论数据平台组织结构作为个人信息保护合规的工具

Data Platform Organizational Structure as an Instrument to Personal Information Protection Compliance

面对数据平台的认知优势,立法者通过重塑其组织结构,推动个人信息保护合规的内生化建构。外部行为规范给企业造成的负担是点状的,内部组织规范则是对企业理性的结构性重塑,意味着国家能够对企业产生持久深远的影响,现有理论欠缺足够的解释力。经典的比例原则建立在经验性预测基础之上,组织调控的复杂性和不稳定性导致比例原则的限制功能降低,应当利用一致性要求弥补被削弱的内容审查。立法者在风险进路基础之上对数据平台提出的组织结构要求不仅需要维护企业自身理性,还必须确保个人信息保护合规的有效性。与直接规制数据平台外部行为相比,通过规制其组织结构实现个人信息保护对立法者提出了更高要求。

The processor of personal information is the primary party responsible for personal information protection.In order to contribute to the implementation of this primary responsibility,the Personal Information Protection Law stipulates that data platforms shall appoint personal information protection officers,establish personal information protection compliance systems according to state regulations,and establish an independent body composed mainly of outside members to supervise personal information protection circumstances.The intervention of the state in the organizational structure of data platforms promotes the formation of a new regulatory model for personal information protection compliance,which has important research value in analyzing the theoretical basis and intervention limits of this regulatory model.The research first adopts normative analysis methods to categorize the reshaping of the organizational structure of data platform by the state,and then explores in an innovative manner the limits and logic of the organizational obligations by using the principles of proportionality and consistency derived from the empirical research results.Due to the fact that external behavioral norms cannot guarantee the utilisation,on the part of data platforms,of their cognitive advantages to achieve risk management in personal information protection,the state puts into practice the organizational norms to develop the internalization of corporate compliance with personal information protection.In the process of continuous intervention in the autonomy of data platform operations,private intervention obligations lack explanatory capacity as a consequence of the focus on the relationship of responsibility.This is mainly influenced by the fact that traditional state intervention is substantial and specific,while the reshaping of corporate rational structures by legislators is realised by impacting the decision-making process of enterprises in order to change their future decision-making logics.The classical principle of proportionality is developed on empirical predictions.By examining the shaping of the organizational structure of data platforms by legislators with the assistance of this traditional fundamental rights protection mechanism,it can be observed that it lacks the delicate regulatory power that once existed when state intervention was direct.In terms of legitimate purposes,the goals listed by legislators are very abstract.Since it is not yet clear how organizational norms work and to what extent they truly deliver public interest,it is difficult to measure in an accurate way the utility of intervention measures in promoting legitimate purposes.In order to better examine the obstructive effects caused by the state's reshaping of corporate rational structures,content examination should start from the objective dimension of fundamental rights and strengthen it with the requirement of consistency.This means that the organizational structure requirements proposed by the state for data platforms on the basis of risk pathways must not only undermine the cognitive potential of enterprises,thereby hindering their own logic,but also ensure that the actions of enterprise organizations are guided by personal information protection.According to the requirement of consistency,it is advisable that lawmakers make supplementary provisions on the organizational obligations that data platforms should undertake in the Personal Information Protection Law.The transformation of the risk regulatory model presents challenges to the review tools of traditional administrative law,and contemporary administrative law should conduct more in-depth and all-inclusive research on the institutional arrangements for coordinating different participants with different behavioral logics.After all,compared with directly regulating external behaviors of enterprises,realizing the public interest by regulating their internal organizational structures places higher demands on legislators.