
Smart Implementation of Data Privacy Laws

Information Technology 2025-09-15 GSMA

Achieving the right outcomes for the digital age

The GSMA is a global organisation unifying the mobile ecosystem to discover, develop and deliver innovation foundational to positive business environments and societal change. Our vision is to unlock the full power of connectivity so that people, industry and society thrive. Representing mobile operators and organisations across the mobile ecosystem and adjacent industries, the GSMA delivers for its members across three broad pillars: Connectivity for Good, Industry Services and Solutions, and Outreach. This activity includes advancing policy, tackling today’s biggest societal challenges, underpinning the technology and interoperability that make mobile work, and providing the world’s largest platform to convene the mobile ecosystem at the MWC and M360 series of events. We invite you to find out more at gsma.com

Contents

Introduction
Implementing ‘guiding principles’ of smart data privacy law
International norms and frameworks
Accountability
Risk-based
Horizontal
Consent and lawful grounds for processing
Rights
Data breach notification
Cross-border data flows
Remedies, enforcement and sanctions
Conclusion

Introduction

Supervisory authorities face numerous challenges in implementing data privacy laws, whether they are an emerging authority implementing a new law or a well-established authority having to consider how to modify the implementation of an existing law.

The nascent authority may, for example, have significant staffing or budgetary constraints or additional mandates to implement telecommunications and/or financial laws. The well-established authority may have to simplify or improve its current data privacy law implementation due to the interplay with different sectoral laws, regulations or technological developments. It may need to consider how to simplify the current implementation of the national data privacy law.
How implementation is handled by a supervisory authority will impact the digital economy and mobile ecosystem. If the approach is overly strict and prescriptive or, conversely, lacking clarity or with contradictory and overlapping requirements, the regulatory complexity for organisations such as mobile network operators (MNOs) can increase compliance costs while failing to protect consumers as intended.

The key nine principles to consider when implementing a data privacy law are highlighted in Table 1 opposite. These are the principles associated most directly with the implementation decisions that authorities are typically faced with, and which help achieve the right outcomes for the digital age.

The following section considers the practical application of each of these principles, as countries adapt to a new or updated data privacy framework. While there is no single best approach, we strive here to provide recommendations drawn from real experience and reflecting input received through our engagement with data protection authorities and MNOs worldwide. All quotes stem from GSMA engagement with data protection authorities, regulators and industry stakeholders at the GSMA Ministerial Programme at MWC Barcelona, GSMA Capacity Building and regional events, the Global Privacy Assembly and the African Network of Data Protection Authorities annual conference.

In the GSMA’s 2019 Smart Data Privacy Laws report¹, 14 guiding principles were outlined, aimed at helping governments, policymakers and organisations to develop effective, future-proof data privacy frameworks.

This report builds on the 2019 report by providing insight into the implementation of each relevant principle, compiling learnings and good practice from around the world to assist those looking to implement data privacy laws in their market.

TABLE 1

A smart data privacy law is one that:

Promotes cross-border data flows.
Source: https://www.gsma.com/solutions-and-impact/connectivity-for-good/public-policy/wp-content/uploads/2019/06/GSMA_Smart-Data-Privacy-Laws_Report_June-2019.pdf

Implementing guiding principles of smart data privacy law

International norms and frameworks

PRINCIPLE
A smart data privacy law is one that finds alignment with existing international norms and data privacy frameworks.

A data privacy framework is a comprehensive set of guidelines, regulations, principles and practices designed to safeguard personal data and uphold individuals’ rights. This includes national or regional laws² and international instruments³, as well as tools, standards and best-practice frameworks implemented by organisations⁴.

• Crafting a narrative that explains:
  a. Who the main stakeholders are, including if any sector-specific supervisory authorities are engaged.
  b. Who is required to comply with the data privacy framework.
  c. The components of the framework and their applicability in practice.
  d. Why the adopted framework matters and its intended impact.
• Assessing whether specific examples and use cases are required to aid understanding.

Implementing a data privacy framework varies from one country to another, but a key step invol