面向电子政务的个人数据保护立法初探

政府部门在政务处理过程中经常需要收集和传播与个人相关的数据信息。本文在对电子政务中的个人数据侵权行为分析基础上,通过对国外个人数据保护的相关立法情况的考察,进而对我国面向电子政务的个人数据立法的原则进行了初步探讨。     

Bioinformatics and genetic privacy: The impact of the Personal Data Protection Act 2010

Bioinformatics refers to the practise of creation and management of genetic data using computational and statistical techniques. In Malaysia, data obtained from genomic studies, particularly for the purpose of disease identification produces a tremendous amount of information related to molecular biology. These data are created from DNA samples obtained from diagnostic and research purposes in genomic research institutes in Malaysia. As these data are processed, stored, managed and profiled using computer applications, an issue arises as to whether the principles of personal data privacy would be applicable to these activities. This paper commences with an illustration of the salient features of the Personal Data Protection Act 2010. The second part analyses the impact of the newly passed Personal Data Protection Act 2010 on the collection of DNA sample, the processing of data obtained from it and the profiling of such data. The third part of the paper considers whether the various personal data protection principles are applicable to the act of DNA profiling and the creation of bioinformatics.     

EU General Data Protection Regulation: Changes and implications for personal data collecting companies

The General Data Protection Regulation (GDPR) will come into force in the European Union (EU) in May 2018 to meet current challenges related to personal data protection and to harmonise data protection across the EU. Although the GDPR is anticipated to benefit companies by offering consistency in data protection activities and liabilities across the EU countries and by enabling more integrated EU-wide data protection policies, it poses new challenges to companies. They are not necessarily prepared for the changes and may lack awareness of the upcoming requirements and the GDPR's coercive measures. The implementation of the GDPR requirements demands substantial financial and human resources, as well as training of employees; hence, companies need guidance to support them in this transition. The purposes of this study were to compare the current Data Protection Directive 95/46/EC with the GDPR by systematically analysing their differences and to identify the GDPR's practical implications, specifically for companies that provide services based on personal data. This study aimed to identify and discuss the changes introduced by the GDPR that would have the most practical relevance to these companies and possibly affect their data management and usage practices. Therefore, a review and a thematic analysis and synthesis of the article-level changes were carried out. Through the analysis, the key practical implications of the changes were identified and classified. As a synthesis of the results, a framework was developed, presenting 12 aspects of these implications and the corresponding guidance on how to prepare for the new requirements. These aspects cover business strategies and practices, as well as organisational and technical measures.     

数据安全认证:个人信息保护的第三方规制

契合放管服改革理念的数据安全认证,在数字时代整个规制法体系中必将占据日益重要的地位。数据安全认证通过声誉评价机制,可以引导、激励互联网企业守法合规经营,可以增强用户对中小微互联网企业和新兴数字产业的信任感,可以避免一刀切的政府规制,可以满足社会公众多元的数据安全需求。数据安全认证机构应具有高度的独立性与专业性,防止其被互联网企业俘获或成为政府的附庸。宜实行自愿为主、强制为辅的数据安全认证模式。认证程序应强调公正透明性,认证标准应注重评价企业数据合规的制度建设。根据过错责任原则,分别设置数据安全认证机构相应的赔偿责任或连带责任,并加大对数据安全认证违法行为的公法责任追究。科学构建法治化的数据安全认证体制机制,不仅是保障数据安全的现实需要,而且是弥补数字时代政府规制缺陷的迫切需求。     

大数据时代日本个人信息保护法探究

个人信息本来是极其隐私的事物,在大数据时代却时刻处于裸奔状态,时刻面临被侵犯的风险。特别在新冠肺炎疫情防控中,大数据技术发挥了重要作用,个人信息保护再次引起关注。整体而言,日本个人信息保护法以个人优先与公共优先的宗旨博弈为出发点,以个人信息的概念界定为基础,以个人信息权的保护为核心,以个人信息保护机构的...     

健康数据保护:健康二维码应用的法律风险及其治理

COVID-19的大规模流行破坏了世界正常的生产和生活秩序,也给每个国家的社会治理带来了新的挑战.为了控制流行疾病和促进经济恢复,健康二维码作为一种数字技术管理手段应运而生.从实际效果来看,健康二维码的开发在很大程度上消除了填写报告的繁琐工作,减少了交叉感染的可能性,并提高了数据收集的效率.但与此同时,健康二维码的广泛...     

The Singapore Personal Data Protection Act and an assessment of future trends in data privacy reform

In the first part of this paper, I will present and explain the Singapore Personal Data Protection Act (“PDPA”) in the context of legislative developments in the Asian region and against the well-established international baseline privacy standards. In the course of the above evaluation, reference will be made to the national laws and policy on data privacy prior to the enactment of the PDPA as well as current social and market practices in relation to personal data. In the second part of this paper, I will decipher and assess the future trends in data privacy reform and the future development of the privacy regime in Singapore and beyond. In the course of this analysis, international standards, technological trends and recent legal developments in other jurisdictions will be considered.     

The new German Data Protection Act and its compatibility with the European Data Protection Directive

A substitution of the right to maintain mailing lists for marketing purposes (the so-called list privilege) by a strict opt-in requirement as proposed by the German Government for the amendment of the German Data Protection Act does not conform with European law. Making the use of relatively innocuous data like name and address for marketing purposes subject to the data subject's declaration of consent infringes upon the requirements of the European Data Protection Directive. The Directive allows for the use of personal data either on the basis of a data subject's declaration of consent or after a balancing of legally protected interests. Reducing this two-track model to a one-track model (based on the data subject's declaration of consent only) does not do justice to the idea of balancing of interests or free movement of goods and services which are a mandatory part of European law. The draft bill interferes drastically with the free movement of goods and services. A tightening of the opt-in requirements would be a severe burden for the German economy because it is impossible for businesses to distribute their goods and services without the help of marketing measures. The economic cycle would be hit at its weakest point, i.e. the link between businesses and consumers which is gaining more and more importance especially with a view to cross-border competition.     

个人数据安全的法律保护模式——从数据确权的视角切入

个人数据权益的多元性,决定了个人数据在不同场景中的权属不同,这意味着对不同权属性质的个人数据,提供的法律保护模式也不同。我国对个人数据的法律保护模式有三种:财产权保护模式、人格权保护模式和平台保护模式。鉴于当前我国数据确权的制度安排尚未完成、数据的人格权保护没有得到公益救济、数据利益的损害赔偿无法实现,有必要对不同权属性质的个人数据作出有针对性的调整方案:在方法论上应突破私法或公法的思维局限,在立法论与数据应用实践层面,对现有的个人数据保护模式作出相应的调整,通过商业秘密保护模式拓宽数据财产权的保护路径,利用个人数据场景化保护模式弥补人格权保护模式的虚置,利用平台保护模式优化数据安全法律保护的制度设计。     

The Council of Europe Data Protection Convention reform: Analysis of the new text and critical comment on its global ambition

The year 2010 set an important milestone in the development of data protection law in Europe: both Europe's basic regulatory texts, the EU Data Protection Directive and the Council's Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), were placed at an amendment process, having served individual data protection for many years and witnessed in the meantime technological developments that threatened to make their provisions obsolete. After briefly presenting Convention 108, the analysis that follows will highlight the Council's data protection system currently in effect as well as developments relating to the Convention's amendment so far with the aim of identifying improvements and shortcomings. While doing this two separate points of view shall be adopted: at first a micro point of view will attempt to identify improvements and shortcomings through an ‘insider’ perspective, that is, judging only the merits and difficulties of the draft text at hand. Afterwards a macroscopic view will be adopted, whereby strategic issues will be discussed pertaining to the important issue of the relationship of the suggested draft with the EU data protection system, as well as, the same draft's potential to constitute the next global information privacy standard.     

论我国未成年人犯罪个人资料保护

未成年人犯罪个人资料保护是我国现行法律法规中较为薄弱的一个部分,现行规定较为模糊和笼统,和当前法治发展要求进一步加大对未成年人的保护趋势不相适应。针对现存的保护时间节点过窄、责任主体不明、抹销制度与前科报告三大问题提出相应立法和司法建议,力求符合未成年人犯罪个人资料保护的时代发展要求,完善我国未成年人犯罪个人资料保护。     

South Korea's innovations in data privacy principles: Asian comparisons

Over the last two decades, at least a dozen Asian jurisdictions have adopted significant data privacy (or ‘data protection’) laws. South Korea started to implement such laws in relation to its public sector in the 1990s, then its private sector from 2001, culminating in the comprehensive Personal Information Privacy Act of 2011. Internationally, there have been two stages in the development of data privacy principles (the common core of such laws), the first typified by the OECD's data protection Guidelines of 1981, and the second typified by the European Union data protection Directive of 1995, with a third stage currently under development.     

Patching the patchwork: appraising the EU regulatory framework on cyber security breaches

Breaches of security, a.k.a. security and data breaches, are on the rise, one of the reasons being the well-known lack of incentives to secure services and their underlying technologies, such as cloud computing. In this article, I question whether the patchwork of six EU instruments addressing breaches is helping to prevent or mitigate breaches as intended. At a lower level of abstraction, the question concerns appraising the success of each instrument separately. At a higher level of abstraction, since all laws converge on the objective of network and information security – one of the three pillars of the EU cyber security policy – the question is whether the legal ‘patchwork’ is helping to ‘patch’ the underlying insecurity of network and information systems thus contributing to cyber security. To answer the research question, I look at the regulatory framework as a whole, from the perspective of network and information security and consequently I use the expression cyber security breaches. I appraise the regulatory patchwork by using the three goals of notification identified by the European Commission as a benchmark, enriched by policy documents, legal analysis, and academic literature on breaches legislation, and I elaborate my analysis by reasoning on the case of cloud computing. The analysis, which is frustrated by the lack of adequate data, shows that the regulatory framework on cyber security breaches may be failing to provide the necessary level of mutual learning on the functioning of security measures, awareness of both regulatory authorities and the public on how entities fare in protecting data (and the related network and information systems), and enforcing self-improvement of entities dealing with information and services. I conclude with some recommendations addressing the causes, rather than the symptoms, of network and information systems insecurity.     

个人数据保护中同意规则的“扬”与“抑”——卡-梅框架视域下的规则配置研究

知情同意规则是个人数据保护法领域中的核心规则,但知情同意高度依赖于同意主体对数据收集、处理过程的充分了解。而现实中,普遍存在于当事人间的信息分布不均妨害同意的认识基础,多环节的数据流通则进一步削弱了同意的有效性,在此基础上的同意决策容易陷入非理性。通过引入卡-梅框架进行分析和假设,可以明确财产规则与责任规则各自的效率优缺点、分配偏好与价值考量。从保护与利用平衡的角度出发,倡导构建以知情同意规则为核心、管制规则与自治性责任规则为辅助的互补性规则进路,并继续在立法上完善知情同意规则,简化事前谈判,强化事后风险防范,辅之以多种类的技术监督机制以消弭权利配置进路的负外部性。     

A walk in to the cloud and cloudy it remains: The challenges and prospects of ‘processing’ and ‘transferring’ personal data

Cloud computing is an information technology technique that promises greater efficiency and reduced-cost to consumers, businesses and public institutions. However, to the extent it has brought better efficiency and minimal cost, the emergence of cloud computing has posed a significant regulatory challenge on the application of data protection rules particularly on the regime regulating cross-border data flow. The Data Protection Directive (DPD), which dates back to 1995, is at odds with some of the basic technological and business-related features of the cloud. As a result, it is claimed that the Directive hardly offers any help in using the legal bases to ‘process’ and ‘transfer’ data as well as to determine when a transfer to a third country occurs in cloud computing. Despite such assertions, the paper argues that the ECJ's Bodil Lindqvist decision can to a certain extent help to delineate circumstances where transfer should and should not occur in the cloud. Concomitantly, the paper demonstrates that controllers can still make the most of the available possibilities in justifying their ‘processing’ as well as ‘transferring’ of data to a third country in cloud arrangements. In doing so, the paper also portrays the challenges that arise down the road. All legal perspectives are largely drawn from EU level though examples are given from member states and other jurisdictions when relevant.     

The exploitation of Business Register data from a public sector information and data protection perspective: A case study

Business Registers (BRs) are a very important information resource for investors, creditors, financial institutions and public authorities. The possibility to aggregate and interconnect these data at a European level could enhance the transparency of companies towards those actors and add a great deal of value to the raw Business Register data. The European BRITE project intended to provide adequate tools to meet these demands. BRITE will provide easier access and cross-border interoperability of Business Register data throughout Europe. On the other hand, the processing of BR data within the BRs and BRITE triggers several important European legislations such as the Data Protection Directive and the Directive on the re-use of public sector information. In this paper, the processing of BR data will be analysed from the perspective of both data protection and public sector information laws, analysing as well the relation between both regulations. Do these regulations strike an optimal balance between the interests of private data vendors to re-use BR data and enhance business transparency and the need to protect the personal data of natural persons?     

The proposed data protection Regulation replacing Directive 95/46/EC: A sound system for the protection of individuals

The recent release by the European Commission of the first drafts for the amendment of the EU data protection regulatory framework is the culmination of a consulting and preparation process that lasted more than two years. At the same time, it opens up a law-making process that is intended to take at least as much time. The Commission has undertaken the herculean task to amend the whole EU data protection edifice, through the introduction of a General Data Protection Regulation, intended to replace the EU Data Protection Directive 95/46/EC, and a Police and Criminal Justice Data Protection Directive, intended to replace the Framework Decision 2008/977/JHA. This paper shall focus at the replacement of the EU Data Protection Directive by the draft General Data Protection Regulation. Due to the fact that the draft Regulation is a long (and ambitious) text, a selection has been made, with the aim of highlighting its treatment of basic data protection principles and elements, in order to identify merits and shortcomings for the general data protection purposes.     

Looking for needles in a haystack: Key issues affecting children's rights in the General Data Protection Regulation

The EU General Data Protection Regulation (GDPR) devotes particular attention to the protection of personal data of children. The rationale is that children are less aware of the risks and the potential consequences of the processing of their personal data on their rights. Yet, the text of the GDPR offers little clarity as to the actual implementation and impact of a number of provisions that may significantly affect children and their rights, leading to legal uncertainty for data controllers, parents and children. This uncertainty relates for instance to the age of consent for processing children's data in relation to information society services, the technical requirements regarding parental consent in that regard, the interpretation of the extent to which profiling of children is allowed and the level of transparency that is required vis-à-vis children. This article aims to identify a number of key issues and questions – both theoretical and practical – that raise concerns from a multi-dimensional children's rights perspective, and to clarify remaining ambiguities in the run-up to the actual application of the GDPR from 25 May 2018 onwards.     

Russian PNR system: Data protection issues and global prospects

The usage of Passenger Name Record (PNR) for security purposes is growing worldwide. At least six countries have PNR systems; over thirty are planning to introduce them. On 1 December 2013, a Russian PNR system will be implemented. But enhanced collection of personal data leads to increased surveillance and privacy concerns. Russian authorities state that passengers' rights will be respected, but a closer look at the Russian regime reveals a number of critical points. From a global perspective, the Russian regime is only one of many PNR systems, including new ones to come in the future. Apparently, for the majority of them, similar challenges and problems will apply. At the same time, for the EU, with its strict data protection requirements, PNR requests by third countries (i.e. non-EU countries) create conflicts of laws. In order to resolve them, the EU concludes bilateral PNR agreements. However, the current deals, especially the one between the EU and the USA, involve a number of weaknesses. Accepting the latter, and having a pending proposal on the EU PNR system, the EU has weakened its position in negotiations with third countries. How will the EU deal with the Russian as well as with all the future requests for PNR? This paper provides legal analysis of the Russian PNR regime, pointing out common problems and giving prognosis on the global situation.     

iCLIC Data Mining and Data Sharing workshop: The present and future of data mining and data sharing in the EU

Held at Southampton University's Highfield campus and hosted by iCLIC, an interdisciplinary core on Law, the Internet and Culture, the Data Mining and Data Sharing workshop brought together attendees and speakers from industry, government, academia and a range of disciplines alike. The workshop comprised two sessions, each with a keynote and an associated panel. The first session was chaired by Eleonora Rosati and dealt with copyright and database rights, data mining and data sharing. The second session, chaired by Sophie Stalla-Bourdillon, focussed on data protection, data mining and data sharing. The following report covers both sessions, associated panel discussions and the subsequent question and answer sessions.