Amending the Personal Data Protection Act

Due to the rapid development of information technology, the Taiwanese legislature has amended many existing laws, such as the Criminal Code, the Copyright Act, the Trademark Act and the Personal Data Protection Act. As Taiwan has a civil law system, the courts have little discretion to create new laws. When facing legal issues that arise from online activity, the legislature has chosen to incorporate different legal issues into the existing codes and acts, rather than creating a new act to address online legal issues specifically.

On 27th April 2010 the Legislative Yuan passed a draft amendment of the Personal Data Protection Act to protect privacy and personal data in cyberspace. Although the act was promulgated on 26th May 2010, it has not yet become effective, as the scope of the act is broad and the government still needs time to draw up the subsidiary regulations and enforcement rules. However, on 12th April 2012 the government announced that some of the controversial articles of the act will be amended before it takes effect and that the effective date of the act will not be postponed indefinitely. Therefore, it is worthwhile to consider the changes that will be made by the act.

In general, the act strengthens an individual’s rights in connection with the disclosure, use and modification of his or her personal information. The act's scope of protection extends to all personal data in both electronic and written format. Under the act, 'personal data' includes a person’s medical history, genetic information, information regarding his or her sex life, health examinations, criminal record and contact information. Furthermore, the act explicitly prescribes that personal data includes “other data which is sufficient to ‘directly or indirectly’ identify that person” rather than “other data which is sufficient to identify that person”, as stipulated in the existing law.

The act applies to all legal entities, groups and individuals that conduct the specified acts in relation to the collection, processing and use of personal data, rather than only to certain industries, as in the existing law.

The inclusion of a new type of personal data – “sensitive personal data” – in the act has drawn much attention. Under the act, medical history, genetic information, information regarding sex life, health examinations and criminal records are classified as sensitive or special personal data. Such data is, like other personal data, protectable and can be collected, processed or used only under the strict conditions set out in the act.

The act defines the “written consent” to be obtained from the individual, and prescribes that the personal data controller must fulfil the notice obligation to ensure that the individual is fully informed before his or her data is collected, whether directly or indirectly. In the event of divulgence of personal data, the personal data controller must carry out an investigation and inform the individual of such disclosure so as to prevent further damages.

According to the act, those performing marketing activities with personal data must respect the relevant individual’s right of refusal when conducting the marketing activities for the first time. The inclusion of the right of refusal in the act is expected to protect an individual's right to information privacy more effectively.

As the act will apply to governmental as well as non-governmental institutions, more intensive administrative supervision will be required. One of the major amendments to the current law is to adjust the civil and criminal liabilities and the administrative penalty. According to the act, the maximum civil indemnity payable for any loss or damage caused by the inappropriate use of data has been increased to NT$200 million. In the event that the exact amount of loss or damage cannot be easily ascertained or calculated, the victim may ask the court to assess the indemnity (increased from NT$500 to NT$20,000) according to the degree of the infringement. Moreover, the option of initiating class action suits has been added to the act to facilitate the rectification process. Regarding criminal liability, any party with the intent to profit from unlawful acts shall be imprisoned for up to five years or fined up to NT$1 million, and a criminal prosecution may be instituted ex parte. With respect to the administrative penalty, the fine has been raised significantly by the act.

To resolve the issue of whether publishing group photos on a Facebook page or blog violates the act, the legislature has added a provision stating that personal data accessed during social or family activities is an exception and shall be subject to the Civil Code. The collection, processing or use of audio or video clips which are taken in public places or during open activities and which reveal no personal information is also an exception permitted under the act, provided that there is clear intent of the lawful use of group photos.

This is an Insight article, written by a selected partner as part of IAM's co-published content.