GDPR: A Weak Showing in 2018, Possibly a Fresh Start in 2019

On May 25, 2018, the EU formally implemented the General Data Protection Regulation (GDPR), one of the key events in tech for 2018. This ambitious legislation is the world's strictest privacy and security law, and it was meant to guarantee users better control over their personal data. But has the law achieved the intended effect? For most people, whether in the EU or elsewhere in the world, the only visible sign of "better control" seems to be the countless annoying consent pop-ups that appear on every site they visit.

First things first: what exactly is GDPR?

If you are already a GDPR expert, you can skip this section. But considering that the GDPR text runs to more than 100 pages and that there are many misconceptions about the law, a short explanation of its main points is in order.

The EU genuinely wants people to have better control over their personal data. All EU data subjects (a legal term for EU citizens and residents who use computers and similar devices) now have the right to a say in how organizations handle their data, because they are only "lending" it: personal data belongs to the individual and to no one else.

So under GDPR, individuals have the right to:

  1. Know how their personal data is processed;
  2. Access their personal data;
  3. Request that incorrect personal data be corrected;
  4. Request that personal data be erased (for example, when the processing is unlawful);
  5. Object when their personal data is used for marketing purposes;
  6. Request the restriction of processing of their personal data in specific cases;
  7. Data portability;
  8. Request that decisions based on automated processing of their data be made by a natural person, not solely by a computer.

On the enforcement side, GDPR allows "data subjects" to seek compensation for damages. Violations of GDPR can be fined up to 4% of global revenue or €20 million, whichever is higher, and this fine is described as the regulation's most powerful enforcement tool. Faced with potentially huge fines, even the tech giants must pay attention to GDPR, but the law's reach also plays an important role. In fact, the law applies to any company that processes the personal data of EU citizens or residents, which is why the implementation of GDPR in 2018 was so significant.

Under GDPR, companies are responsible for personal data and for how they process it, which includes not using personal data in any way without proper authorization or a valid reason. Such a reason can, for example, be unambiguous consent, a court order, or the need to process personal data in order to perform or prepare a contract with the individual, such as a background check before renting out a home. However, companies may also process personal data where there is a "legitimate interest", a clause whose meaning is unclear and causes confusion. We hope that clearer definitions and guidelines will be issued in 2019, with reference to common-sense usage.

The regulation requires companies to ensure appropriate data security, to process data transparently, and to notify affected data subjects within 72 hours or face penalties. This last obligation is significant, but a large number of major data breaches occurred in 2018, most of which did not notify affected users within 72 hours, so the rule has not had much effect. Facebook did not disclose its most recent data breach until more than two months after it happened.

Wait, if the rules are not followed, what good is GDPR?

Weak enforcement in 2018

Mozilla is known for its stance on privacy and an open internet, and Raegan MacDonald is Mozilla's Senior Policy Manager and EU Principal. For her, GDPR's performance has been a mixed bag, at least in its first months.

MacDonald says:

"Although some progress is being made, it is still early and GDPR has not yet had much impact. Many companies have updated their privacy policies and created tools that give users more control, such as ways to request that their data be deleted. But these measures have all been too superficial, and many companies appear to be interpreting GDPR as narrowly as possible. I am concerned that, by default, privacy is still put at risk when users have limited understanding and no meaningful control over it."

One of GDPR's goals was to encourage (or forcefully nudge) companies to build privacy in from the design stage, and the current situation is disappointing.

But MacDonald is optimistic about the future: "We haven't yet seen any company hit with a huge fine. But I think that if 2018 was the year of implementation, 2019 should be the year of enforcement." She points out that nine EU member states have yet to implement GDPR, and that the regulator, the European Data Protection Board, is still being set up, so it is no wonder progress has been slow.

"I expect that by 2019 the 'grace period' will end, and companies will either behave or face huge fines. The effectiveness of a law depends on how it is enforced, and the fact that many data protection authorities are starting to scrutinize closely the underwhelming measures taken by some companies (as well as the thousands of complaints) is quite encouraging."

At present, Europe's data protection authorities (DPAs) have accumulated many high-profile complaints. On May 25, the privacy advocacy group noyb filed complaints with data protection enforcement bodies accusing Facebook, Google and other companies of "forcing" their users to "consent" to the collection and processing of personal data, when users should be able to use the services without agreeing to give up their personal data. There have also been recent reports that Google allegedly tracked its EU users illegally.

Being able to file complaints with DPAs is good, but beyond that, MacDonald says, controls need to be made more actionable so that users are genuinely in charge of their own data: "Mozilla strongly believes that users should be given real control, not just tools buried in privacy notices or deep within settings menus. Ultimately, GDPR needs strong enforcement in Europe to discipline companies that fail to live up to its principles."

Companies such as Mozilla have started building tools like anti-tracking features in browsers, but there is a greater need to adopt GDPR's mindset and truly give people control over their data. As MacDonald points out, we need strong enforcement. But where are the regulators?

GDPR will start to bite in 2019

GDPR has only been in force for a few months, but regulators have been busy for much longer. The DPA in every member state has been expanding its staff numbers and expertise. For example, the Irish Data Protection Commission (DPC) has grown from fewer than 30 employees in 2014 to 130 in 2018, and plans to expand its staff and expertise further in 2019.

Many of the world's largest tech companies have their EU headquarters in Ireland, so the Irish DPC plays a very important role in implementing GDPR. Complaints against companies such as Facebook, Twitter, Microsoft, LinkedIn and Google fall within the DPC's remit. Graham Doyle, Head of Communications at the Irish DPC, notes that GDPR has raised public awareness of personal data privacy. One important indicator is the sharp rise in the number of reported incidents: 3,500 breach notifications and 2,500 complaints in 2018, double the figures for 2017. "In early 2017 we conducted a survey assessing the level of GDPR awareness among Irish businesses and found it to be between 30% and 40%. When we repeated the survey in May 2018, the figure had risen to around 90%."

GDPR did have some effect in 2018, prompting the public to think more about how their personal data is handled. The DPC regards educating businesses and the public as an important part of its role, and has therefore invested considerable resources in raising public awareness of personal privacy.

"We take a two-pronged approach to upholding GDPR: enforcement and engaged supervision," says Doyle. "We exercise engaged supervision by engaging with organizations and consulting on legislation relating to personal data and on companies' new products. When we engage with organizations, we try to help them get it right from the start." This approach is understandable, since for companies it is far better to do the right thing in the first place and prevent personal data breaches than to focus solely on punishing offenders. Doyle adds that the DPC also intends to fulfill its corrective role, and that the weak enforcement in GDPR's first months is not a sign of failure. "The new toolkit that GDPR provides gives DPAs significantly greater powers," Doyle explains, adding that no fines have been issued yet because investigations are still ongoing. "Where it applies, we will use the powers granted to us to the fullest and make full use of the GDPR toolkit."

GDPR's impact in 2018 can be summed up as greater public awareness of how personal data is handled and a push for companies to change their practices, although most companies could still do better. Doing better requires stronger enforcement, and that should not be long in coming. Asked when the investigations will conclude, Doyle said: "In 2019 we will complete some of the larger investigations."

GDPR will play a bigger role in 2019, when the law will come into full effect.

One of the defining moments for tech in 2018 was on May 25, when the EU implemented its General Data Protection Regulation — the ominous GDPR. The ambitious legislation is the toughest privacy and security law in the world and was meant to guarantee users better control over their personal data.

But has it? For most people, both in the EU and outside, the ‘better control’ only took form in a myriad of annoying consent pop-ups on seemingly every single site they visited.

That’s why we’re taking a look at GDPR’s 2018; here’s what the experts had to say.

First things first though, what exactly is GDPR?

If you’re already an expert on GDPR, you can probably skip this section. But considering that GDPR’s text counts more than 100 pages and the many misunderstandings regarding the legislation — like that you can read your boss’ email about you (spoiler alert, you can’t) — I’d wager that’s not likely. That’s why a short explanation of its main points is in order, based on this 2,000-word summary.

When the EU says it wants to give people better control over their personal data, it means it. All EU data subjects (legalese for EU citizens and residents who use computers and stuff) now have the right to have a say in how organizations handle their data, as they’re only ‘lending’ the data — your personal data should belong to you and nobody else.

So under GDPR, you have the right to:

  1. Information about how your personal data is processed
  2. Obtain access to the personal data held about you
  3. Ask for incorrect personal data to be corrected
  4. Request personal data to be erased (e.g. when its processing is unlawful)
  5. Object to your personal data being used for marketing purposes
  6. Request the restriction of the processing of your personal data in specific cases
  7. Data portability
  8. Request that decisions based on automated processing involving you or your data are made by natural persons, not only by computers

In order to enforce this, GDPR allows ‘data subjects’ to seek compensation for damages. But the biggest enforcement tool is the possible fine for violating GDPR: up to 4 percent of global revenue or €20 million, whichever is higher.

This staggering amount ensures that even tech Goliaths will be wary of GDPR, but its reach also plays a big part. The legislation actually applies to any company that handles personal data of EU citizens or residents — which is why GDPR was such a big deal in 2018.

GDPR puts a lot of responsibility on companies and how they handle people’s data. Those responsibilities include not using people’s personal data in any way, without proper authorization or reason. That can, for example, be an unambiguous consent, court order, or if processing is necessary to execute or prepare a contract with the person, e.g. background check before leasing them an apartment.

However, companies are also allowed to process a person’s data if there’s “legitimate interest” — which is just as vague as it sounds and is one of the major culprits for the confusion surrounding GDPR. We’ll probably see better definitions and guidelines for this in 2019, but it should refer to common sense usage.

Companies are also required to have appropriate data security and transparent data processing, and have to notify affected data subjects within 72 hours or face penalties. This last obligation is great, but it hasn’t had much impact in 2018, as there’s been a ton of big data breaches, most of which didn’t notify affected users within the 72-hour period. Facebook waited more than two months to announce its latest data breach.

Wait, so if the rules aren’t followed, is GDPR worth anything? Well, let’s check in with the experts.

Not much enforcement in 2018

Raegan MacDonald is the Senior Policy Manager and EU Principal at Mozilla, a company known for its stance on privacy and the open internet. For her, GDPR has been a bit of a mixed bag, at least in its first months.

“While it is early, I haven’t yet seen that impact, although some progress is being made,” MacDonald told TNW. “Many companies have updated their privacy policies and created tools to give users more control, such as ways to request that their data be deleted.”

However, MacDonald is disappointed with how superficial this approach has been: “Many companies appear to be interpreting GDPR as narrowly as possible. I’m concerned that privacy is still by default put at risk without users understanding or having meaningful control.”

This is disappointing because one of the goals of GDPR was to encourage (or forcefully nudge) companies to implement privacy by design, but MacDonald is optimistic about the future: “We haven’t seen the big fines levied just yet. But I suspect that if 2018 is the year of implementation, 2019 will be the year of enforcement.”

She points out that there are nine EU member states that have yet to implement GDPR, and the new regulator — the European Data Protection Board — is still setting up shop, so it’s no wonder things are moving slow for now.

“Starting in 2019, I expect this ‘grace period’ to end, where companies will either shape up or face serious fines by regulators. Laws are only as strong as their enforcement, and we are encouraged by the fact that many data protection authorities are starting to closely scrutinize the underwhelming implementation measures taken by some companies (and the thousands of complaints filed).”

There have been a number of high-profile complaints lodged with data protection agencies (DPAs) in Europe. Right away on May 25, noyb, a group of privacy activists, filed complaints against Google, Facebook, Instagram, and WhatsApp over “forced consent” — as users should be able to use services without having to consent to giving up their data. Google was also reported recently for its alleged illegal tracking of its users in the EU.

It’s great that complaints are being filed with DPAs, but in addition to this, MacDonald says, there’s a need for more actionable control: users should really feel in charge of their data:

“Mozilla strongly believes that users should be given meaningful control, not just tools buried in privacy notices or deep within settings menus. And ultimately, we need strong enforcement in Europe against those companies that aren’t genuinely delivering on the principles in the GDPR.”

Companies like Mozilla have started creating tools, like anti-tracking features in browsers, but more need to adopt GDPR’s mentality to truly deliver on people’s control over their data. What it seems to boil down to, like MacDonald points out, is the need for better enforcement — so where are the regulators?

GDPR will be felt in 2019

GDPR has only been in effect for a few months, but regulators have been far from idle. DPAs in each member state have been growing their staff numbers and expertise. The Irish Data Protection Commission (DPC) has, for example, grown from fewer than 30 employees back in 2014 to 130 staff members in 2018, with plans for further expansion of staff and expertise in 2019.

The Irish DPC plays a pivotal role in the implementation and enforcement of GDPR, as many of the world’s biggest tech companies have their EU headquarters in Ireland. That means that complaints filed against companies like Facebook, Twitter, Microsoft, LinkedIn, and soon Google are under the purview of the DPC.

TNW spoke to Graham Doyle, Head of Communications with the Irish DPC, about GDPR’s first few months. For him, it’s obvious that GDPR has made people in general much more aware of the issues surrounding personal data. A big indicator of that is that the number of incidents reported has skyrocketed: 3,500 breach notifications and 2,500 complaints, double last year’s figures.

“We conducted a survey in early 2017 where we assessed the awareness levels of the GDPR among businesses in Ireland and found it to be between 30 and 40 percent,” Doyle told TNW. “However, when we redid the survey in May 2018, we were at around 90 percent awareness levels.”

GDPR clearly had an impact in 2018, as it made people think more about how their personal data is handled. Doyle is happy with this, as the DPC spends considerable resources on awareness and considers educating businesses and the public to be a key part of its role.

“We take a twin-pronged approach to upholding GDPR: enforcement and engaged supervision,” says Doyle. “Engaged supervision is where we engage with organizations, consult on personal data-related legislation, and with companies regarding their new products. Basically, when we engage with organizations, we try to assist them in getting it right from the beginning.”

This approach is understandable, as it’s undeniably better for companies to get it right the first time — and prevent any personal data from being compromised — than to focus solely on punishing offenders. However, Doyle adds that the DPC also intends to fulfill its corrective role, and that the lack of enforcement in the first few months of GDPR shouldn’t be interpreted as inactivity.

“The new toolkit that the GDPR has provided DPAs brings significantly enhanced powers,” Doyle explains, adding that the reason no fines have been issued yet is that current investigations are still ongoing. “We will use the full powers afforded to us, and the full extent of the GDPR’s toolkit, where it’s appropriate to do so.”

GDPR’s impact in 2018 can be summed up as greater awareness regarding the handling of personal data and companies being encouraged to change their approach — although most businesses could do more in that regard. To get there, better enforcement is needed, and it looks like it’ll be coming soon.

When asked when we could be expecting investigations to come to an end, Doyle was clear: “We’ll certainly be concluding some of the bigger investigations in 2019.”

GDPR’s impact will keep growing in 2019, when the legislation’s full capabilities will be realized.

This article was published by 未央网 columnist 栀航 and represents the author's personal views, not those of the site. Reproduction without permission is strictly prohibited.
