由於5G即將來臨,香港必然向智慧城市發展,立法會討論了《加快推動智慧城市發展》。政府的首要工作應該是準備訂立相關法例,特別是保護私隱和網絡保安。某程度上,版權法也與此相關,但2014年版權條例修訂的經驗說明,這些議案相當敏感,需時頗長。可是,我們完全看不到政府在這方面工作。
急遽的技術發展和全球化為保護個人資料帶來了新的挑戰。全球的收集和分享個人數據的規模顯著增加。
新技術允許企業和政府以前所未有的規模利用個人數據,跟蹤人們的活動。人們越來越多地暴露個人資料。 技術改變了經濟和社會活動,因此,促進國際之間的個人數據自由流動、轉移,以及確保個人資料受法律保護應互相兼顧。
歐洲議會的立法方式分為規例、指令、決定、建議和意見5種,以規例為最高級別,強制在歐盟各國執行(註1)。
歐盟經過4年的準備和辯論之後,在2016年4月14日批准了《一般資料保護規例》 ( EU
General Data Protection Regulation , GDPR),2018年5月25日執法,在2020年檢視其執行情況。
公民權利
GDPR加強和新增的權利包括:
•公民可以易懂的方式了解其個人資料的處理;
•公民享有 “被遺忘的權利”;
•公民有權知道他們的個人資料是否被黑客入侵;
•方便用戶轉變服務提供商
(新的權利)。
對企業的影響
GDPR創造商機並激發創新(註2):
•單一規則可以為企業節省23億歐元;
•公共機構和處理大規模數據的企業需要設立數據保護官;
•每國設立一站式服務的監管機構;
•非歐盟公司若處理歐盟公民的個人資料,需要遵守此法;
•產品的開發階段,需考慮保證數據保護措施;
•以假名(標識)和加密等技術保議個人私穩;
• 統一刪除通知;
•企業必須進行風險評估;
•多於250名員工的企業需要專人處理數據記錄;
•違例者可被重罰。
被遺忘權
新例中最爭議性的是確立被遺忘權(註3),[Article 17 ,Right
to erasure (‘right to be forgotten’)]。 資料主體(data
subject) 運用這權利時是有限制的。
在下列情況,資料主體不享有被遺忘權:
(a)影響言論自由和信息自由;
(b)管理者由於需要遵守法律義務而無法執行;
(c)出於公共衛生領域的公共利益的原因;
(d)為了符合公共利益,例如科學或歷史研究;
(e)辯護或法律索賠。
資料主體在上述情況以外時,可以下列理由要求刪去其個人資料:
(a)就其收集的目的而言,其個人資料不再是必需的;
(b)原本資料當事人是為某些指定的目的而同意其資料被處理的,而現在當事人取消其同意書;
(c)其資料是被用作市場調查用途;
(d)其個人資料被非法處理;
(e)根據法律,其個人數據必須被刪除;
(f)父母為16歲以下兒童登記的個人資料。
由歐盟立法可以看到,很多網民誤解了被遺忘權,例如,某君被網民指是契弟,他並沒有以上的六種理由之一,要求臉書為其刪帖。
反對者以被遺忘權與塊連結技術相剋做文章,並指責《一般資料保護規例》殺死互聯網,這似乎跨大,因為上述的情況很少放在塊連結,第一是沒必要,第二是塊連結
(如虛擬貨幣) 的成本高,上載慢。
不受電腦決定的權利
人越來越受機械控制,這是無可避免的,電腦預測消費者行為,誘導消費,甚至改變消費者的需要。機械決定了人的生活,但有時機械會出錯的。
Article 22
Automated individual decision-making, including profiling
例如,當你使用在線銀行進行貸款。銀行的算法告訴你是否貸款,並給出建議的利率。 你有權要求銀行職員(自然人)審核。
新的權利
第20條規定,資料當事人有權要求資料控制者以結構化,通用和機器可讀的格式接收他的個人資料,並有權將這些資料傳送給另一控制者,不受阻礙:
例如,你是在交友網站(收費)的成員。 當你希望轉會到另一個交友網站時,你可以要求您當前的交友網站將你的個人數據(包括照片)傳輸到新的交友網站。
----------------完----------------------
備註
註一
Regulations, Directives and other acts
The aims set out in the EU treaties are achieved by several
types of legal act. Some are binding, others are not. Some apply to all EU
countries, others to just a few.
Regulations
A "regulation" is a binding legislative act. It
must be applied in its entirety across the EU. For example, when the EU wanted
to make sure that there are common safeguards on goods imported from outside
the EU, the Council adopted a regulation.
Directives
A "directive" is a legislative act that sets out a
goal that all EU countries must achieve. However, it is up to the individual
countries to devise their own laws on how to reach these goals. One example is
the EU consumer rights directive, which strengthens rights for consumers across
the EU, for example by eliminating hidden charges and costs on the internet,
and extending the period under which consumers can withdraw from a sales
contract.
Decisions
A "decision" is binding on those to whom it is
addressed (e.g. an EU country or an individual company) and is directly
applicable. For example, the Commission issued a decision on the EU
participating in the work of various counter-terrorism organisations. The
decision related to these organisations only.
Recommendations
A "recommendation" is not binding. When the
Commission issued a recommendation that EU countries' law authorities improve
their use of videoconferencing to help judicial services work better across
borders, this did not have any legal consequences. A recommendation allows the
institutions to make their views known and to suggest a line of action without
imposing any legal obligation on those to whom it is addressed.
Opinions
An "opinion" is an instrument that allows the
institutions to make a statement in a non-binding fashion, in other words
without imposing any legal obligation on those to whom it is addressed. An
opinion is not binding. It can be issued by the main EU institutions
(Commission, Council, Parliament), the Committee of the Regions and the
European Economic and Social Committee. While laws are being made, the
committees give opinions from their specific regional or economic and social
viewpoint. For example, the Committee of the Regions issued an opinion on the
clean air policy package for Europe.
註2
Summary
SUMMARY OF:
Regulation (EU) 2016/679 — protection of natural persons
with regard to the processing of personal data and the free movement of such
data
WHAT IS THE AIM OF THE REGULATION?
• It allows European Union (EU)
citizens to better control their personal data. It also modernises and unifies
rules allowing businesses to reduce red tape and to benefit from greater
consumer trust.
• The general data protection
regulation (GDPR) is part of the EU data protection reform package, along with
the data protection directive for police and criminal justice authorities.
Citizens’ rights
The GDPR strengthens existing rights, provides for new
rights and gives citizens more control over their personal data. These include:
• easier access to their data —
including providing more information on how that data is processed and ensuring
that that information is available in a clear and understandable way;
• a newright to data portability —
making it easier to transmit personal data between service providers;
• a clearer right to erasure (‘right
to be forgotten’) — when an individual no longer wants their data processed and
there is no legitimate reason to keep it, the data will be deleted;
• right to know when their personal
data has been hacked — companies and organisations will have to inform
individuals promptly of serious data breaches. They will also have to notify
the relevant data protection supervisory authority.
Rules for businesses
The GDPR is designed to create business opportunities and
stimulate innovation through a number of steps including:
• a single set of EU-wide rules — a
single EU-wide law for data protection is estimated to make savings of €2.3
billion per year;
• a data protection officer,
responsible for data protection, will be designated by public authorities and
by businesses which process data on a large scale;
• one-stop-shop — businesses only
have to deal with one single supervisory authority (in the EU country in which
they are mainly based);
• EU rules for non-EU companies —
companies based outside the EU must apply the same rules when offering services
or goods, or monitoring behaviour of individuals within the EU;
• innovation-friendly rules — a
guarantee that data protection safeguards are built into products and services
from the earliest stage of development (data protection by design and by
default);
• privacy-friendly techniques such
as pseudonymisation (when identifying fields within a data record are replaced
by one or more artificial identifiers) and encryption (when data is coded in
such a way that only authorised parties can read it);
• removal of notifications — the new
data protection rules will scrap most notification obligations and the costs
associated with these. One of the aims of the data protection regulation is to
remove obstacles to free flow of personal data within the EU. This will make it
easier for businesses to expand;
• impact assessments — businesses
will have to carry out impact assessments when data processing may result in a
high risk for the rights and freedoms of individuals;
• record-keeping — SMEs are not
required to keep records of processing activities, unless the processing is regular
or likely to result in a risk to the rights and freedoms of the person whose
data is being processed.
Review
The European Commission must submit a report on the
evaluation and review of the regulation by 25 May 2020.
註三
Right to erasure (‘right to be forgotten’)
1. The data subject
shall have the right to obtain from the controller the erasure of personal data
concerning him or her without undue delay and the controller shall have the
obligation to erase personal data without undue delay where one of the
following grounds applies:
(a) the personal data are no
longer necessary in relation to the purposes for which they were collected or
otherwise processed;
(b) the data subject
withdraws consent on which the processing is based according to point (a) of
Article 6(1), or point (a) of Article 9(2), and where there is no other legal
ground for the processing;
(c) the data subject objects
to the processing pursuant to Article 21(1) and there are no overriding
legitimate grounds for the processing, or the data subject objects to the
processing pursuant to Article 21(2);
(d) the personal data have
been unlawfully processed;
(e) the personal data have to
be erased for compliance with a legal obligation in Union or Member State law
to which the controller is subject;
(f) the personal data have
been collected in relation to the offer of information society services
referred to in Article 8(1).
2. Where the
controller has made the personal data public and is obliged pursuant to paragraph
1 to erase the personal data, the controller, taking account of available
technology and the cost of implementation, shall take reasonable steps,
including technical measures, to inform controllers which are processing the
personal data that the data subject has requested the erasure by such
controllers of any links to, or copy or replication of, those personal data.
3. Paragraphs 1 and
2 shall not apply to the extent that processing is necessary:
(a) for exercising the right of freedom of expression and
information;
(b) for compliance with a legal obligation which requires
processing by Union or Member State law to which the controller is subject or
for the performance of a task carried out in the public interest or in the
exercise of official authority vested in the controller;
(c) for reasons of public interest in the area of public
health in accordance with points (h) and (i) of Article 9(2) as well as Article
9(3);
(d) for archiving purposes in the public interest,
scientific or historical research purposes or statistical purposes in
accordance with Article 89(1) in so far as the right referred to in paragraph 1
is likely to render impossible or seriously impair the achievement of the
objectives of that processing; or
(e) for the establishment, exercise or defence of legal
claims.
註四
Article 22
Automated individual decision-making, including profiling
1. The data subject
shall have the right not to be subject to a decision based solely on automated
processing, including profiling, which produces legal effects concerning him or
her or similarly significantly affects him or her.
Profiling is done when your personal aspects are being
evaluated in order to make predictions about you, even if no decision is taken.
For example, if a company or organisation assesses your characteristics (such
as your age, sex, height) or classifies you in a category, this means you are
being profiled.
Decision-making based solely on automated means happens when
decisions are taken about you by technological means and without any human
involvement. They can be taken even without profiling.
The data protection law establishes that you have the right
not to be subject to a decision based solely on automated means, if the
decision produces legal effects concerning you or significantly affects you in
a similar way. A decision produces legal effects when your legal rights are
impacted (such as your right to vote). In addition, processing can
significantly affect you if it influences your circumstances, behaviour or
choices. For example automatic processing may lead to the refusal of your
online credit application.
Profiling and automated decision-making are common practice
in a number of sectors, such as banking and finance, taxation and healthcare.
It can be more efficient, but may be less transparent and may restrict your
choice.
Although, as a general rule, you may not be the subject of a
decision based solely on automated processing, this type of decision-making may
exceptionally be allowed if the use of algorithms is allowed by law and
suitable safeguards are provided.
Decisions based solely on automated means are also allowed
where:
the decision is necessary that is to say, there must be no
other way to achieve the same goal to enter or perform a contract with you;
you have given your explicit consent.
In both instances, the decision taken needs to protect your
rights and freedoms, by implementing suitable safeguards. The company or
organisation must, at least, inform you of your right to human intervention and to make the required
procedural arrangements. Furthermore, the company or organisation should allow
you to express your point of view and inform you that you may contest the
decision.
Algorithm-based decisions may not make use of special
categories of data, unless you have given your consent or the processing is
allowed by EU or national law (see above).
Example
You use an online bank for a loan. You are asked to insert
your data and the bank’s algorithm tells you whether the bank will grant you
the loan or not and gives the suggested interest rate. You must be informed
that you may express your opinion, contest the decision and demand that the
decision made via the algorithm be reviewed by a person.
註五
Article 20 Right to data portability
1. The data subject
shall have the right to receive the personal data concerning him or her, which
he or she has provided to a controller, in a structured, commonly used and
machine-readable format and have the right to transmit those data to another
controller without hindrance from the controller to which the personal data
have been provided, where:
(a) the processing is based on consent pursuant to point (a)
of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point
(b) of Article 6(1); and
(b) the processing is
carried out by automated means.
2. In exercising his
or her right to data portability pursuant to paragraph 1, the data subject
shall have the right to have the personal data transmitted directly from one
controller to another, where technically feasible.
3. The exercise of the right referred to in
paragraph 1 of this Article shall be without prejudice to Article 17. That
right shall not apply to processing necessary for the performance of a task
carried out in the public interest or in the exercise of official authority
vested in the controller.
4. The right referred to in paragraph 1 shall
not adversely affect the rights and freedoms of others.
If a company is processing your personal data on the basis
of your consent or a contract, you can ask the company to transfer your
personal data to you.
You can also ask for your personal data to be transferred
directly to another company whose services you would like to use, when it’s
technically feasible.
Example
You are a member of an online social media network. You
decide that a new rival social media network is better suited to your aims and
age-group. You can ask your current online social media network to transfer your
personal data, including your photos, to the new social media network.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
沒有留言:
張貼留言