Cyber Law at Taiwan

Taiwan has developed a robust framework of cyber laws to address the growing challenges of cybersecurity, data protection, and cybercrime. This framework involves several key pieces of legislation and regulations, reflecting a comprehensive approach to digital governance.

Here's an overview of cyber law in Taiwan:

1. Cybersecurity Management Act (CSMA)

Primary Legislation: Promulgated in 2018 and effective since January 1, 2019, the CSMA is the primary legislation governing cybersecurity in Taiwan.

Scope: It mainly establishes cybersecurity control mechanisms for:

Government Agencies: All government entities are subject to the CSMA.

Specific Non-Government Agencies: This includes critical infrastructure providers (e.g., in energy, water, communications, finance, transportation), state-owned businesses, and government-sponsored foundations.

Key Requirements:

Cybersecurity Maintenance Plans: Agencies subject to the CSMA must establish and implement their own cybersecurity maintenance plans, tailored to their "cybersecurity responsibility levels" (categorized from A to E based on importance, confidentiality, and sensitivity of business, information, and scale).

Reporting and Response Mechanisms: They must set up robust mechanisms for reporting and responding to cybersecurity incidents.

Incident Reporting: Cybersecurity incidents must be reported promptly (e.g., within one hour of discovery for critical incidents).

Damage Control and Recovery: Measures for damage control and recovery must be completed within specific timeframes (e.g., 36 to 72 hours depending on severity).

Audits and Inspections: Agencies are subject to cybersecurity audits and inspections.

Restrictions on Certain Technologies: Guidelines may restrict government agencies from using information and communications technology products that could endanger national cybersecurity (e.g., prohibiting Chinese-developed software in some cases).

Sector-Specific Regulations: The CSMA also authorizes central competent authorities in charge of specific industries (e.g., financial institutions, telecommunications operators) to issue their own regulatory guidelines on cybersecurity for the non-government agencies under their supervision. These often incorporate international standards like ISO/IEC 27001.

2. Personal Data Protection Act (PDPA)

Principal Legislation: The PDPA is Taiwan's comprehensive data protection law, regulating the collection, processing, and use of personal data by both government agencies and private entities (including legal persons, organizations, and natural persons).

Evolution: Originally enacted in 1995 as the Computer-Processed Personal Data Act, it underwent significant amendments in 2010 (effective 2012) and again in May 2023. These amendments largely drew inspiration from the EU's data protection frameworks.

Key Principles and Requirements:

Consent: Generally, explicit and informed consent is required for the collection, processing, and use of personal data. The burden of proof for obtaining valid consent lies with the data collector. Separate consent is often needed for uses beyond the original purpose (e.g., marketing).

Data Security Obligations: Data controllers must implement appropriate security measures to prevent personal data from being stolen, altered, damaged, destroyed, lost, or disclosed.

Data Breach Notification: If personal data is stolen, disclosed, altered, or infringed, data controllers are required to notify affected data subjects in an appropriate manner after investigating the incident. Sector-specific regulations may also mandate notification to relevant authorities within specific timeframes.

Data Subject Rights: Individuals have rights including the right to access, rectify, and delete their personal data.

Cross-Border Data Transfers: The PDPA also regulates transfers of personal data across borders.

Independent Regulator: A significant amendment in May 2023 formally established the Personal Data Protection Commission (PDPC) as an independent supervisory body dedicated to enforcing the PDPA, addressing a previous lack of a single, centralized authority.

Penalties: Fines for violations of the PDPA range from TWD 20,000 up to TWD 15 million.

3. Criminal Code (Articles 358-362)

The Criminal Code of Taiwan includes specific provisions that criminalize various forms of cybercrime. These generally target actions that illegally interfere with computer systems or electronic data.

Key Offences:

Hacking (Article 358): Unauthorized access to another's computer or related equipment by methods such as using account IDs/passwords without justification, bypassing security measures, or exploiting system loopholes.

Illegal Disposal of Electronic Records (Article 359): Illegally obtaining, deleting, or altering electromagnetic records stored in a computer or related equipment.

Interference with Computer Use (Article 360): Interfering with the proper functioning of computers or related equipment.

Illegal Production of Cybercrime Tools (Article 363): Manufacturing computer programs specifically for the purpose of committing the above-mentioned offenses.

Other Relevant Criminal Offences: Depending on the nature of the cyber activity, other articles of the Criminal Code can apply, such as those related to forgery, offenses against reputation and credit, offenses against privacy, fraud, extortion, and destruction of property.

4. Fraud Crime Hazard Prevention Act (FCHPA)

Enacted in July 2024, this new law primarily targets online fraud, with a particular focus on large online advertising platforms (such as Google, Meta, Line, and TikTok) that carry a high volume of advertising in Taiwan.

Obligations: It imposes new obligations on these platforms, including:

Stringent ad removal timelines for fraudulent ads.

Requiring information disclosure and identity verification for advertisers and sponsors.

Mandating a fraud prevention plan and annual transparency reports.

5. Other Relevant Laws and Regulations

Anti-Infiltration Act (2020): While broader in scope, it can have implications for cybersecurity by prohibiting individuals acting under instruction or funding from "infiltration sources" from engaging in activities that disrupt social order, which could include cyber-attacks.

Digital Asset Anti-Money Laundering (AML) Rules (effective November 2024): These require all "virtual asset service providers" operating in Taiwan to establish a local company or branch office and complete AML registration, aiming to increase transparency and combat illicit activity in the digital asset industry.

Electronic Signatures Act: Governs the legal validity of electronic signatures and related digital authentication.

Sector-Specific Laws: Many sectors, like finance (Banking Act, Financial Holding Company Act), healthcare (Human Biobank Management Act, Pharmaceutical Affairs Act), and telecommunications, have their own specific regulations regarding data protection and cybersecurity relevant to their operations.

Taiwan continues to evolve its cyber legal framework to keep pace with technological advancements and emerging threats. For detailed advice on specific cyber law matters in Taiwan, it is always recommended to consult with local legal experts.