Taiwan’s comprehensive one-piece Personal Data Protection Act (PDPA) is a milestone piece of legislation that paved the way for significant changes in privacy law. The PDPA applies to all public organizations, companies, and individuals regarding the collecting, processing, using, and storing of all personally-identifying information. Personal and family use exceptions apply, as does image data if it was collected at public activities or in public venues.
What is Personal Data Under Taiwanese Law?
Where some data privacy laws, such as China’s, name individual sources of personal data, Taiwan follows a broader description. The PDPA applies to any information which could directly or indirectly identify an individual. This includes but is not limited to the following:
- Name
- Birthdate
- ID card details
- Family members
- Marital status
- Educational history
- Medical records
- Occupation
- Genetic information
- Fingerprints
- Financial condition
- Social activities
Five Inalienable Rights of Data Privacy
Some rights of personal privacy may be waived in certain circumstances. However, Taiwan recognizes five privacy rights that can not be waived. These include:
- the right required to review the information
- the right to request a scan copy. Companies may be entitled to financial compensation for creating such a scan copy.
- the right to request supplemental or correction of the information
- the right to request the cessation of collecting, processing, or utilizing information first,
- and the right to request to delete such information.
Sensitive Information and Exceptions
Of the items considered personal data in Taiwan, six are categorized as sensitive information. Sensitive information includes:
- Medical records
- Healthcare
- Sexual preference
- Genetic information
- Premium records
- Data about minor persons under the age of fourteen
The collection, processing, and utilization of sensitive information are prohibited under the PDPA except in the following six cases:
- If the data is needed to fulfill the statutory obligation
- Where the data is required by law
- The individual has made a voluntary public disclosure
- For statistical or academic purposes
- If the disclosure is in the public interest
Recording, Collecting, Processing, and Utilizing in Taiwan
The recording, collection, processing, and utilization of personal data are permissible under contractual relationships, with individual consent, where required by law or where data has been voluntarily and publicly disclosed. Public disclosure of data can include information shared on social media.
To legally obtain this information, it must be relevant to the matter’s scope, the individual must be notified, and consent must be obtained. Written permission is not necessary, but proof of consent is required.
Cross-Border Data Transfer
Unlike stricter policies, such as those in China, cross-border data transfer to or from Taiwan is relatively straightforward. Across the 47 articles of the PDPA, only one regulates cross-border data transfer. As a result, most data legally collected in Taiwan can be transferred outside the country.
Some exceptions apply, such as where such transfer would violate international treaties or agreements. Data may only be permitted to leave Taiwan if it will be processed, stored, or utilized in a country with adequate data protection policies. Transfers made in an attempt to circumvent Taiwanese data policies are also disallowed. Data transfers out of Taiwan involving telecommunications are subject to stricter regulation.
Data gathered in Taiwan can be transferred across the border if it adheres to the matter’s scope. The concerned parties must be informed, and consent must be granted where required. The entities involved in processing, storing, collecting, and using personal information have adequate security to prevent data leaks.
The Scope of Government Authority
The government of Taiwan reserves the right to prohibit the use, collection, processing, or storage of data if said activities violate the law. Consequences of violating data privacy law include data destruction, fines, or arrest.
The Obligation of a Non-Governmental Agency
Under the PDPA, non-governmental agencies must implement the proper security measures to protect personal data from theft, alteration, damage, destruction, or inappropriate disclosure. Security measures can include:
- Internal control processes
- Dedicated privacy-informed personnel
- Risk assessment protocols
- Technical security measures
- Proper privacy training
- Audit mechanisms
- On-site facility security
- Records of consent
- Fines and Penalties for Violation of Taiwan’s Data Privacy Laws
Civil liability
The fines for violating civil liability range from 500-20,000 TWD or 17-714 USD per incident. The maximum total penalty is 200 million TWD or 174,000 USD. The statute of limitation for civil action is two years from the incident, not from the time of its discovery.
Criminal liability
Exploiting another person’s data for personal gain may be subject to imprisonment for up to five years and fines of up to 1 million TWD or 35,700 USD.
Administrative liability
If the government of Taiwan violates the PDPA, penalties may be imposed from 50,000 to 500,000 TWD or 1700 to 17,000 USD.
Taiwan Data Privacy Best Practices
To avoid violating the PDA and facing possible penalties, careful consideration must be paid to the following:
- Proper disclosure of Intent
- Proof of consent
- Adherence to the scope and Intent of the matter
This basic overview of the PDPA demonstrates its unique place in global data privacy laws. Of course, there are deeper nuances to explore – but this primer tells you everything you need to know to form a foundational understanding of the PDPA. Keep an eye out for the next piece in this series.
