摘要
2018年5月,欧盟《一般数据保护条例》(GDPR)正式生效,极大地改变了有关数据保护的国际法律格局。其中,第6条规定了六种数据处理的合法性依据,数据主体的同意无疑是最重要和应用最广泛的一种。但同意的实质内涵仍然是困扰学术界和实务界的关键问题。为此,2020年5月,欧洲数据保护委员会(EDPB)在原第29条工作组相关工作的基础上,根据其行动计划发布了《关于〈一般数据保护条例〉规定的同意的指南》,旨在从有效同意的要素、同意的明确性、其他要件、与其他法律依据的关系、特定领域的同意问题,以及原《95/46EC指令》下同意的效力等方面全面解释了GDPR有关同意的构成要件及其适用。鉴于欧洲数据保护委员会在贯彻实施GDPR中的重要作用,以及同意作为数据处理的法律依据的重要性和广泛性,本指南正在并将继续对欧盟乃至全球的数据保护实践产生极其广泛的影响。另一方面,由于本指南带有极其强烈的释义学和面向实务的特征,因此就具备了重要的比较法价值。我国现行有关网络安全和个人信息保护的法律仅将信息主体同意作为数据处理的合法性依据,未规定任何例外情况。有鉴于此,作为推荐性国家标准的《信息安全技术个人信息安全规范》坚持信息主体同意这一原则的基础是较多借鉴了GDPR的立法经验,明确规定了同意的例外情形。在这个意义上,作为GDPR的权威解释的欧洲数据保护委员会的相关指南就对我国的个人信息保护立法和实践具有重要的借鉴意义。为此,本人不揣浅陋,将本指南译为中文,以期对学界有所裨益。
In May 2018,the EU's General Data Protection Regulation(GDPR)came into effect,which greatly changed the international legal pattern.Article 6 GDPR sets the conditions for a lawful personal data processing and describes six lawful bases on which a controller can rely.Among them,the consent of data subject is the most important and widely used lawful basis.However,what is the substantive mean of consent is still a key problem that plagues academic and practical circles.To this end,in May 2020,EDPB issued Guideline 5/2020 on consent under Regulation 2016/679 based on the work of Article 29 Working Party and its own plan.This guide has comprehensively explained the conditions for obtaining consent under GDPR from several perspectives,including the elements of valid consent,explicitness of consent,additional conditions for consent,interaction between consent and other lawful grounds,the issue of consent in specific areas,and the validity of consent obtained under Directive 95/46/EC.Having regard to the important role of EDPB in implementing GDPR,and the importance and breadth of consent as a lawful basis for data processing,this guide is and will continue to have an extremely wide impact on data protection practices in the European Union and even around the world.In addition,because of its strong hermeneutic and practical characteristics,this guide has important value in comparative law.The current legislations on network security and personal information protection take the consent of information subjects as the only lawful basis for data processing,without any exception.In view of this,as a recommendable national standard,on the basis of adhering to the principle of consent of information subject,Information security technologyPersonal information security specification has drawn on the legislative experience of GDPR and clearly stipulated the exceptions to consent.In this sense,as the authoritative interpretation of GDPR,The relevant guidelines of the EDPB are of great significance to the legislation and practice of personal information protection in China.In view of this,author bold mean,will translate it into Chinese,for everybody criticism.
基金
教育部重大攻关项目“大数据时代个人信息保护边界与策略研究”(项目批准号:17JZD031)的阶段性成果。
作者简介
敖海静:中国人民大学法学院博士后研究人员,讲师,法学博士。
