Academic paper | 연세법학 | Published 2021.06

中国个人信息保护法的立法进程与重点条款解读

Study on the Legislative Process and Key Articles of Personal Information Protection Bill of the People's Republic of China

란란 (Tianjin University Law School, China); 장팅팅 (Tianjin University Law School, China); 김명자 (Yonsei University)

No. 37, pp. 63-111

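Abstract (translated from Chinese)

Chinese scholarship on personal information protection began relatively early, but the path to actual legislation has been long and tortuous, mainly because of scarce legislative resources, an inadequate conception of protection, and a lack of clarity on several major theoretical issues. Through the efforts of all parties, the draft of China's Personal Information Protection Law was officially published on October 21, 2020, and has now entered the second-review stage. In the future, the Personal Information Protection Law, together with the Cybersecurity Law and the Data Security Law, will form the three pillar laws safeguarding network, data and personal information security in the digital economy era. Article 3, paragraph 2 of the draft establishes the extraterritorial effect of China's personal information protection law, an important sign of China actively responding to the extraterritorial-effect provisions of other countries' personal information protection laws and strengthening its voice in the global digital sphere. Although the draft borrows heavily from the GDPR, the two differ in their specific standards of application; compared with the GDPR, the draft's expansion of extraterritorial effect is more modest and restrained. On the core element for determining what counts as personal information, the mainstream view adopts the identification theory, whereas the draft adopts the relevance theory. Compared with the identifiability standard, the relevance standard is more workable in practice, clearer, and better reflects the principle of balancing the protection and use of personal information. As to how the concept of personal information is expressed, the Personal Information Protection Law adopts a purely general definition without specific enumeration. At the present stage, the law's definition of personal information should adopt a "general definition plus enumeration" model: the general provision can preserve the extensibility of the concept by clarifying its core element, while enumeration gives practice clear guidance for application. Article 29 of the draft defines and specifically enumerates sensitive personal information; in the future, enumeration by category could be considered, such as personal property information, personal health and physiological information, personal biometric information, personal identity information, online identity identifier information, and other information. On the processing of personal information, the draft establishes seven basic principles and provides seven lawful grounds. The second draft, compared with the first, adds "processing personal information that has already been made public, within a reasonable scope in accordance with the provisions of this Law" as the fifth lawful ground for processing, which echoes Article 28 of the draft and takes overall account of the legitimate interests of both personal information subjects and processors. For the processing of sensitive personal information, besides prescribing the preconditions of "a specific purpose" and "sufficient necessity", the draft specifically requires that when sensitive personal information is processed on the basis of consent, the individual's separate consent must be obtained, thereby setting a higher threshold for processing. Following the full life cycle of personal information processing, the draft focuses on four rights of individuals: the right to know and to decide, the right to access and copy, the right to correct and supplement, and the right to delete. Regarding the obligations of personal information processors, particular attention should be paid to the prior risk assessment regime for information processing under Article 54 of the draft. On the cross-border flow of personal information, the draft requires that a processor may provide personal information abroad only on the basis of the individual's separate consent, and lays down strict conditions to be met before provision, reflecting the legislature's cautious attitude toward personal information leaving the country. Regarding supervisory authorities, the model in Article 56 of the draft, "overall coordination by the cyberspace administration plus supervision by the relevant departments within their own remits", basically continues the current decentralized, sector-based supervision model; this fits the tradition of how China's administrative organs are set up and their functions divided, carries a low conversion cost, and also helps sectoral regulators quickly raise the level of personal information protection in their sectors. In the future, specific institutional design should strengthen the level and effectiveness of the cyberspace administration's overall coordination and of sectoral supervision, with a focus on how to supervise effectively where there is no competent department or where there are several. As to legal liability for infringing personal information, Chapter 7 of the draft, on top of dedicated provisions on administrative liability, also provides in Articles 68 and 69, as dedicated articles, for civil tort liability for infringing personal information and for a public interest litigation system respectively, which is a distinctive feature of that chapter.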

Abstract

Research on personal information protection in Chinese academic circles started relatively early, but the actual legislative path has been long and tortuous, mainly because of the scarcity of legislative resources, the inadequacy of protection concepts, and the ambiguity of a number of major theoretical issues. With the promotion and efforts of all parties, the Personal Information Protection Bill was officially announced on October 21, 2020. At present, it has entered the second review stage. In the future, the “Personal Information Protection Law”, the “Cybersecurity Law” and the “Data Security Law” will jointly constitute the three pillar laws for ensuring the security of networks, data and personal information in the digital economy era. The second paragraph of Article 3 of the bill establishes the extraterritorial effect of China's personal information protection law, which is an important manifestation of China's active response to the extraterritorial effect of other countries' personal information protection laws and of the enhancement of China's voice in the global digital field. Although the bill borrows in many places from the provisions of the GDPR, the two differ in their specific applicable standards. Compared with the GDPR, the bill is more modest and restrained in its expansion of extraterritorial effect. Regarding the core requirement for identifying personal information, the mainstream view adopts the identification theory, while the bill adopts the correlation theory. Compared with the identification standard, the relevance standard is more workable and clearer in practice, and can better reflect the principle of balancing the protection and utilization of personal information. Regarding the expression of the concept of personal information, the Personal Information Protection Law adopts a simple generalization model without specific enumeration.
At this stage, the Personal Information Protection Law should adopt the generalization-plus-enumeration model for the definition of personal information. The general provision can ensure the extensibility of the concept of personal information by clarifying the core requirement, and enumeration can provide clear guidelines for application in practice. Article 29 of the bill defines and specifically enumerates sensitive personal information. In the future, classified enumeration may be considered, such as personal property information, personal health and physiological information, personal biometric information, personal identification information, network identification information, among others. Regarding the processing of personal information, the bill establishes seven basic principles and provides for seven lawful reasons. The second draft of the bill adds “processing of personal information that has been disclosed within a reasonable range in accordance with the provisions of this Law” as the fifth lawful reason for the processing of personal information, echoing Article 28 of the bill and taking into account the legitimate interests of the subjects and processors of personal information. Regarding the processing of sensitive personal information, the bill stipulates the preconditions for processing, that is, “specific purposes” and “sufficient necessity”. In addition, it specifically requires that when sensitive personal information is processed on the basis of consent, the individual's separate consent should be obtained. It thus sets a higher threshold for processing. In accordance with the whole life cycle of personal information processing, the draft focuses on four rights of individuals, namely the right to know and decide, the right to access and copy, the right to correct and supplement, and the right to delete. Regarding the obligations of personal information processors, special attention should be paid to the risk assessment in advance of personal information processing activities stipulated in Article 54 of the bill.
Regarding the cross-border flow of personal information, the bill requires processors to provide personal information abroad only on the basis of the individual's separate consent, and stipulates strict conditions that must be followed before providing it, which reflects the legislature's cautious attitude towards the export of personal information. Regarding regulatory authorities, Article 56 of the bill stipulates that the cyberspace administration shall be responsible for the overall planning and coordination of personal information protection work and that the relevant departments shall be responsible for supervision and administration work, which basically continues the current decentralized, industry-based supervision model. This is more in line with the tradition of the establishment and division of functions of administrative agencies in China, and the cost of conversion is relatively small. It also helps industry authorities to raise the level of personal information protection in their industries as soon as possible. In the future, specific system design should be adopted to strengthen the level and effectiveness of the overall coordination by the cybersecurity and informatization departments and of industry supervision. The focus should be on solving the problem of how to supervise effectively where there is no competent department or where there are multiple competent departments. In terms of legal liability for infringement of personal information, the seventh chapter of the bill specifically stipulates administrative responsibilities. On this basis, it also stipulates the civil tort liability for infringement of personal information and the public interest litigation system in the form of special provisions in Article 68 and Article 69 respectively. These constitute a major feature of this chapter.

Publisher: 연세법학회
DOI: http://dx.doi.org/10.33606/YLA.37.3
Classification: Law
