欧盟《一般数据保护条例》:演进、要点与疑义

An Overview of the General Data Protection Regulation-Evolution,Key Points and Major Issues

欧盟《一般数据保护条例》具有明显的功能主义的立法特征,体现了数据问题的复杂本质——保护法益的多样性。这包括数据主体对数据的支配权,数据控制者和处理者对数据的使用收益权,也涉及国家(地区)的数据主权。《一般数据保护条例》借助市场地原则和个人数据处理概念拓宽适用范围;遵循保护前置理念构建数据主体权利,将类型化的数据保护前置到数据收集、处理阶段,确立了数据可携权、删除权等非绝对性权利;引入了数据"归属"不排斥"利用"的跨境传输规则。该条例存在价值困境和技术困境,这是经济全球竞争格局下法律价值序列的平衡所提出的最大挑战。数据立法区域竞争的实质是数字经济的全球竞争,而法律价值序列处于变动平衡和重组之中,是立法者对市场竞争优势、经济长期发展和社会目标实现的不同选择和不同追求。数字技术引发的问题绝不限于是否立法,更在于采取何种价值序列、以何种方式立法,及如何与既有法律监管体系相协调。无论采取何种数据立法模式,技术路径绝非可取之策,机械分离数据主体和数据控制者,采取单一价值取向的个人数据保护法的立法模式,亦非数字时代的最佳选择。

The General Data Protection Regulation(GDPR)bears obviously functional legislative characteristics and reflects the complex nature of the data problem concerning the protection of diversified legal interests,which include the data subject’s control over data,the usage of data by the controllers and processors,and the data sovereignty of a country(or region).GDPR broadens its scope of application by means of the market location principle and the concept of personal data processing.It follows the idea of pre-protection to construct data subject rights,pre-setting different types of data protection to the data collection and processing stage,and establishing non-absolute rights such as the right to data portability and to erasure.It introduces cross-border data transfer rules whose data“ownership”does not exclude“utilization”.GDPR has encountered both value and technical dilemma,which are the biggest challenges raised by the balance of the legal value sequence under the context of global economic competition.The data legislative competition is in essence the global competition of the digital economy.The sequence of legal values is facing a process of changing balance and reorganization,which is the outcome of the different choices and pursuits of the legislators for market competitive advantages,long-term economic development and social goals.The problems brought about by digital technology are by no means limited to whether legislation is being implemented.It involves as well issues such as what kind of value sequence to adopt,how to legislate,and how to coordinate with the existing legal supervision system.Regardless of the legislative model,the technical path is by no means a desirable one,while the mechanical separation of data subjects from data controllers and the introduction of pure personal data protection legislation may not be the best option.