The Data Protection Authority has the power to investigate complaints and cases, and to order the entity to present relevant information or to take other necessary measures in accordance with the Personal Data Protection Law (“PDPL”). In the event that an investigation reveals that the relevant information is in violation of the PDPL, the information may be confiscated. Administrative fines can be up to NTD 500,000 (approx. $15,873) per violation and can be imposed repeatedly until corrective measures are taken; these orders can be appealed to the administrative court. In addition, the authority has the power to order the suspension of collecting, processing and/or transfer of data, as well as the destruction of data, and even to publicize the name of the responsible person or entity; these orders can be appealed to the administrative courts.
Individuals can seek judicial remedies and damages for breach of the PDPL in accordance with the PDPL as well as the Civil Code.
Fines of up to NTD 1,000,000 ($31,746), detention and imprisonment of up to 5 years.
The responsible person within the violating non-public institution will also be subject to the same administrative fines as the violating non-public institution unless he/she can prove that he/she performed his/her duties to prevent the violation.
Selected Enforcement Actions / General Comments
Some examples of recent enforcement actions in Taiwan:
- Right to be Forgotten:
In October 2014, a court judgment was rendered awarding a consumer civil damages in the amount of NT$26,000 (approximately US$850) in accordance with the Taiwan Civil Code and the PDPL, recognizing a customer’s “right to be forgotten.”
The case involved one of Taiwan’s largest retailers of home improvement and construction products and services, which regularly sends out unsolicited advertisement emails to its store members. One of its members requested the store to delete his personal information from its mailing list. The store agreed to do so, yet it continued to send the complainant over 52 advertisement emails over a duration of 6 months after it had agreed to remove his email address from its mailing list.
The court held that this retailer violated the PDPL and relevant Civil Code provisions and imposed civil damages of NT$26,000. Article 3 of the PDPL empowers an individual to request a store to delete his/her personal information from its system/database. Article 20(2) of the PDPL also stipulates that when an individual indicates his/her unwillingness to receive any marketing materials, the sending company shall immediately cease using said individual’s personal information in conducting its marketing activities.
However, in another case, rendered in January 2015, the court rejected the plaintiff’s assertion of the “right to be forgotten.” Thus, while the “right to be forgotten” can be considered a well-known concept in Taiwan, how the courts would enforce this right should be closely followed.
- Scope of “personal data”:
In October 2014, a case involving M+Messenger (a mobile phone communication application which shows its users’ mobile phone carriers without users’ knowledge and/or prior consent) was brought to the Taipei District Court. In this case, a consumer sued the creator of M+Messenger and its affiliate (the marketing subsidiary), claiming that his cell phone carrier is his “personal data” (which can be used to identify a natural person indirectly) and that the creator of M+Messenger and its affiliate breached his data privacy by unlawfully using his personal data outside the original scope of collection. Both the Taipei District Court and the appellate court found for the consumer, recognizing that a person’s cell phone carrier is his “personal data” and thus cannot be collected, processed or used without complying with the PDPL requirements. In this case, the court awarded the consumer NT$500 (approximately US$16). However, this case may not have been finalized.
- General comments:
- More and more Taiwanese consumers are aware of data protection and are willing to assert their rights with administrative authorities and/or in courts.
- Most government authorities and non-public institutions have adopted or are in the process of adopting their own data privacy protection measures to comply with the statutory requirements.
- Ever since the PDPL took effect (in October 2012), more detailed rulings have been issued to deal with unclear issues, e.g., the Regulations for Co-Marketing Activities Conducted among Subsidiaries under the Same Financial Holding Company specified that consumers are entitled to “opt-in” for the marketing activities and only the consumers’ names and addresses can be shared among the subsidiaries in the absence of the consumers’ prior written consent.