
Chapter 2: Protection of Customer Information under U.S. Law

National Chengchi University

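Customers' personal information mostly involves personal information privacy. Although the United States is one of the places where privacy law originated, its federal-level regime for protecting personal information privacy is highly fragmented. This thesis therefore analyzes and consolidates that country's many information privacy statutes and court decisions, in the hope of understanding the current state of its legal framework for personal information privacy.

Where customer information meets the requirements of a trade secret, it is protected under the U.S. Uniform Trade Secrets Act, the Economic Espionage Act, and the law of unfair competition. This thesis introduces the legal elements of these three bodies of law and the legal consequences of violating them, and compares the scope of the trade secrets they protect and the differences in their effects, so that enterprises expanding into the United States have a basis for compliance.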

Section 1: Protection of Personal Information Privacy

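In 1980, U.S. federal Justice Louis Brandeis offered a famous formulation of the right to privacy, "The Right To Be Let Alone": people have the right to be left in peace, so "not being disturbed" is the core value of the right to privacy. From birth to death a person takes part in countless social activities, and schooling, work, transactions, and social interaction all accumulate large amounts of personal information. Where such information has no bearing on national security or the public interest, the data subject may in principle decide whether to make it public or allow others to use it. Obtaining that information against the data subject's wishes and arbitrarily disclosing or misusing it, thereby disturbing the subject's life, is plainly an infringement of the subject's right to privacy. This is the origin of the right to data privacy, also called the "right to self-determination over personal data."[10]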

I. Protection of Personal Information Privacy under the U.S. Constitution

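Unlike Taiwan, U.S. law has not developed a single, stand-alone personal data protection code that first consolidates overarching guiding principles and then builds a cross-sector system of rules for data protection and processing. On the contrary, the federal-level regime for protecting personal information privacy in the United States is highly fragmented. Beyond the discussion at the constitutional level, one must also analyze numerous statutes and court decisions in order to draw a complete picture of that country's legal framework for personal information privacy.

[10] 陳銘祥、劉靜怡、蔡達智、戴豪君、吳兆琰、邱映儀, 科技與法律 (Technology and Law), pp. 64-65, September 2010.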

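At the constitutional level, the U.S. Supreme Court in Roe v. Wade recognized an individual's right to privacy in medical matters as a right conferred by the Constitution.[11] As for the handling of specific medical data, the Supreme Court stated in Whalen v. Roe[12] that, beyond the Fourth Amendment's protection of individuals against government surveillance of and intrusion into their private affairs, individuals have two further distinct privacy interests: first, an interest in avoiding the disclosure of personal matters (non-disclosure interest or informational seclusion), and second, an interest in making certain important decisions autonomously. The decision also noted: "Although building a database of medical records is not in itself necessarily unconstitutional, appropriate safeguards are required, and where personal data is collected on a large scale and compiled into a computerized database, a threat to privacy remains." It follows that patients' personal data (customer information) also falls within the scope of privacy protection.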

II. The Privacy Act

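In the United States, restrictions on the collection and use of personal information are set out in a great many different special statutes at both the federal and state levels. The more general federal statutes are the 1974 Privacy Act and the Freedom of Information Act, together with the 1988 Computer Matching and Privacy Protection Act.[13] These statutes are not limited to government departments: a Government controlled corporation, although a private-law legal person, still falls within their scope.[14] The Privacy Act defines personal data as any item or collection of information about an individual that is maintained by an agency. Such information includes (but is not limited to) the individual's education, financial transactions, medical history, and criminal or employment history, and contains the individual's name, identifying number, or other identifying particular, such as a fingerprint, voice print, or photograph.[15] It follows that the asset and credit status of customers in the financial industry, and the medical records of patients in the health care industry, all fall within the protection of the Privacy Act.

[11] 410 U.S. 113 (1973).

[12] 429 U.S. 589 (1977).

[13] On the specific content of information privacy rights in the United States, see Paul M. Schwartz and Joel R. Reidenberg, Data Privacy Law, 1996. Its discussion of federal legislation appears in Chapter 5 of that book.

[14] 5 U.S.C. § 552(f): For purposes of this section, the term— (1) “agency” as defined in section 551 (1) of this title includes any executive department, military department, Government corporation, Government controlled corporation, or other establishment in the executive branch of the Government (including the Executive Office of the President), or any independent regulatory agency.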

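The Act also provides that an agency may store personal information only to the extent that it is relevant and necessary to the purpose to be accomplished, and that data must be collected from the subject individual as far as possible. Records of personal data should strive to be accurate and complete, and appropriate administrative and technical safeguards must be established to ensure the security of personal data records.[16] In principle, the Act prohibits disclosing personal data records without the individual's written request or consent, subject to twelve exceptions,[17] for example disclosure to all federal law enforcement agencies and disclosure to the relevant government departments and to Congress. The most widely applied exception is "routine use," but such use must be "compatible" (compatibility) with the purpose for which the data was originally collected, the individual must be given actual notice, and the proposed routine use must be published in the Federal Register.[18]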

[15] 5 U.S.C. § 552a(a)(4): the term “record” means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph.

[16] 5 U.S.C. § 552a(e): Each agency that maintains a system of records shall—

(1) maintain in its records only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required to be accomplished by statute or by executive order of the President;

(2) collect information to the greatest extent practicable directly from the subject individual when the information may result in adverse determinations about an individual’s rights, benefits, and privileges under Federal programs;

(5) maintain all records which are used by the agency in making any determination about any individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness to the individual in the determination.

[17] 5 U.S.C. § 552a(b), Conditions of Disclosure.

[18] 5 U.S.C. § 552a:

(a) Definitions.— For purposes of this section—(7) the term “routine use” means, with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected.

(e) Agency Requirements.— Each agency that maintains a system of records shall—(4) subject to the provisions of paragraph (11) of this subsection, publish in the Federal Register upon establishment or revision a notice of the existence and character of the system of records, which notice shall include—(D) each routine use of the records contained in the system, including the categories of users and the purpose of such use.


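It follows that when an enterprise collects customer information, the information must be relevant and necessary to the purpose to be accomplished. For example, the financial industry is limited to investigating a customer's asset and credit status and may not investigate the customer's marital status or sexual orientation. The enterprise must also collect data from the individual as far as possible so that the personal data is accurate and complete, and must establish safeguards to protect the security of personal data records and prevent leaks. In addition, unless a statutory exception applies, customer data records may not be disclosed without the individual's written request or consent.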

Where an individual asks an agency to provide the personal data it holds concerning that individual and the agency refuses, a civil court may order the agency to provide it. Where an individual asks an agency to amend the personal data it holds concerning that individual and the agency refuses, the court may order the agency to amend it. Further, where an agency fails to safeguard personal data properly as the Act requires and the individual suffers harm as a result, the individual may claim damages in court.[19] Accordingly, when a patient asks a hospital to provide the patient's own medical records, or asks the hospital to correct an erroneous treatment record, and the hospital refuses, the patient may ask the court to order the hospital to provide the records or amend them. Likewise, where a hospital fails to adopt safeguards, medical records are leaked as a result, and the patient suffers harm, the patient may also hold the hospital liable for damages.

The Computer Matching and Privacy Protection Act, passed in 1988, amended the Privacy Act and added further procedural restrictions on data matching.[20] For example, the source agency and the recipient agency must first conclude a written agreement, a cost-benefit analysis must be carried out before matching, and each agency must first establish a Data Integrity Board. If, after matching, an agency intends to take adverse action against an individual, agency staff must first carry out independent verification; or, where the information is limited to the identification and amount of benefits and there is a high degree of confidence in the accuracy of the information provided, the agency must in either case notify the individual of its findings and give the individual an opportunity to contest their accuracy.[21] Accordingly, when hospitals, banks, and many other institutions cross-match the customer information each of them holds, they must all follow the procedures laid down by the Act in order to protect the individual's information privacy.

[19] 5 U.S.C. § 552a(g)

(1) Civil Remedies.— Whenever any agency

(A) makes a determination under subsection (d)(3) of this section not to amend an individual’s record in accordance with his request, or fails to make such review in conformity with that subsection;

(B) refuses to comply with an individual request under subsection (d)(1) of this section;

(C) fails to maintain any record concerning any individual with such accuracy, relevance, timeliness, and completeness as is necessary to assure fairness in any determination relating to the qualifications, character, rights, or opportunities of, or benefits to the individual that may be made on the basis of such record, and consequently a determination is made which is adverse to the individual; or

(D) fails to comply with any other provision of this section, or any rule promulgated thereunder, in such a way as to have an adverse effect on an individual,

the individual may bring a civil action against the agency, and the district courts of the United States shall have jurisdiction in the matters under the provisions of this subsection.

(2)

(A) In any suit brought under the provisions of subsection (g)(1)(A) of this section, the court may order the agency to amend the individual’s record in accordance with his request or in such other way as the court may direct. In such a case the court shall determine the matter de novo.

(B) The court may assess against the United States reasonable attorney fees and other litigation costs reasonably incurred in any case under this paragraph in which the complainant has substantially prevailed.

(3)

(A) In any suit brought under the provisions of subsection (g)(1)(B) of this section, the court may enjoin the agency from withholding the records and order the production to the complainant of any agency records improperly withheld from him. In such a case the court shall determine the matter de novo, and may examine the contents of any agency records in camera to determine whether the records or any portion thereof may be withheld under any of the exemptions set forth in subsection (k) of this section, and the burden is on the agency to sustain its action.

(B) The court may assess against the United States reasonable attorney fees and other litigation costs reasonably incurred in any case under this paragraph in which the complainant has substantially prevailed.

(4) In any suit brought under the provisions of subsection (g)(1)(C) or (D) of this section in which the court determines that the agency acted in a manner which was intentional or willful, the United States shall be liable to the individual in an amount equal to the sum of—

(A) actual damages sustained by the individual as a result of the refusal or failure, but in no case shall a person entitled to recovery receive less than the sum of $1,000; and

(B) the costs of the action together with reasonable attorney fees as determined by the court.

[20] Data matching means the electronic comparison of two or more records in order to find specific individuals who are recorded in more than one database.

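As for oversight of information use, the Privacy Act requires agencies to establish internal and external oversight mechanisms. Each agency must designate a Privacy Act Official to assess the agency's compliance with the Privacy Act. In addition, under the Computer Matching and Privacy Protection Act, the head of each agency must designate senior officials to serve as members of the Data Integrity Board, which reviews whether the agency's internal data matching activities involve any violation of law. Accordingly, in industries that handle large volumes of customer information, such as health care and financial services, the Data Integrity Board and the Privacy Act Official play a pivotal role: they must assess whether the enterprise's use of customer information complies with privacy-related laws and regulations, so as to avoid possible legal risk.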

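External oversight of agencies is exercised by the Office of Management and Budget and by congressional committees. The former only issues Guidelines and notices on the policy framework for information use; its main concern is the efficiency of information use, and it says little about information protection.[22] The latter, under the Privacy Act,[23] is responsible for receiving each agency's notices of proposals to establish or revise a system of records. In practice, this oversight work is carried out by the House Sub-Committee on Government Information.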

III. Legal Regimes Protecting Special Categories of Information

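Besides the provisions above, which regulate the collection and use of personal information in a uniform way, U.S. law also has special statutes governing different categories of information, and most of these statutes concern the collection and use of personal data by private entities. Because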