TAIWAN Law and Practice Contributed by: Che-Hung Chen, Doris Lu, Jakob Huang and Meng-Ying Lee, Chen & Lin Attorneys-at-Law
1. Legal and Regulatory Framework 1.1 Overview of Data and Privacy- Related Laws The Personal Data Protection Act (PDPA) is the primary law regulating personal data protec - tion. It was first enacted in August 1995, as the Computer-Process Personal Data Act, and regu - lated government agencies and certain private sectors. The PDPA has been effective since 1 October 2012 and regulates any person – includ - ing government agencies and all private sector entities – who collects, processes or uses per - sonal data. Privacy and personal data protec - tion are related to the constitutional protection of privacy. In addition to the PDPA, the Legislative Yuan has also enacted certain special data protec - tion requirements in some sector-specific laws, such as: • the Insurance Act; • the Financial Holding Company Act; • the Banking Act; • the Human Biobank Management Act; • the Pharmaceutical Affairs Act; and • the National Sports Act. Furthermore, the Trade Secrets Act may apply if the trade secrets of an enterprise are involved. If an offence against computer security is involved, the criminal sanctions of the Criminal Code of the Republic of China may apply. If any national security issue is involved, the National Security Act may apply. On 16 May 2023, the Legislative Yuan passed amendments to the PDPA to urge non-govern - ment agencies (ie, the private sector) to input manpower, techniques and funds for the pur -
pose of fulfilling data protection obligations, and to provide support to relevant enforcement authorities for combating fraudsters. Two main points of the 2023 amendments are as follows: • raising the administrative penalties imposed against non-government agencies for violat - ing the obligation of security and mainte - nance measures; and • designating the Personal Data Protection Commission (PDPC) as the dedicated com - petent authority of the PDPA (the Preparatory Office of the PDPC was formed on 5 Decem - ber 2023, accordingly). On 20 December 2024, the Preparatory Office of the PDPC announced a draft amendment to the PDPA. The public consultation period end - ed on 10 January 2025, during which opinions from various sectors were received. The main purpose of this amendment is to align with the establishment of the PDPC and to grant the PDPC relevant enforcement powers, including administrative supervision over both govern - ment and non-government agencies, as well as co-operation mechanisms with other competent authorities with regard to supervision on non- government agencies. The main points of these amendments are as follows: • the establishment of a supervision mecha - nism for government agencies; • the requirement for government agencies or designated non-government agencies to: (a) appoint a Personal Data Protection Officer responsible for promoting and overseeing personal data protection mat - ters within the agency; and (b) appoint auditor(s) responsible for plan - ning and executing auditing activities
443 CHAMBERS.COM
Powered by FlippingBook