数据安全认证:个人信息保护的第三方规制

契合放管服改革理念的数据安全认证,在数字时代整个规制法体系中必将占据日益重要的地位。数据安全认证通过声誉评价机制,可以引导、激励互联网企业守法合规经营,可以增强用户对中小微互联网企业和新兴数字产业的信任感,可以避免一刀切的政府规制,可以满足社会公众多元的数据安全需求。数据安全认证机构应具有高度的独立性与专业性,防止其被互联网企业俘获或成为政府的附庸。宜实行自愿为主、强制为辅的数据安全认证模式。认证程序应强调公正透明性,认证标准应注重评价企业数据合规的制度建设。根据过错责任原则,分别设置数据安全认证机构相应的赔偿责任或连带责任,并加大对数据安全认证违法行为的公法责任追究。科学构建法治化的数据安全认证体制机制,不仅是保障数据安全的现实需要,而且是弥补数字时代政府规制缺陷的迫切需求。     

超越私权属性的个人信息共享——基于《欧盟一般数据保护条例》正当利益条款的分析

在获取、处理、使用和转移个人信息的过程中,各方主体之间存在信息权益冲突,迫切需要规范层面提供协调机制。关于信息权益的主体划分和保护层级、信息正当利益的法律内涵、各方主体利用信息的范围和界限等问题,学界尚未提出明确的解决思路。为推动社会治理和产业经济的数字化进程,个人对信息的绝对控制需要让位于信息正当利益的维护和实现。《欧盟一般数据保护条例》规定在某些情形下应该优先保护信息的正当利益,体现出欧盟调节各方信息权益时的权衡和取舍。借鉴《欧盟一般数据保护条例》的规制路径并结合我国的现实问题,我国立法应构建信息主体、其他自然人、国家机关、企业四方主体共享的个人信息权益体系,以妥善解决各方主体之间的权益冲突。     

劳动者个人信息保护的法律价值、基本原则及立法路径

由于传统隐私权制度的局限性,我国应建立职场劳动者个人信息保护制度,以充分保护劳动者的隐私和个人信息权利.劳动者个人信息保护,除了具有个人信息保护的一般价值外,还有助于实现劳动者或求职者的平等权、言论自由权以及工作中的权利等.劳动者个人信息保护除了应遵循个人信息保护的一般原则,诸如合法、公正、必要和透明等原则外,应将比例原则确立为核心原则,在信息处理中平衡雇主合法利益和雇员隐私权利.由于劳动关系的性质以及雇主和雇员地位和实力的不平衡,知情同意原则的适用应严格限制,原则上,雇员同意不能单独作为雇主处理个人信息的合法性基础.借鉴国外尤其是欧洲国家的立法经验,我国应在个人信息保护法中规定劳动者个人信息保护的一般条款,并通过制定行政法规规定具体规则.同时,行政机关、工会或企业组织可发布职场个人信息处理的行为指引,企业和工会也可通过集体协议或规章制度约定或规定涉及个人信息保护的有关事项.     

Contract Governance in the EU: Conceptualising the Relationship between Investor Protection Regulation and Private Law

The instrumental use of private law, in particular contract law, by the EU raises a complex issue concerning the relationship between contract‐related regulation and traditional private law and underlines the need for conceptualising the interplay between the two from the contract governance perspective. The present article aims to apply this new analytical approach in the investment services field where there is considerable tension between the EU investor protection regulation embodied in the Markets in Financial Instruments Directive (MiFID I and MiFID II) and national private laws. The article explores various models of relationship between investor protection regulation and traditional private law within a multi‐level EU legal order, considering the strengths and weaknesses of each field in pursuing public and private interests involved in financial contracting. This analysis also offers some lessons for the broader narrative of how European integration in regulated areas dominated by public supervision and enforcement could proceed.     

个人信息权的体系化解释——兼论《个人信息保护法》的公法属性

《个人信息保护法》是数字时代个人信息保护的基本法。它采取了将个人信息权作为新兴公法权利的思路,确立了完整的个人信息权利保护体系,在个人信息保护问题上和《民法典》一起形成了公私法共同协力的进路。《个人信息保护法》以权利束的方式规定了个人信息主体的知情权、决定权、查阅权、复制权、更正权、删除权、可携带权和信息权利救济权等。《个人信息保护法》从立法依据、权利体系、条文设计和规制措施上都体现出鲜明的公法属性,这也可以从基本权利的双重面向和个人信息国家保护义务得到理论上的证成。这部法律是数字时代公法秩序的基石,它对公法边界的形塑仍需通过其实施来确立。     

EU General Data Protection Regulation: Changes and implications for personal data collecting companies

The General Data Protection Regulation (GDPR) will come into force in the European Union (EU) in May 2018 to meet current challenges related to personal data protection and to harmonise data protection across the EU. Although the GDPR is anticipated to benefit companies by offering consistency in data protection activities and liabilities across the EU countries and by enabling more integrated EU-wide data protection policies, it poses new challenges to companies. They are not necessarily prepared for the changes and may lack awareness of the upcoming requirements and the GDPR's coercive measures. The implementation of the GDPR requirements demands substantial financial and human resources, as well as training of employees; hence, companies need guidance to support them in this transition. The purposes of this study were to compare the current Data Protection Directive 95/46/EC with the GDPR by systematically analysing their differences and to identify the GDPR's practical implications, specifically for companies that provide services based on personal data. This study aimed to identify and discuss the changes introduced by the GDPR that would have the most practical relevance to these companies and possibly affect their data management and usage practices. Therefore, a review and a thematic analysis and synthesis of the article-level changes were carried out. Through the analysis, the key practical implications of the changes were identified and classified. As a synthesis of the results, a framework was developed, presenting 12 aspects of these implications and the corresponding guidance on how to prepare for the new requirements. These aspects cover business strategies and practices, as well as organisational and technical measures.     

Beyond European Labour Law? Reflections on the EU Racial Equality Directive

In June 2000, the Council adopted a directive forbidding discrimination on grounds of racial or ethnic origin in the areas of employment, social protection, education, goods and services, and housing. This is the first time the European Union has adopted binding legislation to combat racism. In this article, the Directive is placed within the context of European labour law, and its implications for the development of this area of law are considered. Specifically, it is proposed that a new category of European 'social law' is emerging, broader in scope than European 'labour law'. The Directive also reveals a new emphasis on effective enforcement of social law. Finally, this article considers the position of the Social Partners and non-governmental organisations in relation to the Directive. The prominence of NGOs is linked to wider trends in the wake of globalisation.     

个人信息保护的私法维度——兼论《民法典》与《个人信息保护法》的关系

个人信息的私法保护路径对于有效保障民事主体的个人信息权益十分重要;《个人信息保护法》本身包含大量的私法规范、制度和原则,因此需要从体系化的角度与《民法典》作关联解读与适用.由此,需要充分认识到《民法典》与《个人信息保护法》之间的内在密切关联,正确看待二者的关系.《民法典》与《个人信息保护法》中的私法规范构成普通法与特别法的关系,在后者有明确规定的时候应优先适用,而在其没有规定的时候应适用《民法典》的规则.在个人信息保护的法律适用中将二者割裂甚至对立起来的观点或者对《民法典》采取排斥封闭的态度,都会破坏法律体系的和谐和法律适用的统一,对个人信息保护来说也是不利的.     

论隐私、个人信息和数据的三重民法保护

隐私、个人信息和数据三者在民法意义上的本源与价值都是个人信息,只是隐私和个人信息的范围不同,数据与个人信息为为载体与本源之关系。《民法典》对隐私、个人信息和数据的不同规定,保护着不同类型与范围中的个人信息不受侵害,是对科技双刃剑下公民权益保护的有效回应。《民法典》对于私密型个人信息的隐私予以法律赋权;对于需均衡使用与保护的个人信息予以法律保护;对作为信息载体的数据予以前瞻性开放式法律规定,三重法律保护体现了《民法典》以人为本的政治内涵。     

中国个人信息保护法草案若干问题

在个人信息保护法草案中,个人信息的定义应修改为"个人信息是能够单独或者与其他信息结合识别有生命的自然人的各种信息,不包括匿名化处理后的信息."并加一款体现"识别"+"关联"的立法思路的文字.个人信息处理的列名操作应该由七个变更为十一个,即收集、存储、加工、使用、交易、提供、公开、查阅、复制、更正、删除等.第六十九条匿名...     

论个人信息的行政法保护

行政主体收集、处理和利用个人信息是一种行政事实行为。我国应尽快制定个人信息保护法,明确信息主体有权要求行政机关不能随意处理个人信息,公开对其个人信息的收集和利用,规定个人信息保护的范围、原则、监督和救济制度。利益衡量是目前协调个人信息保护与行政信息公开的适当方法。     

The EU Proposal for a General Data Protection Regulation and the roots of the ‘right to be forgotten’

The EU Proposal for a General Data Protection Regulation has caused a wide debate between lawyers and legal scholars and many opinions have been voiced on the issue of the right to be forgotten. In order to analyse the relevance of the new rule provided by Article 17 of the Proposal, this paper considers the original idea of the right to be forgotten, pre-existing in both European and U.S. legal frameworks. This article focuses on the new provisions of Article 17 of the EU Proposal for a General Data Protection Regulation and evaluates its effects on court decisions. The author assumes that the new provisions do not seem to represent a revolutionary change to the existing rules with regard to the right granted to the individual, but instead have an impact on the extension of the protection of the information disseminated on-line.     

论完善个人信息保护法制的几个问题

个人信息保护是信息化过程中而产生的问题,在国外有关国家和地区早已掀起了个人信息保护立法的浪潮。鉴于此,本文立足于世界有关国家和地区个人信息立法的情况,对其中涉及逻辑基础、适用范围、原则及个人信息主体的权利、适用例外等问题进行了探讨。     

The Power of EU Collective Action: The Impact of EU Data Privacy Regulation on US Business Practice

Contemporary critiques of globalisation processes often focus on the potential levelling of regulatory standards and the export by the United States of neoliberal norms of deregulation and market facilitation. This paper, in contrast, examines the extra-jurisdictional impact of EU regulatory policy on the behaviour of foreign private parties, even in powerful states such as the United States. Shaffer finds that the threat of curtailing access to the EU's large market provides the EU with leverage. By acting collectively, EU Member States can magnify the impact of European policy on US business practice and enhance EU Member State clout in the negotiation of de jure and de facto foreign standards. The site of analysis is the current dispute between the United States and the European Union over the provision of 'adequate' data privacy protection in accordance with the EU Directive on data privacy. The paper explores the many ways in which the Directive affects US practice through changing the stakes of US players – including regulators, businesses, privacy advocates, lawyers and privacy service providers – and thereby shifting the playing field in the United States on which competing interest groups clash. In examining the interaction of EU law, US practice and international trade rules, the author finds that WTO law, rather than constraining the Directive's extra-jurisdictional impact, provides the EU with a shield against US retaliatory threats, thereby facilitating a trading up of data privacy standards. The paper concludes by examining the conditions under which cross-border exchange can lead to a leveraging up of social protections: the desire for firms to expand their markets, Member States' collective bargaining power buttressed by market clout, the nature of luxury goods, the externalities of foreign under-regulation legitimising EU intervention, and the constraints of supranational trade rules.     

Unravelling the Embedded Liberal Bargain: Labour and Social Welfare Law in the Context of EU Market Integration

European economic integration with a minimalist social policy at EU level was in part made possible by strong domestic labour market and social welfare institutions. The main contention of this paper is that EU market liberalisation was embedded within institutions of social citizenship at domestic level, which served to counter the liberalisation of the internal market. But this settlement has been put under strain. In addition to the challenges posed to the sustainability of European welfare states by the global economic crisis, the internal market jurisprudence of the Court of Justice casts doubt on the sustainability of the ‘embedded liberal bargain’. This paper focuses on the role of the Court, in particular in its jurisprudence on the interaction between (EU) market freedoms and (national) labour law, which undermines the ability of states to retain their regulatory autonomy over labour or social welfare law and, arguably, speeds up the unravelling of the ‘embedded liberal bargain’.     

论银行卡个人数据的隐私权保护

银行卡个人数据包括个人身份信息、交易信息和信用状况信息。这些信息都属于隐私权保护的范围。持卡人对之享有允许或拒绝他人查询、收集和使用的权利,任何单位和个人不得非法使用,否则视为侵权。持卡人有权提起诉讼,请求停止侵害,赔偿损失。     

超越数据界权:数据处理的双重公法构造

数据财产权益如何界定是一个备受关注的立法难题。关于数据界权的讨论,在其权益构造上歧见丛生,在其权益基础上又含混不清或似是而非。贸然推动数据要素确权立法,可能不利于数据的公平获取使用。基于控制的数据处理,是数字经济和公共管理服务运行的实然状态,它受到合同法、侵权责任法、反不正当竞争法等法律规范的有效调整。无论是否能够妥当进行数据确权,都需要确立一个数据处理秩序,而公法构造不可或缺。这个公法构造是双重的,第一重是数据处理的规制体系,第二重是公共数据的开放利用。数据处理的双重公法构造能够超越数据确权,形成促进数据要素流动和价值分配的秩序构造,提供数字经济和数字政务服务持续发展的法律框架。     

个人数据安全的法律保护模式——从数据确权的视角切入

个人数据权益的多元性,决定了个人数据在不同场景中的权属不同,这意味着对不同权属性质的个人数据,提供的法律保护模式也不同。我国对个人数据的法律保护模式有三种:财产权保护模式、人格权保护模式和平台保护模式。鉴于当前我国数据确权的制度安排尚未完成、数据的人格权保护没有得到公益救济、数据利益的损害赔偿无法实现,有必要对不同权属性质的个人数据作出有针对性的调整方案:在方法论上应突破私法或公法的思维局限,在立法论与数据应用实践层面,对现有的个人数据保护模式作出相应的调整,通过商业秘密保护模式拓宽数据财产权的保护路径,利用个人数据场景化保护模式弥补人格权保护模式的虚置,利用平台保护模式优化数据安全法律保护的制度设计。     

Personal Data Protection in Nigeria: Reflections on Opportunities,Options and Challenges to Legal Reforms

The right to personal data protection is, without doubt, an important right in the jurisprudence of rights in the contemporary information society. It is becoming as crucial as other orthodox human rights and also attracting significant attention from academics, lawyers, human rights activists and policy makers. In spite of the growing attention data protection receives at international and regional levels, Nigeria is still lagging behind many competitor states like South Africa in establishing an effective legal framework to protect personal data. Individuals’ personal data is being collected and used without any serious form of control to check against abuse. This paper reflects on opportunities, option and challenges to legal reforms on data protection in Nigeria. It contends that certain legislative and practical challenges stand in the way of an effective legal regime on personal data protection. The paper suggests appropriate legal reforms that are needed to enable prevent the increasing risks of violating the right to data protection in a country that is making rapid advances in Information and Communication Technology but hamstrung by an outdated regulatory framework.