Personal Data Protection Act Amended



 
In response to numerous recent data leaks and breaches that have left victims targeted by fraudsters, and to urge non-government agencies to strengthen personal data protection, the Legislative Yuan passed amendments to the Personal Data Protection Act (“PDPA”) on May 16, 2023. The main points of the amended PDPA are as follows:
 
1. The PDPC will act as the competent authority of the PDPA
 
In Taiwan, there is currently no independent supervisory authority dedicated to personal data protection matters. The enforcement of the PDPA is administered by the central competent authorities in charge of the relevant industries and local government authorities. Moreover, the National Development Commission (“NDC”) is responsible for establishing the Enforcement Rules of the PDPA and answering questions from government and non-government agencies regarding how to interpret and comply with the PDPA.
 
To resolve the enforcement difficulties caused by this decentralized approach and to establish an independent supervision mechanism for personal data protection, as required by the Constitutional Court’s judgment of August 12, 2022 (Ref. No. 111-Shien-Pan-13), Article 1-1 of the amended PDPA stipulates that the Personal Data Protection Commission (“PDPC”) will act as the competent authority of the PDPA and, from the date of its establishment, will integrate the enforcement powers spread among the central competent authorities, the local government authorities, and the NDC.
 
2. Penalties for personal data breaches raised
 
Currently, in the event of a personal data breach, the central competent authorities in charge of the relevant industries and local government authorities cannot impose an administrative fine immediately. They must first designate a time limit for the non-government agency failing to adopt appropriate security measures for personal data to rectify the failure. Only when the non-government agency does not rectify the failure within the time limit may they impose an administrative fine ranging from NT$20,000 to NT$200,000.
 
To urge non-government agencies suffering data breaches to improve their personal data protection as soon as possible, Paragraphs 2 and 3 of Article 48 of the amended PDPA stipulate that if there is a data breach, the central competent authorities in charge of the relevant industries and local government authorities may impose an administrative fine ranging from NT$20,000 to NT$2,000,000 immediately, without needing to designate a time limit for the non-government agency to rectify the breach first. If the non-government agency fails to rectify the breach within such time limit or the breach is material, the aforesaid administrative fine can be raised to between NT$150,000 and NT$15,000,000.
 
Our Digital, TMT, and Data Privacy Practice Group has extensive experience in assisting enterprises with preventing and responding to data breaches. Should you require any assistance or have any questions regarding the amended PDPA, please do not hesitate to contact any member of our Digital, TMT, and Data Privacy Practice Group.