《个人信息保护法》终稿解读中英双语版

《个人信息保护法》终稿解读中英双语版

IXCDC

第一章 

总则解读

Chapter 1

Interpretation of General Principles

1.1

立法目的（第1条）

Legislative purpose (Article 1)

本条明确了《个人信息保护法》的立法目的和宗旨，即通过立法的形式，促进个人信息合法、合规、合理利用。为了体现制定实施本法对于保障公民的人格尊严和其他权益具有重要意义，《个人信息保护法》终稿第1条增加了“根据宪法”，以宪法中“公民的人格尊严不受侵犯；公民的通信自由和通信秘密受法律保护”为基础。

This article clarifies the legislative purpose and purpose of the "Personal Information Protection Law", that is, to promote the legal, compliant, and reasonable use of personal information through legislation. In order to reflect that the enactment and implementation of this law is of great significance to the protection of citizens' personal dignity and other rights and interests, Article 1 of the final draft of the Personal Information Protection Law adds “according to the Constitution”, that is, the personal dignity of citizens in the Constitution shall not be violated; Citizens' freedom and confidentiality of correspondence shall be protected by law.

1.2

个人信息权（第2条）

Personal information right（Article 2）

“个人信息保护”的相关内容在《民法典》第四编“人格权”中的第六章有所体现，《民法典》将第六章命名为“隐私权和个人信息保护”，足见“个人信息保护”的法律地位之高以及立法者对其重视程度之深。本条与《民法典》第一千零三十四条相一致，将自然人的个人信息列为了法律保护的范畴予以调整。

The relevant content of "Personal Information Protection" is reflected in Chapter 6 of "Personality Rights" in Title IV of the Civil Code. The "Civil Code" named Chapter 6 "Privacy and Personal Information Protection", which shows that " The high legal status of "Personal Information Protection" and how deeply the legislators attach importance to it. This article is consistent with Article 1034 of the Civil Code, and adjusts the personal information of natural persons as a category of legal protection.

1.3

适用范围（第3条）

Scope of application（Article 3）

本法适用于在中华人民共和国境内处理自然人个人信息的活动。对于在中华人民共和国境外处理中华人民共和国境内自然人个人信息的活动,如果以向境内自然人提供产品或者服务为目的，或，为分析、评估境内自然人的行为，也适用本法。

This law applies to activities that process personal information of natural persons within the territory of the People's Republic of China. And it also applies to the activities of processing personal information of natural persons in the People's Republic of China outside the People's Republic of China for the purpose of providing products or services to natural persons within the territory of China, or to analyze and evaluate the behavior of natural persons in the territory. 

1.4

“个人信息”和“处理个人信息”的定义（第4条）

Definition of "personal information" and "handling of personal information" (Article 4)

个人信息是以电子或者其他方式记录的与已识别或者可识别的自然人有关的各种信息,不包括匿名化处理后的信息。

个人信息的处理包括个人信息的收集、存储、使用、加工、传输、提供、公开、删除等活动。

Personal information is a variety of information related to an identified or identifiable natural person recorded electronically or by other means, excluding anonymized information.

The processing of personal information includes activities such as the collection, storage, use, processing, transmission, provision, disclosure and deletion of personal information.

1.5

数据处理基本要求（第5、6、7、8、10条）

Basic requirements for data processing (Article 5, 6, 7, 8, 10)

1.5.1合法和正当性要求（第5条）

1.5.1 Legality and legitimacy (Article 5)

所谓合法性，指的是在个人信息处理过程中，需要符合法律法规的要求，禁止通过植入恶意软件等非法手段收集、存储、使用、加工、传输、提供、公开个人信息。

所谓正当性，指的是在个人信息处理过程中，需要采取例如“明示+同意”的正当形式收集、存储、使用、加工、传输、提供、公开个人信息。

The so-called legitimacy refers to the need to comply with the requirements of laws and regulations during the processing of personal information, and it is prohibited to collect, store, use, process, transmit, provide, and disclose personal information through illegal means such as malware implantation.

The so-called legitimacy refers to the need to collect, store, use, process, transmit, provide, and disclose personal information in a proper form such as "express plus consent" during the processing of personal information.

1.5.2目的和必要性要求（第6条）

1.5.2 Purpose and necessity(Article 6)

所谓目的性，指的是在个人信息处理过程中，需要符合一定的合理目的，且该目的需要具备较为明确的要素，同时需要注意该目的性的要求应当与企业自身所提供的商品和服务具有一定的关联性。

所谓必要性，指的是在个人信息处理过程中，需要收集与企业自身经营活动密切相关的个人信息，不得收集无关且多余的个人信息。实践中，大量企业违规收集个人信息，甚至收集与其提供商品或服务无关的个人信息，这些行为都是被禁止的。

The so-called purpose is that in the process of personal information processing, it needs to meet a certain reasonable purpose, and the purpose needs to have relatively clear elements. At the same time, it should be noted that the purpose of the requirements should be consistent with the goods and services provided by the enterprise itself. Certain relevance.

The so-called necessity refers to the need to collect personal information closely related to the company's own business activities in the process of personal information processing, and not to collect irrelevant and redundant personal information. In practice, a large number of companies illegally collect personal information, or even collect personal information that has nothing to do with the goods or services they provide. These behaviors are prohibited.

1.5.3公开透明要求（第7条）

1.5.3 Openness and transparency openness(Article 7)

本条在《民法典》第一千零三十五条第一款第二项的基础上，增加了透明原则，要求个人信息处理的方式方法必须公开、透明，以便随时受到社会公众的监督。

This article adds the principle of transparency on the basis of Article 1035, Paragraph 1, Item 2 of the Civil Code, and requires that the methods and methods of personal information processing must be open and transparent in order to be subject to supervision by the public at any time.

1.5.4准确性要求（第8条）

1.5.4 Accuracy(Article 8)

个人信息应当准确,并及时更新。

Personal information should be accurate and updated in a timely manner.

1.5.5国家安全与公共利益绝对禁止（第10条）

1.5.5 Prohibit infringement of national security and public interest(Article 10)

处理个人信息的活动绝对禁止侵犯国家安全和公共利益。

Activities that process personal information are absolutely prohibited from infringing upon national security and public interests.

1.6

归责原则（第9条）

Imputation principle（Article 9）

本条确立了“谁处理 谁负责”的基本原则。

This article establishes the basic principle of "who handles it and who is responsible".

1.7

国家责任（第11、12条）

State responsibility (Article 11, 12)

本法一是明确了国家依法整治互联网及维护个人信息保护良好环境的决心，确立了个人信息保护工作的基本原则。其中，建立健全个人信息保护制度的要求，对互联网企业的数据合规提出了更高要求。二是明确了我国与其他国家间在个人信息保护领域的国际合作关系，对推动信息保护规则和标准的国际互认意义重大。《个人信息保护法》借鉴了欧盟的《避风港协议》和《隐私盾协议》的做法，深化国际交流合作，在提升个人信息保护技术的同时，为我国与他国间的跨境数据自由流转提供土壤，进而促进我国互联网企业的蓬勃发展。

First, this law clarifies the country's determination to rectify the Internet in accordance with the law and maintain a good environment for personal information protection, and establishes the basic principles of personal information protection. Among them, the requirement to establish a sound personal information protection system puts forward higher requirements for Internet companies' data compliance. The second is to clarify the international cooperation relationship between my country and other countries in the field of personal information protection, which is of great significance to promoting the international mutual recognition of information protection rules and standards. The "Personal Information Protection Law" draws on the practices of the EU's "Safe Harbor Agreement" and "Privacy Shield Agreement" to deepen international exchanges and cooperation, while improving personal information protection technology, while providing soil for the free flow of cross-border data between my country and other countries , Thereby promoting the vigorous development of my country's Internet companies.

1.8

与GDPR对比

Comparison with GDPR

《个人信息保护法》第3条明确了域外适用的效力，即通过最密切联系原则确立了三项连结点，其与欧盟GDPR第3条中的指向性和监管性要求相类似。两部法案都对域外适用情况做了规定。相比而言，《个人信息保护法》在对域外适用范围的厘清和界定上较为模糊和保守，而GDPR的“属地+属人”原则更加凸显，将“属人”原则置于与“属地”同等的地位。

《个人信息保护法》第4条将“识别和关联”作为个人信息的定义方式，借鉴了欧盟GDPR的做法，明确了这部法律所调整的范畴，使得司法实践在对“个人信息”认定方面更为准确。但值得注意的是，《个人信息保护法》的主语是“个人信息”，而GDPR的主语采用了“data”，即“个人数据”。《个人信息保护法》采取的“纯定义”立法模式具有更大的开放性，赋予了具体司法实践中更大的司法解释空间。

在《个人信息保护法》中，涉及个人信息的相关方主要为个人信息主体、个人信息处理者和履行个人信息保护职责的部门。而GDPR除此之外，设立了数据保护官（DPO）一职。

《个人信息保护法》第8条与欧盟GDPR第五条第一款（d）项的规定较为类似，即要求个人信息处理的及时性及准确性。在商业运作中，要求企业及时更新个人信息，使得处理所得的数据较为精确。同时，从侧面也赋予了个人随时修改自身信息的权限。

Article 3 of the "Personal Information Protection Act" clarifies the validity of extraterritorial application, that is, three connection points are established through the principle of the closest connection, which is similar to the directive and regulatory requirements in Article 3 of the EU GDPR. Both bills provide for extraterritorial application. In contrast, the "Personal Information Protection Law" is more vague and conservative in clarifying and defining the scope of extraterritorial application, while the GDPR's "territorial plus personal" principle is more prominent, placing the "personal" principle in relation to the "territorial" principle. "Equal status.

Article 4 of the "Personal Information Protection Act" defines "identification and association" as the way to define personal information, draws on the practices of the EU GDPR, and clarifies the scope of adjustments in this law, so that judicial practice can identify "personal information" More accurate. However, it is worth noting that the subject of the "Personal Information Protection Law" is "personal information", while the subject of GDPR uses "data", that is, "personal data." The "pure definition" legislative model adopted by the "Personal Information Protection Law" has greater openness, giving more room for judicial interpretation in specific judicial practices.

In the "Personal Information Protection Law", the parties involved in personal information are mainly personal information subjects, personal information processors, and departments performing personal information protection duties. In addition to the GDPR, a data protection officer (DPO) was established.

Article 8 of the "Personal Information Protection Act" is similar to the provisions of Article 5 (1) (d) of the EU GDPR, which requires the timeliness and accuracy of personal information processing. In business operations, companies are required to update personal information in a timely manner, so that the processed data is more accurate. At the same time, from the side, individuals are also given the right to modify their own information at any time.