从《网络安全法》《数据安全法》以及《个人信息保护法》的颁布施行,到 《数据出境安全评估办法》《个人信息出境标准合同办法》以及《个人信息保护 认证实施规则》相继出台,我国已逐步构建起以安全评估、标准合同备案和个人 信息保护认证为核心的数据出境监管框架(见附表)。

After the successive promulgation and implementations of the Cyber Security Law, Data Security Law, Personal Information Protection Law, Security Assessment Measures for Data Provision Abroad, Measures on the Standard Contract for Outbound Transfer of Personal Information and Personal Information Protection Certification Implementation Rules, China has steadily established a data outbound supervision framework with the core of security assessment, standard contract filing and personal information protection certification (see the Appendix).

然而,以上监管措施自施行以来,虽然一定程度上缓解了我国此前数据跨境 流动安全保障的缺失与监管无序的状态,但实践中也问题频出。为了深入贯彻落 实国务院提出的“探索便利化数据跨境流动安全管理机制”的整体目标,国家网信 办结合既有规范和数据出境实践,对数据出境申报标准进行动态调整,制定并颁 布《促进和规范数据跨境流动规定》(以下简称“《规定》”),主要有以下重点:

However, since the implementation of the above regulatory measures, the lack of security guarantees and disordered supervision of cross-border data flows have been alleviated to a certain extent, but problems have also occurred frequently in practice. In order to thoroughly implement the overall goal of exploring and facilitating the secure management mechanism for cross-border data flows proposed by the State Council, the Cyberspace Administration of China has dynamically adjusted the standards for data export declarations based on existing regulations and data export practices. The National Cyberspace Administration then formulated and promulgated the Provisions on Promoting and Regulating Cross-border Data Flows (hereinafter referred to as “the Provisions”) which mainly focuses on the following:

一是列举了免予适用数据出境监管流程的情形,意味着许多企业日常管理与 经营的场景不再需要办理个人信息出境标准合同备案或个人信息保护认证,在保 护个人信息权益,维护国家安全和社会公共利益的大前提下,促进数据出境安全、 自由地流动。

Firstly, the Provisions lists the situations that are exempt from the data export supervision process, which means that many enterprises no longer need to apply for personal information export standard contract filing or personal information protection certification in daily management and operation. In the prerequisite of protecting personal information rights and interests, safeguarding national security and social interests, the Provisions can promote safe and free flow of data abroad.

二是进一步明确重要数据处理者的范围,提出未被相关部门、地区告知或者 公开发布为重要数据的,数据处理者不需要作为重要数据申报数据出境安全评 估。

Secondly, the Provisions further clarifies the scope of important data processors. It proposes if the data has not been notified or publicly released as important data by relevant authorities or regions, the data processor need not to take it as important data and apply for data export security assessment.

三是在自贸区引入负面清单机制,提出自由贸易试验区在国家数据分类分级 保护制度框架下,可以自行制定区内负面清单,经省级网络安全和信息化委员会 批准后,报国家网信部门、国家数据管理部门备案。

Thirdly, the Provisions introduces a negative list in the free trade zone. It is proposed that the free trade zone can formulate a negative list within the zone under the framework of the national data classification and hierarchical protection system. The negative list should be approved by the provincial Cyberspace Affairs Commission and be reported to the National Cyberspace Administration and the national data management department for filing.

《规定》进一步优化了我国数据国际流动的监管,积极探索合规与商业的平 衡点,对此有外国投资者对《规定》的发布表示赞赏,认为这是解决外资企业在 华数据监管面临挑战迈出的积极一步。

The Provisions further optimizes the supervision of the international flow of data in China and actively explores the balance between compliance and business. Some foreign investors expressed their appreciation for the Provisions, and they believe that this is a positive step forward to solve the challenges faced by foreign-funded enterprises of data supervision in China.

附表:数据出境监管框架

Appendix: Data export regulatory framework

管措施
Measures
监管对象
Objects
适用条件
Conditions
法律责任
Liability
数据出境 安全评估
Data Abroad Security Assessment
关键信息基 础设施运营 者
Critical Information Infrastructure Operator
跨境传输 重要数据 或个人信息
Cross-border transfer of important data or personal information
违法向境外提供重要数据的,由有关主管部 门责令改正,给予警告,可以并处十万元以 上一百万元以下罚款,对直接负责的主管人 员和其他直接责任人员可以处一万元以上 十万元以下罚款;情节严重的,处一百万元 以上一千万元以下罚款,并可以责令暂停相 关业务、停业整顿、吊销相关业务许可证或 者吊销营业执照,对直接负责的主管人员和 其他直接责任人员处十万元以上一百万元 以下罚款
Anyone who illegally provides important data overseas will be ordered to make corrections and given a warning by the relevant competent authorities, and the person may also be fined not less than RMB 100,000 but not more than
RMB 1 million. The person in charge and other directly responsible personnel may be fined not less than RMB 10,000 but not more than RMB 100,000. If the circumstances are serious, the fine will be not less than RMB 1 million but not more than RMB 10 million may be imposed, and the relevant business may be suspended, suspended for rectification, revoked relevant business license. The directly responsible person in charge and other directly responsible persons shall be fined not less
than RMB 100,000 but not more than RMB 1 million.
非关键信息 基础设施运 营者
Non-critical Information Infrastructure Operator
跨境传输 重要数据
Cross-border transfer of important data
当年1 月1 日起 跨境传输100 万人以上个人 信息
More than 1 million cross-border transfer of personal information starting from January 1
违反跨境传输个人信息规定的,由履行个人 信息保护职责的部门责令改正,给予警告, 没收违法所得,对违法处理个人信息的应用 程序,责令暂停或者终止提供服务;拒不改 正的,并处一百万元以下罚款;对直接负 的主管人员和其他直接责任人员处一万元 以上十万元以下罚款。 情节严重的,由省级以上履行个人信息保护 职责的部门责令改正,没收违法所得,并处 五千万元以下或者上一年度营业额百分之 五以下罚款,并可以责令暂停相关业务或者 停业整顿、通报有关主管部门吊销相关业务 许可或者吊销营业执照;对直接负责的主管 人员和其他直接责任人员处十万元以上一 百万元以下罚款,并可以决定禁止其在一定 期限内担任相关企业的董事、监事、高级管 理人员和个人信息保护负责人。 构成违反治安管理行为的,依法给予治安管 理处罚;构成犯罪的,依法追究刑事责任。
Anyone who violates the provisions on cross-border transfer of personal information shall be ordered to make corrections by the department which performing personal information protection responsibilities. The department may give a warning, confiscate illegal gains and order the suspension or termination of services for applications that illegally handle personal information. Those who refuse to make corrections shall also be punished a fine of not more than RMB 1 million. The directly responsible person in charge and other directly responsible person shall be fined not less than RMB 10,000 but not more than RMB 100,000. If the circumstances are serious, the department which performing personal information protection duties at or above the provincial level shall order corrections, confiscate illegal gains, impose a fine of less than RMB 50 million or less than 5% of the violator’s previous year’s turnover. The department may order the relevant business to be suspended or closed down, rectify and notify the relevant competent authorities to revoke relevant business licenses or revoke business licenses, impose a fine of not less than RMB 100,000 but not more than RMB 1 million on the directly responsible person in charge and other directly responsible person, and may decide to prohibit them from serving as relevant enterprises within a certain period directors, supervisors, senior managers and
persons in charge of personal information protection.
If a violation of public security management is constituted, public security management penalties shall be imposed in accordance with the law; if a crime is constituted, criminal liability shall be pursued in accordance with the law.
当年1 月1 日起 跨境传输1 万 人以上敏感个 人信息
More than 10,000 Cross-border transfer of sensitive personal information starting from January 1 of that year
出境标准 合同备案
Standard contract filing for personal information abroad或
OR个人信息 保护认证
Personal Information Protection Certification
非关键信息 基础设施运 营者
Non-critical Information Infrastructure Operator
自当年1 月1 日 起,累计向境外 提供10 万人以
上、不满100 万 人个人信息
More than 100,000 and
less than 1 million personal
information provided to overseas receiver starting
from January 1 of that year
自当年1 月1 日 起,累计向境外
提供不满1 万 人敏感个人信 息的
Less than 10,000 sensitive personal information provided to overseas receiver starting from January 1 of that year

 

作者Authors:

王燕律师广东固法律师事务所合伙人

Ada Wang, Partner of PW & Partners Law Firm

  • ž 批司法部千人涉外律师领军人才
  • ž Top 1000 International Lawyers in China selected by Ministry of Justice
  • ž 中华全国律师协会首批跨境律师人 才库成员
  • ž Initial Member of Leading Lawyer in Foreign-related Legal Service Recognized by All China Lawyers Association
  • ž 中华全国律师协会律师法律服务“一 带一路”战略建设项目国别协调人
  • ž Country coordinator of the All-China Lawyers Association’s legal services for the „Belt and Road” strategy construction project
  • ž 广州十大涉外大律师
  • ž Top 10 Elite Leading Lawyer on Foreign-related Legal Affairs Recognized by Guangzhou Lawyers Association
  • ž 广东省涉外律师领军人才库成员
  • ž Member of Guangdong Foreign Lawyer Leaders Pool
  • ž 广州市律师协会公平贸易法律专业委员会副主任
  • ž Deputy Director of Fair-trade Committee of Guangzhou Lawyers Association
  • ž 广州仲裁委员会仲裁员
  • ž Arbitrator, Guangzhou Arbitration Commission
  • ž 广东省涉外律师顾问团法律顾问
  • ž Legal Adviser, Foreign Lawyers Advisory Panel of Guangdong Province
  • ž 英国著名法律评介机构LEGAL500 推荐中国律师
  • ž LEGAL500 Recommended Chinese Lawyer
  • ž 国际律师事务所联盟(ILF)亚洲地区负责人
  • ž Head of Asia at the International Law Firms (ILF)
  • ž 香港律师协会外国注册律师(曾任)
  • ž Recognized Foreign Lawyer in Hong Kong Law Society

 

欧占中律师广东固法律师事务所合伙人

Ozzie Ou, Partner of PW & Partners Law Firm

  • ž 广东省律师协会工作委员会数字经 济法律专业委员会委员
  • ž Member of the Digital Economy Law Committee of Guangdong Lawyers Association;
  • ž 广州市律师协会涉外专业委员会委 员
  • ž Member of Foreign-related Professional Committee of Guangzhou Lawyer Association
  • ž 广东省涉外律师先锋人才库成员
  • ž Member of the Guangdong Foreign-related Lawyers Pioneer Talent Pool;
  • ž 广州市涉外律师领军人才
  • ž Leading Talent in Guangzhou’s Foreign-related Lawyers;

Source: PW Partners