
Personal information and important data outbound security assessment of the "provided to the outsid

26.06.2017
It is worth revisiting Article 37 of the "Network Security Law": "where, due to business needs, it is truly necessary to provide [the data] overseas, a security assessment shall be conducted in accordance with the measures formulated by the national cyberspace administration in conjunction with the relevant departments of the State Council." But what exactly counts as "to provide outside" in fact covers a variety of situations. Consider the following five scenarios:
A. Provision to organizations, institutions and individuals located outside the territory
This is the most widely accepted interpretation, and it is also consistent with how legal documents interpret "outside". The "Personal Information and Important Data Outbound Security Assessment Measures (Draft for Comment)" published on 11 April likewise state that "data exit means that a network operator provides personal information and important data collected and generated in the course of operations within the territory of the People's Republic of China to institutions, organizations and individuals located outside the territory."
Here the line is drawn strictly by territory.
B. Embassies and consulates, aircraft, ships
The Vienna Convention on Diplomatic Relations of 18 April 1961 stipulates that foreign embassies, consulates and diplomatic personnel are not subject to our jurisdiction but to that of their own state.
Article 3, paragraph 1, of the Convention on Offenses and Certain Other Acts Committed in Aircraft (Tokyo, 14 September 1963) provides that: "The State of Registry of the aircraft shall have jurisdiction over the offenses and acts committed in that aircraft."
Article 6 (1) of the Convention on the Suppression of Unlawful Acts against the Safety of Maritime Navigation (Rome, 10 March 1988) provides that if an offense referred to in the Convention is committed against or on board a ship flying its flag, the flag State shall take the necessary measures to establish its criminal jurisdiction.
Therefore foreign embassies and consulates, aircraft and ships are not subject to our jurisdiction even when they are in our territory. On this view, data that moves from our territory to a foreign embassy or consulate in China, or to an aircraft or ship berthed in our territory, would be considered "to provide outside".
Some readers may hold that foreign embassies and consulates, aircraft and ships can be regarded as an extension of foreign territory and are therefore "located outside", so that, as in case a, the line between inside and outside is still drawn strictly by territory.
But I personally think that foreign embassies and consulates in China, as well as aircraft and ships, should be regarded as located in our territory; it is only that, under international agreements, if China wishes to hold them accountable it must do so through other channels rather than by directly exercising law enforcement power.
For this reason, I think case b draws the line by jurisdiction rather than by territory: "outside" then covers both places outside our territory and places in our territory that are not subject to our jurisdiction.
C. When foreign organizations and institutions located in the territory (not legally registered in China), or foreign individuals in China, collect, analyze and process information, is that "data exit" or not?
In this case the data does not leave the country, but is received by foreign organizations, institutions or individuals temporarily located in China [Note: they are not incorporated in the territory, hence "temporarily"].
An exaggerated example: foreign security personnel acquire a large amount of data in our country, do not transmit it to their home country, but use it in situ.
A less exaggerated example: a foreign parent company temporarily sends a data analyst to China to take part in a project, and the analyst does not bring any data back home.
Under either the territorial view (case a) or the jurisdictional view (case b), no data exit occurs in such a situation, and it does not appear to fall within the scope of the data outbound security assessment system.
But let's take a look at the United States. The US export control system has a very distinctive concept, the "deemed export". A deemed export covers a wide range of activities, including any act that enables foreigners to obtain sensitive technology, such as reading technical materials, oral communication, telephone and telex, and learning to master sensitive technology through guided operation. Under the US Export Administration Regulations, there are three main categories of deemed export: foreigners viewing US equipment or information; oral exchange of information in the United States or abroad; and foreigners applying personal knowledge gained in the United States or carrying out technical experiments.
The "Export Control Law of the People's Republic of China (Draft for Comment)", which is currently open for consultation, has likewise introduced a "deemed export" requirement.
Seen from the "deemed export" point of view, case c would also appear to count as "to provide outside".
The three cases above in essence put forward three theories of what "to provide outside" means. A decision is needed on which theory the data outbound security assessment system should adopt.
The next two cases, d and e, fit "to provide outside" in terms of the act itself, but on policy grounds should be exempted from counting as "to provide":
D. Lawfully disclosed information (including information already on the Internet)
Since the information has been lawfully made public, any unspecified organization or individual in the world can access it, so there can be said to be no subjective intent to provide it specifically abroad.
Of course, this case has a prerequisite: the disclosure must be lawful, as with formal news reports, government data and so on.
E. Personal information and important data collected and generated in domestic operations that leave the country without any change or processing are not treated as data exit
This is ordinary data transit and should not count as "to provide outside": first, there is no data provider; second, there is no subjective intent, since the data leaves the country only for routing reasons.

Internet development research center of Peking University, all rights reserved Beijing ICP for 191043088