敏感个人信息保护制度的解释性重构  

作　　者：丁晓东[1] Ding Xiaodong

机构地区：[1]中国人民大学法学院

出　　处：《中国法学》2025年第2期168-187,共20页China Legal Science

基　　金：2023年度国家社科基金重大项目“当代中国数字法学基本范畴体系研究”(项目批准号:23&ZD154)的阶段性成果。

摘　　要：我国与域外法律大多以类型列举或存在严重侵害风险界定敏感个人信息,在保护方式上采取二元保护、强化保护。但敏感个人信息保护的理解与适用存在挑战,其界定存在不确定性,保护方式也不尽合理。这一挑战的根源在于敏感个人信息具有场景化特征,个人信息并非因其本身而敏感。在立法层面对敏感个人信息保护进行重构不具有必要性与可行性,应在解释与适用过程中对其进行重构。敏感个人信息的界定应以目的解释为主、参照文义解释,价值判断应以我国国情为依据,风险认知判断应以专家判断为主、兼顾公众感知风险,判断因素应考虑信息主体、处理主体、处理方式、识别概率等。敏感与非敏感个人信息的分类保护应迈向场景化、动态化:在行政监管中,应采取自下而上的场景化保护;在司法与行政执法案例中,应采取以案释法的场景化保护。就强化保护措施而言,应迈向监管下的自我监管。衔接敏感个人信息与私密信息,应在个人信息保护与隐私权保护两种制度下进行分析。Most laws in China and abroad classify sensitive personal information by type or define it as having a serious risk of infringement. In terms of the protection method, these laws adopt sensitive and non-sensitive distinctions and provide enhanced protection for the former. However, there are challenges to understanding and applying sensitive personal information protection. Its definition is indeterminate and its dual protection method is insufficiently rational. The root of this challenge lies in the contextualized nature of sensitive personal information;personal information is not sensitive per se. It is not necessary or realistic to reconstruct sensitive personal information protection at the legislative level. Therefore, it should be restructured in the process of interpretation and application. Specifically, the definition of the concept should be mainly based on purpose interpretation with a reference to textual interpretation;its value judgment should be based on national conditions;its risk analysis should be mainly based on expert judgment, taking into account public perception of risk, and judgment factors should consider the information subject, processing subject, processing method, identification probability, etc. The classification and protection of sensitive and non-sensitive personal information should adopt contextual and dynamic approaches. With regard to administrative regulation, we should adopt a bottom-up contextual approach;with regard to judicial and administrative law enforcement cases, a case-based contextual interpretation of sensitive information should be adopted. To strengthen protective measures, a regulated self-regulation approach should be adopted. The connection between sensitive personal information and private information should be analyzed under two institutional modules: personal information protection and privacy protection.

关 键 词：个人信息保护 敏感个人信息 反歧视 场景化 私密信息 

分 类 号：D923[政治法律—民商法学]