The amendment of the Taiwanese Personal Data Protection Act

In the recent years, the tide of open movement has pushed vigorously from the open source software, open hardware and the recent open data. More and more countries have joined the global initiative of open government data in order to achieve the ultimate goal to promote the democratic governance. National government adopts open data policy to enhance the transparency, participation and collaboration of the citizen into the government operation. Meanwhile, fueled by the knowledge economy and the statistical analysis of the big data technology, open government data could work as the catalyst to individuals, industries and government agencies to transform data into potential knowledge-based services. Up to the end of 2013, there are around 77 countries have adopted the Open Government Data policy. Taiwanese government also declared to take part in the open data revolution. The government had officially launched the open data policy in 2012. In Resolution No. 3322, the Executive Yuan prescribes that open government data could enhance the transparency of the government; improve the quality of life of people; and meet the needs of the industry. Governmental agencies under the authority of the Executive Yuan shall to recognize the importance of the empowerment brought from open government data to the quality of the decision-making process and asked the agencies to implemented the policy from the perspectives of the user’s needs and applications, and also the consider to include machine readable format for the data. The Executive Yuan directed the Research, Development and Evaluation Commission (RDEC)（行政院研究發展考核委員會） to develop related principles and measures to support government agencies of the Executive Yuan to plan, execute and open up their data. At the same time, it also directed the Industrial Development Bureau（IDB）, Ministry of Economic Affairs (MOEA) （經濟部工業局）to develop responsive strategies to cope with the industrial development. Pursuant to the Resolution No. 3322 of the Executive Yuan, RDEC worked through the open government data related laws and regulations, proclaimed the “Open Government Data Operating Principle for Agencies of the Executive Yuan”（行政院及所屬各級機關政府資料開放作業原則）and the “Essential Requirements for Administrate Open Government Data Datasets” （政府資料開放資料集管理要項）in the early 2013. All government agencies of the Executive Yuan have to adopted the following 3 open government data steps："open up government data for public use”, “provide data free of charge subject to certain exemptions”, "automated systematic release and exchange data”, and work in with 4 open government focus strategies: “release data actively and by the priority in the field of daily necessity”, “develop the norm of open government data”, “promote the use of Data.gov.tw”, and “demonstrate and advocate open government data services”. Ministry of Economic Affairs (MOEA) （經濟部工業局）also provided grants ($9,200 NTD) to the open government data value-added applications and development. The open government data platform (data.gov.tw) was launched in July, 2013, as the official Taiwan government site providing public access and reuse of government data sets from 62 government agencies of the Executive Yuan, including the Ministry of Interior (MOI)（內政部）, Ministry of Foreign Affairs (MOFA)（外交部）, Ministry of Economic Affairs (MOEA)（經濟部）, Council for Economic Planning and Development (CEPD)（行政院經濟建設發展委員會）, Hakka Affairs Council (HAC)（客家委員會）, Water Resources Agency, Ministry of Economic Affairs (WRA) （經濟部水利署）, and 4 local governments. At the end of 2013, each government agency is required to release at least 55 data sets. In addition, the rising tide of private-sector (individual or enterprise) also aims to mine the gold in open government data. Act upon the National Information and Communication Initiative (NICI)（行政院國家資訊通信發展推動小組）in the consultation of the open government data policy, Taipei Computer Association (TCA)（台北市電腦同業工會）organized the “Open Data Alliance” (ODA)（Open Data聯盟）as a bridge between the information provide-side (public sectors) and the demand-side (private sectors), to communicate and coordinate the expectations and needs from communities (bottom-up) towards open government data. On Dec. 11, 2013, Taiwan took one more step in the global open data initiative. Open Data Alliance (ODA) and the Open Data Institute (ODI) in UK signed the memorandum of understanding (MOU) and announced the alliance established to promote and explore the potential opportunities of open data holds for the public, private and academic sectors. The engagement of ODA and ODI could bring another catalyst for the open movement in Taiwan to take one big step in the international community. According to a survey from ODA, the biggest challenge so far is the available data sets do not really meet the needs of the industry. And most of the feedback reflects the concerns in licensing, charge, frequency of updates, data formats and data quality. These voices echo the open government data issues encountered in many countries. There are still some obstacles with the applicable laws and regulations (for example, Charges and Fees Act, Personal Data Protection Act, Accoutability & Liability etc.) wait to be solved before both public and private sectors to go onto the next level of open data development.

The Research on Cybersecurity Risks in 5G network: Perspectives on Global strategy I. The characteristics of 5G and cybersecurity threats 　　Compared to 4G, 5G adopts several new designs on the network architecture, such as software-defined networking (SDN), a baseband unit (BBU), logical disjunction, network function virtualization (NFV), and multi-access edge computing (MEC), to provide users with high-speed, low-latency and other quality services, as well as flexibility and expansibility to accommodate more emerging applications. 　　According to the three key usage scenarios (see Figure 1) defined by the International Telecommunication Union (ITU), enhanced mobile broadband access (eMBB) provides high-volume mobile broadband services such as AR/VR or ultra-high-definition video. Massive machine type communication (mMTC) provides large-scale IoT services. Ultra-reliability and low latency communication (uRLLC) can be used for services that require low-latency and high-reliability connections, including unmanned driving and industrial automation. 　　However, with 5G’s open, flexible and extensible design, as well as its coexistence with other 4G and 3G systems in the early stage of commercial operation, the cybersecurity threats facing 5G networks are more severe and diverse than the past mobile phone generations. At present, the known 5G cybersecurity threats mainly come from network functional components and connection interfaces among components, including the terminal device, access network, air interface, cloud virtualization, multi-access edge computing rental, core network, back-end/backbone network, roaming and external services, and so on. Source: ITU Figure　1Three key 5G scenarios by the ITU II. Cybersecurity strategy development in major countries 　　5G is not only one of the critical infrastructures, but also an important foundation for pursuing a digital nation, digital economy, the industrial 4.0, and for promoting industrial transformation for upgrading. However, different scenarios require different cybersecurity protection levels, which poses great challenges to both mobile network operators and service providers. 　　Therefore, the construction of favorable environment for 5G development, the promotion of relevant applications and the development of innovative services and so on, have become the priority of governance in the countries around the world. 1. European Union (EU) 　　Then European Commission President Jean-Claude Juncker noted in 2017 that “Cyber-attacks can be more dangerous to the stability of democracies and economies than guns and tanks…Cyber-attacks know no borders and no one is immune,” indicating the EU's high priority in the cybersecurity field. 　　The "Digital Single Market," an important EU policy, lays the foundation for digital economy based on "cybersecurity, trust and privacy." In response to the loss of billions of euros a year in cyber attacks, the EU has taken a series of measures to safeguard and advance the development of the Digital Single Market. For the purposes of this strategy, the European Commission in 2018 came up with the policy of Resilience, Deterrence and Defence: Building strong cybersecurity for the EU,[1]with the aim of improving the level of cyber security, cyber resilience and trust in the EU, and in June 2019 passed the Cybersecurity Act [2] with two highlights described as follows: (1) Strengthen the authority of the European Union Agency for Network and Information Security (ENISA)(see Figure 2), increase the allocation of human and financial resources to ENISA, as well as the preparation for the work items related to the cybersecurity industry, and reinforce cyber security support for EU member states. (2) Establish the EU cybersecurity certification framework. [3] 　　In the European Union, where different cybersecurity certification schemes already exist, the absence of a common certification regime would increase the risk of fragmentation of the single market. For this reason, a set of technical requirements, standards and procedures are provided under this framework to assess whether information/communication products, services and processes are in compliance with security requirements. 　　The certification program includes product and service categories, information/communication security requirements (e.g. reference standards or technical specifications), types of assessment (e.g. self-assessment or third-party assessment), levels of security, and so on. All member states agree that certification not only facilitate cross-border business transactions, but also enable consumers to better understand the security of products and services. Source: Compiled from the ENISA websit Figure　2 ENISA organization and authority strengthening 2. the United States (U.S.) 　　In consideration of cyber security affairs in the country, the US Department of Homeland Security (DHS) in May 2018 unveiled the "Cybersecurity Strategy,"[4] which focused on the objectives and priorities of the U.S. government in future cybersecurity protection, identifying and managing national cybersecurity risks with the overall risk management approach, and addressing security threats to the country, critical infrastructures and private enterprises, as well as preventing cybercrimes. 　　Then the White House in September 2018 released the National Cyber Strategy of the United States of America, [5] based on the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure [6] issued in May 2017, stating the strategy and position of the United States against the threat of cyber- attacks. The strategic goal aimed to, by safeguarding cybersecurity, protect the American people, the homeland, and the American way of life, to build a secure digital economic environment, to promote American prosperity, and strengthen cooperation with partners to deter malicious cyber attackers, so as to maintain peace and security, and continue to expand U.S. influence. 　　The department in July 2019 published the Digital Modernization Strategy [7] to announce its national defense strategy in the digital environment, including the use of cybersecurity, AI, cloud computing, blockchain and other technologies in information security protection to create a more secure, coordinated and efficient platform and improve the security of intelligence transmission and processing. 3. Canada 　　Public Safety Canada in June 2018 released the National Cyber Security Strategy, [8] with the vision of a sustainable, robust cybersecurity environment, innovation and prosperity. Through international cooperation and a domestic public-private partnership, the department has been working on three goals: 1. cyber security and resilience (to reduce cybercrime and ensure Internet privacy; 2. Internet innovation (to create a friendly environment for the development of cybersecurity startups); 3. government leadership and cooperation (to transfer government-owned cybersecurity knowledge to the private sector and set up a cybersecurity governance framework). 　　The Canadian government also attaches great importance to critical infrastructure. In May 2018, the National Cross Sector Forum 2018-2020 Action Plan for Critical Infrastructure [9] was unveiled to facilitate information sharing between public and private partners through sharing and protecting intelligence, and implementing a full risk management approach. Moreover, Public Safety Canada in April 2019 issued a report called Enhancing Canada’s Critical Infrastructure Resilience to Insider Risk, which provided guidelines and suggestions for action on internal risks in critical infrastructure organizations.[10] 4. Singapore 　　The government of Singapore in 2018 promulgated the Cybersecurity Act, [11] which aimed to fulfill the vision of a Smart Nation by enacting and putting into effect cybersecurity regulations to achieve the goal of a resilient infrastructure and a more secure cyberspace, and to strengthen the protection of critical information infrastructure against cyber-attacks. The Cyber Security Agency of Singapore (CSA) was given the authority to prevent and respond to cybersecurity threats, and to set up a system for sharing security information, as well as a light-touch licensing system for cybersecurity service providers.[12] 　　The Government of Singapore has appointed a Commissioner of Cybersecurity responsible for promoting domestic cybersecurity policy. To safeguard Singaporeans from cybersecurity threats, [13] the government particularly laid down cybersecurity threat or incident response provisions in Chapter 4 of the Cybersecurity Act to empower the Commissioner of Cybersecurity to investigate cybersecurity threats and incidents, such as requiring the parties to the incidents to present statements in person or in writing, producing documents or provide information and so on.[14] 5. Australia 　　The Australian government in 2016 proposed a four-year "Australia's Cyber Security Strategy,"[15] which was expected to invest more than 230 million Australian dollars to strengthen Australia's cyber security capability and complete the following five aspects: national cyber partnership, strong cyber defenses, global responsibility and influence, growth and innovation, and a cyber smart nation. 　　As for the global responsibility and influence, the Australian government in 2017 announced the "Australia's International Cyber Engagement Strategy."[16] which aims to strengthen digital trade, to improve cybersecurity and to response to cybercrime through international cooperation; encourage innovative cybersecurity solutions; provide security advice and best practices, such as Essential Eight strategies[17] to mitigate cyber-attacks; establish the Pacific Cyber Security Operational Network (PaCSON) [18] with neighboring countries to develop regional cybersecurity capabilities; and advance the development of Australia's cybersecurity industry, nurture startups and attract foreign investment. III. Cybersecurity strategy to promote 5G in Taiwan 　　Since President Tsai Ing-wen took office in 2016, she declared that cybersecurity is directly linked to national security. In 2017, the Department of Cyber Security (DCS) under the Executive Yuan issued "National Cybersecurity Development Plan (2017-2020)," and in 2018 the "Cybersecurity Industry Development Action Plan (2018-2025)," in order to enhance the independence of Taiwan's cybersecurity industry, consolidate the nation’s cybersecurity defense line, improve its innovative thinking of cyber security, and further promote it to the international market. 　　To develop a favorable environment to promote 5G, the Executive Yuan on May 10, 2019 approved the “Taiwan 5G Action Plan (2019-2022),” [19] with a total investment about NT$20.466 billion over a four-year period. The plan aims to build a 5G application and industrial innovation environment, and reshape Taiwan's mobile communication industry ecosystem, with its content planned around five themes, including "promoting 5G vertical application field demonstration", "building 5G innovation and application development environment," "completing 5G technology core and cybersecurity protection capabilities," "planning to release 5G frequency spectrums in line with overall interests" and "adjusting laws and regulations to create favorable environment for 5G development," and to promote industrial upgrading and transformation, as well as create the next wave of economic prosperity in Taiwan. 　　Secure, robust and reliable 5G systems are sufficient and requisite conditions for building an innovation ecosystem in digital countries. The third theme of the "Taiwan 5G Action Plan" is to "complete 5G technology core and cybersecurity protection capabilities," which is intended to advance the integration of applied science and technology by establishing advantageous core technologies, set up a 5G technology and test platform, and increase the market competitiveness of 5G industry, while drafting the overall national policies on 5G cybersecurity, building the cybersecurity protection mechanism of 5G homemade products, strengthening 5G critical infrastructure and operational cybersecurity protection capabilities, and promoting domestic suppliers to enter the international 5G reliable supply chain. 　　In terms of strengthening 5G critical infrastructure and operational cybersecurity protection capacities, the NCC has planned a four-year (2019-2022) "5G Network Cybersecurity Protection and Related Regulations Preparation Plan." In coordination with a 5G license issue in 2020, the agency in 2019 added/amended the 5G cybersecurity provisions of the Regulations for Administration of Mobile Broadband Businesses, making it mandatory for the winning bidder of the 5G frequency spectrum to incorporate the cybersecurity protection concept into the system design for system construction. 　　Upon commercial operation of 5G, the NCC will audit from time to time the implementation of the cybersecurity maintenance plan by telecom operators, so as to ensure and reinforce the cybersecurity protection system of Taiwan's 5G telecom network, and create an opportunity for the development of 5G homemade products with cybersecurity protection capability. In addition, the NCC will also face up to the fact that 5G technology standards continue to evolve, and the operators have different construction schedules and heterogeneous mobile networks coexist. Therefore, relevant regulations will continue to be completed from 2020 to 2022, and examples will be verified through cybersecurity function testing laboratories to ensure that cybersecurity protection functions of 5G networks keep pace with the times. IV. Conclusion and Suggestion 　　As for emerging technologies, countries around the world are actively evaluating and constructing 5G systems and services. Taiwan boasts excellent industrial advantages in terms of semiconductors, ICT software and hardware, and high-quality talents, and thus makes a foundation for developing 5G. Furthermore, going with the importance of cybersecurity, it is necessary to pay more attention to planning and developing 5G cybersecurity technology. 　　It is clear that the development of cybersecurity is both a challenge and an opportunity for Taiwan. In order to implement the national policy objectives of "cybersecurity is national security" as well as "innovative economic development programs for a digital nation," and to response to the scientific and technological progress, and the demand for cybersecurity, key development direction is proposed to expedite the establishment of 5G cybersecurity protection. Reference: [1]Resilience, Deterrence and Defence: Building strong cybersecurity in Europe, European Commission, https://ec.europa.eu/digital-single-market/en/news/resilience-deterrence-and-defence-building-strong-cybersecurity-europe [2]The draft Regulation of The European Parliament And of The Council on ENISA, the "EU Cybersecurity Agency", and repealing Regulation(EU)526/2013, and on Information and Communication Technology cybersecurity certification(''Cybersecurity Act'') was published in September 2017 to expand the rights and obligations of ENISA, which would make ENISA the EU's cybersecurity and information competent authority and the authority for critical infrastructure (information) facilities after the passage of the Act. Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (Text with EEA relevance), https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2019.151.01.0015.01.ENG&toc=OJ:L:2019:151:TOC [3]The EU cybersecurity certification framework, European Commission, https://ec.europa.eu/digital-single-market/en/eu-cybersecurity-certification-framework [4]Cybersecurity Strategy(2018), DHS, https://www.dhs.gov/sites/default/files/publications/DHS-Cybersecurity-Strategy_1.pdf [5]National Cyber Strategy of the United States of America(2018), The White House, https://www.whitehouse.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf [6]THE WHITE HOUSE, Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, The White House, https://www.whitehouse.gov/presidential-actions/presidential-executive-order-strengthening-cybersecurity-federal-networks-critical-infrastructure/ [7]DoD Digital Modernization Strategy, DoD, https://media.defense.gov/2019/Jul/12/2002156622/-1/-1/1/DOD-DIGITAL-MODERNIZATION-STRATEGY-2019.PDF [8]National Cybersecurity Strategy, Public Safety Canada, https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/ntnl-cbr-scrt-strtg/index-en.aspx [9]National Cross Sector Forum 2018-2020 Action Plan for Critical Infrastructure, Public Safety Canada, Public Safety Canada, https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/pln-crtcl-nfrstrctr-2018-20/index-en.aspx#a02 The action plan is a three-year program under Canada's2010 National Strategy for Critical Infrastructure (National Strategy) starting in 2010 for all phases. [10]Enhancing Canada’s Critical Infrastructure Resilience to Insider Risk, Public Safety Canada, Public Safety Canada, https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/nhncng-crtcl-nfrstrctr/index-en.aspx [11]Cybersecurity Act 2018, Singapore Statutes Online, https://sso.agc.gov.sg/Acts-Supp/9-2018/ [12]Cybersecurity Act, CSA, https://www.csa.gov.sg/legislation/cybersecurity-act [13]Id. [14]Cybersecurity Act Explanatory Statement, https://www.csa.gov.sg/~/media/csa/cybersecurity_bill/cybersecurity%20act%20-%20explanatory%20statement.pdf [15]Australia’s Cybersecurity Strategy, https://cybersecuritystrategy.homeaffairs.gov.au/ What is the Government doing in cybersecurity, Ministers for the Department of Industry, Innovation and Science, https://www.industry.gov.au/data-and-publications/australias-tech-future/cyber-security/what-is-the-government-doing-in-cyber-security [16]Australia’s International Cyber Engagement Strategy, Department of Foreign Affairs and Trade,https://www.dfat.gov.au/sites/default/files/DFAT%20AICES_AccPDF.pdf [17]Essential Eight Explained, ACSC, https://www.cyber.gov.au/publications/essential-eight-explained [18]Pacific Cybersecurity Operational Network(PaCSON), https://dfat.gov.au/international-relations/themes/cyber-affairs/cyber-cooperation-program/Pages/pacific-cyber-security-operational-network-pacson.aspx Or Strengthening cybersecurity across the Pacific, ACSC, https://www.cyber.gov.au/news/pacific-islands PaCSON is comprised of 15 members, including Australia, Fiji, Marshall Islands, New Zealand, Papua New Guinea, Samoa, and Solomon Islands. [19]Taiwan 5G Action Plan, Executive Yuan,https://www.ey.gov.tw/Page/5A8A0CB5B41DA11E/087b4ed8-8c79-49f2-90c3-6fb22d740488

Response to Personal Data Security Incidents: Obligations of Third-Party Payment Service Providers under the Amended Personal Data Protection Act 2025/11/15 Third-party payment service providers (TPPs) play a central role in payment processing, identity verification, and transaction records; and consequently hold large volumes of important personal data. In recent years, frequent personal data security incidents related to domestic and international electronic payment services have led to increased vigilance from the competent authority regarding the personal data security maintenance of third-party payment services. At the same time, new amendments to the Personal Data Protection Act (PDPA) have strengthened personal data protection obligations. TPPs that fail to implement adequate protective measures may face legal liabilities and reputational risks. This article analyzes the new amendments to the PDPA. Drawing from the requirements of the Enforcement Rules of the Personal Data Protection Act (the Enforcement Rules) and the Regulations Regarding the Security Maintenance and Administration of Personal Information Files in Digital Economy Industry (數位經濟相關產業個人資料檔案安全維護管理辦法, Security Maintenance Regulations)[1], it outlines and explores the key considerations of TPPs’ major obligations in the event of a personal data security incident: reporting to the competent authority, notifying data subjects, implementing incident response measures, preventing personal data security incidents and cooperating with the competent authority’s inspections. I. Key PDPA Amendments Regarding Security Incidents Amendments to the PDPA recently passed the third reading by Taiwan’s Legislative Yuan[2] and were subsequently promulgated by the President on November 11, 2025[3]. These amendments vest regulatory authority in the Personal Data Protection Commission (個人資料保護委員會, PDPC) as the independent competent authority, strengthen personal data supervision and management in the public sector, and introduce several key changes to the data protection obligations of non-government agencies. Although the Executive Yuan has yet to designate an enforcement date for the new amendments[4], TPPs should prepare in advance. The following sections explain five key points from these amendments related to personal data security incidents. 1. Obligation to Report Personal Data Security Incidents and Notify Data Subjects Following the amendments, Article 12 of the PDPA clarifies the obligations to report and notify personal data security incidents. First, the timing for notifying data subjects has been adjusted from “after investigation and confirmation” to “immediately upon becoming aware of the incident.” Second, the amendments introduce a new statutory obligation to “report to the competent authority if a certain reporting threshold is met.” This reporting requirement previously existed only in the Enforcement Rules[5] and the Security Maintenance Regulations[6]. 2. Obligation to Implement Incident Response Measures and Retain Records In addition to promptly notifying data subjects and reporting to the competent authority, TPPs must take “immediate and effective incident response measures” to contain the incident and prevent further harm. Furthermore, TPPs are required to document the facts, impact, and incident response measures taken, and retain such records for inspection by the competent authority. 3. Obligation to Prevent Personal Data Security Incidents TPPs should establish comprehensive protective mechanisms to prevent personal data security incidents. Continuing the existing security maintenance obligations, the PDPA amendments relocate the provision of Article 27, Paragraph 1 of the old Act to Article 20-1, Paragraph 1, consolidating it as “matters required for security maintenance.” This revision reaffirms the TPPs' responsibility to maintain the security of personal data by adopting appropriate technical and organizational measures in accordance with relevant regulations. TPPs are also required to comply with the specific security maintenance matters prescribed in the Security Maintenance Regulations. They must implement internal security management and technical protection measures to effectively prevent the theft, alteration, destruction, loss, or leakage of the personal data they hold. 4. Obligation to Cooperate with Administrative Inspections To identify the cause of personal data security incidents and ensure the effective implementation of security maintenance measures, TPPs must cooperate with administrative inspections in addition to fulfilling their security maintenance obligations. Where the competent authority believes a TPP may have violated the PDPA, or deems it necessary to verify their compliance with the PDPA, TPPs must cooperate with the following inspection methods: (1) providing statements; (2) providing necessary documents, materials, items, or taking other cooperative measures; and (3) cooperating with on-site inspections, providing necessary explanations, cooperative measures, or relevant proof documents[7]. The competent authority may conduct ex officio on-site checks or document reviews, and TPPs must prepare supporting documentation and improvement plans to ensure incident response compliance and auditability. 5. Penalties and Transitional Period After the amendments take effect, if a TPP fails to notify data subjects, report to the competent authority, take incident response measures, preserve records; or, without justifiable reason, evades, obstructs, or refuses to cooperate with administrative inspections, the competent authority may, depending on the nature and severity of the violation, order rectification within a prescribed period or impose a fine up to NT$15 million[8]. Furthermore, these amendments establish a jurisdictional transition period. For certain supervisory and administrative matters concerning non-government agencies, that fall within the mandate of the PDPC, jurisdiction shall, for six years from the establishment of the PDPC and upon public notice by the Executive Yuan, remain with the respective central competent authorities[9]. Accordingly, during this transition period, the inspection of security maintenance matters and the enforcement of penalties for TPPs may still be conducted by the Ministry of Digital Development (MODA). TPPs must continue to comply with the Security Maintenance Regulations issued by the MODA. 6. Summary Integrating the amended PDPA, its Enforcement Rules, and the Security Maintenance Regulations, a TPP who becomes aware of a personal data security incident must notify data subjects, and the notification content must include the facts of the incident and the incident response measures taken. While the amended Article 12 emphasizes “immediacy” of notification upon awareness and requires incident response action to prevent further expansion, the full confirmation of incident response measures requires time in practice, which can create a timing conflict with the immediacy requirement. Therefore, until the PDPC stipulates the “content, method, timing, scope of reporting, incident response measures, record preservation, and other related matters”[10], and to balance legal compliance with data subject rights, it is recommended that TPPs adopt a “phased notification” approach: immediately notifying the data subject upon awareness to prompt protective measures (such as changing passwords or guarding against scams), and subsequently issuing a supplementary notification after the incident response measures have been implemented, detailing the countermeasures taken and the full scope of the incident. II. Four Key Steps for Responding to Personal Data Security Incidents In practice, when a personal data security incident occurs, TPPs must immediately activate their incident response procedures and implement relevant measures in accordance with the “Security and Maintenance Plan for the Protection of Personal Data Files and a Guideline On Disposing Personal Data Following Business Termination (個人資料檔案安全維護計畫及業務終止後個人資料處理方法, Security Maintenance Plan)” stipulated by their Security Maintenance Regulations. The aforementioned statutory obligations concerning notification, reporting, incident response, prevention, and cooperation with inspections may all be activated simultaneously upon the incident's occurrence. Following the enforcement of the PDPA amendments, TPPs bear simultaneous compliance obligations under the amended PDPA, its Enforcement Rules, and the Security Maintenance Regulations. The following four steps are therefore recommended: Step 1: Taking Immediate and Effective Incident Response Measures. TPPs must take immediate and effective incident response measures upon becoming aware of the incident to prevent further escalation. This is the first priority for responding to a data incident, aimed at damage control, and should be executed concurrently with the investigation of the incident cause and assessment of the scope of impact. Step 2: Obligation to Notify Data Subjects. Upon becoming aware of the incident, TPPs must promptly notify data subjects of the occurrence of the personal data security incident and the measures taken in response through appropriate means such as oral statement, written notice, telephone, text message, email, fax, electronic document, or any other means sufficient to ensure the data subject is informed or can reasonably become aware[11], and provide “a hotline or other appropriate channel for follow-up inquiries for data subjects to seek information”[12]. Furthermore, since some data subjects whose personal data is collected by TPPs are the end-consumers transacting with merchants, TPPs must ensure that, at the outset of their service processes, they clearly establish the legal basis and contact mechanisms that enable direct notification of data subjects (including consumers) in accordance with the privacy policy, service contract, or relevant notice documents, to ensure effective fulfillment of the notification obligation when an incident occurs. Step 3: Obligation to Report to the Competent Authority. This obligation is divided into two phases: before and after the amendments take effect. Before the amendments take effect, TPPs must comply with the current Security Maintenance Regulations and report to the Ministry of Digital Development (MODA). After the amendments take effect, TPPs will have the statutory obligation to report to the Personal Data Protection Commission (PDPC). Upon receiving a TPP’s report, the PDPC will in turn notify MODA. During the transition period, the reporting requirements stipulated in Article 8 of the existing Security Maintenance Regulations may continue to apply. Specifically, the reporting timeline is limited to ”completion within 72 hours of becoming aware of the incident,” and the incident must be judged based on the criterion of “endangers its normal operations or the rights and interests of a large number of data subjects.” These requirements remain the key substantive compliance standards at present. TPPs are advised to establish their internal reporting procedures in accordance with the regulations in force at the time of reporting and to closely monitor the effective date of the amendments and any further announcements issued by the PDPC. Step 4: Cooperating with Administrative Inspections and Retaining Records. TPPs must properly retain all relevant records from the incident response process for inspection by the competent authority. When cooperating with an administrative inspection, TPPs should not only prepare the root cause analysis report (documenting the relevant the facts, the impact, and the incident response measures taken) and supporting evidence for data subject notifications in a timely manner, but also be prepared to provide any additional documentation as required. If the competent authority requests a review of the implementation of the Security Maintenance Plan, TPPs are advised to provide the Plan along with documentation demonstrating the implementation of the required security maintenance measures. Doing so enables TPPs to substantiate their compliance efforts and incident response capabilities. III. Recommendations and Conclusion In summary, this article recommends that TPPs promptly review and refine their Security Maintenance Plan to ensure that their systems, procedures, and operational practices comply with applicable legal requirements. Concurrently, TPPs should establish clear incident reporting and incident response procedures, incorporating into their internal processes the immediate notification of data subjects, reporting to the competent authority, taking incident response measures, and preparing documentation for inspection. Given the enforcement trends following the amended provisions, only by implementing robust preventive measures and effective post-incident response capabilities can TPPs maintain regulatory compliance and preserve market trust amid the increasing frequency of personal data security incidents. [1]數位經濟相關產業個人資料檔案安全維護管理辦法，https://law.moda.gov.tw/LawContent.aspx?id=GL000090 （最後瀏覽日期︰2025/11/12）。 [2]〈立法院三讀通過「個人資料保護法」部分條文修正草案〉，個人資料保護委員會，https://www.pdpc.gov.tw/News_Content/20/1001/ （最後瀏覽日期︰2025/11/12）。 [3]總統令 華總一經字第11400114521號，中華民國總統府，https://www.president.gov.tw/Page/78 （最後瀏覽日期︰2025/11/12）。 [4]＜個人資料保護法部分條文修正案，業於今(114年11月11日)日經總統公布，本次修正條文施行日期將另由行政院定之＞，個人資料保護委員會，https://www.pdpc.gov.tw/News_Content/20/1010/ （最後瀏覽日期︰2025/11/12）。 [5]個人資料保護法施行細則第12條第2項第4款規定。 [6]數位經濟相關產業個人資料檔案安全維護管理辦法第8條第2項規定。 [7]個人資料保護法第22條第1項規定。 [8]個人資料保護法第47條至第50條規定。 [9]個人資料保護法第51-1條規定。 [10]個人資料保護法第12條第4項規定。 [11]個人資料保護法施行細則第22條規定。 [12]數位經濟相關產業個人資料檔案安全維護管理辦法第8條第1項第2款規定。

A Survey of Taiwanese Citizens' Awareness of Personal Data 2025/05/14 I.Preface Recent discussions have centered on personal data issues, such as corporate data breaches and recurring incidents of fraud. As a result, the security of personal data has received growing emphasis, prompting relevant authorities to issue public statements and advocate for legislative responses. To facilitate a deeper understanding of personal data awareness among the citizens of our nation, this study employed a questionnaire survey to assess basic knowledge of the Personal Data Protection Act and privacy regulations. It also examined levels of trust in entities that may hold personal data, including their types and usage contexts. The objective is to explore public attitudes toward such entities and to analyze the demographic factors influencing personal data awareness, thereby providing a reference for the future development of mechanisms to strengthen data literacy and enhance public trust. II.Research Objectives and Methodology By identifying demographic groups with lower awareness of personal data issues and helping them clarify relevant concepts, and promoting personal data certification for entities with lower levels of public trust, this study aims to reduce public concerns and build greater confidence. It also examines the characteristics of entities that positively influence individuals’ willingness to share personal data, with the goal of guiding such organizations in strengthening their data protection practices. Ultimately, these improvements are expected to enhance public trust and support the effective enforcement of personal data protection. The study employed a stratified random sampling method, with data collected via phone interviews. A total of 1,180 valid responses were obtained. The following sections present the key findings and offer recommendations based on the analysis. III.Raising Awareness and Clarifying Personal Data Concepts When assessing public understanding of basic personal data issues, responses showed a clear divide. While around 90% correctly answered questions about email account handling and the legal responsibilities of public sector agencies under the Personal Data Protection Act (PDPA), accuracy fell to around 10% for more complex scenarios. For example, many were unsure whether journalists covering car accidents need to notify involved individuals or whether telecom operators can transfer data to countries lacking equivalent PDPA protection. These results suggest that while some concepts are well understood, overall knowledge of the PDPA remains limited. Public understanding of sensitive personal data was also generally low. Except for medical records, recognition rates for other sensitive data types remained below 10%. On the other hand, many respondents mistakenly labeled general personal data as sensitive, showing both a lack of familiarity and a heightened sense of caution about data privacy among certain groups. Further analysis found elders, people with lower education and income, and those working in manual or domestic roles had a weaker grasp of what constitutes sensitive personal data. In contrast, individuals with higher education levels or professional roles tended to misclassify general data as sensitive, indicating stronger personal data protection awareness but also some confusion. Based on these findings, targeted awareness campaigns are recommended for groups with lower levels of understanding. These should not only clarify the definition of sensitive personal data but also address common misconceptions to help people develop a clearer and more accurate view of personal data protections under the PDPA. The study also found that people's answers could be used to identify patterns in their awareness. Correct answers indicated familiarity with personal data concepts, while incorrect ones often stemmed either from a lack of knowledge or from a more cautious and security-conscious mindset. Future research might explore this divide further to provide more specific policy recommendations. IV.Addressing Trust Gaps: Promoting Certification for Less-Trusted Entities In terms of public trust in different types of entities, medical institutions emerged as the most trusted. Trust levels varied by demographic group—women and elders, for example, had more confidence in academic institutions; people with lower incomes trusted health management centers or long-term care facilities more; and manual laborers and service workers were more likely to trust government agencies. In contrast, the least trusted entities were online shopping platforms, wearable device manufacturers, and health management tool providers. Even though online shopping is common, people still worry about how these platforms handle personal data. Similarly, despite the growing popularity of wearable health devices, skepticism about how these companies use data remains high. People aged 30–49, those with higher levels of education, and higher incomes were less likely to trust these companies. This supports earlier findings showing that these groups are more aware of personal data security issues. Therefore, efforts to improve trust should focus on less trusted entities and promote the adoption of personal data protection certifications. V.Building Trust through Personal Information Management System The study also looked at what specific organizational features increase public trust. These can be grouped into three categories: certification, type of entity, and size. The certification of personal data protection standards played a key role. Many people expressed more trust in entities that have earned formal personal data protection certifications, especially those bearing nationally recognized seals or certifications. Younger people, those with higher levels of education or income, professionals and students were especially likely to view certification as important. As for type of entity, most respondents expressed greater trust in domestic Taiwanese enterprises, and this preference was more pronounced among people with higher education. Meanwhile, companies linked to China or with Chinese investment backgrounds tended to be viewed with less trust. Interestingly, older respondents were less affected by organizational origin in their willingness to share personal data. When it came to size of the entity, over half of the respondents indicated they were more likely to trust larger companies. Younger, more educated, and higher-income individuals were especially inclined to trust larger entities. Occupations such as students, technical workers, administrative staff, and service workers also showed a similar tendency. To summarize, entities that are certified in personal data protection, are based in Taiwan, and are relatively large tend to earn greater public trust. Since an entity's type and size are often fixed, it is recommended that efforts focus on obtaining recognized personal data protection certifications. For entities currently lacking public trust or facing scrutiny, adopting standards like the Taiwan Personal Information Protection and Administration System (TPIPAS) and running public education campaigns may help to improve trust and meet the goals of personal data security and protection.