Taiwanese and Chinese regulatory authorities signed memoranda last November expanding mutual access to and the supervision of banking, insurance, and securities sectors. The memorandum became effective on January 16, 2010, and reflects planned financial market liberalizations between Taiwan and China. The memorandum—the latest in a series of unprecedented cross-strait deals brokered by Taiwan’s new administration paving the way for a binding Economic Cooperation Framework Agreement (ECFA) to lower long-standing barriers on a wide range of goods and services—should see a substantial increase in the collection and cross-border transfer of personal client data between the two countries.
Concerns have been raised over whether the personal data shared by Taiwanese banking, insurance, and securities firms with their Chinese counterparts will be adequately safeguarded from unauthorized disclosure and misuse. Part of this concern likely arises from the fact that trade and ECFA negotiations have been conducted behind closed doors and a substantive review of the financial and other sector-specific pacts therein by the public have not been possible to date. And part of the concern likely arises simply from the increased scrutiny afforded the issue of personal data protection over the last ten years. It will, however, be in the interests of both Taiwanese and Chinese companies to ensure that any personal data exchanged has been well protected.
Banking, insurance, and securities firms established in Taiwan fall under the Computer Processed Personal Data Protection Act – the fundamental legal framework for data protection in Taiwan. These firms must be licensed by Financial Supervisory Commission (FSC) to collect, process, and transfer personal data by computer. Approval must be obtained for the cross-border transmission of data – any cross-boarder transmission of the data through telecommunications systems (networks) including cable, terrestrial, optical or other electromagnetic communication networks. The application for the license must identify any cross-border transmission that will occur and who the direct recipient of that data will be. It must also set out a security and maintenance plan for the safety of personal data and provide a host of other required information. Firms currently licensed will, therefore, need to apply to amend their current registrations. And the FSC will have the opportunity to ensure adequate measures have been put in place to protect local consumers. The FSC may also restrict the cross-border transfer where major national interests are involved; where an international treaty or agreement specifies otherwise; where the nation receiving personal data lacks laws which fairly protect the rights and interests of the principal, thereby causing injury to the principal; or where international transmission and utilization of personal data are made through a circuitous means in order to evade the provisions of the Act. It would be very unlikely though to see the cross-border transmission to China be refused on these grounds at this stage.
Liability under the Act would fall on the entity governed by the Act and thus Taiwanese entities licensed under the Act will be liable for any unauthorized disclosure and misuse that occurs including that subsequent to a licensed cross-border transmission. Firms also face the prospect of potential criminal and civil liability under Taiwan’s Criminal Code and Civil Code.
The current Act, however, applies only to the collection, processing, and transfer personal data by computer and only to specified industries. A bill has been introduced whereby the Act would cover all data collection by any entity or individual. The amendments, however, have been stalled for several years at the Legislative Yuan. The main sticking point in the passage of the amendments has been just how severely violations of the Act should be punished and whether civil liability should be capped or not (it presently is).
The penalties under the current Act have been seen as inadequate, and likely are. The amendments seem unlikely to pass before the personal data of Taiwanese banking, insurance, and securities consumers starts flowing. Protection will, however, likely come from the fact that the liberalization of trade and closer political ties between Taiwan and China has come under increasing scrutiny from an ever-wary Taiwanese public. Parties on both sides of the Strait have a vested interest in ensuring that this next stage of closer commercial relations proceeds without giving the public cause to further question the proposed continued liberalization of trade and closer political ties.
A version of this article appears in the Computer Law and Security Review. For more information about this topic, please contact K. Mark Brown.Written March 1, 2010 By K. Mark Brown.