Preparing Taiwan’s Data Protection Agency

The government is pushing to streamline data protection enforcement, align with international standards, and provide a unified point of contact for global businesses.


Responding to increased public concern surrounding data privacy, Taiwan hopes to have a new independent data protection authority in operation by August 2025. The formation of the new regulator, which will be known as the Personal Data Protection Commission (PDPC), parallels data protection governance in jurisdictions like Japan, South Korea, and the European Union, where one unified and independent agency oversees, enforces, and interprets the local data protection law. 

The new Commission should make it easier for international businesses to comply with Taiwan’s Personal Data Protection Act (PDPA) in ways that align with their global policies and practices. Businesses will have a single, professionalized point of contact in the government to work with in the future. 

Although Taiwan enacted a data protection law as far back as 1995, it has historically lacked a unified data protection authority to enforce it. Instead, the Act dispersed enforcement powers among various industry-specific regulators and local governments. This fragmented approach led to at least two major problems. 

First, some industry-specific regulators never developed the necessary specialized expertise in data protection. Second, legal practitioners have noticed a certain tension between the traditional role of industry-specific regulators as advocates for their sectors and their data protection duties. Quite naturally, the Tourism Administration wishes to promote the tourism industry, just as the Ministry of Economic Affairs wants manufacturers to do well. While Taiwanese government agencies vigorously investigate and enforce the law when there are violations, they also wish to avoid overly burdening their “constituents” with costly and burdensome data protection requirements.  

For many years, interpretation of the PDPA was handled by the Ministry of Justice before it shifted to the National Development Council in 2019 and finally the Preparatory Office of the Personal Data Protection Commission on January 1 this year. Over the past 25 years the courts have developed a considerable body of jurisprudence, although many of the cases involve petty personal disputes. Thousands of cases are on record involving issues arising from the Act. 

While the idea of establishing a dedicated data protection authority was discussed for many years, it became a matter of policy in May 2022 as part of the Executive Yuan’s National Human Rights Action Plan, which called for a data protection commission to protect digital rights and privacy. A few months later, Taiwan’s Constitutional Court held that the lack of an independent supervision mechanism under the Personal Data Protection Act (PDPA) and other relevant regulations raised concerns about unconstitutionality. The Constitutional Court ordered the competent authorities to address this issue by enacting new legislation or amending current statutes within three years. It clearly signaled its preference for an independent and unified data protection agency by approvingly citing international examples. 

Heeding its own Human Rights Action Plan, the Executive Yuan drafted a bill last year to amend the PDPA and authorize the creation of a PDPC as an independent agency. In turn, the legislature enacted the bill as proposed about one month later. Traditionally, data protection has not been a partisan issue. 

Preparatory office and plans 

It is standard practice in Taiwan for the executive branch to open a preparatory office when setting up a new agency. The PDPC Preparatory Office has 38 employees, and it is expected to grow to 89 people depending on its needs. The preparatory office is headed by a director, Frank Lee, who has had more than two decades of experience working on data protection issues at the Ministry of Justice and the National Development Council. 

Lee likens the Preparatory Office to a specialized construction team. With that in mind, the Preparatory Office’s mission is to plan the Commission, draft the necessary data protection legislation and regulations, and design data protection supervision, auditing, notification, and petition mechanisms. Another aspect of the Commission’s work that must be mapped out in advance is its mission to provide data protection training to cultivate data protection talent and develop an effective public education policy. 

During 2024, the Preparatory Office’s priority is to draft the Organic Act of the Personal Data Protection Commission. This legislation and related regulations will determine the number of commissioners and the organization of the Commission into various departments. Staffing levels will also be set in line with overall national policy. 

The Preparatory Office expects to send a draft Organic Act to the Executive Yuan this year for review. As of writing, legislators from all three major parties have proposed bills to amend the PDPA. These bills include proposals to double fines, address national security aspects of data protection, and impose new data breach notification requirements. While these bills have yet to be taken up by the committee, data protection is on the legislative agenda. It is reasonable to think that the Preparatory Office’s Organic Act bill can be enacted in time to meet the Constitutional Court’s deadline. 

The Preparatory Office says it welcomes feedback and recommendations from stakeholders – including the international business community – after the draft organic bill is posted to the Join platform for public comment.  

The Commission is envisioned as an independent deliberative body operating under the collegial system. As such, it will have a fixed number of appointed commissioners supported by an administrative staff of civil servants. 

The Commission will make decisions by consensus or, if necessary, a majority vote. Existing Taiwanese examples of independent deliberative agencies include the National Communications Commission (NCC), the Fair Trade Commission (FTC), the Taiwan Transportation Safety Board, and the Nuclear Safety Commission. While the NCC and FTC are both second-level agencies, the Transportation Safety Board and the Nuclear Safety Commission are third-level. Whether the PDPC will be second or third level will be decided by the Executive Yuan. As a general matter, second-level agencies such as the NCC tend to have a higher public profile, while third-level agencies often have a more technical focus, as the examples of the Transportation Safety Board and the Nuclear Safety Commission suggest.

In the view of the authors, the NCC and the FTC also provide important clues as to what kinds of experts might be appointed to serve as PDPC commissioners in the future. Both of these agencies have seven commissioners, six of whom are best identified as former government officials or academics. In addition, the FTC has one lawyer, while the NCC has one commissioner from the business community. Notably, the two commissioners on the NCC with technical backgrounds have previously worked in government.

Looking forward 

For the public, identity theft and fraud are the major concerns shaping their understanding of data protection. Compared with people in other countries, Taiwanese people are less concerned about the accumulation of vast troves of data by the state or private companies as a vague threat to freedom. For instance, there were few objections by the public to information collection and tracking during the pandemic.

In general, the public is more concerned about financial harm from data breaches. While the number of fraud convictions has not increased significantly over the last three years, the number of money laundering offenses, often arising from the need to disguise fraudulent funds, has quadrupled. Businesses will need to be ready for more stringent law enforcement focused on the organizational and technical measures that the PDPA requires to prevent personal data from being used for fraudulent activities.

The purpose of the PDPC is to protect the constitutional right to privacy while also “facilitating the reasonable use of data.” In general, Taiwan’s policy on personal data protection allows international data transfers but forbids them in specific limited circumstances. Director Lee emphasized that the Preparatory Office plans to research and consider best practices from various jurisdictions. The public will be given ample time to review and comment on proposals to amend Taiwan’s data protection law and ancillary regulations.  

Lee, the director of the Preparatory Office, notes that public awareness of data protection issues has increased over the past two decades. Taiwan’s early data protection law only regulated the government and specific industries, such as banking. In 2012, the scope of regulation expanded to cover all private-sector industries. But for several years, many business owners remained unaware that the use of the personal information they collected was restricted. 

Lee notes a conversation that he had more recently with a hotel manager about a request to review the hotel’s CCTV footage. He and the manager discussed the definition of personal data and data subject rights, such as the right to data access. He says this interaction highlighted how management at many businesses is now more aware of the need to safeguard personal data than in the past. An important aspect of the PDPA’s work in the future will be publicizing what businesses must do to comply with data protection law and assisting them in training their employees.

Lee says the new PDPC will likely propose amendments to the PDPA. These amendments will take into consideration data protection regulations in other jurisdictions globally. Approaches taken in EU member states, Japan, and South Korea have been influential in the past.  

Sector-specific and local regulators will continue to play an important role in practice in supporting the Commission’s work. For example, the PDPC will likely consult with the Financial Services Commission before taking enforcement actions against financial institutions, since the FSC can share its professional knowledge and experience in supervising financial institutions. Nonetheless, the precise allocation of work between the PDPC and existing regulators is still being calibrated.

While waiting for the PDPC to start work in 2025 or possibly a little later, businesses should take the opportunity to review internal data protection practices and raise awareness among employees. In the authors’ experience advising clients, practices conforming with the EU’s General Data Protection Regulation are a good benchmark but can’t simply be copied to fit the Taiwanese context.

Michael Fahey is an American lawyer admitted in California. Brian Hsieh is a partner at Formosa Transnational and is recognized as an expert on Taiwan data protection law.