Depth report


The impact of EU GDPR on the global digital economy


Known as the most stringent personal data protection law in history, the EU's General Data Protection Regulation (GDPR) has finally arrived. But if we read it only as the European Union reaffirming the dignity and personal freedom of its citizens against the background of rapidly advancing information technology, we underestimate its significance.


    No legislation is driven purely by ideas; there are usually larger practical considerations behind it. Article 1 of the GDPR ("Subject-matter and objectives") states that "the free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data." The European Union is by no means merely asserting the moral supremacy of fundamental data rights. On the contrary, it is well aware of the central role of personal data in the digital economy. Viewed through the prism of the digital economy, then, the other side of the GDPR comes into view.


Laggards of the digital economy


    In 2016, the Group of Twenty (G20) released the "G20 Digital Economy Development and Cooperation Initiative" in Hangzhou, China, listing the "digital economy" for the first time as a major topic in the G20 blueprint for innovation and growth. As a new form of economic and social development following the agricultural and industrial economies, the digital economy has long outgrown the boundaries of the information industry and has become a driving force for digital transformation, value creation and efficiency gains across every sector. Developed and developing countries alike therefore treat digital transformation as a priority policy. On the world map of the digital economy, however, development is uneven. According to the "G20 Digital Economy Development Research Report (2017)" of the China Academy of Information and Communications Technology, the digital economy of the United States reached 10.8 trillion U.S. dollars in 2016, far ahead of the rest of the world; China ranked second at 3.4 trillion U.S. dollars. Japan, Germany and the United Kingdom ranked third to fifth, on average about half the size of China's.


    The leading position of China and the United States in this wave of the digital economy is clearly reflected in the market value of technology companies. In 2017, seven of the ten most valuable companies in the world were technology companies: five from the United States (Apple, Microsoft, Google, Facebook and Amazon) and two from China (Alibaba and Tencent). The picture is even more pronounced in individual segments. The United Nations "World Investment Report 2017: Investment and the Digital Economy" surveys the major fields of the digital economy, such as internet platforms, digital solutions, e-commerce, digital content, IT and telecommunications infrastructure, and finds that the global leaders and followers in each are essentially companies from China and the United States. Compared with China and the United States, Europe is clearly lagging behind in the digital economy for the time being.


    In fact, the EU has long been aware of the coming digital economy. As early as 1996, in order to stimulate the development of the data industry, the European Parliament and the Council adopted the "Directive on the Legal Protection of Databases" (Directive 96/9/EC), which for the first time anywhere in the world granted a special right (the sui generis right) to databases that are not protected by copyright but represent a substantial investment. Because of the vagueness of the law itself, however, the directive did not make the EU data industry flourish: by 2004 the EU database industry had fallen back to its 1996 level.


    Against this background, the European Union issued the "Digital Single Market Strategy" in 2015 to ensure the free movement of goods, people, services, capital and data, so that individuals and companies can seamlessly access and carry out online activities under conditions of fair competition, promoting the development of the EU's digital economy and securing Europe's position in the global digital economy. The EU recognizes that the three pillars of this strategy, the free flow of digital factors of production, the construction of infrastructure and the guarantee of public services, are all indispensable. Beyond the GDPR, therefore, the EU has delivered a combination of measures: the 2017 proposal for a regulation on a framework for the free flow of non-personal data, the April 2018 proposal to revise the Public Sector Information Re-use Directive, the revision of the 2012 Recommendation on access to and preservation of scientific information, and guidance on sharing private sector data with the public sector in the public interest. Together these demonstrate the EU's ambition to establish a digital single market. Seen this way, personal data protection is not an isolated event: it is governed by the EU's macro-structure for the digital economy and serves the EU's overall strategy of pursuing leadership in the digital economy.


The three weapons of GDPR


    The GDPR has a dual effect: on the one hand, it promotes the integration of the EU's internal market through unified personal data protection legislation and "one-stop-shop" enforcement; on the other hand, it disturbs the global market outside the EU through its extraterritorial effect.


    As to the latter, the EU is in effect using the GDPR to put a hard multiple-choice question to Chinese and American companies and governments: either bring corporate procedures or domestic laws into line with the GDPR, or be excluded from a market of 500 million affluent consumers.


    The extraterritorial effect of the GDPR rests on three weapons. The first is "protective jurisdiction": the GDPR aims to protect natural persons in the EU, and EU law applies regardless of whether the controller or processor is established inside or outside the EU and regardless of whether the processing takes place inside or outside the EU. Protective jurisdiction is one of the main changes the GDPR makes to the 1995 Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the "95 Directive"); it breaks with the traditional principles of "territorial jurisdiction" and "personal jurisdiction" and greatly expands the EU's reach. In fact, even before the GDPR took effect, the EU had already taken this position in the 2014 case Google Spain v. AEPD and Mario Costeja González. The Court of Justice of the European Union ruled that, although the processing of personal data was carried out by Google outside the European Union, Google still fell within the scope of the 95 Directive, because the search engine's business was inextricably linked to the advertising sales of its Spanish subsidiary.


    The second weapon is control of cross-border data flows. In contrast to the Digital Single Market Strategy, which mandates the free flow of data within the EU, the GDPR devotes a separate chapter to strictly restricting the flow of data out of the EU. In general, personal data may only be transferred to third countries that the EU considers to provide an "adequate level of protection", or under "appropriate safeguards". The "adequacy" assessment looks at the overall level of personal data protection in the country, the state of data flows, its political and trade relations with the EU, and the values and goals it upholds. At present Japan has the best chance of becoming the first Asian country to obtain an EU adequacy decision, while the chance for China is close to zero. For Chinese companies, therefore, the only way to transfer data across the border is through appropriate safeguards such as Binding Corporate Rules or Standard Contractual Clauses. Under these instruments, Chinese companies must provide adequate protection at every stage of data transmission, storage and processing, or face the legal risk of being sued or complained about in the EU at any time.


    Finally, a law without liability is a toothless tiger. To achieve real deterrence, the GDPR must be backed by strong penalties, and it sets two tiers of fines. Violations of data protection by design and by default, failure to implement adequate IT security measures, violations of the data breach notification requirements and the like carry a fine of up to 10 million euros or 2% of the previous year's global turnover, whichever is higher. Violations of the basic principles of processing, processing without a legal basis, invalid consent, infringement of data subjects' rights and the like carry a fine of up to 20 million euros or 4% of the previous year's global turnover, whichever is higher. For large Chinese and American multinationals, a penalty tied to global revenue is clearly a heavy blow.


Economic consequences of GDPR


    The first consequence of the GDPR is, of course, soaring compliance costs. Paul Hastings surveyed the general counsel and chief security officers of 100 FTSE 350 companies and 100 Fortune 500 companies and found that FTSE 350 companies would spend an average of 430,000 pounds on GDPR compliance, and Fortune 500 companies as much as 1 million U.S. dollars. Nor are only large companies affected. Although Article 30(5) of the GDPR exempts enterprises and organizations with fewer than 250 employees from the obligation to keep records of processing, the exemption is narrow and is hedged with vague conditions such as processing that is "likely to result in a risk to the rights and freedoms of data subjects", so small companies still face very uncertain enforcement. As a result they may have to spend time and effort and assume obligations just like large companies, which weakens the legislative purpose of the small business exemption and harms the development of start-ups.


    The GDPR brings more than compliance costs: through a complex chain reaction it will eventually affect the entire digital economy.


    For the artificial intelligence industry: Pedro Domingos, a professor at the University of Washington and author of "The Master Algorithm", said at the beginning of this year that from May 25 the European Union will require all algorithms to explain their outputs, which means deep learning will soon be illegal. Although some scholars regard this statement as a misunderstanding of the GDPR, the algorithmic transparency and accountability the GDPR demands, and the resulting decline in the variety and quantity of data, are challenges artificial intelligence will inevitably have to face. For the blockchain industry, immutability conflicts directly with the rights of rectification, erasure and to be forgotten that the GDPR grants to individuals, and distributed ledgers with multi-party consensus make every node bear the strict obligations of a data controller, an impossible task. For fintech, the economist Jentzsch's earlier research using the Financial Privacy Index found that although personal data protection in the United States is weaker than in the European Union, the share of the population with access to credit is higher in the United States than in EU countries; implementing the GDPR will make it still harder for individuals to obtain credit. Deloitte estimates that the GDPR will reduce consumer credit by 19%, causing an annual loss of 83 billion euros to GDP and 1.4 million job losses. For the online behavioural advertising industry, processing personal data such as users' IP addresses, cookies and device IDs becomes more difficult under the GDPR; the cost of using personal data for marketing will rise and the industry as a whole will lose 3.2 billion euros in revenue.
    According to Deloitte's overall assessment, in the four industries of direct marketing, advertising, web analytics and credit alone, the GDPR will directly or indirectly cause a GDP loss of 173 billion euros and the loss of 2.8 million jobs.


    It is easy to see that, given the three weapons of the GDPR, a large share of these adverse economic consequences will be borne by the digital economy powers outside the EU. Indeed, the consequences are already visible: on the first day the GDPR took effect, Google and Facebook faced complaints over alleged unlawful data sharing, with potential fines totalling 3.7 billion and 3.9 billion euros respectively. "Internet queen" Mary Meeker also warned in her latest Internet Trends report that the GDPR's rights to manage and control personal data will inevitably hamper innovation. In this context, China should have a clear and comprehensive understanding of the intent and impact of the GDPR. On the one hand, it must maintain its own institutional strengths in the digital economy and not simply follow the GDPR as the latest fashion in personal information protection. On the other hand, it must take EU enforcement seriously and resolve conflicts between Chinese law and the GDPR through international consultation and political negotiation, helping Chinese companies comply with the GDPR within reasonable limits and strike a balance between corporate development and personal information protection.


How do companies respond to GDPR that has taken effect?


    For companies from every country, it is especially important to understand the scope of the GDPR. First, subsidiaries that foreign companies establish or acquire in Europe must comply with the GDPR regardless of whether their processing takes place within the EU. Second, a company that collects and processes personal data in order to offer goods or services to individuals in the EU, or to monitor the behaviour of individuals in the EU, is also subject to the GDPR even if it has no establishment there. Companies that have already established a presence in the EU or intend to expand there (banks, e-commerce and internet companies, airlines, IT companies and hardware and software vendors in particular) must therefore attend to GDPR compliance or suffer significant financial and reputational losses.


Analysis of key elements of GDPR


      The GDPR consists of a preamble (173 recitals) and 11 chapters containing 99 articles. Its focus is the rights of data subjects: data subjects gain stronger control over their personal data and can make more legal claims when using a company's products or services. At the same time, the GDPR further specifies the categories of personal data that require special handling and the associated processing requirements, placing more stringent demands on the ability of controllers and processors to protect personal data.



       a Data subject's rights


 


    The rights of data subjects set out in the GDPR can be summarized as the right of access, the right to rectification, the right to erasure (the "right to be forgotten"), the right to restriction of processing, the right to data portability, the right not to be subject to solely automated decision-making, and the right to object. Through these rights a data subject can at any time ask a company for a copy of their personal data or for the purposes for which it is used, and can have the data corrected, deleted, exported or transferred. Users can also explicitly require a company to stop particular kinds of processing and use of their personal data, including so as not to be subject to certain automated decisions. This power of individual users to restrict or even refuse processing is one of the key points the GDPR spells out.


      b Special types of personal data


      In the past, companies paid differing degrees of attention to privacy protection and defined personal data in differing ways. The GDPR now specifies special categories of personal data: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, and sex life or sexual orientation. Companies need to manage these sensitive data separately from other personal data and apply more stringent security measures to them.


      c Personal data of minors


      The GDPR also contains specific provisions for the special protection of minors. When a company offers products or services to minors and processes their personal data, the GDPR makes clear that for children under 16 the consent of the holder of parental responsibility must be obtained, rather than relying on the child's consent alone (member states may lower this age threshold, but not below 13).


      d Privacy protection management requirements for enterprises


      For enterprises, the GDPR also sets out a full range of privacy management requirements and provides continuous supervision from several directions.


      First, personal data that has been collected must be proactively deleted once it is no longer needed for the purpose for which it was collected;


      Second, if a company suffers a personal data breach, it must notify the supervisory authority within 72 hours of becoming aware of it, and where the breach is likely to result in a high risk to the rights and freedoms of individuals it must also inform the affected individuals without undue delay;


      Third, where the GDPR requires it (public bodies, or companies whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data), a company must appoint a Data Protection Officer (DPO) responsible for its privacy protection, improve the related management systems and processes, carry out data protection impact assessments for its business, and, depending on its situation, designate a representative within the EU to respond comprehensively and promptly to user requests.


 A phased approach to implementing GDPR privacy protection


      Now that the "Sword of Damocles" of the GDPR hangs overhead, how companies respond to the regulation and meet its compliance requirements is the top priority after "5.25", because once a company's processing of personal data is found to violate the GDPR it faces a fine of up to 4% of its global annual turnover or 20 million euros, whichever is higher.


      Many companies have raised concerns and doubts about the formal implementation of the GDPR. This article summarizes some of the major challenges that may arise after the GDPR takes effect and offers corresponding suggestions.


      1 Definition and identification of personal data types


      When sorting out their personal data, enterprises often find it difficult to decide what counts as personal data; different departments or teams within the same enterprise may even apply different definitions to the same data.


      Suggestion: "identifiability" often only arises once several pieces of data are combined. Even if a single piece of data cannot directly identify a specific user, it must still be protected if, combined with other data, it can identify that user.
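      The following is an added example, not code from the original article, showing how to test this suggestion on a concrete dataset before treating it as "non-personal". The records, the column names (postcode, birth_year, sex, diagnosis) and the function names are constructed for the illustration. Each column on its own is shared by several people, yet the three together single out most of the records; truncating the postcode is one mitigation and the same check shows whether it is enough.

```python
"""Added example (not from the original article): a check for whether columns
that are harmless one at a time become identifying in combination.

All records below are constructed for this illustration, and the column names
(postcode, birth_year, sex, diagnosis) are hypothetical.
"""
from collections import Counter
from itertools import combinations

# Constructed sample of a dataset a team might consider "not personal data"
# because no single column names anyone.
RECORDS = [
    {"postcode": "10115", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "10115", "birth_year": 1984, "sex": "F", "diagnosis": "flu"},
    {"postcode": "10115", "birth_year": 1984, "sex": "M", "diagnosis": "flu"},
    {"postcode": "10115", "birth_year": 1990, "sex": "F", "diagnosis": "diabetes"},
    {"postcode": "10115", "birth_year": 1990, "sex": "M", "diagnosis": "asthma"},
    {"postcode": "10117", "birth_year": 1984, "sex": "F", "diagnosis": "flu"},
    {"postcode": "10117", "birth_year": 1984, "sex": "M", "diagnosis": "asthma"},
    {"postcode": "10117", "birth_year": 1990, "sex": "F", "diagnosis": "flu"},
    {"postcode": "10117", "birth_year": 1990, "sex": "M", "diagnosis": "diabetes"},
]


def group_sizes(records, columns):
    """How many records share each combination of values in `columns`."""
    return Counter(tuple(r[c] for c in columns) for r in records)


def k_anonymity(records, columns):
    """Size of the smallest group; k == 1 means some record is unique on these columns."""
    return min(group_sizes(records, columns).values())


def singletons(records, columns):
    """Records whose value combination on `columns` occurs exactly once."""
    sizes = group_sizes(records, columns)
    return [r for r in records if sizes[tuple(r[c] for c in columns)] == 1]


def identifying_combinations(records, candidates):
    """Every subset of candidate columns on which at least one record is unique,
    smallest subsets first. If only larger subsets appear, the data is identifying
    through combination even though each column passes on its own."""
    found = []
    for size in range(1, len(candidates) + 1):
        for cols in combinations(candidates, size):
            if k_anonymity(records, cols) == 1:
                found.append(cols)
    return found


def generalize_postcode(records, keep_digits=3):
    """One mitigation: coarsen the postcode before release, then re-run the check."""
    return [dict(r, postcode=r["postcode"][:keep_digits]) for r in records]


if __name__ == "__main__":
    quasi_identifiers = ("postcode", "birth_year", "sex")
    for col in quasi_identifiers:
        print(f"{col} alone: k = {k_anonymity(RECORDS, (col,))}")
    print(f"all three combined: k = {k_anonymity(RECORDS, quasi_identifiers)}")
    print(f"records unique on the combination: {len(singletons(RECORDS, quasi_identifiers))}")
    print(f"identifying subsets: {identifying_combinations(RECORDS, quasi_identifiers)}")
    coarse = generalize_postcode(RECORDS)
    print(f"after truncating postcode to 3 digits: k = {k_anonymity(coarse, quasi_identifiers)}")
```

      On this sample every single column and every pair of columns has k = 2 or more, but the triple is unique for seven of the nine records, so the "diagnosis" column next to it is personal data in the GDPR sense. A practical review runs this kind of check over the real quasi-identifiers (location, dates, device attributes) rather than over the columns a team intuitively labels sensitive.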


      2 Authorization for the processing of personal data of minors


      For the consent of guardians of minors under 16, it is difficult for companies to genuinely verify the relationship between a minor and the guardian, and there is a certain risk of violation.


      Recommendation: further checks can be made against the official documents applicable in each country, including but not limited to birth certificates and adoption certificates.


      3 Cross-border transfer of personal data


      The GDPR sets out clear requirements for cross-border data transfers, but some companies have only a single data center or no relevant facilities in the EU.


      Recommendation: if a company cannot set up a data center in the EU, it should consider Binding Corporate Rules (BCR), Standard Contractual Clauses, an approved code of conduct or another approved certification mechanism for its cross-border transfers of personal data.


      With the GDPR now formally in force, governments and regulators in many countries are paying increasing attention to data privacy protection, and related laws and regulations are gradually being refined or implemented. Many Chinese companies have also made comprehensive plans for data privacy protection; the work ahead is long. We expect that in the foreseeable future more and more companies will gradually improve.