-
I’ll be recording this. Is this OK with you?
-
For sure. I’m recording too. [laughs]
-
OK. We do have a data protection law here. It was largely outlined after the previous EU data privacy law. It is inherently pretty compatible with the new directive improved by the Article 29 Working Party.
-
There’s a few issues in the new privacy law for us. The old contested issue, when we had that debate, was on health and other sensitive information. There was a section in the privacy law that required a much more strict measurement of the data protection endeavors. Criteria for this data was not enacted two years ago, but it is now. (Note: It was enacted on 2016-03-15.) We are conformant with the GDPR and the new directives on this point.
-
The other contested point is the so-called uninformed use outside its original collective purpose.
-
Repurposing for big data.
-
That’s exactly right. The law is pretty clear. You can only use it for academic research purposes. In a lot of EU countries, the enactment of this is similar to that in Taiwan, saying that it must be used for the public good and for research.
-
Alternatively, it must be for the public good, but it may also be used in a statistical way, not the raw data.
-
Mm-hmm.
-
The law protects a few uses. Some are pretty common, such as I mentioned for research, in many EU countries, there’s a special clause for historians to protect the archival or the interpretation of history.
-
There’s no such clause in the Taiwan counterpart. Instead, we have crime prevention in the same position. This says something about the values that the legislators care about.
-
Beyond that, what exactly is this "statistical use" when compared to raw personal data? There was a CNS standard, the one you just mentioned, CNS 29100, that says after a certain de-identification process, then we can use the results because it has minimal privacy impact for statistical use, instead of raw data.
-
That applies to data that is being processed for commercial use, if you anonymize it?
-
If it is just statistics, then the privacy law doesn’t govern it. Right?
-
Yeah.
-
Of course, statistics can be sold and commercially used just like any other open data. The thing is that the court has ruled that the unit collecting the data, the personal data, must be the same one that processes this data. It can’t turn it over to some other company and say, "Hey, anonymize this for me."
-
The collector must also be the processor?
-
That’s exactly right. After processing, if it is not personal data anymore, then it’s free to just hand it over to the open data platform or some other agency.
-
In practice, it is actually very difficult. So far, the only case in Taiwan that has completed this CNS 29100 process is one that outlines the personal income in all the different areas, so that you can know how income changes, year after year, in the average residence. It’s obviously a valuable, statistically speaking, data set.
-
To protect privacy sufficiently, they used k-anonymity, which is a crude way to anonymize this data. It says that one must not be distinguished from a group of, say, 25 people or so.
-
If I am alone in a basic statistical area, the size of a county or a township, and I’m the only one earning above a certain amount of money, then my data is going to be removed from the data set.
-
Because you stand out, and it’s obvious who you are. You could be identified, so it must be removed. Is that the idea?
-
Right, exactly. Then the outcome, when you calculate the average, the mean, whatever linear regression you want to run with it, it’s just not very useful. It is privacy-protecting though. That’s the only case so far that we’ve done as to using this standard.
-
It remains controversial, because according to our current privacy law, for every collecting agency, its governing ministry is the data protection agency.
-
There is no notion of a cross-sectoral data protection agency, such as in many EU countries. Actually, with the new directive, it’s now required.
-
Here because there is no single DPA, every ministry is its own DPA.
-
That sounds potentially problematic, maybe. [laughs]
-
In the case of the taxation or the income graph, it’s not that problematic, because all the collection is done by the Ministry of Finance. There is no cross-ministerial project of any kind going on here.
-
Of course, their data center has sufficient information technology prowess to handle this process. For that particular case, it actually worked.
-
But as you correctly inferred, if the data collection involves more than one ministry, and one thinks that it’s private data and the other one does not, then we have a problem, because there is no upper level DPA that judges between those ministries.
-
In fact, this means that all the private data processing occurs as if it’s an EU, with each ministry as a member state.
-
That’s a good analogy. Understood.
-
If I may, I want to extend how these laws are potentially applicable to the collection of data through smart cities here. I think that the first question is, in Taiwan, is there a concept of a smart city as an entity, in which the owner of data collected through the projects would be the government?
-
Or, are they individual projects or initiatives that are public/private partnerships, in which data collected from that initiative might be owned, either by part of the government, or the private company that installed the project?
-
There is, for example, the eTag project, which along the highway here has fee-collecting, remote sensing machines, where you put a sticker on your car. It automatically calculates the highway fares for you so you don’t have to stop your car to pay for the eTag.
-
That was built with a private sector company, but authorized, of course, by the Ministry of Transport and Communications, being its own DPA in this regard. They did actually anonymize the eTag trail, for example, within a certain hour, between this segment and that segment, how many cars have passed through it, and published it as open data.
-
I think that fits exactly what you talked about. It’s implemented by a central, national ministry, supported by the local regional or city governments’ department of transportation, built by a private company, which has the same liability and contractual obligations. Then it provides this data to its governing ministry, which then processes and publishes it as open data.
-
I think it fits your description.
-
Sure. That’s one example, and that I like. Is that structure always the case, when it comes to smart cities initiatives in Taiwan or are there variants in which the data might not be published openly, and could be sold commercially?
-
For example, for the payment cards, there’s, of course, a lot of it that was structured like the initiative that was proposed by the private sector. Then, as its data collection terms, it’s always opt-in, and it always asks for the citizen’s consent, so the citizen signs up knowing whether the usage data will be sold commercially.
-
The local government may also just provide a field for an experiment to run. In a more recent case, the Taipei city mayor just allocated one particular fast lane for a certain autonomous car.
-
The bus.
-
Yes, the small bus to drive between 1:00 AM and 4:00 AM. These kinds of partnerships are also common, where the private sector has an idea, and then a regional government says, "OK, here’s a zone in it where you can make experiments in."
-
This all sounds very good. The reason I’m asking you is I have no real idea about where Taiwan sits, vis-à-vis other countries in the region or the EU. This is pretty useful.
-
When you look at Taiwan and compare potentially with Korea, I was at the IDEAS show, where you made a video introduction. There was a representative from South Korea’s data protection agency there. I’ve heard that Korea is quite advanced and quite stringent when it comes to data protection, because of its history.
-
I’ve heard Hong Kong’s laws were drafted by a British lawyer and are quite strict on privacy. I don’t know about enforcement. How do you think Taiwan sits? I learned about something else that at the show there, the CBPR with APEC, which is the same data protection across economies.
-
We did do a thorough check of our current privacy law when compared with the new 2018 EU GDPR. After we enacted the sensitive data protection clause, the main thing that’s left is our different interpretation of data protection agencies, with each ministry being its own DPA, which is frankly quite strange when compared with other countries.
-
Otherwise, I would say also that initially there were cases where ministries interpreted the data protection laws kind of differently, because they have different information technology capabilities.
-
However, after a ruling by the supreme administration court just this year, on January 25th, the number 54 judgment of the highest administration court, it established exactly what the court thinks means by collection, by processing, by using, and how intra-agency data exchange is viewed, how to balance public good and the anonymity or privacy rights.
-
It’s a pretty comprehensive judgment. After this judgment this January, every ministry now is more or less on the same baseline when it comes to interpreting the law.
-
I would say that on average, most of them tilted toward the Privacy by Design side, because the court really emphasized the importance of data minimization, privacy by design, and anonymization, which are all, of course, part of our law already, but every ministry might have interpreted it differently.
-
The court really took the effort to explain it in layperson’s words. I think that that is a great translation between algorithmic and the legalese languages, and I commend them for that.
-
It makes our job much easier going forward, and we are now, I would say, as strict or even more strict compared to our regional counterparts.
-
Is there a provision for algorithmic transparency and making algorithms work clear for the public potentially, or as clear as possible in that law?
-
Sorry, what was that about algorithmic transparency?
-
You were mentioning the interpretation of the Supreme Court. Does that include provisions on algorithmic transparency? That’s been left out, as far as I understand it, so far. I was speaking to an academic in the UK who said she was disappointed with how far the GDPR had gone in terms of things like algorithmic transparency.
-
Right, I see what you are asking now. Unfortunately, we didn’t, at that time, endorse the national standard of the OAS (Open API Specification) as the common API standard. That happened just this month.
-
At the time, there was no national standard basis on data exchange and on publishing the data descriptions in machine-readable format, which is a fundamental issue that we needed to solve before we can update the procurement to require this of vendors, on which they can then prepare and publish descriptions of their API algorithms.
-
At the time the ruling was made in January, the Open API spec was not part of the National Development Council’s standard, so the court couldn’t anticipate a future and refer to that. So we’re still working on it.
-
For sure. To follow up on the question about working on it, when these laws are going to be reviewed, presumably they would be reviewed through the digital democracy platforms that exist, like vTaiwan.
-
That’s exactly right. It will happen right there on vTaiwan. We have a Digital Nation working group, comprised of many ministries. One subdivision, co-chaired by the head of the National Development Council and yours truly, is now working weekly to make sure that we will first review the data protection agency law proposal.
-
I commissioned a research on whether it is actually allowed for our ministerial DPAs to participate in the APEC Cross Border Privacy Framework. [laughs] It’s like every ministry is a member, but does that actually work?
-
If it doesn’t, we can perhaps consider the French model, where they have the justice system, the legislation system, the administration, as well as other sectors all join in a multi-stakeholder way to form a DPA.
-
This, I think, is a pretty good method because just the ministries alone wouldn’t convince the legislators, and we have a separate agency for oversight, called the Corrective Yuan, which is a constitutional body. I think this redesign needs to happen in a way that involves all the stakeholders. Fortunately, we already have the vTaiwan platform to do this.
-
After our DPA deliberation, we will then have an open data law deliberation, where we try to review our freedom of information laws, and also the laws on obtaining data, and the Charges and Fees law, and review those to see if we can make sure that "open data by default" needs to be not just regulation but a law. Or, if it doesn’t require a law, at least we can make sure those regulations are consistent with each other. That’s going to be our next step.
-
Then maybe we will move on to algorithmic transparency, or, as some stakeholders have argued, data localization -- or the rejection of data localization -- needs to be deliberated.
-
Understood. Do you have any idea about a timeline for those?
-
Our initial review with the Premier is going to happen soon, on August 17th. Then, the schedules will be published on vTaiwan.
-
I expect we’ll start in September, at the latest October. Just this week, we have announced a sandbox policy sketch for uncrewed vehicles, including boats, cars, drones, and hybrids.
-
It doesn’t distinguish between cars, airplanes and so on, because there may be a lot of hybrids in the future, and the outline is already on vTaiwan.
-
vTaiwan is now also discussing sharing economy and non-consensual pornography. There’s a lot of interesting things going on.
-
Just a general question, I also saw a request from D21, requesting guidance as part of the EU’s digital single market review. They said, "Our specific task is to identify the most important emerging trends concerning the impact of digital technology on democracy, sexual inequality, and make policy recommendations," and they asked for input.
-
That speaks to a larger question. I look at what you’re doing and what the government is doing, and I see a working model that other governments apparently are already seeking to emulate or to learn from. It’s a bit of a weird question, but how do you feel about that? [laughs] Is it welcomed? Obviously, it’s going to be welcomed, but what are your thoughts on that?
-
We learned a lot from our international counterparts, as well. Our current vTaiwan system was directly influenced, I would say bug-for-bug compatible at the beginning [laughs], with the Cornell University’s RegulationRoom project. We improved upon their work, and we also incorporated the Focused Conversation Method from the Canadian ICA.
-
Then we added to our interface a lot of things we learned from our Icelandic Pirate friends, the City of Madrid friends, and also our counterparts in Paris. I would say we’re able to get where we are by taking the best practices.
-
I think we’re fortunate enough in a place where the civil society’s demand of transparency exceeds elsewhere in the world. This means that we get to deploy technologies even when it’s expensive.
-
Why do you think that is? What is it about Taiwanese society that has enabled that position?
-
A few things. People younger than me don’t remember the martial law, but people older than me, they fought very hard to have freedom of speech.
-
We’re the first generation literally to speak freely. In France or in other places, there are hundreds of years of political wisdom to learn from, on how to work in a representative democracy. But in Taiwan, there was no representative democracy.
-
When the presidential election was first implemented, it came at more or less the same time as the World Wide Web, as all the other tools that enable peer-to-peer democracy, in addition to representative democracy.
-
It’s not like 200 years of republics, and then 20 years of World Wide Web. It’s 20 years of World Wide Web and 20 years of representative democracy. [laughs]
-
I think people started demanding a lot, because the World Wide Web just worked this way. However, we’re not quite Estonia, where the constitution was written after the Internet, but I think it’s comparable this way.
-
There was a question in there that I’m sure that you’ve answered hundreds of times, but I will ask anyway, because it will help frame the article that I’m going to be writing about this. It’s the question about the instances of the digital democracy platforms that you think are most successful or potentially most demonstrative of how this should work or how that system should work.
-
The initial vTaiwan, the very first vTaiwan case where we worked on the closely-held-company law, the whole process was designed for that case. I think it’s very fortunate that we have this as our first case.
-
First, the company law is a very important law, and the stakeholders are many. When we did this, we did do it mostly for small and medium enterprises and for start-ups. The start-ups who set up their registration in the Cayman Islands don’t really have an association.
-
You mean that start-ups that have registered overseas, there’s no entity which binds them together?
-
There’s no one person who can say, "OK, if you convince me, then you also convince all our members."
-
It’s interesting. I interviewed a start-up founder on Friday who wrote on the back of a notepad why he is going to establish in the Cayman Islands, because of the lack of flexibility of the stock-holding and stock issuance options in Taiwan.
-
That’s exactly right. They need to learn about the closely-held-company law, because we learned from the Cayman Islands entrepreneurs when making that law. It’s actually a hit, because it did take in a lot of stakeholder interests, like the anti-dilution, the special voting rights, and all the other things.
-
The point here is that there is no association for "start-ups who set up their office in the Cayman Islands". We can’t do it the usual, representational way, because there are no representatives. Our next case being the teleworking directive, again there is no labor union of teleworkers.
-
Sorry. I have just one final question. Where are the deliberations on the company law at the moment, in terms of passage through the legislative Yuan?
-
You mean the current generation of company law?
-
Yeah.
-
There are two parts of it that are in vTaiwan, the social enterprise part and the company with the English-names part. The other parts are not handled in vTaiwan; their stakeholders are not primarily Internet users. It is done in the other platform, the Join platform. I’ll paste you a link to the Join platform which outlines what actually happened.
-
Thanks.
-
Because vTaiwan was, and still is, something that we hoped to reach people who are Internet users, in order to not skew stakeholders too much. We arrived on that when we did the teleworkers’ case because the teleworkers don’t have a labor union, and there shouldn’t be. A teleworking programmer, teleworking writer, and a teleworking designer don’t really work in the same fashion.
-
Again, we can’t ask the head of a labor union to come. It’s not representative that way. I think the first few cases are very fortunate. They clearly addressed the cases where representation is lacking, and the results that we made are genuinely useful for the stakeholders involved.
-
The legislators, at that time, were blocking each other, filibustering, as they are prone to do around that time of discussing constitutional amendments. They had to let this closely-held-company law pass through, though, because it’s obvious the stakeholders wanted and many of the aides in each party have already witnessed or even participated in its formation. There’s no reason to block it, so it was fast-tracked.
-
I think it signaled goodwill between the legislation and the administration for a process like this. Internationally speaking, when we do things like participatory budgets or other democratic innovations, the first resistance always comes from the elected representatives in the city council or in the legislative bodies.
-
They may see it as something that takes away their budget-allocating power or decision-making power. However, because we structured it in a way that says, "No, it is just collecting consensus, we still respect the legislation," and the legislators are free to join and help us set a due process, I think it created a goodwill that still carries on to this day.
-
How does that dynamic work, having sourced views and built consensus, when it does come to drafting legislation? How does the process work, just generally? You invite people in to submit their views on vTaiwan?
-
vTaiwan is many, many steps. There’s an article about the process called "vTaiwan: Public Participation Methods on the Cyberpunk Frontier of Democracy." I don’t know whether you’ve seen that, but I’ll just paste you a link. It explained the process pretty well, but I’ll quickly summarize.
-
First, we have three different admin groups, for lack of a better term. We have the civil society facilitators and civic hackers. Then we have the Information Industry Institute, which serves as translator between legalese and layperson’s speech.
-
Then we have each ministry which offers the topics that they would like to consult about, and we have the previously cyberspace minister, now digital minister, who provides the binding power that binds those three groups together. Every agenda can be proposed by any of those three groups, but it needs to be consented by the other two groups. Otherwise, it doesn’t get there.
-
When we first come with a topic, we then survey the stakeholder groups, people who have published anything on this topic and/or people who have expressed an interest in any way, including legislators, and invite them to a series of pre-meetings to determine if and when they think is a good time to talk about whether this process is a good process.
-
What kind of title should we call it? We spend two months on the proper title for the UberX case to make it neutral enough and specific enough so none of the stakeholders will boycott the process. Just the frame-setting is very involved.
-
All this, of course, happening in the open, outside of the administration office, on weekly small hackathons and meet-ups. Once we have a title that we all agree on and a time frame that we agree on, then the governing ministry or the proposer makes a slide explaining what this is all about. We collaboratively edit it and make sure that all the stakeholders agree on their portrayal in this light.
-
Then we publish it to reach as many people as possible, often with rolling surveys or questionnaires, to make sure that it reaches as far as possible in audience. Then we hold a face-to-face meeting, livestreamed, and we invite everyone who contributed constructively during the align part to this face-to-face meeting.
-
If they can’t make it to the face-to-face meeting, they can also include through livestream and type in their efforts. Of course, everything is transcribed in real time and so on. A facilitator then determines the agenda, which is always crowd-sourced.
-
Basically, the idea is that we provide a binding power to tools like pol.is, by saying our face-to-face multi-stakeholder meeting will have its agenda entirely determined by the consensus on pol.is, which means that we don’t talk about anything that’s not on pol.is. It makes people want to contribute, because it determines the agenda.
-
Then the pol.is system automatically calculates the majority opinion. What are the divisive parts? What are the most controversial? What are the most unclear parts of this open-ended survey? Anybody can write in anything for other people to vote on.
-
Then we make another presentation to explain this and ask what the participants feel about these shared, common feelings. The participants react with their own feelings, and then also try to come up with interpretations or ideas that try to address their feelings. Previously, in brainstorming sessions, there are no ways to say this idea is more worth exploring than some other idea. It was entirely subjective.
-
Now we simply say there is a consensus of feelings, and the ideas that are worth exploring are the ideas that take care of those feelings. I think that’s the other part. After the factual part of the initial setting and the reflective part, which is the online collection of feelings, then we move on to the ideation or interpretive part, where people come up with the ideas.
-
Then, after we have those ideas, then we make it to the decisional stage, where the ministry must engage in an online, real-time, or at most seven days after every question the public asks, a conversation or dialogue, and explain their own ratification, translation of this into the beliefs. The civil society’s free to propose their alternative version, as well.
-
Finally, the Minister or the Premier signs one of those versions into accepted version and sends it to the legislation. Or, if it’s a regulation, then it just takes effect.
-
In terms of legislation, what’s the track record in terms of it being passed? Has every proposal that’s been sent for legislation been passed?
-
Yeah, I think so. There’s one that was withdrawn by the administration itself, the one on online alcohol sales. Everything else, the Cybersecurity Act is still being reviewed. Closely-held-companies, of course, passed. The e-Taxation Act is passed.
-
The cyber-bullying is interesting, because the multi-stakeholder consensus is that we don’t need a law for that. The Financial Experimentation Technology Act is now awaiting review. We expect it to be passed within a couple months.
-
So the legislation never rejected anything from vTaiwan. Some of them are still in progress. Some of them already passed. The UberX one is, of course, passed, as well. Online alcohol sales is the only exception, because the administration withdrew it itself.
-
Laws and regulations, in total, how many of each have been passed?
-
The laws are, first, closely-held-corporation. Then e-Tax, that’s the second. UberX, that’s the third. The FinTech Act, that’s the fourth. Cybersecurity, the fifth. The new company law, if you count that, that’s the sixth. Six laws in total, and it doesn’t count the drones act, because that’s still in the vTaiwan process.
-
The regulations are teleworking, telemedicine, consumer protection of online shopping, distance education, the open data directive. What else? Personal data protection. I think there’s six or seven regulations, as well, so about six each.
-
That’s amazing. [laughs] Just to get a bit more context, when you were talking about the deliberations, how many people roughly? Just to get an idea about the scope of stakeholders’ voices...
-
It really depends. On highly controversial ones, like UberX, there’s thousands. On relatively obscure ones, such as the very technical data de-identification thing, [laughs] there’s really not much.
-
I think the average is, at most, in the hundreds.
-
The online livestream and the transcript have a lot more views than people who have joined in one way or the other. A lot of people want to learn about it, but for things that are highly technical, not many people feel entitled to speak about it. But for UberX, everybody has an opinion.
-
That was going to be another question. When’s the next online livestream, potentially? Is there an easy way that I can just be notified?
-
Look it up? Yeah, of course. If you participated, you’ll be notified. [laughs]
-
Otherwise, I’ll just remember to include you in our next notification. You can also come to our hackathon.
-
In any case, the next one is August the 17th, at 6:00 PM, and you can subscribe, I think, on https://livehouse.in/channel/vtaiwan for our notification.
-
There’s also a Facebook page, which may be easier at this moment, at https://www.facebook.com/vtaiwan.tw/.
-
There is also an event website, www.vTaiwan.org.tw, which lists all the important dates that are going on.
-
A final question, because I’m sure you’ve got a lot to do. You mentioned that not that many people would be commenting on the open data or the privacy aspects. How important are the privacy discussions that are on-going at the moment to civil society, generally? What’s your understanding or your feeling about how aware people are of the importance of protecting their privacy?
-
That’s one of the reasons why we did this non-consensual pornography discussion. There’s, of course, privacy. There’s data protection. There’s secret-keeping. There’s the constitutional right of secure communication. All these are different concepts academically, but if you’re concerned about one, chances are that you can be convinced to be concerned on something that is related but actually not the same.
-
Non-consensual porn is one of the more visceral parts of this discussion. First, it happens a lot, and also because, at the moment, the Taiwan criminal law system only punishes footage that was taken without consent. If it was consensual when it was taken, but then the people break up, then there is no criminal law that regulates the dissemination of those pictures.
-
I think that’s one of the ways we engage the civil society, by actually having cases that happen in day-to-day lives. Otherwise, we’ll have to resort to metaphors, which are leaky. I mean that it doesn’t abstract really well.
-
For example, consider the metaphor of chemical pollution for data protection. If you don’t anonymize or de-identify the data sufficiently, then it leaks something about you. While the pollution isn’t that much -- it’s not really toxic, because it can’t really be directly identified to you -- if you combine it with some other data set, then, at some point it reaches pollution levels, and then you get sick.
-
That’s a stretch. [laughs] If you have better metaphors, tell me. For mathematical things like that, I can’t really do better than this, which is why we always try to interest people with things that actually concern them.
-
There’s also a deliberation, although not vTaiwan, going on for the eID system, where we currently have a PKI card, and then we have a national ID card. The national ID card doesn’t have a chip. The eID card doesn’t have a photo on it.
-
There’s a proposal from the Ministry of Interior, because both are organized by the ministry, they want to merge those cards together. The thing is, the PKI card is not compulsory, while the paper card is compulsory. So they’re like, "OK, let’s merge it, and then you can opt-in to activate the chip. If you don’t activate the chip, the chip is still there, but it doesn’t do anything. It’s as good as a paper card." Isn’t that great? [laughs]
-
Of course, it’s going to change the dynamics a lot, because perhaps people would feel uncool if they don’t activate the PKI chip. If they do activate a chip, perhaps at the beginning, there will be questions on if I authenticate myself this way, with the chip, versus with paper-based photo identification, does it leave a permanent record? Is there an Estonian-like system, where I get to view all the audit trail of all my data being used with this card?
-
There’s a lot of questions, but because it relates to people’s day-to-day use of their medical insurance card and their national ID card, the deliberation is made possible because it relates to their current day-to-day experience.
-
If we start by explaining the Digital Signature Act or PKI, then it’s a lost cause.
-
Thank you very much. This has been super fascinating. I hope maybe some time in the future we could do this again.
-
Of course, yeah.
-
The way I work is, I’m not quite sure what I’m going to do with the interview yet. It might run as a stand-alone or I might want to re-pitch this towards the UK. Whatever I do, I’ll notify you about what’s happening.
-
Right, sure. You did an audio recording only?
-
Yeah.
-
Because I didn’t get a video to work, either. Anyway, [laughs] all right. Thank you so much. Have a good local time.
-
Yes, thank you, and good luck with continuing what you’re doing.
-
Cheers.