Unlike the EU’s Directive on Privacy and Electronic Communications, Taiwan law does not stipulate that location data of a user’s terminal equipment may only be processed when they are made anonymous or with the consent of the user. Notwithstanding the foregoing, it does not mean that Taiwan law does not provide protection for location data. On the contrary, once location data is deemed as personal data or involving the privacy of individuals, the collection, processing and use of location data would be subject to the Personal Data Protection Act (“PDPA”), Civil Code and/or Criminal Code.

Generally speaking, a data controller cannot directly identify certain individuals by relying on the location data of a user’s terminal equipment (such as GPS data). However, if a data controller is in possession of or has access to other data and is able to identify certain individuals by comparing, combining, or connecting with other data, such location data would still be deemed as personal data under the PDPA. Under such circumstance, only when such collection or processing is necessary for serving a specific purpose and based on one of the statutory grounds as prescribed under the PDPA (e.g., a contractual relationship exists between the data controller and the data subjects, or informed consent is granted by the data subjects) may the data controller collect or process such location data. Moreover, the use of such location data shall not go beyond the necessary extent of collection purposes either. Otherwise, the data controller would face the relevant liabilities for illegal collection, processing or use of personal data.

In addition to the PDPA, pursuant to court precedents, an individual still has a reasonable expectation of privacy in a public space, and to the extent of Taiwan society’s common sense, he/she has the right to be free from persistent watching, monitoring, eavesdropping, approaching or other intrusion. GPS tracking devices not only allow users to persistently and precisely record an individual’s current location, moving route and speed, stay time and other types of data but they also enable the users to outline the individual’s daily routines and habits, which may infringe on the individual’s privacy significantly. If the individual thereby suffers from emotional distress, he/she may claim non-monetary damages based on the rules of tort law.

On the other hand, the Criminal Code prohibits any person from wiretapping or electronically eavesdropping on another person’s non-public activities, statements, or communications (“Non-Public Activities”) without any justification. Pursuant to the court precedents, most courts hold that the aforesaid “Non-Public Activities” include those private activities in a public space. As long as an individual’s subjective expectation of privacy regarding such activities seems reasonable under Taiwan society’s common sense and the place that the individual chooses or the equipment that he/she uses (such as cars or scooter helmets) can provide sufficient privacy protection for such activities, then they would be protected under the Criminal Code. GPS tracking devices allow long-term and intensive surveillance and recording of another person’s whereabouts. Under such surveillance, an individual’s expectation of privacy and the right to be left alone have been completely derailed, even if he/she seemingly stays alone, which has interfered with the individual’s freedom to shape his/her own life and shall be deemed an intrusion on another person’s Non-Public Activities.

Given that, in addition to civil damages and administrative penalties, any person involved in the illegal collection, processing or use of another person’s location data would also be penalized by criminal sanctions, before collecting, processing or using such data, data controllers shall ensure that there is a statutory ground for such collection, processing or use. If there is any doubt as to whether the processing or use of location data goes beyond the necessary extent of collection purposes, it is advisable for the data controller to obtain explicit consent from the data subjects for fear of incurring any liability or penalty.