Legitimate Interests Exemption for Personal Data Processing in the Big Data Era
  • Author: Xie Lin (谢琳)
  • Keywords: Big Data Era; Personal Data Protection; Legal Basis; Notice and Consent Mechanism; Legitimate Interests Exemption
  • Journal code: ZFLT
  • Journal: Tribune of Political Science and Law (政法论坛)
  • Institution: School of Law, Sun Yat-sen University
  • Publication date: 2019-01-11
  • Publisher: Tribune of Political Science and Law (政法论坛)
  • Year: 2019
  • Issue: v.37; No.205
  • Funding: Interim result of the National Social Science Fund of China Youth Project "Research on the 'Scenario-Based Risk Regulation' Model for Personal Information Protection in the Big Data Era" (17CFX069)
  • Language: Chinese
  • Page: ZFLT201901006
  • Number of pages: 11
  • CN: 01
  • ISSN: 11-5608/D
  • Classification number: 77-87
Abstract
In the big data era, the notice and consent mechanism can no longer cope effectively with the diversity and complexity of the big data ecosystem. The legitimate interests exemption, which does not require the consent of the data subject, can serve as another important legal basis for the use of information in big data and give the big data industry flexible room to develop. China may introduce a legitimate interests exemption into its legislation on personal information protection. When doing so, legitimate interests should be defined broadly: any interest in use that is not unlawful is a legitimate interest. However, the data controller must carry out a balancing test and show that the legitimate interests in using the data override the personal interests of the data subject before the exemption can apply. The balancing test can be conducted case by case and should follow the principles of necessity, purpose limitation and proportionality. In addition, data controllers should document the balancing test throughout, so that it is open to oversight by data subjects, government data protection authorities and courts.
References
[1] Paolo Balboni, et al., Legitimate Interest of the Data Controller New Data Protection Paradigm: Legitimacy Grounded on Appropriate Protection, International Data Privacy Law, vol. 3, no. 4 (2013).
    [2] Daniel J. Solove, Privacy Self-Management and the Consent Dilemma, 126 Harv. L. Rev. 1880 (2013).
    [3] Viktor Mayer-Schönberger & Yann Padova, Regime Change? Enabling Big Data through Europe's New Data Protection Regulation, 17 Colum. Sci. & Tech. L. Rev. 315 (2016).
    [4] UK Information Commissioner's Office, Big Data, Artificial Intelligence, Machine Learning and Data Protection (2017).
    [5] Fan Wei, "Reconstructing the Path of Personal Information Protection in the Big Data Era", Global Law Review (《环球法律评论》), 2016, no. 5.
    [6] Xie Lin & Li Xuting, "Justifying Property Rights in Personal Information", Electronics Intellectual Property (《电子知识产权》), 2018, no. 6.
    [7] Article 29 Data Protection Working Party, Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, WP217 (2014).
    [8] Federico Ferretti, Data Protection and the Legitimate Interest of Data Controllers: Much Ado about Nothing or the Winter of Rights?, Common Market Law Review, vol. 51, no. 4 (2014).
    [9] Irene Kamara & Paul De Hert, Understanding the Balancing Act behind the Legitimate Interest of the Controller Ground. In Evan Selinger, Jules Polonetsky & Omer Tene (eds.), The Cambridge Handbook of Consumer Privacy, Cambridge: Cambridge University Press (2018).
    [10] Christopher B. Kuner, Proportionality in European Data Protection Law and Its Importance for Data Processing by Companies, Privacy & Security Law Report, vol. 7, no. 44 (2008).
    [11] Frederik J. Zuiderveen Borgesius, Personal Data Processing for Behavioural Targeting: Which Legal Basis?, International Data Privacy Law, vol. 5, no. 3 (2015).
    [12] Zhou Hanhua, "Exploring an Incentive-Compatible Approach to Personal Data Governance: The Legislative Direction of China's Personal Information Protection Law", Chinese Journal of Law (《法学研究》), 2018, no. 2.
    [13] Long Weiqiu, "A Study of the Construction of New Data Property Rights and Their System", Tribune of Political Science and Law (《政法论坛》), 2017, no. 4.
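    (1) Article 6(1)(f) of the EU General Data Protection Regulation (REGULATION (EU) OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the processing of personal data and on the free movement of such data, "General Data Protection Regulation" for short). As early as 1995, the EU Data Protection Directive already provided for the legitimate interests exemption.
    (1) In its opinion on the consent mechanism, the EU Article 29 Working Party noted that the consent mechanism had been abused and should be interpreted narrowly. Article 29 Data Protection Working Party, Opinion 15/2011 on the definition of consent, WP 187 (2011).
    (2) In the second half of 2017, four agencies including the Office of the Central Cyberspace Affairs Commission jointly reviewed the privacy policies of ten online products and services, including WeChat and Taobao, focusing on whether users were clearly told that personal information was collected and how it was collected and used. In the Alipay annual statement incident of January 2018, Alipay and Sesame Credit were summoned by the Cyberspace Administration and ordered to rectify because their notice of the transfer of user information was not sufficiently clear and explicit and users had not been given the choice to consent.
    (3) Building on the Cybersecurity Law, the Personal Information Security Specification gives examples of opt-in consent and requires an affirmative act of choice by the data subject. To break out of the predicament of blanket authorisation, it recommends distinguishing core functions from additional functions and requires a second authorisation for the use of additional functions.
    (4) According to law-and-economics principles, where the public interest or similar needs so require, a property rule that requires the right holder's consent can be converted into a liability rule under which use is permitted on payment of compensation. See Ding Li & Han Guangming, "Status Quo or Bottom Line? Compensation and the Application of Rules in Expropriation and Demolition", Tribune of Political Science and Law (《政法论坛》), 2012, no. 3.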
    (1) The Federation of European Direct and Interactive Marketing, Data Industry Platform, Proposal for a balanced approach on consent, Position Paper (20 Dec. 2011); Industry coalition for data protection, Paper on Proposals for a new EU legal framework on data protection, available at: www.bsa.org/~/media/Files/Policy/Security/DataBreach/eudataprotect.ashx, accessed Oct. 31, 2018.
    (2) Audiencia Nacional, 11 April 2012 (JUR/2012/148319), quoted from Paolo Balboni, et al., Legitimate Interest of the Data Controller New Data Protection Paradigm: Legitimacy Grounded on Appropriate Protection, International Data Privacy Law, vol. 3, no. 4 (2013), p. 251.
    (3) Volker und Markus Schecke and Eifert (C-92/09 and C-93/09, EU:C:2010:662, para. 77).
    (4) Ryneš (C-212/13, EU:C:2014:2428, para. 34).
    (5) Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v. Rīgas pašvaldības SIA Rīgas satiksme (Case C-13/16, ECLI:EU:C:2017:336).
    (1) Garante per la Protezione dei Dati Personali (Italian Data Protection Authority), Balancing of interests: data collection by CRAs without consent (Rome, 16 Nov. 2004).
    (2) Information Commissioner Office, Credit agreements - Data sharing (6 Nov. 2006).
    (3) ASNEF and FECEMD v. Administración del Estado (Joined cases C-468 & 469/10, ECLI:EU:C:2010:638).
    (4) Article 29 Working Party, Letter from the Article 29 Working Party to Google in Relation to Its New Privacy Policy (Brussels, 16 Oct. 2012).
    (5) Report of the Düsseldorfer Kreis, Whistleblowing-Hotlines: Internal Warning Systems and Employee Data Protection, p. 3, quoted from Paolo Balboni, et al., Legitimate Interest of the Data Controller New Data Protection Paradigm: Legitimacy Grounded on Appropriate Protection, International Data Privacy Law, vol. 3, no. 4 (2013), p. 252.
    (6) ASNEF and FECEMD v. Administración del Estado (Joined cases C-468 & 469/10, ECLI:EU:C:2010:638).
    (7) Breyer (Case C-582/14, ECLI:EU:C:2016:779).
    (8) European Parliament, Committee on Civil Liberties, Justice and Home Affairs, Rapporteur Albrecht, Draft Report on the proposal for a regulation of the European Parliament and the Council on the protection of individual with regard to processing of personal data and on the free movement of such data (General Data Protection Regulation), COM(2012)0011-C7-0025/2012-2012/011(COD), (Strasbourg, 17 Dec. 2012).
    (9) International Chambers of Commerce, ICC Position on Legitimate Interests, ETD/STM, 28 Oct. 2015, available at: http://www.iccgermany.de/fileadmin/user_upload/Content/Digitale_Wirtschaft/373-537legitimateint11-2015.pdf, accessed Oct. 25, 2018.
    (1) European Data Protection Supervisor, Additional EDPS Comments on the Data Protection Reform Package (Brussels, 15 Mar. 2013).
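    (2) Article 29 Data Protection Working Party, Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, WP217 (2014), p. 25. The UK ICO's Guide to the General Data Protection Regulation instead breaks the legitimate interests assessment down into: (1) identifying the legitimate interest; (2) showing that the data use is necessary; (3) balancing against the individual's interests, rights and freedoms. This article adopts the test steps recommended by the EU Article 29 Working Party. What follows summarises and analyses the Working Party's opinion.
    (3) Article 1 of the Interpretation of the Supreme People's Court and the Supreme People's Procuratorate on Several Issues Concerning the Application of Law in Handling Criminal Cases of Infringing on Citizens' Personal Information, issued in China on 9 May 2017, also specifically brings a person's movements and whereabouts within the scope of protection, with the aim of preventing crimes such as kidnapping.
    (4) The Article 29 Working Party uses the term "provisional balance". Since what is being assessed is whether a balance has already been reached on the basis of compliance with general obligations, this article uses the term "balance on general obligations".
    (1) Breyer (Case C-582/14, ECLI:EU:C:2016:779).
    (2) Article 5(1)(b) of the EU General Data Protection Regulation.
    (3) Recital 50 of the EU General Data Protection Regulation.
    (4) Copland v. United Kingdom, App No. 62617/00 (ECHR 3 April 2007), para. 42.
    (1) UK Information Commissioner's Office, ICO Guide to the General Data Protection Regulation (GDPR), available at: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/, accessed May 14, 2018.
    (2) Big-data price discrimination against existing customers ("杀熟") has now become a hot topic.
    (3) European Commission, Special Eurobarometer 359: Attitudes on Data Protection and Electronic Identity in the European Union (2011), available at: http://ec.europa.eu/public_opinion/archives/ebs/ebs_359_en.pdf, accessed Oct. 31, 2018, p. 146.
    (1) European Data Protection Supervisor, Meeting the Challenges of Big Data, Opinion 7/2015. EDPS, 19 Nov. 2015, available at: https://edps.europa.eu/sites/edp/files/publication/15-11-19_big_data_en.pdf, accessed Oct. 31, 2018.
    (1) Article 29 Working Party, Letter from the Article 29 Working Party to Google in Relation to Its New Privacy Policy (Brussels, 16 Oct. 2012).
    (2) On regulatory models for data controllers, see Xie Lin, "A Study of the Personal Data Protection Responsibilities of Data Processors in Hong Kong", 《当代港澳研究》 (Contemporary Hong Kong and Macao Studies), 2013, no. 3.
    (3) Soering v. United Kingdom, 11 ECtHR (ser. A) at § 89 (1989).
    (1) Dr. Hong Yanqing, a drafter of the Personal Information Security Specification, has also pointed out that because the Specification could only be drafted within the framework of the Cybersecurity Law, exceptions can only be enumerated and cannot substitute for the flexibility afforded by legitimate interests. See "The Most Expert Reading Yet of the Personal Information Security Specification", source: Southern Metropolis Daily, 2018-02-06, http://toutiao.3g.oeeee.com/mp/toutiao/BAAFRD00002018020566911.html, last accessed 2018-03-13.
    (2) Google Spain SL and Google Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González (Case C-131/12, EU:C:2014:317).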
