Insights Into the Future of Data Protection Enforcement: Regulatory Strategies of European Data Protection Authorities for 2021-2022


With GDPR enforcement visibly ramping up over the past year, it is important to understand the key enforcement areas targeted by regulators, as well as the complex or sensitive personal data processing activities for which DPAs plan to issue compliance guidance or shape public policy. Last year, the Future of Privacy Forum released a report outlining EU DPAs' regulatory priorities for 2020 and the following years, based on the strategic documents those authorities published in the first half of that year. Since then, most DPAs have published their 2020 annual reports as well as new short- or long-term strategies. FPF's researchers compiled and analysed these new strategic documents, describing where the different DPA strategies overlap and where they have noteworthy particularities. They conclude that enhanced enforcement of data protection rules against large foreign tech players may be expected.




Philippines: NPC issues advisories on implementing ISO privacy standards


The National Privacy Commission ('NPC') published, on 4 August 2021, four advisories on the implementation of data protection standards issued by the International Organization for Standardization ('ISO'), namely ISO/IEC 29100 (privacy framework), ISO/IEC 29151 (code of practice for protecting personally identifiable information), ISO/IEC 24760 (identity management framework), and ISO/IEC 29134 (guidelines for privacy impact assessment). In particular, the NPC confirmed that these standards are recognised as Philippine National Standards by the Bureau of Philippine Standards and called on organisations to adopt them within their privacy frameworks. More specifically, the NPC emphasised that applying these standards may strengthen the protection of personal data and enhance compliance with the Data Privacy Act of 2012 (Republic Act No. 10173).




Germany: Bundesgerichtshof publishes decision addressing scope of data subject access requests


The Federal Court of Justice ('Bundesgerichtshof') issued, on 15 June 2021, its decision in a case addressing the scope of data subject access requests under Article 15 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The Bundesgerichtshof held that the defendant had failed to include, in its response to the access request, all of the information covered by Article 15 of the GDPR. It also relied on the definition of 'personal data' in Article 4(1) of the GDPR and, in line with the case law of the Court of Justice of the European Union, held that the term must be interpreted broadly: it is not limited to sensitive or private information and can encompass objective or subjective opinions or assessments, provided the information relates to the data subject. For controllers, the practical consequence is that a response limited to master records is unlikely to satisfy Article 15; internal assessments and evaluations about the data subject are within scope. Moreover, the Bundesgerichtshof confirmed that, in accordance with Recital 63(1) of the GDPR, data subjects may request access to their information repeatedly.




US rep. reintroduces children's privacy bill


USA Today reports U.S. Rep. Kathy Castor, D-Fla., reintroduced her Protecting the Information of our Vulnerable Children and Youth Act. The bill, which covers minors ages 13 to 17, prohibits targeted advertising to minors, requires privacy impact assessments for all covered entities and allows a private right of action for parents to bring claims. In a statement, Castor said companies can't "unreasonably track and target children," adding that it's time to address "minimal privacy protections in place today" by bringing safeguards "into the 21st century."




ICO reviews impact of AI guidance


In a blog post, U.K. Information Commissioner’s Office Senior Policy Officer for Innovation Abigail Hackston looks back at the first year of the ICO’s “Explaining decisions made with AI” guidance. Fifty-six organizations said the guidance “clearly defined the key elements needed to build explainable AI systems.” In response to the input, fundamental elements of the guidance were added to new “at a glance” sections for easier access and case studies will be added to highlight practical examples.




IAB Europe releases contextual advertising guide


IAB Europe released a guide on contextual advertising. The guide defines contextual advertising and explores the opportunities it provides Europe as third-party cookies are phased out. The document also provides best practices to ensure contextual advertising is used efficiently and looks at how it may evolve. "Utilising alternate solutions, such as the contextual advertising opportunity, is essential to ensuring success in a post third-party cookie world," the guide states.




ICO publishes direct marketing guidance for public sector


The U.K. Information Commissioner's Office published guidance on direct marketing in the public sector. The guidance aims to help public sector organizations understand when direct marketing rules apply to their communications. "If you work in the public sector, the law doesn’t stop you from sending promotional messages when they are necessary for your task or functions," ICO Director Anthony Luhman said. "However, there are times when the direct marketing rules will apply and we want to help the public sector get it right."




EU: European Parliament launches briefing on data challenge


The European Parliament's Think Tank released, on 28 July 2021, its briefing on data-related challenges for the European Union, as requested by the Special Committee on Artificial Intelligence in a Digital Age (AIDA). In particular, the briefing notes that the exponential growth and importance of data generated in industrial settings have attracted the attention of policymakers seeking to create a suitable legal framework for its use. Although the briefing states that the term 'industrial data' has no clear definition, such data has certain distinctive characteristics: it is a subset of big data collected in a structured manner within industrial settings, is frequently proprietary, and often contains various types of sensitive data.

While noting that the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') provides highly relevant rules for such data, the briefing finds that the current and planned rules for business-to-business sharing of industrial data exhibit many shortcomings: they lack clarity on key issues, increase the administrative burden for companies, and do not always provide the data protection that businesses require. Lastly, the briefing calls for policy intervention, mindful that the instrument and its content should be carefully considered and that soft law might clarify the existing rules.





EU: Parliament releases paper on use of AI in smart cities and urban mobility


The European Parliament released, on 23 July 2021, a paper on the use of artificial intelligence ('AI') in smart cities and urban mobility provided by the Policy Department for Economic, Scientific and Quality of Life Policies. In particular, the paper focuses on relevant use cases and challenges faced by the public sector when it comes to the uptake and deployment of such AI solutions.



FTC removes company from COPPA Safe Harbor program


The U.S. Federal Trade Commission announced Aristotle International is no longer part of the Children’s Online Privacy Protection Act Safe Harbor program. The FTC was concerned Aristotle was not sufficiently monitoring its member companies to see whether they followed its guidelines that provide "the same or greater protections for children as the COPPA Rule." Aristotle later withdrew from the Safe Harbor Program. FTC Commissioner Rohit Chopra said on Twitter the delisting "is an important course correction when it comes to enforcing children's privacy protections."




Brazilian DPA to adopt 'responsive approach' to LGPD enforcement


Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados ('ANPD'), said it will adopt a responsive approach toward enforcement of the General Data Protection Law (Lei Geral de Proteção de Dados, 'LGPD'), ZDNet reports. "It is much easier to apply a fine and then move to the legal sphere," ANPD Director Waldemar Ortunho Junior said. "This process is laborious, but by observing other regulatory agencies, we concluded that the effect of a responsive regulation is much more positive." Enforcement of the LGPD began Aug. 1.





Mergers: Commission opens in-depth investigation into proposed acquisition of Kustomer by Facebook


On 2 August 2021, the European Commission opened an in-depth investigation to assess the proposed acquisition of Kustomer by Facebook under the EU Merger Regulation. The Commission is concerned that the proposed transaction would further strengthen Facebook's position in the online display advertising market by increasing the already significant amount of data available to Facebook for personalising the ads it displays. The Commission is also concerned that the proposed transaction would reduce competition in the market for the supply of customer relationship management (CRM) software. The proposed transaction was notified to the Commission on 25 June 2021. The Commission now has 90 working days, until 22 December 2021, to take a decision.




Russia opens case against WhatsApp for violating personal data law


Russia on Friday launched administrative proceedings against Facebook's (FB.O) WhatsApp for what it said was a failure to localise the data of Russian users on Russian territory, the Interfax news agency reported. There was no immediate comment from Facebook. A day earlier, a Russian court fined Alphabet Inc.'s Google (GOOGL.O) 3 million roubles for violating personal data legislation and registered administrative proceedings against Facebook and Twitter (TWTR.N) for the same offence. The cases are part of a wider spat between Russia and Big Tech, with Moscow routinely fining social media giants for failing to remove banned content and seeking to compel foreign tech firms to open offices in Russia. WhatsApp could be fined between 1 million and 6 million roubles ($13,700 to $82,250), Interfax reported, citing court documents. A court date has not yet been set.




Zoom agrees to pay $85M to settle privacy lawsuit


Zoom agreed to pay $85 million to settle a lawsuit alleging it violated user privacy by sharing personal data with technology companies and allowing hackers to conduct "Zoombombing" attacks, Reuters reports. In addition, Zoom agreed to provide privacy and data handling training for employees and to implement a slate of security measures. The settlement still needs approval from U.S. District Judge Lucy Koh.




Amazon to pay customers $10 for palm prints


Amazon will pay $10 in promotional credit to customers who enroll their palm prints at stores equipped with its biometric scanning technology and link it to their Amazon account, TechCrunch reports. Amazon said it indefinitely stores the data, which can be used to target advertisements and make recommendations to users. Surveillance Technology Oversight Project Executive Director Albert Fox Cahn expressed concern over such use of biometric data. “The more we normalize these tactics, the harder they will be to escape,” he said.





Japanese firms working on facial recognition-based payment platform


A quartet of Japanese-based companies are drawing up plans for a payment platform driven by facial recognition technology, The Japan Times reports. Panasonic, financial firms Resona Holdings and JBC, and Dai Nippon Printing want to devise a system that allows withdrawals, deposits and transfers of money using facial recognition to identify and verify users. The images used for face matching will come from cameras registered to a common server. The companies aim to roll out the platform by April 2022.




Apple reveals new efforts to fight child abuse imagery


In a briefing on Thursday afternoon, Apple confirmed previously reported plans to deploy new technology within iOS, macOS, watchOS, and iMessage that will detect potential child abuse imagery, but clarified crucial details from the ongoing project. For devices in the US, new versions of iOS and iPadOS rolling out this fall have “new applications of cryptography to help limit the spread of CSAM [child sexual abuse material] online, while designing for user privacy.”




Why it's important for legislation to address dark patterns


In an op-ed for Reuters, Foley & Lardner Counsel Catherine Zhu, CIPP/E, CIPP/US, writes about the importance of legislation to address dark patterns. Zhu writes California and Colorado have passed privacy legislation banning dark patterns and Washington is among states with bills in the works. Zhu adds it's important for organizations to pay heed to this legislative trend. "This proliferation in usage of dark patterns has been proven to have a disparate impact on consumers, and, if unchecked, will likely exacerbate current inequities as we adapt AI and automated technologies," Zhu writes.




Privacy risks with EU's remote learning, rise in edtech


Euractiv reports on privacy issues the EU faces with online learning and using more educational technology in the wake of COVID-19. Concerns were raised about the collection of students' data through artificial intelligence-based edtech deployments, which will only grow as students return to school this fall, and what sufficient safeguards should look like for those deployments. "We need spaces where we can rethink, assess and deploy technology in a beneficial and safe way for everyone," London School of Economics Researcher Ioanna Noula said.




Data laundering leads to privacy risks


Security Boulevard reports on the growing privacy and security risks of data laundering, that is, acquiring data illegally and then passing it off as legitimately sourced. Data laundering can create storage and security problems, expose businesses to data privacy lawsuits, and more. PKWARE Vice President of Security and Privacy Chris Pin said businesses should verify the validity of their data sources. "As time goes on, more data privacy laws will catch up, making the chain of custody a data requirement that every organization and federal office begins to enforce," he said.




