Brief Commentaries on the 2015 Amendments to the Personal Data Protection Law (Taiwan)

Emily Chueh
After the Computer-processed Personal Data Protection Law was promulgated for the first time on August 1, 1995, the first major amendments were promulgated on May 26, 2010, when the law was also renamed as the Personal Data Protection Law (hereinafter, the “Law”). The Law formally came into effect on October 1, 2012. However, Article 6 of the Law provides for the collection, processing and use of special data, and Article 54 stipulates that notification concerning the personal data not provided by third parties before the effective date of the Law shall be completed within one year after the effective date of the Law. Since most members of society believed that these two articles were too stringent and would have too much social impact on citizens if they were implemented rashly, their implementation was postponed.
After several draft amendments, the Legislative Yuan adopted partial amendments to the Law by three readings, and the Law as amended was promulgated by the President via the Hua-Zhong-One-Yi-10400152861 Directive of December 30, 2015 and included the amendments and Articles 6 and 54, which began to go into effect. The highlights of the amendments include the finalized scope of “special data” as well as the principles and exceptions for the collection, processing and use of special data; the requirement that, except for special data, the consent of persons concerned may be indicated by way of presumption with no need to obtain written consent; decriminalization of the illegal use of personal data engaged in without illegal intent; and relaxation of the notification period for indirectly collected personal data prior to the effective date of the Law.
After the partial amendments to the Law were promulgated on December 31, 2015, the Ministry of Justice promulgated the Enforcement Rules of the Personal Data Protection Law as amended (hereinafter, the “Enforcement Rules”) on March 2, 2016. The Executive Yuan also designated that the Law and the Enforcement Rules should go into effect on March 15, 2016. The Law as newly amended is now fully in effect.
Highlights of the amendments:
1. Confirmation of the scope of “special data”
(1) Medical records are added as special data:
Article 6 of the original Law stipulated five types of personal data: namely, medical treatment, genes, sex life, health examination and criminal records, which were basically prohibited from collection, processing or use. However, the scope of personal data enumerated under Article 2 of the Law includes “medical records” and “medical treatment.” (Note 1: Article 2, Subparagraph 1 of the Law: “Personal data: the name, date of birth, I.D. Card number, passport number, characteristics, fingerprints, marital status, family, education, occupation, medical records, medical treatment, genetic information, sex life, health examination, criminal records, contact information, financial conditions, social activities and other data which may be used to identify a natural person, both directly and indirectly.”) Since medical records are by nature part of personal data pertaining to medical treatment, “medical records” are added, for avoidance of doubt, to the Law as amended as a type of special data, and basically should not be collected, processed or used like the existing five types of personal data.
(2) Addition of exceptions where special data may be collected, processed or used:
i. Article 6, Paragraph 1, Subparagraph 4 of the original Law provides: “Where it is necessary to perform statistical or other academic research, a government agency or an academic research institution collects, processes, or uses personal data through a specific procedure for the purpose of medical treatment, health, or crime prevention.” Special data of individuals may exceptionally be collected or processed. Paragraph 2 of the same article also provides that the scope, the rules for the scope, procedures and other matters that shall be followed by a government agency or academic institution in its collection, processing or use of personal data shall be prescribed by a central competent authority for specified business in conjunction with the Ministry of Justice.
However, it is often necessary for a government agency or academic institution to collect, process or use special personal data for purposes of medical treatment, health or crime prevention or due to the need to perform statistical or academic research. Therefore, it is additionally stipulated in these amendments that if an individual’s special data have been anonymized or if the manner in which the data are disclosed by the collector cannot possibly identify any specific individual, since personal privacy or rights cannot possibly be infringed, the collection, processing and use of an individual’s personal data may be exceptionally allowed under such circumstances pursuant to these amendments.
In addition, since the procedures for collecting, processing or using special data may be prescribed by a government agency in administrative rules, and an academic research institution may also be designated as a non-government agency by a central competent authority for specified business pursuant to Article 27, Paragraph 2 of the Law to formulate a personal data and file safety maintenance plan or disposal measures for personal data following business termination (Note 2: Article 27, Paragraph 2 of the Law: “The central competent authority in charge of specified industry may designate a non-government agency to formulate a personal data and file safety plan or the disposal measures for personal data after termination of business.”), it is not necessary to provide authorization to set the scope and procedures for collecting, processing or using such data. Therefore, Article 6, Paragraph 2 of the original Law was deleted in these amendments.
ii. Within the scope of assisting a government agency to carry out its legal duties or a non-government agency to perform its legal obligations and with appropriate security measures before and after the fact, special data of individuals may be collected, processed or used (Note 3: Article 6, Paragraph 1, Subparagraph 5 of the Law).
A government agency often needs to request other agencies to help provide personal data in carrying out its legal duties (compare Article 19, Paragraph 2, Subparagraph 4 of the Administrative Procedure Law). However, the provision of personal data by another agency is an act of using personal data and is not the legal duty of such agency. Therefore, an individual’s special data cannot be provided pursuant to Subparagraph 2 of the proviso of Article 6 of the Law. Therefore, within the scope of necessity to assist a government agency to carry out its legal duties or a non-government agency to fulfill its legal obligation, this subparagraph was added to provide the legal basis for the provision of personal data by other agencies.
iii. An individual’s special data for which the individual’s written consent is obtained and which do not exceed the scope of necessity for specific purposes or other legal restrictions on their collection, processing or use (Note 4: Article 6, Paragraph 1, Subparagraph 6 of the Law: “Where the individual concerned has consented in writing; unless such consent exceeds the necessary scope of the specific purpose; the collection, processing or use merely with the consent of the individual is prohibited by other laws; or such consent is against the individual’s will.”):
Pursuant to Judicial Interpretation No. 603, the Constitution protects “an individual’s independent control of the information privacy of his/her personal data.” An individual’s consent right over personal data is one of the fundamental rights protected by the Constitution. If the circumstances of an individual’s consent are completely excluded, this seriously limits the basic rights protected by the Constitution and does not meet the principle of proportionality under Article 23 of the Constitution. Therefore, it is additionally stipulated that except for other legal restrictions or for consent that goes against the volition of the individual, such as a government or non-government agency’s use of methods against the will of the individual, such as the use of its authority, violence or coercion, a government or non-government agency may collect the special data of individuals with their consent. However, since the special data of individuals are even more sensitive than ordinary personal data, this article also provides that the consent to the collection, processing and use of special personal data shall be given in writing for the sake of prudence.
iv. The notification obligation under Articles 8 and 9 of the Law shall apply mutatis mutandis to the collection, processing or use of personal data, and the provisions of Article 7 of the Law shall also apply mutatis mutandis to the written consent (Note 5: Article 6, Paragraph 2 of the Law: “The provisions of Articles 8 and 9 shall apply mutatis mutandis to the collection, processing or use of personal data under the preceding paragraph.”). Articles 8 and 9 of the Law provide that a government or non-government agency is required to inform the individuals concerned of specific matters when collecting personal data in accordance with Articles 15 and 19 of the Law. However, Articles 15 and 19 of the Law regulate the circumstances where a government or non-government agency collects and processes ordinary data of individuals, which do not include special data. Therefore, Article 6, Paragraph 2 was added to the Law to stipulate that when collecting, processing or using special personal data of individuals, a government or non-government agency is required to follow Articles 8 and 9 of the Law in performing its statutory notification obligation. In addition, the requirement that Article 7, Paragraphs 1 and 2 of the Law apply mutatis mutandis to the consent given by an individual pursuant to this subparagraph is an indication of intent given by an individual after being notified of the matters required under the Law by a government or non-government agency.
2. Addition of the requirement that an individual’s consent under the Law is not limited to written consent (Note 6: Article 7 of the Law: “The consent set forth in Article 15, Subparagraph 2 and Article 19, Paragraph 1, Subparagraph 5 means an indication of intent made by an individual to give permission after being notified of the matters required under this Law by the data collector. The consent set forth in Article 16, Subparagraph 7 or Article 20, Paragraph 1, Subparagraph 6 means a separate indication of intent made by an individual after being specifically notified by the collector of other purposes of use beyond the originally specified purposes, scope of use and impact of his/her approval or disapproval on his/her rights and interests. When a government or non-government agency specifically notifies an individual of the matters required under the subparagraphs of Article 8, Paragraph 1, if the individual does not indicate his/her refusal and has provided his/her personal data, it shall be presumed that the individual has indicated his/her consent pursuant to Article 15, Subparagraph 2 and Article 19, Paragraph 1, Subparagraph 5. A collector shall assume the burden of proof to substantiate the fact associated with the consent of the individual within the meaning of this Law.”):
(1) After the Law was amended, the manners of “consent” given by individuals concerned are relaxed under Article 15, Subparagraph 2; Subparagraph 7 of the proviso of Article 16; Article 19, Paragraph 1, Subparagraph 5; and Subparagraph 6 of the proviso of Article 20, Paragraph 1 and are not limited to writing. Therefore, the wording “written consent” in Article 7, Paragraphs 1 and 2 of the Law was deleted.
(2) To reduce the current administrative operation in practice that still requires separate consent from individuals concerned, it is additionally stipulated in these amendments that if a government or non-government agency has specifically informed individuals concerned of statutory matters that should be communicated while the individuals concerned do not expressly refuse the collection of their personal data and have provided their personal data to the government agency or non-government agency, it shall be presumed that the individuals concerned have agreed to the collection or processing of their personal data by the government or non-government agency in accordance with Article 15 or Article 19 of the Law. However, in case of a dispute over whether an individual concerned has given the consent, since the absence of such consent is a passive matter and cannot be substantiated, the burden of proof should certainly be assumed by a government or non-government agency that asserts such consent has been given.
3. Addition of provisions concerning exemption of notification obligation (Note 7: Article 8, Paragraph 2, Subparagraph 6 of the Law: “The notification in the preceding paragraph may be exempt in any of the following circumstances: (6) Personal data are collected not for profits and the collection is not obviously unfavorable to the individuals concerned.”).
The Ministry of Justice pointed out in the amendment explanation that since the scope of personal data is very broad, when a government or non-government agency legally collects the personal data of an individual concerned not for profits and with no obvious unfavorable impact on the individual concerned, the notification obligation of the collector should be exempt to avoid adding too much cost for the legal collection by a collector.
4. Addition of the requirement that personal data shall be collected or processed by a non-government agency for specific purposes and specific circumstances should be met (Note 8: Article 19, Paragraph 1 of the Law: “Except for the data under Article 6, Paragraph 1, personal data shall be collected or processed by a non-government agency for specific purposes and shall meet any of the following circumstances:
1. There are specific legal requirements.
2. There is contractual or quasi-contractual relationship with the individual concerned and appropriate security measures have been adopted.
3. The individuals concerned have disclosed the personal data on their own or there are other personal data which have been legally disclosed.
4. An academic research institution needs to perform statistical or academic research based on public interest, and the data have been processed by the providers thereof or the manner in which the data are disclosed by the collector cannot possibly identify any specific individual.
5. The individuals concerned have given their consent.
6. This is necessary to further public interest.
7. Personal data are obtained from generally available sources, provided that this restriction shall not apply if there is any major interest more worthy of protection than an individual’s prohibition against the processing or use of such data.
8. There is no violation of the rights and interests of an individual concerned.”)
(1) The Ministry of Justice pointed out in the explanation for these amendments that when a non-government agency collects or processes personal data out of a “contractual or quasi-contractual relationship with an individual concerned,” the non-government agency is required to take appropriate security measures pursuant to Article 27, Paragraph 1 of the Law. Therefore, Article 19, Paragraph 1, Subparagraph 2 of the Law as amended provides that a non-government agency may collect or process the personal data of an individual concerned if it has a contractual or quasi-contractual relationship with such individual and if appropriate security measures have been taken.
(2) In addition, as previously stated, an individual’s consent under the Law is no longer limited to written consent. Therefore, Article 19, Paragraph 1, Subparagraph 5 was amended to stipulate that a non-government agency may collect or process personal data of an individual concerned for specific objectives if the consent of the individual is obtained.
(3) In addition, Article 15, Subparagraph 3 of the Law provides that a government agency may legally collect and process the personal data of an individual concerned for specific objectives if there is no impairment to the rights and interests of the individual. However, a non-government agency cannot apply the same provision. As a result, a non-government agency in practice faces inconveniences and additional operating cost. For example, the data about an emergency contact of a new employee or customer cannot be obtained without the consent of such emergency contact, even though a company’s acquisition of the data about the emergency contact does not impair the rights and interests of such contact. Therefore, Article 19, Paragraph 1, Subparagraph 8 was added to the Law to stipulate that personal data of an individual concerned may be legally collected under circumstances where the rights and interests of such individual are not impaired.
5. Additional requirement that criminal liabilities under the Law shall be preconditioned by an illegal intent of an actor
If an actor violates relevant provisions of the Law without an intent to pursue illegal interest for the actor or for any third party or to impair the interest of others, since the imputability is lower, civil damages and administrative penalties should be sufficient. Criminal punishment is imposed only when an actor violates the Law with an intent to pursue illegal interest for himself/herself or for a third party, which is more culpable. Therefore, Article 41 of the Law was amended so that criminal liability is imposed only when an actor has an illegal intent, and the criminal liability is increased from the previous imprisonment of up to two years to imprisonment of up to five years, and the maximum additional fine was increased from the previous NT$200,000 to NT$1 million (Note 9: Article 41 of the Law: “Any person attempting to pursue unlawful interest or impair the interest of others for himself/herself or for any third party in violation of Article 6, Paragraph 1, Article 15, Article 16, Article 19, Article 20, Paragraph 1 or any order or disposition issued by a central competent authority for specified business to an extent sufficient to injure others, imprisonment of up to five years will be imposed perhaps with an additional fine of up to NT$1 million.”).
6. The amendments require that a collector who has obtained personal data from sources other than the individuals concerned and who seeks to process or use such personal data after the effective date of the Law as amended is required to notify the individuals concerned before such processing or use takes place.
When the Law was promulgated on May 26, 2010, its scope of application was expanded so that the collection, processing or use of personal data which was previously not governed by the Law is governed by the Law. Article 54 of the original Law provided that if personal data had been obtained from sources other than the individual concerned before the Law came into force, the individuals should be notified in accordance with Article 9 of the Law within one year after the effective date of the Law before the processing or use of such personal data was to be conducted. However, the requirement was put on hold due to the excessive impact of Article 54 of the original Law. Article 54 as amended provides that a collector is obligated, after the effective date of the Law as amended, to notify the individuals concerned in accordance with Article 9 of the Law before their personal data are to be processed or used (Note 10: Article 54, Paragraph 1 of the Law: “For personal data not provided by the individuals concerned before the effective date of the Law as amended, which was promulgated on May 26, 2010, and processed or used after the effective date of the Law as amended on December 15, 2015, the individuals concerned shall be notified pursuant to Article 9 before the processing or use.”), and the collector may notify such individuals all at once before their personal data are to be used for the first time (Note 11: Article 54, Paragraph 2 of the Law: “The notification in the preceding paragraph may be conducted at the time of first use after the effective date of the Law as amended on December 15, 2015.”).
7. Commentaries and analyses on these amendments
(1) Many years have elapsed since the Law was adopted. In practice, implementation of Article 6 of the Law was postponed temporarily due to the great controversies over special data such as medical records or medical treatment. In reality, however, a typical company may collect special data about its employees for the sake of personnel management, and inadequate protection of the individuals concerned may result when the company treats the special data collected in the past as ordinary data about the individuals in the absence of special legal requirements for special data. Consider the following example. In case of special purposes and a contractual or quasi-contractual relationship with an individual concerned, a non-government agency may collect the personal data of the individual concerned in accordance with Article 19 of the Law with no need to obtain the consent of the individual. After these amendments, it is specifically stipulated that except as otherwise specifically provided under other laws or within the scope of necessity for a non-government agency to perform its legal obligations or under the statutory condition that individuals concerned have made the disclosure on their own, basically the written consent of the individuals concerned should be obtained before their personal data may be collected so that the individuals concerned are better protected.
(2) However, since Article 7, Paragraph 1 of the Law applies mutatis mutandis to Article 6, Paragraph 2 of the Law, the precondition for obtaining an individual’s indication of intent by a government or non-government agency is that the notification obligation under the Law should be performed. Therefore, if a collector obtains the written consent of an individual concerned to the collection of their special data while Article 8 of the Law is violated due to omissions in the notification matters, such individual’s indication of consent may be deemed invalid, making the collector unable to lawfully collect the personal data of such individual. Hence, this still requires special attention.
(3) In practice, legal restrictions are eased so that when an ordinary company or firm performs its notification obligation and the individuals concerned have also provided their personal data, it is presumed that the individuals concerned have given their consent under Article 19 or Article 20 of the Law. This is indeed beneficial to a collector since its administrative and operating cost can be reduced. However, to avoid future difficulties in substantiation, it is generally recommended that when a collector performs its notification obligation, it can still secure other written consent from individuals concerned with respect to the collection, processing or use of their personal data (Note 12: The Ministry of Justice issued an interpretation circular in the past to communicate that since a company’s notification obligation is different from an employee’s consent to the collection of his/her personal data, this is preferably handled separately in writing. Please refer to the Fa-Lu-Jue-10200655250 Circular, which states: “As for the circumstances where a company asks an employee to sign the consent form, this is merely conducted to obtain a record that reflects the employee is aware of the notification and has no bearing on the employee’s consent to the collection or processing of his/her personal data. In addition, if the company includes the notice and the consent form in the same written document without clear differentiation, the employees may be confused into giving all-encompassing consent. To avoid confusions to the employees, a company is advised to include the notification under Article 8 of the Law and the acquisition of the employee’s consent under Article 19 of the same law in separate written documents.”).