
Note: 
This summary constitutes no part of the Judgment but is prepared by the Department of Clerks for the Constitutional Court only for the readers’ reference.
Original paragraph numbers that the summarized texts correspond to are put into lenticular brackets after each paragraph. 


Original Case Assignment No.: Hui-Tai-13769
Argued on April 26, 2022.
Decided and Announced on August 12, 2022.

 

Headnotes
 

In this Judgment, the Taiwan Constitutional Court (hereinafter the “TCC”) upheld the constitutionality of Subparagraph 4, proviso of Paragraph 1, Article 6 of the Personal Data Protection Act (hereinafter “PDPA”), while declaring the pertaining regulations, Articles 79 and 80 of the National Health Insurance Act (hereinafter the “NHI Act”), unconstitutional. The TCC applied strict scrutiny and found the disputed PDPA provisions, which restrict the data subject’s right to data protection, proportionate. However, the constitutional protection of privacy requires sufficient legal institutions such as supervisory instruments for storing, processing, transmitting, and providing personal data, which cannot be found under existing regimes. The TCC deemed the lack of protection in the existing regime unconstitutional. The TCC also noted that the lack of regulations enabling the data subject’s right to opt-out is also in violation of the Constitution.
 

Background Note
 

Taiwan implemented the National Health Insurance (NHI) system in 1995. All citizens and working residents are obliged to join the NHI unless there is a legal exemption[1]. For the purpose of reimbursement and accounting, medical agencies have to provide relevant data to the National Health Insurance Administration, Ministry of Health and Welfare (hereinafter the “NHIA” and “MOHW”). Said practice has led to the accumulation of massive personal data including medical records, prescriptions, medical images, etc.
 

The NHIA commissioned the National Health Research Institute (hereinafter the “NHRI”, a non-profit foundation established by the government) to establish a National Health Insurance Research Database (hereinafter the “NHI Database”). The NHI Database has been accessible to external applicants since 2000. Said commission between the NHIA and NHRI ended in 2016, after which all original data and disc documents were handed back to the NHIA. The NHIA later established the Applied Health Research Data Integration Service and the Health and Welfare Data Science Center to manage NHI data. Under different levels of scrutiny, researchers of academic institutions may be granted access to the NHI data per request for research purposes other than the implementation of NHI.
 

Petitioners of this case consist of NGO activists from the Taiwan Association for Human Rights, National Health Insurance Watch, and the Taiwan Women’s Link, who believed that the NHIA had illegally provided people’s personal NHI data to external users for usage other than the enforcement of NHI, consequently violating their right to data protection. The petitioners sent legal attest letters to the NHIA in 2012, requesting the NHIA not to transmit their NHI data to third parties. The NHIA denied their request on the grounds that the NHIA had conducted sufficient data protection mechanisms to ensure fair usage and that its action was for the advancement of national welfare. After the following administrative appeal and litigations, the petitioners’ case was finally dismissed by the Supreme Administrative Court in 2017. The petitioners petitioned for constitutional review later that year.
 

Summary of the Judgment 
 

Holding
 

  1. Subparagraph 4, proviso of Paragraph 1, Article 6 of the Personal Data Protection Act (hereinafter the “disputed provision I”) stipulates that “Data pertaining to a natural person's medical records, healthcare, genetics, sex life, physical examination and criminal records shall not be collected, processed or used unless on any of the following bases: (…) 4. where it is necessary for statistics gathering or academic research by a government agency or an academic institution for the purpose of healthcare, public health, or crime prevention, provided that such data, as processed by the data provider or as disclosed by the data collector, may not lead to the identification of a specific data subject; (Subparagraph 4)”. The disputed provision I does not violate the principle of legal certainty and the principle of proportionality, and is therefore not in conflict with the right to data protection guaranteed by Article 22 of the Constitution.
     
  2. Viewing comprehensively the Personal Data Protection Act (hereinafter “PDPA”) and other pertaining regulations, there is an insufficiency of independent supervisory instruments on data protection, which raises concerns about its constitutionality. The competent authority shall, within a grace period of three years from the announcement of this judgment, ensure relevant legal mechanisms be established to fulfill the right to protection of personal data under the Constitution. 
     
  3. Articles 79 and 80 of the National Health Insurance Act (hereinafter the “NHI Act”)[2][3] lack explicit regulations on the subject, aims, legal elements, scope, and measures on how the NHI data, as a database, may be preserved, processed, transmitted externally, and provided externally by the NHIA. The stated provisions also fail to provide explicit regulations on important subjects such as supervisory instruments regarding organizational and procedural data protection matters. Within this parameter, current regulations violate the protection of personal data guaranteed by Article 22 of the Constitution.[4] The competent authority shall, within the grace period of three years, amend pertaining provisions in the NHI Act and other laws, or establish special laws to regulate said matters explicitly. 
     
  4. In terms of the usage of personal health insurance data beyond its original collecting purpose, transmitted from the NHIA to other government agencies or academic research institutes, the existing legal regime lacks regulations allowing the data subjects to opt out, consequently violating the protection of personal data guaranteed by Article 22 of the Constitution. The competent authority shall, within the grace period of three years, amend or establish relevant laws that stipulate explicitly on the subject, reasons, procedure, and effect in requesting (or denying exceptionally) opt-out. If the amendment or establishment of said laws is past due, the data subject shall request directly to opt out in terms of the usage of their NHI data.
     

Reasoning
 

Data protection guarantees the right to control personal data before, during, and after the usage of data. The pertaining parties’ (hereinafter “data subjects”) right to control personal data after its usage shall include the right to erasure, right to opt-out, right to object, and right to restrict processing. 【32】
 

If one can reverse the processing of certain data and identify its data subject indirectly, whether the reverse process is difficult or not, said data shall still be deemed as personal data. The data subject’s autonomous control of said data shall be protected under the Constitution. On the contrary, if one cannot objectively trace the processed data to the extent that it is intelligible to identify its data subject, said data lose the nature of personal data, with its data subject consequently losing the protection of the stated right.【35】
 

The NHI data consist of highly sensitive personal data, which display a high level of individual differences that can objectively be related to certain data subjects. Therefore, NHI data, whether original or processed, is a kind of data that may be linked back to its data subject directly or indirectly. The data subject’s right to autonomous control over such data is protected by the Constitution.【36】
 

Where Part 1 of the Holding is concerned:
 

In terms of whether the disputed provision I violates the principle of legal certainty, the provision may be construed as requiring the adoption of pseudonymization measures in a manner that the personal data can no longer be attributed to a specific data subject. The textual meaning of "may not lead to the identification of a specific data subject" is therefore comprehensible, is predictable for the general public, and may be scrutinized and defined by the judiciary. In conclusion, the disputed provision I does not violate the principle of legal certainty.【40, 41】
 

In terms of whether the disputed provision I violates the principle of proportionality, since the core of data protection lies in the protection of the right to autonomous control over personal data, the TCC shall determine its standard of review with consideration to the nature of the personal data collected, and its importance to privacy. 【42, 44】
 

Personal NHI data stipulated in the disputed provision I contains massive personal information that may illustrate matters that are extremely private and sensitive, such as a person’s living area, track of activities, previous working environment, social incidents encountered, family and economic life, modes of decision making, and so on. NHI data may be used for automated profiling, and is therefore of a private, sensitive nature prone to affect the data subject’s socio-economic life. The breaching of a person’s NHI data is more severe than that of a person’s fingerprint. For this reason, the TCC deems that strict scrutiny shall apply in this case to decide whether the disputed provision I violates the principle of proportionality. That is to say, the purpose of the provision shall be of compelling public interest; the measure adopted shall be effective in achieving its purpose and be the less restrictive one; and there shall be an equitable balance between the restricted rights and the public interest achieved. 【45】
 

Article 157 of the Constitution[5] and Paragraphs 5 and 8, Article 10 of the Additional Articles of the Constitution[6][7] explicitly confer the responsibility to promote public health and medicine on the state. The purpose of the disputed provision I is to discover effective cures for diseases and to promote public health and medicine through the accumulation of scientific knowledge. In this sense, “statistics gathering or academic research (…) for the purpose of healthcare, public health (…)” in the disputed provision I does amount to a compelling public interest.【46, 48】
 

The disputed provision I stipulates the obligation to adopt pseudonymization measures, to the extent that the processed personal data can no longer be attributed to a specific data subject without the use of additional information under current technology and reasonable cost. These measures are sufficient to significantly reduce the breach of data protection when NHI data is collected. Furthermore, the disputed provision I has not only expressly restricted the NHI data collectors to government agencies and academic institutes but also stipulates that pertaining data may only be collected where it is necessary for statistics and academic research. Therefore, the disputed provision I complies with the principle of data minimization and may be deemed as the less restrictive measure. In conclusion, the disputed provision I does not violate the principle of proportionality, and it conforms to the right to protection of personal data under Article 22 of the Constitution.【54-56, 59】
 

Where Part 2 of the Holding is concerned:
 

To ensure data protection, in addition to the requirement that the purpose and elements of data collection shall be stipulated explicitly by law, organizational and procedural protective instruments for the data collected shall be established. Establishing independent supervisory instruments is crucial to ensure the data collectors comply with the law, and prevent the collected data from leaking or being abused. How these instruments shall be established is up to the legislative branch.【61】
 

Viewing comprehensively from PDPA and other pertaining regulations, there is a lack of independent supervisory instruments to protect personal data, which raises concerns regarding their constitutionality.【62】
 

Where Part 3 of the Holding is concerned:
 

Articles 79 and 80 of the National Health Insurance Act (hereinafter the “disputed provisions II”) are all the regulations on the collection and access of NHI data under Chapter 9 of the NHI Act. However, the disputed provisions II only regulate directly how the NHIA should collect NHI data. As for the legal elements and due process on these data’s storage and usage, and the important matters on appropriate preventive mechanisms against data abuse and data breach, the disputed provisions II only stipulate that they shall comply with the provisions in the PDPA, which only provides a regulatory framework. Specific aspects of NHI data collection and the organizational or procedural requirements regarding the data’s processing, usage, and transmission outside the NHIA are not regulated. 【66】
 

With regard to the stated aspects, viewing the disputed provisions II and pertaining regulations comprehensively, the NHIA fails to regulate important subjects such as the supervisory instruments on the organizational and procedural matters on data protection, and the required legal elements and due process for handling NHI data, including the subject, aims, legal elements, scope and measures on how the NHI data, as a database, may be preserved, processed, transmitted externally, and provided externally. At most, there are only administrative directives established by the NHIA and MOHW, which lack explicit authorization by law. Within this parameter, the disputed provisions II fail to meet the requirement of the Gesetzesvorbehalt principle under Article 23 of the Constitution[8], consequently violating the protection of personal data under Article 22 of the Constitution.【67】
 

Where Part 4 of the Holding is concerned:
 

Personal data collected, processed, or used with the consent of the data subject (or in certain situations where the data subject’s consent is not required), shall still be under the data subject’s right to ex post facto control over personal data. The data subject does not lose the right to erasure, to restrict data processing, to object, and to opt-out merely because consent has been given or was not required to collect his or her data.【69】
 

Viewing comprehensively the disputed provisions and pertaining regulations, Article 11 of the PDPA stipulates that data collectors, data processors, and data users are obligated, actively or per the request of the data subject, to erase, stop collecting, cease collecting or stop using the collected personal data when the validity of the data is in doubt (Paragraph 2); when the time limit of usage has ended or the purpose of usage has ceased to exist (Paragraph 3); or when personal data was illegally obtained, processed or abused (Paragraph 4). However, not all usage of personal data is regulated in current regulations, just like the issue of this case, which concerns the protection of personal data which was legally obtained, processed, or used within the time limit of usage, and under its original purposes of collection. The stated articles in the PDPA are not sufficient for data protection in all kinds of situations; therefore, the existing legal regime is not sufficient in protecting the right to ex post facto control over personal data as required by the Constitution.【70】
 

The data subject’s right to opt-out shall be guaranteed by Article 22 of the Constitution when the NHIA provides personal NHI data to government agencies or academic research institutes for usage other than its original purpose. However, viewing comprehensively from the existing legal regime, the data subject is barred from opting out without considering the balance between data protection and the purpose of usage under different circumstances, as well as the necessity of respective restrictive measures. There is also a lack of procedural regulations for opting out. Considering the above, the existing legal regime is apparently insufficient to provide the data protection required by Article 22 of the Constitution.【71】
 

Justice Horng-Shya HUANG wrote this Judgment.
Justice Tzung-Jen TSAI (joined by Justice Jiun-Yi LIN and Justice Chong-Wen CHANG) filed an opinion dissenting in part and concurring in part.
Chief Justice Tzong-Li HSU, Justice Chen-Huan WU, Justice Jau-Yuan HWANG (joined by Chief Justice Tzong-Li HSU, Justice Chih-Hsiung HSU, Justice Ming-Yan SHIEH, and Justice Hui-Chin YANG), Justice Ming-Yan SHIEH, and Justice Hui-Chin YANG each filed a dissenting opinion.

[1] Please refer to J.Y. Interpretation No.472. 


[2] Article 79 of the NHI Act: “The Insurer may require relevant agencies to provide the necessary information it needs to carry out the business of the Insurance, which the agencies may not refuse. (Paragraph 1)
The information obtained by the Insurer in accordance with the preceding paragraph should be handled responsibly and prudently. The storage and use of relevant information should be carried out according to the Personal Information Protection Act. (Paragraph 2)”


[3] Article 80 of the NHI Act: “The Competent Authority may, to review insurance disputes or for administrative reasons, ask the insured, the group insurance applicants, the premium withholders, and contracted medical care institutions to provide relevant documents, such as account records, receipts, medical history, diagnosis records, or cost of medical expenses, and other documents or relevant information. The beneficiaries, the group insurance applicants, premium withholders, and contracted medical care institutions shall not elude, reject, obstruct, or misrepresent, misreport or misstate. (Paragraph 1)
The Competent Authority shall determine the scope, accessing procedure and rules for interviewing and inquiry pertaining to the relevant information in the preceding paragraph. (Paragraph 2)”


[4] Article 22 of the Constitution: “All other freedoms and rights of the people that are not detrimental to social order or public welfare shall be guaranteed under the Constitution.”


[5] Article 157 of the Constitution: “The State, in order to improve national health, shall establish extensive services for sanitation and health protection, and a system of public medical service.”


[6] Paragraph 5, Article 10 of the Additional Articles of the Constitution: “The State shall promote universal health insurance and promote the research and development of both modern and traditional medicines.”


[7] Paragraph 8, Article 10 of the Additional Articles of the Constitution: “The State shall emphasize social relief and assistance, welfare services, employment for citizens, social insurance, medical and health care, and other social welfare services.”


[8] Article 23 of the Constitution: “All the freedoms and rights enumerated in the preceding Articles shall not be restricted by law except by such as may be necessary to prevent infringement upon the freedoms of other persons, to avert an imminent crisis, to maintain social order or to advance public welfare.”
 
