Behind Normalcy:
Taiwan’s fervent COVID-19 response raise critical privacy and due process concerns
Author | Elisa Chang
Editor | Xin-yi Liao
“Relatively normal” might have been how most Taiwanese described their 2021 New Year celebration. After being mostly untouched by the COVID-19 pandemic in its first year, residents in the country continued to enjoy daily activities that were considered a luxury by many – shopping, dining indoors, even going to concerts. Behind the normalcy, however, has been an ongoing series of debate around the country’s disease control endeavors and the rights to privacy.
During the 2021 New Year long weekend, news broke out that the authorities had charged several individuals attending local concerts for breaking the “self-health management” (自主健康管理) rule, a soft quarantine period following home quarantine or suspected exposure. The individuals were caught as the government rolled out what is called “electronic fence 2.0” that uses cellular base stations to triangulate a mobile phone’s real-time location with the aim of flagging mobile numbers holders that weren’t supposed to be in close proximity to crowds.
The technique was a new rendition of the original “electronic fence” deployed in early 2020 to enforce quarantine rules. Both systems require those subject to quarantine to provide their mobile numbers to authorities, who work closely with the country’s telecom giants, to automatically track if their devices have “wandered off” or been turned off. Individuals are also required to answer phone calls or text messages during the day to prove the device is not left unattended. The difference between the original electronic fence and its successor is that the former issues alerts when you leave a certain area, whilst the latter does so when you enter specific hot zones.
While the electronic fence system has surely encouraged compliance to instructions set for hampering community transmission, the intrusiveness of the measures, as well as the lack of transparency and public consultation, have rung the alarm bell for many human rights and privacy advocates. Although the Taiwanese CDC has promised the removal of data after 28 days, the system’s intertwined connections with law enforcement authorities, the telecom industry, and other monitoring methods on alternative systems remain unclear. In essence, there hasn’t been much clarity around to what extent data is collected, shared and stored – not to mention the fuzzy legal basis for its deployment that sets dangerous precedents of bypassing data protection and due process requirements.
Rapid response or fast deterioration of privacy ?
Fast forward to April 2021, Taiwan saw a sudden surge in COVID-19 cases after community viral transmission broke out in the bustling Wanhua District of its capital. To issue SMS warnings of virus exposure, the CDC, in collaboration with telecom companies, used geo-location tracking to identify over 600,000 mobile number holders having visited the “high -risk zone” within a span of 4 weeks. With neither informed consent nor proper notice, the authorities also went on to tag the National Health Insurance digital profiles of over 150,000 individuals labeled “high-risk” for their place of work, travel history, or past visits. This was done through overlay analyses that used databases from the National Immigration Agency and the local police force in Wanhua.
The Taiwan Association for Human Rights (TAHR) lodged a freedom of information request in June 2021 over the CDC’s principles and factual implementation in regards to the substantive criteria and procedural safeguards for digital surveillance and data processing. The CDC justified their digital surveillance and profiling with a general mandate of disease control conferred by through Communicable Disease Control Act, and excused their failure to notify targeted citizens with the exemption clauses within the Personal Data Protection Act. Report has it that the government worked with internet service providers to track browsing habits of foreign visitors in order to target public health information, to which the CDC vehemently denied implementation.
Eyes on Real-identity Tracing Databases
As Taiwan imposed Level Three Restriction in May 2021 after more cases arose, the government rolled out a digital “real-identity tracing system” (實聯制) for contact tracing. Individuals visiting public spaces, including shops, event venues, and public transit, are requested to scan a QR code that would direct users to send a pre-formulated SMS message with a venue code to the “1922” public health hotline.
Similar to the idea behind contact tracing apps used in other countries, the theory behind Taiwan’s 1922 SMS system is to more efficiently identify potential exposures by analyzing the digital/SMS “footprints” of confirmed COVID-19 patients and alert those who might have crossed paths with them recently. Compared to contact tracing apps, the real-name registration rule is implemented by each public venue and does not rely on people downloading a separate app to be effective. Nonetheless, it was created as a centralized system, unlike many apps that feature a decentralized design.
In June 2021, Yuan-Sen Chang, a Judge at the Taichung District Court blew the whistle on police’s access to the real-name registration database for the purpose of crime investigation. During his review of a search warrant request, Chang noticed that the police had narrowed down the suspect’s whereabouts through his 1922 SMS details which were included in the bundle of data the police had acquired from the telecom provider. The fact that the police was granted a warrant in accordance with the Communication Security and Surveillance Act without having to approach the CDC, does not spare the CDC from breaking faith with the public over their broken promise of keeping personal data from being accessed for a purpose other than pandemic control. This violation is especially concerning as the real-name registration system has been widely implemented.
Finding the balance
There is no doubt that Taiwan has performed tremendously well during the pandemic thanks to many effective policies and the collective efforts by the public. However, the welfare of citizens and residents lies not only in successful public health interventions, but also the consistent respect for human rights. The authorities must abide by the rule of law in its decision-making and conduct and avoid over-exercising its power through the loose interpretations of “necessity” and “public benefit.”
To sum up, the TAHR has called for the government to review and revise its many digital public health interventions, to fill the legal vacuum and to establish cohesive data protection policies. Authorities must also be more transparent when it comes to publicizing details behind its decision-making, data management plans, and relevant performance reports. Clear privacy policy and consent agreement must be established to achieve minimal data collection and help the public hold government agencies and stakeholders accountable. Finally, while it is hard to come to a comprehensive understanding during a public health emergency, routine assessments on the risk and impacts of these interventions should be in place to regularly evaluate their necessity and introduce timely mechanisms to protect people’s rights and privacy.
Disease control and privacy do not need to be a zero-sum game. In fact, as the lines between one’s physical and digital identities blur, our personal data and digital privacy must be protected just as our physical health to advance public wellbeing. As another new year approaches, there is much for the world to see Taiwan’s potential in not just effective pandemic control, but in doing so with a growing awareness and respect for human rights.
【Reference】
看得見的「類細胞簡訊」與看不見的「健保卡註記」:誰是高風險族群?
