Master candidate, School of Civil and Commercial Economics, China University of Political Science and Law
piece de resistance
I. Personal information and personal information rights of e-commerce consumers
Second, the dilemma of protecting consumers' personal information and property interests.
Third, the protection path of personal information property interests of e-commerce consumers.
label
With the digital economy in China becoming a new driving force for economic development, e-commerce, as an important part, plays an important role in social and economic development and people's lives. However, while e-commerce is booming, it also exposes the problem that consumers' personal information protection is not in place. Due to the lack of laws and industry regulations, as well as the secrecy and undetectability of network technology, illegal acts against the personal information of e-commerce consumers have been repeatedly banned. For example, in August 2008+2065438, in the case that the group leaked personal information of guests, Liu stole a large amount of guest information from the group system by hacking and sold it on the dark internet. These behaviors seriously infringe on the rights and interests of consumers and affect their normal life and safety. Based on the grim situation of consumer information protection, how to protect consumer information more effectively needs to be further improved.
I. Personal information and personal information rights of e-commerce consumers
Status of personal information
There is no consensus on the status of personal information in academic circles. From the attribute of "personal information protection", there are two different viewpoints: legal interest protection and rights protection.
The theory of legal interest protection holds that personal information is an interest protected by law, and personal information itself is the direct object of legal protection. Scholars who support this view believe that according to the literal interpretation of legal norms, the expression "personal information of natural persons is protected by law" should be understood as "personal information" as the object of legal protection. In addition, scholars who support the theory of legal interest protection also take the balance of interests between the protection and utilization of personal information as the starting point. They believe that with the increasing scale of network use, data processing plays an increasingly important role in the economy and society, and the publicity of personal information will become more and more prominent. Therefore, the attitude towards personal information should be changed from the unilateral protection thought of personal control to the position of social control.
The viewpoint supporting the theory of right protection holds that "personal information is protected" should be regarded as a right given to natural persons by law, no matter from the characteristics of personal information, the need of practical protection or the result of legal interpretation. On the one hand, personal information is collected and used with the consent and permission of the owner. Starting from this feature, individuals should enjoy the ability to exert influence on their information actively, and this ability will always exist and will not change regardless of whether there is a legal relationship between individuals and information processors. Therefore, this ability should be regarded as an inherent right of natural persons. On the other hand, with the rapid development of network technology, personal information has been seriously violated. If natural persons can be given relevant rights, when their personal information is illegally collected or used, they can directly invoke the right of personal information to safeguard their legitimate rights and interests. Protecting the personal information of natural persons through the mode of legal interest protection will make natural persons in a weak position in personal information processing activities, leading to more passive individuals who are already in a weak position in personal information collection and utilization activities. In addition, although the concept of "personal information right" is not clearly defined in Articles11and 1034 of the Civil Code, from other provisions in Chapter VI of the Personal Rights Law, the law has recognized the obligations of information processors and the rights of natural persons. The above rights and obligations are only logical if natural persons are recognized as having rights to their information.
Although the theory of legal interest protection can be explained from the perspective of arts and sciences, it will lead to many problems and may bring a series of legal difficulties to the actual protection of personal information of natural persons in practice. First of all, from the content of the law, if personal information is regarded as interest, it is difficult to logically agree with the legal interest essence of personal information given to natural persons by Article 1037 of the Civil Code. In the protection of natural persons' legitimate rights and interests in civil law, the protection of rights belongs to a higher level than the protection of legal interests, which leads to the logical dilemma that 1034, which focuses on the protection of interests, is difficult to command 1037, which focuses on the protection of rights. Secondly, from the perspective of legal practice, if the legal interest protection mode is adopted, it is difficult for natural persons to take adequate, necessary and active preventive measures before their own interests are damaged, and in most cases they can only get corresponding compensation in the form of relief afterwards; In the post-event relief link, it is also restricted by multiple factors such as the legality of interests and the necessity of protection. In today's era of rapid flow of personal information, such a protection model obviously puts the natural person as the owner of personal information in a passive position.
As can be seen from the above discussion, the difference between the two protection paths mainly lies in the degree and scope of personal information protection, as well as the value orientation and interest balance between information protection and information utilization. Although the civil code does not directly express the right to personal information, considering the extensive use of personal information and the grim situation faced by information protection, it is of great practical significance to confirm the right to personal information for protecting personal information and promoting the rational use of personal information in the current information age.
Orientation of consumers' personal information right
Consumer personal information plays an important role in e-commerce transactions, the development of digital economy and social life. It is not only closely related to the personality of consumers, but also can produce huge property value through huge accumulation. Therefore, the right to personal information is considered to have both personality and property attributes. The purpose of protecting property interests is to strengthen the information subject's control over its information and strengthen the individual's disposition position on its information, which is also the core of all rights of personal information right. Information autonomy is a response to the background of information commercialization and property right. Of course, this will not change the inherent personality attribute of personal information, nor will it shake the status of the personality right part of personal information right. Therefore, the property attribute of personal information right can be regarded as the property part of a complete compound right, and the personal information protection system should consider the characteristics of personal information property.
Property interests and ownership in personal information of e-commerce consumers
1. Define consumers' personal information according to "identifiability" and "relevance"
The concept of consumer personal information comes from general personal information, which is information provided or generated by consumers when they buy, use goods or receive services. Its core lies in being able to identify specific consumers, that is, personal information is "identifiable". However, considering that consumers often provide or produce personal information in the process of consumption and transaction, the concept of consumer personal information should be different from general personal information. According to the practical experience of social life, when consumers are engaged in consumption activities, they will usually produce or be captured by e-commerce operators some information that is difficult to directly identify a specific consumer but is of great significance to consumption activities, such as transaction records. Therefore, if we only take identifiability as an important factor to determine consumers' personal information, it is inevitable that the scope is not GAI and the definition is not comprehensive. Considering the particularity of consumers' activities, we should expand the content of consumers' personal information to a certain extent and appropriately break through the restriction of "identifiability".
In fact, even outside the field of e-commerce, with the continuous expansion of the scope of information based on "identifiability", many scholars advocate that personal information can be divided into "direct identification" and "indirect identification" based on "identifiability" and "relevance", and the criterion is whether a certain information can identify a specific individual. The so-called "relevance" means that information itself does not have the particularity of identifying a specific person, but it can increase the description of a specific person and enrich the cognition of a specific person.
2. Classification of consumers' personal information
According to the dichotomy of "identification" and "association", the personal information of consumers in e-commerce transactions should include the following two categories. One is the identity information of consumers. As the name implies, the identity information of consumers is personal information related to their specific identity, such as name, address, identity number, etc. Like general personal information, it is characterized by obvious identifiability. Identity information is closely related to consumers' personality and should be completely under the control of consumers. Its property interests and commercial value are subordinate to their personal attributes, so the property interests of identity information should be completely owned by consumers. The other is consumer behavior information, that is, personal information generated by consumers in the process of e-commerce transactions and in the process of using or accepting services, including browsing history, transaction records, communication records with e-commerce operators, etc. Compared with identity information, this kind of information is not recognizable, but it can accurately reflect the trajectory of consumers in e-commerce activities. Through the in-depth excavation and analysis of technical means, we can know their consumption preferences and habits, living needs, and even property status. Compared with identity information, the personality attribute of consumer behavior information is weakened, while the property attribute is enhanced. Especially with the transformation of product marketing mode of operators to precise targeted marketing, analyzing consumer behavior information can greatly improve marketing efficiency and save costs. Therefore, it is necessary to bring this kind of information into the scope of consumer personal information protection, and attribute the property interests in behavioral information to consumers.
Some scholars believe that information stored by consumers in personal cyberspace should also be included in the protection scope of consumers' personal information, such as information in e-mail. However, this paper holds that it is still uncommon to provide personal information across service providers in e-commerce transactions, so such information is usually not directly used in the field of e-commerce, especially in the trading activities of consumers. Compared with the above two types of information, the risk of infringement of stored information in e-commerce activities is relatively small, so it is not necessary to include it in consumers' personal information.
In addition, after consumers' personal information is collected, it will be processed and integrated, and a kind of derivative information (such as statistical data, group portraits, etc. ) will be generated from the identity or behavior of consumers' personal information, but it has lost contact with consumers. Whether derivative information should be included in the category of consumers' personal information has different academic views. This paper holds that, first of all, derivative information has the characteristics of anonymity and irrelevance, which makes it difficult to contact consumers directly and has lost the necessary personality characteristics of personal information. If consumer personal information is included for protection, the scope of protection will be too broad, and the effectiveness and pertinence of protection will be insufficient, which is really unnecessary; Secondly, although derivative information comes from consumer information, its property value mainly comes from the labor paid by operators through technical means such as integration, analysis, processing and mining. Therefore, if the derivative information is classified as consumer personal information, it will dampen the enthusiasm of enterprises for innovation and hinder the development of digital economy. Therefore, it is appropriate to classify derivative information as enterprise data property.
Second, the dilemma of protecting consumers' personal information and property interests.
The current legal protection is insufficient.
The subject and content of personal information rights and property interests in e-commerce are not clear.
In China, the current laws on the personal information protection obligations of e-commerce operators or information processors mostly stay at the level of declaration obligations, and there is no clear stipulation on what obligations e-commerce operators should undertake in the process of protecting consumers' information, and the current laws are not comprehensive in terms of how to bear legal responsibilities in the case of personal information infringement. The special e-commerce law and consumer protection law focus on punishing illegal e-commerce operators through administrative means. For example, the first paragraph of Article 18 of the E-Commerce Law prohibits e-commerce operators from practicing "algorithmic price discrimination", and those who violate this provision will face administrative punishment as stipulated in Article 77 of the Law, but there is no clear provision on how to relieve the injured consumers. This model can indeed effectively punish the enterprises or individuals involved and maintain the stability of the market operation, but for consumers whose personal information is infringed, such provisions are obviously not enough.
There are many difficulties in judicial practice.
First of all, it is difficult to properly resolve personal information rights disputes in the field of e-commerce through liability for breach of contract. First, most e-commerce platform operators will show their service terms or privacy policies to consumers before they use their products or services. Such clauses can be regarded as contracts between platform operators and consumers on personal information processing. Therefore, when platform operators collect or process consumer information in violation of relevant regulations, consumers should be able to obtain relief by investigating their liability for breach of contract. However, looking through such clauses, it can be found that almost no platform operators write the liability for breach of contract into the privacy policy, so it is difficult for consumers to hope that the liability for breach of contract of e-commerce platform operators can be remedied. Second, in e-commerce activities, there are many other operators besides platform operators (such as operators in the platform), but the privacy policy formulated by platform operators does not apply to the transactions between consumers and other e-commerce operators. Therefore, if there is a personal information dispute between consumers and other e-commerce operators, it will be more difficult to investigate the liability of the operators for breach of contract.
Disadvantages of simple property right protection model
From the nature of personal information property interests, it should be appropriate to adopt the mode of property rights protection, but personal information is complex. If we treat their personality attributes and property attributes separately and completely ignore their personality attributes, this pure property right protection will cause a series of serious consequences.
First of all, according to the purpose of protecting property rights, the obligee should enjoy complete control over his own property and fully abide by the principle of autonomy of will in disposition and use. Starting from this principle, personal information will inevitably fall into a completely commercialized and market-oriented situation. By then, information transactions will become free, and all kinds of unfair phenomena will prevail under the cloak of "autonomy of the will" to avoid supervision and sanctions. For example, due to differences in occupation, property and social status. Different individuals will have different values on their personal information after market evaluation, and this phenomenon of value differentiation is obviously irreconcilable with the personality attribute of personal information, which is a complete subversion of its personality attribute. Although personal information has both personality value and property value, these two attributes are inseparable for any specific personal information. Therefore, taking absolute property rights protection will greatly impact the personality right of personal information, which not only does not meet the purpose of protecting the complex nature of personal information rights, but also does not meet the expectations of the general concept of society for personal information protection, which is not conducive to promoting the development of digital industry.
To sum up, it is difficult to effectively protect the property interests of personal information under the current legal framework. Therefore, this paper believes that we should consider implementing the concept of consumer protection in the field of e-commerce information protection, so that consumers' information rights can be fully protected and fully relieved. First of all, the adoption of consumer protection mode in the field of personal information of e-commerce can ensure the substantive fairness between consumers and e-commerce operators. A major feature of consumer rights protection is to fully consider the weak position of consumers in trading activities. Therefore, in view of this feature, consumers are given preferential protection in many aspects, while operators are given more obligations and heavier responsibilities. Compared with the traditional civil law, which insists on the equality of the parties and takes their own will as the leading factor, this concept of inclined protection is more suitable for the reality of consumer activities. In e-commerce, because consumers and operators conduct transactions through information networks, the contracts concluded by both parties are mostly format clauses (such as privacy policies) drawn up by operators in advance. Compared with traditional consumption activities, consumers have lost the realistic conditions of full consultation with operators. In the process of personal information processing, operators have mastered a lot of resources and technologies, so it is difficult for consumers to achieve equal status with e-commerce operators through effective channels, and the gap between the trading status of the two parties is increasingly wide. Therefore, in e-commerce activities, putting personal information under the framework of consumer protection is a feasible way to fully protect consumers' rights and interests and ensure the substantive fairness of trading activities.
Third, the protection path of personal information property interests of e-commerce consumers.
Clarify the definition of e-commerce consumers
In view of the fact that there is no clear concept of consumer in China's Consumer Protection Law and Electronic Commerce Law, it is necessary to analyze this right subject.
1. E-commerce consumers should be natural persons who buy, use or accept services.
First of all, the purpose of consumer rights protection is to correct the weak position of consumers in order to balance the relationship between the two parties to the transaction. However, legal persons and other subjects are often equal in transactions, even in a mutually advantageous position, so they do not need special protection. Paying attention to protecting the weak in consumption activities is also one of the manifestations of the difference between consumption relationship and contract relationship. Secondly, personal information points to a specific natural person, so natural person is the subject of personal information right; Because enterprises have the characteristics of large amount of information and strong processing ability, the information they collect and process can create huge economic benefits for them, and the results obtained through technical means are often more important than the information itself. Therefore, although the value of information held by enterprises comes from consumers' personal information, it should be regarded as the benefits enjoyed by enterprises because of its large amount of information and strong processing ability. Therefore, it should be protected in the form of trade secrets and transaction data. If it is classified as "personal information", it can neither be logically consistent with the general meaning of the word "personal information right" nor exceed the protection scope of the general personality right.
Second, the right subject has consumption, that is, the act of buying, using goods or receiving services. It is worth noting that the natural person who uses the goods purchased by others is also a consumer and does not necessarily have a trading relationship with the operator.
2. E-commerce consumers do not take "for the needs of living consumption" as the element.
Considering the characteristics of e-commerce transactions, it is necessary to expand the concept of "consumer" in e-commerce activities. In the Law on the Protection of Consumers' Rights and Interests, "consumers" should be based on daily consumption needs, and the consumer behavior subject for production or business purposes should not be identified as consumers. However, in e-commerce transactions, natural persons do not directly participate in transactions because of their daily needs. If their rights and interests are infringed in general consumption activities, they can be regarded as basically equal to the operators because they are not based on daily needs, so they can get relief through contract law alone without inclined protection; However, from the perspective of personal information protection, it is also in a weak position in front of e-commerce operators with strong processing ability, and the personal information it provides or exposes in trading activities may face security or interest risks, which is no different from the behavior of consumers based on their daily consumption needs. In order to balance the interests of all parties, we should protect the personal information rights of such consumers. Therefore, the subject should not be limited to natural persons who need daily consumption, but all natural persons who consume for various purposes in e-commerce transactions should be included in the protection scope of consumers' personal information rights.
Refine the obligations of e-commerce operators
Both the E-commerce Law and the Consumer Protection Law stipulate that e-commerce operators who process information should have the obligation to protect consumers' personal information. As can be seen from the legal provisions, the above two laws limit the subject of information protection obligation in e-commerce transactions to e-commerce operators. In the whole process of e-commerce transaction, there is a legal relationship between consumers and multiple subjects. The obligations of other subjects are extended from e-commerce operators, and the contents of the obligations are similar, mostly included in the obligations of operators. Therefore, only the information protection obligations of operators are discussed here.
The property attribute of personal information right is mainly reflected in supporting individuals to enjoy a certain degree of domination and control over their information, and the core of each function of personal information right is a high embodiment of the property attribute of personal information right, because the right to decide refers to consumers' right to decide and control personal information processing, which reflects the respect for consumers' free will. It can be said that the right to decide personal information is the embodiment of the principle of autonomy of will in the field of information protection. Only when consumers have the right to make their own decisions can they really enhance their control over the personal information processing process. Starting from the right of information decision, in the process of collecting personal information, the right of personal information should have the right of informed consent; In the information use stage, the right to personal information should have the ability to correct and delete. In addition, because consumer personal information has important commercial value in the field of e-commerce, it is often regarded as a special commodity in information exchange and processing activities, resulting in use value and exchange value. Operators of different e-commerce platforms realize data sharing through data exchange and data sharing, and at the same time provide accurate push and personalized service for consumers and profit from it. At this time, the exchanged consumer information circulates among different platforms in the form of commodities. Therefore, as the right holder of this special commodity, consumers should have the right to allow others to use it for compensation, which is also the embodiment of consumers' independent decision on their personal information.
Therefore, from the perspective of corresponding rights and obligations, the obligation to protect personal information should include the following contents:
1. obligation to notify
In order to protect consumers' right to know, e-commerce operators should inform consumers about the situation in a clear and affirmative way before processing information, so that consumers can fully know and make decisions and choices independently; When the scope or purpose of processing information changes, it shall inform and re-obtain consent; The obligor shall also inform consumers of the ways to consult and copy relevant information, and the channels to contact operators and other obligors to correct or delete information. Whether the obligation to inform is properly performed should be judged by combining the comprehensive factors such as the way of informing, the general concept of society, and the habits of the industry.
2. Obligation to use consumer information reasonably
The basis of reasonable use is legal use. When using consumer information, we should first abide by the provisions of laws and administrative regulations and must not use consumer information for illegal purposes. Secondly, in the relationship of rights and obligations with consumers, this obligation includes both the obligation of fair use within the scope of consumers' "informed consent" and the obligation of fair use within the scope of licensing contracts after consumers' permission. The first paragraph of Article 1038 of the Civil Code stipulates the duty of omission of the processor and delimits the scope for the e-commerce operators to fully and properly perform their duties.
3. Information security obligations
According to the second paragraph of Article 1038 of the General Principles of Civil Law, the obligor shall take necessary technical measures to prevent the infringement of consumers' personal information rights, such as physical isolation, firewall, effective monitoring and prevention mechanism, etc.
4. Obligation to pay remuneration
The sale of personal information is undoubtedly an act that should be prohibited and condemned, but consumers, as the main body of personal information, should be allowed to gain benefits through the property value of their personal information. Therefore, under the premise of prohibiting consideration transactions before information processing, relevant systems should be designed reasonably to affirm consumers' right to obtain information benefits. Some scholars suggest that e-commerce operators should set up relevant funds to distribute the benefits gained from handling consumers' personal information, so that consumers can effectively enjoy the property benefits of their information. This paper holds that the form of setting up a fund can properly solve the contradiction between consumers' enjoyment of information property benefits and the small amount of profits made by a single consumer and the difficulty in distribution, and it is a mechanism that can fully take into account the legitimate rights and interests of most consumers.
The imputation principle of confirming the presumption of fault
According to the imputation principle of fault presumption, when a dispute occurs, the personal information processor should prove that he is not at fault in handling activities. It should be noted that in the process of proof, the consumer should bear the initial burden of proof for the fault of the processor, including the infringement of the consumer's own personal information rights, the improper behavior of the processor in the trading activities, causality and other factors, which should reach the degree that the processor can be presumed to be at fault; Subsequently, e-commerce operators should bear the burden of proof to prove that "their actions are not at fault". If the third party is at fault and in line with the public interest, they can refute the consumer's claims, otherwise they should bear the corresponding adverse consequences.
Introduce punitive damages system
Finally, punitive damages can also have a deterrent effect on other social subjects through the severity of their responsibilities, thus curbing the occurrence of other similar behaviors and maintaining market order and the stability of economic life.
In view of the above functions, punitive damages also have great practical value in the field of personal information. The main system value of punitive damages lies in its "revenge" and "sanction", not in actually filling the victims' losses. In this respect, punitive damages are similar to moral damages, because it is difficult to prove specific losses and determine the amount of compensation. Therefore, in cases that do not involve property interests, the victim should not be supported to ask for punitive damages. Introducing punitive damages in the field of personal information protection in e-commerce will change the inherent defects of general compensatory damages in the era of big data and provide property support for protecting consumers' personal information rights.
The essence of punitive damages is to punish and punish the illegal acts of operators, and filling the losses of victims is in a secondary position in the purpose of punitive damages system, which can even be regarded as a liability system that can be applied independently of compensatory damages. Therefore, punitive damages to operators need not be based on the actual losses of consumers, and can also effectively avoid the dilemma that consumers are difficult to prove their actual losses. In other words, even if consumers have not suffered losses because their personal information has been infringed by operators, they should be liable for compensation for the purpose of punishing operators for illegally handling information.
label