个人信息保护影响评估:制度内涵与完善路径

Personal Information Protection Impact Assessment:Institutional Connotation and Improvement Path

《个人信息保护法》第55条明确提出了个人信息处理者在开展个人信息处理活动前进行个人信息保护影响评估的要求。国际上在个人信息处理领域存在隐私影响评估、数据保护影响评估、算法影响评估三种典型样态。隐私影响评估与数据保护影响评估的保护范围大致相同;数据保护影响评估主要关注个人权利的保护,算法影响评估具有更广泛的社会公共利益价值导向。我国个人信息保护影响评估在制度定位上与数据保护影响评估一脉相承,应更多纳入对社会群体造成影响的公共利益方面的考量。个人信息保护影响评估制度缺乏向公众强制披露的机制,同时带来了监督与问责的障碍,需要充分整合政府机构、社会公众、行业组织等多元力量建立协同监督的客观机制,以弥补现有个人信息保护影响评估制度透明度、正当程序、公众审查空间不足的问题。

Article 55 of the Personal Information Protection Law clearly stipulates personal information protection impact assessment by personal information processors before personal information processing activities.There are three typical modes in the international field of personal information processing:privacy impact assessment,data protection impact assessment,and algorithmic impact assessment.Privacy impact assessment and data protection impact assessment roughly cover the same protection scope;data protection impact assessment mainly focuses on the protection of individual rights,and algorithmic impact assessment is more broadly oriented towards social and public interest values.China’s impact assessment of personal information protection is in the same line with data protection impact assessment in terms of institutional positioning,and should include more considerations of public interest that influences social communities.The system of personal information protection impact assessment lacks the mechanism of mandatory disclosure to the public,which brings supervision and accountability obstacles.Full integration of government agencies,the public,industry representatives,and external experts is required to establish a plural and objective mechanism of collaborative supervision,so as to complement the deficiencies in the transparency,due procedures,and public review space of the existing personal information protection impact assessment system.