Taiwan Revises its Data Protection Act
Privacy Laws & Business International Report, Nos. 108 & 109, 2010-2011
9 Pages. Posted: 24 Dec 2011. Last revised: 7 Feb 2012
Date Written: November 9, 2011
Abstract
Taiwan’s Computer Processed Personal Data Protection Act of 1995 was pioneering data protection legislation in Asia, but had many inherent defects. It had limited coverage, dealing generally with the public sector but only eight specified private sector areas. There was no single oversight body, enforcement being left to the Ministries responsible for each industry sector. Evidence of the enforcement or effectiveness of the Act is lacking, but commentators were of the opinion that the Act is ineffective.
The new Personal Data Protection Act, enacted 26 May 2010, is in effect a new piece of legislation. It will not be brought into force until 2012, when the Enforcement Rules necessary for the operation of some sections are expected to be prescribed by the Executive Yuan. The Act is comprehensive in relation to both public and private sectors, and thus much more extensive than the previous Act in relation to the private sector. The revised Act still has no single oversight body, and does not create a data protection authority. Enforcement is left to the Ministries responsible for each industry sector. The obligations imposed by the Act have been considerably expanded, particularly those in relation to notice, and to sensitive data. Data exports (‘international transmission’) by private organisations (‘non-public agencies’) may be restricted by ‘the central competent authority for the relevant industry’ (A 21), but this is not an automatic prohibition on exports. The Act has the first example of an enforceable requirement to notify data subjects (but not the relevant authority) of data breaches enacted in Asian data protection legislation, although the data breach notification provisions in the 2011 Korean legislation are the first to come into force. However, the Taiwanese provision does not apply to all ‘data breaches,’ only to those where the company or government agency has breached a provision of the Act. Contraventions of the Act, where damage is caused to another person, can be punished by imprisonment up to two years or substantial fines. Potentially more important are the extensive provisions for damages actions, and for class action litigation (where ‘the rights of multiple subjects are injured by the same causal facts’) by representative organisations which have objectives of protecting personal data. While not as innovative as Korea’s new law, this Act does bring Taiwan up to many aspects of international standards.
Keywords: Taiwan, privacy, data protection, data privacy, personal information, legislation