欧盟《一般数据保护条例》的周年回顾与反思

Annual Review and Reflection of the EU General Data Protection Regulation

欧盟《一般数据保护条例》正式实施已满一年。一年来,从制度细化到执法处罚,欧盟数据保护委员会和各成员国数据保护局各司其职,提升了欧盟公众对个人数据权利的关注度,并对全球的企业和立法者产生了深远影响,可谓成绩斐然。但另一方面,其执法并未达到“一致性”和“一站式”的承诺,没有实现建立企业与用户间信任的目的,并已阻碍了数字经济发展。我国应汲取其经验和教训,在《个人信息保护法》制定中,明确其“通用性”和“一般性”,灵活解释个人“知情同意”规则,并将“双边信任”而非“单边个人信息权利保护”作为制度设计的基点。

The EU General Data Protection Regulation has been officially implemented for one year. In the past year, from the refinement of the institution to the law enforcement, the European Data Protection Board and the Data Protection Authorities of each member country have performed their respective duties, increasing the attention of the EU public on the right to personal data and exerting a profound influence on global enterprises and legislators with remarkable achievements. On the other hand,its law enforcement neither achieved the "consistency" and "one-stop-shop" commitment, nor accomplished the purpose of building trust between enterprises and users. On the contrary, it has hindered the development of the digital economy. China should learn from its experience and lessons. In the formulation of the Personal Information Protection Law, we should clarify its "universality" and "generality", flexibly interpret the individual "informed consent" rules, and take "bilateral trust between both parties" instead of "unilateral protection of personal information rights" as the basis of institutional design.