互联网企业个人信息保护测评标准
Evaluation Standard for Internet Enterprises’ Protection of Personal Information
(中国科学技术法学会 北京大学互联网法律中心)
China Law Association on Science and Technology
Institute for Internet Law, Peking University
正式版 v.1.0
Official Version v.1.0
目录
Contents
一、宗旨
I. Objectives
二、依据
II. Basis
三、定义
III. Definitions
1. 互联网企业
1. Internet Enterprises
2. 初始方、关联方、第三方
2. Initial Parties, Related Parties and Third Parties
3. 用户
3. Users
4. 个人信息
4. Personal Information
5. 处理
5. Processing
6. 同意、明示同意、默示同意
6. Consent, Express Consent, Implied Consent
7. 实质性修改
7. Substantial Revision
四、基本原则
IV. Basic Principles
1. 知情同意原则
1. Informed Consent Principle
2. 合法必要原则
2. Legitimate and Necessary Principle
3. 目的明确原则
3. Purpose Specification Principle
4. 个人控制原则
4. Individual Control Principle
5. 信息质量原则
5. Information Quality Principle
6. 安全责任原则
6. Safety Responsibility Principle
五、指标体系
V. Indicator System
1. 知情同意
1. Informed Consent
2. 收集
2. Collecting
3. 加工
3. Handling
4. 使用
4. Using
5. 转移
5. Transferring
6. 个人控制
6. Individual Control
7. 政策修改
7. Policy Revision
8. 安全责任
8. Safety Obligations
9. 特殊领域的个人信息
9. Personal Information in Special Fields
六、实现机制
VI. Implementation Mechanism
1. 机构测评
1. Institutional Evaluation
2. 企业参与
2. Enterprises’ Participation
3. 用户监督
3. Users’ Supervision
七、附件
VII. Appendix
一、宗旨
I. Objectives
本标准的制定是为了贯彻《全国人民代表大会常务委员会关于加强网络信息保护的决定》《消费者权益保护法》《电信和互联网用户个人信息保护规定》《网络交易管理办法》等与个人信息保护相关的规范性法律文件,维护用户合法权益并规范互联网企业的个人信息处理行为,以实现产业良性发展中个人信息保护与利用的平衡。
This Standard is formulated to implement the rules and regulations for the protection of personal information, as stipulated in Decision of the Standing Committee of the National People's Congress on Strengthening Network Information Protection (DNIP), Law of the People's Republic of China on the Protection of Consumer Rights and Interests (CPL),Provisions on Protecting the Personal Information of Telecommunications and Internet Users (PIPP) and Measures on the Administration of Online Transactions(OTM); to maintain the legitimate rights and interests of users and to regulate the conduct of Internet-related enterprises in processing personal information in realizing the balance between the protection and utilization of personal information in a sound industry development.
测评标准通过对互联网企业义务的具体规定,致力于在现有规范性法律文件的基础上,建立有效的用户个人信息保护实践机制,一方面推动互联网企业构建合规的个人信息保护机制,另一方面实现用户在个人信息方面合法权益的保障。
Through substantive stipulations, this Standard strives to establish, on the basis of existing legal regime, an effective and practical mechanism for the protection of personal information, to promote a compliant personal information protection mechanism of an Internet enterprises and the security of legitimate rights and interests of users in personal information.
二、依据
II. Basis
本标准依据《全国人民代表大会常务委员会关于加强网络信息保护的决定》《消费者权益保护法》《电信和互联网用户个人信息保护规定》《网络交易管理办法》,参照OECD《关于保护隐私和个人数据跨国流通的指导原则》、APEC《隐私保护纲领》、《公共及商用系统个人信息保护指南》等国内外个人信息保护领域相关文件,结合我国互联网产业发展现状制定。
This Standard is formulated in accordance with DNIP, CPL, PIPP and OTM, with reference made to domestic and overseas instruments on personal information protection, such as the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, APEC Privacy Framework, Guidelines on Personal Information Protection in Public and Commercial Systems, together with and taken into consideration of the existing Chinese domestic of Internet industrial development.
三、定义
III. Definitions
标准所涉及的术语定义如下:
The terms referred to in this Standard are defined as follows:
1. 互联网企业
1. Internet enterprises
互联网企业是指利用信息网络向用户提供技术服务或内容服务的过程中处理个人信息的组织实体。“信息网络”包括以计算机、电视机、固定电话机、移动电话机等电子设备为终端的计算机互联网、广播电视网、固定通信网、移动通信网等信息网络,以及向公众开放的局域网络。
An Internet enterprise means an personal information processing organization which provides technological or content services to users via information network. An “Information Network” includes an inter-connecting network of computers, a broadcast network, fixed communication network, or mobile communication network and a local area network open to the public with computers, televisions, fixed-line telephones, mobile telephones and other electronic devices as terminals.
2. 初始方、关联方、第三方
2. Initiating Party, Related Party and Third Party
初始方是指在提供技术服务或内容服务过程中直接向用户收集个人信息的互联网企业。
An initiating party means an Internet Enterprise that collects personal information from its users directly in the process of providing technological or content services.
关联方是指与特定初始方有控制关系,且其个人信息保护政策与初始方不存在实质性差异的互联网企业。“控制”是指有权以股权决定一个互联网企业的财务和经营政策,并能据以从该互联网企业的经营活动中获取利益。
A related party means an Internet Enterprise having a controlled relationship with a particular Initiating Party, whose policy on the protection of personal information bears no substantial difference with the Initiating Party. “Controlled” means an Internet Enterprise having the authority to dictate the financial and operational policies of an Internet Enterprise with stockholding right, and to obtain (economic or non-economic commercial) gain from an Internet enterprise’s operational activities.
第三方是指未直接向用户收集个人信息,但从初始方或关联方处获取个人信息的组织实体或自然人。
A third party means an organization or a natural person who does not collect personal information directly from users, but acquires such information from an Initiating Party or a Related Party.
3. 用户
3. Users
用户是指使用互联网企业提供的服务并可通过个人信息识别的自然人。本标准中所称的“未成年人”是指未满18周岁的限制民事能力人或无民事行为能力人。
A user means a natural person who uses services provided by an Internet Enterprise and can meet the personal information identification requirement. A “minor” in this Standard means a person under 18 years old with limited or no capacity for civil conducts.
4. 个人信息
4. Personal Information
个人信息是指能够切实可行地单独或通过与其他信息结合识别特定用户身份的信息或信息集合,如姓名、出生日期、身份证件号码、住址、电话号码、账号、密码等。
Personal information means information or collection of information capable of identifying, used individually or in combination with other information, the identity of a specific user, such as name, date of birth, national identification account numbers, address, phone number, account, or passwords, among other information.
本标准不适用于经不可逆的匿名化或去身份化处理,使信息或信息集合无法合理识别特定用户身份的信息。
This Standardshall not apply to information being irreversibly anonymizatized or de-identified by which no information or collection of information can reasonably identify the user.
5. 处理
5. Processing
处理是指互联网企业对用户个人信息的收集、加工、使用、转移行为,其中:
Processing means the collection, handling, using and transferring of a User’s personal information by an Internet Enterprise.
收集是指获取并保存个人信息的行为。
Collection means the acquisition and preservation of Personal Information.
加工是指将收集的个人信息进行自动化系统操作以满足使用、转移需要的行为。
Handling means the act of automatic system processing on the Personal Information being collected to satisfy the need for utility and transferring.
使用是指利用个人信息提供技术服务或信息服务,依据个人信息作出决策,以及向公众公开或向特定群体披露个人信息的行为。
Use means the act of providing technological or information services with Personal Information, rendering decisionswith Personal Information, and disclosure of Personal Information to the public or a specific group.
转移是指将个人信息传输给关联方或第三方的行为。
Transfer means the act of transmitting Personal Information to a Related Party or a Third Party.
6. 同意、明示同意、默示同意
6. Consent, Express Consent, Implied Consent
同意是指用户以其积极、肯定的意思表示,或以其自愿使用服务的行为,表达对互联网企业处理其个人信息的认可。其中:
Consent means the positive and affirmative expression of the user, or the user’s voluntarily act of using the services, to accept the processing of personal information by an Internet Enteprise, of which:
明示同意是指用户以其积极、肯定的意思表示认可互联网企业处理其个人信息。
Express consent means the positive and affirmative expression of acceptance for ane Internet enterprise’s processing of Personal Information.
默示同意是指用户以其自愿使用服务的行为认可互联网企业处理其个人信息。
Implied consent means the user’s voluntarily use of services as an acceptance of an Internet enterprise’s processing of Personal Information.
除经特别说明,本标准中的同意指默示同意。
Unless otherwise stated, the consent in this Standard refers to implied consent.
7. 实质性修改
7. Substantial Revision
实质性修改是指互联网企业对其在个人信息保护政策中承诺的、与个人信息处理有关的用户权利或互联网企业义务的减少。
Substantial revision means the reduction of the user’s rights or an internet enterprises’ obligations concerning the processing of personal information as agreed to by an Internet enterprises in its personal information protection policies.
四、基本原则
IV.Basic Principles
1. 知情同意原则
1. Principle of informed consent
除法律规定的情形外,互联网企业应充分告知用户有关个人信息处理的重要事项,并在告知的基础上获得用户的明示同意或默示同意。
Unless otherwise stipulated by laws, an Internet Enterprise shall sufficiently inform the Users of important items concerning the processing of Personal Information, and acquire the User’s express consents or implied consents on the basis of such information.
2. 合法必要原则
2. Principle of legitimacy and necessity
互联网企业处理个人信息的方式应符合法律规定,并仅处理为实现正当商业目的和提供网络服务所必需的个人信息。
An Internet Enterprise shall process Personal Information in a manner that complies with the laws and regulations, as well as only for the realization of appropriate commercial goals and for the necessity of providing network services.
3. 目的明确原则
3. Principle of definitive purposes
互联网企业处理个人信息应具有合法、正当、明确的目的,不得超出目的范围处理个人信息。
The processing of personal information by an Internet enterprise shall have legitimate, reasonable and definitive purposes, and shall not exceed the scope of such purposes.
4. 个人控制原则
4. Principle of individual control
用户有权查询个人信息,有权对其个人信息进行修改、完善、补充。
Any user shall have the right to inquire hi/her personal information, and the right to revise, complete and supplement such information.
5. 信息质量原则
5. Principle of information quality
互联网企业应为用户查询、更正其个人信息提供必要渠道,以保障个人信息的准确、完整、及时。
An Internet enterprise shall provide necessary channel(s) to its Users to inquire and correct personal information to assure the accuracy, completion and timeliness of the information.
6. 安全责任原则
6. Principle of security
互联网企业应采取必要的管理措施和技术手段,保护个人信息安全,防止未经授权检索、公开、丢失、泄露、损毁和篡改个人信息。
An Internet enterprise shall take necessary management measures and technological steps to safeguard all personal information, and to prevent unauthorized retrieval, publication, misplacement, disclosure, destruction and manipulation of such information.
五、指标体系
V. Indicator System
1. 知情同意
1. Informed Consent
1.1 互联网企业在收集个人信息前应以个人信息保护政策如实告知用户个人信息处理相关事项,包括但不限于:
1.1 An Internet enterprise shall honestly inform its users, prior to collecting personal information, the related matters concerning the processing of personal information protection policies, which includes but not limited to:
a) 收集个人信息的目的、方式、范围;
the purpose, methods and scope of personal information collection;
b) 加工、使用、转移个人信息的目的、方式、范围;
the purpose, methods and scope of the processing, using and transferring of personal information;
c) 互联网企业的名称、地址、联系方式和用户投诉机制;
the name, address, contact information and user complain mechanism of an Internet enterprise;
d) 用户查询、修改个人信息的渠道;
the channels for users to inquire and correct personal information;
e) 用户拒绝提供个人信息可能出现的后果;
the possible consequences of a user’s refusal to provide personal information;
f) 企业个人信息安全管理制度和个人信息安全保护措施。
the personal information safety management mechanisms and safety protection measures of an Internet enterprise.
1.2 互联网企业应在网站、软件或服务的适当位置公开其个人信息保护政策,并以适当方式提醒用户注意相关政策并告知不同意个人信息保护政策的可能后果。
1.2 An Internet enterprise shall publicize its personal information protection policy at an appropriate position on its website, software or services, appropriately remind its users of the relevant policies and inform them of the likely consequences of refusing to agree with the personal information protection policy.
在互联网企业履行其告知义务后,用户开始或持续使用技术服务或内容服务的行为视为同意互联网企业处理其个人信息。
Having fulfilled its notification obligation, an Internet enterprise may consider a user’s commencement or continuing use of technological or content services as consent to process the user’s personal information.
2. 收集
2. Collection
2.1 互联网企业收集个人信息应有合法、正当、明确的目的,不得超出目的范围收集个人信息。
2.1 The collection of personal information by an Internet enterprise shall have legitimate, reasonable and definitive purposes, and shall not exceed the scope of such purposes.
2.2 互联网企业应明确告知收集个人信息的手段,并确保相关手段合法、正当。
2.2 An Internet enterprise shall expressly inform its Users the methods of collect personal information, and ensure that the relevant methods are legitimate and reasonable.
2.3 互联网企业应明确告知收集个人信息的种类,并仅收集为实现正当商业目的和提供网络服务所必需的个人信息。
2.3 An Internet enterprise shall expressly inform its Users the kinds of personal information being collected, and only collect what is necessary to realize appropriate commercial purpose and to provide network services.
2.4 除有以下特殊情况,互联网企业收集个人信息的行为超出告知的目的、方式、范围,应以合理形式告知用户并获得用户的明示同意:
2.4 Except under the following special circumstances, an Internet enterprise shall inform its users in a reasonable manner and obtain their express consent if the collection of personal information should exceed the purpose, method and scope of the notification:
a) 法律法规特别规定,如维护公共安全、紧急避险等;
Where the laws or regulations provide special stipulation, such as maintaining public safety or in an act of rescue;
b) 行政机关依据法律作出的强制行为;
Where an administrative agency has taken a mandatory action in accordance with the law;
c) 司法机关依据法律作出的决定、裁定或判决。
Where a judicial body has issued a decision, ruling or judgment in accordance with the law.
3. 加工
3. Handling
3.1 互联网企业应在收集前告知的目的和范围内加工个人信息,并采取必要的措施和手段保障个人信息在加工过程中的安全。
3.1 An Internet enterprise shall handle personal information within the purpose and scope of the notification isued before collecting such information, and take necessary measures and steps to safeguard the personal information during the handling process.
3.2 除有以下特殊情况,互联网企业超出收集时所告知的目的和范围加工个人信息,应以合理形式告知用户并获得用户的明示同意:
3.2 Except under the following special circumstances, an Internet enterprise shall inform its users in a reasonable manner and obtain their express consent if the handling of personal information should exceed the purpose and scope of the notification:
a) 法律法规特别规定,如维护公共安全、紧急避险等;
Where the laws or regulations provide special stipulation, such as maintaining public safety or in an act of rescue;
b) 行政机关依据法律作出的强制行为;
Where an administrative agency has taken a mandatory action in accordance with the law;
c) 司法机关依据法律作出的决定、裁定或判决。
Where a judicial body has issued a decision, verdict ruling or judgment in accordance with the law.
4. 使用
4. Use
4.1 互联网企业应在收集前告知的目的和范围内使用个人信息,并采取必要的措施和手段保障个人信息在使用过程中的安全。
4.1 An Internet enterprises shall use the personal information within the purpose and scope of the notification issued before the collection of such information, and shall take necessary measures and steps to safeguard the personal information during using.
4.2 除有以下特殊情况,互联网企业超出收集时所明确告知的目的和范围使用个人信息,应以合理形式告知用户并获得用户的明示同意:
4.2 Except under the following special circumstances, an Internet enterprise shall inform its users in a reasonable manner and obtain their express consent if the using should exceed the purpose and scope of the notification:
a) 法律法规特别规定,如维护公共安全、紧急避险等;
Where the laws or regulations provide special stipulation, such as maintaining public safety or in an act of rescue;
b) 行政机关依据法律作出的强制行为;
Where an administrative agency has taken a mandatory action in accordance with the law;
c) 司法机关依据法律作出的决定、裁定或判决。
Where a judicial body has issued a decision, ruling or judgment in accordance with the law.
5. 转移
5. Transfer
5.1 互联网企业向关联方转移个人信息,应列举关联方具体情况并告知用户关联方处理个人信息的情况。
5.1 When transferring personal information to a related party, an Internet enterprise shall list the substantive condition of the related party and inform its Users of the related party’s state of personal information processing.
5.2 除有以下特殊情况,互联网企业向第三方转移个人信息,应告知用户并征得用户的明示同意:
5.2 Except under the following special circumstances, an Internet enterprise shall inform its users and obtain their express consent before personal information is transferred to a third party:
a) 法律法规特别规定,如维护公共安全、紧急避险等;
Where the laws or regulations provide special stipulation, such as maintaining public safety or in an act of rescue;
b) 行政机关依据法律作出的强制行为;
Where an administrative agency has taken a mandatory action in accordance with the law;
c) 司法机关依据法律作出的决定、裁定或判决。
Where a judicial body has issued a decision, ruling or judgment in accordance with the law.
6. 个人控制
6. Individual Control
6.1互联网企业应为用户提供独立操作机制,实现用户对个人信息的控制。
6.1 An Internet enterprises shall provide its users with individual operation mechanism to realize the user control over personal information.
6.2 互联网企业应为用户提供个人信息查询、修改的渠道。
6.2 An Internet enterprise shall provide its users with means to retrieve and revise personal information.
6.3 互联网企业应为用户提供注销账号或号码的渠道。
6.3 An Internet enterprise shall provide its users the means to cancel accounts or numbers.
7. 政策修改
7. Policy Revision
7.1 互联网企业应根据规范性法律文件和企业实践及时更新其个人信息保护政策。
7.1 An Internet enterprise shall timely update its personal information protection policy in accordance with the stipulated legal documents and business practices.
7.2 互联网企业实质性修改其个人信息保护政策,应以显著方式告知用户修改的内容,并告知用户不接受的后果及相应的解决机制。
7.2 If the personal information protection policy should be substantially revised, an Internet enterprise shall conspicuously inform its users of the content of revision and inform them of the likely consequences of refusing to agree with the relevant resolution mechanism.
7.3 互联网企业非实质性修改其个人信息保护政策,应以适当方式告知用户修改的内容。
7.3 If the personal information protection policy should be revised non-substantially, an Internet enterprise shall inform its users of the content of revision in an appropriate manner.
8. 安全责任
8. Safety Obligations
8.1 互联网企业应建立个人信息管理责任制度,落实个人信息管理责任,加强个人信息安全管理,规范个人信息处理活动。
8.1 An Internet enterprise shall establish a mechanism for personal information management, to strengthen management, and regulate the processing activities of personal information.
8.2 互联网企业应采取必要的技术措施和手段保护个人信息安全,包括但不限于:
8.2 An Internet enterprise shall take necessary technological measures and steps to safeguard personal information, including, but not limited to:
a) 建立完善的内部合规管理部门,设立并任命首席隐私官或相关管理人员;
Establishing a comprehensive internal management department for compliance, installing and appointing a Chief Privacy Officer or related managing staff;
b) 采用法律强制或业界通行的技术手段对用户个人信息进行加密;
Adopting legally mandatory or commercially prevalent technologies to add encryption to users’ personal information;
c) 采取法律强制或业界通行的技术手段对用户个人信息进行匿名化或去身份化处理,并使处理后的信息不可逆及不能用于识别个人身份;
Adopting legally mandatory or commercially prevalent technologies to anonymize or de-indentify the users’ personal information so that the processed information may not be used reversibly to identify an individual’s identity;
d) 在提供服务过程中,以技术手段保证用户对他人未经授权实施的个人信息侵害行为采取防御行为。
Taking defensive actions against unauthorized act that infringes its users’ personal information with technological steps while providing services.
9. 特殊领域的个人信息
9. Personal Information in Special Areas
9.1 互联网企业应规定未成年人个人信息处理的特殊措施,如仅在征得其监护人的明示同意前提下处理其个人信息,或一旦明知其为未成年人,在未征得监护人明示同意时停止处理其个人信息。
9.1 An Internet enterprise shall stipulate special measures on processing the personal information of a minor, such that personal information may be processed only after obtaining the express consent from his/her legal guardian, or the processing of personal information shall be halted once the Internet enterprise becomes aware of the status of a minor and prior to obtaining the express consent of his/her legal guardian.
9.2 互联网企业处理用户精确地理位置信息,应对用户作出明确告知,并在第一次收集用户精确地理位置信息前,以合理方式对用户作出即时通知及征得用户的明示同意,并为用户提供终止处理其精准地理位置信息的选择机制。
9.2 For the processing of information concerning the precise geographical location of its users, an Internet enterprise shall expressly inform its users, give timely notice to them in a reasonable manner and get their express consent before making the first collection of such information, provided that option shall be provided for users to terminatethe processing of their precise geographical location.
精确地理位置信息是指通过用户所使用的设备获取的,用于及时识别或描述用户在某一特定时间点误差小于1公里的实际物理位置的信息。
Precise geographical location means information of the physical location of a user acquired via the device of that user having a marginal error of less than 1 kilometer at a certain specific time.
六、实现机制
VI.Implementation Mechanism
1. 机构测评
1. Institutional Evaluation
本测评标准的发布机构将组建测评机构,测评机构由相关领域的政产学研各界人士组成。
The issuing organization of this Standard shall establish an evaluationagency which comprises of representatives from relevant governmental authorities, industries, universities and research institutions.
测评机构将以标准为依据主动对本标准适用范围内的互联网企业进行测评,测评对象为互联网企业设置的个人信息保护政策以及与个人信息保护相关的实践做法,包括服务或软件设置、典型步骤等。测评机构将以定期或不定期报告的方式发布测评结果。
The evaluation agency shall, motu proprio, evaluate an Internet enterprisein accordance withthis Standard concerning the personal information protection policy of the Internet enterprise and practices related to such protection, including services or installation of software, typical procedures, among other things. The evaluation shall publish periodic or out-of-cycle evaluation reports of its findings.
测评机构将适时发布标准标识使用标准,符合标准的互联网企业可以在网站或服务的适当位置显示相关标识。
The evaluation agency shall timely issue a certification logo for a conformed and qualified Internet enterprise to display appropriately on their website or service.
2. 企业参与
2. Enterprises’ Participation
互联网企业可以以本标准为依据对其个人保护政策及实践做法进行比照,及时调整政策文本及实践做法。除主动调整外,互联网企业可委托测评机构对政策文本及实践做法进行测评,根据测评结果及时调整政策文本及实践做法。
An Internet enterprise may adjust its policy and practices on the protection of personal information by making reference to this Standard. In addition to voluntary adjustment (or compliance?), an Internet enterprise may request an assessment of its policy texts and practices by the evaluation agency, and make adjustments accordingly.
3. 用户监督
3. Users’ Supervision
互联网用户可以以本标准为依据对互联网企业的个人信息保护政策及实践做法进行测评。用户可通过测评机构适时推出的网站反馈测评结果。
The Internet users may evaluate the personal information protection policies and practices of an Internet enterprise in accordance with this Standard. The users may provide feedback on evaluation results on the website of the evaluation agency.
七、附件
VII. Appendix
本测评标准基本规定的释义和制定依据将在附件中作出进一步解释和说明。
The interpretation and implementation of this Standard shall be further illustrated in the Appendix.
本标准以国家数字版权研究基地发布的版权自助协议(Self-Help Copyright License Agreement,SCLA)发布,许可条件为:
[仅保留署名权] 许可人仅保留表明作者身份、在作品上署名的权利。被许可人依照本协议规定取得演绎权许可的,必须在演绎作品上标明原作品的作者。许可人放弃对其作品享有的所有财产性权利。
[Reserve the Right to Claim Authorship only] The Licensor only reserves the right to claim authorship and the right of paternity on the copyrighted work. Any Licensee of the right of adaptation in accordance with this agreement shall indicate the author of the original works. The Licensor waives all the property rights in the work.
