個人資料去識別化困境新解—「資料財產權」進路

Abstract

本文首先聚焦於我國近年來各類政府主導的大型資料庫蒐集案例，歸納出其等多以去識別化為由規避取得個資主體的同意，本文因此分別從去識別化於於定義、技術、定位上的困境討論。 首先當前法律定義上內國定義混亂、比較法上因歷史脈絡無法同一比較，且運作上也不足以賦予個人足夠的控制；再者技術層面上也面臨類型化困難、欠缺統一量化標準等困境；最後於定位上，當前GDPR將「匿名化」概念跟其他個資同意、組織、程序保障掛鉤，也愈趨無法解決再識別技術所造成的威脅。 為了因應日漸升高的再識別風險，本文認為（1）應限縮當前歐盟GDPR中的「匿名化」概念，使其與其他個資同意、組織、程序保障脫鉤。（2）應將去識別化處理單純理解為資安風控手段，而非影響個資保護規範適用範圍的前提影響因子。（3）應統一目前「去識別化」於法律上及技術定義上的不同。（4）應立法區分不同利用目的、不同資料類型、不同個資主體，以適用不同的同意授權模式。另外，也應使個體就該模式下需面臨再識別風險有更清楚的認知。 最後，為了使個人就其個資的控制，無論如何皆不因去識別化處理而喪失，本文從病歷、基因資訊的利用案例出發，探討美國法上「資料財產權」的理論是否得以透過談判交易、市場手段、限制授權、金錢賠補償等方式，增加個人對零碎、去識別個資的控制。結論上，本文認為美國法的資料財產權理論，基於人對財產具有控制的素樸想像，應有助於建立個人在資料關係中持續性的控制，進而有機會在理論上解決前述如何就去識別化資料賦予個人控制的難題。只不過從功能性、實用性角度而言，此一理論可能並非唯一解答，具體仍須仰賴立法解決。

This thesis focuses on the trend of government claiming that there’s no need to obtain consents from data subjects, since the personal data has already gone through de-identification. However, this could cause harm to data subjects. To analyze, this thesis then discusses the three dangers of the over-reliance on de-identification which includes that there’s no single definition on de-identification and anonymization; there’re also difficulties in categorizing, or generalizing different standards on the de-identification techniques; further, there’s no general standard to measure or quantify how high the risk of re-identification is; lastly, present GDPR adopts the concept of anonymous information and uses it to distinguish whether GDPR applies, which makes the regulation itself incapable of dealing with the threat of re-identification. This thesis suggest that: (1) the concept of anonymous information should be disconnected with the application of GDPR, (2) the process of de-identification should be simply taken as a measure to safeguard the information security rather than the distinguisher of whether the information concerned applies to GDPR, (3) a single, generalized standard on the techniques of de-identification should be established, though it may be difficult, (4) different kind of purpose of data utilizations, genres, and data subjects should apply to different de-identification models, and different consent models. In addition, data subject should be clearly informed about the risk of re-identification under different models. Lastly, in order to enhance data subjects’ control over their personal information, not to let this control weaken by the process of de-identification, this thesis refers to the past disputes between ownership and privacy in the cases of medical records and genetic information. Some suggested to use ‘privacy as property’ theory in these cases, which aimed to solve the problems by adopting the concept of information market, negotiation, transaction, monetary compensation, and restraints on PII alienation. In essence, this theory considers the instinct of thinking personal information as one’s property help enhance data subjects’ control over their information. Though there may be some downsides of this theory, it’s a good reference to solve the difficulties of people losing control in the process of de-identification. The theory may not be the only answer to the problem, while it does provide a great insight to the dilemma brought by the big data and the new re-identification techniques. The ultimate solution still has to rely on the legislation.