
Published: Thu Dec 29 16:43:44 CST 2022. Contributors: Wang Xiaoxin (王晓鑫) and Yao Qingyuan (姚青原)
On 20 August last year, China formally passed the Personal Information Protection Law (hereinafter the PIPL), which came into force on 1 November of the same year. The PIPL aims to protect citizens' personal information interests at the institutional level, and to that end it lays down corresponding rules for those who process personal information. In the big data era we live in, online platforms process large amounts of personal information, and against the background of the new law, new types of disputes will arise between online platforms and their users. This article discusses online platforms' obligations to protect personal information after the new law's enactment, with a view to reducing such disputes.
Scope of protection under the PIPL
Article 4 of the PIPL provides: “Personal information is all kinds of information, recorded electronically or by other means, relating to identified or identifiable natural persons, excluding anonymised information.” Anonymisation here means processing personal information by technical means so that it can no longer be used to identify a specific natural person and cannot be restored; the corresponding concept of “de-identified” information refers to information that, after technical processing, can still identify or be linked to the corresponding subject with the help of additional information. Anonymised information is not personal information, whereas de-identified information still is. Accordingly, the personal information discussed in this article refers only to information that has not been anonymised; where an online platform uses anonymised information, that use does not fall within the scope of the PIPL.
The position of online platforms
Under the PIPL, internet platforms are personal information processors: they are responsible for their personal information processing activities and must ensure the security of the personal information they process. As network service providers, online platforms serve network users on the basis of the internet environment and internet information technology; on the platform, different users interact or transact using the facilities the service provider offers, while the platform itself does not substantively intervene.
Online platforms process large amounts of personal information while providing services, and in doing so they should:
1. Formulate internal management rules, standardise the procedures by which staff handle user information, and define staff members' information-processing permissions;
2. Apply security measures such as encryption and de-identification, with classified management of users' personal information;
3. Regularly carry out internal control work such as compliance reviews and risk control assessments;
4. Where leakage, tampering or loss of users' personal information may occur or has occurred, immediately take remedial measures on their own initiative to minimise harm to users.
Supervision of online platforms
Under the PIPL, the bodies supervising online platforms are mainly the general public and the national cyberspace administration. Article 58 of the PIPL provides: “Personal information processors that provide important internet platform services, have a huge number of users and operate complex business types shall fulfil the following obligations: … (4) regularly publish social responsibility reports on personal information protection and accept public supervision.”
Under this provision, online platforms should regularly publish reports to the public on the above four obligations and accept public supervision. The national cyberspace administration is responsible for the overall coordination of supervision and administration of personal information protection, and its supervision should include:
1. Investigating and handling user information leakage incidents;
2. Regularly organising external assessments and investigations of online platforms;
3. Formulating specific protection rules, standards and the like;
4. Supporting the research, development, promotion and application of secure and convenient technologies for managing electronic personal information.
Person in charge and officer
The PIPL refers to a “person in charge of personal information protection”, who is mainly responsible for supervising personal information processing activities and the protective measures taken for personal information. The EU's General Data Protection Regulation (GDPR) has a similar “data protection officer”, but this officer differs from the person in charge above: the officer's main work is to report to the enterprise's management on matters such as the compliance and potential risks of the enterprise's personal information protection work.
The person in charge is responsible for supervising how the personal information data processed by the online platform is handled and what protective means are adopted, whereas the officer's duties lean more towards giving management guidance on the platform's personal information protection work. Establishing an officer helps an online platform build a sound personal information protection mechanism; the officer's duties complement those of the person in charge and are consistent with the platform obligations described above.
Conclusion
The PIPL was enacted against a background in which information is increasingly a core competitive resource for nations and individuals, and with the development of the internet economy, online platforms' protection of users' personal information has become a hot topic. As the direct processors of users' personal information, online platforms should start by improving their internal user information management systems, establishing regular risk control and internal review mechanisms, and complying with supervision by society and competent government authorities; they may also, by reference to the GDPR, appoint an officer who reports promptly to management on risks that may arise from the platform's processing of user information, so as to avoid harm to users' personal information. As the supervisory authority for personal information protection, the national cyberspace administration should formulate specific rules and standards for personal information protection in accordance with the PIPL.
Online platforms’ data protection obligations under PIPL
In the big data era, online platforms process a large amount of personal information. After the promulgation of the Personal Information Protection Law (PIPL), new types of disputes are set to emerge between online platforms and their users. This article focuses on online platforms’ obligations to protect personal information, in order to reduce the occurrence of these disputes.
PIPL SCOPE OF PROTECTION
Aiming to protect the personal information interests of citizens at the institutional level, the PIPL sets out relevant provisions to regulate personnel in charge of processing personal information. According to article 4 of the PIPL: “Personal information refers to various information related to identified or identifiable natural persons recorded electronically or by other means, and does not include anonymised information.”
In terms of technical processing, “anonymised” information is information that can no longer be used to identify a specific natural person and cannot be restored, whereas “de-identified” information is information that can still be used to identify, or be associated with, the information subject with the help of additional information. Anonymised information is not personal information, but de-identified information is. Personal information discussed in this article refers to non-anonymised information. If online platforms have used anonymised information, that use does not fall under the jurisdiction of the PIPL.
WHERE ONLINE PLATFORMS STAND
According to the PIPL, online platforms are personal information processors and therefore shall be responsible for the processing of personal information and ensure its security. Online platforms are service providers serving users within the context of the internet environment and using internet information technology. Users interact or transact by relying on the convenience provided by the online platforms, but the platforms themselves do not substantively become involved in those activities.
As online platforms process a significant amount of personal information during the provision of services, they should:
1. Establish internal management rules to regulate staff procedures in handling user information, as well as their access to such information;
2. Adopt security measures, such as encryption and de-identification, for the classification and management of users’ personal information;
3. Regularly conduct compliance reviews, risk control assessments and other works of internal control; and
4. Take immediate remedial measures against any potential or existing leakage, tampering or loss of users’ personal information, and mitigate any potential damage to users to the greatest extent.
REGULATING ONLINE PLATFORMS
According to the PIPL, online platforms are mainly supervised by the public and the national cyberspace administrative authorities. Article 58 of the PIPL provides that: “Personal information handlers providing important internet platform services, that have a large number of users, and whose business models are complex shall fulfil the following obligations: … (4) Regularly release personal information protection social responsibility reports, and accept society’s supervision.”
Accordingly, online platforms should regularly publish reports accessible to the public regarding the above-mentioned obligations and be subject to public supervision. The national cyberspace administrative authorities are responsible for co-ordinating the supervision and management of personal information protection, which takes the following forms:
1. Investigating and handling incidents of leakage of user information;
2. Regularly organising external evaluation and investigation for online platforms;
3. Formulating specific rules and standards for personal information protection; and
4. Supporting research on developing, promoting and applying secure and easy-to-use technologies for the management of electronic personal information.
DESIGNATED PERSONNEL
The PIPL makes reference to a person in charge of personal information protection, who is mainly responsible for supervising the processing of personal information and the measures taken to protect personal information. The EU’s General Data Protection Regulation (GDPR) features a similar role called the “data protection officer”, but it differs from the person in charge in key areas. The officer’s main responsibility is to report the compliance issues of, and potential risks to, the protection of personal information to corporate management. The person in charge is mainly responsible for supervising the personal information processing methods and protection measures adopted by the online platforms. The officer, however, is more inclined to provide the management team with guiding opinions on the personal information protection work of the online platforms. The appointment of the officer will help online platforms establish a sound personal information protection mechanism, as its duties will complement those of the person in charge and also comply with the obligations of online platforms.
CONCLUSION
The PIPL has been promulgated at a time when information is increasingly becoming a core resource in national and individual competition, and with the development of the internet economy, the protection of user personal information by online platforms has become a heated topic.
As direct processors of users’ personal information, online platforms should begin improving their internal user information management systems, set up a regular internal review mechanism for risk control, and abide by supervision from society and competent government authorities.
In addition, they may create a role similar to the data protection officer under the GDPR, one that timely reports to management on potential risks arising from the processing of users’ personal information, so as to prevent any damage to the information. As the supervisory authority of personal information protection, the Cyberspace Administration of China is expected to formulate specific rules and standards for personal information protection in accordance with the PIPL.
About the authors
Wang Xiaoxin (王晓鑫) is a senior consultant at the Beijing Arbitration Commission/Beijing International Arbitration Centre. Yao Qingyuan (姚青原) also contributed to this article.
This article was published in the October 2022 issue of China Business Law Journal (《商法》). To read the electronic version, please visit the journal's official website.