Privacy & Cybersecurity Law Blog

On December 30, 2015, Taiwan’s Office of the President issued an order to promulgate certain amendments (the “Amendments”) to Taiwan’s Personal Data Protection Law (the “PDPL”). The Amendments revise 12 articles in the PDPL. The Amendments concern the collection and use of sensitive personal data, the form of consent for the collection and use of non-sensitive personal data, and the imposition of criminal liability for violations of certain provisions of the PDPL. The Amendments are expected to become effective in the first half of 2016 on a date to be determined by the Executive Yuan.

With respect to non-sensitive data, the Amendments remove the requirement that government agencies or private sector entities obtain written consent to collect, process or use non-sensitive personal data. In addition, the Amendments require that “special personal data” be collected, processed or used with the written consent of the data subject. Special personal data is equivalent to sensitive personal data and includes medical records, information on medical treatment, genetic information, sexual background, health examination information and criminal records. These changes align the consent requirements under the PDPL with practices in many other jurisdictions, including Hong Kong. In cases where special personal data has to be collected, processed or used to fulfill a legal obligation of a government agency or private sector entity, proper security measures must be taken before or after such collection, processing or use.

Violations of certain important provisions of the PDPL will be subject to a fixed-term of imprisonment for up to 5 years and a fine of up to NT$1,000,000 (approximately $30,000 USD). These criminal penalties will apply only where the violation occurred with the intention to secure illegal interests for oneself or a third party, or to infringe upon the interests of others. Negligent violations of such provisions will not be subject to criminal liability.