Contributed By Chen & Lin Attorneys-at-Law
The Personal Data Protection Act (PDPA) is the primary law regulating personal data protection. The PDPA was first enacted in August 1995 under the name Computer-Processed Personal Data Act, and at that time regulated governmental agencies and certain private sectors. The PDPA, effective from 1 October 2012, regulates any person, including governmental agencies and all private sectors, who collects, processes or uses personal data. Privacy and personal data protection are related to the constitutional protection of privacy.
In addition to the PDPA, the Legislative Yuan has also enacted certain special data protection requirements in some sector-specific laws, such as the Insurance Act, the Financial Holding Company Act, the Banking Act, the Human Biobank Management Act, the Pharmaceutical Affairs Act and the National Sports Act.
Further, if the trade secret of an enterprise is involved, the Trade Secrets Act may apply. If an offence against computer security is involved, the criminal sanctions of the Criminal Code of the Republic of China (the Criminal Code) may apply. If any national security issue is involved, the National Security Act may apply.

Although the Executive Yuan issued the Information Security Management Directions for the Executive Yuan and its Subordinate Agencies in 1999, for around two decades there was no specific law in Taiwan directly addressing the general and primary standard of cyber-security and regulating cyber-security matters applicable to all industries. During that period, cyber-security was addressed only incidentally in certain sector-specific laws and regulations that set out data protection requirements. In June 2018, the Information and Communication Security Management Act (ICSMA) was enacted. This act, effective from 1 January 2019, aims to establish a primary and general law regulating the cyber-security systems of governmental agencies and private sectors.
The Ministry of Justice (MOJ) is the main regulator for personal data protection. The MOJ is in charge of proposing the draft bill of the PDPA, promulgating the Enforcement Rules of the PDPA and issuing various interpretations to answer questions in respect of compliance with the PDPA.
The enforcement of the PDPA is administered by the central governmental authorities that supervise the business operation of non-governmental agencies and local government authorities. Both central and local governmental authorities have the power to:
Under the ICSMA, the regulator for governmental agencies will be the supervising governmental authority. If there is no such supervising governmental authority, the regulator will be the Executive Yuan. The regulator for non-governmental agencies will be the relevant central governmental authorities. In the event of the cyber-security requirement addressed in sector-specific laws and regulations, the regulator will be the relevant governmental authority specified thereunder.
Under the PDPA, central and local governmental authorities have the power to conduct audits and inspections of non-governmental agencies. For such an audit or inspection, the authorities may access the premises of non-governmental agencies, require information, and copy and retain documents. If the non-governmental agency refuses to provide the information and documents, the authorities may, using the least harmful means, adopt compulsory measures to obtain them. The non-governmental agency may raise an objection against such compulsory measures. However, if the governmental authority refuses to change the compulsory measures, the non-governmental agency may only contest them in the proceeding in which it contests the administrative decision on the merits.
Except for the foregoing investigation procedure and the procedural complaint procedure, there are no special procedures regulating the administrative process in respect of the investigation and penalties imposed, or the respondent's due process and appeal rights and procedures. The general administrative laws – such as the Administrative Procedure Act, the Administrative Appeal Act and the Code of Administrative Procedure – will govern.
The national system in respect of data protection adopts an 'APEC-EU referential' approach. The meeting minutes of the Executive Yuan in connection with the approval to submit the draft bill of the PDPA to the Legislative Yuan noted that the PDPA incorporates certain provisions of Directive 95/46/EC. In addition, Taiwan, as one of APEC's member economies, executed the APEC Privacy Framework. The APEC Privacy Framework sets out nine principles in respect of privacy protection, and the PDPA also incorporates the principles guided by the APEC Privacy Framework.

In 2011, APEC developed the Cross-Border Privacy Rules (CBPR) system, under which companies trading within the member economies develop their own internal business rules consistent with the APEC privacy principles to secure cross-border data privacy. Taiwan joined the CBPR system in December 2018.
All major laws regulating privacy and personal data protection are at the national level. The relevant regulations at the subnational level are solely relevant to the implementation of those national laws and regulations by the differently functioning bureaus of local government.
The major privacy or data protection NGOs include (i) the Data Protection Association of the Republic of China, an organisation focusing on promoting cybersecurity and data protection by way of giving data protection lectures, advising on encryption methods and providing a data protection consultation service; and (ii) the Taiwan Association for Human Rights, an independent NGO focusing on human rights protection, including privacy and personal data protection, by way of policy watching, monitoring and advocacy.
SROs (Industry Self-Regulatory Organisations)
Certain SROs in respect of a specific industry, in particular the financial industry, provide guidance to their members in connection with data protection, confidentiality and cyber-security. For example, (i) the Bankers Association of the Republic of China provides guidance advising members to take certain data protection measures, including keeping clients' information confidential, establishing a safety control mechanism for data protection and reporting to the competent authority pursuant to the laws and regulations when a data breach occurs; and (ii) the Life Insurance Association (LIA) of the Republic of China provides self-regulatory rules on handling cyber-security and data protection, which require its members, for example, to adopt rules regarding the use of mobile devices (including 'bring your own device'), the use of social network media and the use of cloud services; to establish cyber-security and data protection mechanisms pursuant to the evaluation principles the LIA sets forth; to establish app cyber-security control and management mechanisms pursuant to the operation principles the LIA sets forth; and to adopt equipment scrapping procedures so as to ensure that confidential and sensitive information is removed and that the data stored on the hard drive cannot be recovered. The self-regulatory rules further provide that their contents shall be incorporated into the internal audit and control system, and that compliance reviews shall be conducted periodically.
Given the regulatory status described above, Taiwan's data protection and cyber-security system is still developing.
Taiwan adopts the civil law system, and most primary and general laws and regulations follow the laws and regulations of other civil law countries, such as Japan. On the other hand, quite a few laws and regulations in respect of modern technology follow US and EU laws. Such a multiple-reference approach is reflected in various laws and regulations, as well as in the interpretations thereto. Given this, it is difficult to state that Taiwan's data protection and cyber-security regime follows any single specific model.
As noted above, the enforcement of the PDPA is administered by the relevant central business governmental authorities and local governmental authorities, rather than by any single governmental authority. It is difficult to obtain a whole picture of the enforcement status across the different central and local governmental authorities, since enforcement is not subject to mandatory public disclosure requirements. Given the absence of sufficient public information, there is no proper basis to say whether enforcement in Taiwan is relatively aggressive or not. However, based on the limited public information available, enforcement in respect of data protection by the Financial Supervisory Commission (FSC) is relatively aggressive compared with other governmental authorities.
TSMC Cyber-security Incident
Taiwan Semiconductor Manufacturing Co (TSMC), the world’s largest contract chip-maker, encountered a virus attack on some of its fabrication plants for semiconductor manufacture in August 2018.
The virus attack incident was caused by an operational error involving a USB device during software installation. The virus then spread throughout TSMC's network and infected the manufacturing tools of some of TSMC's fabrication plants, including the most advanced seven-nanometre equipment.
It took TSMC several days to deal with the virus, which included suspending production, detecting and removing the virus, and operation recovery. While the storm over the incident quickly quietened down, TSMC booked losses of USD84 million for the virus attack. It was the first large-scale cyber-attack involving a manufacturing plant in the history of Taiwan’s hi-tech industry.
After the cyber-security incident, TSMC has taken actions to close this security gap and strengthen security measures.
Rules to Ban Chinese Products with Security Threats
The Executive Yuan is compiling a detailed blacklist of Chinese technology companies, as security concerns fuel a campaign to restrict the use of equipment from manufacturers such as Huawei. According to the cyber-security department of the Executive Yuan, it intended to complete and publish a list of Chinese companies that could pose security threats by the end of March 2019 and to update the list from time to time. All central governmental departments supervised by the Executive Yuan, government-controlled organisations and the specific private sectors designated by relevant governmental agencies will be bound by such rules. In addition, according to the cyber-security department of the Executive Yuan, the Executive Yuan and its subordinate agencies also prohibit their officials and staff members from using Chinese social networking apps, such as WeChat, on their business mobile phones.
The Personal Data Protection Office
The Personal Data Protection Office, which is tasked with standardising data protection across all governmental agencies in conformity with EU regulations, began operations in July 2018. The office aims to align the nation’s data protection privacy measures with the EU’s General Data Protection Regulation and further obtain an adequacy decision for international data transfer between the EU and Taiwan.
Certain whistle-blower events in respect of financial holdings companies in 2016 and 2017 caught the attention of the FSC, the MOJ and the public. In response to the whistle-blower protection needed in the private sector, the MOJ has revised and finalised the draft bill on the protection of whistle-blowers that will regulate whistle-blower protection in governmental agencies and the private sector. The draft will be submitted to the Legislative Yuan for further review and discussion.
It is not a mandatory requirement to appoint a data protection officer. The Enforcement Rules of the PDPA suggest that data protection personnel be allocated and indicate that doing so is one of the approaches to establishing appropriate data protection measures. However, according to the PDPA, governmental agencies shall assign data protection personnel when they keep personal data.
According to the PDPA, except for sensitive personal data, the legal requirements for collecting and processing personal data are as follows: (i) it shall be with and within the specified purpose, and (ii) it shall meet any of the following statutory matters:
As noted above, certain sector-specific laws and regulations, or guidance promulgated by the associations of specific industries, provide standards for establishing cyber-security systems that apply the 'privacy by design' or 'privacy by default' concept.
Under the PDPA, governmental agencies and non-governmental agencies shall take appropriate data protection measures, which may include privacy impact analyses and other measures, such as preventing personal data from being stolen, altered, damaged, destroyed or disclosed. Furthermore, the relevant business governmental authority may designate a non-governmental agency for setting up the plan of security measures for the personal data or the disposal measures for the personal data after termination of business.
According to the PDPA, the data subject shall have the following rights:
Any advance waiver of any foregoing right by the data subject will be null and void.
The governmental agency or the non-governmental agency should, ex officio/at its discretion or upon a request from the data subject, ensure the accuracy of personal information and correct or supplement it. The governmental agency or the non-governmental agency should, ex officio/at its discretion or upon a request from the data subject, delete the personal data or discontinue the collection, processing or use of personal data, when (i) the purpose of such data collection no longer exists or the stated time-period expires, unless it is necessary for the performance of an official duty or fulfilment of a legal obligation and has been recorded, or when it is agreed by the data subject in writing; or (ii) the collection, processing or use of such data violates the PDPA.
Under the PDPA, when it is necessary to perform statistical or other academic research by a governmental agency or academic institute, personal data could be used for this purpose, after anonymisation, de-identification and pseudonymisation. There is no law or regulation specifically regulating emerging technologies, such as profiling, automated decision-making, online monitoring or tracking, big data analysis, or artificial intelligence. Nevertheless, in the cases relevant to these emerging technologies, current laws (eg, the PDPA and the Criminal Code) may apply depending on the legal issues involved.
The PDPA aims to prevent harm to personality rights, which include reputation and privacy. Therefore, the concept of 'injury' or 'harm' under the PDPA includes pecuniary damages and non-pecuniary damages. Also, if there is infringement of reputation, a proper rehabilitation action may be requested.
Under the PDPA, 'sensitive data' means personal data in respect of medical records, medical treatment, genetic information, sexual life, health examinations and criminal record. Such sensitive data shall not be collected, processed or used unless the statutory requirements – such as compliance with the laws and regulations, and obtaining written consent from the data subject – are satisfied.
Financial conditions fall within the definition of personal data under the PDPA and the PDPA will apply thereto. Furthermore, under the Banking Act, a bank shall keep customer information, related information on deposits, loans or remittances of its customers and transaction materials in confidence.
As noted above, medical records and health examination records fall within the definition of personal data under the PDPA and the PDPA will apply. Furthermore, according to the National Health Insurance Act, the insurer (ie, the Bureau of National Health Insurance of the Ministry of Health and Welfare) may require hospitals to provide certain personal data necessary for the insurer to carry out and administer the business of the national health insurance. The information obtained by the insurer in accordance with the above, and the storage and use of such information should be in compliance with the PDPA.
There is no specific law in Taiwan directly addressing the general and primary rules governing any specific communication data, such as voice telephony, internet or social media. If the content involves personal data, its collection, processing and use shall comply with the PDPA. If it involves certain specific offences or serious crimes, the Communication Security and Surveillance Act will govern; under this act, a warrant issued by the court will be required for obtaining the communication data of suspects or defendants.

The issue of the right to be forgotten was once discussed by the court. In a Taiwan Taipei District Court case (case No 104-Su-Geng-Yi-Zi-31), the plaintiff, the former CEO of a professional baseball team, was charged with the offence of fraud due to alleged involvement in a match-fixing scandal. In the end, the court rendered a judgment of not guilty. The individual then took legal action against a famous internet search engine and claimed that the defendant – ie, the search engine – should take down certain search results. In this case, he claimed that the search results had infringed his right of privacy, reputation and right to be forgotten. Given the absence of a statutory provision directly addressing the right to be forgotten, the court discussed and interpreted the right to be forgotten based on the concept of the right of privacy. The court indicated that the match-fixing scandal involved the public interest and, further, that the use of such information did not violate the PDPA since it was obtained from publicly available resources. Although such public information may impose certain restrictions on the plaintiff, such restrictions could be justified, since keeping such information publicly available is in the public interest.
Names, faces, characteristics and other personal identification information involve the privacy of children; the foregoing are also the personal data of children and the PDPA will apply thereto. In 2017, a parenting blogger uploaded a video on Facebook that showed the blogger harshly dressing down her four-year-old daughter, who cried and confessed her wrongdoing. This video caught the public's attention and the blogger was blamed by the public for disregarding her child's privacy. However, to date there is no case in which a child has sued a parent for infringement of his or her privacy or personal data protection in Taiwan.
Besides, the Protection of Children and Youths Welfare and Rights Act regulates the confidentiality requirement for the case files and personal data of children and youths who are subject to special treatment under the act, as well as the information of their families. Furthermore, the act prohibits certain information in respect of children and youths – such as criminal cases and drug abuse – from being disclosed by promotional material or on TV, the internet, other media or public channel. Failure to comply with the foregoing may result in administrative fines.
The PDPA regulates the collection and use of personal data for marketing purposes. When a non-governmental agency uses personal information for the purpose of marketing but the data subject refuses, such marketing shall stop immediately. Also, the non-governmental agency shall offer the data subject a way to express his or her refusal at the time such marketing first appears, and shall bear any necessary cost and expense of expressing such refusal.
Moreover, when the subsidiaries of financial holding companies engage in co-selling activities among themselves, the Financial Holding Company Act provides that such companies shall apply to the FSC for prior approval and ensure that such activities will not harm the interests of customers. The subsidiaries of the financial holding company shall comply with the provisions of the PDPA with regard to the joint collection, processing and use of the basic personal data and dealing or transaction records of customers.
There is no specific law in Taiwan directly addressing the general and primary rules regulating all types of online marketing. Nevertheless, for electronic marketing, the Consumer Protection Committee has promulgated the guidance advising that the enterprises shall collect and use consumers’ personal information in accordance with laws, and provide reasonable protective measures.
In Taiwan, issues relevant to workplace privacy mainly focus on email monitoring.
In most cases, the Taiwan courts use two standards to determine whether email monitoring violates employees' privacy rights: (i) whether the employees have a reasonable expectation of privacy in these emails and (ii) if there is no reasonable expectation of privacy, whether employers are prohibited by law from monitoring employees' emails.
The concept of 'reasonable privacy expectation' is based on Article 3 of the Communication Security and Surveillance Act, which provides that the communications under surveillance are limited to those whose content the persons monitored may reasonably expect to be private or secret, with sufficient factual support. Some court rulings further point out that if the company has an email policy in place that explicitly states that employees' emails will be monitored, or the employees have signed written consent to email monitoring, then it is hard to say that the employees have a reasonable expectation of privacy in such emails.
According to the Labour Standards Act, an employee, upon discovery of any violation by the business entity of labour laws or administrative regulations, may file a complaint to the employer, competent authorities or inspection agencies. The employer shall not therefore terminate the employment relationship, change the employment terms and conditions, reduce the wages or the rights and other benefits, or take any unfavourable measure against such employee. If the employer violates any of the actions mentioned above, that action shall be null and void.
Also, the competent authority receiving the complaint shall keep the identity of the complainant confidential and shall not disclose any information that might reveal the identity of the complainant. A competent authority violating the above shall be liable for damages so caused to the employee. In addition, the public officials involved shall be held liable under criminal and administrative laws.
There are criminal liabilities and administrative liabilities under the PDPA. The standard for conviction in a criminal proceeding is 'beyond a reasonable doubt'; that is, the prosecutor must present evidence that is credible and sufficient to prove the defendant's guilt beyond a reasonable doubt. In regard to administrative sanctions, the governing authority must prove that an act in breach of a duty under the PDPA was committed intentionally or negligently.
The criminal penalties for violation of the PDPA include imprisonment for not more than five years, or criminal fines of not more than TWD1 million, or both.
The administrative penalties for violation of the PDPA are administrative fines of no less than TWD20,000 but no more than TWD500,000. Also, the legal representative, manager or other representatives of a non-governmental agency may be subject to the same fines when the non-governmental agency receives an administrative fine.
In the event that there are any other violations of other criminal laws or administrative laws or regulations, criminal or administrative penalties in accordance with such laws or regulations would be imposed.
Recent Enforcement Cases
In December 2018, TLG Insurance Co, Ltd was fined TWD1,800,000 by the FSC due to failure to adopt proper security measures to prevent personal data collected from being stolen or disclosed.
In January 2018, First Life Insurance Co, Ltd was fined TWD1,200,000 for (i) failing to evaluate the risk of the collected personal data and (ii) failing to serve notice to the data subject with the statutory notice items and the way of consent prior to the collection of personal data.
In general, the burden of proof in civil litigation shall be borne by the plaintiff, who is obligated to establish, through evidence, all the requisite elements of a case. Therefore, if the plaintiff filed a lawsuit for alleged privacy or data infringement under the civil code, the burden of proof is borne by the plaintiff. The plaintiff has to establish that the defendant has wrongfully damaged the plaintiff’s rights intentionally or negligently and there are injuries that have arisen therefrom.
Nevertheless, the PDPA has special rules for the plaintiff's burden of proof in a civil case under the PDPA, under which the law relieves the plaintiff of part of the burden of proof. Once the plaintiff has met his or her burden of proof by establishing the infringement of his or her rights through a non-governmental agency's illegal collection, processing or use of personal information, or other infringement due to a violation of the PDPA, the burden of proof shifts to the defendant to show that it acted neither intentionally nor negligently.
In the event that the plaintiff has proved that a governmental agency infringes the rights of personal data due to violation of the PDPA and there are injuries arising therefrom, the government agency should be liable for damages and compensation unless it can prove the damages were caused by natural disaster, incident or other force majeure.
Class actions are allowed in Taiwan. For cases arising from the same cause and facts, where multiple data subjects have been infringed, the organisations regulated by the PDPA may – after obtaining written authorisation of litigation rights from 20 or more data subjects – represent such data subjects and bring a lawsuit before the competent court in the organisation's own name.
The first data breach class action lawsuit has been brought by the Consumers’ Foundation against a travel agency for the alleged illegal disclosure of collected personal data in March 2018.
Major Cases (Private)
In a Taiwan High Court case (case No 106-Shang-Zi-1160), the plaintiff claimed that the defendant, which was a search engine, shall remove certain search engine results and recommended search keywords regarding the plaintiff’s match-fixing scandal since the collection and use of his personal data were in violation of the PDPA. The court opined that (i) such match-fixing scandal was a matter of public interest and concern, and therefore no prior consent is required upon the collection and use of such personal data; and (ii) since the match-fixing scandal was of public interest and had been brought to the public attention, the specific purpose of the collection of personal data still exists and the time period of collection has not expired; therefore, the collection and use of personal data did not violate the PDPA.
Under the Communication Security and Surveillance Act, in general, a warrant from the competent court will be required for obtaining data in criminal cases.
The Communication Security and Surveillance Act sets up certain safeguards to protect privacy, as detailed below.
When it is necessary to conduct surveillance on the domestic, cross-border or offshore communications of foreign forces or hostile foreign forces (or their agents) to collect intelligence on foreign forces or hostile foreign forces – including organisations with the aim of operating international or cross-border terrorist activities – to protect national security, the head of the national security authority may issue the warrant. If the subject under surveillance has household registration in Taiwan, the judicial approval level shall be escalated and prior approval from the judge of the High Court will be required. However, this restriction does not apply in the event of an emergency. In the event of an emergency, the national security authority should inform the competent High Court judge of the issuance of the warrant and obtain the permission ex post facto. If permission is not granted within 48 hours, the surveillance activity should be halted immediately.
The privacy safeguards are basically the same as the above general criminal cases, provided that (i) whether the surveillance shall be halted or continued will be determined by the head of the national security authority and (ii) the ex post written notice to the person under surveillance will solely apply to the case when the person under surveillance has household registration in Taiwan.
In Taiwan, the feasible solution is judicial co-operation assistance, which is processed by the governmental judicial agencies. Taiwan has signed agreements on mutual judicial co-operation in criminal matters with the USA, the Philippines, South Africa and China. Also, Taiwan has signed agreements on mutual judicial co-operation in civil matters with China and Vietnam. Under these agreements, both parties shall provide judicial co-operation assistance to each other. Accordingly, an organisation responding to a foreign government access request may obtain and transfer personal data to foreign governmental agencies under these agreements.
A recent case, in which a judicial police officer attached a Global Positioning System (GPS) locator to a suspect's car to investigate a smuggling case, sparked public debate in connection with government access to personal data. It was debated whether prosecutors or judicial police officers could collect and use GPS records for investigation purposes. The court opined that GPS records reflect the non-public activities of people and that collecting or using such GPS records would therefore infringe the right of privacy. Since there was no statutory basis for collecting and using GPS records to investigate crimes, there was no legal ground for prosecutors or judicial police officers to do so. However, some argued that such opinions would make criminal investigations difficult, and it was suggested that the authorities should amend the relevant laws to keep up with new technology.
Under the PDPA, the governmental authority in charge of the subject industry may limit international data transfers if:
On 25 October 2012, the National Communications Commission issued an administrative rule stating that since China lacks proper regulations towards personal data protection, communications enterprises are prohibited from transferring their subscribers’ personal data to China.
There is no specific mechanism in Taiwan that applies to international data transfers.
If a financial institution would like to outsource its operations of data entry, processing and output of an information system related to consumer finance business to an offshore service-provider, it must submit the documents to the FSC for approval.
There is no data localisation requirement under Taiwan law.
No software code or algorithm or similar technical detail is required to be shared with the Taiwan government.
As noted above, the contractual parties shall provide judicial co-operation assistance pursuant to the judicial co-operation assistance agreements. An organisation may collect or transfer data pursuant to the judicial co-operation assistance agreements.
There is no blocking concept in Taiwan.
Most of the emerging technologies – such as big data analytics, automated decision-making, profiling, artificial intelligence, Internet of Things (IoT), facial recognition and drones – are not specifically addressed in the law or regulations. Depending on the legal issues involved, different laws or regulations may apply, including the PDPA, the Criminal Code and the Trade Secrets Act. However, it is worth noting some of the developments in the following fields.
In December 2018, a provision governing autonomous vehicles was newly added to The Regulations of Road Transportation Safety. According to this provision, any enterprise or car research institute with a legal registration certificate may apply for a licence and road test for autonomous vehicles. Relevant road safety regulations shall be applicable to such autonomous driving.
Biometric data is specifically regulated under the Human Biobank Management Act and the Regulations Governing the Collection, Management and Use of Individual Biometric Data.
The Human Biobank Management Act regulates the establishment, management and applications of the human biobank. It also protects the rights of information privacy of biological database participants. Under the Human Biobank Management Act, 'human biobank' includes derivatives – such as cells, tissues, organs or bodily fluids – that are collected from a human body or produced by experimental operations and are sufficient to provide adequate information for identifying the participant’s biometrics. In the event that the biometric data is stolen, leaked, tampered with, or otherwise infringed, the operator of the biobank shall immediately investigate the matter, report same to the competent authority and notify relevant participants in an appropriate manner. Personnel engaged in the collection, processing, storage, or use of biological specimens shall not disclose any confidences or other personal data or information of the participant that is known or obtained as a result of their work.
The Regulations Governing the Collection, Management and Use of Individual Biometric Data, which were enacted in accordance with the Immigration Act, regulate the collection, management and use of fingerprints or facial characteristics by the National Immigration Agency of the Ministry of the Interior to identify an individual when foreign nationals enter Taiwan or apply for residency or permanent residency. Those who obtain such data within the scope of their authority or employment shall maintain its confidentiality, and shall be punished in accordance with the PDPA or the relevant regulations if they violate that obligation of confidentiality.
In November 2017, a member of the Legislative Yuan proposed an amendment to the Household Registration Act that would allow the government to establish a database collecting a certain kind of citizens' biometric data (eg, the unique iris information of an individual) for identification purposes. However, in Interpretation No 603, the Grand Justices held that fingerprints are important personal data and are therefore protected under the right of information privacy. Accordingly, it was unconstitutional for the government to collect the fingerprints of citizens without specifying the purposes of collecting such data in the Household Registration Act. Following this interpretation, the collection of an individual's iris information may also be unconstitutional if there is no law specifying the compelling public purposes for collecting such data.
Given the conclusion of Interpretation No 603, the proposal in November 2017 to establish a database collecting certain kinds of biometric data from citizens was heavily criticised and the proposal was finally withdrawn.
There have been criminal cases in which the defendants used GPS to record the plaintiffs' location and vehicle track. The issue in those cases was whether the drivers of the cars monitored by GPS had a reasonable expectation of privacy. The courts answered affirmatively: although the cars could be seen on the road, other people could not tell where they came from or where they were going, so the drivers had a reasonable expectation of privacy in respect of their movements. Accordingly, using GPS to track the movements of others infringes their right of privacy and may violate the Criminal Code and the PDPA.
In Taiwan, there is currently no specific set of laws that addresses the standard to be complied with in connection with cybersecurity. Rather, cybersecurity is involved mostly when it comes to the application of certain current laws or regulations. In other words, it is regarded as an ancillary element rather than a target to be regulated. Also, current laws and regulations that would be related to cybersecurity adopt the ex post approach instead of the ex ante approach, except for the field of personal data protection.
In the Criminal Code, Chapter 36 is dedicated to offences against computer security, containing the legal provisions that are most directly related to cybersecurity. The relevant offences are as follows:
In the event that the above three offences are committed against the computers and related equipment of a public office, the punishment shall be increased by up to one half (Article 361 of the Criminal Code). The criminal prosecution of the offences under the above articles shall be initiated by complaint (Article 363 of the Criminal Code); without such complaint, a criminal investigation will not be opened.
Furthermore, a person who makes computer programs specifically to commit the offences under Articles 358 to 360 of the Criminal Code and thereby causes injury to the public or another shall be punished by imprisonment for not more than five years or short-term imprisonment; in lieu thereof, or in addition thereto, a fine of not more than TWD600,000 may be imposed (Article 362 of the Criminal Code). Unlike for the offences under Articles 358 to 360, the investigation authority may open a criminal investigation of this offence on its own initiative.
If the computer or related equipment is not only used for security breach but also to exercise unlawful control over other people’s assets, the following offences would apply:
If fraud under Article 339 of the Criminal Code is committed by disseminating false information to the general public through broadcasting, television, electronic communication, the internet or other media, the wrongdoer shall be sentenced to imprisonment for no less than one year and no more than seven years; in addition thereto, a fine of no more than TWD1 million may be imposed (Article 339-4 of the Criminal Code).
In addition, Article 220, paragraph 2 of the Criminal Code regards electronic records as documents for the purpose of applying the provisions under the Criminal Code. Therefore, for example:
The above offences in connection with forgery of electronic records could be investigated on the initiative of the investigation authority. No complaint from the victim is required.
Depending on the information protected, other laws may apply. If the target of the security breach is personal information then civil, criminal or administrative liability under the PDPA would apply. The legal consequences for the infringement of trade secrets are governed by the Trade Secrets Act. In the event that classified national security information is involved, the Classified National Security Information Protection Act would apply.
As aforementioned, the ICSMA took effect from 1 January 2019. The ICSMA regulates the security management of information and communication, which will include cyber-security (see below).
Given the absence of any specific law that governs cyber-security, there is currently no regulator acting as the overarching cyber-security authority. Instead, the central authorities in charge of the relevant businesses act as the regulators in the field of information security. How active such an authority is varies with the relevance of IT to the sector it regulates. For example, the financial authority, the FSC, has adopted several guidelines on the information security of financial institutions, and the communications authority, the National Communications Commission, has promulgated guidance on information security for the telecommunications business.
In the ICSMA, various governmental agencies are charged with different tasks. Generally speaking, it is the responsibility of the Executive Yuan to establish the underlying policy on the security of information and communication, while the relevant business authorities are responsible for implementing the ICSMA.
There are currently no key frameworks that are de jure or de facto standards or that provide commonly deployed guidance. However, the Bureau of Standards, Metrology and Inspection of the Ministry of Economic Affairs has, with reference to ISO 27001, established a standard for information security management systems as Chinese National Standard 27001 (CNS 27001). Although it is not legally binding, this firm believes that CNS 27001 serves as an important reference for evaluating the soundness of an information security management system.
The Executive Yuan has a regulation to set up an information security policy, division of labour in connection with information security, management and training of staff for information security, security management of the computer system and the internet, management of access to system, security management of the development and maintenance of the system, security management of information assets, security management of physical objects and the environment, and other matters regarding the management of information security. However, such regulation is an internal rule and only governs the Executive Yuan and its subordinates. Non-governmental agencies are not covered by the above regulation.
The ICSMA aims to set up more complete statutory requirements for the prophylactic planning to be adopted in dealing with cyber-security issues. The ICSMA covers governmental agencies and specific private-sector entities designated by the relevant governmental agencies. Under the ICSMA, all governmental agencies, other than military and intelligence agencies, are required to adopt, amend and implement a plan for the security of information and communication (the Information Security Plan) according to their designated security level of information and communication, the type, amount and nature of the information they keep or process, and the scale and nature of their information and communication system. A governmental agency is required to appoint a security officer responsible for promoting and inspecting information and communication security; the security officer should be the deputy head of the agency or another suitable member of its staff. A governmental agency is required to report the implementation of its Information Security Plan to the competent agency at a higher level or to its supervisory agency (or to the Executive Yuan if there is no such agency). That competent or supervisory agency is in charge of auditing the implementation of the Information Security Plan by the agency that is its subordinate or is supervised by it.
As for the private sector, the ICSMA authorises the relevant business authority to assign the status of critical infrastructure provider (the Critical Infrastructure Provider) after consulting relevant governmental agencies, NGOs, experts or scholars. Such an assignment shall be approved by the Executive Yuan. The Critical Infrastructure Provider is required to adopt, amend and implement an Information Security Plan according to its designated security level of information and communication, the type, amount and nature of the information it keeps or processes, and the scale and nature of its information and communication system. The relevant business authority shall audit the implementation of the Information Security Plan by the Critical Infrastructure Provider. If deficiencies are found in the Information Security Plan, the Critical Infrastructure Provider shall submit an improvement report to the relevant business authority. The ICSMA does not specify the items to be included in the Information Security Plan or the scope of the Critical Infrastructure Provider designation; these are left to be elaborated in the rules and regulations adopted by the relevant business authority.
Certain non-governmental agencies other than Critical Infrastructure Providers (Non-CIP Agencies) are likewise required to adopt, amend and implement an Information Security Plan according to their designated security level of information and communication, the type, amount and nature of the information they keep or process, and the scale and nature of their information and communication system. The ICSMA authorises the relevant business authority to require a Non-CIP Agency to report on the implementation of its Information Security Plan and to audit the Non-CIP Agency's implementation of that plan. If deficiencies are found in the Information Security Plan, the relevant business authority shall require the Non-CIP Agency to provide an improvement report. Again, further details are left to be elaborated in the rules and regulations adopted by the relevant business authority.
In the context of cyber-security, there are currently no multinational treaties or agreements that would directly apply to the individual or entity in Taiwan. Rather, such treaties or agreements need to be incorporated into the laws, rules or regulations so as to be legally binding.
In the context of personal data, the PDPA requires non-governmental agencies to adopt security measures to prevent the personal data they keep from being stolen, altered, damaged, destroyed or disclosed. The PDPA further authorises the relevant business authority to designate non-governmental agencies that must set up a plan of security measures for their personal data files, or disposal measures for personal data after termination of business. The details of such a plan are not specified in the PDPA but are left to the relevant business authority.
For critical infrastructure, the Atomic Energy Council sets up a guideline for the review of the plan of information and communication security in connection with the critical digital assets of nuclear plants. This guideline provides instructions to establish the Information Security Plan for nuclear plants and the process to set up, implement and maintain such a plan.
The ICSMA does not specify the security requirements to be complied with, but provides for an inspection process to ensure that the Information Security Plan is sufficient. For governmental agencies, the inspection is conducted by the supervising governmental authority (or by the Executive Yuan if there is no such authority); for certain non-governmental agencies, the Executive Yuan is in charge of the inspection.
The Executive Yuan has announced the process to respond to information security emergency events. In this announcement, information security events are categorised into four levels:
The above announcement also sets out the process for reporting an information security event. In brief, an information security event should, within 30 minutes of its occurrence, be reported to the Information Security Operation Team for support and to complete the internal reporting process. The Information Security Operation Team should seek a solution and should, within 30 minutes, report the facts of the event, the scope likely to be affected, an evaluation of the loss incurred, any application for support and the emergency response measures taken to the National Information and Communication Security Emergency Centre. If an information security event is likely to lead to civil or criminal cases, the prosecutor's office and the investigation authority should be informed.
Similarly, the ICSMA provides that a governmental agency shall establish a reporting and response mechanism for information security events. Upon becoming aware of an information security event, the governmental agency shall report it to the competent agency at a higher level or its supervisory agency, and to the Executive Yuan. The governmental agency is also required to submit an investigation report, a report on the handling process and an improvement report to the competent agency at a higher level or its supervisory agency, or to the Executive Yuan if there is no such agency. The same requirements apply to Critical Infrastructure Providers and Non-CIP Agencies, which shall submit the investigation report, the report on the handling process and the improvement report to the relevant business authority; in the case of a major information security event, the reports shall also be submitted to the Executive Yuan. Under the authorisation of the ICSMA, the Executive Yuan has promulgated a regulation that further elaborates the details of reporting of and response to information and communication security events.
In addition, listed companies under Taiwan law are required to make timely disclosure of events having a material effect on shareholders' equity or securities prices through the Market Observation Post System (MOPS). Therefore, if a data breach happens to a listed company, the company would need to disclose the event to investors through the MOPS. In the two data breach incidents described in 6.9 Significant Cyber-security, Data Breach Regulatory Enforcement and Litigation, the two companies whose systems were hacked made their MOPS disclosures.
When adopting cyber-security defensive measures, compliance with the PDPA is required if the collection, processing, use or international transmission of personal data is involved. Compliance with the Trade Secrets Act also needs to be verified; otherwise, adopting such measures may lead to legal liability thereunder.
As noted above, the current data breach reporting and notification mechanism is based on internal regulations promulgated by the Executive Yuan. The statutory requirement for, and authorisation of, information sharing in connection with cyber-threats is regulated in the ICSMA through the reporting obligations imposed on governmental and non-governmental agencies, with a regulation promulgated by the Executive Yuan providing further details.
If any individual or entity wishes to share information on cyber-threats voluntarily, it should comply with the laws that may restrict such sharing, such as the PDPA or the Trade Secrets Act.
In addition to the 2018 TSMC cyber-security incident as aforementioned, there have been two other major data breach regulatory enforcements in Taiwan, in 2016 and 2017.
First Commercial Bank Data Breach
From May 2016, a criminal group exploited vulnerabilities in the call-recording system of First Commercial Bank's London branch to hack into its ATM system and install malicious software. From 10 to 12 July 2016, members of the group approached 21 ATMs in 22 targeted branches of First Commercial Bank and, collaborating with accomplices overseas, withdrew more than TWD83.27 million in cash. The investigation authority arrested three foreign suspects who were still in Taiwan and recovered TWD77.48 million of the withdrawn cash. The three suspects were indicted and, for violation of Article 359 and Article 339-2 of the Criminal Code, sentenced to four years and ten months, four years and eight months, and four years and six months of imprisonment, with criminal fines of TWD50,000, TWD40,000 and TWD30,000, respectively.
According to Article 45-1, paragraph 1 of the Banking Act, a bank shall establish an internal control system and an audit system; the regulations governing the objectives, principles, policies, operating procedures, qualifications and conditions for internal auditors, the scope of internal control audits that a certified public accountant shall be engaged to undertake, and other matters requiring compliance shall be prescribed by the competent authority. Because of the security flaw that led to the above abnormal withdrawals, on 13 September 2016 the FSC fined First Commercial Bank TWD10 million for violation of Article 45-1, paragraph 1 pursuant to Article 129, sub-paragraph 7 of the Banking Act, and ordered the bank to suspend ATM cardless withdrawals temporarily in accordance with Article 61-1, paragraph 1, sub-paragraph 2 of the Banking Act; this facility was later resumed from 7 June 2017.
Far Eastern International Bank Data Breach
On 3 and 5 October 2017, malicious software was reportedly inserted into the systems of Far Eastern International Bank, and USD60 million was transferred to accounts in Cambodia, Sri Lanka and the USA through the international SWIFT banking network. All but USD160,000 of the stolen funds were recovered by the bank. The police in Sri Lanka have reportedly arrested two suspects.
On 12 December 2017, the FSC found that the bank's information security defence system was not completely sound, that its account management was inappropriate, that it had not strengthened its SWIFT security system, that it had not effectively communicated the relevant rules and regulations to be complied with, and that its internal controls were not effectively implemented. The FSC therefore fined Far Eastern International Bank TWD8 million for violation of Article 45-1, paragraph 1 pursuant to Article 129, sub-paragraph 7 of the Banking Act. The FSC also required the bank to raise the expertise of its information security unit, increase the headcount of its information security team, enhance its awareness of information security risk and strengthen the functioning of its information security system.