[BUPT International School, Year 3, Semester 2] Cybersecurity Law (网络安全法) Week 4

Written by a third-year e-commerce student at BUPT International School, organising the key points as the course progresses. Only the relatively important points from the lecture slides are collected; the content is mixed and is not meant as last-minute exam revision. Minor points that I consider less important are left out. Please point out any errors. Credit the source when reposting, and happy studying.

Edited with Effie; if you need the pdf/docx/effiesheet/markdown version, please contact me by private message or WeChat.

Week 4

Core PRC law: Personal Information Protection Law 2021 (PIPL)

Why does PIPL matter to business?

Operating within the law!

  • (GDPR-compliant companies have a head start here!)

Avoiding reputational damage

Penalties:

  • A66: Correction, confiscation of “unlawful income”
    • Failure to correct: fine for the company of up to RMB 1 million
    • Individuals directly responsible can be fined RMB 10k-100k
    • In “grave” circumstances: RMB 50 million / 5% of annual turnover, suspension or termination of business licence
    • In “grave” circumstances: individuals can be fined RMB 100k-1 million
  • A67: a ‘name and shame’ approach
  • A69: where the handler cannot prove lack of liability for infringements:
    • requirement to compensate loss
    • Based on loss to the individual and/or unjust enrichment
  • A70: potential prosecution for breach

Oversight Bodies (A60-65)

At national and regional level

State Cybersecurity & Information Department at top level

Responsible for:

  • Guidance on law & compliance
  • Enforcement
  • Dealing with complaints from individuals
  • Creation of clear rules & standards for applying the PIPL
  • Support for R&D and adoption of privacy protection tech
  • Support for industry certification schemes

Scope of the PIPL:

  1. Within PRC borders (A3)
  2. Outside PRC borders (A3) where:
    • Purpose is to provide products or services into China
    • Analysis / assessment of Chinese citizens’ activities within the PRC (e.g. market research, targeted advertising)
  3. “natural persons” (A3)
    • Living people
      • (But special arrangements for sensitive handling of the deceased’s information: A49)
  4. Personal Information (A4)
    • “all kinds of information recorded by electronic or other means”
      • “related to identified or identifiable natural persons…”
  5. “identified or identifiable natural persons…”
    • Identifying from the information
    • Identifying from that information plus other information
  6. Exceptions?
    • “…not including information after anonymization handling.”
      • De-identification (the information alone) (A73)
      • Anonymisation (impossible to identify and restore) (A73)
    • The profiling problem…
      • If in doubt, treat as personal information
  7. Sensitive Personal Information (A28)
    • “…once leaked or illegally used, may easily cause harm to…”
      • personal dignity / privacy
      • Serious harm to personal or property security (e.g. use for fraud)
    • Includes:
      • Biometrics, religious belief, health records, finances, location tracking…
      • Personal information of minors under 14 years of age
      • Non-exhaustive list
  8. Additional safeguards; necessity.

Who has responsibilities?

Public & private sector application

Personal Information Handlers

  • Organisations / individuals who “autonomously decide handling processes”
    • Data controllers
    • Also responsible for the activities of processors
  • Any business collecting & using personal information is affected by this law

Key principles affecting businesses

Collection of personal information must be:

  • Legal, necessary & honest
  • Only collect information necessary for the intended use
  • Clarity (for the data subject)

Obligations to ensure:

  • Data integrity & security
  • Treatment and use in line with the law

Consent (A13-18)

  • Required for collection and use of individual data
  • Must be informed
  • Must be voluntary and explicit
  • Only applies to the specified purposes for which the information was collected (including entrusting information to sub-contractors)
  • May be withdrawn
  • If declined, service may only be refused if the information is necessary
  • Exceptions where provided by law, e.g. police investigation

Compliance (methods of compliant collection)

By management and design

  • E.g. website design:
    • Clear privacy policy with a ‘tick box’ (opt-in) type requirement to progress
  • E.g. recorded message (telephone sign-up)
  • “using clear and easily understood language.”
  • Key information must be provided, including:
    • Name and details of the information collector
    • Purpose and duration of collection and use
    • Information about the exercise of data subject rights
  • Children’s consent (A31)
    • For under-14s, a parent or guardian must consent (age verification, service limitations)

Given these methods of compliant collection, what else does consent require?

Consent (A13-18): (I feel this could follow the earlier Consent section, but it sits under the Compliance heading in the slides, so I leave it here; it also gives a more detailed explanation of some of the points above)

  • Requires careful management:
    • Not to exceed the clear purpose for which collected
    • Time limitation: not to be kept longer than needed for that purpose
  • Consent can be withdrawn:
    • Need to provide clear information on the process
      • E.g. account settings on the website, dedicated email address, telephone number
    • Best practice: regular checks
      • E.g. requirement to re-confirm consent every few months or after a period of non-use of the service / not logging in
  • The business model and ‘necessity’ (incl. onward data sale)

Alternative to Consent: Necessity

  • Legal compliance
    • E.g. tax laws, criminal investigations
    • Fulfilment of contracts
      • Payment details, addresses (for distance selling)
  • Emergencies
    • E.g. health emergency, employee collapse at work
  • Public interest
    • Including “news reporting”
  • Information already put in the public domain

Further Obligations for Personal Information Handlers

(The other obligations are around A50; not sure how the slides were designed, so I follow the slide order for now.)

A22 Mergers, sale, company dissolution, bankruptcy et cetera:

  • Notification requirements regarding PI to be transferred
  • New holder bound by the original conditions absent further consent

A23 Transfer of personal information to another

  • Only with full, informed & voluntary consent

Automated decision-making (A24)

E.g. considering credit card applications

Must be transparent and fair

“unreasonable differential treatment of individuals in trading conditions” forbidden

  • E.g. offering different prices on an ecommerce site based on profiling of the individual

Must be a “convenient method to refuse” targeted advertising / offers

Individuals have a right to challenge & refuse automated decision-making

Additional rights for individuals

A44-A46: Right of control over information, right of access and to a copy, portability

Right of control over their information

  • Includes right to limit/refuse (ref: Consent section)

Right of access and to be given a copy

  • Exceptions where provided by law
  • Must be provided “in a timely manner”

Information portability

  • PI handler must facilitate transfer, e.g. to a new service provider

Right to ensure information held about them is accurate

  • Includes right to have inaccuracies corrected

A47: Right to be forgotten

“Right to be forgotten”: information deletion

  • Where the purpose collected for has been achieved, is impossible, or the information is no longer necessary
  • Service or product no longer available
  • Consent withdrawn
  • Legally required retention period ended
    • If not ended but consent withdrawn, must cease use and only store & ensure security (same rule if deletion is “technically hard to realise”)
  • Personal Information Handlers found to have breached the rules

A48-49: Right to request an explanation of PI handling rules; posthumous handling of information

Right to request clear explanation of rules on handling of personal information (to ensure legal compliance)

  • Need for clarity: relevant to specific audiences, e.g. children, visually impaired…

Posthumous treatment of information

  • PIPL designed to protect living individuals
  • BUT (unless prior arrangements made by the individual) rights on death can be exercised by next of kin
    • “for the sake of their own lawful, legitimate interests”
    • E.g. dealing with assets, closing accounts

Obligations for Personal Information Handlers

A50: Mechanisms and processes

To establish mechanisms & processes to deal with individual requests regarding data rights

Must provide an explanation if a request is refused

  • Individuals entitled to file a lawsuit to challenge such refusal

A51-53: Data security requirements

Data security requirements

  • Clear information available on how information is stored, potential risks, and protections
    • Includes requirements for use of technological protections, regular staff training, clear operational limits [codes of conduct], incident response plans ready in advance
    • Dedicated protection staff (where the company meets certain quotas set by the State Cybersecurity & Informatisation Department)
    • Contact details for protection staff to be provided (inc. specific individuals)
    • International companies to whom PIPL applies must appoint a representative in the PRC
  • (Works in tandem with the Data Security Law 2021)

A54-56: Review of compliance and security, impact assessment

Regular review and audits of PI handling & compliance, including security provisions (e.g. encryption up to date)

In some circumstances there must be an impact assessment before information is collected

  • Sensitive PI, automated decision-making, using a subcontractor, sending PI outside China, or otherwise “major impact” on the data subject

A57: Remediation of PI leaks, notification requirements

Response to a data leak: immediate remedial measures (based on existing processes)

Notification requirements

  • Government departments dealing with PI protection
  • Must include:
    • Information category, cause, potential harm
    • Measures taken to mitigate harm
    • Contact details
  • No need to notify individuals if it can be sure harm is avoided by the action taken
  • If harm may have been caused, must notify affected individuals

A58: Companies

Providers of “important internet platform services that have a large number of users and whose business models are complex…”

  • E.g. social media; scale/quantity of personal information
  • Additional requirements
    • Oversight bodies “composed mainly of outside members”
    • Public social responsibility reports

Working with other companies

A59: Third parties

Third-party subcontractors processing personal information must ensure data security

A20: More than one PI handler

Clear agreement required on the division of rights and responsibilities

Individuals can still demand action regarding their rights from any one PI handler

A21: Subcontractors

  • Can only be done with data subject consent
  • Must be an agreement setting out key issues, including:
    • Time limitations
    • Handling method
    • Types of personal information to be collected
    • Protection measures
    • Rights and duties of each side
  • Achievable by contractual agreement, binding corporate rules, etc.
  • Legal responsibility for oversight remains with the PI handler

A38: Cross-border data transfer

Cross-border operations: transferring data out of China for processing and use elsewhere (A38)

  • Data localization
    • May only export data where “truly necessary”
  • Must fulfil one of the following:
    • Pass a State Cybersecurity & Informatisation Dept security assessment
    • Certification by a specialised body recognised by the C&I Dept
    • Standard contractual terms provided by the C&I Dept
    • Other conditions set out in law / regulation / by the C&I Dept
  • OR: data export to a company in a country whose law China recognises
  • NB: Exporter liable to ensure compliance
  • Compliance strategies:
    • Training
    • Oversight (legal advice)
    • Contract: get everything in writing!
    • Pay close attention to C&I Dept advice

A39: Cross-border transfer requires the data subject’s consent

Consent of the data subject is required (A39)

  • All standard consent requirements apply (fully informed, et cetera)
  • All details must be provided to permit full exercise of data subject rights

A40: Cross-border transfer: information must be stored in China

“Critical information infrastructure operators and PI handlers [who meet set data quotas]” must store information within the PRC (A40)

  • State C&I Dept to oversee
  • Unless a standard arrangement is in place with the destination country, there must be a specific security assessment

A41: National security issues (only to permitted bodies)

National Security issues (A41)

  • Personal information stored in the PRC may only be provided to foreign judicial or law enforcement agencies (LEAs) where PRC authorities have granted permission

A42: Blacklist

Blacklist Provision (A42)

  • If foreign organisations or individuals violate PRC law on information protection or harm national security, the State C&I Dept can add them to a list requiring their access to Chinese PI to be limited or prohibited

Key practical advice for compliance (hinted to be a key part!!!)

  1. If in doubt, treat it as personal information
    • The profiling question (especially online)

[I guess this will be examined, or will come up wherever there is doubt. Just treat it as personal information without overthinking.]

  2. Informed consent is king
    • Invest in ensuring consent is properly acquired
      • Web design, training of telephone staff
      • Clearly explained privacy policies with appropriate attention drawn
      • Recording for telephone (or a script)
    • Consent trumps necessity!
  3. Sensitive personal data
    • Easier to avoid where possible
    • Extra care, only process where strictly necessary
  4. If children are the target market or among it:
    • Remember all under-14s’ data is sensitive
      • Parental consent requirements
      • Age verification: citizenship number, credit card…
      • Need extra flagging: website design, telephone procedure.
  5. Consent is an ongoing process, and can be withdrawn
    • Need for regular dialogue with the user (e.g. cookie warnings and regular reminders)
  6. Facilitating user rights
    • Key contact details available, specialist staff where appropriate
    • Proper internal organisation & processes
    • Website design and access
    • Procedure in place for posthumous dealing with data, deletion whenever appropriate
  7. Data security
    • Comply with all guidance from regulatory authorities
    • Ensure encryption, firewalls et cetera are kept up to date
    • Procedures in place for handling a data leak should one arise
    • Prevention better than cure!
  8. Working with others
    • Individual consent
    • The liability rules and importance of trusted partners
      • Oversight responsibilities
      • Importance of clear (written) rules
    • Transfer of personal information outside China
      • Ensure compliance with data localization rules
      • Necessity: not just convenience or cost-saving
      • Informed consent
      • Clear contractual agreements
        • May help with liability questions even where the law is recognised by the PRC
  9. Clear record keeping!
    • Information sent to customers, security procedures, actions in the event of a breach, audit requirements, dealing with individuals, showing all the rules were followed…
    • Evidence matters!

Protection of Communications Privacy in Postal Law

Postal Law of China, Article 4:

Freedom and privacy of correspondence shall be protected by law. No organization or individual shall infringe the freedom and privacy of correspondence of other persons for any reason, except when the inspection of correspondence in accordance with legal procedures by the public security organ, the State security organ or the procuratorial organ is necessary for the State’s safety or the investigation of a criminal offence.

Protection of personal information in Chinese Criminal Law

China’s Criminal Law, Article 252:

“[t]hose infringing upon the citizen’s right of communication freedom by hiding, destroying, or illegally opening others’ letters, if the case is serious, are to be sentenced to one year or less in prison or put under criminal detention.”

Article 284: Whoever unlawfully uses any special equipment or devices for eavesdropping or secret photographing, if the consequences are serious, shall be sentenced to fixed-term imprisonment of not more than two years, criminal detention or public surveillance.

Article 253(A) of the Criminal Law:

“where any staff member of a state organ or an entity in such a field as finance, telecommunications, transportation, education or medical treatment, in violation of the state provisions, sells or illegally provides personal information on citizens, which is obtained during the organ’s or entity’s performance of duties or provision of services, to others shall, if the circumstances are serious, be sentenced to fixed-term imprisonment of not more than three years or criminal detention, and/or be fined.”

“whoever illegally obtains the aforesaid information by stealing or any other means shall, if the circumstances are serious, be punished under the preceding paragraph.”

“where any entity commits either of the crimes as described in the preceding two paragraphs, it shall be fined, and the directly liable person in charge and other directly liable persons shall be punished under the applicable paragraph.”

Communications Privacy in China

Article 7 of the Measures for Security Protection Administration of the International Networking of Computer Information Networks in the People’s Republic of China:

Users’ freedom of communication and communications secrecy are protected by law. No unit or individual shall use the international networking to infringe on users’ freedom of communication and communications secrecy in violation of the provisions of law.

Article 18 of the Implementation Rules for Provisional Regulations of the Administration of International Networking of Computer Information in the People’s Republic of China:

It is prohibited to infringe on the privacy of others by accessing computer systems without authorization, tampering with the information of others or sending information in the name of others.

Measures for the Administration of Internet E-mail Services 2006

Protects Chinese citizens’ privacy of correspondence in using Internet e-mail services.

No organization or individual should infringe upon any citizen’s privacy of correspondence

Public Security Organ or Prosecutorial Organ can inspect the contents of correspondence pursuant to the procedures prescribed in law when required by national security or investigation of crimes

Obligations on Email Providers

Internet e-mail service provider obliged to keep confidential the user’s personal registered information and Internet e-mail addresses

Internet e-mail service provider or any of its employees should not illegally use any user’s personal registered information or Internet e-mail address, and should not divulge the user’s personal registered information or Internet e-mail address without the consent of the user.

  • Email services must comply with technical specifications established by the MII;
  • anonymous email forwarding must be prevented by disabling open relays;
  • security management is required, and remedial measures must be immediately undertaken when network security flaws are discovered;
  • service providers must maintain copies of all emails sent and received, as well as the email addresses and IP addresses of senders/receivers, for at least 60 days
    • cf. European ePrivacy Directive (similarities with GDPR?)
      • Provisions on retention of traffic data

Penalties for breach

Fines of up to RMB 30,000 per occurrence and, in severe cases, criminal prosecution.

Reporting Obligations

Establishment of a Complaint and Handling Centre for Email Abuse

Anti-Spam Provisions

Labelling Obligation

  • Advertising emails must be clearly labelled ‘AD’ (or the Mandarin characters) in the subject line

Opt-in consent to receiving advertising email

  • Unsolicited advertising emails forbidden

Prohibited Activities

  • Sending of email from someone else’s computer without authorisation
  • Email harvesting
  • Selling, sharing or distributing harvested emails
  • Anonymous / mislabelled emails

Content Restrictions

  • Certain email content forbidden, including: state secrets, hate speech, defamation, obscenity, pornography, gambling, violence, incitement to criminal activity.

Prohibitions on hacking, theft of others’ information on a network, spreading viruses, attacks on network security

Disclosure online permissible if:

  • Consent in writing
  • Disclosure is necessary in the public interest
  • Educational or scientific entity makes disclosure in the public interest, for academic research, or statistical analysis
    • with consent in writing to publication AND
    • Publication will not identify the individual
  • Information already made public, online or otherwise*
  • Personal information legitimately obtained*
  • *Disclosure in these categories is still subject to civil liability if against the public interest or public morality, or publication causes harm to the subject.

IISPs & Personal Information

Core law: “Several Provisions on Regulating the Market Order for Internet Information Services” (《关于规范互联网信息服务市场秩序的若干规定》)

Article 11: User consent for collection of personal information

User consent required for:

  • Collection of personal data
  • Disclosure to a third party
  • Subject to exceptions provided for by law / administrative regulation

Once consent is obtained:

  • Clear information to the user on how data will be collected / processed, & what personal data is collected

Collection limited:

  • Only data necessary to provide the service
  • Use restriction

Article 12: Protecting information

Website operators: duty to protect information

Leakage must be reported to the local telecommunications authority if it may cause “serious consequences”

Article 13: User rights over information; operators must protect information

User rights to use / modify / delete information they upload

Operators may not modify or delete information without a legitimate reason

Operators may not disclose or transfer without user consent

User consent must be genuine: no deception, coercion or misleading

Article 14: Complaints

Complaints procedure

  • Clear contact information for the operator on the website; 15-day response period

Articles 15-18: Penalties

Penalties

  • RMB 10,000-30,000
  • Telecommunication authorities empowered to make public announcements of wrongdoing

Provisions on Telecommunication & Internet User Personal Information Protection 2013

Article 4: ‘Personal information’

Information relating to individuals, collected by telcos and IISPs in the course of service provision

  • Includes name, DOB, ID no., address, phone, account info, passwords and other info that can be used separately or with other information to identify an individual.
  • Includes log details

Article 5: Lawful collection

Collection must be legal, proportionate, necessary

Though note other laws require retention for security purposes

Article 9

Consent requirement

No mention of opt-in/out, BUT the 2013 Guidelines suggest opt-in for sensitive personal information (e.g. religious details)

Further requirements throughout for transparency

  • INFORMED consent

Guidelines for the Supervision of IT Outsourcing Risks of Banking Financial Institutions (2014)

Applies to all banks & finance institutions established in the PRC (A2)

Designed to regulate outsourcing (A3)

  • E.g. bank hires a subsidiary company to run a customer-service call centre

Banks must guarantee confidentiality of “client information” (A15)

Consumer Protection Law

Aims (Article 1)

Consumer protection

And to promote “development of the socialist market economy”

  • cf. EU Digital Single Market strategy

Scope (Article 3)

Consumer transactions

  • “Proprietors producing or selling goods to provide to consumers…”

Mix of obligations for sellers and rights for consumers

Consumers: “right to have their personal information protected” (A14)

SAIC: Measures for the Punishment of Conduct Infringing the Rights and Interests of Consumers (《侵害消费者权益行为处罚办法》)

Article 11: Definition of consumer personal information

List of forbidden actions regarding infringement of consumer privacy in personal information

“Consumer personal information” = “information collected by an enterprise operator during the sale of products or provision of services, that can, singly, or in combination with other information, identify a consumer.”

  • Specific examples of “consumer personal information”: “name, gender, occupation, birth date, identification card number, residential address, contact information, income and financial status, health status, and consumer status”.

Forbidden activities (see A29):

  • Collection & use without consent
  • Disclosure, sale or illegal transfer to third parties
  • Commercial communications (SPAM) where either no consent or a clear indication they are not wanted

Obligations (see esp. A29):

  • Lawfulness, rationality, necessity
  • Expressly state purpose, method, scope of collection & use
  • Consent
  • Security (and duty to act if breached)
  • Publicise privacy policy
  • Observe additional laws and/or contractual obligations

Penalties: Article 56

  • Warning
  • Confiscation of illegal gains
  • Fine of up to 10 x illegal gain or, if none, up to RMB 500,000
  • Closure of business for remediation or revocation of business licence
  • Potential civil liabilities

China’s eCommerce Law

Article 24: Clearly state

Ecommerce businesses must:

  • Clearly state methods / procedures to facilitate individuals to:
    • Make enquiries about what information is held about them
    • Correct wrong information
    • Delete user information where requested
    • De-register user accounts (no unreasonable conditions to be applied)

Article 25: Provide information

Provide information to relevant authorities on request

  • Criminal investigation, et cetera