Please use this Handle URI to cite this document:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/92562

| Title: | Modeling the Investment Decision in the General Data Protection Regulation (GDPR) Compliance |
| Author: | Hui-Jui Chen (陳暉叡) |
| Advisor: | Wen-Hsin Hsu (許文馨) |
| Keywords: | GDPR, Gordon-Loeb model, legal compliance |
| Publication year: | 2024 |
| Degree: | Master's |
| Abstract: | The General Data Protection Regulation (GDPR) is a European Union regulation governing the collection and processing of personal data of residents of the EU and several other European countries. It adopts a broad definition of personal data and requires compliance from entities regardless of their country of origin, so long as they process the personal data of European residents. Because non-compliant entities face penalties of up to the greater of 20 million euro or 4% of annual turnover, assessing the cost and benefit of compliance matters to every commercial enterprise that makes direct or indirect use of European personal data. However, the upper limit of the fines does not by itself describe the enforcement environment or the risk calculation behind investing in GDPR compliance. This thesis draws on several actual GDPR enforcement cases involving insufficient fulfilment of data subject rights and insufficient technical measures for data processing (data breaches) to illustrate the enforcement process, the nature of the violations, and the financial impact on the violators, and compiles the penalty cases from the regulation's first four years of enforcement (2018 to 2021). It then estimates the cost of compliance using the Gordon-Loeb model, an economic model of how a firm balances and optimises its cybersecurity risk against its investment in security. Under the Gordon-Loeb model's 37% rule, the observed compliance spending implies an ex ante vulnerability of 60% to 80% for companies subject to the GDPR. This high ex ante vulnerability, together with penalties of around 100,000 euro for small firms and 4,000,000 euro for large firms, indicates a rigorous enforcement environment that warrants serious attention from companies. |
| URI: | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/92562 |
| DOI: | 10.6342/NTU202400839 |
| Full-text license: | Licensed (access limited to the NTU campus network) |
| Appears in collections: | College of Management, Global MBA program |
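The Gordon-Loeb calculation the abstract refers to, as an added worked example: this is not code from the thesis, and the record above does not disclose the thesis's own parameters or functional form. The example assumes the class-I security breach probability function S(z, v) = v / (αz + 1)^β from Gordon and Loeb's 2002 paper, computes the optimal investment z* against a potential loss L (here taken as the fine), checks it against the 1/e bound behind the "37% rule", and shows the inverse step of backing out the ex ante vulnerability v implied by an observed spend, which is the direction of reasoning behind the abstract's 60% to 80% figure. The α and β values and the firm figures are constructed for illustration. It goes slightly beyond the abstract by also handling the corner case in which no investment is optimal.

```python
"""Gordon-Loeb model worked example: optimal security investment, the 1/e
("37%") bound, and the ex ante vulnerability implied by an observed spend.

Added example, not code from the thesis.  Assumes the class-I breach
probability function S(z, v) = v / (alpha*z + 1)**beta from Gordon & Loeb
(2002); the record does not say which form the thesis used, and the
alpha/beta values and firm figures below are constructed for illustration.
"""
from math import e


def breach_prob(z: float, v: float, alpha: float, beta: float) -> float:
    """S(z, v): breach probability after investing z, given the ex ante
    vulnerability v (breach probability with zero investment)."""
    return v / (alpha * z + 1.0) ** beta


def enbis(z: float, v: float, loss: float, alpha: float, beta: float) -> float:
    """Expected net benefit of information security investment:
    expected loss avoided, (v - S(z, v)) * L, minus the investment z."""
    return (v - breach_prob(z, v, alpha, beta)) * loss - z


def optimal_investment(v: float, loss: float, alpha: float, beta: float) -> float:
    """z* from the first-order condition -dS/dz * L = 1.

    dS/dz = -alpha*beta*v / (alpha*z + 1)**(beta + 1), so an interior optimum
    satisfies (alpha*z* + 1)**(beta + 1) = alpha*beta*v*L.  If the marginal
    return at z = 0 (alpha*beta*v*L) is at most 1, the corner solution z* = 0
    applies: the first euro of spending does not pay for itself.
    """
    marginal_at_zero = alpha * beta * v * loss
    if marginal_at_zero <= 1.0:
        return 0.0
    return (marginal_at_zero ** (1.0 / (beta + 1.0)) - 1.0) / alpha


def one_over_e_bound(v: float, loss: float) -> float:
    """Gordon-Loeb '37% rule': for class-I and class-II functions the optimal
    investment never exceeds (1/e) * v * L, about 36.8% of the expected loss."""
    return v * loss / e


def implied_vulnerability(z_obs: float, loss: float, alpha: float, beta: float) -> float:
    """Invert the first-order condition: the v for which an observed spend
    z_obs would be the optimal investment against a potential loss L."""
    return (alpha * z_obs + 1.0) ** (beta + 1.0) / (alpha * beta * loss)


def grid_search_optimum(v: float, loss: float, alpha: float, beta: float,
                        z_max: float, step: float) -> float:
    """Brute-force check of the closed form: maximise ENBIS over a grid of z."""
    best_z, best_val = 0.0, enbis(0.0, v, loss, alpha, beta)
    z = step
    while z <= z_max:
        val = enbis(z, v, loss, alpha, beta)
        if val > best_val:
            best_z, best_val = z, val
        z += step
    return best_z


if __name__ == "__main__":
    # Constructed parameters: a large firm facing the EUR 4M penalty from the
    # abstract with an ex ante vulnerability of 0.8; alpha/beta are illustrative.
    alpha, beta = 1e-6, 1.0
    large_fine, v_large = 4_000_000.0, 0.8
    z_star = optimal_investment(v_large, large_fine, alpha, beta)
    bound = one_over_e_bound(v_large, large_fine)
    print(f"large firm: z* = {z_star:,.0f} EUR, 1/e bound = {bound:,.0f} EUR")
    print(f"grid check: {grid_search_optimum(v_large, large_fine, alpha, beta, 3_200_000, 1_000):,.0f} EUR")
    print(f"implied v from that spend: {implied_vulnerability(z_star, large_fine, alpha, beta):.3f}")
    # A small firm facing ~EUR 100k: with these alpha/beta the marginal return
    # at z = 0 is below 1, so the corner solution z* = 0 applies.
    print(f"small firm: z* = {optimal_investment(0.6, 100_000.0, alpha, beta):,.0f} EUR")
```

The productivity parameter α is the decisive assumption: it scales how much breach probability each euro buys, and with the constructed value above the small firm sits at the corner solution while the large firm invests roughly 25% of its expected loss, comfortably under the 1/e bound. Any empirical use of the model, as in the thesis, hinges on choosing the functional form and α, β from data rather than by assumption.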
Files in this item:
| File | Size | Format | |
|---|---|---|---|
| ntu-112-2.pdf (access limited to NTU campus IP addresses; use the VPN service from off campus) | 1.24 MB | Adobe PDF | |
Items in the system are protected by copyright, with all rights reserved, unless otherwise indicated.
