Protection of Children's Personal Information in Chinese Enterprises' Overseas Investment (Views of DPO Community Members)
Editor's note:
Alongside its coverage of DPO salons and related community activities, this account also publishes articles by DPO community members. The author of this piece is Wang Yuan, a lawyer in the Beijing office of Shanghai Yuanda Law Firm (上海元达律师事务所). This article is not legal advice and represents the author's personal views only.
Main text:
China's national policy of encouraging outbound investment dates from the late 20th and early 21st century, roughly 20 years ago. In 2017, China's outward direct investment reached USD 158.29 billion[i], and in 2019 the inward foreign investment actually used in China was USD 138.3 billion[ii]. China is the largest outbound investor and the largest recipient of foreign investment among developing countries; worldwide, its outbound investment is second only to that of the United States and Japan, and its inbound investment is second only to that of the United States[iii].
In 2017, China tightened its review of the authenticity and compliance of enterprises' outbound direct investment. In 2018 it successively issued the Compliance Management Systems – Guidelines (GB/T 35770-2017), the Guidelines for Compliance Management of Central Enterprises (for Trial Implementation) and the Guidelines for Compliance Management of Enterprises' Overseas Operations, which is why 2018 is also called China's "first year of compliance".
On the Chinese side, supervision of overseas investment will mainly follow the "double random, one public"[iv] approach: simplified prior approval and strengthened supervision during operation. On the international side, trade policy has increased the uncertainty facing Chinese enterprises that invest and operate in the United States, and the European Union is preparing special screening of foreign investment in key technology fields[v]. Both developments make it particularly important, and particularly sensitive, for a company's overseas entities to operate in a way that complies with local law.
On February 27, 2019, after proceedings in the United States District Court for the Central District of California[vi], the US operating entity of a Chinese social media platform settled with the Federal Trade Commission (FTC), agreeing to pay a USD 5.7 million civil penalty for unlawfully collecting children's information. It is the largest penalty in a children's privacy case in US history. The FTC's claim rested on the Children's Online Privacy Protection Act (COPPA), which illustrates both the US legal tradition of special protection for particular groups and its sector-by-sector, category-by-category approach to protecting personal information. Enterprises investing in the US and the EU should pay particular attention to the following aspects of children's information protection:
1. Which apps and websites fall under COPPA. COPPA's purpose is to protect children's personal information and privacy. An app or website operating in the US that is not directed to children, and so does not specifically collect children's information, is outside COPPA. Whether an app or website is directed to children is a fact-specific question; in this case the court considered factors such as the subject matter, the video content, the music and other audio content, the presence of child celebrities or celebrities who appeal to children, and the audience. In addition, under COPPA as enacted in 1998 the operator or online service provider had to operate for commercial purposes for the Act to apply; the 2012 amendments widened the scope so that COPPA also applies where the operator allows a third party to collect child visitors' personal information for commercial purposes (advertising links, offering goods or services). In other words, commercial operation remains a prerequisite, but an operator that does not itself operate commercially and yet gives third parties a channel to collect children's personal information for commercial purposes is still subject to COPPA.[vii]
2. Who counts as a child. Under COPPA a child is a person under 13. Under the EU's General Data Protection Regulation (GDPR) the threshold is 16, and member states may set a lower age, but not below 13. China's draft Regulations on the Online Protection of Minors (submitted for review) do not set a separate age for online protection but follow the Law on the Protection of Minors, under which everyone under 18 is a minor. The Personal Information Protection Law was added to the National People's Congress legislative plan after the 2019 "two sessions" (the NPC and the Chinese People's Political Consultative Conference), so a separate age threshold for children's information protection in China is not out of the question. Meanwhile, China's draft Information Security Technology – Personal Information Security Specification sets 14 as the age below which a parent's consent must be obtained before collecting a minor's information. When applying the law of the destination country, therefore, examine each country's rules carefully, including whether the law fixes a "hard" numerical age for who counts as a child or sets a "soft" standard that refers to age and maturity.
3. Why protecting children's information matters. The United States enacted COPPA in 1998, with the most recent revision in 2018, strengthening the protection of children's information in every respect. It also has the Family Educational Rights and Privacy Act of 1974, the Child Online Protection Act (COPA), the Children's Internet Protection Act (CIPA) and the Student Data Privacy and Parental Rights Act (SDPPRA). COPPA[viii] treats the protection of children's information as essential: operators must "establish and maintain reasonable procedures" to protect the confidentiality, security and integrity of children's personal information, and may retain it only for as long as "reasonably necessary".
The GDPR addresses the protection of children in roughly ten places. It says children merit specific protection, for example in profiling and data collection (Recital 38); it requires supervisory authorities to give specific attention to public-awareness activities addressed to children (Article 57(1)(b)); and it says that automated decision-making should not concern a child (Recital 71). Much of this is unclear: what counts as an "activity addressed specifically to children", and how is it distinguished from an activity addressed to children and adults alike? The overseas operating entity of a Chinese enterprise must first determine whether the GDPR applies together with the law of one or even several specific EU member states, and then analyze the question under that local law as well.
4. Parental consent. The EU, the US and China have all essentially adopted "notice and consent" as the principle for collecting personal information, and collecting children's information requires the consent of a parent. How that consent is to be given is a particularly complex question. Article 8(2) of the GDPR and COPPA's definition (9) both, in almost the same words, require the business to make "reasonable efforts" to obtain and verify parental consent. What is a reasonable effort? What counts as consent? Answering these questions requires reading the official guidance, judging on the facts and on experience, designing reasonable online or offline mechanisms to verify a child's age, obtaining parental consent in a reasonably convenient way, and drafting a children's privacy policy statement, among other things. All of this has to be designed as a whole and addressed specifically, on the basis of a precise analysis of local law and case law and a thorough understanding of the business model, the product and the technical architecture. In this case, many parents said they had not known their children had registered; accounts could not be deleted directly and required a separate email request; and after an account was closed, some of the child's information was not deleted from the servers. Each of these counted as a violation.
5. Which information counts. In the US, a child's personal information covers seven categories: first and last name; home or other physical address, including street name and city or town; e-mail address; telephone number; Social Security number; any other identifier that the FTC determines permits the physical or online contacting of a specific individual; and information concerning the child or the child's parents that the website collects online from the child and combines with any of the foregoing identifiers. The clumsy wording of the last two categories faithfully reflects the convoluted original text[ix]. The point is that COPPA defines children's personal information so broadly that it covers almost any information relating to a child, which leaves enforcement uncertain; whether designing a product for compliance or responding to an incident, the case law has to be worked through in detail. The 2012 amendments added geolocation information, photographs, and video and audio files containing a child's image or voice.
6. Notice and protective measures. Recital 58 of the GDPR restates and stresses that information addressed to children online should be so clear and plain that a child can understand it, for example by using icons and pictures; this is the GDPR's explicit "transparency" requirement. COPPA does not use the word transparency, but it likewise requires reasonable efforts to give notice of the collection, use and disclosure of information when collecting children's information, and a reasonable effort naturally implies notice that is simple, understandable and easy to act on. In this case the court found that children's information was not adequately protected: the notices were insufficient, it could not be confirmed that the notice had reached the parent rather than the child, and information was retained longer than necessary.
7. Enforcement. COPPA also exemplifies the US tradition of principle-based statutes and judge-made law. For example, the prohibition on unlawfully collecting children's information reaches an operator of a general-audience service only if it has "actual knowledge" that it is collecting personal information from a child, while collection "in good faith" under "reasonable procedures" is not a violation. Such open-textured standards are a major challenge for Chinese enterprises: how to comply, and how to mount an effective defense when accused of a violation? It takes an understanding of the culture and an insight into how things are done.
COPPA's own provisions are mostly principles; the amendments over the years have added detail and stricter requirements (for example, targeted advertising may be served to children only with parental consent[x]). COPPA also recognizes "safe harbor" programs: an operator may choose to follow an approved industry code (such as TRUSTe's, an approach somewhat similar to China's use of the draft Information Security Technology – Personal Information Security Specification to protect personal information), whose requirements for operators are more concrete, and compliance with such a self-regulatory code is deemed compliance with COPPA. Chinese enterprises investing in the US should therefore pay particular attention to these industry codes.
Moreover, in this case the court found both the US entity and the Cayman Islands entity in violation, so COPPA's "long arm" reached the Cayman entity, on the ground that it had "purposefully directed its advertising, marketing and distribution to US consumers". A Chinese domestic company that has no US-registered entity but actually operates in the US must therefore also take care to comply with COPPA.
In summary, when a Chinese enterprise's investment in the US or Europe involves collecting personal information, it should, beyond complying with the general local personal information and privacy laws, pay special attention to the rules for particular groups. For children, that means determining whether the app or website it operates collects, or lets others collect, children's information; the age of a child in each jurisdiction; the categories of information relating to children; how to obtain parental consent and how consent is validly given; and the other prohibitions and restrictions.
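The three practical points above (point 2, the age at which parental consent is required; point 4, consent before collection; point 6, direct deletion and bounded retention, the controls the settled case turned on) can be made concrete in code. The following is an added example written for this page, not code from the article, the FTC or any platform. The age thresholds are the ones the article quotes (13 under COPPA, 16 under the GDPR with a member-state floor of 13, 14 under China's draft specification); the field names, the consent-method label, the one-year retention limit and the sample accounts are assumptions constructed for illustration.

```python
"""Added example: consent gate, direct deletion and retention sweep for
children's personal information. Illustrative only; thresholds are those
quoted in the article, everything else is an assumption."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Ages below which a parent's consent is required, as stated in the article.
COPPA_CHILD_AGE = 13           # US: COPPA, under 13
GDPR_DEFAULT_AGE = 16          # EU: GDPR Art. 8, under 16 unless a member state lowers it
GDPR_MEMBER_STATE_FLOOR = 13   # member states may lower the age, but not below 13
CN_SPEC_AGE = 14               # China: draft Personal Information Security Specification

# Identifiers the article lists as children's personal information (COPPA
# definition (8) plus the 2012 additions). Assumed column names; these are
# the fields that must be gone after an account is closed.
CHILD_PII_FIELDS = ("full_name", "address", "email", "phone", "ssn",
                    "geolocation", "photo_ref", "video_ref", "audio_ref")

# Assumed retention limit; what is "reasonably necessary" is a judgement the
# article says must be made per business model and jurisdiction.
DEFAULT_RETENTION = timedelta(days=365)


def consent_age(jurisdiction: str, member_state_age: Optional[int] = None) -> int:
    """Age below which a parent's consent is required before collecting data."""
    if jurisdiction == "US":
        return COPPA_CHILD_AGE
    if jurisdiction == "CN":
        return CN_SPEC_AGE
    if jurisdiction == "EU":
        if member_state_age is None:
            return GDPR_DEFAULT_AGE
        if not GDPR_MEMBER_STATE_FLOOR <= member_state_age <= GDPR_DEFAULT_AGE:
            raise ValueError("member-state age must lie between 13 and 16")
        return member_state_age
    raise ValueError(f"unsupported jurisdiction: {jurisdiction!r}")


@dataclass
class ParentalConsent:
    method: str            # how the parent was verified (assumed label, e.g. "signed_form")
    given_at: datetime     # must precede collection, or the consent is worthless
    parent_verified: bool  # the operator's "reasonable effort" actually succeeded


@dataclass
class Account:
    user_id: str
    jurisdiction: str
    age: int
    created_at: datetime
    pii: Dict[str, str] = field(default_factory=dict)
    consent: Optional[ParentalConsent] = None
    closed: bool = False
    member_state_age: Optional[int] = None   # EU derogation, if any

    def is_child(self) -> bool:
        return self.age < consent_age(self.jurisdiction, self.member_state_age)


class ChildDataStore:
    """Enforces consent before collection, direct deletion, and bounded retention."""

    def __init__(self, retention: timedelta = DEFAULT_RETENTION):
        self.retention = retention
        self.accounts: Dict[str, Account] = {}

    def register(self, acct: Account) -> bool:
        """Store the account; refuse a child's PII without prior verified consent."""
        if acct.is_child():
            c = acct.consent
            if c is None or not c.parent_verified or c.given_at > acct.created_at:
                return False
        self.accounts[acct.user_id] = acct
        return True

    def close_account(self, user_id: str) -> bool:
        """Direct deletion: purge every PII field, keep only a PII-free tombstone."""
        acct = self.accounts.get(user_id)
        if acct is None:
            return False
        acct.pii.clear()
        acct.consent = None
        acct.closed = True
        return True

    def retention_sweep(self, now: datetime) -> List[str]:
        """Purge open child accounts held beyond the retention limit; return their ids."""
        purged = []
        for uid, acct in self.accounts.items():
            if acct.is_child() and not acct.closed and now - acct.created_at > self.retention:
                self.close_account(uid)
                purged.append(uid)
        return purged

    def residual_pii(self, user_id: str) -> Dict[str, str]:
        """Audit check: PII still stored for an account (empty after closure)."""
        return {k: v for k, v in self.accounts[user_id].pii.items() if k in CHILD_PII_FIELDS}


def demo() -> dict:
    """Constructed sample run covering the failure modes listed in the article."""
    t0 = datetime(2019, 1, 1, tzinfo=timezone.utc)
    store = ChildDataStore()
    consent = ParentalConsent("signed_form", t0 - timedelta(days=1), True)
    child_ok = Account("c1", "US", 11, t0, {"full_name": "A. Child", "email": "a@example.com"}, consent)
    child_no = Account("c2", "US", 12, t0, {"email": "b@example.com"})  # parent never asked
    teen_eu = Account("t1", "EU", 15, t0, {"email": "t@example.com"}, member_state_age=13)
    out = {"child_ok": store.register(child_ok),
           "child_no_consent": store.register(child_no),
           "eu_teen_no_consent_needed": store.register(teen_eu)}
    store.close_account("c1")                      # no email request needed
    out["residual_after_close"] = store.residual_pii("c1")
    store.register(Account("c3", "CN", 13, t0, {"phone": "000"}, ParentalConsent("signed_form", t0, True)))
    out["swept"] = store.retention_sweep(t0 + timedelta(days=400))
    return out
```

The constructed run refuses the US 12-year-old whose parent was never asked, accepts the EU 15-year-old because the assumed member state lowered the age to 13, leaves no identifiers behind once "c1" is closed, and the sweep purges the Chinese 13-year-old's open account after the assumed one-year limit. The real decisions the article flags (which verification method counts as a reasonable effort, what retention period is reasonably necessary) stay outside the code as parameters.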
[i] Ministry of Commerce, Report on the Development of China's Outward Investment (《商务部对外投资发展报告》)
[ii] 2019 State Council Government Work Report (《2019年国务院政府工作报告》)
[iii] World Investment Report 2018 (《世界投资报告2018》)
[iv] Enforcement inspectors are randomly assigned to randomly selected enterprises for spot checks, and the results are made public.
[v]https://www.ftc.gov/system/files/2012-31341.pdf or https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/childrens-online-privacy-protection-rule
[vi] United States District Court, Central District of California, Case No. 2:19-cv-1439
[vii]https://www.ftc.gov/system/files/2012-31341.pdf or https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/childrens-online-privacy-protection-rule
[viii] COPPA, 15 U.S.C.A. § 6502(b)(1)(D)
[ix] Definition (8)(G): "information concerning the child or the parents of that child that the website collects online from the child and combines with an identifier described in this paragraph."
[x] Tianna Gadbaw, Legislative Update: Children's Online Privacy Protection Act of 1998, 36 Child. Legal Rts. J. 228 (2016)