為因應物聯網時代資料生成與傳輸速度的增加，歐盟在資料保護法制作出許多相應的變 革。其中，為求促進單一數位市場的推動與企業法規遵循的簡化，歐盟執委會於2012年1月所 提出的「一般資料保護規則」(General Data Protection Regulation，以下或簡稱「GDPR」)草 案，企圖整合個人資料保護指令(Directive 95/46/EC)、e-privacy指令(Directive 2002/58/EC)與 歐盟Cookie指令(Directive 2009/136/EC)，並終於在4年後於2016年4月通過。其中，本文特別 對於與物聯網時代資料保護有關的重點法律設計，諸如同意條件的補強與特種個資範圍的調 整，被遺忘權、資料可攜的權利、於設計階段納入隱私考量、與特徵分析等，作比較詳細的 說明。文末，並對照我國新修正的個人資料保護法研析，希冀提供作為我國未來資料保護法 制持續向前邁進之參考。

To cope with the increase both in terms of speed of volume of data in the age of internet of things (IoT), European Union (EU) has made a number of corresponding reforms. Among these attempts, European Commission submitted the proposal of General Data Protection Regulation in January, 2012, in the hope to facilitate the further formation of single digital market and to ease the compliance burden of enterprises. And this draft was finally passed in April, 2016. In this article, special legal design related to the data protection in the age of IoT would be introduced, including the adjustment of the condition of the consent, the scope of sensitive data, the set-up of right to be forgotten, privacy by design, as well as prohibition of profiling Last not but least, some comparison is made between the GDPR and the revised Act on Protection of Personal Data in Taiwan, in the hope of providing some reference for future evolvement of data protection jurisprudence.