Title

科技智慧防疫與個人資料保護:陌生但關鍵的資料保護影響評估程序

Parallel Title

Smart Technologies for COVID-19 Contact Tracing and Personal Data Protection: An Unfamiliar but Critical Data Protection Impact Assessment Process

DOI

10.6199/NTULJ.202106_50(2).0001

Author

張陳弘(Chen-Hung Chang)

Keywords

Data Protection Impact Assessment (DPIA) ; Taiwan Social Distancing APP ; Personal Data Protection Act ; EU General Data Protection Regulation (GDPR) ; Information Privacy ; contact tracing tools

Journal

臺大法學論叢

Volume and Issue / Publication Date

Vol. 50, No. 2 (2021 / 06 / 01)

Pages

337 - 400

Language of Content

Traditional Chinese

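Chinese Abstract (translated)

As a technological tool against COVID-19, the Social Distancing App succeeds only if more than half of the population downloads and uses it. How to earn people's trust in the App's personal data protection practices, so that they choose to download and use it, is therefore a task the data controller cannot avoid. This article argues that the Data Protection Impact Assessment (DPIA) process under Article 35 of the EU General Data Protection Regulation (GDPR) is an effective way for the App to build trust in its personal data protection. Beyond confirming that the data controller has met its compliance obligations, providing a way to check whether subsequent data collection and use proceed as planned, and giving the supervisory authority a basis for oversight, the DPIA process also builds up the data controller's capacity to improve personal data protection, ultimately strengthening protection of data subjects' rights and freedoms. Although Taiwan's current Personal Data Protection Act does not expressly provide for DPIA, the Taiwanese government should take this opportunity to introduce it and set a model in which innovative technology development and personal data protection both win. Even in the EU, DPIA remains an unfamiliar personal data protection process, let alone in Taiwan. The author hopes that this article will familiarize domestic readers with the role the DPIA process plays in personal data protection, and that it will serve as a reference for introducing this process when the Personal Data Protection Act is amended in the future.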

English Abstract

A Taiwanese government agency charged with technology development has announced that it has successfully developed a new mobile software application named "social distance app" as a tool to prevent COVID-19 infection. For the App to be fully functional, it requires that at least 60% of persons living in Taiwan download and use the App. Given the high proportion of the population required to use the App and the privacy concerns arising out of the contact tracing function, it is therefore an unavoidable task to provide a sufficient level of comfort to users to ease their data protection concerns about using the App. This article has identified a feasible approach: Data Protection Impact Assessment (DPIA), a process for the developer to identify and to mitigate the data protection risks before launching the App. The DPIA process provides the data protection officer with a mechanism for ensuring that the agreed actions are delivered within agreed timescales. Although Taiwan's data protection law has not made it mandatory for a DPIA to be put in place before the App is launched, it is advisable that the App developer take the initiative to implement the DPIA to set a model in which users can enjoy the benefits of technological innovation while their rights and freedoms are well protected. In the EU, DPIA has been introduced into the General Data Protection Regulation (GDPR), but it is still a new and unfamiliar process to most people, not to mention that DPIA has not been included in Taiwan's personal data protection laws. This article provides insights into the role of DPIA and examines why DPIA can serve as an effective tool for enhancing users' trust in using the App; furthermore, the article provides suggestions on introducing a DPIA mechanism into Taiwan's personal data protection laws for legislators to consider in a regulatory reform in the near future.

Subject Classification: Social Sciences > Law