論電商平臺業者個資外洩之民事損害賠償責任

Abstract

隨著數位經濟與電商產業蓬勃發展，企業大量蒐集與運用個人資料，帶來營運效率提升的同時，也加劇個資外洩風險，嚴重威脅消費者隱私與財產安全。近年來臺灣屢見重大個資外洩事件，引發社會高度關注，亦突顯現行法律在責任認定、損害救濟與制度設計上的不足與挑戰。 本研究旨在探討電商平台業者於個人資料外洩事件中所涉及的民事損害賠償責任，透過三重路徑展開：其一，分析歐盟GDPR第82條損害賠償制度之理論架構與法院判決發展，檢視控制者過失推定、非財產損害可賠性與損害賠償計算原則；其二，系統整理十二件臺灣法院個資外洩判決，分析法院對於過失責任、相當因果關係、舉證責任分配及損害範圍的認定標準與歧異見解；其三，檢視臺灣個人資料保護法第27條「適當安全維護措施」規範與施行細則內容，探討業者實務遵循困境及法律規範之模糊性。 研究結果指出，臺灣實務採行「過失推定」模式，惟各級法院在因果關係判斷與損害範圍認定上歧見甚大，致使企業法律風險難以預測。相較之下，歐盟GDPR強調法律義務明確化、精神損害補償與預防性制度設計，具有可供我國借鏡之價值。本文據此提出制度建議，包括：明確化安全維護標準、引進資料保護長與DPIA機制、強化事故通報義務、補強損害賠償體系，並健全獨立監理機構，以建立具前瞻性與可預期性的個資保護制度。 本研究期盼能為電商平台建立風險應對機制提供參考，並為臺灣未來個資法制改革方向提出具體建議，實現消費者權益保障與數位產業發展之雙重目標。

With the rapid development of the digital economy and e-commerce industry, businesses are collecting and utilizing vast amounts of personal data. While this practice enhances operational efficiency, it simultaneously increases the risk of data breaches, posing significant threats to consumer privacy and financial security. In recent years, Taiwan has witnessed a surge in high-profile personal data leak incidents, revealing critical deficiencies in the current legal framework regarding liability attribution, damage recovery, and institutional design. This study explores the civil liability of e-commerce platform operators in the context of personal data breaches through a three-pronged approach. First, it examines the structure and judicial interpretation of Article 82 of the EU General Data Protection Regulation (GDPR), focusing on the presumption of fault, compensability of non-material damage, and principles for calculating damages. Second, it systematically analyzes twelve Taiwanese court decisions involving data breach cases, highlighting divergent judicial approaches to negligence, causation, burden of proof, and scope of compensable damages. Third, it evaluates the regulatory requirements under Article 27 of Taiwan’s Personal Data Protection Act and its implementing rules, discussing the ambiguity and compliance challenges faced by businesses in practice. The research finds that while Taiwanese courts generally adopt a presumption of negligence, they show substantial inconsistency in assessing causation and damages, resulting in significant legal uncertainty for businesses. In contrast, the GDPR provides a clearer and more stringent liability framework, emphasizing legal certainty, compensation for emotional distress, and preventive governance. Drawing from this comparative analysis, the study proposes several reforms for Taiwan’s legal system, including clarifying security obligations, introducing Data Protection Officers (DPOs) and Data Protection Impact Assessments (DPIAs), strengthening incident notification requirements, enhancing the civil compensation regime, and establishing an independent regulatory authority. This research aims to offer practical guidance for e-commerce platforms in managing data breach risks and to contribute concrete recommendations for future reforms of Taiwan’s personal data protection regime, striving to balance consumer rights protection and digital industry development.