Due to the rapidly changing information environment and to improve the protection of personal data, on April 27 2010 the Personal Data Protection Act was passed. According to the act, the scope of protection extends to all personal data in both electronic and written format. Personal data includes medical history, generic information and information on sex life, health examinations, criminal records and other data which is sufficient to identify a person directly or indirectly. The act applies to all legal entities, groups and individuals that perform specified acts in relation to the collection, processing and use of personal data. Further, in order to meet the act's requirements, the data controller must obtain written consent from the data holder before collecting, processing and using personal data.
As it is difficult and impractical for personal data controllers in the online service industry to obtain written consent from every online service user, the articles in the act on written consent have caused substantial hardship to the industry in developing and operating various online services. In order to resolve disputes regarding written consent and other controversial articles of the act, on December 15 2015 the Legislative Yuan passed amendments to the act. The president promulgated the amendments on December 30 2015 and the Executive Yuan set the effective date as March 15 2016.
The amendments replace the term “where the written consent of a data holder has been obtained” with “where the consent of a data holder has been obtained”. Therefore, except for the collection, processing and use of sensitive personal data (ie, medical records, generic information and information on sex life, health examinations and criminal records), the data controller need not obtain written consent from the personal data holder before it collects, processes and uses personal data if it has notified the personal data holder according to the act and the holder provides the personal data to the data controller.
Another noteable amendment to the act is the repeal of certain types of criminal liability. Following the amendment, an offender who does not intend to profit from an unlawful action set out in the act faces no criminal liability. However, an offender who intends to profit from an unlawful act will face imprisonment for up to five years or a fine of up to NT$1 million, and a criminal prosecution may be instituted.
Although the amendment explicitly notes that the data controller bears the burden of proof regarding the personal data holder’s consent, after removal of the written consent requirement the data controller can easily prove the existence of consent. For example, the online service may add an "I agree” button to its website, which the user must click if it intends to accept the online service.
Since online services no longer need to collect written consent from users following the amendment, the changes to the law are expected to facilitate the development of e-commerce in Taiwan.
Yulan Kuo & Han-Wei Lin
This article first appeared in IAM. For further information please visit www.iam-media.com.