法律翻译 | 生物识别隐私侵权界定——Cothron 诉White Castle指纹识别信息侵权

译者 | 任沐希 中南财经政法大学 LL.B. 

一审 | 俞悠悠 国际关系学院法学院

二审 | 王槐语 上海交通大学法学院

编辑 | 陈玉昕 香港中文大学 LL.M.

         余卓妍 西安交通大学法学院

责编 | 李   薇 浙江工商大学法学院

Cothron v. White Castle System, Inc.

Cothron employed by a White Castle restaurant in Illinois since 2004, filed a class action on behalf of all Illinois White Castle employees. White Castle required its employees to scan their fingerprints to access their pay stubs and computers. A third-party vendor verified each scan and authorized the employee’s access. The complaint alleged that White Castle implemented this biometric-collection system in violation of the Biometric Information Privacy Act (740 ILCS 14/15(b), (d), which became effective in 2008 and provides that a private entity may not “collect, capture, purchase, receive through trade, or otherwise obtain” a person’s biometric data without first providing notice to and receiving consent from the person; a private entity may not “disclose, redisclose, or otherwise disseminate” biometric data without consent. White Castle did not seek her consent to acquire her fingerprint biometric data until 2018.

自2004年以来受雇于伊利诺伊州一家White Castle餐厅的Cothron，代表所有伊利诺伊州的White Castle员工提起了集体诉讼。White Castle要求其员工扫描指纹，以访问他们的工资单和计算机。由第三方供应商验证每次扫描，并授权员工访问。诉状称，White Castle实施这种生物识别收集系统，违反了《生物识别信息隐私法（Biometric Information Privacy Act，以下简称“BIPA”）》（740ILCS14/15（b）、（d）)。该法案于2008年生效，规定私人实体不得“收集、捕获、购买、通过交易接收或以其他方式获取”一个人的生物识别数据，除非事先通知该人并征得该人的同意；私人实体不得“披露，未经同意重新披露或以其他方式传播”生物识别数据。White Castle直到2018年才试图征得Cothron的同意，以获取她的指纹生物识别数据。

White Castle argued that the action was untimely because her claim accrued in 2008 when White Castle first obtained her biometric data after the Act’s effective date. The district court agreed with Cothron. The Seventh Circuit certified an interlocutory appeal, then certified a question to the Illinois Supreme Court, which held that a separate claim accrues under the Act each time a private entity scans or transmits an individual’s biometric identifier or information in violation of section 15(b) or 15(d).

White Castle辩称，Cothron的诉讼行为是不及时的，因为她的索赔请求权在2008年就产生了，当时White Castle在该法案生效日期后首次获得她的生物识别数据。地区法院支持Cothron的主张。第七巡回法院核准了中间上诉，然后向伊利诺伊州最高法院求证了这个问题；州最高法院认为，每当私人实体违反BIPA第15（b）或15（d）条款，扫描或传输个人的生物识别标识符或信息时，都会根据该法案产生一项独立的索赔请求权。

Did the defendant’s actions cause damage to the plaintiff in the sense of BIPA and tort law? Can the plaintiff claim damages for the defendant's conduct?

被告涉案行为是否对原告造成了BIPA和侵权法意义上的损害？原告是否可以就被告涉案行为请求损害赔偿？^[2]

Does the defendant's scanning and comparing fingerprints to the same third party constitute collection and disclosure under BIPA? Will they independently give rise to the plaintiff's right to claim damages in tort? And whether statutory damages can be calculated independently of each claim for damages?

是否被告每一次扫描、向同一第三方比对指纹的行为都构成BIPA所规定的收集、披露行为？是否都会独立地引起原告侵权损害赔偿请求权的发生？以及是否每一损害赔偿请求权都可以独立地计算法定损害赔偿金？

（图片源自网络）

Section 15(b) mandates informed consent from an individual before a private entity collects biometric identifiers or information. Specifically, section 15(b) provides that “[n]o private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information unless it first” obtains informed consent from the individual or the individual’s legally authorized representative.

第15（b）条要求私人实体在收集生物识别标识符或信息之前获得个人的知情同意。具体而言，该条文规定，“任何私人实体不得收集、获取、购买、通过贸易接收或以其他方式获取个人或客户的生物识别标识符或生物识别信息，除非它首先”获得个人或个人的合法授权代表的知情同意。

As plaintiff explains in her complaint, White Castle obtains an employee’s fingerprint and stores it in its database. The employee must then use his or her fingerprint to access paystubs or White Castle computers. With the subsequent scans, the fingerprint is compared to the stored copy of the fingerprint. Defendant fails to explain how such a system could work without collecting or capturing the fingerprint every time the employee needs to access his or her computer or pay stub.To the extent White Castle is suggesting that “collection” or “capture” occurs only when an entity first obtains a print to store in its database—and subsequent authentication scans therefore cannot be collections or captures.

正如原告在诉状中解释的那样，White Castle公司会获取一名员工的指纹，并将其存储在数据库中。然后，员工必须使用他或她的指纹来访问工资单或White Castle的电脑。在随后的扫描中，指纹会与存储的指纹副本进行比较。被告未能解释，如果不在员工每次需要访问他或她的电脑和工资单时都进行一次指纹收集或捕获，这样一个系统该如何运作。在某种程度上，White Castle暗示“收集”或“捕获”只发生在实体首次获得要存储在其数据库中的指纹时——因此，后续的身份验证扫描不可能属于收集或捕获。

We agree with the federal district court that “[a] party violates Section 15(b) when it collects, captures, or otherwise obtains a person’s biometric information without prior informed consent. This is true the first time an entity scans a fingerprint or otherwise collects biometric information, but it is no less true with each subsequent scan or collection.” Our appellate court has reached the same conclusion, determining that “the plain language of [section 15(b)] establishes that it applies to each and every capture and use of plaintiff’s fingerprint or hand scan. Almost every substantive section of the Act supports this finding.”

我们同意联邦地区法院的观点，即“[a]一方在未经事先知情同意的情况下收集、捕获或以其他方式获取一个人的生物特征信息，违反了第15（b）条。实体第一次扫描指纹或以其他方式收集生物特征信息时确实如此，但随后的每次扫描或收集也同样如此。”本院上诉法院也得出了同样的结论，认定“[第15（b）条]的明文规定，它适用于对原告指纹或手部扫描的每一次采集和使用。该法案中几乎每一个实质性部分都支持这一结论。”

Similar to section 15(b), section 15(d) mandates consent or legal authorization before a specific action is taken. It provides that “[n]o private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person’s or a customer’s biometric identifier or biometric information unless” it obtains informed consent from the individual or their legal representative or has other legal authorization to disclose that information.

与第15（b）条类似，第15（d）条要求在采取具体行动之前获得同意或法律授权。该条规定，“拥有生物识别标识符或生物识别信息的私人实体不得披露、再披露或以其他方式传播个人或客户的生物识别标识符或生物识别信息，除非”获得个人或其法定代表人的知情同意，或获得披露该信息的其他法律授权。

We do not believe that we have to specifically determine the meaning of “redisclose” in section 15(d) because the other terms in that section are broad enough to include repeated transmissions to the same party. The plain language of section 15(d) supports the conclusion that a claim accrues upon each transmission of a person’s biometric identifier or information without prior informed consent.

我们认为，我们无需具体明确第15（d）条中“重新披露”的含义，因为该节中的其它术语足够宽泛，足以包括“向同一方的重复传输”。第15（d）条的简明语言支持以下结论，即在未经事先知情同意的情况下，每次传输个人的生物识别标识符或信息都会产生索赔请求权。

White Castle maintains that this court’s decisions interpreting the Act define a right to secrecy in and control over biometric data and define the “injury” as loss of control or secrecy. Citing Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, ¶¶ 33-34, White Castle contends that the Act allows a claim for an individual’s loss of the “right to control” biometric information and that, once an individual loses control over the secrecy in his or her biometric information, it cannot be recreated, resulting in the loss of any confidentiality.Because a person cannot keep information secret from another entity that already has it.

White Castle坚持认为，本院解释该法案的决定定义了一项对生物特征数据保密和控制的权利，并将“损害”定义为失去控制或保密。White Castle引用了Rosenbach诉六旗娱乐公司案（简称“Rosenbach案”），2019IL 123186,¶¶ 33-34,辩称该判例允许个人对失去“控制生物识别信息的权利”提出索赔，且一旦个人失去对其生物识别信息保密性的控制，该信息就不能被重新创建，从而导致任何保密性的丧失；因为一个人不能对已经拥有信息的另一个实体保密。

White Castle misreads our decisions in Rosenbach, West Bend Mutual Insurance Co., and McDonald. As a preliminary observation, we note that none of those decisions involved, let alone analyzed, the question of claim accrual under the Act.

White Castle误读了我们在Rosenbach案, West Bend互助保险公司和麦当劳案中的决定。在初步观察下，我们注意到这些决定均不涉及（更不用说分析了）BIPA规定的应计索赔问题。

Focusing on the section 15 violation in Rosenbach, the same provision at issue in this case, we determined that, “[w]hen a private entity fails to comply with one of section 15’s requirements, that violation constitutes an invasion, impairment, or denial of the statutory rights of any person or customer whose biometric identifier or biometric information is subject to the breach.” Critically, Rosenbach explains that an individual raising a section 15 claim is not required to plead or prove actual damages because the statutory violation, “in itself, is sufficient to support the individual’s or customer’s statutory cause of action.”

针对Rosenbach案中违反第15条（与本案涉及的条款一致）的情况，我们认定，“当私人实体未能遵守第15条的要求之一时，该违法行为构成对任何生物识别标识符或生物识别信息受到该违法行为影响的个人或客户之法定权利的侵犯、损害或否认。”关键是，Rosenbach案已阐明，提出第15条索赔的个人不需要抗辩或证明实际损害，因为违法行为“本身就足以支持个人或客户的法定诉因”。

Thus, contrary to White Castle’s position, Rosenbach does not stand for the proposition that the “injury” for a section 15 claim is predicated on, or otherwise limited to, an initial loss of control or privacy. Instead, Rosenbach clearly recognizes the statutory violation itself is the “injury” for purposes of a claim under the Act, which is entirely consistent with our decision here. Our subsequent decisions in West Bend Mutual Insurance Co. and McDonald adhered to Rosenbach’s construction of the Act and similarly recognized that a claim under the Act is a private cause of action based exclusively on a statutory violation.

因此，与White Castle的立场相反，Rosenbach案并不支持第15条索赔的“损害”应基于或限于最初的控制丧失或隐私丧失的主张。相反，Rosenbach案清楚地认识到，违法行为本身就是可以根据该法提出索赔的“损害”，这与我们在此的决定完全一致。我们随后对West Bend互助保险公司和麦当劳案的判决坚持Rosenbach案对BIPA的解释，并同样承认BIPA项下的索赔是完全基于违法行为的私人诉因。

（图片源自网络）

In sum, we conclude that the plain language of section 15(b) and 15(d) shows that a claim accrues under the Act with every scan or transmission of biometric identifiers or biometric information without prior informed consent.

总而言之，我们得出结论，第15（b）条和第15（d）条的简明语言表明，在未经事先知情同意的情况下，每次扫描或传输生物识别标识符或生物识别信息都可以根据该法案产生索赔请求权。