Please use this Handle URI to cite this item:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/93426
Title: | 個人資料去識別化規範制度之建構研析—以歐盟 GDPR 與美國 HIPAA 隱私規則為借鑑對象 Reconstructing the Legal Framework on De-identified Personal Data: From A Comparative Study of EU GDPR and US HIPAA Privacy Rule |
Author: | 許雅琳 Ya-Lin Hsu |
Advisor: | 李建良 Chien-Liang Lee |
Keywords: | de-identification, data privacy, personal data, re-identification, informed consent, GDPR, HIPAA Privacy Rule |
Publication year: | 2024 |
Degree: | Master's |
Abstract: | Under personal data protection regimes, de-identification is expected to serve as a compromise that resolves the tension between open data use and privacy protection. Taiwan's Personal Data Protection Act provides that where public and non-public agencies, for purposes of public interest, academic or statistical research, process data so that specific data subjects can no longer be identified, they may lawfully collect, process and use that data within the necessary scope without obtaining the data subjects' consent; other data-related laws in Taiwan contain similar mechanisms that allow de-identification to substitute for the consent of the data subject. However, the controversy and debate over the National Health Insurance database have made plain that Taiwan's current regulatory framework for de-identification suffers from many problems and deficiencies.
On the conceptual level, anonymization and pseudonymization both fall within the scope of de-identification: the former aims to eliminate the identifiability of data permanently and completely, whereas the latter masks identifying information with an alias so as to hide the link between the data and the individual. Encryption is often mentioned alongside pseudonymization, but its main purpose is to prevent data breaches, which is fundamentally different from de-identification, whose purpose is to protect privacy. When introducing and building a policy framework, it must be recognised that de-identification reduces the usability of data, is of very limited effectiveness on unstructured data, and cannot fully prevent the risk of re-identification, so the implementation of risk assessment and control measures must be strengthened. The comparative legal analysis finds that the EU and the US differ markedly in how they position de-identification and in the regulatory function assigned to it. The EU treats de-identification as a data protection measure, an obligation that data controllers and processors must fulfil, so its actual effect in relaxing regulation is limited; US law, by contrast, prescribes de-identification methods directly in the regulation and encourages regulated entities to de-identify health data by the statutory methods in exchange for exemption from regulation, but this model provides insufficient privacy protection. Taiwan's regulatory model restricts the people's right to informational self-determination while relying almost exclusively on data de-identification as the sole and final protective measure; its standards are unclear and their practical interpretation confused, so the interference with fundamental rights clearly lacks legitimacy. This study proposes the following reforms to Taiwan's regulatory framework: first, adopt a data release model as the baseline framework for setting de-identification standards, so that the rules become progressively more definite; second, strengthen the notification obligations of data users and the controls on the conduct of recipients of de-identified data, to prevent arbitrary use of de-identified data; third, complete the supervisory mechanism through regulatory compliance audits and ex ante remedies, to ensure that the policy rules are actually implemented. De-identification, within personal data protection frameworks, aims to balance open data usage and privacy protection. The Personal Data Protection Act allows public and private agencies to use data for public interest, academic, or statistical research without consent if the data is processed to prevent identification of individuals. Other regulations similarly permit de-identification in place of consent. However, controversies, particularly around the health insurance database, have exposed issues and deficiencies in Taiwan's de-identification regulation and system framework. Conceptually, "anonymization" and "pseudonymization" are both forms of de-identification. Anonymization seeks to permanently eliminate data identifiability, whereas pseudonymization involves using aliases to mask identifying information, thus obscuring the link between the data and individuals. "Encryption" is often mentioned alongside pseudonymization but differs fundamentally in its aim to prevent data leakage rather than protect privacy. In practice, de-identification reduces data usability, is less effective on unstructured data, and cannot completely prevent re-identification risks, necessitating stronger risk assessment and control measures. Comparative legal analysis shows significant differences between the EU and US approaches. The EU sees de-identification as a protective measure with limited regulatory relief.
In contrast, US law explicitly outlines de-identification methods, encouraging entities to de-identify health data accordingly. Once de-identified, the data is exempt from certain regulatory controls. However, this model presents concerns regarding insufficient privacy protection. Taiwan's regulatory model limits citizens' information autonomy by relying almost exclusively on data de-identification as the primary protection measure. The standards are unclear, leading to inconsistent practical interpretations and a lack of legitimacy in the intervention in fundamental rights. This study concludes by proposing the following reforms for Taiwan's regulatory system: 1. Use a data disclosure model as the basis for setting de-identification standards to gradually clarify the regulations. 2. Strengthen the notification obligations of data users and control over the behavior of recipients of de-identified data to prevent arbitrary use. 3. Enhance supervision through regulatory compliance audits and preemptive relief channels to ensure effective implementation of policy regulations. |
URI: | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/93426 |
DOI: | 10.6342/NTU202401988 |
Full-text license: | Authorized (publicly available worldwide) |
Appears in collections: | Department of Law |
Files in this item:
File | Size | Format | |
---|---|---|---|
ntu-112-2.pdf | 3.16 MB | Adobe PDF | View/Open |
Items in the system are protected by copyright, with all rights reserved, unless otherwise indicated.