20 July, 2007
Renewed Calls for Amendment of Computer Processed Personal Data Protection Act
The head of Taiwan’s Ministry of Justice recently urged the Legislative Yuan to pass proposed amendments to the Computer Processed Personal Data Protection Act to address the continued trade in and abuse of personal data. Taiwan currently has tough personal data and privacy protections compared to many nations but there is a growing consensus that the laws should be tightened further. The Act was promulgated in 1995 and has not been amended since.
The Act currently applies to the collection, processing , and use of personal data by computer by certain classes of public and private entities. "Processing" is defined as the recording, inputting, saving, editing, modifying, copying, searching, deleting, outputting, linking, or transmitting internally of the personal data."Use" means all uses of the collected personal data other than processing.
Under the Act, these entities must register and obtain a license from the competent authority. According to the registration rules issued by the competent authority, the term "entities" refers to companies/businesses that engage in specific activities in Taiwan, for example, telecommunication companies and there are eight designated industries that must comply with the Act. The Act restricts the use of personal data collected to those purposes specified for the business type by the competent authority and by the business’ specific registration. Use may only be made of the data outside of the specified purpose in a number of circumstances including where the written consent of the individual has been obtained.
The Civil Code and Criminal Code also both provide some protection with respect to the collection, use, and disclosure of personal data by entities and individuals. Under the Civil Code, a person who unlawfully infringes on the rights of another, whether intentionally or mistakenly, is liable to compensate that individual for any damage resulting from the infringement. There is also liability under the Civil Code for the injury to an individual’s privacy, reputation, or other legal interests. The Criminal Code may apply when disclosure of personal data has been made. The Criminal Code specifically prohibits the unauthorized disclosure and sale of personal secrets collected via computer without due cause.
The Executive Yuan introduced a bill in 2005 to amend the Computer Processed Personal Data Protection Act. The bill passed first reading but has been stalled at second reading since 2005. Interestingly, a number of legislators sought to have legislators as a whole exempt from complying with the amended Act on the grounds that it could prevent whistleblowers coming forward and these concerns in part have delayed its passage. The proposed amendments overall, however, generally reflect the current civil and criminal protections for personal data in Taiwan and aim to curb the growing misuse of personal data in Taiwan by broadening the definition of “data”, expanding the responsibilities to all the individuals and enterprises to protect such information, and strengthening penalty provisions for unlawful disclosure.
The scope of the amended Act will be broadened in that the definition of data will no longer be limited to "computer-processed " data and the regulatory regime will apply to all individuals and enterprises, not just government agencies and designated industries. The party collecting the data will be required to obtain an individual’s written consent, absent one of four other criteria being met, and the party must specifically identify itself, indicate the purpose of the data collection, and how the personal data will be used. Furthermore, the use of personal data must be within the scope of its “original specified purpose”. The Act does, however, permit certain uses of personal data outside the scope of its “original specified purpose”, for example, where national security or protection of a third party’s rights and interests are concerned.
The amended Act will also prohibit the collection, processing, and use of five kinds of personal data (medical information, genetic information, sexual life, health examination and criminal records) absent specified criteria being met by the party seeking the information. The registration and reporting requirements have, however, been removed. The party collecting the data must also use "appropriate" measures to keep the personal data from being disclosed to or stolen by third parties.
The penalties for the unlawful disclosure of personal data will be increased under the amended Act. Individuals or entities profiting from the collection, use, or sale of personal data contrary to the amended Act will face a term of imprisonment of up to five years (up from the current two years) and fines up to US$150,000 (up from the current US$1,200). Civil servants found to be in violation of the amended Act would face a term of imprisonment of up to seven and one-half years. The amendments also allow for victims to file class-action suits against parties violating the law.
Despite the calls from the Minister of Justice, it remains uncertain just when the proposed amendments will pass the Legislative Yuan.
