个人数据匿名化法律标准明晰——以《网络安全法》第42条为中心

The Clarity of Personal Data Anonymization Legal Standard:Centered on the Section 42 of Cybersecurity Law

《网络安全法》第42条但书条款构成了我国个人数据匿名化规则,该条款将用户同意与数据匿名化确立为数据流通的主要规则。明晰数据匿名化规则与法律标准是理解与适用该条款之前提,亦是促进当前数据产业发展之关键。在比较法上,欧盟更注重数据匿名技术本身,并将匿名化标准提高至数据公开的标准,而美国个人信息去身份标准更强调通过风险评估的方式对标识符的识别性进行判断,构成了两套风格迥异的标准路径。我国数据匿名化法律标准的构建应基于“无法识别个人身份”之前提,以标识符类型化为基础,并以隐私风险评估作为例外,协调匿名化规则与其他规则之衔接。

proviso clause in the section 42 of Cybersecurity Law, is constructing the personal data anonymization rule and establishing the user consent and data anonymization as the main rule of data flow. Clarifying the rule and legal standard of data anonymization is the premise of understanding and application of this clause, which is also the key to promote the development of the current data industry. In terms of comparative law, the EU pay more attention to data anonymous technology itself and increase data anonymization standard to open data standards , however, the American’s standard of de-identification of personal information emphasize to judge the re-identification through the risk assessment approach. These two methods constitute the two standards of different styles. The construction of data anonymous legal standard in our country should process the premise of “unable to identify individual identity” and be based on identifier categorization. Meanwhile ,privacy risk assessment is also cited as an exception and coordinate the anonymous rule with other data rules.