[BUPT International College, Year 3 Semester 2] Cybersecurity Law Week 4

Core PRC law: Personal Information Protection Law 2021 (PIPL)

Why does PIPL matter to business?

Operating within the law!

  • (GDPR-compliant companies have a head start here!)

Avoiding reputational damage

Penalties:

  • A66: Correction, confiscation of “unlawful income”
    • Failure to correct: fine for the company of up to RMB 1 million
    • Individuals directly responsible can be fined RMB 10k-100k
    • In “grave” circumstances – RMB 50 million / 5% of annual turnover, suspension or termination of business licence
    • In “grave” circumstances – individuals can be fined RMB 100k-RMB 1 million
  • A67 – a ‘name and shame’ approach
  • A69 – where the handler cannot prove lack of liability for infringements:
    • requirement to compensate loss
    • Based on loss to the individual and/or unjust enrichment
  • A70 – potential prosecution for breach

Oversight Bodies (A60-65)

At national & regional level

State Cybersecurity & Information Department at top level

Responsible for:

  • Guidance on law & compliance
  • Enforcement
  • Dealing with complaints from individuals
  • Creation of clear rules & standards for applying the PIPL
  • Support for R&D and adoption of privacy protection tech
  • Support for industry certification schemes

Scope of the PIPL:

  1. Within PRC borders (A3)
  2. Outside PRC borders (A3) where:
    • Purpose is to provide products or services into China
    • Analysis / assessment of Chinese citizens’ activities within the PRC (e.g. market research, targeted advertising)
  3. “natural persons” (A3)
    • Living people
      • (But special arrangements for sensitive handling of the deceased’s information – A49)
  4. Personal Information (A4)
    • “all kinds of information recorded by electronic or other means”
      • “related to identified or identifiable natural persons…”
  5. “identified or identifiable natural persons…”
    • Identifying from the information
    • Identifying from that information plus other information
  6. Exceptions?
    • “…not including information after anonymization handling.”
      • De-identification (the information alone) (A73)
      • Anonymisation (impossible to identify and restore) (A73)
    • The profiling problem…
      • If in doubt, treat as personal information
  7. Sensitive Personal Information (A28)
    • “…once leaked or illegally used, may easily cause harm to…”
      • personal dignity / privacy
      • Serious harm to personal or property security (e.g. use for fraud)
    • Includes:
      • Biometrics, religious belief, health records, finances, location tracking…
      • Personal information of minors under 14 years of age
      • Non-exhaustive list
  8. Additional safeguards; necessity.
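The A73 distinction, and the "information plus other information" test in A4, are easier to see in code. The following is an added example written for these notes, not material from the lecture slides or the statute: de-identification replaces direct identifiers with a keyed token that the handler can reverse through its own table, so the output is still personal information; anonymisation keeps only aggregates over groups of at least k subjects, so nothing can be identified or restored from the output. All names, ID numbers, the HMAC key and the k=2 threshold are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample records for the example; all names and ID numbers are invented.
RECORDS = [
    {"name": "Zhang Wei", "id_no": "110101199001011234", "city": "Beijing", "age": 34, "spend": 1200},
    {"name": "Li Na", "id_no": "310101198505053456", "city": "Shanghai", "age": 38, "spend": 800},
    {"name": "Wang Fang", "id_no": "110101199203037890", "city": "Beijing", "age": 31, "spend": 950},
    {"name": "Chen Jie", "id_no": "440101197812124567", "city": "Guangzhou", "age": 45, "spend": 2100},
]

# A second, constructed dataset the handler does not control (e.g. a public
# directory) that happens to share the quasi-identifiers city and age.
EXTERNAL = [
    {"name": "Zhang Wei", "city": "Beijing", "age": 34},
    {"name": "Wang Fang", "city": "Beijing", "age": 31},
    {"name": "Zhou Min", "city": "Shanghai", "age": 38},
    {"name": "Li Na", "city": "Shanghai", "age": 38},
]

# Hypothetical handler-held secret for the pseudonyms (an assumption of this example).
PSEUDONYM_KEY = b"example-key-not-for-production"


def pseudonymise(record, key=PSEUDONYM_KEY):
    """De-identification (A73): direct identifiers are replaced by a keyed token.
    Whoever holds the key (or the token table) can link the token back to the
    ID number, so the output remains personal information under A4."""
    token = hmac.new(key, record["id_no"].encode(), hashlib.sha256).hexdigest()[:16]
    out = {k: v for k, v in record.items() if k not in ("name", "id_no")}
    out["subject_token"] = token
    return out


def build_lookup(records, key=PSEUDONYM_KEY):
    """The token -> ID table that makes de-identification 'restorable'."""
    return {pseudonymise(r, key)["subject_token"]: r["id_no"] for r in records}


def reidentify(pseudonymised, lookup):
    """Identifying from the information plus other information held by the handler."""
    return lookup.get(pseudonymised["subject_token"])


def link_with_external(pseudonymised, external):
    """Identifying from the information plus other information held by someone
    else: quasi-identifiers left in the record may single out exactly one person
    in an external dataset even without the key. None means no unique match."""
    matches = [e for e in external
               if e["city"] == pseudonymised["city"] and e["age"] == pseudonymised["age"]]
    return matches[0]["name"] if len(matches) == 1 else None


def age_band(age, width=10):
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1}"


def anonymise(records, k=2):
    """Anonymisation (A73): only counts and totals over groups of at least k
    subjects leave; smaller groups are suppressed, so no individual can be
    identified or restored from the output, with or without the key."""
    groups = {}
    for r in records:
        groups.setdefault((r["city"], age_band(r["age"])), []).append(r["spend"])
    return {g: {"count": len(v), "total_spend": sum(v)}
            for g, v in groups.items() if len(v) >= k}


if __name__ == "__main__":
    lookup = build_lookup(RECORDS)
    for r in RECORDS:
        p = pseudonymise(r)
        print(p["subject_token"], "->", reidentify(p, lookup),
              "| external match:", link_with_external(p, EXTERNAL))
    print(anonymise(RECORDS))
```

Running it shows why the slides say "if in doubt, treat as personal information": the first pseudonymised record is re-identified both through the handler's own table and, with no key at all, through the external directory (the Shanghai record survives only because two external rows share its city and age). The anonymised output contains a single Beijing group and nothing about the other three people.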

Who has responsibilities?

Public & private sector application

Personal Information Handlers

  • Organisations / individuals who “autonomously decide handling processes”
    • Data controllers
    • Also responsible for the activities of processors
  • Any business collecting & using personal information is affected by this law

Key principles affecting businesses

Collection of personal information must be:

  • Legal, necessary & honest
  • Only collect information necessary for the intended use
  • Clarity (for the data subject)

Obligations to ensure:

  • Data integrity & security
  • Treatment and use in line with the law

Consent (A13-18)

  • Required for collection and use of individual data
  • Must be informed
  • Must be voluntary and explicit
  • Only applies to the specified purposes for which the information was collected (including entrusting information to sub-contractors)
  • May be withdrawn
  • If declined, service may only be refused if the information is necessary
  • Exceptions where provided by law, e.g. police investigation

Compliance: methods of compliant collection

By management and design

  • E.g. website design:
    • Clear privacy policy with a ‘tick box’ (opt-in) type requirement to progress
  • E.g. recorded message (telephone sign-up)
  • “using clear and easily understood language.”
  • Key information must be provided, including:
    • Name and details of the information collector
    • Purpose and duration of collection and use
    • Information about the exercise of data subject rights
  • Children’s consent (A31)
    • For under-14s, a parent or guardian must consent (age verification, service limitations)

Consent (A13-18): (I feel this could follow the earlier Consent section, but it sits under the Compliance heading, so I have put it here; it also serves as a more detailed explanation of some of the points above)

  • Requires careful management:
    • Not to exceed the clear purpose for which collected
    • Time limitation – not to be kept longer than needed for that purpose
  • Consent can be withdrawn:
    • Need to provide clear information on the process
      • E.g. account settings on website, dedicated email address, telephone number
    • Best practice: regular checks
      • E.g. requirement to re-confirm consent every few months or after a period of non-use of the service / not logging in
  • The business model and ‘necessity’ (incl. onward data sale)

Alternative to consent: necessity

  • Legal compliance
    • E.g. tax laws, criminal investigations
  • Fulfilment of contracts
    • Payment details, addresses (for distance selling)
  • Emergencies
    • E.g. health emergency, employee collapse at work
  • Public interest
    • Including “news reporting”
  • Information already put in the public domain

Further obligations for Personal Information Handlers

A22 Mergers, sale, company dissolution, bankruptcy et cetera:

  • Notification requirements re the PI to be transferred
  • New holder bound by original conditions absent further consent

A23 Transfer of personal information to another handler

  • Only with full, informed & voluntary consent

Automated decision-making (A24)

E.g. considering credit card applications

Must be transparent and fair

“unreasonable differential treatment of individuals in trading conditions” forbidden

  • E.g. offering different prices on an e-commerce site based on profiling of the individual

Must be a “convenient method to refuse” targeted advertising / offers

Individuals have a right to challenge & refuse automated decision-making


Additional rights for individuals

A44-A46: individuals’ right of control over their information, right of access and to obtain a copy, and portability

Right of control over their information

  • Includes right to limit/refuse (ref: consent)

Right of access and to be given a copy

  • Exceptions where provided by law
  • Must be provided “in a timely manner”

Information portability

  • PI handler must facilitate transfer, e.g. to a new service provider

Right to ensure information held about them is accurate

  • Includes right to have inaccuracies corrected

“Right to be forgotten”: information deletion

  • Where the purpose for which the information was collected has been achieved or is impossible to achieve, or the information is no longer necessary
  • Service or product no longer available
  • Consent withdrawn
  • Legally required retention period ended
    • If not ended but consent withdrawn, must cease use and only store & ensure security (same rule if deletion is “technically hard to realise”)
  • Personal Information Handlers found to have breached the rules
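The consent-management rules from the Compliance section (purpose limitation, withdrawal, periodic re-confirmation after a few months or after non-use) and the deletion rules just listed (cease use, but only store and secure while a legal retention period is still running) can be expressed as one small consent ledger. The following is an added example written for these notes, not code from the lecture or from any regulator; the 180-day and 90-day thresholds, the field names and the sample records are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Policy values are assumptions for the example, not figures from the PIPL.
RECONFIRM_EVERY = timedelta(days=180)   # re-confirm consent "every few months"
INACTIVITY_LIMIT = timedelta(days=90)   # re-confirm after a period of not logging in


@dataclass
class ConsentRecord:
    subject_id: str
    purposes: frozenset           # the specified purposes the subject agreed to
    reconfirmed_on: date          # date consent was given or last re-confirmed
    last_active: date             # last login / use of the service
    withdrawn_on: Optional[date] = None
    legal_retention_until: Optional[date] = None  # e.g. a tax-law retention period


def is_withdrawn(rec, today):
    return rec.withdrawn_on is not None and rec.withdrawn_on <= today


def needs_reconfirmation(rec, today):
    return (today - rec.reconfirmed_on > RECONFIRM_EVERY
            or today - rec.last_active > INACTIVITY_LIMIT)


def decide(rec, purpose, today):
    """What the handler may do with this subject's data for one purpose.
    Returns one of: 'refuse', 'store_only', 'delete', 'reconfirm', 'use'."""
    # Consent covers only the purposes specified at collection; entrusting the
    # data to a subcontractor is itself a purpose the subject must have agreed to.
    if purpose not in rec.purposes:
        return "refuse"
    if is_withdrawn(rec, today):
        # Consent withdrawn: cease use. Delete unless a legally required retention
        # period is still running, in which case only store and keep secure.
        if rec.legal_retention_until is not None and today < rec.legal_retention_until:
            return "store_only"
        return "delete"
    if needs_reconfirmation(rec, today):
        return "reconfirm"   # best practice: pause use until the subject re-confirms
    return "use"


def withdraw(rec, today):
    """Record a withdrawal (e.g. via account settings or the dedicated e-mail address)."""
    return ConsentRecord(rec.subject_id, rec.purposes, rec.reconfirmed_on, rec.last_active,
                         withdrawn_on=today, legal_retention_until=rec.legal_retention_until)


def sweep(ledger, purpose, today):
    """Periodic check over the whole ledger: subject_id -> required action."""
    return {rec.subject_id: decide(rec, purpose, today) for rec in ledger}


# Constructed sample ledger for the example.
TODAY = date(2024, 6, 1)
LEDGER = [
    ConsentRecord("u1", frozenset({"order_fulfilment", "marketing"}), date(2024, 1, 10), date(2024, 5, 20)),
    ConsentRecord("u2", frozenset({"order_fulfilment"}), date(2024, 1, 10), date(2024, 5, 20),
                  withdrawn_on=date(2024, 5, 1), legal_retention_until=date(2025, 1, 1)),
    ConsentRecord("u3", frozenset({"marketing"}), date(2024, 1, 10), date(2024, 5, 20),
                  withdrawn_on=date(2024, 5, 1)),
    ConsentRecord("u4", frozenset({"marketing"}), date(2023, 10, 1), date(2024, 5, 20)),
    ConsentRecord("u5", frozenset({"marketing"}), date(2024, 4, 1), date(2024, 1, 15)),
]

if __name__ == "__main__":
    for sid, action in sweep(LEDGER, "marketing", TODAY).items():
        print(sid, action)
```

The sweep for the "marketing" purpose returns `use` for u1, `refuse` for u2 (who never consented to marketing, although their withdrawn order-fulfilment consent still yields `store_only` because the assumed retention period runs to 2025), `delete` for u3, and `reconfirm` for u4 (consent older than 180 days) and u5 (no login for more than 90 days). Keeping the decision in one function also produces the record-keeping evidence the slides ask for later: every action taken on a subject's data can be logged with the rule that justified it.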


Right to request a clear explanation of the rules on handling of personal information (to ensure legal compliance)

  • Need for clarity: relevant to specific audiences, e.g. children, visually impaired…

Posthumous treatment of information

  • PIPL designed to protect living individuals
  • BUT (unless prior arrangements were made by the individual) rights on death can be exercised by next of kin
    • “for the sake of their own lawful, legitimate interests”
    • E.g. dealing with assets, closing accounts

Obligations for Personal Information Handlers

To establish mechanisms & processes to deal with individual requests re data rights

Must provide an explanation if a request is refused

  • Individuals entitled to file a lawsuit to challenge such refusal

Data security requirements

  • Clear information available on how information is stored, potential risks, and protections
    • Includes requirements for use of technological protections, regular staff training, clear operational limits [codes of conduct], incident response plans ready in advance
    • Dedicated protection staff (where the company handles volumes above quotas set by the State Cybersecurity & Informatisation Department)
    • Contact details for protection staff to be provided (incl. specific individuals)
    • International companies to whom PIPL applies must appoint a representative in the PRC
  • (Works in tandem with the Data Security Law 2021)

Regular review and audits of PI handling & compliance, including security provisions (e.g. encryption up to date)

In some circumstances there must be an impact assessment before information is collected

  • Sensitive PI, automated decision-making, using a subcontractor, sending PI outside China, or otherwise “major impact” on the data subject

Response to data leak: immediate remedial measures (based on existing processes)

Notification requirements

  • Government departments dealing with PI protection
  • Must include:
    • Information category, cause, potential harm
    • Measures taken to mitigate harm
    • Contact details
  • No need to notify individuals if it can be sure harm was avoided by the action taken
  • If harm may have been caused, must notify affected individuals

Providers of “important internet platform services… that have a large number of users and whose business models are complex…”

  • E.g. social media; scale/quantity of personal information
  • Additional requirements
    • Oversight bodies “composed mainly of outside members”
    • Public social responsibility reports

Working with other companies

Third-party subcontractors processing personal information must ensure data security

A20: where there is more than one PI handler

Clear agreement required on the division of rights and responsibilities

Individuals can still demand action re their rights from any one PI handler

Subcontractors (A21):

  • Can only be done with data subject consent
  • Must be an agreement setting out key issues, including:
    • Time limitations
    • Handling method
    • Types of personal information to be collected
    • Protection measures
    • Rights and duties of each side
  • Achievable by contractual agreement, binding corporate rules, etc.
  • Legal responsibility for oversight remains with the PI handler

Cross-border operations (A38): transferring data out of China for processing and use elsewhere

  • Data localisation
    • May only export data where “truly necessary”
  • Must fulfil one of the following:
    • Pass a State Cybersecurity & Informatisation Dept security assessment
    • Certification by a specialised body recognised by the C&I Dept
    • Standard contractual terms provided by the C&I Dept
    • Other conditions set out in law / regulation / by the C&I Dept
  • OR – data export to a company in a country whose law China recognises
  • NB: exporter liable to ensure compliance
  • Compliance strategies:
    • Training
    • Oversight (legal advice)
    • Contract: get everything in writing!
    • Pay close attention to C&I Dept advice

Consent of the data subject is required (A39)

  • All standard consent requirements apply (fully informed, et cetera)
  • All details must be provided to permit full exercise of data subject rights

“Critical information infrastructure operators and PI handlers [who meet set data quotas]” must store information within the PRC (A40)

  • State C&I Dept to oversee
  • Unless a standard arrangement is in place with the destination country, there must be a specific security assessment

National security issues (A41): only to authorised bodies

  • Personal information stored in the PRC may only be provided to foreign judicial or law enforcement agencies where PRC authorities have granted permission

Blacklist provision (A42)

  • If foreign organisations or individuals violate PRC law on information protection or harm national security, the State C&I Dept can add them to a list requiring their access to Chinese PI to be limited or prohibited

Key practical advice for compliance (hinted to be the key part!!!)

  1. If in doubt, treat it as personal information
    • The profiling question (especially online)
  2. Informed consent is king
    • Invest in ensuring consent is properly acquired
      • Web design, training of telephone staff
      • Clearly explained privacy policies with appropriate attention drawn
      • Recording for telephone (or a script)
    • Consent trumps necessity!
  3. Sensitive personal data
    • Easier to avoid where possible
    • Extra care, only process where strictly necessary
  4. If children are the target market or among it:
    • Remember all under-14s’ data is sensitive
      • Parental consent requirements
      • Age verification – citizenship number, credit card…
      • Need extra flagging – website design, telephone procedure.
  5. Consent is an ongoing process, and can be withdrawn
    • Need for regular dialogue with the user (e.g. cookie warnings and regular reminders)
  6. Facilitating user rights
    • Key contact details available, specialist staff where appropriate
    • Proper internal organisation & processes
    • Website design and access
    • Procedure in place for posthumous dealing with data, deletion whenever appropriate
  7. Data security
    • Comply with all guidance from regulatory authorities
    • Ensure encryption, firewalls et cetera are kept up to date
    • Procedures in place for handling a data leak should one arise
    • Prevention better than cure!
  8. Working with others
    • Individual consent
    • The liability rules and importance of trusted partners
      • Oversight responsibilities
      • Importance of clear (written) rules
    • Transfer of personal information outside China
      • Ensure compliance with data localisation rules
      • Necessity: not just convenience or cost-saving
      • Informed consent
      • Clear contractual agreements
        • May help with liability questions even where the law is recognised by the PRC
  9. Clear record keeping!
    • Information sent to customers, security procedures, actions in the event of a breach, audit requirements, dealing with individuals, showing all the rules were followed…
    • Evidence matters!

Protection of Communications Privacy in Postal Law

Postal Law of China, Article 4:

Freedom and privacy of correspondence shall be protected by law. No organization or individual shall infringe the freedom and privacy of correspondence of other persons for any reason, except when the inspection of correspondence in accordance with legal procedures by the public security organ, the State security organ or the procuratorial organ is necessary for the State’s safety or the investigation of a criminal offence.

Protection of personal information in Chinese Criminal Law

China’s Criminal Law, Article 252:

“[t]hose infringing upon the citizen’s right of communication freedom by hiding, destroying, or illegally opening others’ letters, if the case is serious, are to be sentenced to one year or less in prison or put under criminal detention.”

Article 284: Whoever unlawfully uses any special equipment or devices for eavesdropping or secret photographing, if the consequences are serious, shall be sentenced to fixed-term imprisonment of not more than two years, criminal detention or public surveillance.

Article 253(A) of the Criminal Law:

“where any staff member of a state organ or an entity in such a field as finance, telecommunications, transportation, education or medical treatment, in violation of the state provisions, sells or illegally provides personal information on citizens, which is obtained during the organ’s or entity’s performance of duties or provision of services, to others shall, if the circumstances are serious, be sentenced to fixed-term imprisonment not more than three years or criminal detention, and/or be fined.”

“whoever illegally obtains the aforesaid information by stealing or any other means shall, if the circumstances are serious, be punished under the preceding paragraph.”

“where any entity commits either of the crimes as described in the preceding two paragraphs, it shall be fined, and the direct liable person in charge and other directly liable persons shall be punished under the applicable paragraph.”


Communications Privacy in China

Article 7, Measures for Security Protection Administration of the International Networking of Computer Information Networks in the People’s Republic of China:

Users’ freedom of communication and communications secrecy are protected by law. No unit or individual shall use the international networking to infringe on users’ freedom of communication and communications secrecy in violation of the provisions of law.

Article 18 of the Implementation Rules for Provisional Regulations of the Administration of International Networking of Computer Information in the People’s Republic of China:

It is prohibited to infringe on the privacy of others by accessing computer systems without authorization, tampering with the information of others or sending information in the name of others.


Measures for the Administration of Internet E-mail Services 2006

Protects Chinese citizens’ privacy of correspondence in using Internet e-mail services.

No organization or individual should infringe upon any citizen’s privacy of correspondence

Public Security Organ or Prosecutorial Organ can inspect the contents of correspondence pursuant to the procedures prescribed in law when required by national security or investigation of crimes

Obligations on Email Providers

Internet e-mail service provider obliged to keep confidential the user’s personal registered information and Internet e-mail addresses

Internet e-mail service provider or any of its employees should not illegally use any user’s personal registered information or Internet e-mail address, and should not divulge the user’s personal registered information or Internet e-mail address without the consent of the user.

  • Email services must comply with technical specifications established by the MII
  • Anonymous email forwarding must be prevented by disabling open relays
  • Security management is required, and remedial measures must be immediately undertaken when network security flaws are discovered
  • Service providers must maintain copies of all emails sent and received, as well as the email addresses and IP addresses of senders/receivers, for at least 60 days
    • cf. European ePrivacy Directive (similarities with GDPR?)
      • Provisions on retention of traffic data

Penalties for breach

Fines of up to RMB 30,000 per occurrence and, in severe cases, criminal prosecution.


Reporting Obligations

Establishment of a Complaint and Handling Centre for Email Abuse

Anti-Spam Provisions

Labelling obligation

  • Advertising emails must be clearly labelled ‘AD’ (or the Mandarin characters) in the subject line

Opt-in consent to receiving advertising email

  • Unsolicited advertising emails forbidden

Prohibited activities

  • Sending email from someone else’s computer without authorisation
  • Email harvesting
  • Selling, sharing or distributing harvested emails
  • Anonymous / mislabelled emails

Content restrictions

  • Certain email content forbidden, including: state secrets, hate speech, defamation, obscenity, pornography, gambling, violence, incitement to criminal activity.

Prohibitions on hacking, theft of others’ information on a network, spreading viruses, attacks on network security

Disclosure online permissible if:

  • Consent in writing
  • Disclosure is necessary in the public interest
  • Educational or scientific entity makes disclosure in the public interest, for academic research, or for statistical analysis
    • with consent in writing to publication AND
    • publication will not identify the individual
  • Information already made public, online or otherwise*
  • Personal information legitimately obtained*
  • *Disclosure in these categories is still subject to civil liability if against the public interest or public morality, or if publication causes harm to the subject.

IISPs & Personal Information

Core law: “Several Provisions on Regulating the Market Order for Internet Information Services” 《关于规范互联网信息服务市场秩序的若干规定》

Article 11: user consent to collection of personal information

User consent required for:

  • Collection of personal data
  • Disclosure to a third party
  • Subject to exceptions provided for by law / administrative regulation

Once consent obtained:

  • Clear information to the user on how data will be collected / processed, & what personal data is collected

Collection limited:

  • Only data necessary to provide the service
  • Use restriction

Article 12: protection of information

Website operators: duty to protect information

Leakage must be reported to the local telecommunications authority if it may cause “serious consequences”

Article 13: user rights over their information; operators must protect information

User rights to use / modify / delete information they upload

Operators may not modify or delete information without legitimate reason

Operators may not disclose or transfer without user consent

User consent must be genuine – no deception, coercion or misleading

Article 14: complaints

Complaints procedure

  • Clear contact information for the operator on the website; 15-day response period

Articles 15-18: penalties

  • RMB 10,000-30,000
  • Telecommunication authorities empowered to make public announcement of wrongdoing

Provisions on Telecommunication & Internet User Personal Information Protection 2013

Article 4 – ‘Personal information’

Information relating to individuals, collected by telcos and IISPs in the course of service provision

  • Includes name, DOB, ID no., address, phone, account info, passwords and other info that can be used separately or with other information to identify an individual.
  • Includes log details

Article 5: lawful collection of information

Collection must be legal, proportionate, necessary

Though note other laws require retention for security purposes

Article 9: consent requirement

No mention of opt-in/out, BUT 2013 Guidelines suggest opt-in for sensitive personal information (e.g. religious details)

Further requirements throughout for transparency

  • INFORMED consent

Guidelines for the Supervision of IT Outsourcing Risks of Banking Financial Institutions (2014)

Applies to all banks & finance institutions established in the PRC (A2)

Designed to regulate outsourcing (A3)

  • E.g. a bank hires a subsidiary company to run a customer-service call centre

Banks must guarantee confidentiality of “client information” (A15)


Consumer Protection Law

Aims (Article 1)

Consumer protection

And to promote “development of the socialist market economy”

  • cf. EU Digital Single Market strategy

Scope (Article 3)

Consumer transactions

  • “Proprietors producing or selling goods to provide to consumers…”

Mix of obligations for sellers and rights for consumers

Consumers – “right to have their personal information protected” (A14)

SAIC: Measures for the Punishment of Conduct Infringing the Rights and Interests of Consumers 《侵害消费者权益行为处罚办法》

Article 11: definition of consumer personal information

List of forbidden actions re infringement of consumer privacy in personal information

“Consumer personal information” = “information collected by an enterprise operator during the sale of products or provision of services, that can, singly, or in combination with other information, identify a consumer.”

  • Specific examples of “consumer personal information” – “name, gender, occupation, birth date, identification card number, residential address, contact information, income and financial status, health status, and consumer status”.

Forbidden activities (see A29):

  • Collection & use without consent
  • Disclosure, sale or illegal transfer to third parties
  • Commercial communications (SPAM) where either there is no consent or a clear indication it is not wanted

Obligations (see esp. A29):

  • Lawfulness, rationality, necessity
  • Expressly state purpose, method, scope of collection & use
  • Security (and duty to act if breached)
  • Publicise privacy policy
  • Observe additional laws and/or contractual obligations

Penalties – Article 56

  • Confiscation of illegal gains
  • Fine of up to 10 × the illegal gain or, if none, up to RMB 500,000
  • Closure of business for remediation or revocation of business licence
  • Potential civil liabilities


China’s eCommerce Law

Article 24: clearly state procedures

E-commerce businesses must:

  • Clearly state methods / procedures to facilitate individuals to:
    • Make enquiries about what information is held about them
    • Correct wrong information
    • Delete user information where requested
    • De-register user accounts (no unreasonable conditions to be applied)

Article 25: providing information

Provide information to relevant authorities on request

  • Criminal investigation, et cetera
