Norms of Critical Infrastructure Protection in Japan

The amendment of the Taiwanese Personal Data Protection Act 2025/05/28 On March 27, 2025, the Executive Yuan released and submitted a draft partial amendment of the Personal Data Protection Act to the Legislative Yuan. The amendment aims to comprehensively enhance personal data protection by constructing the foundation for an independent supervisory agency[1]. Taiwan’s Personal Data Protection Act- legislative progress Taiwan’s Personal Data Protection Act (PDPA) has been amended three times since its release in 1995. In May 2023, the latest amendment to the PDPA introduced Article 1-1, designating the Personal Information Protection Committee as the competent authority under the Act. This legislative development was made in light of the Taiwan Constitutional Court Judgment 111-Hsien-Pan-13 (2022) (Case on the National Health Insurance Research Database)[2], which held that, to ensure the protection of personal information and the constitutional right to privacy under Article 22, the establishment of an independent data protection mechanism is required. In accordance with Taiwan Constitutional Court Judgment 111-Hsien-Pan-13 (2022), the Personal Data Protection Commission (PDPC) must be established by August 2025. To facilitate this, the Preparatory Office of the Personal Data Protection Commission was established in December 2023. This office is mainly responsible for drafting and establishing the regulations and organizational framework required to establish the independent authority, including drafting the Organization Act of the PDPC and the amendments to the PDPA. To develop the regulatory framework for an independent authority, the Preparatory Office of the Personal Data Protection Commission has planned a two-stage amendment process. The first phase seeks to establish the legal foundation of the PDPC, while the second phase will address other substantive issues of personal data protection. For the first stage, the Preparatory Office of the Personal Data Protection Commission drafted the Organization Act of the Personal Information Protection Committee in accordance with Article 1-1 of the PDPA and revised partial provisions of PDPA to reflect the function and duties of the PDPC. The Draft of Partial Amendment to the Personal Data Protection Act The key points of the amendment of PDPA are to empower the commission with essential regulatory functions, to strengthen the regulatory oversight and management of personal data within public sectors, and to set up a transition period to transfer regulatory authority over the private sectors[3]. 1. Empower the commission with essential regulatory functions Due to the lack of a unified agency for receiving incident reports and the efficiency issues caused by the current decentralized legal enforcement, the amendment of PDPA designates the PDPC as the competent authority to receive the incident reports. Centralizing incident reporting under the PDPC facilitates a clearer understanding of the nature and status of related incidents. It also helps regulatory authorities to investigate and handle problems quickly. The rules for reporting data breach incidents are set out in Article 12 of the amended PDPA. According to Article 12 of the amended PDPA, both public sector and private sector entities are required to take appropriate actions and retain the records when a data breach occurs. In addition, public sector entities must report the incident to the PDPC and other relevant government agencies, while private sector entities are required to notify the incident to the PDPC, which will then inform its competent authority[4]. In terms of personal data security maintenance, the amended PDPA states that the competent authority is responsible for formulating regulations concerning security maintenance, governance mechanisms, protective measures, and other relevant matters[5]. Accordingly, PDPC, as the competent authority, will draft the Regulations Governing Security Maintenance and Administration to provide the legal basis for the conducting audits, inspections, and administrative sanctions[6]. 2. Strengthen the regulatory oversight and management of personal data within the public sector The amendment of PDPA designates the PDPC as the independent authority responsible for overseeing the overall personal data protection affairs, including supervision of public sectors. The PDPC is empowered to supervise the public sector entities regarding their compliance with personal data protection regulations. Therefore, the role of the Data Protection Officer (DPO) is introduced in Taiwan for the first time. Article 18 of the amended PDPA states that every public sector entity must appoint a DPO to promote and oversee matters related to personal data protection. This approach reinforces personal data protection from both internal and external perspectives[7]. In considering restructuring and resource allocation associated with introducing this new role, the DPO requirement in PDPA currently applies to the public sector entities. However, both the public and private sectors are required to designate specialists to be responsible for managing personal data protection and security affairs[8]. 3. Set up a transition period to transfer regulatory authority over the private sectors Under the current regulation framework, the supervision of personal data protection in the private sector is decentralized and supervised by different competent authorities. To address this gap, the amendment of PDPA clarifies that the PDPC will serve as the supervisory authority for these entities in the future. In terms of the private sector entities already under the supervision of specific competent authorities, supervisory arrangements will initially remain unchanged. However, to achieve regulatory consistency, the amendment introduced a six-year transitional period during which supervisory responsibility will be transferred to the PDPC. During this transition, the PDPC will collaborate with relevant agencies every 2 years to assess the implementation of the new framework of PDPC and the situation of supervision across the private sector[9]. The draft Organization Act of the Personal Data Protection Committee has also been released To complete the legal basis of PDPC, the draft Organization Act of the Personal Data Protection Committee (hereinafter referred to as the draft of the Organization Act) is released with the PDPA amendment. The draft of the Organization Act aims to formalize the PDPC as the independent central supervisory body. Additionally, it also clarifies the division of responsibilities among agencies on personal data-related matters. Once enacted, the PDPC will serve as Taiwan’s independent authority. According to the draft of the Organization Act, the PDPC is designed as a collegial system with 5-7 committee members, serving a term of 4 years, and members may be reappointed upon completion of their term[10]. As a central third-level agency, the committee members will exercise their powers independently. The draft of the Organization Act states that the PDPC is responsible for making the legislation and policies of personal data protection, the oversight of personal data protection, promoting and researching personal data-related technology, protecting cross-border transfer of personal data and the talent acquisition of personal data protection[11]. The draft of the Organization Act establishes the legal foundation for the PDPC, outlining its organization structure and core responsibilities. Additionally, it grants the PDPC the authority to supervise and enforce compliance with personal data protection regulations. Benefits of the legal reform of the Personal Data Protection Act and the next step The draft partial amendment to the Personal Data Protection Act, along with the draft Organization Act of the Personal Information Protection Committee, have been submitted to the Legislative Yuan for legislative review. This marks the first time that Taiwan has established an independent authority responsible for personal data protection. The PDPA amendment not only formalizes the legal status and authority of the Commission but also enhances the legitimacy and credibility of personal data collection and use. However, amendments to other substantial aspects of data protection will be introduced in the next phase. The Preparatory Office of the Personal Data Protection Commission has already initiated work on the second phase, which will focus on substantial personal data protection issues in the context of the digital era. Reference: [1]The Executive Yuan approved the draft Organizational Act of the Personal Data Protection Commission and the draft of partial amendments to the Personal Data Protection Act, aiming to establish a comprehensive independent supervisory mechanism and enforcement authority, and to build robust data governance for the era of comprehensive AI application., Executive Yuan, https://www.ey.gov.tw/Page/9277F759E41CCD91/747cda78-926f-4205-99b3-1a735fc1b97b (last visited May. 19, 2025). [2]Constitutional Court Judgment 111-Hsien-Pan-13 (2022) (Case on the National Health Insurance Research Database). [3]Establish an independent supervisory authority for personal data protection to strengthen personal data safeguards. The Executive Yuan approved the draft Organization Act of the Personal Data Protection Commission and the draft partial amendments to the Personal Data Protection Act., Preparatory Office of the Personal Data Protection Commission website, https://www.pdpc.gov.tw/News_Content/20/907/ (last visited May. 19, 2025). [4]Partial Amendment Draft to the Personal Data Protection Act, the 8th meeting of the 3rd session of the 11th Legislative Yuan, General Bill No.20, Executive Yuan Proposal No.11010550, Art. 12. [5]Id. Art 18, Art 20-1. [6]Supra note 3. [7]Id. Art.18. [8]Id. Art. 20-1. [9]Id. Art.51-1. [10]Draft of the Organization Act of the Personal Information Protection Committee, the 8th meeting of the 3rd session of the 11th Legislative Yuan, General Bill No.20, Executive Yuan Proposal No. 1101052, Art. 3.Draft of the Organization Act of the Personal Information Protection Committee, the 8th meeting of the 3rd session of the 11th Legislative Yuan, General Bill No.20, Executive Yuan Proposal No. 1101052, Art. 3. [11]Id. at Art. 2.

To establish a trusted foundation for sports data compliance, the Sports Data Altruism Service releases the Sports Data Altruism Service Personal Data Assessment Legal Compliance Handbook 2024/05/15 I. Introduction The Sports Data Altruism Service aims to construct a blueprint for the development of sports and technology, to promote practical applications for sports scientific research results, to drive industry development, and to establish a sports data innovation ecosystem. This will be achieved through multi-ministerial/multi-agency value-added applications for sports data, multidisciplinary upgrading and transformation of sports technology, digital empowerment to establish a sports technology ecosystem, and public-private collaboration efforts. The Sports Data Altruism Service aims to build a legal compliance platform, and to reinforce the trust foundation for legally-compliant sports data operations, all while balancing privacy protection and public interest. In pursuit of these ends, the Sports Data Altruism Service draws upon international data governance practices and trends, as well as current industry practices. It aims to develop guidelines and regulations that consider the value of sports data applications and apply them to data legal compliance operations for sports venues. The Service is also intended to help operators in the sports field maintain personal data protections and reasonable use. Consequently, in August 2023, the Sports Data Altruism Service released the Sports Data Altruism Service Personal Data Assessment Legal Compliance Handbook. For entities seeking to become Sports Data Altruism Service data providers, the Handbook explains the related regulations and provides important things to watch out for. II. Structure of the Sports Data Altruism Service Personal Data Assessment Legal Compliance Handbook The Handbook is divided into three sections: A. Requirements for joining the Sports Data Altruism Service: Before starting with the Sports Data Altruism Service, users must read and agree to the service’s Privacy Policy, Terms of Service, Notification Regarding Personal Data Collection and Personal Data Provision Agreement, and other important platform information. The Privacy Policy explains how the platform collects, uses, and protects the information that users provide. If you wish to become a data provider or data user, the Terms of Service will explain what you need to comply with to do so. And if you decide to become a data provider or data user, you must register on this platform and must sign the "Notification and Letter of Consent for Collection, Processing, and Use of Personal Data" to state your agreement to provide your data to the platform. B. Personal data subject rights protection mechanism for sports venue operators (data providers): After becoming a Sports Data Altruism Service data provider, to lawfully obtain the personal sports data, the data provider must submit the Points of Note When Connecting to the Sports Data Altruism Service and Personal Sports Data Provision Agreement. This form, submitted in either paper or online format, must include a signature from the person whose personal sports data is to be used. When a data subject needs to correct their personal data or no longer wishes to provide their data to the Sports Data Altruism Service, the data provider must provide the Exercise of Data Subject Rights Application Form. After the data subject submits the application, the sports venue operator must verify whether the data has been processed to the extent that it cannot be used to identify a specific individual. In accordance with Article 4 of the Points of Note When Connecting to the "Notice of Connection to the Sports Data Altruism Service Platform and Consent Form for Provision of Personal Sports Data", data that can no longer identify specific data subjects is no longer considered personal data, and is not subject to exercising of data subject rights, nor is it subject to deletion of statistical or analytical results based on such data. If the data has not been anonymized, the operator must remove the data subject from the list uploaded to the platform and delete any unprocessed sports data. They must also retain records of the deletion and notify the data subject. Source: Sports Data Altruism Service Personal Data Assessment Legal Compliance Handbook Figure 1　Data Subject Rights Exercise Mechanism for Sports Venue Operators C. Data protection management process for sports venue operators (data providers): To assist sports venue operators in complying with personal data protection requirements, the Sports Data Altruism Service provides a personal data protection self-assessment tool. After an operator becomes a Sports Data Altruism Service data provider, they must assess their compliance with data protection laws by completing the Self-Assessment Form for Personal Data Protection in Collecting Public Sports Data by Sports Venue Operators (Data Providers). This helps operators understand the importance of personal data protection and establish a robust personal data protection management system, to achieve both data protection and reasonable usage. The Self-Assessment Form for Personal Data Protection in Collecting Public Sports Data by Sports Venue Operators (Data Providers) is designed in accordance with the regulations of the Personal Data Protection Act and its enforcement rules. It includes 20 assessments in 10 major categories. When filling out the self-assessment form, the operator must provide the name of the self-assessment venue, the name of the person filling out the form, and the date. The form has to be completed based on the personal characteristic data and sports data that is to be uploaded to the Sports Data Altruism Service. However, not every assessment is mandatory. The form requires considering the operator’s actual situation to review the current practices related to personal data protection and management, then conducting the self-assessment based on this. For more detailed information about the Sports Data Altruism Service Personal Data Assessment Legal Compliance Handbook, please visit the Sports Data Altruism Service website (https://www.data-sports.tw/#/SportData/Landing?redirect=%2FDashboard).

In the recent years, the tide of open movement has pushed vigorously from the open source software, open hardware and the recent open data. More and more countries have joined the global initiative of open government data in order to achieve the ultimate goal to promote the democratic governance. National government adopts open data policy to enhance the transparency, participation and collaboration of the citizen into the government operation. Meanwhile, fueled by the knowledge economy and the statistical analysis of the big data technology, open government data could work as the catalyst to individuals, industries and government agencies to transform data into potential knowledge-based services. Up to the end of 2013, there are around 77 countries have adopted the Open Government Data policy. Taiwanese government also declared to take part in the open data revolution. The government had officially launched the open data policy in 2012. In Resolution No. 3322, the Executive Yuan prescribes that open government data could enhance the transparency of the government; improve the quality of life of people; and meet the needs of the industry. Governmental agencies under the authority of the Executive Yuan shall to recognize the importance of the empowerment brought from open government data to the quality of the decision-making process and asked the agencies to implemented the policy from the perspectives of the user’s needs and applications, and also the consider to include machine readable format for the data. The Executive Yuan directed the Research, Development and Evaluation Commission (RDEC)（行政院研究發展考核委員會） to develop related principles and measures to support government agencies of the Executive Yuan to plan, execute and open up their data. At the same time, it also directed the Industrial Development Bureau（IDB）, Ministry of Economic Affairs (MOEA) （經濟部工業局）to develop responsive strategies to cope with the industrial development. Pursuant to the Resolution No. 3322 of the Executive Yuan, RDEC worked through the open government data related laws and regulations, proclaimed the “Open Government Data Operating Principle for Agencies of the Executive Yuan”（行政院及所屬各級機關政府資料開放作業原則）and the “Essential Requirements for Administrate Open Government Data Datasets” （政府資料開放資料集管理要項）in the early 2013. All government agencies of the Executive Yuan have to adopted the following 3 open government data steps："open up government data for public use”, “provide data free of charge subject to certain exemptions”, "automated systematic release and exchange data”, and work in with 4 open government focus strategies: “release data actively and by the priority in the field of daily necessity”, “develop the norm of open government data”, “promote the use of Data.gov.tw”, and “demonstrate and advocate open government data services”. Ministry of Economic Affairs (MOEA) （經濟部工業局）also provided grants ($9,200 NTD) to the open government data value-added applications and development. The open government data platform (data.gov.tw) was launched in July, 2013, as the official Taiwan government site providing public access and reuse of government data sets from 62 government agencies of the Executive Yuan, including the Ministry of Interior (MOI)（內政部）, Ministry of Foreign Affairs (MOFA)（外交部）, Ministry of Economic Affairs (MOEA)（經濟部）, Council for Economic Planning and Development (CEPD)（行政院經濟建設發展委員會）, Hakka Affairs Council (HAC)（客家委員會）, Water Resources Agency, Ministry of Economic Affairs (WRA) （經濟部水利署）, and 4 local governments. At the end of 2013, each government agency is required to release at least 55 data sets. In addition, the rising tide of private-sector (individual or enterprise) also aims to mine the gold in open government data. Act upon the National Information and Communication Initiative (NICI)（行政院國家資訊通信發展推動小組）in the consultation of the open government data policy, Taipei Computer Association (TCA)（台北市電腦同業工會）organized the “Open Data Alliance” (ODA)（Open Data聯盟）as a bridge between the information provide-side (public sectors) and the demand-side (private sectors), to communicate and coordinate the expectations and needs from communities (bottom-up) towards open government data. On Dec. 11, 2013, Taiwan took one more step in the global open data initiative. Open Data Alliance (ODA) and the Open Data Institute (ODI) in UK signed the memorandum of understanding (MOU) and announced the alliance established to promote and explore the potential opportunities of open data holds for the public, private and academic sectors. The engagement of ODA and ODI could bring another catalyst for the open movement in Taiwan to take one big step in the international community. According to a survey from ODA, the biggest challenge so far is the available data sets do not really meet the needs of the industry. And most of the feedback reflects the concerns in licensing, charge, frequency of updates, data formats and data quality. These voices echo the open government data issues encountered in many countries. There are still some obstacles with the applicable laws and regulations (for example, Charges and Fees Act, Personal Data Protection Act, Accoutability & Liability etc.) wait to be solved before both public and private sectors to go onto the next level of open data development.

A Survey of Taiwanese Citizens' Awareness of Personal Data 2025/05/14 I.Preface Recent discussions have centered on personal data issues, such as corporate data breaches and recurring incidents of fraud. As a result, the security of personal data has received growing emphasis, prompting relevant authorities to issue public statements and advocate for legislative responses. To facilitate a deeper understanding of personal data awareness among the citizens of our nation, this study employed a questionnaire survey to assess basic knowledge of the Personal Data Protection Act and privacy regulations. It also examined levels of trust in entities that may hold personal data, including their types and usage contexts. The objective is to explore public attitudes toward such entities and to analyze the demographic factors influencing personal data awareness, thereby providing a reference for the future development of mechanisms to strengthen data literacy and enhance public trust. II.Research Objectives and Methodology By identifying demographic groups with lower awareness of personal data issues and helping them clarify relevant concepts, and promoting personal data certification for entities with lower levels of public trust, this study aims to reduce public concerns and build greater confidence. It also examines the characteristics of entities that positively influence individuals’ willingness to share personal data, with the goal of guiding such organizations in strengthening their data protection practices. Ultimately, these improvements are expected to enhance public trust and support the effective enforcement of personal data protection. The study employed a stratified random sampling method, with data collected via phone interviews. A total of 1,180 valid responses were obtained. The following sections present the key findings and offer recommendations based on the analysis. III.Raising Awareness and Clarifying Personal Data Concepts When assessing public understanding of basic personal data issues, responses showed a clear divide. While around 90% correctly answered questions about email account handling and the legal responsibilities of public sector agencies under the Personal Data Protection Act (PDPA), accuracy fell to around 10% for more complex scenarios. For example, many were unsure whether journalists covering car accidents need to notify involved individuals or whether telecom operators can transfer data to countries lacking equivalent PDPA protection. These results suggest that while some concepts are well understood, overall knowledge of the PDPA remains limited. Public understanding of sensitive personal data was also generally low. Except for medical records, recognition rates for other sensitive data types remained below 10%. On the other hand, many respondents mistakenly labeled general personal data as sensitive, showing both a lack of familiarity and a heightened sense of caution about data privacy among certain groups. Further analysis found elders, people with lower education and income, and those working in manual or domestic roles had a weaker grasp of what constitutes sensitive personal data. In contrast, individuals with higher education levels or professional roles tended to misclassify general data as sensitive, indicating stronger personal data protection awareness but also some confusion. Based on these findings, targeted awareness campaigns are recommended for groups with lower levels of understanding. These should not only clarify the definition of sensitive personal data but also address common misconceptions to help people develop a clearer and more accurate view of personal data protections under the PDPA. The study also found that people's answers could be used to identify patterns in their awareness. Correct answers indicated familiarity with personal data concepts, while incorrect ones often stemmed either from a lack of knowledge or from a more cautious and security-conscious mindset. Future research might explore this divide further to provide more specific policy recommendations. IV.Addressing Trust Gaps: Promoting Certification for Less-Trusted Entities In terms of public trust in different types of entities, medical institutions emerged as the most trusted. Trust levels varied by demographic group—women and elders, for example, had more confidence in academic institutions; people with lower incomes trusted health management centers or long-term care facilities more; and manual laborers and service workers were more likely to trust government agencies. In contrast, the least trusted entities were online shopping platforms, wearable device manufacturers, and health management tool providers. Even though online shopping is common, people still worry about how these platforms handle personal data. Similarly, despite the growing popularity of wearable health devices, skepticism about how these companies use data remains high. People aged 30–49, those with higher levels of education, and higher incomes were less likely to trust these companies. This supports earlier findings showing that these groups are more aware of personal data security issues. Therefore, efforts to improve trust should focus on less trusted entities and promote the adoption of personal data protection certifications. V.Building Trust through Personal Information Management System The study also looked at what specific organizational features increase public trust. These can be grouped into three categories: certification, type of entity, and size. The certification of personal data protection standards played a key role. Many people expressed more trust in entities that have earned formal personal data protection certifications, especially those bearing nationally recognized seals or certifications. Younger people, those with higher levels of education or income, professionals and students were especially likely to view certification as important. As for type of entity, most respondents expressed greater trust in domestic Taiwanese enterprises, and this preference was more pronounced among people with higher education. Meanwhile, companies linked to China or with Chinese investment backgrounds tended to be viewed with less trust. Interestingly, older respondents were less affected by organizational origin in their willingness to share personal data. When it came to size of the entity, over half of the respondents indicated they were more likely to trust larger companies. Younger, more educated, and higher-income individuals were especially inclined to trust larger entities. Occupations such as students, technical workers, administrative staff, and service workers also showed a similar tendency. To summarize, entities that are certified in personal data protection, are based in Taiwan, and are relatively large tend to earn greater public trust. Since an entity's type and size are often fixed, it is recommended that efforts focus on obtaining recognized personal data protection certifications. For entities currently lacking public trust or facing scrutiny, adopting standards like the Taiwan Personal Information Protection and Administration System (TPIPAS) and running public education campaigns may help to improve trust and meet the goals of personal data security and protection.