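Exploring an Incentive-Compatible Approach to Personal Data Governance: The Legislative Direction of China's Personal Information Protection Law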
Exploring An Incentive-compatible Personal Information Protection Regime
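Journal: 《法学研究》 (Faxue Yanjiu)
Year:
Author: Zhou Hanhua (周汉华)
Affiliation: Institute of Law, Chinese Academy of Social Sciences
Chinese keywords: incentive compatibility; Personal Information Protection Law; right of control over personal information; information security risk; the age of big data
English keywords: incentive compatible; Law on the Protection of Personal Data; right of control over personal information; information security; the age of big data
Chinese abstract: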
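In the age of big data, information controllers have strong incentives to use personal information but lack incentives of the same degree to protect it. If legal rules simply impose various prohibitive or mandatory provisions, their effective implementation will inevitably be impaired by incentive incompatibility. Despite their different legislative models, both the EU and the United States have in recent years been exploring the establishment of incentive-compatible systems of personal data governance. China's current legislation relating to personal information protection suffers from problems such as the disconnect between legal requirements and information controllers' internal governance mechanisms, the disconnect between criminal sanctions and other legal means, and the disconnect between liability norms and conduct norms. The Personal Information Protection Law should take fostering information controllers' internal governance mechanisms as its goal and building effective external enforcement deterrence as its safeguard, prompting information controllers to actively fulfill their legal responsibilities and sanctioning unlawful conduct. The Personal Information Protection Law should affirm the information subject's right of control over personal information in public law; it cannot and should not avoid the discourse of fundamental rights. Implementation of the Personal Information Protection Law needs to start from the perspective of information security risk management and proceed from the easy to the difficult, step by step, so as to bring the incentive-compatible mechanism into being.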
English abstract:
In the age of big data, data controllers have a very strong incentive to use personal information but lack the same incentive to protect it. Therefore, legal rules will not be implemented effectively, due to incentive incompatibility, if they only impose various prohibitive or compulsory obligations on the data controller. Though the EU and the U.S. have adopted different approaches to personal information legislation, among other differences, both of them have been pursuing the establishment of an incentive-compatible personal information protection regime, especially in the last several years along with the coming of the age of big data. However, this trend of development has been ignored by most Chinese experts. The current legislation on personal information protection in China has such problems as separation between external legal requirements and data controllers' internal governance structure, disconnection between penal sanctions and other legal remedies, and divorce of behavior obligations from legal consequences. The Personal Information Protection Law should take the fostering of data controllers' internal governance structure as its objective and the establishment of an effective external deterrence mechanism of law enforcement as its safeguard, so as to encourage proactive implementation of responsibility for data security and punish violations of the law. Meanwhile, the Law should recognize the right of the data subject to control his/her own information in public law, and should not avoid the discourse of fundamental rights. To realize incentive compatibility, China must ensure that the implementation of the Personal Information Protection Law is consistent with the law-making process, proceed from the risk management of information security, and take an incremental, step-by-step approach to the implementation of the law.