Babbitt column | Outbound transfer of personal information now requires a security assessment: what does this mean for overseas crypto companies?

Editor's note: The Cyberspace Administration of China (CAC) recently published the "Measures for the Security Assessment of Outbound Transfer of Personal Information" for public comment. The draft also brings the collection of domestic personal information by overseas institutions within the scope of supervision. How will this affect overseas crypto companies?

In order to protect the security of personal information transferred out of the country and to adapt to the trend of cross-border data flows in the digital economy, on June 13, 2019, after a gap of about two years, the Cyberspace Administration of China (the "CAC") once again issued a "Notice on Public Solicitation of Comments on the Measures for the Security Assessment of Outbound Transfer of Personal Information (Draft for Comment)" [1], publicly soliciting opinions on the "Measures for the Security Assessment of Outbound Transfer of Personal Information (Draft for Comment)" (the "Measures" or the "Draft").

Under the Measures, before personal information (meaning information recorded electronically or by other means that can, alone or in combination with other information, identify a natural person, including but not limited to a natural person's name, date of birth, ID number and personal biometric information) is transferred out of the country, the network operator must report the transfer to the provincial-level cyberspace administration where it is located for a security assessment, and that provincial administration organizes the assessment.

It is worth noting that the Draft also covers the collection of domestic users' personal information by overseas institutions. Under Article 20 of the Measures, where an overseas institution collects personal information of domestic users via the Internet or other means in the course of its business activities, it must perform the responsibilities and obligations of a network operator under the Measures through its legal representative or institution within China.

Since some overseas crypto companies collect personal information of domestic users via the Internet or other means, they too may fall within the scope of supervision. The author therefore focuses below on the impact of the Draft on the overseas crypto companies concerned, for reference and comment.

1. How the relevant provisions are to be understood and applied is not yet clear

Under the Draft, the conditions under which an overseas institution falls within its jurisdiction, and the manner in which it is to comply, are as follows:

(a) the overseas institution collects personal information of domestic users via the Internet or other means in the course of its business activities;

(b) the overseas institution performs the responsibilities and obligations of a network operator under the Measures through its legal representative or institution within China (its "domestic representative").

At present, overseas crypto companies fall into two broad categories. The first are crypto enterprises that, constrained by the domestic policy environment, are not registered in China: the actual controller is Chinese, the servers are located overseas, but there is an institution within China that provides technical support or services, or some other related entity (and possibly also unrelated domestic institutions). Examples include some digital currency exchanges, issuers of digital currencies, digital currency hedge funds and quantitative funds. The second are genuinely foreign enterprises: not registered in China, with a foreign actual controller and servers located overseas, whose only connection to China is that some of their investors or users are domestic individuals (for example, some overseas digital currency exchanges such as Bitfinex).

For business purposes or to meet compliance requirements (such as KYC), some overseas crypto companies collect personal information of domestic users (such as name, ID number and telephone number) through websites, apps and other Internet channels in the course of their business. On the face of the provisions, because these overseas enterprises collect personal information of domestic users via the Internet, they would appear to fall within the scope of the Measures.

However, understanding and applying the relevant provisions of the Measures in practice raises several questions:

(a) Who signs the contract governing the outbound transfer of personal information?

The Measures borrow the regulatory approach of standard contractual clauses under the EU General Data Protection Regulation (GDPR): the network operator and the overseas recipient must sign a contract that specifically sets out the purpose and type of the personal information being transferred, the retention period, the rights and interests of the personal information subject, and the responsibilities and obligations of the network operator and the recipient. This contract is a required document when the network operator applies to the cyberspace administration for the security assessment.

By way of illustration: "network operator" means the owner or manager of a network and network service providers. Take an overseas digital currency exchange. Its servers are usually deployed outside China, and its network is operated and managed outside China, so the exchange can be regarded as the network operator. If a domestic individual registers an account from within China on the overseas website operated by that exchange and provides personal information, the overseas exchange could also be regarded as the recipient of the outbound personal information.

Where the overseas exchange is both the network operator and the recipient of the outbound personal information, the two roles coincide and the contract required by the Measures cannot be signed, since a party cannot contract with itself. So who signs it?

Under the Measures, overseas enterprises fulfil the responsibilities and obligations of a network operator through their domestic representative. Does this mean the contract is to be signed between the overseas institution's domestic representative (as the network operator) and the overseas institution itself (as the recipient)? This remains to be clarified.

(b) How can the cyberspace administration supervise effectively?

A related question: if an overseas enterprise currently has no institution or legal representative within China (overseas institutions usually do not go out of their way to appoint one), and after the Measures take effect it still does not establish a domestic representative as required, how is the cyberspace administration to supervise it effectively?

Moreover, even where an overseas enterprise does have a domestic representative, the identity of the domestic obligor is still unclear: is it a domestic subsidiary, an affiliate, or some other institution? Where there are several domestic entities, does the overseas institution have the right to choose among them?

2. Difficulties even for those who want to comply

Under Article 6 of the Measures, the key content of a security assessment of an outbound transfer includes whether the transfer complies with relevant national laws, regulations and policies. Under Article 13, the contract or other legally binding document signed between the network operator and the recipient of the personal information must specify the purpose and type of the personal information and its retention period. Accordingly, the outbound transfer must comply with national laws and policies, and the cyberspace administration will consider the purpose of the transfer in deciding whether to approve it.

For some overseas crypto companies, whether the outbound transfer of personal information complies with Chinese laws and policies is a real question, because the purpose of collecting some of this information is to enable participation in overseas digital currency investment and trading. Although the state does not directly prohibit domestic individuals from investing in and trading digital currencies, its negative policy stance on digital currency issuance and trading services is clear. Where an overseas institution collects domestic personal information for the purpose of providing digital currency issuance or trading services to domestic individuals, the transfer may therefore have difficulty passing the cyberspace administration's security assessment.

3. Compliance risks and costs increase

Under Article 12 of the Measures, any individual or organization has the right to report violations of the Measures to the provincial-level cyberspace administration or other relevant departments. There is thus no restriction on the status or location of a whistleblower: anyone may report a violation to the cyberspace administration or the relevant department.

For overseas crypto companies that collect personal information in China, especially those with a domestic representative, if they have compliance problems with outbound transfers and are reported to the cyberspace administration or other departments by domestic investors who have suffered losses, by competitors, or by other parties, they will face a choice: either stop collecting personal information in China, which means giving up domestic individual users; or comply with the domestic rules on outbound transfer of personal information and fulfil the security assessment obligations and responsibilities under the Measures. But for overseas crypto companies whose business is not supported by certain domestic policies, compliance may run into the difficulty described in section 2 above, so the end result may still be abandonment of the domestic market.

4. Regulating overseas institutions by constraining domestic entities

Under Article 20 of the Measures, overseas institutions perform the responsibilities and obligations of a network operator under the Measures through their legal representative or institution within China. Under the Measures and the Cybersecurity Law, a network operator that violates the Measures may be ordered by the competent cyberspace administration to rectify, given a warning, have its illegal gains confiscated and be fined between 50,000 and 500,000 yuan; it may also be ordered to suspend the relevant business, suspend operations for rectification, shut down its website, or have its relevant business permit or business licence revoked; and the directly responsible person in charge and other directly responsible personnel may be fined between 10,000 and 100,000 yuan.

Accordingly, if an overseas institution subject to the Measures, or its domestic representative, fails to comply with them, the domestic representative will bear the corresponding legal liability. The cyberspace administration constrains the conduct of overseas institutions by holding domestic entities accountable, which is what makes the rules enforceable. For overseas crypto companies that collect domestic personal information in the course of their business, it may therefore be difficult to evade supervision unless they have no domestic representative at all.

Since the CAC issued the Provisions on the Administration of Blockchain Information Services in January 2019, its regulatory reach has begun to extend to overseas blockchain enterprises that provide blockchain information services to Chinese users, although the relevant filing system is still imperfect and it remains unclear how overseas entities are to file. The release of this Draft suggests that the CAC wishes to widen its scope of supervision further, this time from the angle of protecting personal information transferred abroad, by placing overseas institutions that collect personal information in China under its supervision.

The Measures are not aimed specifically at overseas crypto companies, and not all of them will be subject to supervision (those that do not collect domestic personal information are not). The cyberspace administration may also lack adequate means to supervise some of them (for example, where the overseas enterprise has no domestic representative). The Measures are still at the draft stage: their provisions are not yet settled, formal implementation is some way off, and how they are to be interpreted and applied is still unclear. Nevertheless, it can be expected that regulatory scrutiny of overseas crypto companies doing business in China will continue to increase and that the regulatory reach will widen. Risks and costs will rise.

Author: Zhang Ling, a partner at law firm Han

Disclaimer: This article represents only the author's personal opinion and not that of the author's organization. Its contents do not constitute legal advice or investment advice. To reprint or cite any content of this article, please include the author's name.


[1] http://www.cac.gov.cn/2019-06/13/c_1124613618.htm