
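JunHe Legal Commentary | The Interpretation by the Supreme People's Court and the Supreme People's Procuratorate Brings New Challenges for Enterprise Information Compliance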

 abubaba 2017-05-31





Although China currently has no omnibus personal information protection law, relevant provisions are scattered throughout several laws, administrative regulations and departmental rules, violation of which may lead to civil and administrative liabilities. As for criminal liability, Amendment (VII) to the Criminal Law, effective since 28 February 2009, added Article 253A to establish the “crime of selling or illegally providing personal information of citizens” and the “crime of illegally obtaining personal information of citizens”. Amendment (IX) to the Criminal Law in 2015 combined these two crimes into the “crime of infringing on citizens' personal information”, expanded the scope of application of this offense from specific industries and areas, such as employees of financial institutions, telecommunication companies, and education or medical institutions, to all individuals and entities, and increased the maximum penalty that may be imposed for a violation [1]. In practice, however, the elements that this criminal offense requires are not entirely clear. In particular, in this digital age, the ways enterprises in various industries use data are developing rapidly and are in many respects experimental, and whether those practices may cross the line and give rise to criminal liability remains very much a grey area.


On May 9, 2017, before the Cybersecurity Law formally takes effect on June 1, 2017, the Supreme People's Court and the Supreme People's Procuratorate promulgated the Interpretation by the Supreme People's Court and the Supreme People's Procuratorate on Issues Concerning the Application of Law in Handling Criminal Cases of Infringing on Citizens' Personal Information (hereinafter the “Interpretation”) [2] and relevant typical cases [3]. The Interpretation will become effective at the same time as the Cybersecurity Law. For the first time, the Interpretation sets out relatively specific conditions for “the crime of infringing on citizens' personal information”, which is significant for defining and determining the scope of criminal liability. Below we analyze several provisions that we consider likely to have a significant influence on enterprises' personal information compliance practice.


I. Clarifying the Scope of “Violation of the Relevant State Provisions”


The criminal conduct covered by “the crime of infringing on citizens' personal information” includes “selling or providing citizens' personal information to others in violation of the relevant state provisions” and “stealing or illegally obtaining citizens' personal information by other methods”. With respect to the former, “violation of the relevant state provisions” is a precondition for the crime. Currently, China's rules on personal information are scattered throughout a large number of laws, administrative regulations, departmental rules and normative documents. As a result, the scope of “the relevant state provisions” substantially affects whether or not a violation is considered a crime.


Article 96 of the Criminal Law provides that “‘violation of State Provisions’ as mentioned in this Law refers to violation of the laws enacted or decisions made by the National People's Congress or its Standing Committee and the administrative regulations and rules formulated, the administrative measures adopted and the decisions or orders promulgated by the State Council.” The scope of “state provisions” in Article 96 of the Criminal Law does not include local regulations or departmental rules. Article 2 of the Interpretation, however, clearly provides that “violation of the relevant state provisions” refers to “violation of the laws, administrative regulations and departmental rules in relation to the protection of citizens' personal information”. It thus includes departmental rules and broadly covers the protection requirements that current laws and regulations impose for different industries and different types of personal information. This substantively raises the minimum standard of compliance for enterprises in information protection, and enterprises should take it into account when setting up internal compliance rules and policies. How judicial authorities will determine the relevant state provisions in practice is also worth monitoring closely, in order to stay alert to the elements that constitute the crime.


II. Clarifying that Providing Citizens' Personal Information without Consent Constitutes a Crime


Before the promulgation of the Interpretation, Section 1 of Article 253A of the Criminal Law was generally construed in judicial practice as covering illegal selling. For example, the seven typical criminal cases regarding infringement on citizens' personal information, published at the same time as the Interpretation, all concern the illegal selling or purchasing of citizens' personal information. It was unclear whether an enterprise would incur criminal liability by providing personal information, legally obtained in the course of normal business activities, to a third party for free, through cooperation or by transfer.


Article 3 of the Interpretation explicitly provides that “providing citizens' personal information which was legally collected to others without the consent of the persons from whom it was collected” also falls within “providing citizens' personal information” under Article 253A of the Criminal Law. In practice, the content and form of consent will give rise to many disputes, given the lack of clear requirements under the law. In addition, Article 3 of the Interpretation carries over a provision of the Cybersecurity Law: when personal information is provided to others, an exception applies where “the information has been processed in a manner that it is impossible to identify a specific person and it cannot be restored”, in which case the consent requirement does not apply. Personal information can therefore be provided lawfully either with prior consent or after anonymization. Where it is difficult for an enterprise to obtain supplementary consent from the subjects of the personal information, or hard to prove that prior consent was obtained, anonymization is one approach to mitigating legal risk. However, the standards for anonymization remain unclear at this stage.


III. Expansion of the Concept of “Illegally Obtaining Citizens' Personal Information by Other Methods”


In previous cases of crimes of infringing on citizens' personal information, the form of provision found to be criminal was usually illegal selling, and the common form of illegal obtaining was purchasing personal information. Article 4 of the Interpretation gives a clearer definition: in addition to purchasing, receiving, exchanging, and collecting personal information in the course of performing duties or providing services, without the consent of the subjects of the information, are all expressly regarded as illegally obtaining personal information.


IV. Our Observation


The Interpretation will become effective on June 1, 2017, together with the Cybersecurity Law. The Cybersecurity Law raises the protection of network operation security and information security to the level of law, while the Interpretation further establishes, from the perspective of criminal liability, the most basic boundaries of legal responsibility for personal information protection. However, the Interpretation reads Article 253A of the Criminal Law rather broadly, which leaves certain ambiguities in distinguishing crime from non-crime. For example, the specific requirements for “consent” before information is collected are not clear; how the definition of “whereabouts and tracks” as part of personal information is to be interpreted is not clear; and specific enforcement and sentencing remain to be determined. These questions are left to be explained and resolved in judicial practice.


We understand that the Interpretation and the Cybersecurity Law, once effective, will greatly increase enterprises' compliance obligations in relation to data protection and cybersecurity protection. Enterprises need to strengthen internal management, improve their employees' compliance awareness, and closely follow further developments in data protection laws and regulations and their implementation.


1. http://www./law-reviews/192

2. http://www.chinacourt.org/law/detail/2017/05/id/149396.shtml

3. http://www.chinacourt.org/article/detail/2017/05/id/2852365.shtml

