大数据时代个人数据利用与保护的均衡——“资源准入模式”之提出

在大数据时代，传统的人格权、财产权两种个人数据保护路径不仅无法为个人隐私提供实质性保障，而且已成为制约数据利用的重要掣肘。借助经济学上的公共物品概念可以发现，所谓平衡个人数据的利用与保护实际上就是如何合理圈定数据流转范围的问题，应采用兼顾个人数据利用与保护的“资源准入模式”：第一，只有具备数据安全保障能力的企业才能收集、使用个人数据，且个人数据只能在适格企业范围内流转；第二，被收集后的个人数据以可逆转的方式在适格企业范围内成为公共物品；第三，应匹配相应的私权规则、激励规则、行政监管手段，并对接统一的数据资源平台。

Balance of Utilization and Protection of Personal Data in Big Data Era: The Proposal of Resource Access Model

In recent years, the total amount of global data has grown at an exponential rate, most of it resulting from ″human behaviors″ and thus is ″personal data″. The drive and synchronization of those data are indispensable for the development of a variety of technologies, such as the Internet of Things, Big Data, Cloud Computing and Artificial Intelligence. However, the aggregation and circulation of personal data has the risk of violating individual privacy. Therefore, how to govern personal data in the information age has become a difficult problem. In this regard, we would like to discuss issues in personal data governance for modern states from four aspects. First, a goal of data governance should be to evolve with the development and the needs of the times. And the objectives of privacy protection as well as data circulation and utilization should be balanced and achieved in coordination. Second, the objects of governance need to be distinguished with different systems designed for protecting personal information with the fields of public law and private law. This is because public law concerns the self-restriction of state power, while private law is using public power to regulate private relations. In particular, the actions of handling of personal data by private citizens in a purely personal manner should not be regulated（ex ante) by personal data protection legislation. But it should be appropriate by using（ex post) regulatory means to strengthen criminal deterrence and increase the cost of rights infringement. A possible result of improper（ex ante) regulation may lead to infringement of the most basic freedom of thoughts and freedom of actions of individual citizens that may be viewed as an over-correction. Third, we should focus on innovation in the mechanisms of governance. Data dividends are internal driving forces for companies to collect, use, and exchange data. Relying solely on command-control type of governance cannot alter a company's profit-driven nature. Economic incentives, such as financial supports, tax breaks, and market access, could be used to encourage companies to adhere to the rules of personal data protection. In addition, the government can increase citizens awareness of privacy protection, and thus effectively trigger social supervision mechanisms, forcing companies to abide by the rules of data protection. Fourth, an ″informed consent″ framework needs to be properly designed. It should be noted that the reason why personal data has value is because of its ″reusability″. Therefore, to what extent personal data is protected is a question of how to control data flow. We try to address this issue by constructing a theoretical model of ″data pool″. ″Data pool″ is personal data, with the consent of citizens that can be collected and put into a ″pool″ and then become ″public goods″. Personal data in this ″pool″ can be shared, traded, or used（only) by ″eligible firms″, in a variety of ways without the need for consent from the original data owners. However, tort law, criminal law, and relevant administrative laws and regulations that protect citizens privacy will still constitute the boundaries of handling personal data. The so-called ″eligible firms″ refer to those having met the requirements of safe use of data in all dimensions, such as technical precautions and risk warning, and having obtained ″data access permission″. Whether a party agrees to allow personal data to become public goods depends on factors such as privacy preferences, incentives（for example, commercial discounts), and the enforcement of privacy policies. Legislators should set up ″guiding principles of public goods plus agreed exemptions（which means citizens can grant the usage of their personal data to only one or several companies and restrict the scope of personal data being used)″ to encourage and guide personal data to be circulated as public goods. Those principles should be supplemented by rules of private rights（such as rights to information, amendment and termination), appropriate administrative means of supervision（such as registration of data collection and data transferring, with data transferring restricted among only ″eligible″ companies) and administrative incentives. The above theoretical model should be supported by a unified data resource platform. At this time there are experimental big data trading centers established in China that function as hardware assurance for the above theoretical model.