Hot Topics in Asian Privacy Law

• John Eastwood
• Wendy Chu
• Nathan Snyder

The Taiwan legislature passed amendments to the Personal Data Protection Act (PDPA) on May 16, 2023, that will establish a new independent data protection agency, the Personal Data Protection Commission, and greatly increase the penalties for data breaches for non-government entities (i.e., companies and private individuals). Creation of a new data protection agency was mandated by a ruling from the Constitutional Court’s in August 2022 that it was unconstitutional to have no competent authority overseeing the enforcement of the PDPA. In particular, the major problems seemed to stem from the inability of the government to enforce upon itself – the case before the Constitutional Court involved the National Health Insurance Administration (NHIA) allowing select third parties to have access to its databases without appropriate consent. Shortly thereafter, a massive leak from Taiwan’s Ministry of Interior’s Household Registration system involving 23 million pieces of data emphasized the lack of accountability. In addition, fines for non-governmental entities failing to implement proper security measures have been increased to TWD 20,000-2 million (EUR 585-58,515 at current rates) and fines for failing to address the issue within the specified timeframe are subject to an additional fine of TWD 150,000-15 million (EUR 4,388– 438,841) based on severity of offense. It is anticipated that the preparatory office of the Personal Data Protection Commission will be established shortly.