Lately, there have been increasing instances of personal information entered for online services being exploited by scam groups. This September, the Taiwan Shilin District Court rendered the final judgment in Case 107-Jian-Shang-Zi No. 225, allowing victims of such scams to claim damages against the online business pursuant to Article 29 of the Personal Data Protection Act (“PDPA”).
After using an online ticketing platform, a user received a call from a scammer who claimed to be an employee of the platform and alleged that the platform's accounting personnel had made errors resulting in repeated debits to the user's account. The user therefore went to an ATM and followed the scammer's instructions to correct the said error. As a result, the user was tricked into wiring a total of NT$257,892 to a bank account specified by the scammer. The user then filed a claim for damages against the online business.
Multiple users had reported the online platform as a high-risk platform, and tens of scamming incidents of the same type had been reported by numerous victims. Therefore, according to empirical and logical principles, the Taiwan Shilin District Court considered that the user's personal information had been leaked from the said online platform.
Although the online business alleged that it had taken appropriate safety measures, the court determined that the certification and safety inspection report provided by the online business was produced after the incident and should not be deemed proof of prior safety measures. In addition, the scope of inspection in the report did not include all of the IPs used by the platform, and hence the report could not prove that the platform had taken adequate safety measures for data protection. Although the online business provided its internal data protection rules, it could not prove that such rules had been implemented. Moreover, the network and information security analysis performed by an IT company commissioned by the online business also indicated that there were many loopholes in the online platform's internal and external risk control systems. That report also proved that the online platform did not fully implement its relevant internal data protection rules. Therefore, the court held that the user could claim damages against the online business pursuant to Article 29 of the PDPA.
With respect to the amount of compensation, since the user was defrauded of NT$257,892, the court held that the online business, in addition to the aforesaid pecuniary damage, shall also compensate the user for non-pecuniary damage of NT$20,000 pursuant to Paragraph 2 of Article 29 of the PDPA. However, the court also considered that this type of fraud is not uncommon and that the user failed to be more alert, and therefore ruled that the user should bear 30% of the liability for negligence and the online business 70%. Applying this ratio and deducting the compensation of NT$15,000 that the user had already received from the scammer, the court ordered the online business to compensate the user NT$183,274.
This judgment confirms that users harmed by a data leak from an online platform may claim pecuniary and non-pecuniary damages against the online business pursuant to Article 29 of the PDPA. It also reminds online businesses to strengthen their security measures for user data protection to avoid liability. At the same time, users of online platforms should also be more alert to scams, or else they will also be liable for part of the damage.