Monitoring and Evaluation Standards for the Protection of Personal Information by Internet Enterprises


(Chinese Law Association on Science and Technology, Peking University Institute for Internet Law)

Official Version 1.0

I, Purpose

These Standards are formulated in order to implement the “NPC Standing Committee Decision concerning Strengthening the Protection of Online Information”, the “Law for the Protection of Consumer Rights and Interests”, the “Telecommunications and Internet User Personal Information Protection Regulations”, the “Online Trading Management Rules” and other normative and legal documents concerning the protection of personal information, safeguard users’ lawful rights and interests and standardize Internet enterprises’ personal information processing activities, and in order to realize a balance between the protection and use of personal information for the benign development of the industry.

The Monitoring and Evaluation Standards aim to establish effective and practical mechanisms for the protection of users’ personal information through concrete provisions on Internet enterprises’ duties, building on existing normative legal documents. On the one hand, they promote Internet enterprises’ building of personal information protection mechanisms that conform to regulations; on the other hand, they guarantee users’ lawful rights and interests in the area of personal information.

II, Basis

These regulations are formulated on the basis of the “NPC Standing Committee Decision concerning Strengthening the Protection of Online Information”, the “Law for the Protection of Consumer Rights and Interests”, the “Telecommunications and Internet User Personal Information Protection Regulations”, and the “Online Trading Management Rules”, with reference to the OECD “Guidelines on the Protection of Privacy and Transborder Flows of Personal Data”, the APEC “Privacy Framework”, the “Guidelines on Personal Information Protection in Public and Commercial Systems” and other domestic and foreign documents in the area of personal information protection, and in integration with the current development circumstances of our country’s Internet industry.

III, Definitions

The terms used in the Standards are defined as follows:

1. Internet enterprise

An Internet enterprise is an organizational entity that processes personal information during the process of using information networks to provide technological services or content services to users. “Information networks” includes computer networks, radio and television networks, fixed telecommunications networks, mobile telecommunications networks and other such information networks, as well as local area networks that are open to the public, which use computers, television sets, fixed telephones, mobile telephones and other electronic equipment as terminals.

2. Initiating party, related party, third party

Initiating party refers to an Internet enterprise that directly collects personal information from users during the process of providing technological services or content services.

Related party refers to an Internet enterprise that has a controlled relationship with a specific initiating party, and whose personal information protection policies are not substantially different from those of the initiating party. “Controlled” refers to having the power, through shareholding rights or agreements, to decide on the financial or operating policies of an Internet enterprise, and being able to obtain profit from the operating activities of that Internet enterprise on that basis.

Third party refers to an organizational entity or natural person that does not directly collect personal information from users, but obtains personal information from initiating parties or related parties.

3. User

User refers to a natural person who uses services provided by Internet enterprises and can be identified through personal information. “Minor” as used in these Standards refers to persons under 18 years of age with limited capacity for civil conduct, and to persons without capacity for civil conduct.

4. Personal information

Personal information refers to information, or a collection of information, with which it is practically feasible, alone or in combination with other information, to identify a specific user, such as name, date of birth, identity card number, address, telephone number, account number, password, etc.

These Standards do not apply to the processing of information that has been irreversibly anonymized or de-identified, such that a specific user’s identity can no longer be identified from that information or collection of information.

5. Processing

Processing refers to the acts of collecting, handling, using and transmitting users’ personal information by Internet enterprises, where:

Collection refers to the act of obtaining and storing personal information.

Handling refers to the act of conducting automated system operations on collected personal information, in order to satisfy the needs of use and transmission.

Use refers to the acts of using personal information to provide technological services or information services, make policy decisions on the basis of personal information, as well as publishing personal information to the public or to specific groups.

Transmission refers to the act of transmitting personal information to related parties or third parties.

6. Consent, explicit consent, implied consent

Consent refers to a positive and affirmative expression of intent by the user, or a user’s voluntary act of using a service, which expresses permission for an Internet enterprise to process their personal information. This includes:

Explicit consent refers to a user’s positive and affirmative declaration of intent, expressing permission for an Internet enterprise to process their personal information.

Implied consent refers to a user’s permitting an Internet enterprise to process their personal information through the act of voluntarily using its services.

Except where especially indicated, consent referred to in these Standards means implied consent.

7. Substantial revision

Substantial revision refers to an Internet enterprise reducing the commitments made in its personal information protection policy, namely the rights of users concerning personal information processing or the duties of the Internet enterprise.

IV, Basic principles

1. The principle of informed consent

Except where laws provide otherwise, Internet enterprises shall fully notify users about important matters concerning personal information processing, and obtain users’ explicit consent or implied consent on the basis of that notification.

2. The principle of legality and necessity

Internet enterprises’ personal information processing methods shall conform to the provisions of the law, and they shall only process personal information necessary for realizing proper commercial objectives and providing online services.

3. The principle of clear purpose

Internet enterprises processing personal information shall have a lawful, proper and clear purpose, and they may not process personal information in excess of the scope of that purpose.

4. The principle of individual control

Users have the right to consult their personal information, and have the right to revise, amend or supplement their personal information.

5. The principle of information quality

Internet enterprises shall provide the necessary channels for users to consult and correct their personal information, in order to guarantee that personal information is accurate, complete and up-to-date.

6. The principle of security responsibility

Internet enterprises shall adopt the necessary management measures and technological measures to protect the security of personal information, and prevent unauthorized retrieval, publication, loss, leakage, damage and alteration of personal information.

V, Indicator system

1. Informed consent

1.1 Internet enterprises shall, before collecting personal information, truthfully notify users through their personal information protection policy about matters concerning personal information processing, which include but are not limited to:

a) the objective, method and scope of collecting personal information;
b) the objective, method and scope of handling, using and transmitting personal information;
c) the Internet enterprise’s name, address, contact method and user complaint mechanism;
d) channels for users to consult and revise their personal information;
e) the consequences that may result where users refuse to provide personal information;
f) the enterprise’s personal information security management systems and personal information security protection measures.

1.2 Internet enterprises shall publish their personal information protection policies on a suitable position on their website, software or service, remind users to pay attention to corresponding policies in a suitable manner, and notify them about the possible consequences of not agreeing with the personal information protection policies.

After Internet enterprises have fulfilled their duty of notification, users’ beginning or continuing the act of using technological services or content services shall be seen as consenting to the Internet enterprise’s handling of personal information.

2. Collection

2.1 Internet enterprises collecting personal information shall have a lawful, proper and clear objective, and may not collect personal information outside the scope of that objective.

2.2 Internet enterprises shall clearly indicate the method they use to collect personal information, and ensure that corresponding methods are lawful and proper.

2.3 Internet enterprises shall clearly indicate the kinds of personal information they collect, and only collect personal information that is necessary to realize a proper commercial objective and provide online services.

2.4 Except under the following special circumstances, Internet enterprises that collect personal information in excess of the indicated objective, method or scope, shall notify users in a suitable form and obtain users’ explicit consent:

a) where laws or regulations contain specific provisions, for instance on safeguarding public security, emergency response, etc.;
b) where it is necessary for the purposes of academic research or the social and public interest;
c) where an administrative body issued a coercive act according to the law;
d) where judicial bodies have made a decision, ruling or judgment according to the law.

3. Handling

3.1 Internet enterprises shall handle personal information within the objective and scope indicated before collection, and adopt the necessary measures and means to guarantee the security of personal information in the process of handling.

3.2 Except under the following special circumstances, Internet enterprises handling personal information in excess of the indicated objective, method or scope, shall notify users in a suitable form and obtain users’ explicit consent:

a) where laws or regulations contain specific provisions, for instance on safeguarding public security, emergency response, etc.;
b) where it is necessary for the purposes of academic research or the social and public interest;
c) where an administrative body issued a coercive act according to the law;
d) where judicial bodies have made a decision, ruling or judgment according to the law.

4. Use

4.1 Internet enterprises shall use personal information within the objective and scope indicated before collection, and adopt the necessary measures and means to guarantee the security of personal information in the process of use.

4.2 Except under the following special circumstances, Internet enterprises using personal information in excess of the indicated objective, method or scope, shall notify users in a suitable form and obtain users’ explicit consent:

a) where laws or regulations contain specific provisions, for instance on safeguarding public security, emergency response, etc.;
b) where it is necessary for the purposes of academic research or the social and public interest;
c) where an administrative body issued a coercive act according to the law;
d) where judicial bodies have made a decision, ruling or judgment according to the law.

5. Transmission

5.1 Internet enterprises transmitting personal information to related parties shall notify users about the related party’s handling of personal information.

5.2 Except under the following special circumstances, Internet enterprises transmitting personal information to third parties, shall notify users and obtain users’ explicit consent:

a) where laws or regulations contain specific provisions, for instance on safeguarding public security, emergency response, etc.;
b) where it is necessary for the purposes of academic research or the social and public interest;
c) where an administrative body issued a coercive act according to the law;
d) where judicial bodies have made a decision, ruling or judgment according to the law.

6. Individual control

6.1 Internet enterprises shall provide independent operating mechanisms to users, to realize users’ control over personal information.

6.2 Internet enterprises shall provide channels to users to consult and revise their personal information.

6.3 Internet enterprises shall provide users with channels to cancel their account or number.

7. Policy revisions

7.1 Internet enterprises shall promptly update their personal information protection policies on the basis of normative and legal documents and the enterprise’s practice.

7.2 Internet enterprises that substantially revise their personal information protection policies shall notify users about the revised content in a clear manner, and notify users about the consequences if they do not accept this, as well as corresponding resolution mechanisms.

7.3 Internet enterprises that revise their personal information protection policies in a non-substantial manner shall notify users about the revised content in a suitable manner.

8. Security responsibility

8.1 Internet enterprises shall establish personal information management responsibility systems, carry out personal information management responsibilities, strengthen personal information security management, and standardize personal information processing activities.

8.2 Internet enterprises shall adopt the necessary technological measures and methods to protect personal information security, including but not limited to:

a) establishing and perfecting internal compliance management departments, and instituting and appointing chief privacy officers or corresponding management personnel;
b) adopting legally obliged or common industry technological methods to encrypt users’ personal information;
c) adopting legally obliged or common industry technological methods to anonymize or de-identify users’ personal information, and ensuring that this processing is irreversible and that the processed information cannot be used to identify individuals;
d) during the process of providing services, using technological measures to ensure that users can take defensive action against unauthorized infringement of their personal information by others.

9. Personal information in particular areas

9.1 Internet enterprises shall provide for specific measures for handling the personal information of minors, for instance, handling their personal information only after the explicit consent of their guardians has been obtained, or, as soon as they learn that a user is a minor, ceasing to handle that user’s personal information until a guardian’s explicit consent is obtained.

9.2 Internet enterprises processing users’ accurate geographical positioning information shall notify users in a reasonable manner, and provide users with an opt-out mechanism to terminate the handling of their accurate geographical positioning information.

Accurate geographical positioning information refers to information obtained through the equipment used by the user, which is used to promptly identify or describe the actual physical location of the user at a specific point in time, within a margin of one kilometre or less.

VI, Implementation mechanisms

1. Institutional monitoring and evaluation

The promulgating body of these Monitoring and Evaluation Standards will establish a monitoring and evaluation body, composed of members from political, industrial, scholarly and research circles in related areas.

The monitoring and evaluation body will, on the basis of these Standards, actively monitor and evaluate the Internet enterprises that fall within their scope. The subjects of monitoring and evaluation are the personal information protection policies that Internet enterprises have established, as well as their practical processes concerning personal information processing, including service or software settings, typical procedures, etc. The monitoring and evaluation body will publish monitoring and evaluation results through reports at regular or irregular intervals.

The monitoring and evaluation body will, at a suitable time, publish a Standards logo for use under the Standards; Internet enterprises conforming to the Standards may display this logo in a suitable position on their websites or services.

2. Enterprise participation

Internet enterprises may assess their personal information protection policies and practices against these Standards, and promptly adjust their policy texts and practical methods. Apart from such active adjustment, Internet enterprises may entrust the monitoring and evaluation body with evaluating their policy texts and practical methods, and promptly adjust them on the basis of the evaluation’s results.

3. User supervision

Internet users may monitor and evaluate Internet enterprises’ personal information protection policies and practical methods on the basis of these Standards. Users may give feedback on monitoring and evaluation results through a website that the monitoring and evaluation body will roll out at a suitable time.

VII, Supplementary provisions

The interpretation and drafting basis of the basic provisions in these Monitoring and Evaluation Standards will be further explained and analysed in the Appendix.

These Standards are published under the Self-Help Copyright Licence Agreement (SCLA) issued by the National Digital Copyright Research Base; the licensing conditions are:

[Right of Signature Reserved Only] The Licensor only reserves the right to indicate authorship, and to sign the work. Where licensees obtain permission for adaptation according to the provisions of this Agreement, they must indicate the author of the original work on the adapted work. The Licensor renounces all property-related rights s/he enjoys in the work.

