Data Protection & Privacy 2024 Comparisons

Last Updated March 12, 2024

Contributed By Chen & Lin

Law and Practice

Chen & Lin counts data protection as one of its main practice areas, due to the emerging technologies that are accumulating, compiling and analysing immense volumes of data. In total, the data protection group has 15 lawyers across three locations (Taipei, Hsinchu and Kaohsiung), who provide advice and assistance to clients from all over the world. The team combines legal experience and adaptability with advanced hi-tech skills and development. The firm is also well connected with law firms in other countries, and is able to provide an international service as a result of co-operation and co-ordination with those firms. Key practice areas include: compliance; providing the latest regulatory developments; advising on appropriate measures for protecting an owner’s data and not infringing another’s right to data; reviewing and commenting on market practice relating to data protection; handling dispute resolution; assisting clients in navigating investigations or court proceedings; defending allegations of infringement; and asserting and enforcing data protection regulations or contract arrangements.

The Personal Data Protection Act (PDPA) is the primary law regulating personal data protection. It was first enacted in August 1995 as the Computer-Processed Personal Data Protection Act, and regulated governmental agencies and certain private-sector entities. The PDPA has been effective since 1 October 2012, and regulates any person – including governmental agencies and all private-sector entities – who collects, processes or uses personal data. Privacy and personal data protection are tied to the constitutional protection of privacy.

In addition to the PDPA, the Legislative Yuan has also enacted certain special data protection requirements in some sector-specific laws, such as:

  • the Insurance Act;
  • the Financial Holding Company Act;
  • the Banking Act;
  • the Human Biobank Management Act;
  • the Pharmaceutical Affairs Act; and
  • the National Sports Act.

Furthermore, the Trade Secrets Act may apply if the trade secrets of an enterprise are involved. If an offence against computer security is involved, the criminal sanctions of the Criminal Code of the Republic of China may apply. If any national security issue is involved, the National Security Act may apply.

There is no single specific law in Taiwan that regulates all sensitive digital technologies such as artificial intelligence (AI). On the contrary, the different sector-specific laws will cover and govern different aspects and applications of sensitive digital technology such as AI. Recently, legislators have proposed several versions of draft bills governing AI, given its rapid development. These proposals are still under debate and discussion, and have not yet been adopted.

On 16 May 2023, the Legislative Yuan passed amendments to the PDPA to urge non-governmental agencies (ie, the private sector) to input manpower, techniques and funds for the purpose of fulfilling data protection obligations, and to provide support to relevant enforcement authorities for combating fraudsters. Two main points of these amendments are as follows:

  • raising the administrative penalties imposed against non-governmental agencies for violating the obligation of security and maintenance measures; and
  • designating the “Personal Data Protection Commission” (PDPC) as the dedicated competent authority of the PDPA.

See 1.7 Key Developments. The PDPC is scheduled to be officially launched by August 2025.

The Ministry of Digital Affairs, which has been given a broad mandate that includes overseeing the development of digital infrastructure and cybersecurity, is also in charge of policy and regulation of data security. The Ministry may also propose further implementation rules to regulate digital technology in more detail. For example, the Ministry of Digital Affairs has enacted the “Regulations Regarding the Security Protection Plan for the Processing of Personal Information Files in Digital Economy Industry-Related Non-government Agencies” to improve data security in the digital economy industries.

Since the amendments to the PDPA were passed, the PDPC will be the dedicated competent authority of the PDPA. Upon its official launch, the PDPC will integrate those enforcement powers and responsibilities (stated below) spread among the Ministry of Justice (MOJ), the National Development Council, central governmental authorities that supervise the business operation of non-governmental agencies, and local government authorities. The PDPC will also be in charge of promulgating relevant Enforcement Rules of the PDPA. Before the official launch of the PDPC (scheduled for August 2025), the relevant regulators and their authorities are as below.

The MOJ is the main regulator for personal data protection and is in charge of proposing the draft bill of the PDPA, and promulgating the Enforcement Rules of the PDPA. The MOJ and the National Development Council are in charge of issuing various interpretations to answer questions in respect of compliance with the PDPA.

The enforcement of the PDPA is administered by the central governmental authorities that supervise the business operation of non-governmental agencies, and local government authorities. Both central and local governmental authorities have the power to:

  • carry out audits and inspections on non-governmental agencies;
  • request information;
  • demand rectification; and
  • impose administrative penalties against non-governmental agencies for non-compliance with the PDPA.

Under the PDPA, central and local governmental authorities have the power to conduct an audit and inspection on non-governmental agencies, for which they may access the premises of non-governmental agencies, request information, and copy and retain documents. If the non-governmental agency refuses to provide the information and documents, the authorities may – to the extent of least harm – adopt compulsory measures to obtain such information and documents. The non-governmental agency may raise an objection against such compulsory measures. However, if the governmental authority refuses to change such compulsory measures, the non-governmental agency may only argue against such compulsory measures in the proceeding in which it argues the administrative decision on the merits.

As stated in 1.2 Regulators, upon its official launch scheduled for August 2025, the PDPC will be in charge of enforcing the PDPA and will integrate those enforcement powers and responsibilities currently spread among central and local governmental authorities.

Except for the foregoing investigation procedure and the procedural complaint procedure, there are no special procedures regulating the administrative process in respect of investigations and imposed penalties, and in respect of the respondent’s due process and appeal rights and procedures. The general administrative laws will govern, such as:

  • the Administrative Procedure Act;
  • the Administrative Appeal Act; and
  • the Code of Administrative Procedure.

The national system of data protection adopts an “APEC-EU referential” approach. The meeting minutes of the Executive Yuan approving the submission of the draft PDPA to the Legislative Yuan state that the PDPA incorporates certain provisions of Directive 95/46/EC. As one of APEC’s member economies, Taiwan has adopted the APEC Privacy Framework, which sets out nine privacy protection principles; the PDPA also incorporates the principles of the APEC Privacy Framework.

In 2011, APEC developed the Cross-Border Privacy Rules (CBPR) system, under which companies trading within the member economies develop their own internal business rules, consistent with the APEC privacy principles, to secure cross-border data privacy. Taiwan joined the CBPR system in December 2018, with the Institute for Information Industry applying to be the Accountability Agent under the system. In June 2021, the Institute for Information Industry was recognised by APEC as the Accountability Agent for CBPR verification of domestic enterprises in Taiwan.

Taiwan also joined the EU-led Joint Declaration on Privacy and the Protection of Personal Data in October 2022. The declaration is intended to foster international co-operation to promote high data protection and privacy standards. Taiwan’s inclusion will allow it to strengthen exchanges and co-operation with the EU and Indo-Pacific countries.

Furthermore, in seeking an “adequacy decision” from the European Commission, the Personal Data Protection Office has filed the evaluation reports required for GDPR adequacy status; the application is still under review and discussion. All major laws regulating privacy and personal data protection are at the national level. The relevant regulations at the subnational level are solely relevant to the implementation of those national laws and regulations by the different functioning bureaus of local government.

The major privacy or data protection NGOs include:

  • the Data Protection Association of the Republic of China, which focuses on promoting cybersecurity and data protection by way of giving data protection lectures, advising on encryption methods and providing a data protection consultation service; and
  • the Taiwan Association for Human Rights, an independent NGO focusing on human rights protection, including privacy and personal data protection, by way of policy watching, monitoring and advocacy.

Industry Self-Regulatory Organisations (SROs)

Certain SROs in specific industries, particularly the financial industry, provide guidance to their members in connection with data protection, confidentiality and cybersecurity. For example, the Bankers Association of the Republic of China provides guidance that advises members to take certain data protection measures, including:

  • maintaining the confidentiality of clients’ information;
  • establishing safety control mechanisms for data protection; and
  • reporting any data breaches to the competent authority pursuant to laws and regulations.

The Bankers Association has also proposed draft self-regulatory rules regarding AI applications. According to this draft, banks shall establish internal risk management and periodic inspection mechanisms with respect to AI. The Life Insurance Association of the Republic of China and the Non-Life Insurance Association of the Republic of China provide self-regulatory rules on handling cybersecurity and data protection, requiring members to do the following, for example:

  • adopt rules regarding the use of mobile devices (including “bring your own device”) and social network media, and rules regarding the use of cloud services;
  • establish cybersecurity and data protection mechanisms pursuant to the evaluation principles set forth in the self-regulatory rules;
  • establish app cybersecurity control and management mechanisms pursuant to the operation principles set forth in the self-regulatory rules; and
  • adopt equipment disposal procedures (ie, the procedure that shall be followed when scrapping equipment) to ensure that confidential and sensitive information is removed and that the data stored on a hard drive cannot be recovered.

The self-regulatory rules further provide that the contents thereof shall be incorporated into the internal audit and control system, and that compliance reviews shall be conducted periodically.

Taiwan adopts the civil law system, and most primary and general laws and regulations follow the laws and regulations of other civil law countries, such as Japan. On the other hand, quite a few laws and regulations regarding modern technology follow US and EU laws. Such a multiple-reference approach is reflected in various laws and regulations, as well as the interpretations thereof. Due to this, it is difficult to state whether Taiwan data protection and cybersecurity procedures follow any single specific model.

As noted in 1.2 Regulators, the enforcement of the PDPA will be administered by the PDPC upon its official launch scheduled for August 2025. Nevertheless, the enforcement of the PDPA is currently still administered by the central governmental authorities that supervise the relevant business operations and by local governmental authorities, rather than by any single governmental authority. It is difficult to obtain a whole picture of the enforcement status across the different central and local governmental authorities, since they are not subject to mandatory public disclosure requirements. Given the absence of sufficient public information, there is no proper basis on which to say whether enforcement in Taiwan is relatively aggressive or not. However, based on the limited public information available, enforcement of data protection by the Financial Supervisory Commission (FSC) appears to be relatively aggressive compared to other governmental authorities.

Amendments to the PDPA Passed, Penalties Raised, and a Dedicated Competent Authority to be Established

The amendments to the PDPA were passed on 16 May 2023. The amendments modified the administrative sanction procedure and raised the amount of administrative fines imposed against non-governmental agencies for violating the obligation of security and maintenance measures under Article 48 of the PDPA. The amended Article 48 provides that, in the event of a violation of the above-mentioned obligation by a non-governmental agency, the authority may impose an administrative fine immediately and may concurrently order the non-governmental agency to rectify the violation; in other words, the authority may impose administrative fines directly without first demanding rectification. Further, the ceiling for administrative fines was raised, so that fines now range from TWD20,000 to TWD2 million. Where the violation is a material one, or the non-governmental agency fails to rectify the violation within the time limit set by the authority, the administrative fine is raised to not less than TWD150,000 and not more than TWD15 million.

The amendments to the PDPA provide that the PDPC will be the dedicated authority of the PDPA. The PDPC, upon its official launch, will integrate the enforcement authorities and relevant responsibilities spread across the central governmental authorities that supervise the business operation of non-governmental agencies, local governmental authorities, the MOJ and the National Development Council. This shift signifies an evolution in the regulator’s functions and approach – ie, from a “decentralised system” to a “dedicated supervisory system”, which also aligns with the global trend adopted in Europe, Japan and South Korea, etc. The PDPC aims to officially launch by August 2025.

Dcard

Dcard is a popular Taiwanese social media platform for the young generation. In November 2023, it was reported that Dcard’s office had been searched by police, owing to hundreds of cases in which anonymous postings on Dcard led to fraud, child and teenager safety issues, and defamation cases. It was the very first case in which a social media platform was searched over its members’ alleged illegal activities on the platform. The police reportedly requested Dcard to provide its members’ information for the purpose of the investigation. Dcard refused, relying on the PDPA and the judgment of the Constitutional Court, and the police had no choice but to search Dcard’s offices.

Several days later, the police clarified that although they brought a search warrant with them to Dcard, they did not actually “search the office” but only requested Dcard to provide the relevant documents. Dcard declared that it had always co-operated with prosecutors’ offices and the police in their investigations; Dcard will assist in these authorities’ investigation under the premise of protecting users’ privacy rights, and will try to find the most appropriate approach thereto.

This case shows the conflict between government access to data and an individual’s privacy. The Criminal Investigation Bureau emphasised that while freedom of speech is a fundamental right, its protection does not extend to shielding criminal activities carried out under the veil of anonymity; to protect the victim’s rights, the police request the information required in accordance with the law.

Vehicle-Sharing Platform Risking the Exposure of Personal Data of Its More Than 400,000 Users

In January 2023, a security researcher discovered a database containing iRent (a large vehicle-sharing platform in Taiwan) customers’ personal data (including full names, cell phone numbers, email addresses, home addresses, photos of their drivers’ licences, and partially redacted payment card details) on a cloud server that was inadvertently accessible to the public. Because the database was not password-protected or encrypted, anyone on the internet could access this iRent customer data. The database, which contained about 4.2 terabytes of data, was exposed on the open web for at least nine months before the researcher discovered it.

This incident instantly captured widespread public attention, as iRent is the largest vehicle-sharing platform in Taiwan. iRent explained that its temporary database did not properly block external connections, so that external parties using specific tools and techniques could potentially access members’ information, with 400,000 members potentially affected.

The Directorate General of Highways and the Taipei Municipal Transportation Bureau separately imposed fines of TWD200,000 and TWD90,000 respectively for the data leakage. iRent was also ordered to improve its data security.

After this incident, a councillor of Taipei City Council considered that, because the fines under Taipei City’s autonomous ordinance for data breaches were too low, enterprises often overlooked the severity of such incidents and failed to give earnest attention to data security measures. With fines set at a level that does not proportionately reflect the potential impact and damages resulting from breaches, enterprises have a diminished incentive to proactively invest in robust security measures. The councillor therefore proposed a draft amendment to the “Taipei City Autonomous Ordinance Governing Ridesharing Services Management”. This amendment was passed in December 2023. Under the new ordinance, if a data breach results from the enterprise’s intentional act or negligence, the Department of Transportation of Taipei City may revoke or cancel its operational licence.

The Preparatory Office of the PDPC Launched

Since the Constitutional Court judgment rendered in August 2022 (No 111-Shien-Pan-Zi-13) requires an independent supervisory mechanism under the PDPA, in May 2023 legislators passed the amendments to the PDPA, providing that the PDPC will be established as the dedicated authority of the PDPA. On 5 December 2023, the Preparatory Office of the PDPC was officially launched. The main tasks of this preparatory office include:

  • the enactment of the organic law for the PDPC;
  • further amendments to the PDPA; and
  • establishment of a mechanism for supervision and reports regarding personal data protection issues.

Two Draft Guidelines Regarding Innovative Use of Data Proposed

The Ministry of Digital Affairs proposed drafts of the “Data Altruism Guideline” and the “Privacy-Enhancing Technologies Application Guideline”, aiming to promote the innovative use of data. Taking sports data as an example, a swimmer’s data (eg, age, gender, swimming distance, calories burned) can be used for research or for developing new services after de-identification. Furthermore, since numerous countries are actively engaged in the development and implementation of privacy-enhancing technologies (PETs), the Ministry of Digital Affairs also proposed the “Privacy-Enhancing Technologies Application Guideline” as a complementary measure to enhance privacy protection.

These guidelines are not mandatory but have been proposed to seek public opinion. If legislation is required, further amendments to the PDPA may also be proposed.

It is not mandatory to appoint a data protection officer. The Enforcement Rules of the PDPA suggest that data protection personnel should be allocated, and indicate that this will be one of the approaches towards establishing the appropriate data protection measures. However, according to the PDPA, governmental agencies should assign data protection personnel when they keep personal data.

According to the PDPA, the collection and processing of personal data (other than sensitive personal data) must be for and within a specified purpose, and must satisfy at least one of the following statutory criteria:

  • another law specifically provides that the data collector may collect the personal data without consent;
  • there is a contractual or quasi-contractual relationship between the data collector and the data subject;
  • the data subject has voluntarily made the personal data public;
  • the collection is necessary for statistical or academic research by an academic research institute in the public interest, and the personal data is processed or disclosed in a manner that does not permit identification of the data subject;
  • the data subject has given consent;
  • the collection is necessary for the public interest;
  • the personal data is obtained from a generally accessible source, unless the interest of the data subject takes priority over that of the data collector or data controller; and
  • the collection and processing of the personal data do not harm the rights and interests of the data subject.

As previously noted, certain sector-specific laws, regulations or guidance promulgated by the associations of specific industries provide the standards in respect of establishing cybersecurity systems that apply the concepts of “privacy by design” or “privacy by default”.

Under the PDPA, governmental agencies and non-governmental agencies should take appropriate data protection measures, which may include conducting privacy, fairness or legitimate impact analyses and other measures (such as preventing personal data from being stolen, altered, damaged, destroyed or disclosed). Furthermore, the relevant business governmental authority may designate a non-governmental agency to set up a plan of security measures for personal data or the disposal measures for personal data upon the termination of business.

According to the PDPA, the data subject shall have the following rights:

  • to access their personal data that has been collected;
  • to copy their personal data files;
  • to supplement or correct their personal data that has been collected;
  • to object to the collection, processing and use of their personal data; and
  • to request the deletion of their personal data that has been collected.

Any advance waiver of such rights by the data subject will be null and void.

The governmental agency or the non-governmental agency should ensure the accuracy of personal information and correct or supplement it, either ex officio/at its discretion or upon a request from the data subject. The governmental agency or non-governmental agency should – again, either ex officio/at its discretion or upon a request from the data subject – delete the personal data or discontinue the collection, processing or use of personal data in the following circumstances:

  • when the purpose of such data collection no longer exists or the stated time period expires, unless it is necessary for the performance of an official duty or the fulfilment of a legal obligation and has been recorded, or when it is agreed by the data subject in writing; or
  • when the collection, processing or use of such data violates the PDPA.

Under the PDPA, personal data could be used when it is necessary for a governmental agency or academic institute to perform statistical or other academic research only after anonymisation, de-identification and pseudonymisation. Currently, there is no law or regulation specifically regulating emerging technologies (such as profiling, microtargeting, automated decision-making, online monitoring or tracking, big data analysis or AI). Nevertheless, in the cases relevant to these emerging technologies, current laws may apply (eg, the PDPA and the Criminal Code), depending on the legal issues involved.

The PDPA aims to prevent harm to personality rights, which include reputation and privacy. Therefore, the concepts of “injury” or “harm” under the PDPA include both pecuniary and non-pecuniary damages. Also, if there is an infringement of reputation, appropriate measures to restore reputation may be requested.

Under the PDPA, “sensitive data” is defined as personal data regarding medical records, medical treatment, genetic information, sexual life, health examinations and criminal records. Such sensitive data may not be collected, processed or used unless the statutory requirements are satisfied (such as compliance with the laws and regulations, and obtaining written consent from the data subject).

AI Data

Currently, there are no general and primary rules governing AI data in Taiwan. Several draft bills governing the development of AI have been proposed but are still under debate in the Legislative Yuan. In the cases relevant to AI data, current laws (eg, the PDPA) shall apply.

Financial Data

Financial conditions fall within the definition of personal data under the PDPA, and the PDPA will apply thereto. Furthermore, under the Banking Act, a bank must keep customer information and related information on the deposits, loans or remittances of its customers and transaction materials in confidence.

Health Data

As previously noted, medical records and health examination records fall within the definition of personal data under the PDPA, and the PDPA will therefore apply. Furthermore, according to the National Health Insurance Act, the insurer (ie, the Bureau of National Health Insurance of the Ministry of Health and Welfare) may require hospitals to provide certain personal data necessary for the insurer to carry out and administer the business of national health insurance. The obtaining of information by the insurer in accordance therewith, and the storage and use of such information, should comply with the PDPA.

In 2018, the National Health Insurance Administration (NHIA) adopted a cloud-based medical records management platform, which aims to enable physicians to better understand a patient’s condition and to quickly deliver suitable services during regular and emergency visits by accessing historical diagnoses, test results and treatments saved on the cloud system. According to the National Health Insurance Act and the Regulations Governing the Production and Issuance of the National Health Insurance IC Card and Data Storage, medical care institutions shall access medical records stored in or uploaded through National Health Insurance IC Cards when providing medical services to patients based on medical needs. Therefore, since it is expressly required by law and is within the scope necessary for the NHIA to perform its statutory duties, the processing and use of medical records stored in the cloud system are in accordance with the PDPA.

Communications Data

There are no general and primary rules governing communications data in Taiwan (such as voice telephony, the internet or social media). If the content involves personal data collection, processing and use, it should be in compliance with the PDPA. If it involves certain specific offences or serious crimes, the Communication Security and Surveillance Act will govern, under which a warrant issued by the court will be required for obtaining the communications data of suspects or defendants.

The issue of the right to be forgotten was once discussed by the court. In a Taiwan Taipei District Court case (Case No 104-Su-Geng-Yi-Zi-31), the plaintiff (the former CEO of a professional baseball team) was charged with the offence of fraud owing to alleged involvement in a match-fixing scandal. Ultimately, the court rendered a judgment of not guilty. The individual then took legal action against a famous internet search engine, claiming that it should take down certain search results, which he claimed infringed his right of privacy, his reputation and his right to be forgotten.

Given the absence of a statutory provision directly addressing the right to be forgotten, the court discussed and interpreted the right to be forgotten based on the concept of the right of privacy. The court indicated that the match-fixing scandal involved the public interest and, furthermore, that the use of such information did not violate the PDPA since it was obtained from publicly available resources. Although such public information may impose certain restrictions on the plaintiff, such restrictions could be justified, since keeping such information publicly available would be in the public interest. A Supreme Court judgment (Case No 109-Tai-Shang-Zi-1015) adopted a different view and stated that the internet platform provider is obliged to examine the content if a user notifies the internet platform provider of the infringing content and requests removal. If there are reasons to believe the user’s assertion, the internet platform provider is obliged to take prevention measures in order to suspend the infringement, such as taking down the infringing content. Otherwise, the internet platform provider may be treated as an accomplice in the infringement of others’ rights.

From these judgments, it is obvious that the courts will make decisions on a case-by-case basis, based on the impact of the content being kept on the internet search engine or social media and the protection of public interest.

Children’s Privacy

Names, faces, characteristics and other personal identification information may relate to the privacy of children and constitute personal data, so the PDPA will apply thereto. In 2017, a parenting blogger uploaded a video on Facebook that showed her harshly dressing down her four-year-old daughter, who cried and confessed her wrongdoing. This video caught public attention and the blogger was criticised by the public for disregarding her child’s privacy. However, there has not yet been any case in Taiwan in which a child has sued a parent for infringement of their privacy or personal data protection.

The Protection of Children and Youths Welfare and Rights Act regulates the confidentiality requirements for the case files and personal data of children and youths who are subject to special treatment under the Act, as well as the information of their families. Furthermore, the Act prohibits certain information in respect of children and youths – such as criminal cases and drug abuse – from being disclosed in promotional material or on TV, the internet, other media or public channels. Failure to comply with the Act may result in administrative fines.

Given that children are exposed to online privacy threats and harmful information, a draft “Children’s Internet Personal Data Protection Act” was proposed in March 2020 to strengthen the protection of children’s data online. Under this draft, internet operators must take reasonable measures to protect the confidentiality, security and integrity of children’s data, and a violator may be subject to punitive damages of ten times the actual damages.

Students’ Data

More and more universities and high schools are implementing face recognition systems to track students’ class attendance or to allow access to the library by scanning students’ faces at the entrance and exit points. Nevertheless, critics worry that the excessive use of this technology could turn into the surveillance of students. The Ministry of Education has stipulated a guideline of personal data protection for schools using biometric characteristics recognition techniques. In addition to restating that the collection and use of personal data collected by the biometric characteristics recognition techniques shall be subject to the PDPA, the guideline stipulates that the original biometric characteristics data shall not be preserved unless necessary, and that the collected personal data shall be pseudonymised.

The PDPA regulates the collection and use of personal data for marketing purposes. When a non-governmental agency uses personal information for the purpose of marketing but the data subject has refused the marketing, such marketing must stop immediately. Also, the non-governmental agency should offer ways for the data subject to express their refusal at the time such marketing first appears in public, and should bear any necessary cost and expense of expressing such refusal.

Moreover, the Financial Holding Company Act provides that financial holding companies’ subsidiaries engaging in co-selling activities among themselves should apply to the FSC for prior approval and ensure that such activities will not harm the interests of customers. The subsidiaries of the financial holding company should comply with the provisions of the PDPA with regard to the joint collection, processing and use of the basic personal data and dealing or transaction records of customers.

In Taiwan, there are no general and primary rules regulating all types of online marketing. Nevertheless, for electronic marketing, the Consumer Protection Committee has promulgated guidance advising that enterprises collect and use consumers’ personal information in accordance with the law, and provide reasonable protective measures.

In Taiwan, issues relevant to workplace privacy mainly focus on email monitoring.

In most cases, a Taiwan court uses two standards to determine whether email monitoring is in violation of employees’ privacy rights, as follows:

  • whether the employees have a reasonable privacy expectation for these emails; and
  • if there is no reasonable privacy expectation, whether it is prohibited by law for employers to monitor employees’ emails.

The concept of “reasonable privacy expectation” is based on Article 3 of the Communication Security and Surveillance Act, which provides that the communications under surveillance are limited to those that have content that may reasonably be expected to be private or secret by the persons who are monitored, with sufficient factual support. Some court rulings further point out that if the company has an email policy in place and has explicitly stated that employees’ emails will be monitored, or if the employees have signed written consent for email monitoring, it is hard to say that the employees have a reasonable expectation of privacy for such emails.

Whistle-Blowing

According to the Labour Standards Act, upon the discovery of any violation by the business entity of labour laws or administrative regulations, an employee may file a complaint with the employer, the competent authorities or the inspection agencies. The employer cannot then:

  • terminate the employment relationship;
  • change the employment terms and conditions;
  • reduce the wages or the rights and other benefits; or
  • take any unfavourable measure against such employee.

If the employer violates any of these prohibitions, such action shall be null and void.

Also, the competent authority receiving the complaint should keep the identity of the complainant in confidence, and should not disclose any information that might reveal it. Any authority that violates this shall be liable for damages so caused to the complainant. In addition, public officials shall be held liable under criminal and administrative laws.

There are criminal liabilities and administrative liabilities under the PDPA. The standard for conviction in a criminal proceeding is “beyond a reasonable doubt” – ie, the prosecutor must present evidence that is credible and sufficient to prove that no reasonable doubt exists as to the defendant’s guilt. Regarding administrative sanctions, the governing authority must prove that an act in breach of duty under the PDPA has been committed intentionally or negligently.

Enforcement Penalties

The criminal penalties for violation of the PDPA include imprisonment for not more than five years, or criminal fines of not more than TWD1 million, or both.

The administrative penalties for violation of the PDPA are administrative fines of no less than TWD20,000 but no more than TWD1.5 million. The legal representative, manager or other representatives of a non-governmental agency may be subject to the same fines when the non-governmental agency receives an administrative fine.

If there are any other violations of other criminal laws or administrative laws or regulations, criminal or administrative penalties in accordance with such laws or regulations would be imposed.

Recent Enforcement Cases

On 28 November 2023, the Shanghai Commercial and Savings Bank was fined TWD10 million by the FSC for personal data leakage of their clients. According to the FSC, there are about 14,000 data subjects whose personal data (including names and information of ID cards) has been leaked. The FSC found that the lack of sufficient internal control systems resulted in the data leakage, and therefore imposed the fines on Shanghai Commercial and Savings Bank.

Private Litigation

In general, the burden of proof in civil litigation shall be borne by the plaintiff, who is obliged to establish all the requisite elements of a case through evidence. Therefore, if the plaintiff files a lawsuit for alleged privacy or data infringement under the Civil Code, the burden of proof is borne by the plaintiff, who has to establish that the defendant wrongfully damaged the plaintiff’s rights intentionally or negligently, and that injuries arose therefrom.

Nevertheless, the PDPA has special rules for the plaintiff’s burden of proof in a civil case under the PDPA – whereby the law lifts a certain burden of proof from the plaintiff. Therefore, once the plaintiff has met their burden of proof by establishing the infringement of their rights from a non-governmental agency’s illegal collection, processing and use of personal information, or from other means of infringement due to violations of the PDPA, the burden of proof shifts to the defendant to show that such action was unintentional or non-negligent.

If the plaintiff has proved that a governmental agency has infringed their personal data rights due to violations of the PDPA and that injuries have arisen therefrom, the governmental agency shall be liable for damages and compensation, unless it can prove that the damages were caused by natural disaster, incident or other force majeure.

Class Actions

Class actions are allowed in Taiwan. For cases caused by the same cause and fact, and where multiple data subjects are infringed, the organisations regulated by the PDPA may – after obtaining a written authorisation of litigation rights of 20 or more data subjects – represent such data subjects in bringing a lawsuit to the competent court in its own name.

The first data breach class action lawsuit was brought by the Consumers’ Foundation against a travel agency for the alleged illegal disclosure of collected personal data in March 2018.

Major Cases (Private)

In a Taiwan High Court Case (Case No 107-Shang-Yi-Zi-383), the plaintiff (a female successor of a large enterprise) claimed that the defendants (the plaintiff’s ex-husband, as well as a male successor of another large enterprise and his lawyer and private detectives) should compensate her for injuries caused by their use of a GPS locator on her car to track her location. The court opined that the plaintiff had a reasonable expectation of privacy for her movements and the places she visited, even if she was in public places, so the defendants had violated the plaintiff’s privacy by tracking her location without legitimate reasons using the GPS locator (the defendants explained that they used the GPS locator because the driver was under suspicion of drug abuse, but this explanation did not persuade the court). The defendants were ordered to compensate the plaintiff in non-pecuniary damages of TWD250,000.

Under the Communication Security and Surveillance Act, a warrant from the competent court will generally be required in order to obtain data in criminal cases.

The Communication Security and Surveillance Act sets up certain safeguards to protect privacy, as detailed below.

  • The enforcement authority must file at least one report every 15 days during the period of communications surveillance, describing the progress of conducting the surveillance and/or whether it is necessary to continue the surveillance. The prosecutor or the judge issuing the warrant may also order the enforcement authority to submit a report at any time. If a situation arises where the surveillance should not be conducted continuously, the judge shall withdraw the warrant and discontinue the surveillance, at their discretion based on experience and logic.
  • Surveillance devices shall not be installed or placed in a private residence.
  • Content obtained from surveillance that is irrelevant to the purpose of the surveillance shall not be included in the written record of such surveillance.
  • Prior to the expiry of the communications surveillance, the surveillance activity should be halted immediately if it is deemed unnecessary by the prosecutor or the trial judge.
  • When the communication surveillance ends, a notice will be provided to the person under surveillance stating:
    1. the relevant information of the surveillance case, and the case number of the authority issuing the warrant;
    2. the actual period of surveillance;
    3. whether communications information corresponding to the purpose of the surveillance has been obtained; and
    4. the remedy procedure.

When it is necessary to conduct surveillance on the domestic, cross-border or offshore communications of foreign forces or hostile foreign forces (or their agents) in order to collect intelligence on such forces – including organisations with the aim of operating international or cross-border terrorist activities – to protect national security, the head of the national security authority may issue a warrant to do so. If the subject under surveillance has household registration in Taiwan, the judicial approval level shall be escalated and prior approval from the judge of the High Court will be required. However, this restriction does not apply in the event of an emergency, in which case the national security authority should inform the competent High Court judge of the issuance of the warrant and obtain the permission ex post facto. If permission is not granted within 48 hours, the surveillance activity should be halted immediately.

The privacy safeguards are basically the same as for general criminal cases, provided that:

  • the decision to halt or continue the surveillance will be made by the head of the national security authority; and
  • the ex post written notice to the person under surveillance will only apply when the person under surveillance has household registration in Taiwan.

In Taiwan, the feasible solution will be by way of judicial co-operation assistance, which shall be processed by the governmental judicial agencies. Taiwan is not a signatory to the OECD Declaration of December 2022, and has not signed the CLOUD Act agreement with the USA. Nevertheless, Taiwan has signed agreements on mutual judicial co-operation in criminal matters with the USA, the Philippines, South Africa, China, Poland, the Republic of Nauru, Belize, the Slovak Republic, and Saint Vincent and the Grenadines. Taiwan has also signed agreements on mutual judicial co-operation in civil matters with China, Vietnam and the Slovak Republic. Under such agreements, an organisation invoking a foreign government access request may obtain and transfer personal data to foreign governmental agencies.

A recent case in which a judicial police officer placed a GPS locator on a suspect’s car to investigate a smuggling case sparked public debate in connection with government access to personal data. It was debated whether prosecutors or judicial police officers could collect and use GPS records for investigation purposes. The court opined that GPS records were non-public activities of people and that, therefore, collecting or using such GPS records would infringe privacy rights. Since there was no statutory basis for collecting and using GPS records to investigate crimes, there was no legal reason for prosecutors or judicial police officers to do so. However, some argued that such opinions would lead to difficulties in criminal investigations, and it was suggested that the authorities should amend the relevant laws to keep up with new technology.

In September 2020, the MOJ proposed a draft Technological Investigations Act, empowering the authorities to exploit new technology and equipment to conduct investigations. Following the criticism received for the alleged infringement of privacy rights, the MOJ has proposed a new draft bill of the “Technological Investigations and Protection Act”. This revised bill aims to strike a balance between using new technologies to facilitate the investigation of crimes and upholding fundamental protection of privacy rights.

Under the PDPA, the governmental authority in charge of the pertinent industry may limit international data transfers if:

  • they involve important national interests;
  • a national treaty or agreement specifies otherwise;
  • the country receiving personal information lacks proper regulations towards the protection of personal information and it might harm the rights and interests of the data subject; or
  • international transfers of personal information are made through an indirect method in which the provisions of the PDPA may not be applicable.

The communications enterprises, social worker offices or human resource agencies are prohibited by respective governmental authorities in charge of the pertinent industry from transferring their subscribers’ or their clients’ personal data to China, since China lacks proper regulations concerning personal data protection.

There are no specific mechanisms or derogations in Taiwan that apply to international data transfers.

If a financial institution wishes to outsource its data entry, processing and output operations of an information system related to consumer finance business to an offshore service provider, it must submit the documents to the FSC for approval.

Further, electronic payment businesses wishing to outsource their data-processing operations should obtain the FSC’s approval in advance.

In general, there is no specific data localisation requirement under the PDPA. As stated in 4.1 Restrictions on International Data Issues, international transfer of personal data is permitted in principle, unless otherwise prohibited by central governmental authorities. Nevertheless, competent authorities may still promulgate sectoral rules governing certain industries to store or process specific data within the territory of Taiwan.

No software code, algorithm, encryption or similar technical detail is required to be shared with the Taiwan government.

As previously noted (see 3.3 Invoking Foreign Government Obligations), the contractual parties should provide judicial co-operation assistance under the judicial co-operation assistance agreements, pursuant to which an organisation may collect or transfer data.

There is no concept of “blocking” in Taiwan.

Most emerging technologies – such as big data analytics, automated decision-making, profiling or microtargeting, AI, internet of things (IoT) or ubiquitous sensors, facial recognition, drones and “dark patterns” or online manipulation – are not specifically addressed in the law or regulations. Depending on the legal issues involved, different laws or regulations may apply, including the PDPA, the Criminal Code and the Trade Secrets Act. However, developments in the following fields are worth noting.

In December 2018, a provision governing autonomous vehicles was added to the Regulations of Road Transportation Safety, according to which any enterprise or car research institute with a legal registration certificate may apply for a licence and road test for autonomous vehicles. Relevant road safety regulations shall be applicable to such autonomous driving.

For issues related to AI, several draft bills have been proposed but are still under debate and discussion in the Legislative Yuan.

Biometric Data

Biometric data is specifically regulated under the Human Biobank Management Act and the Regulations Governing the Collection, Management and Use of Individual Biometric Data.

The Human Biobank Management Act regulates the establishment, management and applications of the human biobank, and protects the rights of information privacy of biological database participants. Under the Human Biobank Management Act, a “human specimen” includes derivatives – such as cells, tissues, organs or bodily fluids – that are collected from a human body or produced by experimental operations and are sufficient to provide adequate information to identify the participant’s biometrics. If the biometric data is stolen, leaked, tampered with or otherwise infringed, the operator of the biobank should immediately investigate the matter, report it to the competent authority and notify the relevant participants in an appropriate manner. Personnel engaged in the collection, processing, storage or use of biological specimens may not disclose any confidential or other personal data or information of the participant that is known or obtained as a result of their work.

The Regulations Governing the Collection, Management and Use of Individual Biometric Data, enacted in accordance with the Immigration Act, regulate the collection, management and use of fingerprints or facial characteristics for the National Immigration Agency of the Ministry of the Interior, as regards recognising an individual when foreign people enter Taiwan or apply for residency or permanent residency. Those who obtain the data within the scope of their authority or employment must maintain the confidentiality of such data, and shall be punished in accordance with the PDPA or relevant regulations if they violate this obligation.

In November 2017, a member of the Legislative Yuan proposed an amendment to revise the Household Registration Act, allowing the government to establish a database collecting a certain kind of biometric data of citizens for identification purposes (eg, the unique iris information of an individual). However, in Interpretation No 603, the Grand Justice held that fingerprints are important personal data, so are protected under rights of information privacy. Therefore, the government collecting the fingerprints of citizens without specifying the purposes of collecting such data in the Household Registration Act would be a violation of the Constitution. According to this interpretation, the collection of an individual’s iris information may also be in violation of the Constitution if there is no law specifying the compelling public purposes for collecting such data.

Given the conclusion of Interpretation No 603, the proposal in November 2017 to establish a database collecting certain kinds of biometric data from citizens was heavily criticised, and was finally withdrawn.

Geolocation

There have been criminal cases in which the defendants used GPS to record plaintiffs’ locations and to track vehicles. The issue involved therein was whether the drivers of the cars monitored by GPS had reasonable privacy expectations. In those cases, the courts gave an affirmative answer because, although the cars are seen on the road, people cannot tell where they come from and go to. Therefore, the drivers had reasonable privacy expectations for their movements. Accordingly, someone using GPS to track the movements of others would infringe their right to privacy and may be in violation of the Criminal Code and the PDPA.

Disinformation, Deepfakes or Other Online Harms

As fake news and disinformation spread more and more rapidly, they can influence users, manipulating them for political or economic reasons. To combat fake news and disinformation, relevant laws have been amended and sanctions on different types of fake news have been newly added. For example, sanctions for people who spread rumours or untrue information about “disasters” have been newly added to the Disaster Prevention and Protection Act. Similar sanctions for spreading fake news have also been added to the Food Administration Act, the Agricultural Products Market Transaction Act and the Act Governing Food Safety and Sanitation. Furthermore, the penalty for disseminating fake news concerning epidemic conditions of communicable diseases has been increased under the Communicable Disease Control Act.

The Legislative Yuan has passed the draft amendments to the Criminal Code, adding several offences regarding deepfakes, such as “distributing fictitious sexual images generated using computer synthesis or other technological methods” and “committing the offence of fraud by means of fake images or sound generated using computer synthesis or other technological methods”. Furthermore, amendments to the Civil Servants Election and Recall Act and the Presidential and Vice Presidential Election and Recall Act have been passed, providing that if a candidate becomes aware of a deepfake video of themselves, they may apply to the police for identification – if the video is identified as a deepfake, they may request the broadcast TV enterprises or internet service to stop broadcasting, restrict browsing, remove or take down said video, as the case may be.

Fiduciary Duty for Privacy or Data Protection

Neither the PDPA nor the Taiwan Company Act specifically provides that the violation of privacy or data protection will automatically constitute a breach of fiduciary duty; the matter is subject to the violation circumstance and would be determined by the competent court on a case-by-case basis.

In Taiwan, the government is devoted to the establishment of “digital government”. In 2007, the National Development Council outsourced the establishment of the Taiwan E-Governance Research Center (TEG), which seeks to systematically develop evaluation indices and databases of digital government-related planning, and to promote a wide range of e-governance collaboration and international co-operation and alignment.

The National Development Council formulated the “Digital Government Programme 2.0 of Taiwan (2021–2025)” to accelerate various response measures for promoting the government’s digital transformation. The National Development Council will:

  • co-ordinate the implementation of various ministries;
  • strengthen the transformation of cross-domain service processes from the needs of the people; and
  • use a safe and reliable data transmission platform to share data across agencies.

The government will continue its efforts in the following areas:

  • accelerating the release of high-value data and facilitating the utilisation of such data;
  • utilising the data of people’s livelihoods to optimise policies; and
  • intensifying the service provided with new technology.

The First Personal Data Infringement Class Action in Taiwan

The first personal data infringement class action was brought by the Consumers’ Foundation against a travel agency in March 2018, with the court rendering its decision in October 2019.

In this case, the Consumers’ Foundation claimed TWD4,509,575 of compensation on behalf of 25 consumers, on the grounds that a travel agency leaked the personal data collected and thus caused damages to the consumers. The travel agency countered that the data breach was caused by a malicious hacking attack, and that it had notified the data subjects of the data breach after the occurrence of such attack; therefore, it should not be held liable for the data breach.

The court rendered a judgment in favour of the defendant, opining that the travel agency had established a security and maintenance plan for the protection of personal data files, and that it had conducted internal audits, education and training for cybersecurity personnel and had changed the passwords for the computer system periodically.

Therefore, although there was a data breach caused by a hacking attack, the court held that the travel agency was not in violation of the PDPA and thus should not be held liable for the data breach. The Consumers’ Foundation filed an appeal against this judgment. During the proceedings in the court of second instance, the Consumers’ Foundation and the travel agency reached a settlement.

The First Grand Court Ruling Regarding the PDPA

In December 2020, the Grand Court made the first ruling regarding the PDPA.

The defendant had obtained the certificate of obligatory claim, the distribution table of compulsory enforcement and the stock report of his brother, and delivered such documentation to others. Since the defendant used the others’ personal data illegally with the intention of impairing another person’s interests, he was convicted of contravening Article 41 of the PDPA, which provides that “[I]f a person, with the intention of obtaining unlawful gains for himself/herself or a third party, or with the intention of impairing another person’s interests, is in violation of Paragraph 1, Article 6, Articles 15, 16, 19, and Paragraph 1, Article 20, or an order or decision relating to the restrictions on cross-border transfers made by the central government authority in charge of the industry concerned in accordance with Article 21 of the PDPA, thereby causing damage to others, the person shall be sentenced to imprisonment for no more than five years; in addition thereto, a fine of no more than TWD1 million may be imposed”.

The defendant filed an appeal to the Supreme Court, making a defence that “impairing another person’s interest” in Article 41 of the PDPA should be limited to “property interests”, and does not include non-property interests. Since the victim of the offence did not suffer any “property” damage, the defendant’s act did not constitute the above-mentioned offence. The Supreme Court ruled that this legal issue should be submitted to the Grand Court, since it is arguable whether “impairing another person’s interest” includes both property and non-property interests, and there were different opinions among the divisions of the Supreme Court.

The Grand Court made its decision on 9 December 2020, ruling that the “unlawful gains” referred to in “with the intention of obtaining unlawful gains for himself/herself or a third party” under Article 41 of the PDPA are limited to property interests, while the “interests” referred to in “with the intention of impairing another person’s interests” under Article 41 of the PDPA shall include both property and non-property interests.

In general legal due diligence, data protection compliance will be included in the overall legal compliance section, which focuses on whether the due diligence target has any judgment record or administrative punishment owing to non-compliance issues, including non-compliance with data protection. The internal data protection rules and data protection compliance in respect of employment matters will be the focus of legal due diligence as well.

Furthermore, due diligence coverage and density in respect of data protection will be enlarged for certain types of industry. For example, if the target company’s business is strongly involved in or related to personal data or information, such as a business related to targeted advertisements, the focus should be on whether/how the collection and processing of personal data comply with applicable laws. This may include (and might not be limited to) the following:

  • the type of data being collected and processed, and whether it includes any personal data or sensitive personal data;
  • if yes, how the business collects, uses, shares, stores and deletes personal data;
  • the lawful bases upon which the target company relies to collect and/or process personal data, and related supporting documents; and
  • if the personal data is not collected directly from data subjects themselves, what contractual arrangements are in place with the collector of the data.

As for an industry that collects consumers’ or customers’ personal data for promotion or other purposes (eg, retailers or financial services providers), since the competent authorities of certain industries (eg, internet retailers, banks or finance industries) have enacted security regulations and maintenance plans for the protection of personal data files, besides the above-mentioned areas, the due diligence scope may also include whether proper security measures are implemented to prevent the personal data from being stolen or disclosed, and whether there is a security and maintenance plan in place for the protection of personal data files in accordance with the relevant regulations.

Under Taiwan law, a listing company shall disclose material information regarding the company on the website designated and maintained by the authority. “Material information” includes any material effect on company finances or business resulting from an administrative disposition, and the occurrence of any material event that results in circumstances where the administrative fines for one single event have accumulated to TWD1 million or more, or that causes a material loss to the company. Therefore, if administrative fines are imposed for one single event accumulating to TWD1 million or more owing to violation of the Cyber Security Management Act (CSMA) (eg, failing to report knowledge of a cybersecurity incident to the central governmental authority), any cybersecurity incident causing material loss, or any of the administrative dispositions in accordance with the CSMA by the authority leading to a material effect on company finances or business, the listing company must disclose such information. The disclosure must include the information and content in the format required by the authority.

There are further disclosure requirements for certain specific industries, such as electronic payment enterprises, financial enterprises and travel agencies, which should report cybersecurity or data breaches to the competent authority pursuant to the applicable laws and regulations within the time limit requested thereunder.

News Media Bargaining Code Considered

As more and more people obtain news from the internet instead of from TV or newspapers, digital platforms, including social media platforms, increasingly contribute to the online distribution of news content.

In this way, many news publishers have become more dependent on digital platforms as key sources of traffic, and have no choice but to distribute their journalism via those internet platforms. Some regulatory initiatives have focused on ensuring the fair remuneration for news content distributed through internet platforms with substantial market power.

In Taiwan, some scholars have jointly proposed a draft Act after mainly consulting Australia’s News Media and Digital Platform Mandatory Bargaining Code. There are currently five versions of draft bills proposed to the Legislative Yuan for further discussion and consideration. The purpose of the draft bills is to facilitate the progress in empowering news media to bargain with digital platforms. Under the draft bills, a news business may apply to the competent authority (the Ministry of Digital Affairs) for registration to participate in the bargaining. A platform is obliged to negotiate with the news business to reach consensus on the sum to be paid over the use of news content. Mediation and/or an arbitration to settle on the amount to be paid for the news content are also available under the draft bills.

While the competent authority (the Ministry of Digital Affairs) addressing the issue of these competitive dynamics between news publishers and digital platforms has not decided on the approach to be taken in Taiwan, the proposed draft bills are among the options to be considered. According to the Ministry of Digital Affairs, in formulating the legislation regarding news media bargaining, the experience and legislative framework of other countries (such as the USA, Canada and Australia) should continuously be considered.

Proposed Bills Governing the Development of AI

The rapid advancement of AI has prompted significant attention from lawmakers in Taiwan, leading to several proposed draft bills aimed at governing both the development of AI and the potential risks and harms it may bring. Legislators are actively addressing the need for comprehensive regulatory frameworks to manage AI’s ethical implications and data privacy concerns. Different regulatory regimes have been proposed, such as a dedicated data act for AI, or special examination by a dedicated committee when an AI project involves sensitive data. These proposals are under debate and discussion in the Legislative Yuan and have not yet been enacted.

There are no further significant issues.

Chen & Lin

Bank Tower, 12th Floor
205 Tun Hwa North Road
Taipei
Taiwan (Republic of China), 105

+886 2 2715 0270

+886 2 2514 7510

chchen@chenandlin.com www.chenandlin.com
