The Supreme People's Procuratorate released typical cases of personal information protection procuratorial public interest litigation

According to the official WeChat news of the Supreme People's Procuratorate, the Supreme People's Procuratorate released a batch of typical cases of personal information protection procuratorial public interest litigation on March 3.

On November 2021, 11, the Personal Information Protection Law came into effect, expressly authorizing the procuratorate to initiate public interest litigation in the field of personal information protection. It is understood that procuratorial organs across the country filed and handled more than 1,2022 personal information protection public interest litigation cases in 6000.

The typical cases released this time include 8 administrative public interest litigation cases involving the Xinwu District Procuratorate of Wuxi City, Jiangsu Province urging the protection of consumers' personal information in service venues, of which 4 are pre-litigation supervision cases of administrative public interest litigation. Procuratorial organs flexibly use methods such as pre-litigation consultations, public hearings, and procuratorial suggestions to urge administrative organs to perform their duties in accordance with law, and promote active rectification and reform of relevant illegal entities, fully reflecting the characteristics of giving play to the advantages of the administrative public interest litigation system, activating the efficiency of administrative law enforcement, and taking the purpose of safeguarding the public interest before litigation as the best judicial state. The Wangcheng District Procuratorate of Changsha City, Hunan Province urges administrative public interest litigation cases for the protection of personal biometric information, issues procuratorial recommendations to relevant administrative organs, and invites people's congress deputies, CPPCC members, volunteers, experts, and scholars to serve as hearing officers, to hold public hearings on matters such as whether administrative organs have fully performed their duties in accordance with law and whether the public interest has been effectively protected, eliminating the risk of leakage of citizens' personal information, and truly safeguarding the public interest.

These typical cases also reflect the strengthening of the coordinated performance of duties between criminal prosecution and public interest litigation prosecution, giving full play to the advantages of linkage, pursuing the criminal responsibility of the perpetrator in accordance with the law, pursuing the responsibility for public interest damages, and giving play to the unique value of the procuratorial public interest litigation system by putting forward demands such as stopping the infringement, eliminating the danger, and compensating for losses; Pay attention to traceability governance, and promote the solution of common and root cause problems within industries, fields, and systems.

The person in charge of the Eighth Procuratorate of the Supreme People's Procuratorate said that in the next step, the procuratorial organs will continue to increase the intensity of public interest litigation in the field of personal information protection, highlight the protection of personal information of key personnel and key areas, and strictly protect sensitive categories of information and the personal information of specific groups.

Protection of Personal Information

Typical cases of procuratorial public interest litigation

Contents

1. The People's Procuratorate of Xinwu District, Wuxi City, Jiangsu Province, urges the protection of consumers' personal information in service establishments in administrative public interest litigation

2. The People's Procuratorate of Wangcheng District, Changsha City, Hunan Province, urges the protection of personal biometric information in an administrative public interest litigation case

3. Huzhou City Procuratorate of Zhejiang Province v. Zhejiang G Tourism Development Co., Ltd. Civil Public Interest Lawsuit for Infringement of Citizens' Personal Information

4. The People's Procuratorate of Yichun City, Jiangxi Province urges the protection of medical and health personal information in administrative public interest litigation cases

5. Qingtongxia City People's Procuratorate of Ningxia Hui Autonomous Region sued Zhang Moumou and others for infringing on citizens' personal information in a criminal incidental civil public interest lawsuit

6. Shanghai Pudong New Area People's Procuratorate v. Zhang for infringing on citizens' personal information in a criminal incidental civil public interest lawsuit

7. The People's Procuratorate of Bao'an District, Shenzhen City, Guangdong Province, sued a certain person for infringing on citizens' personal information in a criminal incidental civil public interest lawsuit

8. The Dadong District People's Procuratorate of Shenyang City, Liaoning Province, urges the standardization of government affairs disclosure, personal information protection, and administrative public interest litigation cases

Case one

Wuxi City, Jiangsu Province

The Xinwu District People's Procuratorate urges protection

Personal information of consumers in service venues

Administrative public interest litigation

【Keywords】

Pre-litigation procedures for administrative public interest litigation Service venues Consumer sensitive personal information Digital technology

【Essence】

Procuratorial organs carry out special oversight of service venues' forced collection, non-encrypted transmission, illegal storage, or failure to regularly delete consumers' sensitive personal information, causing potential security hazards in information leakage, draft and issue pre-litigation procuratorial recommendations, urge functional departments to perform regulatory duties in accordance with law, and maintain the security of consumers' personal information.

【Basic facts of the case】

A gym in Xinwu District, Wuxi City, Jiangsu Province uses an information management system with functions such as face recognition and fingerprint recognition, and forces members to swipe their faces or enter fingerprints to enter. Because the management system adopts hierarchical layering, front-end and back-end separation and other technologies, consumers can only see the collected personally identifiable information on the front-end platform interface, and are not informed of the personal information collection list and authority. After some members explicitly refused face collection and recognition, the gym used the photo input system provided by the member when applying for a card as a face swipe entry and exit credential without authorization, and refused to delete the photo and other information on the grounds that the member requested to delete the photo and other information, which infringed the legitimate rights and interests of many consumers and harmed the public interest.

【Investigation and supervision of performance of duties】

On June 2022, 6, volunteers of the "Yixin for Gong" procuratorial cloud platform reported to the Xinwu District People's Procuratorate of Wuxi City, Jiangsu Province (hereinafter referred to as the Xinwu District People's Procuratorate) that a gym in Xinwu District had infringed on consumers' sensitive personal information. The Xinwu District People's Court used the public welfare damage risk prevention and control platform to investigate service venues prone to illegal collection of personal information through data cross-comparison and intelligent analysis, drew a "digital map" of risk prevention and control, and found 21 case leads in the city, including 16 cases involving Xinwu District. After preliminary investigation, the Xinwu District Court officially filed the case on August 5, 2022.

The Xinwu District People's Court introduced professional technical institutions to assist in the investigation and collection of evidence, inspected the information management system of the service site involved in the case, and issued expert opinions, believing that the system had security risks in the transmission and storage of personal information. In response to the necessity and reasonableness of the collection and storage of personal information by service venues involved in the case, invite public security, market supervision, third-party professional institutions, and so forth to hold discussion meetings. The Xinwu District People's Court held that in accordance with Articles 2022, 8 and 12 of the Personal Information Protection Law of the People's Republic of China and Article <>, Paragraph <> of the Provisions of the Supreme People's Court on Several Issues Concerning the Application of Law in the Trial of Civil Cases Related to the Use of Facial Recognition Technology to Handle Personal Information, consumers' faces, fingerprints, etc. are biometric sensitive personal information, and the service venues involved in the case are public places, which are not necessary to maintain public safety and have not obtained the consumer's separate consent, and are compulsorily collected, non-encrypted transmission, The illegal storage and failure to regularly delete sensitive personal information has harmed the legitimate rights and interests of many consumers. In accordance with Articles <> and <> of the Personal Information Protection Law of the People's Republic of China, Article <>, Article <>.<>, and Article <>.<>.<> of the Law of the People's Republic of China on the Protection of Consumer Rights and Interests, on August <>, <>, the Xinwu District People's Court issued a pre-litigation procuratorial recommendation for administrative public interest litigation to the Xinwu District Market Supervision Administration, urging the service venues involved in the case to be handled in accordance with the law, and earnestly performing their duties to protect the legitimate rights and interests of consumers; Carry out industry regulation and rectification, increase supervision efforts, and establish long-term mechanisms to prevent similar illegal acts.

After receiving the procuratorial recommendations, the Xinwu District Market Supervision Administration conducted collective conversations with the five service venues involved in the case, ordered corrections, organized and carried out special law enforcement actions, and established regular inspections, interviews, notifications and other regulatory mechanisms. The service venues involved in the case promptly rectify the situation, change the way they enter the venue, employ security measures to transmit and periodically delete personal information, and report the management of personal information to the regulatory departments.

The Xinwu District People's Court and the District Market Supervision Administration carried out a "retrospective", carried out on-site acceptance, and confirmed that the service venues involved in the case were rectified and corrected. At the same time, the Xinwu District People's Court transferred the other 11 case leads to the Wuxi Municipal People's Procuratorate (hereinafter referred to as the Wuxi Municipal People's Procuratorate). The Wuxi Municipal People's Court carried out special supervision activities on the protection of citizens' personal information in service venues, organizing the city's procuratorial organs to investigate 126 service venues such as gyms and supermarkets, supervising and rectifying 56 problem venues, deleting more than 9300,3000 pieces of illegally collected information, and publicizing more than <>,<> times to business operators and consumers, effectively ensuring the security of citizens' personal information.

【Typical significance】

The amount of information collected by public service places such as gyms and supermarkets is large, wide-ranging, and sensitive, and supervision is not in place, which will seriously endanger the personal and property safety of many consumers. In this case, the procuratorial organs actively played their public interest litigation procuratorial functions, using digital technology to solve difficult problems such as the discovery of clues, investigation and evidence collection, and damage determination in the field of citizens' personal information protection through methods such as "professional evidence collection + special demonstration + expert opinion", formulated and issued pre-litigation procuratorial recommendations, carried out special supervision, urged administrative organs to perform their duties in accordance with law, promoted the standardized collection, transmission, storage, and deletion of personal information by service venues, strengthened data security management and control, and promoted the protection of the entire chain of personal information.

Case 2

Changsha City, Hunan Province

Urged by the Wangcheng District People's Procuratorate

Protect personal biometric information

Administrative public interest litigation

【Keywords】

Administrative Public Interest Litigation Pre-litigation Procedures Personal biometric information Principles for processing personal information Public hearings

【Essence】

In response to issues such as excessive collection of personal biometric information such as fingerprints and facial recognition in the construction of informatization, and failure to implement a graded network security protection system, procuratorial organs clarify the connotation and extension of the "legality, propriety, necessity, and creditworthiness" principles of personal information processing, clarify the legally-prescribed duties of each functional department, urge them to fully perform their duties in accordance with law, coordinate and link, eliminate the risk of citizens' personal information leakage, and truly preserve the public interest.

　　【基本案情】

　　湖南省长沙市望城区卫生健康局(以下简称区卫健局)为推进数字化门诊建设，自2019年7月12日起，要求长沙市望城区辖区内17家医疗卫生机构陆续使用电子签核系统推送疫苗接种知情告知书，疫苗受种者或监护人点击“同意”时系统自动采集指纹和人脸识别信息，收集电子数据的存储及主机均由各社区卫生服务中心管理。截至2022年3月11日，上述机构共收集83万余条涉及指纹、人脸识别等个人生物识别信息。

　　【调查和督促履职】

　　2022年2月11日，湖南省长沙市望城区人民检察院(以下简称望城区院)接到群众举报，反映自己和孩子的指纹和人脸等个人生物识别信息被医疗卫生机构过度收集，存在泄露风险。望城区院经初步调查确认属实，遂于2022年3月19日、5月16日分别对望城区卫健局、长沙市公安局望城分局(以下简称区公安分局)立案调查。

　　望城区院通过现场勘验、委托第三方单位对电子签核系统进行安全检测、调取相关书证与电子数据、询问相关人员、咨询专业人员等方式进行调查取证，查明：根据《中华人民共和国个人信息保护法》第五条、第六条、第二十八条至第三十条的规定，望城区17家医疗卫生机构违反个人信息处理的合法、正当、必要和诚信原则，过度收集服务对象指纹和人脸等个人生物识别信息，未按要求解决电子签核系统的弱口令、数据未加密等安全漏洞，未能防患未经授权的访问及个人信息泄露、篡改、丢失等高风险，未落实网络安全等级保护制度要求，对敏感个人信息保护的内部管理不到位。望城区卫健局和区公安分局对上述医疗卫生机构收集、处理敏感个人信息活动未尽到监管职责。

　　2022年5月11日、16日，望城区院分别向区卫健局、区公安分局送达行政公益诉讼诉前检察建议，建议区卫健局改进征求知情同意的方式，避免过度收集指纹或人脸识别信息等个人生物识别信息；完善技术和管理措施，防止未经授权的访问及个人信息泄露、篡改、丢失。建议区公安分局对17家医疗卫生机构未履行网络安全等级保护责任的行为依法处理。同时将上述检察建议抄送望城区网信部门。

　　望城区卫健局、区公安分局收到检察建议后高度重视，部署开展了专项行动。望城区卫健局认真进行调研，研究解决方案，并向长沙市卫生健康委员会(以下简称市卫健委)专题汇报，长沙市卫健委以望城整改方案为蓝本推进全市医疗卫生机制规范、合法处理个人信息。望城区公安分局召开专门网络安全会议，对全区医疗卫生机构进行网络安全检查。望城区卫健局、区公安分局召集医疗卫生机构、系统开发单位、网络安全检测公司、区数据中心等单位多次召开座谈会，望城区院和区委网信办受邀参会。截至2022年6月10日，全区23家单位均已完成电子签核系统升级，取消生物识别信息功能；21家单位已彻底删除既往数据，并按照保密文件要求将已收集个人生物识别信息交区疾控中心代为封存保管，疫苗有效期满后进行硬盘格式化删除；升级后的电子签核系统完善了内部信息安全管理制度、加强系统物理隔离、对数据传输和存储加密保护、新增限制授权访问等安全防护措施，信息安全等级保护经专家评定为1级，系统改为局域网内部运行，于2022年8月初在全区正式启用。

　　2022年8月8日，望城区院跟进监督发现，升级后的电子签核系统采用电子屏签字的方式确认接种告知并在局域网运行；收集的电子签字、疫苗接种等个人信息已加密；已收集的个人生物识别信息已在医疗卫生机构彻底删除。上述整改方式在全市范围内推广已显成效。同年8月11日，该院组织召开听证会，邀请人大代表、政协委员、“益心为公”志愿者及专家学者担任听证员，与会人员一致认为行政机关已采取积极有效措施全面履职，敏感个人信息被侵害的重大风险已消除。

　　【典型意义】

　　检察机关聚焦民生关切，依法能动履行公益诉讼检察职能，通过现场勘验和委托安全检测等智慧检察手段，发现公益事业单位个人信息保护安全风险，督促行政机关对过度收集的个人生物识别信息数据采取“备份封存+本地彻底删除+到期彻底删除”方式消除安全风险，并进行“电子签核系统升级改造+网络安全等级保护”技术整改，平衡好个人信息保护与公共事务管理中个人信息合理利用的关系，充分实现“互联网+”与公共卫生服务领域保障数据信息安全的良好结合，推动加强个人信息保护与公共卫生服务信息化建设的协同发展。通过办案将个人信息处理“合法、正当、必要和诚信原则”的内涵和外延予以具体化，落实网络安全等级保护制度，推动相关法律制度在司法办案中落地见效。

案例三

　　浙江省湖州市检察机关诉

　　浙江G旅游发展有限公司

　　侵害公民个人信息

　　民事公益诉讼案

　　【关键词】

　　民事公益诉讼 游客个人信息 人脸识别 数据删除

　　【要旨】

　　检察机关针对景区违法采集游客人脸信息的情形，坚持上下联动、一体化推进，督促行政机关加强监管，促使景区运营企业合法合规收集、使用和存储人脸信息数据，开展人脸信息数据删除现场勘验，充分保障游客的知情权和选择权等合法权益，切实保护游客个人信息安全。

　　【基本案情】

　　A景区由浙江G旅游发展有限公司(以下简称G公司，其控股股东是某国有公司)负责实际运营。2020年7月，A景区通过招标委托浙江H科技有限公司(以下简称H公司)建设完成人脸识别系统，并投入运行。系统使用期间，A景区在采集游客人脸信息时未依法履行告知义务，存在强制要求购票游客录入人脸信息、“刷脸”入园的情形，且景区未对采集到的人脸信息定期予以删除，致使游客个人信息被侵害，损害了社会公共利益。

　　【调查和督促整改】

　　2021年10月，最高人民检察院(以下简称最高检)根据志愿者反映，将A景区要求游客“刷脸”入园、涉嫌侵害游客人脸信息的线索交由浙江省人民检察院(以下简称浙江省院)办理。2021年11月初，湖州市人民检察院(以下简称湖州市院)、湖州市南浔区人民检察院(以下简称南浔区院)联合成立专案组对该线索立案调查，对A景区人脸识别系统前端完成电子取证。经调查发现，A景区现场购票除要求游客提供身份证外，还要求游客进行“刷脸”认证，且未告知“刷脸”入园的必要性及后续如何处理刷脸信息，对游客人脸信息储存和使用缺乏具体制度规范。同年11月12日，浙江省院、湖州市院、南浔区院会同当地旅游度假区管委会、G公司等景区运营主体，同时邀请了浙江省消费者权益保护委员会相关工作人员和法律专家，围绕涉案人脸信息被侵害问题召开磋商会，就G公司删除景区前期采集储存的人脸信息数据，规范人脸信息的收集和使用等事项达成共识。同时，湖州市院与湖州市网信办开展磋商，网信部门对G公司提出整改要求。同年11月18日，湖州市院向G公司制发检察建议，督促G公司积极整改，确保依法运营。

　　2021年11月24日，G公司回复检察机关称，已委托H公司通过远程操作，将景区违规收集储存的人脸信息数据进行删除。为确保删除工作符合规范，切实维护公民信息安全，浙江省院组织技术力量会同办案人员赴现场开展技术勘验，湖州市院邀请人大代表、人民监督员进行现场见证。在相关人员的监督下，A景区前期采集、储存游客人脸信息共计120万余条完全删除。同时，G公司已建立起人脸信息采集和使用的制度规范。目前，景区门口和购票处已设置告知牌，告知游客“刷脸”入园的相关事项，征求游客意愿，游客可以自由选择人脸识别、购买纸质门票、网络购票等多种方式进入景区。对于采用人脸识别进入景区的游客，景区会根据游客入园的需要合理设置人脸数据删除的期限，并在游客游玩结束后自动删除人脸信息，确保游客人脸信息安全。

　　【典型意义】

　　人脸信息属于敏感个人信息，一旦被泄露或者非法使用，容易导致人格尊严受到侵害或者人身、财产安全受到危害。本案中，景区违法采集游客人脸信息，严重侵害了游客个人信息安全，检察机关充分发挥一体化办案优势，坚持依法办案与服务营商环境、个人信息保护与景区智能化建设有机结合，融合社会公众力量共同参与监督，督促行政机关加强监管，促使信息处理者依法整改，建立合规体系，在提升景区管理智能化水平的同时，推动形成个人信息保护合力，实现办案效果最优化。

　案例四

　　江西省宜春市人民检察院

　　督促保护医疗健康个人信息

　　行政公益诉讼案

　　【关键词】

　　行政公益诉讼诉前程序 医疗健康个人信息 保险营销 行业治理

　　【要旨】

　　针对医疗机构非法向保险代理机构提供患者医疗健康信息进行保险营销的行为，检察机关可以通过诉前检察建议督促行政机关依法履职，消除个人信息泄露隐患，推动行业规范治理，切实保护公民个人信息安全。

　　【基本案情】

　　2021年以来，部分保险代理机构与江西省宜春市中心城区5家大型医院达成协议，由保险代理机构在合作医院推销相关保险产品。部分保险代理机构业务人员在推销保险产品过程中，为精准销售“手术意外险”等险种，通过合作医院违法获取大量患者的姓名、手术类型、联系电话等医疗健康信息，对相关患者进行保险推销，患者不堪其扰。该行为严重侵害患者的合法权益，损害了社会公共利益。

　　【调查和督促履职】

　　2022年2月，江西省宜春市人民检察院(以下简称宜春市院)收到群众举报，称其家属办完住院手续后，有保险代理机构业务人员向其推销“手术意外险”。宜春市院立案办理并进行全面摸排核实，一是查明医疗健康信息泄露源头。通过走访宜春市中心城区各大医院，了解医院与保险代理机构签订合作协议情况，并初步核实保险代理机构业务人员通过医院手术科室护士站查询病人纸质病历或登录病历管理系统违法获取大量患者医疗健康信息(包括病人姓名、身份证号、联系方式、手术类型等)的情况。二是通过大数据比对分析，发现保险代理机构业务人员手机通话记录与患者办理住院手续时间点相吻合，手机通话的先后顺序反映患者在办理住院手续后不久即会接到保险代理机构业务人员电话，进一步印证了患者个人信息泄露的事实。

　　宜春市院审查认为，根据《中华人民共和国个人信息保护法》《医疗机构病历管理规定》等法律法规，医疗健康等信息属于敏感个人信息，未经公民本人同意，或未具备具有法律授权等个人信息保护法规定的理由，医院向保险代理机构提供患者医疗健康信息，改变了公民公开个人信息的范围、目的和用途，不属于法律规定的合理处理；保险从业人员收集、使用获取的医疗健康信息从事保险营销违反国家规定，侵害了不特定多数患者个人信息权利。卫生健康部门对侵害医疗患者个人信息的行为负有监管职责。

　　2022年7月8日，宜春市院向宜春市卫生健康委员会(以下简称宜春市卫健委)制发行政公益诉讼诉前检察建议，要求其依法处理相关医院，采取有效整改措施，及时堵塞患者个人信息保护漏洞；加强日常监管，对本辖区范围内所有医疗机构开展全面清查；加强个人信息保护宣传教育，切实增强医护人员关于患者个人信息的保护意识。

　　宜春市卫健委收到检察建议后，组织召开加强患者诊疗信息安全管理工作部署会，督促5家涉案医院限期整改，制定出台《第三方保险业务关于患者医疗健康信息的保密规定》，明确规定保险代理机构业务人员接触患方时间、不得私自提前与患方联系等，并规范患者诊疗信息查询程序，堵塞信息泄露漏洞。同时，宜春市卫健委在全市439家医疗机构部署开展为期一个月的患者诊疗信息安全专项整顿活动，共发现并整改重大信息安全隐患37个，推动建立风险防范机制256项，组织12994名医务人员分期分批参加患者诊疗信息安全培训，进一步增强医疗健康信息保护意识，筑牢公民个人信息安全防护网。

　　【典型意义】

　　医疗健康信息属于可能影响公民人身、财产安全的敏感个人信息。本案中，医疗机构违反法律规定的合法、正当、必要和诚信的原则，未经患者同意向保险代理机构提供相关个人信息，严重侵害公民个人信息安全和合法权益，扰乱了社会公共秩序。检察机关运用大数据比对等方式全面调查取证，依法发出检察建议，督促行政机关查处医疗机构违法违规行为，并通过开展专项整顿、安全培训等方式，堵塞医疗健康信息安全漏洞，推动医疗机构、医疗从业人员增强风险防范意识，强化行业自律，健全医疗健康信息保护长效机制。

　案例五

　　宁夏回族自治区

　　青铜峡市人民检察院诉

　　张某某等人侵犯公民个人信息

　　刑事附带民事公益诉讼案

　　【关键词】

　　刑事附带民事公益诉讼 股民个人信息 电信网络诈骗 公益损害赔偿金 二审改判

　　【要旨】

　　针对非法利用信息网络侵害众多公民个人信息违法行为，检察机关可以提起刑事附带民事公益诉讼，依法追究行为人的刑事与民事双重责任，对侵犯公民个人信息违法犯罪行为起到有效震慑作用，有力维护法律权威尊严、社会公平正义和社会公共利益。

　　【基本案情】

　　张某某非法获取股民电话号码、相关证券公司信息及创建虚假股票投资微信群码，提供给吴某“吸粉引流”话务团伙用于电信网络诈骗。2020年11月至2021年5月，吴某组织“吸粉引流”话务团伙10余人先后在宁夏青铜峡、湖北武汉、湖北鄂州租住房屋，冒充相关证券公司客服拨打客户电话5万余次，为200多个涉电信网络诈骗群“吸粉引流”14130人。每拉1人进群视为做成一单，每单获利10元不等。吴某自组织“吸粉引流”话务以来，收到上线张某某扣除每单获利后转账资金703142.7元，其在扣除每单获利后按照下线做成单数将款层层转至下线人员。公安机关以张某某等人非法利用信息网络罪移送检察机关审查起诉。

　　【调查和诉讼】

　　2021年9月10日，宁夏回族自治区青铜峡市人民检察院(以下简称青铜峡市院)在办理张某某等人非法利用信息网络罪一案过程中，发现该案存在侵犯众多公民个人信息行为，可能损害社会公共利益。2021年10月8日，青铜峡市院依法以刑事附带民事公益诉讼立案。检察机关经审查认为：违法所得是行为人实施违法犯罪活动而获取的不法财物，依法应予追缴；公益损害赔偿是行为人因实施民事侵权行为对社会公共利益造成损害应承担的民事赔偿责任。追缴违法所得与公益损害赔偿的责任性质、侵害主体均不同，追缴违法所得和承担公益损害赔偿可以同时适用。2021年11月29日，青铜峡市院向青铜峡市人民法院提起刑事附带民事公益诉讼，请求依法判令各被告删除所有非法获取的公民个人信息，解散、删除创建的微信群，消除潜在的公民信息泄露风险，依据违法所得数额支付公益损害赔偿金，并在国家级媒体上向社会公众赔礼道歉。

　　开庭审理时，一审法院结合公安机关补充侦查结果，认定被告张某某等16人为实施电信诈骗等违法犯罪发布信息，违法所得数额为739581.08元，其行为构成非法利用信息网络罪，应依法判处有期徒刑，没收违法所得并处罚金。刑事没收违法所得与民事公益损害赔偿金属于双罚，同时适用加重了对被告的惩罚，仅支持在国家级媒体公开道歉、删除信息和解散微信群的诉讼请求。一审宣判后，被告人朱某、王某某对刑事判决不服提出上诉。青铜峡市院认为一审判决对公益损害赔偿金不予支持，混淆了刑事责任与民事责任的界线，属适用法律错误，经请示吴忠市人民检察院同意，于2022年2月21日依法提出上诉。

　　2022年6月7日，吴忠市中级人民法院经开庭审理后，对朱某、王某某当庭提出的撤诉请求，裁定准许撤诉，并作出二审判决，认为检察机关起诉要求民事赔偿，符合法律规定。原判追缴各被上诉人违法所得与附带民事公益诉讼起诉人要求承担民事赔偿责任并不矛盾，各被上诉人被追缴违法所得，再行承担民事赔偿责任，不属于重复赔偿，一审判决适用法律错误，应予纠正。同时认定张某某等16人犯非法利用信息网络罪事实清楚，证据确实、充分，定罪准确，量刑适当，维持原判。以犯非法利用信息网络罪判处张某某等16人七个月至一年六个月有期徒刑不等，没收违法所得，并处3千元至6千元罚金不等；依法支持检察机关公益诉讼损害赔偿金诉请，判决各被告按照没收的违法所得金额承担民事赔偿责任，共计赔偿损失739581.08元。目前，案件已进入执行程序。

　　【典型意义】

　　侵犯公民个人信息犯罪严重危害公民个人信息安全，易引发电信网络诈骗等衍生犯罪，社会危害性较大。本案中，检察机关充分发挥刑事、公益诉讼检察职能联动优势，依法对非法利用信息网络犯罪提起刑事附带民事公益诉讼，追究违法行为人的刑事与民事双重责任，追缴违法所得并承担民事公益损害赔偿金，对非法获取、使用公民个人信息的行为形成惩治震慑，实现了“三个效果”的有机统一。

案例六

　　上海市浦东新区人民检察院

　　诉张某侵犯公民个人信息

　　刑事附带民事公益诉讼案

　　【关键词】

　　刑事附带民事公益诉讼 客户订单个人信息 公益损害赔偿金 调解

　　【要旨】

　　检察机关在办理涉网络的侵犯公民个人信息刑事案件时，对侵害众多个人信息权益的，可依法提起刑事附带民事公益诉讼，诉请被告承担停止侵害、消除危险、赔偿损失等民事责任。相关公益损失难以直接计算的，按照侵权人通过网络交易获得的利益确定赔偿金额。

　　【基本案情】

　　2021年7月下旬，张某通过网络技术手段非法侵入某软件公司计算机信息系统，获取该公司系统内客户订单信息6万余条。客户订单信息中包含消费者姓名、手机、住址、交易记录等信息。之后，张某将上述个人信息出售给他人，并在暗网获利人民币38760元。因客户交易信息泄露，某软件公司被第三方交易平台索赔，部分客户接到诈骗电话，众多消费者面临诈骗风险，公共利益处于持续受损状态。

　　【调查和诉讼】

　　上海市浦东新区人民检察院(以下简称浦东区院)通过上海市检察机关“公益诉讼全息办案智能辅助系统”发现张某侵犯公民个人信息线索。2021年12月8日，浦东区院以张某侵犯公民个人信息刑事附带民事公益诉讼立案。检察机关统筹发挥刑事检察与公益诉讼检察职能作用，引导公安机关调取某软件公司被索赔、消费者接到诈骗电话及张某通过网络交易获利等证据，证明张某实施违法侵权行为、社会公共利益受损及二者存在因果关系。

　　2022年1月24日，浦东区院以张某犯侵犯公民个人信息罪向浦东新区人民法院提起刑事附带民事公益诉讼，诉请判令张某在国家级新闻媒体上对其侵犯公民个人信息的行为公开赔礼道歉，删除保存在阿里云等存储介质内的公民个人信息数据，并按其侵犯公民个人信息的获利赔偿人民币38760元。

　　2022年3月2日，浦东新区人民法院公开开庭审理本案。围绕公益损害与私益损害的区别及违法所得的庭审焦点，浦东区院认为，张某窃取及转卖行为导致众多消费者人身财产损失风险及个人信息保护秩序的破坏，无法通过张某与技术公司赔偿等私益赔偿得以实现。通过提起公益损害赔偿可以更好地修复受损公益，起到惩罚及预防违法行为的作用。根据《中华人民共和国民法典》第一千一百八十二条规定，赔偿数额按照被侵权人因此受到的损失或者侵权人因此获得的利益予以确定。据此检察机关认定张某应赔偿数额为通过网络获利的金额人民币38760元。在浦东新区人民法院主持下，张某认可检察机关附带民事公益诉讼提出的诉讼请求，双方达成调解。

　　2022年6月1日，浦东新区人民法院在互联网上公告调解协议，公告期满后未收到任何意见或建议。2022年7月1日，浦东新区人民法院作出调解书。张某已按照调解书内容履行全部诉讼请求。2022年8月12日，浦东新区人民法院判决被告人张某犯侵犯公民个人信息罪，判处有期徒刑三年、缓刑四年，并处罚金。

　　【典型意义】

　　通过非法入侵计算机系统的方式获取大量公民个人信息并通过网络出售牟利，是侵害众多公民个人信息权益的一种表现形式。本案中，检察机关在依法追究其刑事责任的同时，通过公益诉讼追究侵权人应承担的民事责任，体现保护公益、全面追责的独特价值。检察机关在提起附带民事公益诉讼时，可提出停止侵害、删除数据、赔偿损失等诉请。公益诉讼损害赔偿是建立在维护个人信息安全秩序基础上对受损公益提出的补偿。针对网络侵害的特点，相关公益损失难以直接计算的，可以按照侵权人通过网络交易获得的利益确定公益损害赔偿金额，对于办理同类案件具有一定的借鉴意义。

　案例七

　　广东省深圳市

　　宝安区人民检察院诉付某等人

　　侵犯公民个人信息

Criminal incidental civil public interest litigation

【Keywords】

Criminal incidental civil public interest litigation Express bill personal information Data collection tools Enterprise data compliance

【Essence】

Where internal employees of leading enterprises in the express delivery industry use their work convenience to leak information, and a large number of citizens' personal information is infringed due to the poor management of the express delivery industry's data collection tool "bagun", the procuratorial organs pursue the civil liability of violators with criminal incidental civil public interest litigation, and urge enterprises to standardize the collection and management of sending and delivery user information in accordance with the law through the formulation and issuance of social governance procuratorial recommendations, and comprehensively maintain the security of users' personal information.

【Basic facts of the case】

Since October 2020, 10 people, including Fu Mou, the supervisor of the business point of a courier company and the warehouse manager, have used their position to inquire about the courier tracking number corresponding to the specified mobile phone number through the supervisor account of the business point, and then sent the courier tracking number to the purchaser through the mobile phone photo, and the purchaser obtained all the information of the courier tracking number in a courier company through the "Ba Gun" (express industry data collection tool), including the name of the sender, contact information, delivery address, item information, etc., seriously violating the security of citizens' personal information. It harms the public interest.

【Investigation and Litigation】

The Bao'an District People's Procuratorate of Shenzhen Municipality, Guangdong Province (hereinafter referred to as the Bao'an District People's Procuratorate) discovered clues in a criminal case in a civil public interest lawsuit involving infringement of citizens' personal information by eight people including Fu in a criminal case. The public interest litigation procuratorial department gave full play to the advantages of integrated case handling, participated in the investigation of criminal cases throughout the process, clarified the evidence chain, fully grasped the illegal facts of Fu and other 8 people and the damage to social public interests, and visited a courier company several times to understand its daily supervision mode and operation process.

In August 2021, the Bao'an District People's Court filed a criminal incidental civil public interest lawsuit in accordance with the law, requesting that Fu and eight others be ordered to pay 8,8.240183 yuan in compensation for their infringement of citizens' personal information. After trial, the people's court rendered a judgment in May 08, upholding all the claims of the Bao'an District People's Court, and sentenced Fu and the other eight to fixed-term imprisonment ranging from 2022 months to 5 years and fines for the crime of infringing on citizens' personal information; The judgment was made to pay a total of 8,8.240183 yuan in public interest litigation damages to 08 others. At present, Fu and other 8 people have paid the public interest litigation compensation in full.

During the handling of the case, the Bao'an District People's Court found that the express delivery industry generally had problems such as excessive authority settings, low security levels of account and password of the order check system, and inadequate management of "bagun". As a leading enterprise in the express delivery industry, although a courier company has taken a variety of security measures, there is still room for improvement in hardware setting and risk control of management processes. On October 2022, 10, the Bao'an District People's Court issued a procuratorial recommendation to a courier company, suggesting that it rectify and manage the management loopholes of personal information involved in the case, and standardize personal information collection and management measures in accordance with the law.

After receiving the inspection suggestions, a courier company actively carried out rectification and hired a professional institution to sort out the whole process of personal information leakage risk points. The first is to optimize the confidentiality system of users' personal information, implement confidential content, refine confidentiality links, and clarify confidentiality responsibilities. Strictly set up the inquiry and access rights of employees at different levels, and implement the "account responsibility system"; Second, according to the service scope or service object, assign the minimum required data access rights of internal personnel, and the courier can only query the relevant address information of its service customers, and hide the customer's real mobile phone number through the one-click dial function; The third is to strictly control account security risks, and use the CAS framework to carry out unified user login management of applications; The fourth is to develop another APP to gradually replace the "bagu", synchronously strengthen the management of the existing "bagun", Bao'an District People's Court timely follow-up supervision, invite people's congress deputies to visit the business site of a courier company, spot check the rectification situation of management personnel login system, "baggun" inquiry authority, etc., and confirm that the risk of public welfare damage has been eliminated after organizing rectification and acceptance.

【Typical significance】

The logistics industry has a large amount of citizens' personal life information, and after big data analysis, it can accurately draw a map of users' shopping habits, consumption levels, and life trajectories, which is very easy to breed illegal behaviors such as fraud and unfair competition. In this case, the procuratorate increased the cost of infringement and deterred illegal crimes through criminal incidental civil public interest litigation, and at the same time focused on realizing the transformation from "back-end punishment" to "whole-process risk control" through the formulation and issuance of social governance procuratorial recommendations, guiding the benign operation of leading enterprises in the express delivery industry, establishing general standards for the security protection of personal information of express delivery enterprises, and realizing the radiation effect of "from point to line and from line to surface".

Case Eight

Shenyang, Liaoning Province

The Dadong District People's Procuratorate urges standardization

Protection of personal information for government affairs disclosure

Administrative public interest litigation

【Keywords】

Pre-litigation procedures for administrative public interest litigation Personal information for affordable housing Government affairs disclosure De-identification processing

【Essence】

In response to the failure of government administrative departments to effectively protect citizens' personal information in the process of government affairs disclosure, procuratorial organs have achieved the protection of citizens' personal information by performing their public interest litigation oversight duties, while providing legal support for administrative departments' open government affairs work and promoting the formation of standardized plans for information disclosure.

【Basic facts of the case】

The "Shenyang Housing Security Network" published information such as lottery results and rent allocation results of public rental housing security personnel applying for a number of public rental housing projects from 2013 to 2022, and various lists included more than 87000,<> pieces of information such as the name, ID number, household registration location, housing number of the applicant, population of the applicant family, per capita living floor area, per capita disposable monthly income, etc. The above-mentioned citizens' personal sensitive information has not been de-identified or anonymized, there are serious security risks, and the public interest has been continuously harmed.

【Investigation and supervision of performance of duties】

On May 2022, 5, the Dadong District People's Procuratorate of Shenyang City, Liaoning Province (hereinafter referred to as the Dadong District People's Procuratorate) received a report from the public reflecting the above problems. After the jurisdiction designated by the Shenyang Municipal People's Procuratorate, the Dadong District People's Court opened a case for investigation on May 12 of the same year. After investigation, the administrative department in charge of affordable housing in Shenyang did not de-identify and anonymize personal sensitive information sufficient to determine citizenship in accordance with the law in the process of government affairs disclosure, resulting in more than 5,18 pieces of personal information with serious security risks. On May 87000, 2022, the Dadong District People's Court issued a pre-litigation procuratorial recommendation for administrative public interest litigation to the administrative department in charge of affordable housing in Shenyang, suggesting that it strengthen the review of published government public information, and promptly de-identify the personal information involved in this case to prevent personal information leakage.

After receiving the procuratorial suggestions, the department attached great importance to them, and immediately sent personnel to discuss with the Dadong District People's Court and reached a consensus on rectification. Subsequently, after seeking approval from the superior department and the audit department on the rectification plan discussed by both parties, the department sorted out and checked the relevant information of the "Shenyang Housing Security Network", organized a comprehensive investigation of various work websites, and adopted point-to-point de-identification and concealment measures for sensitive personal information involving citizens. Information that has exceeded the publication period shall be immediately removed from the Internet. For the information to be publicized in the future, through the office software program design, the information is processed in accordance with the established rectification plan before uploading the information to the network: the second character in the two-character name is replaced by a symbol; The words in the middle of the three-character name are replaced with symbols; The 7th-14th digits of the ID card number are replaced with symbols; In the public rental housing applicant's public information, the home address is publicized to the district and county streets, and is no longer specific to the building number and house number; In the announcement of computer allocation results, the "computer allocation room number" is announced to the street name, and the specific residential area and building number and house number are replaced by symbols; In the public information of low-income housing families with difficulties, the applicant's ID card number, the community where the family is located, the relationship between family members, the number of family members, the specific circumstances of hardship, etc. are no longer disclosed.

In August 2022, the Dadong District People's Court conducted follow-up supervision, logged on to relevant websites to inquire, and found that all information related to individual citizens published on the website had been de-identified for ID card numbers and names, and unnecessary publicity items were no longer publicized, and the content of publicity was implemented in accordance with the rectified standards, and the risk of public welfare damage had been eliminated.

【Typical significance】

The protection of citizens' personal information is widespread in the process of government affairs disclosure of many government departments, and the protection of sensitive personal information is often ignored based on the requirement that affordable housing information must be publicly disclosed. In this case, the procuratorial organ made a useful exploration on how to balance and balance between open government affairs activities and the protection of citizens' personal information, and did not "handle the case on the case", but discussed solutions with the administrative organs, and urged them to take the initiative through procuratorial suggestions, which not only ensured that the administrative organs comprehensively demonstrated the fairness, impartiality and openness of their work procedures, but also took into account the security of citizens' personal information, reflecting the judicial concept of win-win, win-win and win-win case-handling, and achieved good legal and social effects.