Computers, Privacy & the Constitution

The New Personal Data Protection Act in Taiwan


Taiwan's new Personal Data Protection Act ("PDPA") became effective on October 1, 2012. Being called "the strictest personal data protection law in the world", the scope of the Act is broadened, nearly everyone in this country has been unknowingly breaking the law.

The law is so broad and all-encompassing – it protects any data (including photographs not obtained from a public source) deemed “sufficient to directly or indirectly identify a person” – that it is easy to be an inadvertent offender. Just passing someone’s business card to a third party without first getting his/her consent would be a violation. HR departments will need to exercise great caution on what information they gather on employees or job applicants and how long they retain data on those who have already left the company or were passed over for hiring. Businesses will have to be sure they do not use customer information for a purpose other than the one they originally stated – without taking steps to again gain the customer’s explicit consent. (e.g. collecting contact information for a lucky draw and then using it for a sales campaign).

To trike a balance between privacy protection and public interest, the use of such data must be within the scope of its specified purpose and have a justifiable connection with such specified purpose, unless certain exceptions are met. Firstly, for instance, a hospital can collect an individual’s Personal Data only for the purpose of medical care and not for any other purpose. Second, during legislation, there was a freedom of the press concern that media, political commentators or elected representatives would be required to seek the prior consent of individuals before collecting or publicizing information about them. However, this is no longer an issue, as the Act exempts mass media from being required to seek prior consent from individuals before publicizing information about them, if the information gathered and public reports are "for public interest purpose". Third, the Act also excludes Personal Data accessed during private and family activities and the posting of information or group photos or videos on the website of electronic social networks from the prior consent requirement, as long as the information or materials are acquired at "public places or open activities" and no other personal information is revealed. For example, taking pictures of individuals during public activities and posting them on blogs and other similar types of Web content without revealing other Personal Data is unlikely to be a violation. However, blog users will be dealt with under the Civil Code if they use others’ personal pictures without obtaining prior consent or if their posts or comments damage others’ reputations.

Enforcement Rules

Besides civil liability, conviction for violating the PDPA could potentially carry criminal penalties of up to five years’ imprisonment and NT$1 million in fines. In certain instances, the CEO of the violating company could be held personally responsible for the same amount in the form of an administrative fine, unless his/her obligation to seek to prevent the violation is proven to have been fulfilled.The Act has extensive provisions for offenses and ‘administrative fines’ against private sector agencies, which can be imposed by the central competent authority for a particular industry. Private sector agencies can alternatively be subjected to an administrative fine by the central competent authority for a particular industry. Finally, the filing of class action legal proceedings against parties who violate the law is permissible under the new Act.

Implications and Suggestions

There is some practical advice for staying on the right side of the law. Firstly, at the time of data collection, inform the person as to the name of the collector, the intended purpose, the type of data being collected, the time period and area in which the data will be used, the parties that will use the collected data, the way in which it will be used, and the impact on the person’s rights and interests if the data is not provided. Additionally,the individual must also be notified of his/her rights to review, copy, supplement, correct, and delete the data, as well as to stop the collector from collecting, processing, or using his/her information. Moreover, the communication does not have to be in writing, but since oral notification can be difficult to prove in case of a dispute, make sure to get written consent. Although most companies hope to use one single all-purpose consent form or letter, that is rarely feasible. Prepare multiple letters to cover different circumstances.

The Act promises much stronger data protection, and requires more vigilance by companies involved in transactions either with Taiwanese corporate partners or with Taiwanese consumers. As the law is well-intentioned, motivated by instances of data leaks and the profusion of scam operations, the scope of the legislation will prove to be so wide-ranging as to be unmanageable. Therefore, companies that control or process existing personal data should review how such data has been collected and whether a Subject’s consent has been obtained. If not, companies are advised to consider possible approaches to obtain consent or provide notifications, although details on how consent should be obtained still await further clarifications. The consciousness of privacy-security should be raised to avoid leak of personal data loss. It is referred from Protection of Personal Data Law that privacy information such as name, telephone number, ID number, and passport information should be protected. E-mail plays a more critical role to transmit information with the growth of electronic commerce. As a result, the companies should make extra effort to place e-mail security under control to prevent loss of personal data. Their experience will be of great value to later offer suggestions to the government on ways in which the law could be amended to make it more workable.  

It's interesting to observe how easily one can legislate to absurdity if there aren't strong free speech guarantees entrenched against legislative erosion. Obviously, without a strong basis for limiting the effect of such over-regulation through aggressive free speech doctrine, including overbreadth and similar rules to allow broad challenges by parties regardless of the constitutionality of the regulations as applied to them, "data protection" can be turned into a roving charter for government to suppress or punish any speech it desires.

Conceptually, one can benefit from this legislation by seeing how pointless this sort of engineering is: the legislator trying to operate this way has to regulate directly every transaction involving information about people, despite the overwhelming variety of contexts involved. The result is foolish formalism, which is either enforced to the breaking point or remodeled in practice by the introduction through some other social medium of all the flexibility subtracted by the "strictness" of the statute.

Someone wishing to explain why the ethics of privacy are ecological rather than transactional could hardly have a better negative illustration available.


Webs Webs

r4 - 14 Jan 2015 - 22:44:39 - IanSullivan
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM