Data Protection and Privacy 2025

TAIWAN Law and Practice Contributed by: Che-Hung Chen, Doris Lu, Jakob Huang and Meng-Ying Lee, Chen & Lin Attorneys-at-Law

2025. (The PDPC will prioritise the regulation of non-government agencies that do not have a clearly designated competent authority and gradually extend and include all other sectors whose data protection compliance is governed by competent business authorities). Nevertheless, the enforcement of the PDPA is currently still administered by the relevant central business authorities and local government authorities, rather than by any single government authority.

Under current circumstances, it is difficult to obtain a full picture of the enforcement status of the different central and local government authorities, since they are not subject to mandatory public disclosure requirements. Given the absence of sufficient publicly available information, there is no proper basis for saying whether enforcement in Taiwan is relatively aggressive or not. However, based on the limited public information available, enforcement in respect of data protection by the Financial Supervisory Commission (FSC), the competent authority for financial institutions, appears relatively aggressive compared to other government authorities.

Calculation of Administrative Fines
Fines for violations of the PDPA range from TWD20,000 to TWD15 million. There are no further explicit unified standards for penalties for violations of the PDPA. Nevertheless, as a general rule of administrative law, fines imposed by administrative authorities must be proportionate to the degree of the violation and must not involve an abuse of discretion or breach the principle of proportionality. The authorities may consider factors such as the circumstances of the violation and the frequency of violations when determining the amount of the fine.

1.4 Data Protection Fines in Practice
Heaviest Penalty
The FSC's heaviest penalty ever imposed for a bank's personal data breach was in 2023. In September 2022, the FSC received an anonymous tip-off alleging a cybersecurity breach at Shanghai Commercial & Savings Bank, Ltd (Shanghai Bank), which led to the leakage of customer personal data. After an investigation, it was confirmed that the bank had leaked the names and ID card information of 14,000 customers. In November 2023, the FSC imposed a fine of TWD10 million on Shanghai Bank, the heaviest penalty the FSC had ever imposed for a bank's personal data breach. According to the FSC, the following deficiencies were found in the bank's customer data confidentiality and information security system, in terms of both internal control and operational aspects.

• Failure to establish a comprehensive internal control system.
(a) Failure to establish appropriate personal computer administrator rights regulations – the bank only clarified its policy of changing the personal computer administrator password every six months on 15 December 2022, after the incident. Prior to this, password changes were not regularly implemented, which exposed customer data to the risk of leakage.
(b) Failure to establish comprehensive portable device management regulations – personnel authorised to use portable devices were still able to take internal data offsite, and there were no appropriate access controls in place for reading the data, which undermined information security protection.
• Failure to properly execute the internal control system.
