Blog

The Legislative Yuan passed the amendments to the Personal Data Protection Act: Penalties are raised and a dedicated competent authority is to be established

Given that numerous data breaches occur in recent years, the Legislative Yuan has passed the amendments to the Personal Data Protection Act (the “PDPA”) on May 16, 2023 so as to urge the non-government agencies, i.e. the private sectors, to input manpower, technique and funds for the purpose of fulfilling data protection obligation and to provide support to relevant enforcement authorities for combatting fraudsters. Two main points of these amendments are as follows: (1) raising the administrative penalties imposed against non-government agencies for violating the obligation of security and maintenance measures; and (2) designating the “Personal Data Protection Commission” as the dedicated competent authority of the PDPA.

The amendments to the PDPA modify the administrative sanction procedure and amount of administrative fines imposed against non-government agencies for violating the obligation of security and maintenance measures under Article 48 of the PDPA. The current Article 48 provides that the administrative authorities may order the non-government agency to rectify the violation within a specified period of time, and if the non-government agency fails to rectify, an administrative fine between NTD (the same hereinafter) 20,000 and 200,000 may be imposed. The amended Article 48 provides that in the event of violating the abovementioned obligation by non-government agency, the authority may impose the administrative fine against it immediately and concurrently order the non-government agency to rectify the violation, which means the authority could impose administrative fines directly without demanding rectification first. Further, the ceiling of administrative fine is raised and therefore the administrative fines will range from 20,000 to 2,000,000. In the event that the violation is a material violation or the non-government agency fails to rectify the violation within a time limit requested by the authority, the administrative fine is raised to not less than 150,000 and not more than 15,000,000.

On the other hand, there is no single dedicated competent authority under the current PDPA. The current PDPA is enforced by a decentralized approach, under which the enforcement is administered by the central relevant business authorities governing the business of the non-government agency involved and local governmental authority. Further, the National Development Council is in charge of providing uniform interpretations in relation to provisions of the PDPA. Article 1-1 is newly added to the amended PDPA and it provides that the “Personal Data Protection Commission” will act as a dedicated competent authority of the PDPA. Upon the establishment of the Personal Data Protection Commission, the authority and responsibility currently distributed to the central relevant business authorities, local governments, and National Development Council will be integrated to the Personal Data Protection Commission.

The Constitutional Court rendered its judgment No. 111-Sian-Pan-Zi-13 in August 2022, holding that the lack of an independent supervisory mechanism of the PDPA would lead to the insufficient protection to personal information privacy right and therefore it is potentially unconstitutional. The Constitutional Court required establishing relevant legal regime within three (3) years from the date of the decision announced so as to enhance the protection of information privacy right under Article 22 of the Constitution. The newly-added “Personal Data Protection Commission” will adopt a “dedicated supervisory system”, instead of the “decentralized system” under the current PDPA, which responds to the foregoing request of the Constitutional Court and also aligns with the global trend, e.g. that adopted by Europe, Japan and South Korea.

The Personal Data Protection Commission will be an independent agency under the Executive Yuan. It is reported that according to the Executive Yuan’s plan, the Executive Yuan will establish a preparatory office in August 2023. The main tasks of the preparatory office are enacting the organizational act of the Personal Data Protection Commission and proposing second phase of PDPA amendments with the aim of strengthening the personal data protection of government agencies. The organizational act of the Personal Data Protection Commission is estimated to be proposed to the Legislative Yuan for review next year. Once it is approved by the Legislative Yuan, the establishment of the Personal Data Protection Commission will be scheduled as soon as practicable in next year.

Please enter your information,and we will contact you soon. (Asterisk (*) are required)

The Legislative Yuan passed the amendments to the Personal Data Protection Act: Penalties are raised and a dedicated competent authority is to be established