欧盟《个人资料隐私保护指令》域外效力研究

发布时间：2018-04-03 06:56

本文选题：个人资料隐私保护指令　切入点：域外效力　出处：《中国政法大学》2014年硕士论文

【摘要】：欧盟《个人资料隐私保护指令》是目前全世界对个人资料进行保护的标杆性法令。由于欧盟指令的域外效力属性加之欧盟巨大的经济能量,该指令对世界各国和国际组织制定个人资料保护方面的法律或其他文件中起着非常重要的引导作用,在世界范围内产生了广泛的影响。基于此,本文以该指令的域外效力为研究对象,试图对该指令的域外效力进行探索性研究。本文的研究成果主要来源于对欧盟个人资料保护相关机构制定的法令或工作文件的细致琢磨以及对大量欧美个人资料保护相关文献资料的研究。除去引言部分,全文分为五章：第一章对《个人资料隐私保护指令》制定的历史背景予以简述。首先本文介绍了早期(1980年以前)个人资料保护的努力,涉及普遍性的国际法律文件、区域性国际公约以及欧洲经济区国家的国内法；然后对1980年以后个人资料保护的进程进行了追溯,涉及到经济全球化和科技发展对个人资料保护的影响、经济合作与发展组织关于个人资料保护的指南性文件、全球第一个个人资料保护国际公约即欧洲理事会制定的《有关个人资料自动化处理之个人保护公约》的简要介绍；最后,对欧盟《个人资料隐私保护指令》的制定予以介绍。第二章对《个人资料隐私保护指令》域外效力条款及与《个人资料隐私保护指令》域外效力相关的条款进行文本解读。与《个人资料隐私保护指令》域外效力相关的条款涉及个人资料处理合法性、敏感资料的处理、资料处理的安全性和保密性等内容。而域外效力条款涉及到在欧盟成员国和第三国之间进行资料转移的法律基础的两种情形。第一种情形是被转移的个人资料在第三国所受到的保护会达到“充分保护”的水平,这又包括三种途径：第一是第三国关于个人资料保护的国内规定满足充分性要求；第二是资料进口者通过适当的合同条款等保护措施达到了欧盟的“充分性”要求；第三是资料进口者因制定了有约束力的公司规则符合了“充分保护”的要求。第二种情形是该资料转移属于指令规定的七种例外情形之一。第三章对欧盟《个人资料隐私保护指令》第26条规定的满足充分性的三种途径予以详述。该章首先介绍了进行“充分性”认定需要考虑的因素；然后进一步详细介绍了满足充分性要求的三种途径,即第三国的国内法对个人资料的保护水平达到了充分保护的水平、通过适当的合同条款达到了充分保护的水平、通过制定有约束力的公司规则达到了充分保护的水平。第四章对欧美个人资料保护立法的差异及其协调措施进行介绍,该章首先分析了欧盟和美国两大经济体在个人资料保护立法上的差异,然后进一步介绍协调这种差异的措施即安全港制度,包括其内容、实施情况、实施成本以及替代途径。第五章对欧盟《个人资料隐私保护指令》对中国国内立法的借鉴意义进行了叙述和分析,指出欧盟指令正在并将继续对我国个人资料保护立法起着重要引导作用；另外本章还对中国企业遵守欧盟指令的实践予以考察并提出了建议,包括通过合同路径满足欧盟对个人资料保护的要求、符合条件的企业可适时制定有约束力的公司规则和利用资料主体的同意等例外条款。
[Abstract]:The Directive on the Protection of Personal Data of European Union ( EU ) is a benchmark for the protection of personal data in the world . As a result of the extraterritorial effects of EU directives , the Directive has a very important guiding role in the development of legal or other documents relating to the protection of personal data from all countries and international organizations .

In the first chapter , the historical background of personal data privacy protection is briefly described . Firstly , the author introduces the efforts to protect personal data before ( 1980 ) , and deals with the universal international legal documents , regional conventions and the domestic law of the countries of the European Economic Area ;
The process of personal data protection since 1980 was then traced to the impact of economic globalization and technological development on the protection of personal data , a guide document on the protection of personal data by the Organization for Economic Cooperation and Development , the International Convention on the Protection of Personal Data in the Global First International Convention on the Protection of Personal Data , a brief introduction to the Convention on the Protection of Personal Data , which was developed by the Council of Europe relating to the automatic processing of personal data ;
Finally , we will introduce the development of the European Union ' s Privacy Protection Directive on Personal Data .

The second chapter explains the validity of the personal data privacy protection instruction and the terms related to the extraterritorial effect of personal data privacy protection instruction . The article deals with the legality of personal data processing , the handling of sensitive data and the security and confidentiality of data processing . The first case is that the protection of the transferred personal data in the third country will reach the level of " adequate protection " , which also includes three ways : the first is the third country ' s domestic regulations concerning personal data protection meet the adequacy requirement ;
Secondly , it is the " sufficiency " requirement of the European Union through the protection measures such as the proper contract terms and so on .
Thirdly , the information importer was in line with the requirement of " adequate protection " for the formulation of binding corporate rules . The second scenario was that the information was transferred to one of the seven exceptions specified in the directive .

In the third chapter , three ways to satisfy the adequacy of the article 26 of the European Union Personal Data Privacy Protection Directive are detailed in this chapter . The first chapter introduces the factors which need to be considered for " sufficiency " determination ;
Then , three ways to meet the adequacy requirements are introduced in detail , namely , the domestic law of the third country has reached the level of adequate protection for the protection level of personal data , and the level of adequate protection is reached through the appropriate contractual terms , and the level of adequate protection is achieved through the development of binding corporate rules .

The fourth chapter introduces the differences and the coordination measures of the European and American personal data protection legislation . This chapter first analyzes the differences between the EU and the United States in the legislation of personal data protection , then further introduces the measures to coordinate this difference , namely , the safety port system , including its content , implementation , implementation cost and alternative route .

The fifth chapter describes and analyzes the reference significance of China ' s domestic legislation , points out that EU directive is and will continue to play an important role in China ' s personal data protection legislation ;
In addition , this chapter investigates and makes recommendations for Chinese enterprises ' compliance with EU directives , including through contract paths to meet EU requirements for personal data protection , and eligible enterprises can develop binding corporate rules and the consent of the data subject in due course .

【学位授予单位】：中国政法大学
【学位级别】：硕士
【学位授予年份】：2014
【分类号】：D95

【共引文献】