The forbidden city where diesel vehicles are banned

I came across this illustration named “the forbidden city” (figure 1) recently, which was an interesting allusion to Germany’s ruling to allow its cities to ban diesel vehicles, except for those that meet the Euro 6 emission standard, in restricted areas. The Euro 6 standard is a European emission standard that sets limits for exhaust emissions such as carbon monoxide, volatile organic compounds, nitrogen oxides, particulate matter, etc., emitted by new vehicles manufactured in the European Union (EU).

figure 1

The first European emission standard, Euro 1, was introduced in 1992 and has since been amended with stricter limits over time. The latest standard, Euro 6, was adopted in 2014. The illustration tells the story of a forbidden city, where the blue vehicle, a Euro 6 automobile, is allowed into the city, and the red one, a Euro 5 vehicle, is banned. This points to Hamburg, the first German city to ban diesel vehicles that fail to meet the Euro 6 standard from entering some of its busy roads. More German cities will follow suit. Stuttgart will ban diesel vehicles of the Euro 4 or older standards from 2019. Frankfurt was obliged to implement the same ban on Euro 4 or older vehicles from February 2019, and a stricter ban that also covers Euro 5 vehicles from September next year.

As more countries are on their way to banning fossil fuel vehicles, more environmentally friendly vehicles such as electric ones are the future. The road may be bumpier for some countries, but hopefully it leads to greener and more sustainable societies.


The first city to implement a ban on diesel vehicles

Recently I saw the newspaper illustration above, titled “The Forbidden City” (see figure 1), which wittily reports that since February this year Germany has allowed its cities to issue diesel vehicle bans: apart from vehicles that meet the Euro 6 European emission standard, German cities may restrict non-compliant diesel vehicles from driving. Euro 6 is a European vehicle exhaust emission standard adopted jointly by the EU member states; it limits the exhaust pollutants emitted by different types of vehicles, including carbon monoxide (CO), hydrocarbons (HC), nitrogen oxides (NOx) and particulate matter (PM).

The first European vehicle exhaust emission standard, Euro 1, was introduced in 1992; the emission limits have been tightened progressively since, and the latest standard, Euro 6, took effect in 2014. The illustration shows the “forbidden city” barring the red car, a Euro 5 vehicle, from entering, while the blue car, a Euro 6 vehicle, may drive freely within the city. The “forbidden city” in the illustration is Hamburg, the first German city to issue a driving ban on diesel vehicles other than Euro 6, strictly prohibiting non-compliant diesel vehicles from entering some of its busy roads; more German cities will follow. Stuttgart will ban diesel vehicles of Euro 4 or earlier emission standards from January 2019, and Frankfurt will follow in February 2019, extending the ban to Euro 5 vehicles from September of the same year.

As more and more countries set timetables for banning fossil fuel vehicles, developing greener vehicles such as electric vehicles is the general trend. This requires the cooperation of different stakeholders in society; it will not be easy, but it helps society become greener and more sustainable.

What does GDPR mean to financial technologists?

Innovative technologies have developed rapidly. Many companies use advanced innovations to tap user data to understand users’ needs, upgrade operations and discover business opportunities. However, this has raised data privacy issues. The outbreak of the Facebook data leak scandal has heightened public concern about user data privacy. To safeguard user data privacy, the European Union (EU) implemented the General Data Protection Regulation (GDPR) on 25 May this year.

How does the GDPR affect Hong Kong companies?

Dubbed the strictest data protection law, the GDPR puts EU citizens in control of their data. It applies to any business whose activities involve processing the personal data of EU citizens, whether inside or outside EU jurisdictions. In other words, the regulation applies to Hong Kong companies whose business involves processing operations related to EU citizens that require regular and systematic monitoring of data subjects on a large scale, or whose core activities consist of processing sensitive personal data, or data relating to criminal convictions and offences, on a large scale.

The GDPR highlights an accountability principle and requires companies to implement measures to ensure compliance. Hong Kong companies whose activities involve processing EU citizens’ data are required to appoint a Data Protection Officer (DPO) to monitor and advise on GDPR compliance; conduct a Data Protection Impact Assessment (DPIA) before engaging in any data processing that may put individuals’ rights at risk; adopt Privacy by Design and by Default when determining the means of processing, integrating the necessary safeguards to realise the data protection principles; keep records of processing activities; and formulate data processing policies for compliance and accountability purposes. In case of a data breach, a company is required to issue a mandatory breach notification no later than 72 hours after becoming aware of the breach.

How should financial technologists cope with the GDPR?

The financial sector, among the industries that deal with considerable amounts of sensitive personal user data, can expect more attention from the regulatory authority and the public. That is why financial technologists need to be alert to GDPR compliance risk and comply with the principles for processing personal data stipulated in the GDPR.

The overriding principle of the GDPR is to safeguard the data privacy of EU citizens, so financial technologists are obliged to protect the rights and privacy of data subjects when formulating and implementing their technical and organisational policies. In processing or overseeing the processing of user data, financial technologists should ensure that the service concerned only collects and processes personal data in accordance with documented instructions, processes data confidentially, keeps the processed data secure, and honours requests to delete or return the data once the processing activity is complete.

The GDPR is founded on data subjects’ control over their own data, which is why the data subject’s consent is the prerequisite for lawful processing of personal data. Financial technologists must therefore ensure that their service platforms present a clear and intelligible request for consent, which also informs data subjects that they may withdraw their consent at any time. Consent for minors must likewise be obtained, through authorisation by their guardians.

Companies do not simply need to obtain data subjects’ consent to the use of their data; they must also respect how, and to what extent, data subjects want their data to be used, by offering the options of rectification, objection, restriction, erasure, the right to be forgotten and the right to data portability. Financial technologists need to review their practices against these enhanced rights for data subjects. In particular, with the rapid advancement and increasing adoption of financial technologies to predict business trends and analyse customers’ needs, user data is inevitably collected and analysed in the financial sector. Such practices may conflict with the GDPR, which allows data subjects to object to data processing or profiling carried out for direct marketing purposes, for interests pursued by the company concerned or a third party, for statistical purposes, and so on. Financial technologists need to ensure that options are provided for data subjects to object to, or request deletion of, a data processing activity.

A more secure approach to handling user data can help build customers’ trust in the company and improve customer service. Financial technologists should take this opportunity to review their technical practices against the GDPR, safeguarding the public’s rights over their personal data while securing the company’s services, to achieve a win-win situation.


The impact of the General Data Protection Regulation on financial technology practitioners

Innovative technology is advancing at breakneck speed. Many companies use innovative technology to mine user data, extracting useful information so that the business better understands users’ needs, improves operations and discovers business opportunities. However, using user data inevitably raises concerns about violations of personal data and privacy; the recent series of incidents in which Facebook leaked user information has drawn wide public attention. To protect the security of user data, the EU has implemented the General Data Protection Regulation (GDPR) since 25 May this year; some regard the GDPR as the strictest personal data protection regulation in history.

How does the GDPR affect Hong Kong businesses?

The GDPR returns control of personal data to users themselves, giving EU residents greater power to decide how their personal data is used. The GDPR applies to all businesses involved in processing EU residents’ data, including businesses outside the EU. In other words, any Hong Kong company whose business involves processing EU residents’ data, including regular and systematic monitoring of large amounts of personal data, or whose core business involves processing large amounts of sensitive personal data or data relating to criminal convictions and offences, must comply with the GDPR.

The GDPR emphasises the principle of accountability and requires companies to take measures to ensure compliance. Under the GDPR, any Hong Kong company whose business involves processing EU residents’ data must comply with the following requirements:

  • Appoint a Data Protection Officer, responsible for monitoring and advising on the company’s GDPR compliance;

  • Conduct a Data Protection Impact Assessment before any data processing activity that may put individuals’ rights at risk;

  • Adopt Privacy by Design and by Default, that is, build the necessary safeguards into the choice of processing methods so as to implement the data protection principles;

  • Keep records of data processing activities;

  • Establish policies and measures for the purposes of compliance and accountability;

  • If a data breach occurs, issue a notification within 72 hours of discovering the breach.

How should financial technology practitioners respond to the GDPR?

The financial industry handles large amounts of sensitive personal data every day and attracts particular scrutiny from regulators and the public, so financial technology practitioners must pay special attention to GDPR compliance risk and ensure that the company adheres to the GDPR’s provisions.

The GDPR’s primary principle is the protection of EU residents’ personal data and privacy, so when financial technology practitioners formulate and implement technical and organisational measures they must aim to protect users’ rights and privacy. When processing data or supervising data processing, financial technology practitioners must

  • ensure that the service concerned processes personal data only according to the controller’s written instructions;

  • process data confidentially;

  • ensure the security of the data processed;

  • respond to users’ requests to delete or return their personal data once processing is complete.

The GDPR emphasises users’ control over their personal data, so the user’s consent and authorisation is a necessary precondition for a processing activity to be lawful. Financial technology practitioners must therefore seek users’ consent in clear and easily understood wording on the company’s website or service platform, and must inform users of their right to withdraw consent at any time. If the user is a minor, the business must still obtain authorisation from the user’s parents or legal guardian.

Besides obtaining users’ consent to process their personal data, businesses must also respect users’ right to decide how, and to what extent, their data is used, including satisfying users’ requests for rectification, objection, restriction, erasure, the right to be forgotten and data portability. Financial technology practitioners need to examine whether their industry practices meet the above user rights. With the rapid development and wide industry adoption of financial technology, the financial industry increasingly collects and analyses user data to predict industry trends and understand customers’ needs; this conflicts with several GDPR principles, for example the GDPR gives users the right to object to any data processing and profiling activity that is used for direct marketing, for the interests of the business concerned or a third party, for statistical purposes and so on. Financial technology practitioners must therefore give users the option to object to, or have deleted, a data processing activity.

Financial technology practitioners should seize the opportunity to review their business practices against the GDPR. Handling user data in a more reliable and secure way not only builds customers’ trust in the business and raises the standard of customer service, but also strengthens the company’s services while protecting the public’s rights over their personal data, achieving a win-win outcome.