国外上市和香港上市在网络安全审查方面有区别吗?
《审查办法》规定,“掌握超过100万用户个人信息的运营者赴国外上市”应主动申报网络安全审查,相较于《中华人民共和国证券法》以及国务院的有关规定,此条款并未使用“境外”这一概念,而是使用了“国外”一词。我们认为,这一特殊安排的用意旨在将赴香港上市排除在本条所规定的网络安全审查的适用范围。《数安条例》将“赴国外上市”和“赴香港上市”通过第十三条的第二项和第三项分置规定,显然印证了这一理解,即《审查办法》第六条的适用范围不包括香港上市。
我们理解,《数安条例》并非在《审查办法》基础上对香港上市监管加码,而是法律适用的明确。《数安法》第二十四条规定,“国家建立数据安全审查制度,对影响或者可能影响国家安全的数据处理活动进行国家安全审查。”即,只要数据处理活动影响或可能影响国家安全,都会触发安全审查,赴港上市行为当然也应包括在内。《审查办法》第六条虽然不包括香港上市,但在第二条却有原则性的要求,即:“数据处理者开展数据处理活动,影响或可能影响国家安全的,应当按照本办法进行网络安全审查。”
据此,相较于对国外上市所采取的一刀切的量化标准,赴港上市的网络安全审查采取是风险导向的标准,只有确实存在影响或可能影响国家安全的风险,才会触发网络安全审查。同时,为消除该规定对香港上市带来的不确定性,我们也建议监管部门尽快制定赴港上市的数据风险预判指南。
最后,《数安条例》第三十二条还规定赴境外上市的数据处理者应每年开展数据安全评估并向市级网信部门报送的义务。此为赴国外上市和赴香港上市均需遵循的法定义务。
翻译:
Is there a difference in network security review between overseas listing and Hong Kong listing?
According to the regulations, “Operators with more than 1 million users’ personal information should report for cyber security review.” Compared with the Securities Law of the People’s Republic of China and relevant regulations of The State Council, this article does not use the concept of “overseas”, but uses the word “foreign”. In our view, this special arrangement is intended to exclude listings in Hong Kong from the scope of the cyber security review provided for in this Article. By separating the terms “overseas listing” and “Hong Kong listing” through the second and third provisions of Article 13, the Data Safety Ordinance clearly confirms this understanding that Article 6 of the Review Measures does not cover listing in Hong Kong.
We understand that the Data Safety Ordinance does not increase the regulation of listing in Hong Kong on the basis of the Review Measures, but clarifies the application of the law. Article 24 of the Data Security Law stipulates that “the State establishes a data security review system to conduct national security review on data processing activities that affect or may affect national security.” That is, whenever data-processing activities affect or could affect national security, a security review is triggered, and listing in Hong Kong should certainly be included. Although Article 6 of the Review Measures does not cover listing in Hong Kong, Article 2 has a principled requirement, namely: “Where data processors carry out data processing activities that affect or may affect national security, they shall conduct network security review in accordance with these Measures.”
Therefore, compared with the one-size-fits-all quantitative standards for foreign listings, the network security review for Hong Kong listings is risk-oriented. Only when there is a real risk that affects or may affect national security, the network security review will be triggered. At the same time, in order to eliminate the uncertainty caused by the regulation on listing in Hong Kong, we also suggest that the regulatory authorities formulate data risk prediction guidelines for listing in Hong Kong as soon as possible.
Finally, Article 32 of the “data security Regulations” also stipulates that data processors listed overseas should carry out annual data security assessment and report to the municipal network information department. This is the legal obligation to go public both abroad and in Hong Kong.
本文由数字化转型网(www.szhzxw.cn)转载而成,作者:中伦律师事务所;编辑/翻译:数字化转型网默然。
免责声明: 本网站(http://www.szhzxw.cn/)内容主要来自原创、合作媒体供稿和第三方投稿,凡在本网站出现的信息,均仅供参考。本网站将尽力确保所提供信息的准确性及可靠性,但不保证有关资料的准确性及可靠性,读者在使用前请进一步核实,并对任何自主决定的行为负责。本网站对有关资料所引致的错误、不确或遗漏,概不负任何法律责任。
本网站刊载的所有内容(包括但不仅限文字、图片、LOGO、音频、视频、软件、程序等) 版权归原作者所有。任何单位或个人认为本网站中的内容可能涉嫌侵犯其知识产权或存在不实内容时,请及时通知本站,予以删除。
