Taiwan’s Privacy Regulator Proposes New Notification, Reporting and Response Requirements in Data Breach
Taiwan’s new personal data protection regulator, which is currently being established as the Preparatory Office of the Personal Data Protection Commission (“PDPC”), has proposed draft regulations imposing new notification, reporting and response requirements when data breaches occur (the “Draft”). These proposed requirements apply to both public and private sector entities.
The Draft requires governmental and non-governmental entities that become aware of any theft, alteration, damage, loss, or leakage of personal data (“Data Breach”) in their possession (“Data Collector”) to notify the affected data subjects individually, in an appropriate manner, within 72 hours of becoming aware. The notification shall include (i) the timing and facts of the Data Breach, (ii) the categories of personal data affected, (iii) the countermeasures adopted, and (iv) the contact information of the Data Collector and the available remedies or consulting channels. However, the Draft provides that if any of the following circumstances apply, the Data Collector may, taking into consideration technical feasibility and the protection of the affected data subjects’ privacy, make the notification via the Internet, news media or other appropriate means of public disclosure, and the public disclosure shall remain in place for at least 30 consecutive days:
(i) the Data Collector is unable to notify the affected data subjects individually in an appropriate manner due to lack of contact information of the affected data subjects, or such contact information is missing or non-identifiable,
(ii) the Data Breach did not involve sensitive personal data as defined by the Personal Data Protection Act (“PDPA”), and appropriate safeguards have been put in place for the affected personal data, ensuring that unauthorized parties cannot access its contents, or
(iii) the manner of notifying affected data subjects individually is too costly and would affect the operations of the Data Collector.
In the event that the Data Collector has justifications for failing to notify the affected data subjects within the 72-hour statutory period, it is required to specify the reasons for such failure to the PDPC and to rectify the failure within 72 hours after the grounds for the failure to notify have ceased to exist.
The Draft further requires the Data Collector to report Data Breaches falling within any of the following categories (“Significant Data Breach”) to the PDPC, in the manner designated by the PDPC, within 72 hours of becoming aware:
(i) the Data Breach involves sensitive personal data defined by the PDPA,
(ii) the affected information and communication system has 10,000 records of personal data or more, or
(iii) the number of the affected personal data records amounts to 100 or more.
The report shall include the following information:
(i) the name of the Data Collector,
(ii) the timing and location of such Significant Data Breach,
(iii) Data Collector’s awareness time and source of such Significant Data Breach,
(iv) the cause and type of such Significant Data Breach,
(v) the categories, estimated volume and extent of the damage of the affected personal data,
(vi) the manner and content of the data subject notification,
(vii) the adopted countermeasures to such Significant Data Breach, and
(viii) other relevant matters.
Where the Data Collector is unable, for any reason, to report the Significant Data Breach in the manner specified by the PDPC, it shall report the Significant Data Breach to the PDPC by other appropriate means within the 72-hour statutory timeframe, and shall note the reasons for being unable to report in the manner specified by the PDPC.
Where, due to natural disasters, incidents or other force majeure events, the Data Collector is unable to make the report to the PDPC within the 72-hour statutory period, it shall submit a supplementary report to the PDPC within 48 hours of the cessation of the impediment and shall state the reasons for the failure to report within the 72-hour statutory period.
Where a data processor (i.e., a party entrusted by the Data Collector to collect, process, or use personal data on its behalf) becomes aware of a Data Breach, such awareness shall be deemed constructive knowledge by the Data Collector. Upon becoming aware of a Data Breach, the data processor shall immediately notify the Data Collector and maintain a written record of such notification.
In addition, the Data Collector is required, taking into consideration the cause of the Data Breach, the number of affected data subjects, the categories and number of personal data records, and the potential risks, to adopt the following immediate and effective countermeasures after becoming aware of the Data Breach:
(i) investigate the source/route of the leak and implement isolation or blocking measures;
(ii) review access permissions and block unauthorized/abnormal access routes;
(iii) retrieve the personal data files that were sent in error; request the receiving party to delete or eliminate the personal data files that were sent in error;
(iv) request search engine operators to delete personal data that has been made public, or to take measures to remove such data from public view; and/or
(v) other immediate and effective countermeasures to prevent the Data Breach from escalating.
Upon becoming aware of a Data Breach, the Data Collector is required to make a record of such Data Breach in writing or electronically; such record shall include the following matters:
(i) the timing and location of such Data Breach;
(ii) Data Collector’s awareness time and source of such Data Breach;
(iii) the cause of such Data Breach, the number of the affected data subjects, and the categories and the volume of the affected personal data;
(iv) circumstances regarding the data subject notification;
(v) circumstances regarding the Significant Data Breach report;
(vi) adopted immediate and effective countermeasures to prevent further damage, and subsequent follow-up measures;
(vii) the impact of such Data Breach;
(viii) the methods, process, results and relevant supporting documentation of the investigation of the Data Breach; and
(ix) where there has been a failure of complying with the requirements set forth herein and the PDPC has ordered rectification within a specified timeframe, the process of implementing the rectification measures and relevant supporting documentation.
The above records shall be retained for at least 5 years from the day following the date on which the Data Breach was discovered. However, where other laws or regulations stipulate a longer retention period, those provisions shall apply.
The PDPC has already held a public consultation on the Draft and is now reviewing the comments received. The PDPC may amend the Draft based on those comments. The timeline for finalizing and implementing the Draft remains uncertain at this stage.
This publication is intended to highlight selected legal developments and is not intended to be comprehensive or to provide legal advice. If you have any questions on issues reported here, or if there are issues you would like to see covered in future editions, please contact the editors:
Robert C. Lee, at +886-2-8725-6601, rclee@yangminglaw.com
Dannie Liu, at +886-2-8725-6605, dannieliu@yangminglaw.com