The Coverage and Policies of Critical Infrastructure Protection in U.S.

In light of the influence on social security of Internet-related crime, in 2007 Taiwan passed the amendment to the Communication Protection and Inspection Act (CPIA) to update the articles relating to the surveillance of Internet-related crimes. Moreover, the notification obligator clause was added to the Child and Adolescent Sex Trade Prevention ACT (CASTPA), and the penalty for copyright infringement over the Internet was prescribed in the Copyright Act in order to stop Internet-related crimes. 1. Amendment to the CPIA On 15 June 2007, the legislature of Taiwan passed the amendment to the CPIA which was promulgated by the President of Republic of China on 11 July 2007. The amendment mainly concerns the update of the power of issuing surveillance warrants, the scope of emergency surveillance, the supervisory agencies of relevant surveillance activities, and the evidence power of illegal surveillance. The amendment will be brought into force in five months. Currently, a surveillance warrant is issued (1) by the district prosecutor following an application made by the police or based on his authority for cases under investigation; and (2) by the judge based on his power for cases on trial. According to Article 5.2 of the amended CPIA, for cases under investigation, the district prosecutor should record the details of surveillance in writing following the applications made by the judiciary police or based on his authority and should state the reasons and submit relevant documents before applying to the jurisdiction court for the issue of the surveillance warrant. The district prosecutor should approve and reply to the applications made by the judiciary police within 2 hours. For cases of greater complexity, the approval and reply time may be extended for another 2 hours with the consent of the chief district prosecutor. After receiving an application for a surveillance warrant from the district prosecutor, the jurisdiction court should approve and reply to the application within 24 hours. For cases on trial, a surveillance warrant should be issued by the judge based on his authority. Also, the judge may give appropriate instructions for the surveillance in the warrant. Moreover, if an application for a surveillance warrant is rejected by the court, the district prosecutor should make no objection in any form. In other words, the power of issuing a surveillance warrant for cases under investigation has been transferred from the district prosecutor to the judge. Furthermore, the law-enforcement authorities are given the right to initiate an “emergency surveillance” before application during the investigation of serious criminal cases according to Article 6 of the CPIA. In an investigation of serious criminal cases involving obstruction of voting, kidnapping, offence of the President and Vice President Election and Recall Act, the judiciary police may request the district prosecutor to orally notify the implemental authorities of an emergency surveillance. However, the district prosecutor should report to the jurisdiction court to apply for a make-up issue of the surveillance warrant within 24 hours. The district prosecutor’s office should appoint a responsible district prosecutor or a head district prosecutor as the emergency contact for cases involving emergency surveillance. The court should also assign a special window to take charge of the applications for surveillance warrants made by the district prosecutor, and should issue a make-up surveillance warrant within 48 hours of the acceptance of the application. Should the make-up surveillance warrant not be issued within 48 hours, the emergency surveillance should be terminated immediately. The district prosecutor, the court of law and agencies taking charge of the country’s intelligence work are responsible for the supervision of surveillance. According on Articles 12 and 16 of the amended CPIA, regulations governing the period and supervision of surveillance are summarized as follows: (1) The period of surveillance should not exceed 30 days for serious and emergency cases involving endangering national security or social order and blackmailing as in Article 5 of the CPIA; or for cases involving obstruction of voting, kidnapping and offence of the President and Vice President Election and Recall Act as in Article 6 of the CPIA. The responsibility of supervision is the district prosecutor's office for cases under investigation and the court of law for cases on a trial. (2) The period of surveillance should not exceed 1 year for collecting information of foreign powers or offshore opposing powers as in Article 7 of the CPIA. Intelligence authorities should send agents to supervise the electronic surveillance equipment or to the supplier of surveillance equipment to supervise the conditions of surveillance. Should continual surveillance be needed, the implemental agency should submit concrete reasons to make a second application for surveillance two days before the end of the first surveillance period. However, the surveillance should be terminated immediately when the chief of the intelligence agency believes that it is no need to continue the surveillance before the end of the surveillance period. Lastly, the exclusivity of the evidence power of information collected from illegal surveillance is added to Articles 5, 6, 7 and 32 of the amended CPIA. According to Articles 5 and 6, should the surveillance involve severe offence of regulations, the information or evidence collected from the surveillance will not be accepted as evidence in a judiciary investigation, a trial or relevant procedure. Additionally, according to Articles 7 and 32, information or evidence collected from illegal surveillance will not be accepted as evidence in a judiciary investigation, a trial or relevant procedure. The severity of the offence should be determined by the judge based on individual cases. 2. Amendment to the CASTPA Child pornography is easily distributed because of the advancement of Internet communication; and the prepubescent pornography market is expanding as a result. The legislature of Taiwan thus passed on 15 June 2007 the amendment to the CASTPA that was promulgated by the President of Republic of China on 4 July 2007. In the amendment, neighborhood heads, ISPs and telecommunication system providers are the obligator of notification, and “possessors” of child pornography are to be penalized. According to the explanatory statement of the act, child pornography is the permanent record of the abuse of the victims. This will inflict continual damage on the victims. Moreover, child pornography is considered a “serious child exploitation” all over the world. Therefore, there is an international understanding to penalize the possession of child pornography. Before the amendment, Article 28 of the statue simply penalizes people distributing and selling child pornography in the form of disc, videotape and printing. Those deliberately distributing, broadcasting and/or selling child pornography in the form of pictures, videotape, film, disc, electronic signal or other form will be penalized by imprisonment for a term of less than 2 years and with a fine of under NT$2 million. [In the amendment,] those deliberately distributing, broadcasting and/or selling child pornography are penalized and imprisonment for a term of less than 3 years and with a fine of under NT$5 million. While child pornography inflicts continual damage on the victims, Article 28.3 has been added to statute. According to this new Article, those in possession without a proper reason of pictures, films, videotapes, discs, electromagnetic recordings and/or other articles containing sexual intercourses or acts of indecency by people under 18 are to be penalized. In this case, the “possession” of child pornography is penalized. The penalization falls into two stages: competent authorities of municipalities and local counties and cities may order the offender to receive guidance education for 2-10 hours if he/she is detected possessing child pornography without a proper reason for the first time; if offenders are detected for the second time or more, they will be fined NT$20000 to NT$200000. The amendment also refers to the legislation in Canada and the Netherland to reduce the scope of “proper reasons for possession” to scientific study, education and for medical treatment purposes in order to protect prepubescent children from sexual exploitation. Moreover, the amendment has expanded the scope of the notification obligator by including ISPs and telecommunication system providers as the notification obligator. While the Internet and mobile phones are widely used by the public and prepubescent children often receive pornographic information via the chat rooms on the Internet and SMS, this will cause many side effects on prepubescent children in the absence of appropriate management and protection. According to the statistics provided by the Ministry of the Interior, about 300 prepubescent children are sexually assaulted every year from online dating. According to The Garden of Hope Foundation, 40% of sex trade with prepubescent girls found in Taipei County during 2003-5 was conducted over the Internet, and it was 100% for prepubescent boys. It is thus clear that the Internet has become a platform for distributing child pornography. ISPs and telecommunication system providers are included as the notification obligator in Article 9 of the amended statute. Therefore, if they do not notify the authorities in the knowledge of child pornography, they will be fined NT$6000-NT$30000 according to Article 36 of the statue. Therefore, neighborhood heads, ISPs and telecommunication system providers must notify the local competent authorities or authorities specified in Article 6 of any prepubescent children who engage or probably engage in the sex trade in their knowledge. This is designed in order to strengthen the notification and prevention functions and to effectively stop those who deliberately use chat rooms on the Internet and SMS to engage in true sex trade in the disguise of online dating. Though the scope of notification obligation has been expanded in the amendment to the CASTPA to strengthen the notification and prevention mechanisms of prepubescent children sex trade and to define the notification obligations of the supplier and provider of SMS, network chat rooms, BBS, blogs and e-news services, many problems arise as a result. First, when telecommunication system providers have the obligation of notification, they also need to submit relevant evidence. However, this may involve the infringement of privacy of communication. If telecommunication system providers must not commit illegal surveillance, they are unable to acknowledge the contents of communication of consumers. In this case, how can they notify any crime? On the other hand, though information over the Internet is open to the public, it is a tough question for law enforcement officers to provide solid evidence proving that the administrator of online chat rooms and blogs has failed to perform his obligation of notification. 3. Amendment to the Copyright Act The online music downloading service debate has become a heated issue in recent years for the following reasons: “to select only the songs I like”, “comprehensive repertoires”, and “convenience”. According to the Online Music Downloading Survey by the Secure Online Shopping Association (SOSA), 85% consumers have tried the online music downloading service, thus giving rise to the comprehensive online music downloading software and services. However, to attract consumers with files containing unlicensed music, video or other files and charge users of such services, some ISPs provide computer programs or technologies, e.g. point-to-point (P2P), for users to exchange such outlawed materials and charge users for such services. Such acts of making profit from copyright infringement has inflicted disputes in copyright infringement. For example, the IFPI’s accusation in 2003 of Kuro, a P2P platform provider, is the first convicted case of P2P music downloading service in Taiwan. Though the software supplied by Kuro is a neutral technology which is not illegal, Kuro recruited members and charged them membership fees for allowing them to illegally downloading, exchanging and reproducing a large amount of unlicensed copyrighted materials with such software and the platform services it supplies. Kuro also advertised that consumers can download tens of thousands of the latest popular songs with the Kuro software and even encouraged members to download them. Therefore, the court decided that Kuro and its members who have practically downloaded copyrighted music illegally are guilty of copyright infringement. On the other hand, ezPeer, another P2P downloading platform provider, was not found guilty of copyright infringement because no law was practiced at that time to prohibit or restrict the use of P2P software. Also, as a transfer platform, ezPeer offers comprehensive functions and it is thus not a tool for committing crime. Even some users transfer or download unlicensed copyrighted materials with this tool, there is possibility for the non-liability reasonable use. Moreover, ISPs have no filtering obligations in the Copyright Act of the ROC. Therefore, even consumers may use the services for illegal activities, P2P service providers are not an accomplice. Therefore, to define the liabilities of P2P platform providers, the legislature of Taiwan passed on 14 June 2007 the amendment to the Copyright Act to include P2P software providers in governance of the act. In the future, platform providers will be prohibited by the Copyright Act from charging members for unlicensed activities. New objects of copyright infringement are added to the amendment, and the amendment includes the addition of Article 87.1.7, 87.1.2, and 97.1; and the revision of Article 93.4. According to Article 87.1.7, attempt to allow the public to openly transfer or reproduce works of others without prior consent or licensing from the owner is copyright infringement, and supply of computer programs and/or technologies that can be used for public transfer and/or reproduction of such for the purpose of making profits is deemed as copyright infringement. As the supplier of computer programs and/or technologies is the focus of this article, behaviors categorized based on this article must also meet the following requirements: (1) attempt to allow the public to download and/or transfer over the Internet copyrighted materials without prior consent or licensing of the copyright owner; (2) the act of supply of computer programs and/or technologies; (3) and making profits from such behaviors. In other words, the focus of the amendment is to prohibit providers by written law from supplying computer programs and/or technologies for users to transfer and/or exchange unlicensed music, video and/or other copyrighted materials and from charging users or making profits from such services. However, the amendment has adopted the principle of technology neutrality and specifies that P2P software providers will only be penalized when they have the act of making profit and the intention of copyright infringement in order not to prevent technological development and to save ISPs from breaking the law all the time. As the “intention” of copyright infringement is the criterion of judgment, Article 87.2 is added to the Copyright Act in the present amendment. According to this article, whether or not the doer instigates, guides or incites in advertisements or other active actions the public to use the computer programs and/or other technologies it supplies to commit copyright infringement is the criterion for determining the “intention” of copyright infringement. Also, the court will determine with severity whether or not the advertisements or other active actions are ready for instigating, guiding or inciting the public use the computer programs and/or other technologies the doer supplies to commit copyright infringement. In general, when providers offer services, such as web photo albums, BBS, instant messengers, auctions, web disks and online discussions, it is not their initial intention to supply software and/or technologies for users to illegally download and/or transfer the copyrighted materials of others, nor do they encourage, instigate, guide, incite and/or convince users to commit copyright infringement. Even such software can be used for transferring and/or distributing unlicensed copyrighted materials, providers must not be restricted, and it should be the users who take the liability of copyright infringement. After the enactment of the amendment, providers who make profit from supplying software for others to distribute unlicensed copyrighted materials and encourage users to exchange such materials with the software are to be penalized by imprisonment for a term of less than 2 years, community service, or fined, or penalty together with a find of under NT$500000 according to Article 93. Moreover, by adding Article 97.1, the competent authorities are entitled to order ISPs to shutdown or close the business when they are convicted for the abovementioned offences and refuse to stop such illegal acts after being determined for “severe copyright infringement” and “severely injury of the benefits of the copyright owner”. After this amendment of the Copyright Act, service providers can no longer use the excuse “we simply provide a service platform and have no right to check the behavior of consumers” as an escape of their liabilities. In fact, P2P service providers who charge users monthly fees for the P2P software, such as Kuro and ezPeer, have already signed licensing agreements with music companies before the enactment of this amendment. Therefore, the music they provide for users to download is no more unlicensed copyrighted materials. Therefore, the amendment has certain effect on improving copyright protection.

A Survey of Taiwanese Citizens' Awareness of Personal Data 2025/05/14 I.Preface Recent discussions have centered on personal data issues, such as corporate data breaches and recurring incidents of fraud. As a result, the security of personal data has received growing emphasis, prompting relevant authorities to issue public statements and advocate for legislative responses. To facilitate a deeper understanding of personal data awareness among the citizens of our nation, this study employed a questionnaire survey to assess basic knowledge of the Personal Data Protection Act and privacy regulations. It also examined levels of trust in entities that may hold personal data, including their types and usage contexts. The objective is to explore public attitudes toward such entities and to analyze the demographic factors influencing personal data awareness, thereby providing a reference for the future development of mechanisms to strengthen data literacy and enhance public trust. II.Research Objectives and Methodology By identifying demographic groups with lower awareness of personal data issues and helping them clarify relevant concepts, and promoting personal data certification for entities with lower levels of public trust, this study aims to reduce public concerns and build greater confidence. It also examines the characteristics of entities that positively influence individuals’ willingness to share personal data, with the goal of guiding such organizations in strengthening their data protection practices. Ultimately, these improvements are expected to enhance public trust and support the effective enforcement of personal data protection. The study employed a stratified random sampling method, with data collected via phone interviews. A total of 1,180 valid responses were obtained. The following sections present the key findings and offer recommendations based on the analysis. III.Raising Awareness and Clarifying Personal Data Concepts When assessing public understanding of basic personal data issues, responses showed a clear divide. While around 90% correctly answered questions about email account handling and the legal responsibilities of public sector agencies under the Personal Data Protection Act (PDPA), accuracy fell to around 10% for more complex scenarios. For example, many were unsure whether journalists covering car accidents need to notify involved individuals or whether telecom operators can transfer data to countries lacking equivalent PDPA protection. These results suggest that while some concepts are well understood, overall knowledge of the PDPA remains limited. Public understanding of sensitive personal data was also generally low. Except for medical records, recognition rates for other sensitive data types remained below 10%. On the other hand, many respondents mistakenly labeled general personal data as sensitive, showing both a lack of familiarity and a heightened sense of caution about data privacy among certain groups. Further analysis found elders, people with lower education and income, and those working in manual or domestic roles had a weaker grasp of what constitutes sensitive personal data. In contrast, individuals with higher education levels or professional roles tended to misclassify general data as sensitive, indicating stronger personal data protection awareness but also some confusion. Based on these findings, targeted awareness campaigns are recommended for groups with lower levels of understanding. These should not only clarify the definition of sensitive personal data but also address common misconceptions to help people develop a clearer and more accurate view of personal data protections under the PDPA. The study also found that people's answers could be used to identify patterns in their awareness. Correct answers indicated familiarity with personal data concepts, while incorrect ones often stemmed either from a lack of knowledge or from a more cautious and security-conscious mindset. Future research might explore this divide further to provide more specific policy recommendations. IV.Addressing Trust Gaps: Promoting Certification for Less-Trusted Entities In terms of public trust in different types of entities, medical institutions emerged as the most trusted. Trust levels varied by demographic group—women and elders, for example, had more confidence in academic institutions; people with lower incomes trusted health management centers or long-term care facilities more; and manual laborers and service workers were more likely to trust government agencies. In contrast, the least trusted entities were online shopping platforms, wearable device manufacturers, and health management tool providers. Even though online shopping is common, people still worry about how these platforms handle personal data. Similarly, despite the growing popularity of wearable health devices, skepticism about how these companies use data remains high. People aged 30–49, those with higher levels of education, and higher incomes were less likely to trust these companies. This supports earlier findings showing that these groups are more aware of personal data security issues. Therefore, efforts to improve trust should focus on less trusted entities and promote the adoption of personal data protection certifications. V.Building Trust through Personal Information Management System The study also looked at what specific organizational features increase public trust. These can be grouped into three categories: certification, type of entity, and size. The certification of personal data protection standards played a key role. Many people expressed more trust in entities that have earned formal personal data protection certifications, especially those bearing nationally recognized seals or certifications. Younger people, those with higher levels of education or income, professionals and students were especially likely to view certification as important. As for type of entity, most respondents expressed greater trust in domestic Taiwanese enterprises, and this preference was more pronounced among people with higher education. Meanwhile, companies linked to China or with Chinese investment backgrounds tended to be viewed with less trust. Interestingly, older respondents were less affected by organizational origin in their willingness to share personal data. When it came to size of the entity, over half of the respondents indicated they were more likely to trust larger companies. Younger, more educated, and higher-income individuals were especially inclined to trust larger entities. Occupations such as students, technical workers, administrative staff, and service workers also showed a similar tendency. To summarize, entities that are certified in personal data protection, are based in Taiwan, and are relatively large tend to earn greater public trust. Since an entity's type and size are often fixed, it is recommended that efforts focus on obtaining recognized personal data protection certifications. For entities currently lacking public trust or facing scrutiny, adopting standards like the Taiwan Personal Information Protection and Administration System (TPIPAS) and running public education campaigns may help to improve trust and meet the goals of personal data security and protection.

Response to Personal Data Security Incidents: Obligations of Third-Party Payment Service Providers under the Amended Personal Data Protection Act 2025/11/15 Third-party payment service providers (TPPs) play a central role in payment processing, identity verification, and transaction records; and consequently hold large volumes of important personal data. In recent years, frequent personal data security incidents related to domestic and international electronic payment services have led to increased vigilance from the competent authority regarding the personal data security maintenance of third-party payment services. At the same time, new amendments to the Personal Data Protection Act (PDPA) have strengthened personal data protection obligations. TPPs that fail to implement adequate protective measures may face legal liabilities and reputational risks. This article analyzes the new amendments to the PDPA. Drawing from the requirements of the Enforcement Rules of the Personal Data Protection Act (the Enforcement Rules) and the Regulations Regarding the Security Maintenance and Administration of Personal Information Files in Digital Economy Industry (數位經濟相關產業個人資料檔案安全維護管理辦法, Security Maintenance Regulations)[1], it outlines and explores the key considerations of TPPs’ major obligations in the event of a personal data security incident: reporting to the competent authority, notifying data subjects, implementing incident response measures, preventing personal data security incidents and cooperating with the competent authority’s inspections. I. Key PDPA Amendments Regarding Security Incidents Amendments to the PDPA recently passed the third reading by Taiwan’s Legislative Yuan[2] and were subsequently promulgated by the President on November 11, 2025[3]. These amendments vest regulatory authority in the Personal Data Protection Commission (個人資料保護委員會, PDPC) as the independent competent authority, strengthen personal data supervision and management in the public sector, and introduce several key changes to the data protection obligations of non-government agencies. Although the Executive Yuan has yet to designate an enforcement date for the new amendments[4], TPPs should prepare in advance. The following sections explain five key points from these amendments related to personal data security incidents. 1. Obligation to Report Personal Data Security Incidents and Notify Data Subjects Following the amendments, Article 12 of the PDPA clarifies the obligations to report and notify personal data security incidents. First, the timing for notifying data subjects has been adjusted from “after investigation and confirmation” to “immediately upon becoming aware of the incident.” Second, the amendments introduce a new statutory obligation to “report to the competent authority if a certain reporting threshold is met.” This reporting requirement previously existed only in the Enforcement Rules[5] and the Security Maintenance Regulations[6]. 2. Obligation to Implement Incident Response Measures and Retain Records In addition to promptly notifying data subjects and reporting to the competent authority, TPPs must take “immediate and effective incident response measures” to contain the incident and prevent further harm. Furthermore, TPPs are required to document the facts, impact, and incident response measures taken, and retain such records for inspection by the competent authority. 3. Obligation to Prevent Personal Data Security Incidents TPPs should establish comprehensive protective mechanisms to prevent personal data security incidents. Continuing the existing security maintenance obligations, the PDPA amendments relocate the provision of Article 27, Paragraph 1 of the old Act to Article 20-1, Paragraph 1, consolidating it as “matters required for security maintenance.” This revision reaffirms the TPPs' responsibility to maintain the security of personal data by adopting appropriate technical and organizational measures in accordance with relevant regulations. TPPs are also required to comply with the specific security maintenance matters prescribed in the Security Maintenance Regulations. They must implement internal security management and technical protection measures to effectively prevent the theft, alteration, destruction, loss, or leakage of the personal data they hold. 4. Obligation to Cooperate with Administrative Inspections To identify the cause of personal data security incidents and ensure the effective implementation of security maintenance measures, TPPs must cooperate with administrative inspections in addition to fulfilling their security maintenance obligations. Where the competent authority believes a TPP may have violated the PDPA, or deems it necessary to verify their compliance with the PDPA, TPPs must cooperate with the following inspection methods: (1) providing statements; (2) providing necessary documents, materials, items, or taking other cooperative measures; and (3) cooperating with on-site inspections, providing necessary explanations, cooperative measures, or relevant proof documents[7]. The competent authority may conduct ex officio on-site checks or document reviews, and TPPs must prepare supporting documentation and improvement plans to ensure incident response compliance and auditability. 5. Penalties and Transitional Period After the amendments take effect, if a TPP fails to notify data subjects, report to the competent authority, take incident response measures, preserve records; or, without justifiable reason, evades, obstructs, or refuses to cooperate with administrative inspections, the competent authority may, depending on the nature and severity of the violation, order rectification within a prescribed period or impose a fine up to NT$15 million[8]. Furthermore, these amendments establish a jurisdictional transition period. For certain supervisory and administrative matters concerning non-government agencies, that fall within the mandate of the PDPC, jurisdiction shall, for six years from the establishment of the PDPC and upon public notice by the Executive Yuan, remain with the respective central competent authorities[9]. Accordingly, during this transition period, the inspection of security maintenance matters and the enforcement of penalties for TPPs may still be conducted by the Ministry of Digital Development (MODA). TPPs must continue to comply with the Security Maintenance Regulations issued by the MODA. 6. Summary Integrating the amended PDPA, its Enforcement Rules, and the Security Maintenance Regulations, a TPP who becomes aware of a personal data security incident must notify data subjects, and the notification content must include the facts of the incident and the incident response measures taken. While the amended Article 12 emphasizes “immediacy” of notification upon awareness and requires incident response action to prevent further expansion, the full confirmation of incident response measures requires time in practice, which can create a timing conflict with the immediacy requirement. Therefore, until the PDPC stipulates the “content, method, timing, scope of reporting, incident response measures, record preservation, and other related matters”[10], and to balance legal compliance with data subject rights, it is recommended that TPPs adopt a “phased notification” approach: immediately notifying the data subject upon awareness to prompt protective measures (such as changing passwords or guarding against scams), and subsequently issuing a supplementary notification after the incident response measures have been implemented, detailing the countermeasures taken and the full scope of the incident. II. Four Key Steps for Responding to Personal Data Security Incidents In practice, when a personal data security incident occurs, TPPs must immediately activate their incident response procedures and implement relevant measures in accordance with the “Security and Maintenance Plan for the Protection of Personal Data Files and a Guideline On Disposing Personal Data Following Business Termination (個人資料檔案安全維護計畫及業務終止後個人資料處理方法, Security Maintenance Plan)” stipulated by their Security Maintenance Regulations. The aforementioned statutory obligations concerning notification, reporting, incident response, prevention, and cooperation with inspections may all be activated simultaneously upon the incident's occurrence. Following the enforcement of the PDPA amendments, TPPs bear simultaneous compliance obligations under the amended PDPA, its Enforcement Rules, and the Security Maintenance Regulations. The following four steps are therefore recommended: Step 1: Taking Immediate and Effective Incident Response Measures. TPPs must take immediate and effective incident response measures upon becoming aware of the incident to prevent further escalation. This is the first priority for responding to a data incident, aimed at damage control, and should be executed concurrently with the investigation of the incident cause and assessment of the scope of impact. Step 2: Obligation to Notify Data Subjects. Upon becoming aware of the incident, TPPs must promptly notify data subjects of the occurrence of the personal data security incident and the measures taken in response through appropriate means such as oral statement, written notice, telephone, text message, email, fax, electronic document, or any other means sufficient to ensure the data subject is informed or can reasonably become aware[11], and provide “a hotline or other appropriate channel for follow-up inquiries for data subjects to seek information”[12]. Furthermore, since some data subjects whose personal data is collected by TPPs are the end-consumers transacting with merchants, TPPs must ensure that, at the outset of their service processes, they clearly establish the legal basis and contact mechanisms that enable direct notification of data subjects (including consumers) in accordance with the privacy policy, service contract, or relevant notice documents, to ensure effective fulfillment of the notification obligation when an incident occurs. Step 3: Obligation to Report to the Competent Authority. This obligation is divided into two phases: before and after the amendments take effect. Before the amendments take effect, TPPs must comply with the current Security Maintenance Regulations and report to the Ministry of Digital Development (MODA). After the amendments take effect, TPPs will have the statutory obligation to report to the Personal Data Protection Commission (PDPC). Upon receiving a TPP’s report, the PDPC will in turn notify MODA. During the transition period, the reporting requirements stipulated in Article 8 of the existing Security Maintenance Regulations may continue to apply. Specifically, the reporting timeline is limited to ”completion within 72 hours of becoming aware of the incident,” and the incident must be judged based on the criterion of “endangers its normal operations or the rights and interests of a large number of data subjects.” These requirements remain the key substantive compliance standards at present. TPPs are advised to establish their internal reporting procedures in accordance with the regulations in force at the time of reporting and to closely monitor the effective date of the amendments and any further announcements issued by the PDPC. Step 4: Cooperating with Administrative Inspections and Retaining Records. TPPs must properly retain all relevant records from the incident response process for inspection by the competent authority. When cooperating with an administrative inspection, TPPs should not only prepare the root cause analysis report (documenting the relevant the facts, the impact, and the incident response measures taken) and supporting evidence for data subject notifications in a timely manner, but also be prepared to provide any additional documentation as required. If the competent authority requests a review of the implementation of the Security Maintenance Plan, TPPs are advised to provide the Plan along with documentation demonstrating the implementation of the required security maintenance measures. Doing so enables TPPs to substantiate their compliance efforts and incident response capabilities. III. Recommendations and Conclusion In summary, this article recommends that TPPs promptly review and refine their Security Maintenance Plan to ensure that their systems, procedures, and operational practices comply with applicable legal requirements. Concurrently, TPPs should establish clear incident reporting and incident response procedures, incorporating into their internal processes the immediate notification of data subjects, reporting to the competent authority, taking incident response measures, and preparing documentation for inspection. Given the enforcement trends following the amended provisions, only by implementing robust preventive measures and effective post-incident response capabilities can TPPs maintain regulatory compliance and preserve market trust amid the increasing frequency of personal data security incidents. [1]數位經濟相關產業個人資料檔案安全維護管理辦法，https://law.moda.gov.tw/LawContent.aspx?id=GL000090 （最後瀏覽日期︰2025/11/12）。 [2]〈立法院三讀通過「個人資料保護法」部分條文修正草案〉，個人資料保護委員會，https://www.pdpc.gov.tw/News_Content/20/1001/ （最後瀏覽日期︰2025/11/12）。 [3]總統令 華總一經字第11400114521號，中華民國總統府，https://www.president.gov.tw/Page/78 （最後瀏覽日期︰2025/11/12）。 [4]＜個人資料保護法部分條文修正案，業於今(114年11月11日)日經總統公布，本次修正條文施行日期將另由行政院定之＞，個人資料保護委員會，https://www.pdpc.gov.tw/News_Content/20/1010/ （最後瀏覽日期︰2025/11/12）。 [5]個人資料保護法施行細則第12條第2項第4款規定。 [6]數位經濟相關產業個人資料檔案安全維護管理辦法第8條第2項規定。 [7]個人資料保護法第22條第1項規定。 [8]個人資料保護法第47條至第50條規定。 [9]個人資料保護法第51-1條規定。 [10]個人資料保護法第12條第4項規定。 [11]個人資料保護法施行細則第22條規定。 [12]數位經濟相關產業個人資料檔案安全維護管理辦法第8條第1項第2款規定。

In the recent years, the tide of open movement has pushed vigorously from the open source software, open hardware and the recent open data. More and more countries have joined the global initiative of open government data in order to achieve the ultimate goal to promote the democratic governance. National government adopts open data policy to enhance the transparency, participation and collaboration of the citizen into the government operation. Meanwhile, fueled by the knowledge economy and the statistical analysis of the big data technology, open government data could work as the catalyst to individuals, industries and government agencies to transform data into potential knowledge-based services. Up to the end of 2013, there are around 77 countries have adopted the Open Government Data policy. Taiwanese government also declared to take part in the open data revolution. The government had officially launched the open data policy in 2012. In Resolution No. 3322, the Executive Yuan prescribes that open government data could enhance the transparency of the government; improve the quality of life of people; and meet the needs of the industry. Governmental agencies under the authority of the Executive Yuan shall to recognize the importance of the empowerment brought from open government data to the quality of the decision-making process and asked the agencies to implemented the policy from the perspectives of the user’s needs and applications, and also the consider to include machine readable format for the data. The Executive Yuan directed the Research, Development and Evaluation Commission (RDEC)（行政院研究發展考核委員會） to develop related principles and measures to support government agencies of the Executive Yuan to plan, execute and open up their data. At the same time, it also directed the Industrial Development Bureau（IDB）, Ministry of Economic Affairs (MOEA) （經濟部工業局）to develop responsive strategies to cope with the industrial development. Pursuant to the Resolution No. 3322 of the Executive Yuan, RDEC worked through the open government data related laws and regulations, proclaimed the “Open Government Data Operating Principle for Agencies of the Executive Yuan”（行政院及所屬各級機關政府資料開放作業原則）and the “Essential Requirements for Administrate Open Government Data Datasets” （政府資料開放資料集管理要項）in the early 2013. All government agencies of the Executive Yuan have to adopted the following 3 open government data steps："open up government data for public use”, “provide data free of charge subject to certain exemptions”, "automated systematic release and exchange data”, and work in with 4 open government focus strategies: “release data actively and by the priority in the field of daily necessity”, “develop the norm of open government data”, “promote the use of Data.gov.tw”, and “demonstrate and advocate open government data services”. Ministry of Economic Affairs (MOEA) （經濟部工業局）also provided grants ($9,200 NTD) to the open government data value-added applications and development. The open government data platform (data.gov.tw) was launched in July, 2013, as the official Taiwan government site providing public access and reuse of government data sets from 62 government agencies of the Executive Yuan, including the Ministry of Interior (MOI)（內政部）, Ministry of Foreign Affairs (MOFA)（外交部）, Ministry of Economic Affairs (MOEA)（經濟部）, Council for Economic Planning and Development (CEPD)（行政院經濟建設發展委員會）, Hakka Affairs Council (HAC)（客家委員會）, Water Resources Agency, Ministry of Economic Affairs (WRA) （經濟部水利署）, and 4 local governments. At the end of 2013, each government agency is required to release at least 55 data sets. In addition, the rising tide of private-sector (individual or enterprise) also aims to mine the gold in open government data. Act upon the National Information and Communication Initiative (NICI)（行政院國家資訊通信發展推動小組）in the consultation of the open government data policy, Taipei Computer Association (TCA)（台北市電腦同業工會）organized the “Open Data Alliance” (ODA)（Open Data聯盟）as a bridge between the information provide-side (public sectors) and the demand-side (private sectors), to communicate and coordinate the expectations and needs from communities (bottom-up) towards open government data. On Dec. 11, 2013, Taiwan took one more step in the global open data initiative. Open Data Alliance (ODA) and the Open Data Institute (ODI) in UK signed the memorandum of understanding (MOU) and announced the alliance established to promote and explore the potential opportunities of open data holds for the public, private and academic sectors. The engagement of ODA and ODI could bring another catalyst for the open movement in Taiwan to take one big step in the international community. According to a survey from ODA, the biggest challenge so far is the available data sets do not really meet the needs of the industry. And most of the feedback reflects the concerns in licensing, charge, frequency of updates, data formats and data quality. These voices echo the open government data issues encountered in many countries. There are still some obstacles with the applicable laws and regulations (for example, Charges and Fees Act, Personal Data Protection Act, Accoutability & Liability etc.) wait to be solved before both public and private sectors to go onto the next level of open data development.