Open Government Data in Taiwan

The amendment of the Taiwanese Personal Data Protection Act 2025/05/28 On March 27, 2025, the Executive Yuan released and submitted a draft partial amendment of the Personal Data Protection Act to the Legislative Yuan. The amendment aims to comprehensively enhance personal data protection by constructing the foundation for an independent supervisory agency[1]. Taiwan’s Personal Data Protection Act- legislative progress Taiwan’s Personal Data Protection Act (PDPA) has been amended three times since its release in 1995. In May 2023, the latest amendment to the PDPA introduced Article 1-1, designating the Personal Information Protection Committee as the competent authority under the Act. This legislative development was made in light of the Taiwan Constitutional Court Judgment 111-Hsien-Pan-13 (2022) (Case on the National Health Insurance Research Database)[2], which held that, to ensure the protection of personal information and the constitutional right to privacy under Article 22, the establishment of an independent data protection mechanism is required. In accordance with Taiwan Constitutional Court Judgment 111-Hsien-Pan-13 (2022), the Personal Data Protection Commission (PDPC) must be established by August 2025. To facilitate this, the Preparatory Office of the Personal Data Protection Commission was established in December 2023. This office is mainly responsible for drafting and establishing the regulations and organizational framework required to establish the independent authority, including drafting the Organization Act of the PDPC and the amendments to the PDPA. To develop the regulatory framework for an independent authority, the Preparatory Office of the Personal Data Protection Commission has planned a two-stage amendment process. The first phase seeks to establish the legal foundation of the PDPC, while the second phase will address other substantive issues of personal data protection. For the first stage, the Preparatory Office of the Personal Data Protection Commission drafted the Organization Act of the Personal Information Protection Committee in accordance with Article 1-1 of the PDPA and revised partial provisions of PDPA to reflect the function and duties of the PDPC. The Draft of Partial Amendment to the Personal Data Protection Act The key points of the amendment of PDPA are to empower the commission with essential regulatory functions, to strengthen the regulatory oversight and management of personal data within public sectors, and to set up a transition period to transfer regulatory authority over the private sectors[3]. 1. Empower the commission with essential regulatory functions Due to the lack of a unified agency for receiving incident reports and the efficiency issues caused by the current decentralized legal enforcement, the amendment of PDPA designates the PDPC as the competent authority to receive the incident reports. Centralizing incident reporting under the PDPC facilitates a clearer understanding of the nature and status of related incidents. It also helps regulatory authorities to investigate and handle problems quickly. The rules for reporting data breach incidents are set out in Article 12 of the amended PDPA. According to Article 12 of the amended PDPA, both public sector and private sector entities are required to take appropriate actions and retain the records when a data breach occurs. In addition, public sector entities must report the incident to the PDPC and other relevant government agencies, while private sector entities are required to notify the incident to the PDPC, which will then inform its competent authority[4]. In terms of personal data security maintenance, the amended PDPA states that the competent authority is responsible for formulating regulations concerning security maintenance, governance mechanisms, protective measures, and other relevant matters[5]. Accordingly, PDPC, as the competent authority, will draft the Regulations Governing Security Maintenance and Administration to provide the legal basis for the conducting audits, inspections, and administrative sanctions[6]. 2. Strengthen the regulatory oversight and management of personal data within the public sector The amendment of PDPA designates the PDPC as the independent authority responsible for overseeing the overall personal data protection affairs, including supervision of public sectors. The PDPC is empowered to supervise the public sector entities regarding their compliance with personal data protection regulations. Therefore, the role of the Data Protection Officer (DPO) is introduced in Taiwan for the first time. Article 18 of the amended PDPA states that every public sector entity must appoint a DPO to promote and oversee matters related to personal data protection. This approach reinforces personal data protection from both internal and external perspectives[7]. In considering restructuring and resource allocation associated with introducing this new role, the DPO requirement in PDPA currently applies to the public sector entities. However, both the public and private sectors are required to designate specialists to be responsible for managing personal data protection and security affairs[8]. 3. Set up a transition period to transfer regulatory authority over the private sectors Under the current regulation framework, the supervision of personal data protection in the private sector is decentralized and supervised by different competent authorities. To address this gap, the amendment of PDPA clarifies that the PDPC will serve as the supervisory authority for these entities in the future. In terms of the private sector entities already under the supervision of specific competent authorities, supervisory arrangements will initially remain unchanged. However, to achieve regulatory consistency, the amendment introduced a six-year transitional period during which supervisory responsibility will be transferred to the PDPC. During this transition, the PDPC will collaborate with relevant agencies every 2 years to assess the implementation of the new framework of PDPC and the situation of supervision across the private sector[9]. The draft Organization Act of the Personal Data Protection Committee has also been released To complete the legal basis of PDPC, the draft Organization Act of the Personal Data Protection Committee (hereinafter referred to as the draft of the Organization Act) is released with the PDPA amendment. The draft of the Organization Act aims to formalize the PDPC as the independent central supervisory body. Additionally, it also clarifies the division of responsibilities among agencies on personal data-related matters. Once enacted, the PDPC will serve as Taiwan’s independent authority. According to the draft of the Organization Act, the PDPC is designed as a collegial system with 5-7 committee members, serving a term of 4 years, and members may be reappointed upon completion of their term[10]. As a central third-level agency, the committee members will exercise their powers independently. The draft of the Organization Act states that the PDPC is responsible for making the legislation and policies of personal data protection, the oversight of personal data protection, promoting and researching personal data-related technology, protecting cross-border transfer of personal data and the talent acquisition of personal data protection[11]. The draft of the Organization Act establishes the legal foundation for the PDPC, outlining its organization structure and core responsibilities. Additionally, it grants the PDPC the authority to supervise and enforce compliance with personal data protection regulations. Benefits of the legal reform of the Personal Data Protection Act and the next step The draft partial amendment to the Personal Data Protection Act, along with the draft Organization Act of the Personal Information Protection Committee, have been submitted to the Legislative Yuan for legislative review. This marks the first time that Taiwan has established an independent authority responsible for personal data protection. The PDPA amendment not only formalizes the legal status and authority of the Commission but also enhances the legitimacy and credibility of personal data collection and use. However, amendments to other substantial aspects of data protection will be introduced in the next phase. The Preparatory Office of the Personal Data Protection Commission has already initiated work on the second phase, which will focus on substantial personal data protection issues in the context of the digital era. Reference: [1]The Executive Yuan approved the draft Organizational Act of the Personal Data Protection Commission and the draft of partial amendments to the Personal Data Protection Act, aiming to establish a comprehensive independent supervisory mechanism and enforcement authority, and to build robust data governance for the era of comprehensive AI application., Executive Yuan, https://www.ey.gov.tw/Page/9277F759E41CCD91/747cda78-926f-4205-99b3-1a735fc1b97b (last visited May. 19, 2025). [2]Constitutional Court Judgment 111-Hsien-Pan-13 (2022) (Case on the National Health Insurance Research Database). [3]Establish an independent supervisory authority for personal data protection to strengthen personal data safeguards. The Executive Yuan approved the draft Organization Act of the Personal Data Protection Commission and the draft partial amendments to the Personal Data Protection Act., Preparatory Office of the Personal Data Protection Commission website, https://www.pdpc.gov.tw/News_Content/20/907/ (last visited May. 19, 2025). [4]Partial Amendment Draft to the Personal Data Protection Act, the 8th meeting of the 3rd session of the 11th Legislative Yuan, General Bill No.20, Executive Yuan Proposal No.11010550, Art. 12. [5]Id. Art 18, Art 20-1. [6]Supra note 3. [7]Id. Art.18. [8]Id. Art. 20-1. [9]Id. Art.51-1. [10]Draft of the Organization Act of the Personal Information Protection Committee, the 8th meeting of the 3rd session of the 11th Legislative Yuan, General Bill No.20, Executive Yuan Proposal No. 1101052, Art. 3.Draft of the Organization Act of the Personal Information Protection Committee, the 8th meeting of the 3rd session of the 11th Legislative Yuan, General Bill No.20, Executive Yuan Proposal No. 1101052, Art. 3. [11]Id. at Art. 2.

Research on the Introduction of Privacy Protection Management Mechanisms and Data Value-Added Services into Communications Enterprises in 2020 2021/12/09 I. Introduction 　　The global economy is shifting away from traditional economic models towards an emerging digital era as technology advancement and new applications are introduced. The rapidly changing digital age has led to a gradual transformation in the way digital technology is used in the industry, thereby driving the overall growth of the global digital economy. The digital economy is driven by "data," and how data is used, its purpose, risks and regulation are all inextricably intertwined with industrial development and application, as is the case for the communications industry. 　　As such, while the free circulation of data has become central to international free trade and economic operations, it is not only conducive to the promotion of transnational business and economic and trade interactions, but also fraught with worry and concern over how to ensure the protection and security of personal data and privacy. As a result, the issue of how to adapt the data risk control mechanism and related complementary measures so that they can be applied to the industry and comply with regulatory requirements has become a global reality that must be actively addressed. As far as Taiwan is concerned, when considering how to cope with industry needs, there is a pressing need to strike a balance between personal data and international regulatory requirements, and to expedite the legitimate utilization of personal data protection and data value-added service in the sector in an effort to facilitate the development of the digital economy. II. Recommendations on Data Governance and Innovative 　　Application Planning. According to the aforementioned international data strategies and strategies for innovative data applications, the development of the data economy as a whole is driven by the formulation of overall superior policies, with a view to fully utilizing the potential value of data and building a vibrant ecosystem suited for innovative data applications. With the outbreak of COVID-19 this year, the application of data will be crucial in the post-pandemic era. It is also observed that data applications are gradually moving towards cross-boundary sharing and reuse, and empowerment of data subjects, and therefore, in light of the above observations and findings, we offer recommendations on data governance and innovative application planning. First, as for the establishment of a ministry and mechanism for data application and communication, since there is no single dedicated authority in Taiwan, and the formation of a ministry for science and technology development is now under intense discussion, data application may become an important function of the ministry, so we have to consider an authority for data application and communication. Further, there is currently no sandbox mechanism for data application in Taiwan. Reference should be made to the British data communication mechanism for providing legal advice and consultation sought on data application regulation. 　　Second, with regard to the formulation of regulations and amendments to existing laws relating to data applications, the most noteworthy is the EU Data Governance Act 2021. Taiwan does not have a complete and appropriate legal framework for data application, except for the Freedom of Government Information Law, the Personal Data Protection Act (PDPA) and the relevant laws and regulations distributed in various fields, and the nation is currently seeking an adequacy decision from the EU, and therefore our PDPA needs to be amended accordingly, yet no progress has been made at this stage. Consequently, a comprehensive strategy should be developed by taking into account both the formulation of the basic data application regulations and the amendments to the current PDPA, in order to achieve long-term data governance and application and sharing. 　　Lastly, in terms of the incorporation of the concept of data empowerment and the design of the mechanism, the international trend moves towards data empowerment to give data subjects more control over their data. The Financial Supervisory Commission (FSC) of Taiwan has also incorporated this idea in its open banking, so has the National Development Council’s (NDC) MyData program. As such, it is suggested that the government should provide guidelines or devise the relevant system, or even make reference to the Japanese data bank mechanism regarding the establishment of intermediaries to assist consumers in managing their data, which could be used as a reference for the design of the mechanism in the future. III. Accountability for and Management of Data Use in Enterprises 　　Among the countries studied regulation of Singapore and Taiwan are similar and have adopted the development of digital economy as their main economic strategy, but Singapore has been more proactive than Taiwan in the design of the legal system to facilitate the use of data. Therefore, with regard to the control of data use in businesses by the competent authorities, this Project, by looking at the amendment to the Singaporean PDPA, aims to reinforce the regulation of the accountability system and the operation of the existing series of guidelines. From the changes in Singapore's PDPA, it can be observed that the competent authorities can refer to the practices of enterprises in the use of data. 　　First of all, the existing regulations in Taiwan tend to have more about compliance than accountability, with emphasis being placed on data security maintenance and compliance with the PDPA. For instance, Taiwan’s “Regulations Governing Security Measures of the Personal Information File for Non-government Entities Designated by National Communications Commission” focus on following the law on the use of personal data. Nonetheless, the so-called accountability means that the competent authorities must oversee the implementation of data protection measures and policies of enterprises, not just pro forma compliance with the letter of the law. 　　The second observation is that Singapore is quite proactive in addressing the need for data use in the development of its digital economy by making an exception to innovative uses regarding informed consent. The inclusion of data portability also represents a heightened control of the data subject. These amendments are all related to Singapore's policy of actively developing its smart nation initiative and signify a more proactive approach by the authorities in monitoring the use of data by businesses. Taiwan needs to be more open and precise in regulating the use of data for the development of its digital economy. 　　Finally, there is increased flexibility in enforcement, as authorities can resolve disputes between subjects over data use more quickly through the introduction of mediation or other alternative dispute resolution (ADR) mechanisms. Meanwhile, the Personal Data Protection Commission (PDPC) has developed industry-specific consultation guidelines, recognizing that there may be specific issues for different industries. The PDPC noted that these guidelines are based on the partnerships, consultations and feedback associated with the relevant industries, and close collaboration with the industry's authorities of target businesses. IV. Conclusion 　　Despite the lack of a dedicated authority for personal data protection, Taiwan can first build a cross-industry coordination and communication platform, and then collaborate across ministries to primary integrate standards in personal data protection to facilitate the needs of industrial innovation in the digital economy.

The security facet of cyberspace along with a world filled with CPU-controlled household and everyday items can be examined from various angles. The concept of security also varies in accordance with different stages of national conditions and industrial development in different nations. As far as our nation is concerned, the definition of security industry is "an industry offering protection for human bodies, important infrastructure, information, financial system, as well as offering equipment to defend the security of national lands and the service"1 as initially defined by "Security Industry Program Office." Judging from the illustration of the definition, the security industry should be inter-disciplinary and integrative, which covers almost all walks of life and fields, such as high-tech industrial security management, traffic & transportation security management, fire control and prevention against natural calamities, disaster relief, information security management, security management in defense of national borders, and prevention of epidemics. After the staged mission, "e-Taiwan program", was accomplished in 2007, our government hoped to construct a good surrounding by creating a comfortable life from a user’s point-of-view. This was hoped to be achieved by using "the development of a high-quality internet society" as a main source by using innovative services, internet convergence, perceptive environment, security, trust, and human machine linkage. At the Economic Development Vision for 2015: First-Stage Three-Year Sprint Program (2007~2009) formulated by the Executive Yuan, wireless broadband, CPU computer-controlled items all have become part of our every day lives, and healthcare, along with the green industry are listed as the next emerging industries; whereby the development of relevant critical technologies is hoped to be promoted to create higher industrial values and commercial opportunities. However, from a digitally-controlled-life viewpoint, the issue concerned by all walks of life is no longer confined to the convenience and security of personal life but gradually turns to protection of security of a critical infrastructure (CI) run by using information technology. For instance, finance management, stock market, communication network, harbors and airports, high speed rail, R&D of important technology, science parks, water purification facilities, water supply facilities, power, and energy facilities. 2Because security involves resources related with people's most fundamental living needs and is the most elementary economic activity of the society, it is regarded as an important core objective to promote the modern social security system. Therefore, critical infrastructure protection requires more dependence on information and communication technology to maintain the stability of finance and communication, as well as the security of facilities related with supply and economy of all sorts of livelihoods in order to ensure regular operation. With the influence of information and communication technology on the application of critical infrastructure on the increase, the society has increasingly deepened its dependence on the security of our cyber world. The concept and connotation of information security also keep extending with it toward the aforementioned critical infrastructure protection planning, making critical information infrastructure protection (CIIP) and critical infrastructure protection (CIP) more inseparable in concept3 , and becomes an important goal of policy implementation to achieve the vision of a digital lifestyle which is secure for every nation. In recent years, considerable resources have been invested to complete an environment whereby a legal system of “smart lifestyle” is developed. However, what has been done for infrastructure protection continues to appear as not being comprehensive enough. This includes vague definitions, scattered regulations and policies, different protection measures taken by different authorities in charge, obvious differences in relevant risk management measures and in the magnitude of management planning of information security and so on. These problems all influence the formation of national policies and are the obstacles to the promotion of relevant industrial development. In view of this, the 2008/2009 International CIIP Handbook will be used as the cornerstone of research in this project. After the discussion on how critical infrastructure protection is done in America, Germany and Japan, the contents of norms of regulations and policies regarding critical infrastructure protection in our nation will be explored to make an in-depth analysis on the advantages and disadvantages of relevant norms. It is hoped to find out what is missing or omitted in the regulations and policies of our nation and to make relevant amendments. Suggestions will also be proposed so that the construction of a safe environment whereby the digital age of our nation can be expanded to assist the “smart lifestyle” to be developed further. 1.See http://tsii.org.tw/modules/tinyd0/index.php?id=14 (last visited May 24, 2009) 2.For "2008 International Conference on Homeland Security and Application of Technology in Taiwan ~ Critical Infrastructure Protection~", please visit http://www.tier.org.tw/cooperation/20081210.asp (last visit date: 05/17/2009). 3.For critical infrastructure protection, every nation has not only proceeded planning for physical facilities but put even more emphasis on protection jobs of critical information & communication infrastructure maintained via the information & communication technology. In the usage of relevant technical terms, the term "critical infrastructure" has also gradually been used to include the term "critical information & communication infrastructure". Elgin M. Brunner, Manuel Suter, Andreas Wenger, Victor Mauer, Myriam Dunn Cavelty, International CIIP Handbook 2008/2009, Center for Security Studies, ETH Zurich, 2008. 09, p. 37.

To establish a trusted foundation for sports data compliance, the Sports Data Altruism Service releases the Sports Data Altruism Service Personal Data Assessment Legal Compliance Handbook 2024/05/15 I. Introduction The Sports Data Altruism Service aims to construct a blueprint for the development of sports and technology, to promote practical applications for sports scientific research results, to drive industry development, and to establish a sports data innovation ecosystem. This will be achieved through multi-ministerial/multi-agency value-added applications for sports data, multidisciplinary upgrading and transformation of sports technology, digital empowerment to establish a sports technology ecosystem, and public-private collaboration efforts. The Sports Data Altruism Service aims to build a legal compliance platform, and to reinforce the trust foundation for legally-compliant sports data operations, all while balancing privacy protection and public interest. In pursuit of these ends, the Sports Data Altruism Service draws upon international data governance practices and trends, as well as current industry practices. It aims to develop guidelines and regulations that consider the value of sports data applications and apply them to data legal compliance operations for sports venues. The Service is also intended to help operators in the sports field maintain personal data protections and reasonable use. Consequently, in August 2023, the Sports Data Altruism Service released the Sports Data Altruism Service Personal Data Assessment Legal Compliance Handbook. For entities seeking to become Sports Data Altruism Service data providers, the Handbook explains the related regulations and provides important things to watch out for. II. Structure of the Sports Data Altruism Service Personal Data Assessment Legal Compliance Handbook The Handbook is divided into three sections: A. Requirements for joining the Sports Data Altruism Service: Before starting with the Sports Data Altruism Service, users must read and agree to the service’s Privacy Policy, Terms of Service, Notification Regarding Personal Data Collection and Personal Data Provision Agreement, and other important platform information. The Privacy Policy explains how the platform collects, uses, and protects the information that users provide. If you wish to become a data provider or data user, the Terms of Service will explain what you need to comply with to do so. And if you decide to become a data provider or data user, you must register on this platform and must sign the "Notification and Letter of Consent for Collection, Processing, and Use of Personal Data" to state your agreement to provide your data to the platform. B. Personal data subject rights protection mechanism for sports venue operators (data providers): After becoming a Sports Data Altruism Service data provider, to lawfully obtain the personal sports data, the data provider must submit the Points of Note When Connecting to the Sports Data Altruism Service and Personal Sports Data Provision Agreement. This form, submitted in either paper or online format, must include a signature from the person whose personal sports data is to be used. When a data subject needs to correct their personal data or no longer wishes to provide their data to the Sports Data Altruism Service, the data provider must provide the Exercise of Data Subject Rights Application Form. After the data subject submits the application, the sports venue operator must verify whether the data has been processed to the extent that it cannot be used to identify a specific individual. In accordance with Article 4 of the Points of Note When Connecting to the "Notice of Connection to the Sports Data Altruism Service Platform and Consent Form for Provision of Personal Sports Data", data that can no longer identify specific data subjects is no longer considered personal data, and is not subject to exercising of data subject rights, nor is it subject to deletion of statistical or analytical results based on such data. If the data has not been anonymized, the operator must remove the data subject from the list uploaded to the platform and delete any unprocessed sports data. They must also retain records of the deletion and notify the data subject. Source: Sports Data Altruism Service Personal Data Assessment Legal Compliance Handbook Figure 1　Data Subject Rights Exercise Mechanism for Sports Venue Operators C. Data protection management process for sports venue operators (data providers): To assist sports venue operators in complying with personal data protection requirements, the Sports Data Altruism Service provides a personal data protection self-assessment tool. After an operator becomes a Sports Data Altruism Service data provider, they must assess their compliance with data protection laws by completing the Self-Assessment Form for Personal Data Protection in Collecting Public Sports Data by Sports Venue Operators (Data Providers). This helps operators understand the importance of personal data protection and establish a robust personal data protection management system, to achieve both data protection and reasonable usage. The Self-Assessment Form for Personal Data Protection in Collecting Public Sports Data by Sports Venue Operators (Data Providers) is designed in accordance with the regulations of the Personal Data Protection Act and its enforcement rules. It includes 20 assessments in 10 major categories. When filling out the self-assessment form, the operator must provide the name of the self-assessment venue, the name of the person filling out the form, and the date. The form has to be completed based on the personal characteristic data and sports data that is to be uploaded to the Sports Data Altruism Service. However, not every assessment is mandatory. The form requires considering the operator’s actual situation to review the current practices related to personal data protection and management, then conducting the self-assessment based on this. For more detailed information about the Sports Data Altruism Service Personal Data Assessment Legal Compliance Handbook, please visit the Sports Data Altruism Service website (https://www.data-sports.tw/#/SportData/Landing?redirect=%2FDashboard).