The Amendments to the Taiwan Personal Data Protection Act Were Adopted to Set Up a Dedicated Agency and Intensify the Punishment for Personal Data Leakage

June 2023

Elizabeth Pai and Hannah Kuo

To comply with the gist of 111-Xian-Pan-13 Constitutional Decision of the Constitutional Court, which requires the establishment of an independent supervisory mechanism for personal data protection.  In addition, to prevent fraud and unauthorized use of personal data by criminal rings after personal data leakage by businesses, the Executive Yuan Council adopted the Enhanced Measures to Prevent Non-governmental Agencies from Leaking Personal Data[1] in March this year and the draft Amendments[2] to three counter fraud laws, namely, the Money Laundering Control Act, the Securities Investment Trust and Consulting Act, and the Personal Data Protection Act, on April 13.  In particular, the Amendments to the Personal Data Protection Act cleared through three readings in the Legislative Yuan on May 16, 2023, were promulgated by the President on May 31, and Article 48 of penalties for violations of security maintenance obligations by non-government agencies came into force from the promulgation date, the implementation date of other clauses will be determined by the Executive Yuan.  The Amendments are highlighted below:

1. Establishment of an independent supervisory agency – Personal Data Protection Commission

Pursuant to the newly added Article 1-1 of the new law, the Personal Data Protection Act will be overseen by the newly established Personal Data Protection Commission as the dedicated competent authority.  The responsibilities of the original competent authorities such as the central competent authorities for specific industries, local city and county governments, and the National Development Council will all be transferred to the Personal Data Protection Commission.

2. Intensified penalties for personal data leakages

Under the amended Article 48 of the new law, the penalties for non-governmental agencies violating their security maintenance obligations are changed from “punishment only for failure to rectify within the required period” to “immediate punishment with a specified period for rectification.”  In addition, the maximum amount of fines is significantly increased.  A non-governmental agency that possesses personal data files but fails to adopt appropriate security measures or formulate a personal data file security maintenance plan will be fined NT$20,000 to NT$2,000,000, and will be required to rectify within a specified period.  In case of failure to rectify within the required period, such an agency will be fined NT$150,000 to NT$15,000,000 for each occurrence.  In the case of a serious violation, a fine of NT$150,000 to NT$15,000,000 will be imposed immediately along with a demand for rectification within a stated period.  Failure to rectify within the period will result in another penalty imposed on each occurrence.

After the passage of these Amendments, the newly established Personal Data Protection Commission will be responsible for the supervision under the Personal Data Protection Act and subsequent legal amendment issues, thereby strengthening the enforcement of the Act.  Relevant businesses should ensure that their operations comply with the provisions of the Personal Data Protection Act and take appropriate security measures to safeguard data security and avoid penalties.

For further details and analysis of the related content of the 111-Xian-Pan-13 Constitutional Decision of the Constitutional Court, please refer to our article titled The Secondary Use of the National Health Insurance Database Found Partially Unconstitutional in Taiwan Constitutional Court Decision.


[1] A proposal deliberated during the Executive Yuan Council; the Enhanced Measures to Prevent Non-governmental Agencies from Leaking Personal Data: URL: https://www.ey.gov.tw/Page/448DE008087A1971/85d891ac-0be6-4a29-b309-83f4a4951d09

Executive Yuan’s Newsletter titled The Prevention of Personal Data Leakage by Non-governmental Agencies; Premier Chen Remarked that Three Enhancement Strategies Should Be Implemented to Comprehensively Enhance the Personal Data Protection Capability of Operators: URL: https://www.ey.gov.tw/Page/9277F759E41CCD91/20466a66-3b95-40b8-80b3-e9833a4c3e30

[2] Update of the National Development Council.  The Three Counter Fraud Laws – the Draft Amendments to the Personal Data Protection Act by the Executive Yuan Council; URL: https://www.ndc.gov.tw/nc_14813_36809


The contents of all materials (Content) available on the website belong to and remain with Lee, Tsai & Partners. All rights are reserved by Lee, Tsai & Partners, and the Content may not be reproduced, downloaded, disseminated, published, or transferred in any form or by any means, except with the prior permission of Lee, Tsai & Partners.

The Content is for informational purposes only and is not offered as legal or professional advice on any particular issue or case. The Content may not reflect the most current legal and regulatory developments. Lee, Tsai & Partners and the editors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The contributing authors’ opinions do not represent the position of Lee, Tsai & Partners. If the reader has any suggestions or questions, please do not hesitate to contact Lee, Tsai & Partners.