Covid-19 and Data Privacy Challenges in Taiwan

By Chuan-Feng Wu (external contributor)

At the onset of the Covid-19 pandemic, Taiwan has adopted numerous novel digital technologies for contact tracing, social distancing, home quarantine, and pandemic investigation. Effective digital governance, including big data analytics and smart technology, is regarded as the main contributor to Taiwan’s success in containing the pandemic. For example, the Government’s solution to the challenging pandemic investigation for the linkage between patients and potential cases is exploring patients’ daily footprints (down to every hour) through mobile phone tracking (and maybe surveillance camera). The result is then disclosed to the public so that those who have visited these places can stay alert. In another example, an electronic fence which triangulates the location of a potential case’s mobile phone relative to nearby cell towers, owned by mobile operators, is formed to enforce quarantine and self-health management. All mobile network operators have agreed to assist the Government to track individuals’ mobile location data (or to deliver the collected data to the Government) and the National Communications Commissions, responsible for broadcasting and telecommunication regulation, has also given its consent. Despite the potential derogation of privacy protection arising from these measures, Taiwan’s population has generally accepted the Government’s use of its emergency powers to deploy these technologies. This is not only because of the Government’s transparent communication of disease control measures on a daily basis, but also of the citizens’ trust in their democratically elected and appointed bureaucrats.

However, as the worst outbreak since 2020 (10,438 infected (including local and imported cases) from 13 May 2020 to 8 June 2021 and 296 deaths) unfolds in Taiwan, privacy concerns are raised once again because the exemptions from personal data protection were further expanded without clear boundaries as to what purpose the collected data could or could not serve. For example, without informing the data subjects, the Central Epidemic Command Center (CECC) provided phone numbers of all residents (regardless of whether they are potential cases or not) in the Wanhua district (where the outbreak started) and location data (collected from telecom operators) to a laboratory to analyze the residents’ digital footprints and put special notations in their National Health Insurance (NHI) cards. This measure was later questioned for unjustifiably expanding the CECC’s emergency powers and violating individuals’ privacy. In the face of Taiwan’s first wave of Covid-19 infections that leads to tighter privacy restrictions imposed by the Government, it is important to re-evaluate the pandemic’s implications for privacy in Taiwan.

The first challenge regarding privacy and personal data protection in the Covid-19 pandemic in Taiwan is the vague, unclear boundary of the Government’s emergency powers to loosen privacy protection and to allow a broader range of accessibility to personal data. The Government’s powers are generally set out in Article 7 of the Special Act for Prevention, Relief and Revitalization Measures for Severe Pneumonia with Novel Pathogens (the Special Act), where the CECC commander is authorized to implement 'necessary' disease control measures. But the blanket authorization, granting an expansive power subject to the necessity requirement only, is criticized for potential violations of the principles of rule of law and legal clarity. From the Government’s standpoint, the uncertainty of the novel disease needs to be taken into consideration and some flexibility is necessary when applying the legal clarity principle, especially in rapidly developing pandemic circumstances where it is impossible to expect that all disease control actions are anticipated or squarely fall into strict legal construction. However, it has been more than a year since the declaration of Covid-19 as a Public Health Emergency of International Concern (PHEIC). As more has been learned about the virus and the control measures, it is illegitimate to continue using the Special Act and its blanket authorization as the only legal basis for processing personal data without consent or beyond its original collection purposes. Along with new data and knowledge of how the virus spreads and what to watch for, the Government is then expected to bear the responsibility for making updated decrees or executive acts describing the means, objectives, and practices of the collection, use, and disclosure of personal data in a more detailed manner, rooted in proper legal basis and competences. Nonetheless, the Government has failed to adjust the Special Act over time, and a proper indication as to the circumstances and conditions that authorize the Government to resort to privacy restriction measures for disease control has yet to be developed.

The second challenge is that the CECC fails to comprehensively disclose what personal data has been collected, how it was collected and processed, and for what purposes the data was used. Even though the Government issues daily updates regarding Covid-19 with a large degree of transparency, the CECC is reluctant be totally transparent about the deployment of digital measures and operating mechanisms due to concerns that citizens may find ways to cheat the system. However, without the aforementioned information, the Government’s response cannot be justifiably scrutinized. More importantly, due to the broad emergency powers authorized by the Special Act and the serious violations of privacy, the Government needs to show a high degree of defense with regards to its measures, given the scope of personal data the Government collected, the means of data collection, the precise policy purposes, and the number of different factors and alternatives that would have been considered. Concerns over misuse of personal data would continue to surface if emergency exemptions are not provided with sufficient information as to what purpose could or could not be served.

The third challenge is the lack of an independent data protection authority responsible for overseeing the use of personal data and safeguarding individuals against data abuse in Taiwan’s personal data protection framework. The National Development Council (NDC) is designated as the competent authority in charge of interpreting the Personal Data Protection Act (PDPA) and regulating personal data processing in Taiwan. However, the NDC’s independence in personal data protection is questioned because the NDC is also in charge of Taiwan’s economic, industrial, and social development, where promoting personal data utilization is essential. Therefore, there is no decent authority to assess or to ensure whether the CECC’s disease control measures are in line with data governance and privacy principles. Even though the CECC tried to establish guidelines to balance privacy concerns and crisis response when implementing privacy-restrictive measures to combat Covid-19 (eg, personal data collected by the Government or business entities should not be used for purposes other than pandemic investigations and should be deleted after 28 days), without an independent data protection authority, it remains unclear how the 'necessity' of these measures is to be interpreted, whether the interpretation is independently overseen, and to whom individuals can file complaints. This could lead to arbitrary interpretation and decisions that contravene privacy and personal data protection. Therefore, human rights advocates have strongly urged the Government to contemplate the need to establish an independent data protection authority, who is expected to play a key role during the pandemic crisis in advising on the Government’s proposed emergency legislation and helping the data controllers seek legal certainty (as noted in the OECD’s policy response to ensure data privacy while battling Covid-19).

The final challenge is the bypassing of the Communication Security and Surveillance Act (CSSA) during the pandemic, where individuals’ telecommunication data is monitored in the electronic fence system without an interception order issued by a judge (Article 5) or by the Director of the National Security Bureau (Article 7). When criticized by the Congress at a special hearing, the Ministry of Justice (MOJ) defended the policy on the basis that only criminal surveillance and intelligence surveillance are regulated by the CSSA, whereas epidemiological surveillance (including telecommunication surveillance of Covid-19 patients and potential cases) is regulated by the Communicable Disease Control Act (CDC Act), the Personal Data Protection Act (PDPA), and the Special Act, with no requirement for an interception order. Although the argument is supported by some scholars, the MOJ’s position is challenged by prosecutors questioning that mobile location data, regarded as private communication protected by the CSSA (Article 3), cannot be well protected without strict procedural safeguards. Additionally, it is also questionable to cite the CDC Act to authorize the CECC’s telecommunication surveillance since the Act offers no explanation on objectives, thresholds, conditions, or procedural due process regarding the application of such measures, as well as the Special Act. Bypassing the CSSA may also be a slippery slope in terms of potential human rights violations. As a recent example, the police was accused by a district court judge of using the CDC’s SMS contact tracing system for criminal investigation without an interception order; but the accusation was later denied by the CECC. Therefore, even if the CSSA cannot be applied to regulate epidemiological surveillance, its legal and procedural requirements should not be ignored and should be included in amendments to the CDC Act or the Special Act.

Until the end of the pandemic, big data analysis and technology-assisted public health measures will be continuously used to contain Covid-19. However, the aforementioned privacy concerns would undermine the public’s trust in the Government and can adversely impact the effectiveness of the crisis response measures. Therefore, even though it seems difficult to fully preserve individual privacy in this difficult time, the Government still needs to cautiously design and implement Covid-19 restrictions, and be aware of the balance between data protection and public health.