法律翻译 | 用户个人信息被黑客攻击，企业应否担责？奥斯尼克诉Equifax案

译者 | 田薇 上海交通大学

一审 | TYQ 外交学院

二审 | 李正茂 香港大学

编辑 | 扎恩哈尔·阿黑哈提 新疆农业大学

责编 | 李薇 浙江工商大学

Owsianik v. Equifax Canada Co.

奥斯尼克诉Equifax案

[Overview]

【案情概述】

这是关于三起独立集体诉讼的上诉案。在此次上诉中，上诉人奥斯尼克试图将侵犯隐私权的构成要件应用于出于商业目的而收集和存储他人个人信息的被上诉人Equifax。上诉人认为被上诉人应当承担责任，原因在于其未采取足够措施保护信息而导致了第三方（“黑客”）非法访问或使用上诉人的个人信息。

[Decisions]

【判决结果】

安大略上诉法院最终裁定驳回这三项上诉。根据案件事实，被上诉人未采取任何可能侵犯原告隐私的行为。上诉人所指控的侵权行为是由未知的黑客实施的，法律上并无依据将黑客的行为归因于数据库被告。在上诉人的主张中，被上诉人的过错在于未能采取适当的措施保护上诉人免受黑客的侵权行为。被上诉人可能对未能保护上诉人存储的隐私负责，因为这涉及到过失、合同以及各种法律上的义务。然而，虽然被上诉人未能履行其基于合同以及法律规定应当对上诉人数据妥善保存的义务，但黑客对上诉人隐私的侵犯不能转化为被上诉人对上诉人隐私的侵犯。

（图片来源于网络）

[Analysis]

【法院论证】

Can Equifax be liable for the tort of intrusion upon seclusion?

Equifax可能对侵犯隐私权的侵权行为承担责任吗？

The tort of intrusion upon seclusion is one of several intentional torts which, when taken together, provide “broad protection of the plaintiff’s personal integrity and autonomy”.[1]Generally speaking, intentional torts require that the defendant engage in the proscribed conduct with a specified state of mind. 

侵犯隐私权的侵权行为是几种故意侵权行为之一，这些侵权行为综合起来“为原告的人格完整性（personal integrity）和自主性提供了广泛的保护”。一般来说，故意侵权要求被告以特定的心态实施被禁止的行为。

The elements of the tort of intrusion upon seclusion are laid down in Jones[1], at para. 71. I would describe them as follows:

• the defendant must have invaded or intruded upon the plaintiff’s private affairs or concerns, without lawful excuse [the conduct requirement];

• the conduct which constitutes the intrusion or invasion must have been done intentionally or recklessly [the state of mind requirement]; and

• a reasonable person would regard the invasion of privacy as highly offensive, causing distress, humiliation or anguish [the consequence requirement].

侵犯隐私权的构成要件已在Jones案中列明，见第71段。构成要件如下：

·被告无合法理由地侵犯了原告的私人事务或关注领域【行为要件】；

·实施侵入或侵犯行为是故意或过失的【主观要件】；

·一般理性人会认为侵犯隐私（的行为）是高度冒犯的，引起了痛苦、羞辱或苦恼【后果要件】。

In Jones, the conduct component of the tort was never in dispute. The defendant admitted that she had, without lawful excuse, taken advantage of her employment to look at the plaintiff’s banking records and related information on 174 occasions. On any definition, the defendant’s conduct amounted to a deliberate invasion by her of the plaintiff’s personal privacy.

在Jones案中，侵权行为的认定从无争议。被告承认，在没有合法理由的情况下，利用自己的职务地位查看了原告的银行记录和相关信息共174次。无论如何定义，被告的行为都构成对原告个人隐私的故意侵犯。

The conduct component is very much in issue in this case. Equifax stored the data and accessed and used the data for commercial purposes. That is not, however, the conduct which is alleged to have constituted the interference with the plaintiffs’ privacy. As set out above (at para. 23), the alleged intrusion occurred when:

The defendants failed to take appropriate steps to guard against unauthorized access to sensitive financial information involving the Class Members’ private affairs or concerns.

本案中，行为要件是非常有争议的。Equifax存储并以商业目的访问和使用该数据。然而，这并不是原告所称侵犯其隐私的行为。如上所述（见第23段），原告所指的侵犯行为发生在以下情形：

被告未能采取适当措施去防止未经授权的第三人访问涉及集体成员私人事务或关注领域的敏感财务信息。

On the allegation made, Equifax failed to take steps to prevent independent hackers from conduct that clearly invaded the plaintiffs’ privacy interests in the documents stored by Equifax. Equifax did not, however, itself interfere with those privacy interests. The wrong done by Equifax arose out of Equifax’s failure to meet its obligations to the plaintiffs to protect their privacy interests. Like the majority in the Divisional Court, I conclude the claim fails at this fundamental level. There is simply no conduct capable of amounting to an intrusion into, or an invasion of, the plaintiff’s privacy alleged against Equifax in the claim.

据指控，Equifax未能采取措施防止黑客实施明显侵犯原告存储在Equifax文件中的隐私的行为。然而，Equifax本身并未侵犯这些隐私利益。Equifax所犯的过错来源于未能履行保护原告隐私利益的义务。与上诉庭的多数意见一样，我认为指控在基本层面上就无法成立。在该指控中，原告声称Equifax存在的对其隐私的侵犯或侵入行为实际上并不存在。

Ms. Owsianik submits that her claim does allege an intrusion upon seclusion because she pleads that the defendant acted recklessly. Jones recognizes that recklessness will suffice to establish liability.

奥斯尼克女士认为被告存在侵犯隐私的行为，因为被告的行为属于过失行为。Jones案认可了过失行为足以承担责任。

Ms. Owsianik’s submission misunderstands the relationship between the two elements of the tort. The first element, the conduct requirement, requires an act by the defendant which amounts to a deliberate intrusion upon, or invasion into, the plaintiffs’ privacy. The prohibited state of mind, whether intention or recklessness, must exist when the defendant engages in the prohibited conduct. The state of mind must relate to the doing of the prohibited conduct. The defendant must either intend that the conduct which constitutes the intrusion will intrude upon the plaintiffs’ privacy, or the defendant must be reckless that the conduct will have that effect. If the defendant does not engage in conduct that amounts to an invasion of privacy, the defendant’s recklessness with respect to the consequences of some other conduct, for example the storage of the information, cannot fix the defendant with liability for invading the plaintiffs’ privacy.

奥斯尼克女士的观点误解了侵权行为的两个要件之间的关系。第一个要件，即行为要件，要求被告的行为构成对原告隐私的故意侵犯。禁止的心态，无论是故意还是过失，在被告实施被禁止的行为时就必须存在。这种心态必须与被禁止的行为相关。被告要么有意使构成侵入的行为侵犯原告的隐私，要么侵犯隐私的后果源自被告的过失。如果被告没有实施侵犯原告隐私的行为，被告的其它行为比如信息存储的过失不能令其承担对侵犯原告隐私的责任。

Intention is established if the defendant meant to intrude upon the privacy of the plaintiff or knew that it was a substantially certain consequence of the act which constitutes the intrusion. Recklessness, also a subjective state of mind, refers to the realization at the time the prohibited conduct is being done that there is a risk that the conduct will intrude upon the privacy of the plaintiffs, coupled with a determination to nonetheless proceed with that conduct. The degree of recklessness required to fix liability can vary and need not be addressed in these reasons.

故意的成立在于被告有意侵犯原告隐私，或者明知侵犯隐私是侵入行为的必然后果。而过失，也是一种主观心态，指的是在实施被禁止的行为时意识到这种行为可能会侵犯原告的隐私，却仍然决定进行这种行为。需要强调的是，确立责任所需的过失程度可以有所不同，而这并不需要在本文中详细讨论。

In summary, the claim brought against Equifax fails at the conduct component of the tort of intrusion upon seclusion. Equifax’s negligent storage of the information cannot in law amount to an invasion of, or an intrusion upon, the plaintiffs’ privacy interests in the information. Equifax’s recklessness as to the consequences of its negligent storage cannot make Equifax liable for the intentional invasion of the plaintiffs’ privacy committed by the independent third-party hacker. Equifax’s liability, if any, lies in its breach of a duty owed to the plaintiffs, or its breach of contractual or statutory obligations.

总之，对Equifax提出的指控在侵犯隐私权的行为要件上未能成立。Equifax对信息存储的过失在法律上不能构成对原告隐私利的侵犯。Equifax对其存储疏忽后果的过失并不能使其对黑客故意侵犯原告隐私承担责任。Equifax的责任（如果有的话）在于其违反对原告的义务，或者违反合同或法定义务。

Counsel on behalf of Ms. Owsianik submits that the extension of the tort from the actual intruder to entities who fail to adequately protect information in their possession is, like the recognition of the tort in Jones, an incremental development in the common law: Jones, at para.65. Counsel contends that the development is fully justified, given the state of the law in other jurisdictions, the realities of modern technology, the threats to individual privacy posed by the accumulation of large amounts of private information, and the absence of any effective remedy for persons whose information held in databases is accessed and used improperly.

奥斯尼克女士的代理律师提出，将侵权行为从实际入侵者扩展到未能充分保护其信息的实体（就像在Jones案中承认该侵权行为一样）是普通法逐步发展的一个方向：Jones，第65段。律师辩称，考虑到其他司法管辖区法律的现状、现代科技的发展、因大量私人信息积累带来的个人隐私威胁，以及对那些信息在数据库中被不当访问和使用的人缺乏有效救济的情况，这种发展是完全合理的。

I do not agree that extending liability for the commission of the intentional tort of invasion of privacy by a stranger to Equifax would amount to an incremental change in the law. The extension of the common law proposed in this submission would not be a small step along a well-established path, but would be a giant step in a very different direction.

我不认为将黑客故意侵犯隐私的侵权行为责任扩展到Equifax会构成法律上的逐步变化。这份意见中提出的普通法发展并非沿着已经确立的路径迈出的一小步，而是朝着截然不同的方向迈出的一大步。

On the alleged facts, Equifax did not unlawfully access any information. No one acting on Equifax’s behalf, or in consort with Equifax, did so. No one for whom Equifax could be held vicariously liable accessed any private information. A third-party stranger to Equifax accessed the information.

根据原告所指控的事实，Equifax并未非法获取任何信息，也没有任何代表Equifax行事或与Equifax合作的人实施此行为。任何能使Equifax承担间接责任的人都并未获取任何私人信息。获取这些信息的是与Equifax毫无关联的第三人。

To impose liability on Equifax for the tortious conduct of the unknown hackers, as opposed to imposing liability on Equifax for its failure to prevent the hackers from accessing the information, would, in my view, create a new and potentially very broad basis for a finding of liability for intentional torts. A defendant could be liable for any intentional tort committed by anyone, if the defendant owed a duty, under contract, tort, or perhaps under statute, to the plaintiff to protect the plaintiff from the conduct amounting to the intentional tort. The security guard who fell asleep on the job, recklessly allowing an assailant to assault the person who the security guard was obliged to protect, would become liable for battery. The garage operator who negligently, and with reckless disregard to the risk of theft, left the keys in a vehicle entrusted to his care, would become a thief if an opportunistic stranger stole the car from the garage parking lot.

在我看来，令Equifax就未知黑客的侵权行为而不是就其未能阻止黑客访问信息的行为承担责任，会为故意侵权行为的责任承担创造一个崭新且可能非常广泛的依据。如果被告负有基于合同、侵权或法定义务，就可能承担保护原告免受任何第三者故意侵权伤害的责任。在工作中睡着的保安，过失地让受自己保护的人遭受袭击，其需对袭击承担责任。如果车库管理员疏忽大意且（对于发生偷窃的风险）过于自信地将钥匙留在了其管理的车上导致车辆被偷走，他就会因此成为一个小偷。

（图片来源于网络）

Not only would the scope of intentional torts expand, that expansion would radically reconfigure the border between the defendant’s liability for the tortious conduct of third parties, and the defendant’s direct liability for its own failure to properly secure the information of the plaintiffs. 

不仅故意侵权行为的范围会扩大，这种扩展还会从根本上重新划定被告对第三方侵权行为承担的责任与被告对自身未能妥善保护原告信息的责任之间的界限。

The distinction between the two forms of liability is made clear in Fullowka v. Pinkerton’s of Canada Ltd., 2010 SCC 5, [2010] 1 S.C.R. 132. In that case, the plaintiffs sued Pinkerton’s (and others) who were responsible for mine safety during a violent strike. The plaintiffs alleged Pinkerton’s had failed to protect the victims who were killed in a bombing caused by a striker. 

这两种责任形式的区别在Fullowka v. Pinkerton’s of Canada Ltd.[1]一案中得到明确阐述。在该案中，原告起诉在一次激烈罢工期间负责矿山安全Pinkerton’s（以及其他人）。原告声称Pinkerton’s未能保护那些在罢工者引发的爆炸中死亡的受害者。

Cromwell J., for a unanimous court, explained the nature of Pinkerton’s’ potential liability, at paras. 16-17: The appellants do not allege that either Pinkerton’s or the Government actually inflicted the fatal injuries on the murdered miners; rather, they allege that Pinkerton’s and the government breached a duty to take reasonable care to prevent the harm inflicted by Mr. Warren [the bomber]. The Court of Appeal characterized this as a claim that Pinkerton’s and the government were liable for Mr. Warren’s tort (para. 98). This however is not the right way to frame the issue because it does not accurately reflect the appellants’ claims.

Cromwell法官在该案第16-17段解释了Pinkerton’s潜在的责任性质：“上诉人并未主张Pinkerton’s或政府对被害矿工造成实际上的致命伤害；相反，他们认为Pinkerton’s和政府违反了采取措施预防Warren（爆炸者）造成伤害的合理注意义务。上诉法院将此视为让Pinkerton’s和政府对Warren的侵权行为负责的诉请（第98段）。然而，这并不是问题的正确界定方式，因为它并没有准确地反映出上诉人的主张。”

We are here concerned with allegations of direct liability. Simply put, the appellants do not claim that Pinkerton’s and the government are responsible for Mr. Warren’s tort; the claim is that they were negligent in trying to prevent it. The appellants’ position is that primary liability should be imposed based on the fault of these two defendants. The question is not, therefore, whether these defendants are responsible for the tort of another, but whether they, in relation to another’s tort, failed to meet the standard of care imposed on them and thereby caused the ultimate harm.

“我们关注的是直接责任的指控。简而言之，上诉人并未主张Pinkerton’s和政府应对Warren的侵权行为负责，而是认为他们在防止侵权行为时疏忽大意。上诉人的立场是（认为）应基于两被告的过错对其施加主要责任。因此，问题并非是这些被告是否应对他人的侵权行为负责，而是在涉及第三人侵权的场合下是否未能履行应尽的注意义务并因此造成了最终的伤害。”

The words of Cromwell J. ring true here. On a reading of the actual allegations in the Statement of Claim, the real complaint against Equifax is that it failed to guard the information it was duty-bound to protect.

Cromwell法官的话用在这里很贴切。从诉状中的实际指控来看，对Equifax的真正控诉是它未能保护有义务去保护的信息。

The law relating to a defendant’s potential liability for the tortious conduct of “strangers” is well-developed in Canada and in England. That law will impose liability on Equifax if the plaintiff can show that Equifax had an obligation at tort, under contract, or perhaps under statute, to protect the private information stored in its database from access by third-party hackers, and failed to do so, thereby causing economic harm to the plaintiffs. The law as it exists properly fixes liability on the defendant for the defendant’s misconduct and provides remedies consistent with the remedies available in contract and negligence for that kind of misconduct. I am not persuaded there are deficiencies in the present law calling out for the drastic change endorsed by the appellant.

关于被告对第三人侵权行为可能负有潜在责任的法律，在加拿大和英国已经有了相当成熟的发展。如果原告能够证明Equifax基于侵权、合同或者法律有义务保护其数据库中存储的私人信息不被第三人获取但却未能这样做，从而给原告造成了经济损害，那么Equifax将会承担法律上的责任。现行法律妥善地对被告的不当行为施加了责任，并提供了与合同和此类不当行为的过失相一致的补救措施。我并不认为目前的法律存在上诉人提出的需要深刻变革的漏洞。

The appellant further argues that expanding the tort of intrusion upon seclusion the way she suggests is consistent with American caselaw. The parties in all three proceedings have referred to various American authorities said to support their respective positions on the expansion of the tort to include negligent Database Defendants.

上诉人进一步主张，按照她所建议的方式扩展侵犯隐私的侵权行为是符合美国判例法的。这三个诉讼中的当事人均提到了各种美国法先例以支持他们对将侵权行为扩展至包括疏忽大意在内的的数据库被告的立场。

There can be no doubt that the American jurisprudence has long recognized the right to privacy as important and worthy of the protection of tort law. It is equally clear that the analysis in Jones was heavily influenced by American commentary. However, as is often the case, the sheer quantity of American caselaw and the different statutory provisions at play in many of the cases, make it difficult to arrive at any generalized conclusion about the state of the law.

毫无疑问，美国法律界长期以来一直认可隐私权作为一项重要且值得通过侵权法予以保护的权利。同样明确的是，Jones案中的法院说理受到了舆论的极大影响。然而，像往常一样，大量的美国判例法和案件中涉及的不同法律条款，使得法官难以得出关于法律状态的一般性结论。

The American cases relied on by the appellants do affirm the importance of privacy rights and several of them affirm that a real injury can be suffered when there is a loss of privacy. The cases also make clear that a negligent actor can be held liable for reasonably foreseeable harms to which their actions give rise, including reasonably foreseeable intentional harms committed by independent third parties. This, however, does nothing to support the view that negligent parties in this position should also be held liable for the intentional torts.

上诉方所依赖的美国判例确实肯定了隐私权的重要性，其中一些案例也确认了在隐私丧失时可能导致真正的损害。这些案例也明确指出，疏忽行为者可以对自己或独立第三方行为导致的能够被合理预见到的损害负责。然而，这并不能支持在本案情况下疏忽方也应对故意侵权行为负责的观点。

In my view, the state of the American jurisprudence does not provide a justification for extending the tort to negligent database defendants.

在我看来，美国现有法律并不足以为将侵权行为扩展至疏忽的数据库被告提供理由。

Ms. Owsianik submits that the remedies available against Equifax in a claim based on breach of contract, negligence, or breach of a statute, are inadequate. She contends that just as in Jones, she and her fellow victims are left in circumstances that “cry out for a remedy”: Jones, at para. 69.

奥斯尼克女士提出，法律针对Equifax基于合同违约、疏忽或违反法律的诉讼所提供的救济措施是不充分的。她认为，就像在Jones案中一样，她和其他受害者被置于“迫切需要救济”的境地。

In Jones, the plaintiff had no remedy of any kind against the defendant who had intentionally invaded her privacy. Ms. Owsianik and the other class members have a remedy against the hackers who intentionally invaded their privacy.

They can sue for invasion of privacy. No doubt, they face a very real problem. In most cases it will be impossible to identify, much less sue, the hackers. The inability to sue the actual hackers is not, however, justification for creating a remedy against a different defendant who has committed a different tort for which the plaintiffs have all the usual remedies available to them. The inability to successfully sue the hacker is no reason to make a Database Defendant liable, not only for its own wrongdoing, but also for the invasion of privacy perpetrated by the hacker.

在Jones案中，原告对于故意侵犯其隐私的被告并未获得任何救济。奥斯尼克女士和其他成员对那些故意侵犯其隐私的黑客享有救济措施。

他们可以起诉那些黑客侵犯自己的隐私。毫无疑问，他们面临着一个非常现实的问题。在大多数情况下，要想确定黑客的身份甚至去起诉黑客是不可能的。然而，在原告可以采取所有通常的救济措施的情况下，无法实际起诉黑客并不是针对另一位犯下不同侵权行为的被告创设救济措施的正当理由。无法成功起诉黑客并不是使数据库被告不仅为自己的不当行为负责还要为第三人侵犯隐私权承担责任的理由。

（图片来源于网络）

To award “moral damages” against Equifax for what is essentially its negligence or breach of contract runs contrary to the very purposes underlying the award of such damages. Moral damages are awarded to vindicate the rights infringed, and in recognition of the intentional harm caused by the defendant. These purposes are served only if the damages are awarded against the actual wrongdoer, that is the entity that invaded the privacy of the plaintiff.

判定Equifax就其实质上的疏忽或违约行为进行“精神损害赔偿”与创设此类赔偿的目的背道而驰。精神损害赔偿是为了维护被侵犯的权利，也是为了承认被告故意造成的伤害。只有让实际的不法行为者也就是真正侵犯原告隐私权的实体赔偿损失，精神损害赔偿的目的才能实现。

Ms. Owsianik and the other plaintiffs have remedies against Equifax. Those remedies are the same remedies available to anyone who can prove the claims advanced in tort, contract, and statute by the plaintiffs against Equifax.

奥斯尼克女士和其他原告对Equifax享有救济措施。这些救济措施与任何能够证明原告基于侵权、合同和法律对Equifax提出索赔的人可获得的救济措施相同。

The plaintiffs’ “no remedy” argument really comes down to the assertion that because the remedies available in contract and negligence require proof of pecuniary loss, the plaintiffs who cannot prove pecuniary loss are left with no remedy. With respect, this is not what the court meant in Jones when it described the plaintiff as being without remedy. The plaintiffs here are in the same position as anyone else who advances the kind of claim the plaintiffs have advanced here. Because the claim sounds in negligence and contract, the plaintiffs must prove pecuniary loss. The plaintiffs’ position is miles away from the predicament faced by the plaintiff in Jones.

原告“没有救济”的论点实际上可归结为这样的主张：因为基于合同和疏忽的可得救济需要证明财产损失，无法证明财产损失的原告将无法获得救济。恕我直言，Jones案中所指的原告无法获得救济并不是此意。此处的原告和任何提出类似索赔的人处于相同的位置，因为索赔涉及到疏忽和合同，原告必须证明遭受了财产损失。原告的立场与Jones案中原告所面临的困境相去甚远。

While it cannot be said the plaintiffs are left without a remedy, it is true that the inability to claim moral damages may have a negative impact on the plaintiffs’ ability to certify the claim as a class proceeding. In my view, that procedural consequence does not constitute the absence of a remedy. Procedural advantages are not remedies.

虽然不能说原告没有救济措施，但无法提出精神损害赔偿确实可能会对原告将此诉讼证明为集体诉讼的能力产生负面影响。在我看来，这种程序上的后果并不等同于缺乏救济。程序上的优势也并非救济措施。

The plaintiffs have not made out the case for extending the tort of intrusion upon seclusion to Database Defendants whose negligent storage of information permits independent hackers to access that information. That is not to say that the risk to privacy presented by the accumulation of private information by Database Defendants is not real. It may be that existing common law remedies do not adequately encourage Database Defendants to take all reasonable steps to protect the private information under their control. Parliament and provincial legislatures have enacted legislation intended to protect informational privacy. It is certainly open to Parliament and the legislatures to expand these protections to provide for what Parliament and the legislatures might regard as more effective remedies against Database Defendants who do not take proper steps to secure the information under their control.

原告没有提出将侵犯隐私的侵权行为扩展到数据库被告的理由，这些被告因疏忽存储信息而造成独立黑客得以获取该类信息。这并不是说数据库被告累积私人信息不存在隐私风险。可能现有的普通法救济未能充分鼓励数据库被告采取一切合理措施保护其所掌控的私人信息。国会和各州议会已经颁布了旨在保护信息隐私的法律并且完全有可能扩大这些保护，以便提供更有效的救济措施，从而防止数据库被告不采取适当措施保护其控制的信息。

原文链接：

https://www.canlii.org/en/on/onca/doc/2022/2022onca813/2022onca813.pdf

注释