STLI Quarterly Newsletter 2022 NO.01

  On December 28, 2021, the Legislative Yuan approved a proposal to establish the Ministry of Digital Development (hereinafter the “MDD”). On January 19, 2022, Taiwan's President Tsai Ing-wen (蔡英文) promulgated the Organic Act for the Ministry of Digital Development and related organic acts. The new MDD will be established under the Executive Yuan, expected in July 2022.

  Creating a ministry of digital development was a significant policy and part of the President's campaign promise to develop Taiwan's digital transformation, digital economy, and cyber security. The newly developed Ministry will integrate five key areas previously handled by government agencies, including telecommunications, information, cyber security, the Internet, and communications.

  The newly established MDD will be responsible for coordinating, drafting, and enforcing regulations for digital development and cyber security policy, and for strategic planning of the government resources required for digital development and of the infrastructure needed to promote the application of digital technology and an environment for innovation.

  In addition, the National Cyber Security Institute, the Digital Industry Agency, and the Cyber Security Agency will be established under the MDD to help the MDD carry out its responsibilities.

  The Organic Act for the Ministry of Digital Development contains ten articles; its essential points are as follows:

1. To indicate the goals of establishing the MDD (Article 1).

2. To provide for the duties and functions of the MDD (Article 2).

3. To provide for the job grades and number of the MDD’s minister, deputy minister, and administrative deputy minister (Article 3).

4. To provide for the job grades and number of the MDD’s chief secretary (Article 4).

5. To provide for the subordinate agencies of the MDD and their business operation. The subordinate agencies include the Digital Industry Agency and the Cyber Security Agency. The Digital Industry Agency would be responsible for planning policies related to the digital economy industry, and the Cyber Security Agency would be responsible for coordinating overall cybersecurity and for the administration of cybersecurity (Article 5).

6. To specify that the qualification requirement for the heads of the Ministry’s first-level officials is at least that of an associate professor (Article 6).

7. To specify that the MDD may employ professional personnel under the Statute For The Employment Of Contract-based Personnel (Article 7).

8. To specify that the number and job grades of the MDD’s various positions shall be stipulated by a personnel structure chart (Article 8).

9. To provide for the protection of the rights and benefits of personnel who undergo employment transfers in conjunction with the transformation of their agencies (Article 9).

10. To specify that the enforcement date of this Act shall be stipulated by the Executive Yuan (Article 10).


  On February 10, 2022, the Penalty Principles for Violations of the Personal Data Protection Act by Non-government Agencies and Responsible Persons (hereinafter the "Principle") took effect[1]. The National Development Council, the government agency responsible for interpreting the Personal Data Protection Act (hereinafter the "PDPA"), announced the Principle to provide a legal ground for the government's supervision of non-government agencies.

  The announcement of the Principle can be traced back to the beginning of 2021, when the Executive Yuan declared its intention to ensure effective implementation and enforcement of the PDPA. Later, on April 23, 2021, the draft Principle was endorsed in an Executive Yuan meeting. The primary purpose of the Principle is to require government authorities to adequately supervise non-government agencies in fulfilling their data breach and personal information protection obligations under the PDPA.

  Under Article 25(1)(4) of the PDPA, when a non-government agency contravenes the PDPA, the central or local government authorities may, besides imposing administrative fines, issue public reprimands that declare the nature of the breach, the name of the non-government agency, and its responsible persons. The Principle lists the following circumstances that may be taken into account when setting public reprimands:

1. Circumstances and causes of data breaches

a. categories of personal information;
b. amount of personal information;
c. causes of the breach – whether intentional or by mistake;
d. duration of the breach;
e. risks to data subjects' rights.

2. Implementation of security measures

a. whether the non-government agency has implemented the security measures stated under Article 27 of the PDPA and Article 12 of the Enforcement Rules of the Personal Data Protection Act (hereinafter the "Rules"). The PDPA says that security measures must be in place to protect personal information. The Rules set out a non-exhaustive list of security measures, as follows:

i. allocate management personnel and reasonable resources;
ii. define the scope of personal information;
iii. establish risk assessment and management mechanisms;
iv. establish data breach mechanisms;
v. establish procedures relating to the collection, processing, and use of personal information;
vi. manage personal details and personnel;
vii. education and training;
viii. manage the security of facilities;
ix. establish auditing mechanisms;
x. keep records, log files and relevant evidence;
xi. continuous improvement of personal data protection.

b. whether there have been prior data breaches.

3. Measures

a. measures taken by the non-government agency to minimize the effect on data subjects when aware of data breaches
b. whether the non-government agency has actively reported the data breach to central or local governments
c. whether the non-government agency has actively cooperated with central or local government authorities during the investigation of the data breach
d. whether the non-government agency has given appropriate notice to data subjects

4. Other circumstances

a. whether the non-government agency has complied with other penalties or corrective actions imposed by central or local government authorities in respect of the same data breach
b. whether the non-government agency has interests related to this data breach

  In its explanatory memorandum, the National Development Council stated that the list of circumstances in the Principle echoes article 83(2) of the European Union General Data Protection Regulation, where supervisory authorities may take into account a list of events when determining whether to impose an administrative fine and the amount of the administrative penalty on a case by case basis[2].

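[1] Reference Principles for Dispositions Publicizing Violations of the Personal Data Protection Act by Non-government Agencies and Their Responsible Persons (公布非公務機關及其負責人違反個人資料保護法情形之處分參考原則), https://zuhu.yunlin.gov.tw/News_Content.aspx?n=3636&sms=12339&s=370508
[2] Explanatory Memorandum to the Reference Principles for Dispositions Publicizing Violations of the Personal Data Protection Act by Non-government Agencies and Their Responsible Persons (公布非公務機關及其負責人違反個人資料保護法情形之處分參考原則總說明), https://zuhu.yunlin.gov.tw/News_Content.aspx?n=3636&sms=12339&s=370508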


  On February 17, 2022, the Executive Yuan announced draft amendments to some provisions of the National Security Act and the Act Governing Relations between the People of the Taiwan Area and the Mainland Area. Premier Su said that high-tech industries are the key to Taiwan's economic development. However, in recent years, the "red supply chain" has, through various means, absorbed Taiwan's high-tech R&D talent and stolen national core technologies and knowledge, or, by investing in businesses in third places, evaded existing legal norms to invest in or conduct business activities in China, harming the country and endangering national security and economic interests. Therefore, the government proposed these draft amendments to protect the high-tech industry, prevent the outflow of core technologies, and strengthen legal management.

  The critical points of the two draft amendments are as follows:

1. National Security Act

(1) Article 3: This article adds that no one shall engage in acts that infringe on the national core technology trade secrets to a foreign country, Mainland China, hostile foreign forces, or organizations under their substantial control. In addition, no one may intend to use the national core technology trade secrets in a foreign country and Mainland China and engage in acts that infringe these trade secrets.

(2) Article 8: This article adds criminal penalties for infringing on the national core technology trade secrets.

(3) Article 9: To protect the national core technology trade secrets during the investigation and strengthen the efficiency of the analysis, the prosecutor may issue an investigation confidentiality protective order under the provisions of the Trade Secrets Act when handling such cases and when deemed necessary.

(4) Article 10: Where the prosecutor issues an investigation secrecy order under Article 9 of the National Security Act, a person who violates the secrecy order shall be held criminally responsible.

2. Act Governing Relations between the People of the Taiwan Area and the Mainland Area

(1) Article 9: To strengthen protection measures for high-tech talent, this article regulates individuals, legal persons, or group members who are entrusted, subsidized, or invested in by government agencies above a certain standard and are engaged in national core technology business, as well as those whose entrustment, subsidy, or investment has been suspended or who have resigned. Those who have not completed three years must obtain permission from the committee to travel to Mainland China. At the same time, when these personnel return to Taiwan, they are obliged to notify the agency that commissioned, subsidized, or contributed funds.

(2) Article 40-1: This article is amended to provide that when a profit-making enterprise in the Mainland Area invests in Taiwan through a third place, it shall first obtain permission from the competent authority and establish a branch or liaison office in the Taiwan Area before engaging in business activities in Taiwan. At the same time, if its department is operating in Taiwan, the relevant provisions of the Taiwan Company Act shall apply mutatis mutandis.

(3) Article 91: This article is amended in conjunction with Article 9 to add penalties for violations of relevant notification obligations.

(4) Article 93-1: People from Mainland China who invest in Taiwan must obtain permission from the competent authority. If a person provides his or her name to people from Mainland China so that they can invest in Taiwan, the competent authority may impose a fine.

(5) Article 93-2: Profit-making enterprises in Mainland China, or profit-making enterprises investing in a third place, shall, in principle, apply for permission from the competent authority before they can engage in business activities in Taiwan. If a person provides his or her name to these for-profit enterprises so that they can conduct business activities in Taiwan, that person may be punished with fixed-term imprisonment or a fine.