Taiwan: EU GDPR adequacy decision: The road ahead

Taiwan commenced the process to obtain an adequacy decision shortly after the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') took effect in May 2018. The Taiwan Government established a Personal Data Protection Office under the National Development Council ('NDC') in July 2018 for the purposes of, among others, obtaining a GDPR adequacy decision as soon as possible so as to facilitate cross-border personal data transfers between EU Member States and Taiwan. Ken-Ying Tseng, Partner at Lee and Li, Attorneys-at-Law, discusses the timeline of Taiwan's process thus far of obtaining an adequacy decision and what is further expected to happen regarding this.


Under the Personal Data Protection Act 2010 (as amended in 2015) ('PDPA'), there is no single central government agency that is in charge of enforcing the PDPA. The regulatory agency in charge of each industry has the authority and power to enforce the PDPA, stipulate related requirements, and issue rulings on such matters specific to that industry. The Ministry of Justice ('MoJ') used to serve as an internal coordinator among government agencies to interpret the general rules under the PDPA. In July 2018, the NDC assumed this role from the MoJ and became responsible for obtaining the GDPR adequacy decision for Taiwan. The first submission was filed with the EU in December 2018. Thereafter, the NDC's special taskforce has been in regular communication with the EU, either in meetings or conference calls. The first round of the Taiwan-EU consultation was completed in 2019 and the second round of consultation was expected to take place in 2020, with the aim of receiving the adequacy decision in the same year. However, the relevant plans and schedules were delayed due to the COVID-19 pandemic.

To obtain the adequacy decision, the NDC started the relevant work and began drafting amendments to the PDPA in the second half of 2019. The proposed amendments were originally scheduled to be published for public comments in the middle of 2020, but the plan was postponed and the proposed amendments have not been published by the NDC thus far. In the meantime, certain legislators submitted several proposals at the Legislative Yuan to amend the PDPA, but none of the draft bills has passed the legislature's review thus far.

Recently, the Taiwan Government resumed the relevant tasks to obtain the adequacy decision and took a series of actions. In December 2020, the Executive Yuan convened a meeting of regulatory agencies and government authorities for the establishment of an internal coordination taskforce ('the Collaborative Meeting') to coordinate the efforts of such agencies and authorities with regard to personal data security matters, for example, notification of data breach incidents. According to the Collaborative Meeting's resolution, dated 3 February 2021, to ensure a consistent process and timeline for reporting data breach incidents, the Executive Yuan requires regulatory agencies and government authorities to amend the respective personal data file security plans that they promulgated for their specific industry ('Data Security Regulations'), explicitly requiring each private sector to: (i) report data breach incidents to the competent authorities within 72 hours; and (ii) adopt specific security measures if a business requires and adopts IT to operate its business, for example, e-commerce businesses.

On 6 August 2020, the Executive Yuan convened another meeting of regulatory agencies and government authorities to discuss the restrictions on cross-border personal data transfers and instructed them to further amend their respective Data Security Regulations to require each private sector to check, before conducting any cross-border personal data transfer, if the Taiwan Government has issued any orders or rulings banning or restricting cross-border personal data transfers and to notify the data subjects of additional information with regard to cross-border personal data transfers. It is uncertain as to whether the Taiwan Government will issue further orders or rulings to ban or restrict cross-border personal data transfers. It is also worth monitoring how each regulatory agency will amend its Data Security Regulations.

According to the Open Government Agenda, adopted by the Taiwan Government, the NDC is considering amending the PDPA to: (i) include the right to object set forth under the GDPR; (ii) grant data subjects the right to request their digital footprints; (iii) introduce specific rules for data controllers to inform data subjects of any use beyond the specified purpose(s) of collection and of any decision made automatically via machine by using open data; (iv) further set forth detailed rules with regard to the notification obligations to data subjects in the event of a data breach; (v) allow data subjects to withdraw consent; and (vi) require data controllers to conduct a Privacy Impact Assessment, etc. In 2019, the NDC also contemplated amending the PDPA to: (i) adopt a cross-border data transfer mechanism similar to that under the GDPR; and (ii) specifically set forth that the PDPA shall have an extra-territorial effect regulating foreign data controllers or processors similar to what GDPR does.

It is anticipated that more regulations and rulings on personal data security will be issued by the end of 2021 and that the NDC will soon hold a public consultation on the proposed amendments to the PDPA.

Ken-Ying Tseng Partner
Lee and Li, Attorneys-at-Law, Taiwan
