On 16 May 2023, the Legislative Yuan passed an amendment to the Personal Data Protection Act (PDPA) to establish an independent committee to regulate the PDPA affairs and increase the penalty under the PDPA. We summarize the amendment below:
(1)Establishing Personal Data Protection Committee (Article 1-1):
Article 1-1 of the PDPA was added to establish a Personal Data Protection Committee to be the independent competent authority in charge of personal data protection matters.
(2)Increasing Administrative Fine (Article 48):
Article 48 of the PDPA was amended to increase administrative fine. Specifically,
a. For any non-government agency who violates Paragraph 1, Article 27 (i.e., failure to implement proper security measures to prevent the personal data from being stolen, altered, damaged, destroyed or disclosed), or fails to establish a security and maintenance plan for the protection of personal data files or a guideline on disposal of personal data following a business termination under Paragraph 2, Article 27, the maximum administrative fine is increased from NT$200,000 (approximately US$6,667) to NT$2,000,000 (approximately US$66,667) and it will be ordered to make rectifications within a prescribed period, failing which will face an administrative fine between NT$150,000 (approximately US$5,000) and NT$15,000,000 (approximately US$500,000) per violation.
b. Where any non-government agency violates Paragraph 1, Article 27, or fails to establish a security and maintenance plan for protection of personal data files or a guideline on disposal of personal data following a business termination under Paragraph 2, Article 27 and the violation is serious, the violator may be fined NT$150,000 (approximately US$5,000) to NT$15,000,000 (approximately US$500,000) directly and be ordered to make rectifications within a prescribed period. Failure to do so will be fined per violation.
Kang-Shen Liu