In response to the serious problem of scams exploiting personal data leaks, the legislature, the Judicial Yuan and the Cabinet have decided to propose a draft amendment to the Computer-Processed Personal Data Protection Law (電腦個人資料保護法) that will increase the maximum fine for data leakage from NT$20 million (US$650,000) to NT$1 billion.
Citing examples of major data leaks by TV shopping channels, online bookstores and the Department of Health’s Centers for Disease Control, officials said if an amendment is enacted, similar cases would incur heavy penalties for offenders.
Legislators and the Ministry of Justice support the draft, believing that the public and the private sectors — which commonly utilize personal data — should bear a heavier responsibility to safeguard privacy.
The Judiciary Organic Laws and Statutes Committee of the Legislature will discuss the draft in detail on Monday.
According to regulations, the maximum compensation for personal data leakage is NT$20,000. The Cabinet’s draft increases the amount to NT$50,000, whereas proposals put forth by Chinese Nationalist Party (KMT) legislators including Hsieh Kuo-liang (謝國樑) recommend no maximum limit.
Currently, and as stated in the draft amendment, the maximum compensation per case per individual is NT$100,000, whereas the Ministry of Justice leans toward lowering the amount to NT$500.
The Judicial Yuan said that the problem of personal data leakage is serious but that large corporations may find a maximum fine of NT$50 million inconsequential. However, as unlimited fines may result in bankruptcies, it proposed NT$1 billion as a viable limit.
Article 29 of the draft states that the public is not responsible for providing evidence in seeking compensation, while non-governmental parties must prove leaks were unintentional and did not result from negligence to escape legal responsibility, whereas governmental bodies must bear “non-negligence responsibility.”
At the same time, Article 22 grants city and county governments the power to inspect and confiscate illegal personal data from businesses without going through legal investigative procedures.
As breaches of security and data-mining become more frequent, Ministry of Justice officials indicate that according to the draft amendment, governmental bodies can be relieved of responsibility in such instances only in the case of natural disasters such as earthquakes or other circumstances beyond their control — otherwise a breach would constitute “non-negligence responsibility.”
However, non-governmental parties need only prove that all available means have been sought in order to prevent a breach.
As for those subject to the draft amendment, officials describe the category as “all-encompassing,” as it is not restricted to the current body of governmental divisions, private investigation agencies, hospitals and telecommunications companies.
Instead, all parties that digitally or manually process personal data fall under the jurisdiction of the draft.