Taiwan’s Personal Data Protection Act (PDPA) is a single, comprehensive statute that reshaped the country’s privacy law. It applies to public agencies, companies, and individuals alike, and covers the collection, processing, use, and storage of any personally identifiable information. Exemptions exist for data handled by a natural person for purely personal or household purposes, and for images collected at public activities or in public venues.
Where some data privacy laws, such as China’s, enumerate specific categories of personal data, Taiwan uses a broader definition: the PDPA applies to any information that can directly or indirectly identify an individual. This includes, but is not limited to:
- ID card details
- Family members
- Marital status
- Educational history
- Medical records
- Genetic information
- Financial condition
- Social activities
Some privacy rights may be waived in certain circumstances, but Taiwan recognizes five data-subject rights that cannot be waived or limited by contract:
- the right to inquire about and review the information
- the right to request a copy of the information (the organization may charge a fee for producing the copy)
- the right to request that the information be supplemented or corrected
- the right to request that collection, processing, or use of the information cease
- the right to request that the information be deleted
Of the items considered personal data in Taiwan, certain categories are treated as sensitive information and handled more strictly. These include:
- Medical records
- Sexual preference
- Genetic information
- Premium records
- Data pertaining to minors under the age of fourteen
The collection, processing, and use of sensitive information are prohibited under the PDPA except in the following cases:
- Where the data is needed to fulfill a statutory obligation
- Where collection is expressly permitted by law
- Where the individual has voluntarily made the data public
- Where the data is used for statistical or academic research purposes
- Where the disclosure is in the public interest
The recording, collection, processing, and use of ordinary personal data are permissible where a contractual relationship exists, where the individual has consented, where required by law, or where the individual has voluntarily and publicly disclosed the data. Public disclosure includes information the individual has shared on social media.
To obtain this information lawfully, the collection must stay within the scope of the stated purpose, the individual must be notified of that purpose, and consent must be obtained. Written consent is not required, but the collector must be able to prove that consent was given.
Unlike stricter regimes such as China’s, cross-border transfer of data to or from Taiwan is relatively straightforward. Across the 47 articles of the PDPA, only one regulates cross-border transfer. Most data lawfully collected in Taiwan may be transferred outside the country.
Some exceptions apply. A transfer may be restricted where it would violate an international treaty or agreement, where the destination country lacks adequate data protection, or where the transfer is an attempt to circumvent Taiwanese data protection rules. Transfers out of Taiwan involving telecommunications data are subject to stricter regulation.
Data gathered in Taiwan may be transferred across the border provided the transfer stays within the scope of the original purpose, the affected individuals are informed and their consent is obtained where required, and every entity involved in collecting, processing, storing, and using the data maintains adequate security to prevent leaks.
The government of Taiwan reserves the right to prohibit the collection, processing, use, or storage of data where those activities violate the law. Consequences of a violation can include orders to delete the data, fines, and criminal penalties up to and including imprisonment.
Under the PDPA, non-governmental agencies must implement the proper security measures to protect personal data from theft, alteration, damage, destruction, or inappropriate disclosure. Security measures can include:
- Internal control processes
- Dedicated privacy-informed personnel
- Risk assessment protocols
- Technical security measures
- Proper privacy training
- Audit mechanisms
- On-site facility security
- Records of consent
Fines and Penalties for Violation of Taiwan’s Data Privacy Laws
Where a data subject suffers harm but cannot prove the actual amount of the loss, civil damages range from 500 to 20,000 TWD (about 17 to 714 USD) per person per incident. The aggregate cap for a single incident is 200 million TWD (roughly 7 million USD). The civil claim must be brought within two years of the claimant learning of the damage and the liable party, and in any case within five years of the damage itself.
Exploiting another person’s data for unlawful gain is a criminal offense punishable by imprisonment for up to five years and a fine of up to 1 million TWD (about 35,700 USD).
Separately from civil damages, the competent authority may impose administrative fines of 50,000 to 500,000 TWD (about 1,700 to 17,000 USD) for violations of the PDPA’s collection, processing, use, and cross-border transfer rules.
To avoid violating the PDPA and facing these penalties, careful attention must be paid to:
- Proper disclosure of intent
- Proof of consent
- Adherence to the scope and intent of the stated purpose
This basic overview of the PDPA shows its distinctive place among global data privacy laws. There are deeper nuances to explore, but this primer gives you a foundational understanding of the PDPA. Keep an eye out for the next piece in this series.