Continued Exploration of Data Compliance Practice in 2022: Commemorating the First Anniversary of the Implementation of the Personal Information Protection Law

Editor-in-Chief | Meng Jie (孟洁)
Executive Editors | Hou Yiyang (侯伊阳), Li Chenyu (李晨瑜), Jia Yibin (贾宜宾)
Preface

2022 marked the first anniversary of the formal implementation of the Personal Information Protection Law. Over this period, we were pleased to see that, through the joint efforts of regulators, personal information processors, personal information subjects and other parties, the provisions established by the Personal Information Protection Law on principles, legal bases, separate consent rules, personal information protection impact assessments, security protection mechanisms for outbound data transfers, and the rights of personal information subjects were put into place one after another and began to be implemented. In the course of fulfilling general compliance obligations, compliance obligations in special scenarios, and personal information protection obligations relating to special entities and special data subjects, personal information subjects gradually built personal information protection compliance systems for each organization's own business operations, yet they still face difficulties and challenges.

Among the personal information protection obligations relating to special entities and special data subjects, we paid particular attention to the three tiers of compliance obligations borne by special personal information processors acting as "gatekeepers": obligations concerning the construction of the platform, obligations to manage operators on the platform, and obligations to accept supervision by external third parties. As for the protection of children's personal information, against the broad background of the implementation of the Personal Information Protection Law and the Law of the People's Republic of China on the Protection of Minors (2020 Revision), China has given attention to the protection of children's personal information at both the legislative and the judicial level, and has imposed specific requirements on the relevant obligated parties across society.
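Since it formally took effect in 2017, the Cybersecurity Law saw its first revision in 2022. On the one hand, in the Decision on Amending the Cybersecurity Law of the People's Republic of China (Draft for Comment), the logic of the liability provisions for network operators and critical information infrastructure operators is tighter and clearer. On the other hand, the draft changes the legal liability provisions on personal information protection under the existing Cybersecurity Law into provisions that refer to other laws, and adjusts the range and types of penalties, with the maximum fine aligned with the penalty standard of the Personal Information Protection Law. This follows the latest legislative trend and further improves the legal liability regime for cybersecurity, data security and personal information protection.

In 2022, the Cybersecurity Review Measures formally took effect, specifying the entities to which cybersecurity review applies, how a review is initiated, the reviewing bodies, the review process, the key points of review, and the consequences of violations, so that the cybersecurity review regime was gradually put into place and improved. In June 2022, it was formally announced that a cybersecurity review had been launched into a well-known domestic academic journal database company; in July 2022, the Cyberspace Administration of China issued an administrative penalty decision against a domestic internet mobility platform on the basis of a cybersecurity review. The improvement of the regulations on cybersecurity review and the actual enforcement of administrative penalties drew wide attention from all sectors. Besides noting that network platform operators holding the personal information of more than 1 million users must apply to the Cybersecurity Review Office for a cybersecurity review before listing abroad, enterprises should likewise anticipate the risk that the procurement of network products and services by critical information infrastructure operators (CIIOs), and the data processing activities of network platform operators, affect or may affect national security. And where the Cybersecurity Review Office conducts a cybersecurity review ex officio, enterprises should prepare in advance and have a firm grasp of the process and timeline of the review.

The three mechanisms that safeguard cross-border data transfers, namely the security assessment for outbound data transfers, security certification of cross-border personal information processing activities, and the standard contract for outbound transfers of personal information, were further detailed in 2022. First, the implementation of the Measures for Security Assessment of Outbound Data Transfers specified the conditions that trigger a security assessment for outbound data transfers, as well as the specific steps and timetable for submitting one; the accompanying Guidelines for Applying for Security Assessment of Outbound Data Transfers (First Edition) gave the relevant entities further guidance on carrying out the assessment. Second, the Practice Guide for Cybersecurity Standards: Security Certification Specification for Cross-Border Processing of Personal Information V2.0, released by the National Information Security Standardization Committee in the final month of the year, compared with the Practice Guide for Cybersecurity Standards: Security Certification Specification for Cross-Border Processing of Personal Information released half a year earlier, aligns with the relevant content of the Measures for Security Assessment of Outbound Data Transfers and the Provisions on the Standard Contract for Outbound Transfers of Personal Information (Draft for Comment), and specifies the circumstances in which certification may be applied for, the eligible applicants, the specific requirements for application, and the rights of personal information subjects and the responsibilities and obligations of the relevant parties. Third, the Provisions on the Standard Contract for Outbound Transfers of Personal Information (Draft for Comment) set out the obligations that the domestic and overseas parties must each fulfil when transferring personal information across borders, with an emphasis on constraining the domestic party.

The National Information Security Standardization Committee published the Information Security Technology: Guidelines for Identifying Important Data (Draft for Comment), which set out the basic principles and factors for identifying important data. The guidelines serve as a reference for each industry, region and department in drawing up its own catalogue of important data, give enterprises practical guidance for identifying the important data they hold, and further support the work of protecting the security of the nation's important data. The Measures for Data Security Management in the Field of Industry and Information Technology (Trial), the Measures for the Administration of Cybersecurity in the Electric Power Industry, and the Measures for the Administration of Classified Cybersecurity Protection in the Electric Power Industry also formally took effect at the end of the year, setting more specific practical requirements for entities in the relevant industries to discharge their primary responsibility for data security and cybersecurity.

Authors: Meng Jie (孟洁) | Li Chenyu (李晨瑜)

In 2022, regulators including the industry and information technology authorities, the cyberspace authorities and the public security authorities continued to deepen their enforcement and supervision of Apps, with enforcement targets including Apps, SDKs and WeChat mini programs. In terms of enforcement frequency, over the whole of 2022 the Ministry of Industry and Information Technology carried out 6 batches of enforcement actions against Apps; some local communications administrations, such as the provincial-level communications administrations of Beijing, Zhejiang and Sichuan, carried out 5, 10 and 6 enforcement actions respectively. In November 2022, the Cyberspace Administration of China announced a large batch of non-compliant Apps at one time, of which 55 were removed from app stores and 80 were ordered to rectify within a time limit; some local cyberspace administrations, such as those of Hebei and Zhejiang, carried out 6 and 2 enforcement actions respectively in 2022. In addition, the National Computer Virus Emergency Response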