个人信息侵权的理论反思与规范构建

Theoretical Reflection and Normative Construction of Personal Information Infringement

个人信息侵权规则体系对于发挥私法在个人信息利益保护中的作用、确保法律规范的准确适用具有重要意义。“可识别规则”将可能识别个人身份的信息均纳入规制范围,体现了公法对信息处理全过程的关注,与公法全面保障信息安全、经济安全和国家安全的功能相匹配。但私法对“可识别规则”的借鉴则造成了保护的信息范围过广,与私法关注个人信息人格利益的定位不符。故而需要对侵权责任法保护的个人信息范围进行限缩,在具体侵权样态中进行具体化判定。个人信息侵害造成的实际损害并不明确,差额说在适用上存在一定的障碍,而风险损害说则面临风险不确定与风险多样等问题,亦难被采纳。较为妥适的办法是采取规范损害说,将个人信息侵权损害认定为法律保护的利益状态之变化以及给个人造成的精神损害两方面。而在归责原则方面,应当将《个人信息保护法》第69条确立的过错推定原则的适用范围限制在采用自动化处理技术的场合,对于普通公民之间的个人信息侵权则应回归一般过错原则。

The system of personal information infringement rules is of great significance for giving play to the role of private law in the protection of personal information interests and ensuring the accurate application of legal norms.The“rules of identifiability”include all information that may identify personal identity into the scope of regulation,which reflects the public law’s concern for the whole process of information processing,and matches the public law’s function of comprehensively ensuring information security,economic security and national security.However,the reference of“identifiable rules”by private law has resulted in the wide range of information to be protected,which is inconsistent with the orientation that private law pays attention to personal information personality interests.Therefore,it is necessary to limit the personal information protected by the tort liability law and make specific judgments in specific tort patterns.The actual damage caused by personal information infringement is not clear.The difference theory has certain obstacles in application,while the risk damage theory is also difficult to be adopted due to the uncertainty of risk and the certainty of infringement damage.The more appropriate way is to adopt the theory of normative damage,which identifies the personal information infringement damage as the change of the interest state protected by law and the spiritual damage caused to individuals.As for the principle of liability fixation,the application scope of the principle of fault presumption established in Article 69 of the Personal Information Protection Law should be limited to the occasions where automatic processing technology is used,and the personal information infringement between ordinary citizens should return to the general fault liability.