
Shihui Perspectives | How China's Data Protection Rules Affect the Web 3.0 Market

Shihui Perspectives, Shihui Partners (世辉律师事务所), 2022-06-13


In 2021, China officially promulgated the Data Security Law (the “DSL”) and the Personal Information Protection Law (the “PIPL”).  It is expected that in 2022, a series of specific rules will be finalized to support implementation of the two laws.  This article aims to introduce how these data protection rules may affect the Web 3.0 market.






Authors: Shihui Partners (世辉律师事务所) | Lu Jing (卢璟) | Xia Yan (夏彦) | Zeng Zheng (曾铮)


I. Background

On May 27, 2022, the Web 3.0 move-to-earn app STEPN announced that, starting from July 15, 2022, it would stop providing Global Positioning System (GPS) and Internet Protocol (IP) location services to users in China.  STEPN also said the move was made to actively comply with relevant regulatory requirements in China, although it is unclear which specific requirements STEPN was referring to.




II. Overview of Data Protection Rules in China


In China, two types of data are subject to enhanced regulatory scrutiny: Important Data, and Personal Information.  In particular, cross-border transfer of these data may trigger a state security concern by the Chinese government.


1. Rules Related to Important Data


a) What is Important Data?


Important Data is a concept under the DSL, which refers to data which, once tampered with, destroyed, divulged or illegally used, may cause a material adverse impact on state security or the public interest.  The DSL does not further specify what types of data will be regulated as Important Data, but delegates to the government agencies of different industries the task of formulating a Catalogue of Important Data for each industry.  The catalogues will clarify the scope of Important Data in each industry.  Up to now, the Catalogue of Important Data for the Automobile Industry has been promulgated, while the catalogues for the other industries have not yet been issued.




According to the Catalogue of Important Data for the Automobile Industry, the following data are regulated as Important Data:




  • Geographical information, flows of people or vehicles and other data in respect of any sensitive location such as a military administrative zone, an entity responsible for science and technology development for national defense, or a Party or government agency at or above the county level;

  • Traffic volume, logistics and other data that reflect the performance of the economy;

  • Data related to the operation of a vehicle charging network;

  • Video or image data captured outside the vehicle that contains facial images or license plate information; and

  • Personal Information involving more than 100,000 individuals.


Although the above catalogue applies only to the automobile industry, it reflects the regulatory attitude regarding what data the government views as important enough to affect state security or the public interest.  For instance, it is highly likely that government agencies in other industries (e.g., the Web 3.0 industry) would also regulate the following data as Important Data: (i) the geographical information of any sensitive location (e.g., a military base or government agency); and (ii) Personal Information involving a very large number of individuals.




b) General Rules about Protection of Important Data


Under the DSL, anyone who collects and uses Important Data within China shall: (i) designate a Data Security Officer responsible for the protection of the Important Data; (ii) regularly conduct a risk assessment of the Important Data processing activities and submit the risk assessment report to the competent authorities; and (iii) comply with relevant rules on the cross-border transfer of Important Data, as further explained in Section II.1.c) below.




c) Cross-Border Transfer of Important Data


The cross-border transfer of Important Data is subject to a prior security assessment conducted by the Cyberspace Administration of China (“CAC”).  




Since the Important Data may have an impact on China’s state security or public interests, it is reasonable to expect that the Chinese government will be very serious about the CAC security assessment requirement.  In other words, if anyone transfers Important Data outside of China without obtaining the CAC’s clearance, or if anyone outside of China bypasses the CAC security assessment to collect Important Data from within China, the Chinese government may take enforcement action to crack down on the cross-border data transfer.




2. Rules Related to Personal Information


a) What is Personal Information?


As defined under the PIPL, Personal Information means any kind of information related to an identified or identifiable natural person as electronically or otherwise recorded, excluding information that has been anonymized.




Therefore, to determine whether certain data is regarded as Personal Information under the PIPL, the key is whether the data can be used to identify a natural person.  For instance, a mobile number in China is classed as Personal Information under the PIPL, because a mobile number in China is registered against a natural person's ID certificate.  By contrast, in the case of an overseas mobile number that is not bound to a natural person's ID certificate, there is a strong basis to argue that the mobile number is not Personal Information.




b) General Rules about the Protection of Personal Information


The PIPL requires that anyone who collects and uses the Personal Information of natural persons within China shall: (i) appropriately notify the natural persons about how their Personal Information will be used and collected; (ii) obtain a legal basis for collecting the Personal Information, e.g., the consent of the natural persons; (iii) conduct a Personal Information Protection Impact Assessment (“PIA”) for processing Sensitive Personal Information, cross-border transfer of Personal Information, and some other potentially high-risk scenarios; and (iv) comply with relevant rules on cross-border transfer of Personal Information, as further explained in Section II.2.c) below. 




c) Cross-Border Transfer of Personal Information


As required by the PIPL, anyone who transfers Personal Information outside of China shall, among other requirements: (i) to the extent applicable, obtain the natural persons’ separate consent for the cross-border transfer; (ii) conduct the PIA; and (iii) sign a data protection contract with the overseas data recipient.




More importantly, for anyone who processes a large volume of Personal Information, the cross-border transfer shall be subject to a prior security assessment by the CAC.




Under the draft Measures on Security Assessment of Cross-Border Data Transfer issued by CAC in October 2021 to solicit public comments, anyone who reaches either of the following thresholds must pass the CAC security assessment before the cross-border transfer of the Personal Information: 




  • Processing within China the Personal Information of more than 1,000,000 natural persons; or

  • Accumulatively transferring outside of China: (i) the Personal Information of more than 100,000 natural persons; or (ii) the sensitive Personal Information (e.g., health-related information or financial account information) of more than 10,000 natural persons.


III. Impact on the Web 3.0 Market

1. Nature of the Web 3.0 Business Model


The vision and nature of the Web 3.0 business model is to achieve rights authentication of data on the blockchain, by which clients can own, control and profit from the data they have created on the Internet.  Unlike the Web 2.0 business model, Web 3.0 users may log in to a product or platform account using anonymous information or encrypted personal identities, from which the companies can only obtain proxy smart contract addresses and have no way to recognize personally identifiable information.  Moreover, the data produced by clients will be stored on decentralized servers, meaning that the power of Web 3.0 service providers to control the data will be greatly reduced.




Due to the prohibition of cryptocurrency-related business and transactions in China, Web 3.0 companies involved in cryptocurrency business can only be registered outside China and may not provide any service targeting users within China.  However, some users in China may still access the websites and use the products of such offshore Web 3.0 companies by means of certain technical solutions.




As for Web 3.0 companies that are not engaged in any cryptocurrency business (or any other business prohibited in China), if such companies are registered in China or provide services to clients within China, user data may be collected, stored and otherwise processed within China, or transferred outside the territory.




2. Web 3.0 Companies Collecting Chinese Clients' Data Outside of China


As for companies located outside of China, it is advisable for them to closely monitor the catalogues of Important Data and assess in a timely manner whether any data collected from China falls into the catalogues.  As mentioned in Section II.1.c) above, the Chinese government will be serious about regulating the cross-border transfer of Important Data and may take enforcement action to crack down on the cross-border data transfer activities that bypass the CAC security assessment requirement.  Therefore, to the extent that any data falls into the catalogues, the companies shall either stop collecting such data, or apply for the CAC security assessment (although such application may not be practically feasible, considering that individual users directly provide relevant data to the companies outside of China).  However, as for the other rules discussed in Section II.1.b) above (e.g., designation of a Data Security Officer or regular risk assessment), the likelihood is low that these rules would directly apply to companies outside of China.




As for the rules about Personal Information, it is true that the PIPL has an extra-territorial effect.  Theoretically speaking, companies located outside of China shall also comply with those rules as discussed in Section II.2.b) above when the companies collect the Personal Information of natural persons within China.  However, we do not see a high enforcement risk in terms of PIPL compliance, because of the following:




  • The Chinese government has not issued any specific regulation on how to apply the PIPL to an overseas company, and up to now, we have not observed any enforcement case in this regard.

  • To the extent that the overseas companies are not aiming to collect the Personal Information of natural persons within China, and the volume of Personal Information from China is not huge (e.g., not more than 100,000 individuals), the likelihood that the Chinese government would be interested in taking enforcement action against the overseas companies is low.


Further, due to the decentralized and anonymized nature of the Web 3.0 business, many Web 3.0 companies do not need to collect their users’ Personal Information.  If there is no collection of Personal Information, the companies will not be subject to the PIPL. 




3. Web 3.0 Companies Collecting Chinese Clients' Data within China


Web 3.0 companies within China that are not engaged in any cryptocurrency business (or any other business prohibited in China) will face a heavier regulatory burden than those located outside of China.




First of all, to the extent that any data they collect falls into the catalogues of Important Data, the companies shall comply with all the rules related to Important Data, as described in Section II.1.b) above.  In particular, if the companies intend to transfer the Important Data outside of China, they must apply for the CAC security assessment.  Again, it is advisable for these companies to closely monitor the catalogues of Important Data to be issued by the Chinese government in the future.




Second, if the companies collect any Personal Information, they shall also comply with all the rules related to the Personal Information, as discussed in Section II.2.b) and c) above.  In particular, if the companies intend to transfer the Personal Information outside of China and they reach a threshold that requires the CAC security assessment, the companies shall apply for the assessment.




IV. Conclusion

The Web 3.0 business model may achieve better protection of personal privacy and allow clients to realize the maximum economic benefit from their data.  However, concerns about data security, money laundering, terrorism financing, tax evasion, hacking and other unlawful activities are continually raised, which may lead competent authorities to impose more stringent regulatory requirements regarding users' personal identification and more stringent KYC duties on service providers.  More stringent KYC examination means a greater likelihood of collecting Personal Information.  Thus, it is advisable for service providers to consider the issues analyzed in this article carefully.  In addition, since issues related to Important Data will be the focus of enforcement for the Chinese government, Web 3.0 companies should closely monitor whether any data they collect falls into the catalogues of Important Data to be issued by the government authorities in China.




We hope the above is helpful.  Feel free to contact us if you have any questions.  Thanks.


Copyright and Disclaimer

This article is for the reference of industry professionals only and should not be regarded as legal advice in any sense. Without the written consent of Shihui Partners, this article may not be used for any other purpose. Please credit the source when republishing. If you have any questions about the content of this article, you may contact Shihui Partners.

Lu Jing (卢璟), Partner

luj@shihuilaw.com


Lu Jing specializes in data compliance and has extensive experience providing data compliance legal services to multinational enterprises. Lu Jing has advised a number of well-known multinationals, such as PepsiCo, Novartis, Pfizer, Gilead, Stryker, Thermo Fisher, Danaher and Hitachi Energy. Before joining Shihui, Lu Jing worked for more than 10 years at Sidley Austin LLP (美国盛德国际律师事务所).

The services Lu Jing provides to clients include building data compliance frameworks, assessing the effectiveness of compliance frameworks, conducting data compliance due diligence in M&A transactions, and advising on data compliance risks in business models. In particular, Lu Jing frequently helps multinational enterprises localize their global data compliance frameworks to the requirements of Chinese data protection law and implement them in China. Drawing on a deep understanding of the differences between the data protection laws of China, Europe and the United States, Lu Jing can effectively respond to the concerns of European and US data protection counsel regarding Chinese data protection law and help them understand its particular features.
Xia Yan (夏彦), Partner

xiay@shihuilaw.com


Xia Yan focuses on private equity and venture capital, mergers and acquisitions, capital markets, foreign direct investment, investment fund formation, corporate restructuring and reorganization, and equity incentives, with in-depth experience serving new-economy industries such as blockchain, intelligent manufacturing, AI, enterprise services and pharmaceuticals.


Xia Yan has been listed in the LEGALBAND China Top Lawyers ranking (private equity), the LEGALBAND China Rising Lawyers Top 30, the DAWKINS China Top Lawyers ranking (private equity) and the Guangdong Province Foreign-Related Pioneer Lawyer Talent Pool, and has been appointed as an external adjunct mentor by the China University of Political Science and Law.

Zeng Zheng (曾铮)
zengzh@shihuilaw.com

Zeng Zheng mainly practices in private equity and venture capital, mergers and acquisitions, structural reorganization and fund formation.

Zeng Zheng has provided legal services to a number of investment institutions on onshore RMB and offshore USD private equity and venture capital projects and fund formation projects, and to many domestic companies on red-chip restructuring, mergers and acquisitions and private equity financing projects.

The industries covered by Zeng Zheng's legal services include TMT, finance leasing, consumer goods, education, human resources, healthcare, artificial intelligence, intelligent manufacturing, new materials, logistics and food, among many others.