China Power

How Asia’s Digital Governance Beacon Balances Data Privacy and the ‘Public Good’

Taiwan’s government has immense amounts of health data on its population. What it can do with that data is the subject of a decade-long lawsuit.

Healthcare in Taiwan is extremely good. It is not hard to find claims that the country’s national health insurance system is one of the best in the world, whether it be in international ranking tables or Taiwan’s inclusion in Ezekiel Emanuel’s recent book “Which Country Has the World’s Best Health Care?” The COVID-19 pandemic also demonstrated the strength of healthcare in Taiwan. The island nation of 23.5 million avoided lockdown for all of 2020, and, despite facing outbreaks in 2021 and 2022, has maintained a death rate per million people comparable to New Zealand’s.

Taiwan is built around a single-payer compulsory insurance plan, which is supplemented by (small) out-of-pocket payments to visit doctors. The system now includes 99 percent of the population, and, since its rollout in 1995, the National Health Insurance System has helped reduce income and regional-based health inequalities. The system is not without its challenges, however. It is chronically underfunded and understaffed, and Taiwan’s aging population is only aggravating this problem.

Taiwan has recently also been seen as a beacon of “digital democracy” and good digital governance in Asia, especially thanks to the efforts of Audrey Tang, now Taiwan’s first digital minister. But a decade-long legal case has brought Taiwan’s reputation for responsible digital governance and strong medical care into conflict. The conduit for this conflict has not been the insurance system itself, but the abundant citizen health data produced alongside its operation. A central database, known as the National Health Insurance Database (NHID), was built by the Taiwan Bureau of National Health Insurance (BNHI) in 1998. The database now holds an immense amount of data, including ID numbers, demographic information, and complete medical records for about 99 percent of Taiwan’s population.

This data has been increasingly accessible to researchers since 2000 as a way to promote medical research in Taiwan, with the capacity to link this data with other government databases. As the Taiwanese government pushes to promote the “value-added application” of data in the public sector, the prospect of NHID data being put to commercial use by private sector companies has been repeatedly hinted at by high-ranking government officials.

The idea of repurposing citizens’ health data in the NHID has long been met with ire from Taiwan’s human rights activists, who worry about users’ right to privacy. Although Taiwan’s Personal Data Protection Act generally prohibits the use of sensitive data, there is a carveout in article 16 of the act that allows for sensitive data use when it is “necessary for statistics or academic research by a government agency or an academic institution for the purpose of healthcare, public health, or crime prevention.” Article 16 has been used by Taiwan’s National Health Insurance Administration to justify giving researchers access to the NHID without data subjects’ permission or right to opt out.

As early as 2012, the Taiwan Association for Human Rights sued the database after a request by some citizens to not have their data shared was denied. In 2017, Taiwan’s high administrative court ruled against the Taiwan Association for Human Rights, siding with the database. In response, the association took aim at Taiwan’s Personal Data Protection Act itself, calling the act unconstitutional and a violation of individual rights. They submitted a new case, this time to Taiwan’s Constitutional Court.

The Taiwan Association for Human Rights made multiple arguments in its petition for constitutional interpretation. First, they noted the lack of administrative systems to regulate how data can be used and what type of research counts as in “the public interest.” The activists questioned whether all research could really justify a potential privacy breach. The carveout in article 16 provides few guidelines on what exactly is “necessary,” and no laws do this either.

This echoes a common refrain from critics of the Taiwanese government’s protection of individual freedom, wherein the lack of clear legal guidelines provides room for government overreach. Such an argument was successful in halting the rollout of electronic ID cards in Taiwan before the establishment of new laws surrounding data protection. Similar objections also succeeded in limiting the rollout of social media platform regulations in Taiwan before new laws could better define fake news and content that would need to be taken down by platforms.

Crucially, the Taiwan Association for Human Rights also noted the possibility of re-identification of anonymous data through cross-referencing with other government data sets, which would make the release of the dataset for researchers a potential privacy violation. The re-identification of seemingly anonymous data has long been an issue globally: In 2006, AOL released to researchers a set of user data that they thought was anonymous, but by cross-referencing certain features of the data, researchers managed to identify almost all of the people in the dataset. Although the National Health Insurance Database has claimed the de-identification process is rigorous, this claim will only ever be truly tested if a re-identification event occurs – at which point, it is already too late.

After years of waiting, in August of this year, the Constitutional Court finally made its ruling. The outcome is generally in favor of citizens’ rights to privacy and information self-determination, but not completely satisfactory for the most progressive human rights activists. In the judges’ view, the article 16 carveout itself was still constitutional. However, the judges found the lack of paths to opt out and institutions to protect citizens’ privacy when sharing public health databases to be problematic. Therefore, the court has now mandated the establishment of an independent supervisory mechanism and clearer legislation regarding when sensitive data can be used.

Similar to the cases of ID cards and content regulation mentioned above, this ruling has once again chipped away at some of the blurred legal lines and unclear guidelines that have plagued Taiwan’s administrative system since the country’s transition away from authoritarianism over three decades ago. With regard to how data and information are used and handled, the Taiwanese government is being increasingly forced to come up with clearer rules.

That said, regarding the question of de-identification, the court ruled that as long as data could not be “directly re-identified,” there was no issue. This leaves the door open to future privacy breaches through cross-referencing multiple data sets. This will likely be an increasingly worrying issue as more and more data are amassed by the state. In sum, the Taiwan Association for Human Rights, and personal privacy advocates more broadly, have won a moderate, if not complete, legal victory.

The latest ruling represents a growing debate, both in Taiwan and globally, about the correct balance between sharing citizens’ data to create greater socioeconomic value and respecting citizens’ personal privacy. Governments around the world must balance the proposed benefits of good governance and innovation that access to data can bring with individual rights to control how visible we are in the increasingly omnipresent privately and government-run spreadsheets that inform decision-making in the age of big data. This issue has been brought into sharp relief during the pandemic, where track-and-trace systems were rolled out as a way to prevent infections, to the ire of many worried about government tracking. Taiwan originally navigated this storm fairly well, rolling out a system born out of a collaboration of civil society and government actors that used third-party databases to anonymize personal data. Indeed, the early success of pandemic prevention in Taiwan is in part due to the constant and intense monitoring that all arriving in Taiwan were placed under during their mandated quarantine.

Although in the NHID case human rights advocates have been delivered a win that will also be a win for administrative clarity in Taiwan, it is important to take the other side of the debate seriously as well. For example, some medical researchers have pointed out that the potential for an opt-out mechanism may create biases in data, as the portions of the population who are most likely to opt out are not random. Specifically, those with marginalized medical identities – such as those who are HIV-positive, a population in Taiwan that has historically faced intense medical surveillance – will most likely be more proactive in using any opt-out mechanism. Whether this would cause a blow for HIV research, or broader research that hopes to take into account the effects on populations with HIV in Taiwan, is yet to be seen. The answer will depend both on the uptake of the opt-out options among certain populations and on whether researchers can come up with new statistical counterbalances to help address potential sample bias. Regardless, it should at least be celebrated that future research will be undertaken with the consent (even if only tacit) of the population in question to be part of such studies, which should be seen as a win for research ethics.

Taiwan’s ruling places the country more closely in line with guidelines that exist in the United States, which has protected all personal data since the Health Insurance Portability and Accountability Act in 1996, and the European Union, which has similar protections as part of the General Data Protection Regulation passed in 2016. The Constitutional Court has now given the Taiwanese government three years to pass new laws regarding oversight, data usage, and an opt-out mechanism. The specifics of these laws are yet to be revealed and the future for such regulation is still somewhat uncertain. Exactly who will be able to opt out, and under what circumstances, will now be determined by lawmakers, who will also have to rule on exactly what data usage is in the public good. It will be crucial for privacy advocates and all interested in the question of data governance to keep an eye on the new laws that are set to be passed in the next few years.