Amendments to Articles 6-8, 11, 15, 16, 19, 20, 41, 45, 53, and 54 of Taiwan’s Personal Information Protection Act (“PIPA”) took force on 15 March 2016. The most important change is that Taiwan now has enhanced protection for special categories of sensitive data. At the same time, compliance with Taiwan’s data protection rules has been made easier by relaxing the consent requirement for ordinary personal data and reducing the risk of criminal liability for violations of the PIPA.
Sensitive Personal Data
The legislative rationale for enhanced protection of sensitive personal data is that “unregulated collection, processing, and use of certain types of personal data…[is likely to]… give rise to social disquiet and cause irreparable harm to the data subject.” PIPA §6 Legislative Comment (1). For purposes of this overview, “processing” will be used as a collective shorthand for the collection, processing, and use of personal data, although it should be kept in mind that the PIPA defines each of these acts separately. A data subject simply means the natural person who is identified by the personal data. PIPA §2.
Categories of Sensitive Data
Article 6 enumerates the following special categories of sensitive data:
- medical records,
- medical treatment [data],
- genetic data,
- sexuality,
- health examination results, and
- criminal records.
Precise definitions of these terms are given in the Enforcement Rules of the Personal Information Protection Act (the “Enforcement Rules”). For example, ‘sexuality’ means sexual orientation and practices. Enforcement Rules §4.
Processing these six categories of sensitive data is prohibited and subject to criminal and civil liability unless an exception applies.
The PIPA permits the following exceptions to the general prohibition on the processing of sensitive personal data:
- another law expressly permits processing,
- there is a statutory duty or obligation to process sensitive personal data,
- voluntary disclosure by the data subject or other lawful disclosure,
- for purposes of medical, public health, and criminology research by government agencies or academic institutions,
- assisting in a statutory duty or obligation to collect, process, or use the sensitive personal data, or
- valid written consent by the data subject. PIPA §§6(1)(1)-(6).
PIPA §6(1)(5) and §6(1)(6) are new exceptions. PIPA §6(1)(5) is best understood as complementing §6(1)(2). Under §6(1)(2), a public agency’s statutory authority and duties may make it necessary for the agency to process sensitive personal data. For example, municipal health authorities have a duty to assess the risk of domestic violence under §8(9) of the Domestic Violence Prevention Act. To carry out this duty, a municipal health authority may collect and process medical treatment records obtained from a hospital pursuant to §6(1)(2). The hospital may assist the municipal health authority in carrying out this duty by providing the medical treatment records under §6(1)(5).
Sensitive data may now be processed with written consent from the data subject. Consent is not valid if the processing of the sensitive data exceeds the scope of the consented purpose or if it was obtained under duress. PIPA §6(1)(6). Written consent may be in the form of an electronic record. Enforcement Rules §14. With the addition of a consent exception for the processing of sensitive data, Taiwan’s rules for sensitive data are more consistent with those found in leading European jurisdictions such as Germany.
Ordinary Personal Data
Previously, written consent was required to collect ordinary personal data. As of 15 March 2016, any “declaration of assent” to an initial processing of data is valid so long as the data subject has been informed of the purpose of the data processing and of their rights under the PIPA. In other words, written, oral, or even implied consent to the initial processing of data is valid. PIPA §7(1).
Similarly, written consent is no longer required for processing data for a new purpose beyond the original purpose so long as the data subject has been informed of the new purpose and the possible consequences of not consenting. This consent must however be given in an independent declaration. PIPA §7(2).
Presumption of Consent
One of the most important new changes to the PIPA is the creation of a presumption of consent to an initial processing of data where:
- the data controller has informed the data subject of the purpose of the data processing and their rights under the PIPA,
- the data subject does not reject the request to process the data subject’s personal data, and
- the data subject nonetheless provides their personal data to the data controller. PIPA §7(3).
No such presumption arises for extended processing of ordinary personal data beyond the scope of the initial purpose.
Although the relaxed consent requirements and the presumption of consent should make it easier for data controllers to comply with the PIPA, it should be noted that the burden of proof with respect to consent remains with the data controller at all times. PIPA §7(4).
Finally, criminal liability no longer attaches for processing personal data in violation of the PIPA where the data controller or processor merely has general intent with respect to the prohibited conduct. Previously, a data controller or processor who generally intended to collect, process, or use personal data in violation of the PIPA could face up to two years in prison. Now the data controller or processor must have a specific intent in the form of an unlawful purpose or to harm the rights and interests of another to trigger criminal liability (up to five years’ imprisonment).