This article examines the limitations of applying traditional information privacy theory to disputes relating to modern technologies. If information privacy is understood as an individual’s right to full control over his information, activities involving the collection, processing and use of personal data cannot be conducted without the data subject’s consent, because such activities would affect his privacy rights. Instead of the privacy interest approach, this article introduces a privacy harm approach to remedy the defects of traditional privacy theory. The privacy interest approach helps identify situations in which an individual’s information privacy conflicts with the free flow of information, and the privacy harm approach comes into play to precisely evaluate and determine the reasonable extent of protection of the respective interest. This article applies this privacy-harm-oriented approach to the Taiwan Taipei High Administrative Court judgment in Tsai v. NHIA to show that the modified information privacy theory is helpful in resolving the information privacy dispute at issue.

This article elaborates on the reasons why imposing a universal rule that the data controller must obtain the data subject’s consent before using his health data is of no real help in protecting health privacy and is detrimental to medical research. This notion can be supported by the following concepts: 1. shifting the liability for privacy protection to the data subject will increase the risk of privacy invasion; 2. in the multi-faceted privacy interest concept, granting decision-making rights to an individual cannot guarantee privacy protection; 3. it will add unreasonable costs to medical research.

By applying the privacy harm approach, this article further analyzes the importance of considering the likelihood of privacy harm regarding health information. In this approach, because identifiable health information and identified health information are subject to different likelihoods of privacy harm, different degrees of privacy protection and privacy rules should apply to them in their respective contexts.