Personal Information and Important Data Outbound Security Assessment: the Question of "Domestic Operations"

21.06.2017

The Cybersecurity Law has entered into force, which means that the Article 37 requirement that operators of critical information infrastructure store data within the territory is now in effect. Although the Personal Information and Important Data Outbound Security Assessment Measures have not yet been officially released, it is already certain that a data outbound security assessment system will exist.

To implement the Cybersecurity Law and the Personal Information and Important Data Outbound Security Assessment Measures, a number of questions that look clear but are in fact vague need to be clarified. This article discusses one of them, "domestic operations" (operating within the territory), and invites comments.

Article 37 of the Cybersecurity Law states: "Personal information and important data collected and generated by operators of critical information infrastructure during operations within the territory of the People's Republic of China shall be stored within the territory."

The Personal Information and Important Data Outbound Security Assessment Measures (Draft) likewise provide: "Personal information and important data that network operators collect and generate during operations within the territory of the People's Republic of China ... where they need to be provided abroad, a security assessment shall be carried out in accordance with these Measures."

But what exactly counts as operating within the territory? In practice it is quite vague. For example:

A. A Chinese citizen logs in from a computer in China to a car rental website in the United States, registers an account and books a rental car. The US car rental website has no legal registration in China; its personnel, servers and so on are all in the United States. Is this network operator operating within the territory of the People's Republic of China?

Comment: If this case is held to be operating within the territory, then almost every publicly accessible website in the world would fall under the jurisdiction of China's data outbound security assessment. That is obviously unreasonable. But regardless, two questions remain:

First, the website does after all collect personal information about our citizens. Extending the example: suppose more than 500,000 Chinese citizens, or even more, have registered on such a network operator. In the spirit of the Personal Information and Important Data Outbound Security Assessment Measures (Draft), the personal information of 500,000 Chinese citizens amounts to "important data"; should our data outbound security assessment not pay attention to it? If 50 million is not enough, then what about 100 million, or 10 million? Or is it that this situation is not governed by the data outbound security assessment at all, and should instead be covered by other regulations?

Second, if it is not covered, there will be no shortage of Chinese network operators who see this loophole and decide to set up an offshore company, moving staff, servers and so on abroad, so that they no longer have to do a data outbound security assessment. That is also unfair to the companies that do go to the trouble of carrying out data outbound security assessments, because their foreign counterparts can continue the same business without that obligation, and the two are not competing on a level playing field.

B. Suppose the US car rental website sets up a dedicated Chinese-language interface and supports settlement in RMB, but still has no legal registration in China, with its personnel, servers and so on in the United States. Is this network operator operating within the territory of the People's Republic of China?

Comment: Under the provisions of the EU General Data Protection Regulation, this situation would be subject to the GDPR. If we follow the EU practice and treat this car rental site as operating within the territory, that seems to mitigate the level-playing-field problem raised in the previous example.

But another question arises immediately: who should initiate the assessment? The car rental website will say that the individual, on their own initiative, logged in to a server in the United States and registered an account, so this should be regarded as the individual providing personal information abroad on their own initiative. And since the Cybersecurity Law and the Personal Information and Important Data Outbound Security Assessment Measures provide that it is "network operators" who must carry out an assessment when providing data abroad, an individual is not a network operator and therefore need not assess.

But not assessing it feels intuitively wrong, and for the same reason as before: suppose such an entity has also collected the personal information of more than 500,000 Chinese citizens. In the spirit of the Personal Information and Important Data Outbound Security Assessment Measures (Draft), the personal information of 500,000 Chinese citizens amounts to "important data"; should our data outbound security assessment not pay attention to it?

C. A business, attracted by China's relatively low labour costs, sets up a customer service centre in China, but the centre serves only US customers. Is this call centre operating within the territory of the People's Republic of China?

In this example, taken literally, the customer service centre is operating in China. But the personal information it handles belongs entirely to American customers, and no other additional information is provided in the process. In effect, the US customers' information is stored in China; its analysis, mining, use and other processing take place in China; and the derivative information generated in the process is also in China. On paper this fully matches "personal information collected and generated during operations within the territory of the People's Republic of China", so is this situation subject to the data outbound security assessment requirements? If so, many foreign companies will probably not choose China for such a customer service centre, let alone for a data centre serving only foreign customers. Moreover, does assessing the data of these foreigners really conform to the legislative and regulatory spirit of the data outbound security assessment?

These three examples suggest that "domestic operations" should be interpreted according to the context of the scenario, rather than strictly by geographic territory.

This is only one small problem in accurately establishing a data outbound security assessment system; there are many more ...

Internet Development Research Center of Peking University. All rights reserved. Beijing ICP No. 191043088