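International News Brief: Contents
13 April - 16 April
1. The Interoperable Europe Act Entered into Force
2. United States Representative Introduces the Generative AI Copyright Disclosure Act
3. United States Representative Introduces Children and Teens’ Online Privacy Protection Act
4. Germany DSK Publishes Comments on Draft Law Amending Federal Data Protection Act
5. French SA Fines HUBSIDE.STORE €525,000 for Illegal Processing of Personal Data
6. Greece HDPA Fines ELTA €2.9M for Inadequate Technical and Organizational Measures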
01
The Interoperable Europe Act Entered into Force
On April 11, 2024, the Interoperable Europe Act entered into force. The Act will facilitate cross-border data exchange and accelerate the digital transformation of the public sector. The Act is essential to reaching the objectives of the EU's Digital Decade, such as having 100% of key public services available online by 2030. Interoperability is a core feature of a functioning Digital Single Market and contributes to a more effective implementation of digital features of public policies, from justice to health to transport.
Citizens, businesses, and public administrations will benefit most from the new regulation when using interconnected digital public services that require cross-border exchange of data. Examples of such services include mutual recognition of academic diplomas or professional qualifications, exchanges of vehicle data for road safety, access to social security and health data, and the exchange of information related to taxation, customs, public tender accreditation, digital driving licenses, and commercial registers. According to the impact assessment, the Act is expected to save up to €5 billion on a yearly basis.
The Act will be implemented through a set of key measures:
The setup of a multi-level cooperation framework bringing together Member States' most senior digital government practitioners, as well as a broad community of civil society, experts, academics and local actors, to define a common interoperability agenda and an evolving ecosystem of common interoperability solutions. This framework will be steered by the Interoperable Europe Board and supported by the Interoperable Europe Community.
The introduction of mandatory interoperability assessments to build “interoperable-by-design” public services. This will help public sector bodies to explore and, where appropriate, address cross-border interoperability aspects already at the design phase of new services or tools. The Commission will provide the necessary guidelines and support.
The “Interoperable Europe Portal”, a one-stop-shop to encourage the sharing and reuse of high-quality and reliable interoperability solutions among public administrations.
Strengthened innovation and policy support mechanisms, including training, regulatory sandboxes for policy experimentation, public-private GovTech and policy implementation support projects, to develop, test and scale up solutions.
The Act applies to public sector bodies, including EU Institutions and bodies. The Act will be funded through the Digital Europe Programme.
Source: European Commission website. See:
https://ec.europa.eu/commission/presscorner/detail/en/IP_24_1970
02
United States Representative Introduces the Generative AI Copyright Disclosure Act
On April 9, 2024, Representative Adam Schiff introduced the Generative AI Copyright Disclosure Act. This legislation marks an important step forward in making sure the policy framework put in place for AI promotes and protects the rights of creators. This transparency will ensure that creators can see when developers use their work to train generative AI tools and will give them the necessary tools to demand appropriate credit and compensation. The bill, which aligns with ASCAP's six principles on AI, represents an important effort to balance technological innovation with fairness and the economic and legal rights of creators. The bill has generated significant support from the creative community.
The bill includes:
Require a notice be submitted to the Register of Copyrights prior to the public release of a new generative AI system with a sufficiently detailed summary of all copyrighted works used in building or altering the training dataset for that system;
Require the Copyright Office to establish a publicly available online database of notices filed;
Require the Copyright Office to issue regulations to implement these requirements and assess civil penalties for failure to comply; and
Apply retroactively to generative AI systems already available to consumers.
Source: website of the US Member of Congress. See:
https://schiff.house.gov/news/press-releases/rep-schiff-introduces-groundbreaking-bill-to-create-ai-transparency-between-creators-and-companies
03
United States Representative Introduces Children and Teens’ Online Privacy Protection Act
On April 9, 2024, Reps. Tim Walberg and Kathy Castor introduced the Children and Teens’ Online Privacy Protection Act (COPPA 2.0). The bipartisan, bicameral COPPA 2.0 modernizes and strengthens the only online privacy law for children, the Children’s Online Privacy Protection Act (COPPA). 26 years after COPPA's enactment, COPPA 2.0 takes a multifaceted approach to adjust to the modern realities and threats children and teenagers face online in the digital age.
Provisions of COPPA 2.0 include:
Build on COPPA by prohibiting internet companies from collecting personal information from users who are 13 to 16 years old without their consent;
Ban targeted advertising to children and teens;
Revise COPPA’s “actual knowledge” standard to close the loophole that allows social media platforms to ignore kids and teens on their site;
Create an “Eraser Button” by requiring companies to permit users to eliminate personal information from a child or teen when technologically feasible;
Establish data minimization rules to prohibit the excessive collection of children and teens’ data.
Source: website of the US Member of Congress. See:
https://walberg.house.gov/media/press-releases/walberg-castor-introduce-comprehensive-childrens-privacy-bill
04
Germany DSK Publishes Comments on Draft Law Amending Federal Data Protection Act
On April 12, 2024, the German Data Protection Conference (DSK) published its opinion on the Federal Government's draft law to amend the Federal Data Protection Act of 30 June 2017 (implementing the GDPR) (as amended) (the Act). In particular, the DSK provided comments on, among others:
the institutionalization of the DSK - namely to include DSK goals directly in the legal regulation and the express requirement for the Federal and State Governments to set up a permanent office that will support the DSK;
the expansion of jurisdictional scope - namely to remove the additional appointment of a lead German supervisory authority in cases where the controller or the processor does not have a domestic branch and the targeting criteria under Article 3(2) of the General Data Protection Regulation (GDPR) are not applicable;
the protection of trade and business secrets when data subjects request information - namely to remove the additional provision as it may be incompatible with the restrictions foreseen under Article 23 of the GDPR;
scoring - namely:
to clarify the terms 'social networks' and 'incoming payments and exits,' the criteria for proactive transparency obligations, and the specific rights of those affected; and
to include a discrimination ban, requirements for data accuracy and timeliness, and certification requirements for the scientifically recognized mathematical-statistical procedures on which it is based; and
the determination of a lead supervisory authority for cross-border data processing - namely to ensure that the determination of the lead authority is done by the supervisory authority, not the company, as well as to clarify the personal scope of this provision.
The DSK suggested further changes, such as:
immediate enforceability of administrative acts against public bodies;
applicability of provisions of the Administrative Offenses Act to violations according to Article 83 of the GDPR;
possibility for supervisory authorities to confiscate items; and
possibility of imposing fines against authorities and other public bodies.
Source: DataGuidance. See:
https://www.dataguidance.com/news/germany-dsk-publishes-comments-draft-law-amending
05
French SA Fines HUBSIDE.STORE €525,000 for Illegal Processing of Personal Data
On April 4, 2024, the French Supervisory Authority (SA) imposed a fine of EUR 525,000 on HUBSIDE.STORE. The reason was that the company used personal data purchased from data brokers for business development without obtaining the consent of the data subjects.
The French SA found several breaches of the GDPR:
Failure to comply with the obligation to have a legal basis for processing data (Article 6 GDPR). The misleading appearance of the data collection forms used by the data brokers responsible for collecting the data did not allow valid consent to be obtained from the individuals concerned. Therefore, HUBSIDE.STORE did not have a valid legal basis for data collection (Article 6 GDPR) for commercial prospecting by phone calls. It also constitutes a breach of the French Postal and Electronic Communications Code (Article L.34-5) for SMS prospecting purposes.
Failure to comply with the obligation to inform individuals (Article 14 GDPR). Investigations revealed that individuals canvassed by telephone did not have all the necessary information on the collection and use of their personal data (for example, the identity and contact details of the organisation, the purposes for which the data was used, the retention periods, the source of the data, their rights or even their possibility of lodging a complaint with the French SA).
Source: European Data Protection Board website. See:
https://www.edpb.europa.eu/news/news/2024/commercial-prospecting-french-sa-fined-hubsidestore-eu525000_en
06
Greece HDPA Fines ELTA €2.9M for Inadequate Technical and Organizational Measures
On April 12, 2024, the Hellenic Data Protection Authority (HDPA) published its Decision No. 10/2024, as issued on February 28, 2024, in which it imposed a fine of €2,995,140 on Hellenic Post S.A. (ELTA) for violations of the General Data Protection Regulation (GDPR), following its breach notification to the HDPA.
Background to the HDPA's decision
The HDPA recounted that ELTA had submitted a notification of a breach incident concerning software encryption on the company's system, as a result of a malicious attack by third parties, and leakage of personal data which were subsequently published on the dark web. Furthermore, the HDPA noted that as part of the system breach, there was unauthorized remote access to workstations and files within the company, leading to the attackers' discovery of the passwords of network domain management accounts, unauthorized access to files and folders, and installation of malicious processes.
Findings of the HDPA
After investigating the cybersecurity incident, the HDPA found that ELTA did not maintain adequate technical and security measures on the system and applied its security policies incorrectly, in violation of Article 32 of the GDPR. Furthermore, the HDPA found that ELTA did not ensure that access to personal data was restricted to authorized persons only, in violation of Article 5(1)(f) of the GDPR.
Source: DataGuidance. See:
https://www.dataguidance.com/news/greece-hdpa-fines-elta-29m-inadequate-technical-and
M姐 数据合规评论 (Data Compliance Review)
WeChat ID | M_DigitalLawandLife