个人信息流通利用的制度基础——以信息识别性为视角

《个人信息保护法》以信息主体同意为基础,构筑了个人控制的个人信息直接利用制度,但其是否为流通利用提供了通道仍存疑问。信息因其识别性能的差异,可区分为直接标识符、间接标识符和准标识符,三者给个人权益带来的危害风险不同。《个人信息保护法》规定的匿名化和去标识化本质上是针对特定数据集中信息识别风险的制度安排,能消除因信息本身识别性产生的风险,而很难消除基于识别分析的识别性产生的风险。因此,缺失针对“基于识别分析的识别性产生的风险”的措施,现行关于匿名化和去标识化的规范均不能支撑个人信息流通利用。去标识化需要改造成为“去直接标识符+识别控制”的受控去标识化制度,在防控个人信息识别风险的前提下,为个人信息流通利用提供制度保障,以最大化实现个人信息的社会价值。

Institution Foundation of Personal Information Sharing-From the Perspective of Information Identifiability

The Personal Information Protection Law(PIPL) establishes a system of direct utilization of personal information under the control of individuals, but it is questionable whether it provides a channel for the sharing of personal information. Information has different identifiers: direct identifiers are directly linked to the identity of the information subject, indirect identifiers can identify individuals but are not directly linked to their identity, and quasi-identifiers can profile individuals by combining two or more linkable information. The three types of identifiers bring different risks of harm to the rights and interests of individuals. Both anonymization and de-identification provided for in the PIPL are essentially institutional arrangements against the personal identifiable information risk within a particular dataset, which can eliminate the risk arising from the identification of the information itself, but not that arising from profiling. Therefore, in the absence of measures for addressing the risk from profiling, neither the anonymization nor the de-identification under the current PIPL can support the sharing of personal information. Now that the PIPL defines anonymized information as non-personal information, to prevent deregulation, it is necessary to interpret stringently as to whether anonymization meets the requirements of the PIPL, and to make de-identification a legal system that is in line with the requirement of the international community and can ensure the safe sharing and use of personal information. The PIPL should arrange for the consent before processing and the controlling rights during processing according to the role of different types of information in the identification analysis and the possibility for individuals to control or prevent improper identification. What must be removed for de-identification is the direct identifiers, and the consent before processing should also be limited to direct identifiers. For indirect identifiers, a possible path is to allow their use, but at the same time allow individuals to refuse their use(as opposed to consent before processing), and limit their use or the manner of their use by law or industry self-regulation. For other non-identifiable information, the only way to prevent infringement and provide remedies for individuals is to control the identifying and analyzing conduct. This identification control is not intended to absolutely prohibit the processor from performing profiling, but rather to prohibit identification through profiling. In short, de-identification needs to be reconstituted into a controlled de-identification system of "de-direct identifier + identification control" to allow each industry to develop a controlled de-identification mechanism suitable for its own risk and explore security measures for ensuring the sharing and use of personal information in accordance with the spirit of the personal protection law. Only in this way can we, on the premise of controlling the personal identifiable risk, provide an institutional foundation for the sharing of personal information and maximize the social utilities of personal information.