昊鑫隆百货,广西生二胎新政策2014,妻货可居
EBU6008 Information and Privacy Law Coursework
FriendChina.cn是一个社交网站,为世界各地对中国文化感兴趣的中国学生和学生提供一系列服务。该网站可以从中国和国外访问。该网站大多为英文版,并提供英文视频和其他有关中国历史,体育,文学和其他传统的信息。有英语和普通话聊天室,以及公告板讨论这些和其他更一般的聊天。用户也可以发送私信给对方。
任何想加入FriendChina.cn的人都可以注册一个免费账户。为了开立账户,个人必须提供他们的第一个(给定)姓名,性别,出生日期以及他们居住的城市的名称。他们还被要求通过在包括音乐,电影等风格的列表中勾选选定的项目来表示他们的兴趣。 FriendChina.cn收集这些个人信息,并将其存储在其公司网络上的可通过其网站访问的计算机上。除了公司网络之外,它还运行一个不连接到企业网络的独立计算机网络。
FriendChina.cn由广告赞助。所有出现在个人屏幕上的广告都是以年龄,性别,个人兴趣以及他们所处的世界的哪个地区为目标。系统还使用cookie,不仅保持用户登录FriendChina.cn,而且还跟踪用户访问的所有网站。此外,FriendChina.cn系统会自动搜索所有私人信息,查找用于为个人定制广告的关键字。通过这些广告链接的一些第三方网站通过个人收集更多的个人信息,通常使用游戏或提供免费屏保和其他下载来鼓励个人输入他们的信息。
在FriendChina.cn主页的顶部,出现了一个“隐私政策”,其中规定:
“FriendChina.cn不会收集或保留任何个人身份信息,也不会随时将此类信息传递给第三方。”
尽管有此承诺,FriendChina.cn系统还收集所有与FriendChina.cn链接的第三方广告的网页表单信息。这意味着该系统可能收集了一些个人身份信息,与其主页上的隐私政策相反。
“隐私政策”还对从客户那里收集到的敏感信息的保密性作出如下声明:
“FriendChina.cn采取一切措施保护用户的信息。当用户通过网站提交敏感信息时,您的信息在线和离线保护。我们使用业内最好的加密软件 - SSL。 FriendChina.cn致力于保护您提供给我们的数据安全,并会采取合理的预防措施来保护您的信息免受丢失,误用或篡改。“
从2017年1月开始,持续到2017年5月,黑客利用FriendChina.cn网站上的SQL注入攻击在其公司网络上安装常见黑客程序。黑客程序用于查找存储在企业网络上的敏感个人信息,并通过互联网将信息传输到网络外的计算机。结果,黑客获得了未经授权的访问数以千计的用户随后用于身份盗用的信息。一些用户伪造了银行账户,并以他们的名义提取了贷款。
1.建议FriendChina.cn在欧盟GDPR(假设适用)下的隐私义务(如果有的话)[50分]
2.根据中国网络安全法[50分]向FriendChina.cn通知其信息安全义务(如有)
Question1
On April 14, 2016, the European Parliament voted to General Data Protection Regulation (GDPR), which will take effect on May 25, 2018. The adoption of the GDPR means that the EU has achieved unprecedented heights in the protection of personal information and its supervision, making it the most stringent data protection act in history. GDPR is of great significance to the compliance operations of companies in China whose business scope involves the territory of EU member states and their citizens, avoiding high penalties, as well as the legal research related to data in China. The GDPR stipulates that "personal data" refers to any information that points to a recognized or identifiable natural person ("data subject"). The identifiable natural person can be directly or indirectly identified, in particular by referring to such an identifier as a name, identity card number, location data, online identification, or by referring to one or more physical, physiological, Elements of genetic, psychological, economic, cultural or social identity. "Processing" refers to any one or a series of operations that target the collection of personal data or personal data, such as collecting, recording, organizing, constructing, storing, adapting or modifying, retrieving, consulting, using, disclosing, disseminating, whether or not this operation is automated.
In this case, Anyone who wants to join friendchina.cn can sign up for a free account. To open an account, individuals must provide their first (given) name, gender, date of birth, and the name of the city in which they live. They were also asked to express their interest by checking selected items from a list of styles including music and movies. These personal information conform to the definition of "personal data" in GDPR.
Friendchina.cn collects this personal information and stores it on computers accessible through its website on its corporate network. In addition to the corporate network, it runs a separate computer network that is not connected to the corporate network. Friendchina.cn is sponsored by advertising. All the ads that appear on individual screens are aimed at age, gender, personal interests and where in the world they live. The system also uses cookies, which not only keeps users on friendchina.cn, but also keeps track of all the websites they visit. In addition, friendchina.cn automatically searches all private information for keywords that are used to tailor advertisements for individuals. Some of the third-party websites linked to these ads collect more personal information through individuals. These collection, storage, and search behaviors of friendchina.cn belong to processing behaviors in GDPR.
GDPR imposes a set of obligations on data controllers: Personal data should be handled in a lawful, fair and transparent manner in relation to the data subject; it should be is collected for a specific, definite and lawful purpose and it shall not be further disposed in any way if it does not conform to the above purposes; It should be sufficient, relevant and to the extent necessary for the purpose of personal data processing (" data minimization "); To ensure the safety of personal data moderate way, including the use of appropriate technology or organizational measures against unauthorized, unlawful processing, accidental loss, loss of or damage to the protective measures (integrity and confidentiality). In this case of Friendchina.cn,The company's "privacy policy" stipulates that "friendchina.cn will not collect or retain any personal identity information and will not transmit such information to any third party at any time." The system may have collected some personal identity information as opposed to the privacy policy on its home page. This violates the above obligation to keep the data transparent, and it does not inform users that the company may have collected some personal information. This violates the user's right to know. The company also further processed the data and collected more personal information through a series of processing methods, in violation of the "no further processing in a certain way" clause.
Controllers should implement appropriate technical and organizational measures, such as anonymity, in order to implement data protection principles, such as data minimization, in an effective manner, while identifying means of processing and processing.Controllers should implement necessary safeguards to meet legal requirements and protect the rights of data subjects.As a result, the hackers used SQL injection attacks on friendchina.cn to install common hacking programs on their corporate networks. Hackers are used to find sensitive personal information stored on corporate networks and transmit it over the Internet to computers outside the network. As a result, hackers gained unauthorized access to thousands of users' information, Forged bank accounts and took out loans in their name, which caused personal information to be stolen by hackers and caused huge losses to users. According to the obligations of the GDPR, the website did not implement appropriate technical measures, resulting in data theft. The web site should be held accountable.
Article 83, paragraph 5 of the GDPR provides for specific serious violations: first, violation of the basic principles and conditions of data processing. Data processing should follow six principles, namely, legality, legitimacy and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality. Data processing shall conform to the corresponding legal conditions. In the second category, the rights of consent, access, correction, oblivion, data portability, rejection and relief are violated
Generally speaking, GDPR as a solution to data protection, although currently only effective in Europe, but its impact is global. Based on the model of the entire Internet industry driven by gathering personal information and privacy, the impact will be inevitable, because even if other countries do not copy the EU, the protection of personal privacy information has become a general trend.
The Privacy Directive stipulates that cookies stored on a user's terminal device must be changed from opt-out to opt-in. Member states shall ensure that only allows to store information in the user terminal device or obtain information already stored, but the condition is: the user has agreed to according to the instruction from the 95th article 46 / ec, and has been provides a clear and comprehensive information, especially about dealing with the purpose of processing. In this case, the system also uses cookie, not only to keep users logged in FriendChina.cn, but also to track all websites visited by users. The website has not provided comprehensive information and without the user's consent, which is in violation of the Privacy Directive obligations. |
