Multiple Regulations

Taiwan currently lacks a unified framework specifically regulating the digital market or digital services.

While the Executive Yuan of Taiwan launched the “Digital Nation and Innovative Economic Development Plan (DIGI+)” to promote digital economic development, Taiwan currently has yet to promulgate a single law governing the digital market or digital services. Regulations related to the digital economy may cross multiple laws covering multiple aspects. For example:

• Data sharing: Personal data collected, processed and transmitted in digital markets is subject to the Personal Data Protection Act (PDPA), the Guidelines for the Management of Personal Data File Security in the Digital Economy Industry, etc.
• Telecommunications: Key regulations include the Telecommunications Management Act (“TM Act”), the Unmanned Vehicle Technology Innovative Experimentation Act and the Cyber Security Management Act (“CSM Act”).
• Financial sector: The Financial Technology Development and Innovative Experimentation Act allows businesses to conduct innovative experiments under exemption from certain regulations. In addition, to address money laundering and fraudulent acts, the Taiwan government amended various laws. Please see ‘Challenges of adjusting existing regulations for digital goods and services’ below for more details.
• Competition law: Taiwan’s Fair Trade Act governs restrictive or unfair competition behaviours in the digital markets.

Challenges of Adjusting Existing Regulations for Digital Goods and Services

With the development of the digital economy, legal challenges have begun to emerge. Notable examples include:

• Personal data and privacy protection: The collection, processing and use of users’ specific data by digital service providers or platforms must comply with personal data rights and privacy protection.
• Fraud: Beyond common issues such as false advertising, the rise of artificial intelligence (AI) and virtual assets has led to an increase in fraudulent activities utilising digital methods. In response, the Legislative Yuan passed four major anti-fraud laws, ie, the Fraud Crime Hazard Prevention Act, amendments to the Code of Criminal Procedure, the Communication Security and Surveillance Act, and the Money Laundering Control Act.
• Regulatory adjustments for emerging technologies: Innovative business models and diverse digital goods or services often fall outside the scope of existing laws. Whether and how to regulate them are key challenges.
• Market order in the digital economy: The digital economy’s development often leads to market concentration, raising concerns about competitive market dynamics. In the context of competition law, market definition and assessing market power bring new challenges to agencies.

Overview

Taiwan has not yet introduced a unified tax act specifically addressing digital goods and services sold through online platforms. However, the current income tax and business tax framework applicable to traditional goods and services extends to digital transactions, with the Ministry of Finance (MOF) identifying taxable targets in the digital domain as follows:

• digital goods or services requiring online downloads, such as e-books and standardised software;
• services not requiring downloads, such as online games, advertisements and streaming services; and
• other services provided digitally, such as online booking for accommodation.

Taxation on cross-border transactions is more complex; thus, we discuss it below.

Taxation of Cross-Border Transactions

(a) Income tax: For cross-border transactions, determining the portion of income generated within Taiwan is critical for tax purposes. The MOF specifies income tax calculations based on the formula below:

Income (domestic source income) × Net Profit Ratio × Domestic Profit Contribution × Withholding Rate

• Income: Refers to “domestic source” income, which determines the scope of taxation. For example, for platform service providers, if one party involved in the transaction is a person located in Taiwan, the service fees collected are considered Taiwan-sourced income.
• Net Profit Ratio: Refers to the income remaining after deducting costs. If proof of actual costs cannot be provided, the standard profit ratio in the same industry as determined by MOF or a 30% net profit ratio applies, subject to the tax bureau’s discretion.
• Domestic Profit Contribution Ratio: Refers to the allocation of taxes based on the portion of profits attributable to activities within Taiwan. If all activities occur within Taiwan, a 100% contribution is assumed; otherwise, 50% applies.
• Withholding Rate: 20%.

(b) Business tax: To determine the scope of business that should be subject to Taiwan’s business tax, the MOF classifies cross-border sales of digital goods and services into six categories based on factors such as:

• whether the sales are conducted through digital platforms;
• whether the platforms collect payments on behalf of sellers; and
• the presence or absence of a “physical usage location” (eg, remote monitoring systems in buildings or physical equipment) or “non-physical usage” (eg, online video streaming or cloud software subscription services) and whether such physical usage location is in Taiwan.

Virtual Currency Transactions

The MOF announced plans to introduce tax regulations for virtual currency transactions by 2025, signalling an increased focus on this emerging sector.

Regulatory Compliance

Regulatory compliance is a major challenge for businesses.

• Tax audits and documentation: Income tax involved in the sales of digital goods and services requires the determination of costs (and by extension, the net profit). Businesses may need to provide detailed transaction records or supporting materials to justify the costs.
• Adapting to tax systems: Given the differences in tax systems across countries, businesses must understand Taiwan’s income and business tax regulations.
• Regulatory changes: Frequent updates to tax laws, such as the impending taxation of virtual assets, require businesses to monitor developments closely to avoid non-compliance.

Tax Implications for Digital Advertising Revenues

• Domestic entities: Domestic online platform operators providing advertising services must pay taxes in accordance with Taiwan’s Value-added and Non-value-added Business Tax Act and Income Tax Act.
• Foreign entities: Foreign digital platform operators providing advertising services in Taiwan are taxed based on the following income tax calculation formula for cross-border sales of digital goods and services as mentioned under ‘Taxation of Cross-Border Transactions’ in 1.2 Digital Economy Taxation:

Income × Net Profit Ratio × Domestic Profit Contribution × Withholding Rate

Ensuring Compliance With Tax Regulations

• Tax registration: Foreign e-commerce operators with annual sales exceeding TWD480,000 must complete tax registration in Taiwan.
• Issue electronic invoices: Foreign enterprises (without a fixed place of business in Taiwan) that sell digital services to individuals in Taiwan are required to issue electronic invoices to the buyers.
• Consult professionals: Businesses should actively seek professional tax advice to navigate uncertainties and ensure compliance with applicable laws and regulations.

Consumer Protection Act Governs Digital Goods and Services

The Consumer Protection Act is the primary law governing consumer protection in digital transactions. In addition, the E-Commerce Consumer Protection Guidelines, issued by the Executive Yuan’s Consumer Protection Committee, provide administrative guidance and outline best practices to help businesses comply with the legal requirements. Moreover, consumer information in transactions should also be protected under the PDPA.

Dispute Resolution

Under the Consumer Protection Act, when consumer disputes (including those involving digital products and services) arise, consumers may:

• file a civil lawsuit directly; or
• submit a complaint to the business (the business must properly handle the complaint within 15 days of submission). If the complaint is unresolved, consumers may escalate the issue to a consumer protection officer in local governments or apply for mediation through the Consumer Dispute Mediation Committee set up by local governments. If the complaint or mediation fails, the consumers may further proceed with a civil lawsuit.

Advisable Practices for Establishing Dispute Resolution Mechanisms

Businesses providing digital products or services may refer to the E-Commerce Consumer Protection Guidelines as a Best Practice for establishing dispute resolution mechanisms.

To ensure fair and transparent dispute resolution, the E-Commerce Consumer Protection Guidelines specify that:

• businesses are advised to establish internal mechanisms for handling consumer disputes;
• businesses are advised to provide external alternative dispute resolution mechanisms; and
• governments should encourage payment service providers to offer appropriate dispute resolution mechanisms and compensation systems.

The guidelines also recommend that businesses establish a consumer service centre or provide a dedicated consumer complaint hotline to handle consumer disputes and prioritise resolution through the Consumer Dispute Mediation Committee or by reaching a settlement between the parties.

Ensuring Compliance With Consumer Protection Standards

To align with relevant consumer protection standards, businesses are advised to implement and ensure the following:

• proper online information disclosure;
• payment security;
• fairness in standardised contracts;
• compliance with regulations on personal data collection and privacy policies; and
• establishment of consumer dispute resolution mechanisms.

The Impact on Taiwan’s Legal Landscape

Blockchain and cryptocurrency technology enable large-scale, timely and cross-border transfers of funds, thus promoting financial inclusion. However, they have also become instruments for illicit conducts or crimes.

To address these issues, the Taiwan government continues to strengthen regulations on anti-money laundering and fraud prevention, while progressively bringing Virtual Asset Service Providers (VASPs) under regulatory oversight and promoting industry self-regulation.

Legal Challenges and Opportunities of Blockchain and Cryptocurrency

Challenges

• The innovative business models make it challenging to apply existing or traditional regulations to operators’ products or services.
• The diverse nature of products and services makes it difficult for regulators to establish a single set of requirements that applies to different service providers.
• The cross-border nature of transactions makes it difficult for operators to determine the applicable governing law. It also poses significant challenges for law enforcement.

Opportunities

• On-chain transactions leave a trail of financial activity, which, when combined with cryptocurrency flow analysis tools, helps trace financial flows to tackle fraud or money-laundering.
• Blockchain promotes financial inclusion by offering faster, low-cost means of providing diverse payment, transfer and investment tools.

Regulation in Taiwan Governing VASPs

Taiwan adopts a progressive regulatory approach for VASPs. The Financial Supervisory Commission (FSC) first developed guidance principles and supported the establishment of self-regulatory codes to balance financial innovation and consumer protection, before introducing more stringent regulations.

With the above regulatory approach, 2024 was a particularly impactful year for the crypto industry in Taiwan. Key regulations in 2024 are as follows.

Implementation of the VASP registration regime

The Anti-Money Laundering Registration Regulations for VASP (“VASP Registration Regulation”) became effective on 30 November 2024. VASPs that have not completed AML registration as of 30 November 2024 are prohibited from providing virtual asset services. Non-compliance may result in penalties, including imprisonment of up to two years for individuals and/or fines up to TWD50 million for entities.

VASPs that completed AML declarations before 30 November 2024 must still apply for and complete their AML registration by 30 September 2025. VASPs that fail to do so will be prohibited from conducting virtual asset operations.

Differentiated legal compliance obligations for VASPs

Under the VASP Registration Regulation, VASPs are classified into five categories: Virtual Asset Exchangers, Virtual Asset Trading Platforms, Virtual Asset Transferors, Virtual Asset Custodians and Virtual Asset Underwriters. While the VASP Registration Regulation requires general compliance for all VASPs, differentiated legal obligations are provided based on the nature of their services. The key points include:

• VASPs must develop and announce rules for the virtual assets services they operate. For example, Virtual Asset Trading Platforms must establish review standards and procedures for listing or delisting virtual assets.
• VASPs must implement measures to protect customers’ assets when holding their funds or virtual assets.
• A customer complaint resolution procedure must be established.
• VASPs must ensure appropriate cybersecurity management.

VASPs’ anti-fraud obligations

Under the Fraud Crime Hazard Prevention Act announced in July 2024, VASPs are obligated to co-operate with law enforcement agencies in establishing a reporting system and freezing suspected funds or virtual assets for anti-fraud purposes. Violations of these obligations may result in a fine ranging from TWD200,000 to TWD2 million; in serious cases, the fine will be from TWD1 million to TWD10 million.

VASPs are obligated to join the VASP Association and comply with self-regulatory codes

The Taiwan VASP Association was officially established in June 2024. According to the VASP Registration Regulation, VASPs must join the VASP Association before operating virtual asset businesses, and adhere to the self-regulatory codes set forth by the VASP Association. The VASP Association has released seven self-regulatory codes, covering virtual asset listing/delisting reviews, customer protection and anti-money laundering.

The FSC has announced plans to submit a draft of a dedicated virtual asset law to the Executive Yuan by June 2025. Relevant businesses should closely monitor the latest regulatory developments.

Regulations on Cloud Computing and Edge Computing

Currently, Taiwan does not have a single piece of legislation specifically addressing cloud computing or edge computing. However, government agencies in certain industries have established rules for the use of cloud services. For example:

Banking industry

The Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation require banks using outsourced cloud services to:

• establish policies for cloud service usage, implement appropriate risk management measures, and consider using multiple cloud service providers if applicable;
• supervise cloud service providers, conduct necessary audits, and assume responsibility for the services provided by cloud service providers;
• protect client data transmitted to or stored with cloud service providers by implementing encryption measures;
• retain full ownership of data processed by cloud service providers; and
• comply with regulations governing the storage location.

Further, the Guidelines for Financial Institutions Utilising Emerging Technologies, issued by the Bankers Association, further specifies security controls for banks using cloud services, including:

• Data location requirements: Client data should, in principle, be processed and stored in Taiwan. If such data is processed and stored overseas, banks must retain the right to designate the locations for processing and storage. The banks should also ensure that the data protection laws in those foreign locations are no less stringent than those in Taiwan. Furthermore, unless approved by the competent authority, critical client data must have backups retained within Taiwan.
• Contingency plans: Banks must establish proper contingency plans to mitigate risks of service interruptions caused by cloud operations.

Healthcare industry

The Regulations Governing the Production and Management of Electronic Medical Records by Medical Institutions require that medical institutions using cloud services or outsourcing their electronic medical record information system to service providers must establish the following control measures:

• measures to avoid disruptions to medical operations;
• mechanisms for transferring data back or to another cloud service provider upon cessation or termination of the cloud service;
• measures to ensure that the data storage locations are within Taiwan unless approved by the central competent authority; and
• measures to ensure that only cloud service providers certified to comply with security standards recognised by the competent authority are engaged.

Issues Related to Personal Data Protection

The collection, processing or use of personal data via cloud computing must serve a specific purpose and have legitimate causes in accordance with the PDPA. In addition, the entities utilising cloud service providers for activities directly or indirectly involving the collection, processing and/or use of others’ personal data must notify individuals who provide their personal data of such collection, processing and/or use.

Cloud service providers entrusted to collect, process or use others’ personal data are required to comply with the same legal obligations as the entities that engage them (Article 4 of the PDPA). Moreover, the entrusting entities must supervise the cloud service providers and be responsible for any violation made by the cloud service providers (Article 8 of the Enforcement Rules of the PDPA). Such supervision measures include:

• defining the scope, categories, specific purposes and duration for the collection, processing or use of personal data;
• ensuring the implementation of adequate personal data security measures;
• knowing the subcontractors when subcontracting occurs;
• requiring timely notification of any violations of the PDPA and taking remedial measures; and
• ensuring that when the commission relationship ends or is terminated, personal data is returned or deleted.

Regulations on AI

Currently, Taiwan does not have a single act specifically addressing AI. It was not until 15 July 2024 that the National Science and Technology Council drafted the Artificial Intelligence Fundamental Act and sought public consultation. This draft is still pending approval by the Executive Yuan. Despite the lack of an overarching AI law, several sector-specific guidelines have been issued. For example:

• On 3 October 2023, the Executive Yuan released the Guidelines for the Use of Generative Artificial Intelligence (AI) by the Executive Yuan and its Subordinate Agencies, which provides guidance for civil servants when using generative AI.
• In June 2024, the FSC issued the Guidelines for Artificial Intelligence (AI) Applications in the Financial Industry, serving as a reference for financial institutions when using AI.

Legislation on Deepfake Technologies

Deepfake technology has been linked to criminal activities, particularly the creation of falsified sexual images, posing significant threats to personal privacy and dignity. To address these issues, Taiwan amended the Criminal Code on 7 January 2023, introducing a key provision, Article 319-4, to criminalise the creation of false sexual images using computer synthesis or other technological methods. Violators may be sentenced to up to five years of imprisonment. If the offence is committed with the intention to profit from such offence, the maximum sentence may increase to seven years of imprisonment.

Regulations on the Application of AI in Transportation

Taiwan has implemented laws governing the use of AI in transportation:

Unmanned Vehicles Technology Innovative Experimentation Act (2018)

This allows companies that wish to launch unmanned vehicles on the market to apply for approval from the competent authority to conduct innovative experiments beforehand. “Unmanned vehicle” refers to a driverless transport vehicle that may be an automobile, aircraft, ship or any combination of these items, which is operated through remote control or autonomous operation and is equipped with the sensing, positioning, monitoring, and decision-making and control technology. Currently, self-driving vehicles are not permitted for use outside designated experimental areas.

Civil Aviation Act (amended on 25 April 2018)

The amendments to this act introduced a specific chapter governing the use of drones, defined as an unmanned aerial vehicle, the flight control of which is operated by way of signal link through remote control device or by autopilot without human pilot on board, and any other kind of aircraft as announced by the Civil Aviation Administration. Any drone flight conducted in open spaces must comply with the Civil Aviation Act and its associated regulations.

Principles Revealed in the Draft of the Artificial Intelligence Fundamental Act

The draft Artificial Intelligence Fundamental Act outlines principles to guide AI development and application. While the draft only provides some high-level principles, it emphasises the promotion of the following key principles:

• sustainability and well-being;
• human autonomy;
• privacy protection and data governance;
• cybersecurity and safety;
• transparency and explainability;
• fairness and non-discrimination; and
• accountability.

Outline of Internet of Things Related Regulations

Taiwan currently does not have a unified law specifically addressing the Internet of Things (IoT). Instead, multiple laws and regulatory requirements managed by various authorities are involved, including the National Communications Commission (NCC) and the Ministry of Digital Affairs (MODA).

Public telecommunications networks

If communication among IoT devices requires the establishment of a telecommunications network to provide public communication, operators must comply with the following requirements:

Prior to launch

• apply to the NCC for network establishment in accordance with the TM Act and Regulations for Application and Examination of Public Telecommunications Network Establishment; and
• pass an inspection according to the Regulations for Examination of Public Telecommunications Networks before commencing operation.

After launch

• store communication and billing records in compliance with the TM Act; and
• support communication surveillance and provide access to communication records and user data, as required by the Communication Security and Surveillance Act.

Dedicated telecommunications networks

If communications among IoT devices are only operated through the radio frequency in a telecommunications network established for private use (“Dedicated Telecommunications Network”), the radio frequency is required to be approved by the MODA while the establishment of the Dedicated Telecommunications Network should obtain prior approval from the NCC under the Regulations Governing the Establishment and Use of Dedicated Telecommunications Networks.

Controlled radio-frequency devices

For IoT devices classified as controlled telecommunications radio-frequency devices, their manufacturers or importers must follow the requirements under the TM Act and the Administrative Regulations on Manufacturing, Import and Report of the Controlled Telecommunications Radio-Frequency Devices, and obtain prior approval before launching such devices.

Personal data protection requirements

If the collection, processing, or use of personal data are involved in the operation of IoT devices, operators should ensure compliance with the PDPA.

Self-Regulatory Rules for Financial Institutions Using IoT Devices

Financial institutions are required to follow relevant self-regulatory rules established by financial institutions associations. Please see ‘Financial Industry’ in 4.3 Data Sharing.

Deployment of IoT devices or technologies involves navigating a complex regulatory environment, as it often falls under the purview of multiple government authorities, each with its own regulations. Businesses must therefore identify the relevant authorities and ensure compliance with the regulations applicable to their respective industries.

Taiwan does not have a single regulation specifically governing IoT data sharing. Instead, specific industries are subject to IoT-related regulations or guidelines that govern sharing practices. For example:

Financial Industry

The following guidelines regulate IoT data sharing and security for financial institutions:

• Rules governing the Security Management of IoT Devices for Financial Institutions (issued by the Bankers Association)
• Operational Rules governing the Use of IoT Devices for Insurance Companies (issued by the Life Insurance and Non-Life Insurance Associations)

These rules require banks and insurance companies to ensure that IoT devices used have identity authentication mechanisms, use wireless networks with encryption protocols, and monitor access control and network connections of IoT devices.

Healthcare Industry

Under the CSM Act, the Ministry of Health and Welfare (MOHW) issued the Cybersecurity Standards for Information and Communication Systems in the Healthcare Sector. Hospitals designated as providers of critical healthcare infrastructure must (i) manage wireless networks and access control when using medical IoT devices and (ii) prohibit data exchanges between wireless network-connected devices and the hospital’s core network.

If IoT data sharing involves the transfer of personal data, it is subject to the PDPA. The collection, processing, and use of personal data must have a specific purpose and legitimate causes. If the transfer of IoT data includes sensitive personal data, such as medical records, healthcare information, genetic data, sex life, physical examination or criminal records, the PDPA imposes stricter regulations on its processing and use.

Audiovisual media services in Taiwan, including traditional radio and television (“broadcasting businesses”), are primarily governed by the Radio and Television Act, the Satellite Broadcasting Act, and the Cable Radio and Television Act (collectively, “the Broadcasting Acts”), with the NCC acting as their competent authority. As these acts were enacted prior to the emergence of video-sharing platforms and streaming platforms, such as Netflix, YouTube and Spotify, these modern services are currently outside their regulatory scope. Although the NCC proposed the Draft Digital Services Act in 2020 and the Draft Act Governing Internet Audiovisual Services in 2022 to address this regulatory gap, neither has been enacted to date.

Licensing Requirements

Broadcasting businesses are required to apply for licences from the NCC prior to offering broadcasting service in Taiwan.

• terrestrial-based broadcasting: 9 years
• cable broadcasting licences: 9 years
• satellite-based broadcasting licences: 6 years

Renewal applications must be submitted before the licence expires to avoid disruptions in service.

Fees for Licensing and Renewal

(a) terrestrial-based broadcasting:

• the initial licensing: TWD152,000; and
• renewals: (i) TWD10.15 million for television services, and (ii) TWD52,000 for radio services.

(b) cable broadcasting:

• the initial licensing: TWD150,000; and
• renewals: TWD10,000.

(c) satellite-based broadcasting:

• Licensing and renewal fees: TWD55,000.

Restrictions on Foreign Investment

Foreign investments in broadcasting businesses is highly regulated:

• Terrestrial-based broadcasting: Ownership is limited to Taiwanese nationals or entities, and non-nationals cannot serve as directors or supervisors of the company.
• Cable broadcasting: Total direct and indirect foreign investment must be less than 60% of the total shares, and direct foreign shareholding is limited to legal entities and is limited to 20% of the total shares issued. Further, the number of directors or supervisors with Taiwanese nationality must constitute at least two-thirds of the total.
• Satellite-based broadcasting: Foreign direct shareholding is capped at 50%.

Scope of Regulation Under the TM Act and Related Regulations

The TM Act and its related regulations form the primary regulatory framework for telecommunications services. The competent authority is, in principle, the NCC, although the MODA oversees specific tasks (such as the application and allocation of telecommunications resources).

Under the TM Act, “telecommunications services” refers to “services that provide public communication using public telecommunications networks”, specifically including mobile broadband services, international submarine cable circuit leasing services, domestic land cable circuit leasing services, satellite fixed communications services, etc.

The TM Act also regulates:

• the establishment and management of public telecommunications networks and Dedicated Telecommunications Networks; and
• the management of radio frequencies and radio-frequency equipment, as well as the management of telecommunications numbers and domain names.

Registration of Telecommunications Enterprises and Approval Mechanism for Public Telecommunications Network Establishment

Registration as a telecommunications enterprise is not mandatory for all providers of telecommunications services. Under the TM Act, registration is mandatory only if they:

• negotiate interconnection with other telecommunications enterprises or request a ruling for interconnection;
• apply for the allocation of radio frequencies other than those designated for special purposes under the TM Act;
• apply for the allocation of identification codes or signalling point codes for the establishment of public telecommunications networks; or
• apply for the allocation of user numbers.

All providers must apply to the NCC for approval to establish public telecommunications networks before offering telecommunications services and apply to the MODA if the services provided require the use of telecommunications resources such as radio frequencies. Please see ‘Public telecommunications networks’ in 4.1 Machine-to-Machine Communications, Communications Secrecy and Data Protection for details.

Cybersecurity Requirements for Telecommunications Services

The TM Act requires telecommunications enterprises that establish public telecommunications networks using telecommunications resources, as well as other telecommunications enterprises announced by the competent authority, to stipulate and implement a cybersecurity maintenance plan, including but not limited to the scope of cybersecurity management, tiered handling methods and joint defence response measures for cybersecurity incidents.

Applicants for public telecommunications networks establishment must include in their network establishment plan a comprehensive layout and architecture diagram of cybersecurity detection and protection measures. The plan must also detail the brand, model, quantity, capacity, functionality, manufacturer’s company name and country of origin for relevant facilities, as well as the operational management and physical security planning of the network.

The MODA may designate all or part of a public telecommunications network as critical telecommunications infrastructure. For such designated critical telecommunications infrastructure, the operator must, within the specified timeframe, stipulate a Critical Telecommunications Infrastructure Protection Plan and implement it upon evaluation. The MODA has promulgated the Regulations for Administration on Designation and Protection of Critical Telecommunications Infrastructure to regulate this process.

Taiwan does not currently have a standalone piece of legislation specifically addressing net neutrality. However, relevant provisions in the TM Act are designed to protect consumer rights or promote fair market competition. Specific examples include:

(a) Prohibition on unjustifiable service refusal: Telecommunications enterprises may not, without legitimate reason, refuse requests for telecommunications services or the transmission of communications.

(b) Number portability and equal access services: To protect user rights and promote market competition, telecommunications enterprises providing services using user numbers must offer number portability services or equal access services.

(c) Interconnection obligations: Telecommunications enterprises, under the principles of technical feasibility and fairness, may not, without legitimate reason, refuse interconnection negotiations when requested by other telecommunications enterprises.

(d) Regulation of significant market power entities (“SMP Entities”): The NCC enforces asymmetric regulation on telecommunications enterprises identified as SMP Entities in specific telecommunications service markets, which may include requiring such SMP Entities to ensure that:

• their agreements on interconnection, network access components or the use of relevant telecommunications infrastructure comply with principles of fairness and reasonableness, prohibiting discriminatory treatment; and
• their pricing does not involve anti-competitive cross-subsidisation, price squeezing or other abuses of market dominance.

Please refer to 3 Artificial Intelligence and 4 Internet of Things for details of the legislative status of emerging technologies such as IoT and AI and their impact on the telecommunications industry.

After the Executive Yuan designated the 4.8-4.9 GHz band for private 5G network use, “assisting enterprise clients in building private 5G networks” has become a key business initiative actively pursued by major telecommunications enterprises. In response, the MODA has promulgated the Regulations Governing the Establishment and Use of Mobile Broadband Dedicated Telecommunications Networks as guidelines for enterprises.

(a) Cybersecurity and risk management: The competent authorities are expected to place greater emphasis on regulatory requirements to manage risks associated with the use of emerging technologies in various telecommunications scenarios. For instance, operators may be required to propose more targeted cybersecurity protection measures in their network establishment plans.

(b) Compliance considerations: As outlined above, although there is currently no specific legislation addressing the integration of emerging technologies by telecommunications enterprises, operators should still comply with the existing regulatory framework when adopting such technologies. Particular attention should be given to areas such as personal data protection, cybersecurity and intellectual property rights protection.

Legal Compliance Points for Technology Agreements

In practice, the types of technology agreements are diverse, including but not limited to technology licensing, technology transfer, commissioned development and technology co-operation. While Taiwan has not enacted laws specifically regulating technology agreements, there are many legal compliance points to be aware of during the negotiation or performance stages. The key points are as follows:

(a) Personal data protection: Compliance with the PDPA is crucial when collecting, processing or using personal data.

(b) Fair trade compliance: Agreements must comply with the Fair Trade Act to avoid anti-competitive practices or engaging in unfair competition, such as “discriminatory treatment of the licensee”, “exclusive grand-back licensing”, “package licensing” or “restricting the licensee’s implementation of technology”. The Fair Trade Commission has issued the “Principles for the Handling of Technology Licensing Agreements” for businesses to follow.

(c) Export control: Agreements involving the exportation of “Strategic High-Tech Commodities”, such as dual-use military and commercial products or goods on the technology export control list, or involving “goods that require an international import certificate or other related guarantees issued by Taiwan in accordance with the exporting country’s regulations”, require approval from the International Trade Administration of the Ministry of Economic Affairs.

(d) Investment or co-operation in China, Hong Kong or Macau: Agreements involving “investing or technology co-operation in Mainland China” or “investing or technology co-operation in Hong Kong or Macau” require approval from the Ministry of Economic Affairs under relevant regulations.

Sector-Specific Considerations

The competent authorities for specific industries have promulgated “Personal Data File Security Maintenance Plans or Methods for Handling Personal Data After Business Termination” for their respective industries and are empowered to restrict the international transmission of personal data by businesses under their jurisdiction. Current restrictions include:

• The NCC restricts “communication business operators” from transmitting personal data of their users to Mainland China.
• The Ministry of Labour restricts “manpower agency businesses” from transmitting personal data of parties involved to Mainland China.
• The MOHW restricts “social worker offices” from transmitting personal data of parties involved to Mainland China.

Many associations have established self-regulatory codes for the use of emerging technologies, such as the “Operational Guidelines for Financial Institutions Using Emerging Technologies”, “Principles for the Use of Emerging Technologies in the Insurance Industry” and the “Self-Regulatory Guidelines for Emerging Technology Cybersecurity in the Taiwan Securities Association”. Therefore, if the technology agreement involves the use of emerging technologies, businesses need to comply with the corresponding regulations according to their industry.

Key Points for Telecommunications Service Agreements

Under the TM Act, major telecommunications businesses recognised by the NCC, such as Chunghwa Telecom, must establish standard service contract terms that specify the rights and obligations with users, and submit them for approval before implementation. The contract terms should include but not limited to the following items:

• service area and content;
• service fees and conditions;
• performance guarantees for prepaid services;
• handling and fee deduction methods in the event of errors, delays, interruptions, or failure to deliver due to telecommunications network disruptions or blockages;
• restrictions and conditions regarding the collection, processing, and use of user personal data; and
• confirmation or cancellation mechanism for trial or promotional telecommunication services.

In addition, if a significant dispute arises regarding a telecommunications service agreement between telecommunications businesses, they may apply to the NCC for conciliation to resolve the dispute.

Considerations for Network Interconnection Agreements

According to the TM Act, “interconnection” refers to a “network connection between telecommunications enterprises so as to enable their respective subscribers to communicate with subscribers of the other telecommunications enterprises or receive services provided by the other telecommunications enterprises”. As mentioned in (c) in 6.2 Net Neutrality Regulations, telecommunications enterprises may not refuse to negotiate interconnection requests from other telecommunications enterprises.

As mentioned in 6.2 Net Neutrality Regulations, the NCC has adopted special regulatory measures for SMP Entities in specific telecommunications service markets. If an interconnection agreement cannot be reached, each party may apply to the NCC for a ruling.

Regulations on Electronic Signatures

The Electronic Signatures Act (ESA) is the primary legislation governing electronic records, electronic signatures, digital signatures and relevant certification authorities.

(a) Legal equivalency: According to the ESA, electronic records and electronic signatures that meet the requirements of the ESA are deemed functionally equivalent to physical documents and signatures.

(b) Digital signatures: A digital signature:

• must be capable of being verified by the public key and supported by a certificate issued by a certification authority; and
• is presumed as the signature or seal affixed in person if it is supported by a certificate issued by a certification authority which has been approved by the competent authority and the certificate is within the validity period and scope.

(c) Counterparty consent

• Consent from the counterparty is required to use electronic records or signatures.
• Consent may be implied if the counterparty is given an opportunity to object within a reasonable period and manner but does not do so after being informed it shall be presumed to have agreed to the use of electronic form if no objection is raised.

Regulations on Digital Identity

Taiwan does not currently have specific legislation governing digital identity. However, the government provides guidance on digital identity for certain industries. For instance, in the financial sector, the FSC issued the Guidelines for Conducting Digital Identity Authentication by Financial Services Enterprises to establish common and consistent application principles for digital identity authentication in the financial industry.

Legal Framework Governing Software and Online Gaming Industry

In Taiwan, the legal framework governing the software and online gaming industry primarily focuses on consumer dispute resolution and the protection of children and adolescents. Key regulations include:

(a) Game Software Rating Management Regulations;

(b) Mandatory and Prohibitory Provisions of Standard Form Contracts for Online Game Services (“Online Game Services Provisions”); and

(c) Mandatory and Prohibitory Provisions of Standard Form Contracts for Online Game Points (Cards) (“Online Game Points Provisions”).

To address consumer disputes, the Online Game Services Provisions stipulate that advertisements, promotional content, fee rate charts and game rules are considered integral parts of the contract between the gaming business and users. Users are also granted the right to withdraw from the contract within seven days after commencing the game, without providing a justifiable reason, and users may request a refund for unused prepaid game points without incurring any fees.

For protection of children and adolescents, the Game Software Rating Management Regulations require gaming businesses to assign ratings to their games based on content and include clear warnings and labels regarding game themes and risks.

The gaming industry in Taiwan also faces various intellectual property protection issue. Please refer to 9.3 Intellectual Property for details.

Legal Requirements for Games Providing In-Game Purchases, Loot Boxes and Gambling Elements

(a) Games providing in-game purchases: The Online Game Services Provisions require gaming businesses to clearly display payment methods and product or service information on their official website homepages, game login pages or purchase pages. Any fee adjustments must be announced at least 30 days prior to implementation. Additionally, prepaid game points purchased by users must not be subject to an expiration date.

(b) Games providing value-added services or products: When users purchase prepaid game points for value-added services or products, the Online Game Points Provisions require gaming businesses to provide performance guarantees to ensure the redeemability of the prepaid game points.

(c) Games providing loot boxes and gambling-like elements: For games offering loot boxes or similar elements, the Online Game Services Provisions require gaming businesses to disclose the event details, rewards and probabilities of winning. Additionally, a warning such as “This is a chance-based item; purchasing does not guarantee specific rewards” must be included. If the game involves gambling-like activities via telecommunications, electronic communications, the internet or similar methods, it may be deemed illegal and subject to criminal liability.

Legal Requirements for Age Ratings and Content Restrictions

The Game Software Rating Management Regulations also require gaming businesses to prominently display ratings labels, content descriptions and warnings on the product packaging, user’s guide, downloaded page, homepage or link to the game.

(a) Ratings labels: Games are categorised into five ratings based on their content, including elements such as sexual themes, violence, terror or drugs: Restricted (“R”, for users aged 18 and above), Parental Guidance 15 (“PG 15”, for users aged 15 and above), Parental Guidance 12 (“PG 12”, for users aged 12 and above), Protected (“P”, for users aged six and above) and General Public (“G”, suitable for all ages). Gaming businesses must complete the rating process before a game is launched and register the rating and related content with the MODA database.

(b) Content descriptions: If the game content involves certain scenarios, such as scenarios involving sex, violence, terror, tobacco and alcohol, drugs, improper use of language or anti-social behaviour, the content descriptions regarding the scenarios must be clearly indicated.

(c) Warnings: Gaming businesses must prominently display warning messages in Chinese, including but not limited to:

• General warnings: Messages such as “Pay attention to usage time” must be displayed to encourage responsible game play.
• Payment warnings: For games requiring prepaid game points or virtual items or tokens, clear warnings about payment details and any additional costs must be provided.
• Restricted game warnings: For R-rated games, a warning must be indicated that the game is only available for purchase or use by individuals aged 18 and above.

The gaming industry in Taiwan is regulated jointly by central and local government authorities. At the central level, the Administration for Digital Industries under the MODA serves as the primary regulator, while local governments are responsible for enforcing relevant regulations. If standard form contracts used by gaming businesses violate mandatory or prohibited provisions outlined in applicable regulations, regulatory bodies may require corrections within a specified timeframe under the Consumer Protection Act. Failure to comply within the deadline may result in fines, and persistent non-compliance could lead to repeated penalties.

In recent years, Taiwan has experienced a surge in fraud cases, with game point scams being a significant concern. To address this issue, the MODA has implemented anti-fraud measures for game points. These measures involve collaboration among game point card providers, game businesses, convenience stores and customer service providers to establish fraud prevention mechanisms and intercept fraudulent financial flows.

Copyright Protection for Game Businesses

Under Taiwan’s Copyright Act, works are classified into various categories, including but not limited to:

• oral and literary works;
• musical works;
• dramatic and choreographic works;
• artistic works;
• audiovisual works;
• sound recordings; and
• computer programs.

Taiwan courts have ruled that games often comprise multiple types of works, such as:

• Oral and literary works: Main storylines, dialogues, key characters, action moves, settings and item names may be protected.
• Artistic works: Character designs, props and scene illustrations are considered artistic works.
• Musical works: Sound effects are classified as musical works.

For these elements to receive copyright protection, they must reflect original human creativity, express the author’s individuality and not fall under exclusions provided by law.

However, game rules and user interfaces commonly used by users are not protected under the Copyright Act.

In cases of copyright infringement, copyright holders may:

• request the infringer to remove the infringement;
• claim compensation for damages; and/or
• require the infringer to publish all or part of the court’s judgment in newspapers or magazines at the infringer’s expense.

The common IP challenge faced by game developers in Taiwan is allegations of plagiarism between games. Courts typically evaluate two key factors to determine copyright infringement:

• Access: Whether the alleged infringer had a reasonable opportunity to access the original game.
• Substantial similarity: Whether the similarities between the two games are significant in scope or involve key elements of the original game.

If these criteria are satisfied and the use does not fall under fair use, the court may find that the defendant infringed upon the copyright of the original game.

Trade Mark Protection for Gaming Businesses

To prevent consumer confusion, gaming businesses may register trade marks for their game brands, titles, characters, backgrounds, items and designs pursuant to the Trade Mark Act. In addition, the Taiwan Intellectual Property Office has recommended that gaming businesses apply for trade mark registration for virtual goods and services.

In cases of potential trade mark infringement, the proprietor of a registered trade mark may take legal action to prevent such violations. For imported or exported goods suspected of infringing trade mark rights, the proprietor may file an application with customs to detain the goods. If infringement is confirmed, the trade mark owner has the right to demand the cessation of the infringement and seek compensation for damages incurred.

Intellectual Property Issues Surrounding UGC

User-generated content (UGC) may qualify for protection under the Copyright Act depending on its nature. However, UGC may also result in copyright or trade mark infringement if it involves unauthorised use of third-party intellectual property. Currently, Taiwan does not have specific legislation or judicial precedents addressing disputes arising from UGC in the gaming industry.

There is currently no specific law regulating social media in Taiwan; however, several regulations apply to social media operations in various contexts. Below is an overview of the key laws and challenges:

Anti-Fraud Measures

The Fraud Crime Hazard Prevention Act (FCHPA) requires specific online advertising platform operators to adopt necessary measures to prevent fraud. Key provisions include:

• Advertisements must not contain fraudulent content and must disclose the identity of advertising commissioners and funders.
• If deepfake technology or AI-generated personal images are used, this must also be disclosed.
• The identity of advertising commissioners and funders must be verified using digital signatures, rapid identity verification mechanisms, or other equivalent secure technologies or methods.
• An annual transparency report on fraud prevention must be published in an appropriate manner.
• When an online advertising platform operator becomes aware that the advertisements it publishes or promotes are fraudulent or are clearly related to fraudulent activities, it must:
1. actively remove, restrict the browsing of or stop broadcasting such advertisements or adopt other necessary actions; and/or
2. temporarily suspend services for a reasonable period to users publishing fraudulent advertisements or those significantly involving fraud.

Online advertising platform operators that fail to comply will be jointly liable with the advertising commissioner or funder for damages incurred by individuals misled by the fraudulent advertisements.

Personal Data Protection

Social media operators must comply with the PDPA when collecting, processing and utilising user data. If the social media operator conducts business involving data processing, it must also comply with “Regulations Regarding the Security Maintenance and Administration of Personal Data Files in Digital Economy Industry”. The key requirements are:

• Establishing and implementing a personal data security maintenance plan.
• Implementing appropriate data security management measures, such as encrypting files, backing up data and setting up firewalls.
• Conducting regular personal data protection education and training for employees.

If businesses wish to collect customers’ personal data and use the contact information such as phone numbers or emails to provide product information and promote sales for marketing, they must provide a method for individuals to decline marketing during the initial marketing contact. Once an individual expresses refusal to receive further marketing, the business must immediately cease using their personal data for such purposes.

Copyright Protection

Modern users enjoy sharing various types of content, such as text, images and videos, on social media. If such content is copyright-protected, the uploader or sharer may infringe on others’ copyrights, and the social media operator providing the service could also face legal risks for being deemed to be facilitating or participating in the infringement.

To balance the protection of copyright owners and the development of the internet industry, the Copyright Act provides safe harbour provisions. If specific requirements are met, online service providers offering social media services are exempt from liability for users’ copyright infringements. Common requirements for exemption, for example, are that online service providers must:

• Inform users of copyright protection measures through contracts, electronic transmission, automated detection systems or other means, and ensure these measures are effectively implemented. Users must also be informed that services may be terminated entirely or partially after three infringement incidents.
• Publicly announce contact details.
• Co-operate with copyright owners to implement universally recognised copyright protection or identification technologies approved by the competent authority.

In addition to the common requirements above, different types of online service providers must comply with other specific requirements for exemption.

The MODA is the competent authority for social media platforms conducting online advertising business. The MODA has the authority to designate specific platforms to be subject to the FCHPA, formulate obligations for fraud prevention, impose fines for non-compliance, and mandate corrective measures within a specified timeframe.

Recent enforcement actions by the MODA include, on 16 September 2024, designating Google, Line, Meta and TikTok as entities subject to the FCHPA. On 28 November 2024, the MODA announced that the above entities must, starting from 30 November 2024, restrict browsing, stop broadcasting or adopt other necessary actions regarding advertisements identified as fraudulent or clearly related to fraud within 24 hours of receiving a notification from competent authorities.