从抽象价值层面分析，已公开个人信息价值高、获取难度低，因此被侵害风险极高，有必要立法保护。但当个人信息主动或被动公开，其必然包含不可忽视的流通价值，所以在制定保护规范时，既要落实个人信息保护，也要确保信息合理流通，但二者平衡恰是立法难点。从具体规范层面分析，已公开个人信息的刑法规范缺位导致实践中相似案件裁判间直接或间接的矛盾，影响了法的安定性和可检验性。而且与《民法典》《个人信息保护法》等前置立法不一致，影响了法秩序的统一性。所以，研究已公开个人信息刑法保护机制十分必要。

习近平总书记在党的二十大报告中强调，要坚持问题意识。因此必须抓住已公开个人信息刑事司法实践中切实存在的问题，由表及里、层层分析、找出“病灶”。通过整理56份符合本文语境的裁判文书，可知当前实践中存在四大显著问题：基础概念定性不清、公开属性避而不谈、具体规则适用混乱、同类行为定性不一。导致如此程度分歧的直接原因有二，分别是未严格把握个人信息的可识别性认定标准、法律规范援引错误。特别是后者的错误，常由适用“二次授权”原则导致，适用该标准就是默认了涉案信息的收集行为具有当然合法性，然而司法实践中收集行为是否具有刑事合法性往往是裁判重点。进一步深入剖析发现，已公开个人信息刑法保护制度之所以从基本概念这一研究起点处就存在争议，根本原因源于价值认知层面。分别是侵犯公民个人信息罪保护法益的价值取向不同、已公开个人信息的认识不充分。因为法益认识不一，所以产生了已公开个人信息是否属于刑法保护对象的争议；因为对已公开个人信息认识不充分，所以认识不到已公开个人信息和一般个人信息的显著不同。而综合两个问题，就导致了公民个人信息的现有立法能否有效保护已公开个人信息、已公开个人信息较一般个人信息是否更应侧重信息合理利用的争议。一千个人心中有一千个哈姆雷特，认知层面的不同很难“自由地”达成一致，必须先由规范定调。本文认为，已公开个人信息绝对属于刑法保护范畴，而且因其与一般个人信息具有显著区别，现有立法已无法有效保护。当前已公开个人信息已经成为数字社会的重要组成部分，《刑法》或相关司法解释确有必要与《民法典》、《个人信息保护法》等前置法统一思路，增设针对已公开个人信息的刑事规范。

已公开个人信息的相关法律问题，并非我国特有。通过总结分析欧盟、德国、美国、日本、新加坡、韩国、法国、加拿大等国相关法律规范，可获得已公开个人信息立法的两点共识，一是已公开个人信息公共性更强，必须通过立法保障其流动空间；二是绝大多数立法在个人信息安全和信息流动价值的天平上更倾向前者。由此获得了完善我国已公开个人信息刑法保护机制的两方面启示。一是整体价值倾向方面，我国个人信息保护整体环境较为严格，不可直接生搬硬套宽容氛围下的法律规范。但也不能忽视当前国际主流立法倡导的、符合数字社会需求的保护信息流动空间的价值取向。二是具体规范设置方面，必须要保留具体情境中的调节空间，可采取设置例外情形的立法方式。另外在确定侵犯公民已公开个人信息的刑法边界时尽量采用确定性客观标准。

已公开个人信息的刑法保护机制的完善可以分“三步走”，由里及表，从基本概念到制度架构，每一步都要扎实有效。第一步，厘清基本概念。明确刑法语境下已公开个人信息的判断标准，即何为个人信息？何为已公开？个人信息要严格把握可识别性标准，并从“语境”和“使用目的”两方面予以限制认定，只有三者均符合才属于侵犯公民个人信息罪的客体。判断属于信息处于已公开状态要同时满足三个条件，分别是信息主体的明示或推定的同意、达到完全公开共享程度、合法公开。第二步，明确保护目标。确定侵犯公民个人信息罪的保护法益，从可识别性划定的公共领域和私人领域边界出发，立足于侵犯公民个人信息罪设立的根本目的及该罪的公法属。本文认为侵犯公民个人信息罪的法益是个人法益观立场下的双层个人信息安全法益，该法益由表层法益信息安全和里层法益信息主体安全构成，二者互为表里、同属一体、互不冲突，后者为根本。表层法益的存在是为了达到保护信息主体安全的目的，对一般个人信息来说只要规制不特定信息处理者的获取行为，保障该信息处于安全、不可随意获取的状态，就能规避风险穿透表层法益而侵害里层的信息主体安全。对已公开个人信息来说，表层法益已经被刺破，已公开个人信息的信息主体几近赤裸地存在于网络空间，所以刑法领域保护已公开个人信息就是保护里层法益即信息主体安全。第三步，提出完善方案。以双层个人信息安全法益为基础，提出了已公开个人信息刑法类型化保护机制。对涉及三类不同的已公开个人信息的行为区别判断。对于违法公开的个人信息，相关行为具有当然的刑事违法性。而对于依法依规强制公开的个人信息和信息主体自愿公开的个人信息而言，只有在客观上直接对信息主体安全造成威胁或实质损害，或者直接作用于相关行为人危害信息主体安全的行为上，该行为才可能具有刑事违法性。该判断依据以保护个人信息安全为原则，以满足公共利益和信息主体个人意愿为例外。

When analyzed at the abstract value level, the high value and easier approach of disclosed personal information result in an exceptionally high risk for subject’s safety. So it’s necessary to protect it by law. However, whether personal information is deliberately or passively shared, it implies that it has a circulation value that cannot be ignored. As a result, when developing disclosed personal information protect criminal law norms，it is essential to implement both personal information protection and the reasonable circulation of information; however, striking a balance between the two is precisely the difficulty of legislation. When analyzed from a specific normative level, the absence of criminal law norms for the protection of disclosed personal information leads to directly or indirectly contradictory decisions in similar cases in judicial practice, affecting the stability and testability of the law. And this problem also made the inconsistency with the Civil Law of the People's Republic of China and the People's Republic of China Law on the Protection of Personal Information, and other legislations which always are used before the Criminal Law. As a result, the need of analyzing the criminal law protection system for disclosed personal information is self-evident.

In the 20th Party Congress report, Xi Jinping, General Secretary of the CPC Central Committee, emphasized that it is the fundamental task of theory to keep to the sense of problem and to answer and guide the solution of problems. Thus, it is necessary to use the actual problems in the criminal judicial practice of disclosed personal information as the starting point for research.

By summarizing and collating the 56 cases retrieved from the website of BeiDa Law Treasure that are related to the issues discussed in this paper, it is concluded that there are four main problems in the current judicial practice for disclosed personal information, unclear definition of the concept of corporate information, no discussion of the public attributes of the information involved, confusion in the application of adjudication bases, and inconsistency in the characterization of similar behaviors. It can be seen that there is an urgent need to systematically sort out the reasons for the problems, and based on the results to give a reasonable improvement of the resolutions for the criminal problem of disclosed personal information. The direct cause of the above problems is the lack of a strict attitude of the criteria for determining the personal information, and the wrong invocation of legal norms. Particularly, the second error is often caused by the application of the principle of "secondary authorization", which presupposes that the collection of the information in question is lawful. If this provision is applied directly to criminal cases involving disclosed personal information, it is tantamount to a direct determination that the collection is lawful. However, the collection of disclosed personal information can never be considered lawful.

Further analyzing the direct reason, we can find that the fundamental reason why the criminal law protection system of disclosed personal information is controversial from the basic concept is the different value orientation of the legal interests of the crime of violating citizens' personal information, as well as the insufficient understanding of the disclosed personal information. Because of insufficient recognition of disclosed personal information, it's the failure to recognize the significant difference between disclosed personal information and general personal information. Then, when the two cognitive levels converge together, in the criminal law protection of disclosed personal information, the question arises whether the existing legislation on citizens' personal information can effectively protect the disclosed personal information, and whether the disclosed personal information should be more focused on the rational use of information than general personal information.

A thousand people have a thousand Hamlets in their hearts, and it is difficult to "freely" agree on different levels of cognition. Therefore, it is necessary to set the tone by the definitive legislation, in order to efficiently and qualitatively help judicial practice, and at the same time, to guide the research power of all aspects to "twist together" to the next stage. As far as I'm concerned, the disclosed personal information absolutely belongs to the scope of protection of personal information in criminal law, and because it is significantly different from general personal information, the existing legislation can not be effectively protected. Therefore, it is necessary for the Criminal Law or relevant judicial interpretations to harmonize their thinking with the Civil Law, the Personal Protection Law and other predecessor laws, and to set up additional criminal norms for disclosed personal information.

The legal issues related to disclosed personal information are not unique to our country, but have received widespread attention around the world. By summarizing and analyzing the legislation on disclosed personal information in the European Union, Germany, the United States, Japan, Singapore, South Korea, France, Canada and other countries, it can be seen that there are currently four mainstream legislative models.

Two points of legislative consensus are summarized from them (which do not include the relevant Russian legislation, as I believe that the concept of closure is not applicable in the current information age). First, the public nature of disclosed personal information is more prominent, so it is necessary to ensure a certain amount of space for the flow of disclosed personal information through legislation. Secondly, compared with the value of the flow of information, the vast majority of legislation is more or less more focused on the protection of the rights of the subject of disclosed personal information. At the same time, we gained two inspirations for improving the criminal law protection mechanism of China's disclosed personal information. On the one hand, it is about the overall value tendency. It is not reasonable to directly copy the tolerant legislation, which is not consistent with our strict environment. However, it is also important to pay attention to the value orientation of affirming the space for the flow of information, which is conveyed by the current international mainstream legislation and which is in line with the needs of the digital society. On the other hand, with regard to the establishment of a specific system, it is necessary to preserve the space for regulating the balance of legal interests in respect of disclosed personal information by means of legislation that provides for exceptions. At the same time, in determining the boundaries of the crime of violating citizens' personal information, try to use objective criteria rather than subjective criteria. In conclusion, the legislation on criminalization of disclosed personal information should be advanced step by step, taking into account the "efforts" made by the predecessor law and the current state of judicial practice.

The first step is to clarify the basic concepts and the criteria for judging disclosed personal information in the context of criminal law. To make the definition of “personal information” and “disclosed” be definite and clear. Personal information should strictly grasp the criterion of identifiability, and should be limited in terms of "context" and "purpose of use". Only personal information that meets all three of the above criteria is an object of the crime of violating citizens' personal information. There are also three criteria for determining “disclosed”: express or presumed consent of the subject of the information, reaching the level of full public sharing, and lawful disclosure. The second step is to clarify the objective of protection. Determine the legal interest of the crime of violating citizens' personal information. Starting from the boundary between the public and private spheres delineated by identifiability, and based on the fundamental purpose of this kind of crime, the legal interest shall be the double layer of personal information security legal interest. Specifically, the legal interest protected this crime is personal information security, which consists of the surface legal interest of information security and the inner legal interest of the security of the information subject, which are mutually exclusive, belong to the same body and do not conflict with each other. The latter is the root of the legal interests. The existence of the superficial layer legal interest is to protect the security of information. It is mainly for general personal information. In most cases, as long as the acquisition behavior of unspecified information processors is managed, we can ensure that the information is in a safe and inaccessible state, the subject of information can be protected from the dangers. In the case of disclosed personal information, the focus of protection is shifted to the inner layer of legal interests, which is the safety of the information subject. Because the subject of public personal information is more vulnerable when it concerns about disclosed personal information. The third step is to propose an improvement program. Based on the legal interests of personal information security, three different categories of disclosed personal information are judged differently. Behavior concerning unlawful disclosed personal information is criminally illegal. For personal information that is mandatorily disclosed in accordance with laws and regulations and personal information that is voluntarily disclosed by the subject of information, the act is deemed to be criminally unlawful only if the act of the perpetrator objectively and directly poses a threat to the security of the subject of information or causes material damage, or if it directly acts on the harmful acts of the relevant perpetrator against the security of the subject of information. This judgment is based on the principle of protecting the legal interests of the security of personal information, with the exception of satisfying the public interest and the individual will of the subject of information.