【北邮国院大三下】Cybersecurity Law 网络安全法 Week3

北邮国院大三电商在读，随课程进行整理知识点。仅整理PPT中相对重要的知识点，内容驳杂并不做期末突击复习用。个人认为相对不重要的细小的知识点不列在其中。如有错误请指出。转载请注明出处，祝您学习愉快。

编辑软件为Effie，如需要pdf/docx/effiesheet/markdown格式的文件请私信联系或微信联系

Week3

什么是隐私privacy

Privacy (noun) a state in which you are not watched or disturbed by others

隐私(名词)一种你不被别人监视或打扰的状态

Privacy include

Bodily Privacy 人身隐私

• Protection of physical self 身体自我保护
  • E.g. Right to refuse medical treatment  拒绝医疗的权利

Territorial Privacy 领土的隐私

• Protection of our own physical space  保护我们自己的物理空间
  • E.g. Right to control who comes into your home 控制谁来你家的权利

Communications Privacy 通信隐私

• Protection of mail/ telephone conversations/ emails/ etc  保护邮件/电话/电子邮件等

Information Privacy 信息隐私

• Protection of personal data 个人资料保护

How does technology threaten privacy?

Advances in technology 科技上的进步

• Surveillance and collection of information 监视和收集信息

Databasing 数据库

• Collection, storage, exchange and processing of information about individuals. Profiling! 个人信息收集、存储、交换和处理。分析

Ecommerce

• more collection and use of information than ever before! 信息的收集和使用比以往任何时候都多

Data Protection in the EU

Two key principles:

1. Article 8, Council of Europe Convention on Human Rights and Fundamental Freedoms: 《欧洲委员会人权和基本自由公约》第8条:

• Right to respect for private life 尊重私人生活的权利

2. Internal Market powers: 内部市场力量:

• Free flow of information throughout the EU to promote the growth of the Single Market economy 信息在整个欧盟自由流动，促进单一市场经济的增长
  • Threat to Single Market if protection not harmonized 如果保护不协调，对单一市场的威胁

EU Charter of Fundamental Rights and Freedoms 

Charter is based on CoE’s European Convention on Human Rights (ECHR) (Same restrictions apply as in Aticle 8(2))

宪章以《欧洲人权公约》(ECHR)为基础(与第8(2)条相同的限制适用)

• All EU Countries are also members of the CoE 所有欧盟国家也是CoE的成员
• Article 7 ‘Respect for private and family life’ 第七条“尊重私人和家庭生活”
  • Everyone has the right to respect for his or her private and family life, home and communications. 每个人的私人和家庭生活、住宅和通讯都有权受到尊重。
• Article 8 ‘Protection of personal data’  第8条“个人资料保护”
  • Everyone has the right to the protection of personal data concerning him or her.  人人有权保护与他或她有关的个人资料。
  • Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 此类数据必须为特定目的而公平处理，并在相关人员同意或法律规定的其他合法基础上进行处理。每个人都有权查阅被收集的有关他或她的数据，并有权要求纠正这些数据。
  • Compliance with these rules shall be subject to control by an independent authority. 这些规则的遵守应由一个独立的当局加以监督。

EU General Data Protection Regulation（GDPR - EU部分的绝对核心）

• Protection of personal data as a ‘fundamental right’ (Recital 1) 保障个人资料为一项“基本权利”

• “not an absolute right” - (Recital 4) “不是绝对的权利”

  • Must be balanced against other rights according to principle of proportionality 必须根据比例原则与其他权利相平衡

• Importance of co-operation between EU states in transborder data flows (internal market; also national authorities, e.g. police) (Recital 5)  欧盟国家在跨境数据流动(内部市场;也包括国家当局，例如警察)

• Technology (including social networking) has had a huge impact on level of information sharing by individuals (Recital 6) 技术(包括社交网络)对个人的信息共享水平产生了巨大的影响

• Need for amore coherent, unified response across EU (Recital 7) 需要在整个欧盟范围内采取一致一致的应对措施



• Regulation applies directly, BUT MS should also incorporate into national law where appropriate (Recital 8) 法规直接适用，但在适当情况下，MS也应纳入国家法律

• Importance of harmonisation (Recitals 9-13)  协调的重要性

• Needs of commercial actors of varying sizes (Recital 13) 不同规模的商业参与者的需求

• Protection to apply to information belonging to “natural persons” (Recital 14) 保护适用于属于“自然人”的信息



• Protection should be technology neutral – includes both manual and automated storage and use (Recital 15)  保护应该是技术中立的-包括手动和自动存储和使用

• Protections apply to ecommerce as long as individual from whom personal data is collected is in the EU (Recitals 24 & 25)  只要被收集个人数据的个人在欧盟，这些保护措施就适用于电子商务

• Where an EU MS’s laws apply outside the EU, GDPR will also apply (Recital 25) 如果欧盟国家的法律适用于欧盟以外，则GDPR也将适用 

• Children merit specific protection (Recital 38) 儿童值得特别保护

【附GDPR全文链接，未覆盖可自行查漏补缺：REGULATION (EU) 2016/ 679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL - of 27 April 2016 - on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/ 46/ EC (General Data Protection Regulation) (europa.eu)】

在GDPR Art.4 中定义的几个术语

Data Subject 数据主体

• “An identified or identifiable natural person” “已识别或可识别的自然人”
• “one who can be identified, directly or indirectly” 可以直接或间接辨认的人。

Has specific rights under EU DP Law

有欧盟法律规定的特定权利

Not limited to EU residents or citizens but any ‘subject’ of personal data within scope of EU DP Law

不限于欧盟居民或公民，而是欧盟数据保护法范围内的任何个人数据“主体”

Personal Data 个人数据

any information relating to an individual from which that person is identified or identifiable

任何与个人有关的资料，而该等资料可作为识别或识别该人的依据

• Unlimited in nature: 本质上是无限的:
  • E.g., sound and image data from video surveillance may be personal data, email address 例如，来自视频监控的声音和图像数据可能是个人数据、电子邮件地址
• ‘identifiable’: considering all ways in which the data could reasonably be used “可识别的”:考虑数据可以合理使用的所有方式

Protected by the GDPR

• via series of: 
  • obligations on controllers 控制人的义务
    • Compliance with data principles as presented  遵守所提出的数据原则
  • rights accorded to data subjects 给予资料当事人的权利
    • Access, correction, deletion, redress 访问，更正，删除，纠正
  • Subject to enforcement by member states and overseen by EU regulator 受成员国执行和欧盟监管机构监督

Sensitive Data

For definition, see Recital 51

【Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. 就其性质而言，对基本权利和自由特别敏感的个人数据值得特别保护，因为处理这些数据的背景可能对基本权利和自由造成重大风险。】

Data with enhanced obligations and narrower exceptions because processing presents greater risk of harm to data subject because of its nature:

由于处理数据主体的性质，其损害风险更大，因此义务更强，例外范围更窄的数据:

• Health and medical data (‘data concerning health’ defined in Article 4)
• Race/ethnicity 种族与族群
• Gender
• Union/trade membership
• Religious or philosophical belief 宗教或哲学信仰
• Sexual orientation, practices 性取向、性行为
• Political affiliation 政治立场
• Criminal history (special category) 犯罪记录
• Genetic Data (Defined in Article 4) 遗传学数据
• Biometric Data (Defined in Article 4) 生物识别数据

GDPR Article 9 prohibits the processing of sensitive data

• Exception:
  • Explicit consent unless MS/EU law does not allow consent  明确同意，除非MS/EU法律不允许同意
  • Narrow exceptions 狭窄的例外

Consent 同意

• Explicit (cannot be implied) 必须明确同意(不能暗示)

Necessary to:

• More limited circumstances 更有限的情况
• Carry out obligations and specific rights of the controller authorized under national employment law that provides for adequate safeguards. 履行提供充分保障的国家就业法授权的控制者的义务和具体权利。
• Protect the vital interests of the data subject or another person where data subject legally or physically incapable of giving consent. 在数据主体在法律上或身体上没有能力给予同意的情况下，保护数据主体或其他人的重大利益。
  • Very serious health or safety threats 非常严重的健康或安全威胁
• Legitimate activities by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade union aim and with sufficient protections.  基金会、协会或任何其他以政治、哲学、宗教或工会为目的的非营利性机构的合法活动，并有充分的保护。
• To the establishment, exercise or defence of a legal claim. 辩护:对法律要求的确立、行使或辩护

Processing 处理

Any operation or set of operations, e.g.,

• collecting personal data
• using personal data
• mining, matching personal data
• storing personal data
• sharing personal data
• transferring personal data

Exemptions 豁免

GDPR Article 2.

Include:

• Activities which fall outside scope of EU law 不属于欧盟法律范围的活动
• Prevention/detection/prosecution/punishment of crimes 预防/侦查/起诉/惩治犯罪
• Processing for reasons ofnational security (Recital 16) 因国家安全原因处理
• Processing re EU’s common foreign and security policy (Recital 16) 加工是欧盟共同的外交和安全政策
• Purely personal or household activites, e.g.“correspondence and theholding ofaddresses, or social networking and online activityundertaken within the context of such activities.’’ (but facilitatorse.g. social networks NOT exempt when process this information)(Recital 18) See also Lindqvist case. 纯粹的个人或家庭活动，例如“通信和持有地址，或在此类活动背景下进行的社交网络和在线活动”。而是促进者。在处理这些信息时，社交网络也不例外)
• Dead people (left up to Member States) (Recital 27) 死人(由会员国决定)
• Fully anonymised data (Article 11) 完全匿名的数据
• Statistical / historic /scientific research 统计/历史/科学研究

Controller

Party or parties who determine the nature and means of processing. Can be:

决定处理性质和方式的一方或多方。

• Public or private
• Natural or legal persons 自然人或法人

GDPR: Article 3

• Rules apply to processing by controller or processor established in the EU, even if processing takes place outside EU 规则适用于在欧盟设立的控制者或处理者的处理，即使处理发生在欧盟以外
• Processing by controller or processor not established in EU if:  由不在欧盟设立的控制者或处理者进行处理，如果:
  • Offers goods or services to data subjects based in EU 为欧盟的数据主体提供商品或服务
    • No requirement that this is in exchange for payment  没有要求这是支付的交换条件
  • Monitoring data subject behaviour within EU 监控欧盟内部数据主体的行为
• Anywhere not in the EU that Member State law applies via public international law 成员国法律通过国际公法适用于欧盟以外的任何地方

Obligations of Controllers

See Chapter IV of the GDPR.

Obligations include:

• Not to collect or process personal data unless legitimate basis 除非有合法依据，否则不得收集或处理个人资料
• Compliance with processing principles 符合处理原则
• Ensure confidentiality and security of personal data 确保个人资料的机密性和安全性
  • Use of “appropriate technical and organisational measures” 使用“适当的技术和组织措施”
  • Privacy by design 隐私设计
  • Notification of any breach 任何违约通知
• Keep adequate records of processing 保存足够的加工记录
• Not transfer data to 3rd country unless ‘adequate’ protection 除非有足够的保护，否则不要将数据转移到第三国
• Co-operation with supervisory authority 与监管机构合作
  • including notification of any breach 包括任何违约的通知
• Conduct Impact Assessments where necessary 必要时进行影响评估
• Follow approved relevant industry codes of conduct where applicable 在适用的情况下遵循相关的行业行为准则

【个人感觉最重要的是第一个和第三个】

Data Processor

One who processes data pursuant to the instructions of a controller

根据控制人的指令处理数据的人

• Must meet EU Law’s security requirements 必须符合欧盟法律的安全要求
• Must have contract with controller 必须与控制人签订合同
• Must process according to controller’s instructions 必须按照控制人的指示处理

Controller is responsible for compliance 控制人负责遵从性

Can be both processor and controller 可以同时是处理人和控制人

• E.g., uses data further beyond controller’s instructions 使用超出控制人指令的数据

Legitimate Basis for Data Processing 数据处理的合法依据

Consent – Article 6 (see also Recital 32)

• “clear, affirmative act” [affirmative = opt in] – controller must be able to evidence consent given “明确的，肯定的行为”——控制者必须能够提供同意的证据

  • 

• Unambiguous, freely given and informed; data subject has right to withdraw consent at any time 明确的，自由给出的和知情的;数据主体有权随时撤回同意

• Written, electronic, oral… 书面、电子、口头……

• E.g.s – website tick box, browser settings 例如:网站复选框、浏览器设置

• Opt-out is insufficient 选择退出是不够的

• Correlation with ‘fair’ 与“公平”的相关性

• Employees?

OR

Necessary – Article 6

• To comply with obligation 履行义务
  • performance of contract with data subject 履行与资料当事人订立的合约
  • of law on the controller 关于控制器的法律
• To protect vital interests of data subject 保障资料当事人的切身利益
• Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller 为履行为公众利益而执行的任务或行使赋予管理人的官方权力所必需的
• To protect legitimate interests of controller or 3rd party to whom data disclosed unless fundamental rights override 保护数据披露的控制者或第三方的合法利益，除非基本权利优先

GDPR Article 21

• Right to object to processing of personal data where: 在下列情况下反对处理个人资料的权利:
  • Processing in the public interest or exercise of lawful authority 为公共利益或行使合法权力而处理
  • Necessary for the purposes of legitimate interests of a third party 为了第三方的合法利益所必需的
  • Controller can only continue to process where candemonstrate an overriding case (test of proportionality) 控制者只有在能够证明有压倒性的情况下才能继续处理(比例性测试)
• Data subject to be informed of this right “at the latest” at time of firm communication with data subject 数据主体“最迟”在与数据主体确定通信时被告知此权利

Consent: Children

GDPR Article 8:

• Information Society Services Offered Directly to Children (e.g. social media) 直接为儿童提供的资讯社会服务(例如社交媒体)
• Child’s consent lawful from 16. 儿童同意从16岁起合法。
  • Children under 16 – must be confirmed by “holder of parental consent” 16岁以下儿童-必须由“家长同意持有人”确认
    • Controller must take reasonable steps to ensure this 控制者必须采取合理的措施来确保这一点
  • Member States permitted to have lower age in national law, subject to minimum of 13 国家法律允许年龄较低的会员国，但不超过13岁
• No effect on general laws re contract validity 不影响合同效力的一般法律

Compliance with Principles

GDPR Article 5: Principles relating to processing of personal data

GDPR第5条:个人数据处理的原则

• Lawfulness, Fairness & Transparency 合法、公平、透明
  • Controller must be able to demonstrate compliance (‘Accountability’) 控制者必须能够证明合规(“问责制”)
• Purpose Limitation 目的限制
• Data Minimisation 数据最小化
• Accuracy 准确性
• Storage Limitation 限量设定
• Integrity and Confidentiality 数据完整性和隐私保护

Lawfulness, Fairness & Transparency

Fairness: determined with regard to the circumstances

公平:根据情况而定

Transparency about processing:

处理的透明度:

• Who, what, where, why processed, how long will be stored, source of data (if not data subject) consequences, including also: 谁、什么、在哪里、为什么处理、将存储多长时间、数据来源(如果不是数据主体)后果，还包括:
  • Absence of any adequacy findings for 3rd countries and means of adequacy safeguards (includes how to get a copy) 缺乏针对第三国的任何充分性调查结果和充分性保障手段(包括如何获得副本)
  • Right to complain to supervisory authority 向监管机构投诉的权利
  • Identity of company data protection officer (if there is one) 公司资料保障主任的身份(如有)
  • Whether such disclosure is statutory (legislation) or by contract (terms of agreement with data subject) 该等披露是法定(法例)或透过合约(与资料当事人的协议条款)
  • Whether any automated decision making will take place –and if so, implications of same for data subject 是否会进行自动化决策，如果是，对数据主体的影响
  • Right to withdraw consent & right to data portability made clear 撤销同意的权利和数据可移植性的权利明确

Lawfully

Corresponds to legitimate processing

对应于合法处理

Consent

• Nature
  • ‘freely given, specific and informed’ “自由给出，具体和知情”
  • Clear ‘opt in’ 清晰的“选择性加入”
  • “Ambiguous” –v- explicit 模棱两可的 v 清楚明白的

Lawfully Processed 依法处理

Obligation for certain data 对某些资料的义务

• Sensitive data only on explicit consent or more compelling alternative grounds (e.g. matter of life and death!) 只有在明确同意或更令人信服的其他理由(例如生死攸关!)的情况下才提供敏感数据。

Timing

• Provided at or prior to processing – see Recital 61 加工时或加工前提供的
• unless data subject already has this information – see Recital 62 除非数据主体已经有了这些信息
• “Within a reasonable period” if from 3rd party- see Recital 61 如果来自第三方，“在合理期限内”

Other lawful basis:

• Necessity

Processing Without Consent: Safeguards 未经同意的处理:保障措施

Article 6: Where processing PD for further purpose without consent, Controller must take into account:

第6条:如果未经同意将个人数据用于其他目的，控制者必须考虑:

• any link between the purposes for which collected and intended further use 收集目的与预期进一步使用目的之间的任何联系
• the context in which the personal data have been collected 收集个人资料的背景
  • Esp. the relationship between data subjects and the controller 特别是数据主体与控制器之间的关系

the nature of the personal data

个人资料的性质

• Sensitive personal data involved? 涉及敏感的个人资料?
• Personal data relating to criminal convictions? 与刑事定罪有关的个人资料?

Possible consequences for data subjects

对资料当事人可能造成的后果

Existence of appropriate safeguards 是否有适当的保障措施

• E.g. encryption or pseudonymisation 例如加密或假名化

Further Data Subject Rights

没详细讲，这里我们也略过

Storage Limitation

GDPR Article 25: “Data protection by design and default”

GDPR第25条:“设计和默认的数据保护”

• Appropriate technical and organizational measures for security/integrity of data 适当的技术和组织措施，以确保数据的安全性/完整性
• Only personal data necessary for each activity is processed 只处理每项活动所需的个人资料
• 

GDPR Article 32: “Security of Processing” GDPR第32条:“处理的安全性”

• “appropriate technical and organisational measures to ensure a level of security appropriate to the risk” “适当的技术和组织措施，以确保与风险相适应的安全水平”
  • E.g. encryption; regular testing and updating 如加密;定期测试和更新
• Sliding Scale 滑动比例
  • Nature of data, processing, costs, ‘state of the art’, what is customary, etc. 数据的性质、处理、成本、“技术水平”、习惯等等。
• Must include in contracts with processors 必须包含在与处理人的合同中
• 

Duty to notify unaddressed risks of breach of security and possible remedies - “without undue delay”

有责任通知未解决的违反安全的风险和可能的补救措施-“不无故拖延”

• To Supervisory Authority – Article 33 对监管机构

  • 

• To Data Subjects affected or potentially affected by breach - Article 34 对受违规影响或可能受违规影响的数据主体

  • 

Other Duties

Supervisory authority under GDPR

GDPR下的监管机构

• Article 51

  • Each member state to appoint national DP authority 各成员国指定国家DP权力机构
  • Operation: independent of national government 运作:独立于国家政府

• Tasks - Article 57

  • Monitor & enforce GDPR, advise national legislatures, educate the public, investigate complaints… 监督和执行GDPR，为国家立法机构提供建议，教育公众，调查投诉……

• Powers – Article 58

• Activity Reports – Article 59

Data Transfers 数据传输【重点】

Data transfers within EU:

• Subject to GDPR (See Article 44)

  • 

  • (And any relevant national provisions & exemptions)

Data Transfers outside the EU

Article 45-50 GDPR

• Transfer from EU to third countries (or from one third country to another) only where: 只有在下列情况下才从欧盟转移到第三国(或从一个第三国转移到另一个第三国):
  • “Adequate protection” for data is available 对数据有“充分的保护”
    • Third country’s law 第三国法律
    • alternative mechanism if Controller/Processor has provided “appropriate safeguards” (e.g. approved code of conduct) 如果控制者/处理者提供了“适当的保障措施”(例如，批准的行为准则)，则替代机制
    • Foreign Court orders – but only if based on international law recognised by EU 外国法院的命令——但前提是基于欧盟承认的国际法
  • Very limited derogations from adequacy requirement 对充分性要求的非常有限的减损
    • E.g. explicit consent, necessity. 例如明确同意，必要性。
  • NOTE: simply uploading to a website is not an international transfer – material is located where hosting server is located. 注意:简单地上传到一个网站不是国际传输-材料位于主机服务器所在的位置。

Transfers of Data Outside the EU

Commerce: increasingly international

商业:日益国际化

• Transfers of huge quantities of personal data 大量个人数据的传输
  • Customers
  • Employees / staff
• Transfers between and among units of the same corporate enterprise located in different countries 同一法人企业位于不同国家的单位之间的转移
  • Several MNCs headquartered in the US 几家跨国公司的总部设在美国
• Globalisation of trade 贸易全球化
  • Why process personal data overseas? 为何在海外处理个人资料?
  • Cost & efficiency 成本和效率
• So how is data transferred outside the EU under the General Data Protection Regulation? 那么，根据《通用数据保护条例》，数据是如何转移到欧盟以外的?
  • Adequate protection of personal data 充分保障个人资料

Purpose of DP laws defeated if data sent where no protection

如果数据发送到没有保护的地方，DP法律的目的就会失败

GDPR Article 45

• “A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that [it] ensures an adequate level of protection.” “将个人数据转移到第三国或国际组织可能发生在欧盟委员会认为(它)确保了足够保护水平的地方。”
• Where Commission has made an adequacy ruling, no specific authorisation for transfer required 如委员会已作出充分性裁定，是否无须特别授权转让
• Note: Lindqvist ruling of the CJEU that uploading to a website is not such a transfer still valid 注意:CJEU的Lindqvist裁决，上传到网站不是这种转移仍然有效

Alternatives routes to adequacy (other than in national law) set out in Article 46. Must provide: 

第46条规定的充分性的替代途径(国内法以外)。必须提供:

• “appropriate safeguards” “适当的保障”
• Enforceable data subject rights available  可执行的数据主体权利可用
• Effective legal remedies for data subjects available 数据主体可获得有效的法律救济

【如果没有根据第45（3）条而做出的决定，控制者或处理者只有提供适当的保障措施，以及为数据主体提供可执行的权利与有效的法律救济措施，才能将个人数据转移到第三国或一个国际组织。】

Derogations 废除例外

Article 49: exceptions to the ‘adequate protection’ requirement

第49条:“充分保护”要求的例外情况

• Explicit consent of data subject to transfer 明确同意资料转移
  • Must be informed of possible risks due to absence of appropriate safeguards’ + adequate protection 必须被告知由于缺乏适当的保障措施+充分保护而可能存在的风险。

Disadvantages:

• Do individuals really pay attention to warnings? 个人真的会注意警告吗?
• Disputable value in employment relationships – consent not given ‘freely’ 雇佣关系中有争议的价值-并非“自由”给予同意
• What about individuals who do not provide consent, others do, how is data to be segregated? 那些不同意而其他人同意的人怎么办，数据如何被隔离?

Article 49: exceptions to the ‘adequate protection’ requirement : NECESSITY

第49条:“充分保护”要求的例外情况:必要性

• The transfer is necessary or legally required on important public interest grounds (A49(1)(d)) 第49条:“充分保护”要求的例外情况:必要性
  • For example, the prevention of crime or the fight against terrorism 例如，预防犯罪或打击恐怖主义
  • Exchange of PNR data between EU member states and US, Canada and Australia 欧盟成员国与美国、加拿大和澳大利亚交换PNR数据
• the transfer is necessary or legally required for the establishment, exercise or defence of legal claims (A49(1)(e)) 转让是设立、行使或辩护法定权利要求的必要或法律要求
  • Includes obtaining legal advice or otherwise for establishing, exercising or defending legal rights 包括获取法律意见或以其他方式建立、行使或捍卫合法权利
  • The legal proceedings do not necessarily have to involve the data controller or the data subject. 法律程序不一定要涉及数据控制者或数据主体。
• The transfer is necessary in order to protect the vital interests of the data subject (A49(1)(f)) 为了保护资料当事人的切身利益，转移是必要的
  • “data subject is physically or legally incapable of giving consent” “资料当事人在身体上或法律上没有能力给予同意”
  • Must be a life-or-death situation! 一定是生死攸关的情况!
  • For example, example the transfer of medical records where an individual has been in a serious accident abroad 例如，当个人在国外发生严重事故时，医疗记录的转移
• Transfer is made from a register which according to EU/MS law (Article 49(1)(g)) is: 根据欧盟/欧盟法律(第49(1)(g)条)，从登记册进行转移:
  • intended to provide information to the public 旨在向公众提供信息
  • available to general public or “any person who can demonstrate a legitimate interest” 公众或“任何能证明其合法利益的人”均可获得
  • Subject to conditions in EU/MS law 根据欧盟/美国法律的条件
• Transfer necessary for performance of contract 履行合同所必需的转让
  • between data controller and data subject (Article 49(1)(b)) 在数据控制人和数据主体之间
  • or
  • Between controller and another natural or legal person in the interests of the data subject (Article 49(1)©) 在控制者和代表数据主体利益的另一个自然人或法人之间

关于necessary的例子

1. A French company uses a call centre located in India for customer enquiries?

• 不是necessary的。因为可以不传到India去处理

2. Chinese airline transfers the reservation details of a UK passenger to its main reservation computer in China?

• 不是necessary的。因为传输是必要的，但是这个computer可以不设在欧盟之外的地方

3. A German travel agent confirms the booking of a German tourist to a hotel in Namibia?

• 是necessary的，因为预定的信息必须传到Namibia才可以让那边的hotel知道

General Adequacy Criteria 一般充分性准则

Commission adequacy decisions (including legacy decisions) to be be reviewed at least every four years § Adequacy decisions may be repealed, amended, suspended

委员会充分性决定(包括遗留决定)至少每四年审查一次。充分性决定可以被废除、修改、暂停

What is ‘adequate’ protection?

• Aim: EU citizens should have same protection when data transferred out of EU 目的:欧盟公民在数据转移出欧盟时应享有同样的保护

All circumstances concerning data transfer considered (Article 45(2)):

所有与数据传输有关的情况(第45(2)条):

(a) Rule of law, respect for human rights & fundamental freedoms, relevant law in third country, professional rules & security measures (including rules for onward transfer of data to another third country / international organisation), case-law, effective and enforceable subject rights & legal remedies

法治、尊重人权和基本自由、第三国相关法律、专业规则和安全措施(包括将数据转移到另一个第三国/国际组织的规则)、判例法、有效和可执行的主体权利和法律补救措施

(b) Are there any supervisory authorities who can ensure protections are enforced?

是否有任何监管机构可以确保保护措施得到执行?

© Has the third country committed to any legally binding international rules on protecting personal data?

第三国是否承诺遵守任何具有法律约束力的保护个人资料的国际规则?

Nature of the Data

Commission will require higher standards for transferring sensitive personal data to a third country (i.e. one outside the EU)

欧盟委员会将对将敏感个人资料转移至第三国(即欧盟以外的国家)提出更高的标准

• For example, health data.

Transfer of data that poses little risk to the rights and freedoms of individuals, does not usually require the same level of protection

对个人权利和自由构成很小风险的数据传输通常不需要同样程度的保护

• For example, transfer of a list of internal telephone extensions to overseas subsidiaries of a multinational company 例如，向跨国公司的海外子公司转让内部电话分机号码清单

Purpose and duration 目的和期限

Data controller must take into account the purposes for which the data is transferred

数据控制者必须考虑数据传输的目的

• some purposes will carry a lesser risk to the rights of data subjects than others 某些用途对资料当事人权利的风险较其他用途小

Data exporters must ensure that:

数据导出者必须确保:

• processing time in the third country is kept to a minimum; and 第三国的处理时间被保持在最低限度
• data is deleted by the data importer as soon as it is no longer required for the intended purpose 一旦预期目的不再需要数据，数据导入器就会删除数据

Remember, Data Controllers will be held accountable for actions of processors in third countries!

请记住，数据控制者将对第三国处理者的行为负责！

不需要监管批准的"Appropriate Safuguard"的几种情况

“Appropriate safeguards” which do not require approval by supervisory authority:

不需要监管机构批准的“适当保障措施”:

• Legally binding and enforceable instruments between public bodies / authorities (Treaties) 公共机构/当局之间具有法律约束力和可执行性的文书(条约)

• Binding Corporate Rules (A47) 约束公司规则【后面会稍微详细的说一点这个】

  • 

• European Commission’s standard contractual clauses 欧盟委员会的标准合同条款

• Standard contractual clauses adopted by national DPA and approved by Commission 国家DPA采用并经委员会批准的标准合同条款

• Approved Code of Conduct (A40) 认可的行为准则

• Approved certification mechanism (A42) 认可的认证机制

需要监管批准的"Appropriate Safuguard"的几种情况

“Appropriate safeguards” which do require approval by supervisory authority:

需要监管机构批准的“适当保障措施”:

• Contractual arrangements between party in EU (Controller or Processor) and party in third country (controller/processor/recipient) or international organisation 欧盟一方(控制者或处理者)与第三国一方(控制者/处理者/接收者)或国际组织之间的合同安排
• Provisions inserted in administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights 在公共当局或机构之间的行政安排中插入的条款，包括可执行的和有效的数据主体权利

Certification - GDPR A42

National authorities & European Commission to encourage EU “data protection mechanisms…seals and marks”

各国政府和欧盟委员会鼓励欧盟“数据保护机制……印章和标志”

• Certifying that specific data controllers in third countries provide EU-level of protection (see US Privacy Shield) 证明第三国的特定数据控制者提供欧盟级别的保护(参见美国隐私盾)
• Certification must be voluntary and transparent 认证必须是自愿和透明的
• Must be monitored; can be withdrawn for non-compliance 必须被监控;是否可以因违规而撤销
• Certification bodies and processes must be properly approved GDPR A43 认证机构和流程必须符合GDPR A43的要求

Privacy Shield

单向的，EU→US

Privacy Shield Principles:

• Notice 注意
• Choice 选择
• Accountability for Onward Transfers 继续转移的问责制
• Security 安全
• Data Integrity and Purpose Limitation 数据完整性和目的限制
• Access 入口
• Recourse, Enforcement and Liability 追索权、执行和责任

隐私盾总体表现很好，但仍有需要改进的地方（答题可以用，反正就是可以完善，具体怎么完善感觉没啥用）

Key implications of the Privacy Shield 隐私盾的主要影响

Exposure to civil & criminal proceedings in US

在美国面临民事和刑事诉讼

Public statement of commitment may highlight local differences

公开承诺可能会突出地方差异

Only available to organisations regulated by the Department of Commerce or the Department of Transport

仅适用于由商务部或运输部监管的组织

Only covers transfers to the US and only from Europe

只涵盖向美国和欧洲的转账

How robust is the Privacy Shield? 隐私盾有多强大?

• Vulnerable to attack on similar grounds to Safe Harbor 易受攻击的理由与安全港相似

Other forms of adequate safeguards

Binding Corporate Rules (BCR) (GDPR A47)

具有约束力的公司规则(BCR)

EU Model Clauses [Standard Contractual Clauses SCC)] (GDPR A93)

欧盟示范条款〔标准合约条款〕

Standard contractual clauses adopted by national DPA and approved by Commission (A93)

国家DPA采用并经委员会批准的标准合同条款

Approved Code of Conduct (A40)

认可的行为准则

Approved certification mechanism (A42)

认可的认证机制

Binding Corporate Rules

有约束力的公司规则是欧盟数据保护监管部门第29条工作组在2003年提出来的，主要是规范分支机构位于不同国家的跨国企业内部的跨境数据流动。

有约束力的公司规则需要得到负责处理个人数据的分支机构所在国家数据保护监管部门的批准。签订约束性企业规则的好处，在于为跨国企业集团制定了统一的数据保护政策框架，有助于通过合同、政策和纪律等手段统一协调跨国企业集团内部个人数据保护的实务操作。

【来源：有约束力的公司规则_百度百科 (baidu.com)】

Facilitate TBDF within particular corporate groups – saves paperwork

促进特定公司集团内部的TBDF -节省文书工作

Article 47 GDPR sets out requirements

GDPR第47条规定了要求

• 

• 又臭又长，没啥大用

National DPAs / European Commission to approve

国家dpa /欧盟委员会批准

Code of Conduct drafted – containing privacy policy of the entire enterprise

行为准则起草——包含整个企业的隐私政策

• Each entity included in the enterprise subscribes 企业中包含的每个实体都订阅
• Enables data subjects to enforce code against the enterprise 使数据主体能够针对企业强制执行准则

Supervisory Authorities (National DPAs) to ensure consistency of applying the rules

监管机构(国家dpa)确保适用规则的一致性

• Pre-GDPR approvals still valid, though can be reviewed GDPR之前的批准仍然有效，但可以进行审查

Standard Contractual Clauses (SCCs) 标准合约条款(SCCs)

European Commission or National DPA (e.g. UK ICO) can adopt standard clauses

欧盟委员会或国家DPA(如英国ICO)可以采用标准条款

• Businesses can use these without approval 企业可以在未经批准的情况下使用这些工具

or

Companies can come up with their own and seek Commission / DPA approval

公司可以提出自己的方案，并寻求欧盟委员会/ DPA的批准

Standard Contractual Clauses: The 2010 Version（最新版）

February 2010: European Commission adopts revised “controller-to-processor” SCCs.

2010年2月:欧盟委员会采用修订的“控制者到处理者”SCCs。

• takes account of the expansion of processing activities outsourced by EU businesses to companies in third countries 考虑到欧盟企业外包给第三国公司的加工活动的扩大
• includes specific provisions allowing the outsourcing by the data processor of its processing activities to other sub- processors 包括允许数据处理者将其处理活动外包给其他子处理者的具体规定

Codes of Conduct - GDPR A40 行为准则

National Supervisory Authorities & EC to encourage creation of codes of conduct “for various processing sectors”

国家监管机构和欧共体鼓励为“各种加工部门”制定行为准则

• Types of information, business, needs of particular business sector 信息类型，业务，特定业务部门的需求

“Associations and other bodies representing categories of controllers or processors may prepare codes of conduct…”

“代表控制者或处理者类别的协会和其他机构可以制定行为准则……”

• Codes to be approved by national DPAs (Supervisory authorities) or European Commission 由国家dpa(监管机构)或欧盟委员会批准的准则

Codes not themselves binding law, (though help to obey the law),

准则本身并不具有法律约束力(虽然有助于遵守法律)，

BUT

• If made binding by legal instrument (e.g. by contract) on party in third country, can provide “appropriate safeguards” 如果通过法律文书(例如通过合同)对第三方具有约束力，可以提供“适当的保障”。
• Day to day monitoring of approved codes can be by accredited body – GDPR A41 经认可的机构GDPR A41可以对批准的准则进行日常监控

Online Service Providers

Internet “actors”: Internet Access Provider :

互联网“参与者”:互联网接入提供商;

• deal with internet access only 只处理互联网访问
• Individual has to subscribe 个人必须订阅
• Providing personal data 提供个人资料
• IAP: log the date, time, duration, IP address IAP:记录日期，时间，持续时间，IP地址
  • Q: Is the above information “personal data”? 上述资料是否属“个人资料”?
  • A: YES, if possible to link the logbook to the IP address of a user 是，如果可能，将日志链接到用户的IP地址

Internet “actors”: Internet Service Providers (ISPs) 互联网服务供应商

• Provide services to individuals and companies on the web 在网络上为个人和公司提供服务
  • Webhosting, newsgroup access, FTP access, email 网站托管，新闻组访问，FTP访问，电子邮件
• Own/ hire a permanent TCP/IP connection, use servers permanently connected to the Internet 拥有/租用一个永久的TCP/IP连接，使用永久连接到Internet的服务器
• Servers equipped with protocols: gather personal data 配备协议的服务器:收集个人数据
• http servers: logbook or logfile created systematically: may contain all or some data present in the http request header (browser chattering) and the IP address 系统创建的日志或日志文件可能包含http请求头(浏览器抖动)和IP地址中存在的全部或部分数据
  • Is this personal data?
  • YES, according to some, NO, according to others 一些人认为是，另一些人认为不是

[Note: IAPs frequently provide ISP services – ISP used as a combined term]

[注:IAPs通常提供ISP服务- ISP用作组合术语]

Internet “actors”: Information Society Service Providers 信息社会服务提供者

• Provide online services, sell or advertise their goods or services online (retailers, UGC platforms, social media sites etc.) 提供在线服务，在网上销售或宣传他们的商品或服务(零售商，UGC平台，社交媒体网站等)
• Collect personal data from users/customers 收集用户/客户的个人资料
  • For the performance of a contract with the user (e.g. delivery of goods ordered online, payment etc.) 用于履行与用户的合同(例如，交付在线订购的商品，付款等)
  • During the registration process 在注册过程中
  • While the user uses the service 当用户使用服务时

Collection of information online

Information collection from individuals, natural persons, consumers

收集个人、自然人、消费者的信息

• Visibly: Often with consumer’s knowledge or consent 可见的:通常在消费者知情或同意的情况下
  • E.g. personal information provided to online retailers, as part of online competitions or in exchange for free use of online service 例如，提供给在线零售商的个人信息，作为在线竞争的一部分或作为免费使用在线服务的交换
  • However, subsequent use may not be transparent 然而，随后的使用可能不透明
• Invisibly: often without user’s knowledge or consent 无形的:通常在用户不知情或不同意的情况下
  • E.g. TCP/IP tracking, browser chattering, invisible hyperlinks, cookies and other web tracking devices, traffic data, clickstream data 例如TCP/IP跟踪，浏览器抖动，不可见的超链接，cookie和其他网络跟踪设备，流量数据，点击流数据
  • However, users may have given “implied” consent 然而，用户可能已经“暗示”同意

Privacy Risks

Privacy Risks: TCP/IP:

• Route: dynamic: speed – connection between 2 towns in the same EU country may be routed through a non EU country, which may not have adequate level of protection 路线:动态:速度-在同一个欧盟国家的两个城镇之间的连接可能会通过非欧盟国家路由，这可能没有足够的保护水平
• DNS Server: translation of numeric IP address and domain name. DNS server can keep trace of all the names of the internet servers the user has tried to contact DNS服务器:数字IP地址和域名的转换。DNS服务器可以跟踪用户试图联系的所有互联网服务器的名称
• Ping command: enable anyone on the internet to know if a particular computer is turned on and connected Ping命令:使互联网上的任何人都能知道一台特定的计算机是否打开并连接

HTTP privacy risks

• browser chattering 浏览器抖动
• Invisible hyperlinks 看不见的超链接

Privacy Risks: Cookies

Cookies可能通过Invisible hyperlinks来set，最新的叫Flash cookies，无法通过changing browser settings来删除

Privacy Risk: Traffic data 流量数据

Any data that identifies the person transmitting the communication, the person to whom it is transmitted and the circumstances under which it is transmitted

识别传送该通讯的人、接收该通讯的人及传送该通讯的情况的任何资料

Can be used to build up a picture of the user, who he talks to, his interests etc.

可以用来建立一个用户的画像，他与谁交谈，他的兴趣等。

E.g. e-mail, mobile phone call

Privacy Risk: Clickstream data 点击流数据

Clickstream: route that a visitor chooses when clicking or navigating through a site 点击流:访问者在点击或浏览网站时选择的路径

• A list of all the pages viewed by a visitor, in the order viewed ‘succession of mouse clicks’ 访问者浏览过的所有页面的列表，按“鼠标点击的先后顺序”排列。
• Shows when and where a person came into a site, all the pages viewed, time spent on the page, when and where visitor left 显示用户何时何地进入网站，浏览过的所有页面，在页面上花费的时间，以及访问者何时何地离开
• When aggregated, tell how long people spend on the site, how often they return, pages most frequently viewed 当聚合时，告诉人们在网站上花费了多长时间，他们返回的频率，最常被浏览的页面
• If a visitor has entered their email address at any point, email address stored with the visitor’s clickstream data - ‘tagging’ 如果访问者在任何时候输入了他们的电子邮件地址，电子邮件地址存储与访问者的点击流数据- ‘标签’
• Direct connection established, e.g. Amazon.com 建立直接连接，例如Amazon.com

Privacy Risk: Online Services

用户在使用Online Services（OS）的时候会提供大量的个人数据，OS会利用这些数据为自己服务或者进行商业营销，但这些数据的使用Usually with user consent——但是这个同意通常是通过privacy policies进行的，这些协议通常冗长难懂没人看，且无法协商（同意就用不同意就不用）

Online Profiling 在线资料收集与分析研究

Combination of visible and invisible collection of personal data online can lead to invisible profiling of every individual internet user!

在线收集可见和不可见的个人数据可以导致每个互联网用户的隐形分析!

Useful for direct marketing and targeted sales activity (including individual pricing)

用于直接营销和目标销售活动(包括个人定价)

• Direct marketing:
  • Direct marketing companies: finance many search engines and “free-to-access” online services 直销公司:为许多搜索引擎和“免费”在线服务提供资金
  • Common websites: put an invisible hyperlink to cyber marketing companies on their webpages, instructing browsers to open an independent connection with the cyber marketing company’s http server 常见的网站:在网页上放一个指向网络营销公司的隐形超链接，指示浏览器与网络营销公司的http服务器打开一个独立的连接
    • All data collected: used, traded, etc to build consumer profiles 收集的所有数据:使用、交易等，以建立消费者档案
    • Allows targeting of advertisements based on user behaviour and preferences 允许基于用户行为和偏好的广告定位

Also creates pools of personal data which may then be accessed by third parties (e.g. governments) for unrelated purposes

还创建了个人数据池，这些数据可能会被第三方(例如政府)出于不相关的目的访问

• E.g. Cambridge Analytica
  • Accessed “far more than” 87 millions Facebook users’ data 访问了“远远超过”8700万Facebook用户的数据
  • Changed outcome of US Presidential Election / UK Brexit vote? 美国总统大选或英国脱欧公投结果改变?

Possible protection:

• Anonymisation (identities are disguised: personal data is collected, but identity is disguised. Useful for statistical purposes and for research) 匿名化(伪装身份:收集个人数据，但伪装身份。对统计和研究有用)
• Pseudonymisation (through use of “username” or avatar. Will usually be traceable) 假名化(通过使用“用户名”或虚拟形象)。通常是可追溯的)

Anonymised/pseudonymised data 匿名/去个性化 数据

Anonymising data: challenging task

匿名数据:具有挑战性的任务

• Sophisticated data analysis, data mining techniques on ‘anonymised’ data may eventually ‘reverse engineered’ or lead ‘directly or indirectly’ to a specific individual (see search engine data) 对“匿名”数据的复杂数据分析和数据挖掘技术最终可能会“逆向工程”或“直接或间接”指向特定的个人(参见搜索引擎数据)。
  • If so, it becomes personal data 如果是这样，它就成为个人数据

“Identified tracking” no longer necessary

不再需要“识别跟踪”

• Online advertisers no longer need to know the identity of the potential customer, only what he/she can afford to buy and what they are interested in 网络广告商不再需要知道潜在客户的身份，只需要知道他/她能买得起什么，以及他们对什么感兴趣
  • Data protection laws do not directly protect against predatory or manipulative marketing and sales activity 数据保护法并不直接防止掠夺性或操纵性的营销和销售活动
    • Targeted advertising 定向广告

The Impact of Search Engines

Identify users through 通过以下方式识别用户

• log files
• IP addresses
• web cookies

Collect and store

• keywords and search terms
• user choices

Privacy & Online Data Collection

Privacy in eCommunications 通信中的隐私

• General legal framework 一般法律框架
• How is the use of cookies and spyware regulated? 如何监管cookie和间谍软件的使用?
• Traffic data 流量数据

Direct Marketing and Spam E-mail 直接营销和垃圾邮件

• Unsolicited communications 主动沟通
• E-mail harvesting 电子邮件搜集
• Traffic data 流量数据

Regulation of search engines 规管搜寻引擎

Processing of IP addresses IP地址处理

Direct marketing & Spam Email - 主要是对垃圾邮件的管控 - ePrivacy Directive

What is Spam? 什么是垃圾邮件?

• Unsolicited e-mail 未经请求的电子邮件
• E-mail is widely defined: text/SMS, voice, sound, image messages sent over a public communications network 电子邮件被广泛定义为:通过公共通信网络发送的文本/SMS、语音、声音、图像信息

ePrivacy Directive 2002 电子隐私指令

• Art. 13: Unsolicited e-mail is prohibited unless: 第13条:禁止未经请求的电子邮件，除非:
  • recipient ‘opts-in’, i.e. gives prior consent before being sent unsolicited email, (also faxes and calls by automated calling systems) 收件人“选择加入”，即在收到未经请求的电子邮件(也包括传真和自动呼叫系统的电话)之前给予事先同意。

Limited exception (“soft opt-out”) 有限例外(“软选择性退出”)

• Merchants can use e-mail addresses if they were collected from customers in the course of a sale to market similar products/ services to those customers without customer’s prior consent 商户可以使用在销售过程中收集到的电子邮件地址，在没有客户事先同意的情况下向这些客户推销类似的产品/服务
• But: customer can opt-out i.e. ‘refuse’ receiving such direct marketing solicitations 但是，客户可以选择退出，即“拒绝”接收此类直接营销请求

ePrivacy Directive对垃圾邮件的具体要求 - 很严格！

Consent:

• As defined by EU DPD, now GDPR 由欧盟DPD，现在的GDPR定义
  • Freely given, specific and informed indication of wishes 自由地、具体地、知情地表示愿望
    • Asking, by a general email sent to recipients, consent to receive marketing e-mails – not legitimate, explicit and specific 通过发送给收件人的普通电子邮件，要求他们同意接收营销电子邮件——不合法、不明确、不具体
    • Purposes must be specified 必须指明用途
  • Any appropriate method enabling above – such as ticking a box when visiting an internet website 任何适当的方法实现上述-例如在访问互联网网站时勾选一个方框
• Implied consent to receive such mails not compatible with above – pre ticked box not acceptable 不接受与上述复选框不兼容的默示同意接收此类邮件
• Consent to pass on the personal data to third parties must be obtained where applicable 在适用的情况下，必须取得将个人资料传递给第三方的同意
• Information about data controller identity must be provided at time of collection 必须在收集时提供有关数据控制器身份的信息
• Other requirements of the GDPR GDPR的其他要求

Article 29 Working Party on ePrivacy Directive (WP90 Interpretation)

• Direct Marketing: 直接营销（一种营销策略，通过直接与潜在客户进行沟通，以提高产品或服务的销售。通常包括邮件、电话、短信和电子邮件等方式。）
  • no definition in the directives 指令中没有定义
  • Any form of sales promotion, including fund raising by charities and political organizations 任何形式的促销活动，包括慈善机构和政治组织的筹款活动
  • Broad definition adopted by the Federation of European Direct Marketing Code of Practice 宽泛的定义，由欧洲直销联合会的业务守则采用
    • “The communication by whatever means (including but not limited to mail, fax, telephone, on-line services etc…) of any advertising or marketing material, which is carried out by the Direct Marketer itself or on its behalf and which is directed to particular individuals. “直销人以任何方式(包括但不限于邮件、传真、电话、在线服务等)向特定个人发送任何广告或营销材料。
• Definition of email:
  • ‘electronic mail’ means any text, voice, sound or image message sent over a public co-mmunications network which, can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient (including SMTP based mail, SMS, MMS, messages on answering machines, voice mail service systems including on mobile services, ‘net send’ communications addressed directly to an IP address…) “电子邮件”是指通过公共通信网络发送的任何文本、语音、声音或图像信息，这些信息可以存储在网络中或收件人的终端设备中，直到收件人收集为止(包括基于SMTP的邮件、短信、彩信、答录机上的信息、语音邮件服务系统(包括移动服务)、直接向IP地址发送的“网络发送”通信……)。

ePrivacy Directive - Prior Consent: OPT IN 事先同意 - 选择加入

Purposes to be specified

用途需要指明

Consent to pass on the PI to third parties to be asked where applicable

同意将个人信息传递给第三方(如适用)

Information, at time of collection: data controller identity (see also Ecommerce Directive Article 6; note new article 13(4) inserted by ePrivacy Amendment Directive 2009)

收集时的信息:数据控制者身份(另见电子商务指令第6条;(注2009年电子私隐修订指令新增的第13(4)条)

Other requirements of the GDPR

• Especially GDPR A 21(2) – data subject has right to object at any time to processing of their personal data for marketing purposes 特别是GDPR A 21(2) -数据主体有权随时反对出于营销目的处理其个人数据
• Where Data subject objects, processing must cease 当数据主体反对时，处理必须停止

Email Harvesting

ePrivacy Directive

• Automatic collection of PI on public internet places, e.g web, chat rooms, etc 自动收集PI在公共互联网场所，如网页，聊天室等
• UNLAWFUL
• GDPR Article 22: “data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.” e.g. online credit card checks? GDPR第22条:“数据主体有权不受完全基于自动处理的决定的约束，包括分析，这对他或她产生了法律影响，或者同样对他或她产生了重大影响。”“比如网上信用卡查询?”
• BUT – certain exemptions can be inserted by national law, e.g. to monitor for tax evasion or fraud 但是-某些豁免可以由国家法律插入，例如监测逃税或欺诈行为
  • See also Recitals 71 & 72

The Regulation of Search Engines

No specific regulation in ePrivacy Directive

在电子隐私指令中没有具体的规定

Unclear if information collected by search engines is personal data 不清楚搜索引擎收集的信息是否属于个人数据

• Search engines do not, as a rule, have information about the searcher’s identity (vanity searches? Combined services?) 搜索引擎通常没有关于搜索者身份的信息(虚荣搜索? - 查了一下，虚荣搜索的意思大概就是你搜你自己的名字 - 综合服务?)
• But: searcher’s identity may be “reverse engineered” from search terms 但是，搜索者的身份可能是从搜索词中“反向工程”出来的
• See GDPR Recital 26: test for identifiability includes: 参见GDPR序言26:可识别性测试包括:
  • “all the means likely to be used” to identify “可能使用的所有手段”来识别

EU WP 136

• The Working Party noted in its WP 136 that:
  • “… unless the Internet Service Provider is in a position to distinguish with absolute certainty that the data correspond to users that cannot be identified, it will have to treat all IP information as personal data, to be on the safe side”, “…除非互联网服务提供商能够绝对确定该等资料与无法识别的用户相对应，否则为安全起见，它必须将所有知识产权资料视为个人资料”;

Processing of IP Addresses

When is an IP address personal data?

• Personal data includes all data relating to an identified or identifiable personal 个人资料包括与已识别或可识别个人有关的所有资料
• An identifiable person is one who can be identified, directly or indirectly, from information held by the person in possession of the IP address or that person and another person 可识别的人是指可以直接或间接地从拥有IP地址的人或该个人和另一个人持有的信息中识别出来的人
  • Example:
    • Directly identifiable: by ISP 直接识别:通过ISP
• Indirectly identifiable: A person collecting the IP address online and the ISP 间接识别:在线收集IP地址的人和ISP
• GDPR Recital 26: test for identifiability includes: GDPR序言26:可识别性测试包括:
  • “all the means likely to be used” to identify “可能使用的所有手段”来识别

The Right to be Forgotten

Vast quantities of personal information online

网上有大量的个人信息

• Why might want information deleted? 为什么可能希望删除信息?
  • Inaccurate or false – possibly defamation? 不准确或虚假——可能是诽谤?
  • Invades privacy – issue of past criminal records? 侵犯隐私——过去犯罪记录的问题?

GDPR Article 17

• Data subject has a right to deletion of information “without undue delay” if one of these applies: 如下列情况之一适用，资料当事人有权“不经不当延误”删除资料:
  • No longer necessary for purposes collected 不再需要用于收集目的
  • No longer wants data there, and no other legal grounds for processing 不再需要数据，也没有其他处理的法律依据
  • Objects to processing under A21, and no overriding grounds 反对根据A21进行处理，且无凌驾理由
  • Data has been unlawfully processed 数据被非法处理
  • If published or otherwise shared, Controller must take reasonable steps to advise others to delete. 如已发布或以其他方式共享，控制人必须采取合理步骤建议他人删除。
• Exceptions:
• Where processing is necessary for:
  • “exercising the right of freedom of expression and information” “行使言论及资讯自由权”
  • Compliance with legal obligations on Controller 遵守控制人的法律义务
  • Performance of tasks carried out in public interest or exercise of official authority 为公共利益或行使官方权力而执行的任务
  • Public interest in areas of public health (link A9 GDPR) 公共卫生领域的公共利益(链接A9 GDPR)
  • Archives that are in the public interest, scientific or historical research or statistical research where deletion would “render impossible or seriously impair” aims of research (subject A89) 有关公众利益、科学或历史研究或统计研究的档案，若删除会“不可能或严重损害”研究目的(主题A89)
  • “establishment, exercise, or defence of legal claims” 法律要求的确立、行使或辩护。

Data Portability 数据可移植性

Today: common to change service providers regularly 今天:定期更换服务提供商是很常见的

• Mobile telephones, Netflix/ Amazon Prime, changing social networks, utility providers, banks, credit cards… 移动电话、Netflix/ Amazon Prime、不断变化的社交网络、公用事业提供商、银行、信用卡……

Article 20 – right to data portability 第20条-资料可携权

• “in a structured, commonly used and machine-readable format” “以结构化、常用和机器可读的格式”
• Available where:
  • Processing based on consent 基于同意的处理
  • Processing carried out by automated means 通过自动化手段进行的处理
• Controller must then delete (link A17) 然后控制者必须删除(链接A17)
• Where feasible, Controller to forward directly to new controller 在可行的情况下，控制者直接转发到新的控制者