International news digest: contents
25 April - 30 April
1. European Commission designates Shein as a Very Large Online Platform under the Digital Services Act
2. MEPs vote to approve the inter-institutional agreement on establishing a European Health Data Space
3. South Korea's PIPC imposes fines totaling KRW 244 million on six businesses for PIPA violations
01
European Commission Designates Shein as Very Large Online Platform under the Digital Services Act
On April 26, 2024, the European Commission (the Commission) formally designated Shein as a Very Large Online Platform (VLOP) under the Digital Services Act (DSA).
Shein is a Singapore-headquartered fast-fashion online retailer with an average of more than 45 million monthly users in the European Union. This user number, which Shein itself reported to the Commission, is above the DSA threshold of 45 million average monthly active recipients for designation as a VLOP.
Following the designation, Shein must comply with the most stringent DSA obligations within four months of being notified (i.e. by the end of August 2024). These include adopting specific measures to empower and protect users online, including minors, and duly assessing and mitigating any systemic risks stemming from its service. More specifically, the additional obligations are:
More diligent surveillance of illegal products:
Shein needs to diligently analyse the specific systemic risks arising from the dissemination of illegal content and products and from the design or functioning of its service and related systems. Risk assessment reports must be provided to the Commission four months after notification of the formal designation and once a year thereafter.
Shein must put in place mitigation measures to address risks such as the listing and sale of counterfeit goods, unsafe products, and items that infringe intellectual property rights. These measures can include adapting the terms of service, enhancing the user interface for better reporting and detection of suspicious listings, improving moderation processes to swiftly remove illegal items, and refining its algorithms to prevent the promotion and sale of prohibited goods.
Shein must reinforce its internal processes, resources, testing, documentation, and supervision of all activities linked to the detection of systemic risks.
Enhanced consumer protection measures:
Shein's yearly risk assessment reports must specifically evaluate any potential adverse effects on consumer health and safety, with an emphasis on the physical and mental well-being of underage users.
Shein is required to structure its platform, including user interfaces, recommendation algorithms, and terms of service, so as to mitigate and prevent risks to consumer safety and well-being. Measures must be implemented to protect consumers from purchasing unsafe or illegal goods, with a particular focus on preventing the sale and distribution of products that could be harmful to minors. This includes robust age assurance systems to restrict the purchase of age-restricted items.
More transparency and accountability:
Shein needs to ensure that its risk assessments and its compliance with all DSA obligations are externally and independently audited every year.
Shein needs to publish a repository of all the ads served on its interface.
Shein will have to give researchers access to publicly available data, including vetted researchers designated by Digital Services Coordinators.
Shein needs to comply with transparency requirements, including publishing transparency reports on content moderation decisions and risk management every six months, in addition to yearly reports on systemic risks and audit results.
Shein has to appoint a compliance function and be subject to an external independent audit every year.
Following its designation as a VLOP, the Commission is competent to supervise Shein's compliance with the DSA, in cooperation with the Irish Digital Services Coordinator.
The Commission services will closely monitor the platform's application of the DSA rules and obligations, especially the measures to guarantee consumer protection and to address the dissemination of illegal products, and are ready to engage closely with Shein to ensure these are properly addressed.
Source: European Commission website, see:
https://ec.europa.eu/commission/presscorner/detail/en/ip_24_2326
02
MEPs Vote to Approve the Inter-institutional Agreement on Establishing a European Health Data Space
On April 24, 2024, MEPs voted, with 445 in favour, 142 against and 39 abstentions, to approve the inter-institutional agreement on establishing a European Health Data Space (EHDS). It will empower patients to access their health data in electronic format, including from a member state other than the one in which they live, and allow health professionals to consult their patients' files with their consent (so-called primary use), also from other EU countries. These electronic health records (EHR) would include patient summaries, electronic prescriptions, medical imagery and laboratory results.
The law will make it possible to transfer health data safely to health professionals in other EU countries (based on the MyHealth@EU infrastructure), for example when citizens move to another member state. It will be possible to download one's health record free of charge.
Additionally, the Health Data Space would unleash the research potential of health data in anonymised or pseudonymised form. Data including health records, clinical trials, pathogens, health claims and reimbursements, genetic data, public health registry information, wellness data, and information on healthcare resources, expenditure and financing could be processed for public interest purposes, including research, statistics and policy-making (so-called secondary use). Data could, for example, be used to find treatments for rare diseases, where small datasets and fragmentation currently hold back progress.
Secondary use will not be allowed for commercial purposes, including advertising, assessing insurance requests or lending conditions, or making job market decisions. Access decisions will be made by national data access bodies.
The law ensures people will have a say in how their data are used and accessed. Patients will be able to refuse to have their health data accessed by practitioners (except where this is necessary to protect the vital interests of the data subject or another person) or processed for research purposes, apart from certain public-interest, policy-making or statistical purposes. Patients will also have to be informed each time their data are accessed, and will have the right to request correction of incorrect data.
The provisional agreement still needs to be formally approved by the Council. Once published in the EU's Official Journal, it will enter into force twenty days later. It will apply two years after that, with certain exceptions: in particular, the provisions on primary and secondary use of specific data categories will apply four to six years later, depending on the category.
By adopting the law, Parliament is responding to citizens' demands put forward in the conclusions of the Conference on the Future of Europe, including proposal 8(1), which explicitly recommended creating a health data space to facilitate exchanges, and proposals 35(7) and 35(8) on data and artificial intelligence.
Source: European Parliament website, see:
https://www.europarl.europa.eu/news/en/press-room/20240419IPR20573/eu-health-data-space-more-efficient-treatments-and-life-saving-research
03
South Korea PIPC Imposes Fines Totaling KRW 244M on Six Businesses for PIPA Violations
On April 24, 2024, the Personal Information Protection Commission (PIPC) published its decision imposing fines totaling KRW 244 million (approx. USD 177,385) on six businesses for violations of the Personal Information Protection Act (PIPA).
The PIPC stated that, while providing online services, the businesses breached the safety-measure obligations and the personal-information-leak notification obligations under the PIPA.
D.S.En Co., Ltd., which operates an online pizza ordering service, had a system development error that allowed anyone to access customers' order information simply by entering the administrator page address. The administrator page was also exposed to search engines, and personal information was leaked. In addition, although order information was, per user consent, to be kept for only one year, data was retained beyond that period. Personal information was also held by another company, Mr. Pizza Co., Ltd., and retained beyond its expiry without being destroyed.
Yanolja Co., Ltd. used cloud data storage with settings that allowed anyone with the address to access customers' personal information; at least 794 customers' personal information could be viewed.
STG24, Inc., an online shopping mall, mismanaged website visitor information in a way that allowed personal data to be duplicated. As a result, during a contest the gift receipt information of some winners, around 173 people, was stored and viewed by other winners.
Funit Co., Ltd. and Hiplay Co., Ltd. each suffered a data breach in which an administrator account was accessed, leaking personal information. Specifically, the PIPC stated that Funit confirmed a hacker accessed the administrator account, viewed member information, and sent text messages to 20,196 members. The PIPC also noted that no secure authentication method beyond ID and password was used for the account.
At Hiplay Co., Ltd., a hacker accessed the management program with an administrator account and leaked 1,409 pieces of personal information. Additionally, users were not notified when their information was transferred from another business, and users' resident registration numbers were collected without a legal basis.
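The D.S.En finding above (an administrator page reachable by anyone who knew its URL, indexed by search engines, and order data kept past the one-year period customers consented to) is a pattern worth seeing in code. The following Python is an added illustration, not code from the PIPC decision or from any of the companies named; the request and session dictionaries, the ORDERS records and the DEMO_NOW date are constructed for the demo. It places the vulnerable handler beside a deny-by-default version and adds a retention purge that destroys records older than the consented period.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data standing in for an order database (not real records).
ORDERS = [
    {"id": 1, "customer": "alice", "placed_at": datetime(2023, 1, 10, tzinfo=timezone.utc)},
    {"id": 2, "customer": "bob", "placed_at": datetime(2024, 3, 5, tzinfo=timezone.utc)},
]
# Hypothetical session store: session token -> role of the logged-in user.
SESSIONS = {"tok-admin-1": "admin", "tok-user-1": "customer"}
# One-year retention period, matching what customers consented to in the case above.
RETENTION = timedelta(days=365)
# Constructed "today" for the demo (the date of the PIPC decision).
DEMO_NOW = datetime(2024, 4, 24, tzinfo=timezone.utc)


def admin_orders_insecure(request):
    """Vulnerable pattern: knowing the path is enough to read every order.
    Returns (status, headers, body). No session, no role check, no noindex."""
    if request["path"] == "/admin/orders":
        return 200, {}, ORDERS
    return 404, {}, None


def admin_orders_hardened(request):
    """Deny by default: authenticate the session, authorize the role, and keep the
    page out of search indexes and shared caches even on error responses."""
    headers = {"X-Robots-Tag": "noindex, nofollow", "Cache-Control": "no-store"}
    if request["path"] != "/admin/orders":
        return 404, headers, None
    token = request.get("cookies", {}).get("session")
    role = SESSIONS.get(token)
    if role is None:            # no valid session: not authenticated
        return 401, headers, None
    if role != "admin":         # authenticated, but not authorized for admin data
        return 403, headers, None
    return 200, headers, ORDERS


def purge_expired_orders(orders, now, retention=RETENTION):
    """Enforce the consented retention period.
    Returns (kept_records, destroyed_ids); anything older than now - retention is destroyed."""
    cutoff = now - retention
    kept = [o for o in orders if o["placed_at"] >= cutoff]
    destroyed = [o["id"] for o in orders if o["placed_at"] < cutoff]
    return kept, destroyed


if __name__ == "__main__":
    anon = {"path": "/admin/orders"}
    print("insecure, anonymous:", admin_orders_insecure(anon)[0])        # 200
    print("hardened, anonymous:", admin_orders_hardened(anon)[0])        # 401
    admin = {"path": "/admin/orders", "cookies": {"session": "tok-admin-1"}}
    print("hardened, admin:", admin_orders_hardened(admin)[0])           # 200
    kept, destroyed = purge_expired_orders(ORDERS, DEMO_NOW)
    print("destroyed order ids:", destroyed, "kept:", [o["id"] for o in kept])
```

The hardened handler fails closed: an unknown path, a missing session and a non-admin role each get an error with no body, and the noindex/no-store headers go out on every response so a crawler that finds the URL has nothing to index. The purge is a separate job by design; access control alone would not have cured the retention violation the PIPC also fined.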
The PIPC highlighted that five of the companies, namely D.S.En, Yanolja, STG24, Funit and Hiplay, failed to report the data leaks or complete the required notification within 24 hours of becoming aware of them, thereby violating the leak notification and reporting requirements under the PIPA.
The violations were as follows:
D.S.En failed to destroy personal information, lacked proper safety measures, and did not notify the PIPC of the leak within the required time, in violation of Articles 21, 29 and 39 of the PIPA;
Mr. Pizza failed to destroy personal information, in violation of Article 21 of the PIPA;
Funit, Yanolja and STG24 lacked proper safety measures and did not notify the PIPC of the leak in time, in violation of Articles 29 and 39 of the PIPA; and
Hiplay failed to properly restrict the processing of resident registration numbers, failed to comply with the requirements on transferring personal information upon a business transfer, lacked proper safety measures, and did not notify the PIPC of the leak in time, in violation of Articles 24, 27, 29 and 39 of the PIPA.
Considering the above, the PIPC imposed fines totaling KRW 244 million (approx. USD 177,385).
Source: DataGuidance, see:
https://www.dataguidance.com/news/south-korea-pipc-imposes-fines-totaling-krw-244m-six
M姐 数据合规评论 (M-jie Data Compliance Review)
WeChat ID: M_DigitalLawandLife