
Study Report on the Overview of EU Personal Information Protection

As a leading economic organization worldwide, the European Union has a personal information protection system that originates from the concept of privacy protection, namely that personal privacy is an important component of fundamental human rights and therefore must be respected and protected. To keep pace with the development of the digital economy and better protect the rights and interests of personal information subjects, the EU has established a strict protection mechanism in the field of personal information protection through conventions, regulations, guidelines and other legal norms. In 2020 the EU further put forward the European Data Strategy, which aims to build a single EU data market; to promote implementation of that strategy, the EU, drawing on practical experience, has successively issued many legal norms to strengthen data governance, gradually building a more comprehensive personal information protection system.

I. Legislative Overview

(i) Initial phase: key treaties

Personal information protection in the EU has its roots in privacy protection. Article 8 of the European Convention on Human Rights, which entered into force in 1953, already provides for respect for private and family life: everyone's private and family life, home and correspondence must be respected, and any restriction must be in accordance with the law and necessary in a democratic society. This article thus links privacy with personal life.
The 1981 Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (hereinafter "Convention 108") further states that individuals must be protected against harm caused by the misuse of personal information in the course of its collection and processing, and also emphasizes the regulation of cross-border flows of personal information. Convention 108 further prohibits the processing of personal information concerning an individual's race, political opinions, health, religion and the like, and provides that individuals have the right to know about their personal information and, where necessary, the right to request correction of errors in it. The right to personal information protection may be restricted only when major interests such as national security or defense are at risk. The latest version of the Convention was formally adopted in November 2012; the revised Convention expands the scope of protection of Convention 108 and removes the restriction to automated processing of personal information.
The 2000 Charter of Fundamental Rights of the European Union raised the protection of personal information rights and interests to the level of fundamental human rights. Article 8 sets out the content of personal information protection: everyone's personal information must be protected; processing of personal information must be limited to specified, explicit purposes and be carried out fairly, on the basis of the personal information subject's consent or another legitimate basis for processing. Everyone has the right of access to their personal information and the right to have it destroyed.

(ii) Core phase: the General Data Protection Regulation and its related guidelines

The General Data Protection Regulation (hereinafter "GDPR") is the core cornerstone of the EU's legal system for personal information protection. It has been directly binding on member states throughout the EU since 25 May 2018, establishing unified rules for the protection and flow of personal information within EU member states. To further explain the content of its provisions, the European Data Protection Board (hereinafter "EDPB") and the Article 29 Working Party have issued many guidelines providing targeted interpretation.

1. Scope of application

The GDPR has extraterritorial effect. Taking the place of establishment of the controller or processor as its starting point, it establishes a broad extraterritorial scope of application through the establishment criterion and the targeting criterion. The EDPB has also issued Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) to explain questions of application in detail. First, for a controller or processor with an establishment in the EU, as long as the personal information processing takes place in the context of the activities of that establishment, i.e. the processing is related to the establishment's activities, the processing is subject to the GDPR even if the actual processing does not take place within the EU. Second, even a controller or processor not established in the EU is subject to the GDPR if it offers goods or services to personal information subjects in the EU, or monitors the activities of personal information subjects that take place within the EU.

2. Definition of personal information

The GDPR defines personal information as any information relating to an identified or identifiable natural person, excluding anonymized information. Among this, racial or ethnic origin, trade union membership, political opinions, religious or philosophical beliefs, genetic information, biometric information processed for the purpose of uniquely identifying a natural person, information concerning a natural person's health, and information concerning a person's sex life or sexual orientation are special categories of personal information that require stricter protection. The Article 29 Working Party issued Opinion 05/2014 on Anonymisation Techniques, under which anonymized information is information that does not relate to an identified or identifiable natural person, or information provided in such a way that the personal information subject is not identifiable. The GDPR further provides that all reasonable and potentially available means should be taken into account in determining whether a natural person is identifiable. The Opinion also describes a number of anonymization techniques in detail, namely generalization and randomization, and evaluates their effectiveness along three dimensions: whether it is still possible to single out an individual; whether it is still possible to link records relating to an individual; and whether information about an individual can be inferred.

3. Lawful bases for processing

The GDPR provides many lawful bases for processing personal information, including: the consent of the personal information subject; necessity for the performance of a contract; necessity for the controller to comply with a legal obligation; necessity to protect the vital interests of the personal information subject or another natural person; processing carried out in the public interest or in the exercise of official authority; and the legitimate interests of the controller or a third party.
The GDPR pays close attention to the validity of consent. It defines consent as a freely given and unambiguous indication of the personal information subject's wishes, made on an informed basis by a statement or a clear affirmative action. To clarify the meaning of consent further, the EDPB issued Guidelines 05/2020 on consent under Regulation 2016/679, explaining how valid consent is obtained. First, consent must be freely given: it must not be bundled, and withdrawing consent must not bring adverse consequences for the personal information subject. Second, consent must be specific: the specific, explicit and legitimate purpose of the intended processing must be stated, and the granularity of the consent request refined, so that where consent is sought for different purposes, a separate opt-in mechanism is provided for each purpose. Third, consent must be informed: the personal information subject must be told at least the identity of the controller, the purposes of processing, the types of personal information collected and used, the right to withdraw consent, information about automated decision-making, and the potential risks arising from the absence of an adequacy decision and appropriate safeguards. Finally, consent must be an unambiguous act, i.e. an active statement or a clear affirmative action. In addition, the controller must be able to demonstrate that it has obtained valid consent.
For the lawful basis of necessity for the performance of a contract, the EDPB issued Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, further clarifying the standard for judging "necessity": a comprehensive judgment based on the legislative purpose of protecting personal privacy and the specific context. The EDPB recommends that controllers consider the following questions together: What is the service provided to the personal information subject? What are its distinctive characteristics? What is the purpose of the contract? What are its essential elements? What are the expectations of the parties? How is the service promoted to the personal information subject? Would an ordinary user, given the nature of the service, reasonably expect that performing the contract necessarily involves processing personal information? The EDPB also specifically selected common scenarios such as personalized news recommendation, personalized display and user profiling for illustration, making clear that service improvement, fraud prevention, targeted advertising, and personalized recommendation based on historical data are generally not regarded as necessary for the performance of a contract.

4. Rights of personal information subjects

A dedicated chapter of the GDPR sets out the rights of personal information subjects, including the right to be informed, the right to rectification, the right to data portability, the right to object, the right to be forgotten, and the right to restriction of processing. Regarding portability, the 2002 EU Universal Service Directive already provided for the portability of user numbers. The Article 29 Working Party also issued Guidelines on the right to data portability under Regulation 2016/679, which refine this right: it applies when the processing is based on the personal information subject's consent or the performance of a contract; the portable personal information is only that provided by the natural person; the transferred personal information must be in a structured, commonly used and machine-readable format; and the transfer must not adversely affect the rights and freedoms of third parties.
Regarding the right to be forgotten, the EDPB issued Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR, refining the lawful grounds for exercising the right to be forgotten against search engine providers and the exceptions to it. The right may be exercised when: the personal information is no longer necessary for the search engine provider's processing; consent was the lawful basis, no other legal ground exists, and the personal information subject withdraws consent; the subject exercises the right to object; the personal information has been unlawfully processed; the personal information must be erased to comply with a legal obligation; or the personal information was collected in connection with the offer of information society services to a child. Special circumstances in which the right cannot be exercised include: processing necessary for exercising the right of freedom of expression and information; processing necessary to comply with a legal obligation of the controller, or to perform a task in the public interest or as authorized by a supervisory authority; reasons of public interest in the area of public health; public interest, scientific or historical research purposes or statistical purposes, where the right to be forgotten is likely to render impossible or seriously impair the objectives of that processing; and the establishment, exercise or defense of legal claims.
Regarding automated decision-making, the Article 29 Working Party further elaborated the compliance requirements by issuing the Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679. The controller must fulfil its duty to inform: it must disclose the existence of automated decision-making and profiling, the logic involved, the significance of such personal information processing and the possible consequences for the personal information subject; it must also carry out an impact assessment and ensure, as far as possible, that children's information is not used for automated decision-making and profiling. As for safeguarding the rights of personal information subjects, where a decision based solely on automated processing, including profiling, produces legal effects or similarly significant effects on the personal information subject, the subject may exercise the right to object. However, the right to object to automated decision-making and profiling generally cannot be exercised in any of three circumstances: the processing is necessary for entering into or performing a contract; it is authorized by EU or member state law, which lays down rules and suitable measures to safeguard the subject's rights, freedoms and legitimate interests; or the subject has given explicit consent.

5. Compliance obligations of controllers and processors

Both controllers and processors must meet compliance obligations such as adopting data security measures, keeping records of specific processing activities, appointing a data protection officer where the conditions are met, and cooperating actively with supervisory authorities. Controllers must additionally carry out data protection impact assessments, fulfil the obligation of data protection by design and by default, and report personal information breaches.
For the obligation of data protection by design and by default, the EDPB issued Guidelines 4/2019 on Article 25 Data Protection by Design and by Default for further explanation. For protection by design, the controller should begin the overall design of data protection as soon as it has determined the general approach and strategy for the processing and is preparing to choose specific protection methods; taking into account the nature, scope, context and purposes of the processing, it should assess the likelihood and severity of the risks the processing may pose to the rights and freedoms of personal information subjects, and select appropriate technical, organizational and other safeguards so as to achieve the ultimate aim of effectively protecting those rights and freedoms. For protection by default, organizations should adopt appropriate, sufficient and relevant technical and organizational measures, such as access restrictions. It is particularly important to note that the security protection obligation is continuous: the controller must keep reassessing itself as circumstances change and adjust its technical and organizational measures accordingly. Finally, the Guidelines require the controller to be able to demonstrate that it has taken effective measures, so approval records, assessment records, operation logs and other relevant records must be retained for review.
For personal information breach notification, the GDPR provides that in the event of a personal information breach, the controller shall, where feasible, notify the supervisory authority without undue delay and at the latest within 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons; a delayed notification must also state the reasons for the delay. Where a breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall also promptly inform the personal information subjects. The EDPB has further issued Guidelines 9/2022 on personal data breach notification under GDPR Version 2.0, which provide more detailed rules on the time limit for notification, its contents, its recipients, how to notify, when notification is required, and what constitutes a personal information breach.
For cross-border activities, the GDPR provides for adequacy protection, appropriate safeguards provided by the controller or processor (including legally binding and enforceable instruments between public authorities or bodies, binding corporate rules, standard contractual clauses, etc.), and special situations (for example explicit consent, necessity for the performance of a contract, necessity for the interests of the personal information subject, necessity for the public interest, etc.). For cross-border transfers of personal information between the EU and the United States, the European Commission adopted the Adequacy Decision on the EU-US Data Privacy Framework on 10 July 2023, which means the EU recognizes that, under the EU-US Data Privacy Framework, the United States can provide a level of protection comparable to that of the EU, enabling personal information to be shared between the EU and the US organizations participating in the framework.

(iii) Refinement phase: protection norms in specific areas

1. Electronic communications

In 2021 the Council of the European Union adopted the Regulation on Privacy and Electronic Communications (the ePrivacy Regulation), replacing the 2002 Directive on Privacy and Electronic Communications (2002/58/EC). It aims to strengthen the protection of personal information in electronic communications-related business within the EU, complementing and refining the GDPR. The ePrivacy Regulation applies to all types of electronic communications data and electronic communications services, as well as to the sending of direct marketing communications to users. For electronic communications data, interference such as interception is prohibited in principle, but exemptions are provided for necessary purposes, necessary periods and cases where the user has consented. The Regulation specifically emphasizes the prohibition of unsolicited communications such as nuisance telemarketing calls without the user's consent: users must be clearly given the opportunity to consent to or refuse direct marketing when their personal information is collected, and merely obtaining contact details from a user does not constitute consent. In addition, information must not be collected from a user's terminal equipment unless consent has been obtained, the collection is necessary for the purpose of carrying out the electronic communication, it is necessary for providing an information society service, or it is necessary for an information society service provider to measure website visitors.

2. Financial sector

The draft Regulation on a framework for financial data access and amending regulations (Financial Data Access Regulation), published in 2023, makes specific provision for the personal information of financial customers, aiming to ensure that financial customers can effectively control access to, sharing of and use of their personal information. First, processing of personal information must satisfy one of the lawful bases for processing referred to in the GDPR. Second, customers have the right to require financial institutions to share the customer personal information they have collected with other data users, which further establishes the right to portability in the financial sector; shared personal information must be transmitted in a recognized standard format over a secure communication channel. At the same time, the data user receiving the personal information may process it only for the purposes and under the conditions agreed with the customer, must not store it longer than necessary, and must comply with the requirements for protecting trade secrets and intellectual property. In addition, financial institutions holding customer personal information must provide customers with a permission dashboard that shows the authorization status of each type of permission (for example the purpose, the authorization period, the name of the party with access, and the types of personal information shared) and allows customers to withdraw directly the sharing authorizations they have granted.

3. Artificial intelligence

Since 2018 the EU has successively issued policy documents such as the European Strategy on Artificial Intelligence and the Coordinated Plan on Artificial Intelligence, sketching an initial strategic framework for the EU's AI development. Recently the EU has been negotiating the draft Artificial Intelligence Act (hereinafter the "AI Act"), which is expected to become the EU's first comprehensive AI regulation. The AI Act applies to providers and deployers of AI systems; any entity providing AI services, whether it develops, distributes or merely resells, falls within its scope. The AI Act adopts a risk-based regulatory model: AI systems posing unacceptable risk may not be placed on the EU market. High-risk AI systems must fulfil compliance obligations, including establishing a risk management system and a quality management system; using high-quality training and test datasets, while ensuring that any collection of personal information for training meets the EU's personal information protection requirements and applying safeguards such as encryption; informing users about the AI system to ensure transparency; and ensuring human oversight, including correct interpretation of outputs and, in specific circumstances, refusing certain system outputs. Limited-risk AI systems must comply with transparency obligations, ensuring appropriate traceability and explainability. Low-risk or minimal-risk AI systems have no special compliance obligations.

4. Child protection

The draft Regulation to Prevent and Combat Child Sexual Abuse Online, published in 2022, also places special emphasis on protecting children's personal information while child sexual abuse is being investigated. Hosting service providers and interpersonal communication service providers that receive a detection order from the competent authority must deploy technical measures to detect child sexual abuse material, but such technology may be used only to execute the detection order. Providers must take all necessary measures to ensure that the technologies, the indicators and any processing of personal information serve solely the detection of child sexual abuse; establish internal procedures and mechanisms that prevent misuse of the technologies, indicators and personal information; and choose the processing method that least intrudes on individuals' data protection rights. In addition, providers may retain the content data and personal information generated by the measures taken under the Regulation only for the purposes of executing a detection order, reporting potential online child sexual abuse to the EU Centre, freezing the relevant account, terminating service to the user concerned, handling user complaints, or responding to requests from the competent authorities. The EU Centre likewise stores personal information in order to fulfil its legal obligations, applies technical and organisational measures to secure it, and deletes it promptly once the necessary retention period has elapsed.

5. Regulatory enforcement

The Data Protection Law Enforcement Directive, which entered into force in 2016, governs the processing of personal information by criminal law enforcement authorities. It aims to ensure that the personal information of victims, witnesses and suspects is effectively protected and to facilitate cross-border cooperation in combating terrorism and other serious crime. As a directive it becomes legally binding only once it has been transposed into national law. It grants data subjects the rights to access, rectify, erase and restrict the processing of their personal information, and allows not-for-profit bodies, organisations or associations to lodge complaints on a data subject's behalf. All law enforcement processing in the EU must comply with the principles of necessity, proportionality and lawfulness.
In 2018 the European Parliament and the Council adopted Regulation (EU) 2018/1725, which builds on the GDPR and focuses on the processing of personal information by EU institutions, bodies, offices and agencies; as a general rule such processing is subject to the same provisions as the GDPR. The Regulation designates the European Data Protection Supervisor (EDPS) as the supervisory authority, and during their term of office the EDPS and its staff are bound by a duty of confidentiality regarding any confidential information they learn in the course of their duties. The EDPS may bring allegations against controllers and processors and may require them to report, within a reasonable period, their views on the allegation and the measures taken in response to it. The EDPS's own activities are subject to continuous oversight: its annual activity report is submitted to the European Parliament and the Council, and is also scrutinised by other EU institutions.

(iv) Strategic phase: data governance legislation

To advance the EU data strategy's goal of a single market for data, the European Commission proposed the Data Governance Act, which seeks to increase the availability of data by building data-sharing mechanisms. The Act creates a framework for the re-use of public sector data: exclusive licences for such data, or arrangements whose effect is to restrict its re-use, are prohibited in principle, unless necessary to provide a service or product in the general interest, and then for no more than three years. Public sector bodies may make data protected by intellectual property rights available for re-use only where EU or Member State law permits it or the right holder consents. The Act also establishes data intermediation services, platforms through which data can be shared between an undetermined group of data subjects, data holders and prospective data users; qualifying intermediaries may display a common recognised label, backed by an EU-wide notification and certification scheme. To further encourage data sharing in the public interest, the Act introduces "data altruism organisations": entities that meet the requirements are registered and may use the label "data altruism organisation recognised in the Union".
The Data Act supplements the Data Governance Act, in particular by laying down obligations to share data. Users are given the right to share data with third parties: on the user's request the data holder must make the available data, together with the metadata needed to interpret and use it, available to the third party without undue delay. The data holder may ask for compensation, but it must be reasonable and non-discriminatory. Manufacturers and service providers must ensure that their connected (IoT) products and related services give users direct, easy and secure access to the data those products and services generate. They may apply appropriate technical protection measures, but such measures may not discriminate against data recipients or prevent users from exercising their rights. The Data Act also imposes new obligations on cloud service providers, such as assisting customers in making their data available to a comparable provider and refraining from any technical or contractual restriction that would prevent the customer from doing so.
The rapid growth of the digital economy has produced a large number of online platforms, and existing EU competition law was not sufficient to address the challenges that large platforms pose to digital markets. To promote the EU digital single market and restore competitive order, the EU adopted the Digital Markets Act (DMA), aimed at providers of core platform services. The DMA introduces the concept of the "gatekeeper" and regulates platforms that meet the designation criteria and provide core platform services to business users or end users in the EU, regardless of where the gatekeeper is established and regardless of whether the service is also governed by other law. The designation criteria are as follows:
Criterion for designation as a gatekeeper, and the threshold at which it is presumed to be met:

1. Significant impact on the internal market.
   Presumed where the undertaking's annual turnover in the EU was at least €7.5 billion in each of the last three financial years, or its average market capitalisation was at least €75 billion in the last financial year, and it provides the same core platform service in at least three Member States.

2. The core platform service is an important gateway for business users to reach end users.
   Presumed where the core platform service had more than 45 million monthly active end users in the EU or more than 10,000 yearly active business users in the EU in the last financial year.

3. An entrenched and durable market position, held now or foreseeable in the near future.
   Presumed where the thresholds under criterion 2 were met in each of the last three financial years.
The DMA requires fair dealing: a gatekeeper may not use non-public data generated or provided by business users through its core platform service to compete with those business users; may not freely combine personal information collected through a core platform service with personal information collected by its other services or by third-party services; and must provide advertisers, or third parties authorised by them, free of charge and on a daily basis, with information about each advertisement the advertiser has placed. A gatekeeper may not favour its own services or products over similar ones offered by third parties, and must apply transparent, fair and non-discriminatory conditions to ranking and display. It must also safeguard users' rights to portability, choice and fair dealing, including allowing users to uninstall any application on the operating system, except applications that are essential to the functioning of the operating system or device and that cannot technically be offered on a stand-alone basis by a third party.

For intermediary services offered to recipients in the EU, the EU adopted the Digital Services Act (DSA), which regulates providers of intermediary services to recipients located or established in the EU. Online platforms must meet content moderation obligations: provide users with an easily accessible mechanism for complaints about illegal content and publish transparency reports on content moderation; design and operate their interfaces so as not to deceive, coerce or otherwise materially impair users' ability to make free and informed choices; and not use minors' personal information for targeted advertising. They must also strengthen the management of traders and the protection of users' rights, ensuring the traceability of traders who transact on the platform: a trader must supply the required information before it may offer services, and the platform must assess whether that information is reliable and complete. When an online platform becomes aware that a trader has offered illegal products or services through the platform, it must, if it holds the contact details of the users concerned, inform users who purchased the illegal products or services in the preceding six months of the trader's identity and of the remedies available to them.
Very large online platforms (platforms with more than 45 million average monthly active users in the EU that the European Commission has designated as such) are subject to stricter regulation, because their larger user base can generate greater risks. They must carry out a systemic risk assessment at least once a year, paying particular attention to the design of recommender systems and other relevant algorithmic mechanisms, content moderation systems, the applicable terms and conditions and their enforcement, advertisement selection and display systems, and data processing activities; undergo an independent audit at least once a year; offer for each recommender system at least one option that is not based on profiling; give regulators the access they require within a reasonable period, for example through an API; and publish a report every six months which, beyond the transparency reporting requirements for online platforms described above, also describes the human resources devoted to content moderation (including staff qualifications and expertise), the training and support provided to those staff, and the accuracy metrics and related information for automated content moderation.

II. Overview of enforcement

(i) Enforcement authorities

In principle, each EU Member State must designate its own national supervisory authority for enforcement. Under Article 51 of the GDPR, each Member State shall provide for one or more supervisory authorities responsible for monitoring the application of the GDPR in that State, in order to protect the fundamental rights and freedoms of natural persons in relation to the processing of their personal information and to facilitate the free flow of personal information within the EU.
At EU level there are two main personal information protection bodies. The first is the European Data Protection Supervisor (EDPS), which is responsible for ensuring that EU institutions comply with data protection rules when processing personal information and for ensuring consistent application of the GDPR by the Member States' supervisory authorities. The second is the European Data Protection Board (EDPB), which is composed of representatives of the national supervisory authorities of the Member States and of the EDPS. The EDPB is responsible for ensuring that the GDPR is applied consistently across the EU, for example by issuing general guidance to Member States on applying the GDPR and by adopting binding decisions to resolve cross-border enforcement disputes between Member States' authorities.

(ii) One-stop-shop enforcement mechanism

The GDPR establishes a one-stop-shop mechanism. For cases involving cross-border processing, the supervisory authorities of all Member States concerned may take part in a joint investigation, with the supervisory authority of the Member State in which the undertaking has its main establishment acting as lead supervisory authority and coordinating the case. The lead authority must communicate the relevant information to the other authorities concerned without delay, submit a draft decision to them, seek their opinions and take due account of their views. The mechanism creates a system of cooperation between supervisory authorities that is intended to reduce the compliance burden on businesses and make it simpler for individuals to exercise their rights. In practice, however, enforcement approaches differ across the EU, as does the capacity of national enforcement staff, so Member States apply differing enforcement standards.

(iii) Enforcement in practice

Under the GDPR, fines for ordinary infringements are capped at €10 million or a set percentage of the undertaking's worldwide annual turnover in the preceding financial year, whichever is higher; for serious infringements the cap is €20 million or a set percentage of worldwide annual turnover in the preceding financial year, whichever is higher. According to statistics from the GDPR Enforcement Tracker website, Ireland, Luxembourg, France, Italy, the United Kingdom and Spain rank highest by total amount of fines, while Spain, Italy, Romania, Germany, Hungary and Greece rank highest by number of fines. The main grounds on which authorities fine companies are non-compliance with the basic principles of processing, a doubtful legal basis for processing, insufficient technical and organisational measures to ensure data security, and failure to honour data subjects' requests to exercise their rights. By sector, media and telecommunications, industry and commerce, and transport and energy attract the most fines. Overall, however, the intensity of enforcement varies from country to country. Some authorities have already imposed very large fines; according to the GDPR Enforcement Tracker, the largest to date is the €1.2 billion fine imposed on Meta (Meta Platforms Ireland Limited) by the Irish data protection authority in 2023.
Given the particular position of large online platforms, the EU has imposed stricter compliance obligations on them and began enforcing those obligations progressively in 2023. In December 2023 the European Commission opened formal proceedings to assess whether the very large online platform X (formerly Twitter) had breached the Digital Services Act in the areas of risk management, content moderation, dark patterns and advertising transparency. On the basis of its preliminary findings the Commission decided to bring formal infringement charges against the platform under the DSA, and may take further enforcement measures, such as interim measures, on that basis. This is the EU's first enforcement case against a very large online platform, and it shows that the EU has begun to step up enforcement at the data governance level in order to regulate the processing activities of large online platforms and raise the level of personal information protection.

Disclaimer

This article is copyrighted by TalkingData's Legal Compliance Department. Its contents are for general reference only and should not be regarded as an opinion on any specific matter. TalkingData's Legal Compliance Department accepts no responsibility for any judgment or decision made on the basis of all or part of this article, or for the legal consequences thereof.

For any questions, please contact the mailing group: td_lega1@tendcloud.com.
