個人信息洩露風險損害的賠償責任

Compensation Liability of Risk Damage Caused by Personal Information Breach

《個人信息保護法》第69 條確立了侵害個人信息權益損害賠償的請求權基礎，但並未明確規定應予救濟的損害類型。當個人信息洩露並未實際造成次生損害時，其侵害後果具有無形性、不確定性、風險導向性，統一損害概念難以完全涵蓋，有必要重構原生損害概念及其賠償責任。個人信息洩露原生損害賠償對象並非計算差額或個人信息的市場價值減損，而是面向未來的實質性風險。風險損害應採用動態體系的評價方法，落實於第三人動機、信息敏感性、安全技術措施、濫用證據等要素，其結論取決於諸要素協動後的綜合權衡。風險損害的賠償範圍包括風險預防費用、使用利益喪失、內心焦慮損害、維權合理開支等，應建立其數額量化的酌定因素和區間。

Article 69 of the Personal Information Protection Law establishes the basis of the claim for damages for infringement of personal information rights and interests, but does not specify the types of damage that should be remedied. When the personal information breach does not actually cause secondary damage, its infringement consequences are intangible, uncertain and risk-oriented, which is difficult to be fully covered by the unified damage concept. It is necessary to reconstruct the concept of primary damage and its compensation liability. The object of compensation for the primary damage caused by the personal information breach is not the difference in calculation or the diminution of the market value of personal information, but the future-oriented substantial risks. Risk damage should adopt a flexible system evaluation method, which is implemented in the elements of the third party’s motivation, information sensitivity, security technology measures, and evidence of abuse. The conclusion depends on the comprehensive balance after the coordination of the elements. The scope of compensation for risk damage includes risk prevention costs, loss of use benefits, inner anxiety damage, and reasonable expenses for safeguarding rights, and discretionary factors and intervals for quantifying their amounts should be established.