A comparison of data protection legislation and policies across the EU

Although the protection of personal data is harmonized within the EU by Directive 95/46/EC and will be further harmonized by the General Data Protection Regulation (GDPR) in 2018, there are significant differences in the ways in which EU member states implemented the protection of privacy and personal data in national laws, policies, and practices. This paper presents the main findings of a research project that compares the protection of privacy and personal data in eight EU member states: France, Germany, the UK, Ireland, Romania, Italy, Sweden, and the Netherlands. The comparison focuses on five major themes: awareness and trust, government policies for personal data protection, the applicable laws and regulations, implementation of those laws and regulations, and supervision and enforcement.The comparison of privacy and data protection regimes across the EU shows some remarkable findings, revealing which countries are frontrunners and which countries are lagging behind on specific aspects. For instance, the roles of and interplay between governments, civil rights organizations, and data protections authorities vary from country to country. Furthermore, with regard to privacy and data protection there are differences in the intensity and scope of political debates, information campaigns, media attention, and public debate. New concepts like privacy impact assessments, privacy by design, data breach notifications and big data are on the agenda in some but not in all countries. Significant differences exist in (the levels of) enforcement by the different data protection authorities, due to different legal competencies, available budgets and personnel, policies, and cultural factors.     

手机短信骚扰的法律思考

绝大部分手机用户都有被短信骚扰的经历,这种骚扰让人不堪忍受。短信骚扰属于违法行为,既违反了《消费者权益保护法》,也侵犯了公民的隐私权。为了保护手机用户的权益,应严格禁止群发短信广告,加强对个人资料的法律保护,明确短信骚扰的民事责任,理清举证责任。     

论企业数据权益的法律保护——基于数据法律性质的分析

在互联网与大数据时代,数据已经成为企业的重要资产,对企业数据权益应当进行合理保护。但对企业数据不宜进行绝对化与排他性的财产权保护,因为此种保护违背数据的基本特征——数据并不具有排他性与竞争性。保护企业数据权益应当以促进数据共享为目标,企业数据的合理保护应当有利于促进数据共享。对企业数据应当进行类型化与场景化保护。对于非公开的企业数据,应当提供商业秘密保护;对于半公开的数据库数据,应当提供类似欧盟的数据库特殊权利保护;对于公开的网络平台数据,应当采取竞争法保护,避免恶性搭便车行为。法律还应当为企业主动公开的数据提供特殊类型的保护,允许企业设置白名单与黑名单。此外,法律也应当协调保护个人数据与企业数据,在优先保护个人数据的前提下,实现个人数据隐私期待与企业数据权益的共赢。     

Governing ghostbots

This article discusses the legal implications of a novel phenomenon, namely, digital reincarnations of deceased persons, sometimes known as post-mortem avatars, deepfakes, replicas, holographs, or chatbots. To elide these multiple names, we use the term 'ghostbots'. The piece is an early attempt to discuss the potential social and individual harms, roughly grouped around notions of privacy (including post-mortem privacy), property, personal data and reputation, arising from ghostbots, how they are regulated and whether they need to be adequately regulated further. For reasons of space and focus, the article does not deal with copyright implications, fraud, consumer protection, tort, product liability, and pornography laws, including the non-consensual use of intimate images (‘revenge porn’). This paper focuses on law, although we fully acknowledge and refer to the role of philosophy and ethics in this domain.We canvas two interesting legal developments with implications for ghostbots, namely, the proposed EU Artificial Intelligence (AI) Act and the 2021 New York law amending publicity rights to protect the rights of celebrities whose personality is used in post-mortem ‘replicas’. The latter especially evidences a remarkable shift from the norm we have chronicled in previous articles of no respect for post-mortem privacy to a growing recognition that personality rights do need protection post-mortem in a world where pop stars and actors are routinely re-created using AI. While the legislative motivation here may still be primarily to protect economic interests, we argue it also shows a concern for dignitary and privacy interests.Given the apparent concern for the appropriation of personality post-mortem, possibly in defiance or ignorance of what the deceased would have wished, we propose an early solution to regulate the rise of ghostbots, namely an enforceable ‘do not bot me’ clause in analogue or digital wills.     

民法典框架下个人数据财产法益的体系构建

从欧盟个人数据保护相关立法的变迁可以发现,个人数据从隐私权保护的传统模式开始出现向财产权保护模式过渡的迹象。这并不意味着数据产业界的新机会,而是调节数据主体与数据控制者之间日益失衡关系的新尝试。财产权保护模式有着隐私权保护模式无可比拟的优势,却也存在权利定性和范围界定上的困难。与非个人数据更为鲜明的财产属性不同,个人数据上的民事权益应该构建为一个以数据主体的财产利益为基础、以数据控制者对个人数据的占有利益为核心的财产法益体系。数据控制者及其义务作为个人数据财产法益体系的中心,才能在保护数据主体和发挥数据效用之间保持平衡。     

流调与追踪中的数据法律保护

疫情中流调与追踪的数据保护面临着数据隐私权保护的全新威胁,数据收集、处理合法性原则的挑战以及数据保护制度不完善的规制障碍等困境和挑战。由于传统权利理论的供给不足和缺少共识性的价值衡量尺度以及数据保护的规制方式不完善等原因导致了流调与追踪中的数据保护面临难题。通过确保数据权利保护和数据流动的平衡、完善数据权利保护的法律体系、构筑有效的外部执法机制、构建自主可控的数据保护新路径使得流调与追踪中收集的数据在保护数据权利的前提和基础上,以便数据能够流通和分享,为疫情防控发挥更好的作用。     

Body scanners versus privacy and data protection

In recent history, the world has experienced dramatic events which have had a substantial effect on the balance between human rights protection and security measures. Body scanners installed at airports are intended to protect our lives. But at the same time they have a serious impact on privacy and data protection. The international legislation allows limiting people’s rights and freedoms, but only if it is in accordance with the law and is proportionate and necessary for national security, public safety and for the protection of the rights and freedoms of others. Do body scanners respect these principles? The article examines the current situation, its background and future prospects. It discusses and analyzes the key terms and legal instruments, problems, disputes and proposed “safeguards”. The work concludes by pointing out the unlawfulness of current regimes and sets forth perspective on the possible solutions.     

论隐私、隐私权的概念和特征

本文着重论述隐私概念和特征、隐私权概念和特征、西方隐私权的新构成、以及隐私权和其他相关人格权的区别。采用比较分折的方法,论述了国外隐私权渊源及发展,探讨我国隐私权保护滞后的原因。并力图对隐私、隐私权作一个科学的界定。     

For privacy's sake: Consumer “opt outs” for smart meters

When balancing consumer privacy and data protection rights with the important societal benefits to be obtained from smart meters, should consumers be allowed to opt out? If so, what should a smart meter opt out mechanism look like? Further, may consumers be charged additional fees for the privilege of opting out without violating their privacy and data protection rights? The EU/U.S. comparative law analysis provided in this paper aims to help energy suppliers and regulators craft opt out mechanisms to protect individual privacy and data protection rights while also achieving important societal benefits from smart meters.     

The legal construction of personal information protection and privacy under the Chinese Civil Code

Personal information protection and privacy interact in diverse ways, especially in the contemporary information age. Although books and articles have focused on this topic, the new tendencies of worldwide legislation and judicial practice bring challenges, as the legal construction of personal information protection and privacy differs from culture to culture and time to time. In 2017, the General Provisions of the Civil Law of the People's Republic of China (“the General Provisions of the Chinese Civil Code” hereafter)¹ (expired) addresses the legal concepts of personal information protection and the right to privacy simultaneously, to which this article refers as the dual model, differing from the one-dimensional mode of privacy protection before. Subsequently, the “The Right to Privacy and the Protection of Personal Information,” a chapter of the newly issued Civil Code of the People's Republic of China's (“the Chinese Civil Code” hereafter), ascertains the dual model and details related provisions. It has been dubbed a landmark ruling of China's personal information protection, greatly boosting the modernization of China's civil system.Despite the many articles that discuss approaches to China's civil protections, little attention has been given to the fundamental question concerning what exactly encompasses the personal information protection and privacy to which these laws refer. Based on the regulations and applicability of the General Provisions of the Chinese Civil Code and the Chinese Civil Code, this paper explores the legal construction of personal information protection and privacy under Chinese legal orders, including the differences, similarities, and interplay between the two rights. By distinguishing the legal value, contents and remedial approaches, this paper concludes that the two rights are distinct but overlap. On one side, personal information protection is elevated to the status of a separate civil right in the legal context of China, rather than part of privacy. On the other side, tailored regulations should be establish according to the criteria of the nature of information, the extent of information processing, and the elements of damage when confronted with overlaps in the two rights in judicial practice. Thus, this paper provides a perspective from which to clarify the approaches to civil protection of personal information and privacy in China and a reference model for enactment of the Chinese Personal Information Protection Law in the future.     

A comparison of proposed legislative data privacy protections in the United States

The use of online consumer tracking methods has raised significant privacy concerns for consumers and policymakers for decades. Advertisers using these methods analyze web-viewing habits to predict consumer preferences and actions. The advertising industry in the United States has promoted self-regulatory principles to respond to these concerns. However, in December 2010, the U.S. Federal Trade Commission reported that these efforts “have been too slow and up to now have failed to provide adequate and meaningful protection.” President Barack Obama's administration has supported broader legislation for comprehensive protection of individuals' private data. The leading model for data privacy protection is the 1980 Organization for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. This article examines two leading legislative privacy proposals in the context of the OECD principles. This examination concludes that, although the proposals do not provide sufficient comprehensive privacy protections, they do fill significant gaps in current U.S. privacy laws.     

Smart meters and the information panopticon: beyond the rhetoric of compliance

The Smart Meter Implementation Programme is the Government's flagship energy policy. In its search for solutions to address privacy dilemmas raised by smart meters, the Government has been content with using data protection principles as a policy framework to regulate the processing of consumers' personal information. This is worrying since the question of who has access to what type of information and how it is used cannot simply be regarded as raising information security, authenticity and integrity issues. If we are to go beyond the rhetoric of protecting the privacy rights of energy consumers we must scrutinise the context in which legitimate interests and reasonable expectations of privacy subsist. To remedy this apparent policy oversight, the paper undertakes two tasks: first, to clarify the content and application of data protection and privacy rights to smart meters; and second, it outlines a policy framework that will address the lack of specificity on how best innovation and privacy issues can be better calibrated. More importantly, it calls for targeted substantive reforms, development of accessible privacy policies and information management practices that promote transparency and accountability and deployment of technological solutions that will help reduce emerging fault lines between innovation and privacy in this sphere of energy policymaking.     

There's more to it than data protection – Fundamental rights,privacy and the personal/household exemption in the digital age

Heated debates triggered by the plans to introduce the “right to be forgotten” exposed problems the all-encompassing application of rules on data processing may cause in practice. The purpose of this article is to discuss the compatibility of these rules with the rapidly evolving online environment in the context of the need to guarantee human rights on the internet. The author argues that there is an imbalance in the protection of individual rights online. It results from the limited application of personal/household exception and, in general, the narrow understanding of the concept of online privacy. According to the author in order for data protection laws to flesh out not only the fundamental right of data protection, but also play a mediatory role in balancing other rights, the application of the personal/household exception should be extended to include private online activities. This would reflect the complex character of the very concept of online privacy, diversity of actors and activities shaping online “territories”, as well as the increasingly heterogeneous fabric of the Web.     

Privacy Enhancing Employment of ICT: Empowering and Assisting Data Subjects

This article is based on the fact that the new data protection regime in Europe, according to the Data Protection Directive (46/95/EC), presupposes a Europe were personal data should flow freely between the 20 countries of EU and associated states. At the same time, data subjects have been given comprehensive rights. These rights will make it necessary for them that they relate to controllers in various countries, as well as to a variety of national legislation and languages. Schartum discusses how and to what extent ICT tools may be used in order to empower data subjects and make them capable of safeguarding their privacy interests. He points to the fact that a diversity ICT support should be of interest, and that our attention should not only be on Privacy Enhancing Technologies in a strict sense.     

Do privacy laws affect the location decisions of internet firms? Evidence for privacy havens

This paper empirically studies the location decisions of internet firms when they face high legal standards of privacy protection. Many factors might influence them: technological spillovers, lower taxation, and so on. Internet firms can also arbitrate national differences and many of them actually locate their activity in order to escape from national laws they consider over-stringent. In the current stage of development of the internet—the so-called Web 2.0—the ease of access to personal data proved to be strategic input. So the more a jurisdiction makes collecting and using these data easy, the more attractive the country is, if all other things remain constant. One way for a firm to avoid such legal restrictions is to locate or to expand its business in less privacy protective countries. Our empirical results support this ‘no-privacy haven’ hypothesis. In particular, we highlight a new privacy paradox according to which the more stringent certain online privacy laws are, the more they induce firms to locate their business in less stringent countries, and finally the weaker actual privacy protection on the internet is.     

网络时代隐私权的法律保护

随着大众传媒的不断发展,侵害公民个人隐私的行为也不断发生,保护公民隐私权已成为我国法学界的共识。我国对公民隐私权的保护还需要在立法上加以完善,同时对隐私权的保护也需要进行一定的限制。     

Privacy principles,risks and harms

The protection of privacy is predicated on the individual's right to privacy and stipulates a number of principles that are primarily focused on information privacy or data protection and, as such, are insufficient to apply to other types of privacy and to the protection of other entities beyond the individual. This article identifies additional privacy principles that would apply to other types of privacy and would enhance the consideration of risks or harms to the individual, to groups and to society as a whole if they are violated. They also relate to the way privacy impact assessment (PIA) may be conducted. There are important reasons for generating consideration of and debate about these principles. First, they help to recalibrate a focus in Europe on data protection to the relative neglect of other types of privacy. Second, it is of critical importance at a time when PIA (renamed ‘data protection impact assessment’, or DPIA) may become mandatory under the European Commission's proposed Data Protection Regulation. Such assessment is an important instrument for identifying and mitigating privacy risks, but should address all types of privacy. Third, one can construct an indicative table identifying harms or risks to these additional privacy principles, which can serve as an important tool or instrument for a broader PIA to address other types of privacy.     

Normative challenges of identification in the Internet of Things: Privacy,profiling, discrimination,and the GDPR

In the Internet of Things (IoT), identification and access control technologies provide essential infrastructure to link data between a user's devices with unique identities, and provide seamless and linked up services. At the same time, profiling methods based on linked records can reveal unexpected details about users' identity and private life, which can conflict with privacy rights and lead to economic, social, and other forms of discriminatory treatment. A balance must be struck between identification and access control required for the IoT to function and user rights to privacy and identity. Striking this balance is not an easy task because of weaknesses in cybersecurity and anonymisation techniques. The EU General Data Protection Regulation (GDPR), set to come into force in May 2018, may provide essential guidance to achieve a fair balance between the interests of IoT providers and users. Through a review of academic and policy literature, this paper maps the inherent tension between privacy and identifiability in the IoT. It focuses on four challenges: (1) profiling, inference, and discrimination; (2) control and context-sensitive sharing of identity; (3) consent and uncertainty; and (4) honesty, trust, and transparency. The paper will then examine the extent to which several standards defined in the GDPR will provide meaningful protection for privacy and control over identity for users of IoT. The paper concludes that in order to minimise the privacy impact of the conflicts between data protection principles and identification in the IoT, GDPR standards urgently require further specification and implementation into the design and deployment of IoT technologies.     

美国隐私权的宪法保护述评

美国隐私权的宪法保护建立在其独特的司法审查的基础上,有其独特的特色,不仅体现在通过最高法院对宪法的司法解释回应了公民权利运动对隐私权保护的要求,而且宪法对隐私权的保护具有开放性,虽然美国宪法对隐私权的保护受制于社会传统伦理道德和政府的政策,但是通过消极的个案判决方式从基本人权的角度确立了宪法对自决权意义上的隐私权的保护。     

美国、德国隐私权宪法保护比较研究

美国和德国是世界上隐私权宪法保护比较成熟的国家,但是由于历史文化和法律传统的不同,两国隐私权的宪法保护在基本理念、具体含义、宪法保护方式和保护效力方面存在着很大的不同,比较研究两国隐私权的宪法保护对于我国隐私权的宪法保护的完善有借鉴意义。