March 2025
Enhancing Personal Data Protection and Preventing Fraud Risks—Key Compliance Points for E-commerce in Taiwan
With the rapid rise of the e-commerce industry, consumers have become increasingly reliant on online transactions. However, this has also led to a surge in data leaks and fraud risks, raising public concerns about transaction security and privacy protection. As e-commerce platforms collect vast amounts of consumer data, they must not only ensure the security of their platforms but also establish comprehensive data management mechanisms to comply with Taiwan's Personal Data Protection Act ("PDPA") and related regulations. Doing so can mitigate the risks of data leakage and enhance consumer trust in their brand.
From a regulatory perspective, the PDPA imposes a duty on businesses to maintain the security of the personal data they hold. Article 27, Paragraph 1 of the PDPA and Article 12 of its Enforcement Rules require non-government agencies to adopt appropriate security measures to prevent personal data from being stolen, altered, damaged, destroyed or disclosed. These security measures encompass both technical and organizational aspects, such as assigning management personnel and resources, establishing risk assessment and management mechanisms, ensuring equipment security, and implementing data security audit mechanisms. Given that businesses vary in scale, the Enforcement Rules also require businesses to implement proportionate data protection mechanisms based on their organizational scale and the volume of personal data they handle.
For e-commerce businesses, following the Ministry of Economic Affairs' past regulatory approach to the online retail industry and online retailing service platforms, the Ministry of Digital Affairs ("MODA") issued the "Regulations Regarding the Security Maintenance and Administration of Personal Data Files in the Digital Economy Industry" (the "Regulations") on October 12, 2023, under the authorization of Article 27, Paragraph 3 of the PDPA. The Regulations require e-commerce businesses to formulate a security maintenance plan for personal data files and the method for processing personal data after the termination of business (the "security maintenance plan").[1] To assist businesses in implementing the security maintenance plan, the MODA has provided guidelines for implementing the Regulations for e-commerce businesses (the "Guideline") and a template for the security maintenance plan as references.
Oversight Mechanisms for Outsourced Data Processing: Pre-selection & Post-supervision
In practice, e-commerce businesses often outsource data processing tasks such as order handling, payment processing, and logistics management to third-party providers, including system vendors, payment processors, and logistics companies ("consignees"). However, inadequate supervision and control over these commissioning arrangements can become a major cause of data leakage. Under Article 19, Paragraph 2 of the Regulations, businesses that commission third parties with the collection, processing, or use of personal data must conduct proper oversight and explicitly define these requirements in contractual agreements or related documents. According to the Guideline and template of the security maintenance plan issued by MODA in December 2024, e-commerce businesses are advised to implement the following pre-selection and post-supervision measures to ensure that consignees comply with data protection regulations:
1. Pre-selection Oversight: Before selecting a consignee, businesses should establish appropriate selection procedures, incorporate supervision clauses into contracts, require consignees to obtain independent third-party certification, and mandate self-assessment reports in accordance with Article 12, Paragraph 2 of the PDPA Enforcement Rules.
2. Post-supervision: After engaging a consignee, businesses should enforce contractual oversight through methods such as on-site audits, document reviews, or independent third-party certifications. Additionally, they should retain records of contract amendments, supervision evidence, and self-assessment reports completed by consignees.
Recent Court Rulings: E-commerce Platforms' Obligation to Prevent Fraud
Taiwan courts have ruled that e-commerce businesses may be held civilly liable for damages when consumers fall victim to fraud due to data leakages and when businesses fail to demonstrate that they have implemented adequate security measures to protect personal data. A recent decision, Taipei High Administrative Court Judgement No. 112-Su-Zi-889, emphasized that businesses must evaluate the risks associated with their data collection, processing, and usage processes based on factors such as their scale, characteristics, and the nature and volume of personal data they handle. Accordingly, businesses should formulate and implement appropriate risk control measures, continuously review their effectiveness, and respond to suspected data leakages by implementing damage control measures, investigating incidents, notifying affected parties appropriately, and developing preventive mechanisms to avoid recurrence. The ruling also highlighted that combating fraudulent messages transmitted via telecommunications or the internet requires collaboration between public and private entities, with private businesses bearing responsibilities such as verifying the identity of message senders and blocking fraudulent or malicious messages. Furthermore, online auction platforms were specifically recognized as having an obligation to implement effective preventive, reporting, and response mechanisms against phishing fraud.
Based on this ruling, businesses that fail to adopt effective measures to prevent or mitigate fraud cases may still be deemed in violation of Article 27, Paragraph 1 of the PDPA and Article 12 of its Enforcement Rules. As a result, they may face penalties under Article 48, Paragraphs 2 or 3 of the PDPA.
Strengthening Data Security Management Standards for E-commerce Businesses
To combat and prevent telecommunications and online fraud, amendments to the PDPA in 2023 increased the maximum penalty for failing to implement appropriate security measures to NT$15 million. Judicial rulings also indicate that courts have adopted a high standard regarding the security measures that e-commerce businesses must take to fulfill their personal data protection obligations. Therefore, when developing a security maintenance plan, e-commerce businesses should not only reference MODA’s Guideline and templates but also tailor security measures based on their scale, the volume of data they handle, and associated risks. These measures should align with the principle of proportionality and ensure that their data management systems comply with both operational needs and legal requirements. Businesses should avoid treating the template as a minimum compliance standard; instead, it is recommended to establish more comprehensive data protection mechanisms to effectively mitigate legal risks.
[1] Introduction of the Regulations Regarding the Security Maintenance and Administration of Personal Data Files in the Digital Economy Industry (Taiwan).