Have you ever thought about the value of your personal data?
After procrastinating for years, the ruling and opposition camps have finally reached a consensus on a draft amendment to the Computer-Processed Personal Data Protection Law (電腦個人資料保護法). The amendment will drastically increase fines in a bid to put an end to frequent leaks of personal data.
The draft is an improvement on the law, but saying that the threat of a maximum fine of NT$1 billion (US$32.8 million) would stop all data leaks oversimplifies the obstacles to effective privacy protection.
The draft stipulates that those who violate privacy rights shall be prosecuted and that individuals whose rights are violated shall be compensated. This sounds reasonable enough, but privacy violations will not be resolved simply by issuing fines.
Compensation can only be made once a person’s rights have already been violated. If we do not stop the leak of private information at the source and monitor how private information is obtained, protected and used, the problem will never be solved, regardless of how high the compensation is.
This leads to the question of who should monitor the use of private data by governmental agencies and non-governmental organizations.
The draft, like the law, names the Ministry of Justice as the “coordination authority,” yet data privacy protection is a cross-ministerial and cross-disciplinary issue and would require that a specialized agency independent from the justice ministry take charge of the issue — including education about personal data protection, developing and implementing policies and meting out fines. This would be ensure the most efficient supervision.
The consequence of not having such an agency is that any coordination authority will only be able to take a passive approach to implementing personal data protection, making comprehensive and effective protection improbable.
Also, the strengthening of administrative monitoring proposed in the draft only refers to administrative checks by the central authority and does not provide comprehensive integration for cases of privacy violations of members of the public.
Civic groups have long criticized the legislation on privacy protection as weak, so the government’s move to amend the law is undoubtedly welcome.
In principle, the draft is working in the right direction, but the fact that the draft makes it possible to demand high compensation for privacy violations yet does not establish a special supervisory mechanism seems to imply that the government is shirking its responsibilities.
Moreover, the draft places restrictions on public welfare associations that seek to file lawsuits. It is difficult to see how members of the public will be able to seek help from either the government or non-governmental groups if they are victimized.
Although the government is specifying NT$1 billion as the maximum fine, it is unclear whether victims would really receive that amount and what channels for legal aid the public would have access to.
As it stands, the draft offers insufficient protection.
I suggest that the government move in the direction of a basic law for privacy protection that incorporates a wide range of fundamental principles as guidelines.
Lawmakers should give careful consideration to the issue and study legislation and the implementation of measures in other countries before passing a more comprehensive law.