TAIWAN Law and Practice Contributed by: Jaclyn Tsai, Aaron Chen, Teresa Huang and Jaime Cheng, Lee, Tsai & Partners
2. Cloud and Edge Computing

2.1 Highly Regulated Industries and Data Protection

Regulations on Cloud Computing and Edge Computing

Currently, Taiwan does not have a single piece of legislation specifically addressing cloud computing or edge computing. However, government agencies in certain industries have established rules for the use of cloud services. For example:

Banking industry

The Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation require banks using outsourced cloud services to:

• establish policies for cloud service usage, implement appropriate risk management measures, and consider using multiple cloud service providers if applicable;
• supervise cloud service providers, conduct necessary audits, and assume responsibility for the services provided by cloud service providers;
• protect client data transmitted to or stored with cloud service providers by implementing encryption measures;
• retain full ownership of data processed by cloud service providers; and
• comply with regulations governing the storage location.

Further, the Guidelines for Financial Institutions Utilising Emerging Technologies, issued by the Bankers Association, specify security controls for banks using cloud services, including:

• Data location requirements: Client data should, in principle, be processed and stored in Taiwan. If such data is processed and stored overseas, banks must retain the right to designate the locations for processing and storage. The banks should also ensure that the data protection laws in those foreign locations are no less stringent than those in Taiwan. Furthermore, unless approved by the competent authority, critical client data must have backups retained within Taiwan.
• Contingency plans: Banks must establish proper contingency plans to mitigate risks of service interruptions caused by cloud operations.

Healthcare industry

The Regulations Governing the Production and Management of Electronic Medical Records by Medical Institutions require that medical institutions using cloud services or outsourcing their electronic medical record information system to service providers must establish the following control measures:

• measures to avoid disruptions to medical operations;
• mechanisms for transferring data back or to another cloud service provider upon cessation or termination of the cloud service;
• measures to ensure that the data storage locations are within Taiwan unless approved by the central competent authority; and
• measures to ensure that only cloud service providers certified to comply with security standards recognised by the competent authority are engaged.

Issues Related to Personal Data Protection

The collection, processing or use of personal data via cloud computing must serve a specific purpose and have legitimate causes in accordance with the PDPA. In addition, the entities utilising cloud service providers for activities directly