border Transfer of Personal Information and Important Data (Draft for Comments), and the Guidelines for the Security Assessment of Cross-border Data Transfer (Draft for Comments) all stipulate that the personal information, key information and important data collected and generated by network operators (including network owners, managers and network service providers) in electronic form during their operations within the mainland shall adopt a localized storage mode for domestic storage. Network operators shall carry out a mechanism for conducting security assessments of outbound personal data and important data in advance. [6] Based on the localized storage model, the mainland extends the scope of sovereignty to the data stored in the mainland, and in this case, other countries have no right to collect data within the mainland on their own based on the principle of national sovereignty. Paragraph 3 of Article 4 of the Law on International Criminal Justice Assistance stipulates: "Without the consent of the competent organs of the People's Republic of China, foreign institutions, organizations and individuals shall not carry out criminal proceedings provided for in this Law within the territory of the People's Republic of China, and institutions, organizations and individuals within the territory of the People's Republic of China shall not provide evidence materials or assistance provided for in this Law to foreign countries." "According to these provisions, without the consent of the competent authorities, foreign institutions, organizations and individuals must not obtain electronic data through criminal justice assistance within the territory of the mainland; Institutions, organizations and individuals within the territory of China are also prohibited from providing electronic data and other assistance to foreign countries. In other words, the relevant foreign authorities can only obtain data in mainland China through formal criminal justice assistance procedures and after the above-mentioned strict segmented review.
Article 38 of Chapter 3 of the PIPL stipulates the basic rules for the cross-border provision of personal information, and for personal information stored in mainland China, if requested by a foreign judicial or law enforcement agency, this article shall be subject to the approval of the competent authority. China's Cybersecurity Law and Data Security Law establish the basic framework for the export of important data, and important data should be stored within China in principle. When it is truly necessary to leave the country, a security assessment shall be conducted. In view of the fact that the large-scale provision of personal information abroad and the provision of important data collected and generated by critical information infrastructure operations will have a significant impact on national security and public interests, it is important to assess the security risks of data export, and adopt regulatory measures such as prohibiting and conditionally leaving the country based on the security risks, so as to prevent the loss of critical data and safeguard national security. Although in the process of soliciting opinions on the Personal Information Protection Law (Draft), the relevant entities suggested that "clarify the applicant subject, the competent authority, the application approval procedure, and the exemption circumstances, such as: information disclosed by multinational companies in cross-border internal investigations; Personal information that does not endanger national security or public interest; Only store the information of foreign individuals through cloud servers in China; The purpose of personal information export is to assist in anti-money laundering and anti-terrorism activities within the group, to provide personal information to international organizations such as Interpol, etc., and to provide personal information to overseas government agencies in accordance with the requirements of the laws of the country where it is located; disclosure of personal information for the purpose of stopping harm to the public interest". It should be noted that the personal information subject to approval by the competent authority under this article is not limited to the personal information of Chinese citizens, but should also include all personal information stored in China. Since it is necessary for judicial or law enforcement assistance to leave the country, it is not necessary to obtain the separate consent of the personal information subject. These provisions are interconnected with the requirements of the Cybersecurity Law. For example, article 37 of the Cybersecurity Law stipulates that "personal information and important data collected and generated by critical information infrastructure operators in the course of operating within the territory of the People's Republic of China shall be stored within the territory of the People's Republic of China." Where it is truly necessary to provide it overseas due to operational needs, a security assessment shall be conducted in accordance with the measures formulated by the State Internet Information Department in conjunction with the relevant departments of the State Council; Where laws and administrative regulations provide otherwise, follow those provisions. "Where critical information infrastructure operators store citizens' personal information and other important data within the mainland, and truly need to store it overseas or provide it overseas, they shall conduct a security assessment in accordance with provisions. It has also been suggested that a cross-border data regime would require a concession system for exceptions to allow for emergency data transfers between regulators. If mainland legislation turns a blind eye to such situations, or implements non-open and transparent law enforcement strategies, it is not conducive to the integration of mainland criminal justice activities with the international community, let alone international law enforcement cooperation.
At present, the Central Committee of the Communist Party of China and the State Council have issued the "Overall Plan for the Development of the Guangdong-Macao In-Depth Cooperation Zone in Hengqin", under the framework of the national security management system for cross-border data transmission, to carry out pilot projects on the security management of cross-border data transmission, study the construction of green channels for fixed networks to access the Internet, and explore the formation of a mechanism that can facilitate data flow and ensure security. Support relevant universities and scientific research institutions in Zhuhai and Macao to realize cross-border interconnection and interoperability of scientific research data on the premise of ensuring the security of personal information and important data, and promote the safe and orderly flow of data across borders. Although in the process of soliciting opinions on the Personal Information Protection Law (Draft), some institutions suggested that this provision should be deleted that requires the approval of the competent authority, or that it is clarified that multinational companies carry out internal investigations, or assist in anti-money laundering and combating terrorists, provide personal information that does not endanger national security, public interest or have already been disclosed, provide information on foreign individuals stored in China, provide it to international organizations, and provide it in accordance with the requirements of the host country, etc., this provision does not apply. It should be noted that data, including personal information, involves national sovereignty and social public interests, while justice and law enforcement are related to sovereignty issues and brook no interference or consultation. Even if the existing legislation does not provide for the need for approval by the competent authority, in accordance with the principle that the new law prevails over the old law, where personal information is provided overseas for the purpose of international judicial assistance or administrative law enforcement assistance, approval from the relevant competent authority shall be applied for in accordance with law. Article 3 of the PIPL stipulates the scope of spatial application of this Law, and paragraph 1 of the PIPL stipulates that "this Law shall apply to the processing of personal information of natural persons within the territory of the People's Republic of China. "The processing of personal information includes the collection, storage, use, processing, transmission, provision, disclosure, deletion, etc. of personal information, and the act of providing personal information abroad is essentially part of the processing of personal information, and this Law should be applied.