March 17, 2012

TAIWAN'S NEW DATA PROTECTION ACT

Professor Abu Bakar Munir

On April 27, 2010, the Taiwan legislature amended the old Computer Processed Personal Data Protection Act and enacted the new Personal Data Protection Act (PDPA). This new law is expected to enter into force by November 2012.
The PDPA applies to public and private sectors. However, in two “specific circumstances” the PDPA is not applicable; (1) when an individual collects, use or processes personal information in the course of personal activity of a domestic nature, (2) if the audio-visual information is collected, processed or used in public places or public activities and not associated with the other personal information.
Personal information is defined broadly to cover name, date of birth, I.D. Card number, passport number, marital status, family, education, occupation, contact information, social activities and other information which may be used to identify a natural person, both directly and indirectly. The concept of “sensitive data” is introduced.
All types of agencies are subject to the general obligations in articles 5-14, but there are also obligations specific to public agencies in articles 15-18 and to private agencies in articles 19-27. Article 3 of the PDPA provides for the rights of data subjects. The PDPA requires mandatory notification on data breach. Article 12 states that when the personal information is stolen, disclosed, altered or infringed in other ways due to the violation of this Law, the government agency or non-government agency should notify the affected individuals.

The PDPA does not provide for single oversight body and does not create a data protection authority. Enforcement is left to the Ministries responsible for each industry sector. The Act in chapter V provides for provisions on the criminal offences. Interestingly, like the Korean new law, the PDPA allows damages action as well as class action be taken companies and organisations.

1 comment: