The Data Protection and Privacy Law Sources in Taiwan

The Personal Data Protection Act (PDPA) is the primary law regulating personal data protection. It was first enacted in August 1995, as the Computer-Process Personal Data Act, and regulated government agencies and certain private sectors. The PDPA has been effective since 1 October 2012 and regulates any person – including government agencies and all private sector entities – who collects, processes or uses personal data. Privacy and personal data protection are related to the constitutional protection of privacy.

In addition to the PDPA, the Legislative Yuan has also enacted certain special data protection requirements in some sector-specific laws, such as:

• the Insurance Act;
• the Financial Holding Company Act;
• the Banking Act;
• the Human Biobank Management Act;
• the Pharmaceutical Affairs Act; and
• the National Sports Act.

Furthermore, the Trade Secrets Act may apply if the trade secrets of an enterprise are involved. If an offence against computer security is involved, the criminal sanctions of the Criminal Code of the Republic of China may apply. If any national security issue is involved, the National Security Act may apply.

On 16 May 2023, the Legislative Yuan passed amendments to the PDPA to urge non-government agencies (ie, the private sector) to input manpower, techniques and funds for the purpose of fulfilling data protection obligations, and to provide support to relevant enforcement authorities for combating fraudsters. Two main points of the 2023 amendments are as follows:

• raising the administrative penalties imposed against non-government agencies for violating the obligation of security and maintenance measures; and
• designating the Personal Data Protection Commission (PDPC) as the dedicated competent authority of the PDPA (the Preparatory Office of the PDPC was formed on 5 December 2023, accordingly).

On 11 November 2025, further amendments to the PAPA were promulgated; however, their effective date has not yet been determined. The main purpose of these amendments is to align with the PDPC to be established (which is a Preparatory Office now) and to grant the PDPC relevant enforcement powers, including administrative supervision over both government and non-government agencies, as well as co-operation mechanisms with other competent authorities with regard to supervision on non-government agencies.

The main points of these amendments are as follows:

• the establishment of a supervision mechanism for government agencies;
• the obligation for government agencies and non-government agencies to implement response measures, maintain records of incidents, and report personal data breaches, along with the revision of the conditions for notifying the affected parties; and
• transition of supervisory authority – the amendments establish transitional arrangements for the gradual transfer of supervisory authority over non-governmental agencies’ personal data protection matters to the PDPC. During the transition period, designated central or local authorities will continue to exercise supervisory powers, which will be progressively assumed by the PDPC. The relevant competent authorities will continue to administer industry-specific data protection regulations and may prescribe more stringent requirements.

For clarity, unless otherwise referred to, the PDPA referred to herein will be the version amended and passed on 11 November 2025.

The national system in respect of data protection adopts an “APEC-EU referential” approach. The meeting minutes of the Executive Yuan in connection with the approval to submit the draft bill of the PDPA to the Legislative Yuan addressed that the PDPA incorporates certain provisions under Directive 95/46/EC. As one of APEC’s member economies, Taiwan has executed the APEC Privacy Framework, which indicates nine principles in respect of privacy protection; the PDPA also incorporates the principles guided by the APEC Privacy Framework.

In 2011, APEC developed the Cross-Border Privacy Rules (CBPR) system, under which companies trading within the member economies develop their own internal business rules consistent with the APEC privacy principles to secure cross-border data privacy. Taiwan joined the CBPR system in December 2018, with the Institution for Information Industry applying to be the Accountability Agent under the system. In June 2021, the Institute for Information Industry was recognised by APEC as the Accountability Agent for CBPR verification in Taiwan for domestic enterprises.

Taiwan also joined the EU-led Joint Declaration on Privacy and the Protection of Personal Data in October 2022. The declaration is intended to foster international co-operation to promote high data protection and privacy standards. Taiwan’s inclusion will allow strengthening exchanges and co-operation with EU and Indo-Pacific countries.

Furthermore, in seeking an “adequacy decision” from the European Commission, the Personal Data Protection Office has filed the evaluation reports required for GDPR adequacy status; the application is still under review and discussion. All major laws regulating privacy and personal data protection are at the national level. The relevant regulations at the sub-national level are solely relevant to the implementation of those national laws and regulations by the different functioning bureaus of local government. Additionally, certain competent authorities have established specific regulations requiring security and maintenance plans for the protection of personal data within the industries under their supervision. These regulations are applicable to each specific industry.

The PDPA provides for extraterritorial application under defined circumstances. It applies to both government agencies and non-government entities that, outside the territory of Taiwan, collect, process or use the personal data of Taiwanese nationals. Accordingly, the territorial scope of the PDPA is extended based on the nationality of the data subject, irrespective of the location where the data-related activities are conducted.

Furthermore, criminal liability for intentional violations is established by specified provisions of the PDPA, including unlawful collection, processing, use, alteration or deletion of personal data, where such conduct is undertaken for the purpose of obtaining unlawful benefits for oneself or a third party, or of harming the interests of others, and where such conduct results in actual damage. The law expressly provides for extraterritorial criminal jurisdiction by stipulating that when Taiwanese nationals commit the aforementioned offences against other Taiwanese nationals outside the territory of Taiwan, the PDPA shall likewise apply.

In conclusion, the PDPA has extraterritorial effect where personal data relating to Taiwanese nationals is handled abroad, and where Taiwanese nationals engage in specified misconduct involving personal data against other Taiwanese nationals outside Taiwan, thereby subjecting such conduct to the regulatory and criminal enforcement mechanisms of the PDPA.

Artificial Intelligence Fundamental Act and Interplay Between AI and Data Protection Regulations

Taiwan’s government also acknowledges the rapid development of emerging technologies, such as AI, and the complex data-related challenges these innovations bring. As a result, the government is also continuously revisiting and examining whether the current regulatory regime could duly catch all new relevant technologies. Under the AI trend, the Artificial Intelligence Fundamental Act was passed by Taiwan’s Legislative Yuan on 23 December 2025, and sets out a framework for the development and deployment of AI, guided by seven key principles: “Sustainable Development and Welfare”, “Human Autonomy”, “Privacy Protection and Data Governance”, “Cybersecurity and Safety”, “Transparency and Explainability”, “Fairness and Non-discrimination” and “Accountability”. These principles are designed to ensure that AI technologies are developed in a responsible and ethical manner, balancing innovation with public trust and societal well-being.

Among these, the principle of Privacy Protection and Data Governance plays a critical role in safeguarding individuals’ rights in the face of rapidly advancing AI technologies. The Act specifically mandates that AI development must prioritise the protection of personal data privacy, reflecting a commitment to constitutional privacy rights. This includes a focus on minimising the collection and use of personal data, ensuring that only data which is necessary for AI purposes is gathered. By adopting the data minimisation principle, the law seeks to prevent unnecessary data collection that could increase the risk of privacy breaches or misuse.

The interplay between AI and data protection regulations is critical in ensuring that AI technologies do not infringe on privacy rights or create unintended security risks. As AI relies heavily on large datasets to make predictions and decisions, there are significant concerns about how this data is managed. The Artificial Intelligence Fundamental Act seeks to ensure that AI systems adhere to stringent data protection principles while also driving innovation.

Following the enactment of the Artificial Intelligence Fundamental Act and the announcement of the core principles thereunder, it is anticipated that the Taiwan authorities will further promulgate implementing regulations and establish a more comprehensive and structured regulatory regime in line with the continued development, deployment and utilisation of artificial intelligence technologies.

General Principles and Data Subject Rights Under the PDPA

Principles and requirements for personal data processing include the following.

• Lawfulness and purpose limitation – personal data should only be collected, processed and used for specific, legitimate purposes. In principle, data should only be processed within the defined scope and not retained longer than the period initially communicated to the data subject. Any further processing for new purposes requires additional consent or a lawful basis.
• Ensure accuracy of personal data – the accuracy of personal data must be ensured, and it should be corrected or supplemented when necessary, either proactively or upon the request of the data subject.
• Transparency – data subjects should be fully informed about the collection of their data. This includes, among others, detailing who is collecting the data, the purpose behind the collection, what types of data are being gathered and how it will be used. Additionally, data subjects should be made aware of their rights, such as access, correction and deletion of their personal data.
• Security and confidentiality – appropriate security measures must be in place to prevent personal data from being stolen, altered, damaged, destroyed or disclosed.
• Respect for data subject rights – the rights of individuals to access, correct or erase their personal data must be respected and facilitated by organisations. Data subjects should be able to easily exercise their rights in a transparent and user-friendly manner.
• Restrictions on international transfer – when the competent authority imposes restrictions on international data transfers, non-government agencies must comply with these limitations and refrain from transferring the data.

Data subject rights include the following:

• access and inspection of personal data;
• obtain copies of personal data;
• correction or supplementation of personal data;
• suspension of collection, processing or use; and
• deletion of personal data.

A compliance checklist includes the following:

• notice and transparency – inform data subjects of the items required under the PDPA;
• consent management – obtain and document consent where required;
• purpose limitation – ensure processing aligns with specific, legitimate purposes;
• data accuracy – correct or supplement inaccurate data as needed;
• data security – implement security measures to prevent being stolen, altered, damaged, destroyed or disclosed;
• data subject requests – establish procedures to respond to access, correction, suspension or deletion requests;
• marketing compliance – provide opt-out mechanism for marketing use;
• international transfer – comply with restrictions on cross-border data transfers; and
• (as applicable) – compliance with further sector-specific data protection management and maintenance regulations promulgated by the relevant competent business authority.

Under the PDPA, medical records, healthcare, genetics, sex life, physical examination and criminal records are considered “sensitive data” and the collection, processing and use of such data must be solely limited to any of the statutory exceptional events – eg, when required by law, when public authorities or private entities are performing statutory duties within a necessary scope, provided appropriate security measures are taken, or when consent is given by the data subject in writing. Otherwise, the collection, processing and use of such sensitive data shall be prohibited.

In general, companies providing products or services used by healthcare providers shall process and use personal data in compliance with the PDPA.

Regarding processing personal data for research or development purposes, on 2 December 2025, the Legislative Yuan passed the National Health Insurance Data Management Act. Under that act, medical institutions, academic research institutions, universities and legal entities or institutions commissioned by government agencies may apply to use National Health Insurance (NHI) data outside its original statutory purposes (eg, policy analysis or academic research). Such use is limited to public-interest objectives and is subject to strict safeguards, including the requirement that NHI data be de-identified prior to use and that approved use be conducted only within designated secure environments. The use results may not contain any information capable of identifying an individual data subject, and commercial or profit-oriented use is expressly prohibited.

Data subjects have the right to request the cessation of the use for purposes outside the original statutory purposes of all or part of their NHI data. Once recorded, further use for purposes outside the original statutory purposes is prohibited, except for statutory duties by public authorities or urgent threats to life or safety.

As mentioned in 1.1 Overview of Data and Privacy-Related Laws, the Artificial Intelligence Fundamental Act, which establishes a framework for the development and deployment of AI, was passed by Taiwan’s Legislative Yuan on 23 December 2025.

Under the Artificial Intelligence Fundamental Act, the use of personal data in AI research and applications must comply with privacy-protective principles. Competent authorities are required to consult with the personal data protection authority to prevent unnecessary collection, processing or use of personal data and to promote the integration of data protection measures by design and by default, thereby safeguarding individual rights throughout the AI lifecycle. This provides specific guidance ensuring that data protection is embedded from the earliest stages of AI system development and deployment.

The regulatory regime is explicitly risk based. A risk classification framework aligned with international standards must be established, and competent authorities are tasked with issuing corresponding risk-based management regulations. High-risk AI applications are subject to enhanced oversight, with certain uses restricted or prohibited under defined conditions. Clear assignment of responsibilities and accountability mechanisms, including remedies, compensation or insurance, are mandated for high-risk AI. Furthermore, government use of AI requires risk assessments and internal control mechanisms proportionate to the nature of the application. Together, these measures ensure that AI deployment and operation uphold data protection obligations, embedding risk mitigation, transparency, human oversight and accountability across the AI lifecycle.

In the event that a government or non-government entity becomes aware that personal data it retained has been stolen, altered, damaged, lost or disclosed, the entity is obligated to notify the data subjects concerned.

Where the breach meets specific reporting thresholds, the entity must report the breach to the relevant authorities. The entity must take immediate and effective measures to mitigate the breach, prevent further damage and document the facts, impacts and corrective actions taken. It is also required to retain relevant records for inspection by the supervisory authority.

The specific details regarding the notification process, reporting timelines, scope of reporting, containment measures and record retention shall be subject to rules further established by the supervisory authority. Non-compliance with these obligations may result in the imposition of fines.

In the event of a significant and high-profile data breach, the competent authority is likely to initiate an investigation to determine the cause of the incident and assess whether further action is required, such as holding the responsible parties accountable, imposing fines or requiring the entity to submit corrective action plans.

The PDPC will be the dedicated competent authority of the PDPA. Upon its official launch, the PDPC will integrate those enforcement powers and responsibilities (stated below) spread among the Ministry of Justice (MOJ), the National Development Council, central government authorities that supervise the business operation of non-government agencies, and local government authorities. Further, the PDPC will prioritise the regulation of non-government agencies that do not have a clearly designated competent authority. As for non-government agencies that already have been governed by a competent authority due to the feature of business, transitional provisions will apply. During the transitional period, the supervision by their central or local competent authority will remain in effect temporarily, and the regulatory powers of each respective competent authority will be gradually migrated to the PDPC in phases. This approach aims to achieve the legislative policy goal of centralising and unifying personal data protection oversight.

Before the official launch of the PDPC, the relevant regulators and their authorities are as below.

The MOJ is the main regulator for personal data protection and is in charge of proposing the draft bill of the PDPA, and promulgating the Enforcement Rules of the PDPA (which will be migrated to the PDPC after it is official launched). The MOJ and the National Development Council are in charge of issuing various interpretations to answer questions in respect of compliance with the PDPA.

The enforcement of the PDPA is administered by the central government authorities that supervise the business operation of non-government agencies, and local government authorities. Both central and local government authorities have the power to:

• carry out audits and inspections on non-government agencies;
• request information;
• demand rectification; and
• impose administrative penalties against non-government agencies for non-compliance with the PDPA.

The official establishment of the PDPC is still pending, and it is therefore not yet able to fully exercise the above functions and powers, as the relevant organic law governing its organisation remains under review and discussion. Notwithstanding the foregoing, the PDPC’s preparatory office has, in practice, begun to provide certain advisory input on data protection matters to other relevant authorities.

For the typical investigative workflow, please see 1.8 Enforcement Proceedings and Fines.

Administrative Investigations and Enforcement

In the event that a competent authority considers a non-government entity may have violated relevant regulations or deems it necessary to assess the entity’s compliance, the authority may initiate an investigation. This investigation typically involves notifying the entity or its personnel to provide necessary explanations, submit required documents, or take other actions for co-operation. The authority may also send personnel to inspect the premises, request explanations from relevant personnel or collect evidence. During such inspections, the competent authority has the right to seize or duplicate any personal data or files that are relevant to the investigation.

Following the investigation, if the competent authority finds no violation, the entity may agree to the publication of such investigation results. If the entity disagrees with the authorities’ actions, the entity may file an objection. Where the objection is deemed justified, the authority must modify or suspend the action; otherwise, the authority may proceed with enforcement measures. Should the entity remain dissatisfied with the decision, it may further file an administrative appeal or initiate administrative litigation.

Administrative sanctions for violations of the law include fines, orders to cease the collection, processing or use of personal data, mandatory deletion of personal data files, confiscation or destruction of unlawfully collected data, and public disclosure of the violation and the name of the entity and its responsible persons. Further, administrative fines for violations of the PDPA range from TWD20,000 to TWD15 million.

There are no further explicit unified standards for penalties regarding violation of the PDPA. Nevertheless, as a general rule for administrative control, the fines imposed by administrative authorities shall be in proportion to the degree of violation, and must not involve abuse of discretion or violate the principle of proportionality. The authorities may consider factors such as the circumstances of the violation and frequency of violations when determining the amount of the fine. Based on the limited publicly available information, enforcement of data protection requirements by the Financial Supervisory Commission (FSC), as the competent authority for financial institutions, appears to be relatively more aggressive compared to that of other governmental authorities. With respect to non-financial sector data protection enforcement, where the data breach is serious, involves a substantial volume of personal data, reflects inadequate or substandard protective measures, and results in individuals being subject to fraud or scams, the applicable administrative fines are likely to be higher and may exceed TWD1 million.

Criminal Liability

Under the PDPA, a violating person bears criminal liability if they intentionally seek unlawful benefits for themselves or a third party, or intend to harm others, and illegally collect, process, use, alter, delete or otherwise interfere with personal data, including violating statutory obligations or restrictions on international data transfers, thereby causing damage to others. Such conduct may result in imprisonment of up to five years, detention and/or a criminal fine of up to TWD1 million. Where the offender is a public official who commits the offence by abusing their official authority, opportunity or means, the penalty may be increased by up to one-half. The defendant may appeal against the judgment to the High Court, and, where the statutory requirements are met, may further appeal to the Supreme Court.

In determining the sentence or fine in a criminal case, courts usually consider the nature and seriousness of the offence, the extent of harm or damage caused, the intent and level of fault of the defendant, any illegal benefit obtained, the defendant’s personal circumstances, prior criminal record and whether there are mitigating or aggravating factors, so that the punishment is fair and proportionate.

Civil Liability

Under the PDPA, civil liability arises when a government agency or a non-government entity violates the PDPA and causes personal data to be unlawfully collected, processed, used or otherwise infringes upon an individual’s rights, resulting in damage. Government agencies are generally liable for damages unless the harm was caused by force majeure, while non-government entities are liable unless they can prove the absence of intent or negligence. Victims may claim compensation not only for property damage, but also for non-property damage, including harm to reputation, and may request appropriate measures to restore reputation. Where actual damages are difficult or impossible to prove, courts may award statutory damages ranging from TWD500 to TWD20,000 per person per incident, subject to an overall cap for mass claims, unless the total harm exceeds that cap. If the party disagrees with the judgment, they may file an appeal.

When determining the amount of compensation in a civil case, courts generally consider the nature of the wrongful conduct, the extent of actual damage suffered by the victim, the degree of intent or negligence of the wrongdoer, and the economic circumstances of the parties.

Severe Administrative Fines Against Financial Institutions for Data Protection Violation Remains Unchanged

On 9 December 2025, an employee of the CTBC Bank, acting without any business-related necessity, privately accessed and queried customers’ personal data through the bank’s internal systems. The Financial Supervisory Commission (FSC) determined that the CTBC Bank had deficiencies in its protection of customers’ personal data and had failed to properly implement its internal control system. On this basis, the FSC imposed an administrative fine of TWD2 million on the CTBC Bank.

Severe Administrative Fines Against Non-Financial Institutions for Data Protection Violation

On 19 June 2024, a chain fitness company, WorldGym, and its legal representative – ie, the Chairman of the company, were each fined TWD1.4 million by the authority for:

• failing to implement appropriate security measures, which led to a personal data breach (TWD1.2 million); and
• failing to notify the affected data subjects after the data breach (TWD0.2 million).

The reasons that the fitness company and its legal representative were subject to the severe fines include that the company has been classified by the National Police Agency as a “high-risk business”, indicating a heightened vulnerability to personal data breaches that could be exploited by scam groups to carry out scams against the public, and, in this case, individuals were also reportedly defrauded by scam groups using the leaked personal data, resulting in actual financial damages/losses.

Proactive Administrative Investigation Against High-Profile Data Incidents

Since late 2024, the competent authorities have adopted a practice of proactively initiating investigations into high-profile personal data incidents, regardless of whether such incidents occur domestically or overseas. Where a reportedly serious data incident occurs outside Taiwan but involves, or may involve, personal data of individuals in Taiwan, the relevant Taiwan authority will proactively commence an investigation against the related Taiwan entity.

By way of example, a widely used social media platform across Taiwan, Japan, Korea and other Asian jurisdictions was reported to have suffered a serious data incident involving approximately 440,000 personal data records, more than 100 of which were related to Taiwan individuals. In response, the competent authority, the Ministry of Digital Affairs, proactively initiated an intensive investigation into the group’s Taiwan presence. Similarly, in 2025, certain systems of well-known luxury brands were reportedly hacked overseas, potentially affecting a substantial volume of Taiwan personal data, and the Ministry of Economic Affairs likewise launched investigations into such incidents to clarify the impact on Taiwan personal data as well as the data protection compliance of its relevant Taiwan presences.

These developments demonstrate a shift in the authorities’ enforcement approach toward a more proactive and assertive stance in the enforcement of data protection laws.

Practical Takeaways for Organisations

In line with global data protection trends and efforts to prevent the unlawful use of leaked data, Taiwan authorities have adopted a more proactive and assertive approach to the enforcement of data protection laws. In addition, they have begun to conduct more intensive investigations and to impose more stringent sanctions where violations are identified in the end. In light of these developments, enterprises, regardless of acting as data collectors, processors and/or controllers, are advised to strengthen their data protection governance, internal controls and overall compliance frameworks.

Trends in Data Breach Litigation Related to Fraudsters Exploiting Leaked Personal Data

In Taiwan, cases of fraudsters exploiting leaked personal data to scam data subjects have become increasingly prevalent. There is a growing trend of data subjects, who suffer both material and non-material damage, seeking compensation from the businesses responsible for the data breaches. The majority of courts held that the material damage suffered by the data subjects is a result of the fraudsters’ actions, not those of the business, and therefore, no causation exists between the data breach and the material damage. However, some of them further held that the emotional distress suffered by the data subjects in the fraud event is linked to the business’s data breach, allowing data subjects to seek compensation for non-material damage. When claiming non-material damages, the claimant must substantiate the nature of the harm suffered. For example, in cases where the victim’s personal data is leaked, resulting in fraud by fraudsters, the courts have recognised that the data breach and subsequent fraud caused the claimant emotional distress, thus justifying compensation for non-material damages. Where such non-material damages are difficult or impossible to prove, the court may award statutory damages of up to TWD20,000 per data subject per incident. While this amount may appear modest on an individual basis, the aggregate exposure could be substantial in the context of mass claims or class actions.

Case Regarding Right to be Forgotten

A well-known case is one in which a former professional baseball CEO claimed the right to be forgotten and requested Google Inc. to remove search results related to his match-fixing scandal. This case began in 2017, and has been heard by the district court, the High Court and the Supreme Court. The Supreme Court has twice remanded the case for re-examination by the High Court. In these judgments, the courts generally recognise that the right to be forgotten falls within the scope of privacy rights and is protected under the Constitution. However, search engine operators’ provision of search results, although commercially driven or for profit, should still be protected under the freedom of speech protected by the Constitution. Such search results should not be arbitrarily restricted or deleted, as doing so would undermine the performance freedom and neutrality of search engine operators which could, in turn, affect the public’s perception and judgement, and even threaten the foundation of democratic constitutionalism. Therefore, when determining whether certain search results should be deleted, courts seek to strike a balance between public interest and privacy rights. The Supreme Court restated the foregoing view and opined that the data subject may also request the deletion of the collected or processed data if there is a more significant interest that needs to be protected. This includes many factors such as whether the data subject is a public figure, and whether the data has been outdated or causes disproportionate negative privacy impacts on the data subject. The Supreme Court also considers whether the deletion would affect or hinder the public’s right to know.

From the above, it is clear that the courts attempt to balance public interest with privacy rights. In deciding whether specific search results should be deleted, the High Court and the Supreme Court have reached different conclusions based on the consideration of those factors. The match-fixing scandal was 14 years ago. At the second review of the Supreme Court in 2024, it dismissed the judgment of the High Court again and requested the High Court to reconsider and seek a balance between the right to be forgotten and the public’s right to know based on all the relevant factors.

Taken together, these judgments have significantly shaped the framework for privacy-related litigation in Taiwan, particularly with respect to the right to be forgotten. The courts apply a contextual balancing test between privacy rights and competing constitutional interests, notably freedom of speech and the public’s right to know. Rejecting any automatic right to deletion, the courts assess factors such as the data subject’s public status, the passage of time, ongoing relevance, proportionality of the privacy impact and the effect of deletion on public discourse. Accordingly, the right to be forgotten is subject to judicial scrutiny rather than automatic enforcement.

Collective Redress Mechanisms – Class Action

The PDPA provides a collective redress mechanism through class actions for data protection violations. For cases caused by the same cause and fact, and where multiple data subjects are infringed, the organisations regulated by the PDPA may – after obtaining a written authorisation of litigation rights of 20 or more data subjects – represent such data subjects in bringing a lawsuit to the competent court in its own name. Regarding class action, the legislation does not provide a specific timeline for the completion of judicial proceedings. However, in the first data breach class action case (please see below for details), the court took approximately eight months to render a first-instance judgment, after which the parties settled during the appellate proceedings.

The First Data Breach Class Action

The first personal data infringement class action was brought by the Consumers’ Foundation against a travel agency in March 2018, with the court rendering its decision in October 2019.

In this case, the Consumers’ Foundation claimed TWD4,509,575 compensation on behalf of 25 consumers, on the grounds that a travel agency leaked the personal data collected and thus caused damages to the consumers. The travel agency countered that the data breach was caused by a malicious hacking attack, and that it had notified the data subjects of the data breach after the occurrence of such attack; therefore, it should not be held liable for the data breach.

The court rendered a judgment in favour of the defendant, opining that the travel agency had established a security and maintenance plan for the protection of personal data files, and that it had conducted internal audits, education and training for cybersecurity personnel, and changed the passwords for the computer system periodically.

Therefore, although there was a data breach caused by a hacking attack, the court held that the travel agency was not in violation of the PDPA and thus should not be held liable for the data breach. The Consumer Foundation has filed an appeal against this judgment. During the procedure in the court of second instance, the Consumers’ Foundation and the travel agency reached a settlement.

In Taiwan, there is currently no unified law specifically governing cross-sector data access and data-sharing frameworks in the context of emerging technologies such as the Internet of Things and cloud computing. Nevertheless, in response to the rapid development of AI and the indispensable role of data in AI training and applications, a draft Data Innovation and Utilization Promotion Act has been proposed and is presently under deliberation by the Legislative Yuan. The draft bill aims to facilitate the circulation and utilisation of data, enhance national competitiveness in the digital domain and promote data-driven innovation by encouraging the opening and sharing of data. Under the draft, data may be classified and made available as “open data” or “shared data” in accordance with applicable licensing and usage conditions for the purpose of promoting data innovation and utilisation. Nevertheless, where such data involves personal data, it still must be governed by and processed in compliance with the PDPA. Government agencies, with respect to the government data under their control, are required to promote data innovation and utilisation within the scope of their respective statutory functions pursuant to the draft legislation, and to periodically review their implementation to ensure compliance with the PDPA, the Cyber Security Management Act, the Trade Secrets Act, the Copyright Act and other relevant laws. In addition, the draft empowers government agencies to encourage inter-industry co-operation to establish secure, accessible and interoperable data-sharing mechanisms, and to promote the voluntary sharing of industry-held data under fair, reasonable and non-discriminatory data-sharing terms.

The draft Data Innovation and Utilization Promotion Act is currently under legislative review, and its final provisions and regulatory framework have not yet been determined. Upon enactment, the Act is expected to establish a legal foundation for data sharing and utilisation while ensuring compliance with personal data protection, cybersecurity and other applicable legal requirements.

Pursuant to the draft Data Innovation and Utilization Promotion Act, the promotion of data sharing and utilisation is intended to facilitate innovation and support applications such as AI; however, such activities remain subject to the continued applicability of existing legal regimes. The processing of personal data must adhere to the requirements of the PDPA, including the establishment of a lawful basis, observance of purpose limitation and the implementation of appropriate security measures. Similarly, non-personal data, including information potentially protected under intellectual property or trade secret laws, must be managed in accordance with all relevant legal obligations, so as to prevent infringement of proprietary rights. In this manner, the draft legislation seeks to enable the circulation and innovative use of data while ensuring ongoing compliance with established statutory protections governing privacy, cybersecurity and intellectual property.

Under the draft Data Innovation and Utilization Promotion Act, government agencies may provide open data (ie, data that is licensed for use without limitation as to purpose, geographic region or duration, and is provided in a machine-readable, widely accepted format) in accordance with principles of searchability, accessibility, interoperability and reusability, and must provide metadata or explanatory information to facilitate interpretation. They are also required to maintain the integrity, accuracy, usability and timeliness of open data, and may encourage inter-industry co-operation to establish secure, accessible and interoperable data-sharing mechanisms. Shared government data (ie, government data that is shared and licensed for use under specific conditions, including the right of the licensor to withdraw the authorisation) must be provided on a non-exclusive basis under fair, reasonable and non-discriminatory conditions, unless justified by public interest.

Personal data may only be shared or utilised in compliance with the PDPA, with appropriate safeguards to ensure security and lawful processing. In the context of the data altruistic mechanism, only government agencies or non-profit entities are permitted to act as operators, and such operators must possess adequate technical and organisational capacity in information security and personal data protection to safeguard individuals’ personal data and maintain cybersecurity. Any sharing or use of personal data must be accompanied by appropriate protection mechanisms, in accordance with guidelines to be issued by the competent personal data protection authority.  The competent authority shall also prescribe the operational procedures of the mechanism, including registration and termination of operators and other relevant matters.

Accordingly, organisations acting as data altruistic operators should therefore assess their eligibility, establish the necessary technical and organisational capabilities, register with the competent authority, implement internal processes to manage authorisations, and adopt measures to protect personal data in accordance with regulatory guidelines. As the detailed operational rules and protective measures have not yet been fully clarified, the precise obligations of organisations will become clearer once these provisions are established.

In general, the competent authority of the draft Data Innovation and Utilization Promotion Act is the Ministry of Digital Affairs, which is responsible for overseeing the operation of the data altruistic mechanism, including registration, termination and related procedures of operators. For matters relating to the protection of personal data, the competent authorities (eg, the PDPC) will be responsible for issuing guidelines to ensure that personal data involved is properly safeguarded. The Ministry of Digital Affairs co-ordinates with the personal data protection authority to ensure compliance with the PDPA, and the draft law’s requirements for non-exclusive and non-discriminatory data sharing reflect the need to avoid unfair practices and restrictions on competition.

As this draft Act remains a draft and the related subordinate regulations have not yet been established, the operational framework will be more clearly defined once these provisions are formally issued.

The PDPA does not have specific provisions directly addressing cookies, SDKs and other device identifiers. Nevertheless, their use, which typically involves collecting personal data from users’ devices, must comply with the general principles of the PDPA. This includes:

• providing certain information required by the PDPA, such as the name of the business, the types of personal data being collected, the rights of the data subjects, and the duration, location, recipients and methods of data use, and this information is usually provided in the form of a cookie policy or privacy notice;
• obtaining informed consent from data subjects;
• ensuring that data is used only for specified purposes within the scope of data subjects’ consent;
• implementing appropriate security measures to protect personal data; and
• respecting data subjects’ rights, such as to access, rectify, delete, or request a copy of their personal data, or demand the cessation of the collection, processing or use of their personal data.

Personalised or Targeted Advertising

Personalised or targeted advertising is not specifically regulated under a separate legal framework in Taiwan, but it is governed by the general provisions of the PDPA. Since personalised or targeted advertising often involves the collection and analysis of personal data to target individuals with tailored ads by way of collecting and analysing the browser records and footprint and at least partial IP information, it must comply with the requirements set out in the PDPA (please refer to 4.1 Use of Cookies). Therefore, businesses engaging in personalised or targeted advertising must adhere to the PDPA’s general data protection principles to ensure legal compliance. This includes adhering to the requirements when performing profiling and ensuring that, if sensitive data is involved, the collection, processing and use of such data fully comply with the legal requirements for handling sensitive data (please refer to 1.3 Special Categories of Personal Data).

Other Online Marketing Practices

The PDPA regulates the collection and use of personal data for marketing purposes. When a non-governmental agency uses personal information for the purpose of marketing but the data subject refused the marketing, such marketing must stop immediately. Also, the non-governmental agency should offer ways for the data subject to express their refusal at the time such marketing first appears in public, and should compensate any necessary cost and expense for expressing such refusal.

Moreover, the Financial Holding Company Act provides that financial holding companies’ subsidiaries engaging in co-selling activities among themselves should apply to the FSC for prior approval and ensure that such activities will not harm the interests of customers. The subsidiaries of the financial holding company should comply with the provisions of the PDPA with regard to the joint collection, processing and use of the basic personal data and dealing or transaction records of customers.

In Taiwan, there are no general and primary rules regulating all types of online marketing. Nevertheless, for electronic marketing, the Consumer Protection Committee has promulgated guidance advising that enterprises collect and use consumers’ personal information in accordance with the law, and provide reasonable protective measures.

In addition to the PDPA, which plays a primary role in data privacy, in employment relationships, the relevant labour laws provide further rules. According to the Employment Service Act and its enforcement rules, when recruiting or hiring employees, an employer may only request “privacy data” that is necessary and related to the employment relationship, while respecting the employee’s rights. The information requested must be legitimate, necessary and reasonably related to specific economic needs or public interests. “Privacy data” includes physiological data (such as genetic testing, drug testing, HIV testing, etc), psychological data (such as psychological tests, lie detector tests, etc), and personal life information (such as credit records, criminal records, background checks, etc). However, the employer is prohibited from requesting personal information that is not relevant to employment, as well as from retaining the employee’s ID, work certificates or other documents not required for employment purposes. In other words, all requests must be strictly limited to information necessary for the employment process and aligned with legitimate economic purposes.

In practice, for the employment privacy issues (such as email monitoring, installing surveillance cameras in the workplace, recording employees’ activities within the office, or capturing their computer screen activities), Taiwan courts use the following standards to determine whether the measure is in violation of employees’ privacy rights:

• necessity of the purpose – whether the measure is implemented for a legitimate business purpose;
• proportionality of the method – whether the method used is appropriate and does not exceed what is necessary to achieve the legitimate business goal; and
• balancing of interests – using the least intrusive means to achieve the business objective.

By way of example, in cases involving email monitoring, certain court rulings have indicated that where a company has implemented an email policy clearly stating that employees’ emails may be monitored, or where employees have provided written consent to such monitoring, it is difficult to conclude that employees retain a reasonable expectation of privacy in those emails.

In M&A and asset transactions, privacy and data protection are critical considerations throughout the entire transaction lifecycle, from due diligence to post-closing integration. During the due diligence phase, existing privacy and data protection compliance should be reviewed regardless of whether the target operates in a data-rich industry, although data-intensive businesses are typically subject to heightened scrutiny due to more stringent and complex regulatory requirements. In certain industries, such as big data, data analytics or other emerging data-driven businesses, it is often fundamental to assess whether the relevant datasets constitute personal data and to evaluate how such data is collected, processed and utilised. In this context, it is also necessary to precisely identify the role played by the target, including whether it acts as a data collector, processor and/or controller, so as to precisely clarify the compliance status in all material aspects. Such assessments typically require close and co-ordinated collaboration between technical and legal teams.

In addition, the PDPA and related regulations govern change-of-control arrangements, data transfers and post-closing integration activities involving personal data. By way of example, where a proposed transaction involves the transfer of personal data, key matters to be considered and addressed include the categories of data involved, the destination of the transfer and the applicability of any required notices, consents and/or regulatory approvals etc.

For personal data, under the PDPA, “cross-border transfer” refers to the cross-border processing or use of it. In general, cross-border transfer of personal data is permitted, while the government authority in charge of the pertinent industry may, at its reasonable discretion, impose limitations on international data transfers if:

• they involve important national interests;
• a national treaty or agreement specifies otherwise;
• the country receiving the personal information lacks proper regulations towards the protection of personal information and it might harm the rights and interests of the data subject; or
• international transfers of personal information are made through an indirect method in which the provisions of the PDPA may not be applicable.

Pursuant to the above provision and relevant laws governing particular industries, certain authorities further promulgate and require certain data residency/data localisation requirements whose nature will impose certain restrictions on international data transfer. For example, the FSC promulgates certain data residency requirements for financial institutions.

In addition, certain authorities promulgate and impose restrictions in terms of which certain specific industries are prohibited from transferring data to a specific territory. For example, communications enterprises, social worker offices or human resource agencies are prohibited by respective governmental authorities in charge of the pertinent industry from transferring their subscribers’ or their clients’ personal data to China.

With respect to non-personal data, there is currently no unified or dedicated legislation in Taiwan that specifically governs the details of cross-border data transfers. However, consistent with the global trend toward strengthening the protection of national security and critical technologies, Taiwanese laws – including the National Security Act, the Trade Secrets Act and other relevant legislation – may apply to prevent the unlawful disclosure or leakage of such data to restricted territories, foreign hostile forces or any persons or entities controlled by them. Violations of these laws may give rise to severe criminal liability.

The relevant competent authority may promulgate sector-specific rules governing international data transfers for a specific industry. For example, as described in 5.1 Restrictions on International Data Transfers, the laws and regulations impose a localisation principle for customers’ finance records. If a financial institution wishes to outsource its data entry, processing and the output operations of an information system related to consumer finance business to an offshore service provider, it must submit the application with required materials, including the internal outsourcing guidance and board resolution which allows and approves such international transfer, and necessity analysis and corresponding rules and plan for subsequent management and emergency handling, etc, to the FSC for approval.

With respect to non-personal data, Taiwanese laws and regulations also impose certain management and control measures. In particular, prior approval from the Department of Investment Review of the Ministry of Economic Affairs is required where a Taiwanese individual or legal entity intends to transfer or license its technology, patents, know-how or other intellectual property, whether or not registered with the relevant authority, to a China individual or entity. Further, the amendments to the Industrial Innovation Statute, which came into effect on 7 May 2025, reflect the global trend toward enhanced protection of critical technologies and significantly strengthen the regulatory framework governing outbound investments by domestic companies. Under the amended regime, not only outbound investments meeting prescribed transaction value thresholds, but also investments involving designated countries or territories, or specified industries or technologies, are subject to prior approval by the competent authority. In conducting its review, the authority will assess, among other factors, the potential impact of the proposed investment on national security and economic development. Taken together, these regulations indicate that Taiwanese laws and regulations are evolving toward a more comprehensive and substantive framework for the protection of non-personal data, particularly from the perspective of technology and national security protection.

As stated in 5.1 Restrictions on International Data Transfers, international data transfers are in general permitted by the PDPA, while it leaves the room and flexibility to the relevant competent authority to impose restrictions at its discretion based on the regulation and management needs of the specific industry. Therefore, the relevant competent authority may still promulgate sector-specific rules governing data localisation for a specific industry. Please see 5.1 Restrictions on International Data Transfers and 5.2 Government Notifications and Approvals for details.

The current regulatory regime is silent as to whether remote access constitutes a “transfer” and the relevant authorities have not provided written interpretation for this matter, although it seems that this may be the case. This view relies on a boarder interpretation of the PDPA, under which an “international transfer” is defied to include cross-border “processing” or “use” of personal data.  If so characterised, the regulatory requirements applicable to cross-border transfers under the PDPA would correspondingly apply to scenarios involving remote access. In light of this evolving regulatory stance, cross-border enterprises are advised to closely monitor further developments on this issue and evaluate any potential impacts which might impact their global and cross-border data protection structure, designs and measures.

In Taiwan, cross-border disclosures or foreign discovery requests are subject to restrictions under the PDPA, when personal data is involved. Execution of foreign-court judgments in Taiwan typically requires going through procedures under Taiwan laws. Recognition of foreign judgments is governed under the Code of Civil Procedure, which requires proper jurisdiction, due process, public policy compliance and reciprocity.

Additionally, national security laws (eg, the National Security Act) may restrict cross-border disclosures or co-operation if the information relates to national security matters.

In addition to those described in 5.1 Restrictions on International Data Transfers to 5.3 Data Localisation Requirements, on 30 September 2025, the Ministry of Health and Welfare announced “the restriction on the international transfer of personal data by the wholesale and retail pharmaceutical industry to China, Hong Kong, and Macau”. It is stipulated that the wholesale and retail pharmaceutical industry shall not transfer the personal data it collects, processes and uses to China, Hong Kong and Macau unless an exception applies. This regulation will take effect on 1 October 2026 to govern specific pharmaceutical wholesale and retail operators and will extend to all pharmaceutical wholesale and retail operators from 1 October 2027.