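Rapid technological development and globalisation have brought new challenges for the protection of personal data. The scale of collection and sharing of personal data worldwide has increased significantly. New technologies allow businesses and governments to make use of personal data on an unprecedented scale and to track people's activities. People increasingly expose their personal data. Technology has transformed economic and social activity; facilitating the free flow and transfer of personal data between countries and ensuring that personal data are protected by law should therefore go hand in hand.
After four years of preparation and debate, the EU approved the General Data Protection Regulation (GDPR) on 14 April 2016. It has been enforced since 25 May 2018, with its implementation to be reviewed in 2020.
The most controversial element of the new regulation is the establishment of the right to be forgotten (note 3) [Article 17, Right to erasure (‘right to be forgotten’)]. The data subject's exercise of this right is subject to limits.
Opponents make much of the conflict between the right to be forgotten and blockchain technology, and accuse the GDPR of killing the internet. This seems exaggerated, because the situations described above are rarely put on a blockchain: first, there is no need to, and second, a blockchain (such as a virtual currency) is costly and slow to upload to.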
Automated individual decision-making, including profiling
Regulations, Directives and other acts
The aims set out in the EU treaties are achieved by several types of legal act. Some are binding, others are not. Some apply to all EU countries, others to just a few.
A "regulation" is a binding legislative act. It must be applied in its entirety across the EU. For example, when the EU wanted to make sure that there are common safeguards on goods imported from outside the EU, the Council adopted a regulation.
A "directive" is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to devise their own laws on how to reach these goals. One example is the EU consumer rights directive, which strengthens rights for consumers across the EU, for example by eliminating hidden charges and costs on the internet, and extending the period under which consumers can withdraw from a sales contract.
A "decision" is binding on those to whom it is addressed (e.g. an EU country or an individual company) and is directly applicable. For example, the Commission issued a decision on the EU participating in the work of various counter-terrorism organisations. The decision related to these organisations only.
A "recommendation" is not binding. When the Commission issued a recommendation that EU countries' law authorities improve their use of videoconferencing to help judicial services work better across borders, this did not have any legal consequences. A recommendation allows the institutions to make their views known and to suggest a line of action without imposing any legal obligation on those to whom it is addressed.
An "opinion" is an instrument that allows the institutions to make a statement in a non-binding fashion, in other words without imposing any legal obligation on those to whom it is addressed. An opinion is not binding. It can be issued by the main EU institutions (Commission, Council, Parliament), the Committee of the Regions and the European Economic and Social Committee. While laws are being made, the committees give opinions from their specific regional or economic and social viewpoint. For example, the Committee of the Regions issued an opinion on the clean air policy package for Europe.
Regulation (EU) 2016/679 — protection of natural persons with regard to the processing of personal data and the free movement of such data
WHAT IS THE AIM OF THE REGULATION?
• It allows European Union (EU) citizens to better control their personal data. It also modernises and unifies rules allowing businesses to reduce red tape and to benefit from greater consumer trust.
• The general data protection regulation (GDPR) is part of the EU data protection reform package, along with the data protection directive for police and criminal justice authorities.
The GDPR strengthens existing rights, provides for new rights and gives citizens more control over their personal data. These include:
• easier access to their data — including providing more information on how that data is processed and ensuring that that information is available in a clear and understandable way;
• a new right to data portability — making it easier to transmit personal data between service providers;
• a clearer right to erasure (‘right to be forgotten’) — when an individual no longer wants their data processed and there is no legitimate reason to keep it, the data will be deleted;
• right to know when their personal data has been hacked — companies and organisations will have to inform individuals promptly of serious data breaches. They will also have to notify the relevant data protection supervisory authority.
Rules for businesses
The GDPR is designed to create business opportunities and stimulate innovation through a number of steps including:
• a single set of EU-wide rules — a single EU-wide law for data protection is estimated to make savings of €2.3 billion per year;
• a data protection officer, responsible for data protection, will be designated by public authorities and by businesses which process data on a large scale;
• one-stop-shop — businesses only have to deal with one single supervisory authority (in the EU country in which they are mainly based);
• EU rules for non-EU companies — companies based outside the EU must apply the same rules when offering services or goods, or monitoring behaviour of individuals within the EU;
• innovation-friendly rules — a guarantee that data protection safeguards are built into products and services from the earliest stage of development (data protection by design and by default);
• privacy-friendly techniques such as pseudonymisation (when identifying fields within a data record are replaced by one or more artificial identifiers) and encryption (when data is coded in such a way that only authorised parties can read it);
• removal of notifications — the new data protection rules will scrap most notification obligations and the costs associated with these. One of the aims of the data protection regulation is to remove obstacles to free flow of personal data within the EU. This will make it easier for businesses to expand;
• impact assessments — businesses will have to carry out impact assessments when data processing may result in a high risk for the rights and freedoms of individuals;
• record-keeping — SMEs are not required to keep records of processing activities, unless the processing is regular or likely to result in a risk to the rights and freedoms of the person whose data is being processed.
The European Commission must submit a report on the evaluation and review of the regulation by 25 May 2020.
Right to erasure (‘right to be forgotten’)
1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
(a) for exercising the right of freedom of expression and information;
(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(e) for the establishment, exercise or defence of legal claims.
Automated individual decision-making, including profiling
1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
Profiling is done when your personal aspects are being evaluated in order to make predictions about you, even if no decision is taken. For example, if a company or organisation assesses your characteristics (such as your age, sex, height) or classifies you in a category, this means you are being profiled.
Decision-making based solely on automated means happens when decisions are taken about you by technological means and without any human involvement. They can be taken even without profiling.
The data protection law establishes that you have the right not to be subject to a decision based solely on automated means, if the decision produces legal effects concerning you or significantly affects you in a similar way. A decision produces legal effects when your legal rights are impacted (such as your right to vote). In addition, processing can significantly affect you if it influences your circumstances, behaviour or choices. For example, automatic processing may lead to the refusal of your online credit application.
Profiling and automated decision-making are common practice in a number of sectors, such as banking and finance, taxation and healthcare. It can be more efficient, but may be less transparent and may restrict your choice.
Although, as a general rule, you may not be the subject of a decision based solely on automated processing, this type of decision-making may exceptionally be allowed if the use of algorithms is allowed by law and suitable safeguards are provided.
Decisions based solely on automated means are also allowed where:
• the decision is necessary (that is to say, there must be no other way to achieve the same goal) to enter or perform a contract with you;
• you have given your explicit consent.
In both instances, the decision taken needs to protect your rights and freedoms, by implementing suitable safeguards. The company or organisation must, at least, inform you of your right to human intervention and to make the required procedural arrangements. Furthermore, the company or organisation should allow you to express your point of view and inform you that you may contest the decision.
Algorithm-based decisions may not make use of special categories of data, unless you have given your consent or the processing is allowed by EU or national law (see above).
You use an online bank for a loan. You are asked to insert your data and the bank’s algorithm tells you whether the bank will grant you the loan or not and gives the suggested interest rate. You must be informed that you may express your opinion, contest the decision and demand that the decision made via the algorithm be reviewed by a person.
Article 20 Right to data portability
1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
(a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
(b) the processing is carried out by automated means.
2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.
If a company is processing your personal data on the basis of your consent or a contract, you can ask the company to transfer your personal data to you.
You can also ask for your personal data to be transferred directly to another company whose services you would like to use, when it’s technically feasible.
You are a member of an online social media network. You decide that a new rival social media network is better suited to your aims and age-group. You can ask your current online social media network to transfer your personal data, including your photos, to the new social media network.