laitimes

【Discussion】Criminal law system for handling the act of disclosing personal information

【Discussion】Criminal law system for handling the act of disclosing personal information

What is your opinion on the "criminal law system for handling the act of disclosing personal information"? Thoughts on this article welcome everyone to leave a message or contribute to participate in the discussion. For the original manuscripts sent by this WeChat public platform, rewards will be given as appropriate based on the amount of reading, and the Hunan Provincial Criminal Rule of Law Research Association will also award the original articles every year and give different levels of rewards. We look forward to hearing from you!

Submission email: [email protected]

Abstract:At present, there is still controversy in the practical and theoretical circles on whether the act of processing disclosed personal information constitutes a crime, and the root cause of this is the failure to clarify the legal interests of the crime of infringing on citizens' personal information, and the way in which the criminal law should carry out relief and regulation in order to achieve the appropriate punishment. The protection of the legal interests of the crime of infringing on citizens' personal information should be recognized as the right to self-determination of personal information, and the concept of individual autonomy contained in it is of great significance to reasonably limit the scope of regulation of the handling of disclosed personal information in the criminal law. For the conviction path of unauthorized handling of disclosed personal information, the secondary authorization standard has the principle of unification of illegal order, the rational purpose investigation theory is vague based on the purpose of disclosure, the objective openness path is relatively single, and the scenario-based path lacks operability. Where there are multiple forms of personal information that have already been disclosed, the boundaries of criminal liability for the handling of disclosed personal information shall be delineated using a typological mindset based on the different entities to be disclosed, the scope of disclosure, and the basis for legality.

Keywords: Publicly available personal information; Infringement of citizens' personal information; the right to self-determination of personal information; Reasonable handling

I. Formulation of the problem

In the era of big data, the collection and application of personal information has become ubiquitous, and while data mining and analysis have brought convenience to society, citizens' personal information is also facing the potential risk of leakage and abuse. In order to protect citizens' personal information, the Criminal Code provides for the crime of infringing on citizens' personal information. However, in judicial practice, there are differences as to whether the disclosed personal information is the target of the crime of infringing on citizens' personal information. For example, in the case of Wang's infringement of citizens' personal information, Wang sold more than 70,000 pieces of information involved in the case, including personal names, telephone numbers, and other content, to others for profit, of which more than 60,000 pieces of information came from the relevant information of the legal representative published on commercial websites such as Baidu, Materials.com, and Self-service Trade Network; The court held that the personal information disclosed was not personal information under the Criminal Law, and was not subject to the crime of infringing on citizens' personal information, so it did not identify the more than 60,000 pieces of personal information that had been disclosed. However, in the case of Li's infringement of citizens' personal information, the court of second instance held that Li's act of selling or providing citizens' personal information that could be publicly queried in Qichacha and Tianyancha exceeded the purpose and scope of the reasonable use of citizens' personal information involved in the case, and that it might cause harm to the safety and tranquility of relevant citizens, and was an act of selling or providing citizens' personal information. In the "case of Wu's infringement of citizens' personal information", Wu downloaded the industrial and commercial registration information disclosed by companies in various regions from websites such as Tianyancha and Qichacha for sale and made a profit, and the public security organs determined that Wu's conduct was suspected of infringing on citizens' personal information in accordance with the provisions of Article 3, Paragraph 2 of the "Interpretation on Several Issues Concerning the Application of Law in Handling Criminal Cases of Infringement of Citizens' Personal Information" (hereinafter referred to as the "Interpretation of Criminal Cases of Infringement of Citizens' Personal Information"), and the procuratorate held that it was based on the Civil Code in the review and prosecution There is no evidence in this case to prove that Wu's sale of lawful and publicly disclosed information was rejected by the rights holder or infringed upon his major interests, and should not be found to constitute the crime of infringing on citizens' personal information.

At the same time, there are also controversies in the theoretical community as to whether the processing of disclosed personal information is subject to criminal laws, mainly including the theory of innocence, the theory of guilt and the theory of qualification. Innocence theorists believe that when personal information is legally and completely disclosed, it means that anyone can legally obtain the personal information, and the essence of "disclosure" is to let people know, according to the theory of personal information security, so the actor's processing of disclosed personal information does not harm the legal interests of the crime of infringing on citizens' personal information. Guilt theorists believe that citizens' personal information is identifiable, even if some information has been disclosed and does not belong to personal privacy, but as long as it has identifiable characteristics, it belongs to the category of citizens' personal information. The limitation theory holds that the subsequent dissemination and use of information should be limited to the initial context, and the key to judging whether the personal information processing behavior is reasonable lies in whether the impact caused by the processing behavior can be accepted by the information subject, or whether it meets the reasonable expectations of the information subject.

It can be seen that there is a lack of consensus in the current practical and theoretical circles on the determination of the handling of disclosed personal information, and this issue can be refined into the following specific issues from an in-depth analysis: first, there are different understandings of the legal interests of the crime of infringing on citizens' personal information, and different conclusions will be drawn on the question of whether the disclosed personal information is the object of protection under the criminal law from the perspective of different legal interests; The second is what criteria should be adopted to define the scope of criminal law protection of disclosed personal information. Therefore, in order to ensure the uniformity of judicial application, it is necessary to explore the boundaries of criminal law protection of disclosed personal information under different circumstances, and reasonably circulate and use disclosed personal information on the premise of fully ensuring the security of personal information.

II. Clarification of the protection of legal interests in the crime of infringing on citizens' personal information

The legal interests of criminal law are not only the product of value exploration and normative recognition of the social experience facts of the constitutional value order carried by the pre-existing law and the criminal law, but also the result of the normative hierarchical adjustment and proportional distribution and protection of the legal interests of the pre-existing law and the criminal law in accordance with the requirements of the constitutional principle of proportionality. In judicial practice, there have been different judgments in the same case for the handling of disclosed personal information, which indicates that there are differences in the judgment of the illegality of such acts, and whether the acts are substantive illegal should be evaluated based on whether they have infringed on legal interests. Therefore, one of the reasons for the controversy over whether disclosed personal information is subject to the crime of infringing on citizens' personal information lies in the different understandings of the legal interests of the protection of this crime.

(1) Disputes over existing doctrines of legal benefits

At present, the legal interests of the protection of the crime of infringing on citizens' personal information can be divided into three categories: the theory of individual legal interests, the theory of supra-personal legal interests, and the theory of dual legal interests. The theory of personal legal interests attaches great importance to the individual attributes of personal information, and includes four theories: the theory of privacy, the theory of general personality rights, the theory of personal information self-determination, and the theory of citizens' personal tranquility: the theory of privacy follows the United States model of personal information protection, and considers the protection of legal interests of this crime as the right to privacy; The general theory of personality rights asserts that the legal interests of this crime are the personal dignity and personal freedom of citizens; The doctrine of personal information self-determination holds that information subjects have the right to control, control and exclude infringement of their personal information in accordance with the law; The doctrine of personal tranquility of citizens is judged by the possibility of threatening the tranquility of private life.

The theory of supra-personal legal interests holds that personal information should be regulated as a public good, and the use of personal information should be managed by a special government agency, with the purpose of promoting the circulation and sharing of personal information for the public interest and public safety. The representative views in the theory of transpersonal legal interests are the theory of information exclusivity and the theory of public information security. The theory of information exclusivity holds that the legal interest of the crime is a collective legal interest, which is embodied in the legal subject's right to dispose of the personal information in its possession, that is, the exclusive right of information. The theory of public information security advocates that the protection of legal interests of the crime of infringing on citizens' personal information is not the personal rights of individuals, but the public information security of society. The theory of dual legal interests holds that the crime has the attribute of dual legal interests, that is, personal legal interests and suprapersonal legal interests.

(2) The advocacy of the theory of personal legal interests

With regard to the above-mentioned doctrinal controversy, the author agrees that the protection of the legal interests of the crime of infringing on citizens' personal information is the theory of the right to self-determination of personal information in the concept of personal legal interests, which will be discussed in detail below.

1. The inadequacy of the theory of transpersonal legal benefits

Although there are many people who hold the theory of suprapersonal legal benefits, whether it is the "public information security theory" or the "information exclusive right" theory, there are the following shortcomings. First of all, the suprapersonal legal interest is not the accumulation of individual legal interests in quantity, but has a status independent of the individual's legal interests. In essence, suprapersonal legal interests are manifested as irreducible personal legal interests, including non-exclusivity in use, non-competition in consumption, and non-distribution. However, the protection of legal interests in the crime of infringing on citizens' personal information does not have the characteristics of supra-personal legal interests. Citizen personal information is generated by and belongs to a specific individual, so it is illogical to consider personal information as something that can be shared by all and is not exclusive to the subject of the information. Second, from the perspective of system interpretation, the crime of infringing on citizens' personal information is located in Chapter 4 of the Specific Provisions of the Criminal Law, "Crimes of Infringing on Citizens' Personal Rights and Democratic Rights", so the legal interests of the crime of infringing on citizens' personal information should also be within the scope of citizens' personal and democratic rights, so the protection of legal interests should be personal legal interests. Finally, scholars who hold the theory of suprapersonal legal interests confuse the protection of legal interests of the crime of infringing on citizens' personal information with the macro governance goal of personal information. The theory of transpersonal legal interests holds that the circulation and sharing of personal information should be promoted for the public interest, but this understanding falls into the trap of discussing the circulation and use of information in general. The macro governance goal of personal information cannot be directly and completely transformed into the value basis for the protection of the legal interests of the crime of infringing on citizens' personal information, and the crime of infringing on citizens' personal information is located in the chapter of "crimes of infringing on citizens' personal rights and democratic rights", which only reflects the governance goal of the dimension of protection of personal legal interests, and is not to promote the circulation and reasonable use of information at the same time, otherwise it will conflict with the chapter system in which it is located.

The same problem is faced with the dual legal benefit doctrine, which is essentially a compromise strategy that seems to solve the problem but in fact makes the answer more ambiguous. The dual legal interests theory takes into account both the protection of personal information rights and the reasonable use of personal information, but these two objectives may conflict with each other in nature, which makes the legal interests of the crime also conflict, and thus there will be inconsistency in the determination of the nature of the act. In addition, if the legal interests of this crime are understood as dual legal interests, when the perpetrator infringes on the rights and interests of citizens in the name of the public interest, regardless of whether or not he infringes on the rights and interests of individual citizens, he can escape criminal responsibility under the protection of superpersonal legal interests, so the theory of dual legal interests is suspected of unduly compressing and restricting the legitimate rights of citizens.

2. Legal interest for the protection of this crime: the right to self-determination of personal information

The identifiability of personal information is an important criterion for determining the significance of citizens' personal information in criminal law. The theory of privacy ignores the differences between the legal systems of China and the United States, personal privacy and personal information are two different concepts, personal information focuses on identification, while personal privacy focuses more on privacy, personal privacy includes a part of personal information that is private, but it cannot cover personal information that is no longer private due to a high degree of disclosure, so the privacy theory will lead to the improper restriction of the content of the legal interests of the crime of infringing on citizens' personal information. Some scholars believe that the personal information of the crime of infringing on citizens' personal information is public and related to the interests of society, and the control of personal information should not be completely decided by individuals. However, this view actually confuses the two concepts of data and information, in the digital age, data has important public value, and protecting personal data from leakage is essential to maintain social management order. However, the personal information protected by the criminal law has the characteristics of being identifiable, can clearly point to a specific individual citizen, and reflects the strong attribute of personal self-determination.

At the same time, the right to self-determination of personal information, as a specific personality right, is based on a precedent law, which better connects the relationship between civil and criminal law. Article 44 of the Personal Information Protection Law of the People's Republic of China stipulates the right to information self-determination, making it clear that information subjects have the right to know and decide on the processing of their personal information, and have the right to restrict or refuse the processing of their personal information by others. The right to self-determination of information is the basic right of citizens to their personal information, and the right to self-determination of personal information is regarded as the legal interest of the protection of the crime of infringing on citizens' personal information, which is the embodiment of the general right of self-determination in the specific crimes of the criminal law.

In addition, based on the consideration of the functions and purposes of different departmental laws, as well as the principle of independence and modesty of the criminal law itself, whether many specific rights and interests in the right to personal information should be included in the legal interests of the criminal law is an issue to be discussed in the discussion of the protection of the legal interests of the crime of infringing on citizens' personal information. In view of the status of the criminal law as a safeguard law, from the perspective of the integration of criminal and civil law, the criminal law should maintain the necessary restraint compared with the pre-existing law in the selection of citizens' personal information protection mode. The scope of protection of citizens' personal information under the criminal law must be narrower than that of the civil law. The methods of conduct for the crime of infringing on citizens' personal information mainly include selling, providing, stealing, or illegally obtaining citizens' personal information in violation of relevant state regulations, and these acts all occur in the process of collecting, using, and disposing of personal information, and the information subject enjoys the right to independently decide the scope and method of disclosing and making others aware of and using the information, which essentially gives the information subject the right to control and control his or her personal information.

Therefore, from the perspective of the right to self-determination of personal information, disclosed personal information is within the scope of protection under the criminal law. The information subject has the right to decide whether to process his or her personal information, and at what time, where, to what extent, and in what manner the personal information will be processed, and the right to information self-determination will not be changed by the disclosure of personal information, and even if the personal information is no longer private, the unauthorized processing of personal information will infringe on the information subject's right to information self-determination.

III. Analysis of the qualitative path for the handling of disclosed personal information

There are many discussions in the theoretical and practical circles about the characterization of the processing of disclosed information, and there are secondary authorization standards, purposefulness investigation theory, objective openness path and scenario-based path, although these paths have certain advantages, but also have obvious shortcomings.

(1) Secondary authorization standards and practical problems

The secondary authorization standard holds that the actor must obtain the authorization of the information subject to process the disclosed personal information, otherwise the processing is a violation of national regulations and may constitute the crime of infringing on citizens' personal information. The direct basis for the second authorization standard is Article 3 of the Interpretation of Criminal Cases of Infringement of Citizens' Personal Information, which stipulates that, in addition to the disclosed personal information that is not identifiable, if the lawfully collected citizens' personal information is provided to others without the consent of the information subject, it is an act of "providing" in the crime of infringing on citizens' personal information.

The secondary authorization standard fully respects the will of the information subject and protects the citizens' right to information self-determination to the greatest extent. However, judging the processing of disclosed personal information based on the criteria for secondary authorization is neither in line with the development of the big data era, nor is it feasible in practice. In real life, the exchange and circulation of personal information is very frequent, and if all the acts of providing disclosed personal information require the second authorization of the information subject, it is too restrictive to the processing and use of disclosed personal information. In today's data age, data controllers, such as data companies, deal with huge amounts of information on a daily basis, and it is impractical to require them to obtain secondary authorization from the information subject for each piece of information. If the identification of a single piece of information in a data collection is affirmed that the information subject has full control over the disclosed personal information, the development and application of big data will be hindered.

In addition, the secondary authorization scheme has the principle of unifying the illegal order. As the last line of defense to protect people's legitimate rights and interests and maintain social stability, if the criminal law deviates from the pre-existing legal norms that focus on redress and restoration, and directly adopts the most severe punishment, this will inevitably destroy the internal coordination and stability of the legal system, and then damage the predictability of the people. There are many blank charges in the Criminal Law of the People's Republic of China, which do not clearly stipulate the specific elements of the crime, and need to be supplemented by other laws and regulations when applied. Therefore, to determine whether a crime is established, it is necessary not only to make an independent judgment in the criminal law, but also to follow the principle of unity of law and order, and to limit the scope of criminalization on the basis of the provisions of the precedent law. Specifically, only acts that are found to be illegal in the precedent law may have criminal illegality, and at the same time, the lawfulness of the precedent law can be used as a cause for the crime in the criminal law. In the case where the Civil Code and the Personal Information Protection Law stipulate that the disclosure of personal information can be processed within a reasonable scope, if the secondary authorization standard is adopted in judicial practice, the lawful act that does not violate the precedent law may be recognized as a crime, which will unduly expand the scope of application of the crime of infringing on citizens' personal information. In fact, this conflict is the result of the "criminal before civil" principle of personal information protection, so after the provisions of the Provisional Law adjust the rules for the protection of personal information, in the application of the Criminal Law, the relevant pre-provisions can also be directly relied on, and the criminal circle can be reset without making amendments to the norms and judicial rules of the Criminal Law.

(2) The theory of purposefulness and its theory are insufficient

The "fitness for purpose standard" is based on the purpose of information disclosure, and holds that if the processing of disclosed personal information does not exceed the purpose or purpose of information disclosure, it is reasonable processing, and conversely, if it deviates from the purpose or purpose of information disclosure, or harms the personal or property safety of the information subject, the processing violates the information subject's right to information self-determination and may constitute the crime of infringing on citizens' personal information.

The "fitness for purpose standard" seems to be able to fully protect the information subject's right to self-determination of personal information, but firstly, the purpose and use of personal information disclosure are often uncertain and complex, and it is difficult to accurately determine them in judicial practice. For example, when an information subject shares personal information on social media, he or she is often unsure of the purpose of disclosing the personal information, and it is difficult to define the purpose of the broad social communication goal. In addition, the purpose and use of personal information disclosure may change over time, and such changes will further lead to ambiguity about the purpose and purpose of disclosure. Second, where it is difficult to determine the purpose or use of personal information disclosure, it is difficult to require the actor to make an accurate judgment when processing the information. In addition, judging whether an information processor has committed a crime based on its subjective intrinsic purpose will increase the instability of criminal law convictions. Finally, even if the purpose of the information subject's disclosure of personal information is clear, there may be a conflict between the subjective purpose of disclosure and the objective disclosure. If the information subject claims that the disclosure of personal information has a specific purpose, but the personal information is in a completely public scenario, it is difficult for the information processor to determine the subjective purpose, and if the information processing that does not meet the subjective purpose is found to be a crime, the space for the free processing of the disclosed personal information will be excessively limited.

(3) The objective degree of openness, the path and its limitations

The objective degree of openness path divides disclosed personal information into fully open personal information, restricted personal information, and illegal disclosure of personal information, and fully open personal information has actually been granted a general authorization, usually does not infringe on the right to personal information, and does not need to be regulated by the criminal law, except when the natural person expressly refuses or the information processing infringes on the major interests of the right holder; However, the processing of personal information that is restricted from disclosure and personal information that has been illegally disclosed requires the consent of the information subject. The "objective open standard" judges whether the information processing behavior is reasonable based on the degree of information openness, which makes up for the limitations of the fitness for purpose standard in practice. However, the degree of openness is only an examination of the disclosed personal information, and important factors such as the subject of disclosure and the method of disclosure are not taken into account, ignoring the complexity of the personal information disclosure scenario, and is not suitable for handling personal information cases with flexibility. Although a lot of information is completely disclosed or restricted from disclosure, it is illegally disclosed personal information, and if this standard is adopted, it will also constitute a crime for the information processor to process the illegally disclosed personal information as legally disclosed personal information without knowing it, which will fall into the dilemma of objective imputation.

(4) Scenario-based paths and their reflections

Based on the contextual integrity theory, the "scenario theory" holds that whether the disclosed personal information is reasonably processed needs to comprehensively consider the specific context of the original collection of personal information, and the subsequent dissemination and use of information cannot go beyond the initial context. The scenario theory is helpful to define the scope of reasonable treatment in individual cases, but it also has certain shortcomings. The doctrine divides the disclosure scenarios of personal information into "life scenarios", "commercial scenarios", "public interest scenarios" and "illegal and criminal scenarios", but the application scenarios of personal information are complex and changeable, and it is difficult for the above classification to comprehensively cover all disclosure scenarios, and there is an overlapping relationship between them. The scenario theory asserts that the flow of information processing from high-risk scenarios to low-risk scenarios is not a crime or crime, while the flow of disclosed personal information from low-risk scenarios to high-risk scenarios may constitute the crime of infringing on citizens' personal information. However, except for the flow from legal scenarios to illegal and criminal scenarios, which can be identified as increased risk, it is difficult to judge the level of risk due to the existence of competition and cooperation between other scenarios.

IV. Typological regulation of the handling of disclosed personal information

This type of case is very complicated due to the differences in the subject, purpose, and object of disclosure of personal information. In view of the shortcomings of the above-mentioned paths, the author believes that a more reasonable approach is to adopt the reasonable handling rules provided for in the precedent law to determine the nature of the processing of disclosed personal information, classify and distinguish the disclosed personal information according to the different subjects, scope of disclosure, and legality basis, and construct different judgment standards based on the specific circumstances of the disclosed information.

(1) Categorical distinctions of disclosed personal information

Based on the existence or absence of a lawful basis for information disclosure, disclosed personal information can first be classified into lawfully disclosed personal information and illegally disclosed personal information. Within the lawful disclosure of personal information, due to the differences in the disclosure subjects, it can be divided into voluntary disclosure of personal information and mandatory disclosure of personal information; At the same time, depending on the scope of disclosure, it can be divided into full disclosure of personal information and limited disclosure of personal information. In different disclosure scenarios, the legality basis and disclosure value reflected in the disclosure status are different, and the personal and property rights that may be damaged to the information subject by subsequent processing actions are also different, so the focus of personal information protection reflected in the disclosure is also different.

Illegally disclosed personal information refers to personal information that has been disclosed without the consent of the information subject or against his or her will, and usually includes the following two situations: one is the act of harming the legal interests of a third party, such as illegally disclosing personal information resulting in the information being disclosed; The second is that state organs violate the principle of proportionality to compel the disclosure of personal information, both of which infringe on the right of self-determination of personal information of information subjects to varying degrees.

Voluntary disclosure of personal information essentially reflects the strong will and purpose of the information subject, such as disclosing one's daily life on the Xiaohongshu platform to shape one's personal image, or disclosing one's basic personal information on job search software to obtain job opportunities, and its legitimacy comes from the exercise of the right of self-determination of personal information, and such information disclosure implies the information subject's informed consent to the information processing to a certain extent and extent. Compulsory disclosure of personal information is to be disclosed on the basis of statutory reasons, and such information mainly includes three situations: (1) personal information disclosed by public authorities in the course of performing their duties in accordance with law, (2) personal information disclosed in the course of news reporting and public opinion supervision, and (3) personal information disclosed by people's courts in judgment documents; The purpose of the disclosure of the first two types of information is to ensure that citizens' right to know can be realized, while the third type of information disclosure is to safeguard judicial fairness. Therefore, the legitimacy of such information disclosure is based on the fact that certain concessions have been made to the protection of rights to the reasonable use of personal information management. When handling cases of compulsory disclosure of personal information, the dual information governance objectives of protecting individual rights and lawful use of information shall be taken into account, so as to ensure that information subjects can fully exercise their information rights, and at the same time maximize the value of information circulation.

For judging the degree of disclosure of legally disclosed personal information, we can refer to the "objective accessibility standard" adopted by Germany, that is, fully disclosed personal information is information set for not having substantive access conditions and is intended to be provided to the public. In other words, full disclosure of personal information is information that can be obtained by the public through ordinary methods without investing a lot of money and time. For example, on social platforms such as Weibo and Xiaohongshu, users only need to register an account to access all public content, and there are no substantial restrictions on browsing and obtaining other people's information. Restricting the disclosure of personal information is manifested as information that can only be obtained by setting restrictions on substantive access and meeting specific restrictions, such as personal information shared in WeChat group chats or moments, which can only be obtained by group members or WeChat friends.

(2) Specific regulatory paths for handling disclosed personal information

1. Handling of illegal disclosure of personal information

In principle, the act of processing illegally disclosed personal information is an infringement of legal interests. Disclosure of personal information without the consent of the information subject means that there is no endorsement of the consent of the information subject in its publicness; However, where the disclosure of personal information is beyond the authorization of the law, the damage to the rights and interests of the information subject is violated by the principle of proportionality due to the excessive emphasis on the public interest, which is a "violation of relevant state regulations". Therefore, such acts will infringe on the rights and interests of individuals, which is an illegal act in the precedent law, and cannot be used as a legal basis for subsequent information processing, and the processing of such information may constitute the crime of infringing on citizens' personal information. However, although such information is illegally disclosed, its disclosure status is objective, and the information processor's handling of such information does not necessarily completely exclude the possibility of criminalization because of the infringement of legal interests of the disclosure. When the perpetrator does not have the possibility of understanding the illegal information disclosure, the consequences caused by the illegal disclosure should not be borne by the information processor, and there is no need to criticize the information processor at this time; If the perpetrator clearly knows that personal information has been illegally disclosed and handles it without authorization, and the circumstances are serious, they shall bear criminal responsibility.

2. Handling of voluntary disclosure of personal information

The information subject's voluntary disclosure of personal information is a disposition of the right to self-determination of personal information, so when the actor reprocesses personal information, the actor must not impair the information subject's right to decide on the scope of the information circulation. Whether the perpetrator's handling of such information constitutes a crime needs to be discussed separately according to the scope of information disclosure.

First, for personal information that is voluntarily and completely disclosed, as long as the processing is not explicitly rejected by the information subject or infringes upon his or her major interests, it is not criminally punishable. Such information is voluntarily published in the public domain by the information rights holder, so it can be considered that the information subject has implied consent to the subsequent information processing. In fact, the disclosure behavior of the information subject is essentially a general consent to the subsequent information processing, which means that the information subject allows others to obtain and use his or her information. In this case, the consent of the information subject is equivalent to the victim's commitment, so the act of the information processor is not illegal, that is, the actor's act of voluntarily disclosing personal information by the information subject is not infringing on legal interests.

Second, for personal information voluntarily disclosed by the information subject within a certain scope, the information processor shall process the information within the scope of the information subject's openness, and if it exceeds this scope, it shall obtain the authorization of the information subject, otherwise the right to self-determination of personal information will be infringed, and the processing will be criminally punishable. It should be noted that the definition of the scope of information disclosure should be limited to the same field, and should not be extended to the same field. The disclosure of personal information by the information subject within a specific scope does not mean that the information is willing to be disclosed on the same platform, so the actor shall process the personal information on the premise of obtaining the consent of the information subject. For example, in the case of Ke Moumou's infringement of citizens' personal information, the defendant Ke Moumou created the "Fannie Gang" software, purchased housing information from real estate agents, and arranged for staff to impersonate real estate agents to obtain housing information and contact numbers from WeChat groups and other websites, and then packaged and sold them on the "Fannie Gang" website in the form of membership packages. In this case, the listing information involved in the case was listed by the landlord to the real estate agency, which was only disclosed to a specific scope, and after the listing information was published on the "Fannie Gang" website, the information involved in the case was changed from a specific scope of disclosure to the whole society, which infringed on the information subject's right to self-determination of personal information.

3. Handling acts of compulsory disclosure of personal information in accordance with the law

In practice, the information rights holder has ceded part of its right to self-determination for the sake of the public interest and has made its information into the public domain, and the information rights holder's control over its own public information is weakened, but the protection of such disclosed personal information by the law should not be weakened, and the risk of abuse of personal information should be reduced as much as possible.

First of all, for personal information that is compulsorily fully disclosed in accordance with the law, the information processing should not be a crime if the right holder does not explicitly refuse or does not have a significant impact on the rights and interests of individuals. State organs may disclose citizens' personal information for different lawful reasons, and in such circumstances, the disclosure of personal information may even be against the will of the information subject, such as citizens' personal information disclosed in judgment documents and the judicial organs' release of basic information on judgment defaulters. The legal basis for compelling the disclosure of personal information is the consideration of the public interest and is the result of a trade-off of interests. This kind of information carries public interests such as the right to know and the circulation of information, and the information subject shall bear a higher obligation to tolerate subsequent processing. From the perspective of strict protection of legal interests, this kind of behavior seems to infringe on the legal interests of the crime of infringing on citizens' personal information, that is, the right to self-determination of personal information. However, the inclusion of these acts in the scope of criminal law is clearly inconsistent with the requirements of information governance, and it does not appropriately restrict the free flow of information. In such cases, it should be treated as a circumstance that meets the grounds for illegal obstruction, so that the crime is dealt with at the level of illegality. For example, in the above-mentioned "Wu X Infringement of Citizens' Personal Information Case", after the actor collected citizens' personal information that was fully disclosed on the industrial and commercial information registration network, and then provided it to a group with business development needs, although the subjective purpose was to make a profit, the personal information disclosed in accordance with the law had more public domain color, and the information processing was not explicitly rejected or caused significant damage to the information subject, so it was a reasonable handling act and did not constitute the crime of infringing on individual citizens.

In addition, for personal information that is compulsorily disclosed within a certain scope in accordance with the law, it is necessary to carry out differentiated processing according to the information subject's authority to dispose of it. When the information subject has the right to dispose of personal information and can fully exercise the right to self-determination of personal information, the actor should inform and obtain authorization before processing the information; Where the public interest takes absolute precedence and the data subject is unable to exercise his or her right to self-determination, such information is often not processed; In addition, when the information subject's authority to dispose of is incomplete, the consent of both the relevant departments and the information subject shall be obtained.

V. Conclusion

Through the analysis of cases in judicial practice, it is found that there are different judgments in the criminal law for the infringement of disclosed personal information, and there are also qualitative differences in the theoretical circles. In order to solve the practical problem, it is first clarified that the legal interests of the protection of the crime of infringing on citizens' personal information are the legal interests of individuals, and the right of self-determination of personal information can be in line with the purpose of the criminal law to establish the crime of infringing on citizens' personal information, and it is reasonable to protect the legal interests of the crime of infringing on citizens' personal information. Regarding the selection of the qualitative path for the processing of disclosed personal information, the secondary authorization standard is neither in line with the development of the big data era, nor is it operable in practice. The fitness for purpose theory makes it difficult to accurately determine the purpose and use of information disclosure, which makes it difficult for this criterion to play a stabilizing role. The objective openness path is relatively simple, and there is a suspicion of objective imputation. In addition, it is difficult to comprehensively cover all public scenarios from the perspective of scenario-based paths, and it is impossible to accurately judge the level of risk to information. This article argues that the handling of disclosed personal information should be classified and discussed according to the different disclosure subjects, disclosure methods, and disclosure scopes. Specifically, the processing of illegally disclosed personal information is usually an infringement of legal interests and constitutes the crime of infringing on citizens' personal information. The processing of personal information that is voluntarily and fully disclosed does not require the consent of the information subject, and as long as it is not explicitly rejected or does not infringe on the material interests of the information subject, it does not have an infringement of legal interests; Where the information subject voluntarily discloses personal information within a specific scope, the perpetrator's handling of this information within that scope is not criminally punishable, and the information subject's authorization and permission should be obtained when processing beyond that scope. The handling of lawful and compulsory full disclosure of personal information is not punishable by criminal law, except where the information subject explicitly refuses or has a significant impact on his or her personal rights and interests; When handling personal information that is compulsorily disclosed within a certain scope in accordance with law, the consent of the information subject shall be obtained when they enjoy the right to dispose of it, and when the information subject does not have the right to dispose of such information, it shall not be processed, and when the information subject's right to dispose is incomplete, dual authorization shall be obtained.

References

[1] Cai Yun. The judicial connotation of citizens' personal information[J].People's Justice,2020(02).

[2] Zhang Yiran. The change of the right of "personal information" in the era of big data and the doctrinal limitation of criminal law protection: From the perspective of the dichotomy of "data property right" and "information self-determination right"[J].Politics and Law,2020(06).

[3] Chu Chencheng, Wei Peilin. Reasonable use of disclosed personal information from the perspective of criminal law: A discussion centered on the concept of personal autonomy law[J].Journal of Chongqing University of Posts and Telecommunications(Social Sciences),2023(5).

[4] Gao Fuping, Wang Wenxiang. The boundary of the crime of selling or providing citizens' personal information: from the perspective of the legal interests protected by the crime of infringing on citizens' personal information[J].Politics and Law,2017(02).

[5] Liu Yanhong. Infringement of Citizens' Personal Information Legal Interests: The Confirmation of Personal Legal Interests and New Rights——An Analysis from the Perspective of Personal Information Protection Law (Draft)[J].China Journal of Criminal Law,2019(05).

[6] Gao Chunan. Reanalysis and scope expansion of citizens' personal information from the perspective of criminal law[J].Chinese Journal of Criminal Law,2019(02).

[7] Wu Weiguang. Critique of the theory of privacy protection of personal data under big data technology[J].Politics and Law,2016(07).

[8] Jing Lijia. The natural turn of the crime of infringing on citizens' personal information in the environment of big data[J].Law Review,2018(02).

[9] Pi Yong, Wang Suzhi. Legal interests and harmful behaviors of personal information infringement in the environment of big data[J].Journal of Hainan University(Humanities and Social Sciences),2017(05).

[10] Yu Haisong. Adjustment of the criminal circle of the crime of infringing on citizens' personal information under the path of "criminal law first"[J].China Law Review,2022(06).

[11] Zhou Guangquan. Tsinghua Law Journal,2021(03).

[12] Wang Huawei. Criminal law protection of disclosed personal information[J].Legal Research,2022(02).

Producer: Zhang Yongjiang

Author: Ai Songxia, 2023 graduate student of law (law) at the Law School of Xiangtan University

Editor: Ai Songxia

Editor-in-charge: Liao Peilei

Review: Li Lan

WeChat public account| Hunan Provincial Criminal Rule of Law Research Association

Sina Weibo| @湖南省刑事法治研究会

Today's headlines| Hunan Provincial Criminal Rule of Law Research Association

Read on