United States: 《网络安全法》时代数据跨境传输的企业合规挑战

2016年11月7日,《中华人民共和国网络安全法》(以下简称"《网络安全法》")正式通过,2017年6月1日起施行。《网络安全法》共包括七章,七十九条,对网络安全等级保护制度、关键信息基础设施保护和用户个人信息保护制度等从法律层面上进行了规定。其中,限制关键信息基础设施的数据跨境传输的有关规定自《网络安全法(草案)》初次审议(以下简称"一审稿")以来倍受全球范围的广泛关注。限制数据跨境条文的最终落地,将对企业跨国经营产生巨大的实际影响,也将成为跨国企业的首要合规挑战。

一、数据跨境传输的崭新变局

作为中国网络安全领域的基本法律,《网络安全法》第三十七条规定,"关键信息基础设施的运营者在中华人民共和国境内运营中收集和产生的个人信息和重要数据应当在境内存储。因业务需要,确需向境外提供的,应当按照国家网信部门会同国务院有关部门制定的办法进行安全评估;法律、行政法规另有规定的,依照其规定。"这一规定将为在华运营的企业,尤其是跨国公司带来的全球化运营产生重大影响。需要明确的是,跨国公司并不仅限于传统意义上的"外企",随着中国企业在海外业务的不断拓展,许多中国企业也已加入到跨国公司的行列,也将同样面临数据跨境传输的法律限制。
近年来,中国政府已开始逐渐关注数据跨境传输问题,但先前已有的法规在规制数据类型及领域等方面还比较局限。例如,2013年1月21日国务院公布的行政法规《征信业管理条例》第二十四条规定,"征信机构在中国境内采集的信息的整理、保存和加工,应当在中国境内进行。征信机构向境外组织或者个人提供信息,应当遵守法律、行政法规和国务院征信业监督管理部门的有关规定";2011年1月21日中国人民银行发布的部门规章《人民银行关于银行业金融机构做好个人金融信息保护工作的通知》第六条规定,"在中国境内收集的个人金融信息的储存、处理和分析应当在中国境内进行。除法律法规及中国人民银行另有规定外,银行业金融机构不得向境外提供境内个人金融信息"。可以看出,以上两个文件所针对的领域仅限于征信领域及银行业金融领域,涉及的数据范围也较为局限。

此外,作为中国首部对个人信息保护制定国家标准的《信息安全技术公共及商用服务信息系统个人信息保护指南》在第5.4.5条规定,"未经个人信息主体的明示同意,或法律法规明确规定,或未经主管部门同意,个人信息管理者不得将个人信息转移给境外个人信息获得者,包括位于境外的个人或境外注册的组织和机构"。显然,该指南涵盖的领域与数据范围要比前述两个文件广泛许多,但该指南作为"指导性技术文件"对相关企业及个人并不具有强制力。

相比而言,《网络安全法》系首次从国家法律层面限制数据的跨境传输,无论是从法律层级、规制领域范围、数据类型,还是规制程序、法律责任等角度来看,都显著超越之前的规范性文件。

二、加速出台的立法背景及条文演化

自2014年中国接入国际互联网20周年,中国已经全面迈入互联网时代。蓬勃发展的互联网在经济、社会、文化等各个领域建功卓著,然而,人们在享受互联网所带来的财富与便利的同时,也面临着互联网本身隐含的诸多风险与威胁,其间滋生着诸如网络侵权、互联网不正当竞争、黑客攻击、数据泄露等大量问题,而其中的网络安全问题则已上升为世界各国关注的重要议题,网络安全已成为关系国家安全和发展,关系人民群众切身利益的重大问题。为防止公民个人信息被窃取、泄露和非法使用,《网络安全法》在《全国人民代表大会常务委员会关于加强网络信息保护的决定》的基础上,进一步完善公民个人信息保护制度,规范网络信息传播活动。

《网络安全法》的立法进程可谓一直在"加速前进"。2015年6月,全国人大常委会对草案进行了初次审议并在接下来的一个月内完成了草案的意见征集。2016年6月,仅一年之后,全国人大常委会对二次审议稿("二审稿")进行了第二次审议。2016年10月,在全国人大常委会第二十四次会议上,原本不在预先公布的草案审议议程中的《网络安全法(草案)》在开幕首日便提请审议,并最终获得通过。从2015年6月草案一审到最终审议通过,历时仅短短一年半左右的时间。

在三次公布的草案审议稿中,有关数据跨境传输的规定也一直在不断变化,具体体现在对"关键信息基础设施"的定义与范围规定的不同。一审稿中,关键信息基础设施有明确的范围,包括(1)基础信息网络,主要包括广电网、电信网、互联网;(2)重要行业和公共服务领域的重要信息系统,例如核岛控制系统、银联交易系统、智能交通系统、供水管网信息管理系统、社保信息系统等;(3)军事网络,例如军事通信网、军队指挥自动化系统等;(4)地市级以上政务网络,例如电子政务系统、政府门户网站等;(5)用户数量众多的网络服务商系统。而在公布的二审稿中,对关键信息基础设施的概念采取了概括性规定,并删除了有关关键信息基础设施的具体范围的表述,规定具体范围由国务院进行制定。最终通过的《网络安全法》将一审稿与二审稿的表述进行结合,进一步界定了关键基础设施的范围,既列举了一些具体行业和领域,如公共通信和信息服务、能源、交通、水利、金融、公共服务、电子政务,又用"其他一旦遭到破坏、丧失功能或者数据泄露,可能严重危害国家安全、国计民生、公共利益的关键信息基础设施"进行了兜底规定,具体范围仍然授权国务院进行制定。

三、主管部门、规范体系与发展趋势

《网络安全法》规定关键信息基础设施的范围由国务院制定,在中国网络安全领域问题逐渐突出,立法需求逐渐增强,立法进程逐步加快的背景之下,可以预见国务院的后续相关规范也会在不远的将来落地。届时,结合已有的《征信业管理条例》、《人民银行关于银行业金融机构做好个人金融信息保护工作的通知》等行政法规和规范性文件,中国的数据跨境传输规范体系将初步建成。

从国际上来看,数据跨境传输的不同规范模式已经基本形成。如美国基于其信息产业的优势地位以及对数据自由流动的依赖性,在法律层面并没有对数据跨境传输做出限制性规定。而针对特定行业的外国资本进入,美国则通过与其签订安全协议的形式对数据本地化(Data Localization)作出要求。欧盟虽然不禁止数据的跨境传输,但即将生效的《一般数据保护条例》(General Data Protection Regulation)对向欧盟境外的国家传输做出了非常严格的条件,其中之一即为由欧盟委员会对接收国的数据保护体系作出"充分保护认定"(Adequate Decision),确认接收国可以为数据提供充分的保护后才可传输。看上去充分保护认定与中国《网络安全法》第三十七条中"因业务需要,确需向境外提供的,应当按照国家网信部门会同国务院有关部门制定的办法进行安全评估"的规定略有相似。在将来中国的数据传输的安全评估体系中,对充分保护的类似认定也可能会作为考量因素之一。其他一些国家如澳大利亚则采取禁止特定领域的数据跨境传输的规制模式,与之相反,俄罗斯的《个人数据法》中的数据本地化要求则普遍适用于在境内收集个人数据的企业。中国的数据跨境传输规范会采取哪种形式,有待国务院及相关部门出台各类规定和实施细则。

《网络安全法》第八条第一款规定,"国家网信部门负责统筹协调网络安全工作和相关监督管理工作。国务院电信主管部门、公安部门和其他有关机关依照本法和有关法律、行政法规的规定,在各自职责范围内负责网络安全保护和监督管理工作。"由此条款可知,《网络安全法》在国家层面的实施将至少涉及国家网信部门、国务院电信主管部门和公安部门,这和网络安全本身牵涉甚广的现实是相符的,相关配套规范的研究制定及后续执法工作,尚需各相关部门的相互协调与通力合作。此外,通观整部法律,有关"网信部门"的描述(含近似描述)共在条文中出现13次,所涉职权包括负责统筹协调网络安全工作和相关监督管理工作;会同国务院有关部门制定、公布网络关键设备和网络安全专用产品目录,并推动安全认证和安全检测结果互认,避免重复认证、检测;对关键信息基础设施的运营者采购的可能影响国家安全的网络产品和服务,会同国务院有关部门组织的国家安全审查等等。可见,网信部门在《网络安全法》相关配套规范制定及实施监管中担任着十分重要的角色,其在以往出台和正在制定的相关规范文件及执法实践,亦值得企业重点关注与参考。

四、企业法律风险管理

贸易全球化与企业运营国际化的当下,信息的跨境传输每时每刻都在世界各地发生,尤其对跨国公司来说,海量信息伴随着其内部运营、现金流转、业务往来等在各国、各地区间频繁传递。根据《网络安全法》第六十六条的规定,"关键信息基础设施的运营者违反本法第三十七条规定,在境外存储网络数据,或者向境外提供网络数据的,由有关主管部门责令改正,给予警告,没收违法所得,处五万元以上五十万元以下罚款,并可以责令暂停相关业务、停业整顿、关闭网站、吊销相关业务许可证或者吊销营业执照;对直接负责的主管人员和其他直接责任人员处一万元以上十万元以下罚款。"违反有关限制数据跨境传输的规定,不但将面临网信部门的行政调查和罚款,更严重的法律后果包括吊销有关许可证和执照,从而对企业的跨境运营造成根本性影响。

尽管《网络安全法》最终删掉了一审稿中"用户数量众多的网络服务提供者所有或管理的网络和系统"的具体表述,但这并不意味一般企业就不会成为限制数据跨境传输的规制对象。首先,"公共通信和信息服务"的表述可以做广泛的解释。仅就信息服务业而言,其本身所涉范围甚广,一般认为可分为三大类:即信息传输服务业;IT服务业(信息技术服务业);信息资源产业(主要指信息内容产业)。其次,国务院在出台后续规范时,会将"关键信息基础设施"、"重要数据"等圈定在多大的范围之内尚不明确。

因运《网络安全法》时代的崭新变革,就限制数据跨境传输方面,我们对企业的提出如下合规建议:

  1. 梳理现有数据系统,做好信息本地化的技术准备梳理本企业进行跨境传输的信息和数据,准确识别所涉"个人信息与重要数据"。对于那些可以本地化存储和加工的信息和数据,做好在中国境内存储相关信息的技术准备。对于调整经营模式可以缩小跨境传输范围的数据,则应提前做好相关技术准备。如果企业运营确实需要跨境传输部分业务,同时企业有可能被包括在关键信息基础设施经营者范围之内,则应区分不同具体情况:对可以将关键信息基础设施剥离处置的应当尽早准备预案;对于无法剥离和隔离的,则应制定合规手册,以适应《网络安全法》的评估和报备要求。
  2. 密切关注后续实施细则的制定与实施《网络安全法》授权国务院对关键信息基础设施的具体范围和保护办法进行制定,目前虽尚未从公开渠道获取国务院在此方面的制定动向,但可以预见相关规范会在不远的将来相继出台。企业应对相关规范的制定与实施进行密切关注,并可在必要时通过合法途径提出合理建议和意见。此外,《网络安全法》还授权国家网信部门和国务院有关部门就因业务需求确实需要向境外传输时进行安全评估,安全评估的相关依据文件相信也在制定当中,企业应当一并予以高度关注。
  3. 进行跨境数据传输的安全评估工作《网络安全法》第三十七条明确要求"关键信息基础设施的运营者在中华人民共和国境内运营中收集和产生的个人信息和重要数据应当在境内存储。因业务需要,确需向境外提供的,应当按照国家网信部门会同国务院有关部门制定的办法进行安全评估;法律、行政法规另有规定的,依照其规定"。有关数据跨境传输安全评估制度的确立在一定程度上强化了对信息保护的力度,同时也对相关企业提出了更高的合规要求。在日后的运营中,相关企业因业务需要需向境外传输相关信息的,应注意依法配合进行安全评估工作。
  4. 积极应对数据跨境传输的国际冲突全球化背景下,跨境数据传输是企业在国际经济贸易中的业务需求,而基于国家主权、国家安全、经济发展和个人隐私等方面诸多考虑,各国会在不同程度上对数据的跨境传输进行限制(或称为保护)。如此,需求与限制之间便产生冲突。随着中国对网络安全和数据保护提出新的要求,数据跨境传输业已成为企业合规的一大痛点。特别是对于跨国经营的企业,其在许多情境下都需要跨境传输数据,而同时其可能面对数据所在国、加工国和使用国法律的在限制跨境传输方面的不同限制。如何协调数据跨境传输的需求与限制之间的冲突,成为中国企业走出去、外国企业在华经营都必须面对的问题。

在此之外,我们也建议商业运营与数据跨境传输密切关联的企业未雨绸缪,基于中国目前的法律框架,先行建立有关数据跨境传输的合规体系,并对有关法律风险包括可能的法律冲突与全球运营商业模式进行充分的评估。

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Events from this Firm
24 Oct 2017, Seminar, Washington, DC, United States

The Dentons Forum for Women Executives invites you to join us for a luncheon featuring guest speaker Liza Mundy, journalist and author. Ms. Mundy recently released her latest book, Code Girls, the riveting untold story of more than 10,000 spirited young American women who cracked German and Japanese codes to help win World War II.

27 Oct 2017, Seminar, New York, United States

Please join us for a milestone event, our 10th annual CLE Seminar for In-House Counsel.

1 Nov 2017, Seminar, Washington, DC, United States

Celebrate the 58th anniversary of Dentons' Government Contracts practice

 
In association with
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Check to state you have read and
agree to our Terms and Conditions

Terms & Conditions and Privacy Statement

Mondaq.com (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

Use of www.mondaq.com

You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about Mondaq.com’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.

Disclaimer

Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.

Registration

Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.

Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

If you do not want us to provide your name and email address you may opt out by clicking here .

If you do not wish to receive any future announcements of products and services offered by Mondaq by clicking here .

Information Collection and Use

We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to unsubscribe@mondaq.com with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.

Cookies

A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.

Links

This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.

Mail-A-Friend

If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.

Security

This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to webmaster@mondaq.com.

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to EditorialAdvisor@mondaq.com.

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at enquiries@mondaq.com.

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at problems@mondaq.com and we will use commercially reasonable efforts to determine and correct the problem promptly.