Taiwan Slowly Implementing Data Protection Law

By Yu-Tzu Chiu

Sept. 8 —To implement Taiwan's 2010 Personal Information Protection Act, several government agencies have announced draft regulations to help companies in different sectors of the economy they oversee better protect personal information, a Ministry of Justice (MOJ) official told Bloomberg BNA.

“Due to the lack of a national data protection authority, government units supervising different industries have to do this to guide enterprises,” Hsiu-lien Lin, director of the MOJ Department of Legal Affairs, said.

In addition, a trustmark program launched in 2011 has been used as a self-regulatory auditing system for many companies, but only a few companies have proceeded through the program to actually obtain the right to post a privacy trustmark on their websites.

The legislature is considering amendments to the country's framework data protection statute that would loosen some restrictions on the use of sensitive personal data and lessen the available penalties for violations of the law.

No Central Privacy Office 

“We'd proposed twice to the Cabinet for setting up a national data protection authority but received no positive response,” Lin said.

She added that governmental reorganization in recent years has left limited space for a new Cabinet-level unit to oversee data protection.

Taiwan's Personal Data Protection Act was passed by the country's legislature, the Legislative Yuan, in 2010 but didn't come into effect until 2012, when the MOJ promulgated an Enforcement Rule.

The law faced amendments, but even now not all provisions of the law have been activated.

Ching-Yi Liu, a professor of law at National Taiwan University, recently told a conference in Hong Kong hosted by the Asia Pacific Privacy Authorities forum that the statute is inefficient and ineffective because it draws on a mish-mash of European and U.S. approaches and attempts to adapt these to Taiwan's “Asian culture of privacy”.

Data Security Regulations 

In August, the Ministry of Finance announced draft regulations governing security protection for personal information files held by Alcohol and Tobacco Enterprises and lottery institutions.

Also in August, the Ministry of Interior Affairs announced similar regulations for enterprises in mortuary services and in cross-border matching marriage services.

In July, the Ministry of Economic Affairs (MOEA) drafted similar measures for online retailers and online retail management platforms, as well as power and natural gas enterprises.

Earlier, similar regulations for electronic payment processing institutions, organizations contracted with the Financial Supervisory Commission and the bank transaction processing Taiwan Clearing House, which are supervised by the central bank, were also announced. The ministries of transportation, education, agriculture and others have also drafted and announced similar regulations.

Lin said the regulations serve as guidelines for affected enterprises and institutions when using personal information they have collected.

Officials at the MOEA's Science and Technology Law Institute (STLI) of the Institute for Information Industry said the regulations also serve as a reminder for enterprises to take seriously the need to protect personal information.

Trust Mark Program 

For businesses willing to effectively improve their capacity to secure personal data held in their archives, STLI in 2011 introduced the Taiwan Personal Information Protection and Administration System (TPIPAS) and the Data Privacy Protection Mark (DP Mark) trust mark system.

As of the end of August, only 17 Taiwan-based enterprises from a variety of industries have received permission to post the DP Mark on their websites. They include a consumer credit reporting company, a financial investment company, major online retail management platforms, wholesale companies and a convenience store chain.

“It's all about the cost of time and manpower. Many companies spent more than one year to fit itself into the system,” Ying-Hsi Chiu, an STLI director, told Bloomberg BNA.

Chiu said, since 2011, more than 3,500 managers from different industries had attended 23 workshops on TPIPAS.

Meanwhile, she said, 355 companies have run a self-evaluation program under TPIPAS to see what other efforts are needed in order to get the DP Mark.

“The potential of businesses has been seen. We've taken into account of some firms' suggestion that a certificate can be firstly issued if they completed certain major parts. Details about the change might be released later this year,” Chiu said.

In addition, she said, two companies had been approved by MOEA to help enterprises fit into the TPIPAS. Nine qualified consulting institutions have received approval for providing enterprises with personal data consulting services.

Enforcement Confusion 

It is a big challenge for certain companies, especially those in the financial sector, to become fully compliant with the Personal Data Protection Act, Simon M. Yu, an associate at Jones Day, in Taipei, told Bloomberg BNA.

“At least, the adoption of TPIPAS is a good start for companies to avoid violating the act,” he said.

In Taiwan, companies are still trying to clarify what they see as ambiguities in the framework law, Yu said. But at the same time court rulings carry the message that Taiwan strictly limits the use of personal information, he said.

In late 2014, as an example, a court ordered Taiwan Mobile Co. to give an affected consumer 500 Taiwanese New Dollars (TWD) ($15.33) in damages—the minimum allowable penalty—because an application called M+Messenger allowed the user to automatically identify and contact numbers belonging to other Taiwan Mobile customers, Yu said.

For Taiwan Mobile, which has filed an appeal, the ruling is confusing because the company sought to bring convenience to customers with the app by merely using existing data, Yu said.

“Similar commercial applications are common in other countries. But the ruling implies that enterprises in Taiwan should be extraordinarily cautious when using existing data in their archives,” he said.

Big Data Analytics 

Taiwan has moved to promote the use of big data analytics.

Yu said, in the era of big data, many countries have made efforts to harmonize policies regarding the protection of personal information and the promotion of big data.

Liu told Bloomberg BNA that in order to lower the risk of invading personal privacy in that big data effort, Taiwan should pay more attention to European Union efforts to update its data protection regime.

Some legal analysts in Taiwan have called for the application of proper de-identification of data as a way to help protect personal privacy, STLI's Chiu said.

Article 6 of the Personal Data Protection Act on “special” personal information—which requires additional consent and protection rules for its collection, processing and use—hasn't taken effect. The article specified medical and health treatment information, genetic and sexual life data and criminal record information as special personal information. According to the MOJ, “medical records” have now been added to the list.

The government is under pressure from insurance and pharmaceutical companies to loosen restrictions on the use of special personal information, Liu said.

The government is proposing amendments to the framework law to retain the requirement that individuals provide written consent before their special personal data are collected, processed and used but allow use in the public interest for government and academic research if the data are de-identified after being collected and processed.

Lin said the government proposal hasn't moved since it was introduced in the Legislative Yuan due to objections from the opposition Democratic Progressive Party, which is insisting that the written consent requirement not have any exception.

“Under the circumstance, it would create difficulties for prosecutors investigating criminal cases if they would have to obtain permission first from people with criminal records to collect such data,” she said.

Framework Law Amendments 

Other major points that would be revised under the government's proposed amendments include changes to Article 54, which stipulates that collectors of personal data should inform data subjects that their personal data have been collected within 12 months after the law is fully implemented, Lin said. The proposed revision would state that data collectors need only inform concerned individuals if their information is processed or used.

The proposed amendment also addresses Article 41 and Article 45 of the Personal Data Protection Act, which provide penalties of imprisonment of up to two years and fines of up to 200,000 TWD ($614.79). Those penalties, which have been criticized by some as being too burdensome, would be removed.

But individuals who profited from violations of the law would still be subjected to imprisonment of up to five years and fines of up to 1 million TWD ($30,777).

“It remains uncertain that when the revision of the Act will be finalized,” Lin said, adding that it is very unlikely to be done by the end of the current legislative session, which ends early in 2016.

To contact the reporter on this story: Yu-Tzu Chiu in Taipei at correspondents@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

The list of data protection regulations announced by government agencies with links to the individual regulations is available, in Chinese, at http://goo.gl/8vX74M.