Research On Tort Liability Of Personal Information Breaches

In the era of big data,the professionalism and complexity of big data technology have led to structural changes in the purpose and mode of personal information processing,resulting in the “digital gap” of knowledge,information and technology between natural persons and personal information processors.The infringement of personal information breaches presents the characteristics different from the general infringement disputes,such as the concealment of infringement,the diversification of diffusion channels,the intangibility and uncertainty of infringement consequences,the large scale of infringement forms and the information asymmetry between victims and personal information processors.To a certain extent,it subverts the social scene of the traditional tort law,and challenges the damage judgment,damage imputation,defense cause and liability bearing of personal information breaches.Therefore,this thesis takes the interpretation and application of Article 69 of the Personal Information Protection Law on tort liability for infringement of personal information right and interest as the core,aims to achieve the coordinated co-governance of the new forms of infringement of personal information breaches in the Personal Information Protection Law and the Civil Code,and follows the idea of “damage judgment-damage imputation-defense cause-liability bearing”,carry out a systematic study on the tort liability of personal information breaches.In addition to the introduction and conclusion,the full text is divided into four chapters.The first chapter is from personal information breaches to personal information breaches damage.Only by realizing the transformation from personal information breaches to personal information breaches damage,can we move from factual damage to legal damage,so as to lay the foundation for tort imputation and damage relief of personal information breaches.The infringement consequences of personal information breaches are usually not shown in the traditional forms of damage such as immediate personal injury and property impairment,but more reflected in new secondary damage such as algorithmic discrimination,relationship control,credit damage,information monitoring and identity theft,as well as new original damage of the risk of the above secondary damage in the future and negative emotional distress such as fear,anxiety and unease about future risks,this leads to the difficult problem of determining the damage of personal information breaches.In view of the intangibility and uncertainty of personal information breaches damage the theory of unified damage concept represented by difference theory,objective damage theory and norm theory is difficult to radiate the full value position of personal information breaches damages.Therefore,it is necessary to discuss the specific types of damage separately.On the one hand,when the breaches of personal information actually causes secondary damage,the redeemable of the new type of secondary damage should be conditionally recognized.At this point,the original damage of personal information breaches should be absorbed by the secondary damage unless the breached personal information still has residual risk of future abuse.On the other hand,when the secondary damage does not occur in reality,the object of compensation for the the original damage of the breaches of personal information is not the difference of the victim’s property status or the reduction of the market value of personal information,but the future risk of secondary damage and the inner anxiety about the future risk.Among them,future risk damage belongs to property damage,which is unrealistic,risk-oriented,diffused and difficult to assess.In practice,it often faces the challenges of infringement of rights and interests,objectivity of damage and urgency of damage.In this context,even if the victim can prove that the breaches of personal information is caused by the illegal behavior of the personal information processor,he cannot obtain relief,which obviously does not conform to the occurrence rule of personal information breaches damage.Therefore,it is necessary to recognize that the infringement of the right to self-determination of personal information can satisfy the requirements of infringement of rights and interests,recognize that the risk of sustained infringement of the personal and property safety of the victim caused by the breaches of personal information meets the requirements of objectivity of damage,and the standard “imminent” should be turned to “substantial risk” to determine the urgency of the risk of future damage.In individual cases,redeemable of future risk damage is tested according to the intent of the personal information thief or visitor,the sensitivity of personal information,the security measures of personal information,and the evidence of abuse of personal information.Mental anxiety injury belongs to mental injury,but whether it can meet the requirements of “infringement on the personal rights and interests of natural persons” and“serious mental injury” in Article 1183(1)of the Civil Code has been questioned by judicial practice.To ensure that the compensation of mental damage for the victim can be fully covered,infringement of personal information rights and interests can constitute“infringement of the personal rights and interests of natural persons” should be recognized.As long as the breaches of personal information is enough to cause rational people to suffer from fear,anxiety,anxiety and other non-minor mental pain,the existence of inner anxiety damage should be recognized.The second chapter is the imputation basis for tort liability of personal information breaches.After realizing the transformation from personal information breaches to personal information breaches damage,the subsequent task is to input the personal information breaches damage into the default imputation elements,so as to draw the conclusion whether the personal information processors should assume tort liability.In view of the information asymmetry between natural persons and personal information processors,it is often difficult for victims to prove all elements of tort liability for personal information breaches according to the high possibility standard in traditional theory,and the law should appropriately ease their burden of proof.The victim only needs to prove:(1)The personal information processors who have collected and stored his personal information;(2)According to the rule of prima-facie proof,there is a causality between the infringement of personal information right and interest and the breaches behavior(as a whole)of(several)personal information processors;(3)The victim suffered damage due to the infringement of personal information right and interest.As for the causality between the infringement of personal information right and interest and the breaches behavioral individual of several personal information processors,fault and illegal elements,legal presumption should be implemented.Specifically,first,the imputation principle of personal information breaches tort liability in China has experienced the legislative change from general fault liability to constructive fault liability,the constructive fault liability established in paragraph 1 of Article 69 of the Personal Information Protection Law can be applicable to personal information processing in the violation of personal information rights and interests,can also be applied to personal information processing in violation of the other personal rights,property rights and interests of natural person.Personal information processors can prove that they have fulfilled their obligations to ensure the security of personal information by providing evidence,or even if it performs the above obligations,it can not prevent the infringement results of personal information breaches,so as to overturn the presumption of fault.Second,the high complexity of big data technology creates an objective obstacle to the proof of causality,and the behavior synergy of several personal information processors obscures the real infringer,both of them jointly cause the problem of uncertainty of causality.For the former,the rule of prima-facie proof should be introduced to make up for the lack of specific evidence due to the victim’s lack of proof ability;the latter should apply the common dangerous behavior system of Article 1170 of the Civil Code by analogy.After the victim proves that there is a causality between the infringement of his personal information right and interest and the overall behavior of several personal information processors,it is presumed that the causality between the individual behavior of each personal information processor and the infringement of personal information right and interest is established.In order to avoid the infinite extension of the chain of causality,the court should adopt considerable causality and regulatory purposes to limit the scope of compensation for personal information breaches damage.Third,in view of the diversified types of interests carried on personal information,the scope of tort law protection of personal information right and interest has high uncertainty.Illegality evaluation is of great significance in the imputation of damage caused by personal information breaches.The illegality evaluation of the infringement of personal information breaches should adopt the theory of behavior illegality,the personal information processors should bear the burden of proof for the legality,legitimacy and necessity of its processing behavior,and dynamically weigh the illegality of the behavior in combination with the elements specified in Article 998 of the Civil Code and the elements of sensitive of personal information.The third chapter is the defense of tort liability for personal information breaches.If the imputation basis belongs to the positive constituent elements of the tort liability of personal information breaches,then the defense is the negative constituent elements of the tort liability of personal information breaches,which hinders the establishment of tort liability.Personal information not only attaches the personality rights and interests of natural persons,but also carries the economic of personal information processors and public interests.This means that the protection of personal information of natural persons can not be absolute,but should achieve the balance between the protection and utilization of personal information through the defense system.The defenses of tort liability of personal information breaches are scattered in the provisions of Civil Code and Personal Information Protection Law,so it is necessary to sort it out systematically.First,in addition to the general defenses established in the General Part and Tort Liability Part of the Civil Code,paragraph 1 of Article 13 of the Personal Information Protection Law also stipulates the legitimacy basis of personal information processing,which is complementary to Article 1036 of the Civil Code,the two together constitute the special defenses for personal information processors to deliberately disclose personal information.Second,informed consent is the most important legal basis of personal information processing.On the positive level,it can produce the private law effect of quasi legal acts,while on the negative level,it can transform the formal illegal personal information breaches into legal disclosure,and exempt the personal information processors from tort liability.Informed is the premise and basis of consent.The personal information processors can be exempted from the obligation of informed only when the laws or administrative regulations stipulate that it should be kept confidential,does not need to be informed,or the inform will hinder the state organs from performing its statutory duties.Consent must meet the conditions of consent ability,full knowledge,voluntary and explicit.If a personal information processor provides personal information to other processors or discloses personal information,it shall obtain the separate consent of a natural person.Third,informed consent is not the only legal basis for personal information processing.The legal licensing reasons for personal information processing can be stipulated by laws and administrative regulations,so that personal information disclosure objectively against the wishes of natural persons will not be evaluated as an illegal act in tort liability law.The legal permission of personal information processing is based on the theory of restriction of personal information right and interest,which can be divided into two types: Defense for safeguarding public interests and defense for promoting the rational use of personal information,and should be limited by the principle of proportion.The fourth chapter is the assumption of tort liability of personal information breaches.When it is determined that the personal information processors should bear the tort liability,the next question is: how should the personal information processors bear the tort liability of personal information breaches? In this regard,the new tort forms of personal information breaches will also lead to three difficult problems: the calculation of damages,the liability of the multiple person tort and the procedural law problems of mass tort.First,in order to prevent the risk of damage to the victim caused by personal information breaches from materializing,the tort damages of personal information breaches not only needs to “look back” to fill the actual damage suffered by the victim,but also should “look forward” to actively participate in risk control and resolution,so as to risk prevention costs,loss of use and rights protection costs shall be included in the scope of compensation for future risk damage.The benefit compensation of personal information breaches infringement is a calculation method in the same order as the loss suffered by the victim.Its compensation standard includes net profit standard and proposed royalty standard.Based on the intangibility and uncertainty of personal information breaches damage,discretion is the most commonly used calculation method in practice.In this regard,the court should take the nature,degree and duration of the illegal act,the severity of the consequences of the infringement and the possibility of remedy,and the sensitivity of the leaked personal information as the common discretionary factors,while the degree of fault is the unique discretionary factor of mental damages.Second,paragraph 2 of Article 20 of the Personal Information Protection Law establishes the multiple person tort rule of “joint and several liability according to the law” for the joint processing of personal information.The word “according to the law” indicates that the personal information breaches by the joint processor of personal information may not only constitute a joint injurious act in Article 1168 of the Civil Code,it may also constitute a joint dangerous act of Article 1170,or even a tort of several persons without intentional contact in Article 1171 or Article 1172,and shall bear joint and several liability or proportional liability.If the personal information breaches damage is caused by the intentional behavior of a third party and the personal information processor violates the obligation of personal information security protection,the personal information processor shall bear corresponding supplementary liability.If the personal information breaches damage is caused by the trustee’s behavior,the personal information processor cannot be exempted from tort liability by proving that it has no instruction or selection fault.Third,in order to solve the procedural law problems caused by the mass micro-infringement of personal information breaches,it is necessary to establish and improve the public interest actions and class actions system.The public interest actions of tort liability of personal information breaches take the infringement of the rights and interests of “many” individuals as the cause of action,which should be comprehensively judged in combination with the sensitivity of personal information,the group of victims,the field of personal information processing,the number of victims,time-space connection and other factors.Public interest actions and representative actions cannot replace the class actions system.China should build a class action model with group members as representatives,so as to form an overall mechanism and culture to deal with mass tort actions of personal information breaches.In short,in the era of big data in which the infringement of personal information breaches is becoming increasingly prominent,when the victim uses the tort law to protect the infringed personal information right and interest,the “digital gap” between the victim and personal information processors should not be a blocking progress and stumbling block to the relief of personal information breaches infringement.The proposal of this thesis is to adopt the interpretation route of gradualism rather than a sweeping legal reform.People only needs to flexibly explain the damage judgment,damage imputation,defense reasons and responsibility bearing of tort liability of personal information breaches according to the characteristics of personal information breaches tort disputes in the big data era,which is enough to achieve the balance between personal information protection and utilization,rights and interests protection and freedom of behavior.