Taiwan's Revised Personal Data Protection Act
The Age of Information Liability Begins
When they take effect next year, strict new stipulations will put virtually everyone in Taiwan at risk of unknowingly breaching the Personal Data Protection Act, with possible fines of up to NT$200 million.
By Benjamin Chiang
From CommonWealth Magazine (vol. 454)
On April 27, Taiwan's Legislative Yuan passed revisions to the Personal Data Protection Act in its third reading. Consisting of 56 articles, the Act is expected to be formally enforced in the first half of next year. For companies and individuals that use the Internet, the revised law has created a legal minefield.
During the past months Irving H.C. Tai, general director of the Science & Technology Law Center of the Institute for Information Industry (III), has been a sought-after person. "Every day information security managers are coming to see me to ask what they can do to ensure information security," Tai says.
Courses about the Personal Data Protection Act held by III are all booked out. "The courses were fully reserved within seconds. We needed to change the registration system to be able to respond to the flood of registrations," says Tai.
Everyone Equally Liable
Before the latest revisions, the Personal Data Protection Act applied only to eight specific industries. But the revised Act applies to all industries and every individual.
For companies or the government, information security will no longer be strictly the business of their information departments once the Act is enforced. Instead, every single employee from the boss down will be liable. If a company or government agency engages in the illegal collection, processing or use of personal data, it is liable for monetary compensation for every single incident of personal data damage. A single injured party may claim up to NT$20,000 in monetary compensation for each incident. All parties involved, from the company or government agency to the person in charge and data processing employees, can be held liable.
Even more harrowingly, injured parties may file class-action suits. Under a single class-action suit, monetary compensation of up to NT$200 million can be claimed. Company owners may even face jail sentences of up to five years.
"This goes far beyond the scope of responsibility that a company could take, but it does not necessarily really prevent hackers," complains a prosecutor who did not want to be identified. Arguing that the Act is too strict, he fears that prosecutors will waste time investigating personal data leaks while no time will be left to go after the root of the problem – hackers and Internet fraudsters.
Even III, which regularly conducts online surveys, is reexamining its workflow controls for fear of loopholes in its information gathering process. "I have particularly asked our accounting chief whether III would be able to shoulder a NT$200 million compensation payment," Tai reveals.
En Ma, director of the Business Marketing Organization's Server Platform Business Group at Microsoft Taiwan, likens companies' current information security frameworks to a sandwich. The outer layers represent the customers, followed by a layer of hamburger meat – the personal data – and an inner core – the employees. "From the inside to the outside, an information security system must be in place, or else there will be leaks," Ma warns.
The Personal Data Protection Act directly impacts information security protection in many different industries. Companies are not only asked to ensure information security regarding their own operations, but also required to look after the information security capabilities of their suppliers and partners. For example, an online vendor may increase investment in its own information security, but since it cooperates with thousands of small shops, logistics companies and delivery services, personal data may get leaked if just a single company is sloppy with data protection.
"Large corporations have the resources to protect information security, but an online microbusiness with just a few employees usually does not have specialized IT personnel, yet is highly computerized. For them it is very hard to protect personal data well," warns Yi-Chih Wang, senior analyst with the Market Intelligence & Consulting Institute under III. Wang cautions that small- and medium-sized enterprises that do most of their business electronically need to pay particular attention to the possible fallout from the implementation of the revised Personal Data Protection Act.
An Emphasis on Notification Obligations
Another special feature of the revised Act is its notification obligations. "Before a company collects information, it must clearly inform the consumer who they are, what the goal of the information gathering is, and for what period of time the information will be used," says Rhonda Chen, researcher with the Executive Yuan's Science & Technology Advisory Group and director of the National Information and Communication Security Taskforce office.
For instance, when consumers apply for co-branded credit cards issued by a financial group in cooperation with a department store, they often receive promotional materials from the issuers' subsidiaries, such as banks, insurance companies and other related businesses. This practice, known as cross-selling, involves repeatedly using the same set of customer data to push different products or services. But using personal data for other than the original purposes already amounts to a violation of the Personal Data Protection Act. The amended version stipulates that unless the customer has signaled his or her approval, "each piece of personal data can be used only for a single purpose and may not be cross-used by other departments of the business group," Tai points out. This means that every department within a company needs to establish its own customer databank that must not be used for cross-selling.
In the event that customer information is leaked, the company needs to provide sufficient evidence to show that the leak was not intentional. Against this backdrop, companies need to reexamine their data processing workflows.
"To clarify exactly how many hands the information passes through, access authorization needs to be established for everyone, and accurate, detailed records kept," says Rhonda Chen.
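As an added illustration, not code from the article or from any organization it quotes, the following Python sketch shows one way a company could implement the two requirements just described: data collected by one department for a stated purpose is refused to other departments or purposes unless the data subject has consented, and every access attempt, granted or refused, is written to a record. All names and sample values are constructed.

```python
"""Purpose-bound storage of personal data with a per-access audit trail."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Record:
    subject: str
    department: str                 # unit that collected the data
    purpose: str                    # purpose stated to the subject at collection
    data: dict
    consented: set = field(default_factory=set)   # further purposes the subject approved


class PersonalDataStore:
    def __init__(self):
        self._records = {}
        self.audit_log = []         # every attempt, whether granted or refused

    def _log(self, action, actor, department, subject, purpose, granted):
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action, "actor": actor, "department": department,
            "subject": subject, "purpose": purpose, "granted": granted,
        })

    def collect(self, actor, department, subject, purpose, data):
        self._records[subject] = Record(subject, department, purpose, dict(data))
        self._log("collect", actor, department, subject, purpose, True)

    def consent(self, subject, purpose):
        # The subject explicitly approves one additional use of their data.
        self._records[subject].consented.add(purpose)

    def access(self, actor, department, subject, purpose):
        rec = self._records.get(subject)
        # Allowed only for the collecting department's original purpose,
        # or for a purpose the subject has separately consented to.
        granted = rec is not None and (
            (department == rec.department and purpose == rec.purpose)
            or purpose in rec.consented)
        self._log("access", actor, department, subject, purpose, granted)
        if not granted:
            raise PermissionError(f"{department} may not use {subject}'s data for {purpose}")
        return dict(rec.data)


def demo():
    # Constructed scenario: card issuer collects data; an affiliate tries to cross-sell.
    store = PersonalDataStore()
    store.collect("alice@bank", "credit_card", "subject-001", "card_issuance", {"phone": "0900-000-000"})
    try:
        store.access("bob@insurance", "insurance", "subject-001", "insurance_offer")
        cross_sell_blocked = False
    except PermissionError:
        cross_sell_blocked = True
    store.consent("subject-001", "insurance_offer")
    allowed = store.access("bob@insurance", "insurance", "subject-001", "insurance_offer")
    return cross_sell_blocked, allowed, [e["granted"] for e in store.audit_log]
```

The refused attempt stays in the audit log alongside the granted ones, which is the kind of detailed record that lets a company show afterwards how many hands the data passed through.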
The Personal Data Protection Act will have as many implications for individual citizens as for corporations. But while companies still have information or legal departments that keep tabs on information security, ordinary people often unwittingly get into a legal minefield just with a single key stroke.
Posting an article or photo of someone else on the Internet or in a personal blog amounts to leaking personal data if the person concerned has not given his or her approval. "Human flesh searches" – a growing phenomenon in China in which groups collectively investigate, expose and sometimes harass individuals perceived to have done wrong – entail the unauthorized posting of private information on the Internet. While those who wage these campaigns claim to do so "in the name of justice," they are in fact violating the Personal Data Protection Act.
The enforcement of the amended Act is bound to thoroughly change companies' time-honored marketing models and the way we all use the Internet.
Translated from the Chinese by Susanne Ganz
Five Don'ts Under the Revised Personal Data Protection Act
1. Don't think leaks have nothing to do with you.
Don't think that personal data leaks are only the problem of corporations. Enterprises, managerial personnel, and employees that handle personal information can all be fined.
2. Don't carelessly discard personal information.
All materials carrying personal information need to be well protected. Even a single sheet of paper must be kept on file and must not be discarded in the recycling bin.
3. Don't skip authorization to save time.
Never skirt information security procedures for the sake of quick access. Companies and employees need to strictly observe the information access authorization system at different levels of the hierarchy. Don't skip necessary control procedures to get information quickly.
4. Don't carelessly engage in "human flesh searches."
Don't cavalierly engage in campaigns to expose others over the Internet. And don't reveal the contact information of others on the Internet.
5. Don't carelessly post articles or photos.
If the content of articles or photos posted on the Internet pertains to other persons, they must be notified and asked for prior approval.