TAIWAN Law and Practice Contributed by: Che-Hung Chen, Doris Lu, Jakob Huang and Meng-Ying Lee, Chen & Lin Attorneys-at-Law
related to personal data protection man - agement; • the obligation for government agencies and non-government agencies to implement response measures, maintain records of incidents, and report personal data breaches, along with the revision of the conditions for notifying the affected parties; and • procedures for selecting and evaluating high- risk industries and non-government agencies related to personal data breaches, with provi - sions for prioritising administrative inspec - tions of these entities. The 2024 draft amendments are still subject to review and discussion by the authorities. The PDPA currently in effect is the PDPA (2023 Amended). Therefore, unless otherwise referred to the draft amendments, the PDPA referred to hereunder will be the PDPA (2023 Amended). The national system in respect of data protection adopts an “APEC-EU referential” approach. The meeting minutes of the Executive Yuan in con - nection with the approval to submit the draft bill of the PDPA to the Legislative Yuan addressed that the PDPA incorporates certain provisions under Directive 95/46/EC. As one of APEC’s member economies, Taiwan has executed the APEC Privacy Framework, which indicates nine principles in respect of privacy protection; the PDPA also incorporates the principles guided by the APEC Privacy Framework. In 2011, APEC developed the Cross-Border Privacy Rules (CBPR) system, under which companies trading within the member econo - mies develop their own internal business rules consistent with the APEC privacy principles to secure cross-border data privacy. Taiwan joined the CBPR system in December 2018, with the Institution for Information Industry applying to
be the Accountability Agent under the system. In June 2021, the Institute for Information Industry was recognised by APEC as the Accountability Agent for CBPR verification in Taiwan for domes - tic enterprises. Taiwan also joined the EU-led Joint Declaration on Privacy and the Protection of Personal Data in October 2022. The declaration is intended to foster international co-operation to promote high data protection and privacy standards. Taiwan’s inclusion will allow strengthening exchanges and co-operation with EU and Indo-Pacific countries. Furthermore, in seeking an “adequacy decision” from the European Commission, the Personal Data Protection Office has filed the evaluation reports required for GDPR adequacy status; the application is still under review and discussion. All major laws regulating privacy and personal data protection are at the national level. The rel - evant regulations at the sub-national level are solely relevant to the implementation of those national laws and regulations by the differ - ent functioning bureaus of local government. Additionally, certain competent authorities have established specific regulations requiring secu - rity and maintenance plans for the protection of personal data within the industries under their supervision. These regulations are applicable to each specific industry. 1.2 Regulators Since the amendments to the PDPA were passed, the PDPC will be the dedicated com - petent authority of the PDPA. Upon its official launch, the PDPC will integrate those enforce - ment powers and responsibilities (stated below) spread among the Ministry of Justice (MOJ), the National Development Council, central govern - ment authorities that supervise the business operation of non-government agencies, and
444 CHAMBERS.COM
Powered by FlippingBook