論我國數據本地化措施與FTA締約的協調

Data Localization in China's Legislation and Its Reconciliation with FTA Conclusion

當前，我國數據本地化要求主要包括對於關鍵信息基礎設施生成數據的境內存儲和安全評估、特定行業數據的境內存儲與安全評估，以及個人信息保護法中的個人信息出境合法性要求。上述制度需與我國已加入的RCEP和未來可能加入的CPTPP電子商務規則相協調。前兩類數據本地化要求分別服務於我國基礎設施安全與情報安全，也能夠符合RCEP與CPTPP“安全例外”的要求。個人信息保護法中個人信息出境的合法性審查應適用公共政策例外，其中最難以證明的“必要性”要件，可通過强調我國確立個人信息保護水準的政策空間加以解决。此外，對於可能引發數據本地化措施合法性爭議的行業，我國還可在條約談判中通過“不符措施清單”避免爭議産生。

Currently, China's data localization requirements include the data local storage concerning critical information infrastructure and security evaluation; local storage and security evaluation of data in specific fields; as well as requirements for personal data before they can be transferred overseas by China's Personal Data Protection Law. These requirements need to reconcile with RCEP, which China has joined, and CPTPP, which China considers to join. The former two requirements serve the security of China's infrastructure and intelligence, and therefore should qualify for security exceptions under both RCEP and CPTPP. The legal requirements under China's Personal Data Protection Law might qualify under public policy exceptions, and the only obstacle, that is, the element 'necessity', could be overcome by emphasizing China's policy space of setting up its own criterion of personal information protection. Moreover, as to industries that are most likely to incur the dispute concerning the legality of data localization, China could avoid the risks by drafting 'non-conforming lists' in treaty negotiations.