
Newsletter


Executive Yuan required ministries and commissions to amend data protection regulations and impose more breach-reporting obligations on specific industry sectors under their supervision

 
Currently, there is no dedicated authority responsible for data protection in Taiwan. Enforcement of the Taiwan Personal Data Protection Act (“PDPA”) is administered by the local government authorities and by the central competent authorities in charge of the relevant industries. For this reason, the Executive Yuan has convened and hosted regular collaborative meetings among ministries and commissions on the implementation of personal data protection since December 22, 2020 (the “Collaborative Meeting”). Under the Collaborative Meeting’s resolution dated February 3, 2021, and in order to ensure a consistent reporting process and timeline for data breaches, the Executive Yuan requires the ministries and commissions to amend the data protection regulations they have promulgated for specific industry sectors under their supervision (the “Data Protection Regulations”) so that non-government agencies are explicitly required to report data breaches to the central competent authorities within 72 hours, using the reporting forms provided by those authorities.
 
To urge ministries and commissions to supervise and manage non-government agencies, the Executive Yuan further stipulated the Collaborative Practice Guidelines on the Implementation of Personal Data Protection by the Executive Yuan and its Subordinate Agencies (the “Guidelines”) on August 11, 2021, which took effect on September 3, 2021. The Guidelines require ministries and commissions to amend their existing Data Protection Regulations so that non-government agencies that use IT systems to collect, process, or use personal data must adopt the following data security measures: (i) user identification and protection mechanisms; (ii) mechanisms for hiding (masking) user passwords; (iii) security and encryption mechanisms for the online transmission of personal data; (iv) access control and monitoring measures for personal data files and databases; (v) measures for preventing external network intrusion; and (vi) mechanisms for monitoring and responding to unauthorized or abnormal user behavior (Point 4 of the Guidelines). The Guidelines also require ministries and commissions to review regularly whether new Data Protection Regulations should be stipulated for specific industry sectors under their supervision, taking into account the scale of the non-government agencies, the quantity or nature of the personal data they retain, the potential impact on data subjects should a data breach occur, the frequency of cross-border transfers, and similar factors (Point 5 of the Guidelines). Furthermore, the Guidelines require ministries and commissions to report to the National Development Council (NDC), the competent authority in charge of interpreting the PDPA, within 72 hours after they are notified of or become aware of a data breach (Point 6 of the Guidelines).
 
As required by the Collaborative Meeting’s resolution dated February 2, 2021, ministries and commissions have, since late April 2021, successively published proposed amendments to their existing Data Protection Regulations for public comment, explicitly requiring non-government agencies to report data breaches within 72 hours. It is expected that ministries and commissions will further amend their existing Data Protection Regulations pursuant to the Guidelines in the near future, requiring business operators that use IT systems to collect, process, or use personal data to adopt the additional data security measures listed above. Furthermore, because the Executive Yuan requires ministries and commissions, when reporting to the NDC under Point 6 of the Guidelines, to explain any follow-up actions they have taken (including whether they have conducted audits and inspections), the local government authorities and central competent authorities may initiate audits and inspections under Article 22 of the PDPA more frequently.
 
It remains to be seen how the central competent authorities in charge of the relevant industries will stipulate or amend the relevant Data Protection Regulations. In the meantime, business operators (especially those in specific industry sectors for which the central competent authorities have already promulgated Data Protection Regulations) should assess whether their current security measures are sufficient and conform to the central competent authorities’ strengthened data protection standards. Should you have any questions or require any assistance, please do not hesitate to contact any member of our Digital, TMT and Data Privacy Practice Group.