Data Privacy Enforcement in Taiwan, Macau, and China
Privacy Laws & Business International Report, Issue 117, 11-13, June 2012
6 Pages Posted: 28 Jul 2012
Date Written: May 14, 2012
Abstract
This article, the third in a series surveying significant recent examples of data privacy enforcement actions in Asia-Pacific jursisdictions, covers the Chinese-speaking Asian jurisdictions, other than Hong Kong: Taiwan and Macau SAR with general data privacy laws, plus the Peoples Republic of China where there has been significant enforcement under a variety of law laws.
In Taiwan the Computer Processed Personal Data Protection Act (CPPDPA) is still in force, as the new Personal Information Protection Act (PIPA) has not yet been brought into force. There were no significant examples of administrative enforcement actions by the responsible Ministries in 2011 under the current CPPDPA. Nor have there been any in the nearly 20 years that the Act has been in force. Enforcement of the Act has been haphazard and intermittent at best. The main reason has been that no single agency has the responsibility of enforcing the Act. In contrast, the new Personal Information Protection Act (PIPA) identifies the Ministry of Justice (MOJ) as the agency responsible for coordinating enforcement of the new Act. Despite the lack of Ministerial enforcement, there has been some enforcement via the Courts. Over the past 10 years, Taiwan’s high courts have decided about 30-40 civil claims for damages under the current Act. Only three were successful. The current Act also has criminal penalties, and during that 10 year period about 100 criminal cases under the Act have reached the high courts with convictions resulting in about sixty per cent of cases. Separate from the data protection law, there were important administrative enforcement action by Taiwan’s financial services super-regulator, the Financial Supervisory Commission (the FSC) in 2009 and 2010 against banks on privacy-related grounds. The article includes examples of the various successful enforcement actions.
Macau’s Office for Personal Data Protection (OPDP) has administered Personal Data Protection Act since 2007, and has very extensive powers. The article details the enforcement actions it took in 2011 and early 2012, notable for their greater use of concepts derived from European data protection law than other European jurisdictions, in relation to matters such as Google’s Streetview, government recording of complaint calls, disclosure of information about shoplifters and debtors, direct marketing, and mobile surveillance by the Security Police.
Although the Peoples Republic of China does not have a comprehensive data protection law, examples of privacy enforcement in China occur increasingly. Recent examples of Court decisions and prosecutions are under a diverse range of laws and rulings that result in privacy enforcement. The article gives examples of criminal prosecutions and a significant court ruling confirming the right of citizens to take action against government agencies for wrongful publication of personal information.
In all of the Chinese-speaking jurisdictions, privacy laws are being enforced, but in different ways. In Hong Kong (examined in the previous article), there is an enforcement but it is of limited effectiveness. In Macau, fines of modest size seem to be the norm for any breach of the legislation. In Taiwan, administrative enforcement by the financial regulator is resulting in substantial financial penalties for privacy breaches on a regular basis, based on the financial regulation law. In the Peoples Republic a wide variety of criminal enforcement measures are being used, with penalties often including jail terms, but complaints or civil actions by individuals are less prominent as yet.
Keywords: Asia, Taiwan, Macau, China, data protection, data privacy, privacy, enforcement
Suggested Citation: Suggested Citation