委托处理个人信息的私法规制

委托处理个人信息是信息流动、共享与利用的必然选择。《个人信息保护法》第21条专门为委托处理个人信息提供了规范基础,填补了《民法典》《电子商务法》《网络安全法》等规范空白,但就该条的规范内容如何解释适用,对委托处理私法规制的目的、对象及方式等要素的具体展开,仍需藉由解释论予以完善。由于司法实践中,信息处理者通常会援引其与第三人之间存在合同或其他交易安排,系由他人造成了损害而与自身的处理行为无关,给信息主体的权益保护带来了挑战,这构成了委托处理私法规制的核心。作为对委托处理进行私法规制的基础论证,委托处理的法律结构不同于共同处理,信息处理者与受托人之间为从属关系,信息处理者决定了处理的目的、方式,受托人只能按信息处理者的指示处理个人信息。为了更好地保障信息主体的合法权益,委托处理关系内部合同应当包含必备条款以确保受托人合法处理数据,且信息处理者可以检查受托人是否遵守这些规定。相较于《个人信息保护法》第20条由内部主体约定各方的权利义务,第21条第1款详细列举委托处理的目的、期限、处理方式、个人信息的种类、保护措施以及双方的权利和义务等事项,是值得肯定的立法选择。结合《个人信息保护法》第21条第2款以及域外法的通常规则,受托人应当承担依指示处理、服务结束后的返还(或删除)、保密三项法定义务。此外,在转委托、告知同意以及适当化任命与监督上不能适用委托合同的一般规则,其目的在于确保受托人正确、合适地履行职责,遵守个人信息保护法规。对于各方的责任承担,《个人信息保护法》第69条规定了损害赔偿责任,同时,依靠《民法典》规范实现体系拓展,使信息主体的权益救济不仅可以通过人格权编加以解决,还可以通过侵权责任编进行兜底保护。然而,《个人信息保护法》第21条并未规定信息处理者与受托人之间如何进行责任划分,构成法律漏洞。为消解委托处理中责任主体不明的救济困境,应当通过连带责任规则实现信息主体的权益救济。具体而言,在漏洞填补上可以借助共同危险行为理论,类推适用《民法典》第1170条的规定,除非能够证明损害确实是由对方引起,否则要求信息处理者与受托人就同一处理中的损害承担连带责任。

Civil law regulation of entrusted processing of personal information

Entrusted processing of personal information is an inevitable option of information flowing, sharing, and using. Article 21 of the Personal Information Protection Law (PIPL) specifically provides a regulatory basis for entrusted processing of personal information, filling the normative gaps of the Civil Code, the Electronic Commerce Law and the Network Security Law. However, how to interpret and apply the regulatory content of this article, and the specific development of the purpose, objects, methods and other elements of the entrusted processing still needs to be improved through interpretation. In judicial practice, information processors often cite the existence of contracts or other transaction arrangements with a third party, in which the damage is caused by others rather than their own processing behaviors, which brings challenges to the protection of the rights and interests of information subjects. This is the core of civil law regulation of entrusted processing. As the basic argument of private law regulation of entrusted processing, the legal structure of entrusted processing is different from joint processing, in which there is a subordinate relationship between the information processor and the entrusted party. The information processor decides the purpose and method of processing, and the entrusted party can process the personal information only as instructed by the information processor. In order to better safeguard the rights of information subjects, the internal contract of entrusted processing relationship must include mandatory provisions to ensure that the entrusted party legally processes data and the information processor can check whether the entrusted party has complied with these provisions. Compared with Article 20 of the PIPL which stipulates the rights and obligations of each party shall be agreed upon by an internal person, Article 21.1 that lists in detail the purpose, duration, and method of the entrustment, types of personal information, protection measures as well as the rights and obligations of the parties is a positive legislative choice. In accordance with Article 21.2 of the PIPL and the general rules of foreign law, the entrusted party shall bear three statutory obligations, including process as instructions, return or deletion, and keep confidentiality. In addition, the general rules of entrustment contracts cannot apply to sub-entrustment, notification of consent, as well as appropriate appointment and supervision, which are for the purpose of ensuring that the entrusted party can correctly and appropriately perform its duties and comply with the regulations on the protection of personal information. As for the assumption of liability of the parties, Article 69 of the PIPL provides for the liability for damages. Meanwhile, the system is expanded by relying on the norms of the Civil Code. Therefore, the remedy of the rights and interests of the information subject can not only be solved through the Personality Rights Part, but also be protected through the Tort Liability Part. However, Article 21 of the PIPL does not provide for the division of responsibilities between the information processor and the entrusted party, which constitutes a legal loophole. In order to alleviate the relief predicament of liability subject, the rights relief of the information subject should be realized through joint and several liability rules. Specifically speaking, the theory of joint dangerous acts may be used, and by analogy the provisions of Article 1170 of the Civil Code may be applied, which requires the information processor and the entrusted party to be jointly liable for damages in the same transaction, unless it can be proved that the damages are actually caused by the other parties.