Taiwan has had data protection laws since the mid-1990s, but a new era in data protection began in October of 2012 when the Personal Information Protection Act of 2010 (the “PIPA”) took force.
Enforcement of the PIPA is dispersed. Instead of having a single data protection authority (DPA), central government regulators share responsibility for enforcing the PIPA along with local governments. In addition, the Ministry of Justice plays an important coordinating role and interprets the PIPA.
The only regulator that publishes its data protection enforcement decisions is the Financial Supervisory Commission (“FSC”). The FSC is Taiwan’s super-regulator for financial industries. In this role, it oversees securities and futures firms, banks, and insurers. FSC data protection enforcement decisions are thus an important source for understanding enforcement of the PIPA by Taiwan’s executive branch.
Enforcement Cases by the Numbers
The FSC has published 16 enforcement decisions since the PIPA took force in 2012. The number of enforcement decisions in each year has varied. For example, while seven decisions were issued in 2016, no decisions were issued in 2015. Between 2012 and 2014, the FSC issued an average of two or three FSC enforcement decisions each year.
The seven 2016 enforcement decisions included five enforcement decisions against insurance companies by the FSC Insurance Bureau and two decisions against banks by the FSC Banking Bureau. As of this writing (March 2017), the FSC has already issued two enforcement decisions in 2017. Both of the 2017 decisions have been against insurers.
Of the various FSC sub-agencies, the Insurance Bureau has been the most active in its PIPA enforcement. Eleven of the 16 FSC enforcement decisions since 2012 have been insurance cases while just five decisions have been banking cases. Thus two trends can be identified. The first is increasing overall enforcement activity by the FSC since 2016. The second is that the FSC is especially concerned about the collection, processing, and use of personal information by the insurance industry.
We anticipate that these trends will continue and expect to see an increasing number of PIPA enforcement cases issued by the FSC with a focus on the insurance industry.
Types of Enforcement Decisions
FSC enforcement decisions since 2012 can be categorized into four types: data breach cases, failure to obtain consent cases, inadequate security cases, and cases involving failure to notify.
1. Data Breaches
Data breaches are the most common reason for enforcement decisions. In general, these cases have involved negligent disclosures of customer personal information. In some cases, the disclosures were caused by poorly designed or maintained internal control and internal audit mechanisms, while in other cases there were procedural errors in the course of business. Examples of data breach cases are briefly discussed below in reverse chronological order by the date of the enforcement decision.
10 January 2017: Nan Shan Life Insurance Co., Ltd. improperly mailed policyholder personal information to third parties in the course of mailing notices to policyholders. The FSC found that the personal information disclosures were caused by execution errors in Nan Shan’s computer system. This enforcement decision is notable because the FSC also found that the breach was material and penalized Nan Shan for failing to immediately report the breach. This is the only enforcement decision to date in Taiwan that addresses late reporting.
11 April 2016: A customer requested information about salary transfers to the customer’s account at Cathay United Bank. In its response to the customer’s request, Cathay United Bank’s Da’an Branch disclosed the personal information of another customer to the requesting customer.
22 August 2013: CTBC Bank committed an error in its internet banking operations that enabled any internet user to enter, browse, and obtain customer information stored in the bank’s internal index pages.
2. Failure to obtain consent
Enforcement decisions have also been made against financial enterprises that have violated the PIPA by providing personal information of customers for use by third parties without first obtaining the customers’ consent. This type of case is illustrated by the following enforcement decisions.
29 June 2016: Mega International Commercial Bank, without having obtained the consent of its customers, provided basic customer personal information to its affiliate Chung Kuo Insurance Company Limited to conduct telemarketing.
4 October 2013: A Nan Shan Life Insurance solicitor, without obtaining written permission from the policyholders, gave personal information of customers to a third party whom the solicitor had engaged to answer policyholders’ questions about a policy.
10 July 2013: A Chang Hwa Commercial Bank, Ltd. employee made a query to the Joint Credit Information Center about a customer’s credit information without having obtained the customer’s written consent.
3. Inadequate Security
Cases of this type include the following:
16 November 2016: PCA Life Assurance Co., Ltd. inadequately implemented its 2015 personal information inventory operations, resulting in failure to delete personal information before the expiration of the relevant retention period.
11 November 2016: Mercuries Life Insurance Co., Ltd. was penalized for having inadequate overall personal data protection measures and a lack of effective internal control mechanisms in conducting its information operations.
8 September 2016: A Fubon Life Insurance Co., Ltd. customer complaint handler failed to adopt appropriate security measures and failed to use encryption when sending photocopies of policyholder call-in card applications to personal email addresses.
4. Failure to notify
14 February 2017: Mercuries Life Insurance Co., Ltd. was penalized for failing to expressly inform data subjects of statutorily required matters when it collected personal information of customers through its official website on a web page it provided for customer email queries about insurance.
Under the PIPA, regulators are empowered to order private sector actors to remedy a violation of the PIPA. Failure to remedy the violation by a prescribed deadline will result in an administrative fine ranging from NT$20,000 (c. US$650) to NT$500,000 (c. US$16,300). However, the FSC also has the power to fine financial businesses when they violate rules governing internal controls, and these fines are considerably higher than the fines that may be imposed under the PIPA. A notable feature of the FSC enforcement decisions is that when the FSC determines that a financial institution has violated the PIPA, it usually also finds that the same facts simultaneously constitute a violation of internal controls. As a result, the fines imposed in most FSC enforcement decisions are generally the higher fines for violation of internal controls.
In less serious cases, the administrative fine for a violation of internal controls in a data protection case is NT$600,000 (c. US$19,570). However, higher fines are imposed in more serious cases. For example, the FSC imposed a fine of NT$1.2 million (c. US$39,100) in the 2016 PCA Life Assurance case, where PCA Life Assurance failed to delete personal information by the expiration of the retention period. Relatively high fines were also imposed in two cases involving external leaks of personal information: NT$3 million (c. US$97,830) in a 2014 case in which an ex-employee of Cathay United Bank had downloaded personal information of customers onto a private external storage device, and NT$4 million (c. US$130,400) in the 2013 CTBC Bank data breach case.
Typically, these fines for violations of internal controls are also accompanied with an order to remedy the PIPA violation by a prescribed deadline. In the majority of cases, a deadline of one month was set to remedy the PIPA violation. In a minority of more serious cases, a deadline ranging from seven to ten days was set.
To date, the FSC has imposed stand-alone PIPA fines in just three cases: the 2016 Mega International Commercial Bank decision, the 2013 Nan Shan Life Insurance decision, and the 2013 Chang Hwa Commercial Bank decision. The administrative fines imposed by these decisions were, respectively, NT$50,000 (c. US$1,630), NT$20,000 (c. US$650), and NT$50,000 (c. US$1,630). All three of these cases fall in the category of providing a customer’s personal information for use by a third party without having obtained consent.
Taiwan’s Financial Supervisory Commission is actively enforcing the PIPA with remedy orders and fines. While fines remain low by international standards, Taiwan’s media covers violations of data protection law extensively. As a result, members of the public and consumers are increasingly aware of their rights under the PIPA and are already highly sensitive to disclosures of personal information. This will put pressure on other regulators to follow the FSC’s lead and publish enforcement decisions. Ultimately, Taiwan is likely to follow regional and international trends and replace dispersed enforcement with centralized enforcement by a unitary data protection authority.
For more information on data protection and privacy matters in Taiwan, please contact Christine Chen at firstname.lastname@example.org.
Written April 5, 2017 by Christine Chen and Michael Fahey.