新興科技下的資訊隱私保護：「告知後同意原則」的侷限性與修正方法之提出

Information Privacy Protection in the Era of Emerging Technologies: Limitations of the Informed Consent Principle and Proposed Amendments

現行資訊隱私保護制度設計的核心乃在貫徹「告知後同意」原則，著重在「蒐集」當下取得當事人同意其個資被蒐集及符合蒐集目的的使用，藉此滿足保障「控制」利益的資訊隱私保護。然而，新興科技的發展使得資訊隱私的威脅逐漸轉換地出現在個人資料被「蒐集後」的「再使用」過程。一味地貫徹告知後同意原則的適用，不僅現實上甚難實踐而阻礙科技發展或研究推行，有時亦無助於、甚或可能有害於隱私保障。因此，如何修正告知後同意原則在個人資料保護上的適用，成為面臨新興科技造成資訊隱私保護挑戰的重要課題。本文主張「強調多重面向資訊隱私利益並結合隱私傷害的綜合權衡法」之資訊隱私保護理論，可使得資訊隱私保護不再僅執著於控制利益而生過度管制個資的蒐集可能；帶入親密性與秘密性隱私利益的方法論，可以更為有效地權衡科技發展利益與隱私保護利益。最後，本文整理告知後同意原則於我國個人資料保護法的規範結構，並進一步以本文提出的告知後同意原則之修法方法，檢討此立法規範的妥適性，以及能否有效因應新興科技發展所形成之新型態的隱私擔憂。

The current information privacy policy is generally structured based on the notice-and-choice (or informed consent) principle which contains two core privacy theories. One is that the goal of information privacy is to ensure that personal control over an individual’s personal data is fully protected. The other theory is based on the assumption that in the free market, the individual, the person who controls personal data and the person who uses personal data will eventually strike a balance between the protection of privacy and the interests of using personal data. However, the traditional notice-and-choice principle has faced difficulties in protecting privacy to resist threats caused by new technologies. The notice-and-choice protects individual privacy from the angle that collectors shall obtain the individual’s consent “at the time” when the data is collected in order to ensure that such individual’s “control interest” over his own data is protected. However, when the application of new technologies aims to explore new opportunities in “reusing” personal data for a new purpose which might be different from the original purpose of collection, the traditional notice-and-choice notion appears to be insufficient to protect individual privacy because the notice lacks a mechanism in dealing with privacy problems when personal data are reused. On the other hand, enforcing the notice-and-choice principle could place unnecessary burden on data collectors and data users when the principle universally requires them to obtain consents from data subjects which does not guarantee privacy protection and is likely to adversely impede innovation of new technologies. It is therefore important in the new era of new technologies that the traditional privacy protection notion be amended and/or supplemented in order to properly deal with new privacy concerns.
This article proposes a privacy theory which, unlike traditional theory wherein only personal control interest is considered, takes into consideration of other information privacy interests as well as the potential privacy harms associated with such interests. This article locates other privacy interests and harms that should be evaluated－including the interest of intimacy and secrecy. One of the advantages of including other privacy interests is to find the right balance between privacy protection and technology innovation when the various interests are comprehensively evaluated. Furthermore, this article examines the current Taiwan Personal Data Protection Act to evaluate whether the provisions that were written following the notice-and-choice principle are appropriate in resolving privacy concerns caused by new technologies. When several deficiencies under the current law are pointed out, this article applies the proposed privacy theory in several cases to demonstrate that the proposed theory is feasible in supplementing the traditional notice-and-choice principle in the new technology era.