It has been nearly four months since the Personal Information Protection Law (the "PIPL") took effect on 1 November 2021. The new law not only imposes higher compliance requirements on companies; regulators have also stepped up enforcement in recent months. Experts share the latest enforcement developments in this field and their advice to affected companies.
In the information age, data is a key factor of production, and the circulation of personal information needs supporting laws to protect it. As China's first law dedicated to regulating the protection of personal information, the PIPL responds proactively to issues of wide public concern.
The law establishes principles such as processing personal information in the way that has the least impact on individual rights and interests and not collecting personal information excessively, and it explicitly prohibits "shashu", the practice of charging existing customers more on the basis of their data. In addition, the PIPL imposes severe administrative penalties on violating companies, with fines of up to 50 million yuan or up to 5 percent of the previous year's turnover, making it one of the rare laws that set fines by reference to turnover.
Since the law was promulgated, regulators have also stepped up enforcement. For example, the Ministry of Industry and Information Technology (MIIT) has publicly named and ordered the removal of hundreds of apps whose products or services violated the PIPL, for reasons such as requesting permissions beyond their scope or at high frequency, and collecting users' personal information not necessary for the service scenario.
Strong enforcement: companies should self-audit their compliance
The implementation of the new law has a huge impact on companies for which data collection and processing is a core part of production.
"National and local cyberspace administrations and the National Computer Virus Emergency Response Center have stepped up investigations and penalties against apps; 23 key internet companies including Huawei, NetEase, OPPO and vivo were subjected to on-site inspections; and the Bank of East Asia, the Bank of Beijing and several other banks were fined for non-compliance in personal information protection." This is how Li Lanlan, partner at Guangdong Zhuojian Law Firm, describes the strict enforcement measures taken since the law took effect.
"The Cyberspace Administration, the MIIT, the Ministry of Public Security, the Administration for Market Regulation and other relevant authorities have all actively promoted the implementation of the PIPL within their respective areas of responsibility."
- Guo Bingna, White & Case
Guo Bingna, partner at White & Case, points out that the Cyberspace Administration, the MIIT, the Ministry of Public Security, the Administration for Market Regulation and other relevant authorities have all actively promoted the implementation of the PIPL within their respective areas of responsibility.
Raymond Wang, partner at Shihui Partners, has also felt the unprecedented intensity of enforcement. He notes that, taking the several leading technology companies his firm serves as an example, they generally received rectification requests around the time the PIPL took effect. Only a few technology companies were publicly named, but this put considerable compliance pressure on the others.
Beyond regulators and the judiciary, media scrutiny has also driven implementation of the law.
Wang points out: "Around the time the PIPL took effect, several mainstream media outlets ran hands-on tests of leading companies' apps and published in-depth reports on scenarios in which personal information is easily leaked. This had a great public impact and pushed many companies to improve their products and internal control processes."
Since the PIPL took effect, the number of related lawsuits has also risen. Wang notes that litigation targeting large companies has increased considerably, and many of the complaints invoke mechanisms newly introduced by the PIPL, such as the right to deletion.
"In addition to civil lawsuits brought by individuals as plaintiffs, public interest litigation in the personal information field brought by procuratorates and consumer associations has also increased markedly; more than 20 provinces have explicitly required procuratorates to actively and prudently pursue public interest litigation in the field of personal information protection," Wang adds.
"Litigation targeting large companies has increased considerably, and many of the complaints invoke mechanisms newly introduced by the PIPL... Public interest litigation in the personal information field brought by procuratorates and consumer associations has also increased markedly."
- Raymond Wang, Shihui Partners
The deterrent effect of enforcement, together with society's growing awareness of data compliance, has led many companies to take personal information protection more seriously.
According to the 2021 National Mobile App Third Quarter Security Research Report, in sample testing of mobile apps nationwide for personal information compliance, 56.87 percent of apps "collected personal information in violation of regulations", 55.6 percent "collected personal information beyond scope", and 19.16 percent exhibited "forced, frequent or excessive permission requests".
Now, when users open an app on their phone, they find that many apps have revised their privacy policies and display a "privacy protection notice" pop-up reminding them to read the updated policy. He Wei, partner at Hylands Law Firm, points out that many internet companies have updated their privacy policies to meet the PIPL's requirements, and financial institutions have likewise upgraded their technical protection measures in line with the new rules.
Li Lanlan also tells ALB that since the new law took effect, many companies have self-audited their apps, mini programs and SDKs at both the compliance and technical levels, and have engaged law firms and other third-party professional organisations to carry out personal information impact assessments and compliance improvement work.
Among small and medium-sized enterprises, however, the picture is different. Li finds that some SMEs, weighing the cost, still take their chances on legal compliance. She also notes that whether companies are willing to invest in compliance is tied to some extent to the strength of enforcement.
Li gives an example: "The 'Didi incident' happened before the new law took effect, and at that time many companies proactively carried out compliance work. After the law took effect, because they did not see concrete penalties from regulators, many companies instead relaxed their compliance awareness."
Three laws working together in data security
In the data security field, the PIPL combines with the already effective Cybersecurity Law (the "CSL") and Data Security Law (the "DSL") to form a three-law framework in which the laws overlap yet remain distinct.
The differences between the three laws are reflected first in their legislative purposes and the subjects they regulate. He Wei stresses that the CSL emphasises safeguarding cyberspace sovereignty and network security and focuses on the comprehensive governance of cyberspace; the DSL focuses on safeguarding data security and revolves mainly around regulating data processing activities; and the PIPL emphasises protecting personal information rights and interests by regulating personal information processing activities.
Raymond Wang believes that the CSL and the DSL currently share the characteristic of being more principle-based, with a series of supporting regulations to follow that will implement the legal obligations in detail, whereas the PIPL's provisions are relatively detailed and have much in common with international rules.
On penalties, Li Lanlan explains that the CSL currently provides for fines of up to 1 million yuan, the DSL for fines of up to 10 million yuan, and the PIPL for fines of up to 50 million yuan or up to 5 percent of the previous year's turnover; the PIPL also adds rules such as public disclosure of violations in credit records and a ban on responsible persons serving as directors, supervisors or senior managers.
Guo Bingna believes the three laws will "together build China's legal framework for data security."
The PIPL reshapes internet companies
The PIPL undoubtedly imposes higher requirements on the personal information protection compliance systems of internet platform companies. Raymond Wang says: "The PIPL has raised the compliance baseline from multiple angles, so that some of the past top performers in compliance only barely pass now that the law is out. The challenge for large companies, especially internet platforms, is all-encompassing."
Li Lanlan explains that Article 58 of the PIPL specifically addresses internet platform companies, requiring them to establish and improve a personal information protection compliance system in accordance with national regulations, and to set up an independent body composed mainly of external members to supervise personal information protection.
Guo Bingna adds: "Internet platform companies need to promptly update the privacy policies of their platforms and apps and bring their privacy interfaces into compliance, including informing users how to exercise their personal information rights, responding to and acting on user requests to withdraw consent and to delete, copy and transfer personal information, and providing users with a way to turn off automated decision-making."
Guo notes that under the new law, internet platform companies will face compliance challenges such as how to obtain individual consent conveniently and efficiently, and separate consent where the law requires it; how to jointly process personal information with third parties or entrust third parties to process it; and how to transfer personal information across borders.
But implementing these legal obligations is also constrained by many practical factors, such as technical difficulty, business models and industry practice. Raymond Wang says: "In some situations, how to obtain separate consent or achieve anonymisation are specific questions to which no party, including legislators and regulators, yet has a definite answer."
Such adjustments to the business model may affect internet platforms' user retention. "Companies can achieve compliance through product changes, but that raises the problem of affecting user growth and revenue. For example, different settings and wording of a pop-up have a large impact on user retention and conversion, and whether a given approach is the optimal solution within the bounds of compliance is a topic debated repeatedly inside many large companies," Wang points out.
Beyond pop-ups affecting user retention, advertising, as internet platforms' source of revenue, will see its delivery model change under the new law.
"The operations of many internet platforms depend on a profit model of personalised recommended advertising... But after the new law took effect, apps must at the same time offer marketing options not targeted at users' personal characteristics, or provide users with a convenient way to refuse, which greatly affects ad delivery volumes."
- He Wei, Hylands Law Firm
He Wei explains: "Advertising revenue is the main source of income for many internet platforms. The operations of many internet platforms depend on a profit model of personalised recommended advertising."
For example, for a mobile app that lets users read novels for free, the main, or even the only, way to make money is to collect and analyse users' personal information in order to push personalised advertising to them.
After the new law took effect, however, when an app uses automated decision-making to market to users, it must at the same time offer options not targeted at users' personal characteristics, or provide users with a convenient way to refuse. This requirement means such apps can no longer pitch precision marketing as a selling point when seeking advertisers, which greatly affects ad delivery volumes, He Wei says.
Raymond Wang stresses that the rapid product iteration characteristic of internet platforms also imposes higher management demands on companies under the new law. Because large companies' product lines are often complex and their internal organisational structures intertwined, ensuring that basic data protection information is aligned and that the main policies cover everything without blind spots, across both product and department dimensions, is an issue large companies must consider.
Hence, Guo Bingna stresses, internet platforms that provide important internet platform services, have a huge number of users and operate complex business types are at the same time subject to additional responsibilities and obligations.
He Wei also points out that for companies, data compliance is a systematic project that must be implemented at the levels of strategy, organisational structure and corporate policy, on the basis of a full understanding of the legal rules.
More comprehensive assistance
On the help lawyers can offer companies under the new law, Raymond Wang says that in practice lawyers not only help clients understand the legal rules but also provide best practices for reference. "We continually collate the positive and negative examples we encounter in practice, use technical means to track changes in industry compliance solutions, and regularly deliver the results to clients," he says.
Guo Bingna also mentions the importance of global data compliance experience: "Global law firms have data compliance experts across multiple jurisdictions and can draw on compliance experience under, for example, the EU GDPR and the U.S. CCPA to help clients address the legal challenges under the PIPL more effectively. They can also coordinate compliance requirements across different areas for the company and design compliance policies for its global operations."
Beyond helping clients understand the new law more deeply, technology can also be a good helper on this journey.
Large companies look forward to more technology-oriented help. KPMG forecasts that, driven by the new law's data compliance requirements, China's domestic data security technology services market is expected to reach 10 billion yuan by 2023.
Law firms have not fallen behind in this technological transformation. He Wei explains that in the PIPL era, as the increasingly specific personal information protection rules raise compliance requirements for companies, lawyers work with experienced technical teams on data compliance projects, using technical means to identify more comprehensively and completely the problems in a company's personal information processing.
Raymond Wang also affirms the importance of technology for compliance: "[Lawyers] need to help clients automate and make compliance smarter. Before the PIPL was issued, we had already developed, together with a third party, 'Data Audit Treasure', an intelligent risk review tool that helps companies identify risks at a preliminary stage."
Simple technology can save a great deal of labour cost. Wang gives the example of lawyers developing decision-tree-based smart spreadsheets for several large companies. The technology is simple, but it solved the problem of coordination between different departments and reduced the communication cost of compliance.
A NEW ERA FOR DATA COMPLIANCE
It has been nearly four months since the implementation of the Personal Information Protection Law (PIPL), which ushered in heightened compliance requirements and tougher legal enforcement. Experts share the latest enforcement trends and their advice to affected companies.
Data plays a critical role in the age of information, and the circulation of personal information needs to be protected by supporting laws. As China’s first law specifically regulating the protection of personal information, the PIPL represents a proactive response to a topic of great social concern.
The law sets out fundamental principles for the handling of personal information, including requiring that it be handled in a way that has the least impact on the rights and interests of individuals and that it not be excessively collected, and protecting against discriminatory pricing based on big data, a practice that generated many complaints among app users.
In addition, the law imposes severe administrative penalties on rule-breaking behaviours of up to $7.89 million yuan ($1.25 million) or up to 5 percent of the violating company’s previous year’s revenue. It is one of the few laws that provide for fines in terms of revenue.
Since its implementation, the Ministry of Industry and Information Technology (MIIT) has requested hundreds of apps be withdrawn because their products or services violate relevant PIPL provisions such as unwarranted and frequent requests for accessing personal information or unnecessary collection of personal information.
STRONGER ENFORCEMENT
The implementation of the new law has a huge impact on companies for whom data collection and processing is an important part of the business.
“National and local cyberspace administrations as well as the National Computer Virus Emergency Response Centre increased the investigation and punishment of apps. Twenty-three key Internet enterprises such as Huawei, NetEase, OPPO, Vivo, etc. were subject to on-site inspections. The Bank of East Asia, the Bank of Beijing and many other banks were fined for non-compliance in personal information protection,” says Li Lanlan, partner at Guangdong Zhuojian Law Firm.
“Departments such as the Cyberspace Administration, the MIIT, the Ministry of Public Security and the Administration for Market Regulation are all actively promoting the implementation of the PIPL in their areas of responsibility.”
- Guo Bingna, White & Case
Guo Bingna, partner at White & Case, points out that departments such as the Cyberspace Administration, the MIIT, the Ministry of Public Security and the Administration for Market Regulation are actively promoting the implementation of the PIPL in their areas of responsibility.
Raymond Wang, partner at Shihui Partners, has also noticed the unprecedented enforcement efforts. Wang says that several of the top-tier technology companies his firm serves received rectification requests before and after the law came into effect.
Although only a few tech companies were publicly notified, those notifications also put greater pressure on others to comply with the law.
In addition, media scrutiny has also driven implementation.
Several mainstream media conducted actual tests of some apps and produced in-depth reports of some scenarios where personal information was easily leaked.
“The coverage had a great public impact and drove many companies to make improvements to their products and internal control processes,” says Wang.
Wang notes that the number of lawsuits targeting large companies has increased, and many cases have invoked new provisions added by the PIPL, such as the right to erasure, in their complaints.
Wang adds that in addition to civil lawsuits in which individuals are plaintiffs, there has been a significant increase in public interest litigation brought by procurators and consumer associations.
“The number of lawsuits targeting large companies has increased, and many cases have invoked new provisions added by the PIPL, such as the right to erasure, in their complaints… There has also been a significant increase in public interest litigation brought by procurators and consumer associations.”
- Raymond Wang, Shihui Partners
“More than 20 provinces have explicitly requested procurators to actively and properly carry out public interest litigation,” says Wang.
Before the new law, personal information processing was regulated loosely.
In testing apps, the 2021 National Mobile App Third Quarter Security Research Report found that 56.87 percent of apps were in violation in relation to the collection of personal information; 55.6 percent of apps collected personal information beyond scope; and 19.16 percent generated forced, frequent and excessive requests for permissions.
Now, when users open certain software on their mobile phones, they will notice a modified privacy policy and a pop-up window with a privacy protection notice to remind them to read the updated privacy policy.
He Wei, partner at Hylands Law Firm, points out that many Internet companies have updated their privacy policies to meet the requirements of the PIPL, and financial institutions have also upgraded their technical protection measures.
According to Li, many enterprises have reviewed their apps, mini apps and software development kits at both compliance and technical levels and hired third-party professional organisations, such as law firms, to conduct personal information impact assessments and compliance improvements.
However, for small and medium-sized enterprises (SMEs), it is a different story.
Li finds that some SMEs, considering compliance costs, still take their chances on legal compliance. The willingness of enterprises to invest in compliance is also related to the strength of enforcement.
"When the Didi incident happened before the implementation of the new law, many enterprises took the initiative to carry out compliance work. But after, many enterprises relaxed their awareness of compliance instead because they did not see specific penalties from regulators," says Li.
DATA SECURITY TRIANGLE
In the field of data security, the PIPL combines with the existing Cybersecurity Law and Data Security Law to form a three-law triangle.
The distinction between the three laws is primarily reflected in their legislative purposes and the areas they regulate.
Li says that the Cybersecurity Law emphasizes the maintenance of cyberspace sovereignty and cybersecurity, focusing on the comprehensive governance of cyberspace, while the Data Security Law focuses on safeguarding data security, which mainly involves regulating data processing activities.
The PIPL, on the other hand, emphasizes the protection of personal information rights and interests by regulating personal information processing activities.
Wang believes that the distinctive feature of the current Cybersecurity Law and Data Security Law is that they are more principle-based and will be followed by supporting regulations that implement the legal obligations in detail, while the provisions of the PIPL are more detailed and have many similarities with international rules.
In terms of penalties, Li says that the three laws differ. The Cybersecurity Law imposes fines of up to 150,000 yuan, the Data Security Law imposes fines of up to 1.5 million yuan, and the PIPL carries fines of up to 7.89 million yuan or up to 5 percent of the previous year’s revenue, and adds provisions for the public disclosure of violators and a prohibition on the person in charge holding the position of director or supervisor.
With all these measures, Guo believes that these three laws will “together build up China’s data security legal protection system.”
RESHAPING INTERNET BUSINESSES
The PIPL undoubtedly imposes higher compliance requirements on Internet platform companies.
“The law has raised the compliance baseline from several angles, making some of the best companies barely pass the baseline after it was introduced. The challenges for large enterprises, especially Internet platforms, are all-encompassing,” says Wang.
According to Li, Article 58 of the new law specifically targets Internet platform companies, stipulating that companies need to establish a sound compliance system to protect personal information in accordance with national regulations and set up an independent body composed mainly of external members to supervise the protection of personal information.
Under the law, Internet platforms need to inform users of how to exercise their personal information rights, respond to and implement users’ requests to withdraw consent and to delete, copy and transfer personal information, among other rights, and provide users with a way to turn off automated decision-making, says Guo.
Guo points out that Internet platform companies will face compliance challenges under the new law such as how to easily and efficiently obtain individual consent, and separate consent where the law requires it; how to jointly handle personal information with a third party or entrust a third party to handle personal information; and how to transfer personal information across borders.
But the implementation of the law is also constrained by many practical factors such as technical difficulties, business models, and industry practices.
“In some cases, how to obtain individual consent or achieve anonymisation have no definite answers from all parties, including the legislators and regulators,” says Wang.
This business model adjustment may have a huge impact on the retention of users. Companies may achieve compliance through product adjustment, but the possible problem is that it will affect user growth and revenue.
“For example, different settings and expressions of a pop-up window will have a great impact on users’ willingness to stay at the app. Whether the practice is the optimal solution with compliance would be repeatedly discussed within many large companies,” Wang points out.
In addition, advertising, as an important source of revenue for Internet platforms, will be largely influenced under the new law.
“Many Internet platforms rely on the profit model of personalised recommended advertising for their business operations. However, after the implementation of the new law, the app is required to provide advertisements that are not personalised or provide users with a convenient way to reject them.”
- He Wei, Hylands Law Firm
“Many Internet platforms rely on the profit model of personalised recommended advertising for their business operations,” says He Wei.
For example, for free novel apps, the main, or even the only, way to profit is by pushing personalised ads to users after collecting and analysing their personal information.
However, after the implementation of the new law, the app is required to provide advertisements that are not personalised or provide users with a convenient way to reject them.
This requirement has led to difficulties for such apps to continue to use accurate marketing as a selling point when seeking advertisers to place ads, says He Wei.
Wang stresses that the new law also brings higher management requirements to companies.
Because the product lines of large companies are often complex, their internal organisational structures are also intertwined. Ensuring that the basic information of data protection can be aligned and that the main systems provide complete coverage without blind spots are issues that large enterprises need to consider, says Wang.
As a result, Guo emphasises that Internet platforms that provide important Internet platform services, have a huge number of users and operate complex business types are subject to more responsibilities and obligations at the same time.
He Wei also believes that data compliance is a systematic project for companies, which needs to be implemented on strategy, organisational structure and corporate systems based on a full understanding of legal rules.
DIVERSIFIED ASSISTANCE
Talking about how to assist companies under the new law, Wang mentions that lawyers should also provide the best practices for enterprises to refer to.
“We constantly collate positive and negative examples we come across in our practice, while adopting technology to track changes in industry compliance programs and share with our clients on a regular basis,” he says.
Guo also mentions the importance of global data compliance experience.
“With data compliance experts across multiple jurisdictions, international law firms can draw on compliance experience under, for example, the General Data Protection Regulation (GDPR) of the EU and the U.S. California Consumer Privacy Act (CCPA) to help clients more effectively address legal challenges. They can also coordinate compliance requirements for the company in various areas and design compliance policies for global operations,” says Guo.
Apart from obtaining a deeper understanding of the laws, technology could also be a good helper in the compliance journey. KPMG expects the domestic data security technology services market to reach 10 billion yuan by 2023 under the new law’s data compliance requirements.
Law firms are also keeping pace in this transformation towards “being smarter.”
He Wei says that now lawyers are actively seeking to cooperate with experienced technical teams to carry out data compliance-related projects.
“Through the combination of law and technology, lawyers will better identify the problems of enterprises in the process of personal information processing,” she says.
Wang also affirms the importance of technology: “Lawyers have to assist clients to automate and intellectualise compliance. Before the introduction of the PIPL, we developed ‘Data Audit Treasure’, a risk-intelligent audit tool, to help companies initially identify risks.”
Sometimes simple technology can save a lot in labour costs.
Wang says their lawyers have helped several large enterprises develop smart sheets, a simple technology that nonetheless solves collaboration challenges between different departments and reduces communication costs in compliance.