Data Protection & Privacy 2024

Last Updated February 13, 2024

Taiwan

Law and Practice

Chen & Lin counts data protection as one of its main practice areas, due to the emerging technologies that are accumulating, compiling and analysing immense volumes of data. In total, the data protection group has 15 lawyers across three locations (Taipei, Hsinchu and Kaohsiung), who provide advice and assistance to clients from all over the world. The team combines legal experience and adaptability with advanced hi-tech skills and development. The firm is also well connected with law firms in other countries, and is able to provide an international service as a result of co-operation and co-ordination with those firms. Key practice areas include: compliance; providing the latest regulatory developments; advising on appropriate measures for protecting an owner’s data and not infringing another’s right to data; reviewing and commenting on market practice relating to data protection; handling dispute resolution; assisting clients in navigating investigations or court proceedings; defending allegations of infringement; and asserting and enforcing data protection regulations or contract arrangements.

The Personal Data Protection Act (PDPA) is the primary law regulating personal data protection. It was first enacted in August 1995, as the Computer-Processed Personal Data Protection Act, and regulated governmental agencies and certain private sectors. The PDPA has been effective since 1 October 2012, and regulates any person – including governmental agencies and all private sector entities – who collects, processes or uses personal data. Privacy and personal data protection are related to the constitutional protection of privacy.

In addition to the PDPA, the Legislative Yuan has also enacted certain special data protection requirements in some sector-specific laws, such as:

  • the Insurance Act;
  • the Financial Holding Company Act;
  • the Banking Act;
  • the Human Biobank Management Act;
  • the Pharmaceutical Affairs Act; and
  • the National Sports Act.

Furthermore, the Trade Secrets Act may apply if the trade secrets of an enterprise are involved. If an offence against computer security is involved, the criminal sanctions of the Criminal Code of the Republic of China may apply. If any national security issue is involved, the National Security Act may apply.

There is no single specific law in Taiwan that regulates all sensitive digital technologies such as artificial intelligence (AI). On the contrary, the different sector-specific laws will cover and govern different aspects and applications of sensitive digital technology such as AI. Recently, legislators have proposed several versions of draft bills governing AI, given its rapid development. These proposals are still under debate and discussion, and have not yet been adopted.

On 16 May 2023, the Legislative Yuan passed amendments to the PDPA to urge non-governmental agencies (ie, the private sector) to invest manpower, technology and funds in fulfilling their data protection obligations, and to provide support to the relevant enforcement authorities in combating fraudsters. The two main points of these amendments are as follows:

  • raising the administrative penalties imposed against non-governmental agencies for violating the obligation of security and maintenance measures; and
  • designating the “Personal Data Protection Commission” (PDPC) as the dedicated competent authority of the PDPA.

See 1.7 Key Developments. The PDPC is scheduled to be officially launched by August 2025.

The Ministry of Digital Affairs, which has been given a broad mandate including overseeing the development of digital infrastructure and cybersecurity, is also in charge of policy and regulation of data security. The Ministry of Digital Affairs may also propose further implementation rules to regulate digital technology in more detail. For example, the Ministry of Digital Affairs has enacted the “Regulations Regarding the Security Protection Plan for the Processing of Personal Information Files in Digital Economy Industry-Related Non-government Agencies” to improve data security in the digital economy industries.

Since the amendments to the PDPA were passed, the PDPC will be the dedicated competent authority of the PDPA. Upon its official launch, the PDPC will integrate those enforcement powers and responsibilities (stated below) spread among the Ministry of Justice (MOJ), the National Development Council, central governmental authorities that supervise the business operation of non-governmental agencies, and local government authorities. The PDPC will also be in charge of promulgating relevant Enforcement Rules of the PDPA. Before the official launch of the PDPC (scheduled for August 2025), the relevant regulators and their authorities are as below.

The MOJ is the main regulator for personal data protection and is in charge of proposing the draft bill of the PDPA, and promulgating the Enforcement Rules of the PDPA. The MOJ and the National Development Council are in charge of issuing various interpretations to answer questions in respect of compliance with the PDPA.

The enforcement of the PDPA is administered by the central governmental authorities that supervise the business operation of non-governmental agencies, and local government authorities. Both central and local governmental authorities have the power to:

  • carry out audits and inspections on non-governmental agencies;
  • request information;
  • demand rectification; and
  • impose administrative penalties against non-governmental agencies for non-compliance with the PDPA.

Under the PDPA, central and local governmental authorities have the power to conduct an audit and inspection on non-governmental agencies, for which they may access the premises of non-governmental agencies, request information, and copy and retain documents. If the non-governmental agency refuses to provide the information and documents, the authorities may – to the extent of least harm – adopt compulsory measures to obtain such information and documents. The non-governmental agency may raise an objection against such compulsory measures. However, if the governmental authority refuses to change such compulsory measures, the non-governmental agency may only argue against such compulsory measures in the proceeding in which it argues the administrative decision on the merits.

As stated in 1.2 Regulators, upon its official launch scheduled for August 2025, the PDPC will be in charge of enforcing the PDPA and will integrate those enforcement powers and responsibilities currently spread among central and local governmental authorities.

Except for the foregoing investigation procedure and the objection procedure described above, there are no special procedures regulating the administrative process in respect of investigations and imposed penalties, or in respect of the respondent’s due process and appeal rights and procedures. The general administrative laws will govern, such as:

  • the Administrative Procedure Act;
  • the Administrative Appeal Act; and
  • the Code of Administrative Procedure.

The national system in respect of data protection adopts an “APEC-EU referential” approach. The meeting minutes of the Executive Yuan in connection with the approval to submit the draft bill of the PDPA to the Legislative Yuan stated that the PDPA incorporates certain provisions of Directive 95/46/EC. As one of APEC’s member economies, Taiwan has implemented the APEC Privacy Framework, which sets out nine principles in respect of privacy protection; the PDPA also incorporates the principles of the APEC Privacy Framework.

In 2011, APEC developed the Cross-Border Privacy Rules (CBPR) system, under which companies trading within the member economies develop their own internal business rules consistent with the APEC privacy principles to secure cross-border data privacy. Taiwan joined the CBPR system in December 2018, with the Institute for Information Industry applying to be the Accountability Agent under the system. In June 2021, the Institute for Information Industry was recognised by APEC as the Accountability Agent for CBPR verification of domestic enterprises in Taiwan.

Taiwan also joined the EU-led Joint Declaration on Privacy and the Protection of Personal Data in October 2022. The declaration is intended to foster international co-operation to promote high data protection and privacy standards. Taiwan’s inclusion will strengthen exchanges and co-operation with the EU and Indo-Pacific countries.

Furthermore, in seeking an “adequacy decision” from the European Commission, the Personal Data Protection Office has filed the evaluation reports required for GDPR adequacy status; the application is still under review and discussion. All major laws regulating privacy and personal data protection are at the national level. The relevant regulations at the subnational level are solely relevant to the implementation of those national laws and regulations by the different functioning bureaus of local government.

The major privacy or data protection NGOs include:

  • the Data Protection Association of the Republic of China, which focuses on promoting cybersecurity and data protection by way of giving data protection lectures, advising on encryption methods and providing a data protection consultation service; and
  • the Taiwan Association for Human Rights, an independent NGO focusing on human rights protection, including privacy and personal data protection, by way of policy watching, monitoring and advocacy.

Industry Self-Regulatory Organisations (SROs)

Certain SROs in specific industries, particularly the financial industry, provide guidance to their members in connection with data protection, confidentiality and cybersecurity. For example, the Bankers Association of the Republic of China provides guidance that advises members to take certain data protection measures, including:

  • maintaining the confidentiality of clients’ information;
  • establishing safety control mechanisms for data protection; and
  • reporting any data breaches to the competent authority pursuant to laws and regulations.

The Bankers Association has also proposed draft self-regulatory rules regarding AI applications. According to this draft, banks shall establish internal risk management and periodic inspection mechanisms with respect to AI. The Life Insurance Association of the Republic of China and the Non-Life Insurance Association of the Republic of China provide self-regulatory rules on handling cybersecurity and data protection, requiring members to do the following, for example:

  • adopt rules regarding the use of mobile devices (including “bring your own device”) and social network media, and rules regarding the use of cloud services;
  • establish cybersecurity and data protection mechanisms pursuant to the evaluation principles set forth in the self-regulatory rules;
  • establish app cybersecurity control and management mechanisms pursuant to the operation principles set forth in the self-regulatory rules; and
  • adopt equipment disposal procedures (ie, the procedure that shall be followed when disposing of equipment) to ensure that confidential and sensitive information is removed and that data stored on a hard drive cannot be recovered.

The self-regulatory rules further provide that the contents thereof shall be incorporated into the internal audit and control system, and that compliance reviews shall be conducted periodically.

Taiwan adopts the civil law system, and most primary and general laws and regulations follow the laws and regulations of other civil law countries, such as Japan. On the other hand, quite a few laws and regulations regarding modern technology follow US and EU laws. Such a multiple-reference approach is reflected in various laws and regulations, as well as the interpretations thereof. Due to this, it is difficult to state whether Taiwan data protection and cybersecurity procedures follow any single specific model.

As noted in 1.2 Regulators, the enforcement of the PDPA will be administered by the PDPC upon its official launch, scheduled for August 2025. Nevertheless, the enforcement of the PDPA is currently still administered by the central governmental authorities that supervise the relevant businesses and by local governmental authorities, rather than by any single governmental authority. It is difficult to obtain a whole picture of the enforcement status across the different central and local governmental authorities, since they are not subject to mandatory public disclosure requirements. Given the absence of sufficient publicly available information, there is no proper basis on which to say whether enforcement is relatively aggressive or not. However, based on the limited public information available, enforcement in respect of data protection by the Financial Supervisory Commission (FSC) appears to be relatively aggressive compared to other governmental authorities.

Amendments to the PDPA Passed, Penalties Raised, and a Dedicated Competent Authority to be Established

The amendments to the PDPA were passed on 16 May 2023. The amendments modified the administrative sanction procedure and raised the amount of administrative fines imposed against non-governmental agencies for violating the obligation of security and maintenance measures under Article 48 of the PDPA. The amended Article 48 provides that, in the event of a violation of the above-mentioned obligation by a non-governmental agency, the authority may impose the administrative fine against it immediately and may concurrently order the non-governmental agency to rectify the violation; in other words, the authority may impose administrative fines directly without first demanding rectification. Further, the ceiling for administrative fines was raised, so that fines will range from TWD20,000 to TWD2 million. In the event that the violation is a material one, or the non-governmental agency fails to rectify the violation within the time limit set by the authority, the administrative fine will be raised to not less than TWD150,000 and not more than TWD15 million.

The amendments to the PDPA provide that the PDPC will be the dedicated authority of the PDPA. The PDPC, upon its official launch, will integrate the enforcement authorities and relevant responsibilities spread across the central governmental authorities that supervise the business operation of non-governmental agencies, local governmental authorities, the MOJ and the National Development Council. This shift signifies an evolution in the regulator’s functions and approach – ie, from a “decentralised system” to a “dedicated supervisory system”, which also aligns with the global trend adopted in Europe, Japan and South Korea, etc. The PDPC aims to officially launch by August 2025.

Dcard

Dcard is a popular Taiwan social media platform for the young generation. In November 2023, it was reported that Dcard’s office was searched by police, owing to hundreds of cases involving anonymous postings on Dcard that led to fraud, child and teenager safety issues, and to defamation cases. It was the very first case where a social media platform was searched for its members’ alleged illegal activities on the platform. The police reportedly requested Dcard to provide its members’ information for the purpose of the investigation. Dcard refused based on the PDPA and the judgment of the Constitutional Court; and the police had no choice but to search Dcard’s offices.

Several days later, the police clarified that although they brought a search warrant with them to Dcard, they did not actually “search the office” but only requested Dcard to provide the relevant documents. Dcard declared that it had always co-operated with prosecutors’ offices and the police in their investigations; Dcard will assist in these authorities’ investigation under the premise of protecting users’ privacy rights, and will try to find the most appropriate approach thereto.

This case shows the conflict between government access to data and an individual’s privacy. The Criminal Investigation Bureau emphasised that while freedom of speech is a fundamental right, its protection does not extend to shielding criminal activities carried out under the veil of anonymity; to protect the victim’s rights, the police request the information required in accordance with the law.

Vehicle-Sharing Platform Risking the Exposure of Personal Data of Its More Than 400,000 Users

In January 2023, a security researcher discovered a database containing iRent (a large vehicle-sharing platform in Taiwan) customers’ personal data (including full names, cell phone numbers, email addresses, home addresses, photos of their drivers’ licences, and partially redacted payment card details) on a cloud server that was inadvertently accessible to the public. Because the database was not password-protected or encrypted, anyone on the internet could access this iRent customer data. The database, which contained about 4.2 terabytes of data, was exposed on the open web for at least nine months before the researcher discovered it.

This incident instantly captured widespread public attention as iRent is the largest vehicle-sharing platform in Taiwan. iRent explained that its temporary database did not properly block external connections, resulting in the database potentially being accessed by external parties using specific tools and techniques to access information of members, with 400,000 members potentially being affected.

The Directorate General of Highways and the Taipei Municipal Transportation Bureau separately imposed fines of TWD200,000 and TWD90,000 respectively for the data leakage. iRent was also ordered to improve its data security.

After this incident, a councillor of Taipei City Council considered that, because the fines under Taipei City’s autonomous ordinance for data breaches were too low, enterprises often overlook the severity of such incidents and fail to give earnest attention to data security measures. With fines set at a level that does not proportionately reflect the potential impact and damages resulting from breaches, there is a diminished incentive for enterprises to proactively invest in robust security measures. Therefore, the councillor proposed a draft amendment to the “Taipei City Autonomous Ordinance Governing Ridesharing Services Management”. This amendment was passed in December 2023. Under the new ordinance, if a data breach results from the enterprise’s intentional act or negligence, the Department of Transportation of Taipei City may revoke or cancel its operational licence.

The Preparatory Office of the PDPC Launched

Since the Constitutional Court judgment rendered in August 2022 (No 111-Shien-Pan-Zi-13) requires an independent supervisory mechanism under the PDPA, in May 2023 legislators passed the amendments to the PDPA, providing that the PDPC will be established as the dedicated authority of the PDPA. On 5 December 2023, the Preparatory Office of the PDPC was officially launched. The main tasks of this preparatory office include:

  • the enactment of the organic law for the PDPC;
  • further amendments to the PDPA; and
  • establishment of a mechanism for supervision and reports regarding personal data protection issues.

Two Draft Guidelines Regarding Innovative Use of Data Proposed

The Ministry of Digital Affairs proposed drafts of the “Data Altruism Guideline” and the “Privacy-Enhancing Technologies Application Guideline”, aiming to promote the innovative use of data. Taking sports data as an example, the data of a swimmer (eg, age, gender, swimming distance, calories burned) can be used for research or for developing new services after de-identification. Furthermore, since numerous countries are actively engaged in the development and implementation of privacy-enhancing technologies (PETs), the Ministry of Digital Affairs also proposed the “Privacy-Enhancing Technologies Application Guideline” as a complementary measure to enhance privacy protection.

These guidelines are not mandatory but have been proposed to seek public opinion. If legislation is required, further amendments to the PDPA may also be proposed.

It is not mandatory to appoint a data protection officer. The Enforcement Rules of the PDPA suggest that data protection personnel should be allocated, and indicate that this will be one of the approaches towards establishing the appropriate data protection measures. However, according to the PDPA, governmental agencies should assign data protection personnel when they keep personal data.

According to the PDPA, the collection and processing of personal data (except sensitive personal data) must be for, and within, a specified purpose, and must meet one of the following statutory criteria:

  • it is based on another law that specifically provides that the data collector may collect personal data without consent;
  • it is based on a contractual or quasi-contractual relationship between the data collector and the data subject;
  • the data subject has voluntarily made the personal data public;
  • it is necessary for statistical or academic research by an academic research institute for the purpose of the public interest, and the personal data is processed or disclosed in a manner that does not permit the identification of the data subject;
  • it is based on the consent of the data subject;
  • it is necessary for the public interest;
  • the personal data is obtained from a generally accessible source, unless the interest of the data subject takes priority over that of the data collector or data controller; or
  • the collection and processing of the personal data do not harm the rights and interests of the data subject.

As previously noted, certain sector-specific laws, regulations or guidance promulgated by the associations of specific industries provide the standards in respect of establishing cybersecurity systems that apply the concepts of “privacy by design” or “privacy by default”.

Under the PDPA, governmental agencies and non-governmental agencies should take appropriate data protection measures, which may include conducting privacy, fairness or legitimate impact analyses and other measures (such as preventing personal data from being stolen, altered, damaged, destroyed or disclosed). Furthermore, the relevant business governmental authority may designate a non-governmental agency to set up a plan of security measures for personal data or the disposal measures for personal data upon the termination of business.

According to the PDPA, the data subject shall have the following rights:

  • to access their personal data that has been collected;
  • to copy their personal data files;
  • to supplement or correct their personal data that has been collected;
  • to object to the collection, processing and use of their personal data; and
  • to request the deletion of their personal data that has been collected.

Any advance waiver of such rights by the data subject will be null and void.

The governmental agency or the non-governmental agency should ensure the accuracy of personal information and correct or supplement it, either ex officio/at its discretion or upon a request from the data subject. The governmental agency or non-governmental agency should – again, either ex officio/at its discretion or upon a request from the data subject – delete the personal data or discontinue the collection, processing or use of personal data in the following circumstances:

  • when the purpose of such data collection no longer exists or the stated time period expires, unless it is necessary for the performance of an official duty or the fulfilment of a legal obligation and has been recorded, or when it is agreed by the data subject in writing; or
  • when the collection, processing or use of such data violates the PDPA.

Under the PDPA, personal data could be used when it is necessary for a governmental agency or academic institute to perform statistical or other academic research only after anonymisation, de-identification and pseudonymisation. Currently, there is no law or regulation specifically regulating emerging technologies (such as profiling, microtargeting, automated decision-making, online monitoring or tracking, big data analysis or AI). Nevertheless, in the cases relevant to these emerging technologies, current laws may apply (eg, the PDPA and the Criminal Code), depending on the legal issues involved.

The PDPA aims to prevent harm to personality rights, which includes reputation and privacy. Therefore, the concepts of “injury” or “harm” under the PDPA include pecuniary damages and non-pecuniary damages. Also, if there is infringement to reputation, a proper rehabilitation action may be requested.

Under the PDPA, “sensitive data” is defined as personal data regarding medical records, medical treatment, genetic information, sexual life, health examinations and criminal record. Such sensitive data may not be collected, processed or used unless the statutory requirements are satisfied (such as compliance with the laws and regulations, and obtaining written consent from the data subject).

AI Data

Currently, there are no general and primary rules governing AI data in Taiwan. Several draft bills governing the development of AI have been proposed but are still under debate in the Legislative Yuan. In the cases relevant to AI data, current laws (eg, the PDPA) shall apply.

Financial Data

Financial conditions fall within the definition of personal data under the PDPA, and the PDPA will apply thereto. Furthermore, under the Banking Act, a bank must keep customer information and related information on the deposits, loans or remittances of its customers and transaction materials in confidence.

Health Data

As previously noted, medical records and health examination records fall within the definition of personal data under the PDPA, and the PDPA will therefore apply. Furthermore, according to the National Health Insurance Act, the insurer (ie, the Bureau of National Health Insurance of the Ministry of Health and Welfare) may require hospitals to provide certain personal data necessary for the insurer to carry out and administer the business of national health insurance. The obtaining of information by the insurer in accordance therewith, and the storage and use of such information, should comply with the PDPA.

In 2018, the National Health Insurance Administration (NHIA) adopted a cloud-based medical records management platform, which aims to enable physicians to better understand a patient’s condition and to quickly deliver suitable services during regular and emergency visits by accessing historical diagnoses, test results and treatments saved on the cloud system. According to the National Health Insurance Act and the Regulations Governing the Production and Issuance of the National Health Insurance IC Card and Data Storage, medical care institutions shall access medical records stored in or uploaded through National Health Insurance IC Cards when providing medical services for patients based on medical needs. Therefore, since it is expressly required by law and is within the scope necessary for the NHIA to perform its statutory duties, the processing and use of medical records stored in the cloud system are in accordance with the PDPA.

Communications Data

There are no general and primary rules governing communications data in Taiwan (such as voice telephony, the internet or social media). If the content involves personal data collection, processing and use, it should be in compliance with the PDPA. If it involves certain specific offences or serious crimes, the Communication Security and Surveillance Act will govern, under which a warrant issued by the court will be required for obtaining the communications data of suspects or defendants.

The issue of the right to be forgotten was once discussed by the court. In a Taiwan Taipei District Court case (Case No 104-Su-Geng-Yi-Zi-31), the plaintiff (the former CEO of a professional baseball team) was charged with the offence of fraud owing to alleged involvement in a match-fixing scandal. Ultimately, the court rendered a judgment of not guilty. The individual then took legal action against a famous internet search engine, claiming that it should take down certain search results, which he claimed infringed his right of privacy, his reputation and his right to be forgotten.

Given the absence of a statutory provision directly addressing the right to be forgotten, the court discussed and interpreted the right to be forgotten based on the concept of the right of privacy. The court indicated that the match-fixing scandal involved the public interest and, furthermore, that the use of such information did not violate the PDPA since it was obtained from publicly available resources. Although such public information may impose certain restrictions on the plaintiff, such restrictions could be justified, since keeping such information publicly available would be in the public interest. A Supreme Court judgment (Case No 109-Tai-Shang-Zi-1015) adopted a different view and stated that the internet platform provider is obliged to examine the content if a user notifies the internet platform provider of the infringing content and requests removal. If there are reasons to believe the user’s assertion, the internet platform provider is obliged to take prevention measures in order to suspend the infringement, such as taking down the infringing content. Otherwise, the internet platform provider may be treated as an accomplice in the infringement of others’ rights.

From these judgments, it is obvious that the courts will make decisions on a case-by-case basis, based on the impact of the content being kept on the internet search engine or social media and the protection of public interest.

Children’s Privacy

Names, faces, characteristics and other personal identification information may relate to the privacy of children and constitute personal data, so the PDPA will apply thereto. In 2017, a parenting blogger uploaded a video on Facebook that showed her harshly dressing down her four-year-old daughter, who cried and confessed her wrongdoing. This video caught the public’s attention and the blogger was criticised by the public for disregarding her child’s privacy. However, there has not yet been any case in Taiwan in which a child has sued a parent for infringement of their privacy or personal data protection.

The Protection of Children and Youths Welfare and Rights Act regulates the confidentiality requirement for the case files and personal data of children and youths who are subject to special treatment under the Act, as well as the information of their families. Furthermore, the Act prohibits certain information in respect of children and youths – such as criminal cases and drug abuse – from being disclosed by promotional material or on TV, the internet, other media or public channels. Failure to comply with the act may result in administrative fines.

Given that children are exposed to online privacy threats and harmful information, a draft “Children’s Internet Personal Data Protection Act” was proposed in March 2020 to strengthen the protection of children’s data online. Under this draft, internet operators must take reasonable measures to protect the confidentiality, security and integrity of children’s data, and a violator may be subject to punitive damages of ten times the actual damages.

Students’ Data

More and more universities and high schools are implementing face recognition systems to track students’ class attendance or to allow access to the library by scanning students’ faces at the entrance and exit points. Nevertheless, critics worry that the excessive use of this technology could turn into the surveillance of students. The Ministry of Education has issued a guideline on personal data protection for schools using biometric recognition techniques. In addition to restating that the collection and use of personal data collected by biometric recognition techniques shall be subject to the PDPA, the guideline stipulates that the original biometric data shall not be retained unless necessary, and that the collected personal data shall be pseudonymised.

The PDPA regulates the collection and use of personal data for marketing purposes. When a non-governmental agency uses personal information for the purpose of marketing but the data subject has refused the marketing, such marketing must stop immediately. Also, the non-governmental agency should offer the data subject a way to express their refusal when such marketing first appears, and should bear any necessary cost and expense incurred in expressing such refusal.

Moreover, the Financial Holding Company Act provides that financial holding companies’ subsidiaries engaging in co-selling activities among themselves should apply to the FSC for prior approval and ensure that such activities will not harm the interests of customers. The subsidiaries of the financial holding company should comply with the provisions of the PDPA with regard to the joint collection, processing and use of the basic personal data and dealing or transaction records of customers.

In Taiwan, there are no general and primary rules regulating all types of online marketing. Nevertheless, for electronic marketing, the Consumer Protection Committee has promulgated guidance advising that enterprises collect and use consumers’ personal information in accordance with the law, and provide reasonable protective measures.

In Taiwan, issues relevant to workplace privacy mainly focus on email monitoring.

In most cases, a Taiwan court uses two standards to determine whether email monitoring is in violation of employees’ privacy rights, as follows:

  • whether the employees have a reasonable privacy expectation for these emails; and
  • if there is no reasonable privacy expectation, whether it is prohibited by law for employers to monitor employees’ emails.

The concept of “reasonable privacy expectation” is based on Article 3 of the Communication Security and Surveillance Act, which provides that the communications under surveillance are limited to those that have content that may reasonably be expected to be private or secret by the persons who are monitored, with sufficient factual support. Some court rulings further point out that if the company has an email policy in place and has explicitly stated that employees’ emails will be monitored, or if the employees have signed written consent for email monitoring, it is hard to say that the employees have a reasonable expectation of privacy for such emails.

Whistle-Blowing

According to the Labour Standards Act, upon the discovery of any violation by the business entity of labour laws or administrative regulations, an employee may file a complaint with the employer, the competent authorities or the inspection agencies. The employer cannot then:

  • terminate the employment relationship;
  • change the employment terms and conditions;
  • reduce the wages or the rights and other benefits; or
  • take any unfavourable measure against such employee.

If the employer violates any of these prohibitions, such action shall be null and void.

Also, the competent authority receiving the complaint should keep the identity of the complainant in confidence, and should not disclose any information that might reveal it. Any authority that violates this shall be liable for damages so caused to the complainant. In addition, public officials shall be held liable under criminal and administrative laws.

There are criminal liabilities and administrative liabilities under the PDPA. The standard for conviction in a criminal proceeding is “beyond a reasonable doubt” – ie, the prosecutor must present evidence that is credible and sufficient to establish the defendant’s guilt such that no reasonable doubt remains. Regarding administrative sanctions, the governing authority must prove that an act in breach of duty under the PDPA has been committed intentionally or negligently.

Enforcement Penalties

The criminal penalties for violation of the PDPA include imprisonment for not more than five years, or criminal fines of not more than TWD1 million, or both.

The administrative penalties for violation of the PDPA are administrative fines of no less than TWD20,000 but no more than TWD1.5 million. The legal representative, manager or other representatives of a non-governmental agency may be subject to the same fines when the non-governmental agency receives an administrative fine.

If there are any other violations of other criminal laws or administrative laws or regulations, criminal or administrative penalties in accordance with such laws or regulations would be imposed.

Recent Enforcement Cases

On 28 November 2023, the Shanghai Commercial and Savings Bank was fined TWD10 million by the FSC for leaking its clients’ personal data. According to the FSC, the personal data (including names and ID card details) of about 14,000 data subjects was leaked. The FSC found that the lack of sufficient internal control systems resulted in the data leakage, and therefore imposed the fine on Shanghai Commercial and Savings Bank.

Private Litigation

In general, the burden of proof in civil litigation shall be borne by the plaintiff, who is obliged to establish all the requisite elements of a case through evidence. Therefore, if the plaintiff files a lawsuit for alleged privacy or data infringement under the Civil Code, the burden of proof is borne by the plaintiff, who has to establish that the defendant has wrongfully damaged the plaintiff’s rights intentionally or negligently, and that injuries have arisen therefrom.

Nevertheless, the PDPA has special rules for the plaintiff’s burden of proof in a civil case under the PDPA – whereby the law lifts a certain burden of proof from the plaintiff. Therefore, once the plaintiff has met their burden of proof by establishing the infringement of their rights from a non-governmental agency’s illegal collection, processing and use of personal information, or from other means of infringement due to violations of the PDPA, the burden of proof shifts to the defendant to show that such action was unintentional or non-negligent.

If the plaintiff has proved that a governmental agency has infringed their personal data rights due to violations of the PDPA and that injuries have arisen therefrom, the governmental agency should be liable for damages and compensation, unless it can prove that the damages were caused by natural disaster, incident or other force majeure.

Class Actions

Class actions are allowed in Taiwan. For cases caused by the same cause and fact, and where multiple data subjects are infringed, the organisations regulated by the PDPA may – after obtaining a written authorisation of litigation rights of 20 or more data subjects – represent such data subjects in bringing a lawsuit to the competent court in its own name.

The first data breach class action lawsuit was brought by the Consumers’ Foundation against a travel agency for the alleged illegal disclosure of collected personal data in March 2018.

Major Cases (Private)

In a Taiwan High Court case (Case No 107-Shang-Yi-Zi-383), the plaintiff (a female successor of a large enterprise) claimed that the defendants (the plaintiff’s ex-husband, as well as a male successor of another large enterprise, his lawyer and private detectives) should compensate her for injuries caused by placing a GPS locator on her car to track her location. The court opined that the plaintiff had a reasonable expectation of privacy for her movements and the places she visited, even when she was in public places, so the defendants had violated the plaintiff’s privacy by tracking her location with the GPS locator without legitimate reasons (the defendants explained that they used the GPS locator because the driver was suspected of drug abuse, but this explanation did not persuade the court). The defendants were ordered to compensate the plaintiff with non-pecuniary damages of TWD250,000.

Under the Communication Security and Surveillance Act, a warrant from the competent court will generally be required in order to obtain data in criminal cases.

The Communication Security and Surveillance Act sets up certain safeguards to protect privacy, as detailed below.

  • The enforcement authority must file at least one report every 15 days during the period of communications surveillance, describing the progress of conducting the surveillance and/or whether it is necessary to continue the surveillance. The prosecutor or the judge issuing the warrant may also order the enforcement authority to submit a report at any time. If a situation arises where the surveillance should not be conducted continuously, the judge shall withdraw the warrant and discontinue the surveillance, at their discretion based on experience and logic.
  • Surveillance devices shall not be installed or placed in a private residence.
  • Content obtained from surveillance that is irrelevant to the purpose of the surveillance shall not be included in the written record of such surveillance.
  • Prior to the expiry of the communications surveillance, the surveillance activity should be halted immediately if it is deemed unnecessary by the prosecutor or the trial judge.
  • When the communication surveillance ends, a notice will be provided to the person under surveillance stating:
    1. the relevant information of the surveillance case, and the case number of the authority issuing the warrant;
    2. the actual period of surveillance;
    3. whether communications information corresponding to the purpose of the surveillance has been obtained; and
    4. the remedy procedure.

When it is necessary to conduct surveillance on the domestic, cross-border or offshore communications of foreign forces or hostile foreign forces (or their agents) in order to collect intelligence on such forces – including organisations with the aim of operating international or cross-border terrorist activities – to protect national security, the head of the national security authority may issue a warrant to do so. If the subject under surveillance has household registration in Taiwan, the judicial approval level shall be escalated and prior approval from the judge of the High Court will be required. However, this restriction does not apply in the event of an emergency, in which case the national security authority should inform the competent High Court judge of the issuance of the warrant and obtain the permission ex post facto. If permission is not granted within 48 hours, the surveillance activity should be halted immediately.

The privacy safeguards are basically the same as for general criminal cases, provided that:

  • the decision to halt or continue the surveillance will be made by the head of the national security authority; and
  • the ex post written notice to the person under surveillance will only apply when the person under surveillance has household registration in Taiwan.

In Taiwan, the feasible route is mutual judicial co-operation assistance, which is processed by the governmental judicial agencies. Taiwan is not a signatory to the OECD Declaration of December 2022, and has not signed a CLOUD Act agreement with the USA. Nevertheless, Taiwan has signed agreements on mutual judicial co-operation in criminal matters with the USA, the Philippines, South Africa, China, Poland, the Republic of Nauru, Belize, the Slovak Republic, and Saint Vincent and the Grenadines. Taiwan has also signed agreements on mutual judicial co-operation in civil matters with China, Vietnam and the Slovak Republic. Under such agreements, an organisation responding to a foreign government access request may obtain and transfer personal data to foreign governmental agencies.

A recent case in which a judicial police officer placed a GPS locator on a suspect’s car to investigate a smuggling case sparked public debate in connection with government access to personal data. It was debated whether prosecutors or judicial police officers could collect and use GPS records for investigation purposes. The court opined that GPS records were non-public activities of people and that, therefore, collecting or using such GPS records would infringe privacy rights. Since there was no statutory basis for collecting and using GPS records to investigate crimes, there was no legal reason for prosecutors or judicial police officers to do so. However, some argued that such opinions would lead to difficulties in criminal investigations, and it was suggested that the authorities should amend the relevant laws to keep up with new technology.

In September 2020, the MOJ proposed a draft Technological Investigations Act, empowering the authorities to exploit new technology and equipment to conduct investigations. Following the criticism received for the alleged infringement of privacy rights, the MOJ has proposed a new draft bill of the “Technological Investigations and Protection Act”. This revised bill aims to strike a balance between using new technologies to facilitate the investigation of crimes and upholding fundamental protection of privacy rights.

Under the PDPA, the governmental authority in charge of the pertinent industry may limit international data transfers if:

  • they involve important national interests;
  • a national treaty or agreement specifies otherwise;
  • the country receiving personal information lacks proper regulations towards the protection of personal information and it might harm the rights and interests of the data subject; or
  • international transfers of personal information are made through an indirect method in which the provisions of the PDPA may not be applicable.

Communications enterprises, social work offices and human resource agencies are prohibited by their respective governmental authorities in charge of the pertinent industry from transferring their subscribers’ or clients’ personal data to China, since China lacks proper regulations concerning personal data protection.

There are no specific mechanisms or derogations in Taiwan that apply to international data transfers.

If a financial institution wishes to outsource its data entry, processing and output operations of an information system related to consumer finance business to an offshore service provider, it must submit the documents to the FSC for approval.

Further, electronic payment businesses wishing to outsource their data-processing operations should obtain the FSC’s approval in advance.

In general, there is no specific data localisation requirement under the PDPA. As stated in 4.1 Restrictions on International Data Issues, international transfer of personal data is permitted in principle, unless otherwise prohibited by central governmental authorities. Nevertheless, competent authorities may still promulgate sectoral rules governing certain industries to store or process specific data within the territory of Taiwan.

No software code, algorithm, encryption or similar technical detail is required to be shared with the Taiwan government.

As previously noted (see 3.3 Invoking Foreign Government Obligations), the contractual parties should provide judicial co-operation assistance under the judicial co-operation assistance agreements, pursuant to which an organisation may collect or transfer data.

There is no concept of “blocking” in Taiwan.

Most emerging technologies – such as big data analytics, automated decision-making, profiling or microtargeting, AI, internet of things (IoT) or ubiquitous sensors, facial recognition, drones and “dark patterns” or online manipulation – are not specifically addressed in the law or regulations. Depending on the legal issues involved, different laws or regulations may apply, including the PDPA, the Criminal Code and the Trade Secrets Act. However, developments in the following fields are worth noting.

In December 2018, a provision governing autonomous vehicles was added to the Regulations of Road Transportation Safety, according to which any enterprise or car research institute with a legal registration certificate may apply for a licence and road test for autonomous vehicles. Relevant road safety regulations shall be applicable to such autonomous driving.

For issues related to AI, several draft bills have been proposed but are still under debate and discussion in the Legislative Yuan.

Biometric Data

Biometric data is specifically regulated under the Human Biobank Management Act and the Regulations Governing the Collection, Management and Use of Individual Biometric Data.

The Human Biobank Management Act regulates the establishment, management and applications of the human biobank, and protects the rights of information privacy of biological database participants. Under the Human Biobank Management Act, a “human specimen” includes derivatives – such as cells, tissues, organs or bodily fluids – that are collected from a human body or produced by experimental operations and are sufficient to provide adequate information to identify the participant’s biometrics. If the biometric data is stolen, leaked, tampered with or otherwise infringed, the operator of the biobank should immediately investigate the matter, report it to the competent authority and notify the relevant participants in an appropriate manner. Personnel engaged in the collection, processing, storage or use of biological specimens may not disclose any confidential or other personal data or information of the participant that is known or obtained as a result of their work.

The Regulations Governing the Collection, Management and Use of Individual Biometric Data, enacted in accordance with the Immigration Act, regulate the collection, management and use of fingerprints or facial characteristics for the National Immigration Agency of the Ministry of the Interior, as regards recognising an individual when foreign people enter Taiwan or apply for residency or permanent residency. Those who obtain the data within the scope of their authority or employment must maintain the confidentiality of such data, and shall be punished in accordance with the PDPA or relevant regulations if they violate this obligation.

In November 2017, a member of the Legislative Yuan proposed an amendment to the Household Registration Act, allowing the government to establish a database collecting a certain kind of biometric data of citizens for identification purposes (eg, an individual’s unique iris information). However, in Interpretation No 603, the Grand Justices held that fingerprints are important personal data and are therefore protected under the right of information privacy. Therefore, the government collecting the fingerprints of citizens without specifying the purposes of collecting such data in the Household Registration Act would be a violation of the Constitution. According to this interpretation, the collection of an individual’s iris information may also be in violation of the Constitution if there is no law specifying the compelling public purposes for collecting such data.

Given the conclusion of Interpretation No 603, the proposal in November 2017 to establish a database collecting certain kinds of biometric data from citizens was heavily criticised, and was finally withdrawn.

Geolocation

There have been criminal cases where the defendants used GPS to record the plaintiffs’ locations and to track vehicles. The issue involved therein was whether the drivers of the cars monitored by GPS had reasonable privacy expectations. In those cases, the courts gave an affirmative answer because, although the cars can be seen on the road, observers cannot tell where they come from or where they are going. Therefore, the drivers had reasonable privacy expectations for their movements. Accordingly, someone using GPS to track the movements of others would infringe their right to privacy and may be in violation of the Criminal Code and the PDPA.

Disinformation, Deepfakes or Other Online Harms

As fake news and disinformation spread more and more rapidly, they can influence users, manipulating them for political or economic reasons. To combat fake news and disinformation, relevant laws have been amended and sanctions on different types of fake news have been newly added. For example, sanctions for people who spread rumours or untrue information about “disasters” have been newly added to the Disaster Prevention and Protection Act. Similar sanctions for spreading fake news have also been added to the Food Administration Act, the Agricultural Products Market Transaction Act and the Act Governing Food Safety and Sanitation. Furthermore, the penalty for disseminating fake news concerning epidemic conditions of communicable diseases has been increased under the Communicable Disease Control Act.

The Legislative Yuan has passed the draft amendments to the Criminal Code, adding several offences regarding deepfakes, such as “distributing fictitious sexual images generated using computer synthesis or other technological methods” and “committing the offence of fraud by means of fake images or sound generated using computer synthesis or other technological methods”. Furthermore, amendments to the Civil Servants Election and Recall Act and the Presidential and Vice Presidential Election and Recall Act have been passed, providing that if a candidate becomes aware of a deepfake video of themselves, they may apply to the police for identification – if the video is identified as a deepfake, they may request the broadcast TV enterprises or internet service to stop broadcasting, restrict browsing, remove or take down said video, as the case may be.

Fiduciary Duty for Privacy or Data Protection

Neither the PDPA nor the Taiwan Company Act specifically provides that the violation of privacy or data protection will automatically constitute a breach of fiduciary duty; the matter is subject to the violation circumstance and would be determined by the competent court on a case-by-case basis.

In Taiwan, the government is devoted to the establishment of “digital government”. In 2007, the National Development Council outsourced the establishment of the Taiwan E-Governance Research Center (TEG), which seeks to systematically develop evaluation indices and databases of digital government-related planning, and to promote a wide range of e-governance collaboration and international co-operation and alignment.

The National Development Council formulated the “Digital Government Programme 2.0 of Taiwan (2021–2025)” to accelerate various response measures for promoting the government’s digital transformation. The National Development Council will:

  • co-ordinate the implementation of various ministries;
  • strengthen the transformation of cross-domain service processes from the needs of the people; and
  • use a safe and reliable data transmission platform to share data across agencies.

The government will continue its efforts in the following areas:

  • accelerating the release of high-value data and facilitating the utilisation of such data;
  • utilising the data of people’s livelihoods to optimise policies; and
  • intensifying the service provided with new technology.

The First Personal Data Infringement Class Action in Taiwan

The first personal data infringement class action was brought by the Consumers’ Foundation against a travel agency in March 2018, with the court rendering its decision in October 2019.

In this case, the Consumers’ Foundation claimed TWD4,509,575 of compensation on behalf of 25 consumers, on the grounds that a travel agency leaked the personal data collected and thus caused damages to the consumers. The travel agency countered that the data breach was caused by a malicious hacking attack, and that it had notified the data subjects of the data breach after the occurrence of such attack; therefore, it should not be held liable for the data breach.

The court rendered a judgment in favour of the defendant, opining that the travel agency had established a security and maintenance plan for the protection of personal data files, and that it had conducted internal audits, education and training for cybersecurity personnel and had changed the passwords for the computer system periodically.

Therefore, although there was a data breach caused by a hacking attack, the court held that the travel agency was not in violation of the PDPA and thus should not be held liable for the data breach. The Consumers’ Foundation filed an appeal against this judgment. During the proceedings in the court of second instance, the Consumers’ Foundation and the travel agency reached a settlement.

The First Grand Court Ruling Regarding the PDPA

In December 2020, the Grand Court made the first ruling regarding the PDPA.

The defendant had obtained the certificate of obligatory claim, the distribution table of compulsory enforcement and the stock report of his brother, and delivered such documentation to others. Since the defendant used the others’ personal data illegally with the intention of impairing another person’s interests, he was convicted of contravening Article 41 of the PDPA, which provides that “[I]f a person, with the intention of obtaining unlawful gains for himself/herself or a third party, or with the intention of impairing another person’s interests, is in violation of Paragraph 1, Article 6, Articles 15, 16, 19, and Paragraph 1, Article 20, or an order or decision relating to the restrictions on cross-border transfers made by the central government authority in charge of the industry concerned in accordance with Article 21 of the PDPA, thereby causing damage to others, the person shall be sentenced to imprisonment for no more than five years; in addition thereto, a fine of no more than TWD1 million may be imposed”.

The defendant filed an appeal to the Supreme Court, making a defence that “impairing another person’s interest” in Article 41 of the PDPA should be limited to “property interests”, and does not include non-property interests. Since the victim of the offence did not suffer any “property” damage, the defendant’s act did not constitute the above-mentioned offence. The Supreme Court ruled that this legal issue should be submitted to the Grand Court, since it is arguable whether “impairing another person’s interest” includes both property and non-property interests, and there were different opinions among the divisions of the Supreme Court.

The Grand Court made its decision on 9 December 2020, ruling that the “unlawful gains” referred to in “with the intention of obtaining unlawful gains for himself/herself or a third party” under Article 41 of the PDPA are limited to property interests, while the “interests” referred to in “with the intention of impairing another person’s interests” under Article 41 of the PDPA shall include both property and non-property interests.

In general legal due diligence, data protection compliance will be included in the overall legal compliance section, which focuses on whether the due diligence target has any judgment record or administrative punishment owing to non-compliance issues, including non-compliance with data protection. The internal data protection rules and data protection compliance in respect of employment matters will be the focus of legal due diligence as well.

Furthermore, due diligence coverage and density in respect of data protection will be enlarged for certain types of industry. For example, if the target company’s business is strongly involved in or related to personal data or information, such as a business related to targeted advertisements, the focus should be on whether/how the collection and processing of personal data comply with applicable laws. This may include (and might not be limited to) the following:

  • the type of data being collected and processed, and whether it includes any personal data or sensitive personal data;
  • if yes, how the business collects, uses, shares, stores and deletes personal data;
  • the lawful bases upon which the target company relies to collect and/or process personal data, and related supporting documents; and
  • if the personal data is not collected directly from data subjects themselves, what contractual arrangements are in place with the collector of the data.

As for industries that collect consumers’ or customers’ personal data for promotion or other purposes (eg, retailers or financial services providers), the competent authorities of certain industries (eg, internet retailers, banks or the finance industry) have enacted security regulations and maintenance plans for the protection of personal data files. Besides the above-mentioned areas, the due diligence scope for such targets may therefore also include whether proper security measures are implemented to prevent the personal data from being stolen or disclosed, and whether a security and maintenance plan for the protection of personal data files is in place in accordance with the relevant regulations.

Under Taiwan law, a listed company shall disclose material information regarding the company on the website designated and maintained by the authority. “Material information” includes any material effect on company finances or business resulting from an administrative disposition, and the occurrence of any material event that results in circumstances where the administrative fines for one single event have accumulated to TWD1 million or more, or that causes a material loss to the company. Therefore, if administrative fines are imposed for one single event accumulating to TWD1 million or more owing to violation of the Cyber Security Management Act (CSMA) (eg, failing to report knowledge of a cybersecurity incident to the central governmental authority), any cybersecurity incident causing material loss, or any administrative disposition made by the authority under the CSMA leading to a material effect on company finances or business, the listed company must disclose such information. The disclosure must include the information and content in the format required by the authority.

There are further disclosure requirements for certain specific industries, such as electronic payment enterprises, financial enterprises and travel agencies, which should report cybersecurity or data breaches to the competent authority pursuant to the applicable laws and regulations within the time limit requested thereunder.

News Media Bargaining Code Considered

As more and more people obtain news from the internet instead of from TV or newspapers, digital platforms, including social media platforms, increasingly contribute to the online distribution of news content.

In this way, many news publishers have become more dependent on digital platforms as key sources of traffic, and have no choice but to distribute their journalism via those internet platforms. Some regulatory initiatives have focused on ensuring the fair remuneration for news content distributed through internet platforms with substantial market power.

In Taiwan, some scholars have jointly proposed a draft Act after mainly consulting Australia’s News Media and Digital Platform Mandatory Bargaining Code. There are currently five versions of draft bills proposed to the Legislative Yuan for further discussion and consideration. The purpose of the draft bills is to facilitate the progress in empowering news media to bargain with digital platforms. Under the draft bills, a news business may apply to the competent authority (the Ministry of Digital Affairs) for registration to participate in the bargaining. A platform is obliged to negotiate with the news business to reach consensus on the sum to be paid over the use of news content. Mediation and/or an arbitration to settle on the amount to be paid for the news content are also available under the draft bills.

While the competent authority (the Ministry of Digital Affairs) addressing the issue of these competitive dynamics between news publishers and digital platforms has not decided on the approach to be taken in Taiwan, the proposed draft bills are among the options to be considered. According to the Ministry of Digital Affairs, in formulating the legislation regarding news media bargaining, the experience and legislative framework of other countries (such as the USA, Canada and Australia) should continuously be considered.

Proposed Bills Governing the Development of AI

The rapid advancement of AI has prompted significant attention from lawmakers in Taiwan, leading to several proposals of draft bills aimed at governing both the development of AI and the potential risks and harms it may bring. Legislators are actively addressing the need for comprehensive regulatory frameworks to manage AI’s ethical implications and data privacy concerns. Different regulatory regimes have been proposed, such as a dedicated data act for AI or special examination by a dedicated committee when an AI project involves sensitive data. These proposals are under debate and discussion in the Legislative Yuan and have not yet been enacted.

There are no further significant issues.

Chen & Lin

Bank Tower, 12th Floor
205 Tun Hwa North Road
Taipei
Taiwan (Republic of China), 105

+886 2 2715 0270

+886 2 2514 7510

chchen@chenandlin.com www.chenandlin.com

Trends and Developments

Authors

Lee and Li, Attorneys-at-Law is one of Taiwan’s largest and most reputable law firms, offering comprehensive legal services performed by over 100 lawyers admitted in Taiwan and more than 100 accountants, patent attorneys and other professional personnel. The firm’s professional and sophisticated legal practice has gained recognition from clients worldwide, leading to prestigious accolades such as “Taiwan Law Firm of the Year” in Chambers Asia-Pacific and Greater China Region Awards 2023, and in Chambers Asia-Pacific Awards 2021. These achievements not only highlight the exceptional talent within the firm but also showcase its expertise across various legal domains, including energy law, M&A, banking and finance, capital markets, corporate matters and investment, data protection, TMT, intellectual property, real estate, dispute resolution and labour law.

The (Re)introduction of the Personal Data Protection Act

The Personal Data Protection Act (PDPA) is the primary statute regulating the collection, processing and use of personal data in Taiwan. The PDPA was first enacted and named as the Computer-Processed Personal Data Protection Act in 1995. It underwent an overhaul and was renamed in 2010, with the amendments taking effect on 1 October 2012. Article 55 of the PDPA further authorises the Ministry of Justice (MOJ) to establish the Enforcement Rules of the Personal Data Protection Act (the “Enforcement Rules”), which provide further guidelines on the interpretation and implementation of the PDPA.

Besides establishing the Enforcement Rules, the MOJ also answered questions from various government and non-government agencies regarding how to interpret and comply with the PDPA. Nonetheless, to enhance co-operation among ministries and commissions and to ensure consistent application of the PDPA, on 10 January 2019 the MOJ announced that the National Development Commission (NDC) would assume that role from the MOJ thereafter. Another important mission of the NDC is to obtain an adequacy decision from the EU. In order to perform these tasks, the NDC established a Personal Data Protection Office in July 2018.

The framework of the PDPA is similar to that of the EU’s data protection legislation, as a key source of reference for the 2010 amendments was Directive 95/46/EC, adopted by the EU in 1995. However, there is currently no independent supervisory authority dedicated to personal data protection matters in Taiwan. Enforcement of the PDPA is administered by the central competent authorities in charge of the relevant industries and by local governments. Both the central and local government authorities have the power to carry out inspections and to impose administrative penalties on non-government agencies in accordance with the PDPA.

The Proliferation of Data Security Maintenance Regulations

In addition to the PDPA and the Enforcement Rules, and considering that some industry sectors (such as financial institutions, telecommunications businesses and healthcare institutions) hold a significant amount of high-risk and sensitive personal data, Paragraphs 2 and 3 of Article 27 of the PDPA authorise the central competent authorities in charge of the relevant industries to designate one or more industry sectors under their supervision and to require them to set up a security maintenance plan for personal data files. They do so by promulgating data security maintenance regulations, under which more detailed data protection requirements take effect.

To urge ministries and commissions to implement the supervision and management of non-government agencies, the Executive Yuan (ie, the Cabinet) has convened regular collaborative meetings on implementing personal data protection among ministries and commissions since 22 December 2020, and has required ministries and commissions to adopt the following measures in succession.

  • Amend their existing data security maintenance regulations to explicitly require non-government agencies to report data breaches to the central competent authorities within 72 hours, so as to ensure a consistent reporting process and timeline for data breaches among ministries and commissions.
  • Amend their existing data security maintenance regulations to stipulate requirements for cross-border transfer of personal data, including:
    1. informing data subjects of the destination of data transfer before transferring their personal data abroad; and
    2. requiring non-government agencies to supervise data recipients in terms of the anticipated processing or use of personal data, and in terms of relevant matters concerning how data subjects exercise their rights in relation to personal data.
  • Amend their existing data security maintenance regulations to require non-government agencies using IT systems to collect, process or use personal data to adopt additional cybersecurity measures, so as to ensure the security of personal data.
  • Regularly review the necessity of stipulating new data security maintenance regulations for specific industry sectors under their supervision by considering:
    1. the scale of non-government agencies;
    2. the quantity or nature of personal data retained by non-government agencies;
    3. the potential impact on data subjects as a result of a data breach; and
    4. the frequency of cross-border data transfer, etc.

As a result, more and more data security maintenance regulations are being promulgated by ministries and commissions for different industry sectors. Due to the diversification and digital transformation of business across all sectors, the application of the various data security maintenance regulations has also become more complex, causing non-government agencies’ compliance burdens to increase sharply.

The PDPA at a Crossroads

To solve the enforcement difficulties encountered owing to the decentralised approach of management, and to establish an independent supervision mechanism for personal data protection by August 2025 (as required by the Constitutional Court’s 111-Shien-Pan-13 judgment), the Legislative Yuan (ie, the Congress) passed the amendments to the PDPA on 16 May 2023. Article 1-1 of the amended PDPA stipulates that the Personal Data Protection Commission (PDPC) will act as the competent authority of the PDPA and will integrate those enforcement powers spread among ministries, commissions and local governments from the date of establishment of the PDPC.

After half a year of preparation, the Preparatory Office of the PDPC was established on 5 December 2023. In addition to completing the enactment of the PDPC’s organic statute and officially establishing the PDPC, the Preparatory Office’s tasks include initiating the Phase 2 amendments to the PDPA. In fact, ever since the EU General Data Protection Regulation (GDPR) took effect in 2018, the Taiwan government has actively pursued an adequacy decision from the EU and has been preparing draft amendments to the PDPA accordingly. With the establishment of the PDPC, it is expected that the process of amending the PDPA might be accelerated.

Similar to the 2010 amendments, the EU’s data protection legislation (namely, the GDPR) is still a key source of reference for the Taiwan government for preparing draft amendments to the PDPA. Although the Preparatory Office of the PDPC has yet to announce the draft bill seeking the public’s comments, the amended PDPA can be expected to become similar to the EU GDPR.

Following International Standards for Cross-Border Data Transfers

As an example, the relevant rules regarding cross-border transfers of personal data may be amended in the future. Under the current PDPA, cross-border transfers of personal data are, in principle, permitted. Nonetheless, Article 21 of the PDPA authorises the central competent authorities in charge of the relevant industry sectors to impose restrictions on cross-border transfers of personal data under any of the following circumstances:

  • where the transfer would prejudice any material national interest;
  • where the transfer is prohibited or restricted under an international treaty or agreement;
  • where the country to which the personal data is to be transferred does not afford sound legal protection of personal data, thereby affecting the rights or interests of the data subjects; and
  • where the purpose of the transfer is to evade restrictions under the PDPA.

On 25 September 2012, the National Communications Commission (NCC) issued a blanket order prohibiting communications enterprises (ie, telecommunications carriers and broadcasting operators) from transferring subscribers’ personal data to the People’s Republic of China (PRC) on the grounds that the personal data protection laws in the PRC are still inadequate. On 21 January 2022 and 20 February 2023, the Ministry of Health and Welfare (MOHW) and the Ministry of Labour (MOL) respectively issued a blanket order prohibiting social worker offices and human resources agencies from transferring their service targets’ personal data to the PRC for the same reason. Nevertheless, thus far, no other central competent authority has issued any order prohibiting personal data from being transferred outside Taiwan.

Similar to the EU GDPR, it is likely that the cross-border transmission of personal data will only be permitted under certain conditions outlined in the amended PDPA. While connecting globally and following the global trend, the Taiwan government also takes a proactive position in seeking an adequacy decision from the EU and introducing other international data transfer mechanisms such as the APEC Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) systems. To help Taiwanese enterprises obtain CBPR certification, the Taiwan government successfully facilitated the Institute for Information Industry (III) – a think tank funded and established by the Taiwan government and that has already long assisted the Taiwan government in handling PDPA-related matters – in becoming an Accountability Agent for the APEC CBPR system in 2021. Currently, the III is eligible to certify an enterprise’s or organisation’s ability to provide appropriate protections for personal data in Taiwan.

The Challenges of Using Artificial Intelligence (AI)

AI-related laws in Taiwan are still under development. Since May 2018, some political parties have proposed draft AI bills in the Legislative Yuan; nevertheless, the Legislative Yuan has not taken any further step to discuss or enact such bills. Furthermore, all the draft bills are “basic acts” that do not stipulate any specific requirements or rights but simply provide high-level guidelines/principles and ethical considerations for the development of AI.

In April 2023, the National Science and Technology Council (NSTC) announced that it would propose a draft AI Basic Act, with various ministries and commissions involved in the drafting process. However, in September 2023 the Minister of the NSTC announced that the drafting work was temporarily suspended to allow more time to monitor and evaluate international trends. Instead of enacting laws to regulate AI at this stage, Taiwan’s administrative authorities tend to issue guidelines that are essentially non-binding administrative guidance and to rely on industry sectors’ self-regulation. On 28 December 2023, the Financial Supervisory Commission (FSC) took the lead in releasing the Draft Guidelines on the Use of Artificial Intelligence in the Financial Industry (the “Draft FSC AI Guidelines”) to seek public opinion.

AI tools often involve automated decisions being made on the basis of personal data. To protect data subjects from solely automated decision-making, the EU GDPR not only requires data controllers to provide information on the existence of automated decision-making but also grants data subjects the right not to be subject to a decision based solely on automated processing. There are no similar disclosure requirements or data subject rights under the current PDPA. However, in the Draft FSC AI Guidelines, the FSC proposed the following core principles regarding data protection.

  • While using AI systems, financial institutions should strive to avoid unfairness caused by algorithmic biases by:
    1. staying alert to potential biases in datasets; and
    2. ensuring reasonable grounds for any AI-based decisions relying on personal attributes (Core Principle II of the Draft FSC AI Guidelines).
  • While using AI systems to provide financial services, financial institutions should protect customers’ privacy and respect their choice not to use AI-based services, such as by:
    1. adhering to the principle of “data minimisation”; and
    2. giving customers alternative options instead of AI-based services (Core Principle III of the Draft FSC AI Guidelines).
  • While using AI systems to interact with customers, financial institutions should ensure the transparency and interpretability of AI systems, for example as regards:
    1. how customers’ rights/benefits will be affected;
    2. how the AI model’s algorithms operate; and
    3. the process of prediction or decision-making (Core Principle V of the Draft FSC AI Guidelines).

Although the Draft FSC AI Guidelines have yet to be officially issued and are for financial institutions’ reference only, to a considerable extent they represent the government authorities’ position on the processing of personal data by AI algorithms and on what requirements may be put in place. It is likely that similar transparency and interpretability requirements will be included in the amended PDPA.

The PDPA as a Tool for Combating Scams

Given the numerous recent data leaks and breaches, which have caused victims to be targeted by fraudsters, and in order to urge non-government agencies to strengthen personal data protection, the penalties for data breaches have also been raised (since 31 May 2023). Pursuant to Paragraphs 2 and 3 of Article 48 of the PDPA, in the event of a data breach, the central competent authorities in charge of the relevant industries, as well as the local government authorities, may immediately impose an administrative fine ranging from TWD20,000 to TWD2 million, without first needing to designate a time limit for the non-government agency to rectify the breach. If a time limit for rectification is designated and the non-government agency fails to rectify the breach within it, or if the breach is material, the aforesaid administrative fine can be raised to between TWD150,000 and TWD15 million.

Moreover, since the second half of 2022, the ministries and commissions in charge of the relevant industry sectors have launched multiple administrative inspections in accordance with Article 22 of the PDPA. When conducting such inspections, besides checking whether non-government agencies have fulfilled their obligations to protect personal data, government authorities also treat the PDPA as a tool for combating fraud. If the Criminal Investigation Bureau (CIB) receives a certain number of scam reports against a non-government agency via its 165 anti-fraud hotline and website, the CIB presumes that the non-government agency has a data leakage problem and transfers those fraud cases to the relevant central competent authorities to initiate administrative inspections in accordance with Article 22 of the PDPA.

Even if the non-government agency has not experienced any data breach, and the scam reports arose from phishing attacks in which data subjects voluntarily provided their personal data to scammers and thus suffered monetary losses, the central competent authorities will still urge the non-government agency to implement anti-fraud measures by launching administrative inspections. If the non-government agency is unwilling to co-operate, it may face repeated administrative inspections. It is rather unfortunate that the Taiwan government confuses scams with data breaches and treats the PDPA as an anti-scam tool, but it seems to be working.

Lee and Li, Attorneys-at-Law

8F, No 555, Sec 4, Zhongxiao E Rd
Taipei 11072
Taiwan

+886 2 2763 8000

+886 2 2766 5566

attorneys@leeandli.com www.leeandli.com