自動化人臉辨識衍生訴訟評釋──以美國法之規範路徑與訴訟實踐為中心

Lawsuits Concerning Automatic Facial Recognition: The US Laws’Development Path and Judicial Cases

自動化人臉辨識憑藉身分驗證辨識上的強勢效能，乃人工智慧應用中亟具發展前景之領域，引發人民個資之蒐集使用及隱私侵害日益嚴峻。相關法制爭議觸發的基本規範性問題亟待釐清。本文以美國法關於自動人臉辨識技術之規範體系與指標性判決為主軸，聚焦伊利諾州《生物特徵資料隱私法》法制規範之適用課題並據此提出我國法制發展建議。
本文首先涵括出於不同「規範主體」、涉及不同「保護客體」，以及出於不同「應用情境」（特定目的）之可能態樣，其次，聚焦美國聯邦法院判決，並以起訴合法要件及訴訟權能貫穿其中，爬梳資料主體援引伊利諾州《生物特徵資料隱私法》所提起之標竿判決及其隱藏問題。進而就生物特徵資料於我國個人資料保護法之評價與適用課題進行論述梳理，最後提出我國法制設計與完備方向建議。
本文認為我國法規調適有兩大途徑，分別為在個資法增訂特別條款、抑或另立人臉辨識特別法：前者體現於若我國認為人臉識別應有受到適度規範之必要時，於現行個資法中增訂相應之特別條款。後者則係人臉識別應用所涉領域之專門立法（部門立法）中，置入特別規定，本文傾向後者之路徑選擇，主張以「緊密剪裁適用情境之類型化規範」、「兼顧『事前監管』與『事後救濟』之雙重保障機制」及「執法領域排序優先之公私部門立法之路徑選擇」為主軸，促使我國個資法之適用問題在法制層面做出一定程度的涵容調適。

With its rapid growth in recent years, Automatic Facial Recognition (AFR) has become the most promising biometric technique. However, AFR’s unwarranted collection and use of consumers’personal data have also become an increasing threat to privacy protection. Taiwan’s personal data protection laws are mostly made by borrowing EU’s relevant regulations. Hence, the existing discourse on the protection of data producers in Taiwan highlights the interpretation of EU’s General Data Protection Regulation (GDPR), and lacks studies of the US laws’development path. To address this research gap, this paper focuses on the regulatory framework and landmark judgments concerning AFR in U.S. law, with a specific emphasis on the applicability issues of the Illinois Biometric Information Privacy Act. Based on this examination, suggestions for the development of legal frameworks in Taiwan are proposed.
This paper first explores various potential scenarios based on different“regulatory subjects,”“protected subjects,”and“application contexts”(specific purposes). Next, it examines U.S. federal court rulings, with a focus on the legal requirements for filing lawsuits and jurisdictional issues, to identify benchmark judgments and underlying issues raised by data subjects invoking the Illinois Biometric Information Privacy Act. Subsequently, it discusses the evaluation and applicability issues of biometric data under the Taiwanese Personal Data Protection Act, before proposing directions for the development and enhancement of legal frameworks in Taiwan.
This paper proposes two approaches for regulatory adaptation: amending the Personal Data Protection Act to include specific provisions or enacting a separate facial recognition special law. The former involves adding relevant special clauses to the existing Personal Data Protection Act when deemed necessary for moderate regulation of facial recognition. The latter entails incorporating specific provisions into specialized legislation (departmental legislation) pertaining to the areas of facial recognition application. This article leans towards the latter path of choice, advocating for a framework that includes“context-based typological regulations,”“a dual protection mechanism balancing‘ex-ante regulation’and‘ex-post remedies,’”and‘a prioritization strategy legislation in law enforcement.’This approach aims to achieve a certain degree of accommodation and adjustment in the legal framework for the application of the Personal Data Protection Act.