Taiwan’s Office of the President announced at the end of last year various amendments to Taiwan’s Personal Information Protection Act 2010 (PIPA). These amendments are the first since 2012 and appear intended, at least in part, to provide clarity on certain provisions left unresolved (and not fully implemented) from the previous 2012 amendments. The amendments are expected to become effective in a few months (mid-2016), although no specific date has yet been set.
While an effective date is pending, companies should keep in mind certain important parts of the amendments that may impact them. These include clarifications on whether a company must notify a data subject about its data practices if it collected the subject’s information from someone other than the individual. The amendments clarify that such notification is only necessary if the data is actually used. Notification must be given prior to the first use of relevant personal data.
In addition, companies should bear in mind that medical records are now treated as “sensitive personal data” that cannot be collected, processed, or used unless a specific exemption applies. This means that medical records will now be treated in the same way as personal information relating to medical treatment, genetic information, sex life, health examinations, and criminal records. Previously there had been concern regarding how to distinguish between medical records on the one hand and information on medical treatment or health examinations on the other. While this appears to make the overall restriction broader, the amendment provides clarity on the scope while confirming that the written consent of the data subject will constitute a valid exemption for this purpose.
The amendments also clarify when the penalties for criminal offenses under Article 41 of PIPA, which include fines and imprisonment, will apply. They remove these sanctions for the relevant violation if it was not intended to result in unlawful gains for the infringer or a third party or to cause harm to others.
TIP: Companies operating in Taiwan should ensure that their notification practices adhere to the amended requirements for information collected from someone other than the data subject and should check whether they request or use any personal data relating to medical conditions or treatment. If they engage in the latter, they should obtain written consent in relation to the collection, processing, and use of such personal data.