論個人資料保護法之「當事人同意」

按「當事人同意」作為個人資料蒐集處理利用的合法事由 之一，對於當事人的人格權保護和促進個人資料的合理利用而言，具有相當重要之意義。 由於我國個資法第 7 條對於當事人同意，僅規定資料蒐集者之告知義務，至於是否尚需具備其他要件方為有效之同意並 未明確規定，例如當事人之同意是否需為明示同意或亦承認默示同意之效力？又當事人之同意是否必須為具體、個別的同意， 還是允許有概括同意之空間？有關未成年人個人資料是否應取得其父母或監護人之同意？抑或是以未成年人具有辨別事理之能力，瞭解同意之意義為已足？除此之外，資料蒐集者和個資當事人間存在地位不對等之關係時，當事人之同意是否能作為有效的手段以保障其個資之自主控制？凡此，均有待釐清和需要實務及學說之闡釋與補充。 本文擬就上述問題為討論，以協助釐清當事人同意的概念和內涵並提出建議，期望當事人同意得以發揮其功能，真正落實當事人資訊自主。

The consent of a data subject is one of the legitimizing grounds for the processing of personal data. It is of great significance for the protection of individuals' personal rights and the rational use of their personal data. Since article 7 of the Personal Data Protection Act requires only the data controller's disclosure obligation, it is unclear whether additional requirements are needed to make the consent a valid basis for the processing of personal data. Will it be sufficient for consents to be implicit or should it be given in an explicit way? Should the consent be specific or is it appropriate to give a blanket consent? Where a person is under the age of majority, should consent be given by a parent or guardian or is it sufficient when a person is able to appreciate the nature and effect of giving consent? Moreover, there are rising concerns about whether consent provides a valid legal ground for processing personal data where there is a significant imbalance between the data subject and data controller. This article aims to offer a comprehensive analysis of the concept of consent in data protection and wishes to contribute to clarify the above-mentioned questions.