数据跨境流动规制中的正当公共政策目标例外及中国因应

Legitimate Public Policy Objectives Exceptions in the Cross-border Data Flow Regulation and China’s Response

鉴于WTO协定等传统经贸协定难以有效约束各国采取的数据跨境流动限制性措施,且一般例外和基本安全例外难以充分保障一国在数据跨境流动领域的国家规制权,《全面和进步跨太平洋伙伴关系协定》(CPTPP)、《区域全面经济伙伴关系协定》(RCEP)和《数字经济伙伴关系协定》(DEPA)等晚近经贸协定开始明确禁止缔约方限制数据跨境流动或采取数据本地化措施,同时允许缔约方为了追求正当公共政策目标而在满足相应条件的情况下采取上述措施。但不同协定中的正当公共政策目标例外在文本表述上或存在不同程度的差异,在解释该例外时应关注文本差异引发的适用区别。中国最可能受到挑战的数据本地化措施在现阶段对于实现中国追求的安全和执法获取数据等多重目标可能是必要的,但鉴于措施的必要性会随着实践发展而动态变化,其可发展规制措施必要性评估制度以及关于网络安全和保护个人隐私的标准与最佳实践,避免未来在援引正当公共政策目标例外时陷入被动局面。

Having considered that the measures restricting cross-border data flows cannot be effectively regulated by such traditional trade agreements as WTO agreements,and that the essential security exceptions and general exceptions cannot sufficiently preserve a country’s right to regulate in the field of cross-border data flows,recent trade agreements such as CPTPP,RCEP and DEPA initiated the rules that no contracting Party shall restrict cross-border data flows or take data localization measures,while they also allow Parties to take such measures if they aim to achieve legitimate public policy objectives and satisfy certain conditions.However,when interpreting the legitimate public policy objectives exceptions in different agreements,it should be noted that textual differences may result in the differences in application.The most likely being challenged data localization measures taken by China in order to achieve such goals as safety may at present be deemed necessary.However,having considered that the necessity of a measure may vary with the practices,China may develop necessity assessment regimes for regulatory measures,standard and best practices relevant to cybersecurity and protecting privacy so as to prevent being put in passive situation when invoking legitimate public policy objectives exceptions.