巨量資料應用在台灣個資法架構下的法律風險

112

a pertinent factor that stands in the way of progress on big data analysis.

This paper, by carefully examining relevant articles of Personal Information Protection

Act 2010 in Taiwan, and the legal challenges faced by the collection, processing and

utilization of personal big data, followed by the introduction and implementation of these

articles; notes that the following number of potential practical problems might beset big data

applications within the context of current Personal Information Protection Act 2010: (1) In

terms of information disclosure, data collection and processing would not meet the

requirement of Article 8 and Article 9 of PIPA; (2) Data controllers are very likely to breach

the duty stipulated by Article 11 of PIPA, which is, deleting and discontinuing to process or

use when the specific purpose no longer exists or contract period expires; (3) Some data

collectors might fail to satisfy the specific purpose requirement set by Article 19 of PIPA; (4)

Data controllers might violate Article 20 of PIPA at the first marketing action; (5) They also

might not to meet Article 54 of PIPA which requires a notification to be given at the time

where such personal information is first used.

To further illustrate the point, a variety of big data application examples are exploited,

mapped and analyzed in this paper. Interestingly, most of these examples in this paper draw

on the American experience, a country where personal information protection rules are

applied less stringently and thus encourages, rather than inhibit, big data analysis. Another

message conveyed by this analysis relate to industry type. Stated specifically, big data

analysis has very broad application to a diverse range of information processing

circumstances. Besides, financial and insurance sectors have also echoed this trend, leading

to rapid proliferation of big data applications as compared to other industries.

Among half of the examples, personal information have come to rest in the hands of

data processors, heightening the importance of having particular personal information

protection framework in place for dealing with big data applications. Moreover, the legal

appropriateness of big data collection, processing and utilization behind these examples has

also been placed under the spotlight and the result points out a disturbingly high propensity

of data breach, given the absence of ex ante approval of information owners and the lack of

ex ante notification of data collectors in most examples. On the other hand, the rise of big

data analysis inside domestic institutions also merits attention. As the specific case study

stands, the requirements set by the Personal Information Protection Act 2010 have actually

been poorly attended to, sometimes even left out of account in practice. The foregoing

sample analysis and case study might have some inherent limitations; the relative small

sample scale, for instance, could impair the effectiveness of the results. But such endeavors