Legal Update: Amendment to the Personal Data Protection Act

In response to the sharp rise in scams and fraud in recent years, the Executive Yuan published version 1.5 of the government’s next-generation anti-fraud strategy guidelines. The guidelines identify strengthening industries’ obligation to maintain data security as an important measure for preventing fraud, the aim being to reduce personal data leaks by non-governmental agencies. To support this, the Legislative Yuan passed an amendment to certain articles of the Personal Data Protection Act (the “PDPA”) on 16 May 2023, with two major changes aimed at preventing fraud.

Changes to the types of penalties that can be imposed on non-governmental agencies for violating data security maintenance obligations, with heavier fines

Under the old law, if a non-governmental agency that retained personal data files failed to implement appropriate security measures to prevent the theft, alteration, damage, loss, or leak of personal data, or failed to establish a personal data file security maintenance plan or a method for processing personal data after the termination of business, it was first ordered to correct the violation within a specified time and was penalized under Article 48 of the PDPA only if it failed to do so. The amendment imposes heavier fines directly, together with an order to correct the violation within a specified time. Fines are raised to between TWD20,000 and TWD2,000,000, and for serious violations to between TWD150,000 and TWD15,000,000. An agency that fails to correct the violation within the specified time is fined between TWD150,000 and TWD15,000,000 per violation. Other matters, such as failure to fulfill notification obligations or to comply with requests to maintain data accuracy, remain subject to the original penalty procedure and fine amounts under Article 48, paragraph 1 of the PDPA, which distinguishes by severity of the violation.

The Personal Data Protection Commission is the competent authority for the PDPA

In addition to combating fraud, the amendment also reorganizes the competent authority in order to strengthen and promote the protection and integrated use of personal data. Under the old law, the PDPA adopted a decentralized approach: depending on the nature of the business in question, a non-governmental agency was supervised either by the central competent authority for its industry or by the local government. Following the amendment, oversight of the PDPA transitions from a decentralized to a centralized system, with the Personal Data Protection Commission (the “PDPC”) as the central competent authority.

Under the reasoning of Constitutional Court Judgment No. 111-Xian-Pan-13, the PDPC should by its nature be an independent supervisory organization. Independent oversight enhances the legitimacy and credibility of personal data collection and helps ensure that personal data is not misused or leaked, especially once an individual no longer has direct control over their data. The Constitutional Court held that the legislature has discretion to decide whether this oversight mechanism is established through a single central independent supervisory organization or through independent supervisory organizations for the respective professional fields.

According to the legislative reasoning, because the PDPA’s supervisory functions are broad and complex and involve public administration, the amendment adds Article 1-1, which establishes the PDPC as the central competent authority. Further, in line with the Constitutional Court’s requirement that the relevant agencies be subject to independent oversight, the PDPC’s organizational law will be enacted as that of a central independent agency under the Basic Code Governing Central Administrative Agencies Organizations.

However, establishing an independent agency under Article 4, paragraph 1, subparagraph 2 of the Basic Code Governing Central Administrative Agencies Organizations requires the enactment of an organizational law, which is a lengthy process. Interim preparatory regulations were therefore issued in August 2023, and the preparatory office was formally established on 5 December 2023, with the remit to handle the overall planning, coordination, and promotion of the PDPC. This includes drafting the PDPC’s organizational regulations; formulating, interpreting, and coordinating amendments to the PDPA; planning the supervision, inspection, reporting, and petition mechanisms for the personal data protection of government and non-government agencies; planning, promoting, and carrying out education, advocacy, and talent cultivation on personal data protection; analyzing, evaluating, developing, exchanging, and promoting personal data protection technologies and application models; researching, tracking, surveying, and compiling statistics on domestic and foreign personal data protection laws, policies, and implementation; planning and promoting international cooperation, participation, and exchange in personal data protection affairs; and other matters related to the establishment of the PDPC. Once the organizational law and the second phase of the amendments have been sent to the Legislative Yuan for review, the PDPC is expected to be formally established in August 2025.

This is a translation of the original article in Chinese, which can be found here.

For more information on data protection matters in Taiwan, please contact Christine Chen at cchen@winklerpartners.com.

Written on 4 March 2024 by Christine Chen and Tzu-Hsuan Chuang.

Translated on 26 March 2024 by George Bobyk.