Cloud Computing 2024

Last Updated October 08, 2024

Taiwan

Law and Practice

Authors



Lee, Tsai & Partners is a full-service boutique local firm servicing the Greater China region. The firm’s headquarters are in Taipei, co-operating with a local partner law firm in Shanghai and a representative office of a local IP consulting firm in Beijing. The firm’s cloud computing law practice group includes former judges, a former prosecutor and experienced attorneys and is led by Jaclyn Tsai. The firm has substantial experience representing companies in all instances of Taiwan courts and on landmark cases. Lee, Tsai & Partners also regularly advises clients on the strategic planning and management of IP rights in relation to the high-tech industry, including obtaining patents and trademarks, IP licensing issues, and litigation. The firm’s client profile includes the largest online search engine providers, airlines, semi-conductor manufacturers, telecommunication companies, pharmaceutical companies, infrastructure providers, banks, insurance companies, private equity funds, and venture capitalists. The authors would like to thank David Hung for his research and contribution to this chapter.

In Taiwan, while there is no specific legislation directly regulating cloud computing for private enterprises or cloud service providers, the processing of personal data in cloud environments falls under the scope of the Taiwan Personal Data Protection Act (PDPA). This act mandates that all government agencies and private enterprises utilising cloud services adhere to the PDPA and its associated Enforcement Rules (“Enforcement Rules”) when collecting, processing, or using personal data. Further, if a cloud service provider is engaged by these entities to manage personal data, the provider acts as an agent of the commissioning entity, and, under Article 4 of the PDPA, the provider must follow the same regulations that govern the original data controller, ensuring consistency and compliance across the board.

Definition of Personal Data and Sensitive Personal Data

The PDPA defines personal data as information that can directly or indirectly identify a natural person, which includes but is not limited to a person’s name, date of birth, national identification card number, passport number, physical characteristics, fingerprints, marital status, family information, educational background, occupation, medical records, healthcare information, genetic data, sexual life, physical examination records, criminal records, contact information, financial status, and social activities. Sensitive personal data, which includes medical records, healthcare information, genetic data, sexual life, physical examination records, and criminal records, is subject to stricter regulations and can only be collected, processed, or used under specific conditions as outlined in Article 6 of the PDPA.

Specific Purpose for Collection, Processing and Use of Personal Data

Under the PDPA, any collection, processing, or use of personal data in the cloud must be grounded in a clearly defined purpose with a valid legal basis, as required by Articles 19(1) and 20(1) of the PDPA. Entities must inform data subjects about the purpose of data collection, whether the data is obtained directly from them or through other means.

Regulations for Personal Data in Specific Fields of Cloud Computing

Cloud service providers are required to implement appropriate security measures to protect personal data, as required by Article 27 of the PDPA (see 2.1 Data Security and the Cloud for details of the security measures). If cloud computing involves an industry for which the central government authority in charge mandates the establishment of a personal data file security plan, providers must also adhere to that industry’s specific personal data security regulations when collecting, processing, and using personal data. In addition, private enterprises or cloud service providers that use personal data in the banking industry or in the healthcare industry must comply not only with the requirements of the PDPA but also with the following provisions:

  • Banking industry: For customer data in the banking sector, if a bank outsources operations involving the use of cloud services, it must comply with the internal control, audit, and supervision measures stipulated in Article 19 of the Regulations Governing Internal Operating Systems and Procedures for Outsourcing of Financial Institution Operation (“Outsourcing Regulations for Financial Institutions”). Additionally, banks using cloud services can refer to the Standards for Outsourcing Operations Using Cloud Services by Financial Institutions and the Guidelines on Applying Emerging Technologies by Financial Institutions to establish management measures for cloud-based customer data.
  • Healthcare industry: Healthcare institutions that use cloud services or commission an entrusted entity to provide cloud services for collecting, processing, or using electronic medical records must also comply with the relevant control and supervision measures outlined in Article 8 of the Regulations Governing Production and Management of Electronic Medical Records by Healthcare Institutions.

Information Obligation and Supervisory Obligation

When utilising cloud services to collect or process an individual’s personal data, government and private enterprises in Taiwan must inform individuals about the purpose, scope, and rights related to their personal data before such collection or processing (Information Obligation). This includes providing clear information about the use of cloud service providers and how personal data will be managed, stored, and protected within the cloud environment.

Further, government and private enterprises that engage cloud service providers to handle personal data are required to supervise and ensure that these providers implement robust internal controls and data management practices in compliance with PDPA standards (Supervisory Obligation). This supervision involves regularly auditing cloud providers, verifying that appropriate security measures are in place, and ensuring that data processing activities adhere to the agreed-upon terms and legal requirements. For detailed information on supervisory obligations, please refer to 4.1 Due Diligence.

Taiwan generally permits the cross-border transfer of personal data under the principle of “openness in principle and prohibition by exception”. The central government authority responsible for a particular industry may impose restrictions where major national interests are involved, or where:

  • an international treaty or agreement requires such restrictions; 
  • the receiving country lacks adequate regulations for the protection of personal data and the rights and interests of data subjects may be harmed as a result; or
  • the cross-border transfer of personal data to a third country or territory is intended to circumvent the PDPA.

There are currently three restrictions in place:

  • In 2012, the National Communications Commission restricted the transfer of users’ personal data to Mainland China by communications enterprises.
  • In 2022, the Ministry of Health and Welfare imposed similar restrictions on social worker offices.
  • In 2023, the Ministry of Labor restricted the transfer of clients’ personal data by manpower agencies to Mainland China.

To ensure compliance with these cross-border transfer restrictions, cloud computing service providers are required to establish a personal data security maintenance plan that ensures compliance with any restrictions imposed by central authorities and includes mechanisms for informing data subjects about where their data is being transferred. Further, providers must supervise the recipient’s use of the data to ensure it is handled according to the agreed-upon terms, and they must safeguard the rights of data subjects to access, correct, or delete their data.

In Taiwan, there are no specific laws or regulations that impose penalties exclusively for cloud computing. However, failure to comply with Taiwan’s PDPA and related specific industry data privacy regulations, such as those for the healthcare and finance industries, can result in criminal, civil, and administrative liabilities.

Criminal Liability

If an individual intentionally violates specific provisions of the PDPA – such as those governing the handling of sensitive personal data, general data processing requirements, or restrictions on cross-border data transfers – with the intent to gain unlawful benefits or harm another person’s interests, and this results in damages to others, they may face imprisonment for up to five years and/or a fine of up to TWD1,000,000.

Furthermore, if a person unlawfully alters or deletes personal data files or otherwise compromises their accuracy, causing damage, they may also be subject to the same penalties: imprisonment for up to five years or detention and a fine of up to TWD1,000,000.

Civil Liability

If a private enterprise violates the provisions of the PDPA and causes personal data to be illegally collected, processed, used, or otherwise infringes upon the rights and interests of data subjects, it is liable to compensate the data subjects for damages unless it can prove that such damages were not caused by the private enterprise’s intentional or negligent act.

Administrative Liability

If a private enterprise violates key provisions of the PDPA – such as those concerning the handling of sensitive data, the processing of personal data, or restrictions on cross-border transfers – it may be fined between TWD50,000 and TWD500,000. The central government authority or local government will mandate that the violation be corrected within a specified timeframe. If the enterprise fails to comply, fines will be imposed for each instance of the violation.

For other violations, such as failing to establish a security and maintenance plan for personal data or improperly handling personal data after business termination, fines can range from TWD20,000 to TWD2,000,000. In cases of serious violations, fines can escalate up to TWD15,000,000 per occurrence.

The Ministry of Digital Affairs has established the Personal Data Management Regulations for Digital Industry, requiring cloud service providers to implement appropriate risk control measures for cloud data. Key requirements include the following:

  • Security maintenance plan – cloud service providers must plan and establish a personal data file security maintenance plan and ensure that employees are aware of personal data protection management policies.
  • Regular inspections – providers must regularly inspect and confirm the status of collected, processed, or utilised personal data and define the scope included in the security maintenance plan.
  • Risk assessment – providers must regularly assess potential risks and adopt appropriate security measures based on the results of these assessments.
  • Internal management procedures – providers must establish internal management procedures to ensure compliance with personal data protection laws during data collection, processing, or utilisation.
  • Information security measures – providers must implement appropriate encryption and back-up protection measures, establish firewalls for information security management to prevent external network intrusions, and regularly update these measures.
  • Monitoring and drills – providers must set up monitoring mechanisms for abnormal access behaviours and conduct regular drills to test response mechanisms.
  • Antivirus and malware protection – providers must continuously update and execute antivirus software and perform regular malware detection.
  • Authentication mechanisms – providers must configure authentication mechanisms with a certain level of complexity for information systems.
  • Data anonymisation – when testing information systems that handle personal data, providers must avoid using real personal data; if real data is used, providers must establish usage regulations and implement anonymisation mechanisms to mask personal data appropriately.
  • System reviews – Providers must regularly review information systems that process personal data and ensure that system changes do not compromise security.

Further, to enhance access control and permissions for cloud-based personal data, cloud service providers should conduct awareness campaigns and educational training on personal data protection for their personnel and establish confidentiality obligations with employees. Upon an employee’s departure, providers must require the return of any media containing personal data and ensure the deletion of any personal data held for business purposes.

Regarding the response, notification, and prevention mechanisms for personal data security incidents, cloud service providers should establish procedures to control damage, notify affected individuals, and develop corrective and preventive measures post-incident. If a personal data security incident jeopardises normal operations or significantly impacts the rights of many individuals, it must be reported to the Ministry of Digital Affairs within 72 hours. Please refer to 5.2 Investigating and Remedying Data Breaches and 5.3 Notifying Data Breaches for detailed notification mechanisms and procedures.

Ownership of Personal Data

In practice, cloud agreements in Taiwan generally specify that ownership of the information, which includes any personal data stored in the cloud, belongs to the cloud service user. Further, private enterprises in certain industries are required to ensure that the cloud agreements provide certain safeguards. For example, under the Outsourcing Regulations for Financial Institutions, banks are required to retain full ownership of the data and are responsible for ensuring that the cloud service provider does not access customer data except for executing the outsourced services and does not use it beyond the scope of the outsourcing arrangement.

Rights of Data Subjects

Data subjects have the same general rights over their data in the cloud as they do under general circumstances – ie, the right to:

  • inquire or request a review of their personal data;
  • request a copy of their personal data;
  • request supplementation or correction of their personal data;
  • request cessation of collection, processing, or use of their personal data; and
  • request deletion of their personal data.

It should be noted that the above rights are not absolute. For example, in certain fields, such as healthcare, data subjects may have restricted rights to request deletion. One instance is the National Health Insurance Medical Information Cloud Query System, which manages patient data across different medical institutions, including medical visits, medications, and surgeries, so that physicians and pharmacists can access recent medical and medication records when providing clinical treatment or consultations. Data subjects do not have a right to have their personal data stored on this system deleted.

To exercise the above rights, the data subject may submit a request to the cloud service provider. The cloud service provider must approve or reject inquiries or requests for reviews of personal data within 15 days of receipt. For the other requests mentioned above, the cloud service provider must approve or reject the request within 30 days of receipt.

In Taiwan, there are currently no specific laws or regulations that ensure or mandate data portability in the cloud. Consequently, the ability to transfer data between cloud providers typically depends on the terms of individual service agreements and the technical capabilities provided by cloud service providers.

Cloud service providers are responsible for managing data retention and deletion policies in compliance with the PDPA.

Providers may delete or cease processing or using the data if the specific purpose for data collection no longer exists, if a data subject requests deletion of their personal data, or if the retention period has expired. Providers must retain records of the deletion process, including details on the method, time, and location, for at least five years.

While the PDPA does not establish specific due diligence requirements for selecting a cloud service provider, in practice, when choosing a cloud service provider, due diligence should focus on several key areas:

  • ensuring the provider adheres to relevant security standards and data protection regulations, such as the PDPA in Taiwan;
  • reviewing the provider’s policies on data retention, deletion, and recovery, including their procedures for handling data breaches;
  • evaluating the provider’s uptime guarantees, disaster recovery capabilities, and service level agreements (SLAs);
  • assessing the provider’s track record, including customer reviews and any history of security incidents;
  • verifying the provider’s compliance with industry-specific regulations, especially in sectors like finance and healthcare; and
  • scrutinising the terms related to data ownership, access control, and exit strategies to ensure they align with business needs.

When conducting the due diligence, the private enterprise should also consider that it is required, as the commissioning agency, to supervise the cloud service provider’s compliance with the PDPA and the Enforcement Rules, which include:

  • supervising the scope, categories, specific purposes, and duration for which the outsourced entities plan to collect, process, or use personal data;
  • supervising the security maintenance measures adopted by the outsourced entities;
  • confirming any agreed subcontractors if the outsourced entities use them;
  • requiring the outsourced entities to notify and take remedial measures if they violate the PDPA or other relevant personal data protection laws and orders; and
  • ensuring that the outsourced entities return personal data carriers or delete personal data upon termination or dissolution of the outsourcing relationship.

Therefore, when selecting a cloud service provider, the commissioning agency must confirm that it can effectively exercise the aforementioned supervision over the provider.

Specific Provisions in the Financial Sector

When banks outsource the collection, processing, or use of personal data to cloud service providers, they must establish and implement procedures for selecting the outsourced entities and evaluate the following items:

  • confirm that the outsourced activities fall within the legally permissible business scope of the cloud service provider;
  • evaluate the cloud service provider’s qualifications, service levels, recovery capabilities, back-up mechanisms, supply chain relationships, responsibility attribution, and information security measures; and
  • assess the platforms, protocols, interfaces, and file formats provided by the cloud service provider to ensure interoperability and portability.

The securities and futures industries, as well as the insurance industry, are subject to similar regulations.

Specific Requirements for Government Departments

When government agencies build or use cloud services, the outsourced cloud service providers must meet the following conditions:

  • The provider must not be from Mainland China, including Hong Kong and Macao.
  • The information and communication products (including software, hardware, and services) used to provide the agency’s cloud services must not be of Mainland Chinese origin or brand.
  • Domestic team members (including subcontractors) performing outsourced cloud services must not include individuals from Mainland China. For overseas team members, they must have personnel security control mechanisms that meet relevant international standards and pass verification.
  • The physical locations for data access, back-up, and recovery within the cloud services must not be situated in Mainland China, including Hong Kong and Macao.

As stated in 4.1 Due Diligence, cloud service providers handling personal data as part of an outsourcing arrangement are subject to the supervision of the commissioning agency. The parties must clearly specify the matters and scope of supervision in the outsourcing contract. Additionally, cloud service providers should be aware that when companies in other industries engage them to collect, process, or use personal data, they must comply with the relevant personal data regulations set by the central competent authority of the commissioning party’s industry.

Specific Provisions for the Financial Industry

When banks outsource the collection, processing, or use of personal data to cloud service providers, they must include the following provisions in the contract to ensure personal data security:

  • Confidentiality and security measures: The contract must include confidentiality and security measures for customer data.
  • Immediate notification: The outsourced party must immediately notify the financial institution in the event of significant abnormalities or deficiencies in the outsourced services.

To further ensure compliance with relevant personal data protection regulations, financial regulations establish the following mechanisms:

  • Prohibition on sub-delegation: In principle, sub-delegation is prohibited.
  • Outsourcing abroad: If significant consumer finance business information systems are outsourced abroad, banks must confirm that the outsourced institution’s use, processing, and control of customer data comply with the PDPA. Additionally, banks must retain complete audit records and list them as key audit items.
  • Enforcement actions: If the outsourced party violates these regulations or other laws, competent authorities may, depending on the severity, notify banks to terminate the outsourcing according to contractual provisions, require the outsourced party to make improvements within a specified period, or suspend the outsourcing until the necessary improvements have been confirmed.

The Ministry of Digital Affairs has issued guidelines recommending that data processing agreements clearly outline the cybersecurity responsibilities of cloud service providers, clients, and third parties, such as:

  • defining the secure usage environment for the service and specifying the cybersecurity measures or tools that should be adopted;
  • clearly stipulating the obligations of the commissioning agency, such as regularly updating systems and software, installing designated cybersecurity measures or tools, and conducting regular training sessions;
  • clearly stipulating the obligations of the outsourced party (cloud service provider), such as ensuring website security and designing encrypted data transmission channels; and
  • if cloud servers or cloud storage space are leased, outlining the connection architecture and clarifying which party is responsible for data storage and protection management.

Further, the Outsourcing Regulations for Financial Institutions require that data processing agreements for cloud services outsourced by a bank must include, but are not limited to, the following:

  • scope and responsibilities – a clearly defined scope of the outsourced matters and the rights and responsibilities of the outsourced institution;
  • legal compliance – representations that the cloud service provider does not violate laws, public order, or good morals;
  • dispute resolution – mechanisms for resolving consumer disputes;
  • contract termination – material reasons for terminating the outsourcing contract, including clauses under which the contract is terminated or cancelled upon notification by the competent authorities;
  • regulatory access – agreement by the cloud service provider that, within the scope of the outsourced matters, competent authorities and the Central Bank may obtain relevant data or reports and conduct financial inspections; and
  • obligations for overseas outsourcing – if significant consumer finance business information systems are outsourced abroad, obligations of the bank with respect to system migration, data processing, and the liability for service interruptions in the event that the outsourced operations need to be transferred to another cloud service provider or back to the bank.

Termination and Exit Strategies for Cloud Service Agreements

In general, cloud service agreements typically include provisions that outline conditions for early termination, including any penalties or notice periods, and provide that, upon termination, there is a data retrieval period during which clients can access and download their data. After this period, data is handled according to the cloud service provider’s personal data security maintenance plan, which must include procedures for legally destroying, transferring, deleting, or ceasing the processing or use of personal data after the termination of business operations. The cloud service provider is to implement these procedures strictly, and records of such implementation should be retained for at least five years.

In addition to general obligations, the financial industry imposes specific requirements when a cloud service provider terminates services to banks, securities and futures firms, or insurance companies. According to the self-regulatory norms, the cloud service provider must delete or destroy all relevant cloud data, including images, customer data, back-ups, and other related information. Furthermore, the provider must issue a certificate confirming the complete deletion of the data.

Migration of Data and Services from One Cloud Provider to Another

There is no right of data portability in Taiwan, and cloud service providers are not legally required to facilitate the migration of data and services to another cloud provider when the user decides to terminate services. Therefore, data and service migration in Taiwan is governed by the contractual arrangements between the cloud service providers and the user.

In practice, when a financial institution plans to migrate data and cloud services from one provider to another, it should consider the potential impact of the cloud services on its continued operation and develop a detailed exit plan that includes the following stages:

  • Pre-exit assessment – the financial institution should:
    1. assess the resources required for migration and conduct pre-exit assessment;
    2. confirm whether existing resources are sufficient to cope with the migration process and future operational needs; and
    3. inventory the data and resources to be returned or transferred, plan temporary alternative tools, and assess the costs associated with system migration or data export.
  • In-process handling – the financial institution should execute preparatory tasks for data transfer, utilise the mechanisms provided by the cloud service provider to carry out the data transfer, and conduct data integrity verification tests.
  • Post-confirmation – the financial institution should confirm the completion of system migration or data migration, confirm and test the migrated cloud service and obtain user feedback to continuously adjust the operation process.

Personal Data Protection Act

Private enterprises designated by the competent authority under Article 27, Paragraph 2 of the PDPA are required to establish a personal data file security maintenance plan. In the event of a personal data breach, these enterprises should notify the competent authority within a specified time frame (usually within 72 hours) using the prescribed method, in accordance with their respective regulations. However, this notification is not a statutory obligation explicitly stipulated by the PDPA. Consequently, the competent authority of the industry cannot impose penalties solely because a private enterprise failed to notify according to the notification mechanism outlined in the security maintenance regulations.

Cybersecurity Management Act

Additionally, if an entity is designated by the competent authority as a provider of critical infrastructure in fields such as energy, water resources, communications and broadcasting, transportation, banking and finance, emergency rescue, hospitals, central and local government agencies, or high-tech parks under the Cybersecurity Management Act, it must report cybersecurity incidents within one hour of becoming aware of the incident, following the method specified by the central competent authority.

According to Article 21 of the Cybersecurity Management Act, if an entity fails to report a cybersecurity incident, it shall be fined between TWD300,000 and TWD5 million by the central competent authority and ordered to make corrections within a specified period. If corrections are not made within that period, fines may be imposed consecutively.

Disclosure of Material Information by Listed Companies

If a listed company experiences a cybersecurity incident that causes significant damage or impact to the company, it must disclose this as material information. This includes incidents where the company’s information systems, official website, or other digital assets are hacked, damaged, altered, deleted, encrypted, stolen, or subjected to distributed denial-of-service (DDoS) attacks, resulting in an inability to operate or provide normal services, or where there is a risk of leakage of personal data or internal document files. The content or explanation of such material information must be reported through the designated internet information reporting system within the specified timeframe.

According to Article 8 of the Personal Data Management Regulations for Digital Industry, industries must formulate “contingency measures to be taken after an incident” and “a mechanism for developing corrective and preventive measures” in response to security incidents such as theft, modification, destruction, loss, or leakage of personal data. Information service providers may investigate the cause of such incidents by retrieving logs to check for abnormal IP addresses, searching for vulnerabilities in backend systems and frontend websites through information security checks (including code review, penetration testing, vulnerability scanning, etc), and tracing the attack path to find other possible causes (eg, an employee falling victim to social engineering), etc. Service providers should focus on investigating their own systems and websites while also assisting their customers in the investigation.

Examples of Remedial and Preventive Measures

  • Improvement of information security measures:
    1. patching of vulnerabilities and partial or complete improvement of system security protection measures (eg, system architecture changes, strengthening of firewalls, encryption of transmission channels, encryption of databases, etc) based on the identified causes of the incidents.
  • Changes in personal information handling:
    1. implement data minimisation principles, such as masking sensitive data when transmitting personal information; and
    2. modify the content of personal data collected, change the methods of data transmission, and adjust the location and methods of data storage.
  • Re-evaluation of information security responsibility with the customer:
    1. assess whether the customer can bear the cost of necessary data security protections; and
    2. re-establish data security responsibilities in the contract, or consider not renewing the contract if the customer cannot meet the required security standards to avoid placing excessive risk on the information service provider.

Notification to the Subject

The PDPA requires that data subjects be notified via appropriate means after relevant facts have been clarified where the data subject’s personal data has been stolen, disclosed, altered, or otherwise infringed upon due to a violation of the PDPA by a government or private enterprise. “Notification by appropriate means” includes verbal communication, written notice, phone calls, text messages, email, fax, electronic documents, or other methods that effectively convey the information to the data subjects. However, if direct notification involves disproportionate costs, the agency may, considering technical feasibility and privacy protection, notify the data subjects through the internet, media, or other suitable and public means.

Notification to Competent Authorities

Private enterprises designated by the competent authority to establish a personal data file security maintenance plan, under Article 27, Paragraph 2 of the PDPA, must notify the competent authority in a specified manner within a specified period, as dictated by the regulations of the competent authority in each industry. For instance, if a business in the digital economy sector encounters a personal data security incident that jeopardises its normal operations or the rights and interests of a large number of individuals, it must notify the Ministry of Digital Affairs using a designated notification form within 72 hours of learning about the incident. The notification must include:

  • basic information and contact details of the business;
  • the time of occurrence of the data breach;
  • the type of incident;
  • the number and type of personal data involved;
  • the cause of the incident;
  • the status of the damage;
  • the potential consequences;
  • the countermeasures to be taken; and
  • the time and method of notification to the affected data subjects.

How to Co-ordinate Data Breach Notification with Cloud Service Providers

Data collectors hold ultimate responsibility for notifying relevant parties in the event of a data breach. If a private enterprise entrusts a cloud service provider to collect, process, or use personal data, the private enterprise must appropriately supervise the cloud service provider and explicitly stipulate in the entrustment contract or related documents that, upon learning of a data breach, the cloud service provider is obligated to notify the private enterprise immediately and assist them in notifying the competent authorities.

Cross-border Transfer of Cloud Computing Data

For the cross-border transfer of personal data under the PDPA, please refer to 1.2 Data Privacy and Cross-Border Transfers. Further, certain industries have more stringent requirements for cross-border data transfers. For example, under the Outsourcing Regulations for Financial Institutions, if a financial institution outsources operations outside of Taiwan, and the financial authority in the location of the outsourced institution requests information about its customers in Taiwan, the financial institution must first notify the Taiwan competent authority and obtain its consent before providing the information. Furthermore, when a financial institution outsources its operations and entrusts its information system for major consumer finance business to a foreign country, it must submit the necessary documents to the competent authority for approval.

Data Protection in International Transmission Contracts

When international transmission involves entrusting a cloud service provider to process personal data, Article 8 of the Enforcement Rules requires that commissioning agencies supervise the cloud service provider and explicitly stipulate the relevant terms in the entrustment contract or related documents. The commissioned cloud service provider is permitted to collect, process, or use personal data only within the scope defined by the commissioning agency.

Further, when a private enterprise in an industry designated by the competent authority engages in international data transmission, it must comply with several requirements. First, the private enterprise must examine whether the competent authority has issued any restrictions on international transmission in accordance with Article 21 of the PDPA. The private enterprise must also inform the data subject of the region to which their personal data will be transmitted, as required by Article 8 of the PDPA. Furthermore, the private enterprise is responsible for supervising the data recipient, and these obligations should be clearly stipulated in the contract.

Data Localisation Regulations

Certain types of data must be stored within Taiwan, according to relevant regulations, as detailed below.

Electronic medical records of medical institutions

According to Article 8, Paragraph 2 of the Regulations Governing Production and Management of Electronic Medical Records by Healthcare Institutions, and the Ministry of Health and Welfare’s announcement, the data storage location for cloud services used by medical institutions refers to the physical location of cloud service access, back-ups, and back-up data (including temporary data storage). Unless otherwise approved by the competent authority, these storage locations must be within the territory of Taiwan, and the cloud service provider must not be a company from the People’s Republic of China (PRC).

Customer data entrusted to cloud service providers by financial institutions

According to the Outsourcing Regulations for Financial Institutions, when a financial institution’s outsourced operations involve cloud-based services, customer data from material retail financial business information systems should be stored within Taiwan. If the data is stored offshore, back-ups of important customer data must be retained in Taiwan unless the competent authority grants approval otherwise.

Impact of Data Localisation on Cloud Computing

Relevant industries may prefer to work with localised cloud service providers or vendors that can store data within Taiwan. Foreign cloud service providers may need to establish data centres in Taiwan to comply with these regulatory requirements.

Scope of Application of Personal Information Law and Conflict of Laws

According to relevant interpretations of the PDPA and based on the principle of territoriality, personal data collected, processed, and used within Taiwan is generally subject to the PDPA. Further, under Article 51(2) of the PDPA, the law also applies to government and private enterprises outside Taiwan when they collect, process, or use the personal data of Taiwanese nationals. Therefore, the PDPA applies to Taiwan’s government, individuals, or private sector entities that handle the personal data of Taiwanese people, even when this occurs outside Taiwan’s territory.

Regarding private disputes, the Act Governing the Choice of Law in Civil Matters Involving Foreign Elements does not explicitly specify which country has international jurisdiction over a foreign matter. The court will determine jurisdiction based on a comprehensive evaluation of the international civil litigation interests involved, the connection between the case and a particular country (jurisdiction), and by considering the jurisprudence of domestic civil litigation regulations and international civil judgment rules. The court will weigh the substantive fairness to the parties and the procedural expediency and economy to decide whether Taiwanese courts have jurisdiction. To avoid disputes, it is advisable to expressly provide for jurisdiction and applicable law in the relevant contractual documents.

Risks and Challenges of International Data Transmission in the Cloud

The development of the internet has made it challenging to determine whether the behaviour and outcomes of data processing in the cloud occur within Taiwan’s territory. This ambiguity complicates businesses’ efforts to ascertain whether they must comply with the relevant provisions of the PDPA, thereby increasing both compliance costs and the risk of legal violations. Additionally, the nature of cloud data transmission complicates the ability of competent authorities to determine the scope of their jurisdiction, making enforcement of the PDPA more difficult.

Cloud service providers must establish a personal data security audit mechanism, regularly assess the implementation status of their security maintenance plan, and produce an evaluation report.

The audit mechanism should encompass key areas such as “operational management”, “technical protection”, “legal compliance”, and “operational process”. Specific audit focus areas may include:

  • identifying personnel and resources responsible for personal data protection management;
  • defining and inventorying the scope of personal data, including confirming the current status of personal data collected, processed, or used;
  • conducting risk assessment and management;
  • reviewing mechanisms for incident prevention, notification, and response; and
  • evaluating internal management procedures related to personal data.

Personnel or Units Responsible for Conducting Audits

Cloud service providers are advised to appoint personnel with expertise in legal and information security to conduct internal audits to ensure the integrity and accuracy of audit reports. Further, they may engage third-party verification organisations to perform external audits in accordance with personal data protection regulations and international standards, such as BS 10012 and ISO 27701.

Records of Audit Results and Response Measures

  • Retention of audit records: Records of audits must be retained for at least five years.
  • Response measures for audit results:
    1. Data deletion – if it is found that the specific purpose for which personal data was collected no longer exists or the retention period has expired, the personal data should be deleted, or its processing and utilisation should cease.
    2. Addressing deficiencies – if deficiencies are identified during the audit, the causes should be investigated, improvement measures should be evaluated and implemented, and the effectiveness of these measures should be assessed. The entire process should be thoroughly documented.

Penalties

Violations of the aforementioned personal data audit regulations can result in fines ranging from TWD20,000 to TWD2,000,000. In cases of serious violations, or if the entity fails to rectify the non-compliance as instructed by the competent authority, fines may range from TWD150,000 to TWD15,000,000 and may be imposed per violation.

Lee, Tsai & Partners

9F, 218 Tun Hwa S. Rd.
Sec. 2
Taipei
106033
Taiwan
R.O.C.

886-2-23785780

886-2-23785781

lawtec@leetsai.com www.leetsai.com

Trends and Developments


Introduction

The rapid adoption of cloud computing is reshaping Taiwan’s digital landscape, particularly in key sectors like finance, healthcare, and education. This transformation offers significant opportunities for greater efficiency, innovation, and competitiveness. However, it also introduces complex legal and regulatory challenges that must be addressed to ensure data protection, privacy, and security. Taiwan’s current legal framework, primarily based on the Personal Data Protection Act (PDPA), provides a foundation for managing these concerns. However, notable gaps need to be filled as cloud technology continues to evolve. This article explores the current trends, regulatory challenges, and future directions of cloud computing in Taiwan.

Overview of Cloud Computing in Taiwan

Cloud computing has become a crucial facilitator for various industries in Taiwan, enabling businesses to expand operations, improve services, and stay competitive in a rapidly evolving digital economy. The financial sector, for example, leverages cloud technologies for data analytics, risk management, and customer service enhancements, enabling institutions to streamline operations and meet evolving regulatory requirements. The healthcare sector relies heavily on cloud solutions to manage electronic health records, facilitate telemedicine, and improve patient outcomes through data-driven insights. Similarly, educational institutions are increasingly adopting cloud platforms to support remote learning, digital collaboration, and resource management.

Recognising the strategic importance of cloud computing, the Taiwanese government has actively promoted its adoption across industries. However, given the sensitive nature of the data processed in cloud environments, this growth also necessitates stringent measures to address data protection and cybersecurity concerns.

Current Legal Framework

Personal Data Protection Act (PDPA)

Taiwan’s primary legislation governing data protection is the Personal Data Protection Act (PDPA), enacted in 2012. The PDPA establishes a comprehensive framework for the collection, processing, and use of personal data. It applies to both public and private sectors, ensuring that entities handling personal data comply with strict regulations.

Key provisions of the PDPA include:

  • Lawful basis requirement: Entities must have a lawful basis to collect, process, or use personal data, such as obtaining consent from individuals before collecting or processing their personal data.
  • Purpose limitation: Data must be collected for specific, legitimate purposes and cannot be used for other purposes without a lawful basis.
  • Data subject rights: Individuals have the right to access, correct, and delete their personal data.

The PDPA also imposes specific obligations on data controllers and processors, including informing data subjects about how their data will be used and implementing appropriate security measures to protect personal data. These obligations are particularly critical in cloud environments, where data may be stored and processed across multiple jurisdictions, adding complexity to compliance efforts.

Enforcement rules and sector-specific regulations

The PDPA’s Enforcement Rules provide detailed guidelines on how to comply with the act, particularly in cloud computing contexts. These rules require cloud service providers (CSPs) to implement comprehensive security measures to safeguard personal data, including encryption, access controls, and regular audits.

Beyond the general provisions of the PDPA, certain industries are subject to sector-specific regulations that impose additional requirements on the use of cloud services. For example, the financial sector, regulated by the Financial Supervisory Commission (FSC), mandates that banks establish detailed internal controls, conduct rigorous audits, and adhere to strict data security standards when outsourcing operations to cloud providers. Similarly, the healthcare sector, regulated by the Ministry of Health and Welfare (MOHW), requires healthcare institutions to comply with stringent security measures when managing electronic health records in the cloud, including data localisation requirements that mandate storing data within Taiwan.

These sector-specific regulations ensure that sensitive data is protected according to each industry’s unique needs, but they also add complexity to the regulatory landscape for businesses operating across multiple sectors or jurisdictions.

Regulatory Challenges

Incomplete legislation for cloud services

While the PDPA provides a robust framework for data protection, it does not fully address the unique challenges posed by cloud computing. Key issues such as data localisation, cross-border data transfers, and multi-tenancy complexities remain inadequately addressed in Taiwan’s legal framework.

Data localisation, for instance, is a growing concern, particularly in industries like finance and healthcare, where sensitive data is often required to be stored within Taiwan’s borders to comply with sector-specific regulations. Although the PDPA permits cross-border data transfers under certain conditions, there is no comprehensive legal framework governing data localisation across all sectors. This gap creates uncertainty for businesses and cloud service providers, especially those that operate in multiple jurisdictions or rely on global cloud infrastructure.

Cross-border data transfers present another significant regulatory challenge. Taiwan’s principle of “openness in principle and prohibition by exception” allows personal data to be transferred to other countries, provided that adequate protections are in place. However, the lack of detailed guidelines on managing these transfers, particularly when dealing with jurisdictions that have weaker data protection standards, complicates compliance efforts and increases the risk of data breaches.

The complexities of multi-tenancy, where multiple clients share the same cloud infrastructure, further complicate data protection. The PDPA and its Enforcement Rules do not specifically address the unique risks associated with multi-tenancy, such as data isolation and the potential for unauthorised access by other tenants. This oversight leaves a critical gap in Taiwan’s regulatory framework, increasing the challenges for businesses that rely on shared cloud environments.

Sector-specific compliance

In addition to these broader regulatory gaps, businesses operating in regulated sectors such as finance and healthcare must navigate complex and often stringent compliance requirements. The financial industry, for example, is subject to regulations that require banks to implement detailed internal control measures and conduct regular audits when outsourcing operations to cloud service providers. These regulations are designed to ensure that customer data is adequately protected and that cloud services do not compromise the integrity of financial operations.

The healthcare sector faces similar challenges, with regulations requiring healthcare institutions to adopt robust security measures when using cloud services to manage patient data. These measures include encryption, access controls, and compliance with data localisation requirements, which mandate that electronic health records be stored within Taiwan.

These sector-specific regulations add complexity to the regulatory landscape, particularly for businesses operating across multiple sectors or jurisdictions. Ensuring compliance with these regulations while leveraging the benefits of cloud computing requires a careful balance between operational efficiency and regulatory adherence.

Recent Developments

Focus on data localisation

Data localisation has emerged as a significant trend in Taiwan’s regulatory landscape, particularly in the healthcare and financial sectors. While Taiwan does not have a broad data localisation law, sector-specific regulations increasingly require that certain types of data be stored within the country. For instance, the MOHW mandates that electronic health records must be stored within Taiwan, while the FSC requires that critical customer data in the financial sector be backed up locally.

The emphasis on data localisation reflects growing concerns about data sovereignty and national security. These concerns will likely lead to more stringent data localisation requirements as cloud computing evolves, particularly in sensitive industries. For cloud service providers, this may necessitate significant investments in local infrastructure to comply with these requirements, while businesses must carefully consider the impact of data localisation on their cloud strategies.

Enhanced regulatory oversight

In response to the increasing reliance on cloud computing, the Taiwanese government has intensified its focus on data protection and cybersecurity. This has led to clearer guidelines for cloud service providers, particularly regarding security measures that must be implemented to protect personal data. The government’s increased regulatory oversight is also evident in the Cybersecurity Management Act (CMA), enacted in 2018, which requires critical infrastructure sectors to adopt specific cybersecurity measures.

The CMA mandates that organisations develop cybersecurity management plans, appoint cybersecurity officers, and conduct regular security assessments. It also requires timely reporting of cybersecurity incidents to relevant authorities, typically within one hour of becoming aware of the incident. This heightened focus on cybersecurity underscores the importance of protecting data in cloud environments and aligns with international best practices.

Stakeholder Implications

Cloud service providers

The evolving regulatory landscape in Taiwan presents both challenges and opportunities for cloud service providers. Compliance with the PDPA, sector-specific regulations, and the CMA is essential for ensuring that cloud services are secure and legally compliant. Providers must implement robust security measures, such as encryption, access controls, and regular security audits, to protect personal data and demonstrate compliance with Taiwan’s legal requirements.

Cloud service providers must also be prepared to address emerging trends such as data localisation and increased regulatory scrutiny. This may involve significant investments in local infrastructure and the development of compliance strategies that align with the specific requirements of different sectors. Providers that can effectively navigate these challenges will be well-positioned to capitalise on the growing demand for cloud services in Taiwan.

Businesses utilising cloud services

For businesses that rely on cloud services, ensuring compliance with Taiwan’s data protection laws is critical for safeguarding personal data and avoiding regulatory penalties. This requires a comprehensive approach to due diligence when selecting cloud service providers, focusing on security, compliance, and contractual safeguards.

Businesses must also ensure that their use of cloud services aligns with sector-specific regulations and implement appropriate security measures to protect personal data. This includes conducting regular audits and assessments of cloud service providers to ensure that they meet all legal and contractual obligations. Moreover, businesses must be vigilant in supervising cloud service providers, particularly when outsourcing the management of personal data, to ensure that they adhere to the agreed-upon terms and comply with the PDPA and other relevant regulations.

In addition to compliance, businesses must also consider the strategic implications of data localisation. Companies must weigh the benefits of cloud computing against the potential challenges of data localisation and ensure that their cloud service agreements account for these requirements.

Data subjects

Data subjects in Taiwan are granted significant rights under the PDPA, including the right to access, rectify, and erase their personal data. These rights are particularly important in cloud computing, where personal data may be stored and processed across multiple jurisdictions. Businesses and cloud service providers must ensure that data subjects can easily exercise these rights and that their data is handled transparently and securely.

Future Trends

Emergence of cloud-specific regulations

As cloud computing continues to evolve, there is a growing recognition of the need for specific regulations addressing the unique challenges cloud services pose. Potential areas of regulation include data ownership, liability, service level agreements (SLAs), and the responsibilities of cloud service providers and customers.

These regulations could provide greater clarity and certainty for businesses and cloud service providers while also enhancing personal data protection in cloud environments. The development of cloud-specific regulations would help Taiwan align with international best practices and address the growing complexities of cloud computing, particularly in sectors where data sensitivity is high.

Focus on data sovereignty and localisation

Data sovereignty, the concept that data is subject to the laws and governance structures within the nation where it is collected, is likely to gain prominence in Taiwan’s regulatory landscape. As national security and data privacy concerns increase, there may be more stringent requirements for data to be stored and processed within Taiwan’s borders. This focus on data sovereignty could lead to the development of more comprehensive data localisation laws and impact the strategies of businesses and cloud service providers.

For cloud service providers, this trend may necessitate local data centres and infrastructure investments to comply with localisation requirements. Businesses will need to carefully consider the implications of data sovereignty on their cloud strategies, particularly in terms of cost, scalability, and compliance. The growing importance of data sovereignty may also drive greater collaboration between businesses and cloud service providers to ensure that data is managed in accordance with local laws and regulations.

Integration of cybersecurity and data protection

Integrating cybersecurity and data protection regulations is another key trend that will likely shape the future of cloud computing in Taiwan. As cyber threats become more sophisticated, there is a growing need for a unified approach to cybersecurity and data protection that ensures the security and integrity of data in cloud environments.

Future regulatory frameworks may place greater emphasis on the integration of cybersecurity and data protection measures, with a focus on enhancing compliance and reducing the risk of data breaches. This could include the development of more detailed guidelines for cloud service providers and businesses, as well as increased regulatory oversight and enforcement.

International collaboration on data protection standards

Given the global nature of cloud computing, international collaboration on data protection standards is becoming increasingly important. Harmonising data protection standards across jurisdictions could help reduce the complexity of cross-border data transfers and ensure that personal data is adequately protected, regardless of where it is stored or processed.

For Taiwanese businesses, international collaboration on data protection standards could provide significant benefits, including greater certainty and reduced compliance costs. Businesses that operate across multiple jurisdictions may find it easier to manage their data protection obligations if there is greater alignment between Taiwan’s regulations and those of other countries.

Increased regulatory scrutiny and compliance requirements

With the rise of cloud computing, regulatory authorities are likely to increase scrutiny of organisations’ compliance with data protection laws. This trend will manifest in more frequent audits, assessments, and enforcement actions aimed at ensuring that businesses adhere to legal requirements. As a result, organisations must prioritise compliance as a core aspect of their cloud strategies.

To navigate this heightened scrutiny, businesses will need to invest in compliance management systems that facilitate ongoing monitoring and reporting. This may involve adopting advanced technologies, such as artificial intelligence and machine learning, to automate compliance processes and identify potential risks. By proactively addressing compliance challenges, organisations can mitigate legal risks and build trust with customers.

The role of artificial intelligence in compliance

Artificial intelligence (AI) is expected to significantly influence the future of compliance in cloud computing. As businesses increasingly rely on AI for tasks such as data analytics, customer service, and decision-making, ensuring that these technologies align with data protection laws becomes essential.

AI can strengthen compliance efforts by automating the processing of data, detecting anomalies in data handling, and providing insights into potential compliance issues. For example, AI-driven tools can monitor data access patterns to identify unauthorised activities or flag unusual processing behaviours that could breach legal requirements. By integrating AI into their compliance frameworks, organisations can better protect personal data while fully leveraging the advantages of cloud computing.

Conclusion

The future of cloud computing in Taiwan is shaped by a complex and evolving regulatory landscape. As cloud adoption continues to grow, the legal framework must keep pace with technological developments, addressing the unique challenges cloud services pose while ensuring personal data protection and compliance with data protection standards.

Stakeholders, including cloud service providers, businesses, and data subjects, must remain vigilant and adaptable as the regulatory environment evolves. By addressing regulatory gaps, enhancing sector-specific regulations, and fostering international collaboration, Taiwan can create a robust and adaptive legal framework that supports the continued growth of cloud computing while protecting the rights and interests of all stakeholders.

