萬國法律事務所

More than two decades ago, the Taiwanese government established the National Health Insurance Research Databank (“Databank”).  The Databank widely collects patients' health insurance data, including each patient's diagnosis, time of medical visits, discharge time, and payments.  Such data are extensively utilized for academic research.  In 2017, the legitimacy of this establishment and utilization of the Databank was challenged before Taiwan's Constitutional Court.
 
In this case, Petitioners tried to “opt out” from the Databank and requested Taiwan's National Health Insurance Administration, MOHW (“NHIA”) to cease further processing of their health data for purposes other than health insurance as this is the initial purpose for which their insurance and health data was collected.  After their opt-out requests were denied by the NHIA, Petitioners filed an administrative lawsuit against the NHIA, requesting the administrative court to enable their same requests.
 
Taiwan's Personal Data Protection Act (“PDPA”) provides stronger protection for sensitive personal data (including one's health/medical information).  Nonetheless, the PDPA provides an exception under Article 6(1)(iv) (“Provision”) that allows further processing of sensitive personal data (including health data) when “it is necessary for statistics or academic research by a government agency or an academic institution for the purpose of healthcare, public health, or crime prevention, provided that such data may not lead to the identification of a specific data subject.”  Taiwan's administrative courts reviewed the Provision and held that Petitioners had no right to “opt out” from the Databank.  The issues were subsequently brought before the Constitutional Court.
 
On 12 August 2022, the Constitutional Court rendered its 111 Year Hsien-Pan-Tzi No. 13 Judgment (“Judgment”) and held that:
 
(1) The exception for further processing of health data provided under the Provision does not violate the Constitution.
(2) The lack of an independent supervisory mechanism under the PDPA and relevant regulations constitutes a potential violation of the Constitution.  The legislature is required to establish such mechanism within three years.
(3) There is a lack of regulations specifying which transferee institutions may further process data in the Databank, purposes, requirements, scope, and methods of storage, process, and transfer of data in the Databank under the Taiwan National Health Insurance Act.  Lack of such regulations violates the Constitution.
 
  The legislature is required to make necessary revisions to current relevant laws within three years from the date the Judgment rendered.
(4) The lack of an “opt-out” mechanism that allows a data subject to request the NHIA to stop further processing his/her health data for purposes other than the initial purpose for which such data was collected is a violation of the Constitution.  The legislature is required to make necessary revisions to current relevant laws within three years.  Otherwise, data subjects will have the right to request the NHIA to cease such further processing.
 
The Judgment further sheds light on some key issues related to academic usages of sensitive personal data (including health data):
(1) The Provision aims to improve medical care and public health through academic research, which are significant public interests.  However, the proper balance between the public interests pursued by specific academic research and the protection of individual's privacy must be determined on a case-by-case basis by an independent supervisory mechanism.
(2) The Provision requires the personal data to be de-identified before such data is allowed to be further processed. In the Constitutional Court's majority view, de-identification of personal data significantly reduces the risk of infringement on the data subject's privacy and is deemed as a suitable approach to achieve the Provision's aim.
(3) As individuals cannot control the usage of their personal data stored in the Databank, protection of such data relies heavily on an independent supervisory mechanism to prevent abuse or breach of such data.  By law, the legislature is required to establish such a mechanism.  Although the Constitutional Court leaves it to the legislature to determine whether the required independent supervisory mechanism should be a single “overall supervisory mechanism” or multiple individual supervisory mechanisms, established by the laws and regulations that govern different sectors. It approvingly notes that the EU’s data protection law (“GDPR”) requires each member state to provide one or more independent supervisory authorities to monitor the protection of privacy.
(4) The Taiwanese government has the obligation to establish organizational and procedural protective measures, sufficiently securing data subjects’ privacy if they want to mandatorily collect citizens' health insurance data to establish the Databank and transfer the data to third parties for further processing   The legislature shall establish legal requirements and due process regulating the NHIA's transfers of the data stored in the Databank.
(5) It has a long established principle under which a data subject has the right to delete, terminate, or limit the processing of his/her data.  The legislature shall provide the right to opt-out and establish a process by which data subjects may request the NHIA to cease further processing of his/her data.
 
However, there are a number of dissenting opinions from members of the Constitutional Court, stating that:
(1) The purposes for “statistics or academic research related to healthcare and public health” as provided by the Provision is a vague and broad concept.  Moreover, not all academic research involves significant public interests.  According to some dissenting Justices, Taiwan’s legislature should establish a more nuanced standard to determine if such concessions should be made to the right to privacy for research purposes.
(2) The Provision fails to set up standards for de-identification of data.  This might put personal data at great risk of being re-identified.  According to some of the dissenting Justices, this lack of standards for de-identification of personal data is unconstitutional. 
 
As the Judgment is a landmark case where the Constitutional Court had the chance to review the proper balance between the protection of an individual's privacy and the public interests that may be achieved through the establishing of a large-scale databank in the information era. The constitutional values and requirements revealed in the Judgment will likely set the regulatory tone for the many more large-scale databanks expected to be established in the future.
 
Formosa Transnational, established in 1974, is a renowned full-service law firm in Taiwan.  Please visit our website for further information.

Authors: Peng Kwang Chen, Partner of Formosa Transnational and Pamela Huang, Senior Attorney of Formosa Transnational