個人信息匿名化的理論基礎與制度建構

匿名化技術作為兼顧數據利用和數據安全的技術始終難以真正落地，原因在於《個人信息保護法》第73條對“匿名化”概念設置了“無法識別”和“不能復原”兩個限定條件，這一苛刻要求使得匿名化制度處於“存而不用”的狀態。雖然匿名化處理無法實現完全匿名已成共識，但是對於相對匿名的判斷標準以及重新識別風險的限定範圍始終存有較大爭議。現階段匿名化制度的理論探討普遍忽視了對該項制度的理論基礎探究，而將解決思路限定在個體權益保護的範疇。在數據關係理論範式下，這種信息要素關聯性指向的是橫向數據關係層面的群體性特徵，而這種群體性特徵恰恰也是數據經濟價值的關鍵所在。因此，匿名化制度的功能定位應當從單純地保障個體信息私密性轉變為在保障數據關聯經濟價值的基礎上降低重新識別風險。在制度建構層面，匿名化信息所要求的“不能復原”應當被解釋為經由事前的風險評估，復原的技術難度和時間成本遠超一般主體所能接受的範圍。

Anonymization technology, as a technology that takes into account both data utilization and data security, has always been difficult to be effectively put into practice, because Article 73 of the Personal Information Protection Law sets two qualifying conditions for the concept of“anonymization”—“unidentifiability”and“irrecoverability”, which is a harsh condition that puts the anonymization system in a state of being just on paper. Although there is a consensus that anonymization cannot achieve complete anonymity, there have been debates about the criteria for determining relative anonymity and the scope of re-risk. At the present stage, the theoretical study of the anonymization system generally ignores the discussion of theoretical basis but only keep eyes on the protection of individual rights and interests. Under the paradigm of data relationship theory, the correlation of information elements focuses on the group characteristics of horizontal data relationship, which is precisely the key to the economic value of data. Therefore, the function of anonymization system should be changed from simply guaranteeing the privacy of individual information to reduction of the risk of re-identification on the basis of the economic value of data association. At the level of system construction, the“irrecoverability”requirement of anonymized information should be interpreted in the following way: with ex ante risk assessment, the technical difficulty and time cost of recovery are far beyond the acceptable range of general public.