Privacy law in Taiwan
Taiwan’s personal data protection regimen: Essential approaches to prevent gaps in compliance
By John Eastwood, Wendy Chu and Nathan Snyder
Almost every business handles personal data in some way. Taiwan’s laws regarding the protection of personal data cover all of it. For example, just the act of having employees means you are already holding a lot of personal information.
The Taiwan Personal Data Protection Act (PDPA) defines “personal data” broadly to include “the name, date of birth, ID card number, passport number, characteristics, fingerprints, marital status, family, education, occupation, medical records, medical treatment, genetic information, sexual life, health examinations, criminal records, contact information, financial condition, social activities and other information which may be used to identify a natural person, both directly and indirectly.” Even at the job-applicant phase, a prospective employee has already turned over a large amount of personal data, and since you might soon be paying them, you will know their financial condition.
The punishments for violating the PDPA can be severe, including heavy fines and prison sentences of up to five years. Taking care in handling data is essential for any business.
General adoption of data protection: When the European Union implemented the General Data Protection Regulation (GDPR) in 2018, companies globally began to take data protection seriously and rushed to comply with GDPR rules. Compliance with the GDPR has become a central focus of concern in business, on the assumption that the GDPR remains the data-protection “gold standard”. Still, it is important to be reminded that individual countries, including Taiwan, sometimes have individual standards that are distinct from, or even stricter than, the GDPR, and each warrants a close look.
Crossover concerns: We have found that data protection touches upon many other areas of law. Lawyers across different practice areas have had to learn data-security issues. Our regulatory and employment teams work with it daily, and our due-diligence teams also must highlight data-related risks, both in evaluating an M&A target company and in selecting which information must be reviewed. The field of intellectual property also overlaps with data protection, perhaps because IP practitioners spend a lot of time assisting clients to protect trade secrets. Anybody who has drafted a non-disclosure agreement has a pretty good sense of what is involved in protecting somebody else’s information.
Data protection case examples:
In a published High Court case, a product supplier was found guilty of violating the PDPA. This supplier had established a group on a popular messaging app to conduct product sales. There were 70-80 members in that group, among whom was a retailer. The supplier became unhappy with the retailer because the retailer once failed to pay the supplier for an order. Following this, the supplier, without the consent of the retailer, unlawfully used the retailer’s personal data by posting a picture of a shipping order, which contained the retailer’s name, address, and phone number, into the app’s group for all the members to see. This unlawful use of personal data damaged the retailer’s right to privacy. The retailer, who had previously been removed from the group, was notified of the situation by a friend and filed a complaint in court against the supplier. The supplier was found guilty of violating the PDPA because the retailer’s data was disclosed over a business dispute, not out of any interest in preventing harm. Further, this disclosure of the shipping order was outside the normal purpose of such an order. The failure to correct the disclosure demonstrated an intention to damage the retailer in this context, and damage to the retailer’s business did in fact occur.
In a Taipei District Court case from 2021, a purchaser entered his personal data, including his email, name, birthday, and cell phone number, on an online shopping website. After a few days, someone who claimed to be from the site called him and instructed him to remit some money related to his purchase. The caller convinced the purchaser that he was from the shopping site by showing his complete order information. Later, the site itself messaged the purchaser, reminding him that the website would never require a remittance under any circumstances. The purchaser suddenly realized that he had been defrauded and sued the website for failing to keep his personal data safe. The court ruled for the defendant website, concluding that the plaintiff purchaser failed to meet the burden of proving that the fraudster had actually obtained his data through a breach of the website. Although the data holder avoided liability in this case, it nevertheless shows the kind of trouble that may arise when handling customer data.
In a Taipei District Court case from 2019, two salespeople changed jobs from one company to another. Upon discovering that these salespeople were calling their old customers from the second company, the first company accused them of violating the PDPA (and their employment contracts’ confidentiality clauses) by transferring customer data over to their new employer. In their defence, the salespeople asserted that their calls were based on a client list provided by the second company. The court found the salespeople not guilty because the second company was able to find witnesses, mutual customers of the two companies, who testified that the second company had already been in contact with them before the salespeople changed employers. This meant that there were likely other sources of the data besides the salespeople transferring customer lists from their old employer. The second company’s ability to avert a worse result shows the value of retaining careful records of whose data a company is using, at what times, by which roles and for what purposes.
Consent is critical: The PDPA allows collection or processing of personal data where there is a contractual or quasi-contractual relationship between the collector and the individual, for example the buying and selling of goods or the employing of the person as a worker. However, companies typically encounter some additional need relating to personal data they have collected, such as sharing the data with business partners, marketing consultants, accounting firms and other service providers. Many more functions can be performed with personal data given advance consent from the individual than by relying on a contractual relationship alone. It is always best to get consent and clarify intentions at the start of the relationship with individuals, rather than to chase them down later to try to get their approval. For example, many companies provide a data-protection policy online with the opportunity for customers to click “OK” to indicate consent prior to ordering products or subscribing to a service online.
In cases where personal data had been collected under an older, outdated data-protection policy, companies often need to go back and seek consent for new data uses. If consent to the new terms is not given, then companies need to accept that.
Personal data rights: Although companies can do a lot with an individual’s consent, there are some things that cannot be waived. Individuals can always request:
1. to review their personal data;
2. a copy of their data;
3. supplements or corrections to their personal data;
4. discontinuance of collection, processing, or use of their personal data; and
5. deletion of their personal data.
Companies are often unaware of these responsibilities, but the Taiwan PDPA requires that action be taken on these requests within as few as 15 days. It is always better to be safe than sorry, and to create a procedure in advance to handle these requests.
Restricted categories: Taiwan’s PDPA provides additional protections for sensitive kinds of data. Data about medical records, medical treatment, genetic information, sexual life, health examination, and criminal records should not be collected or used, except with tight limitations. For example, exceptions include where the individual has made the information public, and where the individual has consented in writing. If the individual has consented, then of course there still needs to be a valid and specific purpose for the collection or use of this data.
Activity alerts: The fundamental principles of data protection are largely similar from jurisdiction to jurisdiction: keep individuals informed about how and by whom their data is collected and used, and ensure they know about and can easily enforce their rights. Data-protection laws frequently include notification requirements to accomplish these fundamental goals. Taiwan’s PDPA is no different. The PDPA notice requirement lists a few points that data collectors or users must disclose to individuals about the collection or use of their personal data:
1. The name of the collector or user;
2. The purpose(s) of collection;
3. The type of personal information collected or used;
4. The time periods, areas, and ways their personal data is used;
5. The individual’s rights and ways to exercise them;
6. How the individual may be affected if the individual chooses not to provide personal data.
The following situations may be exempted from the notice prescription:
1. When the collection of personal data is necessary for a government agency to perform official duties or a private entity to fulfil legal obligations;
2. When notice will impair a government agency in performing its official duties;
3. When notice will harm public interests;
4. When the data subject should have already known the contents of the notice;
5. When the collection of personal data is for non-profit purposes and clearly does not cause any detriment to the data subject.
When personal data is stolen, disclosed, altered, or otherwise infringed upon due to a violation of the PDPA, the breached company then needs to alert all affected persons after inspecting the breach to ascertain what happened, and to formulate a response plan. The PDPA does not specify the means by which an alert must be delivered, but data subjects must be alerted promptly. Article 22 of the PDPA’s Enforcement Rules states that the alert has to include the “facts pertaining to the data breach and the response measures already adopted” to address it.
Further responding to breaches: Article 18 of Taiwan’s Cyber Security Management Act (CSMA), which applies to critical infrastructure providers, government-owned enterprises, and government-endowed foundations, also requires that cyber-security incidents be reported to the central authority in charge of the relevant industry. Data handlers must properly respond to and make improvements after a cyber-security incident. Article 8 of the CSMA’s Enforcement Rules requires the report to the authorities to include:
1. Times of the occurrences or the awareness of the incidents and the completion of damage control or recovery operations.
2. The scope of the incidents and a damage assessment.
3. What damage control and recovery operations were implemented.
4. Any incident investigations and handling operations pursued.
5. A cause analysis of the incident.
6. Measures taken to prevent recurrences or similar incidents.
7. The estimated completion schedule and any follow-up mechanisms related to the above measures.
The Regulations on the Notifications and Response of Cyber Security Incidents set out additional requirements for the contents of CSMA alerts, including:
1. The entity where the incident occurred.
2. A description of the situation.
3. An assessment of the level of the incident (as categorized under the regulations).
5. An assessment of any requirements for external support.
Article 11 of these regulations requires regulated entities to alert the competent authority for their relevant industry about a cyber-security incident within one hour. Article 13 sets out timelines for damage control and recovery operations, depending on the level of the cyber-security incident. It is important for companies to consult data-protection professionals about whether they are subject to CSMA regulations.
Local languages: Many companies want to know whether they must translate English-language data-protection policies into local languages. This often depends on the industry sector and whose data is collected. Individuals submitting their data should be able to understand the terms in order to give effective consent to them. The PDPA obliges data collectors to prove that they obtained consent, where relevant. Generally, if a website is already translated into local languages to reach different demographics, that is a good sign that the data-protection policy should also be translated. For employee data, translation depends on the needs of the workforce and the languages usually used for communicating about rights and obligations. Many companies include personal-data provisions in their employment contracts or offer documents to make the company’s policies clear.
Taiwan’s PDPA and related laws impose some serious requirements on companies doing business in the country. Companies naturally want to ensure that their data-protection and breach-response policies and procedures are uniform across jurisdictions, but it is still important to have local counsel in each jurisdiction in which the company does business review them for specific compliance. Response times, notices, consents, and other common issues can fall out of line with local requirements if a blanket approach is pursued carelessly. Where uniformity appears to be the most efficient approach, complying with the most rigorous jurisdictions speeds the process along toward universal compliance. Consulting with effective local counsel remains a necessary step to determine which terms and which jurisdictions present the most rigorous approach.
John Eastwood is the managing partner of Eiger and works regularly with SMEs through to multinationals on data-protection compliance matters. Wendy Chu is a senior associate and Nate Snyder is an associate with Eiger, both working regularly on these issues.