International News Digest: Contents
1 May - 7 May
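1. Netherlands AP Publishes General Framework for Facial Recognition
2. FCC Fines Major U.S. Wireless Carriers for Selling Customer Location Data
3. European Digital Identity Framework Published in EU Official Journal
4. European Commission Opens Formal Proceedings against Facebook and Instagram under the Digital Services Act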
01
Netherlands AP Publishes General Framework for Facial Recognition
On May 2, 2024, the Dutch data protection authority (AP) published its general framework for facial recognition which answers frequently asked questions relating to the use of facial recognition. According to the AP, the framework is targeted toward privacy professionals and organizations that wish to implement facial recognition technologies.
In the framework, the AP emphasizes the importance of ensuring the protection of personal data when processing biometric data due to the ability to trace back individuals and the need to perform a Data Protection Impact Assessment before carrying out such processing by facial recognition. The AP also states that the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) applies to pilot or test projects and that controllers may be obliged to request prior consultation from the AP due to the high residual risk to processing.
Additionally, the AP answers the following questions in the framework:
when the processing of personal data via the deployment of facial recognition is a purely personal or household activity, where the GDPR does not apply;
what requirements are considered biometric data under the GDPR when applying facial recognition;
whether the processing of biometric data falls under the processing ban for special data if the purpose is identity confirmation; and
when exceptions to the processing ban can be relied upon when using facial recognition, particularly explicit consent and public interest.
Source: dataguidance. See:
https://www.dataguidance.com/news/netherlands-ap-publishes-general-framework-facial
02
FCC Fines Major U.S. Wireless Carriers for Selling Customer Location Data
On April 29, 2024, the U.S. Federal Communications Commission (“FCC”) levied fines totaling nearly $200 million against the four major carriers — including AT&T, Sprint, T-Mobile and Verizon — for illegally sharing access to customers’ location information without consent.
The fines mark the culmination of a more than four-year investigation into the actions of the major carriers. In February 2020, the FCC put all four wireless providers on notice that their practices of sharing access to customer location data were likely violating the law.
The FCC said it found the carriers each sold access to its customers’ location information to ‘aggregators’, who then resold access to the information to third-party location-based service providers.
“In doing so, each carrier attempted to offload its obligations to obtain customer consent onto downstream recipients of location information, which in many instances meant that no valid customer consent was obtained,” an FCC statement on the action reads. “This initial failure was compounded when, after becoming aware that their safeguards were ineffective, the carriers continued to sell access to location information without taking reasonable measures to protect it from unauthorized access.”
The FCC’s findings against AT&T show that AT&T sold customer location data directly or indirectly to at least 88 third-party entities. The FCC found Verizon sold access to customer location data (indirectly or directly) to 67 third-party entities. Location data for Sprint customers found its way to 86 third-party entities, and to 75 third-parties in the case of T-Mobile customers.
The FCC fined Sprint and T-Mobile $12 million and $80 million respectively. AT&T was fined more than $57 million, while Verizon received a $47 million penalty.
The fine amounts vary because they were calculated based in part on the number of days that the carriers continued sharing customer location data after being notified that doing so was illegal (the agency also considered the number of active third-party location data sharing agreements). The FCC notes that AT&T and Verizon each took more than 320 days from the publication of the Times story to wind down their data sharing agreements; T-Mobile took 275 days; Sprint kept sharing customer location data for 386 days.
Source: krebsonsecurity. See:
https://krebsonsecurity.com/2024/04/fcc-fines-major-u-s-wireless-carriers-for-selling-customer-location-data/
Original source:
https://docs.fcc.gov/public/attachments/DOC-402213A1.pdf
03
European Digital Identity Framework Published in EU Official Journal
On April 30, 2024, the Regulation (EU) 2024/1183 establishing the European Digital Identity Framework (the Regulation) was published in the Official Journal of the European Union.
In July 2020, the European Commission opened a consultation with various private and public stakeholders to examine barriers to the development of electronic identification services in the EU. The feedback collected pointed to the need for multiple digital identities, an extension of the use of digital identification to the private sector, the harmonization of certifications, security, and legal requirements, and the expansion of cross-border frameworks.
Following this, the Commission proposed the Regulation establishing a framework for a European Digital Identity and amending Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market.
The Regulation aims to ensure the provision of an adequate level of security of electronic identification services used across the EU to enable and facilitate the exercise by natural and legal persons of the right to access online public and private services, including cross-border access, throughout the EU. In particular, the Regulation, among other things:
lays down the conditions under which Member States are to recognize natural and legal persons' electronic identification means emanating from another Member State, and provide and recognize European Digital Identity Wallets (EUDI Wallet);
establishes a legal framework for electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic registered delivery services, certificate services for website authentication, electronic archiving, electronic attestation of attributes, electronic signature creation devices, electronic seal creation devices, and electronic ledgers;
sets out provisions on the EUDI Wallet, including expected actions in situations of security breaches and compromises of the EUDI Wallets, supervision of the EUDI Wallet Framework, and protection of personal data; and
mandates the Commission to establish a European Digital Identity Cooperation Group.
Next, the Regulation will enter into force on May 20, 2024. The deadline for the publication of the first set of implementing acts related to EUDI Wallet and electronic attribute attestations is set for November 21, 2024, and for other implementing acts related to all other trust services on May 21, 2025.
Source: dataguidance. See:
https://www.dataguidance.com/news/eu-european-digital-identity-framework-published-eu
Original source:
https://eur-lex.europa.eu/eli/reg/2024/1183/oj
04
European Commission Opens Formal Proceedings against Facebook and Instagram under the Digital Services Act
On April 30, 2024, the European Commission opened formal proceedings to assess whether Meta, the provider of Facebook and Instagram, may have breached the Digital Services Act (“DSA”).
The current proceedings will focus on the following areas:
Deceptive advertisements and disinformation. The Commission suspects that Meta does not comply with DSA obligations related to addressing the dissemination of deceptive advertisements, disinformation campaigns and coordinated inauthentic behaviour in the EU. The proliferation of such content may present a risk to civic discourse, electoral processes and fundamental rights, as well as consumer protection.
Visibility of political content. The Commission suspects that Meta's policy linked to the ‘political content approach’, which demotes political content in the recommender systems of Instagram and Facebook, is not compliant with DSA obligations. The investigation will focus on the compatibility of this policy with the transparency and user redress obligations, as well as the requirements to assess and mitigate risks to civic discourse and electoral processes.
The non-availability of an effective third-party real-time civic discourse and election-monitoring tool ahead of the upcoming elections to the European Parliament and other elections in various Member States. Meta is in the process of deprecating “CrowdTangle”, a public insights tool that enables real-time election-monitoring by researchers, journalists and civil society, including through live visual dashboards, without an adequate replacement. However, as reflected in the Commission's recent Guidelines for providers of Very Large Online Platforms on systemic risks for electoral processes, in times of elections, access to such tools should instead be expanded. The Commission therefore suspects that, taking into account Meta's deprecation and planned discontinuation of CrowdTangle, Meta has failed to diligently assess and adequately mitigate risks related to Facebook's and Instagram's effects on civic discourse and electoral processes and other systemic risks.
The mechanism to flag illegal content. The Commission suspects that Meta's notice and action mechanism, that allows users to notify the presence of illegal content on its services, is not compliant with DSA obligations. This includes the suspicion that the requirements, by which this mechanism must be easy to access and user-friendly, are not met. At the same time, the Commission suspects that Meta has not put in place an effective internal complaint-handling system to lodge complaints against content moderation decisions taken.
If proven, these failures would constitute infringements of Articles 14(1), 16(1), 16(5), 16(6), 17(1), 20(1), 20(3), 24(5), 25(1), 34(1), 34(2), 35(1) and 40(12) of the DSA. The Commission will now carry out an in-depth investigation as a matter of priority. The opening of formal proceedings does not prejudge its outcome.
The current opening of proceedings is without prejudice to any other proceeding that the Commission may decide to initiate on any other conduct that may constitute an infringement under the DSA. After the formal opening of proceedings, the Commission will continue to gather evidence, for example by sending additional requests for information, conducting interviews or inspections.
The opening of formal proceedings empowers the Commission to take further enforcement steps, such as interim measures, and non-compliance decisions. The Commission is also empowered to accept commitments made by Meta to remedy the issues raised in the proceedings. The DSA does not set any legal deadline for bringing formal proceedings to an end. The duration of an in-depth investigation depends on several factors, including the complexity of the case, the extent to which the company concerned cooperates with the Commission and the exercise of the rights of defence.
The opening of formal proceedings relieves Digital Services Coordinators, or any other competent authority of EU Member States, of their powers to supervise and enforce the DSA in relation to the suspected infringements of Articles 14(1), 16(1), 16(5), 16(6), 17(1), 20(1), 20(3), 24(5), 25(1) and 40(12).
Source: European Commission website. See:
https://ec.europa.eu/commission/presscorner/detail/en/ip_24_2373
Published by: M姐 数据合规评论 (M姐 Data Compliance Review)
WeChat ID | M_DigitalLawandLife