Loading...
|
Please use this identifier to cite or link to this item:
https://nccur.lib.nccu.edu.tw/handle/140.119/118575
|
| Title: | 歐盟與美國有關雲端運算產業從事跨境資料傳輸法制之比較研究
A comparative study on EU and US data protection laws governing transatlantic data flow services by cloud computing industry |
| Authors: | 紀珮宜
Chi, Pei-I |
| Contributors: | 楊培侃
Yang, Pei-Kan
紀珮宜
Chi, Pei-I |
| Keywords: | 資料保護規範
隱私屏障協議
隱私權
跨境資料傳輸
Data protection regulation
Privacy shield framework
Right to privacy
Cross-border data flow |
| Date: | 2018 |
| Issue Date: | 2018-07-10 16:17:20 (UTC+8) |
| Abstract: | 近年來,雲端運算科技快速發展,對企業的營運模式帶來巨大改變,快速成長的歐盟市場則成為美國大型雲端業者積極爭取進入的目標。對雲端運算產業而言,資料的自由傳輸為服務提供的必要條件,但資料傳輸的過程中涉及個人資料及隱私之保護,歐盟和美國在此議題上立場與看法的差異成為雲端運算業者市場進入的主要障礙。另外,在2018年歐盟通過更為嚴格的資料保護規則,將雲端運算業者納入規範範圍,增加企業保護資料之義務,使得雲端運算業者成本增加。而針對跨大西洋的資料跨境傳輸,根據歐盟之規範,僅有達到與其相同保護水準之第三國得以將資料跨境傳輸到該國。而傳統美國公司所使用的傳輸途徑包含資料主體同意、標準化契約條款及企業內部約束規則皆未能有效提供雲端產業在進行大量且重複性的資料傳輸時所需要的法律依據。因此多數雲端業者皆使用歐盟與美國為跨大西洋資料傳輸所共同發展出來的跨境傳輸協議──隱私屏障協議作為跨境傳輸的基礎。
鑑此,本文透過分析歐美隱私屏障協議之內容,認為協議較先前的安全港協議對擁有資料並進行處理的企業要求更多的義務,同時也賦予資料主體更多權利可以確保隱私。然即便如此,本文認為該協議仍不足以符合歐盟對於資料隱私保護水準之要求,故建議歐美雙方應針對防止個人隱私因大規模情報蒐集受侵害,以及提供受損害之個人有效救濟途徑的問題進行重新談判,以避免未來隱私屏障協議面臨被判決無效之法律風險。
In recent years, Cloud Computing has developed rapidly, and has brought big changes in the management model of enterprises. The fast-growing European market becomes the battlefield that all the American large cloud-computing providers aggressively try to get in. For the cloud computing, transferring data without limit is the essential condition in providing services; however, inevitably, the transferring process involves the issue of personal data and privacy protection. The EU and America hold different opinions over this issue, and the differences are the main barriers that prevent cloud-computing providers from entering the European market. In addition, the EU passed a more stringent rule, the Data Protection Regulation, in 2018, and covered the cloud-computing providers by imposing the obligation of protecting data on the enterprises. As for the transatlantic-data flow, according to the EU law, only the country who has the same level of personal data protection is allowed to transfer the data across the border. In this case, the majority of cloud-computing providers adopt the EU-US Privacy Shield Framework, a cross-border data transfers agreement specifically designed for the transatlantic-data flow by the EU and America, as their key foundation. In view of this, this thesis analyzed the content of EU-US Privacy Shield Framework, and concluded that this agreement requires more obligations for the enterprises, which are handling data, than the previous Safe Harbor Framework agreement, while it also gives the data subject more rights to ensure privacy. Nevertheless, this thesis believes that this agreement is still insufficient to meet the EU’s standard of data privacy protection. Therefore, it is suggested that both parties, the EU and America, should renegotiate the approaches that prevent personal privacy from being compromised by mass surveillance and data collection and provide affected individual with effective legal resorts to remedy damage, with the aim of avoiding the legal risk of EU-US Privacy Shield Framework being determined invalid in the future. |
| Reference: | 中文文獻
劉定基,「雲端運算與個人資料保謢--以台灣個人資料保護法與歐盟個人資料保護指令的比較為中心」,東海大學法學研究,頁53-106。
翁逸泓,「OTT發展之隱私與個人資料保護問題初探」,世新大學法學院,頁25-85。
孫鈺婷,「歐美跨境資料傳輸新框架--從歐美安全港協議無效談起」,科技法律透析,第28卷第7期,頁22-30。
孫鈺婷,「準備好了嗎?歐盟一般資料保護規則施行進入倒數計時」,科技法律透析,第28卷第4期,頁6-8。
林俊宏,「數位化時代個人資料隱私之問題」,月旦法學教室,總號:55,頁92-103。
劉靜怡,「之十一:資訊隱私權保護的國際化爭議─從個人資料保護體制的規範協調到國際貿易規範的適用」,月旦法學雜誌,總號:86,頁195-205。
陳俐伶,「歐美針對跨大西洋資料之流動達成新架構性協議」,經貿法訊,第192期,頁1-3。
英文文獻
書籍
CHRISTOPHER KUNER, INTERNATIONAL REGULATION OF TRANSBORDER DATA FLOWS (2016).
PAUL M. SCHWARTZ AND DANIEL SOLOVE, PRIVACY LAW FUNDAMENTALS (2011).
THE PRIVACY, DATA PROTECTION AND CYBERSECURITY LAW REVIEW (Alan Charles Raul et al. 4th ed. 2017)
期刊
Edward R. Alo, EU Privacy Protection: A Step Towards Global Privacy, 22 Mich. St. Int`l L. Rev. (2013).
David Bender, Having mishandled Safe Harbor, will the CJEU do better with Privacy Shield? A US perspective, 6 INTERNATIONAL DATA PRIVACY LAW (May 13, 2016).
WK Hon and C Millard, Data Export in Cloud Computing – How Can Personal Data Be Transferred Outside the Eea? The Cloud of Unknowing, Part 4, 9 SCRIPT-ed (2012).
Jay P. Kesan, Carol M. Hayes & Masooda N. Bashir, Information Privacy and Data Control in Cloud Computing: Consumers, Privacy Preferences, and Market Efficiency, 79, WASHINGTON AND LEE LAW REVIEW, 341(2013).
Mantelero, A, Cloud computing, trans-border data flows and the European Directive 95/46/EC: applicable law and task distribution, 3 EUROPEAN JOURNAL FOR LAW AND TECHNOLOGY (2012).
Sean Marston, Cloud Computing-Business Perspective, 51, DECISION SUPPORT SYSTEMS, 176(Apr., 2011).
Justice Opara-Martins, Reza Sahandi & Feng Tian, Critical Analysis of Vendor Lock-in and Its Impact on Cloud Computing Migration: A Business Perspective, JOURNAL OF CLOUD COMPUTING ADVANCES, SYSTEMS AND APPLICATIONS, (Apr. 15, 2016).
Judith Rauhofer & Caspar Bowden, Protecting their own: Fundamental rights implications for EU data sovereignty in the cloud, EDINBURGH SCHOOL OF LAW RESEARCH PAPER (June 21, 2013)
Konstantinos K. Stylianou, An Evolutionary Study of Cloud Computing Services Privacy Terms, 27 J. MARSHALL J. COMPUTER & INFO. L. 593 (2010).
Paul M. Schwartz, The EU-U.S. Privacy Collision: A Turn to Institutions and Procedures, BERKELEY LAW 1974 (May 2013).
Marina Škrinjar Vidović, EU Data Protection Reform: Challenges for Cloud Computing, 12 CROATIAN YEARBOOK OF EUROPEAN LAW & POLICY 171 (2016).
P Swire and Y Lagos, Why the Right to Data Portability Likely Reduces Consumer Welfare: Antitrust and Privacy Critique, 72(2) MARYLAND LAW REVIEW 335 (2013).
Mark Webber, The GDPR’ impact on the cloud service provider as a processor, 16 PRIVACY & DATA PROTECTION JOURNAL 12 (March, 2016).
Legal Challenges against Privacy Shield Begin to Mount in Europe, Inside US Trade, Vol.34, No.43, Nov.3, 2016.
機構報告
Cloud Standards Customer Council, Public Cloud Service Agreements: What to Expect and What to Negotiate Version 2.0.1., Aug. 2016, http://www.cloud-council.org/deliverables/CSCC-Public-Cloud-Service-Agreements-What-to-Expect-and-What-to-Negotiate.pdf.
ENISA, The Right to Be Forgotten – Between Expectations and Practice, Oct. 18, 2011, www.enisa.europa.eu/publications/the-right-to-be-forgotten.
ITA, 2016 Top Markets Report Cloud Computing, Apr., 2016, https://www.trade.gov/topmarkets/pdf/Cloud_Computing_Top_Markets_Report.pdf.
Kommerskollegium, Swedish National Board of Trade. How Borderless is the Cloud?: An Introduction to cloud computing and international trade. Sept., 2012.
OECD, Cloud Computing: The Concept, Impacts and the Role of Government Policy, OECD Doc. DSTI/ICCP(2011)19/FINAL, (Aug. 19, 2014).
官方文件
Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: Unleashing the Potential of Cloud Computing in Europe, COM(2012) 529 final, Sept. 27, 2012.
Commission Decision 2000/520/EC, of July 26, 2000 Pursuant to Directive 95/46/EC of the European Parliament and of the Council on the Adequacy of the Protect Provided by the Safe Harbor Privacy Principles and Related Frequently Asked Questions Issued by the U.S. Department of Commerce, July 26, 2000, C(2000) 2441, 2000/520/EC.
Commission Decision 2001/497/EC of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries under Directive 95/46/EC, O.J. (L 181), July 4, 2001.
Commission Decision 2002/16/EC of 27 December 2001 on standard contractual clauses for the transfer of personal data to processors established in third countries, under Directive 95/46/EC, O.J. (L 6), Jan. 10, 2002.
Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46 on the adequacy of the protection provided by the safe harbor privacy principles and related frequently asked questions issued by the US Department of Commerce, O.J. 2000 (L 215).
Decision of the EEA Joint Committee No 83/1999 of 25 June 1999 amending Protocol 37 and Annex XI (Telecommunication services) to the EEA Agreement, 2000 O.J. (L296/41).
European Telecommunications Standards Institute, Cloud Standards in the Digital Single Market, Cloud Standard Coordination, Jan. 28, 2016, http://csc.etsi.org/.
EU – U.S. Privacy Shield – First annual Joint Review, Nov. 28, 2017, WP255, 17/EN.
European Commission, Guide to the EU-U.S. Privacy Shield, Aug. 1, 2018, https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/eu-us-privacy-shield_en#eu-us-privacy-shield.
European Commission, Right environment for digital networks and services, May 16, 2017, https://ec.europa.eu/digital-single-market/en/environment-digital-single-market.
Explanatory Document on the Processor Binding Corporate Rules, Apr. 19, 2013, WP204, 00658/13/EN.
Guidelines on the right to data portability, Dec.13, 2016, WP242 rev.01, 16/EN.
Opinion 1/99 Concerning the Level of Data Protection in the United States and the Ongoing Discussion Between the European Commission and the United States Government, Jan. 26, 1999, WP 15, 5092/98.
Opinion 1/2010 on the concepts of "controller" and "processor", Feb. 16, 2010, WP29, 00264/10/EN.
Opinion 05/2012 on Cloud Computing, July 1, 2012, WP196, 01037/12/EN.
Opinion 02/2015 on C-SIG Code of Conduct on Cloud Computing, Sept. 22, 2015, WP232, 2588/15/EN.
Opinion 01/2016 on the EU – U.S. Privacy Shield draft adequacy decision, Apr. 13, 2016, WP238, 16/EN.
Peter Mell & Timothy Grance, The NIST Definition of Cloud Computing, Sep,. 2011, available at: http://faculty.winthrop.edu/domanm/csci411/Handouts/NIST.pdf.
Privacy and Civil Liberties Oversight Board, Report on the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act, (July 2, 2014) https://www.pclob.gov/library/702-Report.pdf.
Recommendation 1/2007 on the Standard Application for the Approval of Binding Corporate Rules for the Transfer of Personal Data, Jan. 10, 2017, WP133.
Working Document Establishing a Model Checklist Application for Approval of Binding Corporate Rules, Apr. 14, 2005, WP108, 05/EN.
Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995, Nov. 25, 2005, WP114, 2093/05/EN.
Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules, June 24, 2008, WP153, 18/EN.
Working Document Setting up a framework for the structure of Binding Corporate Rules, June 24, 2008, WP154, 1271-00-01/08/EN.
判決文件
Case C 362/14, Maximillian Schrems v. Data Protection Commissioner, Judgement of 6 October.
Case T-670/16, Digital Rights Ireland v Commission, Action brought on 16 September 2016.
Case C-293/12 & C-594/12 Digital Rights Ireland and Seitlinger, Judgement of 16 May 2014.
Case T-738/16, La Quadrature du Net and Others v Commission, Action brought on 25 October.
Clapper v. Amnesty International USA, 568 U.S. (2013) II, 10.
Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems, [2016] No. 4809 (H. Ct.) (lr.).
Klass and Others v. Germany, App. No. 5029/71, Eur. H.R. § 56, 67 (1978).
Zakharov v. Russia, App. No. 47143/06, 4 Eur. H.R. Rep. 260 (2015).
網頁資料
Michael Armbrust, Armando Fox, Rean Griffith, Anthony D. Joseph, Randy H. Katz, Andrew Konwinski, Gunho Lee, David A. Patterson, Ariel Rabkin, Ion Stoica & Matei Zaharia, Above the Clouds: A Berkeley View of Cloud Computing, at 8, Feb. 10, 2009.
P. Chase, S. David-Wilp & T. Ridout,Transatlantic Digital Economy and Data Protection: State-of-Play and Future Implications for the EU`s External Policies, 2016, http://www.europarl.europa.eu/RegData/etudes/STUD/2016/535006/EXPO_STU(2016)535006_EN.pdf.
Louis Colunbus, Roundup of Cloud Computing Forecasts, 2017, Forbes, Apr. 29, 2017, https://www.forbes.com/sites/louiscolumbus/2017/04/29/roundup-of-cloud-computing-forecasts-2017/#5135867031e8.
Barb Darrow, Amazon Still Leads Cloud Rankings, But Competition Is Coming on Strong, Fortune, June 15, 2017, http://fortune.com/2017/06/15/gartner-cloud-rankings/.
Ron Davies, Cloud Computing : An Overview of economic and policy issues, May 2016, http://www.europarl.europa.eu/RegData/etudes/IDAN/2016/583786/EPRS_IDA(2016)583786_EN.pdf.
Deloitte, Measuring the economic impact of cloud computing in Europe, at 56, Jan.10, 2017 https://ec.europa.eu/digital-single-market/en/news/measuring-economic-impact-cloud-computing-europe.
EU Cloud Code of Conduct Version 2.0, EU Cloud CoC Information Portal, May, 2018 https://eucoc.cloud/fileadmin/cloudcoc/files/European_Cloud_Code_of_Conduct.pdf.
EU Cloud Code of Conduct Version 2.0, EU Cloud CoC Information Portal, May, 2018 https://eucoc.cloud/fileadmin/cloud-coc/files/European_Cloud_Code_of_Conduct.pdf.
London Economics, Implications of the European Commission’s Proposal for a General Data Protection Regulation for Business, May 2013, https://ico.org.uk/media/1042341/implications-european commissions-proposal-general-data-protection-regulation-for-business.pdf.
GDPR Portal: Site Overview, EU GDPR Information Portal, https://www.eugdpr.org/.
GDPR Key Changes, EU GDPR Information Portal, https://www.eugdpr.org/key-changes.html.
Detlev Gabel &Tim Hickman, Chapter 10: Obligations of controllers – Unlocking the EU General Data Protection Regulation, White& Case, Sept. 13, 2017, https://www.whitecase.com/publications/article/chapter-10-obligations-controllers-unlocking-eu-general-data-protection.
Detlev Gabel &Tim Hickman, Chapter 11: Obligations of processors – Unlocking the EU General Data Protection Regulation, White& Case, Jul. 22, 2016, https://www.whitecase.com/publications/article/chapter-11-obligations-processors-unlocking-eu-general-data-protection.
Detlev Gabel, Robert Blamires, Tim Hickman & Matthias Goetz, EU-US Privacy Shield approved, White & Case, July 12, 2016, https://www.whitecase.com/publications/alert/eu-us-privacy-shield-approved.
B Gellman and L Poitras, U.S., British Intelligence Mining Data from Nine U.S. Internet Companies in Broad Secret Program, Washington Post (June 7, 2013), https://www.washingtonpost.com/ investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html.accessed 20 April 2016.
John B. Horrigan, Cloud Computing Gains in Currency, PEW RES. CTR., Sept. 12, 2008, http://pewresearch.org/pubs/948/cloud-computing-gains-incurrency.
Vivek Kundra, Federal Cloud Computing Strategy, Feb. 8, 2011, https://www.dhs.gov/sites/default/files/publications/digital-strategy/federal-cloud-computing-strategy.pdf.
Privacy shield list, EU Privacy shield Information Portal, https://www.privacyshield.gov/list.
V. Reading, Binding Corporate Rules: Unleashing the Potential of the Digital Single Market and Cloud Computing, Nov. 29, 2011, at 4, file:///C:/Users/lorra/Downloads/SPEECH-11-817_EN.pdf.
U.S. Department of Commerce, Safe Harbor Privacy Principles and Related Frequently Asked Questions, July 21, 2000.
Darrell M. West, Saving Money Through Cloud Computing, Apr. 7, 2010, https://www.brookings.edu/wp-content/uploads/2016/06/0407_cloud_computing_west.pdf. |
| Description: | 碩士
國立政治大學
國際經營與貿易學系
1053510193 |
| Source URI: | http://thesis.lib.nccu.edu.tw/record/#G1053510193 |
| Data Type: | thesis |
| DOI: | 10.6814/THE.NCCU.IB.015.2018.F06 |
| Appears in Collections: | [國際經營與貿易學系 ] 學位論文
|
Files in This Item:
| File |
Size | Format | |
|---|
| 01.pdf | 1772Kb | Adobe PDF2 | 739 | View/Open |
|
All items in 政大典藏 are protected by copyright, with all rights reserved.
|
