Personal Information Protection Law (Expert Suggestion Draft)


Editorial note:

This suggestion draft is one of the outcomes of the National Social Science Fund Major Project “Important Legislative Questions for Internet Security” (14ZDC021) at Renmin University of China Law School, of which Professor Zhang Xinbao is lead expert. Its objective is to provide reference for legislation; its authors are Zhang Xinbao and Ge Xin. Valuable opinions and suggestions on deficiencies in the suggestion draft are welcome and may be sent to gexinde@126.com. After further revision and perfection, the suggestion draft and the statement of grounds for legislation will be published in the near future by Renmin University of China Press; further attention is respectfully invited.

Foreword

The “Personal Information Protection Law (Expert Suggestion Draft)” is based on the theoretical idea of “strengthening two pillars, balancing three sides”: by strengthening the protection of sensitive personal information and strengthening the use of ordinary personal information, it realizes a balance between the interests of subjects on three sides: information subjects, information businesses and state bodies. Concerning the legislative model, the “Expert Suggestion Draft” uses a legislative model with uniform provisions; it is divided into nine chapters, with over 100 articles in total. The first through third chapters are largely the general principles part, including basic provisions on personal information processing, basic principles and basic structures. They clarify a framework for personal information processing jointly constructed and upheld by multiple parties (government, enterprises, sectors, society, etc.); in terms of basic principles, they basically adopt internationally accepted personal information processing principles such as informed consent and limited purposes; in the area of basic structures, they put forward basic structures for building personal information processing standards systems, certification and labelling systems, risk assessment, de-identified processing, etc. The fourth and fifth chapters respectively regulate personal information processing norms for information businesses and government departments.

In these two chapters, apart from detailing the general principles part, the information business part provides dedicated standards for commercial and marketing acts by information businesses and, learning from legislative experience abroad such as that of Singapore, it establishes prohibitions on commercial and marketing number registration systems; the part regulating personal information processing by government departments contains a dedicated section providing for personal information processing structures in government information openness, sharing and publication. The sixth through eighth chapters provide for matters such as supervision and management, dispute resolution and liability. The legal supervision part provides for multi-element supervision, including government supervision, sectoral self-discipline, news supervision, social supervision and citizen participation; moreover, in the area of government supervision and management structures, it attempts to build a comprehensive coordination mechanism with cybersecurity and informatization departments in the lead. The dispute resolution part clarifies how information subjects may uphold their own rights and interests through channels such as consultation, complaints, mediation, litigation and arbitration. The eighth chapter is the legal liability part; apart from providing concrete administrative liability for each matter, it also includes causal provisions on civil liability and criminal liability. The ninth chapter is the supplementary provisions part, which mainly provides uniform definitions for terminology in the expert suggestion draft.

Table of contents

Chapter I: Basic provisions

Article 1: Legislative objective

Article 2: Scope of application / jurisdiction

Article 3: Personal information processing supervision structures

Article 4: Supervision and management structures

Article 5: Expert consultation committee

Article 6: Social responsibility

Article 7: Sectoral organizations

Article 8: Personal information protection organizations

Article 9: Personal information processing socialized service system

Article 10: Personal information processing technology development

Article 11: Personal information protection international cooperation

Chapter II: Basic personal information processing principles

Article 12: The principle of legality

Article 13: The principle of individual participation

Article 14: The principle of openness and transparency

Article 15: The principle of knowledge

Article 16: The principle of consent

Article 17: The principle of explicit purposes

Article 18: The principle of limited purposes

Article 19: The principle of information quality

Article 20: The principle of information security

Article 21: The principle of special protection for sensitive personal information

Article 22: The principle of special protection for personal information of minors

Chapter III: Basic personal information protection structures

Article 23: Personal information protection standards

Article 24: Personal information protection certification and labelling systems

Article 25: Internal personal information protection work mechanisms

Article 26: Personal information security management structures

Article 27: Personal information protection risk assessment

Article 28: Personal information security incident notification structures

Article 29: Personal information de-identification and anonymization structures

Chapter IV: Personal information processing in information businesses

Section 1: Provisions on ordinary acts by information businesses

Article 30: Legal basis for personal information collection and processing

Article 31: Information businesses’ duty of notification

Article 32: Circumstances for exemption of notification

Article 33: Effective consent

Article 34: Limited purposes and reasonable use outside of purposes’ scopes

Article 35: Inspection for foreign provision of personal information

Article 36: Consent for foreign provision of personal information

Article 37: Personal information openness

Article 38: Provision and openness of anonymized information

Article 39: Automated personal information analysis and decision-making

Article 40: Adoption of audio recording, video recording and other such monitoring and surveillance

Article 41: Management of audio recording, video recording and other such monitoring and surveillance

Article 42: Information subjects’ right of inquiry

Article 43: Information subjects’ right of rectification

Article 44: Information subjects’ right of deletion

Article 45: Entrustment of other persons to conduct personal information processing

Article 46: Usage of third-party storage or computing services

Section 2: Provisions on commercial and marketing activities by information businesses

Article 47: Prohibition of commercial and marketing number registration

Article 48: Prohibition of commercial and marketing registration applications, inquiries and changes

Article 49: Information businesses’ prohibition of commercial and marketing number registration inquiry

Article 50: Voice calls and information transmission for commercial or marketing purposes

Article 51: Voice calls or text messages for commercial or marketing purposes

Article 52: E-mails for commercial or marketing purposes

Article 53: Targeted commercial or marketing information

Section 3: Provisions on foreign provision of personal information

Article 54: Ordinary requirements for personal information export security assessment

Article 55: Ordinary provisions for exemption of assessment

Article 56: Personal information provision to countries or regions with equivalent personal information protection levels

Article 57: Provision of personal information by information businesses to foreign subsidiary companies or branches

Article 58: Foreign business investment information businesses providing personal information to foreign parent companies or company head offices

Article 59: Requirements for our country’s information businesses to establish data centres abroad

Article 60: Limitations on the re-provision by foreign personal information receiving sides

Article 61: Limitations on gathering by foreign law enforcement bodies and judicial bodies

Chapter V: Personal information processing by government departments

Section 1: Provisions for ordinary activities by government departments

Article 62: Legal basis for personal information processing

Article 63: Duty of notification towards information subjects

Article 64: Circumstances for exemption of notification

Article 65: Effective consent

Article 66: Limitations of purposes and use outside a reasonable scope of purpose

Article 67: Information subjects’ right of inquiry

Article 68: Information subjects’ right of rectification

Article 69: Information subjects’ right to cessation of processing

Article 70: Inquiry with information businesses or requiring information businesses to provide data

Section 2: Provisions on government information openness, sharing and publishing activities

Article 71: Provisions on personal information protection in government information openness

Article 72: Categories for personal information and government information resource sharing

Article 73: Personal information and government information resource sharing catalogue

Article 74: Personal information and government information resource sharing mechanisms

Article 75: Personal information and government information resource sharing usage limitations

Article 76: Personal information and government information resource sharing objection and rectification mechanisms

Article 77: Personal information and government information resource publication catalogue

Article 78: Personal information and government information resource publication mechanisms

Article 79: Personal information and government information resource publication usage limitations

Article 80: Personal information and government information resource publication usage feedback mechanisms

Article 81: Personal information and government information resource publication supervision mechanisms

Article 82: Protection of information subjects’ rights and interests in relation to personal information and government information publication

Chapter VI: Supervision and management

Article 83: The duties of cybersecurity and informatization departments

Article 84: Sectoral organizations

Article 85: News supervision

Article 86: Social supervision

Article 87: Citizen participation

Chapter VII: Relief

Article 88: Relief channels

Article 89: Preference for consultation with information businesses

Article 90: Mediations by personal information processing organizations or other lawfully established mediation organizations

Article 91: Sectoral organizations

Article 92: Competent authorities’ complaints reception mechanisms

Article 93: Joint litigation

Article 94: Public interest litigation

Article 95: Administrative relief

Chapter VIII: Legal liability

Article 96: Information businesses’ administrative liability for not carrying out personal information security protection duties

Article 97: Information businesses’ administrative liability for infringing information subjects’ lawful rights and interests

Article 98: Administrative liability for unlawful commercial and marketing activities

Article 99: Other legal liability

Article 100: Social credit records

Article 101: Government departments’ legal liability

Article 102: Foreign information businesses’ legal liability

Chapter IX: Supplementary provisions

Article 103: Terminology definitions

Article 104: Application by reference to other countries’ bodies

Article 105: The application of international treaties

Article 106: Date of entry into effect of the Law

Chapter I: Basic provisions

Article 1: Legislative objective

In order to standardize the personal information processing activities of information businesses and government departments, protect the lawful rights and interests of information subjects, and stimulate the lawful use of big data, on the basis of the provisions of the “National People’s Congress Standing Committee Decision concerning Strengthening Online Information Protection”, the “Cybersecurity Law of the People’s Republic of China” and other laws, this Law is formulated.

Personal information as mentioned in this Law refers to all kinds of information recorded electronically or through other methods, with which it is possible, singly or in combination with other information, to identify a natural person’s identity, including but not limited to citizens’ names, dates of birth, identity card number, personal biometric identification information, address, telephone number, etc.

Article 2: Scope of application / jurisdiction

This Law applies to the processing of personal information, as well as the supervision and management of personal information processing activities, within the borders of the People’s Republic of China.

This Law shall be respected when processing personal information of citizens of the People’s Republic of China within the borders of the People’s Republic of China.

This Law applies to personal information matters where the People’s Republic of China has concluded, or participated in, international treaty provisions, that fall within the scope of treaty commitments undertaken by the People’s Republic of China and within its jurisdiction.

Article 3: Personal information processing supervision structures

The State implements personal information processing mechanisms that prioritize prevention, manage risk, control the entire process and involve joint governance with society, and it establishes scientific and strict supervision and management structures.

Article 4: Supervision and management structures

The national cybersecurity and informatization department is responsible for the comprehensive planning, coordination and guidance of personal information processing work and related supervision and management work. All State Council competent departments are, according to the provisions of this Law and relevant laws and administrative regulations, responsible for personal information processing work and supervision and management work within their respective scope of duties.

County-level and higher local People’s Governments’ relevant departments’ personal information processing, supervision and management duties will be determined through relevant State regulations.

Article 5: Expert consultation committee

The national cybersecurity and informatization department establishes a personal information processing expert consultation committee, to provide consultation on major questions concerning our country’s personal information processing, and stimulate the scientific nature of personal information processing and big data use work.

Article 6: Social responsibility

Information businesses launching commercial and service activities must abide by laws and administrative regulations, respect the human dignity of information subjects and social morals, observe commercial ethics, be sincere and trustworthy, perform personal information security protection duties, accept supervision from government and society, and bear social responsibility.

Article 7: Sectoral organizations

Related sectoral organizations will, on the basis of laws and administrative regulations, and according to the provisions of their Charters, strengthen sectoral self-discipline, establish and complete sector standards, reward and punishment mechanisms, formulate personal information processing behavioural norms, guide their members in strengthening personal information processing, support and assist members in raising personal information processing protection levels, and stimulate the healthy development of their sector.

Article 8: Personal information protection organizations

The State supports lawfully established personal information processing organizations, to conduct social supervision of personal information processing and related data use activities, protect the lawful rights and interests of information subjects, and implement public welfare responsibilities.

Article 9: Personal information processing socialized service system

The State stimulates the construction of socialized personal information processing service systems, and encourages relevant enterprises and bodies to lawfully conduct personal information processing certification, risk assessment and other such activities, in performance of their social service responsibilities.

Article 10: Personal information processing technology development

The State encourages the research and development of personal information processing and big data use technologies, it stimulates data use, and promotes technological innovation and economic and social development.

The State supports innovation of personal information security management methods, the use of new technologies, and the increase of personal information processing levels.

Article 11: Personal information protection international cooperation

The State vigorously conducts international exchange and cooperation in areas including personal information processing governance, personal information processing technology research and development, standards formulation, combating unlawful and criminal acts involving personal information processing, etc., and promotes the establishment of a multilateral, democratic and transparent personal information processing governance system.

Chapter II: Basic personal information processing principles

Article 12: The principle of legality

Information businesses and government departments conducting personal information processing activities shall abide by and protect the personal dignity rights and interests of information subjects, abide by this Law as well as the provisions concerning personal information processing in other laws and administrative regulations, and may not illegally process another person’s personal information.

Article 13: The principle of individual participation

Natural persons are the subjects of their personal information. Information subjects may, according to the law, participate in the processing activities of their personal information; they enjoy the right to know, the right of consent, the right of inquiry, the right of correction, the right of refusal and the right to deletion with regard to personal information processing activities.

Article 14: The principle of openness and transparency

Information businesses and government departments engaging in personal information processing activities shall, in a way convenient for information subjects to understand and access, publish their personal information processing rules and major items.

Article 15: The principle of knowledge

Information businesses and government departments shall, in clear and easy-to-understand language, completely, accurately and timely notify information subjects of the objective, method, scope and other such relevant matters pertaining to the processing of their personal information; information subjects have the right, according to the law, to demand that information businesses and government departments provide information related to the processing of their personal information, except where laws provide otherwise.

Article 16: The principle of consent

Information businesses and government departments processing personal information shall first obtain consent of information subjects, except where laws and administrative regulations provide otherwise.

The consent of information subjects shall be made with a clear statement or action of intent; except where laws and administrative regulations provide otherwise, or a different agreement is reached with the information subject, cases where an information subject has remained silent without refusing are not considered consent.

Article 17: The principle of explicit purposes

Information businesses and government departments collecting personal information shall have a specific, concrete and proper objective for personal information processing.

Where information businesses and government departments change the objective of personal information processing, the personal information processing objective after the change shall be reasonably connected to the personal information processing objective before the change.

Article 18: The principle of limited purposes

Information businesses and government departments collecting personal information shall collect the necessary information required to realize a purpose, within the specific scope of that purpose. Without consent from the information subject, the scope of personal information processing of the specific purpose as established at the time of personal information collection, or a scope reasonably connected with it may not be exceeded, except where laws and administrative regulations provide otherwise.

Article 19: The principle of information quality

Information businesses and government departments shall adopt measures to ensure the accuracy, integrity and up-to-dateness of processed personal information.

Article 20: The principle of information security

Information businesses and government departments collecting and processing personal information shall adopt security protection measures suited to personal information security risks and threats, to ensure personal information security, and avoid security incidents where the personal information they process is subject to leaks, damage, distortion, etc.

Article 21: The principle of special protection for sensitive personal information

Sensitive personal information enjoys special legal protection. Information businesses and government departments shall, when processing sensitive personal information according to the law, provide special protection to information subjects.

No organization or individual may collect sensitive personal information of which the collection is prohibited by laws and administrative regulations.

Where sensitive personal information falls within the scope of personal privacy, the relevant legal provisions on protection of the right of privacy shall also apply to its protection.

Article 22: The principle of special protection for personal information of minors

The personal information of minors enjoys special legal protection. Information businesses and government departments collecting and processing minors’ personal information shall uphold the principle of priority for minors’ interests and the principle of guardians’ consent, and respect and protect the human dignity rights and interests of minors.

Chapter III: Basic personal information protection structures

Article 23: Personal information protection standards

The State establishes and perfects uniform personal information processing standards systems. The State Council administrative department in charge of standardization and other relevant State Council departments will, according to their respective duties, organize the formulation and timely revision of national standards and sectoral standards concerning personal information processing and its supervision and management, and stimulate international exchange and cooperation on personal information processing standards.

The State encourages enterprises, research bodies, tertiary schools, related sectoral organizations, personal information processing organizations, etc., to participate in the formulation of national and sectoral standards for personal information processing.

Article 24: Personal information protection certification and labelling systems

The State establishes and perfects a uniform personal information processing certification and labelling system, formulates personal information processing standard certification symbols and certification implementation rules, promulgates management rules on the use of certification symbols, and stimulates international exchange and cooperation on personal information processing certification and labelling.

Only after having passed certification by a qualified body, may information businesses use personal information processing certification symbols. The national cybersecurity and informatization body will, together with relevant State Council departments, formulate and promulgate personal information processing-certified information business catalogues, and promote mutual recognition of personal information processing certification results, to avoid duplicate certification.

Article 25: Internal personal information protection work mechanisms

Article 26: Personal information security management structures

Information businesses and government departments processing personal information shall ensure personal information security, establish and complete internal personal information security management structures according to the provisions of laws and administrative regulations, and the mandatory requirements of national standards, including but not limited to personal information processing documentation management structures, personal information hierarchical authorization management structures, multi-level personal information security risk assessment structures, personal information security incident response mechanisms and other such structures.

Article 27: Personal information protection risk assessment

Where the personal information processing elements that information businesses and government departments intend to implement involve large amounts of residents’ uniform identification code information or other such sensitive personal information, minors’ personal information, or automated personal information decision-making, they shall, before conducting the personal information processing, conduct a personal information processing risk assessment: investigate, forecast and assess the risk that personal information may be leaked, damaged, distorted or abused after the personal information processing elements are implemented, and put forward related risk prevention measures.

After personal information processing elements as provided in the previous clause are implemented, information businesses and government departments shall conduct a tracing analysis on the basis of the personal information risk assessment outcome, and timely identify and respond to personal information protection risks.

Article 28: Personal information security incident notification structures

Information businesses and government departments shall adopt technical measures and other necessary measures to ensure the security of the personal information they collect, and prevent information leaks, damage and loss. When it occurs or may occur that personal information is leaked, damaged or lost, they shall immediately adopt remedial measures, and timely report the matter to users and the relevant competent department according to regulations.

Article 29: Personal information de-identification and anonymization structures

Information businesses and government departments conducting personal information processing shall, where it does not influence the necessary limits of personal information processing, give preference to conducting de-identified and anonymized processing of personal information, reducing personal information processing risks.

Chapter IV: Personal information processing in information businesses

Section 1: Provisions on ordinary acts by information businesses

Article 30: Legal basis for personal information collection and processing

Information businesses processing personal information shall have a specific purpose, and conform to one of the following conditions:

(1) having consent from the information subject;

(2) [acting] as required for concluding or implementing a contract between information subjects;

(3) [acting] as truly required for the protection of information subjects’ or other persons’ major personal and property interests, but where circumstances make it difficult to obtain information subjects’ consent;

(4) [acting] where the personal information involved is published by the information subject themselves or other personal information lawfully made public, and the personal information processing does not exceed the reasonable scope for the aforementioned publication;

(5) [acting] as required to implement duties provided in laws and administrative regulations;

(6) [acting] as required to execute a lawful order from an administrative department.

Article 31: Information businesses’ duty of notification

Information businesses collecting personal information shall, through user agreements, privacy policies, real-time notifications and other such methods, inform information subjects in clear and easy-to-understand language about the following matters:

(1) The name, contact method, personal information processing rules and other such basic information about the information business;

(2) Basic matters concerning personal information processing, including the nature of the personal information, the processing purpose, method, scope, storage period, etc.;

(3) Special matters concerning personal information processing, including the potentially conducted automated personal information decision-making, foreign personal information provision, personal information export, de-identified use, etc.;

(4) The influence that information subjects’ consent or refusal of personal information processing, may bring about for them;

(5) The various rights of consent, inquiry, rectification, and deletion that information subjects enjoy, and the channel to exercise them;

(6) When collecting sensitive personal information, they shall also especially point out to information subjects that the collected information is sensitive personal information;

(7) When collecting minors’ personal information, they shall also notify their guardians as much as possible;

(8) When indirectly collecting personal information, they shall also notify information subjects about the source of the personal information.

When information businesses directly collect personal information from information subjects, they shall notify information subjects about each matter listed in the previous clause before collecting the personal information. When information businesses indirectly collect information subjects’ personal information, they shall notify information subjects about each matter listed in the previous clause within a reasonable period not exceeding one month after collecting the personal information; when personal information is indirectly collected for use in contacting information subjects, they shall notify them about each matter listed in the previous clause at the time of first contacting the information subject.

Article 32: Circumstances for exemption of notification

When they conform to one of the following conditions, information businesses may, within the limits of necessity, be exempted from the duty of notification as provided in Article 31:

(1) Where information subjects are already aware of each matter listed in Article 31 Clause 1;

(2) When indirectly collecting personal information, and the cost of notifying information subjects about each matter listed in Article 31 Clause 1 is extremely high;

(3) When indirectly collecting personal information, and the collected information is personal information that information subjects have published themselves or that has otherwise been lawfully made public;

(4) Where notifying information subjects about each matter listed in Article 31 Clause 1 may harm social or public interests;

(5) Where notifying information subjects about each matter listed in Article 31 Clause 1 may gravely influence government departments’ exercise of their duties and responsibilities;

(6) Other circumstances provided in laws and administrative regulations.

Article 33: Effective consent

When information businesses collect information subjects’ personal information according to the provisions of Article 31 Clause 1, they shall obtain information subjects’ consent to process their personal information through methods that are easy for information subjects to choose and operate, in clear and easy-to-understand language.

Where information businesses obtain information subjects’ consent but have in fact eliminated information subjects’ right to refuse consent, that consent is invalid. When one of the following circumstances is present, the said consent is invalid:

(1) Obtaining information subject consent by generalized clauses, by providing information subject consent item lists not on the basis of concrete personal information processing circumstances;

(2) Making information subjects’ consent to processing personal information into a condition for concluding or implementing contracts, processing information subjects’ personal information in excess of the necessary scope required for the conclusion or implementation of contracts with information subjects;

(3) Obtaining information subjects’ consent to process their personal information in combination with other matters in written form or electronic form, not having adopted reasonable measures to clearly indicate matters and clauses concerning personal information processing, or not having provided information subjects with a stand-alone consent choice.

Even though information subjects have not provided effective consent, where they provide personal information to information businesses, and on the basis of concrete circumstances, information subjects’ acts of providing their personal information are reasonable, it shall be considered that information subjects have consented to the collection of their personal information.

Article 34: Purpose limitations and reasonable use outside of purposes’ scopes

Information businesses shall use personal information within the scope of the specific purpose determined at the time of personal information collection or a scope reasonably connected with it; to use personal information in excess of the aforementioned scope, they shall notify information subjects and obtain their consent, except where laws and administrative regulations provide otherwise.

Where information businesses change the purpose of personal information processing, and the processing purpose after the change, in comparison with the processing purpose before the change, can reasonably be considered not to significantly increase the influence on information subjects’ lawful rights and interests, and an easy-to-operate refusal mechanism is provided to information subjects, then until information subjects have exercised their right of refusal, it shall be considered that the information subject consents to the personal information processing purpose after the change, except where the processed personal information is sensitive personal information.

Article 35: Inspection for foreign provision of personal information

Where information businesses provide personal information abroad, they shall conduct an inspection of the personal information protection levels and personal information processing purposes of the information businesses on the receiving side; they may not provide personal information to information businesses who do not meet the personal information processing levels required by this Law or who have improper processing purposes.

The information business on the receiving side shall cooperate with the inspection by the information business on the providing side, and provide materials related to personal information processing levels and personal information processing purposes to the information business on the providing side.

Article 36: Consent for foreign provision of personal information

Where information businesses provide information subjects’ personal information to other persons, they shall timely notify the information subject about concrete matters concerning the foreign provision of personal information, including personal information categories, methods, basic information concerning the receiving side, their personal information processing purpose and other such matters concerning foreign provision of personal information, and obtain the information subject’s consent.

Where information businesses provide information subjects’ personal information to other information businesses who have received their entrustment to provide personal information processing services for them, the matter does not fall under foreign provision of personal information as provided in the previous clause.

Article 37: Personal information publication

Except for the following circumstances, information businesses may not publish information subjects’ personal information:

(1) With information subjects’ written consent and publication within the agreed scope;

(2) Within a necessary scope to stimulate the social and public interest;

(3) Publication based on the public interest, with academic research or statistical objectives, in a manner insufficient to identify particular information subjects, except for sensitive personal information;

(4) Publication according to the provisions of laws and administrative regulations.

Article 38: Provision and openness of anonymized information

Information businesses providing anonymized information abroad shall inspect personal information security protection measures, capabilities and levels of the information business on the receiving side, explain to the information business on the receiving side that the said information is anonymized information, and conclude a written agreement with the information business on the receiving side, requiring that they may not attempt to recover the identifiability of anonymized data.

Where information businesses publish anonymized information online, they shall conduct a personal information processing influence assessment before publishing the anonymized information; this focuses on assessing the necessity of publishing the anonymized data, circumstances affecting the anonymized data, the possibility of recovering the identifiability of the anonymized data, as well as the harm that publication of the anonymized data may bring to national security, the social and public interest, and the lawful rights and interests of information subjects.

Article 39: Automated personal information analysis and decision-making

Automated personal information analysis refers to information businesses conducting automated processing of information subjects’ personal information, and obtaining analysis concerning the information subject’s work performance, economic situation, health situation, personal hobbies, etc. Except with the consent of information subjects or as provided in laws and administrative regulations, information businesses may not collect information subjects’ sensitive personal information for use in automated personal information analysis.

When information businesses obtain information subjects’ personal information for automated analysis, to be used to decide whether or not to grant the information subject credit or insurance, provide employment opportunities, and other such matters influencing information subjects’ lawful rights and interests or having a major influence on the information subjects, they shall explain to the information subject the purpose, scope and content of automated personal information processing, and obtain their consent. Without having given consent, information subjects have the right to require manual intervention or to refuse the constraints of the said decision, except where laws and administrative regulations provide otherwise.

Article 40: Adoption of audio recording, video recording and other such monitoring and surveillance

Before information businesses use audio recording, video recording and other such modern technological means to implement monitoring or surveillance in order to safeguard security in commercial premises, enhance service quality and other such proper purposes, they shall file the adopted technological measures, equipment categories, position distribution and other such basic information with their local county-level or higher People’s Government public security body.

It is prohibited to install audiovisual information collection equipment in hotel guestrooms, collective dormitories and public bathrooms, changing rooms, toilets and other such places and locations where other persons’ privacy may be leaked.

Article 41: Management of audio recording, video recording and other such monitoring and surveillance

Information businesses shall, when information subjects enter the scope of monitoring or surveillance collection, clearly indicate this to the information subjects.

With regard to the collection of auditive or visual information, information businesses shall adopt measures such as authorized management and controlled access to control the consultation, replication, transmission and illegal leaking of the obtained auditive or visual information. Where bodies performing investigation, prosecution or judicial duties require it for judicial work, where public security bodies and national security bodies require it for exercising law enforcement, or where county-level or higher People’s Governments’ administrative competent departments require it for investigating and handling sudden incidents, information businesses shall provide cooperation according to the law when those bodies consult, duplicate or retrieve the obtained auditive or visual information.

Article 42: Information subjects’ right of inquiry

Information subjects have the right to inquire with information businesses into the processing of their personal information and related matters; information businesses shall provide facilitation for information subjects’ inquiry into their personal information.

Article 43: Information subjects’ right of rectification

When information subjects discover that their personal information processed by information businesses contains errors or omissions, they may notify the information business in writing to make rectification. After the information business preliminarily affirms this, it shall mark the related personal information as being objected to.

Where after examination, it is determined that the related personal information actually contains errors or omissions, the information business shall rectify them; where it is determined there are no errors or omissions, the objection marking shall be removed; where no determination was made after inspection, the inspection situation and significant content shall be recorded.

Article 44: Information subjects’ right of deletion

Where information subjects have consented to the conduct of personal information processing, and information subjects revoke their consent or believe the information businesses no longer meet another lawful basis for personal information processing as provided in Article 30 of this Law, they may notify the information business to delete already processed personal information, except where laws and administrative regulations stipulate deletion is prohibited or preservation is required.

In the following circumstances, where information subjects believe personal information in cyberspace is not accurate, is no longer relevant or infringes their lawful rights and interests, and the matter does not affect the public interest, information subjects have the right to demand that information businesses adopt the necessary measures of deletion, screening, breaking links, etc.:

(1) Where, after an information business providing online platform services receives notification from an information subject, it determines that the personal information on the platform is not related to the public interest, it shall timely adopt the necessary measures of deletion, screening, breaking links etc., and assist the information subject to notify other information businesses they know or should know that have linked to or reproduced the aforementioned personal information, to adopt the necessary measures;

(2) Where, after an information business providing online search engine services receives notification from an information subject, it determines that the search engine result link content related to the personal information is not related to the public interest, it shall timely adopt the necessary measures of deletion, screening, breaking links, etc.;

(3) Where a minor or their guardian demands an information business to delete or screen the aforementioned minor’s personal information in cyberspace, the information business shall timely adopt the necessary measures of deletion, screening, breaking links, etc.

For information subjects to exercise the right of deletion stipulated in the previous Clause, they shall notify the information business in writing, informing the information business of their name and contact method, the network address related to the personal information of which deletion is demanded or other information sufficient to locate the aforementioned personal information, the reason to demand deletion of the information concerned and other such matters. After the information business receives the notification from the information subject, it shall timely delete the information concerned. Where an information business believes that the information subject’s deletion demand does not conform to the provisions of the previous Clause, it may refuse deletion, but shall timely notify the information subject and explain the reasons to the information subject.

Article 45: Entrustment of other persons to conduct personal information processing

Information businesses entrusting other information businesses with conducting personal information processing shall assess the entrusted side’s personal information security protection measures, capabilities and levels; they may not entrust processing to information businesses who do not meet the personal information security protection levels provided in this Law. Information businesses shall, through methods such as contracts, etc., determine the scope of authorization with the information business on the entrusted side, including the categories, scopes, processing objectives, etc., of personal information processing, and supervise personal information security management by the information business on the entrusted side.

Information businesses accepting entrustment from other information businesses to conduct personal information processing shall abide by this Law and the provisions concerning personal information processing in other laws and administrative regulations, ensure personal information security, appropriately conduct personal information processing according to the contract with the information business on the entrusting side, accept supervision from the information business on the entrusting side, and report the personal information processing situation to the information business on the entrusting side; they may not process personal information in excess of the scope authorized by the information business on the entrusting side.

Article 46: Usage of third-party storage or computing services

Where information businesses use third-party storage or computing services, they shall abide by this Law and other relevant laws, administrative regulations and national standards, clarify third-party personal information security management standards through methods such as concluding contracts with the third party, etc., ensure personal information security, and continuously supervise the process of using third-party storage or computing services.

Third parties shall, according to laws, administrative regulations, national standards, and agreements with information businesses, ensure the security of personal information provided by the information business as well as personal information collected, produced or stored through information businesses’ business system operations, ensure the information business can access, use and control the aforementioned personal information, and accept continuous supervision from the information business; without authorization from the information business, they may not access, revise, disclose, use or transmit the aforementioned personal information. When services are terminated, they shall conduct transfer or deletion according to laws, administrative regulations, national standards, and the demands of the information business.

Section 2: Provisions on commercial and marketing activities by information businesses

Article 47: Prohibition of commercial and marketing number registration

The State establishes a system to register fixed telephone and mobile telephone numbers for which commercial and marketing [contact] is prohibited (hereafter simply named “prohibited commercial and marketing number registration”).

The State Council competent department for telecommunications advances and supervises prohibited commercial and marketing number registration work, and organizes the construction of prohibited commercial and marketing number registration systems.

Article 48: Prohibition of commercial and marketing registration applications, inquiries and changes

Information subjects may, when providing their real identity information to arrange fixed telephone or mobile telephone connection formalities, apply for registration or change of their prohibited commercial or marketing matters or cancel registration for fixed telephone or mobile telephone number through the prohibited commercial or marketing number registration system.

The State Council competent department for telecommunications will, through the prohibited commercial and marketing number registration system, handle prohibited commercial and marketing number registration, change or cancellation of registration for information subjects; except for fees to cover necessary costs, it may not collect any other fee.

Article 49: Information businesses’ prohibition of commercial and marketing number registration inquiry

Information businesses who, with a commercial or marketing purpose, call fixed telephone or mobile telephone numbers or send them text messages, shall in advance inquire through the prohibited commercial or marketing number registration system whether the said number is registered as prohibited for commercial or marketing [contact] and the scope of prohibited items; the period of validity for each inquiry is 30 natural days.

The State Council competent department for telecommunications may collect necessary reasonable fees for providing inquiry services to information businesses through the prohibited commercial or marketing number registration system.

Article 50: Voice calls and information transmission for commercial or marketing purposes

When information businesses intend to conduct voice calls or information transmissions that fall within the scope of prohibited items of fixed telephone and mobile telephone numbers that have already been entered into prohibited commercial or marketing registration, they may not contact the said information subjects for a commercial or marketing purpose through voice calls or information transmission methods, except where the information subject consents or the information subject requests this.

Article 51: Voice calls or text messages for commercial or marketing purposes

Information businesses engaging in commerce or marketing through ways such as voice calls or sending text messages, etc., shall indicate their true and accurate identity to information subjects, may not conceal or falsify it, and shall transmit the sending side’s telephone number or code at the same time; the sending side’s telephone number or code may not be absent, false or illegally used.

Where information businesses use automated voice call or text message sending services to engage in commerce or marketing, they shall apply with telecommunication service providers for the use of specific fixed numbers for commerce or marketing. Telecommunications service providers shall examine and register the real identity information of the information business.

Information businesses shall, in their voice calls or text messages, provide information subjects with an easy-to-use refusal mechanism, and ensure one-click unsubscription. Where information subjects refuse acceptance, it is prohibited to again send voice calls or text messages with identical or similar content to them.

Article 52: E-mails for commercial or marketing purposes

Without an information subject’s consent or request, information businesses may not send e-mail to the information subject’s personal e-mail for commercial or marketing purposes.

Information businesses sending e-mails to information subjects for commercial or marketing purposes shall provide their real and accurate e-mail address information to information subjects, they may not conceal or falsify their e-mail address information, and clearly indicate it before the e-mail title.

Information businesses sending e-mails to information subjects for commercial or marketing purposes shall provide information subjects with easy-to-operate refusal mechanisms in clear and easy-to-understand language, and ensure one-click unsubscription. Where information subjects refuse acceptance, it is prohibited to again send e-mails with identical or similar content to them.

Article 53: Targeted commercial or marketing information

Information businesses sending commercial or marketing information content based on information subjects’ personal information including online browsing histories, interests and hobbies, consumption records and habits, etc., shall clearly indicate an unsubscription symbol, and ensure one-click unsubscription. Where information subjects unsubscribe, information businesses may no longer send to them, and shall provide information subjects with ways to delete or anonymize the personal information they used for commercial and marketing activities.

Section 3: Provisions on foreign provision of personal information

Article 54: Ordinary requirements for personal information export security assessment

Where information businesses, for business needs, truly need to provide abroad personal information collected and created during operations within the borders of the People’s Republic of China, they shall conduct a personal information export security assessment, and may only export it when they believe that personal information export will not result in major risk to the protection of personal information subjects’ rights and interests.

Information businesses conducting a personal information export security assessment shall focus on assessing the following content:

(1) the legality, propriety and necessity of personal information export;

(2) the basic circumstances of exported personal information, including quantity, scope, categories, degree of sensitivity, etc.;

(3) the basic situation of the foreign data receiving side, including their security protection measures, capabilities and levels, as well as the cybersecurity environment in their local country or region, etc.

Article 55: Ordinary provisions for exemption of assessment

Where one of the following circumstances is present, information businesses may, when providing personal information abroad, be exempt from the personal information export security assessment as provided in Article 54:

(1) Necessity to safeguard the life, property and other such major lawful rights and interests of information subjects or other persons;

(2) Necessity to implement duties provided in laws, regulations and administrative rules;

(3) Personal information export initiated on the initiative of the information subject.

Article 56: Personal information provision to countries or regions with equivalent personal information protection levels

Where the national cybersecurity and informatization department, on its own initiative or in response to an information business’ request, assesses the personal information protection level of a specific country or region, it shall determine whether or not the specific country or region satisfies our country’s personal information processing levels on the basis of the legislative and law enforcement situation in the foreign country or region, its participation in international treaties, etc., and publish to society a list of countries or regions with equivalent personal information processing levels.

Information businesses providing personal information to countries or regions of which the national cybersecurity and informatization department has determined as having equivalent personal information processing levels may be exempt from the personal information export security assessment elements provided in Article 54, but shall record the basic circumstances of personal information export, such as the exported personal information categories, quantities, purposes, basic information on the foreign receiving side, etc.

Article 57: Provision of personal information by information businesses to foreign subsidiary companies or branches

Where information businesses need to provide personal information collected and created during business operations within the borders of China to subsidiary companies or branches abroad for business purposes, and they commit that their foreign subsidiary companies or branches apply similar personal information processing regulations and structures as their domestic ones, ensure equivalent personal information processing protection levels, and bear due legal responsibility for personal information processing activities by the foreign subsidiary companies or branches, they may be exempted from the personal information export security assessment items as provided in Article 54, but shall file the matter with the national network department, the State Council competent department for telecommunications and other relevant departments.

Article 58: Foreign business investment information businesses providing personal information to foreign parent companies or company head offices

Where information businesses established with foreign investment truly need to provide personal information collected and created during business operations within the borders of China to parent companies or head offices abroad, and they commit that their foreign parent company or head office applies similar personal information processing regulations and structures as their domestic company for the aforementioned personal information processing, ensure equivalent personal information processing levels, and bear corresponding legal responsibility for personal information processing activities by their parent company or head office, they may be exempted from the personal information export security assessment items as provided in Article 54, but shall file the matter with the national network department, the State Council competent department for telecommunications and other relevant departments.

Article 59: Requirements for our country’s information businesses to establish data centres abroad

Where information businesses provide services within the borders of China, and need to establish data centres abroad for business needs, they shall abide by the following provisions:

(1) Where they establish data centres in countries or regions determined by the national cybersecurity and informatization department as having equivalent personal information processing protection levels, they shall file the matter with the national cybersecurity and informatization department;

(2) Where they establish data centres in countries or regions not determined by the national cybersecurity and informatization department as having equivalent personal information processing protection levels, they shall obtain permission from the national cybersecurity and informatization department.

Article 60: Limitations on the re-provision by foreign personal information receiving sides

Where information businesses need to provide personal information collected or created during operations within the borders of the People’s Republic of China abroad for business requirements, they shall agree with the foreign personal information receiving side that without [information businesses’] consent, [the receiving side] may not re-transfer the received personal information to a third party.

Article 61: Limitations on gathering by foreign law enforcement bodies and judicial bodies

Where information businesses’ subsidiary companies, branches or data centres established abroad receive orders from law enforcement bodies or judicial bodies from the country or region of establishment to obtain personal information collected or created within the borders of the People’s Republic of China, they shall timely notify the national cybersecurity and informatization department or relevant competent departments, and may only provide it after approval.

Where information businesses provide personal information collected and created within the borders of the People’s Republic of China abroad for business reasons, they shall agree with the foreign personal information receiving side that, when receiving an order from law enforcement bodies or judicial bodies from their country or region to obtain the aforementioned personal information, they shall timely notify the information business. After the information business receives notification, it shall timely file the matter with the national cybersecurity and informatization department or relevant competent department.

Chapter V: Personal information processing by government departments

Section 1: Provisions for ordinary activities by government departments

Article 62: Legal basis for personal information processing

Government departments conducting personal information processing activities within the scope of their statutory duties and powers, based on a specific purpose, shall conform with one of the following conditions:

(1) Necessity to fulfil statutory duties;

(2) Having consent from the information subject;

(3) Necessity to protect major personal and property interests of the information subject or third persons, but in circumstances making it difficult to obtain the information subject’s consent;

(4) Necessity to conduct statistics and research based on the public interest;

(5) Other circumstances provided by laws and administrative regulations.

Article 63: Duty of notification towards information subjects

Government departments collecting personal information shall, through methods such as notifications or announcements, notify information subjects of the following matters in clear and easy-to-understand language:

(1) Basic information about the government department, such as its name, contact method, personal information processing rules, etc.;

(2) Basic matters on personal information processing, including the nature of the personal information, legal basis, processing purpose, method, scope and storage period, etc.;

(3) Particular matters on personal information processing, including the potentially conducted personal information publication, sharing, openness, etc.;

(4) Whether or not the information subject has a statutory duty to provide personal information, and the influence that consent or refusal of personal information processing may bring about on them;

(5) Various rights of information subjects, including consent, inquiry, rectification, deletion, etc. and the channels to exercise them;

(6) When collecting minors’ personal information, they shall also notify their guardian to the greatest possible extent;

(7) When indirectly collecting personal information, they shall also notify the information subject about the source from which it obtained the personal information.

When directly collecting personal information through information subjects, they shall notify the information subjects about the matters in the previous Clause at the time of personal information collection; when indirectly collecting information subjects’ personal information, they shall notify the information subjects about the matters in the previous Clause within a reasonable period not exceeding one month after collecting the personal information; when indirectly collecting personal information for use in contacting the information subject, they shall notify them about the matters in the previous clause at the first moment of contact.

Article 64: Circumstances for exemption of notification

When one of the following conditions is met, government departments may, to the extent necessary, be exempt from the duty of notification as provided in Article 63 Paragraph I:

(1) The information subject already knows about the various matters provided in Article 63 Paragraph I;

(2) When indirectly collecting personal information, the cost of notifying information subjects about the various matters provided in Article 63 Paragraph I is too high;

(3) Notifying information subjects about the various matters provided in Article 63 Paragraph I may bring about grave negative influence in the exercise of statutory duties and powers;

(4) Notifying information subjects about the various matters provided in Article 63 Paragraph I may harm the interests of third parties, or the social and public interest;

(5) Other circumstances provided in laws and administrative regulations.

Article 65: Effective consent

When government departments collect information subjects’ personal information according to Article 62 Clause (2) of this Law, they shall obtain the information subject’s consent for the processing of their personal information using clear and easy-to-understand language, and methods that are easy for the information subject to choose and operate. Where a government department, in obtaining an information subject’s consent, has in fact precluded the information subject from exercising their right to consent, it shall be considered as the information subject not having given consent.

If an information subject has not given effective consent, but provides personal information to the government department, and, on the basis of the circumstances, the information subject’s act of providing their personal information is reasonable, it shall be considered as the information subject having given consent for the collection of their personal information.

Article 66: Limitations of purposes and use outside a reasonable scope of purpose

Government departments shall, when collecting personal information, determine a specific purpose, and use the personal information within a scope reasonably connected with that purpose.

Article 67: Information subjects’ right of inquiry

Information subjects have the right to inquire with government departments about the personal information concerning them that those departments process, and related matters; government departments shall provide convenient [ways] for information subjects to inquire into their personal information, except where laws and regulations provide otherwise.

Article 68: Information subjects’ right of rectification

Where information subjects believe the personal information processed by a government department contains errors or omissions, they have the right to raise objections with the corresponding government department. After the government department has made preliminary confirmation, it shall indicate with a symbol that the related personal information is under objection.

Where, after examination, it is determined that the related information truly contains errors or omissions, the government department shall rectify it; where it is determined it contains no errors or omissions, the symbol shall be removed; where it cannot be determined after examination, the examination situation and content of the objection shall be recorded.

Article 69: Information subjects’ right to cessation of processing

Where one of the following circumstances exists, information subjects have the right to request the relevant government department to cease using, delete or cease providing related personal information to other persons:

(1) Where the government department has collected personal information in violation of laws and regulations;

(2) Where a government department has used personal information outside of the processing purpose and this does not fall under statutory exemptions;

(3) Where a government department has unlawfully provided [personal information] to third parties.

After a government department receives a request, and examination [proves] one of the circumstances provided in the previous Paragraph applies, it shall cease using, delete, or cease provision to other persons within 20 working days. Where it believes the circumstances provided in the previous Paragraph do not apply, it shall notify the information subject within 20 working days and explain the reasons.

Article 70: Inquiry with information businesses or requiring information businesses to provide data

When government departments, in the process of carrying out statutory duties, need to inquire with or demand that information businesses provide personal information-type data, they shall have a legal or regulatory basis, undergo a strict approval procedure, notify the information business in writing, and exercise the duty of notification towards the information subject concerned according to the provisions of Article 63 and Article 64, except for use in technical investigation measures, intelligence information collection and other such matters provided in laws and regulations.

When government departments lawfully inquire with or demand that information businesses provide personal information, they shall inquire into or store the related personal information only within the limits of what is actually necessary to exercise their statutory duties, and may not use it for purposes unrelated to the exercise of those duties.

Section 2: Provisions on government information openness, sharing and publishing activities

Article 71: Provisions on personal information protection in government information openness

Government departments shall investigate government information planned for publication according to this Law, other relevant laws, regulations and relevant State provisions. Where it involves personal information, they shall abide by the following rules:

(1) Where non-publication has no major influence on the public interest, it may not be published, but where it is possible to separate personal information from other information, the other information is to be published after separation from the personal information;

(2) Where non-publication may bring about major influence on the public interest, it shall be published, but [the government department] shall only publish it after anonymising the personal information;

(3) Where non-publication may bring about major influence on the public interest, but anonymization renders it impossible to realize the purpose of information publication, the opinion of the information subject shall be sought in writing. Where the information subject has not put forward an opinion within 15 working days from receiving the opinion request letter, the government department decides according to the law on whether or not publication takes place. Where the information subject does not consent to publication and has a lawful reason for doing so, the government department shall not publish it. Where the government department believes that non-publication may bring about grave influence on the public interest, it may decide to publish it, and will notify the information subject in writing about the content of, and reasons for, the government information decided to be published.

Where a government department cannot determine whether the personal information involved in government information may be published, it shall report the matter to the same level’s cybersecurity and informatization department for determination.

Article 72: Categories for personal information and government information resource sharing

Where government information contains personal information, it is to be divided into three sharing categories: unconditional sharing, conditional sharing, and non-sharing.

Population information, electronic identification information and other such basic information resources’ basic information matters and other such personal information that may be provided to all government departments for shared use falls in the unconditional sharing category. All personal information included in the unconditional sharing category shall have a basis in laws, administrative regulations or Party Centre and State Council policies.

Personal information that may be provided to related government departments for shared use or that can only be partially provided to all government departments for shared use falls under the conditional sharing category.

Personal information that should not be provided to other government departments for shared use falls under the non-sharing category.

Article 73: Personal information government information resource sharing catalogue

Departments creating or collecting personal information-type government information resources (hereafter simply named “providing departments”) shall, according to the requirements of personal information processing-related laws and regulations, establish a personal information-type government information resource sharing catalogue, listing the sharing categories of personal information-type government information resources.

Providing departments shall, under the guidance of the cybersecurity and informatization departments at the same level, establish dynamic adjustment mechanisms for their personal information-type government information resource sharing catalogues, conduct personal information sharing risk assessments for personal information-type government information resources that have not been listed in the unconditional sharing or conditional sharing categories, and, where it is determined that the rights and interests of the information subject will not be negatively influenced, timely revise the personal information-type government information resource sharing catalogue.

Article 74: Personal information government information resource sharing mechanisms

Departments who need to use shared personal information to exercise their duties (hereafter simply named “using departments”) shall provide a clear sharing requirement and information use purpose.

Using departments may directly obtain personal information falling into the unconditional sharing [category] through government data sharing and exchange platforms, by data download, interface transfer and other such methods.

For information falling into the conditional sharing [category], using departments shall submit an application to the providing department through the government data sharing and exchange platform, the providing department shall reply within 10 working days. Where sharing is granted, it shall clarify the conditions and concrete requirements for personal information use. Where sharing is not granted, the providing department shall explain the reasons.

For personal information falling into the non-sharing category, as well as personal information in the conditional sharing category where the providing department has not granted sharing, where the using department truly requires it in order to exercise its duties, the using department and the providing department will consult on a solution. Where consultation does not lead to an outcome, the matter will be consulted on and resolved by the same level’s cybersecurity and informatization department, which has the power to decide [this]; where central relevant departments are involved, the matter will be consulted on and resolved by the Interministerial Joint Conference to Stimulate Big Data Development.

Article 75: Personal information government information resource sharing usage limitations

Using departments shall, with respect to shared personal information they have obtained, abide by the personal information use conditions and concrete requirements put forward by the providing department, and may only use it to exercise the duties of the department in question according to the clarified use purpose; they may not provide it to third parties, whether directly, by modifying the data, or through other such methods, and may also not use it, or a modified [version] of it, for other purposes.

Article 76: Personal information government information resource sharing objection and rectification mechanisms

Where a using department discovers that shared personal information it has obtained contains errors or omissions, it shall timely provide feedback to the providing department. After preliminary confirmation by the providing department, it shall indicate with a symbol that the related personal information is under objection.

Where, after examination, it is determined that the information concerned truly does contain errors or omissions, the providing department shall rectify it; where it is determined there is no error or omission, the objection symbol shall be removed; where it cannot be determined after examination, the examination situation and objection content shall be recorded.

Article 77: Personal information government information resource publication catalogue

Where a department producing or collecting personal information-type government information (hereafter named “publishing department”) intends to increase conditional publication-type or unconditional publication-type government information resources, it shall conduct a personal information processing influence assessment, and adopt methods such as hearings and discussion meetings, to hear opinions from grass-roots and mass representatives, departments, people’s organizations, experts, People’s Congress representatives and relevant social sides.

The publishing department shall report the necessity for data publication, the influence that may be engendered on personal information processing, as well as the hearings and discussion meetings held, to the same level’s cybersecurity and informatization department. After approval by the same level’s cybersecurity and informatization department, the resource will be listed in the conditional publication or unconditional publication catalogue, and made public to society through the publication platform.

Article 78: Personal information government information resource publication mechanisms

Personal information-type government information resources falling into the unconditional publication category can be directly obtained by natural persons, legal persons and non-legal person organizations through the government data integrated publication platform, by data download or gateway transfer.

For personal information-type government information resources falling into the conditional publication category, the publishing department shall publish requirements such as technical data use capabilities and security protection measures through the government data integrated publication platform, publish the resources to natural persons, legal persons and non-legal person organizations meeting those conditions (hereafter simply named “data using subjects”), sign a data use agreement with them clarifying the conditions and concrete requirements for data use, and make information relating to the data using subject public to society through the government data integrated publication platform.

Article 79: Personal information government information resource publication usage limitations

In the process of using personal information-type published government information resources, data using subjects shall adopt the necessary technical protection measures, may not use personal information-type published government information resources for the purpose of identifying natural persons, and shall accept supervision and inspection from data publication departments and relevant departments.

For personal information-type government information resources falling into the conditional publication category, data using subjects shall also abide by the conditions and concrete requirements in the data use agreement.

Article 80: Personal information government information resource publication usage feedback mechanisms

Data using subjects shall, in the process of using personal information-type published government information resources, regularly provide feedback on the data use situation to the publishing department, and, where the identifiability of personal information in published government information has been or might have been restored, they shall timely provide feedback to the publishing department.

Article 81: Personal information government information resource publication supervision mechanisms

Government departments shall establish effective supervision structures, to conduct continuous supervision of the usage of conditional publication-type personal information resources.

Article 82: Protection of information subjects’ rights and interests in relation to personal information and government information publication

Where natural persons, legal persons or non-legal person organizations believe that the publication of personal information-type government information infringes an information subject’s lawful rights and interest, they may notify the publishing department through the government information integrated publication platform, and submit related evidence materials.

Where the publishing department, after receiving corresponding evidence material, believes it is necessary, it shall immediately suspend publication, and simultaneously conduct verification. On the basis of the verification result, respective measures of withdrawing data, restoring publication or republication after processing are adopted, and feedback timely provided.

Chapter VI: Supervision and management

Article 83: The duties of cybersecurity and informatization departments

The national cybersecurity and informatization department is responsible for organizing, guiding, coordinating and supervising personal information processing work, and carrying out the following duties:

(1) Guiding and supervising the work of local cybersecurity and informatization departments, personal information processing certification bodies and personal information processing organizations;

(2) Individually or jointly with local cybersecurity and informatization departments conducting supervision and inspection of information businesses’ personal information processing work;

(3) Coordinating all competent State Council departments in launching personal information processing law enforcement work, regularly or temporarily convening the Interministerial Joint Conference to Stimulate Personal Information Protection;

(4) Organizing surveys and assessments of the personal information processing situation, and publishing assessment reports;

(5) Publishing and revising full national and local personal information processing lists, approving and revising foreign personal information processing symbol lists;

(6) Representing the country in international personal information processing cooperation with other countries and international organizations;

(7) Other duties and powers provided in laws and administrative regulations.

Local cybersecurity and informatization departments are responsible for, according to this Law and with the authorization of the national cybersecurity and informatization department, organizing, guiding, coordinating and supervising personal information processing work within their localities, and carrying out duties corresponding to those of the national cybersecurity and informatization department.

Article 84: Sectoral organizations

Relevant sectoral organizations shall voluntarily establish sectoral associations according to the law for information subjects and information businesses, to strengthen sectoral self-discipline and management, be responsible for approval of sectoral personal information processing symbols and certification, as well as to receive complaints from information subjects, organize supervision and inspection of their members, assist relevant competent departments with compliance inspections, etc. and stimulate the healthy development of the sector.

Article 85: News supervision

News media shall launch public interest propaganda on personal information processing law, regulation as well as personal information processing standards and knowledge, and conduct public opinion supervision on unlawful personal information processing acts. Personal information processing-related propaganda reports shall be accurate and fair.

Where information businesses and government departments conduct major affairs concerning personal information processing, they shall actively accept news media public opinion supervision, and timely publish related information to news media through news conferences, journalist receptions, news releases, communiqués, Internet sites and other such channels.

Article 86: Social supervision

Personal information processing organizations, consumer rights protection organizations and other such public interest organizations will lawfully conduct social supervision over acts violating the provisions of this Law and infringing information subjects’ lawful rights and interests.

Personal information processing organizations, consumer rights protection organizations and other such public interest organizations may provide information protection education and consulting to information subjects, and may provide reflections and suggestions to relevant departments concerning questions such as the protection of information subjects’ lawful rights and interest, etc., and participate in hearing processes, etc., concerning laws, administrative regulations, normative documents, and standard formulation related to protecting information subjects’ lawful rights and interests.

Article 87: Citizen participation

Any organization or individual has the right to report unlawful personal information processing acts, lawfully supervise and stimulate information businesses and government departments to abide by this law and other personal information processing-related laws and administrative regulations, and to put forward opinions and suggestions concerning personal information processing work.

Chapter VII: Relief

Article 88: Relief channels

Where an information subject believes an information business’ personal information processing activities harm their lawful rights and interests, they may resolve the matter through the following channels:

(1) Consultation with the information business;

(2) Requesting mediation through a personal information processing organization or other lawfully established mediation organization;

(3) Filing a complaint with a sectoral organization to which the information business belongs;

(4) Filing a complaint with a relevant competent department;

(5) Requesting arbitration by an arbitration body on the basis of an arbitration agreement reached with the information business;

(6) Filing a lawsuit with a People’s Court.

Article 89: Preference for consultation with information businesses

Where information subjects [believe] their lawful rights and interests are harmed when information businesses conduct personal information processing, they have the right to notify the information business to cease the infringement or demand compensation from the information business, and resolve the matter through consultation.

Where an information business receives notification from an information subject and refuses to deal with the matter, or has not dealt with it within the time limit, or the information subject believes that the outcome provided by the information business is unreasonable, the information subject may choose other dispute resolution methods provided in Article 88 of this Law.

Article 90: Mediations by personal information processing organizations or other lawfully established mediation organizations

Personal information processing organizations or other lawfully established mediation organizations may lawfully accept complaints from information subjects against information businesses, notify the information business under complaint, conduct investigation about the matter under complaint, and conduct mediation between the information subject and information business on a voluntary, lawful, reasonable and fair basis, based on the facts and evidence.

Concerning complaints with complex content or relatively large disputes, the aforementioned mediation organizations may handle the matter jointly with the sectoral association to which the information business belongs, or relevant competent departments; major complaints with a broad area of involvement, endangering the rights and interests of the broad information subjects, or harming an information subject’s rights and interests with grave circumstances, shall be timely reported to the relevant competent department, cessation and timely punishment of the information business demanded, and it is permitted to expose and criticize this through mass propaganda media.

Article 91: Sectoral organizations

Related sectoral organizations shall, according to their Charters, supervise that association’s members in implementing the association’s behavioural norms, and accept complaints from information subjects against member information businesses, stimulating the healthy development of the sector.

Article 92: Competent authorities’ complaints reception mechanisms

Where competent departments at any level receive a complaint from an information subject falling into the scope of duties of that department, they shall accept it and timely investigate, verify, handle and provide feedback on it; where it does not fall into that department’s scope of duties, they shall timely notify the information subject and transfer it to a relevant department for investigation, verification, handling and feedback; where it involves multiple competent departments, the matter shall be timely notified to the same level’s cybersecurity and informatization department, which will coordinate the related competent departments to investigate, verify, handle and provide feedback on it.

All levels’ competent departments as provided in the previous Paragraph shall handle the matter within 7 days after receiving the complaint and notify the information subject.

Article 93: Joint litigation

Where the number of information subjects subject to harm due to personal information processing activities by an information business is high, the information subjects may lawfully choose a representative to engage in joint litigation.

Article 94: Public interest litigation

All provincially, autonomous regionally and municipally established personal information processing organizations, consumer rights protection associations and other such social organizations may file lawsuits with a People’s Court concerning acts infringing the lawful rights and interests of large numbers of information subjects.

People’s Procuratorates may, when discovering in the process of exercising their duties, acts harming the lawful rights and interests of large numbers of information subjects, under circumstances where there is no suitable subject or a suitable subject has not filed a lawsuit, file a lawsuit with a People’s Court.

Article 95: Administrative relief

Where information subjects believe government departments’ personal information processing activities violate the provisions of this Law and other laws and administrative regulations, infringing their lawful rights and interest, they may file a complaint or report with the corresponding competent department, and may lawfully apply for administrative redress or file an administrative lawsuit.

Chapter VIII: Legal liability

Article 96: Information businesses’ administrative liability for not carrying out personal information security protection duties

Where an information business violates the provisions of this Law by insufficiently implementing its personal information security protection duties, and relatively large personal information security risks exist, the cybersecurity and informatization departments or relevant competent departments will order rectification and issue a warning; where rectification is refused or personal information security incidents occur, a fine of 1 per cent or more but less than 5 per cent of its turnover of the previous year within the Chinese borders will be imposed, and the directly responsible management personnel will be subject to a fine of 5,000 Yuan or more but less than 50,000 Yuan.

Article 97: Information businesses’ administrative liability for infringing information subjects’ lawful rights and interests

Where an information business violates the provisions of this Law by infringing information subjects’ right to lawful protection of their personal information, the cybersecurity and informatization departments or relevant competent departments order rectification, and may singly or additionally issue a warning, confiscate unlawful income, and, in view of the circumstances, impose a fine of 1 per cent or more but less than 5 per cent of its turnover of the previous year within the Chinese borders; the directly responsible management personnel will be subject to a fine of 10,000 Yuan or more but less than 100,000 Yuan; where circumstances are grave, they are permitted to order temporary cessation of related operations, cessation for rectification, closure of websites, revocation of related operational permits or revocation of business licences.

Article 98: Administrative liability for unlawful commercial and marketing activities

Where an information business violates the provisions of this Law by sending commercial and marketing information to information subjects without implementing behavioural norms for commercial and marketing activities, the competent departments for telecommunications will punish the matter according to relevant State laws and administrative regulations.

Article 99: Other legal liability

Where an information business violates the provisions of this Law, resulting in harm to information subjects or other persons, they will bear civil liability according to the law.

Where an information business violates the provisions of this Law, constituting an act violating public order management, public order management punishment will be imposed according to the law; where it constitutes a crime, criminal liability will be prosecuted according to the law.

Article 100: Social credit records

Acts by information businesses violating the provisions of this Law will be entered into their credit file according to provisions of relevant laws and administrative regulations, and this will be published.

Article 101: Government departments’ legal liability

Where a government department violates the provisions of this Law by not implementing personal information security protection duties, the government department of one level higher will order rectification; where circumstances are grave, the responsible leading personnel and directly responsible personnel will be disciplined according to the law.

Where a government department violates the provisions of this Law by infringing the right of information subjects’ personal information to receive lawful protection, the government department of one level higher will order rectification; where circumstances are grave, the responsible leading personnel and directly responsible personnel will be disciplined according to the law; where it constitutes a crime, criminal liability will be prosecuted according to the law.

Article 102: Foreign information businesses’ legal liability

Where a foreign information business violates the provisions of this Law by infringing the right of Chinese citizens’ personal information to receive lawful protection, resulting in grave consequences, legal liability will be prosecuted according to the law; the State Council public order department and relevant departments may also decide to adopt freezing of assets or other necessary punitive measures against the foreign information business.

Chapter IX: Supplementary provisions

Article 103: Terminology definitions

The terms used in this Law are defined as follows:

(1) Information subject, refers to a particular living natural person who can be identified through a name, date of birth, identity card number, personal biological identification information, address, telephone number and other such personal identity codes, etc.

(2) Sensitive personal information, refers to personal information that, due to its nature, content or relation to the information subject’s core privacy, or once it is leaked or abused, may harm the information subject’s personal and property security or trigger discriminatory and other such harmful consequences for information subjects.

(3) Information business, refers to legal persons and non-legal-person organizations other than government departments that conduct one or more of the following activities: personal information collection, use, treatment and transmission; natural persons who engage, for a commercial purpose, in one or more of personal information collection, use, treatment and other such personal information-related activities shall, within the scope of application of this Law, be considered information businesses.

(4) Government department, refers to government departments as well as undertaking work units and social organizations authorized by laws and regulations to have administrative functions.

(5) Personal information collection, refers to the act of obtaining information subjects’ personal information through electronic, manual or any other means and recording it.

(6) Personal information use, refers to using personal information for a specific purpose other than personal information treatment.

(7) Personal information treatment, refers to the compilation, encoding, encryption, de-identification, storage, comparison, mining and other such operations performed on personal information.

(8) Personal information provision, refers to transmitting a data copy of collected or treated personal information to other persons, or providing them with data access, retrieval, etc.

(9) Personal information sharing, refers to the process of providing personal information to other persons, where both sides separately have independent control rights over the personal information.

(10) Personal information transfer, refers to the process of transferring personal information control rights to others.

(11) Personal information export, refers to operations providing access channels, etc., to citizens, legal persons or other organizations outside of the borders of the People’s Republic of China, enabling them to process personal information stored on servers within the borders of the People’s Republic of China; or providing personal information copies stored on servers within the borders of the People’s Republic of China to citizens, legal persons or other organizations outside the borders of the People’s Republic of China, enabling them to obtain the aforementioned personal information.

(12) De-identified processing, refers to the process of technologically processing personal information so that, without the aid of additional information, the personal information subject cannot be identified.

(13) Anonymized processing, refers to technologically processing personal information so that personal information subjects can no longer be identified or contacted, and so that, on the basis of current technology levels and reasonable cost considerations, the processed information can no longer reasonably identify the information subject. Information that has undergone anonymized processing is no longer considered personal information.

(14) Personal information processing, refers to any operations conducted on personal information, including collection, use, treatment, sharing, transfer, cross-border transfer, de-identification, anonymization, etc.

Article 104: Application by reference by other State bodies

Where authority bodies, judicial bodies, prosecutorial bodies, military bodies and other such State bodies are involved in citizens’ personal information processing matters, except where otherwise provided in laws and administrative regulations, the relevant provisions of this Law shall be followed.

Article 105: The application of international treaties

Where an international treaty concerning personal information processing that the People’s Republic of China has concluded or participated in contains provisions different from this Law, the provisions of the international treaty apply, except for articles on which the People’s Republic of China has stated a reservation.

Article 106: Date of validity of the Law

This Law will take effect on (day, month, year).

