Introduction

On January 30th, 2026, the Legislative Yuan of Taiwan officially passed the amendment to the Pharmaceutical Affairs Act, marking a decisive milestone in the nation's pharmaceutical supply chain management. Triggered by lessons learned from the COVID-19 pandemic and exacerbated by recent geopolitical instabilities, this legislative enactment addresses the critical need for a more resilient drug supply system. This article analyzes the amendment's necessity, its key provisions, and its positive implications for crisis management.

The Necessity of Regulatory Reform

The fragility of global pharmaceutical supply chains has become a pressing national security concern. The previous legal framework primarily relied on passive notifications from manufacturers, which may be insufficient during rapid onset shortages caused by raw material deficits or international logistical disruptions. The government identified that to effectively stabilize drug supply, the competent authority requires a legal basis for proactive monitoring and flexible intervention. The passage of this amendment provides the necessary transition from a reactive posture to a preventative "early warning" system, ensuring the public’s right to health is not compromised by external market shocks.

Key Provisions of the Amendment

The newly passed amendment introduces three major mechanisms to bolster supply chain resilience:

1. Mandatory Reporting Mechanism

The amendment imposes a strict obligation on license holders of "essential medicines" to periodically report their manufacturing, import, and supply status to the central health authority. This data transparency is crucial for the government to assess stock levels dynamically.

2. Emergency Intervention Powers

In the event of a potential shortage, the authority is now empowered to publicly log the shortage and grant special approval for the manufacturing or importation of the drug or its substitutes, bypassing standard license restrictions. Furthermore, during major public health incidents, the authority can implement rationing measures, restricting the scope and quantity of drug supply to ensure equitable distribution.

3. Expanded Scope for Special Approval

The conditions for special drug approval have been broadened to explicitly include "response to major public health incidents," extending beyond the previous scope of solely emergency situations or lack of therapeutic alternatives.

Enhancing Crisis Response Capabilities

This amendment merits strong affirmation for significantly elevating Taiwan's crisis response capabilities. By codifying the power to bypass administrative hurdles (such as standard registration procedures) during emergencies, the government creates a "fast lane" for critical medicines. This flexibility, combined with the new mandatory reporting requirements, creates a closed-loop system of "monitoring-assessment-intervention." It strikes a necessary balance between market freedom and public welfare, ensuring that in times of crisis, the continuity of medical care remains the paramount legal priority.

Conclusion

The passage of the 2026 amendment to the Pharmaceutical Affairs Act represents a timely and sophisticated legislative evolution. It not only addresses immediate supply gaps but also constructs a long-term infrastructure for pharmaceutical resilience, safeguarding Taiwan's health security in an unpredictable global landscape.

The Preparatory Office of the Personal Data Protection Commission (PDPC) of Taiwan announced four draft regulations on January 22, 2026. Which are:

1. The draft Regulations for Personal Data Breach Notification, Reporting and Response.

2. The draft amendment on partial articles of Enforcement Rules of the Personal Data Protection Act.

3. The draft Regulations for the Duties, Occupational Qualifications and Training of the Personal Data Protection Officer and Related Personnel.

4. The draft Regulations Governing Security Maintenance and Management of Personal Data Files.

The four draft regulations will be posted on the PDPC's website until March 23, 2026, to receive public comments, while the effective dates remain to be determined. This article provides a summary of the draft "Regulations for Personal Data Breach Notification, Reporting and Response " and the draft "Regulations Governing Security Maintenance and Management of Personal Data Files", which focusing on imposing new obligations for non-government agencies.

The draft Regulations for Personal Data Breach Notification, Reporting and Response

The draft Regulations for Personal Data Breach Notification, Reporting and Response mainly stipulates the obligations for reporting and notifying personal data breaches.

Non-government agencies should report to the competent authority within 72 hours if experiencing situation such as data breach involving sensitive personal data, the amount of affected data reaches are more than 100 personal data records.

In certain situations, such as when the contact information of the data subjects is not available, or the breach does not involve sensitive personal data and appropriate security measures have already been taken. The notification can be made through news media or online announcements rather than to notify each individual data subject.

The draft Regulations Governing Security Maintenance and Management of Personal Data Files

The draft amendment to the "Regulations Governing Security Maintenance and Management of Personal Data Files" mainly focus on clarifying the calculation basis for the number of personal data, strengthening management requirements for sensitive personal data and regulating obligations for large non-government agencies.

1. Clarifying the calculation basis for the number of personal data.

The draft explicitly the calculation method for the number of personal data held by non-government agencies. The calculation is based on the sum of "the number of records held each single day, for each natural person, and for each specific purpose of collection." Defining the calculation method helps organizations accurately complete self-assessment and inventory work, determining their personal data scale and risk level.

2. Strengthening management requirements for sensitive personal data.

The draft also requires enterprises to adopt higher-level management measures for sensitive personal data, include media control for sensitive personal data, media destruction and protection mechanisms, backup management, data encryption, and transmission control mechanisms.

3. Regulating obligations for large non-government agencies.

The draft redefines "large non-government agencies" as non-government agencies with a capital exceeding 100 million New Taiwan Dollars (NTD) or with 200 or more employees, meanwhile holding 10,000 or more personal data records. These large non-government agencies are required to bear higher-level obligations.

The public announcement of these draft regulations will impose higher-level obligations on agencies for the protection of personal data once they come into effect. Organizations should be ready for the new system as early as possible to avoid violating regulations and being penalized.

In response to Constitutional Court Judgment No. 13 (2022), Taiwan has amended the Personal Data Protection Act (PDPA) to strengthen the legal foundation for an independent personal data supervisory authority.

Following the May 2023 amendment introducing Article 1-1 (not yet in effect), the Personal Data Protection Commission (PDPC) was designated as the competent authority for personal data protection. The PDPC’s Preparatory Office was established in December 2023, and the Commission will be formally constituted upon the passage of its Organizational Act.

Key Focus Areas of the Amendment

1. Centralized Enforcement by the PDPC

The PDPC will serve as the centralized authority for receiving personal data breach notifications and will promulgate baseline Regulations for the Security and Maintenance of Personal Information Files applicable to non-government agencies, unifying data security requirements previously dispersed across sector-specific regulations.

During the transition period, sectoral competent authorities may continue to issue security regulations, provided they are consistent with, or more stringent than, PDPC standards.

2. Enhanced Public-Sector Data Governance

Under amended Article 18, government agencies are required to designate a Data Protection Officer (DPO) and will be subject to the PDPC’s administrative inspection framework, strengthening institutional accountability and compliance oversight.

3. Six-Year Transition toward Centralized Supervision

After the PDPC is established, sectors without designated competent authorities will be prioritized for direct supervision, while regulated sectors will remain under existing authorities for up to six years. The PDPC will conduct biennial reviews in consultation with relevant authorities, with the goal of progressively consolidating supervisory powers.

Data Breach Notification and Reporting: Key Impact on Enterprises

For non-government agencies, the most significant practical impact arises from Article 12, which codifies personal data breach response obligations previously set out only in enforcement rules or sector-specific guidelines.

When a personal data breach occurs—defined as the theft, alteration, damage, destruction, or disclosure of personal data—enterprises must notify affected data subjects without delay. Where the incident qualifies as a reportable event under PDPC regulations, enterprises must also notify the competent authority.

Enterprises are required to retain documentation of breach notifications and reports for inspection, with detailed thresholds, timelines, and record-retention requirements to be specified by the PDPC through subordinate regulations.

To enhance enforcement, Article 48 introduces direct administrative fines. Violations of breach notification, reporting, response, or record-keeping obligations may result in fines ranging from NTD 20,000 to NTD 200,000, without a prior corrective order, reinforcing a shift toward proactive risk management.

Outlook

Enterprises that adopt a Personal Information Management System (PIMS), implement risk-based data protection frameworks, and establish effective breach notification and reporting mechanisms will be better positioned to mitigate regulatory risk and strengthen consumer trust. Accordingly, the amendment should be viewed not only as a compliance requirement, but also as an opportunity to elevate personal data protection as a core component of corporate governance.