The Taiwanese Ministry of Justice recently concluded a public consultation on draft enforcement rules and proposed amendments to its primary data protection legislation, the Computer-Processed Personal Data Protection Act (“the Act”).
The amendments are reportedly far-reaching. If the amendments are approved, some key changes to the Act would be:
- The law would apply to the private as well as public sector. The law would have extraterritorial effect and would apply to entities outside Taiwan if the data of Taiwanese residents is collected.
- Class actions would be possible.
- Administrative fines would increase from a minimum of NT$10,000 to NT$100,000 (approx. EUR 2,430), and a maximum of NT$20,000 to NT$500,000 (approx. EUR 12,000).
- Fines could be imposed both on the company and on the individual person responsible for data protection compliance.
The amendments were to be finalised by the end of November 2011 and are expected to be sent to the Cabinet for approval this month. If approved, the new law, the “Personal Information Protection Act”, should come into force by November 2012.
Businesses established in Taiwan and non-Taiwanese businesses conducting business in Taiwan should consider undertaking a review of their personal data collecting procedures, technical & security measures, and other company data protection policies in preparation for the new data protection rules to ensure compliance. This is especially pertinent, given the more severe criminal sanctions proposed by the amendments of up to five years in prison, and increased fines of up to NT$1 million.