A New Era of Data Compliance
February 24, 2018 | By Susan Mok
Jet Deng and Ken Dai of Dentons explain the impact of the Cybersecurity Law's data privacy and cross-border transfer rules, the commercial scope of the draft Cryptography Law, and the latest personal information infringement case rulings on businesses.
1. What are the biggest challenges MNCs face with respect to complying with the new PRC Cybersecurity Law?
The concept of “critical information infrastructure” (CII) was introduced for the first time in the PRC Cybersecurity Law (CSL), which entered into force on June 1, 2017. Among other provisions, the CSL restricts the cross-border transfer of personal information and important data collected or generated by CII operators within the territory of China. This restriction may be the biggest challenge that multinational corporations (MNCs) face in complying with the CSL. Furthermore, under the Measures for Security Assessments of the Transfer of Personal Information and Important Data Overseas (Draft for Comments) (Draft Cross-border Data Transfer Measures), a security assessment of data to be transferred abroad would be required of all network operators, not only CII operators. If enacted as drafted, the restrictions will therefore extend well beyond CII operators.
2. Which industries are covered by “CII”?
The provisions in connection with CII were modified three times during the formulation of the CSL, and have been finalized as networks or systems in important industries such as “information services, energy, transportation, water resources, finance, public services and electronic governmental affairs, and other critical information infrastructure that, in the event of a damage thereto, loss of function thereof or leak of data therefrom, could seriously jeopardize national security, national economy, people's livelihoods or the public interest”.
On that basis, the Regulations for Protection of the Security of Critical Information Infrastructure (Draft for Comments) (Draft CII Regulations), published on July 11, 2017, further provide that if the destruction, loss of function or data leak of the network infrastructure and information systems operated by the following entities could severely jeopardize national security, economy, people's livelihood or the public interest, such facilities and systems will be included in the scope of protection for CII:
- government agencies and entities in sectors of energy, finance, transportation, water resources, healthcare, education, social insurance, environmental protection and public utilities;
- information networks, including telecommunication networks, radio and television networks and the internet, as well as entities providing cloud computing, big data and other large public information network services;
- scientific research and manufacturing entities in sectors including science and technology for national defense, large-scale equipment, chemical industry and food and drugs;
- news entities, including radio stations, television stations and news agencies; and
- other key entities.
Enterprises in these industries are therefore at high risk of being deemed CII operators. It is also worth noting that sectors not addressed above may still be regarded as targets for CII protection as both lists in the CSL and the Draft CII Regulations are not exhaustive.
3. What are the specific regulations governing the collection, storage and use of “personal information” and “important data”?
Apart from the various rules already in force that regulate the collection, storage and use of personal information and important data in specific sectors (such as finance, internet, healthcare and logistics), several newly enacted or drafted judicial interpretations, regulations, guidelines and national standards set out further compliance requirements and guidance on the processing of such data.
On June 1, 2017, the day the CSL came into force, the Interpretation on Several Issues Concerning the Application of the Law in the Handling of Criminal Cases Involving the Infringement of the Personal Information of Citizens (Judicial Interpretation) also took effect. It elaborates on critical issues including the definition of “personal information” and the specific factors that constitute “serious circumstances” in a criminal prosecution under the PRC Criminal Law.
In addition, the Draft Cross-border Data Transfer Measures and their supporting guidelines, the Information Security Technology – Guidelines for Data Cross-border Transfer Security Assessment (Draft Cross-border Data Transfer Guidelines), are being drafted to give explicit guidance on the storage and overseas transfer of personal information and important data. Notably, the Draft Cross-border Data Transfer Guidelines identify what counts as important data in a number of specific sectors. A draft national standard, the Information Security Technology – Personal Information Security Specification (Draft Personal Information Specification), provides detailed guidance on the collection, storage, use, sharing, transfer and disclosure of personal information.
4. What are the key pieces of legislation relating to cross-border transfer of data? What do MNCs need to bear in mind?
The key instruments governing cross-border data transfer are the CSL, the Draft CII Regulations, the Draft Cross-border Data Transfer Measures and the Draft Cross-border Data Transfer Guidelines. Under the current drafts, all network operators must at a minimum conduct security assessments before transferring data overseas, and CII operators will need to meet further, stricter requirements. MNCs are therefore strongly advised to prepare or revise their data compliance policies in advance and to monitor the relevant legislative processes closely.
5. What are the regulations for data encryption and decryption? What is the impact of the draft Cryptography Law?
The Regulations for the Administration of Commercial Encryption (Commercial Encryption Regulations) and their supporting administrative provisions, including the Provisions for the Administration of the Production of Commercial Encryption Products, the Provisions for the Administration of the Sale of Commercial Encryption Products and the Provisions for the Administration of the Use of Commercial Encryption Products, together form the basic legal framework for commercial encryption in China. There is also a wide range of sector-specific encryption rules. For instance, the People's Bank of China's Circular on Issuing the Specification for Information Security of Credit Information Service Agencies, which applies to the finance sector, requires storage media to be encrypted whenever they are taken out of the workplace, sets a baseline requirement of real-time encryption when clients enter sensitive information, and imposes an enhanced requirement that the entire communication process be encrypted.
The CSL requires all network operators to encrypt important data. Furthermore, networks that store and process any information related to state secrets must comply with, in addition to the CSL, all applicable laws and administrative regulations on confidentiality.
On April 13, 2017, the PRC Cryptography Law (Draft for Comments), the first national-level law covering the research, production, management, import, export, testing, certification, use and regulation of cryptography, was released for public comment after years of drafting. Unlike the Commercial Encryption Regulations, the draft Cryptography Law, if enacted, would regulate all three categories of cryptography: core, ordinary and commercial. However, it does not set out detailed rules on the production, sale and use of core and ordinary cryptography beyond specifying that they may be used to protect state secrets and must not be exported. The distinction between core and ordinary cryptography also remains unclear.
In addition, the draft Cryptography Law calls for national security reviews of encryption products, encryption services and encryption support systems used for CII protection where they affect or may affect China's national security. On enforcement powers, the draft authorizes the cryptography administrations to conduct on-site inspections, access and copy relevant materials, and seize illegal equipment and facilities. This high level of supervisory and enforcement power means increased compliance risk for the enterprises concerned.
As for decryption, the PRC Anti-terrorism Law, which took effect on January 1, 2016, requires telecommunications operators and internet service providers to provide technical support and assistance, such as technical interfaces and decryption, to public security bureaus and state security agencies for the prevention and investigation of terrorist activities in accordance with the law. The CSL likewise requires network operators to cooperate with supervision and inspection carried out by the cyberspace administrations and other competent authorities in accordance with the law.
6. What settlement mechanisms are available to victims of personal information misappropriation?
Victims can defend their rights through individual litigation, group action or public interest litigation. That is, they may bring their own lawsuit, join a group action, or seek help from the relevant institutions or social organizations. In most cases an out-of-court settlement is also available, where the parties reach agreement between themselves. Settlement of data leakage lawsuits is common both in China and abroad. In the 58 City case, for instance, the plaintiff alleged that his or her phone number had been maliciously registered on the 58 City website and that the resulting constant spam seriously disrupted daily life. 58 City eventually reached an out-of-court settlement of Rmb1,500 with the plaintiff and improved its verification system for rental listings. For the enterprises concerned, private settlement is generally the more desirable outcome: there are no expert or witness fees, the total cost is significantly lower, and potential harm to their commercial reputation is avoided.
Other than litigation, victims are also entitled to report violations to the authorities, including the cyberspace administrations, the public security bureaus (for suspected criminal cases) and the administrations for industry and commerce. Under the PRC Law on the Protection of Rights and Interests of Consumers, for example, if a business operator sends commercial information to consumers without their consent, the consumer may lodge a complaint with the relevant administrative authority, which must handle the matter and notify the consumer within seven working days of receiving the complaint.
Victims also have the right to require the wrongdoers to correct their misconduct directly. According to Article 43 of the CSL, an individual is entitled to require a network operator to delete his or her personal information if he or she finds that the collection and use of such data has violated laws, administrative regulations, or the agreement by and between the operator and individual.
7. What are the biggest cases in the past year that reflect the importance of data privacy?
The infringement of pregnant women's personal information by Nestlé employees was one of the largest and most widely reported data privacy cases of the past year, and the first privacy violation case involving a top-500 company. From 2011 to September 2013, in order to promote formula milk powder, six Nestlé employees paid benefits to medical staff at a number of hospitals in Lanzhou city in return for more than 120,000 items of personal information on pregnant women and new mothers, including names and mobile phone numbers. On October 31, 2016, the first-instance court of Lanzhou Chengguan District convicted the six employees of infringing citizens' personal information and sentenced them to criminal detention or imprisonment. The six appealed on the grounds that the infringer was Nestlé as an entity rather than its staff. On May 31, 2017, the Lanzhou Intermediate Court dismissed the appeal and upheld the original judgment. The court accepted that Nestlé's Employee Code of Conduct and other company policies contained personal data protection provisions, which was sufficient to prove that “Nestlé prohibited its employees from infringing citizens' personal information”, and therefore held that the offense could only be attributed to the six individuals.
In June 2017, Apple employees were also involved in a criminal privacy case, accused of illegally obtaining Apple users' personal information and providing or selling it to third parties. A police investigation found that at least 20 employees, including staff of Apple's distributors and outsourcing contractors, were involved, and that sales exceeded Rmb50 million.
In May 2017, the Supreme People's Court also published “Six Typical Cases Involving the Infringement of Citizens' Personal Information” on its official website, showing that the rising number of personal information infringement cases has drawn the attention of the judiciary.
Over the past three months, the internet police in various provinces and municipalities, including Beijing, Zhejiang, Jiangsu and Chongqing, have carried out their first enforcement actions under the CSL. Most of these investigations targeted failures to perform the obligations of the cybersecurity graded protection scheme under Article 21 of the CSL. For example, on August 1, 2017, the Chongqing Public Security Bureau found that a technology company had failed to retain its network logs for at least six months, as required by Paragraph 3 of Article 21 of the CSL. Enterprises should bear in mind that network log retention has been a strict requirement since the CSL came into force.
8. What are the key authorities and administrative agencies responsible for cybersecurity and data protection?
The Cyberspace Administration of China (CAC) guides, coordinates and supervises the relevant departments to strengthen the management of online content and investigates and punishes website operators who violate relevant laws and regulations and infringe personal information. Furthermore, CAC coordinates cyberspace affairs in various fields and formulates regulations, guidelines, standards on cyberspace and data protection. For instance, the Measures for Security Reviews of Network Products and Services, the Provisions for the Administration of Internet News Information Services, the Draft Cross-border Data Transfer Measures, the Draft CII Regulations, among others, are drafted by the CAC independently or in concert with other relevant authorities. The CAC is the most important authority in both legislation and law enforcement concerning cybersecurity and data protection in China.
The Ministry of Industry and Information Technology (MIIT) is responsible for the security of communication networks and related information. This includes guiding and supervising government departments and key industries to ensure data security, handling major cybersecurity incidents, and issuing and implementing relevant rules such as the Provisions on the Protection of Personal Information of Telecommunications and Internet Users.
The State Administration for Industry and Commerce (SAIC) enforces and drafts laws and regulations regarding market supervision and administrative enforcement, such as the Implementing Regulations for the PRC Law on the Protection of Consumer Rights and Interests (Draft for Comments). It is also in charge of matters related to the protection of consumers' personal information.
The Ministry of Public Security directs the crime prevention and investigation work of local public security bureaus. Amendment (9) to the PRC Criminal Law made the infringement of citizens' personal information a criminal offense, and the related Judicial Interpretation elaborates on it. Under the Measures for the Administration of Graded Protection in Connection with Information Security, the public security organs are in charge of supervising, inspecting and guiding graded protection of information security.
9. What are the sanctions and penalties for non-compliance with data protection laws?
Sanctions and penalties fall into criminal, civil and administrative categories:
- Criminal: Under Amendment (9) to the PRC Criminal Law, any individual or entity that sells or illegally provides citizens' personal information to others bears criminal liability and may face a sentence of up to seven years. Internet service providers that leak user information and cause serious consequences also face a maximum penalty of three years' imprisonment.
- Civil: Civil remedies for infringement of personal information include making an apology, eliminating the negative effects and restoring the victim's reputation. Damages are generally compensatory rather than punitive, so monetary awards are relatively small.
- Administrative: Under the CSL, both the network operator and the executives or other staff directly responsible may be fined. The authorities may impose further penalties, such as suspending the relevant business, ordering suspension of operations for rectification, shutting down websites and revoking relevant permits or business licenses, and may record the violations and penalties in credit files and publish them.
10. Where do you see the data protection laws heading? What is your advice to companies on ensuring compliance?
With the CSL and its various supporting regulations and guidelines, including the forthcoming Draft CII Regulations, the government has established a preliminary legal framework for cybersecurity and data protection. Although certain issues still require clarification, protecting personal information, ensuring cybersecurity and regulating CII will be the focus of supervision and enforcement by the authorities.
For enterprises, whether domestic or foreign, compliance in cybersecurity and data protection will be crucial to their business operations. It is advisable to follow closely the legislation and policies on cybersecurity and data protection, in particular the identification and scope of CII and of important data in specific sectors. These areas should also be priorities when conducting business, supplier due diligence, mergers, and data transfers and sharing. It is also prudent to take the necessary technical protection and management measures, such as training staff and conducting background checks on employees in key positions. In this respect, the CSL and its supporting regulations and guidelines give stakeholders an opportunity to build or revisit their data security and privacy compliance systems in China.
Jet Deng, Senior Partner (Beijing)
Dentons
Jet Deng is a partner of Dacheng Law Offices. Jet has 14 years of professional experience, including ten years practising as a lawyer and four years in the commercial sector. His main practice areas are anti-monopoly law/anti-unfair competition law, international trade, litigation and arbitration, and he specializes in complex projects and cases. He received his JM degree in 2005 and his PhD in International Economic Law in 2012 from the University of International Business and Economics, where he has been a part-time researcher at the Competition Law Centre since 2005. He is a frequent commentator in mainstream Chinese media such as CCTV, China National Radio and various newspapers.
As an experienced antitrust lawyer, Jet's practice also covers the emerging field of data protection in China. He has followed and monitored the data protection legislative process for years, provided legal advice on privacy compliance for many business transactions, and helped enterprises develop data protection policies under Chinese law. He has also assisted clients with the collection and processing of customer and employee data. Jet is familiar with enforcement practice and specializes in designing response strategies.
Jet's working languages include Mandarin and English.
Ken Dai, Partner (Shanghai)
Dentons
Ken Dai is a partner of Dacheng Law Offices. He earned his LLB and LLM from the China University of Political Science and Law and the University of Bristol in the UK respectively. Ken is a member of the Antitrust Committee of the IBA, the Competition Committee of the IPBA, the Outbound Investment and Antitrust Committee of the Shanghai Bar Association, and the Asian Competition Forum. He is also a columnist for Forbes China.
Ken Dai is one of the first lawyers in China to practise in the data protection field. Since 2012 he has advised numerous multinational companies and large enterprises in the rapidly developing areas of data protection and privacy and cybersecurity, including: (a) reviewing and revising privacy policies; (b) assessing the legality of business models from a data and privacy protection perspective; (c) advising on cross-border data transfer; (d) handling legal matters pertaining to workplace privacy; (e) advising on data protection and privacy issues arising in cross-border litigation, arbitration and investigations; and (f) advising on legislative developments and enforcement trends relating to data protection, privacy and cybersecurity in China.
Ken also specializes in antitrust, including competition law compliance, merger control filings and private antitrust litigation. He stands at the cutting edge of Chinese antitrust practice, with significant experience and insight.
Ken's working languages include Chinese, English and Cantonese.