Legal and regulatory framework
Government approach
How can the government’s attitude and approach to internet issues best be described?
On 11 November 2017, the Consumer Protection Committee of the Executive Yuan (ie, Taiwan’s cabinet) expressed the government’s position towards digital business by announcing the Guidelines for Consumer Protection in the Context of Electronic Commerce (E-commerce Guidelines), which require that online transaction-related information, including payment methods or terms and conditions, as disclosed to the consumers, shall be sufficient, correct, clear and easy to understand. The E-commerce Guidelines also indicate that the government’s current commitments in respect of internet issues are to ensure fair online transactions, encourage the sound development of e-commerce and implement relevant responsibilities towards businesses and related organisations.
Legislation
What legislation governs business on the internet?
In Taiwan, there are no general laws governing business on the Internet. From a Taiwan legal perspective, generally e-commerce is not treated differently from non-e-commerce businesses, and is equally subject to the same Taiwan laws and regulations, including the Taiwan Civil Code (specifically provisions governing contracts), and the Personal Data Protection Act (PDPA) to the extent personal data is involved.
Relevant specific legislation in respect of online business matters also includes, without limitation:
- the Electronic Payment Institutions Act (E-payment Act), which governs electronic payment institutions and related services;
- the Consumer Protection Act (CPA), enacted to protect the interests of consumers; and
- the Electronic Signatures Act, which aims to encourage the use of electronic transactions, ensure the security of electronic transactions, and facilitate the development of e-government and electronic commerce.
Which regulatory bodies are responsible for the regulation of e-commerce, data protection and internet access tariffs and charges?
Since there is no single set of regulations governing e-commerce, regulatory bodies concerned may vary in respect of different aspects of operations, business models and depending on the products, industries and regulations involved. For example, if a consumer purchases a cell phone via the internet, the purchase itself should be subject to the CPA; the advertisement of such product shall be governed by the CPA as well as the Fair Trade Act; the payment may be subject to the Banking Act, credit card-related regulations, the E-payment Act, etc, and the information concerning said consumer shall be subject to the PDPA; the Taiwan regulatory bodies of the aforementioned laws and regulations are the Fair Trade Commission (FTC), the Executive Yuan, Financial Supervisory Commission and National Development Council respectively.
Jurisdiction
What tests or rules are applied by the courts to determine the jurisdiction for internet-related transactions or disputes in cases where the defendant is resident or provides goods or services from outside the jurisdiction?
Generally speaking, the jurisdiction for internet-related transactions or disputes should depend on the agreement of the contractual parties, unless there exist any mandatory rules for the purposes of civil procedures. However, in case a Taiwanese customer is involved, we cannot rule out the possibility that the Taiwan court would still accept and review a case in order to protect the Taiwan consumer's rights and interests even if the parties have agreed to submit to the jurisdiction of a foreign court in the terms and conditions entered into by the parties.
Establishing a business
What regulatory and procedural requirements govern the establishment of digital businesses in your jurisdiction? To what extent do these requirements and procedures differ from those governing the establishment of brick-and-mortar businesses?
From the perspective of company establishment, there are no special regulatory or procedural requirements to establish a digital business in Taiwan compared to a brick-and-mortar business.
Contracting on the internet
Contract formation
Is it possible to form and conclude contracts electronically? If so, how are contracts formed on the internet? Explain whether ‘click wrap’ contracts are enforceable, and if so, what requirements need to be met?
Generally speaking, in Taiwan, contracts/agreements can be formed by way of meeting of minds and other elements such as offer and acceptance, and these can be expressed and evidenced by way of electronic records (eg, a party enters into a ‘click-wrap’ contract when they click the ‘I agree’ or ‘I accept’ button, which signals acceptance of the vendor's terms and conditions), unless otherwise provided by law (eg, requirements regarding 'execution', 'writing' and certain other requirements, depending on the types of contracts or agreements).
Applicable laws
Are there any particular laws that govern contracting on the internet? Do these distinguish between business-to-consumer and business-to-business contracts?
In general, there are no general laws that govern contracting on the Internet. However, the Consumer Protection Act (CPA, which provides for relevant protection mechanisms for customers) would apply if the contract is for consumption by a consumer.
According to the CPA, subject to relevant conditions, restrictions and exceptions, online consumers are entitled to a seven-day ‘cooling-off period’. In other words, consumers can rescind the contract within seven days by returning the goods or sending a written notice, upon receipt of goods or services. Under such circumstances, the consumers are not required to state any reason or be responsible for any expense or cost. Also, to protect consumers, Taiwan’s regulators have been paying attention to certain specific types of goods, services and business models, and have promulgated certain templates for standardised contracts and/or the Mandatory Provisions to be Included in and Prohibitory Provisions of Standardised Contracts, which set out provisions that shall or shall not be included in such contracts (Consumer Protection Provisions); therefore, B2C e-commerce operators should comply with such Consumer Protection Provisions to the extent applicable.
Electronic signatures
How does the law recognise or define digital or e-signatures?
Digital or e-signatures are governed by the Electronic Signature Act (ESA). Pursuant to the ESA, there are two types of electronic contracting that could address the relevant legal requirements of 'wet-ink execution (ie, by way of wet-ink signatures or chops)' or 'physical writing' under Taiwan law unless otherwise specified: digital signature (for wet-ink execution) and electronic document (for physical writing).
In the context of the ESA, a digital signature is an electronic signature generated by the use of a mathematical algorithm or other means to create a certain string of digital data encrypted by the signatory’s private key that can be verified by a public key. On the other hand, documents may be executed in electronic form (ie, electronic document) once the following requirements are met:
- the consent of the counterparty has been obtained;
- the content of the documents can be displayed in its entirety;
- the content of the documents remains accessible for subsequent verification; and
- the use of electronic documents is not specifically excluded by other laws, regulations or public announcements of government agencies.
Specifically, under the ESA, if a digital signature is used, the contract must be evidenced by a certificate issued by a certification service provider in accordance with the requirements of the ESA. Such certification service providers are those that have been approved by the Ministry of Economic Affairs under the ESA.
Data retention
Are there any data retention or software legacy requirements in relation to the formation of electronic contracts?
Except for the data retention requirements under the Personal Data Protection Act and other laws and regulations (eg, accounting and tax-related laws and special requirements applicable to financial institutions) as well as the relevant requirements under the ESA for digital signature and electronic documents, there are no such requirements.
Breach
Are any special remedies available for the breach of electronic contracts?
There are no remedies specifically available for the breach of electronic contracts (as opposed to non-electronic contracts).
Security
Security measures
What measures must be taken by companies or ISPs to guarantee the security of internet transactions? Is encryption mandatory?
According to the Mandatory and Prohibitory Provisions of Standard Contracts for Retail Industry and Other Online Transactions (promulgated for the purpose of consumer protection under the Consumer Protection Act (CPA)), business operators are required to establish a security mechanism that meets transaction needs and inform consumers of the security level of such mechanism. In addition, the E-commerce Guidelines also instruct businesses to take specific measures to guarantee transaction security, such as taking appropriate measures to protect payments and personal data transmitted to and stored in the database of the businesses.
For the purpose of personal data protection, the central competent authorities have the power to stipulate rules concerning a ‘security and maintenance plan for personal data files’ in the industry sectors under their supervision. For example, the central competent authority in charge of the online retail industry has stipulated such rules for this sector and requires relevant business operators to have in place relevant plans and measures for ensuring the security of personal data.
Government intervention and certification authorities
As regards encrypted communications, can any authorities require private keys to be made available? Are certification authorities permitted? Are they regulated and are there any laws as to their liability?
There are no such laws except for the provisions relating to digital signature under the Electronic Signature Act.
Electronic payments
Are there any rules, restrictions or other relevant considerations regarding the use of electronic payment systems in your jurisdiction?
The E-payment Act governs the online payment sector in Taiwan. Under the amended E-payment Act that took effect on 1 July 2021, the scope of business of a new e-payment institution includes core businesses, and ancillary and derivative businesses. The core businesses under the E-payment Act are:
- collecting and making payments for real transactions as an agent;
- accepting deposits of funds as stored-value funds;
- small amount domestic and cross-border remittance services; and
- foreign exchange services relating to the core businesses.
The amended E-payment Act also permits qualified non-e-payment institutions to apply to become a cross-border remittance service provider exclusively for foreign workers in Taiwan. Detailed enforcement rules and regulations thereunder promulgated by the Financial Supervisory Commission (FSC) took effect on 1 July 2021.
Are there any rules or restrictions on the use of digital currencies?
From the perspective of the holders, there are no restrictions on the use of digital currencies except for those with the nature of securities (which are commonly called 'security tokens,' which shall encompass all of the following attributes of an investment: (1) funding provided by investors, (2) providing funding for a common enterprise or project, (3) investors expecting to receive profits, and (4) profits generated primarily from the efforts of the issuer or third parties, and their offerings are commonly called security token offerings). The issuance, transfer and use of security tokens shall be subject to the sets of regulations governing security token offering as set out by the FSC and the Taipei Exchange.
In respect of anti-money laundering, the Money Laundering Control Act (AML Act), which took effect on 7 November 2018, has included cryptocurrency platform operators in the regulatory scope of anti-money laundering. Meanwhile, the Executive Yuan (Taiwan’s cabinet) issued a ruling stating the scope of enterprises of 'virtual currency platforms and trading business' under the AML Act, which includes, among others, the exchange between virtual currencies and New Taiwan dollars, foreign currencies, or currencies issued by Mainland China, Hong Kong or Macao, the exchange between virtual currencies, and transfer of virtual currencies. Furthermore, the FSC promulgated the Regulations Governing Anti-Money Laundering and Countering the Financing of Terrorism for Enterprises of Virtual Currency Platforms and Trading Business, which took effect on 1 July 2021, indicating that the designated operators of crypto-assets and exchanges are required to establish, among others, an internal control and audit mechanism, a procedure for reporting suspicious transactions, and a know-your-customer procedure.
Domain names
Registration procedures
What procedures are in place to regulate the licensing of domain names? Is it possible to register a country-specific domain name without being a resident in the country?
There are no specific procedures governing the licensing of domain names.
The application procedures for registering '.tw' (ie, Taiwan) domain name(s) are as follows:
- choose the accredited registrars and finish registration of certain information;
- reply to the email to confirm the application;
- complete the payment process; and
- set up the Domain Name System.
It is possible to register a '.tw' domain name without being resident in Taiwan, subject to certain restrictions.
Do domain names confer any additional rights beyond the rights that naturally vest in the domain name?
A domain name does not confer any additional rights in general. For example, a domain name owner will not automatically have a registered trademark for such domain name unless the owner has applied for a trademark with such domain name pursuant to Taiwan’s Trademark Act.
Trademark ownership
Will ownership of a trademark assist in challenging a ‘pirate’ registration of a similar domain name?
Under the Taiwan Trademark Act, registration of a domain name that is identical or similar to a well-known third-party registered trademark may constitute a trademark infringement.
According to the Domain Name Dispute Resolution Rules (DNDR Rules) established by Taiwan Network Information Centre (TWNIC) for resolving disputes relating to domain names, in the event that the registrant’s domain name is identical or confusingly similar to a trademark, mark, personal name, business name, or other emblems of a third party, apart from taking legal actions, such party may file a complaint to the eligible domain name dispute resolution service provider (ie, a neutral body recognised by TWNIC, which are currently the Science & Technology Law Institute and the Taipei Bar Association) to determine whether such domain name will be cancelled or transferred.
Dispute resolution
How are domain name disputes resolved in your jurisdiction?
In local practice, TWNIC, a foundation formed under the supervision of the government, has established the DNDR Rules for resolving disputes relating to domain names. Pursuant to the DNDR Rules, a complainant may file with the eligible domain name dispute resolution service provider for resolving the dispute if (1) the registered domain name is identical or confusingly similar to a trademark, mark, personal name, business name or other emblems of the complainant, (2) the registrant has no rights or legitimate interests in the domain name and (3) the registrant has registered or used the domain name in bad faith. Currently the Science and Technology Law Institute and the Taipei Bar Association are the eligible domain name dispute resolution service providers recognised by TWNIC. The aforementioned domain name dispute resolutions may only deal with the cases where the dispute concerns the domain names that contain Taiwan’s country code top-level domain such as '.tw.'
Advertising
Regulation
What rules govern advertising on the internet?
Generally speaking, the laws and regulations applicable to advertising should also apply to advertising on the internet. The main laws include, among others, the Consumer Protection Act (CPA) and the Fair Trade Act (FTA) (and relevant enforcement rules, guidelines, etc).
Both the CPA and FTA adopt the concept of ‘truthful representations’ and ‘full disclosure’. For example, pursuant to the FTA, no enterprise shall make or use false or misleading representations or symbols in matters that are relevant to goods and sufficient to affect trading decisions, such as the price, quantity, quality, content, production process, production date, valid period, method of use, purpose of use, place of origin, manufacturer, place of manufacturing, processor, place of processing, etc.
For advertising on the Internet, the Fair Trade Commission (FTC) further promulgated the FTC’s Disposal Directions (Guidelines) on Online Advertisements, which specify certain types of false or misleading representations or symbols with respect to online advertisement (eg, the advertisement does not clearly specify time, methods of use, or types of online sweepstakes activities). A business operator violating such Disposal Directions would constitute a violation of the FTA.
Definition
How is online advertising defined? Could online editorial content be caught by the rules governing advertising?
Pursuant to the FTC’s Disposal Directions (Guidelines) on Online Advertisements promulgated by the FTC, online advertising refers to the actions, for the purposes of selling its products or services, that a business adopts to disseminate information, via the internet, with regard to the products or services in order to attract trading opportunities. In addition, advertisement refers to the conduct of disseminating messages or content of promotion by means of television and radio broadcasting, films, slides, newspapers, magazines, flyers, posters, signboards, arches, computers, facsimiles, electronic video, electronic voicemail or others, to the general public pursuant to the CPA.
As to online editorial content – in the event that a person or organisation other than the principal of the advertisement expresses opinions, trust, findings, or results of personal experiences with regard to certain goods or services via the internet, such conduct may still be subject to the CPA and FTC.
Misleading advertising
Are there rules against misleading online advertising?
Pursuant to the FTA, no enterprise shall make or use false or misleading representations or symbols in matters that are relevant to goods and sufficient to affect trading decisions. While not required under the law, in practice it is generally suggested that a business operator be able to substantiate claims (eg, reports by independent and credible third parties, survey results from qualified market research companies or certificates from regional or national standards boards), and file and record all substantiation in the event that the authorities (eg, the FTC) request copies. The above rules apply to all products and services, while additional rules would apply to specific industries.
Restrictions
Are there any products or services that may not be advertised on the internet?
Products or services that may not be advertised on the internet are generally governed by sector-specific regulations. An example is the advertisements in respect of cosmetic products and drugs, which are restricted pursuant to the Handling Principle of Online Cosmetic Advertisements and Handling Principle of Online Drug Advertisements respectively.
Hosting liability
What is the liability of content providers and parties that merely host the content, such as ISPs? Can any other parties be liable?
A content provider’s liabilities would depend on its actual act involved (eg, liabilities under Copyright Act for copyright infringement, liabilities for misleading advertising under the FTA and the CPA, liabilities for defamation under the Civil Code and the Criminal Code).
As to the party hosting the content (eg, an ISP), whether it would be held liable for the content provider's act should depend on the relevant facts and the regulations or areas of law involved. For example:
- as to copyright, an ISP may be exempted from the liabilities if it satisfies all the conditions required for the ‘safe harbour’ under the Copyright Act; and
- for misleading advertising, relevant Taiwan court precedents hold that an ISP may be deemed as an advertising medium and shall be subject to the FTA and the CPA, under which it may be jointly and severally liable with the violators in the event that it knows or should have known such advertisement to be misleading but fails to delete such advertisement.
Financial services
Regulation
Is the advertising or selling of financial services products to consumers or to businesses via the internet regulated, and, if so, by whom and how?
In general, regulations in respect of advertising and selling financial services products via the Internet are set out in the Fair Trade Act, Measures for Financial Services Industry Engaged in Advertising Business Recruitment and Business Promotion Activities, and the Financial Consumer Protection Act. In addition, considering the diversity and complexity of financial services products, industry-specific or product-specific regulations may apply. For example, a securities investment consulting enterprise may not use exaggerated or biased representations in advertising, public information meetings, or other promotional activities, and shall report every advertising campaign, public information meeting, or other promotional activities to the competent authority within 10 days of occurrence of the activity.
Defamation
ISP liability
Are ISPs liable for content displayed on their sites? How can ISPs limit or exclude liability?
ISPs may be held liable for copyright infringement with respect to the content displayed on their sites, depending on the relevant facts involved. However, an ISP may be exempted from the liabilities if it satisfies all the conditions required for the ‘safe harbour’ under the Copyright Act. The conditions include, among others:
- the ISP by contract, electronic transmission, automatic detective system or other means informs users of its copyright protection policy, and takes concrete action to implement it;
- the ISP by contract, electronic transmission, automatic detective system or other means informs users that in the event of repeat alleged infringements up to three times the ISP shall terminate the service in whole or in part;
- the ISP publicly announces information regarding its contact person for receipt of notification documents; and
- the ISP accommodates and implements technical measures used to identify or protect copyrighted works approved by the Taiwan Intellectual Property Office.
Can an ISP shut down a web page containing defamatory material without court authorisation?
Generally, an ISP can shut down a web page containing defamatory material without court authorisation if it is permitted by the terms and conditions of use offered to and agreed by its users (which is common in local practice) or otherwise required by applicable law.
Intellectual property
Third-party links, content and licences
Can a website owner link to third-party websites without permission?
Under the Taiwan Copyright Act, a website owner who shares the content of third-party websites by embedding the web link to said websites without actually reproducing such content would not be considered to have infringed copyright, since no reproduction or public transmission by said website owner would actually be involved. Therefore, permission to link to third-party websites may not be required in general. However, the website owner may be liable for copyright infringement if he or she knowingly embeds a link to content that has infringed the copyright of any third party (in which case, such website owner would be deemed to be in violation of the right to public transmission of the copyright owner).
Can a website owner use third-party content on its website without permission from the third-party content provider? Could the potential consequences be civil in nature as well as criminal or regulatory?
Generally, a website owner cannot use third-party content on its website without permission from a third-party content provider unless the use is considered a fair use under the Copyright Act. Unless otherwise provided for in the Copyright Act, for determining whether the exploitation of a work would be deemed a fair use, all circumstances and facts involved shall be taken into account, and in particular the following facts shall be noted as the basis for determination:
- the purposes and nature of the exploitation, including whether such exploitation is of a commercial nature or is for non-profit educational purposes;
- the nature of the work;
- the amount and substantiality of the portion exploited in relation to the work as a whole; and
- effect of the exploitation on the work's current and potential market value.
The use of third-party content on one’s website in violation of the Copyright Act may result in civil and/or criminal liabilities.
Can a website owner exploit the software used for a website by licensing the software to third parties?
Software is protected by Taiwan’s Copyright Act. The copyright owner of the software can exploit such software used for a website by licensing to third parties. But if the software used by a website owner is licensed by a third party, further exploitation of the software (including, but not limited to sub-licensing) shall depend on the terms and conditions of the initial licensing agreement entered into between the intellectual property owner and the website owner.
Are any liabilities incurred by links to third-party websites?
According to relevant announcements of the Taiwan Intellectual Property Office and Taiwan court precedents, a person sharing online content on another website by embedding links to such content without actually 'reproducing' the content would not be considered to have infringed copyright, since no reproduction or public transmission by said person would actually be involved. However, the person may be liable for copyright infringement if he or she knowingly embeds online content that has infringed third party copyright, in which case such person would be deemed in violation of the right to public transmission of the copyright owner pursuant to the Copyright Act.
Video content
Is video content online regulated in the same way as TV content or is there a separate regime?
Currently, the regimes for video content online and TV content are different and separate.
The National Communication Committee (NCC, Taiwan's authority responsible for regulating telecommunications and broadcasting services) does not regulate online video content as it does for TV. However, the NCC has drafted the Internet Audiovisual Service Management Act (OTT TV Act), which may authorise certain regulations regarding online video content (eg, content should be rated, appropriate and effective protective measures should be taken, etc). However, the draft OTT TV Act is still under discussion, and whether this draft act will be passed by the Legislative Yuan (ie, the congress) is uncertain.
IP rights enforcement and remedies
Do authorities have the power to carry out dawn raids and issue freezing injunctions in connection with IP infringement?
Under Taiwan law, only judges, prosecutors, judicial police officers, or judicial police are authorised to take search and seizure actions in accordance with the Code of Criminal Procedure. Generally, a search warrant issued by the competent court and signed by a judge is required for competent authorities to conduct a search or a seizure. Therefore, generally speaking, no dawn raids can be carried out unless criminal proceedings have been initiated with regard to the IP infringement.
From the perspective of civil remedies, depending on the circumstances and the facts involved, the infringed may apply for provisional remedies (provisional attachment, preliminary injunction, or injunction maintaining the temporary status quo) in connection with the intellectual property rights in accordance with the Intellectual Property Case Adjudication Act and Taiwan Code of Civil Procedure.
What civil remedies are available to IP owners? Do they include search orders and freezing injunctions?
The civil remedies available to IP owners may vary depending on the type of the IPR being infringed (ie, copyright, trademark, patent, etc). Generally, the civil remedies will include, but not be limited to, removal of infringement, damages, appropriate measures necessary for the restoration of IP owner's reputation (eg, indication of the author’s name or appellation, correction of content).
Depending on the circumstances and the facts involved, the IP owner may apply for provisional remedies (provisional attachment, preliminary injunction, or injunction maintaining the temporary status quo) in accordance with the Intellectual Property Case Adjudication Act and Taiwan Code of Civil Procedure; however, only in the case of criminal proceedings, a search warrant may be applied for in accordance with the Code of Criminal Procedure.
Data protection and privacy
Definition of ‘personal data’
How does the law in your jurisdiction define ‘personal data’?
According to the Personal Data Protection Act (PDPA) and the Enforcement Rules of the PDPA (Enforcement Rules), 'personal data' refers to a natural person’s name, date of birth, ID Card number, passport number, features, fingerprints, marital status, family information, education background, occupation, medical records, healthcare data, genetic data, data concerning a person’s sex life, records of physical examination, criminal records, contact information, financial conditions, data concerning a person’s social activities and any other data that may be used to directly or indirectly identify a natural person. ‘Sensitive personal data’ refers to a natural person's medical records, healthcare, genetics, sex life, physical examination and criminal records, which should not be collected, processed or used unless otherwise specified by applicable laws.
Registration requirements
Do parties involved in the processing of personal data, such as website owners, have to register with any regulator to process personal data?
Under the PDPA, there is no such registration system, nor a requirement regarding appointment of an in-house data protection officer so far.
Cross-border issues
Could data protection laws and regulatory powers apply to organisations or individuals resident outside of the jurisdiction?
Pursuant to article 51 of the PDPA, the PDPA would also apply to government and non-government entities when they collect, process or use the personal data of Taiwan individuals from offshore. However, according to a ruling issued by the Ministry of Justice in 2018, article 51 of the PDPA would apply only when the collector is a Taiwanese government entity or a Taiwanese non-government entity. Please note that this point of view is still subject to court test. In addition, we cannot rule out the possibility that collecting personal data via the internet may be challenged as collecting personal data ‘in Taiwan’ and that, therefore, the PDPA shall apply.
The cross-border transfer of personal data constitutes ‘international transmission’ as defined in the PDPA, which is, in principle, permitted unless the competent authority issues any order to prohibit or restrict such transfer.
A foreign national is equally protected as a Taiwan citizen under the PDPA as long as he or she is within the territory of Taiwan.
Customer consent
Is personal data processed on the basis of customer consent or other grounds? What is the commonly adopted mechanism for obtaining customer consent or establishing the other grounds for processing?
Under the PDPA, unless otherwise specified, a non-governmental entity is generally required to give notice to (notice requirement) and obtain consent from (consent requirement) an individual before collecting, processing, or using personal data, subject to certain exemptions. In other words, obtaining the ‘informed consent’ from the data subject is generally required.
Although the PDPA provides for certain other legal bases for a non-governmental entity to collect or process personal data, obtaining the informed consent from the data subject is the most common and least controversial approach in practice.
Sale of data to third parties
May a party involved in the processing of personal data, such as a website provider, sell personal data to third parties, such as personal data about website users?
Selling personal data is prohibited under the PDPA and a non-governmental agency’s non-compliance may result in civil, criminal and administrative liabilities.
Customer profiling
If a website owner is intending to profile its customer base to carry out targeted advertising on its website or other websites visited by its customers, is this regulated in your jurisdiction?
There are no specific requirements or restrictions applying to customer profiling or the use of cookies, while compliance with the PDPA (ie, obtaining informed consent) is required if collection, processing and use of personal data would be involved.
Data breach and cybersecurity
Does your jurisdiction have data breach notification or other cybersecurity laws specific to e-commerce?
In general, there are no cybersecurity laws specific to e-commerce. Pursuant to Taiwan’s Cyber Security Management Act, which is the first piece of cybersecurity-focused legislation in Taiwan, companies are required to comply with certain obligations (such as requirements for meeting a specific security level) only if they are designated by the Taiwan government as the ‘critical infrastructure providers’.
Under the PDPA, if any personal data is stolen, leaked, altered or otherwise infringed upon due to a violation of the PDPA by a government or non-governmental agency, the data subject shall be notified after the relevant facts have been clarified.
Although the PDPA does not generally require that data breaches be reported to the government authorities, the central competent authorities have the power to stipulate further rules concerning a ‘security and maintenance plan for personal data files’ in the industry sectors under their supervision. For example, the central competent authority in charge of the online retail industry has stipulated such rules for this sector and requires relevant business operators to report any incident that is material and may impact on the normal operations of the business or the interests of numerous data subjects.
What precautionary measures should be taken to avoid data breaches and ensure cybersecurity?
Under the PDPA, a non-governmental agency that possesses personal data shall implement proper security measures to prevent the personal data from being stolen, altered, damaged, destroyed or disclosed and shall comply with the sector-specific security and maintenance plan for personal information files promulgated by central competent authorities.
Insurance
Is cybersecurity insurance available and commonly purchased?
Although there are several types of cybersecurity insurance available in Taiwan, and the government has been promoting such insurance, as far as we know, they are not commonly used in local e-commerce practice.
Right to be forgotten
Does your jurisdiction recognise or regulate the ‘right to be forgotten’?
Article 3 of the PDPA explicitly states that the data subject shall have the right to request deletion of his or her personal data that were collected by a government or non-governmental agency.
Email marketing
What regulations and guidance are there for email and other distance marketing?
Compliance with the PDPA (ie, obtaining informed consent) is required if collection, processing and use of personal data would be involved.
Consumer rights
What rights and remedies do individuals have in relation to the processing of their personal data? Are these rights limited to citizens or do they extend to foreign individuals?
Article 3 of the PDPA provides that a data subject can exercise certain rights with regard to his or her personal data by contacting the data collector in any manner – the right to supplement or correct his or her personal data, the right to demand the cessation of the collection, processing or use of his or her personal data, the right to delete his or her personal data, etc. A data subject may also seek damages against the data collector in case of such data collector’s violation of the PDPA.
Taxation
Online sales
Is the sale of online products subject to taxation?
The sale of online products would be subject to Taiwan taxation if the sale is carried out in Taiwan (eg, through a Taiwan website). As to sale of online products through an offshore website, pursuant to Taiwan's Value-Added and Non-Value-Added Business Tax Act (VAT Act), foreign suppliers selling cross-border electronic services to domestic individual purchasers shall make relevant registration with the tax authority and pay Taiwan VAT. In addition, the sales amounts collected by foreign profit-seeking enterprises selling cross-border electronic service would be deemed as income sourced from Taiwan and thus be subject to Taiwan income tax. The prevailing income tax rate is generally 20 per cent on the net taxable income.
Server placement
What tax liabilities ensue from placing servers outside operators’ home jurisdictions? Does the placing of servers within a jurisdiction by a company incorporated outside the jurisdiction expose that company to local taxes?
Taiwan tax laws do not specifically provide what tax liabilities would ensue from placing servers outside the jurisdiction of Taiwan or whether placing a server in Taiwan by a foreign company would expose that company to local taxes. However, Taiwan tax laws target entities that have income sourced from Taiwan or sell cross-border electronic service to domestic individual purchasers.
Company registration
When and where should companies register for VAT or other sales taxes? How are domestic internet sales taxed?
An offshore electronic services business entity selling electronic services to domestic individuals with an annual sales amount exceeding NT$480,000 shall apply to the competent taxation authority by itself or appoint a local tax-filing agent on its behalf to handle the taxation registration.
Regarding domestic Internet sales, a seller who sells goods or services over the Internet and whose monthly sales of goods do not exceed NT$80,000 (NT$40,000 for those who sell services) is temporarily exempted from tax registration. If the monthly sales amount exceeds NT$80,000 but does not reach NT$200,000, the tax will be levied on a quarterly basis (billed by the end of January, April, July and October of each year) at the rate of 1 per cent of the sales amount. If the monthly sales amount exceeds NT$200,000, a government uniform invoice (the standardised or uniform and mandatory type of invoice in Taiwan) should be used subject to certain exemptions, and subject to 5 per cent VAT.
Returns
If an offshore company is used to supply goods over the internet, how will returns be treated for tax purposes? What transfer-pricing problems might arise from customers returning goods to an onshore retail outlet of an offshore company set up to supply the goods?
Under the VAT Act, the amount of business tax payable or overpaid by a business entity will be the difference between the output tax in a tax period and the input tax in the same period. The amount of business tax returned by a business entity to a purchaser due to sales return of goods or rebates allowed shall be deducted from output tax in the tax period when the return or rebate occurs.
Taiwan tax laws do specifically address the transfer pricing-related issues where customers return goods to an onshore retail outlet of an offshore company set up to supply the goods. Whether any transfer-pricing problems might arise therefrom would depend on the relevant facts involved in each particular transaction, as well as the terms of the contract between the onshore retail outlet and the offshore company, etc.
Gambling
Legality
Is it permissible to operate an online betting or gaming business from the jurisdiction?
Generally, gambling is prohibited under Taiwan law, except for Public Welfare Lottery and Sports Lottery, which are specifically permitted under relevant laws and regulations. According to court decisions, an online gambling website still constitutes a ‘place of gambling’. Under Taiwan’s Criminal Code, anyone who operates an online gambling business with the intent to make a profit in Taiwan may be subject to criminal liabilities.
Are residents permitted to use online casinos and betting websites? Is any regulatory consent or age, credit or other verification required?
Pursuant to article 266 of the Criminal Code, from the perspective of the customers, only those who ‘gamble in a public place or a place open to the public’ (Public Requirement) would constitute a criminal offence. A Supreme Court decision that has been cited very often (Ref No. 107-Tai-Fei-Zi-174), held that gambling via the Internet with required login (ie, using a registered account and passwords) by customers is not an offence of gambling since such activity is not publicly accessible by other third parties (ie, failure to meet the Public Requirement).
However, in response to the controversies stirred up by the abovementioned Supreme Court decision, the Executive Yuan (ie, Taiwan’s cabinet) proposed a draft amendment to the Criminal Code in 2020, under which gambling through ‘telecommunication devices, electronic communications, the Internet or other comparable tools’ would be considered a criminal offence. However, the draft is still under discussion and whether this draft will be passed by the Legislative Yuan (ie, the congress) is uncertain.
Notwithstanding the above, since the Social Order Maintenance Act (SOMA) also regulates gambling activities and there is no Public Requirement in the SOMA, users of online casinos and betting websites would be in violation of said SOMA.
Outsourcing
Key legal and tax issues
What are the key legal and tax issues relevant in considering the provision of services on an outsourced basis?
Generally, unless otherwise restricted by sector-specific regulations (eg, outsourcing of financial institutions’ operations), outsourcing of a company’s services or functions is allowed and the rights and obligations of both parties shall depend on the outsourcing agreement between the parties and if the requirements under the PDPA are satisfied (such as with the consent of customers if their personal data will be used by the third-party outsourcing service provider).
With respect to a company’s use of the services rendered by a third party, the PDPA will be applicable if such company using the third-party service provider’s service will carry out the activities of collecting data from the data subjects, which would then be passed to a service provider for processing and use. Pursuant to the PDPA, such company may be held liable to its customers if the service provider does not comply with the PDPA.
Employee rights
What are the rights of employees who previously carried out services that have been outsourced? Is there any right to consultation or compensation, and do the rules apply to all employees within the jurisdiction?
Under Taiwan law, there are no specific rights of employees in connection with the outsourcing of a company’s services or functions. However, any contemplated dismissals or job transfers shall be subject to the labour law, including Taiwan’s Labour Standards Act, the Act for Worker Protection of Mass Redundancy and Personal Data Act (if the personal data of the employees will be used by the third-party outsourcing service provider), etc.
Online publishing
Content liability
When would a website provider be liable for mistakes in information that it provides online? Can it avoid liability? Is it required or advised to post any notices in this regard?
In Taiwan, there is no specific law regulating information provided by website providers. The liability of a website provider for mistakes in information and whether such liability can be avoided shall depend on the nature of such information (eg, if the information infringes the copyright of a third party, the website provider may be liable under Taiwan Copyright Act; if the information contains misinformation regarding communicable disease, the website provider may be liable under the Communicable Disease Control Act).
Generally, a website provider would not be responsible for reviewing or supervising the information provided by its users. However, pursuant to the Copyright Act and the draft Digital Communications Act, upon receiving a notice stating that the content infringes the notifying party's rights, the website provider shall immediately remove the infringing content and notify the provider of the content to avoid liabilities for infringements.
Databases
If a website provider includes databases on its site, can it stop other people from using or reproducing data from those databases?
Under Taiwan law, databases are copyright-protected (provided that certain requirements shall be met, such as the selection and arrangement of materials of the database shall have a certain degree of creativity). The owner of the copyright has the right to stop other people from using or reproducing data from those databases.
Dispute resolution
Venues
Are there any specialist courts or other venues in your jurisdiction that deal with online/digital issues and disputes?
In Taiwan, there are no specialist courts or other venues established in accordance with applicable laws that specially deal with online or digital issues and disputes.
ADR
What alternative dispute resolution (ADR) methods are available for online/digital disputes? How common is ADR for online/digital disputes in your jurisdiction?
From a Taiwan legal perspective, the method of alternative dispute resolution should depend on the agreement of the contractual parties, unless otherwise expressly provided by law. In local practice, although arbitration is sometimes specified in the terms and conditions for digital business, it seems to be more common to agree upon the dispute resolution by local courts.
Pursuant to the Consumer Protection Act, when a consumer dispute arises, apart from bringing a lawsuit, the consumer may first file complaints to the business operator, consumer protection institutions, or consumer service centres. If the complaints are not properly handled, a request for mediation can be made with the consumer dispute mediation committee of local government.
Update and trends
Key developments of the past year
Are there any emerging trends or hot topics in e-Commerce regulation in the jurisdiction? Is there any pending legislation that is likely to have consequences for e-Commerce and internet-related business?
On 22 July 2020, the National Communication Committee (NCC) issued the draft OTT TV Act, which would generally allow OTT operators to register with the NCC on a voluntary basis. However, it also gives NCC the power to set a standard based on user figures, click rates, revenue, and influence in the market and publish a list of OTT platforms that will be obliged to register. The NCC explains that the draft law applies the concept of ‘catching the big fish, while letting the small ones go’. Furthermore, another area of the draft law that has come in for criticism from the industry is the requirement that OTT operators make periodic reports to the NCC regarding their revenue, user numbers, internet traffic and the status of users, among other data. The NCC also drafted the Digital Communications Act (DCA, first proposed by the Executive Yuan in 2017) to better regulate digital platforms. Nonetheless, both the draft OTT TV Act and draft DCA are still under discussion and whether these two draft acts will be passed by the Legislative Yuan (ie, the congress) is uncertain.
Regarding data privacy, in recent years, legislators have repeatedly proposed to the Legislative Yuan the draft amendments to the Personal Data Protection Act to obtain the ‘adequacy decision’ from the EU authority concerning the GDPR. The proposed amendments include, but are not limited to, establishing a single government agency with responsibility for personal data protection matters, adopting the same restrictions on international transfers of personal data as those applicable under the GDPR, etc. Whether the draft amendments will be passed is uncertain.