Although China currently has no omnibus personal information protection law, relevant provisions are scattered across several laws, administrative regulations and departmental rules, and violating them may lead to civil and administrative liability. As for criminal liability, Amendment (VII) to the Criminal Law, effective since 28 February 2009, added Article 253A to establish the “crime of selling or illegally providing personal information of citizens” and the “crime of illegally obtaining personal information of citizens”. Amendment (IX) to the Criminal Law in 2015 combined these two crimes into the “crime of infringing on citizens' personal information”. It also expanded the scope of application of this offense from specific industries and areas, such as employees of financial institutions, telecommunication companies, and education or medical institutions, to all individuals and entities, and increased the maximum penalty that can be imposed for a violation [1]. In practice, however, the elements that this criminal offence requires are not entirely clear. In particular, in this digitalized age, the ways enterprises in various industries use data are developing rapidly and are in many respects experimental, and whether those practices cross the line and give rise to criminal liability is still very much a grey area.

On 9 May 2017, before the Cybersecurity Law formally takes effect on 1 June 2017, the Supreme People's Court and the Supreme People's Procuratorate promulgated the Interpretation by the Supreme People's Court and the Supreme People's Procuratorate on Issues Concerning the Application of Law in Handling Criminal Cases of Infringing on Citizens' Personal Information (hereinafter the “Interpretation”) [2] and relevant typical cases [3]. The Interpretation will become effective at the same time as the Cybersecurity Law. For the first time, the Interpretation provides more specific conditions for “the crime of infringing on citizens' personal information”, which is important for defining and deciding the scope of criminal liability. Below we analyze certain provisions that we consider may significantly influence enterprises' personal information compliance practice.

I. Clarifying the Scope of “Violation of the Relevant State Provisions”

The criminal behavior covered by “the crime of infringing on citizens' personal information” includes “selling or providing citizens' personal information to third parties in violation of the relevant state provisions” and “stealing or illegally obtaining citizens' personal information by other methods”. For the former, “violation of the relevant state provisions” is the precondition for the crime. Currently, personal information protection provisions are scattered throughout numerous laws, administrative regulations, departmental rules and normative documents.
As a result, the scope of “the relevant state provisions” substantially affects whether or not a violation can be considered a crime.

Article 96 of the Criminal Law provides: “‘Violation of State Provisions’ as mentioned in this Law refers to violation of the laws enacted or decisions made by the National People's Congress or its Standing Committee and the administrative regulations and rules formulated, the administrative measures adopted and the decisions or orders promulgated by the State Council.” The scope of “state provisions” in Article 96 of the Criminal Law does not include local regulations and departmental rules. Article 2 of the Interpretation, by contrast, clearly provides that “violation of the relevant state provisions” refers to “violation of the laws, administrative regulations and departmental rules in relation to the personal information protection”. This includes departmental rules, which contain broad legal protection requirements for different industries and types of personal information. Enterprises should take this interpretation into account when setting up internal compliance rules and policies, and judicial practice in this area is worth monitoring closely in order to stay alert to the elements that constitute the crime.

II. Clearly Stipulating that Providing Citizens' Personal Information without Consent Constitutes a Crime

Before the promulgation of the Interpretation, Section 1 of Article 253A of the Criminal Law was construed in practice mainly as covering illegal selling. For example, the seven typical criminal cases regarding infringement on citizens' personal information, published at the same time as the Interpretation, all concern illegally selling or purchasing citizens' personal information. It was unclear whether an enterprise would incur criminal liability by providing or transferring personal information that it had legally obtained through normal business activities to a third party for free or by way of cooperation.

Article 3 of the Interpretation explicitly provides that “providing citizens' personal information which was legally collected to others without consent of the citizens” also constitutes “providing citizens' personal information” under Article 253A of the Criminal Law. In practice, the content and form of the consent raise many disputes and debates because the law lacks clear requirements. In addition, the Interpretation adopts a provision of the Cybersecurity Law: when personal information is provided to others, if “the information has been processed in a manner that it is impossible to identify a specific person and it cannot be restored”, it is not subject to the consent requirement for transfer.
In practice, where it is difficult for enterprises to obtain consent from the subjects of the personal information, or hard to prove that prior consent of the subjects has been obtained, anonymization is an approach to mitigating potential legal risks. However, the standards for anonymization are still ambiguous at this stage.

III. Expanding the Concept of “Illegally Obtaining Citizens' Personal Information by Other Methods”

In previous cases of crimes of infringing on citizens' personal information, illegally obtaining was mostly construed as illegally purchasing personal information. Article 4 of the Interpretation gives a clearer definition: without consent from the subjects of the information, receiving, exchanging, and collecting personal information during the performance of duties or the provision of services are all regarded as illegally obtaining personal information.

IV. Our Observation

The Interpretation will become effective on June 1, 2017 together with the Cybersecurity Law. The Cybersecurity Law introduces cybersecurity and information protection requirements at the level of law for the first time, while the Interpretation further clarifies the boundaries of legal responsibility in relation to personal information protection. However, the Interpretation reads Article 253A of the Criminal Law broadly in certain respects, which leaves certain ambiguities between crime and non-crime.
For example, the specific requirement of “consent” before collecting information is not clear; how “whereabouts tracks” are to be defined as part of personal information is not clear; and the specific implementation and measurement of sentencing are subject to practical judicial decisions.

We understand that the Interpretation and the Cybersecurity Law taking effect will greatly increase the compliance duties of enterprises in relation to data protection and cybersecurity protection. Enterprises need to strengthen internal management, improve the compliance awareness of their staff, and remain alert to further developments in data protection laws and regulations and their implementation.

[1] http://www./law-reviews/192
[2] http://www.chinacourt.org/law/detail/2017/05/id/149396.shtml
[3] http://www.chinacourt.org/article/detail/2017/05/id/2852365.shtml