Creating a New Standard for Data Privacy in Taiwan
Taiwan’s Personal Data Protection Act 2015, or the PDPA for short, is a data privacy law that was passed in Taiwan in 2015. As one of many international data privacy laws that have been influenced by the European Union’s General Data Protection Regulation, or GDPR, the Government of Taiwan submitted an application for an adequacy decision regarding whether the PDPA is consistent with the EU’s GDPR. While the EU’s decision on this matter is still pending, the Government of Taiwan continues to evaluate whether additional provisions need to be added to the PDPA. Nevertheless, the PDPA establishes requirements for the collection and processing of personal data.
How are data controllers and processors defined under the PDPA?
In contrast to most data privacy laws around the world, which use the terms data controller, data processor, or some equivalent alternative such as database operator, the PDPA sets forth no specific terms for individuals or organizations who collect and process personal data. As such, the only distinction the law draws is between personal data that is collected and processed by “government agencies” and personal data that is collected and processed by “non-government agencies”. To this end, government agencies and non-government agencies are subject to two different sets of rules with respect to the collection and processing of personal data.
Meanwhile, the PDPA defines personal data to mean “names, dates of birth, ID Card numbers, passport numbers, characteristics, fingerprints, marital status, family, education, occupation, medical records, medical treatment, genetic information, sexual life, health examinations, criminal records, contact information, financial situation, social activities, and other information or data which may be used to identify a natural person, both directly and/or indirectly”. In terms of the scope and application of the PDPA, the personal scope of the law covers both government and non-government agencies, albeit at different levels. Generally speaking, government agencies are given more discretion with respect to the collection and processing of personal data.
However, while government agencies are afforded more flexibility under the law, they are also subject to stricter civil liabilities for non-compliance with it. Moreover, under the territorial scope of the law, all data processing activities that take place within Taiwan are subject to the PDPA, while the law has no extra-territorial application in practice, despite the fact that such provisions are included in the law. Furthermore, the material scope of the law covers all collection and processing of personal data within Taiwan, irrespective of whether this processing or collection is done via automatic or manual means. However, there are exceptions to this, such as when the data processing activities pertain to personal or family-related activities.
What are the requirements of government and non-government agencies under the PDPA?
While the ways in which the law is interpreted vary between government and non-government agencies, both parties are subject to a variety of data protection principles under the law. These principles include:
- Transparency – Both government and non-government agencies are responsible for notifying data subjects of various matters relating to data processing, including the identity of the agency, as well as the purposes for which personal data will be collected.
- Purpose limitation – Personal data may only be collected and processed in accordance with a specific purpose, and any other purposes for which said personal data is to be processed must be permitted under the PDPA.
- Data minimization – The PDPA stipulates that the collection, processing, and dissemination of personal data shall not go beyond the purpose for which said personal data was collected or processed.
- Proportionality – Under the PDPA, agencies are responsible for implementing organizational and technical security measures to ensure the proportionality of all personal data in their possession.
- Retention – The PDPA mandates that agencies delete personal data in their possession either at the request of the data subject or on the agency’s own initiative.
- Accuracy of personal data – Under the PDPA, agencies are responsible for ensuring that all personal data in their possession is accurate, as well as providing data subjects with a means to correct their personal data if it has been found to be inaccurate.
What are the rights of data subjects under the PDPA?
Under the PDPA, data subjects are guaranteed the following rights with respect to the protection of their personal data:
- The right to be informed of the purposes for data processing.
- The right to access their personal data, as well as to check and review said data.
- The right to rectify their personal data if it has been found to be inaccurate.
- The right to request that an agency cease the processing of their personal data.
- The right to request a copy of their personal data from an agency.
- The right to request that an agency delete their personal data.
- The right to object to the use of their personal data for marketing purposes.
In terms of the enforcement of the PDPA, the law also established the Enforcement Rules of the Personal Data Protection Act, or the Enforcement Rules for short. Under the Enforcement Rules of the PDPA, the following actions can lead to both administrative fines and criminal penalties:
- Illegally collecting, processing, or using personal data.
- Failing to obey a governmental order imposing restrictions on the international transfer of personal data.
- Illegally amending or deleting personal data files, or altering personal data files in any manner that would subsequently affect the accuracy of said files.
While the PDPA is unique in the way it defines the parties involved in data processing activities, the law nevertheless provides data subjects within Taiwan with a comprehensive level of data protection. As the country has been and continues to be influenced by the EU’s General Data Protection Regulation, or GDPR, the PDPA may be further amended in the future to provide even greater protection. As such, data subjects within Taiwan can have the peace of mind that their government remains steadfast in guaranteeing the citizens of their country the rights to privacy and data protection.