雲端跨境資料傳輸管制政策之探討

以作者查詢圖書館館藏

、以作者查詢臺灣博碩士

、以作者查詢全國書目

、勘誤回報

、線上人數：16

、訪客IP：3.149.27.202

姓名

林幸萱(Hsing-Hsuan Lin) 查詢紙本館藏

畢業系所

產業經濟研究所

論文名稱

雲端跨境資料傳輸管制政策之探討
(Regulating Cross-Border Data Flow in the Era of Cloud Computing)

相關論文

★ 網路中立原則 - 我國管制可能性之研究	★ 電子投票與民主參與－以英國之實驗經驗為借鏡
★ 智慧財產證券化—法制環境之檢討與建議	★ 開放源碼軟體商業應用之法律爭議及其可能之解決途徑
★ Google Books計畫所涉之法律問題研析─以反托拉斯法律相關議題為中心	★ 論債權式新資金引入—以公司重整制度為中心
★ 頻譜資源分配之政策─以開放模式為目標	★ 律師業管理機制與公平交易法衝突之研究─從法易通案談起
★ 專利主張實體問題之研究─以美國經驗為借鏡	★ 論跨媒體合併行為之管制―以民主機能之健全為中心
★ 雲端個人健康資訊系統專法芻議 ─以平衡、有效之隱私保護為核心	★ 離職後競業禁止約款之適法性研究－以人才流動自由化為政策取向
★ 網路環境中之著作權法第一次銷售原則－迷思之化解與困境之突破	★ 非實施專利實體與專利訴訟－美國發明法實施前後之實證分析
★ 美國軟體專利適格性之研究 —談審查之趨勢與我國企業的因應之道	★ 新興市場中之合作與競爭—以U.S. v. Apple案為中心

檔案

[Endnote RIS 格式]

[Bibtex 格式]

[相關文章]

[文章引用]

[完整記錄]

[館藏目錄]

[檢視]

[下載]

本電子論文使用權限為同意立即開放。
已達開放權限電子全文僅授權使用者為學術研究之目的，進行個人非營利性質之檢索、閱讀、列印。
請遵守中華民國著作權法之相關規定，切勿任意重製、散佈、改作、轉貼、播送，以免觸法。

摘要(中)

雲端運算(cloud computing)為一種大量且可擴充之電腦運算技術，透過網際網路，提供使用者各類型軟硬體資源，其高效能、高彈性，以及快速便捷之特性，受到大量用戶喜好。雲端服務已大幅改變人們儲存與處理資料之方式，從既有的本地儲存，移轉至雲上世界。而為了支持系統運營與承載巨量資料運算，雲端服務業者於不同國家設置數個資料中心以進行資料之處理與儲存。此等「異地儲存」之型態，使雲端之個人資料經常脫離其母國法律之地域管轄。資料經傳輸至他國後，其所受之隱私保護若不及於原先母國之標準，可能形成對於個人資料隱私保護之危險。
為保障個人資料於雲端各地資料中心流動之隱私與安全，歐盟等諸多國家原則禁止跨境資料傳輸，惟我國個資法則採相當寬鬆之原則允許制。欲探究如何保護雲端個人資料跨境傳輸之安全，本文以使用者所在地為母國，依資料中心所在地將雲端服務區分為四種情境。分別將四種情境置於歐盟GDPR與我國個資法檢視何時構成跨境傳輸，並分析歐盟與我國跨境傳輸管制政策之優劣。
限制資料跨境傳輸有其利弊，不同利益取捨，難謂有完美之道，惟就我國而言，限制傳輸係屬必要。近年來若干雲端服務業者將資料中心設置於隱私保護標準顯著低於我國之國家，蓋因我國未限制跨境傳輸，倘該等業者未為妥善保護措施或未經資料主體同意，逕將資料跨境傳輸至缺乏隱私保護之國家，我國資料主體之隱私遭受侵害時，將難以主張其權利。
因此，本文建議個資法當務之急應先釐清跨境傳輸之定義，並適當限制資料跨境傳輸。參考歐盟之政策，建立屬於我國之資料保護分級名單，依資料傳輸至不同層級之國家予以不同程度之限制。而為了在保護個人隱私之餘，同時顧及資料流通之需求與利益，本文羅列數項例外允許傳輸之條件，提供未來立法者參考。

摘要(英)

Cloud computing is a type of technique that can storage and process massive demands of data through the Internet. With its high flexibility and expansibility, cloud computing has soon become popular taste. It has changed the way people store and process data, from local storage into the world of cloud. In order to sustain monumental computing, cloud provider usually deploy several data centers in different countries around the world. This came into the result of transmitting data almost every moment in cloud computing. When personal data being stored or processed in the cloud, it might imperil the privacy of personal data.
EU and some other countries restrict transferring data outside one′s jurisdiction, so as to protect information privacy of data subjects. By contrast, Personal Data Protection Act in our nation adopts a fairly loose principle of allowance. In purpose of finding how to maintain personal data protection in the cloud, this paper sets out four scenarios of cloud computing. The four scenarios are respectively placed under GDPR and Personal Data Protection Act to examine what scenario constitutes data transfer. Restricting data transfer has its own pros and cons, it′s hard to say there exit a perfect law policy that can fit in every country. By analyzing two different cogitations of policy (whether to restrict or not), this paper aims to find the best policy for our nation.
This thesis argues our nation has the urgency to restrict personal data transfer. Recently, some cloud providers start to deploy their data centers in countries where it certainly lacks of data protection and privacy care. If we don′t restrict transferring data outside foreign countries, once the data subject gets hurt by unsafe transfer, he or she can hardly claim one’s rights.
Therefore, in order to protect data subject, this paper suggests to restrict data transfer, and sets several ways for permitting transfer. With EU policy as reference, we can establish a data protection classification list of our nation, and restrict or ban data transmission to countries with low data protection levels. While protecting the individuals’ privacy, the needs of keeping data flow should be taken into account too, this paper proposes several methods that exceptionally allow transfer.

關鍵字(中)

★ 隱私權
★ 個人資料保護
★ 跨境傳輸
★ 雲端服務
★ 資料安全

關鍵字(英)

論文目次

1 緒論 1
1.1 研究背景與動機 1
1.2 研究目的與問題意識 3
1.3 研究方法與限制 4
1.4 名詞定義 4
1.5 研究架構 5
2 雲端服務的現況與問題 7
2.1 雲端服務與雲端運算 7
2.1.1 三種服務類型 9
2.1.2 四種部署模式 10
2.1.3 雲端資料傳輸安全問題 12
2.2 個人資料保護於雲端資料傳輸之困難 14
2.2.1 科技設計思維迥異於法律 15
2.2.2 隱私權本質抽象 15
2.2.3 隱私權與其他利益之取捨 16
2.2.4 國家政府與科技巨人之結合 17
2.3 研究主要參考對象 19
2.3.1 雲端資料傳輸限制政策 19
2.3.2 歐盟與我國之相似性 20
2.4 基本情境設定 23
3 歐盟跨境資料傳輸法制分析 27
3.1 雲端資料之定性 28
3.1.1 去識別化資料 29
3.1.2 加密資料 30
3.1.3 切分資料 30
3.2 跨境傳輸之定義 31
3.3 雲端服務業者之法律地位 32
3.3.1 雲端服務業者為資料控管者 33
3.3.2 雲端服務業者為資料處理者 33
3.4 四種基礎情境分析 34
3.4.1 情境一 34
3.4.2 情境二 36
3.4.3 情境三 38
3.4.4 情境四 39
3.4.5 雲端階層關係 46
3.4.6 情境分析綜合討論 46
3.5 歐盟跨境資料傳輸限制 47
3.5.1 目的地資料保護適足性獲認可 (Adequacy Decision) 48
3.5.2 採行適當防護措施 (Appropriate Safeguards) 48
3.5.3 例外條款 (Derogations) 49
4 歐盟跨境資料傳輸政策之分析 53
4.1 基本管制政策 53
4.1.1 基本管制政策之類型 53
4.1.2 基本管制政策之論辯 54
4.2 政策執行概況與優劣分析 67
4.2.1 充足保護水準 (適足性) 67
4.2.2 適當防護措施執行概況 70
4.2.3 例外豁免條款認定標準 74
4.3 資料控制權與資料加密 75
5 我國跨境資料傳輸法制與分析 79
5.1 我國法制環境下的雲端服務 79
5.1.1 我國跨境資料傳輸之定義 79
5.1.2 雲端服務業者之法律地位 79
5.2 構成跨境處理之雲端情境 81
5.2.1 情境一 81
5.2.2 情境二 83
5.2.3 情境三 85
5.2.4 情境四 85
5.3 我國跨境傳輸政策之闕漏 89
5.3.1 定義與認定標準模糊 89
5.3.2 跨境傳輸管制鬆散 89
5.4 我國限制跨境傳輸之必要 90
5.4.1 雲端服務於我國之實際情況 90
5.4.2 未限制傳輸之具體風險 91
5.5 我國跨境傳輸政策之改善方向 94
5.5.1 我國有別於歐盟之特性 94
5.5.2 政策改善方向之建議 95
6 結論 101
參考文獻 105

參考文獻

中文文獻(依作者姓氏筆畫排序)
王泰銓，歐洲聯盟法總論，臺灣智庫 (2008)。

王明禮，論資訊隱私：科技與商業發展脈絡下的觀察，中原財經法學，第32期，頁61-105 (2014)。

江庭瑀，歐洲議會認為歐美資料隱私屏障協議未達適當保護水平，經貿法訊，第238期，頁15-20 (2018)。

宋柏霆，試析歐盟資料保護規則中境外傳輸之要求與我國個人資料保護法之合致性，經貿法訊，第196期，頁12-22 (2016)。

林玫君, 簡介歐盟一般資料保護規則 (GDPR)之跨境傳輸例外條款，經貿法訊，第233期，頁43-52 (2018)。

財團法人資訊工業策進會科技法律研究所，個資法保護1.0，書泉 (2012)。

郭戎晉，個人資料跨境傳輸之法律研究，科技法律透析，第27卷第8期，頁28-55 (2015).

張紹斌、徐仕瑋，從雲端運算談個資保護，司法新聲，第99期，頁28-36 (2011)。

張乃文，雲端運算產業發展之策略與法制因應：科技法律料保護法與歐盟個人資料保護指令的比較為中心，東海大學法學研究，第43期，頁53-106 (2014)。

張陳弘，國家建置全民健康保險資料庫之資訊隱私保護爭議---評最高行政法院 106年度判字第54號判決，中原財經法學，第40期，頁185-257 (2018)。

經濟部，2018年中小企業白皮書(2019)。

葉奇鑫，國家發展委員會106年度「個人資料保護專責機關與資料在地化之法制研究」委託研究計畫結案報告 (計畫編號：ndc106020, 2018)。

葉奇鑫，國家發展委員會歐盟GDPR適足性相關文件與判決之對外說明資料結案報告 (2018)。

樓一琳，何之行，個人資料保護於雲端運算時代之法律爭議初探暨比較法分析:以健保資料為例，臺大法學論叢，第46卷第2期，頁339-422 (2017)。

廖文華、張志勇，雲端運算概論，五南書局 (2016)。

劉靜怡，網路社會的資訊隱私權保護，二十一世紀雙月刊，第63期，頁17-27 (2001)。

劉靜怡，網際網路時代的資訊使用與隱私權保護規範: 個人、政府與市場的拔河，資訊管理研究，第4卷第3期，頁137-161 (2002)。

劉佐國、李世德，個人資料保護法釋義與實務，碁峰資訊 (2012)。

劉定基, 雲端運算與個人資料保謢，以台灣個人資料保護法與歐盟個人資料保護指令的比較為中心，東海大學法學研究，第43期，頁53-106 (2014)。

寰瀛法律事務所，個資法百問，新學林 (2013)。

Matthias Herdegen, 歐洲法，張恩民譯，韋伯文化國際 (2006)。

網路資源
高敬原，說好的保障用戶資料呢？蘋果連iCloud 「密鑰」一併轉移中國，數位時代，2018年2月26日。https://www.bnext.com.tw/article/48286/apple-is-moving-icloud-encryption-keys-for-chinese-users-to-china.

何明諠, 獨立的個資專責機關哪裡找？臺灣人權促進會，2018年6月12日。https://www.tahr.org.tw/news/2268.

風傳媒，果粉資料會落入中國手中嗎？蘋果官方答覆：台灣香港用戶資料在美國，目前不受影響，2018年1月1日。https://www.storm.mg/article/384340

中央社，雲端資料庫設中國恐外洩，立委促部會正視個資法，2019年4月17日。https://www.taiwannews.com.tw/ch/news/3682192

個資與隱私保護專責機關DPA，2017年9月。https://talk.vtaiwan.tw/t/topic/1442

外國文獻
Books
KUNER, CHRISTOPHER, TRANSBORDER DATA FLOWS AND DATA PRIVACY LAW, 4 (Oxford Univ. Press ed., 2013).

KAVIS, MICHAEL J., ARCHITECTING THE CLOUD: DESIGN DECISIONS FOR CLOUD COMPUTING SERVICE MODELS 51 (Wiley. eds., 1st, 2014).

MARINESCU, DAN, CLOUD COMPUTING: THEORY AND PRACTICE 2 (Morgan Kaufmann eds., 2th ed. 2018).

Cases
Case C-362/14, Maximillian Schrems v Data Protection Commissioner, ECLI:EU:C:2015:650.

Case C-131/12 Google Spain SL and Google Inc v. AEPD and Mario Costeja González, ECLI:EU:C:2014:317.

Journal Articles, Book Chapters and Reports
Article 29 Working Party Document No. WP262, “Guidelines on Article 49 of Regulation 2016/679”, adopted on 6. Feb, 2018.

Article 29 Working Party Document No. WP254, “Adequacy Referential (Updated)”, adopted on 28. Nov, 2017.

Article 29 Working Party Document No. WP216, Opinion 05/2014 on Anonymisation Techniques, adopted on 10. April, 2014.

Article 29 Working Party Document No. WP179, “Opinion 8/2010 on Applicable Law”, adopted on 16. Dec, 2010.

Article 29 Working Party Document No. WP169, “Opinion 1/2010 on the Concepts of “Controller” and “Processor””, adopted on 16. Feb, 2010.

Article 29 Working Party Document No. WP136: “Opinion 4/2007 on the Concept of Personal Data”, adopted on 20. June, 2007.

Article 29 Working Party Document No. WP56, “Working Document on Determining the International Application of EU Data Protection Law to Personal Data Processing on the Internet by Non-EU Based Web Sites”, adopted on 30. May, 2002.

Article 29 Working Party Document No. WP29, “Opinion 4/2007 on the Concept of Personal Data”, adopted on 20. June, 2007.

Article 29 Working Party Document No. WP12, “Transfers of Personal Data to Third Countries : Applying Articles 25 and 26 of the EU Data Protection Directive”, adopted on 24. July, 1998.

A Commentary by the UK Data Protection Registrar, in Ninth Annual Report of the Data Protection Registrar 66-75 (1993).

Box, Sarah, Internet Openness and Fragmentation: Toward Measuring the Economic Effects, (Centr. for Int. Gov. Innov., Paper Series No. 36, 2016).

Bauer, Matthias, Hosuk Lee-Makiyama, Erik van der Marel, & Bert Verschelde, The Costs of Data Localisation: Friendly Fire on Economic Recovery, (ECIPE Occasional Paper, No. 3, 2014)

Commission Decision 2010/87/EU, of 5 February 2010 on Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries Under Directive 95/46/EC of the European Parliament and of the Council, O. J. (L 39) 5.

Commission Decision 2004/915/EC, of 27 December 2004 Amending Decision 2001/497/EC as Regards the Introduction of an Alternative Set of Standard Contractual Clauses for the Transfer of Personal Data to Third Countries, O. J. (L 385) 74.

Council Directive 95/46/EC, of the European Parliament and of the Council of 24 Oct 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281) 31.

Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data 28 January 1981.

Cunningham, McKay, Complying with International Data Protection Law, 84 UNIV. CINCINNATI LAW REV. 421-450 (2016).

Drake, William J., Vinton G. Cerf & Wolfgang Kleinwächter, Internet Fragmentation: An Overview, (WEF, White Paper, 2016).

Ferracane, Martina, Restrictions on Cross-Border Data Flows (ECIPE, Working Paper No. 1, 2017)

Graham Greenleaf, Global Tables of Data Privacy Laws and Bills, 157 PRIV. LAWS & BUS. INT′L REP. 16-31 (2019)

Hon, W. Kuan & Christopher Millard, Data Export in Cloud Computing – How can Personal Data be Transferred Outside the EEA? The Cloud of Unknowing, Part 4, 9 SCRIPT-ed. 25-63 (2012).

Hon, W. Kuan, Julia Hörnle & Christopher Millard, Data Protection Jurisdiction and Cloud Computing – When are Cloud Users and Providers Subject to EU Data Protection Law? The Cloud of Unknowing, Part 3, 25 INT REV LAW COMPUT TECHAT. 129-164 (2012).

Hon, W. Kuan, Christopher Millard & Ian Walden, Who is Responsible for “Personal Data” in Cloud Computing?--The Cloud of Unknowing, Part 2, 2 INT. DATA PRIV. LAW. 3-18 (2011).

Hon, W. Kuan, & Christopher Millard, The Problem of ′Personal Data′ in Cloud Computing- What Information is Regulated? The Cloud of Unknowing, Part 1, 4 INT. DATA PRIV. LAW. 211-228 (2011).

Hughes, J. Trevor & Sagi Leizerov, IAPP-EY: Annual Privacy Governance Report 2016, https://iapp.org/media/pdf/resource_center/IAPP%202016%20GOVERNANCE%20SURVEY-FINAL3.pdf.

ICO, The Eighth Data Protection Principle and International Data Transfers v4.0 (2017).

Jourová, Věra, EU Japan Adequacy Decision, Fact Sheet (Jan. 2019), https://ec.europa.eu/info/sites/info/files/research_and_innovation/law_and_regulations/documents/adequacy-japan-factsheet_en_2019_1.pdf

Linn, Emily, A Look Into the Data Privacy Crystal Ball: A Survey of Possible Outcomes for the EU-U.S. Privacy Shield Agreement, 50 Vand. J. Transnat′l L. 1311-1358 (2017).

MANYIKA JAMES, SUSAN LUND, JACQUES BUGHIN, JONATHAN WOETZEL, KALIN STAMENOV & DHRUV DHINGRA, DIGITAL GLOBALIZATION: THE NEW ERA OF GLOBAL FLOWS 1-156 (2016).

Moerel, L., The Long Arm of EU Data Protection Law: Does the Data Protection Directive Apply to Processing of Personal Data of EU Citizens by Websites Worldwide?, 1 INT. DATA PRIV. LAW 28-46 (2010).

Mell, Peter & Timothy Grance, The NIST Definition of Cloud Computing (Sep. 28, 2011), http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909616.

OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, OECD (2013)

Regulation (EU) 2016/679, of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 2016 O.J. (L 119) 1.

Schwartz, Paul M. & Karl Nikolaus Peifer, Transatlantic Data Privacy Law, 106 GEORGETOWN LAW J. 115-179 (2017).

Sveinbjarnardóttir & Þorgerður Jóhanna, The Concept of ′Transfer′ of Data under European Data Protection Law: In the Context of Transborder Data Flows (Dec. 1, 2015) (B.A. thesis, University of Oslo)

Svantesson, Dan Jerker B., Extraterritoriality and Targeting in EU Data Privacy Law: The Weak Spot Undermining the Regulation, 5 INT. DATA PRIV. LAW 226-234 (2015).

Schwartz, Paul M, European Data Protection Law and Restrictions on International Data Flows, 80 IOWA LAW REV. 471-496 (1995).

Theodorakis, Nikolaos I., Cross Border Data Transfers Under the GDPR: The Example of Transferring Data from the EU to the US (Stanford-Vienna TTLF, Working Papers No. 39, 2018).

Tan, Shawn W. & Alberto Osnago, Disaggregating the Impact of the Internet on International Trade (World Bank Grp., Working Papers No. 7785, 2016).

Wagner, Julian, The Transfer of Personal Data to Third Countries under the GDPR: When does a Recipient Country Provide an Adequate Level of Protection?, 8 INT. DATA PRIV. LAW 318-337 (2018).

Whitman, James Q., The Two Western Cultures of Privacy: Dignity Versus Liberty, 113 YALE L.J. 1151-1221 (2004).

WICKHAM HEATH CONSULTING, CROSS-BORDER DATA FLOWS REALISING BENEFITS AND REMOVING BARRIERS, 1-28 (2018).

Web Resources
Bischoff, Paul, The World’s Most Surveilled Cities, COMPARITECH (2019), https://www.comparitech.com/vpn-privacy/the-worlds-most-surveilled-cities/

BEUC, Privacy Shield: Strong and Shiny or Porous and Rusty?, BEUC (Feb. 5, 2016), https://www.beuc.eu/press-media/news-events/privacy-shield-strong-and-shiny-or-porous-and-rusty.

Cadwalladr, Carole & Emma Graham-Harrison, Revealed: 50 Million Facebook Profiles Harvested for Cambridge Analytica in Major Data Breach, THE GUARDIAN (2018), https://www.theguardian.com/news/2018/mar/17/cambridge-analytica-facebook-influence-us-election

Collier, Kevin, Does the NSA’s PRISM Spying Program Violate EU Law?, DAILY DOT (Dec. 11, 2015), https://www.dailydot.com/news/prism-nsa-government-surveillance-europe-law/.

Evans, Bob, Top 5 Cloud Vendors in the World, CLOUD NEWS (Jan. 14, 2019), https://cloudwars.co/worlds-top-5-cloud-vendors-cloud-wars/.

European Comm’n, Adequacy Decisions-How the EU Determines if a Non-EU Country has an Adequate Level of Data Protection, EUROPEAN COMM’N (2019), https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.

Gartner Inc., Gartner Forecasts Worldwide Public Cloud Revenue to Grow 17.5 Percent in 2019, GARTNER.COM (April. 2, 2019), https://www.gartner.com/en/newsroom/press-releases/2019-04-02-gartner-forecasts-worldwide-public-cloud-revenue-to-g

Gartner Inc., Cloud Computing, GARTNER.COM http://www.gartner.com/it-glossary/cloud-computing/

Greenfield, Marlene, Distribution of Twitter Users Worldwide from 2012 to 2018, by Region, STATISTA (May. 27, 2014), https://www.statista.com/statistics/303684/regional-twitter-user-distribution/

In Your Face: China’s All Seeing State, BBC NEWS. (Dec. 10, 2017), https://www.bbc.com/news/av/world-asia-china-42248056/in-your-face-china-s-all-seeing-state

ICO, Guide to the General Data Protection Regulation (GDPR), https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/

Mass, Framingham, Cloud it Infrastructure Revenues Surpassed Traditional it Infrastructure Revenues for the First Time in the Third Quarter of 2018, According to IDC, IDC (Jan. 1, 2019), https://www.idc.com/getdoc.jsp?containerId=prUS44670519

Moerel, Lokke, Binding Corporate Rules, GDPR.BE.BLOG, https://gdpr.be/english/binding-corporate-rules/.

Perlroth, Nicole, Yahoo Says Hackers Stole Data on 500 Million Users in 2014, N.Y. Times, Sept. 22, 2016, https://www.nytimes.com/2016/09/23/technology/yahoo-hackers.html

Proust, Olivier, Why BCR are the Future of Global Data Flows - Privacy, Security and Information Law, FIELDFISHER, https://privacylawblog.fieldfisher.com/2017/why-bcr-are-the-future-of-global-data-flows.

Samuels, David, Is Big Tech Merging with Big Brother? Kinda Looks Like It, WIRED (2019), https://www.wired.com/story/is-big-tech-merging-with-big-brother-kinda-looks-like-it/

指導教授

王明禮(Ming-Li Wang)

審核日期

2020-1-20

推文