January 28 is the day when the European Council began the "Convention 108" regarding the automated processing of personal data protection. This legal document in 1981 was also the first international convention to discuss the protection of personal data. In order to let more people understand the importance of personal data protection and privacy, the European Council first launched the "Data Protection Day" in 2007, and then the United States, Canada and other countries also set the same day as "Privacy Day", which promotes the importance of privacy rights. Taiwan Association for Human Rights has been paying attention to privacy protection for a long time. Let us review the major events related to privacy in Taiwan in 2019 and continue to track the development of privacy protection in 2020!
➤ Revision of individual data law: 2020 is expected to establish an independent specialized agency for protections on data assets
2020 is expected to be a year of significant adjustments to the Personal Data Protection Act.
After the personal asset law was amended in 2015, the personal assets of the people could be unknowing used by external parties easily. This is a long-term problem to be solved in our country’s personal asset protection. In addition, the decentralized authority model that the personal asset law has traditionally adopted has spawned a number of problems in asset protection. However, in order to obtain the adequacy decision of the EU's "General Data Protection Regulation" (GDPR), the National Development and Development Commission announced at the end of last year that it would revise the Personal Data Protection Act in 2020 and establish an independent personal data protection authority. To this end, the Taiwan Association for Human Rights also participated in the public hearing on the revision of law organized by the National Development Council and provided principled suggestions.
Whether the provisions of the Personal Data Protection Act will be amended in the direction of meeting human rights protection standards, and how the specialized agency will be established requires the commitment for us altogether to pay attention to the relevant draft law revisions.
- Taiwan Association for Human Rights’ proposal on the amendment of the Personal Data Protection Law (State Development Council Public Hearing List)
- Where to find an independent specialized agency?
- [Introduction of Privacy Institution I] Hong Kong Office of the Privacy Commissioner for Personal Data
➤ Digital eID card: incomplete regulations, yet insist on pushing for implementation
The Ministry of the Interior plans to spend 4.4 billion to fully renew the new eID (a digital chip identity card) in October 2020 as a tool for "digital identification" in the future. The seemingly convenient service hides huge privacy risks. The Ministry of the Interior claimed to reduce card surface data to improve privacy protection, but not only did it fail to express the specific necessity in the full reissuing, but was also unwilling to make enough regulations regarding the chip’s content of the card, such as data reading and database collections. In 2019, in addition to 37 civic organizations jointly requesting that the full renewal of the new eID to be stopped and a review of the renewal, there are also legislators and political parties including the ruling party legislators who have raised questions about the lack of regulations. Regrettably, the Ministry of the Interior still insists on not revising the law, and bids to print and build cases according to the original plan. In 2020, please continue to monitor New eID with us.
- [Joint Statement] We reject the chip ID card!
- Myth of National Identity System: Talks from the World Bank ID4D Project
- [TWIGF side note] chip ID card: risk in privacy or security
- The new digital ID is more fragile than you think (Open Culture Foundation)
- Digital ID’s next year, you should not exchange privacy for convenience (ETtoday)
➤ Facial recognition: Prevalence in public spaces
The past year has been a year of major review of facial recognition applications and usage. In the United States, led by San Francisco, many cities have successively banned the use of facial recognition technology in public places; in Sweden, local governments that try to use facial recognition to control the absence of students are also recalled. In the beginning of 2020, the European Union has also heard that it will consider disabling face recognition in public places in the next five years. But in Taiwan, the situation is not optimistic. In the past year, there have been many applications of face recognition in public places.
For example, in November 2019, the "Smart Video Surveillance System" used by Taiwan Railways was pointed out to have a facial recognition function. Unknown to the public, the Taiwan Railway Group immediately turned off the face recognition function, but the function was enabled as early as 2018. Whether data was collected during the test and how the collected data was processed remains unknown.
In addition, there have been reports of the use of facial recognition in schools at all ages. Taiwan Association for Human Rights also requested the Ministry of Education with a number of civil society organizations to investigate the use of facial recognition in schools, review the need for facial recognition on campus, and formulate standards to protect the privacy of teachers and students on campus. Currently, the Ministry of Education has formulated the "Guidelines for the Protection of Personal Data for the Use of Biometrics on Campus", and the implementation hinges on the supervision of civil society.
Although Taiwan’s Justice Interpretation No. 689 said that it is willing to recognize the right to privacy in public places, it is still a long way from a concrete implementation.
- Don't let Taiwan become a country of full surveillance! ——Response Statement for the Ministry of Communications' "Smart Video Surveillance System"
- Open letter to the Minister of Education: about the use of facial recognition technology on campus
- [Post-conference press release] Facial recognition enters the campus
- Where is the next face (2): Facial recognition Technology towards dystopia
➤ Collecting personal data: the struggle of the government and the enterprise
When Taiwan’s law enforcement agencies request personal data from multinational corporations not located in Taiwan, both parties need to agree on a method of access that complies with the laws of both countries. At the same time, Taiwan’s Communication Security and Surveillance Act have been restricted to be interpreted as a basis for requesting "telecommunications companies" to monitor or retrieve communication records and user data. Therefore, law enforcement agencies usually requires "no approval from prosecutors and judges" to collect personal data from Internet platform.
In October 2019, LINE changed the previous requirement for law enforcement agencies to present "request for votes" to use "search tickets" to obtain personal data. Additionally, it increased the requirement for law enforcement agencies to retrieve funds by requiring an order approved by "judges". Such data can only be retrieved in accordance with such regulations.
Although most multinational companies have regularly published transparent reports of providing user data to the government, local companies have not yet published relevant criteria and statistics. Therefore, we still call on government agencies to proactively publish the latest standards for accessing individual data asset to prevent the abuse of the personal information.
- Don't let personal resources be transferred into unsupervised numbers
- It is difficult to make government information public: the heart of the agency's "administration according to law, no comment"
- International Human Rights Principles to be Observed by National Communications Monitoring
- Judges should pay attention to the content of "the past as gone"
➤ Health Insurance Information: Multiple applications utilizing one after the other, where is the regulation?
In 2019, the government opened two health insurance data applications: a medical image data for institutions to apply for academic and industrial applications and an open software development kit (SDK) for third-party applications as health passports. The government provides people’s sensitive medical data for out-of-purpose use, and does not allow people to withdraw from the application. There are already legal questions in doubt of these applications. The Taiwan Association for Human Rights has even filed a lawsuit against the health insurance department for denying the right to refuse to provide health insurance information to third parties. It is currently waiting on judicial review of the Constitution court. However, while waiting for the constitutional interpretation, the application of health insurance information did not stop because of privacy and legal concerns, but gradually expanded to industrial applications. Although the government claims that "user consent" is required to enable third-party apps to connect with Personal Health Bank, what the public rarely knows is that the Health Insurance Department has been known until the third-party apps have been published on the market and led media to question that "the medical information may be obtained by manufacturers." In addition, the announcement of related regulation was only publicized a week prior to the implementation of the third-party API.
In 2020, please continue to pay attention to the follow-up application of health insurance data with us and the constitutional trends of the health insurance database.
- Chengshe commented: Without your consent, the government will make a profit? (Wu Quanfeng) (Apple Daily)
- Hey, did you know that the health insurance database is under judicial review?
- [Lazy Read] Administrative Litigation Case of Health Insurance Database
➤ Fake news: More discussion on privacy is pending
Coinciding with the general elections of the President of Taiwan and the National Assembly, online platform operators have adopted several measures to prevent false information. These include: cooperating with fact-checking groups, setting up a war room, issuing self-regulatory guidelines, removing associations engaged in untrue activities in accordance with community codes, increasing the transparency of advertising information, or prohibiting political advertising during elections. It is a pity that there is still no action to strengthen privacy protection to prevent false information.
Perhaps decoupling advertising from personal information might be a way to try? From the experience of Cambridge Analytica's in the Brexit referendum, it is clear that advertisers aiming at the accurate placement of personal data is an important reason for accelerating the transmission of false information. However, Taiwan currently only requires political advertisers to verify their true identities and does not accept political advertisements during the election period. There is no review of the root cause of false message transmission. It can start with the implementation of privacy guarantees.
Another aspect of privacy protection is: What risks will the mechanisms of revealing one’s real-name required by the platform bring to users? As a country that accepts anonymity on the Internet, Taiwan must be more careful in the future when dealing with Internet speeches on the grounds of having "fake account numbers".