A review of the essential regulations, plus some caution on dangers for the unwary.
Is your business handling personal data? Of course, it is. You don’t have to be an e-commerce giant, financial institution, or medical clinic to fall under Taiwan’s laws regarding the protection of personal information. Just the act of having employees means you’re already holding a lot of personal information.
The Taiwan Personal Data Protection Act (PDPA) defines “personal information” broadly to include “the name, date of birth, ID card number, passport number, characteristics, fingerprints, marital status, family, education, occupation, medical records, medical treatment, genetic information, sexual life, health examinations, criminal records, contact information, financial condition, social activities and other information which may be used to identify a natural person, both directly and indirectly.”
Even at the job-applicant phase, prospective employees have already turned over their names and educational, work experience, and contact information. After they start work, you’ll definitely also have their date of birth and ID card number, and in order to pay them you will know their bank and account number.
Punishments for violating the PDPA can be severe, including heavy fines as well as prison sentences of up to five years. So getting this right is absolutely important for any business.
Mainstreaming of data protection: The European Union’s implementation of the General Data Protection Regulation (GDPR) in 2018 resulted in a seismic shift globally as companies and organizations rushed to comply with its strict rules. It has become one of the hottest topics in business, with companies scrambling to ensure that their privacy policies match up with it on the assumption that compliance with the GDPR is a “gold standard.” It’s important to note, however, that individual countries, including Taiwan, sometimes have their own distinct standards that may be even stricter, and warrant a closer look.
Some parallels: Because data protection touches upon so many other areas of law, in recent years many lawyers across different practice areas have had to learn the issues. Our firm’s regulatory and employment specialists work on them on a daily basis, and these days our corporate due-diligence teams also run into these issues all the time, both in terms of evaluating the risks of a target company and in reviewing the data involved in the case. There’s a huge amount of overlap between intellectual property law and data protection, especially since IP lawyers spend a lot of time helping clients implement effective trade-secrets protection programs. Anyone who has spent time drafting a non-disclosure agreement between two parties has a pretty good sense of what’s involved in assuring the protection of somebody else’s info.
Examples of data protection gone wrong:
• In a case a couple of years back, a multinational’s exit procedures for one of its Taiwan managers required him to turn over to corporate security in the U.S. his home personal computer and drives – devices that contained his tax filings, financial data, medical records, family photos, and many other highly personal materials. The multinational held onto the employee’s computer and drives for months of review, finally organizing a meeting at the offices of its local counsel in Taipei to return them.
At the meeting, they asked the former employee to sign an acknowledgement that he retroactively approved the fact that the company had made a complete copy of his drives and would be keeping the data indefinitely. The letter requesting the acknowledgement was issued on Taiwan company letterhead and under the name of the multinational’s Taiwan country manager, who apparently didn’t realize that copying the former employee’s personal information without permission could be a criminal offense.
Once we pointed out the obvious breach, the multinational’s counsel frantically demanded that we return the letter because it was their client’s “property.” We noted that it was a letter delivered successfully to its recipient. Within days of pointing out the potential PDPA prison terms for the multinational’s country manager, the other side came back to settle.
• Some adept consumers set up dedicated email accounts so that they can trace where their data goes. For example, someone named John B. Doe might sign up for a newsletter for ABC Corp. by submitting the newly-created email address “[email protected].” If anybody else uses the address to contact him, Doe knows that his data has been transferred without his permission. A few years ago, a case involving this kind of situation led to an immediate complaint. Clearly the kind of personality that sets up special accounts for each subscription is also the kind who is aware of his/her rights and will report any mistakes to the authorities.
• In a published High Court case in Taiwan, a product supplier was found guilty of violating the PDPA. This supplier had established a group on the messaging app LINE to conduct product sales. Among the 70-80 members of that group was a retailer with whom the supplier was upset because the retailer had previously failed to pay for an order. Without the consent of the retailer, the supplier then unlawfully used the retailer’s personal data by posting a picture of a shipping order containing the retailer’s name, address, and phone number on the LINE group for all the members to see.
This unlawful use of personal data violated the retailer’s right to privacy. The retailer, who had been removed from the Line group and was notified of the situation by a friend, filed a complaint in court against the supplier. The supplier was found guilty of violating the PDPA because the reason for disclosing the retailer’s data was due to a business dispute, not to protect a person from any harm. Further, this disclosure of the shipping order was outside the normal purpose of a shipping order. The failure to correct the disclosure demonstrated an intent to damage the retailer, and in fact damage to the retailer’s business occurred.
Consent is key: The PDPA takes into account the idea that the collection or processing of personal data generally presents no problem when a contractual or quasi-contractual relationship exists between the company and the individual – for example between buyer and seller or employee and employer. However, a company typically may need to share data with business partners, marketing consultants, accountants, and other related entities.
There’s a lot you can do with personal data as long as you get advance consent from the other party, and it is always best to do this at the start of the relationship rather than trying to chase them down later to get approval. For example, many companies provide a data-protection policy online with the opportunity for customers to click “OK” prior to ordering products or a subscription online.
In cases where personal data was collected under an older, outdated data-protection policy, companies often need to go back and seek consent. If consent to the new rules is not given, then companies need to accept that restriction on the use of the personal data.
Individual rights: Although companies can do a lot as long as they have the individual’s consent, there are some rights that cannot be waived. Individuals can always request:
- a review of their personal information
- a copy of their information
- the opportunity to supplement or correct their personal information
- cessation of the collection, processing, or use of their personal information; and
- deletion of their personal information.
Companies are often unaware of these responsibilities, but the Taiwan PDPA requires that action be taken on such requests within 15 or 30 days, depending on the type of request.
Enhanced rights: Taiwan’s PDPA provides additional protections for particularly sensitive information, stating that data concerning personal health, medical treatment, genetic background, sexual life, and criminal offenses should not be collected, processed, or used, except within fairly tight restrictions. Exceptions include situations in which the individual has made the information public on his/her own given consent in writing, or the information has already been published legally. Even if the subject of the individual data consents, there needs to be a valid specific purpose for collection of the data.
Notices: Data-protection fundamentals do not vary much from jurisdiction to jurisdiction. The basic principle is to keep individuals informed about the collection and use of their information, and ensure they know about and can easily enforce their rights. Laws about personal information are typically written with some notification requirement to accomplish these basic goals. Taiwan’s PDPA is no different. Its notice requirement lists a few points that must be disclosed to individuals about the collection of their personal information:
1. Name of the collector or user of the information;
2. Purpose(s) of collection;
3. Types of personal information collected or used;
4. Time period, area, target, and way of using the personal information;
5. The rights of the subject of the data and how to exercise them as prescribed in Article 3;
6. The impact on the subject’s rights and interests if he/she chooses not to provide the personal information.
The following situations may be exempted from the notification requirement prescribed in the preceding paragraph:
- When in accordance with the law;
- When the collection of personal information is necessary for a government agency to perform its official duties or a non-government agency to fulfill legal obligations;
- When the notice will impair a government agency in performing its official duties;
- When the notice will impair the public interest;
- When the subject should have already known the content of the notification;
- When the collection of personal information is for non-profit purposes and clearly does not cause any detriment to the subject.
Breaches: When the personal information is stolen, disclosed, altered, or infringed in other ways due to the violation of this law, a breached company needs to notify the affected persons after an investigation to ascertain the relevant facts. The law does not specify the means by which the notification has to be made, but it must be done promptly. Article 22 of the PDPA’s enforcement rules states that the notice has to include the “facts pertaining to the data breach and the response measures already adopted” to address it.
Article 18 of Taiwan’s Cyber Security Management Act (CSMA) also requires that cybersecurity incidents be reported to the central authority in charge of the relevant industry, followed by proper handling and improvement of cyber security. Article 8 of the CSMA’s enforcement rules requires the report to include:
1. Times of the occurrences of – or the awareness of occurrences of – the incidents, and the completion of damage control or recovery operations.
2. The scope of the incidents and the damage assessment.
3. The damage control and recovery operations.
4. Incident investigations and handling operations.
5. Analysis of the cause of the incident.
6. Measures regarding management, technology, manpower, or resources taken to prevent reoccurrences of such incidents.
7. Estimated completion schedule and follow-up mechanism of the measures mentioned in the preceding clause.
Article 3 of the Regulations on the Notifications and Response of Cyber Security Incidents sets out requirements for the content of the report. These include:
1. The agency where the incident occurred.
2. The time of occurrence or awareness.
3. A description of the situation.
4. Assessment of the severity of the breach.
5. Coping measures in response to the incident.
6. Assessment of the need for external support.
7. Other relevant items.
Article 11 of the above regulations provides that non-government agencies shall make the notification of the cyber security incident within one hour in the manner designated by the competent authority for their relevant industry. Article 13 sets out timelines for damage control and recovery operations, depending on the level of the cyber security incident.
Languages: Many companies want to know whether they must translate their English-language data protection policy into local languages. The answer depends on the industry sector and whose information is being collected. You want individuals submitting their data to be able to understand the nature of the consent they’re giving. Generally, if your site is already translated into local languages to better reach people, that’s an indication that your data-protection policy should also be translated.
For employees, it depends on your workforce and the usual languages used for communicating their rights and obligations. Many companies will include personal-data provisions in their employment contract or offer documentation to make the company’s policies clear to employees.
Taiwan’s PDPA and related laws have serious implications for companies doing business here. Multinationals naturally want to ensure that their data-protection policies and breach procedures are as uniform as possible across jurisdictions, but it can be quite important to have local counsel review those policies and procedures to make sure that response times, notices, consent procedures, and other issues are in line with local requirements. If uniformity is desired for efficiency purposes, then complying with the strictest jurisdictions (after confirming their identity with local counsel) is advisable. Many of our clients make sure that their overview of these issues is matched with analysis of the local specific requirements.
— John Eastwood is the managing partner of Eiger and regularly works with SMEs through to multinationals on data-protection compliance matters. Wendy Chu is a senior associate and Nate Snyder is an associate with Eiger, both working regularly on these issues.