略论个人数据跨境流动的法律标准
|
摘要
个人数据跨境流动的法律标准,通常也称为保护水平要求,是数据进口方得以进行个人数据转移的前提条件。针对个人数据跨境流动的规制路径主要包括"以地理区域为基准"和"以组织机构为基准"两种方式,其对于保护水平的要求也呈现出明显的差异性。同时,两种不同路径的保护水平还存在融合与补充。在区域性跨境数据流动原有机制呈现适用范围扩张,各国逐渐制定具有操作性的规则下,研究个人数据跨境流动的法律标准,对我国完善立法、参与国际合作和企业走出去均有参考意义。
The legal standard for the cross-border flow of personal data, which is usually called as the protection level requirement as well, is the precondition for data importer to carry out personal data transfer. The regulatory paths for cross-border flows of personal data mainly include two approaches of "geographically based" and "organizationally based", and their requirements for the protection ability are also showing a significant difference. At the same time, the protection ability of two different paths still integrate and supplement with each other. With the original mechanism of regional cross-border data flow appearing application scope expansion and various countries having gradually established operational rules, studying the legal standards for the cross-border flow of personal data has reference meaning for our country improving legislation, participating in international cooperation and enterprises going global.
The legal standard for the cross-border flow of personal data, which is usually called as the protection level requirement as well, is the precondition for data importer to carry out personal data transfer. The regulatory paths for cross-border flows of personal data mainly include two approaches of "geographically based" and "organizationally based", and their requirements for the protection ability are also showing a significant difference. At the same time, the protection ability of two different paths still integrate and supplement with each other. With the original mechanism of regional cross-border data flow appearing application scope expansion and various countries having gradually established operational rules, studying the legal standards for the cross-border flow of personal data has reference meaning for our country improving legislation, participating in international cooperation and enterprises going global.
引文
[1]Mc Kinsey Global Institute,Digital Globalization::The new era of global flows,https://www.mckinsey.com/business-functions/digital-mckinsey/our-insights/digital-globalization-the-new-era-of-global-flows,last visited on March.6,2018.
[2]Pipe,G.Russell.“International information policy:Evolution of transborder data flow issues.”Telematics&Informatics 1.4(1984):409-418,p.413.
[3]孔令杰:《个人资料隐私的法律保护》,武汉大学出版社2009年版,第122页。
[4]八项基本原则包括:限制收集原则、数据质量原则、目的明确原则、限制使用原则、安全保障原则、公开原则、个人参与原则以及问责原则,为个人信息和隐私保护确立最低的标准。
[5]Oleary,Daniel E.“Some Privacy Issues in Knowledge Discovery:The OECD Personal Privacy Guidelines.”IEEE Expert 10.2(1995):48-59,p.50.
[6]OECD.Declaration on Transborder Data Flows.https://www.oecd-ilibrary.org/docserver/230240624407.pdf expires=1523086168&id=id&accname=guest&checksum=1F8E90803CEBFE280A1EB6A4327ADB52,last visited on 10 March,2018.
[7]Europe,Council.“Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data,CETS 108.”Council of Europe(1981).
[8]库勒(Christopher Kuner):《欧洲数据保护法:公司遵守与管制》,旷野、杨会永等译,法律出版社2008年版,第354页。
[9]“95指令”规定了数据保护和处理的六项原则,包括合法性、目的限制、透明度、比例原则以及安全和管理。
[10]Trubow,George B.“European Harmonization of Data Protection Laws Threatens U.S.Participation in Trans Border Data Flow,The.”Journal of Architecture&Building Science 52.1(1992):159,pp.175-76.
[11]包括避免伤害、通知、收集限制、个人信息的使用、选择性原则、个人信息的完整性、安全保障、查询及更正、问责制。
[12]Foster,Jim.“TPP and the future of the Digital Economy in the Asia Pacific Region.”International Conference on Advanced Computer Science and Information Systems IEEE,2017:1-8,pp.2-4.
[13]Burton,Paul F.,et al.“Transborder Data Flow:A Review of Issues and Policies.”Library Review37.3(1988):27-37,p.33.
[14]韩静雅:《跨境数据流动国际规制的焦点问题分析》,载《河北法学》2016年第10期,第172页。
[15]Kuner,Christopher.“Regulation of Transborder Data Flows Under Data Protection and Privacy Law:Past,Present,and Future.”Social Science Electronic Publishing(2010),p.8.
[16]FTC原则包括通知原则、选择原则、访问原则和数据安全原则。
[17]Peterson,Dane,et al.“Consumer trust:privacy policies and third-party seals.”Journal of Small Business&Enterprise Development14.4(2007):654-669,p.661.
[18]黄宁、李杨:《“三难选择”下跨境数据流动规制的演进与成因》,载《清华大学学报》(哲学社会科学版)2017年第5期,第177页。
[19]Fromholz,J.M.“The European Union Data Privacy Directive.”Berkeley Technology Law Journal1(2000),p.483.
[20]Id.
[21]洪延青:《看清APEC“跨境隐私保护规则”体系背后的政治和经济》,数据治理和网络安全研究联盟网站,http://www.dgcs-research.net/a/xueshuguandian/2018/0201/99.html,最后访问日期:2018年4月5日。
[22]宫下弘:《日本的数据跨境传输规则》,数据治理和网络安全研究联盟网站,http://www.dgcs-research.net/a/xueshuguandian/2018/0122/90.html,最后访问日期:2018年4月6日。
[23]Treasury Board of Canada,Guidance Document:Taking Privacy into Account Before Making Contracting Decisions.http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=12510,last visited on March 31,2018.
[24]APEC,Electronic Commerce Steering Group,https://www.apec.org/Groups/Committee-on-Trade-andInvestment/Electronic-Commerce-Steering-Group,last visited on 10 March,2018.
[25]Id.
[26]Id.
[27]Greenleaf,Graham.“The influence of European data privacy standards outside Europe:implications for globalization of Convention 108.”Social Science Electronic Publishing volume 2.2(2011):68-92(25),p.24.
[28]European Commission,Adequacy of the protection of personal data in non-EU countries,https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personaldata-non-eu-countries_en,last visited on April 7,2018.
[29]Greenleaf,Graham.“The influence of European data privacy standards outside Europe:implications for globalization of Convention 108.”p.13.
[30]Waters,Nigel,et al.“30 years on–The review of the Council of Europe Data Protection Convention108.”Computer Law&Security Review the International Journal of Technology&Practice 27.3(2011):223-231,pp.226-30.
[31]Greenleaf,Graham.“‘Modernising’data protection Convention 108:A safe basis for a global privacy treaty?”Computer Law&Security Review 29.4(2013):430-436,p.432.
[32]Id.
[33]Birnhack,Michael D.“The EU Data Protection Directive:An engine of a global regime.”Computer Law&Security Review the International Journal of Technology&Practice 24.6(2008):508-520,p.516.
[34]CPEA第2条。
[35]Wallerstein,Nina&B.Duran.The theoretical,historical,and practice roots of CBPR.Community based participatory research for health.2008,pp.30-31.
[36]孔令杰:《个人资料隐私的法律保护》,第314页。
[37]OECD.“Report on the Cross-Border Enforcement of Privacy Law.”Oecd Digital Economy Papers(2006),p.3.
[38]IDPPCC,https://icdppc.org/,last visited on 11 March,2018.
[39]Id.
[40]Greenleaf,Graham.“Sheherezade and the 101 Data Privacy Laws:Origins,Significance and Global Trajectories.”Social Science Electronic Publishing 23.1(2013),p.4.
[41]《网络安全法》第41条。
[42]2017年,网信办公布《个人信息和重要数据出境安全评估办法(征求意见稿)》,截至目前尚未有最新进展。
[43]Posadas Jr,Dalmacio V.“After the Gold Rush:The Boom of the Internet of Things,and the Busts of Data-Security and Privacy.”Fordham Intell.Prop.Media&Ent.LJ 28(2017),p.69.
[44]商务部中国服务贸易指南网,http://tradeinservices.mofcom.gov.cn/article/yanjiu/hang yezk/200807/44852.html,最后访问日期:2018年3月30日。
[45]https://www.apec.org/Press/News-Releases/2017/0627_Privacy,last visited on March 30,2018.
[46]商务部中国自由贸易区服务网,http://fta.mofcom.gov.cn/,最后访问日期:2018年4月6日。
[2]Pipe,G.Russell.“International information policy:Evolution of transborder data flow issues.”Telematics&Informatics 1.4(1984):409-418,p.413.
[3]孔令杰:《个人资料隐私的法律保护》,武汉大学出版社2009年版,第122页。
[4]八项基本原则包括:限制收集原则、数据质量原则、目的明确原则、限制使用原则、安全保障原则、公开原则、个人参与原则以及问责原则,为个人信息和隐私保护确立最低的标准。
[5]Oleary,Daniel E.“Some Privacy Issues in Knowledge Discovery:The OECD Personal Privacy Guidelines.”IEEE Expert 10.2(1995):48-59,p.50.
[6]OECD.Declaration on Transborder Data Flows.https://www.oecd-ilibrary.org/docserver/230240624407.pdf expires=1523086168&id=id&accname=guest&checksum=1F8E90803CEBFE280A1EB6A4327ADB52,last visited on 10 March,2018.
[7]Europe,Council.“Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data,CETS 108.”Council of Europe(1981).
[8]库勒(Christopher Kuner):《欧洲数据保护法:公司遵守与管制》,旷野、杨会永等译,法律出版社2008年版,第354页。
[9]“95指令”规定了数据保护和处理的六项原则,包括合法性、目的限制、透明度、比例原则以及安全和管理。
[10]Trubow,George B.“European Harmonization of Data Protection Laws Threatens U.S.Participation in Trans Border Data Flow,The.”Journal of Architecture&Building Science 52.1(1992):159,pp.175-76.
[11]包括避免伤害、通知、收集限制、个人信息的使用、选择性原则、个人信息的完整性、安全保障、查询及更正、问责制。
[12]Foster,Jim.“TPP and the future of the Digital Economy in the Asia Pacific Region.”International Conference on Advanced Computer Science and Information Systems IEEE,2017:1-8,pp.2-4.
[13]Burton,Paul F.,et al.“Transborder Data Flow:A Review of Issues and Policies.”Library Review37.3(1988):27-37,p.33.
[14]韩静雅:《跨境数据流动国际规制的焦点问题分析》,载《河北法学》2016年第10期,第172页。
[15]Kuner,Christopher.“Regulation of Transborder Data Flows Under Data Protection and Privacy Law:Past,Present,and Future.”Social Science Electronic Publishing(2010),p.8.
[16]FTC原则包括通知原则、选择原则、访问原则和数据安全原则。
[17]Peterson,Dane,et al.“Consumer trust:privacy policies and third-party seals.”Journal of Small Business&Enterprise Development14.4(2007):654-669,p.661.
[18]黄宁、李杨:《“三难选择”下跨境数据流动规制的演进与成因》,载《清华大学学报》(哲学社会科学版)2017年第5期,第177页。
[19]Fromholz,J.M.“The European Union Data Privacy Directive.”Berkeley Technology Law Journal1(2000),p.483.
[20]Id.
[21]洪延青:《看清APEC“跨境隐私保护规则”体系背后的政治和经济》,数据治理和网络安全研究联盟网站,http://www.dgcs-research.net/a/xueshuguandian/2018/0201/99.html,最后访问日期:2018年4月5日。
[22]宫下弘:《日本的数据跨境传输规则》,数据治理和网络安全研究联盟网站,http://www.dgcs-research.net/a/xueshuguandian/2018/0122/90.html,最后访问日期:2018年4月6日。
[23]Treasury Board of Canada,Guidance Document:Taking Privacy into Account Before Making Contracting Decisions.http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=12510,last visited on March 31,2018.
[24]APEC,Electronic Commerce Steering Group,https://www.apec.org/Groups/Committee-on-Trade-andInvestment/Electronic-Commerce-Steering-Group,last visited on 10 March,2018.
[25]Id.
[26]Id.
[27]Greenleaf,Graham.“The influence of European data privacy standards outside Europe:implications for globalization of Convention 108.”Social Science Electronic Publishing volume 2.2(2011):68-92(25),p.24.
[28]European Commission,Adequacy of the protection of personal data in non-EU countries,https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personaldata-non-eu-countries_en,last visited on April 7,2018.
[29]Greenleaf,Graham.“The influence of European data privacy standards outside Europe:implications for globalization of Convention 108.”p.13.
[30]Waters,Nigel,et al.“30 years on–The review of the Council of Europe Data Protection Convention108.”Computer Law&Security Review the International Journal of Technology&Practice 27.3(2011):223-231,pp.226-30.
[31]Greenleaf,Graham.“‘Modernising’data protection Convention 108:A safe basis for a global privacy treaty?”Computer Law&Security Review 29.4(2013):430-436,p.432.
[32]Id.
[33]Birnhack,Michael D.“The EU Data Protection Directive:An engine of a global regime.”Computer Law&Security Review the International Journal of Technology&Practice 24.6(2008):508-520,p.516.
[34]CPEA第2条。
[35]Wallerstein,Nina&B.Duran.The theoretical,historical,and practice roots of CBPR.Community based participatory research for health.2008,pp.30-31.
[36]孔令杰:《个人资料隐私的法律保护》,第314页。
[37]OECD.“Report on the Cross-Border Enforcement of Privacy Law.”Oecd Digital Economy Papers(2006),p.3.
[38]IDPPCC,https://icdppc.org/,last visited on 11 March,2018.
[39]Id.
[40]Greenleaf,Graham.“Sheherezade and the 101 Data Privacy Laws:Origins,Significance and Global Trajectories.”Social Science Electronic Publishing 23.1(2013),p.4.
[41]《网络安全法》第41条。
[42]2017年,网信办公布《个人信息和重要数据出境安全评估办法(征求意见稿)》,截至目前尚未有最新进展。
[43]Posadas Jr,Dalmacio V.“After the Gold Rush:The Boom of the Internet of Things,and the Busts of Data-Security and Privacy.”Fordham Intell.Prop.Media&Ent.LJ 28(2017),p.69.
[44]商务部中国服务贸易指南网,http://tradeinservices.mofcom.gov.cn/article/yanjiu/hang yezk/200807/44852.html,最后访问日期:2018年3月30日。
[45]https://www.apec.org/Press/News-Releases/2017/0627_Privacy,last visited on March 30,2018.
[46]商务部中国自由贸易区服务网,http://fta.mofcom.gov.cn/,最后访问日期:2018年4月6日。