Legislature Updates Privacy Act

by Mark Brown

In April 2010, Taiwan’s legislature approved extensive and long-awaited revisions to the 1995 Computer-Processed Personal Data Protection Act (hereafter, the CDPA). The effective date of the amended law, entitled the Personal Data Protection Act (hereafter, the DPA), has yet to be announced by the Executive Yuan. The DPA is not expected to come into force until sometime in 2011, however, so as to allow time for supporting enforcement rules to be drafted and for public and private entities and individuals to familiarize themselves with the new data protection regime. This article examines imminent changes to Taiwan’s data protection framework that are of particular relevance to the private sector.

Fundamental principles of the CDPA/DPA

Taiwan’s data protection regime is aimed at regulating the collection, processing and use of personal data and preventing harm to data subjects. A core principle of the regime is that the collection, processing and use of personal data should respect the rights and interests of the subject. Moreover, data should be handled in accordance with the principles of good faith and credibility so as not to exceed the scope of the “specific purpose” of the collection. Protections afforded the data subject include the right to review, copy, supplement, correct, request cessation of processing or use, and request deletion of his or her personal data – such rights may not be waived in advance or limited by agreement.

Key revisions under the DPA

Universal application of the law
The DPA extends application of the data protection regime to any individual, organization or enterprise that collects, processes or uses personal data. By contrast, the CDPA applies only to public agencies and to private sector businesses, entities, groups or individuals within a limited range of specified sectors, such as financial, telecommunication and insurance.

Scope of data
“Personal data” under the DPA encompasses all data formats, not merely computer-processed personal data as stipulated in the CDPA. “Personal data” is defined in the CDPA as “a natural person’s name, date of birth, national identification number, special features, fingerprints, marital, family, education, occupation, health, medical history and financial status, social activities and other data which is sufficient to identify that person.” The DPA adds to that list a person’s passport number, genetic information, criminal record, sex life and contact information.

Obligations to inform
In most cases, when requesting personal data, the data controller must inform the data subject of certain details, including the specific purpose for collecting the data as well as the duration, location and method of use and any intended recipients of the data. For any personal data obtained from a source other than the data subject, the data collector must inform the subject of these same details before processing or using the personal data.
Like the CDPA, the DPA requires data controllers to implement reasonable measures to prevent unauthorized disclosure, loss, theft or damage of personal data. The DPA further requires data controllers to inform subjects of any loss, disclosure, theft or other infringement of their personal data.

Legitimate grounds to collect, process and use personal data
The collection, processing and use of personal data must be for specific purposes (as communicated to the data subject) and must meet one of several requirements to comply with the DPA, including being based on a contractual or semi-contractual relationship with the data subject, or by written consent provided by the subject.

The DPA abolishes the current registration and public announcement requirements for non-government data controllers. Universal application of the DPA obviates the need for registration, and the obligations to inform replace public announcement as a more direct and fair means of informing subjects of the intended purpose of collecting, processing or using their personal data.

Prohibited data
Certain types of personal data – medical information, genetic information, sexual life, health examination and criminal records – may not be collected, processed or used except under certain circumstances, including where the information has been made public in a legitimate way.

Use outside specified purpose
The use of personal data must be within the scope of the original specified purpose for collecting the data. In most cases, a data controller would need to obtain the data subject’s written informed consent to exceed this scope. There are exceptional circumstances listed in the DPA, however, including where such use prevents harm to the data subject or a third party.
If use outside the specified purpose is for marketing purposes, the data controller must at its own expense provide the data subject a means to “opt out”.

The DPA grants administrative authorities various means to sanction data controllers that violate the act. Authorities may prohibit the collection, processing or use of personal data, order the deletion of data, seize or destroy data collected illegally, and publicly announce the details of the violation and identify the data collector. Authorities may also impose fines on offenders over and above such measures. It should be noted that a company representative would be subject to the same fine imposed on a company for contravention of the DPA unless the representative can prove that he or she took measures to prevent the violation.

The DPA increases criminal penalties and removes the “intent to profit” and “actual damage” thresholds required to establish criminal liability under the CDPA. Under the DPA, criminal liability arises where a data controller illegally collects, processes or uses personal data in a way that is likely to harm the data subject. Where such illegal activity is undertaken with intent to profit, offenders face more severe punishment of detention of up to five years and a fine of up to NTD1 million.

Under the DPA, an injured party may claim actual and non-pecuniary damages. The maximum total damages that may be claimed under the DPA for a breach arising from the same facts is NTD200 million, ten times the maximum under the CDPA. An injured party may also seek measures to restore a reputation damaged by the breach. The DPA also allows for class action suits whereby 20 or more claimants may collectively bring suit through a foundation or public interest association.

A version of this article appears in the Computer Law and Security Review. For more information about this topic, please contact K. Mark Brown.