2017 data protection enforcement decisions by Taiwan’s Financial Supervisory Commission

Taiwan’s Financial Supervisory Commission (the “FSC”) continues to be the only regulatory agency in Taiwan that regularly publishes its data protection enforcement decisions. This update summarizes the FSC’s 2017 data protection decisions. Please see this feature from last year that explains Taiwan’s data protection regulatory regime and discusses the FSC’s 16 decisions between 2012 and 2016.

The FSC issued 13 data protection enforcement decisions in 2017 after issuing seven such decisions in 2016 and none in 2015. All 13 of the 2017 decisions were against insurance businesses, and 11 of these decisions imposed fines ranging from NT$300,000 (c. US$10,000) to NT$700,000 (c. US$23,000). It should be noted that most of the decisions also included violations of Taiwan’s Insurance Act in addition to data protection violations. As a result, the fines include penalties for violations of not only the Insurance Act, but also Taiwan’s Personal Information Protection Act (“PIPA”) without a breakdown. The decisions also included orders to remedy the violations. Typically, the FSC gave the insurance businesses one to three months to remedy.

Eleven of the 13 decisions involved failures to implement appropriate security measures to protect personal information under Article 27(1) of the PIPA. More specifically, the FSC repeatedly cited insurance businesses for violations of its standards for appropriate security measures at financial institutions. These standards are set out in the Financial Supervisory Commission’s Regulations Governing Security Measures for Personal Information Files at Designated Non-Public Agencies (the “FSC Security Measures Regulations”).[1]

For example, an insurance brokerage was cited for the following violations:

  1. Failure to establish a security auditing mechanism for personal information (FSC Security Measures Regulations §13); and
  2. Failure to establish a record keeping mechanism for deletion of personal information and cessation of processing or use of personal information (FSC Security Measures Regulations §14(2)).

The FSC’s almost exclusive focus on security measures in 2017 contrasts with enforcement decisions from 2012-2016 where decisions were more evenly divided between data breaches, notice/consent failures, and inadequate security measures.[2]

This focus on appropriate security measures is consistent with the approach of other Taiwanese regulators in the past year or so. For example, the Ministry of Economic Affairs’ Investment Commission now sometimes requires foreign investors in sensitive industries to produce personal information security plans as part of the foreign investment approval process.

It is also worth mentioning that the FSC is far from alone in having issued regulations on personal information security standards. As of this writing, there are 34 such regulations issued by various sectorial regulators pursuant to Article 27(3) of the PIPA. Notable examples include personal information security standards for:

  1. Telecommunications enterprises, cable network operators, and television stations;
  2. Tourist hotels; and
  3. Power and gas companies.

Currently, these security standards are something of a regulatory blind spot for international businesses since very few have been translated into English.

[1] 金融監督管理委員會指定非公務機關個人資料檔案安全維護辦法
[2] In addition to the security measure enforcement decisions, there was also one data breach case involving negligent disclosure of insurance policy information to third parties as well as one inadequate notice case in 2017.

Written September 5, 2018 By Michael Fahey.