Author | Bai Yusi (白宇思)
*This article was originally published in the February 2025 issue of China Business Law Journal (《商法》)
Key points of personal information protection impact assessment
The Personal Information Protection Law (PIPL), China’s first specialised legislation on personal information protection, came into effect on 1 November 2021, marking the beginning of a new era of comprehensive legal protection for personal information in the country. Since its implementation, China has gradually improved its supporting systems for personal information protection, establishing a fundamental framework. Among these, the personal information protection impact assessment system has emerged as a critical component.
The connotation and value of the personal information protection impact assessment system. China’s personal information protection impact assessment system is rooted in the concept of risk prevention. It mandates that personal information processors conduct assessments before engaging in high-risk personal information processing activities. These assessments evaluate the purpose of processing, as well as the legitimacy, legality and necessity of the processing parties, while identifying potential significant impacts on individual rights. The system also requires monitoring and verifying whether the protective measures adopted are lawful, effective and proportionate to the level of risk. Through pre-assessment, processors can identify, intervene in and mitigate risks in advance, dynamically respond to changes in risk, and determine whether to proceed with the processing activity based on the assessment report. This enables them to implement targeted control measures promptly, ensuring the activity is carried out in a compliant and secure manner.
This early intervention assessment mechanism integrates personal information protection into the project design phase, embedding it within the systems, operations and technical solutions of personal information processors. This approach not only ensures comprehensive and effective protection of personal information rights but also helps processors control risks within manageable limits, thereby reducing potential post-incident losses and improving cost efficiency.
Beyond its risk prevention value, conducting and documenting pre-assessments of high-risk personal information processing activities can serve as evidence that processors have implemented appropriate control measures in compliance with laws and regulations. This helps regulate processor behaviour and safeguard their legitimate rights and interests in the event of disputes. Furthermore, in cases of personal information breaches or other security incidents, the assessment records can assist processors in investigating, analysing and tracing the causes, while reducing the likelihood of similar risks recurring.
Obligation to conduct personal information protection impact assessments. The PIPL explicitly outlines the circumstances under which personal information processors must conduct impact assessments. These include processing sensitive personal information, using personal information for automated decision-making, entrusting others to process personal information, providing or disclosing personal information to other processors, transferring personal information overseas, and other activities that may significantly affect individual rights. Whenever these legally prescribed scenarios arise, processors are obligated to perform and document such assessments as a statutory duty.
In practice, some processors have undertaken these assessments and achieved positive outcomes. However, many still fail to meet compliance requirements due to a lack of understanding of the purpose and value of impact assessments or uncertainty about how to conduct them. Additionally, as processors’ operations evolve, personal information processing activities often undergo continuous and dynamic changes. Therefore, fulfilling the obligation to conduct impact assessments is not a one-time task but requires the establishment of a long-term, ongoing, flexible and adaptive assessment mechanism.
Key points of personal information protection impact assessments. Risk identification is central to impact assessment activities. Risks in personal information processing may stem from the processor’s internal vulnerabilities or external threats. Examples include processing sensitive personal information without a specific purpose or sufficient necessity, failing to adhere to the principle of informed consent, sharing data with third parties without explicit consent from the data subject, collecting information beyond the required scope, storing information beyond the necessary period, lacking robust deletion mechanisms, insufficient transparency in automated decision-making, and issues such as misuse, leakage, or tampering of information. Personal information processors must thoroughly analyse potential risks, and design and implement effective controls to mitigate them. Additionally, personal information protection requirements should be embedded into measures during the project design phase to ensure processing activities comply with legal and regulatory standards.
The objective of personal information protection impact assessments is to implement effective risk responses. Based on assessment results and their risk tolerance levels, personal information processors should adopt appropriate risk response measures. These may include refraining from processing certain types of information, explicitly informing users of processing rules in privacy policies or user agreements and obtaining their consent, strictly limiting data storage periods and ensuring secure destruction, establishing robust deletion mechanisms, encrypting data transmission, anonymising or de-identifying information, and standardising identity verification and access controls.
The PIPL mandates that processors maintain records of their assessments. Assessment reports must include key details such as the personnel involved, scope of application, assessment subjects, scale, methods, relevant stakeholders, risk analysis results, risk response plans, and the implementation status of these plans.
In summary, personal information protection impact assessments play a critical role in the legal framework for personal information protection. Their function and value are significant in helping processors fulfil data security and compliance obligations. These assessments serve a preventive purpose, minimising risks for processors and effectively safeguarding personal information rights.