Data Protection Impact Assessment: EU Legislation and China Plan

  • Cui Congcong,
  • Xu Zhixin
  • Institute of Internet Governance and Law, Beijing University of Posts and Telecommunications, Beijing 100876

Received date: 2019-05-06

Revised date: 2019-10-09

Online published: 2020-03-05

Abstract

[Purpose/significance] The Data Protection Impact Assessment (DPIA) introduced by the General Data Protection Regulation (GDPR) imposes new requirements on data controllers. By analyzing the relevant provisions on DPIA in the GDPR and studying its legislative ideas and core concept, this paper aims to provide a reference for related legislative work in China. [Method/process] This paper reviews the legal documents in the field of data protection in the EU, represented by the GDPR, summarizes the background and evolution of the DPIA system, and then analyzes in depth its data protection pattern, applicable situations, basic processes and execution processes. [Result/conclusion] The DPIA can cope with the increasingly complex and variable risk environment of data security, and has important practical value and reference significance. China's personal information protection law should establish a DPIA system that includes the DPIA's regulatory objects, applicable situations, data controllers' prior consultation obligations, and a data risk assessment model.

Cite this article

Cui Congcong, Xu Zhixin. Data Protection Impact Assessment: EU Legislation and China Plan[J]. Library and Information Service, 2020, 64(5): 41-49. DOI: 10.13266/j.issn.0252-3116.2020.05.005
