Jane Tsai, Doris Hsu and Lilian Hsu
Because copyright is used today in diverse and complex ways, scopes, and forms, an economic rights holder may, for convenience of management, enter into a management agreement commissioning a Copyright Collective Management Organization ('CMO') to exercise its rights as its proxy. In doing so, the CMO collects and distributes a large amount of critical personal data on behalf of the economic rights holder. If the CMO neglects to establish an advance security plan together with follow-up contingency and review measures, that data, and the rights and interests of its holders, would be exposed to unreasonable risk.
As the trustee of the economic rights holder, the CMO bears responsibility for the security and maintenance of personal data. Accordingly, on September 7, 2021, Taiwan's Ministry of Economic Affairs, acting under the authorization of Paragraph 3, Article 27 of the Personal Data Protection Act, issued a pre-announcement of the draft CMO Personal Data Security Maintenance Guide (the 'Draft'). The period for submitting written opinions is 60 days, ending on November 6, 2021. The key points and related advice are as follows:
1. Regulation Summary
(1) The CMO shall reasonably allocate financial and human resources in proportion to its scale of business to plan, formulate, execute, and amend its personal data security plan and audit system. (Articles 2 to 3 of the Draft)
(2) The CMO shall assess the risks to the personal data it holds and establish contingency and reporting mechanisms to prevent that data from being stolen, tampered with, damaged, lost, or leaked, and shall designate the special copyright agency for follow-up administrative audits. (Article 4 of the Draft)
(3) The CMO shall establish specific management measures covering: its duty to inform data subjects; its duty to supervise third parties commissioned to collect, process, or use personal data; compliance matters for international transfers of personal data; the methods by which data subjects may exercise their rights; and measures ensuring the accuracy of personal data. (Article 5 of the Draft)
(4) In implementing appropriate management measures for information, operational, and equipment security, the CMO shall take into account factors such as the nature of its business, how personal data is stored, the methods and tools used to transfer personal data, and the type and volume of personal data involved. (Articles 6 to 9 of the Draft)
(5) The Draft clearly sets out the CMO's obligations for the security and maintenance of personal data, the items to be recorded and retained, and the handling of personal data after the CMO ceases operations. (Article 10 of the Draft)
(6) The Draft clearly prescribes the "personal data infringement report and record form." This form is to be completed and submitted to the special copyright agency whenever a security incident threatens normal operations or a significant amount of holders' (Annex of the Draft)
2. Suggested precautions and responses to the regulations
The Draft contains 11 Articles whose purpose is to set out detailed rules for the CMO's maintenance and management of personal data so as to prevent its theft, tampering, damage, loss, or leakage during processing. These rules include (1) requiring the CMO to establish a complete security and maintenance plan that reduces the risk of data being damaged or lost through inappropriate use; (2) requiring the CMO to put in place contingency and improvement measures for a security breach; and (3) requiring the CMO to take into account the nature and state of its business and its data when implementing management measures for information, operational, and equipment security. Since the Draft focuses primarily on risk prevention and contingency response, the CMO should, in accordance with the rules above, establish protective and contingency measures together with a self-assessment mechanism for responding to related incidents.