Data Protection: Personal Information Protection Act Amended.

[2016/01/15]

The Personal Information Protection Act (PIPA) was last amended in 2010. But because fears were voiced from various quarters that the implementation of some provisions of the amended Act would have a serious negative impact, the application of two amended articles was suspended: Article 6, regarding the collection, processing and use of special types of personal information, and Article 54, regarding notification in respect of personal information provided by sources other than the party concerned, that was collected before the amended Act took effect. To address these issues, on 15 December 2015 the Legislative Yuan enacted new amendments to the PIPA. The date when they will take effect is to be set by the Executive Yuan. The main points of the amendments are as follows:
1. “Medical records” are brought within the scope of specially protected information: The new amendments add “medical records” to the special types of personal information protected under Article 6, in addition to the previously included categories of medical treatment, genetic information, sexual life, health examinations, and criminal records.
2. Protection of special types of personal information: The old Article 6 strictly prohibited the collection, processing and use of the special types of personal information mentioned above, except in certain defined circumstances, including where the information is voluntarily disclosed by the party concerned. This prohibition would have applied even if the party concerned had consented to the collection, processing or use of their information. In order to respect individuals’ right of self-determination regarding their own personal information, the amended Article 6 provides that these special types of personal information may be collected, processed or used with the written consent of the party concerned.
3. Consent for collection, processing and use of general personal information not limited to written consent: In response to the rapid development of the Internet and e-commerce, the wording under the old Act requiring “written consent” of the party concerned to be obtained for the collection, processing, or use of general personal information, is amended to “consent”; in other words, it is no longer necessary for consent to be given in written form. With the removal of the requirement for written consent, the burden of proof that the party concerned has in fact given “consent” must be borne by the data collector. But where a party has been given notice regarding their personal information as required under the Act, has not refused to provide such information, and has in fact provided such information, the party is presumed to have given consent.
4. Reduced criminal penalties: Where a breach of the PIPA is committed without the intention of achieving illicit gain for the perpetrator or for a third party, or of harming the interests of others, because in such cases the culpability of the perpetrator’s actions is relatively low, in principle it is sufficient for such cases to be handled by compensation through civil damages, or by administrative fine. Accordingly, the related criminal penalties are repealed.
5. No time limit for notification by indirect collectors: The old Article 54 required that if personal information not provided directly by the party concerned had been collected before the 2010 amendments took effect, the collector must give the required notice to the party concerned within one year after the amendments took effect. The new amendments remove this one-year time limit, so that the data collector need only give such notice to the party concerned before actually processing or using their personal information.