信息安全研究 ›› 2023, Vol. 9 ›› Issue (2): 162-.

• 技术应用 • 上一篇    下一篇

联邦学习的个人信息保护合规分析框架

朱悦1庄媛媛2
  

  1. 1(北京科技创新中心研究基地北京100083)
    2(深圳市湾区数字经济与科技研究院广东深圳518126)
  • 出版日期:2023-02-01 发布日期:2023-01-24
  • 通讯作者: 朱悦 博士,研究员.主要研究方向为隐私权与个人信息保护、算法治理. pkueconzy@163.com
  • 作者简介:朱悦 博士,研究员.主要研究方向为隐私权与个人信息保护、算法治理. pkueconzy@163.com 庄媛媛 博士,研究员.主要研究方向为数据相关政策法律法规、数据安全与隐私保护、隐私增强技术. atuanc@yeah.net

Compliance Analysis Framework of Personal Information  Protection in Federated Learning

  • Online:2023-02-01 Published:2023-01-24

摘要: 联邦学习在个人信息保护意义下的合规分析需进一步完善,尤其需要技术与法律更紧密结合.故建立识别适用规定、定性数据流、识别处理行为、定性主体身份、识别责任义务和合规风险分析6步骤合规分析框架.框架对经典的横向纵向联邦学习架构足以给出具体、与适用规定存在紧密逻辑关系的合规结论;并可推广至其他架构或隐私计算技术合规分析;可融入其他国家或地区的合规要求;有助于满足《中华人民共和国个人信息保护法》对个人信息处理影响评估的要求.最后,基于框架及其分析结论,对联邦学习的个人信息保护标准制定提出建议.

关键词: 联邦学习, 个人信息保护, 合规分析框架, 个人信息处理影响评估, 隐私计算

Abstract: The compliance analysis of federated learning in the sense of personal information protection needs to be further improved, especially the closer combination of technology and law. Therefore, a 6 stepscompliance analysis framework is established, which includes identifying applicable regulations, data flow, processing behavior, subject identity, responsibilities and obligations, and compliance risk analysis. For the classical horizontal and vertical federated learning framework, the framework is sufficient to give concrete compliance conclusions which have close logical relationship with applicable regulations. It can be extended to other architectures or privacy computing technology compliance analysis, and be integrated into the compliance requirements of other countries or regions. The framework helps to meet the requirements of the personal information protection law for impact assessment of personal information processing. Finally, based on the framework and conclusions, some suggestions on the formulation of personal information protection standards for federated learning are put forward.

Key words: federated learning, personal information protection, compliance analysis framework, personal information impact assessment, privacy enhancing computation