Constitutional Court Rules on National Health Insurance Case – A Win for Opt-Out Right amidst an Overall Unfounded Judgment on Personal Data Protection Act

The original article in Mandarin. Xin-yi Liao is the translator of this article.

In Taiwan, individuals covered by mandatory national health insurance have been concurrently deprived of their data autonomy. Misinterpreting the Personal Data Protection Act (hereinafter PDPA), the government neither seeks affirmative consent nor answers any opt-out request from the data subjects when handing their sensitive health information to third parties for secondary use under, not just academic but also industrial, research projects. As big data analytics and AI algorithms develop, the frequent and large-scale amalgamations of private data engender higher risk of personal identification. Whereas some other countries have been advancing regulations and codes of ethics in building a data usage environment that respects fundamental human rights, Taiwan has carried over the autocratic mentality of the former regime into data management policies, sparing no citizen from the health insurance data pool exploited as sample dataset for research projects.

The Ruling declared this day (Constitutional Court, 111 Pan Zi No.13) brought a ray of sunshine to endeavors eliminating data exploitation. Back in 2012, upon discovering the National Health Insurance Administration’s secondary use of the people’s health insurance data, Taiwan Association for Human Rights, Taiwan Women's Link, and Civic Coalition for Monitoring National Health Insurance integrated submissions of attestation letters to the  Administration in demanding opt-outs from such undertakings. Ten years had passed when this long-awaited declaration of unconstitutionality by the Grand Justices, which pronounced the Personal Data Protection Act deficient in monitoring secondary use and permitting opt-outs, took place following a series of setbacks in administrative and judicial proceedings.

Opt-Out as Last Resort against Unconstitutional State Practice

We commend the Constitutional Court in pronouncing that the PDPA does not provide legal grounds for the administration to commission a secondary use of personal data collected for national health insurance, and that failing to provide an opt-out venue from such schemes is unconstitutional. As the amendment period is set at a limit of three years, we urge the National Health Insurance Administration, along with its superior, the Ministry of Health and Welfare, to terminate the unconstitutional practices at this very instance, lest the infringement of privacy be prolonged during the deliberation of the amendment.

Privacy Lays Bare as Data Protection Act Declared Constitutional

The PDPA in its current form is lenient on large-scale secondary use of personal data, particularly in safe-harboring actions that purportedly enhance public interest and in deviating from the international standards concerning non-identifiability. Until the relevant provisions are amended to establish procedures determining “public interest” and examining necessity, instances similar to this health insurance case will be lining up just around the corner. The constitutional declaration for the general provisions of data management is likely to be acted upon by the public sector and powerful private players as a go-ahead with dubious operations. Even if the unattended provisions are to be amended following another unconstitutionality ruling in the future, powerful actors will have been accessing our sensitive personal data for more than twenty years.  It is a pity that the Grand Justice bypassed the opportunity to get to the bottom of Taiwan’s regulatory deficiency on data autonomy at a time when realizing data ethics in cushioning the blow the information age had on privacy is ever so important.

Deficient Data Protection Lacking Independent Monitoring Institute

The Constitutional Court echoes their stances in the Constitutional Court 111 Pan Zi No.1 by reiterating that, based on the doctrine of non-delegation, the State has an affirmative obligation to construct institutional and procedural safeguards in the form of statutory instruments. That having an independent monitoring mechanism as one mentioned in the judgment is elemental for countries valuing data protection and indispensable to the realization of our own constitutional principle of due process as ex ante and interim procedural controls is explicated by multiple grand justices in their supplementary opinions.

The ruling is not the finale of the movement but rather a stimulation pushing forward the frontiers of data autonomy among research and industrial institutions, reinvigorating its deliberations as a compartment of realizing State responsibility. We expect legislators to stand alongside the people and their right to data autonomy by amending the relevant provisions in the PDPA as opposed to leaving its vague language conditioning secondary use be interpreted arbitrarily by the Executive and private entities even. In cases where the preponderance of serious public interest compels a large-scale secondary use of sensitive personal data, measures should be on par with countries celebrating the rule of law, which should include prior implementation of data protection impact assessment for risk identification and minimization, and enacting specific laws for deliberating public interests, seeking affirmative consent and answering opt-out demands. Without a doubt, Taiwan Association for Human Rights will be present in subsequent legislative initiatives.