人工智慧技術與個人資料刪除權——以金融應用為中心

Abstract

在當今網路科技高度發展的時代，資訊傳播快速且難以遏止，使「遺忘」不再 輕而易舉，也使社會對個人資料保護的關注日益升高。然而，隨著人工智慧（AI）技術的興起，個人資料刪除權首當其衝地面臨嚴峻挑戰。尤其在金融領域，AI已廣泛應用於信用評分、詐欺偵測與風險管理等高敏感性決策場景，其模型效能高度 依賴長期且完整的個人資料作為基礎。惟深度學習模型本質上係透過將訓練資料 隱含於模型權重中，具有高度黑箱性與不可逆性，即使表面上刪除了原始資料，模型參數中仍可能殘留具可識別性之資訊，凸顯AI應用與刪除權保障之間潛藏的制度張力。 本文以法律經濟學為分析基礎，結合古典經濟學強調的契約自由與行為經濟學揭示的決策偏誤，檢視現行《個人資料保護法》在刪除權設計上的侷限，並比較歐盟《一般資料保護規則》（GDPR）與美國《加州消費者隱私法案》（CPRA）的規範策略。GDPR採取高強度的不可讓渡路徑，刪除權不得透過契約排除或弱化； CPRA則在同樣確保刪除權為基本權的前提下，允許企業以優惠折扣等方式交換資料，但必須符合明確揭露、明示同意與隨時撤回之條件，以市場誘因確保資料供給穩定。對照之下，我國雖在實務上允許透過契約約定保存期限以維持一定彈性，但欠缺明確的對價規範與隨時撤回等可逆性設計，致使同意容易流於形式，並加劇資訊不對稱的風險。 基於比較法觀察與法律經濟分析結果，本文建議未來修法應明文化資料利用的「有償契約自由」並結合行為經濟學導向的「輕推」措施，特別是資訊揭露與隨時撤回，以引導資料主體做出理性與自主的選擇，進而在隱私保障與AI發展之間建立可持續的平衡。

In today’s era of highly developed digital technologies, information spreads rapidly and is difficult to restrain, making “forgetting” no longer effortless and heightening society’s concern for personal data protection. Yet with the rise of artificial intelligence (AI), the right to erasure faces particularly acute challenges. In the financial sector, where AI is widely applied in sensitive decision-making contexts such as credit scoring, fraud detection, and risk management, model performance depends heavily on long-term, stable, and comprehensive datasets. However, deep learning models embed training data implicitly into their parameters, carrying an inherently opaque and irreversible “black-box” nature. Even if the original data is ostensibly deleted, identifiable traces may remain within model weights. Coupled with the prohibitive costs of retraining, this reality greatly undermines the effectiveness of exercising the right to erasure, underscoring the structural tension between AI applications and data protection guarantees. This thesis employs a law-and-economics perspective, integrating the classical economic emphasis on contractual freedom with behavioral economics’ insights on decision-making biases, to examine the limitations of Taiwan’s Personal Data Protection Act (PDPA) in its design of the right to erasure. It further conducts a comparative analysis of the regulatory strategies under the EU General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA). While the GDPR adopts a strict inalienability approach—prohibiting any contractual exclusion or dilution of the right to erasure—the CPRA, while still treating the right as a fundamental entitlement, permits companies to exchange data for financial incentives such as discounts, provided that such arrangements meet conditions of explicit disclosure, express consent, and the possibility of withdrawal at any time. By contrast, Taiwan’s regime allows contractual stipulation of retention periods in practice, thereby maintaining some flexibility, yet it lacks explicit provisions on consideration or reversibility (such as withdrawal rights), leaving consent vulnerable to formalism and exacerbating information asymmetry risks. Based on these comparative findings and law-and-economics analysis, this thesis argues that future reforms in Taiwan should explicitly incorporate a framework of “remunerated contractual freedom” while complementing it with behavioral economics-inspired “nudge” measures, particularly robust disclosure obligations and a right of withdrawal. Such a framework would guide individuals toward making informed and autonomous data-sharing decisions, thereby establishing a sustainable balance between privacy protection and AI-driven innovation.