Cybersecurity Compliance

January 09, 2017

Jet Deng and Ken Dai of Dentons describe the regulatory framework for data protection across key industries, the significance of the Cybersecurity Law and the harsh penalties for violations.

1. What have been the key legislative developments affecting data protection over the past 12 months?

Since 2015, China's legislation on data protection has been raised to a new level. The Amendment Bill of the PRC Criminal Law (IX) (Criminal Law), which came into effect on November 1, 2015, increases penalties and expands the scope of criminal liability to include violations such as selling or illegally providing citizens' personal information to others. The Criminal Law also adds criminal liability for internet service providers (ISPs) that fail to perform their data security management duties and thereby cause the disclosure of user information or other serious consequences.

In addition, the Implementing Regulations for the PRC Law on the Protection of the Rights and Interests of Consumers (Draft for Comments) (Consumer Protection Law Implementing Regulations) published by the State Administration for Industry and Commerce (SAIC) on August 5, 2016 provides a definition of consumers' personal information, explains what constitutes commercial electronic information and sales calls, and regulates the operators' collection and use of consumer data.

Furthermore, in June 2015, the Standing Committee of the National People's Congress (NPC) began reviewing the draft PRC Cybersecurity Law, which was published for comments. On July 5 this year, the NPC released the second draft, and five months later on October 31, the 24th Session of the 12th Standing Committee of the NPC reviewed the third and final draft and formally approved the Cybersecurity Law on November 7, 2016. The law will enter into force on June 1, 2017, and marks the first time that China is systematically regulating the protection of personal information on a national level and restricting the cross-border transfer of data.

Various other regulations were issued in 2016 to provide a more comprehensive data protection legislative framework and scope of liabilities for business operators across a range of industries, including:

  • The Measures for the Administration of the Network Payment Services of Non-bank Payment Institutions, governing the obligations of non-bank payment institutions to their clients;
  • The Provisions for the Administration of Mobile Internet Application Programs, governing the obligations of mobile internet application program service providers to their users;
  • The Tentative Measures for the Administration of the Business Activities of Peer-to-peer Lending Information Intermediaries, governing the obligations of online lending information intermediary (P2P lending) platforms to lenders and borrowers;
  • The Regulations on the Network Protection of Minors (Draft for Comments), governing the obligations of internet information service providers to minors; and
  • The Tentative Measures for the Administration of Online Taxi Hailing Services, governing the obligations of ride-sharing platform companies to drivers and passengers.

2. What are the specific regulations governing the collection, storage and use of personal data?

At the highest level, the Decision of the Standing Committee of the National People's Congress on Strengthening Information Protection on Networks (Decision) and the Information Security Technology – Guidelines for Personal Information Protection within Information System for Public and Commercial Services (Guidelines) represent China's first national standard and systematic regulation of personal data protection. Although the Guidelines are not mandatory, the authorities will very likely refer to them when determining whether data processing practices are appropriate.

A number of sector-specific regulations also exist, including:

  • The MIIT's Provisions on Protecting the Personal Information of Telecommunications and Internet Users (Telecom and Internet Provisions), specifically for telecommunications business operators and internet information service providers;
  • The PBOC's Notice on Banking Financial Institutions Doing a Good Job in Protecting Personal Financial Information, for the financial industry;
  • The Regulations on the Administration of the Credit Reporting Industry, for the credit reporting industry;
  • The Several Provisions on Regulating the Market Order of Internet Information Services, the Measures for the Administration of Internet E-mail Services and the Measures for the Administration of Online Trading, governing the internet and online communications;
  • The Ministry of Health's Provisions on the Administration of Medical Records of Medical Institutions, for the healthcare industry;
  • The Provisions on the Administration of the Security of Users' Personal Information in Posting and Delivery Services, for letter, mail and logistics service providers; and
  • The Consumer Protection Law Implementing Regulations mentioned above. All of these developments regulate, to some extent, the collection, storage and use of personal data.

3. What are the rules and requirements for data encryption and decryption?

The People's Bank of China's (PBOC) circular issuing the industry standard Information Security Standards for Credit Collection Institutions requires storage media to be encrypted whenever they are taken out of the workplace, sets basic requirements for providing real-time encryption for clients when they input sensitive information, and sets enhanced encryption requirements for entire messages or sessions relayed during communication. The China Banking Regulatory Commission's Measures for the Administration of the Electronic Banking Business provide that financial institutions' data encryption technology must comply with the relevant national provisions and that encryption methods must be regularly checked, evaluated and adjusted in line with the security needs of e-banking and the development of information technology.

In addition, the Tentative Measures for the Administration of the Business Activities of Peer-to-peer Lending Information Intermediaries and the Ministry of Industry and Information Technology's (MIIT) Guiding Opinions on Strengthening the Network Security Work in Telecommunications and Internet Industries address the respective obligations of online lending information intermediaries and of telecommunications and internet industry players to establish network security facilities for data encryption so as to ensure safe operations. Furthermore, the Cybersecurity Law, the PRC Law on the Protection of the Rights and Interests of Consumers (2nd Revision) (Consumer Protection Law), the Decision, the Measures for the Administration of Online Trading and the Guidelines all stipulate that information managers must take technical and other security measures to prevent the leakage and loss of information.

A data subject who wants to access encrypted data must pass identity authentication before the data can be decrypted. The PBOC's circular issuing the Information Security Standards for Credit Collection Institutions requires the identity authentication system to be safe and reliable, and the relevant service provider to be authorized by the MIIT. For important clients using bulk information services, two-way authentication between the server and the client is required.

4. Can you describe the most significant implications of the PRC Cybersecurity Law?

The Cybersecurity Law is mainly aimed at the collection, use, deletion, correction, transfer and management of personal information and establishment of cybersecurity supervision, network real-name and critical information infrastructure (CII) protection systems by network operators (network owners, managers and service providers). The data localization requirement for citizens' personal data and important data collected and generated in the PRC by CII network operators has a profound impact on both domestic and foreign companies operating in China. The cross-border transfer of such data is subject to security assessments by the relevant departments in accordance with regulations.

The Cybersecurity Law indicates a potentially broad scope for CII while leaving the specific scope to be determined by the State Council. The lack of clarity surrounding the security assessments may pose an even greater challenge for companies. The businesses concerned should therefore closely follow the supporting regulations to be issued by the State Council and other ministries and agencies.

5. What settlement mechanisms are available to victims of personal information misappropriation?

Most cases are settled out of court through civil proceedings. Victims can defend their rights through individual, group or public interest litigation. That is, they can choose to bring their own lawsuits directly, take a group action collectively, or seek help from relevant institutions or social organizations. Generally, the two parties are able to reach a settlement by themselves. In a joint litigation in which one party consists of multiple litigants, the elected representative may negotiate a settlement with the counterparty, the terms of which should be approved by the other members of the suit. Settlements regarding data leakage are common both in China and overseas. For instance, in the infringement case against 58 City, the plaintiff's phone number had been maliciously posted on the 58 City website and he endured constant spam calls, seriously affecting his daily life. Eventually, 58 City reached an out-of-court settlement of Rmb1,500 with the plaintiff and then improved the verification system for its rental listings. Private settlement is the more desirable solution for the enterprises concerned, as there is no need to pay court fees or the fees of experts and witnesses, significantly reducing costs. More importantly, the duration of the dispute is greatly shortened, thereby reducing the negative impact on the enterprise's reputation.

6. What are the biggest cases from the past year that reflect the importance of data privacy?

The Suning personal information leakage was one of the most impactful events concerning data privacy last year. Since July 2015, a number of consumers had filed reports with the local police, claiming that after shopping online they were defrauded by criminals using a fake Suning customer service phone number. The criminals knew the exact details of the customers' purchases, including names, order numbers and delivery addresses. It was reported that the number of customers who had joined the victims' QQ group had surpassed 200 by March this year. On March 4, 2016, five victims sued Suning in court. Although there has been no further update, this case was the first group action in China's data protection sector and the first such case in e-commerce, and it led to subsequent litigation against Suning in other regions. This indicates an increasing awareness of personal information protection among consumers, who are beginning to safeguard their legitimate rights and interests through litigation. Also, in April 2015, many high-risk vulnerabilities were found in the social security systems of Shanghai, Chongqing, Shanxi, Guizhou and Henan. And in August of the same year, more than 6 million user accounts of Damai.cn were disclosed. All these events have demonstrated the seriousness of data leakage and the urgency of continuously enhancing citizens' awareness of data protection.

7. What are the roles of the SAIC, CAC and MIIT in this space?

The SAIC is responsible for drafting relevant laws, regulations and policies regarding market supervision and administrative enforcement, such as the Consumer Protection Law Implementing Regulations. The SAIC is also in charge of organizing and guiding consumers to safeguard their legitimate rights and interests such as their rights to data privacy.

The Cyberspace Administration of China (CAC) guides and supervises the relevant departments to strengthen the management of internet information content, and investigates and punishes website operators that violate relevant laws and regulations and infringe personal information. Furthermore, the CAC coordinates with other ministries in various fields on cyberspace affairs and formulates cyberspace policies. For instance, in August 2016, the CAC, General Administration of Quality Supervision, Inspection and Quarantine and the Standardization Administration of the PRC jointly issued the Several Opinions on Strengthening the National Cybersecurity Standardization to push network security values.

The MIIT bears the responsibility of managing the security of communication networks and other relevant information, as well as guiding and supervising government departments and key industries to guarantee information security, handling significant events concerning cybersecurity, and issuing and implementing regulations such as the Guidelines and the Telecom and Internet Provisions.

8. Can companies transfer data out of China? What are the data storage requirements?

The outflow of data must meet the corresponding conditions under specific circumstances. In accordance with the Guidelines, the data manager can only transfer data out of China with the explicit consent of the subject, under clear provisions of laws or regulations, or with the approval of the relevant authority. However, for operators of CII, the Cybersecurity Law requires citizens' personal information and important data collected or generated within China to be stored in China, and only be transferred out of the country if it is necessary for business operation and meets the security assessment requirements. In addition, regulators limit the transfer of certain data due to the nature of content, such as personal financial and health information.

The relevant provisions of the Guidelines and the Cybersecurity Law state that the data manager must keep user information strictly confidential and must not leak, alter, sell or illegally provide to others the data without authorization. In the event of leakage, alteration, loss or destruction, the data manager must immediately inform the affected subject and report the incident to the relevant departments.

9. What are the sanctions and penalties for non-compliance with data protection laws?

The sanctions and penalties fall into criminal, civil and administrative categories. Under the Criminal Law, any individual or entity that, in violation of regulations, sells or illegally provides citizens' personal information to others is subject to criminal liability and a maximum sentence of seven years. ISPs also face a maximum penalty of three years in prison if they leak user data and cause serious consequences. Possible civil remedies where personal information has been misappropriated include a public apology, elimination of the negative effects and restoration of the victim's reputation. However, such fines are generally compensatory rather than punitive, so the amounts are relatively small. From an administrative perspective, the Decision and the Telecom and Internet Provisions set out the specific punishments for offenders. Furthermore, the new Cybersecurity Law provides that fines may be imposed on network operators as well as on their executives and other directly responsible personnel.

10. Where do you see the data protection laws heading? What is your advice to companies on ensuring compliance?

With the increasing regulatory attention being given to data security in key areas and the strengthening awareness of consumers on personal information protection, data privacy laws will become more comprehensive and specific, with the aim to ensure the substantive protection of citizens' personal information and overall national data security. The Cybersecurity Law reflects the determination of the authorities to strengthen the legal responsibility of network operators and create a favorable network environment. Meanwhile, the Criminal Law has also extended the scope of criminal liability, which may effectively suppress network-related criminal activities to some degree.

As for advice, enterprises should, first, pay constant attention to domestic and foreign legislation and policies governing personal data protection, such as the definition of CII network operators and the cross-border transfer restrictions that apply to them under the Cybersecurity Law, as well as the scope of application of the EU Data Protection Directive. Second, data protection must be a priority for enterprises conducting supplier surveys, mergers and data exchanges. Third, enterprises should take the necessary technical protection and management measures, such as conducting staff training and improving their user information protection mechanisms. In this regard, the Cybersecurity Law provides a perfect opportunity for enterprises to establish or revisit their internal data privacy compliance systems in China.

1. What have been the key legislative developments affecting data protection over the past 12 months?

Since 2015, China's legislation on data protection has been raised to a new level. The Amendment Bill of the PRC Criminal Law (IX) (Criminal Law), which came into effect on November 1, 2015, increases penalties and expands the scope of criminal liability to include violations such as selling or illegally offering others citizens' personal information. The Criminal Law also adds the criminal liability of internet service providers (ISPs) who fail to perform their data security management duties and subsequently cause unwanted disclosure of user information and other serious consequences.

In addition, the Implementing Regulations for the PRC Law on the Protection of the Rights and Interests of Consumers (Draft for Comments) (Consumer Protection Law Implementing Regulations) published by the State Administration for Industry and Commerce (SAIC) on August 5, 2016 provides a definition of consumers' personal information, explains what constitutes commercial electronic information and sales calls, and regulates the operators' collection and use of consumer data.

Furthermore, in June 2015, the Standing Committee of the National People's Congress (NPC) began reviewing the draft PRC Cybersecurity Law, which was published for comments. On July 5 this year, the NPC released the second draft, and five months later on October 31, the 24th Session of the 12th Standing Committee of the NPC reviewed the third and final draft and formally approved the Cybersecurity Law on November 7, 2016. The law will enter into force on June 1, 2017, and marks the first time that China is systematically regulating the protection of personal information on a national level and restricting the cross-border transfer of data.

Various other regulations were issued in 2016 to provide a more comprehensive data protection legislative framework and scope of liabilities for business operators across a range of industries, including:

  • The Measures for the Administration of the Network Payment Services of Non-bank Payment Institutions, for non-bank payment institutions to clients;
  • The Provisions for the Administration of Mobile Internet Application Programs, for mobile internet application program service providers to users;
  • The Tentative Measures for the Administration of the Business Activities of Peer-to-peer Lending Information Intermediaries, for online lending information intermediary (P2P lending) platforms to lenders and borrowers;
  • The Regulations on the Network Protection of Minors (Draft for Comments), for internet information service providers to minors and;
  • The Tentative Measures for the Administration of Online Taxi Hailing Services, for ride-sharing platform companies to drivers and passengers.

2. What are the specific regulations governing the collection, storage and use of personal data?

At the highest level, the Decision of the Standing Committee of the National People's Congress on Strengthening Information Protection on Networks (Decision) and the Information Security Technology – Guidelines for Personal Information Protection within Information System for Public and Commercial Services (Guidelines) represent China's first national standard and systematic regulations for personal data protection. And although the Guidelines are not mandatory, they will very likely be referred to by the authorities for determining appropriate data processing practices.

A number of sector-specific regulations also exist, including:

3. What are the rules and requirements for data encryption and decryption?

The PBOC's circular on issuing the industry standards, Information Security Standards for Credit Collection Institutions requires storage mediums to be encrypted whenever they are taken out of the workplace, puts forward basic criteria for providing real-time encryption functions for clients when inputting sensitive information, and sets enhanced encryption requirements for entire messages or conversations relayed during the communication process. The China Banking Regulatory Commission's Measures for the Administration of the Electronic Banking Business provide that financial institutions' data encryption technology must comply with the relevant national provisions and that encryption methods must be regularly checked, evaluated and adjusted in accordance with the security needs of e-banking and the development of information technology.

In addition, the Tentative Measures for the Administration of the Business Activities of Peer-to-peer Lending Information Intermediaries and the MIIT's Guiding Opinions on Strengthening the Network Security Work in Telecommunications and Internet Industries also address the liabilities of online lending information intermediaries and telecommunications and internet industry players, respectively, to establish network security facilities for data encryption so as to ensure safe operations. Furthermore, the Cybersecurity Law, the PRC Law on the Protection of the Rights and Interests of Consumers (2nd Revision) (Consumer Protection Law), the Decision, the Measures for the Administration of Online Trading and the Guidelines all stipulate that information managers must take technical and other security measures to prevent the leakage and loss of information.

The data subject must decrypt the data if he/she wants to access the encrypted data by passing the identity authentication. The PBOC's circular on issuing the industry standards, Information Security Standards for Credit Collection Institutions requires the identity authentication system to be safe and reliable, and the relevant service provider to be authorized by the Ministry of Industry and Information Technology. For important clients with bulk information services, a two-way authentication between the server and client is required.

4. Can you describe the most significant implications of the PRC Cybersecurity Law?

The Cybersecurity Law is mainly aimed at the collection, use, deletion, correction, transfer and management of personal information and establishment of cybersecurity supervision, network real-name and critical information infrastructure (CII) protection systems by network operators (network owners, managers and service providers). The data localization requirement for citizens' personal data and important data collected and generated in the PRC by CII network operators has a profound impact on both domestic and foreign companies operating in China. The cross-border transfer of such data is subject to security assessments by the relevant departments in accordance with regulations.

The Cybersecurity Law illustrates the potentially broad range of CII while simultaneously leaving the specific scope to be determined by the State Council. The lack of clarity surrounding the security assessments may pose a greater challenge for companies. The businesses concerned should therefore closely follow the subsequent supporting regulations to be specified by the State Council and other ministry agencies.

5. What settlement mechanisms are available to victims of personal information misappropriation?

Most cases are settled out of court through civil proceedings. Victims can defend their rights through individual, group or public interest litigation. That is, they can choose to directly bring their own lawsuits, collectively take a group action, or seek help from relevant institutions or social organizations. Generally, the two parties are able to reach a settlement by themselves. In a joint litigation in which one party has multiple litigants, the elected representative may negotiate a settlement with the counterparty, the terms of which should be approved by the other members of the suit. Settlements regarding data leakage are common both in China and overseas. For instance, in the infringement case of 58 City, as the plaintiff's phone number had been maliciously posted on the 58 City website, he endured constant spam, seriously affecting his daily life. Eventually, 58 City reached an out-of-court settlement of Rmb1,500 with the plaintiff and then improved the verification system of its rental information. Private settlement is a more desirable solution for the enterprises concerned as there is no need to pay court and legal fees for experts and witnesses, significantly reducing costs. More importantly, the dispute will be greatly shortened, thereby reducing the negative impact on the enterprises' reputation.

6. What are the biggest cases from the past year that reflect the importance of data privacy?

The Suning personal information leakage was one of the most impactful events concerning data privacy last year. Since July 2015, a number of consumers had filed reports with the local police, claiming that they were defrauded by criminals using a fake Suning customer service phone number after shopping online. The criminals knew the exact details of the customers' purchases, including the names, order numbers and delivery addresses. It was reported that the number of customers joining the victim QQ group had surpassed 200 by March this year. On March 4, 2016, five victims sued Suning in court. Although there has been no further update, this case was the first group action in China's data protection sector and the first such case in e-commerce, resulting in subsequent litigations against Suning in other areas. This indicates an increasing awareness of personal information protection among consumers, who are beginning to safeguard their legitimate rights and interests through litigation. Also, in April 2015, many high-risk vulnerabilities were found in the social security systems of Shanghai, Chongqing, Shanxi, Guizhou and Henan. And in August the same year, more than 6 million user accounts of Damai.cn had been disclosed. All these events have demonstrated the seriousness of data leakage and the urgency of continuously enhancing citizens' awareness of data protection.

7. What are the roles of the SAIC, CAC and MIIT in this space?

The SAIC is responsible for drafting relevant laws, regulations and policies regarding market supervision and administrative enforcement, such as the Consumer Protection Law Implementing Regulations. The SAIC is also in charge of organizing and guiding consumers to safeguard their legitimate rights and interests such as their rights to data privacy.

The Cyberspace Administration of China (CAC) guides and supervises the relevant departments to strengthen the management of internet information content, and investigates and punishes website operators that violate relevant laws and regulations and infringe personal information. Furthermore, the CAC coordinates with other ministries in various fields on cyberspace affairs and formulates cyberspace policies. For instance, in August 2016, the CAC, General Administration of Quality Supervision, Inspection and Quarantine and the Standardization Administration of the PRC jointly issued the Several Opinions on Strengthening the National Cybersecurity Standardization to push network security values.

The MIIT bears the responsibility of managing the security of communication networks and other relevant information, as well as guiding and supervising government departments and key industries to guarantee information security, handling significant events concerning cybersecurity, and issuing and implementing regulations such as the Guidelines and the Telecom and Internet Provisions.

8. Can companies transfer data out of China? What are the data storage requirements?

The outflow of data must meet the corresponding conditions under specific circumstances. In accordance with the Guidelines, the data manager can only transfer data out of China with the explicit consent of the subject, under clear provisions of laws or regulations, or with the approval of the relevant authority. However, for operators of CII, the Cybersecurity Law requires citizens' personal information and important data collected or generated within China to be stored in China, and only be transferred out of the country if it is necessary for business operation and meets the security assessment requirements. In addition, regulators limit the transfer of certain data due to the nature of content, such as personal financial and health information.

The relevant provisions of the Guidelines and the Cybersecurity Law state that the data manager must keep user information strictly confidential and must not leak, alter, sell or illegally provide to others the data without authorization. In the event of leakage, alteration, loss or destruction, the data manager must immediately inform the affected subject and report the incident to the relevant departments.

9. What are the sanctions and penalties for non-compliance with data protection laws?

The sanctions and penalties fall into criminal, civil and administrative categories. In accordance with the Criminal Law, any individual or entity that violates regulations by selling or illegally providing citizens' personal information to others will be subject to criminal liability and a maximum sentence of seven years. ISPs also face a maximum penalty of three years in prison if they leak user data and cause serious consequences. Where personal information is misused, civil liability may include a public apology, elimination of adverse effects and restoration of reputation. However, civil damages are generally compensatory rather than punitive, so the amounts awarded are relatively small. From an administrative perspective, the Decision and the Telecom and Internet Provisions set out the specific punishments for offenders. Furthermore, the new Cybersecurity Law states that a fine will be imposed on network operators as well as on the executives and other personnel directly responsible.

10. Where do you see the data protection laws heading? What is your advice to companies on ensuring compliance?

With the increasing regulatory attention being given to data security in key areas and the strengthening awareness of consumers on personal information protection, data privacy laws will become more comprehensive and specific, with the aim to ensure the substantive protection of citizens' personal information and overall national data security. The Cybersecurity Law reflects the determination of the authorities to strengthen the legal responsibility of network operators and create a favorable network environment. Meanwhile, the Criminal Law has also extended the scope of criminal liability, which may effectively suppress network-related criminal activities to some degree.

As for advice, enterprises should firstly pay constant attention to domestic and foreign legislation and policies governing personal data protection, such as the definition of CII network operators and the cross-border transfer restrictions in the Cybersecurity Law, as well as the scope of application of the EU Data Protection Directive. Secondly, data protection must be a priority for enterprises conducting supplier due diligence, mergers and data exchanges. Thirdly, enterprises should take the necessary technical protection and management measures, such as conducting staff training and improving their user information protection mechanisms. In this regard, the Cybersecurity Law provides an excellent opportunity for enterprises to establish or revisit their internal data privacy compliance systems in China.

1. What have been the key legislative developments affecting data protection over the past 12 months?

Since 2015, China's legislation on data protection has been raised to a new level. Amendment (IX) to the PRC Criminal Law (Criminal Law), which came into effect on November 1, 2015, increased penalties and expanded the scope of criminal liability, for example by bringing the sale or illegal provision of citizens' personal information to others within its scope. The Criminal Law also adds criminal liability for internet service providers that fail to perform their data security management duties, resulting in the leakage of user information or other serious consequences.

The State Administration for Industry and Commerce (SAIC) published the Implementing Regulations for the PRC Law on the Protection of the Rights and Interests of Consumers (Draft for Comments) (Consumer Protection Law Implementing Regulations) on August 5, 2016. The draft defines consumers' personal information, explains what constitutes commercial electronic information and commercial sales calls, and regulates operators' collection and use of consumer data.

In addition, in June 2015 the Standing Committee of the National People's Congress (NPC) conducted its first review of the draft PRC Cybersecurity Law and published it for public comment. On July 5 this year, the NPC released the second draft; five months later, on October 31, the 24th Session of the 12th NPC Standing Committee reviewed the third (final) draft, and on November 7, 2016 the Cybersecurity Law was formally passed. The law will take effect on June 1, 2017 and marks the first time China has systematically regulated personal information protection and cross-border data transfer at the level of national law.

Various other regulations were also issued in 2016, gradually establishing a more comprehensive legislative framework for data protection and clarifying the legal responsibilities of operators in each industry. They mainly include:

  • the Measures for the Administration of Online Payment Business of Non-bank Payment Institutions, on non-bank payment institutions' protection of customers;
  • the Provisions for the Administration of Mobile Internet Application Information Services, on mobile internet application service providers' protection of users;
  • the Interim Measures for the Administration of Business Activities of Online Lending Information Intermediaries, on online lending information intermediary (P2P lending) platforms' protection of borrowers and lenders;
  • the Regulations on the Online Protection of Minors (Draft for Comments), on internet service providers' protection of minors;
  • the Interim Measures for the Administration of Online Taxi Booking Business Operations and Services, on ride-hailing platforms' protection of drivers and passengers.

2. Which laws and regulations specifically regulate the collection, storage and use of personal data?

At the highest level, the Decision of the Standing Committee of the National People's Congress on Strengthening Online Information Protection (Decision) and the Information Security Technology – Guidelines for Personal Information Protection within Public and Commercial Service Information Systems (Guidelines) represent China's first national standard and systematic regulation of information protection. Although the Guidelines are not mandatory, enforcement authorities are still very likely to refer to them when regulating data processing.

Beyond these, there are industry-specific regulations, including:

the MIIT's Provisions on Protecting the Personal Information of Telecommunications and Internet Users (Telecom and Internet Provisions), which apply specifically to telecommunications business operators and internet information service providers;

  • the Notice of the People's Bank of China on Banking Financial Institutions Doing a Good Job in Protecting Personal Financial Information, for the financial industry;
  • the Regulations for the Administration of the Credit Reporting Industry, for the credit reporting industry;
  • the Several Provisions on Regulating the Market Order of Internet Information Services, the Measures for the Administration of Internet E-mail Services and the Measures for the Administration of Online Transactions, governing the internet and online communications;
  • the Ministry of Health's Provisions on the Administration of Medical Records of Medical Institutions, for the healthcare industry;
  • the Provisions on the Administration of the Security of Users' Personal Information in Delivery Services, for letter, mail and logistics service providers;
  • and the Consumer Protection Law Implementing Regulations mentioned above. All of these developments regulate, to some extent, the collection, storage and use of personal data.

3. What rules and requirements apply to data encryption and decryption?

The People's Bank of China's Notice on Issuing the Industry Standard Information Security Specifications for Credit Reporting Agencies requires storage media to be encrypted when taken out of the workplace, sets a basic requirement to provide real-time encryption when customers enter sensitive information, and sets an enhanced requirement to encrypt entire messages or sessions during communication. The China Banking Regulatory Commission's Measures for the Administration of Electronic Banking Business provide that financial institutions' data encryption technology must comply with relevant national provisions, and that encryption methods must be regularly inspected, evaluated and adjusted in light of electronic banking security needs and developments in information technology.

In addition, the Interim Measures for the Administration of Business Activities of Online Lending Information Intermediaries and the MIIT's Guiding Opinions on Strengthening Cybersecurity Work in the Telecommunications and Internet Industries respectively address the responsibility of online lending information intermediaries and of telecommunications and internet industry participants to establish cybersecurity facilities with data encryption so as to ensure secure operation. The Cybersecurity Law, the PRC Law on the Protection of the Rights and Interests of Consumers (Second Revision) (Consumer Protection Law), the Decision, the Measures for the Administration of Online Transactions and the Guidelines all also provide that information managers must adopt technical and other security measures to prevent the leakage and loss of information.

If a data subject wishes to access encrypted data, the data must be decrypted following identity authentication. The People's Bank of China's notice issuing the Information Security Specifications for Credit Reporting Agencies provides that identity authentication systems must be secure and reliable, and that the relevant servers must be certified by the MIIT. For important clients that provide batch information services, mutual authentication between server and client is required.

4. What is the most significant impact of the PRC Cybersecurity Law?

The Cybersecurity Law mainly targets network operators (i.e. network owners, administrators and network service providers) in their collection, use, deletion, correction, transfer and management of personal information, and establishes a cybersecurity supervision system, a network real-name registration system and a protection system for critical information infrastructure (CII). The law requires operators of critical information infrastructure to store within China the personal information and important data they collect and generate in China, which will profoundly affect domestic and foreign enterprises operating in China. Where such data is to be transferred across borders, it must pass a security assessment conducted by the relevant departments in accordance with the law.

The Cybersecurity Law defines the scope of critical information infrastructure relatively broadly while leaving the specific scope to be determined by the State Council. Moreover, the lack of clarity in the security assessment criteria may pose greater challenges for enterprises. Relevant enterprises should therefore pay close attention to the supporting legal documents formulated by the State Council and other relevant departments.

5. What settlement mechanisms are available to victims of the misuse of personal information?

Most cases are settled out of court through civil procedure. Victims can defend their rights through individual, collective or public interest litigation: they may file an individual lawsuit directly, jointly file a collective lawsuit, or seek assistance from relevant institutions or social organizations. In general, the parties may reach a settlement on their own. In joint litigation where one side involves multiple litigants, the litigation representative may negotiate a settlement with the other side, and the settlement terms should be agreed by the other litigants. Settlements in data leakage cases are common both in China and abroad. For example, in the 58.com infringement case, the plaintiff's telephone number was maliciously published on the 58.com website, causing the plaintiff to suffer continuous telephone harassment that seriously affected the plaintiff's daily life. In the end, 58.com reached an out-of-court settlement with the plaintiff for RMB1,500 and subsequently improved its verification system for rental listings. For the enterprises concerned, private settlement is the preferable solution because it avoids litigation fees and the appearance fees of experts and witnesses, greatly reducing expenses. More importantly, the duration of the dispute is greatly shortened, reducing the negative impact on the enterprise's reputation.

6. What were the major cases last year that demonstrate the importance of data privacy?

The leak of personal information at Suning.com was one of the most influential data privacy incidents of last year. From July 2015, a number of consumers reported to local police that, after shopping online, they had been defrauded by criminals using fake Suning.com customer service telephone numbers. The fraudsters knew the exact details of the customers' purchases, including names, order numbers and delivery addresses. According to reports, by March this year more than 200 customers had joined the victims' QQ group. On March 4, 2016, five victims filed a lawsuit against Suning.com in court. There has been no update on the latest developments, but the case is the first collective lawsuit in China's data protection field and also in the e-commerce field, and Suning.com subsequently faced further lawsuits from consumers in other regions. This shows that consumers' awareness of personal information protection has increased and that they have begun to defend their legitimate rights and interests through litigation. In addition, in April 2015, large numbers of high-risk vulnerabilities were found in the social security systems of provinces and municipalities including Shanghai, Chongqing, Shanxi, Guizhou and Henan. In August of the same year, the account passwords of more than six million users of Damai.cn were leaked. All these incidents demonstrate the seriousness of data leakage and the urgency of continually raising citizens' data protection awareness.

7. What roles do the SAIC, the CAC and the MIIT each play in this area?

The SAIC is responsible for drafting relevant laws, regulations and policies on market supervision and administrative enforcement, such as the Consumer Protection Law Implementing Regulations. The SAIC is also responsible for organizing and guiding consumers in defending their legitimate rights and interests, including data privacy.

The CAC guides and supervises relevant departments in strengthening the management of online information content, and investigates and punishes website operators that violate laws and regulations and infringe personal information. In addition, the CAC coordinates cyberspace affairs with other departments across major fields and formulates cybersecurity policies. For example, in August 2016, the CAC, the General Administration of Quality Supervision, Inspection and Quarantine and the Standardization Administration of China jointly issued the Several Opinions on Strengthening National Cybersecurity Standardization to promote cybersecurity standardization.

The MIIT is responsible for the security management of communication networks and other relevant information, guides and supervises government departments and key industries in ensuring information security, handles major cybersecurity incidents, and issues and implements regulations such as the Guidelines and the Telecom and Internet Provisions.

8. Can enterprises transfer data out of China? What are the data storage requirements?

Transferring data out of China must satisfy the corresponding conditions in different circumstances. According to the Guidelines, a data manager may transfer data out of China only with the explicit consent of the personal information subject, where laws or regulations clearly provide for it, or with the approval of the relevant department. In addition, for operators of critical information infrastructure, the Cybersecurity Law requires citizens' personal information and important data collected and generated within China to be stored within China; such data may be transferred abroad only where business needs so require and the security assessment requirements are met. Furthermore, regulators restrict the transfer of certain data on account of its content, such as personal financial information and population health information.

Under the relevant provisions of the Guidelines and the Cybersecurity Law, the data manager must keep user information strictly confidential and must not leak, tamper with, sell or illegally provide data to others without authorization. Once data is leaked, tampered with, lost or damaged, the data manager must immediately notify the affected personal information subjects and report to the relevant departments.

9. What sanctions and penalties apply for non-compliance with data protection laws?

Sanctions and penalties fall into criminal, civil and administrative categories. Under the Criminal Law, any individual or entity that violates regulations by selling or illegally providing citizens' personal information to others bears criminal liability, with a maximum sentence of seven years' imprisonment. Internet service providers that leak user data and cause serious consequences also face up to three years' imprisonment. For misuse of personal information, civil liability may include a public apology, elimination of adverse effects and restoration of reputation. However, damages are generally compensatory rather than punitive, so the amounts are relatively small. On the administrative side, the Decision and the Telecom and Internet Provisions specify the penalties for violators. In addition, the new Cybersecurity Law provides that network operators, the persons in charge who are directly responsible and other directly responsible personnel may all be fined.

10. Where do you see data protection law heading? What is your advice to enterprises on ensuring compliance?

As regulators pay increasing attention to data security in key areas and consumers' awareness of personal information protection grows, data privacy law will become more comprehensive and specific, so as to ensure substantive protection of citizens' personal information and overall national data security. The Cybersecurity Law reflects the authorities' determination to strengthen the legal responsibility of network operators and create a sound network environment. At the same time, the Criminal Law has expanded the scope of criminal liability, which can curb network-related criminal activity to a certain degree.

For enterprises, the first step is to keep a constant watch on domestic and foreign legislation and policies on personal data protection, such as the Cybersecurity Law's definition of critical information infrastructure network operators and its cross-border transfer restrictions, and the scope of application of the EU Data Protection Directive. Second, enterprises engaged in supplier due diligence, mergers and data sharing should make data protection a key focus. Third, enterprises should take the necessary technical protection and management measures, such as staff training and improving user information protection mechanisms. In this regard, the Cybersecurity Law provides an excellent opportunity for enterprises to establish or re-examine their internal data privacy compliance systems in China.
