IP地址、Cookies、BSSID、TC字符串,这些信息虽然未必能直接识别出信息主体的姓名,但通过与其他信息相结合能够“识别”出特定自然人。我国《民法典》对个人信息的定义是:个人信息是以电子或者其他方式记录的能够单独或者与其他信息结合识别特定自然人的各种信息。欧洲《通用数据保护条例》第4条将“个人信息”定义为,已识别到的或可被识别的自然人的所有信息。可见,“可识别”对于我们判断哪些信息属于个人信息显得特别重要。
关于“可识别”的理解,欧洲《通用数据保护条例》认为,可被识别的自然人是指能够被直接或间接通过识别要素得以识别的自然人。欧盟的第29条数据保护工作组的表述更形象,“a natural person can be considered as‘identified’when, within a group of person, he or she is‘distinguished’from all other members of the group.”即,“可识别,就是能在人群中认出某一个特定的自然人”。欧洲《通用数据保护条例》在“重述”第26条(Recital 26)指出:在判断一个自然人是否是可以被识别的时候,应当将所有合理的方法都考虑进去,并且考虑这些方法的合理性时要结合成本、当前技术可行性等因素。在前文提到的案例中,同样给了我们在实践中把握“可识别”的重要经验:
没有与“其他信息”去结合识别,这个信息就不构成“个人信息”?
Google与Judith Vidal-Hall等上诉案件中,Google主张,Google实际将能够与cookie结合的其他信息进行了分割,也就是没有用“其他信息”去和cookie结合去识别个人身份,所以cookie信息不构成个人信息。英国上诉法院没有支持这样的观点,认为,欧盟法律对个人信息的定义中,可以间接识别个人身份的信息,只要是掌握在数据处理者手中,能够被用于识别个人身份就构成个人信息,是否实际已经这么使用或者是否准备这么使用都是无关紧要的。
As regards the wording of section 1(1)(b), this refers simply to information “in the possession of”the data controller, and appears only to be concerned with whether data “can be used” to identify an individual (not with whether it has been used or is intended to be used in this way). On a straightforward and literal construction of the section, therefore, the fact that a data controller might not aggregate the relevant information in practice is immaterial. What matters is whether the defendant has “other information” actually within its possession which it could use to identify the subject of the BGI, regardless of whether it does so or not.
“其他信息”无法获取,手里的信息就不构成个人信息?
Patrick Breyer与Federal Republic of Germany案中,德国联邦政府是网站内容提供方,本身不掌握Breyer的IP地址,德国联邦法院由此产生了误判,IP地址是否属于个人信息要本案中要分情况,在互联网服务提供者手中才能视为个人信息,因为互联网服务提供商手中还有“其他信息”能结合识别Breyer的身份。如果是像德国联邦政府这样的网站内容提供者,并没有能力获得“其他信息”,所以此时IP地址就不是个人信息。欧盟法院并不赞同这个观点,认为,根据欧盟法律,判断一个信息是否属于可间接识别个人的信息,考虑的不仅是当前这个信息控制者通过合理手段可以获得的信息,还要考虑其他主体通过合理手段可以获取的信息,换言之,欧盟法律并不要求这些信息都掌握在同一个主体手中,才认定构成个人信息。
Furthermore, recital 26 of Directive 95/46 states that, to determine whether a person is identifiable,account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person.In so far as that recital refers to the means likely reasonably to be used by both the controller and by‘any other person’, its wording suggests that, for information to be treated as‘personal data’ within the meaning of Article 2(a) of that directive, it is not required that all the information enabling the identification of the data subject must be in the hands of one person.
只是信息处理规则的制定者,完全不接触信息,还是个人信息的控制者?
有时候,我们会认为,只要不接触信息就能与信息安全风险相切割。在IAB Europe v Gegevensbeschermingsautoriteit案中,IAB Europe在整个业务中都不接触信息,但因为制定TC字符串的处理规则,被判定为个人信息的联合控制者(joint-controller)而承担责任。欧盟法院对此的回答是:一个公共机构,如果它为其会员提供处理个人信息的规则,其中不仅包括信息处理的技术规范,还有包括信息分发、存储的规则,那么应当被定义为“联合控制者”。原因是,这个公共机构对这个信息处理的过程施加了影响,并与会员主体共同决定了信息处理的目的和方法,这个公共机构并不直接接触信息的这样的客观事实并不会因此将其从联合控制者的角色中排除。
First,a sectoral organisation,in so far as it proposes to its members a framework of rules that it has established relating to consent to the processing of personal data,which contains not only binding technical rules but also rules setting out in detail the arrangements for storing and disseminating personal data relating to such consent,must be classified as a joint controller' ...... where it exerts influence over the personal data processing at issue,for its own purposes,and determines jointly with its members,the purposes and means of such processing.The fact that such a sectoral rganisation does not itself have direct access to the personal data ...... does not preclude it from holding the status of joint controller......;