个人数据安全的法律保护模式——从数据确权的视角切入

个人数据权益的多元性,决定了个人数据在不同场景中的权属不同,这意味着对不同权属性质的个人数据,提供的法律保护模式也不同。我国对个人数据的法律保护模式有三种:财产权保护模式、人格权保护模式和平台保护模式。鉴于当前我国数据确权的制度安排尚未完成、数据的人格权保护没有得到公益救济、数据利益的损害赔偿无法实现,有必要对不同权属性质的个人数据作出有针对性的调整方案:在方法论上应突破私法或公法的思维局限,在立法论与数据应用实践层面,对现有的个人数据保护模式作出相应的调整,通过商业秘密保护模式拓宽数据财产权的保护路径,利用个人数据场景化保护模式弥补人格权保护模式的虚置,利用平台保护模式优化数据安全法律保护的制度设计。     

数据财产权益的私法规范路径

数据的本质是信息,应将数据界定为以电子形式存储和处理的体现一定事实内容的信息。数据分类应聚焦非公开数据和公开数据,前者可受商业秘密制度保护,对作为当前主要研究对象的后者如何保护尚无共识。美国与欧盟调整数据财产权益的法治实践表明,应承认数据控制者对其合法收集处理之数据享有独立的财产权益,同时这种财产权益不宜具有绝对性。我国立法未规定数据财产权益机制,实务模式和学理见解存在不同程度局限。应在数据之上创建具备有限排他性的准财产权,使数据控制者得以据此对抗特定类别主体和特定类别行为。应保留《民法总则》第127条,在《反不正当竞争法》第9条之后新增一个条文对数据准财产权保护作出规定。     

网络隐私法律保护简论

隐私一般是指与公共利益、群体利益无关的、当事人不愿让他人知道或他人不便知道的个人信息,而个人数据是所有用来标识个人基本情况的数据。文章针对互联网技术的发展为个人数据处理带来的隐私权问题,在分析西方国家保护模式、梳理我国隐私权保护现状基础上,提出了在我国加强网络空间的隐私权保护的必要性和紧迫性。     

数据刑法保护的比较考察与体系建构

德国通过附属刑法和核心刑法所建立的二元数据刑法保护模式,在体系架构、法益定位、构成要件设置等方面具有启发意义.个人数据犯罪虽具有现象层面的公共性和社会性,但保护法益仍然是作为个体法益的个人信息权.侵犯公民个人信息罪的行为类型不宜局限在数据流转过程中的非法获取和提供,而应有条件地将犯罪产业链下游的非法使用、处理行为纳入.一般数据犯罪的应然保护法益是数据主体对一般数据的形式支配权限,以及对一般数据的私密性、完整性和可用性利益.我国一般数据犯罪的罪名无法实现对上述法益的独立性、完整性、体系性保护,其存在结构错位、保护不周等问题,应从国际视角出发对相应构成要件进行完善与调整.     

从私法到公法：数字时代隐私权保护的模式延展

随着数字时代的来临，政府开始成为收集和利用公民信息的最大主体，公民隐私权遭到公权侵犯的风险随之加大，因此隐私权的公法保护模式逐步呈现和凸显。隐私权公法保护的本质，是要求国家在社会公共利益和公民个人隐私利益之间作出必要衡平。这种衡平需要从隐私权的效力位阶层级、公民隐私信息的价值指向以及公民的身份等三个维度来具体展开，因为这三个维度共同决定了个人隐私利益在何种程度上应当退让于社会公共利益。在区分和考量上述三个维度的基础上，可以通过设置绝对公法保护模式、严格公法保护模式、一般公法保护模式和弱公法保护模式等四种不同模式来展开对公民隐私权的公法保护。     

财产申报制度中的隐私权保护

建立和完善财产申报制度,解决其与隐私权保护之间的冲突问题,并非单纯以隐私权的限制为代价,对隐私权的限制亦有限度。我国的财产申报制度不能一味强调对公职人员隐私权的限制而忽视必要的保护。必须在制度上充分考虑隐私权保护的需要,对财产申报制度设定合理的界限:在申报主体范围上,应以职位与公众有密切关联的公共官员为限;在财产申报内容上,应以个人与外界公共场合发生广泛的社会领域为限;在财产申报公示上,应对财产申报资料的查阅或使用加以限制,防止财产申报资料的不当利用与传播,减轻申报人因个人财产信息被过度曝光导致的隐私忧虑。只有实现财产申报制度与隐私权保护的平衡,才能打消公职人员财产申报公示的隐私权顾虑,让财产公示变成现实。     

死者生前人格上财产利益之保护

人格权内含精神与财产双重利益。对人格上财产利益的保护是人性自主的必然结果,且不论人之生死,人格上之财产利益皆应受保护。生者人格上财产利益保护应采用德国法上一元论的人格权保护模式,而死者人格上财产利益保护则应参照美国法上的公开权模式。利用死者生前之人格特征获利的权利乃一种无形财产权,归属于死者之继承人。继承人行使此项权利需按照死者明知或可推知的意思进行,权利行使期限宜为50年。     

网络时代的隐私权──兼论美国和欧盟网络隐私权保护规则及其对我国的启示

随着网络和信息技术的快速发展,网络上的个人隐私权正在被严重地侵害,面对这种侵害,各国都致力于建立完善的网络隐私权法律保护体系。从比较研究的角度讨论美国和欧盟的网络隐私权立法保护模式和规则,并对我国网络隐私权的保护提出立法建议。     

数据交易下权益边界的实践探索与调适

数据作为区别于传统客体的新兴民事权利客体,依附数据交易而实现其特定价值,同时具有社会资源、人格利益和财产利益的法定属性。数据交易下,其权益边界成为民事权利主体资格探讨的必备要素,关乎着数据主体资格、法律关系和私权制度价值。我国司法实践认为数据权益应因其劳动增值而取得,美国则认为数据权益应当回归数据应用的价值。基于分析,对数据权益应严格数据人格利益与财产利益,同时基于数据交易而赋予数据控制者基于数据主体的衍生权利,并建立各类数据控制者之间进行数据流转的合规性标准,以求在总结司法实践和立论的基础上,为数据权益的边界界分提供参考性意见。     

超越物债区分原则:论作为财产支配权的网络虚拟财产权

在数字经济勃兴的时代背景下，出于主观权利理论与社会现实需求的双重考虑，就网络虚拟财产定位而言，应当放弃具有一定实益的关系范式与契合教义体系的利益范式，继续恪守权利范式以实现网络虚拟财产的权利化。由于网络虚拟财产权物权说等网络虚拟财产权理论在网络虚拟财产权构造方面有所不足，故而仍须加以反思与补正。在损益学界既有学说的基础上，或许可以考虑分离网络服务合同与网络虚拟财产，将网络虚拟财产別除于网络用户债权效力之外，并且区分“物权所有权”与“非为物权的网络虚拟财产所有权”，继而以网络虚拟财产所有权为中心构造网络虚拟财产权概念及其规则体系。此外，尽管作为网络虚拟财产权客体的网络虚拟财产具有数据属性，但网络虚拟财产却不同于一般数据。被排除在网络虚拟财产范围之外的数据，则可以借由数据权益、人格权或者个人信息保护规则获得妥当的法律保护。     

Privacy Enhancing Employment of ICT: Empowering and Assisting Data Subjects

This article is based on the fact that the new data protection regime in Europe, according to the Data Protection Directive (46/95/EC), presupposes a Europe were personal data should flow freely between the 20 countries of EU and associated states. At the same time, data subjects have been given comprehensive rights. These rights will make it necessary for them that they relate to controllers in various countries, as well as to a variety of national legislation and languages. Schartum discusses how and to what extent ICT tools may be used in order to empower data subjects and make them capable of safeguarding their privacy interests. He points to the fact that a diversity ICT support should be of interest, and that our attention should not only be on Privacy Enhancing Technologies in a strict sense.     

A comparison of data protection legislation and policies across the EU

Although the protection of personal data is harmonized within the EU by Directive 95/46/EC and will be further harmonized by the General Data Protection Regulation (GDPR) in 2018, there are significant differences in the ways in which EU member states implemented the protection of privacy and personal data in national laws, policies, and practices. This paper presents the main findings of a research project that compares the protection of privacy and personal data in eight EU member states: France, Germany, the UK, Ireland, Romania, Italy, Sweden, and the Netherlands. The comparison focuses on five major themes: awareness and trust, government policies for personal data protection, the applicable laws and regulations, implementation of those laws and regulations, and supervision and enforcement.The comparison of privacy and data protection regimes across the EU shows some remarkable findings, revealing which countries are frontrunners and which countries are lagging behind on specific aspects. For instance, the roles of and interplay between governments, civil rights organizations, and data protections authorities vary from country to country. Furthermore, with regard to privacy and data protection there are differences in the intensity and scope of political debates, information campaigns, media attention, and public debate. New concepts like privacy impact assessments, privacy by design, data breach notifications and big data are on the agenda in some but not in all countries. Significant differences exist in (the levels of) enforcement by the different data protection authorities, due to different legal competencies, available budgets and personnel, policies, and cultural factors.     

大数据背景下个人生物识别信息安全的法律规制

个人生物识别信息具有个人数据的唯一性、程序识别性、可复制性、损害的不可逆性及信息的关联性等特征。在大数据背景下,个人生物识别信息的广泛应用会带来严重的生物信息安全风险,其滥用可造成隐私权、平等权和财产权等权益受到侵犯,需要立法进行全方位规制。我国目前个人生物信息的相关立法存在总体位阶较低且内容分散、保护范围狭窄、权利义务边界不清、法律责任不明晰等缺陷,应当采取渐进式专门立法的思路,完善现有相关部门法关于个人生物信息的规制内容,构建层次分明、内外协调的个人生物识别信息安全保护的法律体系。     

The principle of security safeguards: Unauthorized activities

The principle of information security safeguards is a key information privacy principle contained in every privacy legislation measure, framework, and guideline. This principle requires data controllers to use an adequate level of safeguards before processing personal information. However, privacy literature neither explains what this adequate level is nor how to achieve it. Hence, a knowledge gap has been created between privacy advocates and data controllers who are responsible for providing adequate protection. This paper takes a step toward bridging this knowledge gap by presenting an analysis of how Data Protection and Privacy Commissioners have evaluated the adequacy level of security protection measures given to personal information in selected privacy invasive cases. This study addresses both security measures used to protect personal information against unauthorized activities and the use of personal information in authentication mechanisms. This analysis also lays a foundation for building a set of guidelines that can be used by data controllers for designing, implementing, and operating both technological and organizational measures used to protect personal information.     

捍卫权利模式——个人信息保护中的公共性与权利

个人信息权和个人信息受保护权是两种相对立的模式,学界通常认为个人信息权赋予个人排他性的支配权,这与个人信息的公共性相矛盾。个人信息的公共性并不必然反对权利模式。一种广义的公共性包含着个人信息所负载的公共利益,个人信息的公开化也是网络时代个人和商业交往的必要前提,但这并不意味着要否定个人信息保护的权利模式。公共利益具有多样性,正是某些公共利益支持了权利。权利所蕴涵的主张权确保了人的尊严和自由,这也是个人信息保护法的立法宗旨;个人信息受保护权做不到这一点,它不具有义务指向性。但在立法模式上,个人信息保护法要以义务性规范或禁止性规范为主,这是由网络空间个人信息的性质决定的。     

The right to data portability in the GDPR: Towards user-centric interoperability of digital services

The right to data portability is one of the most important novelties within the EU General Data Protection Regulation, both in terms of warranting control rights to data subjects and in terms of being found at the intersection between data protection and other fields of law (competition law, intellectual property, consumer protection, etc.). It constitutes, thus, a valuable case of development and diffusion of effective user-centric privacy enhancing technologies and a first tool to allow individuals to enjoy the immaterial wealth of their personal data in the data economy. Indeed, a free portability of personal data from one controller to another can be a strong tool for data subjects in order to foster competition of digital services and interoperability of platforms and in order to enhance controllership of individuals on their own data. However, the adopted formulation of the right to data portability in the GDPR could benefit from further clarification: several interpretations are possible, particularly with regard to the object of the right and its interrelation with other rights, potentially leading to additional challenges within its technical implementation. The aim of this article is to propose a first systematic interpretation of this new right, by suggesting a pragmatic and extensive approach, particularly taking advantage as much as possible of the interrelationship that this new legal provision can have with regard to the Digital Single Market and the fundamental rights of digital users. In sum, the right to data portability can be approximated under two different perspectives: the minimalist approach (the adieu scenario) and the empowering approach (the fusing scenario), which the authors consider highly preferable.     

The fundamental right of data protection in the European Union: in search of an uncharted right

The entry into force of the EU Charter of Fundamental Rights and the ensuing introduction of the right to data protection as a new fundamental right in the legal order of the EU has raised some challenges. This article is an attempt to bring clarity on some of these questions. We will therefore try to address the issue of the place of the right to the protection of personal data within the global architecture of the Charter, but also the relationship between this new fundamental right and the already existing instruments. In doing so, we will analyse the most pertinent case law of the Court of Luxembourg, only to find out that it creates more confusion than clarity. The lesson we draw from this overview is that the reasoning of the Court is permeated by a ‘privacy thinking’, which consists not only in overly linking the rights to privacy and data protection, but also in applying the modus operandi of the former to the latter (which are different we contend). The same flawed reasoning seems to be at work in the EU Charter of Fundamental Rights. Therefore, it is crucial that the different modi operandi be acknowledged, and that any upcoming data protection instrument is accurately framed in relation with Article 8 of the Charter.     

The future of privacy certification in Europe: an exploration of options under article 42 of the GDPR

The EU faces substantive legislative reform in data protection, specifically in the form of the General Data Protection Regulation (GDPR). One of the new elements in the GDPR is its call to establish data protection certification mechanisms, data protection seals and marks to help enhance transparency and compliance with the Regulation and allow data subjects to quickly assess the level of data protection of relevant products and services. To this effect, it is necessary to review privacy and data protection seals afresh and determine how data protection certification mechanisms, seals or marks might work given the role they will be called to play, particularly in Europe, in facilitating data protection. This article reviews the current state of play of privacy seals, the EU policy and regulatory thrusts for privacy and data protection certification, and the GDPR provisions on certification of the processing of personal data. The GDPR leaves substantial room for various options on data protection certification, which might play out in various ways, some of which are explored in this article.     

Perceptions of controllers on EU data protection reform: A Finnish perspective

Data protection regulations are undergoing a global reform. The European Commission proposed a reform of the EU data protection framework in 2012. One major driver for the reform has been the research on the consumer perceptions indicating that the consumers are worried about their personal privacy. However, there has been practically no research on perceptions of companies (the controllers of the personal data) and on the data protection reform. This research analyses the awareness and the willingness to act towards compliance regarding the proposed General Data Protection Regulation (GDPR) in Finland in 2013. The GDPR will replace the Finnish Personal Data Act and therefore plays a central role in the Finnish privacy regulation. This research found that the general level of awareness was low: only 43% of the controllers were aware of the forthcoming reform. The willingness to act or to take steps towards the compliance was even lower: 31% of controllers said that they are planning to act towards compliance during this year. These results indicate that the companies are quite unfamiliar with the reform that correlates with other relevant studies in Europe. Personal data are said to be the oil of the digital economy, the hottest commodity of the market today. There are companies that understand this, but the majority seems to ignore this at least what comes to their awareness regarding the reform, even the reform captures many of the best practices regarding processing of personal data.