Cloud Computing 2024 Comparisons

In Taiwan, while there is no specific legislation directly regulating cloud computing for private enterprises or cloud service providers, the processing of personal data in cloud environments falls under the scope of the Taiwan Personal Data Protection Act (PDPA). This act mandates that all government agencies and private enterprises utilising cloud services adhere to the PDPA and its associated Enforcement Rules (“Enforcement Rules”) when collecting, processing, or using personal data. Further, if a cloud service provider is engaged by these entities to manage personal data, the provider acts as an agent of the commissioning entity, and, under Article 4 of the PDPA, the provider must follow the same regulations that govern the original data controller, ensuring consistency and compliance across the board.

Definition of Personal Data and Sensitive Personal Data

The PDPA defines personal data as information that can directly or indirectly identify a natural person, which includes but is not limited to a person’s name, date of birth, national identification card number, passport number, physical characteristics, fingerprints, marital status, family information, educational background, occupation, medical records, healthcare information, genetic data, sexual life, physical examination records, criminal records, contact information, financial status, and social activities. Sensitive personal data, which includes medical records, healthcare information, genetic data, sexual life, physical examination records, and criminal records, is subject to stricter regulations and can only be collected, processed, or used under specific conditions as outlined in Article 6 of the PDPA.

Specific Purpose for Collection, Processing and Use of Personal Data

Under the PDPA, any collection, processing, or use of personal data in the cloud must be grounded in a clearly defined purpose with a valid legal basis, as required by Articles 19(1) and 20(1) of the PDPA. Entities must inform data subjects about the purpose of data collection, whether the data is obtained directly from them or through other means.

Regulations for Personal Data in Specific Fields of Cloud Computing

Cloud service providers are required to implement appropriate security measures to protect personal data, as required by Article 27 of the PDPA (see 2.1 Data Security and the Cloud for details of the security measure). If cloud computing involves industries where the central government authority in charge of the industry concerned mandates the establishment of a personal data file security plan, providers must also adhere to the specific personal data security regulations for that industry when collecting, processing, and using personal data. In addition, private enterprises or cloud service providers that use personal data in the banking industry or in the healthcare industry must not only comply with the requirements of the PDPA but also the following provisions:

• Banking industry: For customer data in the banking sector, if a bank outsources operations involving the use of cloud services, it must comply with the internal control, audit, and supervision measures stipulated in Article 19 of the Regulations Governing Internal Operating Systems and Procedures for Outsourcing of Financial Institution Operation (“Outsourcing Regulations for Financial Institutions”). Additionally, banks using cloud services can refer to the Standards for Outsourcing Operations Using Cloud Services by Financial Institutions and the Guidelines on Applying Emerging Technologies by Financial Institutions to establish management measures for cloud-based customer data.
• Healthcare industry: Healthcare institutions that use cloud services or commission an entrusted entity to provide cloud services for collecting, processing, or using electronic medical records must also comply with the relevant control and supervision measures outlined in Article 8 of the Regulations Governing Production and Management of Electronic Medical Records by Healthcare Institutions.

Information Obligation and Supervisory Obligation

When utilising cloud services to collect or process an individual’s personal data, government and private enterprises in Taiwan must inform individuals about the purpose, scope, and rights related to their personal data before such collection or processing (Information Obligation). This includes providing clear information about the use of cloud service providers and how personal data will be managed, stored, and protected within the cloud environment.

Further, government and private enterprises that engage cloud service providers to handle personal data are required to supervise and ensure that these providers implement robust internal controls and data management practices in compliance with PDPA standards (Supervisory Obligation). This supervision involves regularly auditing cloud providers, verifying that appropriate security measures are in place, and ensuring that data processing activities adhere to the agreed-upon terms and legal requirements. For detailed information on supervisory obligations, please refer to 4.1 Due Diligence.

* The authors would like to thank David Hung for his research and contribution to this chapter.

Taiwan generally permits the cross-border transfer of personal data under the principle of “openness in principle and prohibition by exception”. The central government authority responsible for a particular industry may impose restrictions where major national interests are involved, where:

• an international treaty or agreement requires such restrictions; 
• the receiving country lacks adequate regulations for the protection of personal data and the rights and interests of data subjects may be harmed as a result; or
• the cross-border transfer of personal data to a third country or territory is intended to circumvent the PDPA.

There are currently three restrictions in place:

• In 2012, the National Communications Commission restricted the transfer of users’ personal data to Mainland China by communications enterprises.
• In 2022, the Ministry of Health and Welfare imposed similar restrictions on social worker offices.
• In 2023, the Ministry of Labor restricted the transfer of clients’ personal data by manpower agencies to Mainland China.

To ensure compliance with these cross-border transfer restrictions, cloud computing service providers are required to establish a personal data security maintenance plan that ensures compliance with any restrictions imposed by central authorities and includes mechanisms for informing data subjects about where their data is being transferred. Further, providers must supervise the recipient’s use of the data to ensure it is handled according to the agreed-upon terms, and they must safeguard the rights of data subjects to access, correct, or delete their data.

In Taiwan, there are no specific laws or regulations that impose penalties exclusively for cloud computing. However, failure to comply with Taiwan’s PDPA and related specific industry data privacy regulations, such as those for the healthcare and finance industries, can result in criminal, civil, and administrative liabilities.

Criminal Liability

If an individual intentionally violates specific provisions of the PDPA – such as those governing the handling of sensitive personal data, general data processing requirements, or restrictions on cross-border data transfers – with the intent to gain unlawful benefits or harm another person’s interests, and this results in damages to others, they may face imprisonment for up to five years and/or a fine of up to TWD1,000,000.

Furthermore, if a person unlawfully alters or deletes personal data files or otherwise compromises their accuracy, causing damage, they may also be subject to the same penalties: imprisonment for up to five years or detention and a fine of up to TWD1,000,000.

Civil Liability

If a private enterprise violates the provisions of the PDPA and causes personal data to be illegally collected, processed, used, or otherwise infringes upon the rights and interests of data subjects, it is liable to compensate the data subjects for damages unless it can prove that such damages were not caused by the private enterprise’s intentional or negligent act.

Administrative Liability

If a private enterprise violates key provisions of the PDPA – such as those concerning the handling of sensitive data, the processing of personal data, or restrictions on cross-border transfers – it may be fined between TWD50,000 and TWD500,000. The central government authority or local government will mandate that the violation be corrected within a specified timeframe. If the agency fails to comply, fines will be imposed for each instance of the violation.

For other violations, such as failing to establish a security and maintenance plan for personal data or improperly handling personal data after business termination, fines can range from TWD20,000 to TWD2,000,000. In cases of serious violations, fines can escalate up to TWD15,000,000 per occurrence.

The Ministry of Digital Affairs has established the Personal Data Management Regulations for Digital Industry, requiring cloud service providers to implement appropriate risk control measures for cloud data. Key requirements include the following:

• Security maintenance plan – cloud service providers must plan and establish a personal data file security maintenance plan and ensure that employees are aware of personal data protection management policies.
• Regular inspections – providers must regularly inspect and confirm the status of collected, processed, or utilised personal data and define the scope included in the security maintenance plan.
• Risk assessment – providers must regularly assess potential risks and adopt appropriate security measures based on the results of these assessments.
• Internal management procedures – providers must establish internal management procedures to ensure compliance with personal data protection laws during data collection, processing, or utilisation.
• Information security measures – providers must implement appropriate encryption and back-up protection measures, establish firewalls for information security management to prevent external network intrusions, and regularly update these measures.
• Monitoring and drills – providers must set up monitoring mechanisms for abnormal access behaviours and conduct regular drills to test response mechanisms.
• Antivirus and malware protection – providers must continuously update and execute antivirus software and perform regular malware detection.
• Authentication mechanisms – providers must configure authentication mechanisms with a certain level of complexity for information systems.
• Data anonymisation – when testing information systems that handle personal data, providers must avoid using real personal data; if real data is used, providers must establish usage regulations and implement anonymisation mechanisms to mask personal data appropriately.
• System reviews – Providers must regularly review information systems that process personal data and ensure that system changes do not compromise security.

Further, to enhance access control and permissions for cloud-based personal data, cloud service providers should conduct awareness campaigns and educational training on personal data protection for their personnel and establish confidentiality obligations with employees. Upon an employee’s departure, providers must require the return of any media containing personal data and ensure the deletion of any personal data held for business purposes.

Regarding the response, notification, and prevention mechanisms for personal data security incidents by cloud service providers, cloud service providers should establish procedures to control damage, notify affected individuals, and develop corrective and preventive measures post-incident. If a personal data security incident jeopardies normal operations or significantly impacts the rights of many individuals, it must be reported to the Ministry of Digital Affairs within 72 hours. Please refer to 5.2 Investigating and Remedying Data Breaches and 5.3 Notifying Data Breaches for detailed notification mechanisms and procedures.

Ownership of Personal Data

In practice, cloud agreements in Taiwan generally specify that ownership of the information, which includes any personal data stored in the cloud, belongs to the cloud service user. Further, private enterprises in certain industries are required to ensure that the cloud agreements provide certain safeguards. For example, under the Outsourcing Regulations for Financial Institutions, banks are required to retain full ownership of the data and are responsible for ensuring that the cloud service provider does not access customer data except for executing the outsourced services and does not use it beyond the scope of the outsourcing arrangement.

Rights of Data Subjects

Data subjects have the same general rights over their data in the cloud as they do under general circumstances – ie, the right to:

• inquire or request a review of their personal data;
• request a copy of their personal data;
• request supplementation or correction of their personal data;
• request cessation of collection, processing, or use of their personal data; and
• request deletion of their personal data.

It should be noted that the above rights are not absolute. For example, in certain fields, such as healthcare, data subjects may have restricted rights to request deletion, as seen with the National Health Insurance Medical Information Cloud Query System, which manages patient data across different medical institutions, including medical visits, medications, and surgeries, ensuring that physicians and pharmacists can access recent medical and medication records when providing clinical treatment or consultations. Data subjects do not have a right to have their personal data stored on this system deleted.

To exercise the above rights, the data subject may submit a request to the cloud service provider. The cloud service provider must approve or reject inquiries or requests for reviews of personal data within 15 days of receipt. For the other requests mentioned above, the cloud service provider must approve or reject the request within 30 days of receipt.

In Taiwan, there are currently no specific laws or regulations that ensure or mandate data portability in the cloud. Consequently, the ability to transfer data between cloud providers typically depends on the terms of individual service agreements and the technical capabilities provided by cloud service providers.

Cloud service providers are responsible for managing data retention and deletion policies in compliance with the PDPA.

Providers may delete or cease processing or using the data if the specific purpose for data collection no longer exists, in compliance with a data subject’s request to delete their personal data, or the retention period has expired. Providers must retain records of the deletion process, including details on the method, time, and location, for at least five years.

While the PDPA does not establish specific due diligence requirements for selecting a cloud service provider, in practice, when choosing a cloud service provider, due diligence should focus on several key areas:

• ensuring the provider adheres to relevant security standards and data protection regulations, such as the PDPA in Taiwan;
• reviewing the provider’s policies on data retention, deletion, and recovery, including their procedures for handling data breaches;
• evaluating the provider’s uptime guarantees, disaster recovery capabilities, and service level agreements (SLAs);
• assessing the provider’s track record, including customer reviews and any history of security incidents;
• verifying the provider’s compliance with industry-specific regulations, especially in sectors like finance and healthcare; and
• scrutinising the terms related to data ownership, access control, and exit strategies to ensure they align with business needs.

When conducting the due diligence, the private enterprise should also consider that it is required, as the commissioning agency, to supervise the cloud service provider’s compliance with the PDPA and the Enforcement Rules, which include:

• supervising the scope, categories, specific purposes, and duration for which the outsourced entities plan to collect, process, or use personal data;
• supervising the security maintenance measures adopted by the outsourced entities;
• confirming any agreed subcontractors if the outsourced entities use them;
• requiring the outsourced entities to notify and take remedial measures if they violate the PDPA or other relevant personal data protection laws and orders; and
• ensuring that the outsourced entities return personal data carriers or delete personal data upon termination or dissolution of the outsourcing relationship.

Therefore, when selecting a cloud service provider, the commissioning agency must confirm that it can effectively exercise the aforementioned supervision over the provider.

Specific Provisions in the Financial Sector

When banks outsource cloud service providers to collect, process, or use personal data, they must establish and implement procedures for selecting the outsourced entities and evaluate the following items:

• confirm that the outsourced activities fall within the legally permissible business scope of the cloud service provider;
• evaluate the cloud service provider’s qualifications, service levels, recovery capabilities, back-up mechanisms, supply chain relationships, responsibility attribution, and information security measures; and
• assess the platforms, protocols, interfaces, and file formats provided by the cloud service provider to ensure interoperability and portability.

The securities and futures industries, as well as the insurance industry, are subject to similar regulations.

Specific Requirements for Government Departments

When government agencies build or use cloud services, the outsourced cloud service providers must meet the following conditions:

• The provider must not be from Mainland China, including Hong Kong and Macao.
• The information and communication products (including software, hardware, and services) used to provide the agency’s cloud services must not be of Mainland Chinese origin or brand.
• Domestic team members (including subcontractors) performing outsourced cloud services must not include individuals from Mainland China. For overseas team members, they must have personnel security control mechanisms that meet relevant international standards and pass verification.
• The physical locations for data access, back-up, and recovery within the cloud services must not be situated in Mainland China, including Hong Kong and Macao.

As stated in 4.1 Due Diligence, cloud service providers handling personal data as part of an outsourcing arrangement are subject to the supervision of the commissioning agency. The parties must clearly specify the matters and scope of supervision in the outsourcing contract. Additionally, cloud service providers should be aware that when companies from other industries outsource them to collect, process, or use personal data, they must comply with the relevant personal data regulations set by the central competent authority of the commissioning party’s industry.

Specific Provisions for the Financial Industry

When banks outsource cloud service providers to collect, process, or use personal data, they must include the following provisions in the contract to ensure personal data security:

• Confidentiality and security measures: The contract must include confidentiality and security measures for customer data.
• Immediate notification: The outsourced party must immediately notify the financial institution in the event of significant abnormalities or deficiencies in the outsourced services.

To further ensure compliance with relevant personal data protection regulations, financial regulations establish the following mechanisms:

• Prohibition on sub-delegation: In principle, sub-delegation is prohibited.
• Outsourcing abroad: If significant consumer finance business information systems are outsourced abroad, banks must confirm that the outsourced institution’s use, processing, and control of customer data comply with the PDPA. Additionally, banks must retain complete audit records and list them as key audit items.
• Enforcement actions: If the outsourced party violates these regulations or other laws, competent authorities may, depending on the severity, notify banks to terminate the outsourcing according to contractual provisions, require the outsourced party to make improvements within a specified period, or suspend the outsourcing until the necessary improvements have been confirmed.

The Ministry of Digital Affairs has issued guidelines recommending that data processing agreements clearly outline the cybersecurity responsibilities of cloud service providers, clients, and third parties, such as:

• defining the secure usage environment for the service and specify the cybersecurity measures or tools that should be adopted;
• clearly stipulating the obligations of the commissioning agency, such as regularly updating systems and software, installing designated cybersecurity measures or tools, and conducting regular training sessions;
• clearly stipulating the obligations of the outsourced party (cloud service provider), such as ensuring website security and designing encrypted data transmission channels; and
• if cloud servers or cloud storage space are leased, outlining the connection architecture and clarifying which party is responsible for data storage and protection management.

Further, the Outsourcing Regulations for Financial Institutions require that data processing agreements for cloud services outsourced by a bank must include, but are not limited to, the following:

• scope and responsibilities – a clearly defined scope of the outsourced matters and the rights and responsibilities of the outsourced institution;
• legal compliance – representations that the cloud service provider does not violate laws, public order, or good morals;
• dispute resolution – mechanisms for resolving consumer disputes;
• contract termination – material reasons for terminating the outsourcing contract, including clauses where competent authorities notify the parties that the termination or cancellation of the contract;
• regulatory access – agreement by the cloud service provider that, within the scope of the outsourced matters, competent authorities and the Central Bank may obtain relevant data or reports and conduct financial inspections; and
• obligations for overseas outsourcing – if significant consumer finance business information systems are outsourced abroad, obligations of the bank with respect to system migration, data processing, and the liability for service interruptions in the event that the outsourced operations need to be transferred to another cloud service provider or back to the bank.

Termination and Exit Strategies for Cloud Service Agreements

In general, cloud service agreements typically include provisions that outline conditions for early termination, including any penalties or notice periods, and provide that, upon termination, there is a data retrieval period during which clients can access and download their data. After this period, data is handled according to the cloud service provider’s personal data security maintenance plan, which must include procedures for legally destroying, transferring, deleting, or ceasing the processing or use of personal data after the termination of business operations. The cloud service provider is to implement these procedures strictly, and records of such implementation should be retained for at least five years.

In addition to general obligations, the financial industry imposes specific requirements when a cloud service provider terminates services to banks, securities and futures firms, or insurance companies. According to the self-regulatory norms, the cloud service provider must delete or destroy all relevant cloud data, including images, customer data, back-ups, and other related information. Furthermore, the provider must issue a certificate confirming the complete deletion of the data.

Migration of Data and Services from One Cloud Provider to Another

There is no right of data portability in Taiwan, and cloud service providers are not legally required to facilitate the migration of data and services to another cloud provider when the user decides to terminate services. Therefore, data and service migration in Taiwan is governed by the contractual arrangements between the cloud service providers and the user.

In practice, when a financial institution plans to migrate data cloud service from one provider to another, the financial institution should consider the potential impact of cloud services on the continued operation of the financial institution and develop a detailed exit plan that includes the following stages:

• Pre-exit assessment – the financial institution should:
1. assess the resources required for migration and conduct pre-exit assessment;
2. confirm whether existing resources are sufficient to cope with the migration process and future operational needs; and
3. inventory the data and resources to be returned or transferred, plan temporary alternative tools, and assess the costs associated with system migration or data export.
• In-process handling – the financial institution should execute preparatory tasks for data transfer, utilise the mechanisms provided by the cloud service provider to carry out the data transfer, and conduct data integrity verification tests.

• Post-confirmation – the financial institution should confirm the completion of system migration or data migration, confirm and test the migrated cloud service and obtain user feedback to continuously adjust the operation process.

Personal Data Protection Act

Private enterprises designated by the competent authority under Article 27, Paragraph 2 of the PDPA are required to establish a personal data file security maintenance plan. In the event of a personal data breach, these agencies should notify the competent authority within a specified time frame (usually within 72 hours) using the prescribed method, in accordance with their respective regulations. However, this notification is not a statutory obligation explicitly stipulated by the PDPA. Consequently, the competent authority of the industry cannot impose penalties solely because a private enterprise failed to notify according to the notification mechanism outlined in the security maintenance regulations.

Cybersecurity Management Act

Additionally, if an entity is designated by the competent authority as a provider of critical infrastructure in fields such as energy, water resources, communications and broadcasting, transportation, banking and finance, emergency rescue, hospitals, central and local government agencies, or high-tech parks under the Cybersecurity Management Act, it must report cybersecurity incidents within one hour of becoming aware of the incident, following the method specified by the central competent authority.

According to Article 21 of the Cybersecurity Management Act, if an entity fails to report a cybersecurity incident, it shall be fined between TWD300,000 and TWD5 million by the central competent authority and ordered to make corrections within a specified period. If corrections are not made within that period, fines may be imposed consecutively.

Disclosure of Material Information by Listed Companies

If a listed company experiences a cybersecurity incident that causes significant damage or impact to the company, it must disclose this as material information. This includes incidents where the company’s information systems, official website, or other digital assets are hacked, damaged, altered, deleted, encrypted, stolen, or subjected to denial-of-service attacks (DDoS), resulting in an inability to operate or provide normal services, or if there is a risk of leakage of personal data or internal document files. The content or explanation of such material information must be reported through the designated internet information reporting system within the specified timeframe.

According to Article 8 of the Personal Data Management Regulations for Digital Industry, industries must formulate “contingency measures to be taken after an incident” and “a mechanism for developing corrective and preventive measures” in response to security incidents such as theft, modification, destruction, loss, or leakage of personal data. Information service providers may investigate the cause of such incidents by retrieving logs to check whether there are abnormal IPs, searching for vulnerabilities in backend systems and frontend websites through information security checks (including code detection, penetration testing, vulnerability scanning, etc), and researching hacking paths to find other possible causes (eg, employees being attacked by social engineering and taking advantage of it), etc. Service providers should focus on investigating their own systems and websites while also assisting their customers in the investigation.

Examples of Remedial and Preventive Measures

• Improvement of information security measures:
1. patching of vulnerabilities and partial or complete improvement of system security protection measures (eg, system architecture changes, strengthening of firewalls, encryption of transmission channels, encryption of databases, etc) through the identified causes of the incidents.
• Changes in personal information handling:
1. implement data minimisation principles, such as masking sensitive data when transmitting personal information; and
2. modify the content of personal data collected, change the methods of data transmission, and adjust the location and methods of data storage.
• Re-evaluation of information security responsibility with the customer:
1. assess whether the customer can bear the cost of necessary data security protections; and
2. re-establish data security responsibilities in the contract, or consider not renewing the contract if the customer cannot meet the required security standards to avoid placing excessive risk on the information service provider.

Notification to the Subject

The PDPA requires that data subjects be notified via appropriate means after relevant facts have been clarified where the data subject’s personal data has been stolen, disclosed, altered, or otherwise infringed upon due to a violation of the PDPA by a government or private enterprise. “Notification by appropriate means” includes verbal communication, written notice, phone calls, text messages, email, fax, electronic documents, or other methods that effectively convey the information to the data subjects. However, if direct notification involves disproportionate costs, the agency may, considering technical feasibility and privacy protection, notify the data subjects through the internet, media, or other suitable and public means.

Notification to Competent Authorities

Private enterprises designated by the competent authority to establish a personal data file security maintenance plan, under Article 27, Paragraph 2 of the PDPA, must notify the competent authority in a specified manner within a specified period, as dictated by the regulations of the competent authority in each industry. For instance, if a business in the digital economy sector encounters a personal data security incident that jeopardises its normal operations or the rights and interests of a large number of individuals, it must notify the Ministry of Digital Affairs using a designated notification form within 72 hours of learning about the incident. The notification must include:

• basic information and contact details of the business;
• the time of occurrence of the data breach;
• the type of incident;
• the number and type of personal data involved;
• the cause of the incident;
• the status of the damage;
• the potential consequences;
• the countermeasures to be taken; and
• the time and method of notification to the affected data subjects.

How to Co-ordinate Data Breach Notification with Cloud Service Providers

Data collectors hold ultimate responsibility for notifying relevant parties in the event of a data breach. If a private enterprise entrusts a cloud service provider to collect, process, or use personal data, the private enterprise must appropriately supervise the cloud service provider and explicitly stipulate in the entrustment contract or related documents that, upon learning of a data breach, the cloud service provider is obligated to notify the private enterprise immediately and assist them in notifying the competent authorities.

Cross-border Transfer of Cloud Computing Data

For the cross-border transfer of personal data under the PDPA, please refer to 1.2 Data Privacy and Cross-Border Transfers. Further, certain industries have more stringent requirements for cross-border data transfers. For example, under the Outsourcing Regulations for Financial Institutions, if a financial institution outsources operations outside of Taiwan, and the financial authority in the location of the outsourced institution requests information about its customers in Taiwan, the financial institution must first notify the Taiwan competent authority and obtain its consent before providing the information. Furthermore, when a financial institution outsources its operations and entrusts its information system for major consumer finance business to a foreign country, it must submit the necessary documents to the competent authority for approval.

Data Protection in International Transmission Contracts

When international transmission involves entrusting a cloud service provider to process personal data, Article 8 of the Enforcement Rules requires that commissioning agencies supervise the cloud service provider and explicitly stipulate the relevant terms in the entrustment contract or related documents. The commissioned cloud service provider is permitted to collect, process, or use personal data only within the scope defined by the commissioning agency.

Further, when a private enterprise in an industry designated by the competent authority engages in international data transmission, it must comply with several requirements. First, the private enterprise must examine whether the competent authority has issued any restrictions on international transmission in accordance with Article 21 of the PDPA. The private enterprise must also inform the data subject of the region to which their personal data will be transmitted, as required by Article 8 of the PDPA. Furthermore, the private enterprise is responsible for supervising the data recipient, and these obligations should be clearly stipulated in the contract.

Data Localisation Regulations

Certain types of data must be stored within Taiwan, according to relevant regulations, as detailed below.

Electronic medical records of medical institutions

According to Article 8, Paragraph 2 of the Regulations Governing Production and Management of Electronic Medical Records by Healthcare Institutions, and the Ministry of Health and Welfare’s announcement, the data storage location for cloud services used by medical institutions refers to the physical location of cloud service access, back-ups, and back-up data (including temporary data storage). Unless otherwise approved by the competent authority, these storage locations must be within the territory of Taiwan, and the cloud service provider must not be a company from the People’s Republic of China (PRC).

Customer data entrusted to cloud service providers by financial institutions

According to the Outsourcing Regulations for Financial Institutions, when a financial institution’s outsourced operations involve cloud-based services, customer data from material retail financial business information systems should be stored within Taiwan. If the data is stored offshore, back-ups of important customer data must be retained in Taiwan unless the competent authority grants approval otherwise.

Impact of Data Localisation on Cloud Computing

Relevant industries may prefer to work with localised cloud service providers or vendors that can store data within Taiwan. Foreign cloud service providers may need to establish data centres in Taiwan to comply with these regulatory requirements.

Scope of Application of Personal Information Law and Conflict of Laws

According to relevant interpretations of the PDPA and based on the principle of territoriality, personal data collected, processed, and used within Taiwan is generally subject to the PDPA. Further, under Article 51(2) of the PDPA, the law also applies to government and private enterprises outside Taiwan when they collect, process, or use the personal data of Taiwanese nationals. Therefore, the PDPA applies to Taiwan’s government, individuals, or private sector entities that handle the personal data of Taiwanese people, even when this occurs outside Taiwan’s territory.

Regarding private disputes, the Act Governing the Choice of Law in Civil Matters Involving Foreign Elements does not explicitly specify which country has international jurisdiction over a foreign matter. The court will determine jurisdiction based on a comprehensive evaluation of the international civil litigation interests involved, the connection between the case and a particular country (jurisdiction), and by considering the jurisprudence of domestic civil litigation regulations and international civil judgment rules. The court will weigh the substantive fairness to the parties and the procedural expediency and economy to decide whether Taiwanese courts have jurisdiction. To avoid disputes, it is advisable to expressly provide for jurisdiction and applicable law in the relevant contractual documents.

Risks and Challenges of International Data Transmission in the Cloud

The development of the internet has made it challenging to determine whether the behaviour and outcomes of data processing in the cloud occur within Taiwan’s territory. This ambiguity complicates businesses’ efforts to ascertain whether they must comply with the relevant provisions of the PDPA, thereby increasing both compliance costs and the risk of legal violations. Additionally, the nature of cloud data transmission complicates the ability of competent authorities to determine the scope of their jurisdiction, making enforcing the PDPA more difficult.

Cloud service providers must establish a personal data security audit mechanism, regularly assess the implementation status of their security maintenance plan, and produce an evaluation report.

The audit mechanism should encompass key areas such as “operational management”, “technical protection”, “legal compliance”, and “operational process”. Specific audit focus areas may include:

• identifying personnel and resources responsible for personal data protection management;
• defining and inventorying the scope of personal data, including confirming the current status of personal data collected, processed, or used;
• conducting risk assessment and management;
• reviewing mechanisms for incident prevention, notification, and response; and
• evaluating internal management procedures related to personal data.

Personnel or Units Responsible for Conducting Audits

Cloud service providers are advised to appoint personnel with expertise in legal and information security to conduct internal audits to ensure the integrity and accuracy of audit reports. Further, they may engage third-party verification organisations to perform external audits in accordance with personal data protection regulations and international standards, such as BS 10012 and ISO 27701.

Records of Audit Results and Response Measures

• Retention of audit records: Records of audits must be retained for at least five years.
• Response measures for audit results:
1. Data deletion – if it is found that the specific purpose for which personal data was collected no longer exists or the retention period has expired, the personal data should be deleted, or its processing and utilisation should cease.
2. Addressing deficiencies – if deficiencies are identified during the audit, the causes should be investigated, improvement measures should be evaluated and implemented, and the effectiveness of these measures should be assessed. The entire process should be thoroughly documented.

Penalties

Violations of the aforementioned personal data audit regulations can result in fines ranging from TWD20,000 to TWD2,000,000. In cases of serious violations, or if the entity fails to rectify the non-compliance as instructed by the competent authority, fines may range from TWD150,000 to TWD15,000,000 and may be imposed per violation.