Accordingto Paragraph 1 of Article 2 of the Personal Data Protection Act which wasamended and promulgated on May 26, 2010, "personal data" refers to anatural person's name, date of birth, ID Card number, passport number,features, fingerprints, marital status, family information, educationbackground, occupation, medical records, healthcare data, genetic data, dataconcerning a person's sex life, records of physical examination, criminalrecords, contact information, financial conditions, data concerning a person'ssocial activities and any other information that may be used to directly orindirectly identify a natural person.

Thereason for this amendment is that social patterns arecomplex, and although some data may not explicitly name an individual, oncerevealed, they can still be used to identify a specific person, therebyinfringing on personal privacy. Therefore, the definition of personal data hasbeen expanded to include "any other information that may be used to directly or indirectly identifya natural person," in order to fully protectpersonality rights. According to this provision, any information that canidentify a specific person may be legally assessed as personal data.

However, according to the general public’sunderstanding, a natural person’s data such as name, date of birth, ID Card number,passport number, features, fingerprints, marital status, family information,education background, occupation, medical records, healthcare data, geneticdata, data concerning a person's sex life, records of physical examination,criminal records, contact information, and financial conditions are considered personal data because they are reasonably expectedto be private and are not to be disclosed to others. There is no question thatsuch data pertain to personal data. But the meaning of the phrases, "data concerning a person'ssocial activities” and “any other information that may be used to directly orindirectly identify a natural person," mentionedin the article are less clear. Such obscurity may cause individuals or businessadministrators to misjudge the scope of personal data protection, and oneshould pay special attention to this possibility of misjudgment.

Mobilephone numbers are personal data

For example, regarding whether mobile phonenumbers are considered personal data, some argue that mobile phone numbers are simplycombinations of numbers with no specific characteristics of identification.  Therefore, they are not personal data.However, people nowadays carry their mobile phones with them at all times, andwith the popularity of mobile payments and various commercial apps, mobilephones have become an integral part of people’s daily life. In addition topeople like the entertainer Barbie Hsu, whose long-time-no-contact ex-boyfriendwas able to contact her since her mobile phone number had not changed for 20years, the number portability services launched by the telecommunication companiesalso allow mobile phone numbers to be used by specific people for a long time. Asa result, mobile phone numbers have become highly linked to individuals due tolong-term usage and are provided with exclusive and unique ownership, which candirectly identify a specific person. Therefore, judicial practices recognizemobile phone numbers as personal data (Taiwan High Court Tainan Branch105-Shang-Yi-Zi No. 393 Criminal Judgment).

It should be noted that whether the"telecom operator" to which a mobile phone number belongs (such asChunghwa Telecom, Taiwan Mobile, Far EasTone, etc.) should also be consideredpersonal data? Judicial practice holds that since telecom operator informationare ancillary to phone numbers and can be compared, combined, and analyzed withother personal information such as names, national ID Card number to“indirectly identify” a person’s “social activities.” Also, they are “contactinformation” which is a type of personal data as provided in the Personal DataProtection Act (Taiwan Taipei District Court 103-Xiao-Shang-Zi No. 155 Civil Judgment).That is, through linkage with other information, “telecom operator information”can be used to deduce, by “indirect identification,” the services of a certaintelecom operator that a certain person uses, which is the certain person’s"social activities.” Thus, telecom operator information is personalinformation.

Objectiverecognition of personal data is becoming more prevalent

Thisopinion, which recognize the “indirect identification” of a certain person’s“social activities”  as personal data,seems to have adjusted from subjective recognition of personal data in the past(i.e., determining by the possibility that a data collector may identify a specificperson by linking all other information) Instead, it is gradually aligning withthe objective recognition of personal data adopted by EU’s GDPR (i.e., objectivelydetermining by the possibility that the data may be linked with other data toidentify a specific person). This is worth observing. Take a company’s internalextension table as an example. If the company does not disclose it to the public,when determining whether such information pertains to personal data, since theextension table may be linked with other personal data (such as names) toindirectly identify a specific person’s social activities under his/herposition in the company, it is highly likely that such data may be recognizedas personal data under objective recognition.

Lastly,even if the recognition of personal data in thePersonal Data Protection Act is determined by objective recognition, non-governmententities can still collect, process, and utilize personal data if they complywith the obligation to inform, the principle of intended use, and legalrequirements. Under Taiwan's Personal Data Protection Act, the clearest way toprevent illegal use of personal data is to use the data "with the consentof the parties." However, it should be noted that the consent for use exccedsthe specific purpose refers to an individual's separate expression of consentafter the collector has clearly informed the individual of the other purposesand scope of use, and their consent’s impact on their rights. And the consentof the use of the special personal data requires written forms. Therefore, inorder to prevent disputes, when a company collects, processes, and utilizespersonal data, it should have a professional draft the consent document, sothat it may fulfill the obligation to inform, obtain prior consent from the ownerof the personal data, and keep a record that can be examined in the future.

This article was published in the Expert’sCommentary Column of the Commercial Times. https://view.ctee.com.tw/tax/48700.html