|
EBU6008 Information and Privacy Law Coursework
FriendChina.cn是一个社交网站,为世界各地对中国文化感兴趣的中国学生和学生提供一系列服务。该网站可以从中国和国外访问。该网站大多为英文版,并提供英文视频和其他有关中国历史,体育,文学和其他传统的信息。有英语和普通话聊天室,以及公告板讨论这些和其他更一般的聊天。用户也可以发送私信给对方。
任何想加入FriendChina.cn的人都可以注册一个免费账户。为了开立账户,个人必须提供他们的第一个(给定)姓名,性别,出生日期以及他们居住的城市的名称。他们还被要求通过在包括音乐,电影等风格的列表中勾选选定的项目来表示他们的兴趣。 FriendChina.cn收集这些个人信息,并将其存储在其公司网络上的可通过其网站访问的计算机上。除了公司网络之外,它还运行一个不连接到企业网络的独立计算机网络。
FriendChina.cn由广告赞助。所有出现在个人屏幕上的广告都是以年龄,性别,个人兴趣以及他们所处的世界的哪个地区为目标。系统还使用cookie,不仅保持用户登录FriendChina.cn,而且还跟踪用户访问的所有网站。此外,FriendChina.cn系统会自动搜索所有私人信息,查找用于为个人定制广告的关键字。通过这些广告链接的一些第三方网站通过个人收集更多的个人信息,通常使用游戏或提供免费屏保和其他下载来鼓励个人输入他们的信息。
在FriendChina.cn主页的顶部,出现了一个“隐私政策”,其中规定:
“FriendChina.cn不会收集或保留任何个人身份信息,也不会随时将此类信息传递给第三方。”
尽管有此承诺,FriendChina.cn系统还收集所有与FriendChina.cn链接的第三方广告的网页表单信息。这意味着该系统可能收集了一些个人身份信息,与其主页上的隐私政策相反。
“隐私政策”还对从客户那里收集到的敏感信息的保密性作出如下声明:
“FriendChina.cn采取一切措施保护用户的信息。当用户通过网站提交敏感信息时,您的信息在线和离线保护。我们使用业内最好的加密软件 - SSL。 FriendChina.cn致力于保护您提供给我们的数据安全,并会采取合理的预防措施来保护您的信息免受丢失,误用或篡改。“
从2017年1月开始,持续到2017年5月,黑客利用FriendChina.cn网站上的SQL注入攻击在其公司网络上安装常见黑客程序。黑客程序用于查找存储在企业网络上的敏感个人信息,并通过互联网将信息传输到网络外的计算机。结果,黑客获得了未经授权的访问数以千计的用户随后用于身份盗用的信息。一些用户伪造了银行账户,并以他们的名义提取了贷款。
1.建议FriendChina.cn在欧盟GDPR(假设适用)下的隐私义务(如果有的话)[50分]
2.根据中国网络安全法[50分]向FriendChina.cn通知其信息安全义务(如有)
Question1
On April 14, 2016, the European Parliament voted to General Data Protection Regulation (GDPR), which will take effect on May 25, 2018. The adoption of the GDPR means that the EU has achieved unprecedented heights in the protection of personal information and its supervision, making it the most stringent data protection act in history. GDPR is of great significance to the compliance operations of companies in China whose business scope involves the territory of EU member states and their citizens, avoiding high penalties, as well as the legal research related to data in China. The GDPR stipulates that "personal data" refers to any information that points to a recognized or identifiable natural person ("data subject"). The identifiable natural person can be directly or indirectly identified, in particular by referring to such an identifier as a name, identity card number, location data, online identification, or by referring to one or more physical, physiological, Elements of genetic, psychological, economic, cultural or social identity. "Processing" refers to any one or a series of operations that target the collection of personal data or personal data, such as collecting, recording, organizing, constructing, storing, adapting or modifying, retrieving, consulting, using, disclosing, disseminating, whether or not this operation is automated.
In this case, Anyone who wants to join friendchina.cn can sign up for a free account. To open an account, individuals must provide their first (given) name, gender, date of birth, and the name of the city in which they live. They were also asked to express their interest by checking selected items from a list of styles including music and movies. These personal information conform to the definition of "personal data" in GDPR.
Friendchina.cn collects this personal information and stores it on computers accessible through its website on its corporate network. In addition to the corporate network, it runs a separate computer network that is not connected to the corporate network. Friendchina.cn is sponsored by advertising. All the ads that appear on individual screens are aimed at age, gender, personal interests and where in the world they live. The system also uses cookies, which not only keeps users on friendchina.cn, but also keeps track of all the websites they visit. In addition, friendchina.cn automatically searches all private information for keywords that are used to tailor advertisements for individuals. Some of the third-party websites linked to these ads collect more personal information through individuals. These collection, storage, and search behaviors of friendchina.cn belong to processing behaviors in GDPR.
GDPR imposes a set of obligations on data controllers: Personal data should be handled in a lawful, fair and transparent manner in relation to the data subject; it should be is collected for a specific, definite and lawful purpose and it shall not be further disposed in any way if it does not conform to the above purposes; It should be sufficient, relevant and to the extent necessary for the purpose of personal data processing (" data minimization "); To ensure the safety of personal data moderate way, including the use of appropriate technology or organizational measures against unauthorized, unlawful processing, accidental loss, loss of or damage to the protective measures (integrity and confidentiality). In this case of Friendchina.cn,The company's "privacy policy" stipulates that "friendchina.cn will not collect or retain any personal identity information and will not transmit such information to any third party at any time." The system may have collected some personal identity information as opposed to the privacy policy on its home page. This violates the above obligation to keep the data transparent, and it does not inform users that the company may have collected some personal information. This violates the user's right to know. The company also further processed the data and collected more personal information through a series of processing methods, in violation of the "no further processing in a certain way" clause.
Controllers should implement appropriate technical and organizational measures, such as anonymity, in order to implement data protection principles, such as data minimization, in an effective manner, while identifying means of processing and processing.Controllers should implement necessary safeguards to meet legal requirements and protect the rights of data subjects.As a result, the hackers used SQL injection attacks on friendchina.cn to install common hacking programs on their corporate networks. Hackers are used to find sensitive personal information stored on corporate networks and transmit it over the Internet to computers outside the network. As a result, hackers gained unauthorized access to thousands of users' information, Forged bank accounts and took out loans in their name, which caused personal information to be stolen by hackers and caused huge losses to users. According to the obligations of the GDPR, the website did not implement appropriate technical measures, resulting in data theft. The web site should be held accountable.
Article 83, paragraph 5 of the GDPR provides for specific serious violations: first, violation of the basic principles and conditions of data processing. Data processing should follow six principles, namely, legality, legitimacy and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality. Data processing shall conform to the corresponding legal conditions. In the second category, the rights of consent, access, correction, oblivion, data portability, rejection and relief are violated
Generally speaking, GDPR as a solution to data protection, although currently only effective in Europe, but its impact is global. Based on the model of the entire Internet industry driven by gathering personal information and privacy, the impact will be inevitable, because even if other countries do not copy the EU, the protection of personal privacy information has become a general trend.
The Privacy Directive stipulates that cookies stored on a user's terminal device must be changed from opt-out to opt-in. Member states shall ensure that only allows to store information in the user terminal device or obtain information already stored, but the condition is: the user has agreed to according to the instruction from the 95th article 46 / ec, and has been provides a clear and comprehensive information, especially about dealing with the purpose of processing. In this case, the system also uses cookie, not only to keep users logged in FriendChina.cn, but also to track all websites visited by users. The website has not provided comprehensive information and without the user's consent, which is in violation of the Privacy Directive obligations.#p#分页标题#e#
Question2
The Cyber Security Law of the people's Republic of China came into effect on June 1, 2017, which is an important milestone in the establishment of strict network governance guidelines in China.
According to the provisions of the Cyber Security Law for certain types of entities, this law is obviously more suitable for network operators and critical information infrastructure operators. For example, the definition of "network operator" in the Annex to the Cyber Security Law applies to almost all Chinese enterprises that own or manage their networks. In addition to traditional information technology, network service providers and communications enterprises, the Cyber Security Law can also be understood to cover all industries. Therefore, it can be said that any enterprise (regardless of size, domestic or multinational) in China through the operation of the network (including websites and internal and external networks) Business, and the provision of services or data collection, are likely to be included in this approach. In this case,FriendChina.cn,as a social networking platform , the personal information of many users is in its hand , and surely is the subject of the law.
The fourth chapter deals of the with information security, especially in the protection of personal information. According to the definition in the Supplementary provisions of the Cyber Security Law, personal information refers to all kinds of information which are recorded electronically or by other means and can be combined with other information to identify individuals. Includes name, date of birth, ID number, personal biometric information (e.g. fingerprint, facial recognition, retinal scan, address, telephone number and other similar personal data). In this case, Anyone who wants to join friendchina.cn can sign up for a free account. To open an account, individuals must provide their first (given) name, gender, date of birth, and the name of the city in which they live. They were also asked to express their interest by checking selected items from a list of styles including music and movies. These personal information conform to the definition of "personal information" in the Cyber Security Law.
With regard to the information security of the network , the law provides the following relevant obligations: Article 40 stipulates Network operators shall strictly keep confidential the user information they collect and establish and improve the system of user information protection.Article 41 stipulates network operators collect, use personal information, and should follow legal, legitimate, necessary principles, and should be consented by the collector. The network operator shall not collect personal information which is not related to the services provided by him, shall not collect and use personal information in violation of the provisions of the laws, administrative regulations and rules and the agreement with the users, and shall Process the personal information it holds in accordance with the provisions of the law, the administrative regulations and the agreement with the users. In this case of Friendchina.cn,The company's "privacy policy" stipulates that "friendchina.cn will not collect or retain any personal identity information and will not transmit such information to any third party at any time." The system may have collected some personal identity information as opposed to the privacy policy on its home page. This violates the relevant provisions of articles 40 and 41.
Network operators shall take technical and other necessary measures to ensure the security of personal information collected by them and to prevent information from leaking, damaging and losing. In case of leakage, damage or loss of personal information, remedial measures shall be taken immediately, and timely notification shall be made to the user and reported to the competent authority in accordance with relevant regulations.The hackers used SQL injection attacks on friendchina.cn to install common hacking programs on their corporate networks. Hackers are used to find sensitive personal information stored on corporate networks and transmit it over the Internet to computers outside the network. As a result, hackers gained unauthorized access to thousands of users' information, Forged bank accounts and took out loans in their name, which caused personal information to be stolen by hackers and caused huge losses to users. According to the obligations above, the website did not implement appropriate technical measures, resulting in data theft. The web site should be held accountable.In the event of personal information disclosure, damage, or loss, friendchina.cn did not take reasonable remedial measures to prevent the situation from spreading, resulting in the loss of the user.
Article 64 of the Cyber Security Law where a network operator or provider of a network product or service violates the provisions of the third paragraph of articles 41 to 43 of this Law, and infringes upon the right of personal information to be protected according to law, Shall be ordered by the competent department concerned to make corrections, and may, in accordance with the circumstances of the case, be given a single sentence or concurrently impose a warning, confiscate the illegal proceeds, and impose a fine of not less than one time but not more than 10 times the illegal income. If there is no illegal income, the offender shall be fined not more than 1,000,000 yuan.The directly responsible person in charge and other persons directly responsible shall be fined not less than 10,000 yuan but not more than 100,000 yuan; if the circumstances are serious, they may also be ordered to suspend relevant business, close down for rectification, close down the website, and revoke the relevant business license.According to this Article, the company and the responsible person shall be held responsible if the consequences are serious.
Even many well-known multinationals face the same challenge when they operate abroad. They don't know what data they collect, how it is used, or where it is located. These in the establishment of a solid network security foundation formed a constraint. With the implementation of the Cyber Security Law, it becomes more important for enterprises to review their current operations, especially for data-related businesses, so as to ensure that enterprises comply with laws and regulations.
Consumer Law provides that the Consumer in the purchase and use goods and services, enjoy the rights of human dignity, national customs and habits respected, shall enjoy the right of name, image rights, privacy and other personal information are protected rights. In this case of friendchina.cn, The company 's "privacy policy" stipulates that "friendchina. cn shall not collect or retain any personal identity information and will not transmit to the information to any third party at any time." The System may have collected some personal identity information as opposed to the privacy policy on its home page.It can be seen from this point that the privacy of citizens has been violated and the company should bear the responsibility of consumer law.
Tort law clearly puts forward the protection of citizens' privacy right, and infringement of citizens' privacy right shall be liable for Tort. Friendchina.cn collects users' identity information without their consent, and finally the information is leaked, resulting in property losses. Friendchina.cn is liable for infringement of citizens' privacy rights.
|
 |
|||
| 网站地图 |
