EU General Data Protection Regulation: Changes and implications for personal data collecting companies

The General Data Protection Regulation (GDPR) will come into force in the European Union (EU) in May 2018 to meet current challenges related to personal data protection and to harmonise data protection across the EU. Although the GDPR is anticipated to benefit companies by offering consistency in data protection activities and liabilities across the EU countries and by enabling more integrated EU-wide data protection policies, it poses new challenges to companies. They are not necessarily prepared for the changes and may lack awareness of the upcoming requirements and the GDPR's coercive measures. The implementation of the GDPR requirements demands substantial financial and human resources, as well as training of employees; hence, companies need guidance to support them in this transition. The purposes of this study were to compare the current Data Protection Directive 95/46/EC with the GDPR by systematically analysing their differences and to identify the GDPR's practical implications, specifically for companies that provide services based on personal data. This study aimed to identify and discuss the changes introduced by the GDPR that would have the most practical relevance to these companies and possibly affect their data management and usage practices. Therefore, a review and a thematic analysis and synthesis of the article-level changes were carried out. Through the analysis, the key practical implications of the changes were identified and classified. As a synthesis of the results, a framework was developed, presenting 12 aspects of these implications and the corresponding guidance on how to prepare for the new requirements. These aspects cover business strategies and practices, as well as organisational and technical measures.     

The General Data Protection Regulation and the rise of certification as a regulatory instrument

The endorsement of certification in Article 42 and 43 of the General Data Protection Regulation (hereinafter GDPR) extends the scope of this procedure to the enforcement of fundamental rights. The GDPR also leverages the high flexibility of this procedure to make of certification something else than a voluntary process attesting the conformity with technical standards. This paper argues that the GDPR turned certification into a new regulatory instrument in data protection, I suggest to call it monitored self-regulation, seeking to fill the gap between self-regulation and traditional regulation in order to build a regulation continuum.     

Looking for needles in a haystack: Key issues affecting children's rights in the General Data Protection Regulation

The EU General Data Protection Regulation (GDPR) devotes particular attention to the protection of personal data of children. The rationale is that children are less aware of the risks and the potential consequences of the processing of their personal data on their rights. Yet, the text of the GDPR offers little clarity as to the actual implementation and impact of a number of provisions that may significantly affect children and their rights, leading to legal uncertainty for data controllers, parents and children. This uncertainty relates for instance to the age of consent for processing children's data in relation to information society services, the technical requirements regarding parental consent in that regard, the interpretation of the extent to which profiling of children is allowed and the level of transparency that is required vis-à-vis children. This article aims to identify a number of key issues and questions – both theoretical and practical – that raise concerns from a multi-dimensional children's rights perspective, and to clarify remaining ambiguities in the run-up to the actual application of the GDPR from 25 May 2018 onwards.     

The Singapore Personal Data Protection Act and an assessment of future trends in data privacy reform

In the first part of this paper, I will present and explain the Singapore Personal Data Protection Act (“PDPA”) in the context of legislative developments in the Asian region and against the well-established international baseline privacy standards. In the course of the above evaluation, reference will be made to the national laws and policy on data privacy prior to the enactment of the PDPA as well as current social and market practices in relation to personal data. In the second part of this paper, I will decipher and assess the future trends in data privacy reform and the future development of the privacy regime in Singapore and beyond. In the course of this analysis, international standards, technological trends and recent legal developments in other jurisdictions will be considered.     

数据安全认证:个人信息保护的第三方规制

契合放管服改革理念的数据安全认证,在数字时代整个规制法体系中必将占据日益重要的地位。数据安全认证通过声誉评价机制,可以引导、激励互联网企业守法合规经营,可以增强用户对中小微互联网企业和新兴数字产业的信任感,可以避免一刀切的政府规制,可以满足社会公众多元的数据安全需求。数据安全认证机构应具有高度的独立性与专业性,防止其被互联网企业俘获或成为政府的附庸。宜实行自愿为主、强制为辅的数据安全认证模式。认证程序应强调公正透明性,认证标准应注重评价企业数据合规的制度建设。根据过错责任原则,分别设置数据安全认证机构相应的赔偿责任或连带责任,并加大对数据安全认证违法行为的公法责任追究。科学构建法治化的数据安全认证体制机制,不仅是保障数据安全的现实需要,而且是弥补数字时代政府规制缺陷的迫切需求。     

网络信息时代电子病历的隐私保护研究

与传统纸质病历相比,电子病历信息的存储和共享的范围将进一步扩大,但同时也为隐私信息的暴露提供捷径。本文通过分析我国电子病历隐私保护现状及存在的问题,并对比发展较好的其他国家电子病历隐私保护历程,提出我国进一步完善电子病历隐私保护的建议。     

论我国个人信用征信中隐私权的保护

市场经济是信用经济,个人信用征信势在必行,而在个人信用征信过程中,存在着信用信息的流动与隐私权保护的矛盾冲突。目前,我国已经采取了一定的措施来平衡这对矛盾,但是笔者认为还存在诸多问题,只有完善隐私权的一般规定、制定个人信息保护法、构建个人信用活动的具体规则,才能真正保护个人信用征信中的隐私权。     

Bioinformatics and genetic privacy: The impact of the Personal Data Protection Act 2010

Bioinformatics refers to the practise of creation and management of genetic data using computational and statistical techniques. In Malaysia, data obtained from genomic studies, particularly for the purpose of disease identification produces a tremendous amount of information related to molecular biology. These data are created from DNA samples obtained from diagnostic and research purposes in genomic research institutes in Malaysia. As these data are processed, stored, managed and profiled using computer applications, an issue arises as to whether the principles of personal data privacy would be applicable to these activities. This paper commences with an illustration of the salient features of the Personal Data Protection Act 2010. The second part analyses the impact of the newly passed Personal Data Protection Act 2010 on the collection of DNA sample, the processing of data obtained from it and the profiling of such data. The third part of the paper considers whether the various personal data protection principles are applicable to the act of DNA profiling and the creation of bioinformatics.     

试析网络时代下的隐私权保护

随着互联网的高速发展,个人隐私在网络空间的安全性受到了挑战,网络隐私权的保护问题日益凸显。本文在对网络隐私权的基本理论进行分析的基础上,结合我国隐私权和网络隐私权的立法现状及存在的问题,借鉴了以美国和欧盟为代表的两大网络隐私权的立法模式,提出了构建我国网络隐私权保护体系的相关对策和建议。     

美国隐私权的宪法保护述评

美国隐私权的宪法保护建立在其独特的司法审查的基础上,有其独特的特色,不仅体现在通过最高法院对宪法的司法解释回应了公民权利运动对隐私权保护的要求,而且宪法对隐私权的保护具有开放性,虽然美国宪法对隐私权的保护受制于社会传统伦理道德和政府的政策,但是通过消极的个案判决方式从基本人权的角度确立了宪法对自决权意义上的隐私权的保护。     

Independence of data privacy authorities (Part I): International standards

Part I of this article analyses the views of learned commentators on what constitutes the ‘independence’ of data protection authorities (DPAs). It concludes that a more satisfactory answer needs to be found in the international instruments on data privacy and on human rights bodies, their implementation and judicial interpretation, and in the standards that have been proposed and implemented by DPAs themselves. It finds that only the OECD and APEC privacy agreements did not require a DPA (and therefore have no standards for its independence). Thirteen factors were identified as elements of ‘independence’ across these instruments and standards, five of which were more commonly found than others. Part II of the article will consider how these criteria have been implemented in laws in the Asia-Pacific.     

The EU Proposal for a General Data Protection Regulation and the roots of the ‘right to be forgotten’

The EU Proposal for a General Data Protection Regulation has caused a wide debate between lawyers and legal scholars and many opinions have been voiced on the issue of the right to be forgotten. In order to analyse the relevance of the new rule provided by Article 17 of the Proposal, this paper considers the original idea of the right to be forgotten, pre-existing in both European and U.S. legal frameworks. This article focuses on the new provisions of Article 17 of the EU Proposal for a General Data Protection Regulation and evaluates its effects on court decisions. The author assumes that the new provisions do not seem to represent a revolutionary change to the existing rules with regard to the right granted to the individual, but instead have an impact on the extension of the protection of the information disseminated on-line.     

大数据时代社区应急治理中居民隐私顾虑之化解

大数据时代社区应急治理现代化既要运用大数据技术提高应对突发事件的效能,也要兼顾对居民隐私权的有效保护,消除居民隐私顾虑.隐私权的双重属性和社区应急治理中不规范的居民信息采集、使用和泄露行为会导致出现侵害居民隐私权的情况,使居民产生隐私顾虑.因此,大数据环境下社区应急治理需加强对居民隐私的保护,从法律、责任、多元主体协同...     

The introduction of data breach notification legislation in Australia: A comparative view

This article argues that Australia's recently-passed data breach notification legislation, the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), and its coming into force in 2018, makes an internationally important, yet imperfect, contribution to data breach notification law. Against the backdrop of data breach legislation in the United States and European Union, a comparative analysis is undertaken between these jurisdictions and the Australian scheme to elucidate this argument. Firstly, some context to data breach notification provisions is offered, which are designed to address some of the problems data breaches cause for data privacy and information security. There have been various prominent data breaches affecting Australians over the last few years, which have led to discussion of what can be done to deal with their negative effects. The international context of data breach notification legislation will be discussed, with a focus on the United States and European Union jurisdictions, which have already adopted similar laws. The background to the adoption of the Australia legislation will be examined, including the general context of data privacy and security protection in Australia. The reform itself will be then be considered, along with the extent to which this law is fit for purpose and some outstanding concerns about its application. While data breach notification requirements are likely to be a positive step for data security, further reform is probably necessary to ensure strong cybersecurity. However, such reform should be cognisant of the international trends towards the adoption of data security measures including data breach notification, but lack of alignment in standards, which may be burdensome for entities operating in the transnational data economy.     

香港个人资料隐私保护之经验——兼论我国个人资料保护法之制定

个人信息作为信息的一种,具有与信息相同的特征。个人资料属于现代隐私的外延,指的是可以识别出个人的所有资料。我国香港特别行政区已于1996年12月实施了《个人资料(私隐)条例》。在实施的十年间,法院与香港个人资料私隐专员公署分别做出了一些司法原则和执行决定,很值得我国在制定《个人资料保护法》时加以参考与借鉴。     

Independence of data privacy authorities (Part II): Asia-Pacific experience

Part I of this article in [2012] 28 CLSR 3-13 analysed the views of learned commentators on what constitutes the ‘independence’ of data protection authorities (DPAs). It concluded that a more satisfactory answer needed to be found in the international instruments on data privacy and on human rights bodies, their implementation and judicial interpretation, and in the standards that have been proposed and implemented by DPAs themselves. It found that only the OECD and APEC privacy agreements did not require a DPA (and therefore had no standards for its independence). Thirteen factors were identified as elements of ‘independence’ across these instruments and standards, five of which were more commonly found than others.     

Protecting the privacy and security of sensitive customer data in the cloud

The global ubiquity of cloud computing may expose consumers' sensitive personal data to significant privacy and security threats. A critical challenge for the cloud computing industry is to earn consumers' trust by ensuring adequate privacy and security for sensitive consumer data. Regulating consumer privacy and security also challenges government enforcement of data protection laws that were designed with national borders in mind. From an information privacy perspective, this article analyses how well the regulatory frameworks in place in Europe and the United States help protect the privacy and security of sensitive consumer data in the cloud. It makes suggestions for regulatory reform to protect sensitive information in cloud computing environments and to remove regulatory constraints that limit the growth of this vibrant new industry.     

网络隐私法律保护简论

隐私一般是指与公共利益、群体利益无关的、当事人不愿让他人知道或他人不便知道的个人信息,而个人数据是所有用来标识个人基本情况的数据。文章针对互联网技术的发展为个人数据处理带来的隐私权问题,在分析西方国家保护模式、梳理我国隐私权保护现状基础上,提出了在我国加强网络空间的隐私权保护的必要性和紧迫性。     

网络时代隐私权的法律保护

随着大众传媒的不断发展,侵害公民个人隐私的行为也不断发生,保护公民隐私权已成为我国法学界的共识。我国对公民隐私权的保护还需要在立法上加以完善,同时对隐私权的保护也需要进行一定的限制。