The Personal Data Protection Act (PDPA) is the primary law regulating personal data protection. The PDPA was first enacted in August 1995 as the Computer-Processed Personal Data Act, and regulated governmental agencies and certain private sectors. The PDPA has been effective since 1 October 2012, and regulates any person, including governmental agencies and all private sectors, who collects, processes or uses personal data. Privacy and personal data protection are grounded in the constitutional protection of privacy.
In addition to the PDPA, the Legislative Yuan has also enacted certain special data protection requirements in some sector-specific laws, such as the Insurance Act, the Financial Holding Company Act, the Banking Act, the Human Biobank Management Act, the Pharmaceutical Affairs Act and the National Sports Act.
Furthermore, the Trade Secrets Act may apply if the trade secret of an enterprise is involved. If an offence against computer security is involved, then the criminal sanction of the Criminal Code of the Republic of China (the Criminal Code) may apply. If any national security issue is involved, the National Security Act may apply.
The Ministry of Justice (MOJ) is the main regulator for personal data protection and is in charge of proposing the draft bill of the PDPA, promulgating the Enforcement Rules of the PDPA and issuing various interpretations to answer questions in respect of compliance with the PDPA.
The enforcement of the PDPA is administered by the central governmental authorities that supervise the business operations of non-governmental agencies, and by local government authorities. Both central and local governmental authorities have the power to:
Under the PDPA, central and local governmental authorities have the power to conduct audits and inspections of non-governmental agencies. For such an audit or inspection, the authorities may enter the premises of non-governmental agencies, require information, and copy and retain documents. If the non-governmental agency refuses to provide the information and documents, the authorities may, using the least harmful means, adopt compulsory measures to obtain them. The non-governmental agency may raise an objection against such compulsory measures. However, if the governmental authority refuses to change the compulsory measures, the non-governmental agency may only contest them in the proceeding in which it contests the administrative decision on the merits.
Apart from the foregoing investigation procedure and the objection procedure, there are no special procedures regulating the administrative process for investigations and penalties, or the respondent’s due process and appeal rights. The general administrative laws govern, such as the Administrative Procedure Act, the Administrative Appeal Act and the Code of Administrative Procedure.
The national system of data protection adopts an "APEC-EU referential" approach. The meeting minutes of the Executive Yuan approving submission of the draft bill of the PDPA to the Legislative Yuan stated that the PDPA incorporates certain provisions of Directive 95/46/EC. In addition, as one of APEC’s member economies, Taiwan has adopted the APEC Privacy Framework, which sets out nine privacy protection principles; the PDPA also incorporates the principles of the APEC Privacy Framework.
In 2011, APEC developed the Cross-Border Privacy Rules (CBPR) system, under which companies trading within the member economies develop their own internal business rules consistent with the APEC privacy principles to secure cross-border data privacy. Taiwan joined the CBPR system in December 2018.
All major laws regulating privacy and personal data protection are at the national level. The relevant regulations at the subnational level concern solely the implementation of those national laws and regulations by the various functional bureaus of local government.
The major privacy or data protection NGOs include:
SROs (Industry Self-Regulatory Organisations)
Certain SROs for specific industries, particularly the financial industry, provide guidance to their members on data protection, confidentiality and cybersecurity. For example, the Bankers Association of the Republic of China provides guidance that advises members to take certain data protection measures, including maintaining the confidentiality of clients’ information, establishing safety control mechanisms for data protection and reporting any data breaches to the competent authority pursuant to the laws and regulations. The Life Insurance Association (LIA) of the Republic of China provides self-regulatory rules on handling cybersecurity and data protection. These require members, for example, to adopt rules on the use of mobile devices (including "bring your own device"), the use of social network media and the use of cloud services; to establish cybersecurity and data protection mechanisms pursuant to the evaluation principles set forth by the LIA; to establish app cybersecurity control and management mechanisms pursuant to the operation principles set forth by the LIA; and to adopt equipment disposal procedures that ensure confidential and sensitive information is removed and that data stored on hard drives cannot be recovered. The self-regulatory rules further provide that their contents shall be incorporated into the internal audit and control system, and that compliance reviews shall be conducted periodically.
Given the current regulatory status described above, the system for data protection and cybersecurity in Taiwan is still developing.
Taiwan adopts the civil law system, and most primary and general laws and regulations follow those of other civil law countries, such as Japan. On the other hand, many laws and regulations regarding modern technology follow US and EU laws. This multiple-reference approach is reflected in various laws and regulations, as well as in their interpretations. As a result, it is difficult to say that Taiwan’s data protection and cybersecurity regime follows any single specific model.
As noted above, the enforcement of the PDPA is administered by the central governmental authorities in charge of the relevant industries and by local governmental authorities, rather than by any single governmental authority. It is difficult to obtain a complete picture of the enforcement status of the different central and local governmental authorities, since they are not subject to mandatory public disclosure requirements. Given the absence of sufficient public information, there is no proper basis for concluding whether enforcement in Taiwan is relatively aggressive or not. However, based on the limited public information available, enforcement of data protection by the Financial Supervisory Commission (FSC) is relatively aggressive compared with other governmental authorities.
Endeavour to Seek an Adequacy Decision from the European Commission
To seek an “adequacy decision” from the European Commission, the Personal Data Protection Office was set up on 4 July 2018 to deal with relevant matters, and filed the evaluation report required for GDPR adequacy status. The National Development Council has conducted three negotiations for the adequacy decision; the second round of negotiations will be conducted during the spring of 2020. Being responsible for securing an adequacy decision from the European Commission, the National Development Council has also held several meetings with experts and scholars to conduct an overall review of the current PDPA.
According to the National Development Council, a committee will be established as an independent supervisory authority for personal data protection. Furthermore, a draft amendment to the current PDPA and an organic law for the independent supervisory authority for personal data protection are expected to be proposed. The draft amendment will focus on fulfilling the requirements for an adequacy decision, so as to achieve the goal of being granted an adequacy decision by the European Commission in 2020.
The Changeover of New Electronic Identification Cards
The Ministry of Interior has proposed a plan to issue new electronic identification cards that combine the functions of the existing national ID cards and Citizen Digital Certificates. This plan was approved by the Executive Yuan in August 2019, and the changeover will start in October 2020.
According to the Ministry of Interior, the new identification card will display only limited personal data: the cardholder’s name, date of birth and ID card number on the front, and marital status on the back. The cardholder’s birth date and the card issuance and expiration dates will be displayed in Chinese and English. Unlike the original identification cards, and in order to protect the cardholder’s privacy, details such as the cardholder’s gender, parents’ names, spouse’s name, birthplace, address and military service type/status will no longer be shown on the card, but will only be accessible via the chip embedded in the card.
The new electronic identification cards will be a physical as well as virtual proof of identification, and will allow digital signatures, privacy protection, and autonomy of information disclosure. These new cards aim to help with a transition to a “smart” government, and to boost innovative applications and industry development.
The plan to issue the new electronic identification cards has attracted criticism that the risk of data breaches will increase and that the cards may lead to inappropriate government surveillance, since the chip may use built-in RFID technology, which may enable remote tracking. Critics proposed that if the issuance of the new electronic identification card is imperative, there should at least be a comprehensive corresponding law and an authority established specifically to regulate this matter.
In response to such criticism, the Central Engraving and Printing Plant, which is in charge of producing the new electronic identification cards, has stated that the cards will be produced in accordance with the chip security standards and requirements of the International Civil Aviation Organization (ICAO) 9303 Standard and the ISO 14443 Standard. Furthermore, there will be a Unique ID (UID) in the chip of every electronic identification card to prevent misuse or leakage of the chips. On this basis, the Ministry of Interior restated that there will be no risk of cybersecurity or data breaches, and that there is no need to enact a new special law because the current PDPA and the Cyber Security Management Act (CSMA) already provide sufficient protection.
It seems that the plan to issue new electronic identification cards will be implemented as scheduled in spite of the contrary opinions.
Individual Immigration Data Accessible on National Health Insurance ID Cards to Cope Efficiently with the Covid-19 Outbreak in China
To prevent the potential adverse impact of the Covid-19 (originally called “2019-nCoV") outbreak in China from January 2020, the National Health Insurance Administration worked with the National Immigration Agency to link National Health Insurance cardholders’ records of travel to China, Hong Kong and Macao within the preceding 14 days to the National Health Insurance Administration's Covid-19 cloud database. As the number of Covid-19 infections continued to increase, the database was further expanded to cover travel records to Japan, South Korea, Singapore and Thailand, and the coverage period was extended from the past 14 days to the past 30 days. Hospitals and clinics will refer any patient with such a travel record and suspected related symptoms to designated hospitals for further appropriate medical treatment.
According to the Regulations Governing Immigration Inspection and Data Collection and Utilization, when a governmental agency needs to obtain individuals’ entry and departure information, it may submit an application stating its legal basis and purpose to the National Immigration Agency, which will provide such data after reviewing and approving the application. Furthermore, the National Health Insurance Act provides that the National Health Insurance Administration may require relevant agencies to provide the information necessary to carry out the business of national health insurance, which the agencies may not refuse. According to the PDPA, the National Health Insurance Administration may use such personal data based on the authority provided by law and the reasonable need to protect the data subject as well as the public. On this basis, the National Immigration Agency has the legal basis to provide such entry/departure information to the National Health Insurance Administration, and the National Health Insurance Administration likewise has the legal basis to use such personal data.
It is not a mandatory requirement to appoint a data protection officer. The Enforcement Rules of the PDPA suggest that data protection personnel be allocated, and indicate that doing so is one approach to establishing appropriate data protection measures. However, according to the PDPA, governmental agencies shall assign data protection personnel when they keep personal data.
According to the PDPA, the collection and processing of personal data (except sensitive personal data) shall be for and within a specified purpose, and shall meet one of the following statutory conditions:
As noted above, certain sector-specific laws and regulations or guidance promulgated by the associations of specific industries provide the standards in respect of establishing cybersecurity systems that apply the concepts of "privacy by design" or "privacy by default".
Under the PDPA, governmental agencies and non-governmental agencies shall take appropriate data protection measures, which may include privacy impact analyses and other measures to prevent personal data from being stolen, altered, damaged, destroyed or disclosed. Furthermore, the governmental authority in charge of the relevant industry may require a non-governmental agency to set up a plan for security measures for personal data, or for the disposal of personal data after the termination of business.
According to the PDPA, the data subject shall have the following rights:
Any advance waiver of any such rights by the data subject will be null and void.
The governmental agency or the non-governmental agency should ensure the accuracy of personal information and correct or supplement it, either ex officio/at its discretion or upon a request from the data subject. The governmental agency or non-governmental agency should – again, either ex officio/at its discretion or upon a request from the data subject – delete the personal data or discontinue the collection, processing or use of personal data when (i) the purpose of such data collection no longer exists or the stated time period expires, unless it is necessary for the performance of an official duty or the fulfilment of a legal obligation and has been recorded, or when it is agreed by the data subject in writing; or (ii) the collection, processing or use of such data violates the PDPA.
Under the PDPA, when it is necessary for a governmental agency or academic institute to perform statistical or other academic research, personal data may be used for this purpose only after anonymisation, de-identification or pseudonymisation. There is no law or regulation specifically regulating emerging technologies, such as profiling, automated decision-making, online monitoring or tracking, big data analysis, or artificial intelligence. Nevertheless, in cases involving these emerging technologies, current laws (eg, the PDPA and the Criminal Code) may apply, depending on the legal issues involved.
The PDPA aims to prevent harm to personality rights, which include reputation and privacy. Therefore, the concepts of "injury" or "harm" under the PDPA include both pecuniary and non-pecuniary damages. Also, if reputation is infringed, appropriate measures to restore reputation may be requested.
Under the PDPA, "sensitive data" is defined as personal data in respect of medical records, medical treatment, genetic information, sexual life, health examinations and criminal record. Such sensitive data shall not be collected, processed or used unless the statutory requirements are satisfied, such as compliance with the laws and regulations, and obtaining written consent from the data subject.
Financial conditions fall within the definition of personal data under the PDPA, and the PDPA will apply thereto. Furthermore, under the Banking Act, a bank shall keep customer information and related information on deposits, loans or remittances of its customers and transaction materials in confidence.
As noted above, medical records and health examination records fall within the definition of personal data under the PDPA, and the PDPA will apply. Furthermore, according to the National Health Insurance Act, the insurer (ie, the Bureau of National Health Insurance of the Ministry of Health and Welfare) may require hospitals to provide certain personal data that is necessary for the insurer to carry out and administer the business of national health insurance. The information obtained by the insurer in accordance with the above, and the storage and use of such information, should be in compliance with the PDPA.
During 2018, the National Health Insurance Administration adopted a cloud-based medical records management platform, which aims to enable physicians to better understand the patient’s condition and quickly deliver suitable services during regular and emergency visits by accessing historical diagnoses, test results and treatments saved on the cloud system. According to the National Health Insurance Act and Regulations Governing the Production and Issuance of the National Health Insurance IC Card and Data Storage, medical care institutions shall access medical records stored in or uploaded through National Health Insurance IC Cards when providing medical services for patients based on medical needs. Therefore, since it is expressly required by law and is within the necessary scope for the National Health Insurance Administration to perform its statutory duties, the processing and use of medical records stored in the cloud system are in accordance with the PDPA.
There is no specific law in Taiwan directly addressing the general and primary rules governing any specific kind of communication data, such as voice telephony, internet or social media. If the content involves personal data, its collection, processing and use shall comply with the PDPA. If it involves certain specific offences or serious crimes, the Communication Security and Surveillance Act will govern; under this act, a warrant issued by the court is required for obtaining the communication data of suspects or defendants.
The issue of the right to be forgotten was once discussed by the court. In a Taiwan Taipei District Court case (case No 104-Su-Geng-Yi-Zi-31), the plaintiff, the former CEO of a professional baseball team, was charged with the offence of fraud due to alleged involvement in a match-fixing scandal. In the end, the court rendered a judgment of not guilty. The individual then took legal action against a well-known internet search engine and claimed that the defendant, ie, the search engine, should take down certain search results. He claimed that the search results had infringed his right of privacy, his reputation and his right to be forgotten. Given the absence of a statutory provision directly addressing the right to be forgotten, the court discussed and interpreted the right to be forgotten based on the concept of the right of privacy. The court indicated that the match-fixing scandal involved the public interest and, further, that the use of such information did not violate the PDPA since it was obtained from publicly available sources. Although such public information may impose certain restrictions on the plaintiff, such restrictions could be justified, since keeping the information publicly available is in the public interest.
Names, faces, characteristics and other personal identification information relate to the privacy of children and constitute personal data, so the PDPA applies to them. In 2017, a parenting blogger uploaded a video on Facebook that showed the blogger harshly dressing down her four-year-old daughter, who cried and confessed her wrongdoing. This video caught public attention and the blogger was blamed by the public for disregarding her child’s privacy. However, there has not yet been any case in Taiwan in which a child has sued a parent for infringement of his or her privacy or personal data protection.
The Protection of Children and Youths Welfare and Rights Act regulates the confidentiality requirement for the case files and personal data of children and youths who are subject to special treatment under the act, as well as the information of their families. Furthermore, the act prohibits certain information about children and youths, such as criminal cases and drug abuse, from being disclosed in promotional material or on TV, the internet, other media or other public channels. Failure to comply with the act may result in administrative fines.
More and more universities and high schools are implementing face recognition systems to track students’ class attendance or to grant access to the library by scanning students’ faces at the entrance and exit points. Nevertheless, critics worry that excessive use of this technology could turn into surveillance of students. The Ministry of Education has issued a guideline on personal data protection for schools using biometric recognition techniques. Besides restating that the collection and use of personal data gathered by biometric recognition techniques are subject to the PDPA, the guideline stipulates that the original biometric data shall not be retained unless necessary, and that the collected personal data shall be pseudonymised.
The PDPA regulates the collection and use of personal data for marketing purposes. When a non-governmental agency uses personal information for the purpose of marketing and the data subject refuses, such marketing shall cease immediately. Also, the non-governmental agency shall offer the data subject a means of expressing his or her refusal when such marketing first appears, and shall bear the necessary costs and expenses of expressing such refusal.
Moreover, the Financial Holding Company Act provides that subsidiaries of financial holding companies engaging in co-selling activities among themselves shall apply to the FSC for prior approval and ensure that such activities will not harm the interests of customers. The subsidiaries of the financial holding company shall comply with the provisions of the PDPA with regard to the joint collection, processing and use of customers’ basic personal data and dealing or transaction records.
There is no specific law in Taiwan that directly addresses the general and primary rules regulating all types of online marketing. Nevertheless, for electronic marketing, the Consumer Protection Committee has promulgated guidance advising that enterprises shall collect and use consumers’ personal information in accordance with the law, and provide reasonable protective measures.
In Taiwan, issues relevant to workplace privacy focus mainly on email monitoring.
In most cases, the Taiwan court uses two standards to determine whether email monitoring is in violation of employees’ privacy rights, as follows:
The concept of "reasonable privacy expectation" is based on Article 3 of the Communication Security and Surveillance Act, which provides that the communications subject to surveillance are limited to those whose content the monitored persons may reasonably expect to be private or secret, with sufficient factual support. Some court rulings further point out that if the company has an email policy in place that explicitly states that employees’ emails will be monitored, or if the employees have signed written consent to email monitoring, then it is hard to say that the employees have a reasonable expectation of privacy in such emails.
According to the Labour Standards Act, upon the discovery of any violation by the business entity of labour laws or administrative regulations, an employee may file a complaint to the employer, the competent authorities or the inspection agencies. The employer cannot then terminate the employment relationship, change the employment terms and conditions, reduce the wages or the rights and other benefits, or take any unfavourable measure against such employee. If the employer violates any of these prohibitions, such action shall be null and void.
Also, the competent authority receiving the complaint shall keep the identity of the complainant confidential, and shall not disclose any information that might reveal the complainant’s identity. Any authority that violates this shall be liable for the damages so caused to the complainant. In addition, public officials shall be held liable under criminal and administrative laws.
There are criminal liabilities and administrative liabilities under the PDPA. The standard for conviction in a criminal proceeding is "beyond a reasonable doubt", ie, the prosecutor must present evidence that is credible and sufficient to prove that no reasonable doubt exists as to the defendant’s guilt. As regards administrative sanctions, the governing authority must prove that an act in breach of a duty under the PDPA has been committed intentionally or negligently.
The criminal penalties for violation of the PDPA include imprisonment for not more than five years, or criminal fines of not more than TWD1 million, or both.
The administrative penalties for violation of the PDPA are administrative fines of no less than TWD20,000 but no more than TWD500,000. Also, the legal representative, manager or other representatives of a non-governmental agency may be subject to the same fines when the non-governmental agency receives an administrative fine.
If there are any other violations of other criminal laws or administrative laws or regulations, criminal or administrative penalties in accordance with such laws or regulations would be imposed.
Recent Enforcement Cases
In May 2019, Nan Shan Life Insurance Company was fined TWD2,400,000 by the FSC. Nan Shan Life Insurance Company was found, among other things, to have failed to establish a procedure to handle non-significant cybersecurity incidents and abnormal events found by its management platform. Furthermore, the personal data collected by Nan Shan Life Insurance Company could be copied to personal computers without control measures, and such personal data was not pseudonymised.
In September 2019, Allianz Life Insurance Company was fined TWD4,000,000 by the FSC for, among other offences, failing to establish specific procedures to fix vulnerabilities and track progress in handling a cybersecurity incident, which may therefore result in improper management.
In general, the burden of proof in civil litigation is borne by the plaintiff, who is obligated to establish, through evidence, all the requisite elements of the case. Therefore, if the plaintiff files a lawsuit for alleged privacy or data infringement under the Civil Code, the burden of proof is borne by the plaintiff, who has to establish that the defendant wrongfully damaged the plaintiff’s rights intentionally or negligently and that injuries arose therefrom.
Nevertheless, the PDPA has special rules for the plaintiff’s burden of proof in a civil case under the PDPA, which relieve the plaintiff of part of the burden of proof. Once the plaintiff has met his or her burden of proof by establishing the infringement of his or her rights through a non-governmental agency’s illegal collection, processing and use of personal information, or through other infringements arising from violations of the PDPA, the burden of proof shifts to the defendant to show that it acted neither intentionally nor negligently.
If the plaintiff has proved that a governmental agency has infringed his or her rights in personal data through violations of the PDPA and that injuries have arisen therefrom, the governmental agency is liable for damages and compensation, unless it can prove that the damages were caused by natural disaster, accident or other force majeure.
Class actions are allowed in Taiwan. For cases arising from the same cause and facts, and where multiple data subjects are infringed, an organisation regulated by the PDPA may, after obtaining written authorisation of litigation rights from 20 or more data subjects, represent such data subjects in bringing a lawsuit before the competent court in its own name.
The first data breach class action lawsuit was brought by the Consumers’ Foundation against a travel agency for the alleged illegal disclosure of collected personal data in March 2018.
Major Cases (Private)
In a Taiwan High Court case (case No 107-Shang-Yi-Zi-383), the plaintiff (a female successor of a large enterprise) claimed that the defendants (the plaintiff’s ex-husband, together with a male successor of another large enterprise, his lawyer and private detectives) should compensate her for injuries caused by their use of a GPS locator on her car to track her location. The court opined that even if the plaintiff was in public places, she still had a reasonable expectation of privacy regarding her movements and the places she visited; therefore, the defendants had violated the plaintiff’s privacy by tracking her location with the GPS locator without legitimate reasons (the defendants explained that they used the GPS locator because the driver was suspected of drug abuse, but this explanation did not persuade the court). The defendants were ordered to pay the plaintiff non-pecuniary damages of TWD250,000.
Under the Communication Security and Surveillance Act, a warrant from the competent court will generally be required for obtaining data in criminal cases.
The Communication Security and Surveillance Act sets up certain safeguards to protect privacy, as detailed below.
When it is necessary to conduct surveillance on the domestic, cross-border or offshore communications of foreign forces or hostile foreign forces (or their agents) in order to collect intelligence on foreign forces or hostile foreign forces – including organisations with the aim of operating international or cross-border terrorist activities – to protect national security, the head of the national security authority may issue a warrant to do so. If the subject under surveillance has household registration in Taiwan, the judicial approval level shall be escalated and prior approval from the judge of the High Court will be required. However, this restriction does not apply in the event of an emergency, in which case the national security authority should inform the competent High Court judge of the issuance of the warrant and obtain the permission ex post facto. If permission is not granted within 48 hours, the surveillance activity should be halted immediately.
The privacy safeguards are basically the same as for general criminal cases, provided that (i) the decision to halt or continue the surveillance will be made by the head of the national security authority; and (ii) the ex post written notice to the person under surveillance will only apply when the person under surveillance has household registration in Taiwan.
In Taiwan, the feasible solution will be by way of judicial co-operation assistance, which shall be processed by the governmental judicial agencies. Taiwan has not signed the Cloud Act agreement with the USA, but has signed agreements on mutual judicial co-operation in criminal matters with the USA, the Philippines, South Africa and China. Taiwan has also signed agreements on mutual judicial co-operation in civil matters with China and Vietnam. Under such agreements, an organisation invoking a foreign government access request may obtain and transfer personal data to foreign governmental agencies.
A recent case, in which a judicial police officer applied a GPS locator on a suspect’s car to investigate a smuggling case, sparked public debate in connection with government access to personal data. It was debated whether prosecutors or judicial police officers could collect and use GPS records for investigation purposes. The court opined that GPS records were non-public activities of people and that, therefore, collecting or using such GPS records would infringe privacy rights. Since there was no statutory basis to collect and use GPS records to investigate crimes, there was no legal reason for prosecutors or judicial police officers to do so. However, some argued that such opinions would lead to difficulties in criminal investigations, and it was suggested that the authorities should amend the relevant laws to keep up with new technology.
Under the PDPA, the governmental authority in charge of the pertinent industry may limit international data transfers if:
On 25 October 2012, the National Communications Commission issued an administrative rule stating that communications enterprises are prohibited from transferring their subscribers’ personal data to China, since China lacks proper regulations towards personal data protection.
There is no specific mechanism in Taiwan that applies to international data transfers.
If a financial institution would like to outsource its operations of data entry, processing and output of an information system related to consumer finance business to an offshore service provider, it must submit the documents to the FSC for approval.
There is no data localisation requirement under Taiwan law.
No software code or algorithm or similar technical detail is required to be shared with the Taiwan government.
As noted above, the contractual parties shall provide judicial co-operation assistance under the judicial co-operation assistance agreements, pursuant to which an organisation may collect or transfer data.
There is no concept of "blocking" in Taiwan.
Most of the emerging technologies – such as big data analytics, automated decision-making, profiling, artificial intelligence, Internet of Things (IoT), facial recognition and drones – are not specifically addressed in the law or regulations. Depending on the legal issues involved, different laws or regulations may apply, including the PDPA, the Criminal Code and the Trade Secrets Act. However, developments in the following fields are worth noting.
In December 2018, a provision governing autonomous vehicles was added to the Regulations of Road Transportation Safety. According to this provision, any enterprise or car research institute with a legal registration certificate may apply for a licence and road test for autonomous vehicles. Relevant road safety regulations shall be applicable to such autonomous driving.
Biometric data is specifically regulated under the Human Biobank Management Act and the Regulations Governing the Collection, Management and Use of Individual Biometric Data.
The Human Biobank Management Act regulates the establishment, management and applications of the human biobank. It also protects the rights of information privacy of biological database participants. Under the Human Biobank Management Act, a "human specimen" includes derivatives – such as cells, tissues, organs or bodily fluids – that are collected from a human body or produced by experimental operations and are sufficient to provide adequate information for identifying the participant’s biometrics. In the event that the biometric data is stolen, leaked, tampered with or otherwise infringed, the operator of the biobank shall immediately investigate the matter, report it to the competent authority and notify the relevant participants in an appropriate manner. Personnel engaged in the collection, processing, storage or use of biological specimens shall not disclose any confidences or other personal data or information of the participant that is known or obtained as a result of their work.
The Regulations Governing the Collection, Management and Use of Individual Biometric Data, enacted in accordance with the Immigration Act, regulate the collection, management and use of fingerprints or facial characteristics for the National Immigration Agency of the Ministry of the Interior to recognise an individual when foreign people enter Taiwan or apply for residency or permanent residency. Those who obtain the data within the scope of their authority or employment shall maintain the confidentiality of such data, and shall be punished in accordance with the PDPA or relevant regulations if they violate the obligation of confidentiality.
In November 2017, a member of the Legislative Yuan proposed an amendment to the Household Registration Act that would allow the government to establish a database collecting certain kinds of citizens’ biometric data (eg, an individual’s unique iris information) for identification purposes. However, in Interpretation No 603, the Grand Justices held that fingerprints are important personal data and are therefore protected under the right of information privacy. Accordingly, the government’s collection of citizens’ fingerprints without specifying the purposes of such collection in the Household Registration Act would violate the constitution. Following this interpretation, the collection of an individual’s iris information may likewise violate the constitution if no law specifies the compelling public purposes for collecting such data.
Given the conclusion of Interpretation No 603, the proposal in November 2017 to establish a database collecting certain kinds of biometric data from citizens was heavily criticised, and the proposal was finally withdrawn.
There have been criminal cases in which the defendants used GPS to record the plaintiffs’ locations and track their vehicles. The issue in those cases was whether the drivers of the cars monitored by GPS had a reasonable expectation of privacy. The courts answered in the affirmative: although the cars can be seen on the road, other people cannot tell where they have come from or where they are going, so the drivers had a reasonable expectation of privacy in their movements. Accordingly, using GPS to track the movements of others infringes the right of privacy and may violate the Criminal Code and the PDPA.
In Taiwan, the government is devoted to the establishment of “digital government”. In 2007, the National Development Council outsourced the establishment of the Taiwan E-Governance Research Center (TEG), which seeks to systematically develop evaluation indices and databases of digital government-related planning, and to promote a wide range of e-governance collaboration and international co-operation and alignment.
The missions of TEG include the following:
During the earlier phase of digital government, the government focused mainly on building the government network infrastructure, developing internet applications, and promoting and popularising government internet services. During the fourth phase (2012-2016), the digital government programme sought to provide comprehensive services by improving internal operational efficiency and enhancing the quality of services available to the public, with a focus on social care and fair participation as part of a vision of seamless services and improving people’s lives. 2017-2020 is the fifth phase of digital government, and the goal is to achieve three objectives of “providing people-centric convenient services”, “implementing open, transparent and smart governance”, and “optimising evidence-based effective policy”.
The First Personal Data Infringement Class Action in Taiwan
The first personal data infringement class action was brought by the Consumers’ Foundation against a travel agency in March 2018, with the court rendering its decision in October 2019.
In this case, the Consumers’ Foundation claimed TWD4,509,575 in compensation on behalf of 25 consumers, on the grounds that the travel agency had leaked the personal data it collected and thereby caused damage to the consumers. The travel agency countered that the data breach was caused by a malicious hacking attack and that it had notified the data subjects of the breach after the attack occurred; therefore, it should not be held liable for the data breach.
The court rendered a judgment in favour of the defendant, opining that the travel agency had established a security and maintenance plan for the protection of personal data files, and that it had conducted internal audits, education and training for cybersecurity personnel, and changed the passwords for the computer system periodically.
Therefore, although a data breach had been caused by a hacking attack, the court held that the travel agency was not in violation of the PDPA and should not be held liable for the breach. The Consumers’ Foundation has filed an appeal against this judgment, which is now pending before the Taiwan High Court.
Personal Data Infringement on the Website of Employment Agency
During 2017, a job seeker (who was also a member of an employment agency’s website) complained to the employment agency that he kept receiving interview invitations from an insurance company, even though he had chosen to block this type of company from obtaining his personal data. The employment agency then filed a criminal report with the authorities. After investigation, the prosecutor found that many job seekers on the website had chosen to block insurance companies from obtaining their contact information. In order to recruit employees, an employee of an insurance company had borrowed the account of another, non-insurance company to obtain the job seekers’ personal data (including names, dates of birth, education, occupation, ID numbers and contact information). The prosecutor indicted this employee for the illegal collection and processing of personal data. The court found that the defendant had violated the PDPA through his illegal collection and processing of personal data, and sentenced him to six months’ imprisonment.
Data Breach Regarding One of Taiwan’s Confirmed Cases of Covid-19
Due to the threat of Covid-19, police agencies periodically check on residents under home quarantine. A deputy police chief stationed at a Taipei police precinct allegedly took photographs of a person’s file, which included the name, address and diagnosis, while checking on a Taipei resident under home quarantine who was one of Taiwan’s confirmed cases of Covid-19. The deputy police chief then allegedly shared the personal information with a few friends on social media. The case has been referred to prosecutors to investigate a breach of the PDPA and the Criminal Code.
First Commercial Bank Data Breach
From May 2016, a criminal group exploited loopholes in the call recording system of First Commercial Bank’s London branch to hack into its ATM system and insert malicious software. From 10-12 July 2016, members of the criminal group approached 21 targeted ATMs in 22 branches of First Commercial Bank and, in collaboration with their accomplices overseas, withdrew more than TWD83.27 million in cash. The investigating authority arrested three foreign suspects who were still in Taiwan and retrieved TWD77.48 million of the withdrawn funds. The three suspects were indicted and, for violations of Article 359 and Article 339-2 of the Criminal Code, sentenced to four years and ten months, four years and eight months, and four years and six months respectively, with criminal fines of TWD50,000, TWD40,000 and TWD30,000.
According to Article 45-1, paragraph 1 of the Banking Act, a bank shall establish an internal control system and an audit system; the regulations governing the objectives, principles, policies and operating procedures of those systems, the qualifications and conditions for internal auditors, the scope of internal control audits that a certified public accountant shall be engaged to undertake, and other matters requiring compliance shall be prescribed by the competent authority. Because of the security flaw that led to the above abnormal withdrawals, on 13 September 2016 the FSC fined First Commercial Bank TWD10 million for violating Article 45-1, paragraph 1, pursuant to Article 129, sub-paragraph 7 of the Banking Act, and ordered the bank to suspend ATM cardless withdrawals temporarily in accordance with sub-paragraph 2, paragraph 1, Article 61-1 of the Banking Act; the facility was resumed on 7 June 2017.
Far Eastern International Bank Data Breach
On 3 and 5 October 2017, malicious software was reportedly inserted into the system of Far Eastern International Bank, and USD60 million was transferred to accounts in Cambodia, Sri Lanka and the USA through the international SWIFT banking network. All but USD160,000 of the stolen funds were retrieved by the bank. The police in Sri Lanka have reportedly arrested two suspects.
On 12 December 2017, the FSC indicated that the bank’s information security defence system was not completely sound, that the account management was inappropriate, that the bank had not strengthened its SWIFT safety system nor effectively conveyed the relevant rules and regulations to be complied with, and that the bank’s internal control was not effectively implemented. Far Eastern International Bank was fined TWD8 million for the violation of Article 45-1, paragraph 1 according to Article 129, sub-paragraph 7 of the Banking Act. The FSC also requested the bank to raise the expertise level of its information security unit, increase the number of members in its information security team, enhance its awareness of information security risk and strengthen the function of its information security system.
In general legal due diligence, data protection compliance is included in the overall legal compliance section, which focuses on whether the due diligence target has any record of judgments or administrative penalties arising from non-compliance, including non-compliance with data protection requirements. The target’s internal data protection rules and its data protection compliance in respect of employment matters will also be a focus of legal due diligence.
Furthermore, the coverage and depth of due diligence in respect of data protection will be expanded for certain types of industry. For example, if the target company’s business is heavily involved in or dependent on personal data or information, such as a business based on targeted advertising, the focus should be on whether and how its collection and processing of personal data comply with applicable laws. This may include, but is not limited to, the following:
As for industries that collect consumers’ or customers’ personal data for promotion or other purposes (eg, retailers or financial services providers), the competent authorities of certain industries (eg, internet retailers, banks or the finance industry) have enacted security regulations and maintenance plan requirements for the protection of personal data files. In addition to the areas mentioned above, the due diligence scope may therefore also cover whether proper security measures are implemented to prevent personal data from being stolen or disclosed, and whether a security and maintenance plan for the protection of personal data files is in place in accordance with the relevant regulations.
Under Taiwan law, a listed company shall disclose material information regarding the company on the website designated and maintained by the authority. “Material information” includes any material effect on the company’s finances or business resulting from an administrative disposition, and the occurrence of any material event in which the administrative fines for a single event accumulate to TWD1 million or more, or which causes a material loss to the company. Therefore, a listed company shall disclose such information if administrative fines for a single event accumulate to TWD1 million or more due to a violation of the CSMA (eg, failing to report knowledge of a cybersecurity incident to the central governmental authority), if a cybersecurity incident causes a material loss, or if an administrative disposition under the CSMA by the authority leads to a material effect on the company’s finances or business. The disclosure shall include the information and content in the format required by the authority.
There are further disclosure requirements for certain specific industries, such as electronic payment enterprises, financial enterprises and travel agencies. Such enterprises shall report cybersecurity or data breaches to the competent authority pursuant to the applicable laws and regulations within the time limit requested thereunder.
There are no further significant issues.