民法典框架下个人数据财产法益的体系构建

从欧盟个人数据保护相关立法的变迁可以发现,个人数据从隐私权保护的传统模式开始出现向财产权保护模式过渡的迹象。这并不意味着数据产业界的新机会,而是调节数据主体与数据控制者之间日益失衡关系的新尝试。财产权保护模式有着隐私权保护模式无可比拟的优势,却也存在权利定性和范围界定上的困难。与非个人数据更为鲜明的财产属性不同,个人数据上的民事权益应该构建为一个以数据主体的财产利益为基础、以数据控制者对个人数据的占有利益为核心的财产法益体系。数据控制者及其义务作为个人数据财产法益体系的中心,才能在保护数据主体和发挥数据效用之间保持平衡。     

Balancing data protection and privacy – The case of information security sensor systems

This article analyses government deployment of information security sensor systems from primarily a European human rights perspective. Sensor systems are designed to detect attacks against information networks by analysing network traffic and comparing this traffic to known attack-vectors, suspicious traffic profiles or content, while also recording attacks and providing information for the prevention of future attacks. The article examines how these sensor systems may be one way of ensuring the necessary protection of personal data stored in government IT-systems, helping governments fulfil positive obligations with regards to data protection under the European Convention on Human Rights (ECHR), the EU Charter of Fundamental Rights (The Charter), as well as data protection and IT-security requirements established in EU-secondary law. It concludes that the implementation of sensor systems illustrates the need to balance data protection against the negative privacy obligations of the state under the ECHR and the Charter and the accompanying need to ensure that surveillance of communications and associated metadata reach established principles of legality and proportionality. The article highlights the difficulty in balancing these positive and negative obligations, makes recommendations on the scope of such sensor systems and the legal safeguards surrounding them to ensure compliance with European human rights law and concludes that there is a risk of privatised policymaking in this field barring further guidance in EU-secondary law or case law.     

中俄刑法典有关危害食品安全犯罪的规定之比较

中俄两国刑法典有关危害食品安全犯罪的规定在构成要件、犯罪既遂标准以及处罚等方面有所不同,两国刑法典有关危害食品安全犯罪的规定各具特色。俄罗斯刑法典将该类犯罪归类于危害公共安全类犯罪的做法值得我国借鉴;其规制行为内容多、规制目标广的做法更有利于对消费者合法权益的保护;其量刑情节设置具体、细腻的做法也有参考价值;罚金刑的设置方式也具有一定的借鉴意义。     

Russian PNR system: Data protection issues and global prospects

The usage of Passenger Name Record (PNR) for security purposes is growing worldwide. At least six countries have PNR systems; over thirty are planning to introduce them. On 1 December 2013, a Russian PNR system will be implemented. But enhanced collection of personal data leads to increased surveillance and privacy concerns. Russian authorities state that passengers' rights will be respected, but a closer look at the Russian regime reveals a number of critical points. From a global perspective, the Russian regime is only one of many PNR systems, including new ones to come in the future. Apparently, for the majority of them, similar challenges and problems will apply. At the same time, for the EU, with its strict data protection requirements, PNR requests by third countries (i.e. non-EU countries) create conflicts of laws. In order to resolve them, the EU concludes bilateral PNR agreements. However, the current deals, especially the one between the EU and the USA, involve a number of weaknesses. Accepting the latter, and having a pending proposal on the EU PNR system, the EU has weakened its position in negotiations with third countries. How will the EU deal with the Russian as well as with all the future requests for PNR? This paper provides legal analysis of the Russian PNR regime, pointing out common problems and giving prognosis on the global situation.     

欧盟非合同义务法律适用统一化——以《罗马条例Ⅱ》为中心

《罗马条例Ⅱ》的诞生,标志着欧盟国际私法统一化的最新发展——非合同义务领域法律适用的统一,从而使非合同义务的法律适用增加了一种“超国家”法律渊源。而且,统一的内容涉及侵权或不法行为、不当得利、无因管理等非合同之债的主要方面,统一的法律选择力求在法律适用的确定性与灵活性、管辖权选择与内容定向法律选择、社会公共利益与个人利益等方面达到平衡。欧盟非合同义务法律适用的统一化给中国国际私法立法以启示。     

后“SchremsⅡ案”时期欧盟数据跨境流动法律监管的演进及我国的因应

“SchremsⅡ案”对以隐私权和数据保护为核心构建的欧盟数据跨境流动规则体系产生重大影响,它要求无论使用何种数据跨境流动工具,都必须确保第三国能够提供与欧盟同等的保护水平。在该案的影响下,《欧盟基本权利宪章》在数据保护领域的地位进一步提高,保障措施的适用愈发严苛,欧洲数据保护委员会在数据保护领域将扮演更重要的角色,数据跨境流动欧盟法规则与国际贸易法的不兼容问题日益凸显。欧盟虽然结合SchremsⅡ案的判决完善了对数据跨境的法律监管,但依然没有减少外界对其监管合理性的质疑。我国对数据跨境流动的监管存在着配套立法不健全、规则可操作性差、多元价值失衡、缺乏内外联动的“中国方案”等问题。对此,应完善我国相关立法,加强中欧国际合作,共同引领构建数据跨境流动的国际规则。     

大数据背景下个人生物识别信息安全的法律规制

个人生物识别信息具有个人数据的唯一性、程序识别性、可复制性、损害的不可逆性及信息的关联性等特征。在大数据背景下,个人生物识别信息的广泛应用会带来严重的生物信息安全风险,其滥用可造成隐私权、平等权和财产权等权益受到侵犯,需要立法进行全方位规制。我国目前个人生物信息的相关立法存在总体位阶较低且内容分散、保护范围狭窄、权利义务边界不清、法律责任不明晰等缺陷,应当采取渐进式专门立法的思路,完善现有相关部门法关于个人生物信息的规制内容,构建层次分明、内外协调的个人生物识别信息安全保护的法律体系。     

Having yes,using no? About the new legal regime for biometric data

The rise of biometric data use in personal consumer objects and governmental (surveillance) applications is irreversible. This article analyses the latest attempt by the General Data Protection Regulation (EU) 2016/679 and the Directive (EU) 2016/680 to regulate biometric data use in the European Union. We argue that the new Regulation fails to provide clear rules and protection which is much needed out of respect of fundamental rights and freedoms by making an artificial distinction between various categories of biometric data. This distinction neglects the case law of the European Court of Human Rights and serves the interests of large (governmental) databases. While we support regulating the use and the general prohibition in the GDPR of using biometric data for identification, we regret this limited subjective and use based approach. We argue that the collection, storage and retention of biometric images in databases should be tackled (objective approach). We further argue that based on the distinctions made in the GDPR, several categories of personal data relating to physical, physiological or behavioural characteristics are made to which different regimes apply. Member States are left to adopt or modify their more specific national rules which are eagerly awaited. We contend that the complex legal framework risks posing headaches to bona fide companies deploying biometric data for multifactor authentication and that the new legal regime is not reaching its goal of finding a balance between the free movement of such data and protecting citizens. Law enforcement authorities also need clear guidance. It is questioned whether Directive (EU) 2016/680 provides this.     

Legislative genesis and judicial death of a directive: The European Court of Justice invalidated the data retention directive (2006/24/EC) thereby creating a sustained period of legal uncertainty about the validity of national laws which enacted it

The Grand Chamber has ruled that the data retention directive was invalid ex tunc since it seriously interfered with the fundamental rights to respect for private life and protection of personal data and exceeded the limits of the principle of proportionality which are provided for in the Charter. The scope and temporal effects of this ruling should be clarified, especially its legal impacts on national laws of Member States which enacted the directive. In addition, the findings of the Grand Chamber on geographical safeguards have far-reaching implications on the retention and storage of personal data in the EU.     

The two judgments of the European Court of Justice in the four cases of Privacy International,La Quadrature du Net and Others,French Data Network and Others and Ordre des Barreaux francophones et germanophone and Others: The Grand Chamber is trying hard to square the circle of data retention

On 6 October 2020, the Grand Chamber of the European Court of Justice rendered two landmark judgments in Privacy International, La Quadrature du Net and Others, French Data Network and Others as well as Ordre des barreaux francophones et germanophone and Others. The Grand Chamber confirmed that EU law precludes national legislation which requires a provider of electronic communications services to carry out the general and indiscriminate transmission or retention of traffic data and location data for the purpose of combating crime in general or of safeguarding national security.In situations where a Member State is facing a serious threat to national security which proves to be genuine and present or foreseeable, such State may however derogate from the obligation to ensure the confidentiality of data relating to electronic communications by requiring, by way of legislative measures, the general and indiscriminate retention of this data for a period which is limited in time to what is strictly necessary but which may be extended if the threat persists.¹ In respect of combating serious crime and preventing serious threats to public security, a Member State may also provide for the targeted retention of this data and its expedited retention. Such an interference with fundamental rights must be accompanied by effective safeguards and be reviewed by a court or by an independent administrative authority. It is likewise open to a Member State to carry out a general and indiscriminate retention of IP addresses assigned to the source of a communication where the retention period is limited to what is strictly necessary or even to carry out a general and indiscriminate retention of data relating to the civil identity of users of means of electronic communication. In the latter case, the retention is not subject to a specific time limit.     

A comparison of data protection legislation and policies across the EU

Although the protection of personal data is harmonized within the EU by Directive 95/46/EC and will be further harmonized by the General Data Protection Regulation (GDPR) in 2018, there are significant differences in the ways in which EU member states implemented the protection of privacy and personal data in national laws, policies, and practices. This paper presents the main findings of a research project that compares the protection of privacy and personal data in eight EU member states: France, Germany, the UK, Ireland, Romania, Italy, Sweden, and the Netherlands. The comparison focuses on five major themes: awareness and trust, government policies for personal data protection, the applicable laws and regulations, implementation of those laws and regulations, and supervision and enforcement.The comparison of privacy and data protection regimes across the EU shows some remarkable findings, revealing which countries are frontrunners and which countries are lagging behind on specific aspects. For instance, the roles of and interplay between governments, civil rights organizations, and data protections authorities vary from country to country. Furthermore, with regard to privacy and data protection there are differences in the intensity and scope of political debates, information campaigns, media attention, and public debate. New concepts like privacy impact assessments, privacy by design, data breach notifications and big data are on the agenda in some but not in all countries. Significant differences exist in (the levels of) enforcement by the different data protection authorities, due to different legal competencies, available budgets and personnel, policies, and cultural factors.     

非法获取计算机信息系统数据罪的规范结构与罪名功能——基于案例与比较法的反思

通过对非法获取计算机信息系统数据罪的案例法考察和域外法阐释,可以发现,其核心涵义指向侵犯数据机密性的情形和侵犯数据可用性的情形。其原因是机密性和可用性的规范结构导致该罪成为口袋罪:在罪名上,与人身安全、财产安全等多个章节的罪名产生交叉重合;在保护的利益上,不仅涵摄我国《刑法》其他章节所保护的法益,而且溢出整个刑法典,保护信息的时代重要性日益凸显、其他权益日益频繁地受到侵害。面对这种庞杂的规范结构,需要进行网络时代罪情、刑法基本原则的权衡考量,达致刑法规范的明确性与合理性。新的罪名标签“非法获取数据致损罪”,适应了双层社会虚实同构的态势、数据和利益在双层空间不断协同的复杂行为模式,是在刑法规范中嵌入网络风险控制的法律机制,有助于系统完善网络风险的治理格局。     

Body scanners versus privacy and data protection

In recent history, the world has experienced dramatic events which have had a substantial effect on the balance between human rights protection and security measures. Body scanners installed at airports are intended to protect our lives. But at the same time they have a serious impact on privacy and data protection. The international legislation allows limiting people’s rights and freedoms, but only if it is in accordance with the law and is proportionate and necessary for national security, public safety and for the protection of the rights and freedoms of others. Do body scanners respect these principles? The article examines the current situation, its background and future prospects. It discusses and analyzes the key terms and legal instruments, problems, disputes and proposed “safeguards”. The work concludes by pointing out the unlawfulness of current regimes and sets forth perspective on the possible solutions.     

Data retention in the UK: Pragmatic and proportionate,or a step too far?

On 6 April 2009 new legislation came into force, for the first time putting Internet service providers' duty to retain significant amounts of data (relating to customers' email and Internet usage) on a compulsory, as opposed to a voluntary footing. It is a topic which has provoked intense protest from the privacy lobby and fuelled months of “Big Brother” headlines in the press. For the industry it raises operational challenges – how to facilitate storage and retrieval of colossal amounts of data. In this article we consider the policy background to the regime, the detail of the UK implementation and the practical implications for communications service providers. We weigh up the privacy and human rights concerns against the business case put forward by the Government. We also examine the Government's proposals – announced at the end of April – to significantly extend and “future proof” this regime in the form of its Intercept Modernisation Programme.     

Privacy,Data Retention and Domination: Digital Rights Ireland Ltd v Minister for Communications

In Digital Rights Ireland Ltd v Minister for Communications, the European Court of Justice found the EU Data Retention Directive, which required the retention of communications data for up to two years, to be incompatible with Articles 7 and 8 of the EU Charter of Fundamental Rights – the rights to privacy and to the protection of personal data. It is argued in this note that the decision ought to be taken as one that is concerned with the exercise of arbitrary power, a concern that is captured by the concept of domination.     

个人数据安全的法律保护模式——从数据确权的视角切入

个人数据权益的多元性,决定了个人数据在不同场景中的权属不同,这意味着对不同权属性质的个人数据,提供的法律保护模式也不同。我国对个人数据的法律保护模式有三种:财产权保护模式、人格权保护模式和平台保护模式。鉴于当前我国数据确权的制度安排尚未完成、数据的人格权保护没有得到公益救济、数据利益的损害赔偿无法实现,有必要对不同权属性质的个人数据作出有针对性的调整方案:在方法论上应突破私法或公法的思维局限,在立法论与数据应用实践层面,对现有的个人数据保护模式作出相应的调整,通过商业秘密保护模式拓宽数据财产权的保护路径,利用个人数据场景化保护模式弥补人格权保护模式的虚置,利用平台保护模式优化数据安全法律保护的制度设计。     

新版《药品管理法》的主要内容与特色研究

经2019年8月修订后的《中华人民共和国药品管理法》的出台是国家药品管理的立法典范。它在完善卫生法律体系的立法架构下,通过采用修订立法方式,界定区分假、劣药品概念,强调信用监管,规范网络售药行为,鼓励科技创新,明确法律责任与处罚,突出法律的回应性立法特征,保障公民健康权利。法律的生命在于实施。应结合社会主义法治理念要求,建议健全药品的配套法规,严格药品监管执法,合理开展普法宣传,加强司法适用,实现"良法善治"的目的。     

论中小微企业科技创新人才法律保障机制的完善

中小微企业科技创新人才法律保障机制是指从法律上为生产规模较小、从业人员和营业收入较少的企业进行科技创新活动的人才提供保障的机制。我国虽然在《中华人民共和国中小企业促进法》、《中华人民共和国科学技术进步法》等法律法规和政策中对中小微企业科技创新人才法律保障机制进行了初步规定,但还是面临着缺乏专门立法、立法位阶不高、操作性不强、激励机制不完善等困境。美国完善的法律体系、英国的激励机制等值得我国借鉴。我们应该从清理和整合现有法律、法规政策、制定中小微企业科技创新人才保障法、完善人才激励机制和科技服务体系等方面完善中小微企业科技人才法律保障机制。     

行政征收的法律规制论纲

公民财产权的排他性支配属性及其在公民权利体系中的地位呼唤法律对行政征收进行有效规制。首先,行政征收立法应遵守法律保留原则,并以公共利益条款限制征收目的。其次,行政征收程序应吸纳正当法律程序的精髓——参与,并且这一参与应是有效参与。最后,在不得不征收公民财产时,行政机关应给予公平补偿。     

Struggling to strike the right balance between interests at stake: The ‘Yarovaya’, ‘Fake news’ and ‘Disrespect’ laws as examples of ill-conceived legislation in the age of modern technology

The article deals with the legislative amendments that have been recently adopted in the Russian Federation, the so-called ‘Yarovaya’ law, the ‘fake news’ law and the ‘disrespect’ law. It explains the essence and problems of implementation of the above-mentioned legal instruments and assesses them from the human rights angle. It is established that the rather complex laws under analysis pose significant threats to the human rights and fundamental freedoms of individuals, including privacy, data protection and freedom of expression, and introduce other additional negative effects to the Russian society and economy. While in the adoption of such legislation it is crucial to give due weight to the involved interests, the used examples indicate that the State's interests seem to prevail at the cost of the rights and freedoms of those who need to be adequately protected.