Is it unlawful in this jurisdiction to access third-party data without authorisation? Is it unlawful to store data which has been accessed without authority?

Yes. The Personal Data Protection Act (PDPA) requires non-public institutions to obtain the data subject’s prior, written and well-informed consent in order to collect, process or use personal data, and they must have a predefined purpose for collecting such data. In principle, and subject to certain exceptions, non-public institutions must (i) have a predefined purpose, and (ii) meet certain requirements prescribed by the law in order to process personal data. Under the PDPA, public institutions may, but are not required to, obtain the data subject’s consent when they act within the scope of their official responsibility or when there is no likelihood of injury to the data subject’s rights and interests. A public or non-public institution that collects personal data must inform data subjects of the organisation’s identity, the purposes for collecting the personal data, the third parties to which the organisation will disclose the personal data, the consequences of not providing consent, the rights of the data subject, how to make an inquiry or file a complaint, how to access and/or correct the data subject’s personal data, and the duration of the proposed processing. If an organisation is in violation of the PDPA, the competent authorities may take the following measures:
- Prohibit the organisation from collecting, processing or using personal information;
- Order the organisation to delete the personal information files already processed;
- Confiscate or order the organisation to destroy the personal information illegally collected; and
- Publicise the violation, the name of the non-compliant organisation and the name of the person in charge.
Is there a legal mechanism whereby you can seek access to or retrieve a copy of data which has been accessed without authority? Is there a legal mechanism that enables you to find out who may have accessed your data without authority and/or how it was used?

Taiwan, a civil law jurisdiction, does not have common law pre-trial procedures (including discovery). A victim of unauthorised use of or access to personal data may initiate a lawsuit and request the court to investigate the relevant evidence (including information about who may have accessed the subject data without authority and/or how it was used) in the course of the legal proceedings.

Is there any restriction on the use that can be made of information or documentation regarding a data breach incident obtained through a legal process?

Rulings issued by Taiwan’s Ministry of Justice (MOJ, the competent authority over the PDPA) provide that information procured or produced during legal proceedings may be used within the scope of performing legal duties and in compliance with the specific purpose of collection. Therefore:
- an attorney may use the transcript of a witness’s testimony given in a criminal case in separate civil litigation (No. Fa-Lv-Zi-10203510680 issued by the MOJ on October 14, 2013);
- the ID number of a debtor stated in a court judgment may be used in subsequent enforcement procedures (No. Yuan-Tai-Ting-Min-Yi-Zi-1030003167 issued by the Judicial Yuan on January 29, 2014).
Is it possible to maintain confidentiality in relation to the legal steps necessary to get access to the data or information?

As mentioned above, Taiwan does not have common law pre-trial procedures (including discovery). As to the results of the relevant investigation conducted by the court, a party concerned may apply to the court clerk to inspect, copy or photograph the investigation documents included in the dossier, or to obtain a written copy, photocopy or excerpted copy thereof, with expenses advanced. Where a third party files such an application with the consent of the parties concerned, or with a preliminary showing of his or her legal interest, the court may decide whether or not to grant the application. However, if the documents in the dossier involve the privacy or business secrets of a party concerned or a third person, and granting the application would likely result in material harm to that person, the court may, on motion or on its own initiative, rule to deny the application or to restrict the acts described above.

If it is later determined that proceedings should be commenced in another jurisdiction (for example, because the perpetrator is found to reside there), can you stop the proceedings in this jurisdiction in such a way that you are not prevented from commencing proceedings on the same issue as a result of the application of res judicata, double jeopardy or some other similar principle?

If proceedings are stopped because the court in Taiwan has no jurisdiction, the complainant will need to initiate another lawsuit in the appropriate jurisdiction and will be prevented from commencing proceedings on the same issue in the courts of Taiwan again. However, if proceedings are stopped
- for a reason other than the court in Taiwan lacking jurisdiction, or because the plaintiff withdraws the suit;
- in a manner which does not result in a final determination of the issues in the proceedings; and
- with the consent of the other party concerned,
it will usually not prevent the plaintiff from commencing proceedings in this jurisdiction again. However, there may be an issue if proceedings covering the same issues are actively on foot in two jurisdictions at the same time.

Is there an obligation in your jurisdiction to hold personal information securely?

Yes. Organisations are required to take steps to ensure that personal data in their possession or control is protected from unauthorised access and use, to implement appropriate physical, technical and organisational security safeguards to protect personal data, and to ensure that the level of security is in line with the amount, nature and sensitivity of the personal data involved. Under the PDPA, public institutions must designate personnel who are exclusively responsible for data protection. Non-public institutions must take appropriate measures to prevent personal data from being stolen, amended, destroyed or disclosed.

Does the law in your jurisdiction restrict or place conditions on the transfer of personal or other information to other foreign jurisdictions?

Yes. Under the PDPA, the central competent authority may restrict the international transmission of personal data by non-public institutions in any of the following circumstances:
- Such transmission involves major national interest;
- Such transmission is subject to special provisions of an international treaty or agreement;
- The receiving country lacks proper laws and regulations that adequately protect personal data, and the rights and interests of a data subject are likely to be injured/damaged; or
- Personal data is indirectly transmitted to a third country (area) to evade the application of the PDPA.
Is there a generally applicable obligation to notify data subjects of a data breach in your jurisdiction?

Yes. Under the PDPA, public institutions and non-public institutions have an obligation to notify the affected individuals by appropriate means in the event of a data security breach. Under the Enforcement Rules for the PDPA, “appropriate means” means any method which can deliver the message to the affected individuals, including oral or written notice, telephone, facsimile or electronic transmission. However, where the cost of individual notification would be substantial, public notice is allowed. The notice should state how the data security was breached and the remedial measures already adopted.

Is there a generally applicable obligation to notify the authorities of a data breach in your jurisdiction?

No. As of the date of this Guide, there is no generally applicable obligation to notify the authorities of a data breach under Taiwan law.

Are there sector-specific mandatory data breach notification obligations in your jurisdiction?

Yes. Under the Regulations Governing the Personal Data Files Protection of the Non-public Institutions Designated by the Financial Supervisory Commission, in the event of a material information security breach at a financial holding company, bank, securities or futures enterprise, insurance company, issuer of electronic stored value cards, other financial services provider designated by the Financial Supervisory Commission (FSC), or foundation supervised by the FSC, the affected entity must notify the FSC of the breach. As of the date of this Guide, the FSC is the only competent authority imposing sector-specific mandatory data breach notification obligations; however, other competent authorities may impose such obligations in the future if they deem it necessary.