在数字化时代,科学研究成为一种典型的数据应用场景。科学研究大规模处理个人数据隐含的“道德伦理问题上的非对称性”引致个人权利与公共利益之间的权益冲突。中国既有法制对于科学研究处理个人数据行为的规制呈现规范内容不一致、指向模糊、保障措施不足等问题。以《一般数据保护条例》为代表的域外法制从规范定位、可处理数据范围、目的限制原则的适用、数据主体同意的规定、数据主体权利克减、技术性与组织性保障措施等方面确立了相对完整的法律规制体系。可以考虑在《中华人民共和国个人信息保护法》中增设“科学研究”相关条款,同时,通过适当豁免研究人员的数据处理义务、附条件克减数据主体的个人权利以及调整同意模式,打造激励相容的数据处理行为要件,此外,尚需完善技术性和组织性保障措施以确保数据处理规范有序。
In the digital age, the coexistence of the value and risk of using personal data for scientific research prevails, and the key question is not whether the data should be used for research, but how to obtain the benefits of scientific research based on the basic principles of respecting ethics and privacy. In this regard, when research may bring harm to the subject of research or other relevant persons, the law needs to intervene in a timely manner and set limits for it, and this restriction itself should also abide by the provisions of the law.
In spite of the promulgation of Personal Information Protection Law of the People's Republic of China in 2021, it does not directly stipulate the purpose of "scientific research", and the regulation of scientific research behavior in China's established legal system is in a sporadic state, far from being systematized. It does not provide clear and appropriate guidance for scientific research on the processing of personal data, whether based on the direct content of the provisions or the normative interpretation. Moreover the legal regulation of similar scientific research behaviors sometimes shows inconsistencies, and there is a lack of special data processing supervision authorities and supervision mechanisms in the legal norms.
The study has the following findings. First, the legislative model for "scientific research" in most countries is to adopt the legislative path of the Basic Law positioning and supplemented by other relevant norms of a lower rank. Second, the trend of legislation is not to impose absolute restrictions on scientific research in terms of the type and scope of individuals, but to impose restrictions on data processing behavior, thereby creating a relaxed environment for scientific research. Third, the innovation of scientific research stems from its uncertainty, the discovery of new materials or the improvement of research methods will change the specific purpose of the original research. If the purpose of its data processing behavior is strictly limited, it may inhibit the vitality of scientific research, and thus the principle of unconstrained purpose has become the mainstream model of extraterritorial legislation. Fourth, the consent of the subject or alternative measures needs to be sought for personal data with legibility, and consent is not required for personal data that is not identifiable. In general, the binding force of consent is weakening in cases where the principle of limitation of purpose is exempted from application. Fifth, the extraterritorial legal system basically recognizes the derogation of personal data rights in scientific research acts, but there are different approaches in the types and degrees of derogations of derogation rights. The current consensus is that derogations from the rights of data subjects should not only comply with the statutory preconditions, but also take corresponding protective measures. Sixth, at present, the safeguards for scientific research to process personal data include both technical and organizational measures. Specific types of measures for both types of measures are still being explored.
It is proposed that first the normative construction of China's scientific research on the handling of personal data should be provided by the Personal Information Protection Law, and the special law regulating various specific research acts needs to provide more detailed rules according to their respective circumstances. Second, in terms of the assumption of the obligations of data processors, scientific researchers can receive special preferential treatment for the processing of personal data based on the consideration of public welfare expansion. Third, consent of data subjects is a developing concept, and as scientific research clarifies the data types of individuals, the precise application of tiered consent and layered consent models will highlight the effectiveness of consent. Fourth, in scientific research, absolute de-identification cannot be blindly required for different types of research, and processed data that is extremely unlikely to be identified or not harmed in the context of the current situation are acceptable, but it is still necessary to regularly assess and monitor whether there are new risks and if the technical means already taken are necessary to update and adjust. Fifth, it is necessary to improve the technical and organizational safeguardsfor data processing in scientific research.
[1] SEE LINDEN K, KELLI A, NOUSIAS A. A CLARIN contractual framework for sharing personal data for scientific research[M]//SIMOV K, ESKEVICH M. Selected papers from the CLARIN annual conference 2019. Linkoping University Electronic Press,2020:75-84.
[2] Academy of Medical Sciences. Personal data for public good: using health information in medical research[EB/OL].[2021-02-02].http://www.acmedsci.ac.uk/index.php?pid=99&puid=62.
[3] 刘静怡.社群网络时代的隐私困境:以Facebook为讨论对象[J].台大法学论丛,2012,41(1):9-10.
[4] HELEN NISSENBAUM. Privacy in context: technology, policy, and the integrity of social life[M].Stanford University Press,2009:140-160.
[5] 柴之芳.科学研究是一项公益事业[J].科技导报,2017,35(1):9.
[6] 王悠然.公共价值科学研究有待重视[N].中国社会科学报,2020-08-21(003).
[7] VAYENA E, HAEUSERMANN T, ADJEKKUM A, et al. Digital health: meeting the ethical and policy challenges[J]. Swiss Medical Weekly,2018, 148: w14571.
[8] BIETZ M, PATRICK K, BLOSS C. Data donation as a model for citizen science health research[J].Citizen Science: Theory and Practice, 2019,4(1):1-11.
[9] DEACON HARRIET. Racism and medical science in South Africa's Cape Colony in the mid-to late nineteenth century[J].Wash Lee Law Review,2000,15:190-206.
[10] MARK J TAYLOR.Health research, data protection, and the public interest in notification[J]. Medical Law Review, 2011,19:267-303.
[11] MICHAEL WEIL, SATISH LALCHAND. Five questions about the misuse of consumer data[EB/OL].[2021-06-17]. https://www2.deloitte.com/us/en/pages/advisory/articles/five-questions-about-the-misuse-consumer-data.html.
[12] 李震山.来者犹可追,正视个人资料保护问题[J].台湾法学杂志,2005,76(5):229.
[13] 王德志.论我国学术自由的宪法基础[J].中国法学, 2012,29(5):15.
[14] KRUTZINNA J, FLORIDI L. Ethical medical data donation: a pressing issue[M]//KRUTZINNA J, FLORIDI L. The ethics of medical data donation. Philosophical Studies Series, Springer, 2019.
[15] RICHTER G, BORZIKOWSKY C, LESCH W, et al. Secondary research use of personal medical data: attitudes from patient and population surveys in the Netherlands and Germany[J].European Journal of Human Genetics, 2021, 29(3): 495-502.
[16] VAYENA E, GASSER U, WOOD A, et al. Elements of a new ethical framework for big data research[J]. Wash Lee Law Review,2016,72(3):420-441.
[17] 周汉华.个人信息保护法(专家建议稿)及立法研究报告[M].北京:法律出版社, 2006:9.
[18] 赵宏.《民法典》时代个人信息权的国家保护义务[J]. 经贸法律评论,2021,26(1):12.
[19] 联合国贸易和发展会议(UNCTAD)统计数据[EB/OL].[2021-04-24].https://unctad.org/page/data-protection-and-privacy-legislation-worldwide.
[20] 高富平.论个人信息处理中的个人权益保护——“个保法”立法定位[J].学术月刊,2021,65(2):112.
[21] 欧盟一般数据保护条例[EB/OL].丁晓东,译. [2021-04-21].https://wenku.baidu.com/view/f7365a101fd9ad5 1f01dc281e53a580216fc5027.html.
[22] 邱文聪.健保资料库案会议记录[J].月旦法学杂志,2018,20(1):73.
[23] 刘颖.日本个人信息保护法[J].北外法学,2021(2):217-256.
[24] EVELIEN BROUWER. Legality and data protection law: the forgotten purpose of purpose limitation[M]//BESSELINK LFM, PRECHAL S, PENNINGS F.The eclipse of the legality principle in the European Union. Alphen aan de Rijn: Kluwer Law International, 2011:273-294.
[25] 张陈弘.GDPR关于搜用一般个人资料之合法事由规范[J].月旦法学杂志,2019,19(2):177.
[26] 巴西《通用数据保护法》与越南《个人数据保护法(草案)》译文[EB/OL].[2021-04-22].https://www.secrss.com/articles/29976.
[27] 世新大学.欧盟国家个人资料保护法制因应GDPR之调适[R/OL].[2021-04-23]. https://www.ndc.gov.tw/nc_1871_34353.
[28] 周汉华.探索激励相容的个人数据治理之道——中国个人信息保护法的立法方向[J].法学研究,2018,65(2):3-23.
[29] 梁泽宇.个人信息保护中目的限制原则的解释与适用[J].比较法研究, 2018,32(5):16-30.
[30] ROTHSTEIN M A, KNOPPERS B M, HARRELL H L. Comparative approaches to biobanks and privacy[J]. Journal of Law Medicine & Ethics, 2016, 44(1):161-172.
[31] International ethical guidelines for epidemiological studies[EB/OL].[2021-04-17]. https://cioms.ch/wp-content/uploads/2017/01/WEB-CIOMS-EthicalGuidelines.pdf.
[32] JANE KAYE, EDGAR A WHITLEY, DAVID LUND, et al. Dynamic consent: a patient interface for twenty-first century research networks[J]. European Journal of Human Genetics,2015,2(23):141-145.
公众号
订阅号
企业微信客服
鄂公网安备 42010602003780号