论文部分内容阅读
Abstract: In response to public health emergencies, tracking detection, collection and analysis of a large number of personal health information and mobile information is for the safety of the majority of the public, is the embodiment of the means of public management. It can achieve the purpose of effective prevention and control of infectious diseases, but illegal use of personal information may lead to the leakage of said information, also the interests of the parties concerned will be damaged. This paper analyzes the legal basis of protection of personal information under public health emergencies, combines the extraterritorial practice of personal information protection exemption under public health emergencies, and points out that there are some issues in the protection of personal information under public health emergencies in China, such as lack of special legislation and lack of specific rules of protection of personal information in the public health emergencies. The protection of personal information in public health emergencies in China should speed up the special legislation of personal information protection, standardize the rules of personal information utilization after public health emergencies, and establish the principles of legality, purpose limitation, minimum scope and confidentiality to further standardize the personal information utilization behavior of subject.
Key words: public health emergencies; personal information protection; public interest; personal information protection law
CLC: D 912 DC: A Article ID: 2096-9783(2021)03-0119-09
1 The Origin of the Problem
According to Article 2 of the Emergency Regulations for Public Health Emergencies, a public health emergency is: "a sudden outbreak of a major infectious disease epidemic, mass unexplained disease, major food and occupational poisoning, and other events affecting public health that causes or is likely to cause serious damage to public health." The outbreak of Novel Corona virus Pneumonia in 2020 (hereafter referred to as the NCP) has been declared a public health emergency by the World Health Organization. According to the principle of prevention and control of infectious diseases of "early discovery and early isolation", local governments have actively exerted the advantages of information and communication technology by using big data and other means under the guidance of the Party Central Committee and the State Council, organized and carried out the analysis of big data of telecommunication, and strengthened the tracking and detection of the epidemic tracing for the returned people and other floating personnel during the Spring Festival, including demographic information of returning people and "same journey investigation" services, etc., aims to understand the disease clues at the fastest speed, so as to facilitate the government to carry out targeted epidemic prevention and control work. Practice shows that, compared with the outbreak of SARS 17 years ago, information technology, represented by big data, is playing a vital role in the prevention and control of the epidemic. It can not only grasp the trajectory of confirmed patients, suspected patients and close contacts in a timely, accurate and comprehensive manner, but also issue an effective early warning to all citizens. However, in the course of the community's concerted efforts to deal with the epidemic, irregularities in the use of personal information have emerged, such as the illegal use of personal information for the purpose of finding close contacts of confirmed new coronary cases, and even the uncontrolled dissemination of personal information, such as the publication of other people's names, cell phone numbers, home addresses, ID card numbers and other personal information in WeChat groups. Individuals whose information has been made public have also received phone calls from strangers and harassment through WeChat. The government collects, counts, and circulates health information and mobility information of Wuhan returnees; the community counts residents' body temperature and contains sensitive personal information in temperature charts; and citizens travel on various types of transportation and fill out "health declaration cards" containing health information and personal information, all of which are related to the protection of personal data to varying degrees[1].
In the current complex background of epidemic prevention and control, although the tracking and detection of the source of the epidemic using big data has played an obvious role in epidemic prevention and control, people whose personal information has been leaked and those who have close contact with the confirmed or suspected victims of NCP will certainly become a group of high concern, and in the process of personal information being illegally leaked and disseminated, some extortion, blackmail and malicious acts may occur. The reporting and harassment of individuals and their families has led to the risk of harm to their physical and mental health or to discriminatory treatment. As countries legislate personal information protection in the digital information age becomes a basic social consensus and norm, major public health emergencies force people to rethink how to deal with the boundaries between public interest and private rights in the face of major public health emergencies. Although the collection and use of personal data for public health management purposes plays a significant role in the fight against epidemics, the core rights of individuals should not be denied, and the necessity and appropriateness of some specific measures should be explored. Therefore, in this paper, we will define the scope of personal information, review the current laws and regulations on the use of information in public health emergencies in China, and make recommendations on the legislation and practice of personal information protection based on the experience of extra-territorial protection and exemptions in public health emergencies, so as to lay a foundation for the lawful use of personal information in public health emergencies. 2 Legal Basis and Overseas Practice of Protection of Personal Information Right in Public Health Emergencies
2.1 Legal Basis of Protection of Personal Information Right in Public Health Emergencies—the Current China Approach
2.1.1 Scope of Personal Information
Accurate definition of "personal information" in the context of public health emergencies is a prerequisite for citizens to be able to obtain remedies when their personal information is compromised. Articles 1034 to 1038 of Personality Rights of Civil Code of China have made complete provisions on the protection of personal information, among which article 1034 clearly defines the scope of personal information: "personal information of natural person is protected by law. Personal information is all kinds of information recorded by electronic or other means, which can identify a specific natural person individually or in combination with other information, including a person's given name, date of birth, ID number, biometric information, address, telephone number, e-mail, health information, etc". In addition, article 1034 distinguishes the private information contained in personal information, and emphasizes the application of the relevant provisions of the right of privacy to the private information. In this regard, the concept of "personal sensitive information" has also been put forward in paragraph 3 of the Information Security Technology Personal Information Security Rule, so as to distinguish it from personal information, i.e.: "Personal sensitive information refers to personal information that, if leaked, illegally provided or misused, may jeopardize the safety of persons and property and may easily lead to damage to personal reputation, physical and mental health or discriminatory treatment, including identity ID numbers, personal biometric information, bank account numbers, communication records and contents, property information, whereabouts trails, accommodation information, health and physiological information, transaction information, and personal information of children under the age of 14 (inclusive)."
First of all, personal information has distinguishing characteristics, information that helps identify a specific natural person, either directly or indirectly, is considered personal information. In other words, information that directly identifies a natural person means that the person can be contacted through the data itself, such as portrait, name, identity card number, cell phone number, home address, workplace, etc. of the natural person. In addition, some information by itself cannot accurately point to a specific natural person, but when combined with other information can be linked to a specific natural person, such information should also be regarded as personal information, including the person's special hobbies, gender, age, work units, etc. Secondly, the private information contained in personal information has the characteristics of privacy. Once the information is leaked, it will bring a certain degree of damage to the personal and property security of the information leaked subject, or it may be discriminated by exclusion, abuse and other discriminatory treatment. Obviously, the names, ID numbers, home addresses, contact information, whereabouts and other information collected, counted and circulated by local government departments for real-time monitoring of NCP prevention work, as well as the names, ID numbers, home addresses, contact information, whereabouts and other information of Wuhan returnees and NCP patients all fall within the scope of personal information under the Civil Code of China, and also under the Information Security Technology Personal Information Security Rule for the scope of personal sensitive information. If such information is disclosed, it will cause some degree of damage to the personal and property security of the subject of the disclosed information or may be ostracized, abused and other discriminatory treatment.
2.1.2 Subject of Collecting Personal Information in Public Health Emergencies
In order to meet the needs of public health emergency response, the competent departments or relevant units and authorized organizations can collect, use or circulate personal information. According to the current laws and regulations in China, there may be the following subjects who have the right to collect, use or circulate the personal data of epidemic related personnel:
First, disease prevention and control institutions, such as the health department of the State Council, and authorized institutions, such as health administrative institutions, medical institutions, communities, township residents' committees and villagers' committees authorized by government departments at all levels have the right to collect and release information of epidemic events to the society.
Second, people's governments of provinces, autonomous regions and municipalities directly under the central government have the right to collect and analyze emergency information through various channels in accordance with the emergency plan of the administrative region.
Third, transportation department have the right to require to supervise and urge passenger cars, taxis, online car hailing, etc. to cooperate with the health department, and do a good job in the information submission of the people who are in close contact with the cases in the same vehicle.
Forth, all kinds of enterprises and institutions collect the personal information of students, employees and their families instead of local governments, and report it to local government organs.
2.2 Overseas Practice of Protection of Personal Information Right in Public Health Emergencies——EU General Data Protection Regulations (GDPR) With the increasing number of data generated by social individuals, according to the EU values, basic rights and basic rules, the interests of social individuals must be put in the first place in the collection and application of data. Only when European citizens are convinced that any personal data sharing within the EU will fully comply with EU data protection rules, will citizens believe and accept such innovations. At the same time, with the technological changes in the field of data storage and processing, the number of EU public data and non-personal industry data is increasing day by day in the EU, which provides a continuous driving force for EU innovation and social and economic development.
In order to ensure the safe and legal use and circulation of personal information, countries around the world have successively introduced laws and regulations on personal information protection. In response to the potential dangers in China's personal data protection and governance highlighted by the epidemic, countries around the world have established a considerable degree of practice for reference, the most typical of which is the European Union's General Data Protection Regulation (GDPR). Adopted by the European Parliament on April 14, 2016, the GDPR, which came into force on May 25, 2018, has consistently upheld the information governance model of strengthening the protection of personal information as a fundamental right, and established a series of personal information protection. The GDPR looks at personal information protection rules within the framework of "public society - individual privacy" and opposes restrictions on the use of personal data by governments and organizations, instead establishes the rules for the effective use of personal data by them[2].
Data subject consent is defined in the GDPR as: "The data subject expresses his or her consent to the processing of personal data concerning him or her, either by means of a written declaration or by means of an explicit affirmative action. Such expression of will shall be freely given, specific, informed and unambiguous." Obviously, this provision requires a "clear and unequivocal" positive declaration by the data subject at the time of collection of personal data, and only with the consent of the data subject can the data controller make further use of his or her personal data. However, within the framework of the EU GDPR, the consent of the data subject is not the only lawful basis for the processing of personal data. With regard to the protection of personal data in the context of public health emergencies such as the pneumonia epidemic caused by the novel Corona virus infection, Article 9(1) of the GDPR lists the legal conditions under which infectious disease prevention and medical institutions and related organizations may exceptionally use personal data without the consent of the data subject, including (1) for the performance of a task in the public interest or on the basis of official authority; (2) for the performance by the controller of (3) the processing is necessary to achieve a substantial public interest. In essence, these three legitimate grounds under the GDPR can effectively support the use of personal information by CDCs, health care providers, and related organizations in outbreak prevention and control efforts in the event of a public health emergency. According to the provisions of the EU GDPR, for the purpose of analyzing infectious diseases and early warning, monitoring epidemics and transmission trends, personal sensitive data can be processed for public interest purposes even without the consent of the data subject. 3 The Dilemma of Personal Information Protection under Public Health Emergencies in China
3.1 Lack of Systematic Legal Norms to Protect Personal Information
At present, there is no special personal information protection law in China, and the relevant legal norms have not made systematic provisions on the personal information protection rules in the prevention and control of public health emergencies. Regulations on the protection of personal information are scattered around the Civil Code of China, Law on Prevention and Control of Infectious Diseases, Regulations on Public Health Emergencies, Network Security Law, Notice on Protecting Personal Information and Using Big Data to Support Joint Prevention and Control, etc. Obviously, the existing legal norms do not specify the specific rules for the protection of personal information, nor form a systematic legal norm for the protection of personal information, this situation weakens the overall protection of personal information. Personal information protection provisions scattered in some legal provisions cannot meet the requirements of civil dignity and rights, it needs systematic legal norms of personal information protection.
3.2 Lack of the Specific Rules of Personal Information Protection in Public Health Emergencies
Currently, China has basically established the framework of protection of personal information, but there is still a lack of some detailed rules of collection and utilization rules under public health emergencies. First, there is a lack of regulations on how to use personal information reasonably in public health emergencies. Article 1036 of the Civil Code of China explicitly stipulates that "without the consent of the subject of personal information, the actor shall not bear civil liability for other acts reasonably carried out in order to safeguard the public interest or the legitimate rights and interests of the natural person", but there is no detailed and comprehensive legal provisions on "reasonable implementation". Secondly, there is a lack of standardized measures in the use of personal information. From the personal information leakage incidents during the epidemic period, many information collection and custody subjects have no personal information protection experience, and lack of complete personal information protection operation specification[3]. Law on Prevention and Control of Infectious diseases and Regulations on Public Health Emergencies as the basic normative legal document of public health emergencies, only stipulate above-mentioned subjects have the right to collect, use or circulate personal information in public health emergencies. In addition, also roughly stipulates the corresponding legal responsibilities of the above-mentioned subjects for their non-standard information collection behavior, but does not specify how the above-mentioned subjects should standardize the use of personal information and also there is a lack of detailed provisions on the punishment of personal information disclosure violations. For example, articles 68 and 69 of the Law on Prevention and Control of Infectious Diseases stipulate that "Whoever intentionally divulges information and materials concerning personal privacy of patients with infectious diseases or close contacts shall be ordered by the health administrative department of the people's government at or above the county level to make corrections, circulate a notice of criticism and give a warning; if a crime is constituted, criminal responsibility shall be investigated according to law." Generally speaking, the existing relevant rules are relatively scattered and abstract, and the protection of personal information in special periods is rarely mentioned, there is no systematic and complete legal system for the protection of personal information rights in public health emergencies. It is easy to assume that personal information has not been given due attention and protection in public health emergencies, and cause damage to the personality and property interests of natural persons without further standardization.
4 Proposal to Protecting the Right of Personal Information in Public Health Emergencies in China
4.1 Speed up the Special Legislation of Personal Information Protection
In the information age, personal information protection has become one of the most immediate and realistic interests of the masses. So it is of great significance to formulate a special law on personal information protection to realize, maintain and develop the personal information rights. More than 100 countries in the world have enacted special laws on personal information protection[4]. In contrast to the international practice, European countries have adopted the mode of national legislation leading in the protection of personal data, while the federal government of the United States advocates the mode of self-discipline. On October 13, 2020, the chairman's meeting of the 13th NPC Standing Committee put forward a proposal on the draft personal information protection law, it shows that the conditions for the promulgation of the personal information protection law have reached maturity. The legal system of personal information protection in China has been gradually established, but it is still difficult to adapt to the rapid development of information and the growing needs of people's better life. Therefore, special laws should be formulated and issued on the basis of current laws, which should strengthen the system, pertinence and operability of legal norms, and form a more complete system and provide more powerful legal guarantee in the protection of personal information.
4.2 Standardize the Use and Protection of Personal Information in Public Health Emergencies
4.2.1 Necessity of Protection of the Right to Personal Information in Public Health Emergencies
In reality, whether it was SARS in China in 2003, or the outbreak of various infectious diseases in other countries and regions, the effective control of infectious diseases is the result of timely tracking and analysis of personal information of confirmed or suspected patients, and the NCP infection is no exception. It has been shown that after this public health emergency, the collection, statistics, and circulation of citizens' personal information for the purpose of real-time tracking and monitoring, timely detection, and isolation to cut off the source of infection in the course of epidemic prevention and control are to some extent instrumental in social governance. Local governments and prevention departments collect, analyze, and collect personal information about confirmed and suspected patients, and take quarantine measures on the remaining close contacts in a timely manner. Thus, in responding to public health emergencies, the collection and analysis of personal information of natural persons can be used to achieve effective prevention and control of infectious diseases. In other words, in public health emergencies, the timely collection, analysis, and publication of personal information of confirmed patients, suspected patients, and close contacts is necessary to protect the safety of public health in society. In addition, there is a strong theoretical basis for the collection and use of personal data in the fight against the epidemic. The personal information of natural persons not only serves the interests of citizens' personality, but also the public interest[5]. In other words, personal information is not only used to showcase natural persons to society, but also to inform society about natural persons[6]. From this perspective, personal information is a tool of social governance and has a certain social and public nature. Personal information involves the human dignity of citizens and deserves active legal protection, but when there is a conflict between public interest and private rights, private rights should be surrendered to the public interest. In the epidemic prevention and control, governments and administrative agencies have used their administrative authority to collect and utilize personal information in the public interest for the safety of the majority of the public. However, in the prevention and control of NCP, there were still incidents of personal information collected in the public interest being leaked, causing problems for the parties involved. The list of personal information of Wuhan returnees, collected and compiled by the local government for real-time monitoring, has been circulated in various WeChat groups as a public "wanted list", which not only damages the interests of those whose personal information has been leaked, but also poses another challenge to the balance between personal interests and public interests.
4.2.2 Adding the Legitimate Reasons for Using Personal Information Based on Public Interest Needs
"As a basic principle of personal information processing, the principle of informed consent is as important as the principle of meaningful autonomy in civil law[7], and is the premise and basis for the legitimacy of personal information collection and utilization. It means that the collection, use and circulation of personal information by the subject of personal information requires the explicit consent of the subject of personal information. China's Cybersecurity Law, Infectious Disease Prevention and Control Law, Emergency Regulations for Public Health Emergencies, Decision of the Standing Committee of the National People's Congress on Strengthening the Protection of Network Information, and the Ministry of Industry and Information Technology's Regulations on the Protection of Personal Information of Telecommunications and Internet Users require that the collection and use of citizens' personal information shall be subject to the prior consent of the person whose information is collected. In other words, informed consent is the single most important legal basis for the use of personal information in China. The GDPR of the EU, however, no longer takes informed consent as the only legitimate source of personal information use, but instead provides six bases of legitimacy, one of which is an exception to the principle of informed consent in the public interest. Thus, the collection, use and circulation of personal information without the consent of the data subject is justified in order to achieve the public interest. At this stage, Articles 1034 of Personality Rights of Civil Code of China and Article 5, Paragraph 4 of the Information Security Technology Personal Information Security Standards stipulate that one of the exceptions for the collection and use of personal information by the controller of personal information without the authorization of the subject of the personal information is that it is directly related to public safety, public health and major public interests. It can further recognize the social value of personal information. However, the Code of Information Security Technology for Personal Information Security stipulates that the collection of personal information is no longer subject to the individual's authorization only under certain circumstances, including when public interest is involved, but the further use and circulation of the collected personal information still requires the informed consent of the data subject[12]. Therefore, the paper suggested that China Personal Protection Law could learn from the useful practices of other countries and no longer limit ourselves to the informed consent of the data subject as the only legitimate reason for the use of personal information, but should further break through the shackles and add the collection and use of personal information to the relevant provisions. This includes provisions that allow the use of personal information without the consent of the data subject when it is necessary in the public interest, such as in the case of public health or public safety, thereby providing a variety of exceptions to the principle of informed consent.
4.2.3 Establishing Principles for Using Personal Information in Public Health Emergencies
In the collection and use of personal information in public health emergencies, the seven principles of personal data processing stipulated in Chapter 2 of the EU's GDPR can provide a guide for regulating the use of personal data in public health emergencies in China and help legislators find a balance between personal information protection and public interest. In other words, from the perspective of epidemic prevention and control, the use of personal information is reasonable, but it is necessary to define the scope and extent to which personal information can be used, and the legal subjects of personal data collection should correctly apply the principle of proportionality, within the appropriate and necessary scope of personal use of citizens, without creating unnecessary burdens on these citizens. Because of the information asymmetry between the public and government agents, there may be illegal use of the collected personal data by government agents to maximize their self-utilization, which may harm the interests of the public[13]. Therefore, the paper suggests that the handling of personal data in response to public health emergencies in China requires that subjects who collect and use personal information follow the following principles. First, principle of legality. This includes the lawfulness of the subject and the lawfulness of the procedure. Firstly, the subject collecting personal information shall be a legal entity, and only the subject who has been granted the right to collect information in laws and regulations shall have the right to collect personal information of citizens; other institutions, organizations or individuals cannot collect personal information under the pretext of public health management. Secondly, the subject who collects personal information shall collect or process personal information in accordance with the procedural requirements of laws and regulations, and shall obtain prior consent from the person whose personal information is collected for other purposes, except for the exception that personal information may be collected without the consent of the person. Thirdly, the subject collecting personal information shall comply with the requirements of laws and regulations in terms of the scope, extent and manner of use of personal information.
Second, principle of purpose limitation. The purpose of collecting personal information shall be for a clear and legitimate purpose and the collected personal information cannot be processed for any other purpose afterwards. To solve the conflict between personal health care information and public interest, some scholars proposed to treat the public health information differently according to the risk degree of personal health and medical information, and decide whether to make it public[14]. In response to public health emergencies, the personal information collected by the government and relevant disease prevention agencies should be used for the purposes of public health management and the epidemic prevention and control. In other words, the purpose of personal information collection should be limited to "in order to prevent and control the epidemic in time and ensure the health and safety of social citizens", and it is forbidden to collect personal information without authorization for any other purpose.
Third, the principle of minimum scope. The core of this principle is the issue of "proportionality," which emphasizes that the implementation of a measure is relevant and necessary to achieve its purpose. The principle of proportionality originated from Germany. Otto Meyer, a German administrative jurist, put forward in his book German Administrative Law published in 1895 that administrative power should have the advantage of overriding private interests in pursuit of public welfare, but the infringement of administrative power on the people must conform to the purpose and adopt the method of minimum infringement[15]. In other words, while the use of personal information is reasonable from the point of view of epidemic prevention and control, it should be used within the scope of appropriate and necessary purposes and should not cause unnecessary burdens on citizens or unnecessary negative impacts. Specifically, first, the personal information collected is indeed necessary for the purpose of epidemic prevention and control. In this sense, the means of exposing the personal information of those involved in the epidemic, although necessary for the prevention and control of the epidemic, have clearly exceeded the requirements of the principle of minimum scope. Second, the personal information collected should be relevant information. Relevant information means that the personal information collected by legal entities in the course of epidemic prevention and control should be related to the prevention and control of public health emergencies and be beneficial to epidemic prevention and control. General personal information that does not benefit the prevention and control of an epidemic should not be included in the scope of collection. Fourth, confidentiality principle. The entity that collects personal information is obligated to keep personal information secure when using and distributing sensitive personal information, and to protect the confidentiality and integrity of personal information through access control, encryption, desensitization, and other methods to prevent the leakage or illegal use of personal information during distribution. The market of personal information exchange is not mature, there is a negative correlation between property rights and privacy rights in personal information and the free transfer of personal information may make privacy face many risks[16]. From this point of view, the relevant personal information collecting entity shall observe the principles of anonymity and desensitization in the use of personal information, and shall delete or destroy personal information promptly after its use.
5 Conclusions
The importance of personal data protection in the era of big data is self-evident. In the process of epidemic prevention and control, we attach great importance to the protection of personal data, and at the same time, the reasonable use of personal data as a tool to fight epidemics in an orderly manner, which reflects the balance between the public interest and the protection of private rights and interests, achieves a balance between the use of personal data and public health safety to a certain extent, and is conducive to promoting the role of big data and other new technologies in epidemic prevention and control. Therefore, it is necessary to improve the legislation related to personal information protection and strengthen the rule of law mechanism for personal data sharing between government and enterprises in order to build a systematic, complete, scientific, standardized, and efficient public security emergency management system.
References:
[1] Shao Hongfu, Zhong Jiangniu. Path Selection of the Legal Balance between Public Interest and Private Rights Conflicts in Public Health Emergencies[J]. Social Science Research, 2012(2): 57-62.
[2] Ling Lin, Zhao Yilin. Dual-regulation Mechanism for Personal Information Protection: the EU General Data Protection Regulation[J]. Journalism University, 2019(12): 6-9.
[3] Qin Yang. Legal Protection of Patients' Personal Information and the Role of Public Welfare[J]. Henan Social Science, 2015(9): 67.
[4] Fu Pinggao. On the Purpose of Personal Information Protection - Focusing on the Legal Benefit Distinction of Personal Information Protection[J]. Legal Business Research, 2019(1): 95. [5] Zhou Hanhua. The Legal Position of Personal Information Protection[J]. Legal Business Research, 2020(3): 48.
[6] Jin Song, Zhang Libin. Personal Information Protection in Public Health Emergencies - a Case Study of New Coronavirus Pneumonia[J]. Information Theory and Practice, 2020(6): 8.
[7] Ai Minqi. Principles of Information Law[M]. Wuhan: Wuhan University Press, 2010: 58.
[8] Fan Jiang, Yu Haochang. The Dilemma and Way out of "Informed Consent" in Personal Information Protection[J]. Economic Law Forum, 2018(2): 49-50.
[9] Russell. The History of Western Philosophy: the Next Volume[M]. Yuan Dema,translated. The Commercial Press, 1991: 329.
[10] Xin Baozhang. From Privacy to Personal Information: Theory and Institutional Arrangement of Benefit Re-measurement[J]. China Law, 2015(3): 45-46.
[11] Li Yi. Balancing the Conflict between the Right to Personal Information and Public Interest[J]. Journal of Chongqing Second Teachers' College, 2019(3):17-18.
[12] Huan Minlin. The Dilemma and Way out of Informed Consent Principle in Personal Information Protection[J]. Journal of Beijing University of Aeronautics and Astronautics (Social Science Edition), 2016 (5): 18-19.
[13] Lei Jieqiu et al. Preliminary Discussion on the Protection of Civil Rights in Public Health Crisis Events[J]. Chinese Medical Ethics, 2016(4): 695-696.
[14] Mark J. Taylor. Legal Bases for Disclosing Confidential Patient Information for Public Health: Distinguishing between Health Protection and Health Improvement[J]. Medical Law Review, 2015, 23(5): 348—374.
[15] Otto Meyer. German Administrative Law[M]. Liu Fei translated. Beijing: Commercial Press, 2002: 28-29, 60, 64.
[16] Cohen, J. E. Examined Lives: Informational Privacy and the Subject as Object. Stanford Law Review, 2000, 52(5): 1373-1438.
公共衛生突发事件中个人信息权的保护:
以新型冠状病毒肺炎疫情为背景
孜里米拉·艾尼瓦尔
(中南财经政法大学 知识产权研究中心,武汉430000)
摘 要:在公共卫生突发事件应对中追踪检测、收集及分析大量的个人健康信息和流动信息是出于社会大多数公众的生命安全之考虑,是实现公共管理手段的体现,可以达到对传染疾病的有效防治目的。但个人信息收集主体不规范的行为可能会导致个人信息泄露之可能,造成相关当事人的利益受损,如何平衡个人信息采集与公共利益保护依旧悬而未决。以公共卫生突发事件中的个人信息利用为全新视角,对个人信息保护制度进行研究,对于破解个人信息保护面临的实践难题具有重要的现实意义。本文分析了突发公共卫生事件下个人信息保护的法律依据,结合我国突发公共卫生事件下个人信息保护豁免的域外实践,指出我国突发公共卫生事件下个人信息保护存在一些困境,如在突发公共卫生事件中,个人信息的保护缺乏专门的立法和事后具体的利用规则。未来我国在突发公共卫生事件中,应加快个人信息保护的专门立法,同时应确立合法性原则、目的限定原则、最小范围原则及保密性原则为内容的公共卫生突发事件个人信息处理原则来进一步规范信息控制主体的行为。
关键词:公共卫生突发事件;个人信息保护;公共利益;个人信息保护法
Key words: public health emergencies; personal information protection; public interest; personal information protection law
CLC: D 912 DC: A Article ID: 2096-9783(2021)03-0119-09
1 The Origin of the Problem
According to Article 2 of the Emergency Regulations for Public Health Emergencies, a public health emergency is: "a sudden outbreak of a major infectious disease epidemic, mass unexplained disease, major food and occupational poisoning, and other events affecting public health that causes or is likely to cause serious damage to public health." The outbreak of Novel Corona virus Pneumonia in 2020 (hereafter referred to as the NCP) has been declared a public health emergency by the World Health Organization. According to the principle of prevention and control of infectious diseases of "early discovery and early isolation", local governments have actively exerted the advantages of information and communication technology by using big data and other means under the guidance of the Party Central Committee and the State Council, organized and carried out the analysis of big data of telecommunication, and strengthened the tracking and detection of the epidemic tracing for the returned people and other floating personnel during the Spring Festival, including demographic information of returning people and "same journey investigation" services, etc., aims to understand the disease clues at the fastest speed, so as to facilitate the government to carry out targeted epidemic prevention and control work. Practice shows that, compared with the outbreak of SARS 17 years ago, information technology, represented by big data, is playing a vital role in the prevention and control of the epidemic. It can not only grasp the trajectory of confirmed patients, suspected patients and close contacts in a timely, accurate and comprehensive manner, but also issue an effective early warning to all citizens. However, in the course of the community's concerted efforts to deal with the epidemic, irregularities in the use of personal information have emerged, such as the illegal use of personal information for the purpose of finding close contacts of confirmed new coronary cases, and even the uncontrolled dissemination of personal information, such as the publication of other people's names, cell phone numbers, home addresses, ID card numbers and other personal information in WeChat groups. Individuals whose information has been made public have also received phone calls from strangers and harassment through WeChat. The government collects, counts, and circulates health information and mobility information of Wuhan returnees; the community counts residents' body temperature and contains sensitive personal information in temperature charts; and citizens travel on various types of transportation and fill out "health declaration cards" containing health information and personal information, all of which are related to the protection of personal data to varying degrees[1].
In the current complex background of epidemic prevention and control, although the tracking and detection of the source of the epidemic using big data has played an obvious role in epidemic prevention and control, people whose personal information has been leaked and those who have close contact with the confirmed or suspected victims of NCP will certainly become a group of high concern, and in the process of personal information being illegally leaked and disseminated, some extortion, blackmail and malicious acts may occur. The reporting and harassment of individuals and their families has led to the risk of harm to their physical and mental health or to discriminatory treatment. As countries legislate personal information protection in the digital information age becomes a basic social consensus and norm, major public health emergencies force people to rethink how to deal with the boundaries between public interest and private rights in the face of major public health emergencies. Although the collection and use of personal data for public health management purposes plays a significant role in the fight against epidemics, the core rights of individuals should not be denied, and the necessity and appropriateness of some specific measures should be explored. Therefore, in this paper, we will define the scope of personal information, review the current laws and regulations on the use of information in public health emergencies in China, and make recommendations on the legislation and practice of personal information protection based on the experience of extra-territorial protection and exemptions in public health emergencies, so as to lay a foundation for the lawful use of personal information in public health emergencies. 2 Legal Basis and Overseas Practice of Protection of Personal Information Right in Public Health Emergencies
2.1 Legal Basis of Protection of Personal Information Right in Public Health Emergencies—the Current China Approach
2.1.1 Scope of Personal Information
Accurate definition of "personal information" in the context of public health emergencies is a prerequisite for citizens to be able to obtain remedies when their personal information is compromised. Articles 1034 to 1038 of Personality Rights of Civil Code of China have made complete provisions on the protection of personal information, among which article 1034 clearly defines the scope of personal information: "personal information of natural person is protected by law. Personal information is all kinds of information recorded by electronic or other means, which can identify a specific natural person individually or in combination with other information, including a person's given name, date of birth, ID number, biometric information, address, telephone number, e-mail, health information, etc". In addition, article 1034 distinguishes the private information contained in personal information, and emphasizes the application of the relevant provisions of the right of privacy to the private information. In this regard, the concept of "personal sensitive information" has also been put forward in paragraph 3 of the Information Security Technology Personal Information Security Rule, so as to distinguish it from personal information, i.e.: "Personal sensitive information refers to personal information that, if leaked, illegally provided or misused, may jeopardize the safety of persons and property and may easily lead to damage to personal reputation, physical and mental health or discriminatory treatment, including identity ID numbers, personal biometric information, bank account numbers, communication records and contents, property information, whereabouts trails, accommodation information, health and physiological information, transaction information, and personal information of children under the age of 14 (inclusive)."
First of all, personal information has distinguishing characteristics, information that helps identify a specific natural person, either directly or indirectly, is considered personal information. In other words, information that directly identifies a natural person means that the person can be contacted through the data itself, such as portrait, name, identity card number, cell phone number, home address, workplace, etc. of the natural person. In addition, some information by itself cannot accurately point to a specific natural person, but when combined with other information can be linked to a specific natural person, such information should also be regarded as personal information, including the person's special hobbies, gender, age, work units, etc. Secondly, the private information contained in personal information has the characteristics of privacy. Once the information is leaked, it will bring a certain degree of damage to the personal and property security of the information leaked subject, or it may be discriminated by exclusion, abuse and other discriminatory treatment. Obviously, the names, ID numbers, home addresses, contact information, whereabouts and other information collected, counted and circulated by local government departments for real-time monitoring of NCP prevention work, as well as the names, ID numbers, home addresses, contact information, whereabouts and other information of Wuhan returnees and NCP patients all fall within the scope of personal information under the Civil Code of China, and also under the Information Security Technology Personal Information Security Rule for the scope of personal sensitive information. If such information is disclosed, it will cause some degree of damage to the personal and property security of the subject of the disclosed information or may be ostracized, abused and other discriminatory treatment.
2.1.2 Subject of Collecting Personal Information in Public Health Emergencies
In order to meet the needs of public health emergency response, the competent departments or relevant units and authorized organizations can collect, use or circulate personal information. According to the current laws and regulations in China, there may be the following subjects who have the right to collect, use or circulate the personal data of epidemic related personnel:
First, disease prevention and control institutions, such as the health department of the State Council, and authorized institutions, such as health administrative institutions, medical institutions, communities, township residents' committees and villagers' committees authorized by government departments at all levels have the right to collect and release information of epidemic events to the society.
Second, people's governments of provinces, autonomous regions and municipalities directly under the central government have the right to collect and analyze emergency information through various channels in accordance with the emergency plan of the administrative region.
Third, transportation department have the right to require to supervise and urge passenger cars, taxis, online car hailing, etc. to cooperate with the health department, and do a good job in the information submission of the people who are in close contact with the cases in the same vehicle.
Forth, all kinds of enterprises and institutions collect the personal information of students, employees and their families instead of local governments, and report it to local government organs.
2.2 Overseas Practice of Protection of Personal Information Right in Public Health Emergencies——EU General Data Protection Regulations (GDPR) With the increasing number of data generated by social individuals, according to the EU values, basic rights and basic rules, the interests of social individuals must be put in the first place in the collection and application of data. Only when European citizens are convinced that any personal data sharing within the EU will fully comply with EU data protection rules, will citizens believe and accept such innovations. At the same time, with the technological changes in the field of data storage and processing, the number of EU public data and non-personal industry data is increasing day by day in the EU, which provides a continuous driving force for EU innovation and social and economic development.
In order to ensure the safe and legal use and circulation of personal information, countries around the world have successively introduced laws and regulations on personal information protection. In response to the potential dangers in China's personal data protection and governance highlighted by the epidemic, countries around the world have established a considerable degree of practice for reference, the most typical of which is the European Union's General Data Protection Regulation (GDPR). Adopted by the European Parliament on April 14, 2016, the GDPR, which came into force on May 25, 2018, has consistently upheld the information governance model of strengthening the protection of personal information as a fundamental right, and established a series of personal information protection. The GDPR looks at personal information protection rules within the framework of "public society - individual privacy" and opposes restrictions on the use of personal data by governments and organizations, instead establishes the rules for the effective use of personal data by them[2].
Data subject consent is defined in the GDPR as: "The data subject expresses his or her consent to the processing of personal data concerning him or her, either by means of a written declaration or by means of an explicit affirmative action. Such expression of will shall be freely given, specific, informed and unambiguous." Obviously, this provision requires a "clear and unequivocal" positive declaration by the data subject at the time of collection of personal data, and only with the consent of the data subject can the data controller make further use of his or her personal data. However, within the framework of the EU GDPR, the consent of the data subject is not the only lawful basis for the processing of personal data. With regard to the protection of personal data in the context of public health emergencies such as the pneumonia epidemic caused by the novel Corona virus infection, Article 9(1) of the GDPR lists the legal conditions under which infectious disease prevention and medical institutions and related organizations may exceptionally use personal data without the consent of the data subject, including (1) for the performance of a task in the public interest or on the basis of official authority; (2) for the performance by the controller of (3) the processing is necessary to achieve a substantial public interest. In essence, these three legitimate grounds under the GDPR can effectively support the use of personal information by CDCs, health care providers, and related organizations in outbreak prevention and control efforts in the event of a public health emergency. According to the provisions of the EU GDPR, for the purpose of analyzing infectious diseases and early warning, monitoring epidemics and transmission trends, personal sensitive data can be processed for public interest purposes even without the consent of the data subject. 3 The Dilemma of Personal Information Protection under Public Health Emergencies in China
3.1 Lack of Systematic Legal Norms to Protect Personal Information
At present, there is no special personal information protection law in China, and the relevant legal norms have not made systematic provisions on the personal information protection rules in the prevention and control of public health emergencies. Regulations on the protection of personal information are scattered around the Civil Code of China, Law on Prevention and Control of Infectious Diseases, Regulations on Public Health Emergencies, Network Security Law, Notice on Protecting Personal Information and Using Big Data to Support Joint Prevention and Control, etc. Obviously, the existing legal norms do not specify the specific rules for the protection of personal information, nor form a systematic legal norm for the protection of personal information, this situation weakens the overall protection of personal information. Personal information protection provisions scattered in some legal provisions cannot meet the requirements of civil dignity and rights, it needs systematic legal norms of personal information protection.
3.2 Lack of the Specific Rules of Personal Information Protection in Public Health Emergencies
Currently, China has basically established the framework of protection of personal information, but there is still a lack of some detailed rules of collection and utilization rules under public health emergencies. First, there is a lack of regulations on how to use personal information reasonably in public health emergencies. Article 1036 of the Civil Code of China explicitly stipulates that "without the consent of the subject of personal information, the actor shall not bear civil liability for other acts reasonably carried out in order to safeguard the public interest or the legitimate rights and interests of the natural person", but there is no detailed and comprehensive legal provisions on "reasonable implementation". Secondly, there is a lack of standardized measures in the use of personal information. From the personal information leakage incidents during the epidemic period, many information collection and custody subjects have no personal information protection experience, and lack of complete personal information protection operation specification[3]. Law on Prevention and Control of Infectious diseases and Regulations on Public Health Emergencies as the basic normative legal document of public health emergencies, only stipulate above-mentioned subjects have the right to collect, use or circulate personal information in public health emergencies. In addition, also roughly stipulates the corresponding legal responsibilities of the above-mentioned subjects for their non-standard information collection behavior, but does not specify how the above-mentioned subjects should standardize the use of personal information and also there is a lack of detailed provisions on the punishment of personal information disclosure violations. For example, articles 68 and 69 of the Law on Prevention and Control of Infectious Diseases stipulate that "Whoever intentionally divulges information and materials concerning personal privacy of patients with infectious diseases or close contacts shall be ordered by the health administrative department of the people's government at or above the county level to make corrections, circulate a notice of criticism and give a warning; if a crime is constituted, criminal responsibility shall be investigated according to law." Generally speaking, the existing relevant rules are relatively scattered and abstract, and the protection of personal information in special periods is rarely mentioned, there is no systematic and complete legal system for the protection of personal information rights in public health emergencies. It is easy to assume that personal information has not been given due attention and protection in public health emergencies, and cause damage to the personality and property interests of natural persons without further standardization.
4 Proposal to Protecting the Right of Personal Information in Public Health Emergencies in China
4.1 Speed up the Special Legislation of Personal Information Protection
In the information age, personal information protection has become one of the most immediate and realistic interests of the masses. So it is of great significance to formulate a special law on personal information protection to realize, maintain and develop the personal information rights. More than 100 countries in the world have enacted special laws on personal information protection[4]. In contrast to the international practice, European countries have adopted the mode of national legislation leading in the protection of personal data, while the federal government of the United States advocates the mode of self-discipline. On October 13, 2020, the chairman's meeting of the 13th NPC Standing Committee put forward a proposal on the draft personal information protection law, it shows that the conditions for the promulgation of the personal information protection law have reached maturity. The legal system of personal information protection in China has been gradually established, but it is still difficult to adapt to the rapid development of information and the growing needs of people's better life. Therefore, special laws should be formulated and issued on the basis of current laws, which should strengthen the system, pertinence and operability of legal norms, and form a more complete system and provide more powerful legal guarantee in the protection of personal information.
4.2 Standardize the Use and Protection of Personal Information in Public Health Emergencies
4.2.1 Necessity of Protection of the Right to Personal Information in Public Health Emergencies
In reality, whether it was SARS in China in 2003, or the outbreak of various infectious diseases in other countries and regions, the effective control of infectious diseases is the result of timely tracking and analysis of personal information of confirmed or suspected patients, and the NCP infection is no exception. It has been shown that after this public health emergency, the collection, statistics, and circulation of citizens' personal information for the purpose of real-time tracking and monitoring, timely detection, and isolation to cut off the source of infection in the course of epidemic prevention and control are to some extent instrumental in social governance. Local governments and prevention departments collect, analyze, and collect personal information about confirmed and suspected patients, and take quarantine measures on the remaining close contacts in a timely manner. Thus, in responding to public health emergencies, the collection and analysis of personal information of natural persons can be used to achieve effective prevention and control of infectious diseases. In other words, in public health emergencies, the timely collection, analysis, and publication of personal information of confirmed patients, suspected patients, and close contacts is necessary to protect the safety of public health in society. In addition, there is a strong theoretical basis for the collection and use of personal data in the fight against the epidemic. The personal information of natural persons not only serves the interests of citizens' personality, but also the public interest[5]. In other words, personal information is not only used to showcase natural persons to society, but also to inform society about natural persons[6]. From this perspective, personal information is a tool of social governance and has a certain social and public nature. Personal information involves the human dignity of citizens and deserves active legal protection, but when there is a conflict between public interest and private rights, private rights should be surrendered to the public interest. In the epidemic prevention and control, governments and administrative agencies have used their administrative authority to collect and utilize personal information in the public interest for the safety of the majority of the public. However, in the prevention and control of NCP, there were still incidents of personal information collected in the public interest being leaked, causing problems for the parties involved. The list of personal information of Wuhan returnees, collected and compiled by the local government for real-time monitoring, has been circulated in various WeChat groups as a public "wanted list", which not only damages the interests of those whose personal information has been leaked, but also poses another challenge to the balance between personal interests and public interests.
4.2.2 Adding the Legitimate Reasons for Using Personal Information Based on Public Interest Needs
"As a basic principle of personal information processing, the principle of informed consent is as important as the principle of meaningful autonomy in civil law[7], and is the premise and basis for the legitimacy of personal information collection and utilization. It means that the collection, use and circulation of personal information by the subject of personal information requires the explicit consent of the subject of personal information. China's Cybersecurity Law, Infectious Disease Prevention and Control Law, Emergency Regulations for Public Health Emergencies, Decision of the Standing Committee of the National People's Congress on Strengthening the Protection of Network Information, and the Ministry of Industry and Information Technology's Regulations on the Protection of Personal Information of Telecommunications and Internet Users require that the collection and use of citizens' personal information shall be subject to the prior consent of the person whose information is collected. In other words, informed consent is the single most important legal basis for the use of personal information in China. The GDPR of the EU, however, no longer takes informed consent as the only legitimate source of personal information use, but instead provides six bases of legitimacy, one of which is an exception to the principle of informed consent in the public interest. Thus, the collection, use and circulation of personal information without the consent of the data subject is justified in order to achieve the public interest. At this stage, Articles 1034 of Personality Rights of Civil Code of China and Article 5, Paragraph 4 of the Information Security Technology Personal Information Security Standards stipulate that one of the exceptions for the collection and use of personal information by the controller of personal information without the authorization of the subject of the personal information is that it is directly related to public safety, public health and major public interests. It can further recognize the social value of personal information. However, the Code of Information Security Technology for Personal Information Security stipulates that the collection of personal information is no longer subject to the individual's authorization only under certain circumstances, including when public interest is involved, but the further use and circulation of the collected personal information still requires the informed consent of the data subject[12]. Therefore, the paper suggested that China Personal Protection Law could learn from the useful practices of other countries and no longer limit ourselves to the informed consent of the data subject as the only legitimate reason for the use of personal information, but should further break through the shackles and add the collection and use of personal information to the relevant provisions. This includes provisions that allow the use of personal information without the consent of the data subject when it is necessary in the public interest, such as in the case of public health or public safety, thereby providing a variety of exceptions to the principle of informed consent.
4.2.3 Establishing Principles for Using Personal Information in Public Health Emergencies
In the collection and use of personal information in public health emergencies, the seven principles of personal data processing stipulated in Chapter 2 of the EU's GDPR can provide a guide for regulating the use of personal data in public health emergencies in China and help legislators find a balance between personal information protection and public interest. In other words, from the perspective of epidemic prevention and control, the use of personal information is reasonable, but it is necessary to define the scope and extent to which personal information can be used, and the legal subjects of personal data collection should correctly apply the principle of proportionality, within the appropriate and necessary scope of personal use of citizens, without creating unnecessary burdens on these citizens. Because of the information asymmetry between the public and government agents, there may be illegal use of the collected personal data by government agents to maximize their self-utilization, which may harm the interests of the public[13]. Therefore, the paper suggests that the handling of personal data in response to public health emergencies in China requires that subjects who collect and use personal information follow the following principles. First, principle of legality. This includes the lawfulness of the subject and the lawfulness of the procedure. Firstly, the subject collecting personal information shall be a legal entity, and only the subject who has been granted the right to collect information in laws and regulations shall have the right to collect personal information of citizens; other institutions, organizations or individuals cannot collect personal information under the pretext of public health management. Secondly, the subject who collects personal information shall collect or process personal information in accordance with the procedural requirements of laws and regulations, and shall obtain prior consent from the person whose personal information is collected for other purposes, except for the exception that personal information may be collected without the consent of the person. Thirdly, the subject collecting personal information shall comply with the requirements of laws and regulations in terms of the scope, extent and manner of use of personal information.
Second, principle of purpose limitation. The purpose of collecting personal information shall be for a clear and legitimate purpose and the collected personal information cannot be processed for any other purpose afterwards. To solve the conflict between personal health care information and public interest, some scholars proposed to treat the public health information differently according to the risk degree of personal health and medical information, and decide whether to make it public[14]. In response to public health emergencies, the personal information collected by the government and relevant disease prevention agencies should be used for the purposes of public health management and the epidemic prevention and control. In other words, the purpose of personal information collection should be limited to "in order to prevent and control the epidemic in time and ensure the health and safety of social citizens", and it is forbidden to collect personal information without authorization for any other purpose.
Third, the principle of minimum scope. The core of this principle is the issue of "proportionality," which emphasizes that the implementation of a measure is relevant and necessary to achieve its purpose. The principle of proportionality originated from Germany. Otto Meyer, a German administrative jurist, put forward in his book German Administrative Law published in 1895 that administrative power should have the advantage of overriding private interests in pursuit of public welfare, but the infringement of administrative power on the people must conform to the purpose and adopt the method of minimum infringement[15]. In other words, while the use of personal information is reasonable from the point of view of epidemic prevention and control, it should be used within the scope of appropriate and necessary purposes and should not cause unnecessary burdens on citizens or unnecessary negative impacts. Specifically, first, the personal information collected is indeed necessary for the purpose of epidemic prevention and control. In this sense, the means of exposing the personal information of those involved in the epidemic, although necessary for the prevention and control of the epidemic, have clearly exceeded the requirements of the principle of minimum scope. Second, the personal information collected should be relevant information. Relevant information means that the personal information collected by legal entities in the course of epidemic prevention and control should be related to the prevention and control of public health emergencies and be beneficial to epidemic prevention and control. General personal information that does not benefit the prevention and control of an epidemic should not be included in the scope of collection. Fourth, confidentiality principle. The entity that collects personal information is obligated to keep personal information secure when using and distributing sensitive personal information, and to protect the confidentiality and integrity of personal information through access control, encryption, desensitization, and other methods to prevent the leakage or illegal use of personal information during distribution. The market of personal information exchange is not mature, there is a negative correlation between property rights and privacy rights in personal information and the free transfer of personal information may make privacy face many risks[16]. From this point of view, the relevant personal information collecting entity shall observe the principles of anonymity and desensitization in the use of personal information, and shall delete or destroy personal information promptly after its use.
5 Conclusions
The importance of personal data protection in the era of big data is self-evident. In the process of epidemic prevention and control, we attach great importance to the protection of personal data, and at the same time, the reasonable use of personal data as a tool to fight epidemics in an orderly manner, which reflects the balance between the public interest and the protection of private rights and interests, achieves a balance between the use of personal data and public health safety to a certain extent, and is conducive to promoting the role of big data and other new technologies in epidemic prevention and control. Therefore, it is necessary to improve the legislation related to personal information protection and strengthen the rule of law mechanism for personal data sharing between government and enterprises in order to build a systematic, complete, scientific, standardized, and efficient public security emergency management system.
References:
[1] Shao Hongfu, Zhong Jiangniu. Path Selection of the Legal Balance between Public Interest and Private Rights Conflicts in Public Health Emergencies[J]. Social Science Research, 2012(2): 57-62.
[2] Ling Lin, Zhao Yilin. Dual-regulation Mechanism for Personal Information Protection: the EU General Data Protection Regulation[J]. Journalism University, 2019(12): 6-9.
[3] Qin Yang. Legal Protection of Patients' Personal Information and the Role of Public Welfare[J]. Henan Social Science, 2015(9): 67.
[4] Fu Pinggao. On the Purpose of Personal Information Protection - Focusing on the Legal Benefit Distinction of Personal Information Protection[J]. Legal Business Research, 2019(1): 95. [5] Zhou Hanhua. The Legal Position of Personal Information Protection[J]. Legal Business Research, 2020(3): 48.
[6] Jin Song, Zhang Libin. Personal Information Protection in Public Health Emergencies - a Case Study of New Coronavirus Pneumonia[J]. Information Theory and Practice, 2020(6): 8.
[7] Ai Minqi. Principles of Information Law[M]. Wuhan: Wuhan University Press, 2010: 58.
[8] Fan Jiang, Yu Haochang. The Dilemma and Way out of "Informed Consent" in Personal Information Protection[J]. Economic Law Forum, 2018(2): 49-50.
[9] Russell. The History of Western Philosophy: the Next Volume[M]. Yuan Dema,translated. The Commercial Press, 1991: 329.
[10] Xin Baozhang. From Privacy to Personal Information: Theory and Institutional Arrangement of Benefit Re-measurement[J]. China Law, 2015(3): 45-46.
[11] Li Yi. Balancing the Conflict between the Right to Personal Information and Public Interest[J]. Journal of Chongqing Second Teachers' College, 2019(3):17-18.
[12] Huan Minlin. The Dilemma and Way out of Informed Consent Principle in Personal Information Protection[J]. Journal of Beijing University of Aeronautics and Astronautics (Social Science Edition), 2016 (5): 18-19.
[13] Lei Jieqiu et al. Preliminary Discussion on the Protection of Civil Rights in Public Health Crisis Events[J]. Chinese Medical Ethics, 2016(4): 695-696.
[14] Mark J. Taylor. Legal Bases for Disclosing Confidential Patient Information for Public Health: Distinguishing between Health Protection and Health Improvement[J]. Medical Law Review, 2015, 23(5): 348—374.
[15] Otto Meyer. German Administrative Law[M]. Liu Fei translated. Beijing: Commercial Press, 2002: 28-29, 60, 64.
[16] Cohen, J. E. Examined Lives: Informational Privacy and the Subject as Object. Stanford Law Review, 2000, 52(5): 1373-1438.
公共衛生突发事件中个人信息权的保护:
以新型冠状病毒肺炎疫情为背景
孜里米拉·艾尼瓦尔
(中南财经政法大学 知识产权研究中心,武汉430000)
摘 要:在公共卫生突发事件应对中追踪检测、收集及分析大量的个人健康信息和流动信息是出于社会大多数公众的生命安全之考虑,是实现公共管理手段的体现,可以达到对传染疾病的有效防治目的。但个人信息收集主体不规范的行为可能会导致个人信息泄露之可能,造成相关当事人的利益受损,如何平衡个人信息采集与公共利益保护依旧悬而未决。以公共卫生突发事件中的个人信息利用为全新视角,对个人信息保护制度进行研究,对于破解个人信息保护面临的实践难题具有重要的现实意义。本文分析了突发公共卫生事件下个人信息保护的法律依据,结合我国突发公共卫生事件下个人信息保护豁免的域外实践,指出我国突发公共卫生事件下个人信息保护存在一些困境,如在突发公共卫生事件中,个人信息的保护缺乏专门的立法和事后具体的利用规则。未来我国在突发公共卫生事件中,应加快个人信息保护的专门立法,同时应确立合法性原则、目的限定原则、最小范围原则及保密性原则为内容的公共卫生突发事件个人信息处理原则来进一步规范信息控制主体的行为。
关键词:公共卫生突发事件;个人信息保护;公共利益;个人信息保护法