
Interpretation of the Personal Information Protection Law (Draft), Part 1 [Chinese-English bilingual]

张晓宇、夏晨斌、李尚文、王怡璎、肖思嘉、罗旷怡

Institute of XEON Cross-Border Data Compliance (耀时跨境数据合规研究院)

In 2018 the European Union brought the General Data Protection Regulation (GDPR) into application, and it has become one of the landmark statutes in personal data protection worldwide. On 21 October 2020, China's Personal Information Protection Law (Draft) was published for public comment. The draft is China's first comprehensive statute dedicated to personal information (which the GDPR calls "personal data"). It regulates the full life cycle of personal information processing within China and sets out localisation obligations and rules for cross-border transfers. Several European companies have recently asked our firm about these rules, and in order to offer cross-border data compliance services both to European digital businesses that intend to invest in China and to Chinese digital businesses that intend to invest in Europe, our firm (the Institute of XEON Cross-Border Data Compliance) has prepared a bilingual commentary on the draft together with a comparative analysis against the GDPR.

This commentary is published in two parts; this is Part 1.

Chapter 1: Interpretation of the General Provisions

1.1 Legislative purpose (Article 1)

This article states the purpose of the Personal Information Protection Law: to promote, through legislation, the lawful, compliant and reasonable use of personal information, while ensuring that personal information retains a certain degree of mobility.

1.2 Right to personal information (Article 2)

"Personal information protection" already appears in Chapter 6 of Book IV ("Personality Rights") of the Civil Code, and the Civil Code titles that chapter "Privacy and Personal Information Protection", which shows the high legal standing of personal information protection and the weight the legislature attaches to it. This article is consistent with Article 1034 of the Civil Code and brings the personal information of natural persons within the scope of legal protection.

1.3 Scope of application (Article 3)

The law applies to organisations and individuals that process the personal information of natural persons within the territory of the People's Republic of China. It also applies to processing, carried out outside the PRC, of the personal information of natural persons located within the PRC, where the purpose of the processing is to provide products or services to those natural persons, or to analyse or evaluate their behaviour.

1.4 Definitions of "personal information" and "processing of personal information" (Article 4)

Personal information is any kind of information, recorded electronically or by other means, that relates to an identified or identifiable natural person; information that has been anonymised is excluded.

Processing of personal information covers activities such as the collection, storage, use, further processing, transmission, provision and disclosure of personal information.

1.5 Basic requirements for data processing (Articles 5, 6, 7, 8 and 10)

1.5.1 Legality and legitimacy (Article 5)

Legality means that the processing of personal information must comply with laws and regulations; collecting, storing, using, processing, transmitting, providing or disclosing personal information through unlawful means, such as implanting malware, is prohibited.

Legitimacy means that personal information must be collected, stored, used, processed, transmitted, provided and disclosed in a proper manner, for example on the basis of "express notice plus consent".

1.5.2 Purpose and necessity (Article 6)

Purpose limitation means that processing must serve a reasonable purpose, that purpose must be defined with reasonably clear elements, and the purpose must bear some relationship to the goods and services the enterprise itself provides.

Necessity means that an enterprise may collect only the personal information closely related to its own business activities and may not collect irrelevant or superfluous personal information. In practice, many enterprises collect personal information in breach of the rules, even collecting personal information that has nothing to do with the goods or services they provide; all such conduct is prohibited.

1.5.3 Openness and transparency (Article 7)

Building on Article 1035, paragraph 1, item 2 of the Civil Code, this article adds the principle of transparency: the manner and methods of processing personal information must be open and transparent so that they are subject to public supervision at all times.

1.5.4 Accuracy (Article 8)

Personal information must be accurate and kept up to date.

1.5.5 Absolute prohibition on harming national security and the public interest (Article 10)

Processing of personal information may under no circumstances infringe national security or the public interest.

1.6 Attribution of responsibility (Article 9)

This article establishes the basic principle that whoever processes personal information is responsible for it.

1.7 Responsibilities of the State (Articles 11 and 12)

First, the law declares the State's determination to regulate the Internet in accordance with the law and to maintain a sound environment for personal information protection, and it establishes the basic principles of that work. In particular, the requirement to establish and improve a personal information protection system raises the bar for the data compliance of Internet companies. Second, it sets out China's international cooperation with other countries in the field of personal information protection, which is significant for promoting mutual international recognition of protection rules and standards. The draft draws on the approach of the EU-US Safe Harbor and Privacy Shield arrangements (both of which the Court of Justice of the EU has since invalidated) to deepen international exchange and cooperation. While raising the technical level of personal information protection, it provides the ground for the free cross-border flow of data between China and other countries and thereby supports the vigorous development of Chinese Internet companies.

1.8 Comparison with the GDPR

Article 3 of the draft establishes extraterritorial effect: applying the principle of closest connection, it sets three connecting factors, which resemble the targeting and monitoring criteria in Article 3 of the GDPR. Both instruments provide for extraterritorial application. By comparison, the draft is vaguer and more conservative in delineating the extraterritorial scope, whereas the GDPR's "territorial plus personal" approach is more pronounced and places the personal principle on an equal footing with the territorial one.

Article 4 of the draft defines personal information through "identification and association", borrowing the approach of the GDPR, and thereby clarifies the scope of the law so that judicial practice can determine what counts as "personal information" more precisely. Note, however, that the object of the draft is "personal information", whereas the GDPR speaks of "data", that is, "personal data". The "pure definition" legislative model adopted by the draft is more open and leaves more room for judicial interpretation in concrete cases.

Under the draft, the parties involved with personal information are mainly the personal information subject, the personal information handler and the departments performing personal information protection duties. The GDPR additionally establishes the role of the data protection officer (DPO).

Article 8 of the draft resembles Article 5(1)(d) of the GDPR in requiring that personal information be processed accurately and kept up to date. In commercial operations this requires enterprises to update personal information promptly so that the data resulting from processing is accurate; indirectly, it also gives individuals the ability to correct their own information at any time.

Chapter 2, Section 1: Interpretation of the General Rules on the Processing of Personal Information

2.1.1 Lawful bases for processing personal information (Article 13)

As one of the most central and important changes in the draft, this article greatly expands the lawful bases for processing personal information. Looking at how those bases have evolved, Article 41, paragraph 1 of the Cybersecurity Law made "the consent of the person whose information is collected" the lawful basis for collecting and using personal information. Article 1035, paragraph 1, item 1 of the Civil Code retained consent as the lawful basis but left an exception "unless otherwise provided by laws or administrative regulations". Building on the Civil Code and the Cybersecurity Law, this article lists several further circumstances in which processing is lawful, extends the consent principle to a certain degree, provides a range of alternative routes for processing personal information and connects the laws coherently with one another.

2.1.2 Requirements for consent (Articles 14, 16 and 17)

2.1.2.1 General consent, separate consent and re-obtaining consent (Article 14)

"General consent" requires that the rules for processing personal information be expressly communicated to the individual in accordance with Article 7 of the draft, and that the individual, on the basis of being fully informed, voluntarily gives a clear expression of intent. In practice, where processing requires the user's consent, the rules must be fully explained to the user through a consent document such as a Personal Information Protection Policy, and consent must be obtained through an affirmative act of the user, such as manually clicking to confirm or manually ticking a consent box.

"Separate consent" must be read together with Articles 24, 30 and 39 of the draft: where a handler provides the personal information it processes to a third party, processes sensitive personal information on the basis of consent, or provides personal information to a recipient outside the PRC, separate consent or written consent is required.

"Re-obtaining consent" applies where the purpose of processing, the method of processing or the categories of personal information processed change. Such a change is a material change in the processing, and continuing under the original authorisation could infringe the lawful rights and interests of others, so consent must be obtained again. Because the original consent distinguished general from separate consent, the renewed consent must correspond to the original: where separate consent was required, separate consent is still required.

2.1.2.2 Right of individuals to withdraw consent (Article 16)

Note that the right of withdrawal in this article applies only where processing rests on consent under Article 13, paragraph 1, item 1; the law confers no such right in the other cases. In practice this requires Internet companies to provide an online channel through which individuals can withdraw their authorisation. It does not prevent the company from limiting the services it provides to the individual as a consequence, and the company may amend its Registration Agreement to state this expressly.

2.1.2.3 Circumstances in which products or services may not be refused (Article 17)

If an individual refuses consent to the processing of their personal information, or withdraws consent, and that personal information is necessary for providing the product or service, the personal information handler may refuse to provide the product or service. If the information is not necessary for providing the product or service, the handler may not refuse. For example, in a consumer lending scenario, collecting and using the user's contact list is generally not necessary for providing the lending service; if the user declines to provide the contact list, or previously agreed to provide it and now wishes to withdraw consent to its processing, the financial institution may not refuse the lending service on that ground.

2.1.3 Special consent requirements for the personal information of minors (Article 15)

Article 9 of the Provisions on the Cyber Protection of Children's Personal Information requires that "network operators that collect, use, transfer or disclose children's personal information shall notify the child's guardian in a conspicuous and clear manner and shall obtain the guardian's consent". Building on this, the draft adds the condition that the handler "knows or should know" that it is processing such information, which lightens the handler's responsibility to some extent. Proving that the handler genuinely did not know it was processing the personal information of a minor under fourteen (a "child") will nonetheless be difficult. Where the handler has adequately verified the individual's identity and age and still failed to detect that the individual is a child, because of technical limitations or deliberate concealment by the individual, it may be exempt from liability for not obtaining the guardian's consent; the precise application, however, awaits further interpretation and detail from the legislature.

2.1.4 Rights and obligations of personal information handlers (Articles 18 and 19)

2.1.4.1 Notice requirements before processing personal information (Article 18)

The notice requirement in paragraph 1 has the following elements:

(1) Timing: notice must be given before the personal information is processed.

(2) Language: notice must be given in a conspicuous manner and in clear, easily understood language; ambiguous or misleading wording and heavy use of obscure technical terms are not acceptable.

(3) Content. Item 1, "identity and contact details": the contact details may be a customer service number, a dedicated personal information protection hotline, or the telephone number or e-mail address of the personal information protection department. Item 2, "purpose of processing, method of processing, categories of personal information processed and retention period": this can largely be read as the scope of the "personal information processing rules" in Article 7 of the draft. For example, when collecting personal information, the handler must state the purpose of collection, the method of collection (direct, indirect and so on), the categories collected and the retention period. Item 3, "the methods and procedures by which individuals exercise the rights provided in this law": Chapter IV of the draft is devoted to the rights of individuals in personal information processing activities, and the notice must explain how those rights are exercised. The methods may include self-service through business channels such as an app and contacting customer service to assert a right; as to procedure, taking self-service through an app as an example, the notice should describe the concrete navigation path within the app and the response time. Item 4, "other matters that laws or administrative regulations require to be notified", is a catch-all provision.

Paragraph 2 sets out the notice requirement when the processing changes. It places no detailed restrictions on the form of notice, so the changed parts can reasonably be notified by website announcement, in-app notification, in-app pop-up, text message and similar means.

Paragraph 3 sets special requirements where notice is given by publishing personal information processing rules: the rules must be public and easy to consult and retain, meaning individuals must be able to find and keep the full text of the rules. The requirement that the rules be easy to retain appears for the first time in the draft.

It is particularly important to note that the notice requirement in this article is not confined to processing based on consent; it applies to every case of processing personal information. Nor is it limited by the type of handler: state organs, public institutions, ordinary legal persons, unincorporated organisations and all other kinds of personal information handlers must give notice under this article before processing personal information. In the exceptional cases covered by Article 19, notice may be dispensed with or given afterwards.

2.1.4.2 Exceptions to the notice requirement before processing personal information (Article 19)

The exception "where notice to the individual is not required" is confined to cases in which "laws or administrative regulations provide that the matter shall be kept confidential or that notice is not required". For example, Article 51 of the Counter-Terrorism Law of the People's Republic of China provides that "when investigating suspected terrorist activities, public security organs have the power to collect and obtain relevant information and materials from the relevant units and individuals, who shall provide them truthfully". Under that provision, a public security organ that collects a terrorism suspect's personal information from the suspect's employer or relatives need not notify the suspect.

The exception "where advance notice to the individual is not required" supplements Article 13, paragraph 1, item 4 of the draft: where, in an emergency, it is impossible to notify the individual in time, notice must still be given once the emergency has passed, rather than being dispensed with altogether.

2.1.4.3 Retention period for personal information (Article 20)

The draft does not fix a set retention period for personal information. Instead, following the necessity requirement, it provides that personal information must be deleted as soon as possible once the purpose of processing has been fulfilled. Internet companies therefore need internal compliance rules that specify clearly how long personal information is stored and when it is deleted.

The article also contains a catch-all clause for cases where laws and regulations provide otherwise. Common examples include: (1) Article 19, paragraph 3 of the Anti-Money Laundering Law, under which "customer identity materials shall be kept for at least five years after the business relationship ends, and customer transaction information for at least five years after the transaction is completed"; and (2) Article 31 of the E-Commerce Law, under which "e-commerce platform operators shall record and retain the goods and service information and transaction information published on the platform and ensure its integrity, confidentiality and availability. Goods and service information and transaction information shall be retained for no less than three years from the date the transaction is completed; where laws or administrative regulations provide otherwise, those provisions apply."

2.1.4.4 Allocation of rights, obligations and liability where two or more personal information handlers jointly process personal information (Article 21)

As regards the internal allocation of rights and obligations and the party against whom individuals may assert their rights, paragraph 1 of this article resembles Article 26 of the GDPR. Joint handlers must allocate rights and obligations between themselves, but that allocation may not prevent an individual from exercising their rights against any one of the handlers, so the internal arrangement must also settle how requests from individuals will be answered. Clause 9.6 of the Information Security Technology: Personal Information Security Specification (GB/T 35273-2020) sets more detailed and more readily implementable requirements for joint personal information controllers and can serve as a reference when handlers divide rights and obligations internally.

As regards liability, paragraph 2 imposes a strict standard on joint handlers: they "bear joint and several liability in accordance with the law". Harm caused to others by joint processing is treated as a joint tort, which allows a firm response to possible violations.

2.1.5 Entrusting a third party to process personal information (Article 22)

The draft sets out the obligations of both the entrusting party and the entrusted party when processing is outsourced. Clause 9.1 of the Personal Information Security Specification contains more detailed rules on entrusted processing and can to some extent be used as a reference when applying this article.

On the entrusting party's side, it must define the scope of the authorisation carefully and ensure that the entrusted party performs its duties within that scope. If supervision fails through intent or gross negligence, the entrusting party faces the risk of penalties and litigation.

On the entrusted party's side, the main obligations are to process the personal information as agreed, to return or delete it in a timely manner, and not to sub-entrust it without consent. It should be stressed that handing personal information to a parent company, subsidiary or other affiliate for processing also counts as sub-entrustment and likewise requires the entrusting party's consent.

Note that this article may overlap with Article 21: an entrusting party that also processes personal information itself must satisfy both Article 21 and Article 22 of the draft, whereas one that does not process personal information itself need only satisfy this article.

2.1.6 Requirements where personal information must be transferred in a merger, division or similar event (Article 23)

On the transferring handler's side, it must inform individuals of the recipient's identity and contact details; "identity" and "contact details" here have the same meaning as in Article 18, paragraph 1, item 1 of the draft and are not discussed again.

On the recipient's side, it must continue to perform the obligations of a personal information handler, and if it changes the purpose or method of processing it must notify the individuals again and obtain their consent. As with the potential conflict between Article 15 and Article 13, the application of this article may also conflict with Article 13 of the draft. Where the processing rests not on Article 13, paragraph 1, item 1 ("the individual's consent") but on another item of that paragraph, for instance processing "necessary to perform statutory duties or obligations", the individual's consent is not required in the first place. If the recipient then changes the purpose or method of processing on the same statutory basis, consent should likewise not be required and notice alone should suffice. The final sentence of the article may therefore need to be reworded along the following lines: "Where the recipient changes the original purpose or method of processing, it shall notify the individuals again in accordance with this law, and where the processing is based on Article 13, paragraph 1, item 1 it shall also obtain their consent."

2.1

 

7. Requirements for providing personal information to third parties (Article 24)

 

 

 

From the perspective of the personal information handler's obligations, the handler must inform the individual of "the identity and contact information of the third party, the handling purpose, the handling method and the categories of personal information" and must "obtain the individual's separate consent". This is the first instance of "separate consent" under the "otherwise provided" clause referred to in Article 14 of the Personal Information Protection Law (Draft). However, just as Articles 15 and 23 of the Personal Information Protection Law (Draft) may conflict with Article 13, this article may also conflict with Article 13. For example, when a customer shops on an e-commerce platform, in order to deliver the goods to the customer as agreed in the contract, a platform that has no logistics operation of its own, or does not use it, must provide the customer's delivery information to a third-party logistics company. In that case, is the provision "necessary for the performance of the contract", so that the customer's consent is not required? Or, even if it is not "necessary for the performance of the contract", if the customer refuses to allow the delivery information to be provided to the third-party logistics company and the platform therefore cannot provide the complete shopping service, may the platform rely on Article 17 of the Personal Information Protection Law (Draft) to refuse the service on the ground that the handling of the personal information is necessary for providing the service? If so, what is the point of the customer refusing to provide the delivery information? This requires further discussion.

From the perspective of the obligations of the third party that receives the personal information, if it changes the handling purpose or handling method it must inform the individual again and obtain consent. The issue here is similar to that of the recipient's obligations under Article 23 of the Personal Information Protection Law (Draft) and is not repeated. In addition, the second paragraph of this article may be internally inconsistent. Under the definition of "anonymization" in Article 69, Paragraph 1, Item 4 of the Personal Information Protection Law (Draft), anonymized information is information that cannot be restored; if what is provided to the third party is genuinely anonymized information, the third party cannot restore it to re-identify the individual. The second paragraph of this article may therefore need to be deleted or adjusted.

 

 

 

2.1

 

8. Requirements for using personal information in automated decision-making (Article 25)

 

 

 

The Personal Information Protection Law (Draft) emphasizes the transparency of automated decision-making and the fairness and reasonableness of its results, and provides individuals with a remedy. For example, in a lending scenario, if an individual's credit limit is decided automatically by a data model, the individual may ask the personal information handler to explain the decision and has the right to refuse a decision made solely by automated data-model decision-making; correspondingly, where an individual asserts this right, the handler may need to have the credit limit reviewed manually. To prevent individuals from abusing this article, its application is limited to decisions that "have a significant impact on the individual's rights and interests", so that individuals cannot arbitrarily reject the results of automated decision-making or raise objections and thereby increase the burden on enterprises.

As for commercial marketing and information push carried out through automated decision-making, the requirement is similar to Article 18, Paragraph 1 of the E-Commerce Law of the People's Republic of China: options that are not targeted at the individual's personal characteristics must be provided at the same time. Article 7.5(b) of the Personal Information Security Specification contains a similar provision.

 

 

 

2.1

 

9. Principles and exceptions for the disclosure of personal information (Article 26)

 

 

 

Since the handling of personal information requires only the individual's consent, the principle governing disclosure should be "non-disclosure as the rule, disclosure as the exception", in order to reduce the risk of infringement of personal information rights. Unless the individual gives "separate consent" to the disclosure of the personal information or there is a legal basis for it, the information must be kept confidential by technical means.

 

 

 

2.1

 

10. Requirements for installing image collection and personal identification equipment in public places (Article 27)

 

 

 

Based on the needs of "public security", individuals may be identified, but Article 26 still applies: the personal information obtained generally may not be disclosed or provided to third parties. It should be made clear that this article does not limit the installer of image collection equipment to state organs. Any entity acting for the purpose of maintaining "public security" may identify individuals, subject to the corresponding confidentiality requirements.

 

 

 

2.1

 

 

 

11. Requirements for handling personal information that has already been disclosed (Article 28)

 

 

 

Compared with Article 1036, Item 2 of the Civil Code, which permits "reasonably handling information that the natural person has disclosed himself or herself or that has otherwise been lawfully disclosed, except where the natural person explicitly refuses or the handling of the information infringes his or her major interests", this article appears broader. In fact, it is an effective supplement built on the Civil Code, and there is no obstacle to applying the two together.

On our reading of this article, as long as the personal information was disclosed by the individual concerned, a personal information handler may use the disclosed information directly, provided that the use is consistent with the purpose for which it was disclosed. Use beyond the reasonable scope of the original purpose requires the "notice and consent" principle to be satisfied again.

Where the purpose for which the personal information was disclosed is unclear, the handler must handle the disclosed information reasonably and prudently. Where the purpose of disclosure is unclear and the disclosed information is used for activities that have a significant impact on the individual, the information may not be handled unless the "notice and consent" principle has been satisfied. As for the other exception in Article 1036, Item 2 of the Civil Code, "the natural person explicitly refuses", we consider this to be a form of the "right of withdrawal", which coincides with Article 13 of the Personal Information Protection Law (Draft): regardless of whether the purpose of disclosure was clear, the individual may exercise the "right of withdrawal" at any time.

 

 

 

2.1

 

12. Comparison with the GDPR

 

Unlike the GDPR, the Personal Information Protection Law (Draft) does not distinguish between the concepts of "controller" and "processor" in its definitions. Instead, it defines "organizations and individuals that autonomously determine the handling purpose, handling method and other matters relating to the handling of personal information" as "personal information handlers". This is fairly consistent with the GDPR definition of "controller", namely "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data".

It should be particularly noted that, by definition, the "personal information handler" in the Personal Information Protection Law (Draft) corresponds to the "controller" in the GDPR, not the "processor", and the two must be distinguished in practice. In particular, the draft contains no definition corresponding to the GDPR "processor"; the only related provision is Article 22 on the "entrusted party" in entrusted handling, which may easily cause confusion in practice. Because there is no independent legal concept equivalent to the "processor" under the EU GDPR, the terms "third party" and "entrusted party" in the Personal Information Protection Law (Draft) may also be confused when the law is applied.

In terms of content, Article 13, Paragraph 1, Items 1 to 5 of the Personal Information Protection Law (Draft) are similar to Article 6(1)(a) to (e) of the GDPR, with certain differences. For example, the legislative background of Article 13, Paragraph 4 is related to the COVID-19 epidemic. Taking into account objective factors such as the COVID-19 epidemic and other public health emergencies, treating emergencies as a lawful basis for handling personal information better fits the practical needs of government regulation and Internet companies.

Article 15 of the Personal Information Protection Law (Draft) is close in content to Article 8(1) of the GDPR, but it lacks the limitation "where the handling is based on the individual's consent", so its application may conflict with Article 13. If personal information is handled not under Article 13, Paragraph 1, Item 1 ("the individual's consent has been obtained") but under another item of Article 13, Paragraph 1, for example because the handling is "necessary to perform statutory duties or statutory obligations", no consent from the individual should be required, whether or not the individual is a child. Yet Article 15 of the Personal Information Protection Law (Draft) directly requires the consent of the child's guardian. Does this mean that the guardian's consent is required even when a child's personal information is handled because it is "necessary to perform statutory duties or statutory obligations"? If so, the provisions already conflict, and, following Article 8(1) of the GDPR, a limitation such as "where Article 13, Paragraph 1, Item 1 of the Personal Information Protection Law (Draft) applies" may need to be added.

Article 22 of the Personal Information Protection Law (Draft) is similar to Article 28 of the GDPR.

Article 25 of the Personal Information Protection Law (Draft) is similar to Article 22 of the GDPR in terms of the requirements on the process and results of automated decision-making.

 

 

 

Chapter 2 Section 2

Interpretation of the Rules on Handling Sensitive Personal Information

 

 

 

2.2

 

1. Conditions for handling sensitive personal information and definition of sensitive personal information (Article 29)

 

 

 

Specifically, this article deepens Article 6 of the Personal Information Protection Law and is similar to Article 9 of the GDPR. On top of Article 6's requirement that personal information be handled for a "clear and reasonable purpose", it imposes a higher standard: the personal information handler must meet the requirement of "specific purpose + sufficient necessity". This means that handlers must treat sensitive personal information with greater strictness and caution.

In addition, Article 15 of the Data Security Management Measures (Draft for Comment) provides that "network operators that collect important data or sensitive personal information for business purposes shall file with the local cyberspace administration." Although sensitive personal information and important data are both focuses of government supervision, the two concepts differ. Under the Measures for Security Assessment of Cross-Border Transfer of Personal Information and Important Data (Draft for Comment), important data means data closely related to national security, economic development and the public interest. As for how important data is to be identified in practice, China's Guidelines for the Identification of Important Data are still in the legislative process.

 

 

 

2.2

 

2. Requirements for handling sensitive personal information based on the individual's consent (Article 30)

 

 

 

When handling sensitive personal information, "separate consent" or "authorized consent" should be used depending on the circumstances. Note that "separate consent" here must at the same time satisfy the requirement of "explicit consent", and "authorized consent" must meet the formal requirement of "written consent". In addition, Article 11 of the Measures for the Supervision and Administration of Online Transactions (Draft for Comment) provides that "online transaction operators that collect and use sensitive information such as biometric information, health information, property information and social information shall obtain the authorized consent of the person whose information is collected item by item." The handling of sensitive personal information thus differs from that of general information: "separate consent" must be authorized item by item.

 

 

 

2.2

 

3. Notification obligation when handling sensitive personal information (Article 31)

 

 

 

When handling sensitive personal information, in addition to informing the individual of the matters required by Article 18 of the Personal Information Protection Law (Draft), the handler must also inform the individual of the necessity of the handling and its impact on the individual, a stricter notification requirement. As for the "impact on the individual": for example, when a person applies for life insurance, the insurer collects medical and health information such as the applicant's medical records; the impact on the individual is that a history of particular diseases may affect whether coverage is granted and how the premium is calculated.

 

 

 

2.2

 

4. Special restrictions on handling sensitive personal information (Article 32)

 

 

 

The Personal Information Protection Law (Draft) does not itself specify the special restrictions on handling sensitive personal information; it leaves the matter to other applicable provisions. Other relevant laws or supporting administrative regulations may later impose strict restrictions, which deserve attention.

 

 

 

Chapter 2 Section 3

Interpretation of the Special Rules on the Handling of Personal Information by State Organs

 

 

 

 

 

 

 

2.3

 

1. Rules applicable to the handling of personal information by state organs (Article 33)

 

 

 

This article clarifies that state organs fall within the scope of the Personal Information Protection Law.

As a general rule, the general provisions of the Personal Information Protection Law apply to the handling of personal information by state organs; as a special rule, where this section makes special provisions on the handling of personal information by state organs, those special provisions apply.

 

 

 

2.3

 

2. Requirements for the handling of personal information by state organs in the performance of their statutory duties (Articles 34 and 35)

 

 

 

Article 34 reflects the requirement that state organs handle personal information only where necessary to perform their duties. It helps curb the phenomenon of "abusing personal information in the name of public power" and regulates both the substance and the procedure of handling by state organs, so as to protect citizens' lawful rights and interests. Article 34 sets out three requirements: (1) handling must be based on the need to perform statutory duties, avoiding the arbitrary collection and use of personal information outside those duties; (2) handling must follow the conditions and procedures prescribed by laws and administrative regulations, meaning that without the statutory conditions and procedures a state organ may not handle personal information even within the scope of its statutory duties. For example, under the Cybersecurity Law and other laws, public security organs may supervise and inspect whether Internet service providers and networked entities perform the cybersecurity obligations prescribed by laws and administrative regulations. Such inspections are likely to involve users' personal information, and Chapter 3 of the Provisions on Internet Security Supervision and Inspection by Public Security Organs devotes a dedicated chapter to the procedure for such inspections, which public security organs must follow in practice when an inspection involves personal information; (3) handling may not exceed the scope and limits necessary to perform statutory duties. This reflects the principle of proportionality to some extent, but the specific scope and limits remain to be specified.

Under Article 35, a state organ handling personal information to perform its statutory duties must "inform + obtain consent", which to some extent improves the transparency of handling by state organs. The exception is "where laws or administrative regulations require confidentiality, or where informing the individual or obtaining consent would impede the state organ in performing its statutory duties". For example, where personal information is collected and used for criminal investigation, the individual need not be informed and consent need not be obtained.

 

 

 

2.3

 

3. Requirement that state organs not disclose or provide to others the personal information they handle, and exceptions (Article 36)

 

 

 

This article makes clear that a state organ handling personal information in the performance of its statutory duties may not disclose that information or provide it to others. Like Internet companies, state organs may not arbitrarily disclose or provide to others the personal information they handle in the performance of their statutory duties, except "where laws or administrative regulations provide otherwise or the individual's consent has been obtained".

As a matter of principle, the basic rule is not to disclose or provide to others the personal information handled. Disclosure or provision to others requires a basis in laws or administrative regulations or the individual's consent. Where personal information is disclosed or provided to others with the individual's consent, the general provisions of this Law apply. It is worth noting that the notification rule is likewise limited to what is necessary.

 

 

 

2.3

 

4. General requirements for the storage of personal information by state organs and special requirements for providing personal information abroad (Article 37)

 

 

 

As a general requirement, state organs should store the personal information they handle within the territory of the People's Republic of China; where it is genuinely necessary to provide it abroad, a risk assessment should be conducted. On our understanding, the departments that may provide support and assistance here mainly include the cyberspace administration and the public security authorities. This article strictly follows the requirements of the Cybersecurity Law on data localization and cross-border transfer. Article 37 of the Cybersecurity Law provides: "Personal information and important data collected and generated by operators of critical information infrastructure in the course of operations within the territory of the People's Republic of China shall be stored within the territory. Where it is genuinely necessary to provide such information abroad for business needs, a security assessment shall be conducted in accordance with the measures formulated by the national cyberspace administration together with the relevant departments of the State Council; where laws or administrative regulations provide otherwise, those provisions apply." The Personal Information Protection Law thus brings all personal information handled by state organs within the scope of local storage and cross-border risk assessment. Accordingly, once the Personal Information Protection Law takes effect, not only operators of critical information infrastructure but also state organs will need to comply with such requirements.

 

 

 

2.3

 

5. Comparison with the GDPR

 

 

 

In light of recent international calls to restrict the handling of personal information by public authorities, and drawing on the legislative experience of Article 2(3) of the GDPR and other relevant provisions on the institutions and entities to which the GDPR applies, the Draft devotes a special section to regulating the handling of personal information by state organs. This special provision also responds to the public's concerns about the government's handling of personal information during the epidemic.

Article 33 of the Draft provides that this Law applies to the handling of personal information by state organs; state organs must strictly comply with their legal authority and procedures and may not exceed the scope and limits necessary for their statutory duties (Article 34); where a state organ handles personal information in the performance of its duties, it must inform the individual and obtain consent in accordance with this Law, unless laws or regulations require confidentiality or doing so would impede the performance of its statutory duties (Article 35); and state organs may not disclose or provide personal information to others unless laws or regulations provide otherwise or consent has been obtained (Article 36).

Article 37 of the Draft provides for the obligation of state organs to store personal information locally and, where it is genuinely necessary to provide personal information abroad, to conduct a risk assessment.
