立場新聞 Stand News

The General Data Protection Regulation

2018/6/30 — 14:47

File photo, source: pixabay.com


With 5G around the corner, Hong Kong will inevitably develop into a smart city, and the Legislative Council has debated "Expediting the development of a smart city". The government's first task should be to prepare the relevant legislation, in particular on privacy protection and cyber security. To some extent copyright law is also relevant, but the experience of the 2014 Copyright Ordinance amendment shows that such bills are highly sensitive and take a long time. Yet we see no work by the government in this area at all.

Rapid technological development and globalisation have brought new challenges for the protection of personal data. The scale on which personal data is collected and shared worldwide has increased markedly. New technologies allow businesses and governments to exploit personal data and track people's activities on an unprecedented scale. People increasingly expose their personal data. Technology has transformed economic and social activity; accordingly, facilitating the free flow and transfer of personal data across borders and ensuring that personal data is protected by law must be balanced against each other.

The European Parliament's legislative acts come in five types: regulations, directives, decisions, recommendations and opinions. Regulations are the highest level and are binding in every EU member state (Note 1).


After four years of preparation and debate, the EU approved the General Data Protection Regulation (EU General Data Protection Regulation, GDPR) on 14 April 2016; it came into force on 25 May 2018, and its implementation will be reviewed in 2020.

The Law Society of Hong Kong has said it is "preparing to comply with the EU General Data Protection Regulation", because European data protection law applies whenever the processing of personal data of EU members is involved.


Citizens' rights

Rights that the GDPR strengthens or adds include:

• citizens can find out how their personal data is processed in an easily understandable way;
• citizens enjoy the "right to be forgotten";
• citizens have the right to know whether their personal data has been hacked;
• it is easier for users to switch service providers (a new right).

Impact on businesses

The GDPR creates business opportunities and stimulates innovation (Note 2):

• a single set of rules saves businesses €2.3 billion;
• public authorities and businesses processing data on a large scale must appoint a data protection officer;
• each country sets up a one-stop-shop supervisory authority;
• non-EU companies that process EU citizens' personal data must comply with the regulation;
• data protection safeguards must be considered at the product development stage;
• personal privacy is protected with techniques such as pseudonymisation (identifiers) and encryption;
• unified removal of notifications;
• businesses must carry out risk assessments;
• businesses with more than 250 employees need dedicated staff to handle data records;
• offenders face heavy fines.

The right to be forgotten

The most controversial part of the new regulation is the establishment of the right to be forgotten (Note 3) [Article 17, Right to erasure ('right to be forgotten')]. A data subject's exercise of this right is subject to limits.

A data subject does not have the right to be forgotten in the following circumstances:

(a) it would affect freedom of expression and information;
(b) the controller cannot comply because it must meet a legal obligation;
(c) for reasons of public interest in the area of public health;
(d) where required by the public interest, for example scientific or historical research;
(e) for the defence of legal claims.

Outside the above circumstances, a data subject may demand the erasure of their personal data on the following grounds:

(a) the personal data are no longer necessary for the purposes for which they were collected;
(b) the data subject originally consented to processing for certain specified purposes and now withdraws that consent;
(c) the data are being used for market research purposes;
(d) the personal data have been unlawfully processed;
(e) the personal data must be erased under the law;
(f) personal data registered by parents for children under 16.

The EU legislation shows that many netizens misunderstand the right to be forgotten. For example, someone called a "kai dai" (a crude Cantonese insult) by netizens has none of the six grounds above for demanding that Facebook delete the post.

Opponents make an issue of the conflict between the right to be forgotten and blockchain technology, and accuse the GDPR of killing the internet. This seems exaggerated, because the situations above are rarely put on a blockchain: first, there is no need to, and second, blockchains (such as cryptocurrencies) are costly and slow to write to.

The right not to be subject to decisions made by computers

People are increasingly controlled by machines; this is unavoidable. Computers predict consumer behaviour, steer consumption and even change consumers' needs. Machines decide people's lives, but machines sometimes get it wrong.

In view of this, Article 22 of the EU GDPR provides that a data subject has the right not to be subject to a decision based solely on automated processing. (Note 4)

Article 22

Automated individual decision-making, including profiling

For example, when you apply for a loan through online banking, the bank's algorithm tells you whether you get the loan and gives a suggested interest rate. You have the right to demand that a bank employee (a natural person) review the decision.

A new right

The GDPR introduces a new right, the right to data portability. (Note 5)

Article 20 provides that a data subject has the right to receive their personal data from the data controller in a structured, commonly used and machine-readable format, and the right to transmit that data to another controller without hindrance:

For example, you are a (paying) member of a dating site. When you want to move to another dating site, you can ask your current dating site to transfer your personal data (including photos) to the new site.

———
Notes

Note 1

Regulations, Directives and other acts

The aims set out in the EU treaties are achieved by several types of legal act. Some are binding, others are not. Some apply to all EU countries, others to just a few.

Regulations

A "regulation" is a binding legislative act. It must be applied in its entirety across the EU. For example, when the EU wanted to make sure that there are common safeguards on goods imported from outside the EU, the Council adopted a regulation.

Directives

A "directive" is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to devise their own laws on how to reach these goals. One example is the EU consumer rights directive, which strengthens rights for consumers across the EU, for example by eliminating hidden charges and costs on the internet, and extending the period under which consumers can withdraw from a sales contract.

Decisions

A "decision" is binding on those to whom it is addressed (e.g. an EU country or an individual company) and is directly applicable. For example, the Commission issued a decision on the EU participating in the work of various counter-terrorism organisations. The decision related to these organisations only.

Recommendations

A "recommendation" is not binding. When the Commission issued a recommendation that EU countries' law authorities improve their use of videoconferencing to help judicial services work better across borders, this did not have any legal consequences. A recommendation allows the institutions to make their views known and to suggest a line of action without imposing any legal obligation on those to whom it is addressed.

Opinions

An "opinion" is an instrument that allows the institutions to make a statement in a non-binding fashion, in other words without imposing any legal obligation on those to whom it is addressed. An opinion is not binding. It can be issued by the main EU institutions (Commission, Council, Parliament), the Committee of the Regions and the European Economic and Social Committee. While laws are being made, the committees give opinions from their specific regional or economic and social viewpoint. For example, the Committee of the Regions issued an opinion on the clean air policy package for Europe.

Note 2

Summary

SUMMARY OF:

Regulation (EU) 2016/679 — protection of natural persons with regard to the processing of personal data and the free movement of such data

WHAT IS THE AIM OF THE REGULATION?

• It allows European Union (EU) citizens to better control their personal data. It also modernises and unifies rules allowing businesses to reduce red tape and to benefit from greater consumer trust.
• The general data protection regulation (GDPR) is part of the EU data protection reform package, along with the data protection directive for police and criminal justice authorities.

Citizens’ rights

The GDPR strengthens existing rights, provides for new rights and gives citizens more control over their personal data. These include:

• easier access to their data — including providing more information on how that data is processed and ensuring that that information is available in a clear and understandable way;
• a new right to data portability — making it easier to transmit personal data between service providers;
• a clearer right to erasure (‘right to be forgotten’) — when an individual no longer wants their data processed and there is no legitimate reason to keep it, the data will be deleted;
• right to know when their personal data has been hacked — companies and organisations will have to inform individuals promptly of serious data breaches. They will also have to notify the relevant data protection supervisory authority.

Rules for businesses

The GDPR is designed to create business opportunities and stimulate innovation through a number of steps including:

• a single set of EU-wide rules — a single EU-wide law for data protection is estimated to make savings of €2.3 billion per year;
• a data protection officer, responsible for data protection, will be designated by public authorities and by businesses which process data on a large scale;
• one-stop-shop — businesses only have to deal with one single supervisory authority (in the EU country in which they are mainly based);
• EU rules for non-EU companies — companies based outside the EU must apply the same rules when offering services or goods, or monitoring behaviour of individuals within the EU;
• innovation-friendly rules — a guarantee that data protection safeguards are built into products and services from the earliest stage of development (data protection by design and by default);
• privacy-friendly techniques such as pseudonymisation (when identifying fields within a data record are replaced by one or more artificial identifiers) and encryption (when data is coded in such a way that only authorised parties can read it);
• removal of notifications — the new data protection rules will scrap most notification obligations and the costs associated with these. One of the aims of the data protection regulation is to remove obstacles to free flow of personal data within the EU. This will make it easier for businesses to expand;
• impact assessments — businesses will have to carry out impact assessments when data processing may result in a high risk for the rights and freedoms of individuals;
• record-keeping — SMEs are not required to keep records of processing activities, unless the processing is regular or likely to result in a risk to the rights and freedoms of the person whose data is being processed.
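Pseudonymisation as described in this note (and in the "impact on businesses" list above), as an added example that is not part of the article or of the EU text it quotes: identifying fields are replaced by artificial identifiers derived with a keyed hash, and the key and the re-identification table are held apart from the dataset. The field names, key and records are constructed for the example.

```python
import hmac
import hashlib

# Fields treated as directly identifying (an assumption for this example).
IDENTIFYING_FIELDS = ("name", "email")

# Constructed sample records, as a small customer table might look.
SAMPLE_RECORDS = [
    {"name": "Chan Tai Man", "email": "taiman@example.com", "city": "Kowloon", "spend": 120},
    {"name": "Lee Siu Ming", "email": "siuming@example.com", "city": "Sha Tin", "spend": 45},
    {"name": "Chan Tai Man", "email": "taiman@example.com", "city": "Kowloon", "spend": 80},
]

def pseudonym(key: bytes, value: str) -> str:
    # Keyed hash, not a plain hash: without the key nobody can recompute the
    # token from a guessed name or e-mail address, so the dataset alone does
    # not say who a record is about. The same value always maps to the same
    # token, so records about one person can still be joined for analysis.
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]

def pseudonymise(records, key: bytes):
    # Returns (pseudonymised records, re-identification table). The table is
    # the separate information that makes re-identification possible; it and
    # the key must be stored apart from the dataset under separate access control.
    output, table = [], {}
    for rec in records:
        new_rec = dict(rec)
        for field in IDENTIFYING_FIELDS:
            token = pseudonym(key, rec[field])
            table[token] = rec[field]
            new_rec[field] = token
        output.append(new_rec)
    return output, table

def reidentify(record, table):
    # Restores identifying fields from the separately held table. Raises
    # KeyError once the mapping has been deleted: the record is then no
    # longer attributable to anyone.
    restored = dict(record)
    for field in IDENTIFYING_FIELDS:
        restored[field] = table[record[field]]
    return restored

def erase_subject(table, key: bytes, subject: dict) -> None:
    # Erasure at the mapping level (one way to honour an erasure request):
    # drop the entries that link this person's tokens back to their identity,
    # so their remaining records become unlinkable.
    for field in IDENTIFYING_FIELDS:
        table.pop(pseudonym(key, subject[field]), None)
```

Analytics such as summing `spend` per customer still work on the pseudonymised output, while a leak of that output alone exposes no names or addresses.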

Review

The European Commission must submit a report on the evaluation and review of the regulation by 25 May 2020.

Note 3

Right to erasure (‘right to be forgotten’)

1.   The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

2.   Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

3.   Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

(a) for exercising the right of freedom of expression and information;
(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(e) for the establishment, exercise or defence of legal claims.

Note 4

Article 22

Automated individual decision-making, including profiling

1.   The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

Profiling is done when your personal aspects are being evaluated in order to make predictions about you, even if no decision is taken. For example, if a company or organisation assesses your characteristics (such as your age, sex, height) or classifies you in a category, this means you are being profiled.

Decision-making based solely on automated means happens when decisions are taken about you by technological means and without any human involvement. They can be taken even without profiling.

The data protection law establishes that you have the right not to be subject to a decision based solely on automated means, if the decision produces legal effects concerning you or significantly affects you in a similar way. A decision produces legal effects when your legal rights are impacted (such as your right to vote). In addition, processing can significantly affect you if it influences your circumstances, behaviour or choices. For example automatic processing may lead to the refusal of your online credit application.

Profiling and automated decision-making are common practice in a number of sectors, such as banking and finance, taxation and healthcare. It can be more efficient, but may be less transparent and may restrict your choice.

Although, as a general rule, you may not be the subject of a decision based solely on automated processing, this type of decision-making may exceptionally be allowed if the use of algorithms is allowed by law and suitable safeguards are provided.

Decisions based solely on automated means are also allowed where:

• the decision is necessary (that is to say, there must be no other way to achieve the same goal) to enter or perform a contract with you;
• you have given your explicit consent.

In both instances, the decision taken needs to protect your rights and freedoms, by implementing suitable safeguards. The company or organisation must, at least, inform you of your right to human intervention and to make the required procedural arrangements. Furthermore, the company or organisation should allow you to express your point of view and inform you that you may contest the decision.

Algorithm-based decisions may not make use of special categories of data, unless you have given your consent or the processing is allowed by EU or national law (see above).

Example

You use an online bank for a loan. You are asked to insert your data and the bank’s algorithm tells you whether the bank will grant you the loan or not and gives the suggested interest rate. You must be informed that you may express your opinion, contest the decision and demand that the decision made via the algorithm be reviewed by a person.

Note 5

Article 20 Right to data portability

1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
(a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
(b) the processing is carried out by automated means.

2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

If a company is processing your personal data on the basis of your consent or a contract, you can ask the company to transfer your personal data to you.

You can also ask for your personal data to be transferred directly to another company whose services you would like to use, when it’s technically feasible.

Example

You are a member of an online social media network. You decide that a new rival social media network is better suited to your aims and age-group. You can ask your current online social media network to transfer your personal data, including your photos, to the new social media network.
