2 Privacy Regulations and Privacy by Design
國立政治大學 National Chengchi University
2.3 Taiwan
In Taiwan, the first data protection law was legislated in 1995.53 This legislation was primarily a response to the European Union Data Protection Directive, which required all EU trading partners to have comparable data protection laws in order to receive trans-border personal data from EU countries. The Computer Processed Personal Data Protection Law was renamed the Personal Information Protection Act (PIPA) and amended on 26 May 2010.54 The PIPA became effective on 1 October 2012, except that the provisions relating to sensitive personal data and the notification obligation for personal data indirectly collected before the PIPA took effect have not yet entered into force.
Under Article 2(1) of PIPA, personal data means the name, date of birth, I.D. card number, passport number, characteristics, fingerprints, marital status, family, education, occupation, medical record, medical treatment, genetic information, sexual life, health checks, criminal records, contact information, financial conditions, social activities and other information which may directly or indirectly be used to identify a living natural person. Article 6 of PIPA states that “sensitive personal data means the personal data relating to medical treatments, genetic information, sex life, health checks and criminal records”. The provisions relating to sensitive personal data have not yet entered into force, and the date for enforcement of Article 6 shall be set by the
53 The Computer Processed Personal Data Protection Law was legislated 11 August 1995,
http://db.lawbank.com.tw/FLAW/FLAWDAT08.aspx?lsid=FL010627&ldate=19950811 (Accessed on 20 October 2014).
54 Taiwan Ministry of Justice, Personal Information Protection Act (May 2010),
http://law.moj.gov.tw/Eng/LawClass/LawAll.aspx?PCode=I0050021 (Accessed on 13 March 2015).
appoint a data protection officer. However, if the data controller (government agency or non-government agency) is a government agency, a specific person should be appointed to be in charge of the security maintenance measures. In Taiwan, there is no single national data protection authority; the various ministries and the city and county governments serve as the competent authorities.56 In practice, real action to realize the new data protection law is undertaken at the level of compliance assurance for the private sector. Under Article 12 of the Enforcement Rules of PIPA,57 the Institute for Information Industry (III),58 a public interest foundation, is responsible for establishing a certification program (TPIPAS) and issuing a privacy seal to organizations that pass its privacy audits.59 This certification program is intended to raise the data protection practices of all companies in Taiwan to an international level of compliance through intensive international cooperation under the framework of the Cross-border Privacy Enforcement
55 The Executive Yuan is the executive and administrative branch of the Taiwan government, headed by the premier. The premier is directly appointed by the president.
http://www.ey.gov.tw/en/cp.aspx?n=95097CAF31185CC1 (Accessed on 2 May 2015).
56 Article 52 of PIPA states: “The competencies prescribed to the government authority in charge of the subject industry at the central government level, municipality directly under the central government, or county or city government may be appointed to the subordinate agencies, other agencies or charitable groups. The personnel of such agencies should fulfill the obligation of confidentiality for all the information obtained during the job-undertaking. The charitable groups prescribed in the preceding Paragraph should not be authorized by the Party in accordance with Paragraph 1 of Article 34 for litigation rights and should proceed to the action for damages in its own name.”
57 Taiwan Ministry of Justice, Enforcement Rules of the Personal Information Protection Act
(September, 2012), http://law.moj.gov.tw/Eng/LawClass/LawAll.aspx?PCode=I0050022 (Accessed on 2 May 2015).
58 Institute for Information Industry (III) was founded as a Non-Governmental Organization (NGO) in 1979 through the joint efforts of public and private sectors to support the development and
applications of the information industry as well as the information society in Taiwan, http://web.iii.org.tw/About/introduction (Accessed on 2 May 2015).
59 Taiwan Personal Information Protection & Administration System, http://www.tpipas.org.tw/index.aspx (Accessed on 2 May 2015).
are frequent meetings among APEC member countries discussing privacy protection issues and institution building for privacy in Asia. It is expected that an Asian trans-border personal data certification system will be built on top of each member country’s own privacy assurance program. In addition, PIPA was legislated on the basis of the OECD’s FIP Principles, so it is important to look at the relationships between PIPA and FIP (see Table 2.1), which maps PIPA Articles onto the FIP Principles.

OECD FIP Principles: Taiwan PIPA Articles
1. Collection Limitation Principle: Chapter I: General Provisions (Art. 5, Art. 6, Art. 8, Art. 9); Chapter II: Information Collection, Processing and Use by a Government Agency (Art. 15); Chapter III: Information Collection, Processing and Use by a Non-Government Agency (Art. 19)
2. Data Quality Principle: Chapter I: General Provisions (Art. 5, Art. 11)
3. Purpose Specification Principle: Chapter I: General Provisions (Art. 5, Art. 8, Art. 11.3)
4. Use Limitation Principle: Chapter I: General Provisions (Art. 5); Chapter II: Information Collection, Processing and Use by a Government Agency (Art. 16); Chapter III: Information Collection, Processing and Use by a Non-Government Agency (Art. 20)
5. Security Safeguards Principle: Chapter II: Information Collection, Processing and Use by a Government Agency (Art. 18); Chapter III: Information Collection, Processing and Use by a Non-Government Agency (Art. 27)
6. Openness Principle: Chapter I: General Provisions (Art. 8); Chapter II: Information Collection, Processing and Use by a Government Agency (Art. 17)
7. Individual Participation Principle: Chapter I: General Provisions (Art. 3, Art. 10, Art. 11, Art. 13, Art. 14)
8. Accountability Principle: Chapter IV: Damages and Class Litigation (Art. 28-40); Chapter V: Penalties (Art. 41-50)
Table 2.1: Taiwan PIPA Articles and OECD FIP Principles
60 Asia-Pacific Economic Cooperation, APEC Cross-border Privacy Enforcement Arrangement (CPEA), http://www.apec.org/Groups/Committee-on-Trade-and-Investment/Electronic-Commerce-Steering-Group/Cross-border-Privacy-Enforcement-Arrangement.aspx (Accessed on 2 May 2015).
61 Ting-Chi Liu, “The Definition of Personal Data, Data Protection Principles, and the Exemptions of the Personal Information Protection Law–Using CCTV as an Example (2)”, Taiwan Jurist No. 119, (September 2012, pp. 39-53).
Privacy ordering seems to characterize Asian response to the information privacy challenges of the 21st Century. The development should be well-received by the legal paradigm discussed in this thesis—PbD. PbD embeds proactive respect for privacy deeply and meaningfully across the organization, supporting achievement of a much higher privacy standard than FIP has generally provided to date.
While no PbD best practices have been proposed by the Taiwan government, Table 2.2 below shows the legal relationship between PbD, FIP and PIPA, which can be treated as a reference model for stakeholders in mobile app development, as well as for TPIPAS in its new certification program. According to the table, four PbD Principles are legally binding under PIPA, and stakeholders must comply with them when developing mobile apps: Privacy as the Default Setting, End-to-End Security – Full Lifecycle Protection, Visibility and Transparency – Keep it Open, and Respect for User Privacy – Keep it User-Centric.
PbD Principles: OECD FIP Principles (Taiwan PIPA Articles)
1. Proactive not Reactive; Preventative not Remedial: N/A (N/A)
2. Privacy as the Default Setting: Collection Limitation Principle (Art. 5, 6, 8, 9, 15, 19); Purpose Specification Principle (Art. 5, 8, 11.3); Use Limitation Principle (Art. 5, 16, 20)
3. Privacy Embedded into Design: N/A (N/A)
4. Full Functionality – Positive-Sum, not Zero-Sum: N/A (N/A)
5. End-to-End Security – Full Lifecycle Protection: Security Safeguards Principle (Art. 18, 27)
6. Visibility and Transparency – Keep it Open: Openness Principle (Art. 8, 17); Accountability Principle (Art. 28-50)
7. Respect for User Privacy – Keep it User-Centric: Individual Participation Principle (Art. 3, 10, 11, 13, 14); Data Quality Principle (Art. 5, 11)
Table 2.2: Taiwan PIPA Articles, OECD FIP Principles and PbD Principles
2.4 Summary
Examining the EU, US and Taiwan privacy regulations and PbD guidelines, it seems that the Taiwan government can emulate the EU GDPR, because PIPA was legislated on the basis of the EU privacy framework. The Taiwan government should also establish a new administrative agency responsible for PIPA, just as the UK has its Information Commissioner’s Office and Germany its Federal Commissioner for Data Protection and Freedom of Information.62 In addition, Taiwan can emulate Section 51 (General Duties of Commissioner) of the UK Data Protection Act 1998 to propose PbD best practices to mobile app stakeholders in Taiwan. Drawing on the PbD guidelines in the US, the Taiwan government, academics and industry can reference the proposed best practices for the mobile app industry to speed up conformance with the new legal paradigm of privacy protection.
The UK ICO and US FTC are more closely aligned with a set of “high-level principles and self-regulation” rather than the more “prescriptive proposals of the WP29, the German Commissioner or now the EU proposal”.63 For this reason, it would be advisable for Taiwan government officials to consider adopting the EU’s approach to privacy legislation, incorporating the PbD framework into PIPA and preparing PbD best practices for mobile app stakeholders in Taiwan.
62 Ting-Chi Liu, “Cloud Computing and Personal Data Protection – A Comparative Study between Taiwan’s Personal Data Protection Act and European Data Protection Directive”, Tunghai University Law Review, No. 43 (August 2014, pp. 53-106).
63 David Krebs, “Privacy by Design: Nice-to-have or a Necessary Principle of Data Protection Law?”, Journal for Intellectual Property, Information Technology and Electronic Commerce Law
(JIPITEC), Volume 4, Issue 1 (March 2013, pp. 2-20).
Chapter 3
Privacy Protection Framework — A New Paradigm
The design and implementation of privacy requirements in an Information and Communication Technology (ICT) system is a difficult problem and requires the translation of complex social, legal and ethical concerns into ICT system requirements.
The concept of Privacy by Design (PbD) has been proposed to serve as a guideline on how to address these concerns. PbD consists of a number of principles that can be applied from the beginning of systems development to mitigate privacy concerns and achieve data protection compliance. However, these principles remain vague and leave many open questions about their application when engineering ICT systems.64 This is also a challenging task for both lawyers and engineers, since they come from two different disciplines yet must achieve the same goal.
PbD designates a software design approach that incorporates privacy requirements from the beginning and throughout the entire software development process, instead of considering them as an afterthought. Achieving this requires intense interdisciplinary cooperation between legal science, computer science, government officials and operational practice (see Figure 3.1).65 For this reason, government officials, academic researchers and industry experts from different
64 Seda Gürses, Carmela Troncoso, and Claudia Diaz, Engineering Privacy by Design (January 2011), http://www.cosic.esat.kuleuven.be/publications/article-1542.pdf (Accessed on 15 December 2014).
65 Ira S. Rubinstein and Nathan Good, “Privacy by Design: A Counterfactual Analysis of Google and Facebook Privacy Incidents”, Berkeley Technology Law Journal Vol. 28 (December 2013, pp.
1333-1414)
disciplines have been collaborating for the past several years. In 2009, The Privacy Project66 provided funding for the initial research project at the first-ever Privacy by Design Research Lab at Arizona State University, which focuses on publishing academic journal articles based on PbD.67 In 2013, the PRIPARE Consortium, with its eleven partners from the privacy community, began research on a Privacy and Security by Design methodology for industry applications; this project was sponsored by the European Union’s Seventh Framework Program (EU FP7).68
Figure 3.1: Multidisciplinary Cooperation for Privacy by Design
As an increasing number of organizations have an urgent need for well-trained privacy engineers, many organizations are already reporting a shortage of
66 The Privacy Project (TPP) was established in 2008 as a result of the privatization of TRUSTe, the leading online privacy services provider. TPP is an independent non-profit corporation dedicated to investigating and recommending enhancements to current privacy policies, practices and
technologies through research, collaboration and education. http://theprivacyprojects.org/
(Accessed on 17 December 2014)
67 Privacy by Design Research Lab (PbD RL), Center for Advancing Business through Information Technology, W.P. Carey School of Business, Arizona State University,
https://researchmatters.asu.edu/stories/new-research-lab-focuses-data-privacy-1325 (Accessed on 17 December 2014)
68 Preparing Industry to Privacy by Design by supporting its Application in Research (PRIPARE):
This project has received funding from the European Union’s Seventh Framework Program (EU FP7) for research, technological development and demonstration under grant agreement number 610613. http://pripareproject.eu/research/ (Accessed on 20 December 2014).
people who are adequately trained to fill this crucial role.69 Thus, Carnegie Mellon University introduced a new academic program in Fall 2013, the Master of Science in Information Technology Privacy Engineering (MSIT-PE) degree. This first-of-its-kind program responds to the rapidly growing need for technical privacy expertise.
MSIT-PE courses cover legal and policy issues, the mathematical and technical foundations of privacy engineering, software engineering, usability assessment, and management, and are designed for close collaboration with industry and government.70
The Organization for the Advancement of Structured Information Standards (OASIS) Privacy by Design Documentation for Software Engineers Technical Committee (PbD-SE TC) is working on the specification of a methodology to help engineers model and document PbD requirements, “translate the principles to conformance requirements within software engineering tasks, and product artifacts as evidence of PbD-principle compliance”. PbD-SE TC is chaired by Dr. Ann Cavoukian and splits each PbD principle into sub-principles, and later into detailed conformance requirements. In June 2014, the OASIS PbD-SE TC published the first version of its documentation for software engineers, prepared jointly with privacy experts from academia, government and industry.71
Moreover, the Computing Community Consortium has recently invited regulators, academics and industry to build an interdisciplinary community of Privacy by Design through four workshops in 2015: (i) State of Research and Practice in
69 Lorrie Faith Cranor, Norman Sadeh, "A Shortage of Privacy Engineers", IEEE Security & Privacy, Vol.11, No. 2 (March 2013, pp. 77-79).
70 Carnegie Mellon University, Master of Science in Information Technology – Privacy Engineering (MSIT-PE), http://privacy.cs.cmu.edu/ (Accessed on 25 December 2014).
71 Ann Cavoukian, Fred Carter, Dawn Jutla, John Sabo, Frank Dawson, Jonathan Fox, Tom Finneran, and Sander Fieten, Privacy by Design Documentation for Software Engineers Version 1.0 (June 2014),http://docs.oasis-open.org/pbd-se/pbd-se/v1.0/pbd-se-v1.0.html (Accessed on 7 May 2015).
February at the University of California, Berkeley; (ii) Privacy Enabling Design in May at the Georgia Institute of Technology; (iii) Engineering Privacy in August at Carnegie Mellon University; (iv) Regulation as Catalyst, with schedule and location still to be determined.72
3.1 Incorporating Fair Information Practice into Privacy by Design
Fair Information Practice (FIP) is a set of internationally recognized principles for addressing the privacy of personal information. Information privacy is a subset of privacy. FIP principles are important because they provide the underlying policy for many national laws addressing privacy and data protection matters. The international policy convergence around FIP principles as core elements of information privacy has remained in place since the late 1970s. Privacy laws in the US, which are much less comprehensive in scope than laws in some other countries, often reflect some elements of FIP, but not as consistently as the laws of most other nations.
FIP first emerged in the 1970s with a report from the Department of Health, Education and Welfare (HEW) in the US. The Organization for Economic Cooperation and Development (OECD) revised the principles in a document that became internationally influential. FIP principles have evolved over time, with different formulations coming from different countries and different sources over the decades. A 2013 revision by the OECD retained the original statement of privacy principles. Elements in addition to FIP are increasingly recognized today as part of international privacy policies, standards and laws.
72 Computing Community Consortium, Visioning Activities – Privacy by Design Workshop, http://www.cra.org/ccc/visioning/visioning-activities/privacy-by-design (Accessed on 7 May 2015).
Governments around the world adopted data protection laws that reflected FIP principles, universal privacy principles for handling personal data. FIPs reflected three fundamental concepts of data management. First, “Purpose Specification and Use Limitation” required that the reasons for the collection, use and disclosure of personally identifiable information be identified at or before the time of collection. Personal information should not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as authorized by law. Second, “User Participation and Transparency” specified that individuals should be empowered to play a participatory role in the lifecycle of their own personal data and should be made aware of the practices associated with its use and disclosure. Third, “Strong Security” highlighted that the confidentiality, integrity and availability of personal data should be safeguarded, as appropriate to the sensitivity of the information.
In 1973, the HEW in the US issued the highly influential report entitled Records, Computers, and the Rights of Citizens: Report of the Secretary’s Advisory Committee on Automated Personal Data Systems (1973). Among many recommendations, the HEW Report proposed a Code of “Fair Information Practices”, which ended up being the foundation for the Privacy Act of 1974 as well as the OECD Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data (1980). The so-called Fair Information Practices recommended by the HEW Report consist of a number of basic information privacy principles that allocate rights and responsibilities in the collection and use of personal information: there must be no personal-data record-keeping systems whose very existence is secret. There must be a way for an individual to find out what information about him is in a record and how it is used. There must be a way for an individual to prevent information about him obtained for one purpose from being used or made available for other purposes without his consent. There must be a way for an individual to correct or amend a record of identifiable information about him. Any organization creating, maintaining, using, or disseminating records of identifiable personal data must ensure the reliability of the data for their intended use and must take reasonable precautions to prevent misuse of the data.73
FIP principles have grown over time with different formulations coming from different countries over the decades, including the EU Data Protection Directive (DPD), the Canadian Standards Association’s (CSA) Privacy Code, the Asia-Pacific Economic Cooperation (APEC) Privacy Framework, the US Safe Harbor Principles, the Global Privacy Standard (GPS)74 and the Taiwan Personal Information Protection Act (PIPA).75 In 2013, the OECD issued revised guidelines in a document titled “The OECD Privacy Framework”.76 It is noteworthy that the Expert Group that prepared the revisions did not amend the eight basic principles from the 1980 guidelines. The OECD version of FIP thus remained unchanged, and brief descriptions of these eight principles are important:
73 US Department of Health, Education, and Welfare, Secretary’s Advisory Committee on Automated Personal Data Systems, Records, Computers, and the Rights of Citizens (1973), http://www.justice.gov/opcl/docs/rec-com-rights.pdf (Accessed on 30 April 2015); see Solove and Schwartz, supra note 1, at 37-38.
74 Ann Cavoukian, Privacy by Design – Take The Challenge (January 2009),
http://www.privacybydesign.ca/index.php/paper/pbd-book/ (Accessed on 23 December 2014).
75 Taiwan Ministry of Justice, Personal Information Protection Act (May 2010),
http://law.moj.gov.tw/Eng/LawClass/LawAll.aspx?PCode=I0050021 (Accessed on March 13, 2015)
76 Organization for Economic Cooperation and Development (OECD), The OECD Privacy
Framework (2013), http://www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf (Accessed on 12 December 2014)
1. Collection Limitation Principle: There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
2. Data Quality Principle: Personal data should be relevant to the purposes for which they are to be used and, to the extent necessary for those purposes, should be accurate, complete, and kept up-to-date.
3. Purpose Specification Principle: The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
4. Use Limitation Principle: Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with the Purpose Specification Principle except: (a) with the consent of the data subject; or (b) by the authority of law.
5. Security Safeguards Principle: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.
6. Openness Principle: There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
7. Individual Participation Principle: Individuals should have the right: (a) to obtain from a data controller, or otherwise, confirmation of whether or not the data
controller has data relating to him; (b) to have communicated to him, data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him; (c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able