Data Protection Law and Future of Taiwanese Data Privacy
This text delves into the intricacies of data protection laws and the future of data privacy in Taiwan. It covers key concepts such as privacy basics, warrant doctrine, definitions in European data protection law, and the distinction between classical privacy and modern broader privacy in the context of data protection laws.
Download Presentation

Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.
E N D
Presentation Transcript
Data Protection Law and Future of Taiwanese data privacy K.S. Park Korea University Law School kyungsinpark@korea.ac.kr Open Net Korea www.opennetkorea.org
Privacy - Basics Intrusion into privately held area OR Revealing privately held information privacy infringement Exception: to save life, protect security, reveal corruption How about to investigate crime ? OK but since the powerful actor, the state is doing it, presumption of innocence requires special procedure
Warrant Doctrine Special protection when State is infringing individuals privacy for criminal punishment Why? Due process = no rights to be infringed before notice and hearing by a neutral tribunal how do you force hearing on unwilling individuals? force a quasi-hearing based not on conviction but on probable cause Warrant = Probable cause certified in writing by a responsible official independent of and disinterested in prosecutorial progress
What is private? US: categorical (black & white) 3rd party doctrine EU: incremental - e.g. walking in gay pride march US: becoming more incremental Congress on metadata, Jones, Riley, Carpenter State surveillance, not very different because of public intereste but Difference is when private parties collect and use data.
Europe: Data Protection Law Definitions: Personal Data all data about an identifiable person INCLUDING PUBLIC DATA Data Subject the person whom the personal data is about Data File an aggregate of personal data made easily searchable Data Controller a person who operates the data file for business purposes Consent Right: All Data Controllers must NOT process unless Consented to by Data Subjects EXCEPT. . . Public interest, etc. ALSO, Data Subjects have absolute right of access, right of correction, right to oppose/stop processing (RTBF?), right to delete (RTBF?), and right to receive notifications of breach.
Classical privacy vs. modern broader privacy (data protection law) Privacy Applicable only to confidential information Protects only from collection and disclosure (usually to the public) against data subject s will Data protection Usually applies to all information including non-confidential ones Protects from collection and disclosure not affirmatively approved by data subject Default: All personal information is private unless indicated otherwise! All processing are prohibited unless consented to otherwise.
Own Data about Oneself K.S. Park is a Professor. Let s assume you run an educational website and want to spread info about K.S. Park. You need my consent to receive that data? You need my consent for you to relay that data to a 3rd person? You need my consent for you to use that data in making comments about me? Owning data as if you own a car Let s say you let you friend borrow a car from you for weekend use inside the city consent for new use consent for transferring to a 3P right to get it back right to check
So, limited application Applied only against DATA CONTROLLERS (using data file for business purposes) cf. phone numbers list in your personal mobile phones? Applied only against Searchable files cf. your lecture notes
What is good about data protection law? You go to library to check out a book. The library keeps the list of books you checked out. Can the library sell the data to election campaigners so that they will contact you selectively for political bias? Can the library use the data to figure out your political beliefs? What if the library keeps incorrect data?
Good usage of data protection norms in Korea Striking down internet real name law Striking down warrantless access to user data Forcing telcos to respond to data access Forcing telcos to notify breaches Stopping sale of user data to others for marketing purposes Targeted advertising
Targeted advertising Behavior data what sites/postings do you read for how long. Targeted advertising uses behavioral data When you sign on FB or Youtube, what do you agree to and what do you expect? How about behavioral data on 3rdparty websites? Can click-signing FB Terms of Use be consent for collecting and processing 3rd party websites?
Role of Meta/Google Can put targeted banner ads if they know when individuals visit websites with banner ad spaces Website operators wanting more $$ for their online spaces can sign up to let Meta/Google place targeted ads on their website spaces. At the same time, they can inform Meta/Google the fact that users visited their websites, augmenting the individual preferences data. Why Meta/Google? Because (1) already have much individual preferences data for targeting (2) can also optimize using behavioral data of many to infer what users may want
Cookie consent Origin of cookie Hansel and Gretel leaving cookie crumb not to get lost in the Dark Forest Instead of leaving crumbs in location visited, user keeps records of locations visited as a file on the device so other apps/webs user visit will know where user has been
Harms of targeted advertising Filter bubble / Echo chamber extremism Works with content monetization rewards posting of extreme content by recommending them extremism But benefits of targeted advertising: SME website operators can sell their online presence at $$$ independence of journalism Even monetization is important for HRDs/ What to do? moderation by data protection law informed consent
Data protection law responds: Korea s PIPC Sept 2022: Hard for consumers to expect 3rdparty websites to be used for marketing Europe: Affirmative cookie consent; GDPR requires consent for data collection and cookie automates collection so requires consent Originally, consent implied by visiting but GDPR requires explicit consent cookie consent rule website operators doing targeted advertising must obtain informed consent , meaning, for non-essential (like marketing) cookies, can only opt-in (explain opt-out )
Can TW DPC issue a similar decision? Article 5. The collection, processing and use of personal data shall be carried out in a way that respects the data subject's rights and interest, in an honest and good-faith manner, shall not exceed the necessary scope of specific purposes, and shall have legitimate and reasonable connections with the purposes of collection. very broad? Article 15/17 reasonably related to the original purpose (Feb 2020 amendment)
AI-based optimization & data protection law AI can enhance Optimization AI depends on big data used as training data. Some big data are personal data data protection law 3V = Variety + Volume + Velocity Variety requires combining PAST and FUTURE DATABASES but that is unconsented-to use! Problem: Creativity comes from UNPREDICTED USE UNCONSENTED-TO USE Solution: Anonymize databases so that data are no longer personal data and therefore can be used w/o consent outside data protection law problem solved?
Is Anonymization Data Processing? Working Party considers that anonymisation as an instance of further processing of personal data can be considered to be compatible with the original purposes of the processing but only on condition the anonymisation process is such as to reliably produce anonymised information
So When is data identifiable/anonymized? When is data identifiable? If permanently anonymized, value of data lost need for pseudonymized data Pseudonymized data: identifier removed not permanently but stored somewhere. Is this personal data? What if identifiable by combining with other data ? If pre-identifier-removal original exists, all data are still physically identifiable personal data!!! (GDPR)
Breyer(ECJ c582/14) - Identified by whom? - By the controller or by any other person - Webhost s unconsented-to storing of dynamic IP address: Even though German law prohibits ISP from transmitting the additional data necessary to identify the individual, it appears that, in certain cases, such as a cyberattack, the webhost may contact the competent authority which can in turn obtain the information from the ISP.
GDPR classifies such data as pseudonymized data and protects as personal data Personal data Exempt from consent requirement for processing for big data purposes But right to access, right to correction, all in tact.
Access right is important because. . . Big Three problems with AI: - Garbage in Garbage out sanitization of training data needs re-identification - Data monopoly - data portability - Income inequality - ?? Anyway, to supply data portability and open data to sanitization , we need to apply data protection law s access right.
Taiwan exemption where it is necessary for statistics gathering or academic research by a government agency or an academic institution for public interests; provided that such data, as provided by the data provider or disclosed by the data collector, may not lead to the identification of a specific data subject; -article 6 sensitive data -article 9 3P collection -article 19/20 non-G collection/ processing/ use
Difference with GDPR/Korean Law? Taiwan law: no concept of pseudonymized data as personal data + no concept of identifiable by combination Currently unidentifiable data but physically re- identifiable by combination may be left out of data protection regime, especially access right, correction right.
Definition of personal data Taiwan any information that may be used to directly or indirectly identify a natural person Korea Information which uniquely identify a person + Information that can be easily combined with other data to identify a person -> ease in obtaining data + ease in matching data
Taiwan RTBF? Article 11. In the event of a dispute regarding the accuracy of the personal data, the government or non-government agency shall, on its own initiative or upon the request of the data subject, cease processing or using the personal data, unless the processing or use is either necessary for the performance of an official or business duty, or has been agreed to by the data subject in writing, and the dispute has been recorded. (No Correction but Just a dispute for correction triggers this!!!)
Publicly available data Lawfully publicly available data does not need correction of bargaining imbalance no need for ownership-like control data protection laws of Germany (pre- 2017), Canada, Australia, Singapore, India : exception for publicly available data Taiwanese law: Article 19 (3/7) 3. where the per sonal data has been manifestly made public by the data subject or publicized legally 7. where the personal data is obtained from publ icly available sources unless the data subject has an overriding int erest in prohibiting the processing or use of such personal data; But no such exception for using ??