《欧盟数据保护条例》(GDPR)已于2018年5月25日生效。在此之前(乃至直至现在),隐私律师为此已经忙碌了很久。由于GDPR具有某种“域外效力”,位于欧盟之外的企业也总会担心,希望了解自己在欧洲之外的生意是否收到影响。
The EU General Data Protection Regulation (GDPR) has come into force on 25 May 2018. Before the day (and maybe until today), privacy lawyers have been busying in advising their clients on how to comply with the new law . In particular, since GDPR implies certain “extra-territorial effect”, enterprises located outside of EU are also seeking advice from their counsels on whether the the new regulation would impact their business outside of Europe.
香港電腦保安事故協調中心 (HKCERT) 在一篇帖子里列出了GDPR适用于非欧洲企业的一些例子:
In their post, HKCERT has listed a few examples where a non-EU company’s service would be considered under GDPR’s umbrella.
- 未在欧洲设立任何分支机构的一间公司,通过建立于美国服务器的网站向在欧洲内的个人提供免费的社交服务——GDPR适用
A Company without any EU subsidiaries offering free social media services via a website hosted in US to individuals in the EU – GDPR applies - 酒店预订服务,使用cookies追踪过往顾客(包括身在欧盟的顾客)的浏览历史,以便定向投放广告——GDPR适用
Hotel book business using cookies to track past customers’ (including EU-based customers) browsing in order to target specific hotel adverts to them – GDPR applies - 一家香港的鲜花速递公司允许身处于欧洲的个人通过该公司的网站在香港订购鲜花并送达香港本地的收件人。而送花的费用是以欧元计价——GDPR适用
HK flower delivery company allowing individuals in the EU to make orders for fulfilment only in HK. The price for the flower delivery services is denominated in an EU currency – GDPR applies - 香港的零售公司使用网站接收预订并送货。身处欧洲的个人可以访问网站,但网站是英文的。订单是以港币计价,送货范围仅限香港地址—— GDPR不适用
HK retailer with a website for orders/deliveries. The website is accessible to individuals in the EU in English. The currency is the HK dollar and the address fields only allow HK addresses – GDPR doesn’t apply
那么,究竟应该掌握什么规律,才可以简单确定GDPR的跨境效力呢。很简单:如果你的企业不在欧洲,并且不以身处于欧洲的个人为目标消费者,那么GDPR就管不了你。
Put it in simple, the extra-territorial effect of GDPR is limited. If your company is not targeting individuals who are physically staying in the territory of Europe, GDPR won’t apply to your business.
需要澄清的是:GDPR并不管EU国家公民在EU范围外接受服务时,提供自己的个人信息的情况——只要这些信息的采集和处理过程均是在 EU境外完成。例如,下面这些例子中,服务提供者并不需要将 GDPR作为其处理EU护照持有者的个人信息时的准则,而只需要遵守服务提供当地的法律:
It is important to clarify that GDPR does not apply to the collection and process of a EU passport holder’s personal data when the personal data is collected and processed outside of EU. For examples, in the following cases, service providers don’t need to take GDPR as the standard for the processing of personal data collected from a EU passport holder, but just need to consider the local laws where the service is provided:
- 一家日本旅行社为一名通常居住于以色列的法国人提供旅行服务;
a Japanese company offering tourism services to French expats living permanently in Israel; - a mobile APP recommending restaurants in Hong Kong, which enables a UK passport holder to book table and receive discounts.
一个推荐香港的餐厅的手机APP,可以让身处香港的英国人通过预定餐厅或者获得优惠。
事实上,GDPR其实根本不考虑国籍(其第二条已经说得很清楚了)。GDPR考虑的是在欧盟范围内的任何数据主体的权利。所以,一位旅居于德国的叙利亚难民也拥有与欧洲护照持有者相同的权利。如果你的公司瞄准了在欧洲留学的中国学生,那么你也要以GDPR作为自己的隐私权政策标准。
In fact GDPR never considers citizenship (according to its Article 2). It simply protects the rights of data subjects for anyone living in the territory of EU. Therefore, a refugee living in Germany will enjoy the same right to the EU passport holders. If your company targets Chinese students studying in Europe, then you should take GDPR as the standard of your privacy policy.
GDPR的跨境效力,其实主要是体现在其对在欧洲营业的企业的规管:只要你的营业地是在欧洲,或者是只要收集信息的主体位于欧洲,那么不管你收集的是来自哪里的个人信息,你都需要符合GDPR的要求。更多的例子可以参考这里。
The extra-territorial effect of GDPR is mainly reflected in its effects to the companies who are operating in the territory of EU. Namely, if a data collector/controller is located in EU, then it shall comply with GDPR, without considering whose data will be collected and where the data will be originated. See more examples here.
合规过程不易,但思路应当保持简洁。
The process of compliance is not easy, but its concepts should be kept simple.