Best practices to avoid trade secret theft

For companies taking a long-term view of protecting their intellectual property rights, trade secrets may offer an appealing alternative to a patent-based approach. Each option comes with its own tradeoffs. A patent provides its owner with an enforceable monopoly on the patented innovation, but only for a limited time, after which the owner will lose any special right to the invention or method disclosed in the patent. This is often the best option, especially for innovations which could soon become obsolete, or which are likely to be discovered by other parties. On the other hand, trade secrets have no expiry date, and the owner retains an exclusive right as long as the innovation can be kept secret from other parties. There is also no need to register trade secrets with the authorities in order to gain protection, whereas patents are only awarded after an application process that is often lengthy, complicated, and expensive. But trade secrets have their downsides as well, most notably that another party which independently arrives at the same discovery has every right to make use of it.

Although trade secrets might be a more suitable long-term strategy than patents for many companies, they are often overlooked or poorly understood, and many companies which rely on trade secrets may not be taking adequate steps to protect them. In some cases the lack of sufficient protective steps may even mean that the innovation in question will not meet the legal definition of a trade secret, and will not be protected as one under the law. This can be seen by looking at the way trade secrets are defined under Taiwanese law.

An innovation must meet the following three criteria to be considered a trade secret under Taiwan’s Trade Secrets Act:

(1)   It must not be known to persons generally involved in the field.

(2)   It must have economic value, actual or potential, due to its secretive nature.

(3)   Its owner must have taken reasonable measures to maintain its secrecy.

The first two requirements may seem obvious. It is the third requirement that can create problems for a company trying to protect its trade secrets. Due to the requirement imposed by the third part of the definition, a company which has not taken “reasonable measures” to maintain secrecy does not have a trade secret at all, and its innovation will not be protected by the Trade Secrets Act. So what would constitute a “reasonable measure” in this context?

Many companies may not have considered whether their protective measures would be considered reasonable under the Trade Secrets Act, and these same companies may unfortunately fall short when putting protective measures in place. In many cases the only step taken to protect a trade secret will be the use of a non-disclosure agreement (NDA). While an NDA is certainly a good idea, there are additional, relatively easy steps that can be taken to increase protection. This is where best practices come into play. These could include any or all of the following:

  • Ensuring that the trade secret is protected using adequate, demonstrable security measures.
  • Using password protection on computers and electronic files containing information pertaining to the trade secret.
  • Protecting access to the premises with measures such as card-based entry, a front desk with receptionists controlling access to the office, etc.
  • Having a clear, written internal policy for trade secret protection, including regular training sessions or workshops to ensure that all employees are aware of proper procedures.
  • Taking measures to prevent employees from compromising security by downloading unauthorized software, bringing sensitive documents home with them, or using personal USB drives and other storage devices, etc.

This list is by no means exhaustive, and in fact there is no list of requirements for meeting the definition of “reasonable measures”.[1] That said, failure to implement any measures of this kind could be used as evidence to show that the protected information was never a trade secret to begin with, having failed to meet the third requirement under the law that there must be “reasonable measures to maintain its secrecy.” Clearly an NDA is not always going to be enough.

There is another major benefit to implementing best practices: aside from just meeting the legal standard of having “reasonable measures” in place, such best practices could also prove to be indispensable tools for proving that theft of trade secrets has indeed occurred when an alleged breach being considered by a court. For example, password protection for electronic files also brings the possibility of tracking exactly who had access to the relevant information and when. Records of this kind could make all the difference when trying to prove that a specific individual engaged in trade secrets theft. And simply allowing all employees to have unmonitored, unfettered access to trade secrets could make it virtually impossible to prove who might have leaked the information.

One important exception to all of the foregoing which should be mentioned: for foreign nationals doing business in Taiwan with trade secrets in play, there is a further issue that the Trade Secrets Act relies on reciprocity when it comes to protection of a foreign party’s trade secrets. In particular, consider the following at Article 15:

A foreign national’s trade secret(s) will not receive protection in the R.O.C., if the foreign national’s home country has not signed a bilateral trade secrets protection treaty or agreement with the R.O.C., or does not provide protection to trade secrets owned by R.O.C. nationals according to the laws and regulations of the foreign national’s home country.

In other words: if you are a foreign national, all of your attempts at best practices may be in vain if your home jurisdiction does not have a bilateral trade secrets agreement with Taiwan, or does not protect the trade secrets of Taiwanese nationals. In such a situation, your trade secrets will not be protected in Taiwan, even if you take all the proper precautions outlined above.[2] For this reason, it is recommended that foreign nationals in particular seek out legal advice when using trade secrets in Taiwan. There may be other options to consider in this situation, but they would need to be determined on a case-by-case basis with the advice of a lawyer.

Clearly, trade secrets protection can present difficult problems. But by taking simple precautions, and by hiring legal specialists to formulate an appropriate regime of trade secrets protection for your company, major disasters can be avoided. And when it comes to issues involving trade secrets protection, preventing bad outcomes before they arise is inevitably safer, less stressful, and above all cheaper than dealing with a trade secrets breach after the fact.

For more information about trade secrets protection and other intellectual property matters in Taiwan, please contact Christine Chen at

Legal intern Wolf Cho contributed to this article.

[1] For an example of this, see 104年度智訴字第14號, in which the court held that reasonable protective measures had been implemented, including the use of confidentiality agreements, the use of document shredders, and a system of graded levels of confidentiality for internal documents, with corresponding restrictions to access.

[2] See, for example, 96年度抗字第1641號 (Interlocutory Appeal), in which the Taiwan High Court stated that the appellant’s status as a British Virgin Islands company combined with the absence of any reciprocal arrangement for trade secrets protection between Taiwan and the British Virgin Islands meant that the appellant’s trade secrets would not be afforded protection in Taiwan.

WP represents a third of the world’s biggest brands for the third consecutive year

Interbrand has released its 100 Best Global Brands list for 2018. Winkler Partners represents a third of the brands that made the list for this year, and half of the top ten.

Technology brands such as Google (2nd), whose value increased 10% year on year, and Amazon (3rd), whose rose 56%, show that increasingly, the brands with the most value are associated with the online world. The most valuable brand in the world for the 6th consecutive year is Apple, which saw a 16% rise in its brand value over 2017, while Spotify (92nd), a streaming music service provider from Sweden, made it into the list for the first time. Four other brands that made their inaugural entry in the list include French fashion house Chanel (23rd), French cognac brand Hennessy (98th), Japanese consumer electronics and gaming company Nintendo (99th) and Japanese automotive manufacturer Subaru (100th).

Winkler Partners currently represents 30 of these top global brands of 2018, a slight decrease from 32 in 2017, 35 in 2016, and an increase from 25 in 2015, and just 18 in 2010. Brands that we have worked with are active in many fields, including fashion, software, hardware, consumer goods, ecommerce, beverages and media.

The full list of Best Global Brands 2018 can be found here.

Mass layoffs in Taiwan: Additional insights for employers

As we mentioned in our previous article, “Mass layoffs in Taiwan: A guide for employers”, when an employer needs to dismiss a certain amount of its Taiwan workforce over a defined period of time, it must comply with the provisions of the Act for Worker Protection of Mass Redundancy (the “MRA”). Any employer who does not follow the procedures under the MRA may be subject to administrative fines of up to NT$500,000. As a follow-up to that article, we provide below some additional insight regarding the mass layoff process based on our recent experience of handling such cases.

Required notification and calculation of the notice period

An employer seeking to implement a mass layoff plan (a “Plan”) shall notify the relevant authorities/agencies or personnel at least 60 days prior to the proposed termination date. However, in addition to the procedures required by the MRA, an employer shall provide 10 to 30 days of advance notice to individual terminated employees based on their years of service, pursuant to the Labor Standards Act (the “LSA”).

An employer shall also notify the local labor authority and public employment services institution at least 10 days prior to the proposed termination date, according to the Employment Service Act (the “ESA”). The calculation for determining when the termination report should be submitted is slightly different than that for the 60-day notification period mentioned above in that the first day is the date the termination takes effect. If the last date in that period, the date requiring submission, is a holiday, it would automatically carry over to the next day. For example, if employees are scheduled to be terminated on 20 February, the first date to start the calculation of the 10 days would be 21 February. In general, the last day for the employer to submit the report should be 12 February; however, if that day is a Sunday, the employer may complete the submission no later than Monday, 13 February.

Submission of required documents and negotiations

The Plan shall provide detailed information regarding the layoff and relevant evidence, such as financial statements, to justify the layoffs. This evidence may also be provided after the initial submission of the Plan. If employers cannot produce such evidence, they may provide a written explanation instead.

If an agreement is not reached by the employer and the employees within 10 days from the day that notification has been given, the relevant local labor authority will invite both sides to form a negotiation committee in order to finalize the terms of the Plan. In our experience, this 10-day period is not a hard and fast rule (at least for the Taipei City Government). In circumstances in which the employer can provide written evidence that it has been trying to negotiate with the terminated employees, intervention by the labor authority is less likely. In practice, such evidence is usually in the form of meeting minutes. The minutes submitted in the final stage, once negotiations have concluded, must be sufficient to prove that both parties have reached a mutual agreement and should contain an acknowledgement that the terminated employees have agreed to the formula used to calculate their severance package. Each employee must sign the minutes to show his/her express consent to their content. An attendance sheet bearing the signatures of the representative of the employer and all employees is also required.

Employment counseling for terminated employees

After the Plan is filed with the local labor authorities, the public employment services institution will ask the employer if the terminated employees require employment counseling. This is a procedural inquiry made of every company subject to mass redundancy and is not compulsory. It offers the terminated employees a chance to better understand Taiwan’s employment counseling resources. The process involves an informational session at the company’s offices, during which the presenters introduce employment resources, such as counseling services, employment insurance, channels for job hunting, and others. They also hold a Q&A session to respond to employee’s questions regarding issues related to unemployment benefits and other services.

Employer’s post-termination obligations

Employers shall issue involuntary termination certificates. Service certificates may also need to be provided if the terminated employees ask for them. The involuntary termination certificate is required for employees looking to register for job placement, apply for unemployment benefits, and obtain vocational training. The service certificate lists the employee’s job title, their years of service, the nature of the job, and their salary. Please note that employers may not record any negative information regarding the employee on the service certificate.

Tips for negotiating with terminated employees

The employers may terminate employees at the end of the 60-day notice period under the MRA, provided that the laid-off employees are all issued statutory entitlements under the LSA and Labor Pension Act (the “LPA”). The MRA merely imposes an obligation on employers to negotiate the severance package with the employees; there is no punishment for employers who are unable to ultimately reach a better deal with the employees. Employers should however be reminded that unhappy employees may challenge the termination’s legal basis through official complaint, mediation or even bring a suit.

To avoid such risks, employers can of course offer a more generous severance package than that mandated by the LSA and LPA if they believe that their legal basis for the layoff is not strong enough or if they wish to facilitate a more efficient mass layoff process and reduce the risk of future disputes arising. However, as the MRA does not require the employer to provide the employees with a better deal when a mass redundancy occurs, it is important for the employer to acknowledge that it’s not wise to show all of their cards at the very beginning of the negotiations. In our experience, such a move leads to deadlock and requires much more effort to reach a settlement with the employees.

For more information on Taiwan employment matters, please contact Christine Chen at or on +886 (0) 2 2311 8307.

2017 Data protection enforcement decisions by Taiwan’s Financial Supervisory Commission

Taiwan’s Financial Supervisory Commission (the “FSC”) continues to be the only regulatory agency in Taiwan that regularly publishes its data protection enforcement decisions. This update summarizes the FSC’s 2017 data protection decisions. Please see this feature from last year that explains Taiwan’s data protection regulatory regime and discusses the FSC’s 16 decisions between 2012 and 2016.

The FSC issued 13 data protection enforcement decisions in 2017 after issuing seven such decisions in 2016 and none in 2015. All 13 of the 2017 decisions were against insurance businesses, and 11 of these decisions imposed fines ranging from NT$300,000 (c. US$10,000) to NT$700,000 (c. US$23,000). It should be noted that most of the decisions also included violations of Taiwan’s Insurance Act in addition to data protection violations. As a result, the fines include penalties for violations of not only the Insurance Act, but also Taiwan’s Personal Information Protection Act (“PIPA”) without a breakdown. The decisions also included orders to remedy the violations. Typically, the FSC gave the insurance businesses one to three months to remedy.

Eleven of the 13 decisions involved failures to implement appropriate security measures to protect personal information under Article 27(1) of the PIPA. More specifically, the FSC repeatedly cited insurance businesses for violations of its standards for appropriate security measures at financial institutions. These standards are set out in the Financial Supervisory Commission’s Regulations Governing Security Measures for Personal Information Files at Designated Non-Public Agencies (the “FSC Security Measures Regulations”).[1]

For example, an insurance brokerage was cited for the following violations:

  1. Failure to establish a security auditing mechanism for personal information (FSC Security Measures Regulations §13); and
  2. Failure to establish a record keeping mechanism for deletion of personal information and cessation of processing or use of personal information (FSC Security Measures Regulations §14(2)).

The FSC’s almost exclusive focus on security measures in 2017 contrasts with enforcement decisions from 2012-2016 where decisions were more evenly divided between data breaches, notice/consent failures, and inadequate security measures.[2]

This focus on appropriate security measures is consistent with the approach of other Taiwanese regulators in the past year or so. For example, the Ministry of Economic Affairs’ Investment Commission now sometimes requires foreign investors in sensitive industries to produce personal information security plans as part of the foreign investment approval process.

It is also worth mentioning that the FSC is far from alone in having issued regulations on personal information security standards. As of this writing, there are 34 such regulations issued by various sectorial regulators pursuant to Article 27(3) of the PIPA. Notable examples include personal information security standards for:

  1. Telecommunications enterprises, cable network operators, and television stations;
  2. Tourist hotels; and
  3. Power and gas companies.

Currently, these security standards are something of a regulatory blind spot for international businesses since very few have been translated into English.

[1] 金融監督管理委員會指定非公務機關個人資料檔案安全維護辦法

[2] In addition to the security measure enforcement decisions, there was also one data breach case involving negligent disclosure of insurance policy information to third parties as well as one inadequate notice case in 2017.

A year of sun

In August 2017 we installed solar panels on our rooftop in an effort to generate our own clean energy, offsetting the amount of energy we purchase from traditional, polluting sources. A year has passed since our Green Office team and the contractors made estimations on how much energy we could hope to generate, based on average sunshine hours in Taipei, the location of our roof and our continuing efforts at energy reduction in our offices. We predicted that the panels, covering 76 square meters, would generate 13,000 kilowatt hours of energy a year, equivalent to 18% of our total electricity usage.

In the year that’s passed, we actually generated 14,216 kilowatt hours, slightly above our original estimates. As anyone living in Taipei knows, we’ve had a very hot and sunny summer! The following screenshot is from our energy monitoring system, where we can see the amount of energy generated in real time. It goes without saying that the middle of the day is when we generate the most electricity, incidentally, when Taiwan’s energy demand is at its highest. We believe, therefore, that the installation of solar panels can help reduce the strain placed on the energy grid during peak demand and encourage other businesses and rooftop owners to look into the viability of installing their own solar panels.

So how does this generated electricity translate into usage? We calculated that based on a year’s worth of energy bills, the solar panels generated 24% of our total electricity usage during the past year. This was due in part to our energy reduction initiatives in our office (energy efficient lighting, computers set to sleep, air-conditioning used sparingly and set to 26-28C, turning lights off at lunchtime etc.), but also due to the amount of sun shining on the panels. 83% of the energy generated was used by us, with 17% sold back to the grid (energy generated at weekends when we’re not at work). We also calculated that installing the solar panels reduced our carbon footprint by 7867kg.

As you can see, installing solar panels has not only saved us money, but has reduced the amount of electricity we buy that was generated by environmentally unfriendly processes. We have also proved that Taipei is a viable location for solar panels. There are also government subsidies available to offset the installation costs, information of which can be found here.

For more information on our solar panels and other Green Office initiatives, please contact City Shen at

How the Company Act amendments will affect your Taiwan business

On 6 July, 2018, Taiwan’s legislature enacted 148 amendments to the Company Act (the “Act”). The effective date of the amended Act is 1 November 2018.

In this article, we highlight certain amendments which we expect to have a significant impact on our clients’ operations in Taiwan. We have organized these amendments into the following categories:

  1. Increased Flexibility in Equity Fundraising and Related Shareholder Arrangements;
  2. Relaxed Corporate Governance Formalities;
  3. Enhanced Substantive Shareholder Protections;
  4. More Appropriate Treatment of Foreign Companies;
  5. Increased Corporate Transparency;
  6. More Flexible Employee Equity Incentive Arrangements; and
  7. Increased Dividend Distribution Options.

1. Increased Flexibility in Equity Fundraising and Related Shareholder Arrangements

Prior to recent amendments, the Act posed a number of difficulties for companies engaged in equity financing. The Act previously contained a rule requiring a company to issue all of its existing authorized shares before it could authorize and issue new shares. This rule has been eliminated making it procedurally easier for companies to issue new equity capital.

The amended Act has also expanded the types of equity shares that may be issued. Private companies may now issue preferred shares with special voting, veto, and other control rights. A private company will now also be able to issue shares without par value, provided that all of the company’s shares are issued without par value.

In a related amendment, the new Act allows for further individual tailoring of corporate control by permitting voting agreements and voting trusts among shareholders. It is important to note that the amended Act clearly permits restrictive voting arrangements with respect to the election of directors and supervisors as well as voting arrangements concerning certain other company matters. This amendment was a direct legislative response to the majority view in Taiwan’s courts that voting agreements among shareholders regarding elections of directors and supervisors were unenforceable except in the limited case of a closed company.

2. Relaxed Corporate Governance Formalities

The amended Act eliminates a number of cumbersome corporate governance formalities and simplifies others. As amended, the Act does not require wholly owned, incorporated subsidiaries to appoint a minimum of three directors. Now, one director will suffice. Additionally, wholly owned subsidiaries are no longer required to have supervisors.

Corporate governance meetings have also been simplified. Shareholder meetings of a private company may be held by video conference in lieu of a physical meeting, provided that the company’s articles of incorporation expressly permit such video conference meetings. Private company boards may also pass written resolutions in lieu of holding meetings, provided that (i) written board resolutions are expressly permitted by the company’s articles of incorporation and (ii) all directors have agreed to the use of such written resolutions. We expect these meeting-related changes to be particularly welcomed by the many international businesses with wholly owned, incorporated subsidiaries in Taiwan.

3. Enhanced Substantive Shareholder Protections

While reducing some of the more ineffectual corporate formalities, the new Act introduces improvements in substantive shareholder protection. The amended Act permits a majority of shareholders to call a shareholders meeting with three months’ advance notice. Previously, shareholder meetings had to be called by the board unless the shareholders had received approval from the company’s relevant regulator to call a shareholders meeting directly.

Rules for shareholder meeting notices have also changed. The types of matters which must be explicitly set forth and explained in a shareholder meeting notice in order to be properly brought before shareholders for discussion or resolution at a meeting was expanded in the revised Act to include matters relating to (i) capital reductions; (ii) going private transactions; (iii) waiver of certain director non-compete obligations; and (iv) capitalization of profits and capital surpluses. Such measures are intended to prevent management from introducing unexpected meeting agenda items and otherwise concealing the nature of the business to be transacted at shareholder meetings.

4. More Appropriate Treatment of Foreign Companies

One of the more important features of the amended Act is the elimination of the recognition system for foreign companies. So long as a foreign company has been duly established in its home jurisdiction, such company now automatically has legal personhood in Taiwan without the need to make a special application for recognition from the Taiwan government. This amendment has the very practical and beneficial result that all properly established foreign companies will be recognized in Taiwan, thus eliminating the personal risk and liability that a representative of an unrecognized foreign company would incur if he or she were to act on behalf of an unrecognized foreign company.

The amended Act creates another benefit specifically for foreign companies. While foreign companies are still required to register Chinese names, they may now also register a name in a foreign language and enjoy certain exclusive rights to the use of that name in Taiwan. We strongly encourage all foreign companies operating in Taiwan to register their foreign language name after the amendments come into force.

5. Increased Corporate Transparency

In an effort to increase corporate transparency, the revised Act prohibits the issuance of bearer shares. Existing bearer shares may remain in circulation; however, when any holder of bearer shares exercises its rights with respect thereto, the issuing corporation must exchange such shares for registered shares. In addition, the amended Act requires corporations to make annual reports of major shareholders (defined as a shareholder holding 10% or more of a corporation’s outstanding shares), directors, and officers. Corporations must also file to update such reports within 15 days of any change.

We note that a controversial requirement to report ultimate beneficial owners was not included in the revised Act. We continue to watch this particular issue with interest.

6. More Flexible Employee Equity Incentive Arrangements

The new Act improves the ability of companies to create and manage an employee equity incentive plan. The amendments allow companies to repurchase previously issued shares and use the resulting treasury shares as employee equity compensation. Private companies may also now directly issue new restricted shares to employees.

The amended Act introduces further flexibility with respect to which employees can be included in equity incentive plans. Under the new Act, a company’s articles of incorporation may provide that existing incentives such as warrants and subscription rights can be issued to the employees of affiliated companies, including holding companies, subsidiaries, and other affiliates.

7. Increased Dividend Distribution Options

Another positive change found in the amended Act is the flexibility for a company to provide for annual, semi-annual, or quarterly dividend distributions in its articles of incorporation.

Overall, the changes made to the Company Act have reduced unnecessary corporate formalities while enhancing flexibility around shareholder and financing arrangements. While no date has been given, we expect most amendments will go into effect in early 2019. The new major shareholder reporting requirements may be implemented even earlier in light of an upcoming international anti-money laundering review scheduled for this fall.

If you have any questions as to how the amendments may affect your business in Taiwan, please contact Daniel Chen at and Gregory Buxton at

Associates Michael Fahey, Brian Yang and trainee lawyer Pei-hsu Wu contributed to this article.

Could Taiwan’s new regulatory sandbox spur innovation in its financial services industry?

The Financial Technology Development and Innovative Experimentation Act, passed by Taiwan’s Legislative Yuan in January of this year, aims to foster a positive environment for new and untested forms of financial technology, also known as “fintech.” The Act provides for the creation of a regulatory sandbox, following in the footsteps of the UK, Singapore, Australia, and Hong Kong. The sandbox would allow fintech startups a period of up to three years to develop and test out their products or services, while avoiding the risks associated with such development or endangering the rights and interests of financial consumers.

Thus far, two companies have submitted a complete application package to participate in the sandbox, but around 40 potential applicants have approached the competent authority designated by the Act, the Financial Supervisory Commission (FSC), with queries regarding the sandbox. Most of these are simply inquiring about the application requirements and process; however, over ten have received guidance from the FSC and will likely apply in the future. Applicants include companies engaging in a wide range of financial technology development, such as blockchain cross-border remittance technologies, P2P online lending platforms, investment robo-advisors, online insurance, cryptocurrency platforms, and others.

In this article, we provide a general overview on the Act, highlighting key provisions related to participation in the regulatory sandbox.

As mentioned above, the competent authority designated in the Act is the FSC, which is responsible for the creation of a unit dedicated to reviewing all applications, determining the effectiveness and feasibility of each innovative experimentation plan being applied for, and overseeing the progress of each plan once it has been approved.

Chapter II of the Act indicates the required documentation for applying to take part in the sandbox. This includes an application form, information regarding the individual, sole proprietorship or partnership, or legal person applying for the sandbox, and an innovative experimentation plan, which should illustrate the innovativeness of the technology, indicate the source of funds for the project, and potential risks and risk management mechanisms, among others. Supplemental documentation may also be requested by the FSC.

The FSC, in its review of an applicant’s filing package, will determine whether 1) the project involves financial businesses that require its permission, approval, or concession; 2) the project is innovative; 3) the project can increase the efficiency of financial services, reduce costs, or enhance the interests of financial consumers or enterprises; 4) potential risks have been assessed and response mechanisms have been prepared; and 5) protection measures and compensation for participants (those consumers that have chosen to take part in the experimentation) have been prepared. The review process may take up to 60 days, and may include adjusting the content of the plan being applied for, limiting the eligibility of participants, adding requirements, and exempting the plan from certain regulations. Any application that is approved by the FSC will be disclosed on its website, and this disclosure will include the applicant’s name, the duration and scope of the experimentation, the regulations that the project is exempted from, and other relevant information.

Once the experimentation by an approved applicant is underway, the FSC will continue to play a supervisory role, and maintains the right to periodically check the progress of any project. Furthermore, it has full discretion in revoking its approval of a project that it determines could be adverse to the market or to the interests of the participants, goes beyond the scope approved of by the FSC, or violates any additional requirements or obligations established by the FSC or any of the provisions of the Act. The length of the experimentation is limited to one year, but a six month extension may be applied for. In cases in which the experimentation involves amending existing laws, the duration may be extended up to three years, longer than that of other countries’ sandboxes.

The Act also contains a number of articles protecting participants in the sandbox, including ensuring that the financial product or service contract entered into by the applicant and participant is fair and drafted in good faith, and providing for a dispute resolution channel, in accordance with the Financial Consumer Protection Act.

The final section of the Act lists the specific regulations that experimentation approved by the FSC is exempt from. This includes provisions of the Banking Act, the Trust Enterprise Act, the Act Governing Electronic Payment Institutions, and the Securities and Exchange Act, among others. Nevertheless, sandbox applicants will not be exempt from the provisions of the Money Laundering Control Act, the Terrorism Financing Suppression Act, and other related laws and regulations.

Based on the success of other fintech sandbox schemes worldwide (90 percent of applicants participating in the first round of the UK’s version have gone on to market, for example), there are high hopes that such a system can foster much-needed innovation in Taiwan’s finance industry as well. As with similar regulations, knowledge of the application process, as well as of the relevant restrictions and exemptions once an application is approved, are essential to ensuring an applicant’s successful navigation of the sandbox.

For more information on Taiwan’s fintech regulations, please contact Christine Chen at

WP welcomes new associates

Winkler Partners recently welcomed new members to our legal and translation teams.

Brian Wang joins Winkler Partners from a well-known Taiwanese law firm where he focused on disputes involving intellectual property. At Winkler Partners, Brian will continue his work supporting clients in the protection of their intellectual property rights, bringing over 10 years experience to the field. He is a member of the Taipei Bar.

Oliver Wu rejoins our legal translation team. Oliver previously worked at Winkler Partners for nine years supporting clients with their legal translation needs. He returns to working with us after pursuing academic interests. Oliver has extensive experience translating legal and commercial documents, contracts and notarial certificates, among others.

Key points to know when engaging in civil disputes in Taiwan

Litigation in Taiwan can be costly and complex. Before filing a claim, potential foreign plaintiffs need to understand pre-filing steps such as attachment, demand letters, and payment orders as well as the formalities and evidentiary considerations involved after a decision to litigate has been made. Strategically, it is important to understand that filing a case and presenting one’s evidence is usually necessary before there is any possibility of settlement.


An attachment order may be applied for before filing litigation to ensure that the defendant’s assets are not improperly transferred, hidden, or disposed of. In order to obtain an attachment order, the plaintiff must prove to the court that there is a strong likelihood that the defendant would engage in such behavior. They must also post a bond of one-third of the attachment claim.

Demand letter

In Taiwan, as elsewhere, a potential litigant may send the counterparty a demand letter. This letter states the legal claim(s), demands restitution or compensation, and lists out the consequences of noncompliance. This letter is generally drafted by an attorney and sent as a ‘legal attest letter’. When a legal attest letter is sent, the post office will retain a certified original copy of the letter and record the date and time of delivery to the recipient.

The demand letter in the form of a legal attest letter is a key item of evidence for future litigation in cases where the remedy sought is rescission of a contract and a refund of the payment.

Payment order

If the counterparty has not paid or refuses to pay an outstanding debt, a creditor may move to have the court issue a payment order. Once the counterparty receives this official document, she has 20 days to object. An objection does not need to state any grounds, and once it has been made, the creditor’s motion for a payment order will automatically become a civil complaint. However, if the recipient of a payment order does not lawfully raise an objection within 20 days, the creditor may file a motion with the court to enforce the payment order as a final judgment against the counterparty’s assets. The official fee for issuance of a payment order is NT$500. Payment orders can be a faster and cheaper way to enforce the plaintiff’s monetary claims against the debtor’s assets.

Civil action

If an amicable settlement does not appear to be a possibility, the aggrieved party can move forward with filing a civil complaint. Key issues for a foreign litigant to be aware of include:

1) Document authentication

A Power of Attorney designating a foreign litigant’s legal counsel is frequently required to be notarized and legalized (authenticated) before being submitted to the court. Civil litigation in Taiwan requires a specific POA for each proceeding. Since there can be multiple proceedings, we recommend notarizing and legalizing (authenticating) these documents as soon as possible.

2) Security bond

A defendant may move the court to order a foreign litigant who does not have a domicile, residence, or office in Taiwan to put up a bond of roughly 4% of the total claim unless the foreign litigant possesses sufficient assets in Taiwan to cover court costs. This bond may be paid in the form of cash, bank guarantee, or a cash equivalent. The purpose of the bond is to ensure that the defendant can recover the court fees it pays during the civil action (especially in appellate proceedings) from the foreign plaintiff if the defendant ultimately prevails in the final judgment.

3) Translation

As Chinese is the official language of the courts in Taiwan, all documentation, such as agreements, correspondence, reports, and any other documentary evidence in a foreign language must be translated into Chinese for the court’s review. Given that the first instance for a civil action in Taiwan can take six months to two years to conclude, include several hearings, and require submission of many documents from the plaintiff, this could entail a significant amount of work and time if the wrong translator or translation house is chosen.

4) Evidence preservation order and absence of discovery

Taiwan does not have a full-fledged system of discovery as is the case in the US. However, preservation orders can function as a basic discovery device. A party that believes that the counter party is likely to spoliate evidence may move the court for an evidence preservation order. The motion for preservation order may be made before the civil action. Motions for evidence preservation orders are not frequently granted. In the absence of an evidence preservation order, a party may choose not to produce evidence detrimental to its interests. As a result, a plaintiff in Taiwan litigation is often in the position of having to produce all the evidence necessary to prove his or her case while the defendant can win even if he or she produces very little evidence. It is therefore very important to review the plaintiff’s evidence in advance before deciding whether or not to file litigation.


Settlement may be carried out through the courts, or through alternative dispute resolution such as mediation.

In the absence of discovery, a Taiwan defendant is unlikely to settle simply with receipt of a demand letter. Before deciding whether to settle a dispute, a local defendant would usually wait until the plaintiff produces its evidence to assess how much of a threat the plaintiff’s case poses to the defense. As a result, filing a civil action is usually necessary to create the proper conditions for a settlement. Settlement also becomes more likely after the judge discloses his or her preliminary evaluation of the evidence and arguments.

To learn more about civil litigation in Taiwan, please contact Christine Chen at and Daniel Chen at

To inquire about legal translation services, please contact

Taiwan enacts Cyber Security Management Act

Taiwan’s legislature enacted the Cyber Security Management Act (the “Act”) in early May 2018. The Act was published by the Presidential Office in June and will take force on a date to be announced by the Executive Yuan.

This introduction to the Act begins with a discussion of the background, policies and definitions in the general principles chapter of the Act. That discussion is followed by a brief look at the Act’s chapter on public agencies and a more detailed look at the chapter on the private sector focusing on critical infrastructure operators.

The objectives of the Act are to implement a national information security policy and to build a secure information environment to protect national security and the public’s welfare. Act §1. According to the Executive Yuan, there were 360 security incidents at Taiwanese public agencies in 2017. While most were less serious Level 1 and Level 2 incidents, 12 were Level 3 incidents.

The Act’s competent authority or regulator is the Executive Yuan. Act §2. The designation of a single regulator was made relatively late in the legislative process due to concerns that dispersed regulation of different sectors by sectorial authorities would be ineffective.[1] In practice, the Executive Yuan’s Department of Cyber Security will lead the Executive Yuan’s regulatory effort.

The Act’s key definitions include definitions of information systems, information security, information security incidents, and critical infrastructure. Act §3. These definitions closely track similar definitions in relevant U.S. law. For example, the Act defines information security as “protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to ensure the confidentiality, integrity, and usability of information systems.” Act §(3)(1). This definition is a slightly simplified version of the definition of information security given in 44 U.S. Code §3542.

The Act defines critical infrastructure as “…a physical or virtual asset, system, or network in sectors to be periodically reviewed and announced by the competent authority where there is a likelihood that the cessation or diminishment of the asset, system, or network would have a serious impact on national security, the public interest, or the life and economic activities of citizens .”[2] Act §3(7). There have been concerns that this very broad definition of critical infrastructure might subject internet services such as social media or widely used messaging platforms to regulation under the Act.

Public Sector Information Security

Chapter II of the Act sets out the duties of public agencies to maintain the security of their information systems. Public agencies must put in place information security policies and appoint chief information security officers. Act §§10-11. They are also required to report information security incidents to any superior agency, if any, and the Executive Yuan. Act §14.

Private Sector Information Security

Regulation of the private sector is generally limited to designated critical infrastructure operators.[3] Act Chapter III §§16-18. To designate a private entity as a critical infrastructure operator subject to regulation under the Act, the operator’s sectorial regulator will consult with personnel from public agencies, private sector representatives, and experts. For example, the Ministry of Economic Affairs will designate which power plants are critical infrastructure in consultation with the public agencies, the private sector, and experts because the Ministry of Economic Affairs is the sectorial regulator for energy producers. Act §16(1).

Like public agencies, designated critical infrastructure operators will be required to implement information security policies. Act §16(2). Implementation of information security policies must be reported to the critical infrastructure operator’s sectorial regulator. Act §16(3). For example, a designated power plant would be required to report its information security policy to the Ministry of Economic Affairs.

A designated critical infrastructure operator’s sectorial regulator is required to audit the critical infrastructure operator’s implementation of its information security policy. Act §16(4). This audit requirement was introduced during the legislative process in response to the Executive Yuan’s original draft that controversially gave government agencies the power to conduct on-site inspections.

A designated critical infrastructure operator will also be required to file an improvement report in the event that a deficiency or need for improvement in its information security policy is identified. Act §16(5). Sectorial regulators are required to issue regulations governing information security policies as well as related auditing, reporting, and compliance requirements. Act §16(6).

Article 18 of the Act requires designated critical infrastructure operators to set up reporting and response mechanisms for security incidents. Act §18(1). In the event of a security incident, the critical infrastructure operator must first report the incident to its sectorial regulator and then file a separate post-incident improvement report regarding the security incident at a later date.[4] Act §§18(2)-(3). In turn, the sectorial regulator has a duty to report security incidents to the Executive Yuan. In the case of significant security incidents, the sectorial regulator is also required to send the critical infrastructure operator’s improvement report to the Executive Yuan. Act §18(3). The Executive Yuan or sectorial regulator has the power to announce significant security incidents and the response thereto to the public. Act §18(5).

Fines of NT$100,000 to NT$1 million (c. US$3,300 to US$33,000) can be imposed on designated critical infrastructure operators for the following categories of violations:

  1. violation of rules governing information security policies;
  2. failure to implement a reporting and response mechanism for security incidents; or
  3. failure to file reports on the investigation, handling, and remediation of security incidents or the filing of an incomplete security incident report. Act §20(1)(1)-(3).

Failure to report a security incident will result in a fine of NT$300,000 to NT$5 million and an order to report. This fine can be imposed multiple times if the critical infrastructure operator does not comply with the order to report. Act §21.

Like many Taiwanese laws, the Cyber Security Act sets out broad principles and leaves many of the key details to regulations issued by the regulator. As of this writing, the Executive Yuan’s Department of Cyber Security has drafted six regulations under the Act. Of these, four are relevant to designated critical infrastructure operators:

  1. The Cyber Security Act Enforcement Rules,
  2. The Regulations for Classification of Cyber Security Responsibility,
  3. The Regulations for Reporting and Responding to Cyber Security Incidents, and
  4. The Regulations for Inspecting Implementation Status of Special Non-official Agencies’ Cyber Security Maintenance Programs.

These draft regulations have been announced for public comment on the Executive Yuan’s online platform for public policy (in Chinese). The public comment period ends on 23 August 2018. The Department of Cyber Security has already revised the draft regulations once following a series of seminars held in April and May of this year for public agencies, critical infrastructure operators, and experts to provide preliminary commentary. The 7 May seminar in Taipei for potential critical infrastructure operators was of particular interest. A complete transcript (in Chinese) of the seminar may be found here along with transcripts of other seminars for experts and public agencies.

The Department of Cyber Security has indicated in the Taiwanese media that that Act will take effect in two phases. The Department expects that the Act will come into force for public agencies starting around 1 January 2019. It further expects to put the Act into force for private entities including designated critical infrastructure operators in June 2019.

[1] There is perception among experts in Taiwan that Taiwan’s dispersed regulatory model for data protection has hampered effective enforcement of the Personal Information Protection Act.

[2] This definition of critical infrastructure is quite similar to the one given in the US Code of Federal Regulations 31 C.F.R. § 800.208.

[3] The other ‘private sector’ entities subject to regulation under the Act are state enterprises and publicly funded foundations. Act §6.

[4] The reporting requirement is similar to that in Article 14 of the EU’s 2016 NIS Directive.