世辉观点 | 《数据出境安全评估办法》中英双语版
国家互联网信息办公室(“网信部门”)于2022年7月7日出台了《数据出境安全评估办法》(“《办法》”),自2022年9月1日起生效。《办法》旨在落地执行《网络安全法》、《数据安全法》和《个人信息保护法》中有关数据出境安全评估的法律要求。世辉律师事务所准备了《办法》的英文翻译,以供参考。
作者:世辉律师事务所 | 王新锐 | 卢璟 | 王嘉瑛
为了规范数据出境活动,保护个人信息权益,维护国家安全和社会公共利益,促进数据跨境安全、自由流动,根据《中华人民共和国网络安全法》、《中华人民共和国数据安全法》、《中华人民共和国个人信息保护法》等法律法规,制定本办法。
In order to regulate outbound data transfer, protect personal information rights and interests, safeguard national security and social and public interests, and promote the security and free flow of outbound data, the Measures for Security Assessment for Outbound Data Transfer (the “Measures”) are enacted in accordance with the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China and other laws and administrative regulations of the People’s Republic of China.
第二条 Article 2
数据处理者向境外提供在中华人民共和国境内运营中收集和产生的重要数据和个人信息的安全评估,适用本办法。法律、行政法规另有规定的,依照其规定。
The Measures apply to the security assessment of Important Data and personal information collected and generated during operation within the territory of the People’s Republic of China and transferred abroad by a data handler. Where laws and administrative regulations provide otherwise, such provisions shall prevail.
第三条 Article 3
数据出境安全评估坚持事前评估和持续监督相结合、风险自评估与安全评估相结合,防范数据出境安全风险,保障数据依法有序自由流动。
Security assessment for outbound data transfer shall adhere to the combination of a prior assessment and on-going supervision, as well as the combination of risk self-assessment and security assessment, so as to prevent security risks to outbound data transfer and ensure the orderly free-flow of data in accordance with the law.
第四条 Article 4
数据处理者向境外提供数据,有下列情形之一的,应当通过所在地省级网信部门向国家网信部门申报数据出境安全评估:
Where a data handler transfers data abroad under any of the following circumstances, it shall, through the local Cyberspace Administration at the provincial level, apply to the State Cyberspace Administration for security assessment for the outbound data transfer:
(二)关键信息基础设施运营者和处理100万人以上个人信息的数据处理者向境外提供个人信息;(2) a critical information infrastructure operator, or a data handler processing the personal information of more than 1 million individuals, who, in either case, transfers personal information abroad;
(三)自上年1月1日起累计向境外提供10万人个人信息或者1万人敏感个人信息的数据处理者向境外提供个人信息;
(3) a data handler who has, since January 1 of the previous year cumulatively transferred abroad the personal information of more than 100,000 individuals, or the sensitive personal information of more than 10,000 individuals, or
(四)国家网信部门规定的其他需要申报数据出境安全评估的情形。
(4) other circumstances where the security assessment for the outbound data transfer is required by the State Cyberspace Administration.
第五条 Article 5
数据处理者在申报数据出境安全评估前,应当开展数据出境风险自评估,重点评估以下事项:
Prior to applying for the security assessment for the outbound data transfer, a data handler shall, in advance, conduct a self-assessment on the risks of the outbound data transfer, and the self-assessment shall focus on the following matters:
(一)数据出境和境外接收方处理数据的目的、范围、方式等的合法性、正当性、必要性;
(1) the legality, legitimacy and necessity of the purpose, scope and methods of the outbound data transfer, and the processing of the data by the foreign recipient;
(二)出境数据的规模、范围、种类、敏感程度,数据出境可能对国家安全、公共利益、个人或者组织合法权益带来的风险;
(2) the scale, scope, type and sensitivity of the outbound data transfer, and the risks to national security, the public interest or to the legitimate rights and interests of individuals or organizations, caused by the outbound data transfer;
(三)境外接收方承诺承担的责任义务,以及履行责任义务的管理和技术措施、能力等能否保障出境数据的安全;
(3) the duties and obligations which the foreign recipient commits to perform, and whether the foreign recipient’s organizational and technical measures and capabilities in terms of performing the duties and obligations can guarantee the security of the outbound data transfer;
(四)数据出境中和出境后遭到篡改、破坏、泄露、丢失、转移或者被非法获取、非法利用等的风险,个人信息权益维护的渠道是否通畅等;
(4) the risks of the data being tampered with, destroyed, divulged, lost, transferred, illegally obtained or illegally used during and after the outbound data transfer, and whether there is a smooth channel for safeguarding personal information rights and interests;
(五)与境外接收方拟订立的数据出境相关合同或者其他具有法律效力的文件等(以下统称法律文件)是否充分约定了数据安全保护责任义务;
(5) whether the responsibilities and obligations for data security protection are fully agreed in relevant contracts for the outbound data transfer, or other legally binding documents to be concluded with the foreign recipient (hereinafter collectively referred to as the “Legal Documents”); and
(六)其他可能影响数据出境安全的事项。
(6) other matters that may affect the security of the outbound data transfer.
申报数据出境安全评估,应当提交以下材料:
To apply for security assessment for the outbound data transfer, the following materials shall be submitted:
(一)申报书;
(1) an application letter;
(二)数据出境风险自评估报告;
(2) a self- assessment report on the risks of the outbound data transfer;
(三)数据处理者与境外接收方拟订立的法律文件;
(3) the Legal Documents to be concluded between the data handler and the foreign recipient; and
(四)安全评估工作需要的其他材料。
(4) other materials necessary for security assessment.
省级网信部门应当自收到申报材料之日起5个工作日内完成完备性查验。申报材料齐全的,将申报材料报送国家网信部门;申报材料不齐全的,应当退回数据处理者并一次性告知需要补充的材料。
The Cyberspace Administration at the provincial level shall conduct a completeness check of application materials within 5 working days upon receipt thereof. Where the application materials are complete, they shall be submitted to the State Cyberspace Administration; where the application materials are incomplete, they shall be returned to the data handler and the data handler shall be informed (on a one-time basis) of all supplementary materials still required.
国家网信部门应当自收到申报材料之日起7个工作日内,确定是否受理并书面通知数据处理者。
The State Cyberspace Administration shall, within 7 working days after receipt of the application materials, determine whether to accept the application and will inform the data handler of the same in writing.
数据出境安全评估重点评估数据出境活动可能对国家安全、公共利益、个人或者组织合法权益带来的风险,主要包括以下事项:
The security assessment for outbound data transfer shall focus on the evaluation of the possible risks to national security, public interests, or the legitimate rights and interests of individuals or organizations arising from the activity of outbound data transfer, including the following major points:
(一)数据出境的目的、范围、方式等的合法性、正当性、必要性;
(1) the legality, legitimacy and necessity of the purpose, scope and method of the outbound data transfer;
(二)境外接收方所在国家或者地区的数据安全保护政策法规和网络安全环境对出境数据安全的影响;境外接收方的数据保护水平是否达到中华人民共和国法律、行政法规的规定和强制性国家标准的要求;
(2) the impact of the data security protection policies and regulations as well as network security environment of the country or region where the foreign recipient is located, and the effect thereof on the security of the data to be transferred abroad; whether the data protection level of the foreign recipient meets the requirements under the laws, regulations and mandatory national standards of the People’s Republic of China;
(三)出境数据的规模、范围、种类、敏感程度,出境中和出境后遭到篡改、破坏、泄露、丢失、转移或者被非法获取、非法利用等的风险;
(3) the scale, scope, types and sensitivity of the data to be transferred abroad, and risks that the data may be tampered with, destroyed, leaked, lost, transferred, illegally obtained or illegally used before or after the outbound data transfer;
(四)数据安全和个人信息权益是否能够得到充分有效保障;
(4) whether data security and personal information rights and interests can be fully and effectively guaranteed;
(五)数据处理者与境外接收方拟订立的法律文件中是否充分约定了数据安全保护责任义务;
(5) whether the responsibilities and obligations for data security protection are fully agreed in the Legal Documents to be concluded by the data handler and the foreign recipient;
(六)遵守中国法律、行政法规、部门规章情况;
(6) compliance with the laws, regulations and agency rules of the People’s Republic of China; and
(七)国家网信部门认为需要评估的其他事项。
(7) other matters that the State Cyberspace Administration considers necessary to assess.
数据处理者应当在与境外接收方订立的法律文件中明确约定数据安全保护责任义务,至少包括以下内容:
A data handler shall expressly agree on the responsibilities and obligations for data security protection in the Legal Documents concluded with the foreign recipient, which shall, at least, include the following matters:
(一)数据出境的目的、方式和数据范围,境外接收方处理数据的用途、方式等;
(1) the purpose, method and scope of the data to be transferred abroad, and the purpose and method for processing the data by the foreign recipient;
(二)数据在境外保存地点、期限,以及达到保存期限、完成约定目的或者法律文件终止后出境数据的处理措施;
(2) the location and duration for the storage of the data located abroad, as well as how to process the data located abroad upon the expiry of the storage period, achievement of the agreed purpose, or termination of the Legal Documents;
(三)对于境外接收方将出境数据再转移给其他组织、个人的约束性要求;
(3) restrictions on the foreign recipient’s re-transfer of the data located abroad to another organization or individual;
(四)境外接收方在实际控制权或者经营范围发生实质性变化,或者所在国家、地区数据安全保护政策法规和网络安全环境发生变化以及发生其他不可抗力情形导致难以保障数据安全时,应当采取的安全措施;
(4) security measures which should be taken in case of a material change to the actual control or business scope of the foreign recipient, or in case of a change to the data security protection policies or regulations, or network security environment of the country or region where the foreign recipient is located, or in case that the data security cannot be guaranteed as a result of any other force majeure event;
(五)违反法律文件约定的数据安全保护义务的补救措施、违约责任和争议解决方式;
(5) remedial measures, liability for breach of contract and dispute resolution mechanism in the event of a violation of data security protection obligations as agreed in the Legal Documents; and
(六)出境数据遭到篡改、破坏、泄露、丢失、转移或者被非法获取、非法利用等风险时,妥善开展应急处置的要求和保障个人维护其个人信息权益的途径和方式。
(6) requirements on properly responding to a data security incident, as well as channels and method to safeguard individuals’ personal information rights, when the data located abroad is tampered with, destroyed, leaked, lost, transferred, illegally obtained or illegally used.
国家网信部门受理申报后,根据申报情况组织国务院有关部门、省级网信部门、专门机构等进行安全评估。
After accepting an application, the State Cyberspace Administration shall organize relevant departments of the State Council, Cyberspace Administrations at the provincial level and specialized agencies to conduct a security assessment based upon application materials submitted by a data handler.
安全评估过程中,发现数据处理者提交的申报材料不符合要求的,国家网信部门可以要求其补充或者更正。数据处理者无正当理由不补充或者更正的,国家网信部门可以终止安全评估。
Where the application materials submitted by a data handler are found to be non-compliant during the security assessment process, the State Cyberspace Administration may require the data handler to supplement or correct the non-compliant materials. If the data handler fails to supplement or correct the materials without justified reasons, the State Cyberspace Administration may terminate the security assessment.
数据处理者对所提交材料的真实性负责,故意提交虚假材料的,按照评估不通过处理,并依法追究相应法律责任。
A data handler shall be responsible for the authenticity of the materials submitted. If a data handler purposely submits false materials, it shall be deemed as a failure of the assessment, and the data handler shall be held liable according to the Regulations.
国家网信部门应当自向数据处理者发出书面受理通知书之日起45个工作日内完成数据出境安全评估;情况复杂或者需要补充、更正材料的,可以适当延长并告知数据处理者预计延长的时间。
The State Cyberspace Administration shall, within 45 working days from the date of issuing a written notice of acceptance to the data handler, complete the security assessment for the outbound data transfer; if the situation is complicated or supplementary or corrected materials are needed, the assessment may be extended, and the data handler shall be notified of the expected extension period.
评估结果应当书面通知数据处理者。
The data handler shall be informed of the assessment results in writing.
数据处理者对评估结果有异议的,可以在收到评估结果15个工作日内向国家网信部门申请复评,复评结果为最终结论。
Where a data handler disagrees with the assessment results, it may, within 15 working days after receipt of the assessment results, apply to the State Cyberspace Administration for re-assessment, and the re-assessment results shall be final.
通过数据出境安全评估的结果有效期为2年,自评估结果出具之日起计算。在有效期内出现以下情形之一的,数据处理者应当重新申报评估:
The results of the security assessment for the outbound data transfer are valid for 2 years, commencing from the date of issuance of the assessment results. A data handler shall re-apply for assessment if any of the following circumstances occurs during the period of validity:
(一)向境外提供数据的目的、方式、范围、种类和境外接收方处理数据的用途、方式发生变化影响出境数据安全的,或者延长个人信息和重要数据境外保存期限的;
(1) the purpose, method, scope and type of data to be transferred abroad, or the purpose and method of data processing by a foreign recipient have changed, affecting the security of the data to be transferred abroad, or extending the period of storage of personal information and Important Data located abroad;
(二)境外接收方所在国家或者地区数据安全保护政策法规和网络安全环境发生变化以及发生其他不可抗力情形、数据处理者或者境外接收方实际控制权发生变化、数据处理者与境外接收方法律文件变更等影响出境数据安全的;
(2) the security of the data to be transferred abroad is affected due to changes in the data security protection policies or regulations, or the network security environment of the country or region where the foreign recipient is located, or any other force majeure event has occurred, or a change to the actual control of the data handler or the foreign recipient has occurred, or any Legal Document between the data handler and the foreign recipient has been amended or ceased to be valid, etc.; and
(三)出现影响出境数据安全的其他情形。
(3) any other circumstance affecting the security of the data to be transferred abroad.
有效期届满,需要继续开展数据出境活动的,数据处理者应当在有效期届满60个工作日前重新申报评估。
If it is necessary to continue the outbound data transfer after the expiration of the valid period, the data handler shall re-apply for assessment 60 working days before the expiration of the valid period.
参与安全评估工作的相关机构和人员对在履行职责中知悉的国家秘密、个人隐私、个人信息、商业秘密、保密商务信息等数据应当依法予以保密,不得泄露或者非法向他人提供、非法使用。
The relevant institutions and personnel participating in security assessment work shall keep information confidential in accordance with the law, including matters such as state secrets, personal privacy, personal information, trade secrets, confidential business information and other data they come to know in fulfilling their duties, and shall not divulge or illegally provide the same to others, or illegally use such data.
任何组织和个人发现数据处理者违反本办法向境外提供数据的,可以向省级以上网信部门举报。
Any organization or individual may report the case to the Cyberspace Administration at the provincial level or above if it finds that a data handler engaged in outbound data transfer in violation of the Measures.
国家网信部门发现已经通过评估的数据出境活动在实际处理过程中不再符合数据出境安全管理要求的,应当书面通知数据处理者终止数据出境活动。数据处理者需要继续开展数据出境活动的,应当按照要求整改,整改完成后重新申报评估。
As for an outbound data transfer that has passed the security assessment, if the State Cyberspace Administration finds out that the actual data processing activities no longer meet the security management requirements in terms of the outbound data transfer, the State Cyberspace Administration shall notify the data handler in writing to terminate the outbound data transfer. If the data handler needs to continue the outbound data transfer, it shall make rectification as required, and re-apply for assessment after completing the rectification.
违反本办法规定的,依据《中华人民共和国网络安全法》、《中华人民共和国数据安全法》、《中华人民共和国个人信息保护法》等法律法规处理;构成犯罪的,依法追究刑事责任。
Any violation of the Measures shall be punished in accordance with the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China, and other laws and regulations; if any act is held to constitute a criminal act, criminal liabilities shall be investigated in accordance with the laws and regulations of the People’s Republic of China.
本办法所称重要数据,是指一旦遭到篡改、破坏、泄露或者非法获取、非法利用等,可能危害国家安全、经济运行、社会稳定、公共健康和安全等的数据。
For the purpose of the Measures, the term “Important Data” refers to the data that, once tampered with, destroyed, leaked or illegally obtained or used, may endanger national security, economic operation, social stability, public health and security, etc.
本办法自2022年9月1日起施行。本办法施行前已经开展的数据出境活动,不符合本办法规定的,应当自本办法施行之日起6个月内完成整改。
The Measures shall come into force on September 1, 2022. For the data transferred abroad prior to the effectiveness of the Measures, if it is found that such transfer is not in compliance with the Measures, rectification shall be completed within 6 months upon the effective date of the Measures.
We hope the above is helpful. Feel free to contact us if you have any questions. Thanks.
希望以上内容对您有所帮助。如果您有任何问题,请随时与我们联系。谢谢。
版权与免责
本文章仅供业内人士参考,不应被视为任何意义上的法律意见。未经世辉律师事务所书面同意,本文章不得被用于其他目的。如需转载,请注明来源。如您对本文章的内容有任何疑问,可联系世辉律师事务所。
wangxr@shihuilaw.com
luj@shihuilaw.com
wangjy@shihuilaw.com
王嘉瑛律师为世辉律师事务所常驻上海的合伙人,其执业范围专注于兼并与收购、私募股权投融资、外商直接投资、网络安全和数据合规。
在数据合规领域,王律师擅长处理企业投融资、并购、上市过程中涉及的各类网络安全和数据合规问题。王律师长期为多家跨国公司提供网络安全合规法律服务,协助跨国公司进行数据安全合规自查和评估、建立数据安全合规制度代表企业应对监管机构核查和处理安全危机事件。
世辉观点 | 《个人信息出境标准合同规定(征求意见稿)》要点解读 世辉观点 | 企业境外上市过程面临的数据合规问题和相关风险 2021版 世辉观点 | 如何基于个人信息保护法的要求去修改临床试验协议,包括知情同意书等(上)—— 临床试验协议的修改 世辉观点 | 如何基于个人信息保护法的要求去修改临床试验协议,包括知情同意书等(下)—— 临床试验协议的修改 世辉观点 | HCP的个人信息保护 世辉观点 | 人遗资源条例细则问答 世辉观点 | 脱敏临床试验数据的《个人信息保护法》合规 PIPL Compliance of Coded Clinical Trial Data Shihui Articles | What does the PIPL mean for an HR manager? How should a company conduct compliance investigation under PIPL?