Faculty采访｜现代隐私法的学习与实践

Faculty采访｜现代隐私法的学习与实践

编者按：

本次结构式采访由张珈玮同学完成。张珈玮毕业于加州大学伯克利分校法学院（LL.M.），现就读于牛津大学法学院（MPhil in Law）。中文版采访经Determann教授许可，进行了部分删减，以方便读者阅读。英文版采访，请参见文末。

受访嘉宾介绍

Lothar Determann教授从事并教授国际数据隐私、技术、商业和知识产权法。

Determann教授供职于在位于旧金山和帕洛阿尔托的贝克·麦坚时律师事务所（Baker McKenzie）。他自1998年以来一直为公司提供数据隐私法合规以及将产品和商业模式推向国际的法律咨询服务。他获得了美国加州和德国的执业资格，被《旧金山和洛杉矶日报》评为加州十大版权律师和二十五大知识产权律师之一，并被“钱伯斯”（Chambers）、“法律500强”（Legal 500）、IAM和其他机构评为领先律师。

Determann教授自1999年以来一直是德国公法教授协会的成员，在柏林自由大学（自1994年）、加州大学伯克利分校法学院（自2004年）、黑斯廷斯法学院（自2010年）、斯坦福法学院（2011年）和旧金山大学法学院（2000-2005年）教授数据隐私法、计算机法和互联网法。他撰写了150多篇文章和论文，以及五本专著，包括《Determann 数据隐私法领域指南》（Determann’s Field Guide to Data Privacy Law） （2017年第三版，有中文、德文、日文、葡萄牙文、俄文和土耳其文版本）和《加州隐私法-实用指南和评论》（California Privacy Law – Practical Guide and Commentary）（2018年第三版）。

问题一：能否请您给中国学生介绍您在伯克利开的两门课：计算机法和加州隐私法？

（1）计算机法

我自2005年开始讲授计算机法。我围绕由Mark Lemley教授、Pamela Samuelson教授、Peter Menell教授和Robert Merges教授合著的《软件和互联网法》建构了课程，基本上集中在公司如何将计算机和信息技术商业化。

这门课有很多有关软件的内容，但我并没有止步于软件，我还涵盖了有关硬件的内容。这门课遵循一个假设，即信息技术如何商业化？适用哪些法律？在实现商业模式时如何使用和尊重知识产权？然后，我们关注信息技术发展的不同阶段和不同的可能性，接着从知识产权和商业的角度关注最终的科技部署。这门课非常重视实践，但同时当然也包括对政策方面的关注，如平衡财产法下的排他性权利，我们所追求的公共访问和创新规划，以及为什么我们有这样的知识产权法。总而言之，我们希望促进新技术的进步和使用。

（2）加州隐私法

加州隐私法是一个非常新的课程。而它的重点，如标题所示，是加州在保护个人隐私、规制个人信息处理方面所采取的截然不同的方法。加州是世界上最大的经济体之一。如果我们是一个国家，我们将在国民生产总值方面排名世界第五。同时，我们是美国人口最多的州之一，是许多创新的源泉。此外，加州有很多媒体公司和出版物，有狗仔队刺探名人的隐私。而且，加州有非常多样化的行业、企业和利益。因此，加州不仅在技术和数据处理方面领先于世界，而且在隐私立法方面也是如此。

加州因人民投票，在宪法中增设隐私权，而我们也是最早在宪法中增设隐私权的的法域之一。除此之外，我们是第一个提出数据泄漏通知（breach notification)的法域，很多国家都沿袭了这一制度。欧盟在2018年，在《一般数据保护条例》(General Data Protection Regulation)中提出了欧盟范围内的数据泄漏通知要求，但加州早在15年前就有了这一制度。我们还首度通过了许多其他法律来保护隐私，如《加州消费者隐私法》。我们在这个方面领先于全国（在某种程度上，其他州），可能也领先于其他一些国家。因此，这一领域是一个前沿的话题，也是一个非常有趣的话题。这也是我在加州隐私法课程中涉及的内容。

《数据隐私法实务指南》Lothar Determann著，何广越译

我出版了一本隐私法领域的指南（《数据隐私法实务指南》），这本书正在被翻译成很多语言版本。我在2010年开始这本书的写作。它现在已经更新到第五版了，每两到三年更新一次，以反映最新的法律发展，目的是给企业提供实用的指导，同时也在某种程度上给世界各地的政策制定者提供指引——隐私法是什么，公司如何遵守它，在其他国家什么是好的，什么是不好的。这些问题可以从我的指引中得出结论。

而从2015年开始，我开始写一本《加州隐私法》的书，我最初想的只是要写一个小而精的版本。但后来Hoofnagel教授说，如果我加上对所有现有的对加州隐私法评注不是很好吗，我想这很有趣。我的书的体积突然变得大了三倍。国际版本大概有200多页，但加州的版本有600多页，因为我把这些评注都写在了在里面。

Lothar Determann: Determann’s Field Guide to Data Privacy Law

我认为让人们了解所有这些法律真的很重要。教课，与学生合作来帮助我更新和编辑这本书，是隐私法实践的重要部分。我认为我们都可以通过处理这个问题来回馈社会，因为立法者非常迫切地制定新的法律，但往往甚至没有考虑到已经存在的问题，又不能废除任何东西。因此，这些法律使得公司必须履行的义务不断增加。总的来说，这门课关注的内容与计算机法完全不同。它不仅是知识产权，不是关于谁拥有某样东西以及这些访问权和个人排他性权利是如何平衡的。它更多的是关于个人隐私如何被保护，公司要做什么，如何监管企业。

问题二：由于科技法总是掺杂着许多技术问题，没有技术背景的学生可能会觉得难以理解。作为一位专攻法律和科技的律师和教授，您认为学生在学习科技法时如何克服这些技术障碍？

我没有发现我的学生在计算机法的课上存在普遍的困难。互联网（如维基百科）上有很多很棒的信息用于技术问题的学习。我也努力在课堂上解释相关的内容。我认为，在这个人人使用电子产品的时代，如果你对技术感兴趣，相对快速地掌握是没有问题的。

我认为这是作为一个法律人的重要技能。作为一个学者，或作为一个法律学生，你也试图理解和处理事实以及它们如何适用于法律。法律永远落后于最新的技术，并且永远必须赶上技术的发展。我们法律人的一个重要功能是了解技术如何运作，商业模式如何运作，社会如何受到影响，然后就现有的法律如何适用于这种新的情形形成法律意见。我认为这是我们在计算机法中学习的东西。因此，我认为，一般来说这不应该成为学生学习这个特定课程的顾虑。

问题三：对于即将完成法学院学习并进入隐私、数据、知识产权和技术法领域的新律师，你有什么建议可以帮助他们更好地在这些领域执业？

我想说的是，要有点机会主义精神，要轻松地适应摆在你面前的问题。如果你对某个领域充满热情，那就去追求它。如果你开始了一个综合性的法律实务工作，无论是公司法务、律所律师，抑或是在政府机构和法院工作，要灵活地处理所面对的问题。在日常工作中要一直记着IRAC的体系——确定问题、寻找适用的规则、适用并且得出结论。在实践中，我看到有许多人没有做到这一点。他们忘记了规则（Rule）和适用（Application）的步骤，从而得出了错误的结果。当然，如果你为一家公司或个人利益代理，你可以为某个主体辩护。那么，有时会有某种程度的“混淆视听”，你必须看穿某些情况是故意为之或以一种可能误导人们的方式呈现。作为律师，我们必须睁大我们的眼睛，试图了解事实是什么。我们把它们记录下来，然后分析它们，端详它们。然后我们来适用我们的法律做出评价，并得出一个法律结论。我们不只是遵循最佳做法或者做其他人正在做的事。我们要确保我们了解事实是什么，以便我们能够相应地适用法律。

就我个人而言，我总是被技术问题所吸引。因此，我从德国来到硅谷。我从未计划过我会在这里呆这么久。在这里，我的实践每天都给我带来新鲜有趣的事情，它们也让我在学术层面处理它们，因为我在这些领域的工作中发现了一些尚未受到公众关注的问题。这让我很有成就感。当你从一个特定的案例或法律适用中学到一些东西时，你如何能让这个东西有用？你可以发表相关文章，帮助其他人也从中学习，形成一种理解，最终推动人类在进步和发展以及实现负责任地使用新技术方面的目标。

问题四：《中国信息保护法》于2021年颁布。您认为中国和美国的数据保护存在哪些差异，这给两国的隐私法律师带来了哪些挑战？

中国有许多关于数据和隐私的法律，也有许多不同的监管机构涉及这一领域。因此，重要的是，就像在美国一样，不要只看最新的法律，而是必须在网络安全法以及其发布的一些信息法规和决定指南的背景下来看这个问题。如果类比到美国，你也必须看看联邦法律和各州的隐私法。

综合而言，我认为中国和美国对个人隐私和数据监管的态度不同。在如何追求自由和价值观以及政策目标方面，中国注重自由和集体意识，将确保个人有足够的食物，有工作，有所有他们需要的东西作为真正的关注点；而在美国，重点是重视个人，一个人的个人自由，反对政府的权利，反对公司的权利在美国更加发达。因此，这是从广义上讲的，而历史背景也导致了两国对隐私方面的关注点有所不同。

就公共部门的隐私监管而言，我认为中国新颁布的《个人信息保护法》在技术上也可以适用以限制有关公共部门。在美国，许多数据保护法可以用来对付政府，保护个人自由不受政府影响。例如，第四修正案在很大程度上侧重于防止政府不合理的搜查和扣押，这就是我们在宪法中的规定。在美国限制公共部门仍然是隐私法的基础。

就其他方面而言，我想说的是，去年11月通过的中国《个人信息保护法》，以及我们现在的CCPA和CPRA，都受到了欧洲观点的影响，即个人数据的处理需要被监管。我认为在欧洲、美国和中国都有一种意识，即数据流的监管是一个重要的经济和贸易话题，同时也与个人自由和个人隐私保护有关。

此外，全球跨国科技公司已经变得非常非常强大，在世界上各个国家，政府都有兴趣利用隐私立法来控制科技公司，并将其作为科技监管和贸易监管的一种方式，以及作为地方政府执法情报服务的一种获取个人数据的方式。

问题五：国家安全、个人隐私和公共利益之间具有怎样的关系？

看待安全和隐私的一种方式是，没有安全，就没有隐私。如果我们不能保护自己免受对方或政府的伤害，那么我们就没有隐私。我们将不会处于一个安宁的状态。所以我们需要政府。我们需要警察来保护我们，并维护安全。因此，安全是拥有隐私的一个条件。

同时，即便没有任何隐私，也可以有真正好的安全。因此，如果政府过分强调安全，为了防止犯罪或反社会行为而对每个人进行监视，通过社会评分和其他措施控制国内每个人的每一件事，那么就不会有个人隐私。所以这也是至关重要的。所以我不会说安全总是与隐私对立的。

我认为通信隐私不仅是个人尊严的问题，它也是一个政府、一个社会在一个正常的民主制度下运作的条件，人们可以在保密的情况下表达意见，而不必将一切都放在公共领域。

向上滑动阅览英文版采访

Q1: I know that you offer two courses at Berkeley Law School, Computer Law and California Privacy Law. Could you please briefly introduce the schedule and content of these two courses for Chinese students who will be attending Berkeley?

A: That computer law class is one that I've been teaching since 2005. And in 2005, Professor Lemley moved to Stanford and he’s been teaching this class on computer law. There was a fine book by Mark Lemley, Pamela Samuelson, Peter Menell, and Robert Merges, which is called Software and Internet Law. And the first half is focused on what I teach in computer law. Mark had shared it with me for teaching. And I’ve built the curriculum around that book, which is basically focused on how companies commercialize Computer and Information Technology. Much software, but I don't stop there all to cover hardware. The class follows a hypothetical on how can information technology be commercialized, what laws apply? How can intellectual property be used and respected when business models are delivered? And then we look at different stages and different possibilities of the development and then ultimately, deployment of information technologies from an IP and commercial perspective. That's what that class is about. It's very practice-oriented, but we cover of course, also, policy considerations such as the balancing of exclusive rights under property laws, and the public access and innovation agenda that we actually pursue publicly, why we even have such intellectual property laws. We want to promote the progress and the use of new technologies and that is a big policy topic that follows the class. So that's the class on computer law.

The class on California privacy law is a very new one. And it's focused, as the title indicates, on the very different approach that California has to take to protect individual privacy, and now also to regulate the processing of personal information to some extent. California is one of the largest economies in the world. If we were a country we would be number five in terms of the gross national produc. We're one of the most populous US states where there is a source of much innovation. At the same time, we have media companies, we're publishing things, we have paparazzi running up to celebrities who want to protect their privacy and we have a very diverse set of industries, businesses and interests in our state. And so California is not only leading the world on new technologies, new data processing interests, but also privacy legislation. We are one of the first jurisdictions that added privacy rights to their constitution.

This was done by a ballot initiative. It was the people of California who want to set it in the constitution. We are the first jurisdiction that came up with a breach notification law pretty much all countries followed. The EU followed many years later in 2018, with a federal or EU-wide breach notification requirements in the General Data Protection Regulation, but we had it in California 15 years earlier. And've passed many other laws as a first to protect privacy. So that's an interesting place to be and we're leading right now, the country and some extent other states and probably other countries again, by coming up with the California Consumer Privacy Act. And so that topic is a cutting-edge one, and a really interesting one. And it's something that I covered in this California privacy law class. I've been publishing a privacy field guide that is a book being translated into quite a few other languages. 

I started doing that in 2010. It's now in its fifth edition already updated every two or three years to reflect the latest developments and is intended to give practical guidance to businesses and to also some extent, policymakers around the world, what privacy laws do and how companies can comply with it, what is good and not working so good in other countries, it can be derived from the guidance that I'm providing in there. And since 2015, I started writing a California privacy book, and I was initially thinking it is just going to be a very specific version of this. But then Professor Hoofnagel said, Wouldn't it be nice if I also added a commentary on all the existing California privacy laws and I thought that's interesting. And when I started taking a look on how many they were, my book became suddenly three times bigger in size. The International Version is about 200 pages to California focus more than 600 pages, because I have all this commentary in there. And I think it's really important that people understand all these laws that are out there. And so teaching the class, updating the book, working with you, the students who are helping me updating and editing the book is a really important part of privacy practice. And I think something we can all give back to the community by even processing this because lawmakers are very quick to turn out new laws but often not even thinking about what's already out there and not able to repeal anything ever. So they're just adding to the pile of things that companies have to do. So that class is really focused on something very different from computer law. It's not only intellectual property, it's not about who owns something, and how these access rights and individual exclusion rights are balanced. But it's more about how is individual privacy protected. What do companies have to do? How are businesses regulated and that is what we're covering in California privacy law.

_________________________________________

Q2: Since technology law is always mixed with many technical issues, students without a technology background may find it difficult to understand. As a lawyer and professor specializing in law and technology, how do you think students can conquer these technical obstacles when learning technology law?

A: I have not found that my students have a hard time as a general matter in computer law class. Learning about the technology I think there's so much great information available on the internet. I'm trying to explain what is relevant in class too. But there is a lot of good stuff available on Wikipedia on many other sites. And so I think if you're curious and interested in technology generally and we all use technology, then I think it is no problem to catch up relatively quickly. And I think this is an important part of being a lawyer. Being a scholar, or being a student of law that you also try to understand and process facts and how they apply to the law. The law will always be behind the latest technologies, and always have to catch up. And a big function that we play is to understand how technologies work, how business models work, how society is affected, and then form an opinion on how existing laws apply in this new context. And I think that's something we're learning in computer law but you learned that in every other class in one way or another as well. So I think that should not generally be a concern for students to take this particular class.

_________________________________________

Q3: What advice would you give to new lawyers who are about to finish their studies at law school and enter the field of privacy, data, IP and technology law to help them better practice in these fields?

A: I would say be a bit opportunistic and adapt easily to the problems that come before you. I think if you're passionate about a certain area, then pursue that but if you go into a general practice, you work for a company you work for a law firm, you work for a government agency or a judge, people will bring you problems and reacting to them and processing them and do a good job of understanding them and finding solutions for them will over time help you develop and be a good lawyer. Always think about your IRAC scheme-- to identify issue, try to find out what the rules are applied and come up with a conclusion in day-to-day life. There are many lawyers that I see in practice that failed to do that. They forget about the rule and application step and they come to the wrong results. And of course, if you're advocating for a company or for an individual interests, you can defending somebody. Then there'll be some degree of obfuscation sometimes that you have to see through were intentionally certain scenarios or presented in a way that could mislead people. And we as lawyers have to have our eyes open. We try to understand what the facts are. We write them down. We analyze them. We look at them. And then we come and apply our legal assessment and come up with a legal conclusion. We were not just following best practices or we do what everybody else is doing or what some government recommends. To question everything. And we want to be sure that we understand what the facts are so that we can apply the law accordingly. That would be the recommendation. 

For me personally, I was always attracted by technological issues. And so I followed them to Silicon Valley from Germany. I never planned I would stay here this long. I love Germany too. But it's been never boring. And my practice has brought me every day new interesting things and they allow me then also to process them academically. Because I see things before they even become public just working in these fields. And that has been very rewarding. When you learn something from a particular case or application How can you make this useful? And you publish about it and help others learn from that as well and develop an understanding that is ultimately furthering the objectives of humankind in terms of progress and development and responsible use of new technologies.

_________________________________________

Q4: The Chinese Personal Information Protection Law was enacted last year. What differences do you think exist between data protection in China and the United States and what challenges does this present for privacy lawyers in both countries?  

I want to acknowledge that China has many laws on data and privacy and has many different regulators that cover this area as well. So it's important like in the US that you don't just look at the latest law, but we have to look at that in the context of the cybersecurity law, and some of its information regulations decision guidance that was issued. So that is something you'd have to look at. If you compare that in the US, also you'd have to look at federal law and state privacy law. 

As a general matter I think, it is a completely different attitude towards individual privacy and to data regulation in China and the United States. In the sense of how freedom and values and policy goals are being pursued. China, the communist party rules and has a focus on freedom and the collective sense to make sure that the individual has enough to eat has work has all the things that they need to live performance society as a real focus point, whereas in the US the focus is very much on the individual, individual freedom for one person, right against the government, the rights against companies is much more developed in the United States. And so that's from a broad picture, and historic context then leads also in privacy to a different focus. It starts with public sector privacy regulation. I think the new data protection law that was passed technically could also apply against public sector entities, but it remains to be seen whether it will actually be applied and used that way. Whereas in the US many data protection laws can be used against the government and protects individual freedoms against the government. For example, the Fourth Amendment was very much focused on preventing unreasonable searches and seizures, against the government that is what we have in the Constitution. And that continues to be the basis for privacy law against the public sector in the United States. I think that's an important difference right there. 

The other aspects of it I would say that is a bit of a convergence that both the Chinese data protection law that was passed last November, and then also what we have now in CCPA, and CPRA, are influenced by the European idea that the processing of personal data as such needs to be regulated. I think there is a sense in Europe, in the US and in China that the regulation of data flows is an important economic and trade topic as much as relevant for individual freedoms and protection of the individual privacy sphere. 

And I think that is also a strong feeling that global multinational tech companies have become very, very powerful and both in the United States, in Europe, in China, there is a interest on the government side to use privacy legislation alters a way to rein in tech companies as a way of tech regulation as a way of trade regulation, and as a way of securing access personal data for local governments for law enforcement intelligence services. So the strategic importance of personal information leads to data regulation that is not only there to protect the individuals, I think also, it is in China, a feeling that I've heard as the government is often using privacy laws as an excuse to examine, censorship or impose censorship on individuals as well. And this is a discussion that we have in the United States as well that people say in the name of privacy law, or protection of individuals, again, free speech is being restricted and that privacy is becoming a threat to freedom of speech and free information.

_________________________________________

Q5: What is the relationship between national security, personal privacy, and public interest?  

One way to look at security and privacy is to say without security, there is no privacy. If we are not able to protect ourselves from each other, or from governments, then we have no privacy. We will not be left alone. So we need the government. We need the police to protect us, and to protect security. And therefore security is a condition to having privacy. At the same time, there could be really good security without any privacy. And that is a concern. So if the government over-emphasizes security and spies on everyone in order to prevent crimes or to anti-social conduct, with social scoring and other measures, control every bit of every person in the country then there will be no individual privacy. So that is also an important thing. So I wouldn't say that security is always pitched against privacy. It is necessary as a basis for privacy but if security is too much emphasized, then privacy will be gone and where privacy is gone, we lose the ability of people to speak freely. Democracy will become very difficult or impossible because people have to be concerned at all times that the opinions that they expressed will be used against them. So I think communication privacy is not only a question of individual dignity, it is also the condition for a government, a society to operate in a functioning democracy in a way that people can express opinions in confidentiality, in private without having everything be in the public sphere. So I think there's an individual dignity, concern. And then there's also a public interest in a sphere of being privacy so that we have responsible individuals and not class citizens that just serve a purpose for the government and no longer any individuality. That's my sense.

 扫描二维码关注哦！