New Version of Personal Information Protection Act and Personal Information Protection & Administration System

I.Summary

In 1995, the Computer-Processed Personal Data Protection Law was implemented in the Republic of China.  With the constant development of information technology and the limitations in the application of the legislation, the design of the original legal system is no longer consistent with practical requirements. Considering the increasing number of incidents of personal data leaks, discussions were carried out over a long period of time and the new version of the Personal Information Protection Act was passed after three readings in April, 2010. The title of the law was changed to Personal Information Protection Act. The new system has been officially implemented since 1 October, 2012. The new Act not only revised the provisions of the law in a comprehensive way, but also significantly increased the obligations and responsibilities of enterprises. In terms of civil liability, the maximum amount of compensation for a single incident is 200 Million NTD. For domestic industries, how to effectively respond to the requirements under the Personal Information Protection Act and adopt proper corresponding measures to lower the risk has become a key task for enterprise operation.

II. Main Points

1. Implementation of the Enforcement Rules of the Personal Information Protection Act

Personal information protection can be said the most concerned issue in Taiwan recently. As a matter of fact, the Computer-Processed Personal Data Protection Law was established in Taiwan as early as August 1995. After more than 10 years of development, computer and information technology has evolved significantly, and many emerging business models such as E-commerce are extensively collecting personal data. It has become increasingly important to properly protect personal privacy. However, the previous Computer-Processed Personal Data Protection Law was only applicable to certain industries, i.e. the following 8 specific industries: the credit investigation business, hospital, school, telecommunication business, financial business, securities business, insurance business, and mass media. And other business was  designated by the Ministry of Justice and the central government authorities in charge of concerned enterprises. In addition, the law only protected personal information that was processed by “computer or automatic equipment”.  Personal information that was not computer processed was not included.  There were clearly no sufficient regulations for the protection of personal data privacy and interest.

There were numerous incidents of personal data leaks. Among the top 10 consumer news issued by the Consumer Protection Committee of the Executive Yuan in 2007, “incidents of personal data leaks through E-commerce and TV shopping” was on the top of the list. This provoked the Ministry of Justice and the Ministry of Economic Affairs to “jointly designate” the retail industry without physical boutique (including 3 transaction models: online shopping, catalogue shopping and TV shopping) to be governed by the Computer-Processed Personal Data Protection Law since 1 July 2010.

To allow the provisions of the personal information protection legal system to meet the environment of rapid change, the Executive Yuan proposed a Draft Amendment to the Computer-Processed Personal Data Protection Law very early and changed the title to the Personal Information Protection Act. The draft was discussed many times in the Legislative Yuan. Personal Information Protection Act was finally passed after three readings in April 2010, which was officially published by the Office of the President on 26 May.

Although the new law was passed in April 2010, to allow sufficient time for enterprises and the public to understand and comply the new law, the new version of the personal information protection law was not implemented on the date of publication. In accordance with Article 56 of the Act, the date of implementation was to be further established by the Executive Yuan. After discussions over a long period of time, the Executive Yuan decided for the Personal Information Protection Act to be officially implemented on 1 October 2012. However, the implementation of two articles is withheld: Article 6 of the Act about the principal prohibition against the collection, processing and use of special personal information and Article 54 about the obligation to notice the Party within one year for personal information indirectly acquired before the implementation of the new law.

In terms of the personal data protection legal system, other than the most important Personal Data Protection Act, the enforcement rules established in accordance with the main law also play a key role. The previous Enforcement Rules of the Computer-Processed Personal Data Protection Law were published and implemented on 1 May, 1996. Considering that the Computer-Processed Personal Data Protection Law was amended in 2010 and that its title has been changed to the Personal Data Protection Act, the Ministry of Justice also followed the amended provisions under the new law and actively studied the Draft Amendment to the Enforcement Rules of the Computer-Processed Personal Data Protection Act. After it was confirmed that the new version of the Personal Data Protection Act would be officially launched on 1 October 2012, the Ministry of Justice announced officially the amended enforcement rules on 26 September, 2012. The title of the enforcement rules was also amended to the Enforcement Rules of the Personal Data Protection Act. The new version of personal data protection law and enforcement rules was thus officially launched, creating a brand new era for the promotion of personal data protection in Taiwan.

II. Personal Data Administration System and Information Privacy Protection Charter

Before the amendment to the Personal Data Protection Act was passed, the Legislative Yuan made a proposal to the government in June 2008 to promote a privacy administration and protection certification system in Taiwan, in reference to foreign practices. In August of the following year, the Strategic Review Board of the Executive Yuan passed a resolution to promote the E-Commerce Personal Data Administration and Information Security Action Plan. In December of the same year, approval was granted for the plan to be included in the key government promotion plans from 2010 to 2013.

Based on this action plan, since October 2010, the Ministry of Economic Affairs has asked the Institution for Information Industry to execute an E-Commerce Personal Data Administration System Setup Plan.  Since 2012, the E-Commerce Personal Data Administration System Promotion Plan and the Taiwan Personal Information Protection and Administration System (TPIPAS) have been established and promoted, with the objective of procuring enterprises to, while complying with the personal data protection legal system, properly protect consumers’ personal information through the establishment of an internal administration mechanism and ensuring that the introducing enterprises meet the requirements of the system. The issuance of the Data Privacy Protection Mark (dp.mark) was also used as an objective benchmark for consumers to judge the enterprise’s ability to maintain privacy.  

Regarding the introduction of the personal data administration system, enterprises should establish a content administration mechanism step by step in accordance with the Regulations for Taiwan Personal Information Protection and Administration System. Such system also serves as the review benchmark to decide whether domestic enterprises can acquire the Data Privacy Protection Mark (dp.mark). Since domestic enterprises did not have experience in establishing internal personal data administration system in the past, starting 2011, under the Taiwan Personal Information Protection and Administration System, enterprises received assistance in the training of system professionals such as Personal Data Administrators and Personal Data Internal Appraisers. Quality personal data administrators can help enterprises establish complete internal systems. Internal appraisers play the role of confirming whether the systems established by the enterprises are consistent with the system requirements. As of 2012, there are almost 100 enterprises in Taiwan that participate in the training of system staff and a total of 426 administrators and 131 internal appraisers.  In terms of the introduction of TPIPAS, in additional to the establishment and introduction of administration systems by qualified administrators, enterprises can also seek assistance from external professional consulting institutions. Under the Taiwan Personal Information Protection and Administration System, applications for registration of consulting institutions became available in 2012. Qualified system consulting institutions are published on the system website. Today 9 qualified consulting institutions have completed their registrations, providing enterprises with personal data consulting services.

After an enterprise completes the establishment of its internal administration system, it may file an application for certification under the Taiwan Personal Information Protection and Administration System.  The certification process includes two steps: “written review” and “site review”. After the enterprise passing certification, it is qualified to use the Data Privacy Protection Mark (dp.mark). Today 7 domestic companies have passed TPIPAS certification and acquired the dp.mark: 7net, FamiPort, books.com.tw, LOTTE, GOHAPPY, PAYEASY and Sinya Digital, reinforcing the maintenance of consumer privacy information through the introduction of personal data administration system.

III. Event Analysis

The Taiwan Personal Information Protection and Administration System (TPIPAS) is a professional personal data administration system established based on the provisions of the latest version of the domestic Personal Data Protection Act, in reference to the latest requirements of personal data protection by international organizations and the experience of main countries in promoting personal data administration system. In accordance with the practical requirements to protect personal data by industries, TPIPAS converted professional legal conditions into an internal personal data administration procedure to effectively assist industries to establish a complete and proper personal data administration system and to comply with the requirements of personal data legislations. With the launch of the new version of the Personal Data Protection Act, introducing TPIPAS and acquiring dp.mark are the best strategies for enterprises to lower the risk from the personal data protection law and to upgrade internal personal data administration capability.

※New Version of Personal Information Protection Act and Personal Information Protection & Administration System,STLI, https://stli.iii.org.tw/en/article-detail.aspx?no=105&tp=2&i=168&d=6370 (Date:2024/04/21)
Quote this paper
You may be interested
The Tax Benefit of “Act for Establishment and Administration of Science Parks” and the Relational Norms for Innovation

The Tax Benefit of “Act for Establishment and Administration of Science Parks” and the Relational Norms for Innovation   “Act for Establishment and Administration of Science Parks” was promulgated in 1979, and was amended entirely in May 15, 2018, announced in June 6. The title was revised from “Act for Establishment and Administration of Science ‘Industrial’ Parks” to “Act for Establishment and Administration of Science Parks” (it would be called “the Act” in this article). It was a significant transition from traditional manufacture into technological innovation.   For encouraging different innovative technology enter into the science park, there is tax benefit in the Act. When the park enterprises import machines, equipment, material and so on from foreign country, the import duties, commodity tax, and business tax shall be exempted; moreover, when the park enterprises export products and services, it will have given favorable business and commodity tax free.[1] Furthermore, the park bureaus also exempt collection of land rent.[2] If they have approval for importing or exporting products, they do not need to apply for permission.[3] In the sub-law, there is also regulations of bonding operation.[4] To sum up, for applying the benefit of the act, enterprises approved for establishment in science parks still require to manufacture products. Such regulations are confined to industrial industry. Innovative companies dedicate in software, big data, or customer service, rarely gain benefits from taxation.   In other norms,[5] there are also tax deduction or exemption for developing innovative industries. Based on promoting innovation, the enterprises following the laws of environmental protection, laborers’ safety, food safety and sanitation,[6] or investing in brand-new smart machines for their own utilize,[7] or licensing their intellectual property rights,[8] can deduct from its taxable income. In addition, the research creators from academic or research institutions,[9] or employee,[10] can declare deferral of the income tax payable for the shares distributed. In order to assist new invested innovative enterprises,[11] there are also relational benefit of tax. For upgrading the biotech and new pharmaceuticals enterprises, when they invest in human resource training, research and development, they can have deductible corporate income tax payable.[12] There is also tax favored benefits for small and medium enterprises in using of land, experiment of research, technology stocks, retaining of surplus, and additional employees hiring.[13] The present norms of tax are not only limiting in space or products but also encouraging in “research”. In other word, in each steps of the research of innovation, the enterprises still need to manufacture products from their own technology, fund and human resources. If the government could encourage open innovation with favored taxation, it would strengthen the capability of research and development for innovative enterprises.   Supporting the innovation by taxation, the government can achieve the goal of scientific development more quickly and encourage them accepting guidance. “New York State Business Incubator and Innovation Hot Spot Support Act” can be an example, [14]the innovative enterprises accepting the guidance from incubators will have the benefit of tax on “personal income”, “sales and use” and “corporation franchise”. Moreover, focusing on key industries and exemplary cases, there are also the norms of tax exemption and tax abatement in China for promoting the development of technology.[15]The benefit of tax is not only in research but also in “the process of research”.   To sum up, the government of Taiwan provides the benefit of tax for advancing the competition of outcomes in market, and for propelling the development of innovation. In order to accelerate the efficiency of scientific research, the government could draw lessons from America and China for enacting the norms about the benefit of tax and the constitution of guidance. [1] The Act §23. [2] Id. §24. [3] Id. §25. [4] Regulations Governing the Bonding Operations in Science Parks. [5] Such as Act for Development of Small and Medium Enterprises, Statute for Industrial Innovation, Act for the Development of Biotech and New Pharmaceuticals Industry. [6] Statute for Industrial Innovation §10. [7] Id. §10-1. [8] Id. §12-1. [9] Id. §12-2. [10] Id. §19-1. [11] Id. §23-1, §23-2, §23-3. [12] Act for the Development of Biotech and New Pharmaceuticals Industry §5, §6, §7. [13] Act for Development of Small and Medium Enterprises Chapter 4: §33 to §36-3. [14] New York State Department of Taxation and Finance Taxpayer Guidance Division, New York State Business Incubator and Innovation Hot Spot Support Act, Technical Memorandum TSB-M-14(1)C, (1)I, (2)S, at 1-6 (March 7, 2014), URL:http://www.wnyincubators.com/content/Innovation%20Hot%20Spot%20Technical%20Memorandum.pdf (last visited:December 18, 2019). [15] Enterprise Income Tax Law of the People’s Republic of China Chapter 4 “Preferential Tax Treatments”: §25 to §36 (2008 revised).

Review of Taiwan's Existing Regulations on the Access to Bioloical Resources

The activities of accessing to Taiwan's biological resources can be governed within certain extent described as follows. 1 、 Certain Biological Resources Controlled by Regulations Taiwan's existing regulation empowers the government to control the access to biological resources within certain areas or specific species. The National Park Law, the Forestry Act, and the Cultural Heritage Preservation Act indicate that the management authority can control the access of animals and plants inside the National Park, the National Park Control Area, the recreational area, the historical monuments, special scenic area, or ecological protection area; forbid the logging of plants and resources within the necessary control area for logging and preserved forestry, or control the biological resources inside the natural preserved area. In terms of the scope of controlled resources, according to the guidance of the Wildlife Conservation Act and the Cultural Heritage Preservation Act, governmental management authority is entitled to forbid the public to access the general and protected wild animals and the plant and biological resources that are classified as natural monuments. To analyse the regulation from another viewpoint, any access to resources in areas and of species other than the listed, such as wild plants or microorganism, is not regulated. Therefore, in terms of scope, Taiwan's management of the access to biological resources has not covered the whole scope. 2 、 Access Permit and Entrance Permit Taiwan's current management of biological resources adopts two kinds of schemes: access permit scheme and entrance permit in specific areas. The permit allows management authority to have the power to grant and reject the collection, hunting, or other activities to access resources by people. This scheme is similar to the international standard. The current management system for the access to biological resources promoted by many countries and international organizations does not usually cover the guidance of entrance in specific areas. This is resulting from that the scope of the regulation about access applies for the whole nation. However, since Taiwan has not developed regulations specifically for the access of bio-research resources, the import/export regulations in the existing Wildlife Conservation Act, National Park Law, Forestry Act, and Cultural Heritage Preservation Act may provide certain help if these regulations be properly connected with the principle of access and benefit sharing model, so that they will help to urge people to share the research interests. 3 、 Special Treatments for Academic Research Purpose and Aborigines Comparing to the access for the purpose of business operation, Taiwan's regulations favour the research and development that contains collection and hunting for the purpose of academic researches. The regulation gives permits to the access to biological resources for the activities with nature of academic researches. For instance, the Wildlife Conservation Act, National Park Law, and theCultural Heritage Preservation Act allow the access of regulated biological resources, if the academic research unit obtains the permit, or simply inform the management authority. In addition, the access by the aborigines is also protected by the Forestry Act, Cultural Heritage Preservation Act, and the Aboriginal Basic Act. The aborigines have the right to freely access to biological resources such as plants, animals and fungi. 4 、 The Application of Prior Informed Consent (PIC) In topics of the access to and benefit sharing of biological resources, the PIC between parties of interests has been the focus of international regulation. Similarly, when Taiwan was establishing theAboriginal Basic Act, this regulation was included to protect the aborigines' rights to be consulted, to agree, to participate and to share the interests. This conforms to the objective of access and benefit sharing system. 5 、 To Research and Propose the Draft of Genetic Resources Act The existing Wildlife Conservation Act, National Park Law, Forestry Act,Cultural Heritage Preservation Act, Aboriginal Basic Act provide the regulation guidance to the management of the access to biological resources within certain scope. Comparing to the international system of access and benefit sharing, Taiwan's regulation covers only part of the international guidance. For instance, Taiwan has no regulation for the management of wild plants and micro-organism, so there is no regulation to confine the access to wild plants and microorganism. To enlarge the scope of management in terms of the access to Taiwan's biological resources, the government authority has authorize the related scholars to prepare the draft of Genetic Resources Act. The aim of the Genetic Resources Act is to establish the guidance of the access of genetic resources and the sharing of interests in order to preserve the genetic resources. The draft regulates that the bio-prospecting activity should be classified into business and academic, with the premise of not interfering the traditional usages. After classification, application of the permit should be conducted via either general or express process. During the permit application, the prospector, the management authority, and the owner of the prospected land should conclude an agreement jointly. In the event that the prospector wishes to apply for intellectual property rights, the prospector should disclose the origin of the genetic resources and provide the legally effective documents of obtaining these resources. In addition, a Biodiversity Fund should be established to manage the profits derived from genetic resources. The import/export of genetic resources should also be regulated. Violators should be fined.

The Research on ownership of cell therapy products

The Research on ownership of cell therapy products 1. Issues concerning ownership of cell therapy products   Regarding the issue of ownership interests, American Medical Association(AMA)has pointed out in 2016 that using human tissues to develop commercially available products raises question about who holds property rights in human biological materials[1]. In United States, there have been several disputes concern the issue of the whether the donor of the cell therapy can claim ownership of the product, including Moore v. Regents of University of California(1990)[2], Greenberg v. Miami Children's Hospital Research Institute(2003)[3], and Washington University v. Catalona(2007)[4]. The courts tend to hold that since cells and tissues were donated voluntarily, the donors had already lost their property rights of their cells and tissues at the time of the donation. In Moore case, even if the researchers used Moore’s cells to obtain commercial benefits in an involuntary situation, the court still held that the property rights of removed cells were not suitable to be claimed by their donor, so as to avoid the burden for researcher to clarify whether the use of cells violates the wishes of the donors and therefore decrease the legal risk for R&D activities. United Kingdom Medical Research Council(MRC)also noted in 2019 that the donated human material is usually described as ‘gifts’, and donors of samples are not usually regarded as having ownership or property rights in these[5]. Accordingly, both USA and UK tends to believe that it is not suitable for cell donors to claim ownership. 2. The ownership of cell therapy products in the lens of Taiwan’s Civil Code   In Taiwan, Article 766 of Civil Code stipulated: “Unless otherwise provided by the Act, the component parts of a thing and the natural profits thereof, belong, even after their separation from the thing, to the owner of the thing.” Accordingly, many scholars believe that the ownership of separated body parts of the human body belong to the person whom the parts were separated from. Therefore, it should be considered that the ownership of the cells obtained from the donor still belongs to the donor. In addition, since it is stipulated in Article 406 of Civil Code that “A gift is a contract whereby the parties agree that one of the parties delivers his property gratuitously to another party and the latter agrees to accept it.”, if the act of donation can be considered as a gift relationship, then the ownership of the cells has been delivered from donor to other party who accept it accordingly.   However, in the different versions of Regenerative Medicine Biologics Regulation (draft) proposed by Taiwan legislators, some of which replace the term “donor” with “provider”. Therefore, for cell providers, instead of cell donors, after providing cells, whether they can claim ownership of cell therapy product still needs further discussion.   According to Article 69 of the Civil Code, it is stipulated that “Natural profits are products of the earth, animals, and other products which are produced from another thing without diminution of its substance.” In addition, Article 766 of the Civil Code stipulated that “Unless otherwise provided by the Act, the component parts of a thing and the natural profits thereof, belong, even after their separation from the thing, to the owner of the thing.” Thus, many scholars believe that when the product is organic, original substance and the natural profits thereof are all belong to the owner of the original substance. For example, when proteins are produced from isolated cells, the proteins can be deemed as natural profits and the ownership of proteins and isolated cells all belong to the owner of the cells[6].   Nevertheless, according to Article 814 of the Civil Code, it is stipulated that “When a person has contributed work to a personal property belonging to another, the ownership of the personal property upon which the work is done belongs to the owner of the material thereof. However, if the value of the contributing work obviously exceeds the value of the material, the ownership of the personal property upon which the work is done belongs to the contributing person.” Thus, scholar believes that since regenerative medical technology, which induces cell differentiation, involves quite complex biotechnology technology, and should be deemed as contributing work. Therefore, the ownership of cell products after contributing work should belongs to the contributing person[7]. Thus, if the provider provides the cells to the researcher, after complex biotechnology contributing work, the original ownership of the cells should be deemed to have been eliminated, and there is no basis for providers to claim ownership.   However, since the development of cell therapy products involves a series of R&D activities, it still need to be clarified that who is entitled to the ownership of the final cell therapy products. According to Taiwan’s Civil Code, the ownership of product after contributing work should belongs to the contributing person. However, when there are numerous contributing persons, which person should the ownership belong to, might be determined on a case-by-case basis. 3. Conclusion   The biggest difference between cell therapy products and all other small molecule drugs or biologics is that original cell materials are provided by donors or providers, and the whole development process involves numerous contributing persons. Hence, ownership disputes are prone to arise.   In addition to the above-discussed disputes, United Kingdom Co-ordinating Committee on Cancer Research(UKCCCR)also noted that there is a long list of people and organizations who might lay claim to the ownership of specimens and their derivatives, including the donor and relatives, the surgeon and pathologist, the hospital authority where the sample was taken, the scientists engaged in the research, the institution where the research work was carried out, the funding organization supporting the research and any collaborating commercial company. Thus, the ultimate control of subsequent ownership and patent rights will need to be negotiated[8].   Since the same issues might also occur in Taiwan, while developing cell therapy products, carefully clarifying the ownership between stakeholders is necessary for avoiding possible dispute. [1]American Medical Association [AMA], Commercial Use of Human Biological Materials, Code of Medical Ethics Opinion 7.3.9, Nov. 14, 2016, https://www.ama-assn.org/delivering-care/ethics/commercial-use-human-biological-materials (last visited Jan. 3, 2021). [2]Moore v. Regents of University of California, 793 P.2d 479 (Cal. 1990) [3]Greenberg v. Miami Children's Hospital Research Institute, 264 F. Suppl. 2d, 1064 (SD Fl. 2003) [4]Washington University v. Catalona, 490 F 3d 667 (8th Cir. 2007) [5]Medical Research Council [MRC], Human Tissue and Biological Samples for Use in Research: Operational and Ethical Guidelines, 2019, https://mrc.ukri.org/publications/browse/human-tissue-and-biological-samples-for-use-in-research/ (last visited Jan. 3, 2021). [6]Wen-Hui Chiu, The legal entitlement of human body, tissue and derivatives in civil law, Angle Publishing, 2016, at 327. [7]id, at 341. [8]Okano, M., Takebayashi, S., Okumura, K., Li, E., Gaudray, P., Carle, G. F., & Bliek, J. UKCCCR guidelines for the use of cell lines in cancer research.Cytogenetic and Genome Research,86(3-4), 1999, https://europepmc.org/backend/ptpmcrender.fcgi?accid=PMC2363383&blobtype=pdf (last visited Jan. 3, 2021).

Reviews on Taiwan Constitutional Court's Judgment no. 13 of 2022

Reviews on Taiwan Constitutional Court's Judgment no. 13 of 2022 2022/11/24 I.Introduction   In 2012, the Taiwan Human Rights Promotion Association and other civil groups believe that the National Health Insurance Administration released the national health insurance database and other health insurance data for scholars to do research without consent, which may be unconstitutional and petitioned for constitutional interpretation.   Taiwan Human Rights Promotion Association believes that the state collects, processes, and utilizes personal data on a large scale with the "Personal Data Protection Law", but does not set up another law of conduct to control the exercise of state power, which has violated the principle of legal retention; the data is provided to third-party academic research for use, and the parties involved later Excessive restrictions on the right to withdraw go against the principle of proportionality.   The claimant criticized that depriving citizens of their prior consent and post-control rights to medical data is like forcing all citizens to unconditionally contribute data for use outside the purpose before they can use health insurance. The personal data law was originally established to "avoid the infringement of personality rights and promote the rational use of data", but in the insufficient and outdated design of the regulations, it cannot protect the privacy of citizens' information from infringement, and it is easy to open the door to the use of data for other purposes.   In addition, even if the health insurance data is de-identified, it is still "individual data" that can distinguish individuals, not "overall data." Health insurance data can be connected with other data of the Ministry of Health and Welfare, such as: physical and mental disability files, sexual assault notification files, etc., and you can also apply for bringing in external data or connecting with other agency data. Although Taiwan prohibits the export of original data, the risk of re-identification may also increase as the number of sources and types of data concatenated increases, as well as unspecified research purposes.   The constitutional court of Taiwan has made its judgment on the constitutionality of the personal data usage of National Health Insurance research database. The judgment, released on August 12, 2022, states that Article 6 of Personal Data Protection Act(PDPA), which asks“data pertaining to a natural person's medical records, healthcare, genetics, sex life, physical examination and criminal records shall not be collected, processed or used unless where it is necessary for statistics gathering or academic research by a government agency or an academic institution for the purpose of healthcare, public health, or crime prevention, provided that such data, as processed by the data provider or as disclosed by the data collector, may not lead to the identification of a specific data subject”does not violate Intelligible principle and Principle of proportionality. Therefore, PDPA does not invade people’s right to privacy and remains constitutional.   However, the judgment finds the absence of independent supervisory authority responsible for ensuring Taiwan institutions and bodies comply with data protection law, can be unconstitutional, putting personal data protection system on the borderline to failure. Accordingly, laws and regulations must be amended to protect people’s information privacy guaranteed by Article 22 of Constitution of the Republic of China (Taiwan).   In addition, the judgment also states it is unconstitutional that Articles 79 and 80 of National Health Insurance Law and other relevant laws lack clear provisions in terms of store, process, external transmission of Personal health insurance data held by Central Health Insurance Administration of the Ministry of Health and Welfare.   Finally, the Central Health Insurance Administration of the Ministry of Health and Welfare provides public agencies or academic research institutions with personal health insurance data for use outside the original purpose of collection. According to the overall observation of the relevant regulations, there is no relevant provision that the parties can request to “opt-out”; within this scope, it violates the intention of Article 22 of the Constitution to protect people's right to information privacy. II.Independent supervisory authority   According to Article 3 of Central Regulations and Standards Act, government agencies can be divided into independent agencies that can independently exercise their powers and operate autonomously, and non- independent agencies that must obey orders from their superiors. In Taiwan, the so-called "dedicated agency"(專責機關) does not fall into any type of agency defined by the Central Regulations and Standards Act. Dedicated agency should be interpreted as an agency that is responsible for a specific business and here is no other agency to share the business.   The European Union requires member states to set up independent regulatory agencies (refer to Articles 51 and 52 of General Data Protection Regulation (GDPR)). In General Data Protection Regulation and the adequacy reference guidelines, the specific requirements for personal data supervisory agencies are as follows: the country concerned should have one or more independent supervisory agencies; they should perform their duties completely independently and cannot seek or accept instructions; the supervisory agencies should have necessary and practicable powers, including the power of investigation; it should be considered whether its staff and budget can effectively assist its implementation. Therefore, in order to pass the EU's adequacy certification and implement the protection of people's privacy and information autonomy, major countries have set up independent supervisory agencies for personal data protection based on the GDPR standards.   According to this research, most countries have 5 to 10 commissioners that independently exercise their powers to supervise data exchange and personal data protection. In order to implement the powers and avoid unnecessary conflicts of interests among personnel, most of the commissioners are full-time professionals. Article 3 of Basic Code Governing Central Administrative Agencies Organizations defines independent agency as "A commission-type collegial organization that exercises its powers and functions independently without the supervision of other agencies, and operates autonomously unless otherwise stipulated." It is similar to Japan, South Korea, and the United States. III.Right to Opt-out   The judgment pointed out that the parties still have the right to control afterwards the personal information that is allowed to be collected, processed and used without the consent of the parties or that meets certain requirements. Although Article 11 of PDPA provides for certain parties to exercise the right to control afterwards, it does not cover all situations in which personal data is used, such as: legally collecting, processing or using correct personal data, and its specific purpose has not disappeared, In the event that the time limit has not yet expired, so the information autonomy of the party cannot be fully protected, the subject, cause, procedure, effect, etc. of the request for suspension of use should be clearly stipulated in the revised law, and exceptions are not allowed.   The United Kingdom is of great reference. In 2017, after the British Information Commissioner's Office (ICO) determined that the data sharing agreement between Google's artificial intelligence DeepMind and the British National Health Service (NHS) violated the British data protection law, the British Department of Health and Social Care proposed National data opt-out Directive in May, 2018. British health and social care-related institutions may refer to the National Data Opt-out Operational Policy Guidance Document published by the National Health Service in October to plan the mechanism for exercising patient's opt-out right. The guidance document mainly explains the overall policy on the exercise of the right to opt-out, as well as the specific implementation of suggested practices, such as opt-out response measures, methods of exercising the opt-out right, etc.   National Data Opt-out Operational Policy Guidance Document also includes exceptions and restrictions on the right to opt-out. The Document stipulates that exceptions may limit the right to Opt-out, including: the sharing of patient data, if it is based on the consent of the parties (consent), the prevention and control of infectious diseases (communicable disease and risks to public health), major public interests (overriding) Public interest), statutory obligations, or cooperation with judicial investigations (information required by law or court order), health and social care-related institutions may exceptionally restrict the exercise of the patient's right to withdraw.   What needs to be distinguished from the situation in Taiwan is that when the UK first collected public information and entered it into the NHS database, there was already a law authorizing the NHS to search and use personal information of the public. The right to choose to enter or not for the first time; and after their personal data has entered the NHS database, the law gives the public the right to opt-out. Therefore, the UK has given the public two opportunities to choose through the enactment of special laws to protect public's right to information autonomy.   At present, the secondary use of data in the health insurance database does not have a complete legal basis in Taiwan. At the beginning, the data was automatically sent in without asking for everyone’s consent, and there was no way to withdraw when it was used for other purposes, therefore it was s unconstitutional. Hence, in addition to thinking about what kind of provisions to add to the PDPA as a condition for "exception and non-request for cessation of use", whether to formulate a special law on secondary use is also worthy of consideration by the Taiwan government. IV.De-identification   According to the relevant regulations of PDPA, there is no definition of "de-identification", resulting in a conceptual gap in the connotation. In other words, what angle or standard should be used to judge that the processed data has reached the point where it is impossible to identify a specific person. In judicial practice, it has been pointed out that for "data recipients", if the data has been de-identified, the data will no longer be regulated by PDPA due to the loss of personal attributes, and it is even further believed that de-identification is not necessary.   However, the Judgment No. 13 of Constitutional Court, pointed out that through de-identification measures, ordinary people cannot identify a specific party without using additional information, which can be regarded as personal data of de-identification data. Therefore, the judge did not give an objective standard for de-identification, but believed that the purpose of data utilization and the risk of re-identification should be measured on a case-by-case basis, and a strict review of the constitutional principle of proportionality should be carried out. So far, it should be considered that the interpretation of the de-identification standard has been roughly finalized. V.Conclusions   The judge first explained that if personal information is processed, the type and nature of the data can still be objectively restored to indirectly identify the parties, no matter how simple or difficult the restoration process is, if the data is restored in a specific way, the parties can still be identified. personal information. Therefore, the independent control rights of the parties to such data are still protected by Article 22 of the Constitution.   Conversely, when the processed data objectively has no possibility to restore the identification of individuals, it loses the essence of personal data, and the parties concerned are no longer protected by Article 22 of the Constitution.   Based on this, the judge declared that according to Article 6, Item 1, Proviso, Clause 4 of the PDPA, the health insurance database has been processed so that the specific party cannot be identified, and it is used by public agencies or academic research institutions for medical and health purposes. Doing necessary statistical or academic research complies with the principles of legal clarity and proportionality, and does not violate the Constitution.   However, the judge believes that the current personal data law or other relevant regulations still lack an independent supervision mechanism for personal data protection, and the protection of personal information privacy is insufficient. In addition, important matters such as personal health insurance data can be stored, processed, and transmitted externally by the National Health Insurance Administration in a database; the subject, purpose, requirements, scope, and method of providing external use; and organizational and procedural supervision and protection mechanisms, etc. Articles 79 and 80 of the Health Insurance Law and other relevant laws lack clear provisions, so they are determined to be unconstitutional.   In the end, the judge found that the relevant laws and regulations lacked the provisions that the parties can request to stop using the data, whether it is the right of the parties to request to stop, or the procedures to be followed to stop the use, there is no relevant clear text, obviously the protection of information privacy is insufficient. Therefore, regarding unconstitutional issues, the Constitutional Court ordered the relevant agencies to amend the Health Insurance Law and related laws within 3 years, or formulate specific laws.

TOP