April 2025
Amendments to the Enforcement Rules of the Communication Security and Surveillance Act (Taiwan)
When the Telecommunications Management Act ("TMA") was enacted on May 31, 2019, Paragraph 4 of Article 9 and Paragraph 2 of Article 22 stipulated that both telecommunications enterprises and entities establishing public telecommunications networks ("PTN establishing entities") are obliged to assist in the enforcement of communication surveillance in accordance with the Communication Security and Surveillance Act ("CSSA"). However, due to the incomplete nature of the CSSA and its subordinate regulations at that time, only telecommunications enterprises were explicitly required to cooperate with communication surveillance, excluding other PTN establishing entities. This regulatory deficiency has given rise to inconsistencies in the scope of regulatory applicability.
To address this issue and implement the government's Anti-Fraud Strategy Guidelines, the Legislative Yuan passed amendments to the CSSA[1] on July 12, 2024. These amendments added Article 11-1, which establishes regulations for accessing network traffic records to support investigations into modern cybercrimes. Additionally, Articles 14 and 14-1 were revised to explicitly impose obligations on both telecommunications enterprises and PTN establishing entities to assist in the enforcement of communication surveillance, as well as to retain and assist in accessing subscriber data, communication records, and network traffic records.
To ensure compliant implementation of communication surveillance duties following the amendments, the Ministry of Justice amended the Enforcement Rules of the Communication Security and Surveillance Act ("Enforcement Rules") on February 8, 2025, providing clearer enforcement standards and operation procedures for surveillance agencies and telecommunications operators[2] . The main revisions in the Enforcement Rules are as follows:
1. Specification of Entities Subject to Obligations Regarding Communication Surveillance Assistance Enforcement:
Consistent with Paragraph 2 of Article 14 of the CSSA, PTN establishing entities are now explicitly identified as entities responsible for assisting in communication surveillance enforcement. This amendment closes a gap in regulatory applicability. (Articles 2, 7, 8, 13, 13-2, 15, 19, 21-23, 24, 26, and 32 of the Enforcement Rules)
2. Addition of Data Access Regulations:
Network traffic records are now categorized as accessible data, and new provisions have been introduced regarding the application for the reissuance of access warrants. (Articles 13-1 and 13-2 of the Enforcement Rules)
3. Revisions to the Operational Procedures for Telecommunications Operators’ Cooperation in Communication Surveillance Enforcement:
In response to the TMA and practical operational needs, the procedures governing telecommunications operators' cooperation in communication surveillance enforcement have been revised. Furthermore, if an operator's establishment plan, including software and hardware, established timelines, and costs pertaining to the necessary cooperation with communication surveillance enforcement cannot be agreed upon with the Investigation Bureau of the Ministry of Justice or the National Police Agency of the Ministry of the Interior, and in addition to the adjudication by the National Communications Commission ("NCC"), a supplementary coordination mechanism facilitated by the NCC has been instituted. This mechanism aims to enhance flexibility in dispute resolution. (Article 26 of the Enforcement Rules)
To address this issue and implement the government's Anti-Fraud Strategy Guidelines, the Legislative Yuan passed amendments to the CSSA[1] on July 12, 2024. These amendments added Article 11-1, which establishes regulations for accessing network traffic records to support investigations into modern cybercrimes. Additionally, Articles 14 and 14-1 were revised to explicitly impose obligations on both telecommunications enterprises and PTN establishing entities to assist in the enforcement of communication surveillance, as well as to retain and assist in accessing subscriber data, communication records, and network traffic records.
To ensure compliant implementation of communication surveillance duties following the amendments, the Ministry of Justice amended the Enforcement Rules of the Communication Security and Surveillance Act ("Enforcement Rules") on February 8, 2025, providing clearer enforcement standards and operation procedures for surveillance agencies and telecommunications operators[2] . The main revisions in the Enforcement Rules are as follows:
1. Specification of Entities Subject to Obligations Regarding Communication Surveillance Assistance Enforcement:
Consistent with Paragraph 2 of Article 14 of the CSSA, PTN establishing entities are now explicitly identified as entities responsible for assisting in communication surveillance enforcement. This amendment closes a gap in regulatory applicability. (Articles 2, 7, 8, 13, 13-2, 15, 19, 21-23, 24, 26, and 32 of the Enforcement Rules)
2. Addition of Data Access Regulations:
Network traffic records are now categorized as accessible data, and new provisions have been introduced regarding the application for the reissuance of access warrants. (Articles 13-1 and 13-2 of the Enforcement Rules)
3. Revisions to the Operational Procedures for Telecommunications Operators’ Cooperation in Communication Surveillance Enforcement:
In response to the TMA and practical operational needs, the procedures governing telecommunications operators' cooperation in communication surveillance enforcement have been revised. Furthermore, if an operator's establishment plan, including software and hardware, established timelines, and costs pertaining to the necessary cooperation with communication surveillance enforcement cannot be agreed upon with the Investigation Bureau of the Ministry of Justice or the National Police Agency of the Ministry of the Interior, and in addition to the adjudication by the National Communications Commission ("NCC"), a supplementary coordination mechanism facilitated by the NCC has been instituted. This mechanism aims to enhance flexibility in dispute resolution. (Article 26 of the Enforcement Rules)
[1] https://www.moj.gov.tw/2204/2645/181663/181665/218067/post (Last visited: 2025/03/19)
[2] In addition to the Enforcement Rules of the Communication Security and Surveillance Act, the Ministry of Justice also published the Regulations on the Management of Subscriber Data and the Regulations on the Management of Network Traffic Records in late December 2024. These regulations establish procedures for accessing subscriber data and network traffic records, as well as guidelines for data retention, destruction, supervision, auditing, and other related matters.
