Taiwan passed the Personal Data Protection Act 2010 (PDPA) in April 2010, heralding major changes to privacy law. It was intended to replace and enhance the Computer-processed Personal Data Protection Act, which covered the collection, processing and use (including internal use and provision to third parties) of personal data by "regulated entities". Although the PDPA was passed by the legislature in 2010, it did not come into force until October 2012, owing to several draconian articles and its extensive scope.
The PDPA applies to all companies, individuals and public organisations and is a milestone piece of legislation. For the purpose of this article, we look particularly at the way in which the PDPA affects "Private Entities" (all individuals, private legal entities, organisations and groups that collect, process or transmit personal data). Exceptions are made where data is processed purely for personal or family activities, and for image data collected in public venues or at public activities that is not linked to other personal data.
Personal data
Under the PDPA, "personal data" means any information that is sufficient to identify an individual, directly or indirectly, including but not limited to: ID number, name, age, gender, size and weight.
Sensitive personal data
Sensitive Personal Data is defined under Article 6 of the PDPA as the medical records, medical history, genetic records, sex life, health check results and criminal records of a data subject. Private Entities may not process Sensitive Personal Data unless otherwise permitted under the PDPA (Article 6). As drafted, the prohibition applies even where the data subject's prior consent has been obtained. This proved so controversial, particularly for hospitals and financial institutions, that Article 6 is awaiting amendment and is not yet in force.
The Cabinet proposed amendments to Article 6 in August 2012, with the intention of adding two exceptions to the prohibition on processing Sensitive Personal Data in cases where: the processing is carried out to safeguard public interest; or the prior written consent of the data subject has been obtained. At the time of writing, however, the proposed amendments have not been passed by the legislature.
Adequate notice in advance
To comply with Article 8 of the PDPA, the data subject must be given adequate notice before the Private Entity first collects personal data from him/her. The notice should contain the following information:
- the identity of the Private Entity that collects the data;
- the purpose of collection;
- the categories of personal data;
- how the collected personal data will be used (including the period of time during which it will be used, the region of use, and the parties to whom the data will be disclosed);
- the data subject's right to request:
  - the checking and review of the collected data;
  - a copy of the collected data;
  - the supplementing or revision of the collected data;
  - the cessation of collection, processing or use of the collected data;
  - the deletion of the collected data; and
- consequences of any failure to provide the required personal data.
In addition, under Article 9 of the PDPA, if a Private Entity collects personal data that is not provided directly by the data subject, it must notify the data subject of the source of the personal data, together with the matters set out above, before processing or using the data.
Purpose of processing
The collection and processing of personal data must be for specific purpose(s) and meet one of the following requirements:
- it complies with or is required by applicable law;
- the Private Entity has entered into a contract with the data subject, or is in contact or negotiation with the data subject in preparation for a contract or transaction, or needs the data to exercise rights, perform obligations or ensure the completeness of the personal data after the contract has been invalidated, cancelled, terminated or rescinded or its obligations performed;
- the data subject disclosed the personal data or such personal data has been legally disclosed;
- it is necessary for a research institution to conduct statistical or academic research in the public interest, provided that the data is anonymised;
- written consent of the data subject has been obtained;
- the processing or use is in the public interest; or
- the personal data is obtained from publicly available sources; provided, however, that the processing or use of the personal data is not prohibited by the data subject and the data subject has no material interest worthy of protection (Article 19, PDPA).
Personal data may be used only for the purposes for which it was collected, except where:
- it is in accordance with law;
- it is to promote the public interest;
- it is to prevent harm to the person, freedom or property of the parties;
- it is to prevent harm to the rights and interests of other persons;
- it is necessary for a government agency or a research institution to conduct statistical or academic research in the public interest, provided that the data is anonymised; or
- written consent of the data subject has been obtained (Article 20, PDPA).
Accuracy and deletion of the personal data
Private Entities must ensure that personal data is accurate and kept up to date, on their own initiative or upon a data subject's request. A Private Entity must, on its own initiative or upon a data subject's request, delete or stop processing or otherwise using the personal data it has collected once the original purpose no longer exists, unless it is required to retain the data to comply with applicable law or the data subject has given written consent (Article 11, PDPA).
International transmission
The cross-border transfer of personal data constitutes an "international transmission". Under Article 21 of the PDPA, the competent authority may prohibit a Private Entity from making an international transmission of personal data if:
- it will prejudice any material national interest;
- it is prohibited or restricted under an international treaty or agreement;
- the country to which the personal data is to be transmitted does not have sound legal protection of personal data, thereby affecting the rights or interest of the data subject(s); or
- the purpose of the transmission is to evade restrictions prescribed under the PDPA.
Security measures
Article 27 of the PDPA requires a Private Entity to adopt proper security measures to prevent personal data from being stolen, altered, damaged, destroyed or disclosed. In addition, Article 12 of the Enforcement Rules of the Personal Data Protection Act prescribes that such security measures include:
- allocating management personnel and substantial resources;
- defining the scope of the personal data;
- a mechanism for managing and assessing risks regarding personal data;
- a mechanism for prevention, notification and handling of security breaches involving personal data;
- an internal procedure for the collection, processing and use of personal data;
- an internal procedure for the proper management of information systems and personnel;
- providing training on data protection issues;
- management of equipment security;
- a mechanism for auditing information security;
- an internal procedure for preservation of records and policies regarding the use of personal data; and
- integrated and continuing improvement of personal data security.
Liability and sanctions
A Private Entity must compensate a data subject for any loss arising from an infringement of rights caused by its breach of the PDPA, unless it can prove that the breach was neither deliberate nor negligent. Where it is difficult or impossible for the data subject to prove the actual damage suffered, the data subject may ask the court to assess damages in the range of NT$500 to NT$20,000 (approximately £10 to £400) per incident, depending on the circumstances of the infringement. A Private Entity in breach may also face administrative fines of up to NT$500,000 (approximately £10,000) for each violation. Breach of certain provisions, such as those relating to the processing of Sensitive Personal Data, constitutes a criminal offence; where a Private Entity violates those restrictions with intent to make a profit, the violation carries a maximum sentence of five years' imprisonment, in addition to or instead of a fine of up to NT$1m (approximately £20,000).
A class action mechanism was introduced under the PDPA. Twenty or more individuals who have suffered loss as a result of a breach of the PDPA by a Private Entity or a public entity may assign their litigation rights to a qualified association or foundation, which may then bring the claim on their behalf. Under a single class action, compensation of up to NT$200 million (around £4.4m) may be claimed, in addition to interest.
Enforcement
A number of authorities are responsible for applying and enforcing the PDPA. The Ministry of Justice is responsible for drafting and interpreting the PDPA and may issue guidance and secondary legislation. In addition, sector regulators and local governments are responsible for enforcement within their own areas.
As well as the power to impose administrative sanctions for breach, the PDPA gives the competent authority of a Private Entity the power to enter its offices or place of business, conduct on-site investigations, and take into custody or copy personal data or files that may be confiscated or may serve as evidence. The competent authority may also order relevant individuals to cooperate, to adopt suitable measures to achieve compliance, or to provide relevant evidential information.
Hsin Lan Hsu