After a decade of controversy over the research database of the National Health Insurance (the “NHI”), the Constitutional Court handed down its judgment on the matter (Ref. No. 111-Shien-Pan-13, the “Judgment”) on August 12, 2022, holding that Subparagraph 4 of the proviso to Paragraph 1, Article 6 of the Personal Data Protection Act (the “PDPA”) is not unconstitutional. However, the Constitutional Court also found that the PDPA and the National Health Insurance Act (the “NHI Act”) are inadequate in protecting information privacy, and that the relevant laws must be amended, or new laws specifically promulgated, within three years of the date of the Judgment to provide for the following:
1. the establishment of an independent monitoring mechanism for the protection of personal data;
2. the requirements and controls governing the use of the NHI data by the competent authority, i.e., the National Health Insurance Administration (the “NHIA”) under the Ministry of Health and Welfare, for the purpose of establishing databases, as well as the release of the personal data (i.e., rules on material issues such as the subject, purpose, requirements, scope and manner of storage, processing, external transmission and external access of the database, and the organizational and procedural supervision and protection mechanisms); and
3. the rules governing a data subject’s request for cessation (opt-out) of the use of his or her NHI data (if the relevant laws are not amended, or new laws not promulgated, within three years, data subjects may request the cessation (opt-out) of the use of their NHI data for purposes other than those for which it was originally collected).
The following is a brief description of the background of the case, the main points of the Constitutional Court’s decision, and its implications.
A.Background of the Case
The NHI system has been implemented in Taiwan since 1995, and the NHIA, the competent authority for NHI business, has collected a considerable amount of NHI data, including personal NHI data, over the years. The NHIA formerly entrusted the NHI data to the National Health Research Institute (the “NHRI”) to build the National Health Insurance Research Database, which was available for external use between 2000 and 2016. The NHIA has also established the National Health Insurance Information Integration Service to provide external access to NHI data that has been pseudonymized through encryption algorithms. Note that pseudonymization of this kind only replaces identifiers; it does not by itself remove the possibility of re-identification, which is the point on which the Judgment turns.
In 2012, the claimants (seven natural persons) each wrote to the NHIA objecting to the release of their personal NHI data to third parties for purposes other than those related to NHI business, and the NHIA rejected their requests. The claimants filed subsequent petitions and administrative lawsuits, which resulted in final judgments against them, and in 2017 they filed a petition for interpretation of the Constitution, requesting that the relevant statute be declared unconstitutional.
B.Summary of Reasoning
1. Scope of personal data: NHI data is a highly sensitive category of special personal data with a high degree of individual variation, and it is a scientific fact that such data can, in extreme cases, be objectively restored so as to indirectly identify a specific data subject. Therefore, an individual’s NHI data, whether in its original form or after processing (such as encryption or other de-identification that still leaves re-identification possible), remains “directly or indirectly identifiable to that individual”, that is, “personal data” protected under the PDPA.
The Judgment also mentions the possibility of processing individuals’ NHI data into anonymous data with no possibility of re-identification. Such data is no longer personal data protected under the information privacy guarantee of Article 22 of the Constitution, but it loses the ability to selectively cross-reference variables and establish correlations, and therefore may not serve statistical or academic research purposes. In any event, such data appears to fall outside the scope of the Judgment.
2. Reaffirmation and clarification of the individual’s right to control his or her personal data: The Judgment reaffirms that information privacy is protected under Article 22 of the Constitution, that individuals may decide whether and how to disclose their personal data, and that they have the right to ex ante control through consent prior to use, and ex post control during and after use, including the right to request deletion, cessation of use or restriction of use of their personal data.
3. Subparagraph 4 of the proviso to Paragraph 1, Article 6 of the PDPA is not unconstitutional: The exception under which highly sensitive special personal data may be collected, processed or used without the consent of the data subject reads “(iv) where it is necessary for statistics gathering or academic research by a government agency or an academic institution for the purpose of healthcare, public health, or crime prevention, provided that such data, as processed by the data provider or as disclosed by the data collector, may not lead to the identification of a specific data subject”. This subparagraph allows a government agency or academic research institution to collect, process and use personal NHI data for medical or health purposes, and sets out the requirements for doing so. The Constitutional Court held that its meaning is understandable and foreseeable and can be subject to judicial review, so it does not violate the principle of legal certainty. Further, the purposes of collection, processing and use are limited to medical and health care, and the aim of promoting the development of medical and health care through statistical or academic research serves a public interest of particular importance. Finally, the subparagraph already imposes an obligation to take de-identification measures; although re-identification may still be possible, these measures significantly reduce the potential infringement, so the provision does not violate the principle of proportionality.
4. An independent monitoring mechanism for personal data protection should be established: Protecting information privacy requires that the necessary organizational and procedural safeguards be taken for the personal data collected. In particular, individuals’ NHI data is no longer within their control, so preventing its abuse or improper leakage depends on an independent supervisory mechanism that ensures each specific use complies with the principle of proportionality. However, the PDPA and other related laws and regulations, taken as a whole, provide no independent monitoring mechanism for the protection of personal data, and the protection of information privacy is therefore inadequate. The authorities should establish the relevant legal framework within three years from the date of the Judgment.
5. Relevant laws should be amended or new laws promulgated to govern the establishment of databases and the release of personal data: Articles 79 and 80 of the NHI Act provide only for the NHIA’s collection of NHI data and related data. How the NHIA should preserve and use the NHI data it has collected, the legal requirements and proper procedures to be followed, and the protection mechanism needed to prevent misuse and improper leakage are governed by the PDPA. However, the PDPA is a framework statute, not a specific law on the collection and use of personal NHI data, and its provisions do not cover the organizational and procedural requirements for the external transmission, processing or use of personal NHI data. Therefore, the authorities should, within three years from the date of the Judgment, amend the law or adopt a special law that provides for the retention, processing, external transmission and external use of the NHI data in the database, including the subject, purpose, requirements, scope and manner thereof, the related organizational and procedural supervision and protection mechanisms, and other important matters.
6. The data subject’s right to request cessation of use should be stipulated in amended or new laws: The NHIA collects personal NHI data for the purpose of conducting NHI business and provides it to government agencies or academic research institutions for purposes other than those of the original collection, which restricts information privacy. Based on the right to ex post control of personal data, the data subject’s right to request cessation of use of his or her personal data remains protected under Article 22 of the Constitution. Yet the NHI Act and the NHI database, taken as a whole, neither allow data subjects to request cessation (opt-out) of use nor stipulate the procedure for doing so. The authorities shall complete the relevant legal framework within three years from the date of the Judgment. If the relevant law has not been enacted or amended by that deadline, data subjects may request cessation (opt-out) of the use of their data for purposes other than those for which it was collected.
C.Implications of the Case
1. The Judgment adopts a broad definition of highly sensitive special personal data: where the data subject may still, objectively, be indirectly identified by extreme means, the NHI data remains personal data. Consequently, even highly sensitive personal data that has been encrypted or otherwise de-identified may still be treated as personal data depending on the circumstances, and the application of the PDPA cannot be ruled out. Organizations handling such data should not assume that encrypting or pseudonymizing identifiers takes the data outside the PDPA.
2. The Judgment recognizes that the NHI database still needs to be established and that NHI data still needs to be released for medical or health purposes, but that this must comply with the principle of proportionality of means. The balance between the public interest and information privacy is therefore to be struck by establishing an independent monitoring mechanism, regulating the establishment of the database and the requirements and controls for the release of personal data, and guaranteeing data subjects’ right to request an opt-out. We will continue to monitor the progress of the relevant authorities in amending the relevant laws or promulgating new ones, and assist clients in submitting legal and regulatory opinions to the relevant authorities, so as to promote a legal system that best balances the different legal interests involved.