数据保护影响评估制度:欧盟立法与中国方案

doi:10.13266/j.issn.0252-3116.2020.05.005

图书情报工作 ›› 2020, Vol. 64 ›› Issue (5): 41-49.DOI: 10.13266/j.issn.0252-3116.2020.05.005

数据保护影响评估制度:欧盟立法与中国方案

崔聪聪, 许智鑫

北京邮电大学互联网治理与法律研究中心北京 100876

收稿日期:2019-05-06 修回日期:2019-10-09 出版日期:2020-03-05 发布日期:2020-03-05
作者简介:崔聪聪(ORCID:0000-0001-7633-1007),副主任,副教授,博士,E-mail:cuicongcong@bupt.edu.cn;许智鑫(ORCID:0000-0002-5149-5678),硕士研究生。
基金资助:
本文系国家社会科学基金重大项目"国家网络空间安全法律保障机制研究"（项目编号：13&ZD181）研究成果之一。

Data Protection Impact Assessment: EU Legislation and China Plan

Cui Congcong, Xu Zhixin

Institute of Internet Governance and Law, Beijing University of Posts and Telecommunications, Beijing 100876

Received:2019-05-06 Revised:2019-10-09 Online:2020-03-05 Published:2020-03-05

摘要/Abstract

摘要： [目的/意义] 欧盟一般数据保护条例（GDPR）引入的数据保护影响评估（DPIA）制度给数据控制者提出新的要求。通过解析GDPR中DPIA制度的相关规定，研究其立法思路和核心理念，可以为我国相关立法工作提供借鉴。[方法/过程] 通过查阅和梳理以GDPR为代表的欧盟数据保护领域的法律文件，归纳DPIA制度的出台背景和演化过程，深入剖析DPIA制度的数据保护模式、适用情形、基本流程和执行过程等主要内容。[结果/结论] DPIA制度能够应对愈加复杂多变的数据安全风险环境，具有重要的实践价值和参考意义。我国个人信息保护法应确立DPIA制度，具体内容包括DPIA的规制对象、适用情形以及数据控制者的事先咨询义务，并提出数据风险评估模型。

关键词: 数据保护影响评估, 风险路径, 数据风险评估模型, 个人信息保护法

Abstract: [Purpose/significance] The Data Protection Impact Assessment (DPIA) introduced by the General Data Protection Regulations (GDPR) imposes new requirements on data controllers. By analyzing the relevant provisions of DPIA in GDPR and studying its legislative ideas and core concept, it could provide reference for relevant legislative work in China.[Method/process] This paper reviews the legal documents in the field of data protection in the EU represented by GDPR, summarizes the background and evolution of the DPIA system, and then deeply analyzes its data protection pattern, applicable situations, basic processes and execution processes.[Result/conclusion] The DPIA can cope with the increasingly complex and variable risk environment of data security, which has important practical value and reference significance. China's personal information protection law should establish the DPIA system, which includes DPIA's regulatory objects, applicable situations, data controllers' prior consulting obligations, and data risk assessment model.

Key words: DPIA, risk-based approach, data risk assessment model, personal information protection law

中图分类号:

G250

崔聪聪, 许智鑫. 数据保护影响评估制度:欧盟立法与中国方案[J]. 图书情报工作, 2020, 64(5): 41-49.

Cui Congcong, Xu Zhixin. Data Protection Impact Assessment: EU Legislation and China Plan[J]. LIS, 2020, 64(5): 41-49.

参考文献

[1] The EU general data protection regulation is the most important change in data privacy regulation in 20 years[EB/OL].[2019-04-23]. https://eugdpr.org/.
[2] Guidelines on data protection impact assessment and determining whether processing is "likely to result in a high risk" for the purposes of regulation 2016/679[EB/OL].[2019-04-04]. https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611236.
[3] GELLERT R. Understanding the notion of risk in the general data protection regulation[J]. Computer law & security review, 2018, 34(2):279-288.
[4] BIEKER F, FRIEDEWALD M, HANSEN M, et al. A process for data protection impact assessment under the European general data protection regulation[C]//APF 2016. Lecture notes in computer science. Cham:Springer, 2016:21-37.
[5] 高富平. 个人数据保护和利用国际规则:源流和趋势[M]. 北京:法律出版社,2016.
[6] European Commission. Privacy and data protection impact assessment framework for RFID applications[EB/OL].[2019-01-12]. https://danskprivacynet.files.wordpress.com/2008/06/infso-2011-00068.pdf.
[7] European Commission. Recommendation of 10 October 2014 on the data protection impact assessment template for smart grid and smart metering systems[EB/OL].[2019-01-13]. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32014H0724&from=EN.
[8] VAN D N, GELLERT R, ROMMETVEIT K. A risk to a right? beyond data protection risk assessments[J]. Computer law & security review, 2016, 32(2):286-306.
[9] CLARKE R. Privacy impact assessment:its origins and development[J]. Computer law & security review, 2009, 25(2):123-135.
[10] WRIGHT D, DE H P. Privacy impact assessment[M]. Dordrecht:Springer Netherlands, 2012.
[11] CNIL. Privacy risk assessment:methodology (how to carry out a PIA)[EB/OL].[2019-02-01]. http://www.cnil.fr/fileadmin/documents/en/CNIL-PIA-1-Methodology.pdf.
[12] 肖冬梅,谭礼格.欧盟数据保护影响评估制度及其启示[J].中国图书馆学报,2018,44(5):76-86.
[13] WRIGHT D. The state of the art in privacy impact assessment[J]. Computer law & security review, 2012,28(1):54-61.
[14] WRIGHT D, GELLERT G, GUTWIRTH S, et al. Precaution and privacy impact assessment as modes towards risk governance[M]. Luxembourg:European Commission, 2011.
[15] BERNSTEIN P L. Against the Gods-the remarkable story of risk[M]. New York:John Wiley & Sons, 1996.
[16] EWALD F. Insurance and risk[M]. Chicago:The University of Chicago Press, 1991.
[17] WYNNE B. Risk and environment as legitimatory discourses of technology:reflexivity inside-out[J]. Current sociology, 2002, 50(3):459-477.
[18] POWER M. Organized uncertainty:designing a world of risk management[M]. Oxford:Oxford University Press, 2007.
[19] ISO. Risk management-Principles and guidelines[EB/OL].[2019-02-17]. https://www.iso.org/standard/43170.html.
[20] WARNER F. Risk:analysis, perception and management-a report of a royal[M]. London:The Royal Society, 1992.
[21] 程莹.风险管理模式下的数据保护影响评估制度[J].网络与信息安全学报,2018,4(8):63-70.
[22] Statement on the role of a risk based approach in data protection legal frameworks[EB/OL].[2019-03-25]. https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp218_en.pdf.
[23] 洪延青."以管理为基础的规制"——对网络运营者安全保护义务的重构[J].环球法律评论, 2016, 38(4):20-40.
[24] GELLERT R. Data protection:a risk regulation? between the risk management of everything and the precautionary alternative[J]. International data privacy law, 2015, 5(1):3-19.
[25] PDPC. Guide to data protection impact assessment[EB/OL].[2019-04-14]. https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Other-Guides/guide-to-dpias---011117.pdf.
[26] 范为. 大数据时代个人信息保护的路径重构[J]. 环球法律评论, 2016, 38(5):92-115.
[27] 中国国家标准化管理委员会. 《信息安全技术个人信息安全影响评估指南》(征求意见稿)[EB/OL].[2019-03-28]. https://www.tc260.org.cn/front/bzzqyjDetail.html?id=20180613180739930746&norm_id=20180523160439&recode_id=29212.
[28] BINNS R. Data protection impact assessments:a meta-regulatory approach[J]. International data privacy law, 2017, 7(1):22-35.
[29] 胡文涛.我国个人敏感信息界定之构想[J].中国法学,2018, 35(5):235-254.
[30] BIEKER F, MARTIN N, FRIEDEWALD M, et al. Data protection impact assessment:a hands-on tour of the GDPR's most practical tool[C]//IFIP. Advances in information and communication technology. Cham:Spring, 2018:207-220.

数据保护影响评估制度:欧盟立法与中国方案

Data Protection Impact Assessment: EU Legislation and China Plan

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 2

编辑推荐

Metrics

[1]	盛小平, 唐筠杰. 我国个人信息权利与欧盟个人数据权利的比较分析:基于《个人信息保护法》与GDPR[J]. 图书情报工作, 2022, 66(6): 26-33.
[2]	陈祥玲, 肖冬梅, 杨忠. 图书馆处理个人信息的合规义务研究[J]. 图书情报工作, 2022, 66(17): 69-80.