  • Thesis

An Analysis of the Consistency of the GDPR Cross-Border Transfer Exception Rules with the GATS under WTO Rules

The legal analysis of GDPR cross-border data transfer exception regulation under GATS of WTO

Advisor: 薛景文


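The formal implementation of the European Union's General Data Protection Regulation (GDPR) in 2018 set an important milestone for data protection regulation. The scope of data protection was extended to usage traces on the Internet, emphasizing that data subjects hold sovereignty over their data and that data controllers and processors must strictly comply with their obligations. In addition, the GDPR in principle prohibits transferring data from within the EU to outside it, permitting only a few specific exceptions. This provision means that the GDPR not only brings innovation to the development of data protection but also has an impact on the rules of international trade.

The rise of the big data era has made "data" an extremely valuable asset, because the Internet allows transnational commerce to break through the barrier of geographical boundaries and easily reach consumers in other countries. Companies can collect and process across borders the data that consumers generate on the Internet and use it for marketing analysis, which is an important basis for business development. However, the GDPR's prohibition in principle of cross-border transfers directly affects companies doing business in the EU, and has therefore led many to question whether the regulation is a trade barrier in the name of data protection. This thesis focuses on whether the three permitted exceptions for GDPR cross-border transfers (adequacy decisions for countries, appropriate safeguards, and data subject consent) are in substance a narrow gate that is difficult to pass, in violation of WTO rules such as most-favored-nation treatment, national treatment, and mutual recognition.

By compiling the regulations and the related official interpretive documents, this thesis explains the EU's data protection legal framework and background, the GDPR's definition of data, the rights and obligations of data subjects and of data controllers and processors, and the principles of cross-border transfer and each of the permitted exceptions, in order to support the subsequent consistency analysis. Using literature review as its research method, it also compiles and summarizes scholars' discussion of, and views on, the potential conflicts between GDPR cross-border transfers and WTO trade law. It compiles and summarizes past WTO cases on most-favored-nation treatment, national treatment, and mutual recognition to analyze whether the permitted exceptions violate WTO rules. Overall, the permitted exceptions do not substantially violate WTO rules, and many countries and companies do rely on them to carry out cross-border transfers. Nevertheless, there is still room for improvement: even though the rules do not violate WTO obligations, the application procedures are often time-consuming and costly, and the pursuit of a level of data protection equivalent to the GDPR may still disadvantage small and medium-sized enterprises and countries whose data protection rules are still developing.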


The adoption of the General Data Protection Regulation (GDPR) in the European Union in 2018 is an important milestone for data protection regulation. The scope of data protection has been extended to usage traces on the Internet, emphasizing that data subjects have sovereignty over their data and that data controllers and processors must strictly abide by their obligations. Furthermore, the GDPR prohibits the cross-border transfer of data from the EU to other countries, with only a few specific exceptions. Hence, the GDPR not only provides a new perspective on the development of data protection but also exerts a significant impact on the regulation of international trade.

The rise of the era of big data makes "data" a very valuable asset, because the Internet enables transnational commercial trade to break through the barriers of geographical boundaries and easily reach consumers in other countries. The data generated by consumers on the Internet can be analyzed by companies through cross-border collection and processing, which is an important basis for business development. However, the GDPR's prohibition in principle of cross-border transfers directly impacts companies doing business in the European Union, which has led to questions from many quarters as to whether the regulation is a barrier to trade in the name of data protection. This thesis focuses on whether the three exceptions to the GDPR's restriction on cross-border data transfers (adequacy decisions, appropriate safeguards, and data subject consent) are essentially a narrow gate that is difficult to pass, in violation of WTO rules such as most-favored-nation treatment, national treatment, and mutual recognition.

This thesis analyzes the consistency of the cross-border data transfer exceptions with the GATS, especially with respect to most-favored-nation treatment, national treatment, and mutual recognition. Overall, the exceptions do not substantially violate WTO rules. However, further improvement is needed: the application process is time-consuming and expensive, and the requirement that data protection meet the standard of the GDPR may have a negative impact on SMEs and developing countries.


