Tencent Data and Privacy Protection Center
Preface: The Tencent Data and Privacy Protection Center has compiled the ten most significant personal-information and privacy-protection events of 2017, in order to take stock of the past and draw lessons for the future.
No.1 Facebook
(1) Facebook sued over its facial-recognition system
【Overview】In January, Facebook was facing a class action alleging that its facial-recognition technology violates the Biometric Information Privacy Act (BIPA), a law Illinois passed in 2008. BIPA restricts how companies may store and use biometric identifiers, including fingerprints, voiceprints, iris or retina scans, and the geometry of a hand or face. For the time being, the lawsuit has been stayed.
(Related link: http://www.biometricupdate.com/201702/facebook-facial-recognition-lawsuit-put-on-hold)
【Commentary】Biometric data is sensitive personal information; collecting and using it is subject to stricter requirements and requires the informed consent of the user. Facebook was sued because its facial-recognition system and "tag suggestions" feature allegedly collected particular biometric data without users' consent. Companies should be correspondingly more careful when collecting and using sensitive personal information.
(2) WhatsApp sued in Germany over data sharing with Facebook
WhatsApp’s privacy policy change allowing Facebook to target advertising at its users has landed the company in a German court. The Federation of German Consumer Organizations (VZBZ) has filed suit against WhatsApp in the Berlin regional court, alleging that the company collects and stores data illegally and passes it on to Facebook, the federation said Monday. Of particular concern to VZBZ is the way that WhatsApp transfers numbers from its users’ contacts lists to Facebook — even when those numbers are not WhatsApp users. The federation wants the companies to stop transferring such information, and to delete any already transferred. It is also objecting to eight clauses in WhatsApp’s revised terms of use, including one allowing WhatsApp to provide users with advertising materials from the rest of Facebook without their consent.
The French data protection authority – CNIL may fine messaging app WhatsApp if it does not comply with an order to bring its sharing of user data with parent company Facebook into line with French privacy law.
【Overview】In January, the Federation of German Consumer Organizations (VZBZ) sued WhatsApp over a change to its privacy policy that allows Facebook to target advertising at WhatsApp users, alleging that the company collects and stores data unlawfully and passes it on to Facebook. Of particular concern to VZBZ is that WhatsApp transfers phone numbers from users' contact lists to Facebook, even numbers belonging to people who are not WhatsApp users. VZBZ wants WhatsApp to stop transferring such data and to delete whatever has already been transferred.
In December, the French data-protection authority CNIL ordered WhatsApp to stop sharing user data with its parent company Facebook. (Related link: https://www.reuters.com/article/us-whatsapp-privacy-france/french-privacy-watchdog-raps-whatsapp-over-facebook-data-sharing-idUSKBN1EC285 )
【Commentary】The EU has always protected personal data and privacy strictly. Data sharing between companies must comply with the law, and sharing between affiliated companies is no exception: any service that collects or uses user data must obtain the user's informed consent.
(3) Facebook fined in several countries for unlawful data collection
Facebook has been slapped with a €155,000 (around £132,000) fine by France's data protection watchdog for collecting information on users without their consent. CNIL added that the fine – which was imposed on both Facebook Inc and Facebook Ireland – was part of a wider European investigation also being carried out in Belgium, the Netherlands, Spain and Germany into some of Facebook's practices.
Facebook has been fined 1.2 million euros ($1.4 million) for allegedly collecting personal information from users in Spain that could then be used for advertising, the national data protection watchdog said on Monday. AEPD said it found three cases in which Facebook had collected details such as the gender, religious beliefs, personal tastes and browsing history of its millions of Spanish users without informing them how such information would be used.
Facebook Inc. was accused of Big Brother-style snooping on internet users in a fresh attack on the social network by Belgium’s data privacy watchdog. The regulator sought a court order on Thursday forcing Facebook to stop any collection of data for advertising purposes and the provision of “misleading” information to users, under the threat of a 250,000 euro ($296,000) daily penalty.
【Overview】In May, the French privacy regulator (CNIL) fined Facebook €155,000, finding that Facebook had collected large volumes of users' personal data to serve targeted advertising without giving users any way to refuse, and that it tracked users' browsing on third-party websites without their knowledge.
(Related link: https://mp.weixin.qq.com/s/TuRLSoFV4STa-Dor90xgAA )
In September, the Spanish data-protection authority (AEPD) fined Facebook €1.2 million for unlawfully collecting personal information: Facebook had gathered the personal data of millions of Spanish users without telling them how it would be used.
(Related link: https://mp.weixin.qq.com/s/K4S-9voaD5aA7CKkZSsITQ )
In October, the Belgian data-protection authority took Facebook to court, arguing that it unlawfully collects users' personal information and uses it for advertising.
(Related link: https://www.bloomberg.com/news/articles/2017-10-12/facebook-is-watching-you-belgian-privacy-agency-warns-in-court )
【Commentary】The root cause of Facebook's data-collection violations is that it neither clearly told users what the data would be used for nor obtained their consent; Spain's penalty, for instance, cited unclear wording in Facebook's privacy policy. Read alongside the "privacy policy review" work under way in China, the lesson is that a company's privacy policy should tell users fully and clearly what information is collected and which collected data supports which service.
No.2 Google
(1) Oracle complains to the EU about Google's privacy-policy change
Oracle has registered several complaints with EU regulators that Google’s ad-targeting practices give them an unfair advantage. The software company has claimed that because Google is able to compile such a large amount of data from its myriad of sources and users, it allows the company to use that data to target consumers so precisely it creates an unfair competitive advantage. According to an official of the European Union they are taking the complaint regarding policy change “seriously”.
The European Commission has fined Google a record-breaking €2.42 billion (~$2.73BN) for antitrust violations pertaining to its Google Shopping search comparison service — in what is widely considered the most significant antitrust ruling in Europe since the 2004 Microsoft decision.
【Overview】In January, Oracle lodged complaints with EU regulators claiming that Google's ad-targeting practices give it an unfair advantage. Oracle argued that because Google can compile so much data from its countless sources and users, it can target consumers so precisely that the result is an unfair competitive advantage. According to Oracle, "Google concealed the change to its privacy policy in order to induce users to accept it", presenting the change as enabling new features that would give users "more control" over their personal information.
【Related】In June, the European Commission fined Google €2.42 billion (about $2.7 billion) for breaching EU antitrust rules with its shopping comparison service.
(Link: https://techcrunch.com/2017/06/27/google-fined-e2-42bn-for-eu-antitrust-violations-over-shopping-searches/ )
【Commentary】When collecting and using user data, a company must obtain consent and must also avoid using its data advantage for unfair competition or monopolisation. Rich data is an important corporate resource, but it must be exploited lawfully and in compliance with regulation.
(2) Google investigated in South Korea for breaching data protection
Google is facing investigation for apparently gathering information about the location of mobile phone users without their knowledge. Regulators in South Korea summoned Google representatives this week over a report that the company was collecting data from Android devices even when location services were disabled. The Korea Communications Commission (KCC) is carrying out an investigation into claims that Google gathered users' Cell ID data without consent even when their phone's location service was inactive.
【Overview】In November, South Korean regulators summoned Google representatives over a report that Google was collecting data from Android devices even when location services were turned off. The Korea Communications Commission (KCC) opened an investigation into Google's collection of Cell ID (cell-tower) data from users' phones. Google said the data was collected to improve notification and message delivery, was never stored on Google's servers, and that the updated network system would no longer request Cell ID.
【Commentary】Google faces investigations and lawsuits over data collection not only in Europe and the United States but potentially in Asia as well. As personal data and information receive ever more attention, companies should proactively bring their data collection and use into compliance and secure the data they hold; that is the only effective way to avoid unnecessary legal risk.
(3) Google sued for unlawfully collecting data from Apple users
A veteran consumer advocate has filed a groundbreaking lawsuit against Google in the U.K., over the company’s circumvention of privacy protections in Apple’s Safari browser years ago. Between June 2011 and February 2012, Google bypassed the browser’s anti-tracking protections to collect browsing information from users. It has already paid tens of millions to settle the resulting suits in the U.S., and now it faces a type of class action in the U.K.
【Overview】In November, the International Business Times reported that Google had been sued in the English courts by a consumer representative seeking compensation for circumventing the privacy settings of Apple's Safari browser. Google is said to have bypassed the iPhone's default privacy settings to collect the browsing history of roughly 5.4 million iPhone users, a serious intrusion into their privacy. Between June 2011 and February 2012 Google circumvented the browser's anti-tracking protections to gather users' browsing data. It has already paid tens of millions of dollars to settle the resulting suits in the United States and now faces a form of class action in the UK.
【Commentary】Even when collecting user data on another company's platform, a business must still follow the principle of informed consent and obtain authorisation from both the user and the platform; neither can be dispensed with. Collecting data in disregard of the user's right to know infringes their privacy and invites litigation.
No.3 The US House of Representatives passes the Email Privacy Act
The U.S. House of Representatives approved on Monday the Email Privacy Act, which would require law enforcement agencies to get court-ordered warrants to search email and other data stored with third parties for longer than six months. The Email Privacy Act would update a 31-year-old law called the Electronic Communications Privacy Act (ECPA). Some privacy advocates and tech companies have pushed Congress to update ECPA since 2011. Lax protections for stored data raise doubts about U.S. cloud services among consumers and enterprises, supporters of the bill say.
【Overview】On 6 February the US House of Representatives passed the Email Privacy Act. Under the Act, law enforcement agencies must obtain a court-issued warrant before searching email or other data that has been stored with a third party for more than six months.
【Commentary】If enacted, the Email Privacy Act would update the Electronic Communications Privacy Act, in force since 1986. Email falls within the sphere of personal privacy; the Act reflects the characteristics of the present era, limits the power of public authorities to search citizens' communications, and thereby protects privacy more effectively against arbitrary intrusion.
No.4 Twitter and others pay $5.3 million over sharing user information
Facebook Inc is adding tools on Wednesday to make it easier for users to report so-called “revenge porn” and to automatically prevent the images from being shared again once they have been banned, the company said. The process to prevent repeat sharing requires Facebook to retain the banned pictures in a database, although the images are blurred and only a small number of employees have access to the database.
【Overview】In April, several major US technology companies, Instagram, Foursquare, Kik, Gowalla, Foodspotting, Yelp, Twitter and Path, settled a class action over the sharing of users' personal information. Their apps' "Find Friends" feature let users discover whether their friends were also using the app. In 2012 consumers brought a class action against these companies, alleging that "Find Friends" passed their personal information to the service providers without notice or consent, infringing their privacy. The companies settled with the consumers for $5.3 million.
【Commentary】Twitter argued in the case that it had obtained users' informed consent through its privacy policy, but the judge found that the policy did not protect users' right to know on this point. When data is shared between companies, both the scope of the information collected and the purposes for which it is used must be genuinely disclosed to users through an appropriate notice, and their consent obtained.
No.5 US health insurer pays $115 million to settle data-breach litigation
Anthem Inc (ANTM.N), the largest U.S. health insurance company, has agreed to settle litigation over hacking in 2015 that compromised about 79 million people’s personal information for $115 million, which lawyers said would be the largest settlement ever for a data breach. The deal, announced Friday by lawyers for people whose information was compromised, must still be approved by U.S. District Judge Lucy Koh in San Jose, California, who is presiding over the case.
【Overview】In June, Anthem, the largest US health insurer, announced that it had agreed to pay $115 million to settle the litigation over its data breach. In 2015 Anthem's database was breached by hackers, exposing the personal information of 79 million people, including names, dates of birth, addresses, email addresses, employment information, income data and Social Security numbers. Anthem subsequently faced more than 100 lawsuits from affected users.
【Commentary】The settlement set a new record for a US data-breach settlement. A data breach not only endangers users' lives and property; it also brings the company enormous financial losses and serious reputational damage. Companies today should attach greater importance to data security and act before a breach happens.
No.6 US credit bureau leaks data of 143 million consumers
Hackers have hit a treasure trove of financial data from potentially up to 143 million people in the US. Equifax, a prominent credit reporting firm, said Thursday that it was hacked from mid-May to July, with thieves stealing names, Social Security numbers, birthdates and addresses from its customers.With the US population standing at 323 million people, according to the US Census Bureau, this would mean that nearly half the country is at risk for having their personal data leaked from the Equifax breach. And the 143 million affected doesn’t include victims from around the world.
【Overview】On 8 September the US credit-reporting agency Equifax confirmed that it had been attacked by hackers between mid-May and July and that the data of roughly 143 million consumers had been exposed, including Social Security numbers, dates of birth, addresses and credit-card information. In its statement to investors Equifax said that about 209,000 credit-card numbers had been stolen, along with dispute documents containing personal identifying information for about 182,000 consumers.
【Commentary】Hacking is one of the main causes of data breaches. To guard against them, a company should put a full set of preventive measures in place: establish and maintain a compliance and assurance framework for network security and data protection, and regularly audit its own systems for unpatched vulnerabilities and for the risk of data leakage.
No.7 Yahoo breach exposes information on 3 billion accounts
Yahoo has tripled down on what was already the largest data breach in history, saying it affected all 3 billion accounts on its service, not the 1 billion it revealed late last year. The company announced Tuesday that it has sent emails providing notice to additional user accounts affected by the August 2013 data theft. The breach now affects a number that represents nearly “half the world,” said Sam Curry, chief security officer for Boston-based firm Cybereason, though there’s likely to be more accounts than actual users.
【Overview】On 3 October, Verizon, the US telecoms giant that now owns Yahoo, said that every Yahoo account in existence as of August 2013 may have had its personal information exposed. The stolen data included users' names, email addresses, telephone numbers, dates of birth and hashed passwords. Payment-card and bank-account data were not stored in the affected system and were not compromised. Yahoo had already, the previous year, prompted all users to change their passwords and invalidated unencrypted security questions and answers, among other protective measures.
【Commentary】In an age of frequent data breaches, companies must improve their own data-security defences, and individual users should also raise their security awareness and acquire the necessary cyber-security knowledge so that the impact of a breach on them is kept to a minimum.
No.8 US, UK and other countries investigate Uber over data breach
Uber today was forced to admit it was hacked last year and paid a ransom to hackers before covering it up as a bug bounty program. Within a few hours, international legislators have already responded. According to Reuters, authorities in Britain, Australia, the Philippines, and the US have opened investigations into the data breach. In at least one country (Britain), and possibly more, the company could face huge fines for failing to notify its users and lawmakers of the breach. Recode reports that Illinois, Massachusetts, and Connecticut are also investigating.
【Overview】In November, government officials around the world said they would look into Uber's handling of a major data breach from the previous year. Uber had disclosed that it paid hackers $100,000 in hush money to conceal a breach affecting 57 million accounts. The leaked data included riders' names, email addresses and phone numbers, as well as the driver's-licence numbers of about 600,000 US drivers.
【Commentary】The laws of most countries require the party responsible for a breach to issue a notification within a set period after the breach occurs, to keep the damage from spreading. Article 42, paragraph 2 of China's Cybersecurity Law provides: "Where personal information has been or may be leaked, damaged or lost, remedial measures shall be taken immediately, users shall be informed in a timely manner in accordance with the regulations, and a report shall be made to the competent authorities." Uber not only failed to give timely notice after the breach but paid the hackers to keep it secret, for which it may face a series of penalties.
No.9 Australia publishes draft digital identity framework for public comment
The Digital Transformation Agency (DTA) has invited public comment on the draft national standards and rules designed to frame the planned whole-of-Government digital identity program. The Agency said feedback was open on its Trusted Digital Identity Framework which outlines a consistent approach to digital identity in Australia. Announcing the initiative, Assistant Minister for Digital Transformation, Angus Taylor said the framework was now available for public feedback, following a period of consultation with Government, industry and privacy representatives.
【Overview】On 23 November the Australian government published a set of documents setting out standards for the security and usability of digital identity information in Australia, covering its collection, storage and use. The core privacy requirements of the Trusted Digital Identity Framework include: privacy governance, privacy impact assessments, data-breach response management, a privacy policy, notices about the collection of personal information, limits on collection and use, consent obtained before collection, cross-border and contractor disclosure, government identifiers, access, correction and dashboards, the quality of personal information, handling of privacy complaints, and the destruction and de-identification of information. Identity service providers may not collect sensitive information such as facial images without consent, and such information must be destroyed once it has been used to verify a person's identity; providers must also offer users a complaints service.
【Commentary】As the information age advances, digitising identity is a trend that will make people's lives more convenient. But digital identity information must also safeguard citizens' privacy. The core requirements listed in Australia's draft digital identity framework offer a useful reference for the network electronic identity (eID) scheme being rolled out by China's Ministry of Public Security.
No.10 EU updates draft ePrivacy Regulation
The General Data Protection Regulation ("GDPR") will enter into force 25 May 2018, and will provide new general data protection standards. In its draft ePrivacy Regulation of 10 January 2017 ("ePrivacy Regulation"), which includes specific provisions for electronic communications, the European Commission sought to ensure that both sets of rules will enter into force at the same time. In December 2017, the European Council released a "Consolidated Version" which summarizes the work done so far in the European Council as a basis for its future work.
【Overview】On 10 January 2017 the European Commission's draft ePrivacy Regulation set out specific rules for electronic communications. In December the draft was revised further: the consolidated version sets out the reasoning behind Articles 6, 7 and 9, which cover the confidentiality of electronic communications data and its further processing. Once the General Data Protection Regulation (GDPR) applies, the ePrivacy Regulation will affect websites, apps, cookies and other tracking technologies, and marketing activities.
【Commentary】The ePrivacy Regulation is the companion to the GDPR, and its importance is self-evident. Its basic principles include safeguarding the confidentiality of electronic communications and protecting personal data. Under the Commission's plan, the ePrivacy Regulation was to take effect on the same date as the GDPR.
Afterword: Protecting personal information and privacy has become an issue of global concern. In an era in which data is an enormously important resource, a healthy data economy cannot develop without safeguards for personal information and privacy; a company that disregards them faces a steady stream of class actions, heavy damages and other risks. In short, securing data and protecting personal privacy can no longer wait.