Font Size: a A A

Research On Civil Obligation Of Personal Information Security Protection

Posted on:2022-01-18Degree:DoctorType:Dissertation
Country:ChinaCandidate:Z Z GaoFull Text:PDF
GTID:1526307037470644Subject:Civil and Commercial Law
Abstract/Summary:
With the rapid development of big data technology,the security risks caused by personal information processing have new characteristics and raised to a new level,which has also attracted more and more attention from the society.In response to the development of science and technology in the era of big data,the law needs to respond to social concerns and provide institutional support to protect the rights and interests of personal information subjects and promote the development of digital technology and digital economy.In this context,it is necessary and urgent to examine the shortcomings of the existing legal system,construct a new personal information security theory and promote the improvement of the civil legal system of personal information security.Clearly defining the connotation and extension of personal information security is one of the most basic problems in the construction of personal information protection system.There are essential differences between "personal information security" from the perspective of civil law and "information security" oriented by traditional technology,which are reflected in various aspects,such as context source,protection object,value goal,protection means and so on.Although information security contains the elements of personal information,the implementation of the requirements of public law on information security will undoubtedly help to maintain the controllable state of personal information.However,information security focuses on national interests and social public welfare,which does not completely overlap with the private interest value embodied in personal information.It is inappropriate to define personal information security by information security(data security or network security)and define personal information security as the lower concept of information security,which is not conducive to the protection of the civil rights and interests of personal information subjects.Personal data security from the perspective of civil law is a presumption of factual state based on the fact that the personal information subject has not been damaged by personal and property rights and interests due to information processing,on the premise of the dual value balance of protecting the rights and interests of the information subject and promoting the development of digital economy,aiming at building the trust relationship between the personal information subject and the personal information controller.Personal information security is not that personal information itself is in a static and controllable state,but emphasizes that the security and stability of civil basic rights will not be damaged by personal information processing behavior.Article 111 and paragraph 2 of article 1038 of the civil code specify that personal information is protected by law,and the information processor shall ensure the security of personal information.However,this provision can not constitute a complete basis for the right of claim.Even if we seek institutional support from the perspective of system interpretation,contract law and tort law can not effectively respond to the practical needs of ensuring personal information security.Therefore,it is urgent and necessary to construct the obligation of personal information security protection from the system.Comparing the theory of risk responsibility and the theory of communication security obligation,the background of personal information security protection obligation is more consistent with the "risk responsibility theory".The construction of personal information security protection obligation based on risk responsibility theory should include the following elements: first,the subject of personal information security protection obligation is the personal information processor in the business field.Second,the object of personal information security protection obligation is complex,including not only private information belonging to the category of privacy,but also personal rights,property rights and economic interests related to personal information.Third,the obligation of personal information security protection belongs to the result obligation responsible for the damage result.As long as an event endangering personal information security occurs and causes damage to the obligee,the obligor needs to bear responsibility.The purpose of constructing the obligation of personal information security protection is not to sanction the obligor,but also to prevent relevant risks,and pay more attention to the reasonable distribution of unfortunate damage.With the development of digital technology,the ability of personal information controllers to deal with personal information has increased rapidly,which also greatly increases the risk of damage to the subject of personal information.Because such risks are inevitable,the personal information controller should fulfill the security protection obligation of personal information,apply the risk responsibility theory,so as to reasonably allocate risks and realize social justice.Based on the above premise,the composition of tort liability of personal information security protection obligation includes the following contents: first,the damage concerned by personal information security protection obligation is not the personal information itself,but the loss of personality,property and other rights and interests of natural persons associated with personal information.On the one hand,article 1037 of the civil code belongs to the referral law,and its application depends on the explicit provisions of other laws based on specific situations,which does not give the subject of personal information the universal right to decide personal information.At the same time,the disclosure or expanded dissemination of general personal information does not involve personal privacy,and the act itself is difficult to directly constitute damage in tort law.From the perspectives of "closeness between information and personal rights","law of social communication" and "cost comparison of legal protection path",the tampering and damage of general personal information should not be regarded as damage in tort law.On the other hand,the specific situations in which personal information is processed to cause damage include three categories.They are "infringement of property rights due to personal information disclosure","infringement of personal rights due to personal information disclosure" and "loss of economic interests due to personal information disclosure".Second,based on the connotation characteristics that personal information security protection obligation belongs to result obligation,the tort liability of personal information security protection obligation applies the principle of "no fault liability".Based on the principles of "consistent income and risk","risk control","saving total social cost","corporate social responsibility" and "substantive equality",that is,in the field of information control of personal information controller,personal information leakage event leads to personal and property rights and interests loss of personal information subject,regardless of whether the personal information controller is at fault or not,It does not affect the composition of tort liability.Third,in the judgment of causality,the composition of tort liability of personal information security protection obligation does not apply to considerable causality.Personal information security protection obligation is a risk sharing rule established to balance the power imbalance between personal information subject and personal information controller.From the value choice of protecting the rights and interests of the subject of personal information,establishing trust relationship,promoting information circulation and promoting the development of digital economy,the intervention of the direct cause of the direct infringer should not be the reason to block the causal relationship between the personal information controller and the occurrence of damage.Moreover,in terms of the burden of proof of causality,in order to balance the power imbalance between the information controller and the personal information subject and protect the rights and interests of the personal information subject,the fact presumption mode of inversion of the burden of proof should be adopted.The personal information subject only needs to prove that the personal information associated with the damage is controlled by the personal information controller and that the disclosure has indeed occurred,that is,the personal information controller shall prove that the personal information is not leaked from the personal information controller,otherwise it shall bear the adverse consequences of failure to provide evidence.Fourth,the personal information security protection obligation does not emphasize the process and measures of risk prevention and avoidance,but requires the controller to be responsible for the relevant damage results.Personal information processing behavior objectively accumulates personal information in space and time,and increases the risk that personal information is illegally used and infringes on the rights and interests of personal information subjects.Therefore,the attribution(evaluation)of personal information security protection obligation is the relevant risk brought by personal information processing itself,not whether the information security technical measures have been implemented.Where the rights and interests of the personal information subject are damaged due to personal information processing,the personal information subject may claim tort damages.Fifthly,article 1036 of China’s Civil Code stipulates three exemptions for dealing with personal information.However,these three items are not standard deterministic provisions,and their judicial application needs to be judged and explained on "reasonable implementation" and "reasonable treatment".As far as the obligation of personal information security protection is concerned,the consent of the personal information subject to the personal information controller to process personal information does not of course exempt the obligation of security protection of personal information.Whether the personal information controller needs to perform the security obligation for the collected and summarized personal information disclosed by natural persons and legally disclosed personal information should not be generalized.Among them,the further disclosure of personal negative information should ensure the data quality and timeliness through data filtering and cross inspection,so as to avoid infringing on the reputation,privacy and other personal rights and interests of the subject of personal information;If the personal information controller expands the scope of information disclosure or integrates the public information,it objectively exceeds the meaning scope of the personal information subject to disclose the information by itself,and shall not be exempted on the ground that the relevant information is public information.Based on the balance of interests between different stakeholders,in order to safeguard the public interests or the legitimate interests of natural persons,the disclosure of personal information by the personal information controller shall be included in the scope of exemption from the obligation of personal information security protection,so as to better encourage the personal information controller to actively protect the public interests and the legitimate rights and interests of natural persons that may be damaged immediately,Avoid ignoring the public interests and the legitimate rights and interests of natural persons on the grounds of fulfilling the obligation of personal information security protection.The determination of the damage compensation scope of personal information security protection obligation is directly related to the realization of the legal effect of personal information security protection obligation.The current academic debate on the calculation rules of personal information security liability damage amount is mainly about how to calculate the damage amount of "out of control of personal information itself".However,in order to balance the rights and interests of victims,protect and protect the freedom of behavior of legal subjects,tort law does not include all natural damages into the scope of relief.From the perspective of value balance and social cost,"personal information out of control" should not be included in the scope of civil damage compensation.The damage scope of personal information security liability shall be limited to the objective losses caused by personal information processing,including the loss of property rights,personal rights and the loss of economic interests caused by personal information out of control.The measurement and calculation of the above scope of loss should adopt the principle of complete compensation,that is,the "difference theory".The principle of full compensation adopts the "all have nothing" mode of damage compensation,that is,if the tort liability is established,all losses will be compensated,and if the tort liability is not established,no compensation will be made.The "all or nothing" model may cause substantial injustice in individual cases.Therefore,the reduction and exemption system of damage compensation came into being.Specific relief norms such as "profit and loss offset","negligence","self willing risk","livelihood discretionary reduction" and "maximum compensation" are worth discussing in the field of personal information security responsibility.First,different from the traditional view that the insurance benefits should not be offset against the damage,the personal information security insurance benefits should be deducted from the compensation amount of the personal information controller;Second,the personal information subject actively discloses relevant personal information on the network platform,and the personal information subject fails to properly keep its sensitive information,which constitutes a "voluntary risk-taking" behavior,and the personal information controller may be exempted from the security responsibility;Third,if the personal information subject is "at fault" for the occurrence of personal information security events,the scope of reducing liability shall be determined according to the cause of the personal information subject and at fault for the damage results.If the personal information subject has a small fault,the scope of liability for damage shall not be reduced;Fourth,based on the universal application of commercial insurance system and the institutional goal of personal information security protection obligation to maximize the protection of the rights and interests of personal information subjects and construct the trust relationship between personal information subjects and personal information controllers,discretionary clauses and limited compensation should not be used in the field of personal information security protection obligation.Personal information security liability often involves multiple tort subjects.Between the direct infringer and the personal information controller(indirect infringer),if the personal information controller violates the obligation of personal information security protection,the tort liability compensation shall apply the "supplementary liability" sharing rule.That is,the relevant damages shall be borne by the direct infringer first.When the direct infringer cannot or cannot find the compensation,the personal information security protection obligor shall make supplementary compensation.When multiple personal information controllers are involved,multiple personal information controllers increase the risk that the personal and property rights and interests of the personal information subject are infringed.The information processing behavior of each personal information controller constitutes common risk responsibility,and each actor should bear continuous responsibility for the victim.At the same time,it should be clear that the personal information controller can be exempted from his liability only when he can prove the specific infringer.If he can only prove that the direct infringer does not obtain information from himself,he can not be exempted.Several persons responsible for personal information security shall equally share the relevant compensation share.In response to the development of science and technology in the era of big data,the flow and sharing of personal information can bring a wide range of social benefits,which is mainly reflected in the aggregation of personal data,which can optimize machine learning algorithms,improve the corresponding technical level and service quality,and promote social and economic development.However,at the same time,the technological development in the era of big data will also bring new social risks to personal information security,with strong negative externalities.Therefore,the protection of personal information security should be incorporated into the new constitutional mission under the framework of the state to ensure people’s security.It is reasonable and legitimate for public law to intervene in the security protection of personal information.Specifically,big data applications are "monopolized" by data processors,objectively forming the expansion of "data power",resulting in the regulation and protection of personal information security by private law,facing the obstacles of system failure,and the private law rights and interests associated with personal information are threatened,which requires the intervention of public law;The value and function of personal information have expanded from the private domain to the public domain.The security of personal information will be directly related to national security,political security and social public interests because of the aggregation of information,and the disorderly flow of personal information also poses a threat to the above-mentioned public welfare,which needs the intervention of public law;Data has changed the basis of power.In the process of digital transformation,government departments also need to regulate the behavior boundary of government processing personal information through public law.At the same time,the openness of civil law also provides legal and technical space for public law to intervene in the security protection of personal information.The provisions on "rights" such as "query","correction","copy" and "deletion" in the civil code provide the way for civil law to connect public law.To construct an institutional system of public law and private law to protect personal information security,we need to clarify their focus on functional orientation,adjustment object and normative content.Among them,private law mainly plays the function of damage filling,while public law mainly plays the function of risk prevention;The adjustment object of private law focuses on private rights and interests,while the adjustment object of public law focuses on public interests;Private law should be positioned as judicial law,while public law should be positioned as behavior regulation law.Based on the above distinction,in order to achieve the goal of supplementing and strengthening the protection of private rights of personal information,on the one hand,public law should carry out specific system design in limiting the arbitrary public power and clarifying the negative obligations of the government to ensure the security of personal information.On the other hand,public law,especially administrative law,needs to effectively regulate "data rights" and implement the government’s positive obligation to ensure personal information security by clarifying the organizational requirements of administrative regulators,clarifying the code of conduct and organizational structure of information processors,and giving instrumental rights to personal information subjects.In order to achieve the goal of personal information security,we need to make efforts in two aspects from the perspective of the operation of public law system and private law system.First,build a personal information security public interest litigation system that "endows the people’s Procuratorate with the subject qualification of the plaintiff","defines the principle of punitive compensation" and "adopts the dual regulation parallel mode of administrative public interest litigation and civil public interest litigation",so as to further strengthen the protection of private law and make up for the limitations of public law.The second is to comprehensively apply the liability for damages under the framework of civil law and consumer law,the administrative law liability and even criminal liability for violating the compliance requirements of personal information processing under the framework of administrative law and criminal law,so as to realize the coordination of various legal liability systems.To sum up,the construction of personal information security system should take "security" and "development" values as the basis for weighing and leading,give consideration to security(order)and development(freedom)in legislation,and promote development on the premise of ensuring security,so as to form an "inclusive" development oriented legal system.On the specific path,we need to promote the completion of the institutional goal of personal information security through the interaction and cooperation between national coercion and people’s autonomy.
Keywords/Search Tags:Personal information security, Personal information security protection obligations, Liability to Hazard, Cooperation between public law and private law
Related items