【Expert’s Commentary Column of the Commercial Times】Penalties Raised for Businesses Violating Security and Maintenance Obligations for Personal Data Files

June 8, 2023



In order to strengthen the fight against fraud, the Executive Yuan passed draft amendments to three anti-fraud laws in April of this year, namely the draft amendments to the “Money Laundering Control Act,” the “Securities Investment Trust and Consulting Act,” and the “Personal Data Protection Act” (hereinafter “PDPA”). Among the three, the amendments to the PDPA were passed by the Legislative Yuan on May 16. There are two key points in the amendments to the PDPA:

1.     The amendments expressly state that the competent authority for the PDPA is the Personal Data Protection Commission (whose organization and powers will be provided for in a separate act). This follows the Constitutional Court’s Judgment 111-Xian-Pan-Zi No. 13, which requires that an independent supervisory authority be established; it resolves the supervision problem created by the decentralized management under the current PDPA, and it is also in line with international trends.

2.     The amendment raises the penalties imposed on non-governmental institutions for violating personal data protection obligations and for failing to formulate a relevant security protection plan. Under the amended PDPA, an enterprise that fails to take appropriate security measures for the personal data it holds, resulting in the leakage of personal data, or that fails to formulate a security and maintenance plan for personal data files or a method for handling personal data after business termination, will no longer merely be ordered to rectify and fined NT$20,000 to NT$200,000 for each failure to rectify by the deadline. Instead, it will be fined NT$20,000 to NT$2,000,000 directly and given a deadline for rectification, and where the breach is material, an additional fine of NT$150,000 to NT$15,000,000 may be imposed. In addition, to urge violators of the above obligations to improve their personal data protection measures as soon as possible, the fine for failing to rectify by the deadline is raised to NT$150,000 to NT$15,000,000.

Compared with the penalty caps for personal data protection obligations in other countries (for example, Japan’s cap is equivalent to roughly NT$20 million (100 million yen); Singapore’s is 10% of the company’s revenue or roughly NT$20 million (1 million Singapore dollars); the EU’s is 2% of the company’s revenue or roughly NT$300 million (10 million euros)), this amendment still lags considerably behind. However, even before this amendment, the Executive Yuan had already passed the “Refined Measures for Preventing Personal Data Leakage by Non-government Agencies” at its meeting on March 2 this year, requiring all ministries and commissions to set up administrative inspection teams to strengthen administrative inspections of high-risk businesses, to speed up inspections of the major personal data breach cases that have recently attracted public attention, and to conduct administrative investigations into personal data leakage cases. It is foreseeable that the competent authority will supervise enterprises’ implementation of personal data protection more and more strictly in the future.

Therefore, businesses should pay attention to and re-examine whether their current personal data protection mechanisms are appropriate. Regardless of whether they belong to an industry that is required to formulate security and maintenance plans for personal data files or methods for handling personal data after business termination, they should proactively formulate such plans and methods, which should include at least the following elements:

1.     Designating responsible personnel (or departments) and allocating adequate resources.

2.     Defining the scope of the personal data held.

3.     A risk assessment and management mechanism for personal data.

4.     An incident prevention, notification, and response mechanism.

5.     Internal management procedures for the collection, processing, and use of personal data.

6.     Equipment security, data security management, personnel management, and an audit mechanism.

7.     Awareness promotion and educational training.

8.     Preservation of necessary usage records, audit trails, and evidence.

9.     Regular review and continuous improvement of the overall security and maintenance plan based on its implementation status.

For questions regarding how businesses can formulate security and maintenance plans for personal data files or methods for handling personal data after business termination, if the business belongs to an industry required to formulate such plans, one may refer to the “Regulations for the Security and Maintenance of Personal Information Files for the _____ Industry” issued by the competent authority of that industry, or consult legal professionals for assistance.

This article was published in the Expert’s Commentary Column of the Commercial Times. https://view.ctee.com.tw/tax/50441.html