South Korea's innovations in data privacy principles: Asian comparisons

Over the last two decades, at least a dozen Asian jurisdictions have adopted significant data privacy (or ‘data protection’) laws. South Korea started to implement such laws in relation to its public sector in the 1990s, then its private sector from 2001, culminating in the comprehensive Personal Information Privacy Act of 2011. Internationally, there have been two stages in the development of data privacy principles (the common core of such laws), the first typified by the OECD's data protection Guidelines of 1981, and the second typified by the European Union data protection Directive of 1995, with a third stage currently under development.     

India’s national ID system: Danger grows in a privacy vacuum

India is juggling demands and proposals for at least three national data surveillance projects of vast scope. This article focuses on the unique identification (UID) number, which it is proposed will be allocated to India’s 1.2 billion people, with 600 M UIDs to be allocated by 2015. Draft legislation to create the Authority which will administer the UID contains few protections for privacy or other liberties. They are needed because there is otherwise a privacy vacuum in Indian law. The Bill leaves most of the details of the demographic and biometric information which will be required to be included Regulations, and imposes no controls on which organisations can require UIDs, or what they can do with them. This article focuses on the planning documents for the UID, and the Bill, to argue that India may be building an identification system that puts peoples’ liberties at risk, and does so in a way which will be largely out of control of democratic or judicial restraints on such a powerful use of information technology.     

DNA数据库比对技术在刑事侦查中运用的合宪性问题

DNA数据库比对技术实质上是基因检测技术和大数据处理技术相结合的产物。DNA数据库比对技术可以精确锁定犯罪嫌疑人,由于其强大的证明能力而被广泛地运用于刑事侦查,各国都积极推动DNA数据库的建立。DNA数据库比对技术在维护了社会安全的同时也对公民基因隐私构成极大威胁。如何在技术的运用和隐私权保障之间做出更好的平衡,是DNA比对技术的合宪性争议的中心。廓清了合宪性问题,我们才可以更好地制定相关法律,消弭合宪性问题,在保障公民隐私权的同时也更好地维护社会安全。     

论开放银行数据共享中的信息披露义务

开放银行模式下,数据共享过程中的信息披露存在对象和内容两方面的特殊性,个人客户的知情权保障面临信息不对称与信息过载的双重困境。我国有关开放银行的规范将视线聚焦于技术标准,涉及信息披露之核心操作环节的规则处于空白状态。在我国,实践中,各家银行并没有足够的动力履行信息披露义务,有必要对开放银行数据共享中的信息披露义务进行系统构建,这需要结合银行和第三方机构在数据共享不同阶段承担的不同角色,对信息披露义务的具体内容及形式予以明确,并从民事责任、行政责任、刑事责任的角度对各类违反信息披露义务的行为分别加以规制。     

Looking for needles in a haystack: Key issues affecting children's rights in the General Data Protection Regulation

The EU General Data Protection Regulation (GDPR) devotes particular attention to the protection of personal data of children. The rationale is that children are less aware of the risks and the potential consequences of the processing of their personal data on their rights. Yet, the text of the GDPR offers little clarity as to the actual implementation and impact of a number of provisions that may significantly affect children and their rights, leading to legal uncertainty for data controllers, parents and children. This uncertainty relates for instance to the age of consent for processing children's data in relation to information society services, the technical requirements regarding parental consent in that regard, the interpretation of the extent to which profiling of children is allowed and the level of transparency that is required vis-à-vis children. This article aims to identify a number of key issues and questions – both theoretical and practical – that raise concerns from a multi-dimensional children's rights perspective, and to clarify remaining ambiguities in the run-up to the actual application of the GDPR from 25 May 2018 onwards.     

Normative challenges of identification in the Internet of Things: Privacy,profiling, discrimination,and the GDPR

In the Internet of Things (IoT), identification and access control technologies provide essential infrastructure to link data between a user's devices with unique identities, and provide seamless and linked up services. At the same time, profiling methods based on linked records can reveal unexpected details about users' identity and private life, which can conflict with privacy rights and lead to economic, social, and other forms of discriminatory treatment. A balance must be struck between identification and access control required for the IoT to function and user rights to privacy and identity. Striking this balance is not an easy task because of weaknesses in cybersecurity and anonymisation techniques. The EU General Data Protection Regulation (GDPR), set to come into force in May 2018, may provide essential guidance to achieve a fair balance between the interests of IoT providers and users. Through a review of academic and policy literature, this paper maps the inherent tension between privacy and identifiability in the IoT. It focuses on four challenges: (1) profiling, inference, and discrimination; (2) control and context-sensitive sharing of identity; (3) consent and uncertainty; and (4) honesty, trust, and transparency. The paper will then examine the extent to which several standards defined in the GDPR will provide meaningful protection for privacy and control over identity for users of IoT. The paper concludes that in order to minimise the privacy impact of the conflicts between data protection principles and identification in the IoT, GDPR standards urgently require further specification and implementation into the design and deployment of IoT technologies.