Loading...
|
Please use this identifier to cite or link to this item:
https://nccur.lib.nccu.edu.tw/handle/140.119/153492
|
| Title: | 新版標準契約條款在歐盟GDPR下之合法性分析
Legal Analysis of the New Standard Contractual Clauses under EU GDPR |
| Authors: | 楊和潤
Yang, Ho-Jun |
| Contributors: | 薛景文
楊和潤
Yang, Ho-Jun |
| Keywords: | 歐盟一般資料保護規則
標準契約條款
歐盟基本權利憲章
個資保護
隱私權
跨境資料傳輸
資料跨境傳輸
GDPR
SCC
Schrems
Schrems
Meta
data protection
privacy rights
cross-border data transfer |
| Date: | 2024 |
| Issue Date: | 2024-09-04 15:28:36 (UTC+8) |
| Abstract: | 在現今數位爆炸之時代下,人們的日常生活已與網際網路密不可分,而現今各式新興科技之背後,均須以大量之個人資料作為其基礎與分析改善之動能,依今日網路技術之發展及全球化商業佈局之普遍程度,資料需要在許多不同國家間跨境傳輸已是無法避免之必要行為。不料歐盟法院於2015年及2020年相繼宣告美歐間《安全港協議》及《隱私盾協議》失效,使美歐間之資料跨境傳輸頓失合法依據,惟Schrems II案判決中,仍側面肯定以標準契約條款(Standard Contractual Clauses, SCC)進行跨境傳輸之合法性,歐盟執委會於Schrems II案後積極進行相關修訂,並於2021年6月正式通過新版之SCC條款,此一新版之SCC條款,整合過去三份SCC並加入兩種新的傳輸情境,形成依不同傳輸情境區分之四個模組(Module)的特殊規範模式,並針對Schrems II案中歐盟法院之擔憂於第14條、第15條新增若干義務。
不料於2023年,愛爾蘭資料保護委員會認為Meta以2021新版SCC作為合法依據之跨境傳輸不合法,並裁罰Meta 12億歐元。本文以此案件作為發想,惟不限於本件裁罰案討論之範疇,而係全面性之比較2021新版SCC與歐盟GDPR之規範差異,及透過若干歐盟法院判決、監管機關裁罰案件及指引、學者見解等,進一步分析2021新版SCC於歐盟規範架構下之合法性,最後加入若干本文自身觀點,期望能提供企業若欲選擇以SCC作為資料跨境傳輸合法依據者,在面對2021新版SCC可能仍無法完全解決歐盟法院於Schrems II案擔憂之前提下,應注意2021新版SCC有哪些法律上之重點缺失,以及得採取何種補充措施以制訂長久合法有效的資料跨境傳輸契約。
In today's era of digital explosion, people's daily lives are inextricably linked with the internet. The basis for the analysis and improvement of various emerging technologies relies heavily on large amounts of personal data. Given the current development of internet technology and the widespread extent of global business layouts, the necessity of cross-border data transfer between many different countries has become an unavoidable requirement. However, the European Court of Justice (CJEU) successively invalidated the Safe Harbor Agreement and the Privacy Shield Agreement between the U.S. and the EU in 2015 and 2020. Nonetheless, the Schrems II case still indirectly affirmed the use of Standard Contractual Clauses (SCC) as a legal basis for cross-border data transfer. Following the Schrems II case, the European Commission actively made relevant revisions and officially passed the new version of SCC clauses in June 2021. This new version of SCC integrates three previous SCCs and adds two new transfer scenarios, forming a special regulatory model divided into four modules based on different transfer scenarios. It also added several obligations in Articles 14 and 15 to address the concerns of CJEU in the Schrems II case.
Unexpectedly, in 2023, the Irish Data Protection Commission deemed Meta's cross-border transfer, which based on the 2021 new SCC was illegal and fined Meta €1.2 billion. This paper uses this case as an inspiration, but not limited to the scope of this case. This paper comprehensively compares the regulatory differences between the 2021 new SCC and the EU GDPR, further analyzes the legality of the 2021 new SCC under the EU regulatory framework through several EU court cases, regulatory authority penalty cases, and scholarly opinions, and finally adds several of the author's viewpoints. It aims to provide enterprises, intending to choose SCC as a legal basis for cross-border data transfer, with insights into the legal shortcomings of the 2021 new SCC and suggests possible supplementary measures to formulate a long-term, legal, and effective cross-border data transfer contract. |
| Reference: | 一、中文文獻
(一)專書
張陳弘、莊植寧,新時代之個人資料保護法制:歐盟GDPR與臺灣個人資料保護法的比較說明,2版(2022年)。
(二)期刊論文
郭戎晉,論資料在地化之立法,臺灣科技法學叢刊,第3期(2020年)。
郭戎晉,論區塊鏈技術與歐盟一般資料保護規則之衝突,臺大法學論叢,50卷1期(2021年)。
郭戎晉,論個人資料跨境傳輸與數位經貿之互動與規範設計─以歐盟法院 Schrems案影響為觀察對象,收於:王震宇編,2021數位貿易政策論壇-科技.人文.數位貿易(2021年)。
陳靜怡,隱私權新觀點:走過不留下痕跡?淺談被遺忘權與大數據,NCC NEWS,8卷11期(2014年)。
薛景文,從Schrems I & II論美歐隱私權保障落差對於自由貿易規範之影響,第21屆國立政治大學國際經貿法學學術發展研討會論文集(2021年)。
(三)碩博士論文
董芃旻,台灣跨境資料傳輸——聚焦以契約方式作為隱私保障工具,國立政治大學法律學系碩士學位論文(2022年)。
二、英文文獻
(一)專書
GREGOR DORFLEITNER & LARS HORNUF, FINTECH AND DATA PRIVACY IN GERMANY (2019).
(二)期刊論文
Anupam Chander, Is Data Localization a Solution for Schrems II, 23(3) Journal of International Economic Law (2020).
Flora Y. Wang, Cooperative Data Privacy: The Japanese Model of Data Privacy and the EU-Japan GDPR Adequacy Agreement, 33 HARV. J. L. & TECH. (2020).
Julian Schütte & Gerd Stefan Brost, LUCON: Data Flow Control for Message-Based IoT Systems, 17th IEEE International Conference on Trust, Security and Privacy in Computing and Communications/ 12th IEEE International Conference on Big Data Science and Engineering, Institute of Electrical and Electronics Engineers (Aug., 2018).
Marcelo Corrales Compagnucci et al., Cross-Border Transfers of Personal Data after Schrems II: Supplementary Measures and New Standard Contractual Clauses (SCCs), 2021(2) NORDIC JOURNAL OF EUROPEAN LAW (2020).
Sergi Batlle and Arnaud van Waeyenberge, EU–US Data Privacy Framework: A First Legal Assessment, EUROPEAN JOURNAL OF RISK REGULATION (2023).
Stephen Breen et al., GDPR: Is your consent valid, 37(1) BUSINESS INFORMATION REVIEW (2020).
(三)碩博士論文
En-Naoui Wissame, Transfer of personal data to third countries and the complexity of Clause 14 of the Standard Contractual Clauses at. 47 (Dec. 1, 2022) (on file with the Faculty of Law, University of Oslo).
(四)歐盟法院判決
Case C‑131/12, Google Spain v. AEPD and Mario Costeja González (May 13, 2014).
Case C‑307/22, FT v. DW (Oct. 26, 2023).
Case C-311/18, Data Protection Commissioner v. Facebook Ireland Ltd, Maximillian Schrems.
Case C-362/14, Maximillian Schrems v. Data Protection Commissioner (Oct. 6, 2015).
Court of Justice, Application (OJ) of 16 Feb, 2024, case T-8/24, Meta Platforms Ireland v European Data Protection Board.
(五)政府單位或國際組織文件
2000/520/EC: Commission Decision of 26 July 2000 Pursuant to Directive 95/46/EC of the European Parliament and of the Council on the Adequacy of The Protection Provided by the Safe Harbor Privacy Principles and Related Frequently Asked Questions Issued by the US Department of Commerce, 2000 O.J. (L 215).
2001/497/EC: Commission Decision of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC, 2001 O.J. (L 181) 19.
2004/915/EC: Commission Decision of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries, 2004 O.J. (L 385) 74.
2010/87/: Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, 2010 O.J. (L 39) 5.
Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev.01, as last Revised and Adopted on 11 April 2018, https://ec.europa.eu/newsroom/article29/items/622227.
Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 Pursuant to Directive 95/46/EC of the European Parliament and of the Council on the Adequacy of the Protection Provided by the EU-U.S. Privacy Shield, 2016 O.J. (L 207).
Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, 2021 O.J. (L 199) 31.
Commission Implementing Decision (EU) of 10 July 2023 Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the Adequate Level of Protection of Personal Data under the EU-US Data Privacy Framework, 2023 O.J. (L 231) 118.
Casalini, F. and J. López González, Trade and Cross- Border Data Flows, 220 OECD TRADE POLICY PAPERS 10 (2019).
European Data Protection Board, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), Version 2.1, Adopted on 12 Nov. 2019, https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf.
EDPB, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, Version 2.0, Adopted on 18 June 2021, https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf.
European Data Protection Board, Guidelines 01/2022 on data subject rights - Right of access, version 1.0, Adopted on 18 January 2022, https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf.
Executive Order (EO) 14086 of 7 October 2022, on Enhancing Safeguards for United States Signals Intelligence Activities.
In the matter of Meta Platforms Ireland Limited (previously known as Facebook Ireland Limited) Decision of the Data Protection Commission made pursuant to Section 111 of the Data Protection Act, 2018 and Articles 60 and 65 of the General Data Protection Regulation Further to an own-volition inquiry under Section 110 of the Data Protection Act 2018, Data Protection Commission Ireland (Adopted on May 12, 2023).
Presidential Policy Directive 28 – Signals Intelligence Activities, 17 January 2004.
Sofija Voronova and Anna Nichols, Understanding EU Data Protection Policy, EUROPEAN PARLIAMENTARY RESEARCH SERVICE (May, 2020), https://www.europarl.europa.eu/RegData/etudes/BRIE/2020/651923/EPRS_BRI(2020)651923_EN.pdf
(六)網路資料
About Us, EUROPEAN DATA PROTECTION SUPERVISOR, https://edps.europa.eu/about/about-us_en; Frequently Asked Questions, EUROPEAN DATA PROTECTION SUPERVISOR, https://edps.europa.eu/frequently-asked-questions_en (last visited Jan. 18, 2024).
Davinia Brennan et al., EU-US Data Transfers Back in the Spotlight Following Record €1.2bn Fine, MATHESON LLP (May 24, 2023), https://www.matheson.com/insights/detail/eu-us-data-transfers-back-in-the-spotlight-following-record-1.2bn-fine.
Davinia Brennan, WhatsApp decision considers scope of transparency obligations under the GDPR, A&L GOODBODY LLP (Sep. 24, 2021), https://www.techlaw.ie/2021/09/articles/data-protection/whatsapp-decision-considers-scope-of-transparency-obligations-under-the-gdpr/.
European Commission, Adequacy decisions, https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en#high-level-meeting-on-international-data-flows (last visited Jan. 18, 2024).
European Commission, New Standard Contractual Clauses - Questions and Answers Overview, https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/new-standard-contractual-clauses-questions-and-answers-overview_en (last visited Jan. 24, 2024).
NOYB, European Commission Gives EU-US Data Transfers Third Round at CJEU (July 10, 2023) https://noyb.eu/en/european-commission-gives-eu-us-data-transfers-third-round-cjeu.
Nick Clegg and Jennifer Newstead, Our Response to the Decision on Facebook’s EU-US Data Transfers, META (May 22, 2023), https://about.fb.com/news/2023/05/our-response-to-the-decision-on-facebooks-eu-us-data-transfers/.
Nicole Beranek, SCCs and CoCs and BCR – Untangling the Web and Spotting the Difference, INPLP (Nov. 26, 2021), https://inplp.com/latest-news/article/sccs-and-cocs-and-bcr-untangling-the-web-and-spotting-the-difference/.
Tasks and Duties, EUROPEAN DATA PROTECTION BOARD, https://edpb.europa.eu/about-edpb/what-we-do/tasks-and-duties_en (last visited Jan. 18, 2024). |
| Description: | 碩士
國立政治大學
國際經營與貿易學系
110351042 |
| Source URI: | http://thesis.lib.nccu.edu.tw/record/#G0110351042 |
| Data Type: | thesis |
| Appears in Collections: | [國際經營與貿易學系 ] 學位論文
|
Files in This Item:
| File |
Description |
Size | Format | |
|---|
| 104201.pdf | | 1854Kb | Adobe PDF | 0 | View/Open |
|
All items in 政大典藏 are protected by copyright, with all rights reserved.
|
