
    Top 5 Operational Impacts of the Personal Information Protection Law, Chapter 4: Penalties and Enforcement Mechanisms

    2022-03-17




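    Abstract: As China's Personal Information Protection Law formally takes effect, the International Association of Privacy Professionals (IAPP), the world's largest and most comprehensive information privacy management community, invited five privacy protection experts to write the China installment of its privacy law interpretation series, "Top 5 operational impacts of China’s PIPL." Attorney Wang Yinan (王一楠), a partner in the Beijing office of k8凯发天生赢家·一触即发, was invited to write Chapter 4, which was published on the IAPP website. In the article, Wang gives a comprehensive reading of the penalty and enforcement mechanisms of China's Personal Information Protection Law across six main aspects: the personal information protection supervisory authorities, administrative penalties, private actions, public interest actions, public security administration and criminal liability, and personal information and important data.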



    The Personal Information Protection Law, the first law dedicated to protecting personal information in China, provides comprehensive penalty and enforcement mechanisms, including administrative penalties, private actions, public interest actions (China’s equivalent of class actions), public security administration, and criminal penalties. Every individual or organization that acts as a data handler, including state organizations as stipulated in Article 33, will be subject to the enforcement of the PIPL.


    Supervisory authorities


    Unlike the EU General Data Protection Regulation and the California Consumer Protection Act, each of which empowers a unified supervisory authority responsible for enforcement, the PIPL assigns this role jointly to multiple governmental departments (the “supervisory authorities”), including the Cyberspace Administration of China (“CAC”), the Ministry of Industry and Information Technology, the Ministry of Public Security, the State Administration for Market Regulation, financial regulators, as well as their respective counterparts at local levels. In this multi-level protection system, the CAC takes a leading and coordinating role, and each relevant department’s supervisory authority over personal information protection is limited to its designated area.


    Article 63 provides certain administrative enforcement powers to the supervisory authorities. The supervisory authorities can conduct several investigatory measures and handlers are obligated to assist and cooperate. The investigatory measures include interviewing relevant parties of a personal information processing activity; viewing and duplicating the parties’ contracts, account books and other relevant materials; conducting on-site inspections; and examining relevant equipment and articles. Among these measures, the sequestration and confiscation of wrongdoers’ equipment or property are the most powerful ones.


    Administrative penalties


    The PIPL creates two tiers of administrative penalties for violations: general ones and grave ones (a term left undefined in the PIPL). Only supervisory authorities at a provincial or higher level have the power to impose penalties for grave violations. For general violations, fines imposed on handlers can reach up to RMB 1 million (approximately $156,000) and on their management officers up to RMB 100,000 (approximately $15,600). For grave violations, fines imposed on companies can reach as high as RMB 50 million (~$7.8 million) or 5% of the previous year's annual revenue, and on their management officers from RMB 100,000 (~$15,600) to RMB 1 million (~$156,000). In addition, the PIPL empowers supervisory authorities to invoke other penalties, including requests for rectification, warnings, disgorgement of profits, suspension of business, or even revocation of the business license. If a grave violation occurs, management officers can be prohibited from holding similar positions in the relevant business for a certain (unspecified) time period. Any violation may also be recorded in China’s credit system and announced to the public.


    Article 65 confers a right on anyone who has knowledge of violations to lodge a complaint or report to the supervisory authorities. This means that, not limited to data subjects, any third party — including a handler’s competitor or a whistleblower — may submit a complaint to the supervisory authorities. Upon receipt of such a report, the supervisory authorities shall take necessary steps in response and provide feedback in a timely manner.


    Private actions


    Before the PIPL came into force, the Civil Code had provided a cause of action for data subjects to seek monetary damages or compensation in court from anyone who infringed their personal information rights. What the PIPL adds in this area is to set forth the burden of proof and the damages for this kind of cause of action. Like the GDPR, once a data subject demonstrates an infringement, the PIPL shifts the burden to the defendant to prove that they are not at fault. This makes it much easier for a data subject to make their case in court. Consequently, handlers will not only have to make compliance efforts but also preserve evidence of what they did, to lower their exposure to potential litigation. In determining damages, courts do not have to limit themselves to data subjects’ actual losses when assessing the amount to award, and may alternatively rely on the gains the handlers obtained from the infringement. If it is difficult to determine either amount, the courts shall then have full discretion in this regard. This is designed to resolve the difficulties data subjects face in showing damages in court when personal information is breached, and it will create a deterrent effect on handlers.


    In addition to the infringement of personal information rights, any refusal of the handler to entertain a data subject’s request to exercise their rights afforded by the PIPL may also give rise to a cause of action under Article 50.


    Public interest actions


    The PIPL establishes that China’s class action equivalent, the public interest action mechanism, applies to the protection of personal information. This expands the scope of this unique mechanism, which has been deployed in areas including environmental protection, consumer protection (including food and drug safety) and state asset protection, among others.


    Like class actions in the United States, a public interest action in China is filed on behalf of a group of people. In this digital era, personal information breach incidents mostly involve a massive number of victims, but it is time-consuming and costly for these data subjects to enforce their respective rights in court on an individual basis. Public interest actions help to resolve this problem by granting standing to a third-party organization. According to Article 70, third-party organizations include the people’s procuratorates (the equivalent of a prosecutor general’s office), statutorily designated consumer organizations, and organizations designated by the CAC.


    One day after the adoption of the PIPL, the Supreme People’s Procuratorate issued an official notice confirming that public interest actions for personal information protection cases will be the focus of its work in the future.


    Public security administration and criminal penalties


    If a handler commits any violation, it may also be subject to public security administration or criminal penalties. Public security administration penalties will be imposed by the public security organs, in accordance with the Public Security Administration Punishments Law of China, when the violation is not severe enough to be subject to criminal liability. Public security administration penalties include warnings, fines and administrative detention. When a violation is severe enough, there are several criminal sanctions for breaches involving personal information under the Criminal Law of China. The most relevant one is “infringement of citizens' personal information,” which imposes criminal sanctions on anyone who, in violation of relevant rules, sells or discloses personal information to third parties. The sanctions imposed by the statute vary depending on the seriousness of the violation. The threshold for a violation to be subject to criminal penalties is relatively low. For instance, a wrongdoer who illegally procures, sells or provides more than 50 pieces of sensitive personal information, such as credit information, will be criminally liable. The most serious violation will result in prison sentences of up to seven years in addition to a fine.


    Article 64 provides that the supervisory authorities, when performing their administrative enforcement duties, shall promptly transfer any violation with the potential to be a criminal offense to police authorities. In practice, this would to some extent expand the scope of authority of the supervisory authorities in the enforcement of the PIPL.


    Relationship of personal information and important data


    In China’s data protection legal regime, “important data” as well as personal information is afforded a heightened degree of protection. Under certain circumstances, an accumulation of personal information may arguably be categorized as “important data.” For instance, the Several Provisions on Automobile Data Security Management (Trial Implementation) provides that personal information involving more than 100,000 data subjects, along with other data in the automobile context, shall be deemed “important data.” Consequently, any violation in relation to this category of personal information would additionally be subject to the enforcement applicable to “important data.”


    Conclusion


    The PIPL represents a major unifying moment in China’s long history of piecemeal data privacy policymaking, exhibiting considerable alignment with international trends in personal data protection, such as hefty fines and penalties. At the same time, this law merely provides a framework and broad principles, leaving some concepts such as “grave violation” undefined. While uncertainties remain as to enforcement in practice, given its entry into force in November 2021, many implementing regulations, rules and standards will be introduced in the near future, providing more detailed and concrete guidance.





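    Disclaimer:

    This article is an original work by an attorney of the law firm k8凯发天生赢家·一触即发 and represents only the author's personal views. It must not be regarded as a formal legal opinion or advice issued by k8凯发天生赢家·一触即发 or its attorneys. If you reproduce or quote any content of this article, please cite the source.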

    Related attorney

    • Wang Yinan (王一楠)

      Partner

      Tel: +86 10 5268 2888

      Email: wangyinan@cqhaolun.com
