NPA collection of data unlawful

By Liu Ching-yi 劉靜怡( professor in the College of Social Sciences at National Taiwan University, Board Member of Taiwan Association for Human Rigths)
Translated by Paul Cooper

8th June 2014 Taipei Times

The Council of Grand Justices’ Constitutional Interpretation No. 603 puts it clearly: “Where it is necessary for the state to ... set up databases ... for the purposes of any particular major public interest, it shall not only prescribe by law the purposes of such collection, which shall be necessary and relevant to the achievement of the purposes of such major public interest, but also prohibit by law any use other than the statutory purposes ... in a manner that is sufficient to ensure the accuracy and safety of the information ... and take any and all necessary protective measures both organizationally and procedurally ... to protect the people’s right of information privacy.”

However, police have recently been misusing the Cloud Computing Applications and Industry Development Program, and have been using mobile devices to download household registration data to run comparison checks on personal information, including examining ID photos with face recognition programs.
Above and beyond concerns about whether this constitutes an abuse of power in the collection of information, there is absolutely no basis in law for authorities to manage and use personal data this way; indeed, it is in violation of the requirements of the constitutional interpretation cited above. This illegal and unconstitutional political sleight of hand not only tramples over data autonomy and personal dignity, it also runs counter to the fundamental requirement in a country run according to the rule of law that the government be self-regulating. Misuse of power leads to a return to authoritarian rule.

The National Police Agency (NPA) has tried to hush up the issue by invoking the Police Power Exercise Act (警察職權行使法). Although this act does authorize the police to use technology to amass information on participants during marches or public events, the activities must still conform with legal procedure. Using the information obtained in this way to analyze personal information can be considered an invasion of personal rights and rights to data privacy. As this goes against the principle of Vorbehalt des Gesetzes — statutory reservation — how can such a policy be justified? The Household Registration Act (戶籍法) authorizes the creation of an ID photo databank for the purpose of household registration only, so this cannot be used as a justification for the police’s policy.
The purpose of legislating the Personal Information Protection Act (個人資料保護法) was to protect, through procedural stipulations, people’s data privacy and data autonomy.

In essence, it is a personal data protection procedure law and absolutely cannot be transformed into a justification for the public authorities to have access to citizens’ personal information when they need it for “any use other than the statutory purposes.”
If the police want to justify this kind of action, they will have to look elsewhere. If this point is lost on even a major judicial body such as the NPA, how can its professed intention to set up internal controls be effective?
Following the stabbings on Taipei’s MRT metropolitan railway system, the NPA ordered more spot checks on what it calls high-risk groups — homeless people, people with mental disorders and “antisocial types,” and to establish a database to store the information it obtained.

In addition to there being, again, no clear legal authorization for this, it is highly debatable whether the aforementioned groups should be included, far and beyond any abstract objections, or whether this would constitute the illegal use of personal data.

Data security expert Simson Garfinkel cautioned about this issue more than a decade ago, saying that this type of intrusion was uncivilized and should not be tolerated in a constitutional democracy, as it leads to prejudice. Behind this intimidatory manipulation of personal data is the implicit threat that the authorities can secretly use and control your personal information as and when they see fit at any point in the future, which again smacks of authoritarianism.

Renowned US investigative journalist Edwin Black has written extensively about the historical lessons that should be drawn from the way the Nazi regime used information technologies available to them at the time to locate Jews and send them to concentration camps, and how the East German Stasi, under its guiding principle of Wir sind Uberall — we are everywhere — was so successful in its stated endeavor. At one point the East German government had secret files on 6 million of its people, a full one-third of the country’s population at the time, allowing the Stasi to amass vast — and completely unsupervised — records on its populace.

More recent examples include the administration of former US president George W. Bush, which Harvard law professor Jack Goldsmith termed the “terror presidency” for abusing executive branch powers to set up a range of databanks in the name of “the fight against terrorism” to control intelligence in the US and abroad. These records have only grown in scale since US President Barack Obama came into office.
In his book No Place to Hide: Edward Snowden, the NSA, and the US Surveillance State, US journalist Glenn Greenwald offers a more detailed insight on the issue, in the light of the Snowden affair. Is it possible that we can learn nothing from these international examples, all of which have occurred in living memory? Is the information state not something we should feel wary of?