Viewpoint | Interpretation of Highlights of the Personal Information Protection Law and Corporate Compliance Guidelines


Published:

2021-08-22

With the rapid development of information technology and the continuous expansion of global networks, "data information" has become an indispensable element of social production. While people enjoy the convenience that data brings to daily life, the exposure of personal information and the risk of infringement have also increased greatly. China's legislation on the protection of personal information has therefore been placed on the agenda. On August 20, 2021, after three rounds of review and reading, the 30th meeting of the Standing Committee of the 13th National People's Congress deliberated, passed and promulgated the Personal Information Protection Law, which will come into force on November 1, 2021.

The Personal Information Protection Law is divided into eight chapters, which clearly stipulate the definition of personal information, processing rules, cross-border rules, processor obligations, departmental responsibilities and legal liability. Compared with the first review draft, the second review draft added important provisions such as the protection of the personal information of deceased persons and the personal information protection obligations of very large Internet platforms; the Personal Information Protection Law as finally released made many further amendments and improvements in wording and substance, such as separate provisions on the protection of the personal information of minors under the age of 14, and amendments to the provisions on adopting reciprocal measures against discriminatory prohibitions, restrictions or other similar measures. The most important significance of the promulgation of the Personal Information Protection Law is that it lays down clear rules for attributing liability, and corresponding penalties, for infringement of personal information, which reflects China's firm determination to protect personal information rights and interests. Where a violation involving personal information is serious, the violator faces not only an administrative fine of up to 50 million yuan or 5% of turnover, but potentially other more stringent civil and criminal liabilities.

This article interprets the highlights of the Personal Information Protection Law and discusses its legislative impact and practical recommendations from the perspective of corporate compliance, for reference only.

Overview of the main content of this article:

1. Application and Object of Personal Information Protection

Compliance recommendations:

1. Any entity engaged in personal information processing activities within the territory of China must comply with the requirements of this Law. Where personal information is processed outside China for the purpose of providing products or services to natural persons in China, or of analyzing and evaluating the conduct of natural persons in China, the same compliance requirements apply as for processing within China.

For example, an overseas e-commerce company has no entity in China, but its global website offers a multilingual interface including Chinese and allows Chinese users to place online orders with cross-border delivery. Personal information obtained in this process is also protected by this Law.

2. Enterprises can use the "identification plus association" standard to determine whether the data they process is personal information:

(1) Identification: from information to the individual, that is, the particular nature of the information itself makes it possible to identify a specific natural person. For example, an ID card number or mobile phone number points to a specific individual;

(2) Association: from the individual to information, that is, information generated by a specific natural person in the course of their activities. For example, the location information, personal preferences and similar data of an already known natural person.

Enterprises must fulfil their compliance obligations throughout the life cycle of personal information from collection to deletion; however, where information is used for commercial purposes after irreversible anonymization, lawful and compliant use is still permitted.

2. Basic Principles of Personal Information Processing

Compliance recommendations:

1. Enterprises shall not collect personal information by fraud, deception or misleading means; shall not conceal the personal information collection functions of their products or services; and shall not obtain personal information through illegal channels. Enterprises shall strictly examine, for each business line in the course of operations, whether there is a direct need for the data and whether collecting it is strictly necessary.

2. Enterprises should formulate an internal personal information protection system. Its specific contents may include: the information conveyed to customers/users should be true, accurate and complete; the purpose, methods and rules for collecting, processing and using personal information should be clearly communicated; and external disclosure channels and complaint handling channels should be established.

3. Specific Rules for the Handling of Personal Information

(I) Separate consent

Compliance recommendations:

Before collecting personal information, the personal information processor shall inform the individual of the specified matters in a conspicuous manner and in clear, easy-to-understand language, and the individual's consent to the processing of their personal information shall be given voluntarily and explicitly on the premise of being fully informed.

1. The individual shall be prompted in a prominent way so as to obtain their "consent".

2. The means and mechanisms by which personal information processors obtain the consent of personal information subjects include privacy statements in the App/website, interactive windows for authorization and consent, or other means such as written agreements and contracts.

3. "Forced consent" or "disguised forced consent" must be absolutely excluded. If the personal information sought is not necessary for providing the product or service, an individual's use of the product or service after refusing shall not be affected or restricted.

4. The privacy statement should include a "withdrawal of consent" function together with an explanation of it, and the system should be able to respond quickly to a (potentially) high volume of concurrent consent withdrawals by users.

Enterprises in special fields, such as pharmaceuticals and finance, shall obtain personal information in accordance with industry regulations and hold the corresponding qualifications.

(II) Obligation to inform

Compliance recommendations:

Before processing personal information, personal information processors can achieve compliance through the following measures and mechanisms:

1. A privacy statement for the App/website, which shall contain the matters specified in Article 17 of this Law.

2. Revise and improve the notification text, and avoid incomplete enumerations using "etc.", "for example" and similar wording.

(III) Joint processing, entrusted processing and providing personal information to others

Compliance recommendations:

Joint processing and entrusted processing often occur when an enterprise cooperates with a third party; the parties can negotiate the details and sign an agreement based on the purpose and method of the cooperation.

If personal information processing is entrusted to another party, compliance can be achieved through the following measures and mechanisms:

1. Agreements and contracts concluded by both parties, covering the matters stipulated in the legal provisions and the division of obligations between the parties;

2. The entrusted processor provides the entrusting party with a personal information processing report to demonstrate compliance;

3. The entrusting party destroys the personal information and provides a compliance report;

4. Take measures such as auditing and continuous monitoring during the dynamic process of cooperative processing of personal information to avoid subsequent disputes.

(IV) Automated decision-making

Compliance recommendations:

In order to prevent infringements such as the misuse of user browsing records, reverse identification of personal identity by cross-matching databases, the refinement of user profiles and precision marketing, in automated decision-making scenarios involving personal information compliance can be achieved through the following measures and mechanisms:

1. In commercial marketing and information push scenarios, provide a portal (window or button) through which users can refuse automated decision-making services.

2. The processing of personal information shall rest on consent as its legal basis.

3. Provide users with optional reports on automated decision-making.

(V) Information collection in public places

Compliance recommendations:

This article in particular reminds enterprises that install image acquisition and personal identification equipment in public places that, in addition to obtaining individual consent, the information collected may only be used for the purpose of maintaining public security, and prominent notice signs must be set up.

(VI) Sensitive information processing rules

Compliance recommendations:

For sensitive information processing, enterprises should focus on:

1. Clarify which kinds of personal information fall into the sensitive category, paying special attention to fields such as biometrics and health care, and ensure that this information is acquired only for a specific and necessary purpose.

2. The user should be informed, and should confirm, through a prominent pop-up window in the App/website.

3. For the information of minors under the age of 14, enterprises should design a youth mode on the product/service side, ensure compliant processing of personal information through parental identity verification, and formulate and publish special personal information processing rules.

4. Cross-border Transmission of Personal Information

Compliance recommendations:

On the issue of cross-border transmission of personal information, it is recommended that enterprises achieve compliance through the following measures and mechanisms:

1. Assess whether the personal information really needs to be provided abroad, strictly in accordance with the conditions stipulated in Article 38 of this Law.

2. Complete a security risk assessment and personal information protection certification; the contract with the overseas recipient must be based on the standard contract formulated by the national cyberspace administration.

3. Personal information processors involved in cross-border transmission can obtain individual consent through privacy statements on websites and Apps, pop-up notifications, or notification by mail or telephone.

4. If the amount of personal information handled by an enterprise reaches the threshold set by the national cyberspace administration, the information shall be stored within China, and a security assessment must be passed before it is transferred abroad.

5. Rights of Personal Information Subjects

Compliance recommendations:

Enterprises shall, in light of the basic rights enjoyed by personal information subjects under this Law, make it fully convenient for individuals to exercise those rights, and shall pay attention to the following issues:

1. Before acquiring personal information, explain each of these rights.

2. Provide a mechanism for accepting and handling user rights requests; for example, an interactive window for submitting the various rights requests can be embedded in the website/App.

3. Provide compliance reports to users on a regular basis.

4. Respond quickly to users' requests to withdraw consent.

5. Ensure the timely deletion or destruction of stored personal information once the retention period expires.

6. Obligations of Personal Information Processors

Compliance recommendations:

General personal information processors shall perform their basic obligations in accordance with Article 51 of this Law. If an enterprise is a critical information infrastructure operator, or holds a large amount of personal information in a sensitive type of industry, it shall, in accordance with Article 58 of this Law and on the basis of the Article 51 basic obligations, regularly issue evaluation reports and accept social supervision as a first step. Article 58 of this Law is also the point of connection between the field of personal information protection and the field.

Compliance recommendations:

If the personal information handled by an enterprise reaches the amount specified by the national cyberspace administration, the enterprise shall designate a person in charge of personal information protection, publish that person's contact information on a public page, and submit the name and contact information of the person in charge to the department performing personal information protection duties.

An overseas personal information processor to which this Law applies shall establish a dedicated agency or designate a representative within the territory of China, and submit the name of the agency or the name and contact information of the representative to the department performing personal information protection duties.

Compliance recommendations:

Compliance audits, assessment mechanisms and timely remedial measures are the special mechanisms by which enterprises, as personal information processors, protect personal information.

1. Compliance audits of data processing activities include system-log-based compliance audit techniques and data-flow audit techniques. They are used for compliance audits of internal personal information processing and for compliance audits of activities such as data sharing or entrusted processing between personal information processors.

2. The assessment mechanism should address which situations must be assessed and which matters must be assessed, and note that the personal information protection impact assessment report and processing records must be kept for at least three years.

3. Establish a remedial mechanism for personal information security incidents such as leakage and tampering, and analyze the causes in a timely manner to reduce risk.

Conclusion

For individuals, as the subjects of personal information rights, the formulation and implementation of this Law will comprehensively upgrade the protection of personal information; individuals should familiarize themselves with the basic rights they enjoy and refuse unnecessary information collection more directly. For enterprises, as personal information processors, the Law becomes the basic guideline that they must follow when processing personal information in the future. From the perspective of national supervision, the Law stipulates a maximum fine of 50 million yuan or 5% of the previous year's turnover; such severe punishment provides a strong guarantee for the protection of personal information.

From the perspective of enterprise compliance, this article has interpreted the provisions of this Law that enterprises must follow and provided compliance suggestions for enterprises' reference. This Law will come into effect on November 1. In the future, more real cases and painful penalties will provide more concrete feedback from the perspective of practice. Enterprises need to strictly comply with the Law and actively explore as they develop.
