
Xin Xiaotian, Shi Lei, Yang Yueqi: The New Data Export Rules Open a Duet of Enterprise Self-Governance and Regulatory Innovation: An Overview of Their Application and How Enterprises Should Prepare

Recently, the Measures for the Security Assessment of Outbound Data Transfer (hereinafter the "Assessment Methods"), the Security Certification Specification for Cross-border Processing of Personal Information (hereinafter the "Certification Standard") and the Provisions on the Standard Contract for Outbound Transfer of Personal Information (Draft for Comment) (hereinafter the "Standard Contract Provisions (Draft for Comment)") were issued one after another. With these, the principal data export channels corresponding to Article 38 of the Personal Information Protection Law (hereinafter the "Personal Information Protection Law") have all been opened up. With data export regulation now imminent, how should the relevant Chinese enterprises strengthen their internal capabilities to support cross-border data exchange and cooperation, and what challenges will the new rules face under international trade rules? Drawing on the key points of the existing regulations and on typical scenarios and questions, this article attempts a summary and outlook.


Brief introduction to the three new regulations


The Assessment Methods are a departmental regulation issued by the Cyberspace Administration of China. They refine the requirements for the export of both personal and non-personal data, require enterprises to accurately identify and classify their data assets, and bring the impact of data export on national security, the public interest, and individuals and organizations within the scope of assessment and supervision. Compared with the draft for comment published in October 2021, the structure is largely unchanged; the main additions are a procedure for data processors to object to assessment results and, as the first binding regulation to do so, a clear definition of important data.


The Certification Standard is a normative document issued and implemented by the Secretariat of the National Information Security Standardization Technical Committee on June 24, 2022, and belongs to the state-recommended voluntary certification scheme. Compared with the draft for comment of April 29, the main changes concern the objects being regulated, the applicable situations, and the addition of a "right of withdrawal".


The Standard Contract Provisions (Draft for Comment) were issued by the Cyberspace Administration of China on June 30, 2022. For enterprises that meet all of the specified conditions at the same time (not a critical information infrastructure operator, a cumulative volume of personal information processed below one million, and only a small volume of personal information processed in the recent period), they provide a data export route that is more autonomous and flexible than the two compliance routes above.


Scope of application


[Image 1.png: scope-of-application table, not reproduced in this extraction]


Necessity (consequences of violation)


Under the Data Security Law and the Personal Information Protection Law, an enterprise that fails to conduct a personal information protection impact assessment before exporting data, or whose data export does not satisfy the export requirements of security assessment, standard contract or certification, faces penalties of up to suspension of business for rectification and revocation of its business licence, together with fines of up to one million yuan and a ban on holding related positions for the directly responsible person in charge and other directly responsible personnel.


Under the Standard Contract Provisions (Draft for Comment), an enterprise that fails to complete the filing procedure or submits false filing materials, that fails to perform the responsibilities and obligations agreed in the standard contract and thereby infringes personal information rights and interests and causes harm, or in which circumstances arise that affect personal information rights and interests, will be ordered to stop its personal information export activities.


Applicable scenarios


In the existing rules, data export is mostly defined in terms of "providing data overseas". By reference to documents such as the Information Security Technology: Guidelines for Data Cross-Border Transfer Security Assessment (Draft for Comment) issued by the National Information Security Standardization Technical Committee in 2017, a situation common in enterprise practice, in which data is not transferred to storage outside China but is accessed and viewed by overseas institutions, organizations or individuals (public information and ordinary web access excepted), also constitutes data export. In addition, transit data (personal information and important data that was not collected or generated in domestic operations and passes through China and leaves without any alteration or processing) is, in current practical understanding and in the legislation of other countries and regions (for example Singapore and Hong Kong), not within the scope of data export regulation.


Enterprise self-governance and assessment priorities


China's data export regulation takes account of national security, the public interest, and the lawful rights and interests of individuals and organizations, regulating data export comprehensively from the macro to the micro level and seeking a balance between data protection and data utilization. For enterprises, this means that in practice continuous assessment, record-keeping and monitoring should be ensured before, during and after export activities.


[Image 2.png: not reproduced in this extraction]


[Image 3.png: not reproduced in this extraction]


English version:


Recently, the Measures for the Security Assessment of Outbound Data Transfer (hereinafter referred to as the "Assessment Methods"), the Security Certification Specification for Cross-border Processing of Personal Information (hereinafter referred to as the "Certification Standard") and the Provisions on the Standard Contract for Outbound Transfer of Personal Information (Draft for Comment) (hereinafter referred to as the "Standard Contract Provisions (Draft for Comment)") have been introduced. With these, the principal data exit channels corresponding to Article 38 of the Personal Information Protection Law of the People's Republic of China (hereinafter referred to as the "Personal Information Protection Law") have been opened up. In the face of data exit management, how should the relevant Chinese enterprises strengthen their internal capabilities to support data exchange and cooperation abroad, and what challenges will the new policy face under international trade rules? This article attempts a summary and outlook on the basis of the existing regulations and typical scenarios and issues.


Brief introduction of the three new regulations


The Assessment Methods, a departmental regulation issued by the Cyberspace Administration of China (hereinafter referred to as the CAC), detail the requirements for outbound personal data and non-personal data, requiring enterprises to accurately identify and classify their data assets and to bring the impact of outbound data on national security, public interests, individuals and organizations within the scope of assessment and supervision. Compared with the draft published in October 2021, the structure of the final regulation has not changed significantly; the main additions are a procedure for data processors to object to assessment results and, as the first regulation with binding effect to do so, a definition of important data.


The Certification Standard is a normative document issued and implemented by the Secretariat of the National Information Security Standardization Technical Committee on June 24, 2022, and belongs to the state-recommended voluntary certification scheme. Compared with the draft for comment of April 29, the main changes concern the regulated objects, the applicable situations, and the addition of a "right of withdrawal".


The Standard Contract Provisions (Draft for Comment), issued by the CAC on June 30, 2022, provide a more autonomous and flexible data exit route than the first two compliance routes for enterprises that meet all of the specified conditions (not a critical information infrastructure enterprise, a cumulative volume of personal information processed below one million, and only a small volume of personal information processed in the recent period).


Scope of application


[Image 4.png: scope-of-application table, not reproduced in this extraction]


Necessity (consequences of violation)


Under the Data Security Law and the Personal Information Protection Law, an enterprise that does not conduct a personal information protection impact assessment before data exit, or whose data exit does not meet the exit requirements such as security assessment, standard contract and certification, faces consequences of up to suspension of business for rectification and revocation of its business licence, together with a fine of up to one million yuan and a ban on holding related positions for the directly responsible supervisors and other directly responsible personnel.


Under the Standard Contract Provisions (Draft for Comment), those who fail to complete the filing procedure or submit false filing materials, those who fail to fulfil the responsibilities and obligations agreed in the standard contract and thereby infringe personal information rights and interests and cause damage, and those in whose case circumstances affecting personal information rights and interests arise will be ordered to stop personal information exit activities.


Applicable scenarios


With regard to data exit, the existing regulations mostly define it as "providing to overseas". Referring to other governmental guidance, such as the Information Security Technology: Guidelines for Data Cross-Border Transfer Security Assessment (Draft for Comment) issued by the Information Security Standards Committee in 2017, the situation common in enterprise practice in which data is not transferred to storage outside China but is accessed and viewed by overseas institutions, organizations or individuals (except for public information and ordinary web access) is also considered data exit. In addition, data in transit (personal information and important data not collected or generated in the course of operations in the country, passing through without any change or processing) is not regulated as data exit in existing Chinese practice, nor in the legislation of other countries and regions (such as Singapore and Hong Kong).


Enterprise autonomy and assessment focus


China's data exit regulation takes into account national security, the public interest and the legitimate rights and interests of individuals and organizations, and regulates data exit comprehensively from the macro to the micro level, pursuing a balance between data protection and utilization. For enterprises, this means that in practice continuous assessment, record-keeping and monitoring should be ensured before, during and after exit activities.

[Image 5.png: not reproduced in this extraction]


[Image 6.png: not reproduced in this extraction]


Intern Duan Jiabao also contributed to this article.




About the authors


Xin Xiaotian


Partner, Beijing DeHeHeng (Shenzhen) Law Firm


Xin Xiaotian is Director of the Digital Economy and Artificial Intelligence Business Center, a member of the Cyberspace Security Strategy and Law Committee, and an annual honorary mentor for entrepreneurship guidance at Tsinghua University.


Previously worked at Mayer Brown JSM, Morrison & Foerster, General Electric and Qihoo 360. Practice areas: data compliance, internet law and compliance risk control, investment, financing and M&A law, antitrust law, company law and labour law, and the law on foreign investment and the establishment of foreign-invested companies.


Mobile: 13911159437

Email: xinxiaotian@deheheng


Shi Lei


Partner, Beijing DeHeHeng Law Firm


Shi Lei is Secretary-General of the Digital Economy and Artificial Intelligence Business Center. Previously worked in the legal departments of Global Sources (NASQ:GSOL) and Qihoo 360, with more than ten years of in-house legal experience. Practice areas: equity incentives, corporate governance and internet product compliance risk control, with a focus on online games, live streaming, online education and publishing, big data and cybersecurity; NEEQ listing and corporate governance.


Mobile: 15810040811

Email: shilei@deheheng


Yang Yueqi


Practising lawyer, Beijing DeHeHeng Law Firm


Yang Yueqi graduated from China University of Political Science and Law with dual degrees in law and English. Has prepared a PbD (Privacy by Design) compliance research report for a large telecommunications company; conducted financial data compliance and personal information compliance health checks for a large provincial bank in southern China, issuing a risk assessment report and supporting management policies; conducted a compliance health check and issued legal documents for an international e-commerce platform; and drafted a privacy policy and service agreement for an international frozen-goods trading company.


Practice areas: data compliance, e-commerce compliance, personal information protection, investment and financing, GDPR, CCPA


Mobile: 15650793473

Email: yangyueqi@deheheng

