Hannah Kuo, Jaime Cheng, and Aaron Chen
The Constitutional Court released the 111-Xian-Pan-Zi No.13 Constitutional Decision of August 12, 2022, holding that the provision of the personal data of the citizens collected in the health insurance database by the National Health Insurance Administration of the Ministry of Health and Welfare (formerly known as the Bureau of National Health Insurance of the Department of Health) (hereinafter, the “NHIA”) to third parties for secondary use is partially unconstitutional, and that relevant regulations should be amended within three years of the date the decision is announced, i.e., August 12, 2022. This Constitutional Court decision is noteworthy since it will have a far-reaching impact on the legislation and practice of personal information protection in Taiwan and may accelerate the legal amendment to the Personal Data Protection Act in Taiwan. This decision is highlighted below.
I. Case background:
For more than 20 years, the NHIA has been collecting a significant amount of medical data from Taiwan citizens for National Health Insurance enrollment and reimbursement, and has been making the health insurance data available to government agencies, academic institutions or relevant industries for use by creating the National Health Insurance database on its own or through the National Health Research Institute and incorporating the data into the Health and Welfare Data Science Center established by the Ministry of Health and Welfare. In March 2012, the Taiwan Association for the Human Rights, the National Health Insurance Civilian Surveillance Alliance, the Taiwan Women’s Link, and other organizations that believed that the provision of the National Health Insurance database lacks a clear legal basis and has never been communicated to the individuals concerned or obtained their consent, launched a campaign to urge the citizens to send postal demand letters to the NHIA to communicate their refusal to the release of their National Health Insurance data to any third party. After the NHIA rejected the application, the applicants brought an administrative action in the administrative court with a final decision rendered against them in January 2017. Thereafter, they applied to the Constitutional Court for a constitutional interpretation.
II. Highlights of the Constitutional Court decision
1. The provision under the Personal Data Protection Act that medical data may be used for statistical or academic research is constitutional.
Article 6, Paragraph 1 (Proviso), Subparagraph 4 of the Personal Data Protection Act provides that a government agency or an academic institution may collect, process, or use personal data such as medical records or medical treatment, genes, and health examination data without the consent of the individuals concerned if it is necessary for statistical or academic research for the purpose of healthcare or public health, provided that such data, as processed by the data provider or as disclosed by the data collector, cannot identify specific individuals. The Grand Justices held that this provision has restricted the subject and purposes of utilization and imposed the obligation to take de-identification measures. Since it does not violate the principle of legal clarity and the principle of proportionality, it does not violate the obligation to protect the individual’s right to information privacy under Article 22 of the Constitution.
2. A lack of an independent supervisory mechanism for personal data protection in Taiwan is potentially unconstitutional.
In the past, Judicial Interpretation No. 603 indicated that for the protection of the right to information privacy, not only is it necessary to specifically stipulate by law the purposes and requirements for the collection and use of personal data but also necessary organizational and procedural protection measures should be taken for the collected personal data. In this decision, the Grand Justices held that the independent supervision mechanism for personal data protection is particularly important among all the necessary organizational and procedural protection measures mentioned above. An independent supervision mechanism makes it possible to consider if the specific circumstance meets the principle of proportionality when an individual personal data utilization application is filed, so as to ensure that both the collection and utilization of personal data meet the requirements under relevant laws and regulations and to further enhance the legality and credibility of personal data utilization. Since the Personal Data Protection Act and other related laws in Taiwan all lack an independent supervision mechanism for personal data protection, the protection of personal information privacy is certainly inadequate and is potentially unconstitutional. The related agencies are required to create the relevant legal regime within three years of the date the decision is announced, i.e., August 12, 2022.
3. The provisions on the data processing, storage, external transmission, and external provision and utilization related to the National Health Insurance database are unconstitutional for lack of clarity.
The National Health Insurance Act only provides that “the Personal Data Protection Act shall be followed” as to the manners of storage and utilization of the data collected by the NHIA, the legal requirements and due process that should be followed, and important matters such as how to prevent data misuse and improper leakage. However, the Personal Data Protection Act is a framework regulation, not a special law on the collection and use of personal health insurance data, and its provisions do not cover important organizational and procedural issues related to the external transmission, processing, or use of personal health insurance data. The National Health Insurance Act and other related laws do not contain clear legal provisions on the subject, purposes, requirements, scope, and manners concerning the database storage, processing, external transmission, and external provision and use of personal health insurance data. This does not meet the principle of legal reservation under Article 23 of the Constitution and violates the obligation to protect the individual’s right of information privacy under Article 22 of the Constitution. The relevant authorities are required to amend the National Health Insurance Act or other related laws or enact other special laws within three years from the date of pronouncement of the decision.
4. The failure of the National Health Insurance database to provide an opt-out right is unconstitutional.
To protect the individual’s right to information privacy under Article 22 of the Constitution, an individual concerned should have the right of ex post control over personal data, and the right of an individual concerned to request the deletion, the cessation of use, or to limit the use of the personal data is not lost because the individual concerned has given consent in the past or the requirements for compulsory collection are satisfied. The restriction on the prior consent of the individual concerned under Article 6, Paragraph 1 (Proviso), Subparagraph 4 of the Personal Data Protection Act does not undermine the exercise of the individual’s right of ex post control over his/her personal health insurance data. The NHIA’s provision of personal health insurance data to government agencies or academic research institutions for use beyond the original collection purposes lacks relevant requirements for the “opt-out right” that allows the individual concerned to request the termination of the use of personal data and violates the spirit of protecting the information privacy right under Article 22 of the Constitution. The relevant authorities are required to enact or amend relevant laws within three years from the day the decision was pronounced to specifically stipulate the subject, cause, procedure, effect, and other matters concerning requests to stop the processing of personal data and the exceptional circumstance where such requests need to be complied with. If relevant laws are not enacted or amended within the required period, the individuals concerned can request the cessation of use beyond the original purposes.
III. Impact of this decision:
This decision marks another opinion conveyed by the Grand Justices on the protection of personal information privacy right after Judicial Interpretation No. 603 and has a far-reaching impact on the legislation and practice of personal data protection in Taiwan.
1. The “de-identification obligation” for the statistics and academic research under the Personal Data Protection Act is clarified:
Under the current Personal Data Protection Act, personal data used for statistics or research may be processed or disclosed only to the extent that they cannot “identify any specific individual concerned.” The Enforcement Rules of the Personal Data Protection Act define “the inability to identify specific individuals” as the “inability to identify specific individuals by coding, anonymizing, and hiding part of personal data or by other means.” In the past, since the processing of data through coding or other methods specified in the enforcement rules may not necessarily achieve the result of the “inability to identify specific individuals”, there were significant doubts in practice as to the method and degree of de-identification.
In this decision, the Grand Justices define the “de-identification” obligation to “make it impossible to identify specific individuals” as “the circumstance where the data do not contain information that can directly identify specific individuals but it is still possible that such information may indirectly identify specific individuals.” The data are only required to achieve the extent that direct identification is impossible, which is similar to pseudonymization under the EU GDPR, but not the extent of anonymization, where there is no possibility of restoring identification.
The Grand Justices’ interpretation to limit the “de-identification” to where the data does not permit direct identification is undoubtedly more favorable to government agencies or academic research institutions that wish to use personal data for statistical or academic research purposes. After all, if one adopts the view that data should be fully de-identified, the value of such data for statistical or scientific research purposes may be quite limited. Conversely, however, allowing data disclosed for statistical or research studies to indirectly identify individuals may weaken the protection of those whose data are used.
2. Government authorities are urged to specifically stipulate the use of data by law, instead of generally citing the Personal Data Protection Act.
In this case, the NHIA’s collection, processing, and use of the citizens’ medical data and creation of the National Health Insurance database are primarily governed by Article 79 of the National Health Insurance Act, which provides: “The Insurer may require relevant agencies to provide the necessary information it needs to carry out the business of the Insurance, which the agencies may not refuse.
The information obtained by the Insurer in accordance with the preceding paragraph should be handled responsibly and prudently. The storage and use of relevant information should be carried out according to the Personal Information Protection Act.” The provisions of the Personal Data Protection Act were generally cited.
In this regard, the Grand Justices held that the Personal Data Protection Act is only a framework regulation and does not provide organizational and procedural requirements for the external transmission, processing, or use of health insurance data, while the Ministry of Health and Welfare and the National Health Insurance Bureau only provide for the use of the National Health Insurance data by prescribing their own administrative regulations with a lack of a clear legal hierarchy. This does not meet the requirement for the principle of legal reservation under Article 23 of the Constitution.
In fact, there are quite a few provisions of special laws that generally cite the provisions of the Personal Data Protection Act for matters relating to personal data, and similar provisions exist in the finance, labor, pharmaceutical, and other professional laws. The declaration of unconstitutionality in this decision will also compel the relevant authorities to re-evaluate the need to enact special laws for the use of personal data in their respective fields, instead of generally citing the Personal Data Protection Act.
3. The right of the individual concerned to opt-out based on the information privacy right granted by the Constitution is recognized.
The “opt-out right” of the individual concerned to request the termination of the use of his/her personal data after they are collected under the Personal Data Protection Act is primarily stipulated in Article 11, Paragraphs 2, 3, and 4 of the Personal Data Protection Act, where the individual concerned may request the deletion and cessation of the processing and use of his/her personal data only under three circumstances, namely, “disputes over the accuracy of personal data,” “the disappearance of the specific purpose of personal data collection, or the expiration of the collection”, and “illegal collection, processing, or use of personal data.”
In this case, the Grand Justices reiterated that the right to information privacy of individuals to control their personal data is guaranteed under Article 22 of the Constitution, and that the right to information privacy protects the “right of ex post control” of individuals to request the deletion, cessation, or restriction of the use of their personal data, and the right of ex post control is not affected or lost because the individual has given his or her prior consent or because the conditions for compulsory collection and use are met. The Grand Justices also stated that the provisions of the Personal Data Protection Act regarding requests to cease the collection, processing, or use of personal data do not cover all circumstances in which personal data are used, and do not meet the constitutional requirement of protecting the right to control personal data after the fact. There is no relevant procedural requirement for a request to cease the use of the personal health insurance data legally collected by the NHIA for handling the health insurance business and provided to public agencies or academic research institutions for use beyond the original collection purpose. If all individuals concerned are indiscriminately prohibited from requesting the cessation of use, the protection of personal information privacy is obviously inadequate.
In this ruling, the Grand Justices recognized that the right to opt out is based on the constitutional right of the individuals concerned to information privacy, and that public agencies may not indiscriminately restrict the exercise of the right of ex post control without proper weighing and differentiation. In the future, when government agencies promote the mandatory inclusion of all citizens or systems involving data release (e.g., digital ID cards or inter-governmental T-Road data transfer platform), they should also pay attention to whether an opt-out right is provided to individuals to comply with the constitutional protection of personal information privacy.
With the advancement of technology, the value of data is also increasing day by day. How to fully implement the protection of personal privacy while promoting the use of data is a thorny issue in countries around the world. The constitutional interpretation of Taiwan’s National Health Insurance database is only a reflection and microcosm of contemporary data issues, and there are still many issues worthy of discussion and attention, particularly the amendment to the Personal Data Protection Act. The previous opportunity to amend the Personal Data Protection Act of Taiwan was in 2017 when the National Development Council took over the role of the Ministry of Justice as the interpretation authority of the Personal Data Protection Act, and the work of amending the Personal Data Protection Act was launched to apply to the EU for GDPR adequacy decisions. However, due to the extensive scope of the amendment to the Personal Data Protection Act, no substantial progress has been made for many years. In this case, the Grand Justices have instructed that the Personal Data Protection Act should be amended; the applicants, respondents, experts, scholars and amici curiae debated the regulation of the Personal Data Protection Act during the trial; many academic and research institutions successively conducted in-depth discussions on the related issues outside the litigation; and many of the Grand Justices have expressed further opinions in some of their dissenting opinions. This may accelerate the revision of the Personal Data Protection Act of Taiwan and make the relevant regulations more comprehensive.
For example, Article 43, Paragraph 2 of the Financial Holding Company Act stipulates that the joint marketing among the subsidiaries of a financial holding company and the joint collection, processing and use of other basic personal data, transaction data, and other relevant data of customers shall be handled in accordance with the relevant provisions of the Personal Data Protection Act. Article 32, Paragraph 4 of the Labor Occupational Accident Insurance and Protection Act provides that an insurer that handles the labor occupational accident insurance business or the central competent authority that retains, processes, and uses data related to the review of insurance disputes shall be governed by the Personal Data Protection Act. Article 15 of the newly amended Regulations for the Management of Drug Safety Surveillance provides that when pharmaceutical dealers need to collect, process, or utilize personal data in order to conduct drug safety surveillance, they shall follow the requirements of the Personal Data Protection Act and its relevant regulations.
The contents of all materials (Content) available on the website belong to and remain with Lee, Tsai & Partners. All rights are reserved by Lee, Tsai & Partners, and the Content may not be reproduced, downloaded, disseminated, published, or transferred in any form or by any means, except with the prior permission of Lee, Tsai & Partners.