I. Preface

The Personal Data Protection Act (below, the “Act”), Article 27, paragraph 3 authorizes all central government authorities in charge of specific industries to formulate regulations regarding security standards and maintenance plans for their concerned industries.

Beginning August 27, 2022, Taiwan transferred authority over information services, software publishers, businesses that do retail sales of goods purely via the Internet, third-party payment providers, and other businesses in digital economy industries from the Ministry of Economic Affairs to the newly-established Ministry of Digital Affairs (MODA). Businesses in the digital economy industries collect, process, and use large amounts of important personal data, and therefore bear a relatively heavy responsibility for maintaining the security of personal data. In light of this, and in accordance with the Act, Article 27, paragraph 3, the MODA therefore promulgated the Regulations Regarding the Security Maintenance and Administration of Personal Information Files in in Digital Economy Industries (below, the “Regulations”) on October 12, 2023. These Regulations specify the standards for digital economy industries’ personal data file security maintenance plans and rules governing the handling of personal data following a business termination (below, “security and maintenance plans”, or “SMPs”). These regulations apply to all businesses in the digital economy industries. In order to reinforce responsibility for personal data security maintenance in the digital economy industries, tiered management is applied to businesses at different scales. The key points of these Regulations are introduced below.

II. Where the Regulations apply

As stipulated in the Regulations, Article 2, the “digital economy industries” that these Regulations apply to refer to any natural person, private juridical person, or other group, that engages in any of the following business operations: 4871 Retail Sale via Internet (industries that engage in retail sales to others via the Internet, but not including television, radio, phone, or other electronic means, nor postal sales); 582 Software Publishing; 620 Computer Programming, Consultancy and Related Activities; 6312 Data Processing, Hosting and Related Activities (industries that engage in processing customers’ data, server & website hosting, and other related services, but not including online audio/video streaming services); 639 Other Information Service Activities; or 6699 Other Activities Auxiliary to Financial Service Activities Not Elsewhere Classified (third-party payment industries, but not including other fund management activities). For the specific industries covered, see Attachment 1 of the Regulations.

III. Security maintenance and management measures

The relevant measures are stipulated in Articles 3 to 17 of the Regulations. In consideration that the businesses so regulated may collect, process, or use large amounts of personal data as part of their business activities, they bear a larger responsibility for maintaining the security of personal data than does the average enterprise. In compliance with the Regulations, every such enterprise is required to formulate an SMP, the content of which shall comply with the specifications in Articles 5 to 17. This includes putting in place management personnel and relevant resources; defining and inventorying the scope of personal data; risk assessment; putting internal management procedures in place; and other such matters.

These Regulations also adopt tiered management for businesses based on their capital levels, in order to reinforcement the frequency at which security maintenance measures are performed. The specific regulations for security maintenance measures are introduced below.

1. Formulating an SMP: In accordance with the Regulations, Article 3, and in order to maintain the security of personal data, each enterprise shall, within three months of the date the Regulations take effect (the Regulations take effect on October 12, 2023), plan and formulate their SMP. Every enterprise shall also cause all staff members to understand and fully implement the SMP. In order to monitor implementation, the MODA may require that each enterprise submit its implementation of SMP; the enterprise shall then submit their implementation status information in written form within the specified time limit.

2. Making the protection policy known internally: In accordance with the Regulations, Article 4, and to make sure that everyone in the enterprise comprehends and implements personal data protection, each enterprise shall make its personal data protection policies known to all personnel within the enterprise. Matters that must be explained include Taiwan’s legal regulations and orders on personal data protection; how personal data may only be collected, processed, and used for specific purposes and in a reasonable, secure way; that protective technology must be at a level of security that could be reasonably expected; points of contact for rights relating to personal data; personal data contingency plans; and proper monitoring of outsourced service providers to whom personal data is outsourced. All of this must be done to make sure that every enterprise carries out their duty for comprehensive, continuous SMP implementation.

3.SMP content:

(1) Putting in place management personnel with relevant resources: In accordance with the Regulations, Article 5; in accordance with both the Regulations as a whole and other laws and orders regarding the protection of personal data; and in order to implement personal data protection, each enterprise shall do the following things: Weigh the size and characteristics of their business to reasonably allocate operating resources; take responsibility for the personal data protection and management policy; and formulate, revise, and implement their SMP. Also, the enterprise’s representative or the representative’s authorized personnel shall carry out formulation and revision, in order to make sure that the SMP’s content is fully carried out.

(2) Establishing the scope of personal data: In accordance with the Regulations, Article 6, in order to define the scope of personal data to be included in the SMP, each enterprise shall periodically check the status of personal data that is collected, processed, or used.

(3) Risk assessment and management mechanisms for personal data: In accordance with the Regulations, Article 7, in a timely manner, and in accordance with their already-established personal data scopes and the processes in which their business involves the collection, processing, or use of personal data, each enterprise shall evaluate risks that may arise within their scope and processes. Based on the risk evaluation results, each enterprise shall then adopt appropriate security management and response measures.

(4) Incident prevention, reporting, and response mechanisms: In accordance with the Regulations, Article 8, and in order to reduce/control damages to data subjects resulting from personal data theft, tampering, damage, destruction, leakage, or other such security incidents, each enterprise shall formulate response, reporting, and prevention mechanisms:

A. Response mechanism: Methods to be followed after a security incident has occurred, to reduce/control damages to data subjects, and appropriate ways to notify data subjects after an incident investigation, as well as what such notifications shall contain.

B. Notification mechanism: Post-incident notifications to data subjects, in a form (such as email, text message, phone call, etc.) that makes it convenient for such subjects to learn what has occurred and what the incident handling status is; also, providing data subjects with a hotline or other way of seeking information later on.

C. Prevention mechanism: A post-incident mechanism for discussing and adjusting the prevention measures.

Within 72 hours after an enterprise learns that a personal data security incident has occurred, the enterprise shall use Attachment 2, the Enterprise Personal Data Leak Reporting Form, to notify the MODA of matters such as: A description of what caused the incident; an incident summary; the damage status; possible results from the personal data leakage; proposed response measures; proposed method and time for notifying data subjects; etc. Alternately, the enterprise may notify the special municipality or county/city government to then notify the MODA. If the enterprise is unable to report the incident within the time limit or is unable to supply complete reporting information all at once, the enterprise shall attach explanation of the reasons for the delay, or provide the information in stages. After the MODA or the special municipality or county/city government receives a report, they may implement reasonable handling in accordance with Articles 22 to 25 of the Act.

(5) Internal management procedures for personal data collection, processing, and usage: In accordance with the Regulations, Article 9, in order to ensure that their collection, processing, and use of personal data complies with the laws and orders regarding the protection of personal data, each enterprise shall do the following: Formulate internal management procedures; assess whether the use, processing, or collection of special categories of personal data are involved; assess data subjects’ consent has been obtained; assess whether the legal circumstances create an exemption from the obligation to inform; etc. The internal management measures shall also include providing data subjects with information on their rights in accordance with the Act, Article 3; putting in place mechanisms for ensuring the accuracy of and inquiring regarding personal data; and periodically reviewing whether the specific purposes for collecting personal data still exist or have expired.

(6) Limits, notifications, and monitoring for international transfers: In accordance with Article 10 of the Regulations and Article 21 of the Act, when an enterprise’s transfer of personal data across a national border affects data subjects to the extent that there is a major national interests concern, the enterprise shall assess whether MODA restrictions apply to the transfer. The enterprise shall also notify the data subjects of the region(s) that the data is transferred to; perform appropriate monitoring of the data recipient; and provide the data subjects with information on their rights in accordance with the Act, Article 3.

(7) Data, personnel, and equipment security management measures:

A. Data security management measures: In accordance with the Regulations, Article 11, and when personal data is backup, kept confidential, or transferred by various means based on the risk assessment results, each enterprise shall put in place protective measures against abnormal access behaviors. When an enterprise provides information/communication technology services, the enterprise shall also put in place and regularly monitor intrusion countermeasures, abnormal access monitoring and contingencies, anti-malware mechanisms, account password verification, system testing, and other such data security management measures.

B. Personnel security management measures: In accordance with the Regulations, Article 12, each enterprise shall contractually specify the obligation to maintain confidentiality with all staff members; identify personnel who job duties involve collecting, processing, or using personal data; and periodically assess the appropriateness and necessity of personnel’s permissions to access personal data.

C. Equipment security management measures: In accordance with the Regulations, Article 14, and to prevent personal data being stolen, tampered with, damaged, destroyed, or leaked, each enterprise shall put in place appropriate media protection for personal data storage devices. The protection requirements include management measures such as technology, equipment and secured environments that meet a specific level of security.

(8) Education and training: In accordance with the Regulations, Article 13, each enterprise shall periodically use education and training to ensure that all staff members understand the following things: The laws and regulations pertaining to personal data protection; their personal duties and roles within their scopes of responsibility; and the requirements for all SMP management procedures, mechanisms, and measures. For any enterprise that engages in retail sales via the Internet, their SMP shall include user training and education regarding personal data protection and management; and the enterprise shall also formulate personal data protection rules for compliance.

(9) Continuous audit, recording, and improvement mechanisms:

A. Data security auditing mechanisms: In accordance with the Regulations, Article 15, each enterprise shall periodically do internal audits of personal data, then put the audit results into an evaluation report that reviews improvements to the enterprise’s protection policy, SMP, etc. If there are any deficiencies, the enterprise shall make corrections.

B. Use of records, tracking data, and retention of evidence: In accordance with the Regulations, Article 16, and as part of carrying out its SMP, each enterprise shall retain a minimum of five years of records on the collection, processing, and use of personal data; tracking data for automated machinery; and evidence of having implemented the SMP. After an enterprise’s operations cease, it shall retain records of the destruction, transfer, or other deletion of personal data for a minimum of five years.

C. Comprehensive, continuous improvement for personal data security maintenance: In accordance with the Regulations, Article 17, any time an enterprise’s SMP is not implemented, the enterprise shall adopt corrective and preventive measures. Also, based on the SMP’s implementation status, its handling methods/implementation status, developments in data technology, adjustments to the enterprise’s business, and changes in the law and regulations, each enterprise shall periodically review and amend its SMP.

4. Tiered management: In accordance with the Regulations, Article 18, and to prevent relatively small businesses having to take on excessive personal data management costs, tiered management is applied. For an enterprise with a specific business scale (having capital of NT$10 million or more, or holding 5,000 or more personal data records), stronger security measure implementation is required, namely, the personal data security measures shall be implemented, reviewed, and improved at least once every twelve months. If an enterprise reaches NT$10 million or more in capital after the Regulations take effect, or if an enterprise’s number of personal data records held reaches 5,000 or more as a result of direct or indirect data collection, then within six months of meeting those conditions, the enterprise shall implement and review the improvement measures at least once every twelve months.

5. Outsourced personal data: Commercial outsourcing in the digital economy comes in many forms. In light of this, and in order to make clear each enterprise’s security management obligations with regard to the collection, processing, and use of personal data, Article 19 of the Regulations clearly spells out what duties shall be carried out with regard to any outsourcing that touches on personal data. When an enterprise outsources the collection, processing, or use of personal data, it is considered equivalent to the enterprise’s own activity. Thus, the enterprise shall understand and follow the legal orders and regulations on personal data set by the central government authorities in charge of the outsourcing party’s industries. Any oversight responsibilities arising from outsourcing the collection, processing, or use of others’ personal data shall be clearly stipulated in the outsourcing contract or other such documents.

IV. Measures of Guidance by MODA

MODA has established reference guidelines for the industries to follow, and has organized a series of briefing sessions to assist industries related to digital economy in complying with the Regulations and guidelines. It also provides one-on-one counseling service for industries to get in-depth advice from experts concerning the establishment of personal data management systems. For the aforementioned guidelines, please visit https://moda.gov.tw/ADI/services/govinfo/a-directions/1403 .

V. Conclusion

The Regulations Regarding the Security Maintenance and Administration of Personal Information Files in in Digital Economy Industries are designed to balance development for Taiwan’s digital economy industries with comprehensive, continuous improvement of personal data security maintenance. In pursuit of those goals, the Regulations clarify what each enterprise must do: Plan, formulate, and carry out security maintenance plans for personal data that falls within the bounds of the enterprise’s business; ensure that all staff members receive training on personal data protection; provide personal data subjects with channels to file complaints and seek consultation on their rights; and inform the government authorities in charge of the digital economy about the enterprise’s SMP, including the status of any personal data security incidents. All this is done in hopes that the security measures will continuously improve the security of personal data in Taiwan’s digital economy industries.

In an era where artificial intelligence (AI) reshapes every facet of life, governance plays a pivotal role in harnessing its benefits while mitigating associated risks. Taiwan, recognizing the dual-edged nature of AI, has embarked on a comprehensive strategy to ensure its development is both ethical and effective. This article delves into Taiwan's AI governance framework, exploring its strategic pillars, regulatory milestones, and future directions.

I. Taiwan's AI Governance Vision: Taiwan AI Action Plan 2.0

Taiwan has long viewed AI as a transformative force that must be guided with a careful balance of innovation and regulation. With the advent of technologies capable of influencing democracy, privacy, and social stability, Taiwan's approach is rooted in human-centric values. The nation's strategy is aligned with global movements towards responsible AI, drawing lessons from international standards like those set by the European Union's Artificial Intelligence Act. The "Taiwan AI Action Plan 2.0" is the cornerstone of this strategy. It is a multi-faceted plan designed to boost Taiwan's AI capabilities through five key components:

1. Talent Development: Enhancing the quality and quantity of AI professionals while improving public AI literacy through targeted education and training initiatives.

2. Technological and Industrial Advancement: Focusing on critical AI technologies and applications to foster industrial growth and creating the Trustworthy AI Dialogue Engine (TAIDE) that communicates in Traditional Chinese.

3. Supportive Infrastructure: Establishing robust AI governance infrastructure to facilitate industry and governmental regulation, and to foster compliance with international standards.

4. International Collaboration: Expanding Taiwan's role in international AI forums, such as the Global Partnership on AI (GPAI), to collaborate on developing trustworthy AI practices.

5. Societal and Humanitarian Engagement: Utilizing AI to tackle pressing societal challenges like labor shortages, an aging population, and environmental sustainability.

II. Guidance-before-legislation

To facilitate a gradual adaptation to the evolving legal landscape of artificial intelligence and maintain flexibility in governance, Taiwan employs a "guidance-before-legislation" approach. This strategy prioritizes the rollout of non-binding guidelines as an initial step, allowing agencies to adjust before any formal legislation is enacted as needed.

Taiwan adopts a proactive approach in AI governance, facilitated by the Executive Yuan. This method involves consistent inter-departmental collaborations to create a unified regulatory landscape. Each ministry is actively formulating and refining guidelines to address the specific challenges and opportunities presented by AI within their areas of responsibility, spanning finance, healthcare, transportation, and cultural sectors.

III. Next step: Artificial Intelligence Basic Act

The drafting of the "Basic Law on Artificial Intelligence," anticipated for legislative review in 2024, marks a significant step towards codifying Taiwan’s AI governance. Built on seven foundational principles—transparency, privacy, autonomy, fairness, cybersecurity, sustainable development, and accountability—this law will serve as the backbone for all AI-related activities and developments in Taiwan. By establishing rigorous standards and evaluation mechanisms, this law will not only govern but also guide the ethical deployment of AI technologies, ensuring that they are beneficial and safe for all.

IV. Conclusion

As AI continues to evolve, the need for robust governance frameworks becomes increasingly critical. Taiwan is setting a global standard for AI governance that is both ethical and effective. Through legislation, active international cooperation, and a steadfast commitment to human-centric values, Taiwan is shaping a future where AI technology not only thrives but also aligns seamlessly with societal norms and values.

I. Preface

The Mandatory Provisions and Prohibitory Provisions to Be Included in the Standard Form Contract for Instant Messaging Application Services, which were formulated and promulgated on September 25, 2017, have come into force since May 1, 2018. As the central competent authority of this standard form contract regulation under the arrangement of the organizational restructuring of the Executive Yuan, the Ministry of Digital Affairs (moda) plans to conduct routine inspections annually by reviewing the services contract terms and privacy protection policies of the instant messaging application services, focusing on the ones that consumers often use in our domestic market, with a view to fully protecting the rights and interests of consumers while ensuring that service providers comply with the regulation. In addition, moda also holds review meetings where service providers can get advice on how to revise or optimize their service terms and privacy policies.

Therefore, moda conducts annual spot checks and reviews of the service terms and privacy policies of instant messaging service commonly used by domestic consumers. Additionally, moda organizes expert review committees and carry out subsequent guidance and improvements.

II. The Regulation

The term "instant messaging application services" referred to herein represents a closed communication service in which a trader's main service content is to offer consumers using computers, smart devices, or other electronic carriers to transmit sound, images, text, data, files, or other messages through the Internet for the purpose of engaging in one-to-one or one-to-many real-time messaging and conversations which are close type communication services. This shall not include e-mail, Internet chat rooms, electronic bulletin boards, or affiliated communication services provided by other Internet platforms.

PART I. Mandatory Provisions

1. Information of the trader

2. The name, representative, website, business address, telephone number, e-mail address, and customer service contact information of the trader.

3. Contract and Service Content

(1) On the official website, registration page or APP download page, the content, usage method, and specifications of software and hardware equipment required for the use of the service shall be stated.

(2) On the official website, registration page or APP, a warning text or warning mechanism shall be provided for the deletion or disappearance of information such as communication records, file transfer, friend lists, post contents or other value-added services.

(3) The content, price, payment method, purpose and period of use of the paid value-added service or product shall be stated at the place of purchase of the service (product).

4. Application and Use of Consumer Accounts

The application, maintenance and deletion of accounts shall contain the following information:

(1) The way to activate and use the account, password setting and security devices shall be provided for consumers to use this service.

(2) The manner in which the consumers cooperate in logging in to the service and confirming their personal data.

(3) Consumers shall properly keep their accounts, passwords or other necessary information.

(4) If it is agreed that if consumers delete their accounts, the right to use this service shall be terminated, the trader shall offer a confirmation of deletion and a warning mechanism at the same time when the consumers delete their accounts on their own initiative.

(5) If it is agreed that if consumers do not use the service for a specific period of time, their accounts shall be deleted. The trader shall, in addition to reminding consumers in advance through the terms of the official website, notify them of the deletion by means of official website announcements, text messages, emails, or push notifications, etc., and only after a certain period of time (at least fifteen days) has passed and consumers have not yet utilized the service, shall the trader delete their accounts and terminate the provision of the service.

(6) If the consumers' accounts are deleted and the trader has terminated the provision of this service, the trader shall, within thirty days after the consumers' application, refund the consumers' unused amount by cash, credit card, bill of exchange, or check sent by registered mail.

5. esponsibility for Security Maintenance

Traders shall indicate the following information regarding the management of consumer accounts and system security maintenance:

(1) The way to notify consumers when their accounts have been fraudulently used by others. The traders shall immediately stop the use of consumers' accounts after confirming that the accounts have been fraudulently used. Unless required by law or due to legitimate reasons, the traders shall resume the use of the accounts after notifying the consumers to apply for a change of passwords.

(2) When consumers' accounts are deleted due to replacement of end user device or unlawful intrusion, they may present relevant information to the traders to apply for assistance in restoring their accounts, pre-payments, or value-added service products purchased with payment.

(3) Traders shall maintain the security of their systems in line with what can reasonably be expected from the prevailing technological or professional standards, and prevent unlawful intrusion, obtaining, tampering, or destroying of consumers' records or personal data related to the use of the service; and in the event of any unlawful intrusion or damage to the system, they shall take reasonable measures to restore the system as soon as possible, and shall be held liable to compensate for the damages suffered by consumers.

6. Performance Guarantee Mechanisms

The traders shall provide consumers with the following performance guarantee mechanism, which shall be displayed in a conspicuous manner.

□ The trust account opened at __________ financial institution is for the exclusive use of the service. The term "exclusive use" refers to the use of the trust account by the traders to fulfill its obligation to deliver goods or provide services. The trust period is from the date of ____________ to the date of ____________ (at least one year).

□ A performance guarantee has been provided by __________ financial institution for the period from the date of ____________ to the date of ____________ (at least one year).

□ Other __________ (with the consent of the Ministry of Digital Affairs).

7. Handling of Service Suspension by the Trader

In order to maintain the software and hardware related to the service and suspend in whole or in part of the service, except for force majeure or emergency, the trader shall notify the consumers seven days prior to the suspension of the service by means of announcement on the official website, text message, e-mail or push notifications.

8. Reasons for Termination of the Contract or Cessation of Service

The trader may terminate the contract or cease the service under the following circumstances:

(1) There is evidence that the consumer's account is involved in money laundering, fraud, or other criminal activities or illegal use.

(2) The consumer has violated the terms and conditions of use of the service and has failed to make improvements after being notified to do so.

9. Dispute Handling

The trader shall set forth the complaint mechanism, handling procedures, telephone and e-mail address, and other relevant contact information for consumer complaints.

10. Changes in the Contract or Service Content

When the trader changes the contract or service content, the trader shall announce and notify the consumers in a manner agreed by both parties.

If the trader fails to make public announcement and notification in accordance with the preceding paragraph, the change of contract or service content shall be invalid.

If there is no contrary expression made by consumers within fifteen days after the notification as stated in the first paragraph shall be deemed to have accepted the change of contract or service content; if there is contrary expression, it shall be deemed to be the notification of termination of the contract.

PART II. Prohibitory Provisions

1. Prohibition of Abandoning the Review Period

It is prohibited to stipulate that consumers abandon the review period of the contract.

2. Exercise of Rights to Personal Data

It is prohibited to stipulate that consumers preemptively abandon or restrict the exercise of the following rights to personal data:

(1) the right to make an inquiry of and to review his/her personal data;

(2) the right to request a copy of his/her personal data;

(3) the right to supplement or correct his/her personal data;

(4) the right to demand the cessation of the collection, processing or use of his/her personal data; and

(5) the right to erase his/her personal data.

3. Utilization of Personal Data for Other Purposes

It is prohibited to stipulate the use of consumers' personal data beyond the scope necessary for the purpose of the contract, except as provided by law.

4. Prohibition of Unilateral Changes to Contracts or Services and Non-Objection Clauses

It is prohibited to stipulate that traders may unilaterally change the contract or service content and consumer non-objection clause without prior announcement and notice to consumers.

5. Exemption of traders from liability for compensation for arbitrary cancellation or termination of the contract

It is prohibited to stipulate that the traders may terminate or cancel the contract arbitrarily.

Traders shall not be preemptively exempted from the liability to pay compensation in the event of termination or cancellation of the contract.

6. Restrictions on Consumers' Right to Cancel or Terminate the Contracts

It is prohibited to stipulate the abandon or limit of the consumer's right to cancel or terminate the contract in accordance with the law.

7. Contractual Exclusion of Evidence

It is prohibited to stipulate that in case of disputes, only the electronic transaction information kept by the trader shall be used as the basis for determining the relevant facts.

8. Court of Jurisdiction

It is prohibited to stipulate exclusion of application of Article 47 of the Consumer Protection Act or Article 436-9 of the Code of Civil Procedure to the court of competent jurisdiction for Small-Claim Proceeding.