Please use this identifier to cite or link to this item:
https://nccur.lib.nccu.edu.tw/handle/140.119/128554
|
Title: | GDPR跨境傳輸例外規範與WTO規範下 GATS之合致性分析 The legal analysis of GDPR cross-border data transfer exception regulation under GATS of WTO |
Authors: | 張安潔 Chang, Ann-Chie |
Contributors: | 薛景文 Hsueh, Ching-Wen 張安潔 Chang, Ann-Chie |
Keywords: | Data protection regulation; Cross-border data transfers; GDPR; GATS |
Date: | 2020 |
Issue Date: | 2020-02-05 17:03:11 (UTC+8) |
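Abstract: | The formal implementation of the EU General Data Protection Regulation (GDPR) in 2018 set an important milestone for data protection regulation. The scope of data protection was extended to users' activity traces on the Internet, with emphasis that data subjects hold sovereignty over their data and that data controllers and processors must strictly comply with their obligations. In addition, the GDPR in principle prohibits the transfer of data from within the EU to outside it, permitting only a few specific exceptions. This makes the GDPR not only an innovation in the development of data protection but also a source of impact on the rules of international trade.

The rise of the big data era has made "data" a highly valuable asset, because the Internet lets cross-border commerce overcome geographical barriers and easily reach consumers in other countries. Companies can collect and process across borders the data that consumers generate online and use it for marketing analysis, which is an important basis for business development. However, the GDPR's prohibition in principle of cross-border transfers directly affects companies doing business in the EU, prompting doubts from many quarters as to whether the regulation erects a trade barrier in the name of data protection. This thesis focuses on whether the three permitted exceptions for cross-border transfers under the GDPR (country adequacy decisions, appropriate protection measures, and data subject consent) are in substance a narrow gate that is hard to pass, in violation of WTO rules such as most-favored-nation treatment, national treatment and mutual recognition.

By compiling the legislation and related official interpretive documents, this thesis explains the EU's data protection legal framework and background, the GDPR's definition of data, the rights and obligations of data subjects and of data controllers and processors, and the principle governing cross-border transfers together with each of the permitted exceptions, in support of the subsequent consistency analysis. It also uses a literature review to summarize scholars' views on potential conflicts between GDPR cross-border transfers and WTO trade law. It then compiles past WTO cases on most-favored-nation treatment, national treatment and mutual recognition to analyze whether the permitted exceptions violate WTO rules. Overall, the permitted exceptions do not in substance violate WTO rules, and many countries and companies do in fact rely on them to transfer data across borders. There is nonetheless room for improvement: even though the rules do not breach WTO obligations, the application procedures are mostly time-consuming and costly, and the pursuit of a level of data protection equivalent to the GDPR's may still disadvantage small and medium-sized enterprises and countries whose data protection rules are still developing.

The adoption of the General Data Protection Regulation in the European Union in 2018 is an important milestone for data protection regulations. The scope of data protection has been extended to the traces of use on the Internet, emphasizing that data subjects have sovereignty over their data and that data controllers and processors must strictly abide by their obligations. Furthermore, the GDPR prohibits the cross-border transfer of data from the EU to other countries, with only a few specific exceptions. Hence, the GDPR not only provides a new perspective on the development of data protection but also exerts a significant impact on the regulation of international trade. The rise of the era of big data makes "data" a very valuable asset, because the Internet enables transnational commercial trade to break through the barriers of geographical boundaries and easily reach consumers in other countries. The data generated by consumers on the Internet can be analyzed by companies through cross-border collection and processing, which is an important basis for business development.

However, the GDPR's prohibition in principle of cross-border transmission directly impacts companies doing business in the European Union, which has led to questions from all quarters as to whether the regulation is a barrier to trade in the name of data protection. This article focuses on whether the three exceptions for GDPR cross-border data transfers (adequacy decisions, appropriate protection measures, and data subject consent) are essentially a narrow gate that is difficult to pass, in violation of WTO most-favored-nation treatment, national treatment, mutual recognition and other rules. This paper analyzes the consistency of the exceptions for cross-border data transfers with GATS rules, especially most-favored-nation treatment, national treatment, and mutual recognition. Overall, the exception regulations do not substantially violate the WTO regulations. However, further improvement is needed, because the application process is time-consuming and expensive, and the requirement that data protection meet the standard of the GDPR may have a negative impact on SMEs and developing countries. |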
Description: | Master's thesis, National Chengchi University, Department of International Business, 106351043 |
Source URI: | http://thesis.lib.nccu.edu.tw/record/#G0106351043 |
Data Type: | thesis |
DOI: | 10.6814/NCCU202000087 |
Appears in Collections: | [Department of International Business] Theses
|
Files in This Item:
File | Size | Format |
104301.pdf | 1141Kb | Adobe PDF |
|
All items in 政大典藏 are protected by copyright, with all rights reserved.
|