Building a judiciary worthy of the people's trust, from the bottom up

Judicial Reform Foundation’s Opinion on the December 2024 Draft Amendment to the Personal Data Protection Act by the Executive Yuan

In the current underdeveloped digital rights landscape of Taiwan, the Personal Data Protection Act (“PDPA”) serves as a modest safeguard in an otherwise barren environment. While its scope remains insufficient to address the increasingly complex digital human rights challenges today, it nonetheless represents the only available legal recourse for Taiwanese citizens seeking judicial redress for data privacy violations. Over the years, both academia and civil society have extensively discussed the deficiencies of the existing PDPA and proposed improvements. It was not until the Constitutional Court’s Judgment Xian-Pan No. 13 of 2022 (the “Constitutional Judgment”) mandated the Executive Yuan to enact specific legislative amendments—particularly requiring the establishment of an independent supervisory body to oversee both public and private sector data practices—that a real opportunity for meaningful reform materialized.

However, the Draft Amendment to the PDPA (“Draft Amendment”), released by the Executive Yuan on December 20, 2024, falls far short of these expectations, once again disappointing civil society. In response, the Judicial Reform Foundation (“JRF”) issues the following statement:

The Draft Fails to Establish an Effective Accountability Mechanism for Government Agencies in Accordance with the Constitutional Judgment and Is Insufficient to Prevent and Address Data Breaches by the Government

A longstanding and fundamental flaw of Taiwan’s PDPA is the lack of a concrete accountability mechanism for public agencies. The issue is not solely the absence of an independent regulatory body; it also concerns the absence of an enforceable and effective legal framework for holding government agencies accountable. Addressing this shortcoming was a key objective behind the strategic litigation pursued by civil society, which ultimately resulted in a favorable Constitutional Judgment. The judgment’s directive to the Executive Yuan to amend the law is not merely a call to establish a nominally independent oversight body; rather, it mandates the creation of a truly empowered institution with robust enforcement mechanisms. If the Draft Amendment fails to meet this fundamental requirement, it risks being unconstitutional.

Since the Constitutional Judgment was issued, several high-profile data breaches involving government agencies have further underscored the urgency of reform. A particularly egregious example is the 2022 nationwide data breach, in which over 23 million household registration records were leaked, a severe and systemic infringement of individuals’ privacy rights. When the Executive Yuan released the previous draft amendment in May 2023, the JRF had already criticized the proposal for applying lenient standards to the government while failing to assume responsibility for breaches of official databases. Despite these clear warnings, the Draft Amendment remains woefully inadequate in addressing government accountability for data protection failures. It has not demonstrated the requisite commitment and resolve to rectify the PDPA’s glaring deficiencies in holding public agencies accountable, nor has it recognized the necessity of establishing a truly independent regulatory body with effective enforcement powers.

While the draft introduces a new chapter, “Chapter 3-1: Administrative Supervision,” and acknowledges in its legislative rationale the Constitutional Judgment’s mandate to strengthen oversight of the legality and credibility of government data processing, its actual provisions remain both conceptually and functionally inadequate to meet the expectations of the public and the Constitutional Court. Specifically, Chapter 3-1 consists of only four articles, three of which merely reiterate basic administrative procedures that government agencies should already be following, such as conducting internal audits, submitting corrective action reports when deficiencies are identified, providing explanations or making adjustments as required by the supervisory authority, and furnishing requested information or allowing on-site inspections in cases of potential non-compliance. The only provision that even remotely addresses consequences for government agencies that violate the PDPA (Article 21-4) limits the penalty to public disclosure of the agency’s name and misconduct, and only in cases of “serious violations.” Furthermore, disciplinary measures against the personnel responsible are left to the discretion of the agency itself, based on its own assessment of the severity of the violation. Such weak provisions are manifestly insufficient to satisfy the Constitutional Judgment’s mandate for enhanced oversight of government data processing practices.

The Introduction of a “Significant Harm” Threshold for Breach Notification Undermines the Protection of Individual Rights

Article 12, Paragraph 2 of the Draft Amendment introduces a new requirement that an incident must pose a “significant risk of harm” to the rights and interests of data subjects before triggering obligations to notify affected individuals and report the breach to the competent authority. This threshold is problematic for several reasons.

First, the determination of whether a harm is “significant” is inherently subjective and legally ambiguous, effectively allowing the responsible entity to decide unilaterally whether a breach warrants notification. Second, entities responsible for data breaches have a strong incentive to downplay the severity of incidents in order to avoid liability to affected individuals and the competent authority, which reduces the likelihood that either will ever be informed. Leaving this judgment to the breached entity itself renders the notification requirement effectively meaningless.

While the legislative rationale claims to have referred to Japanese and South Korean data protection laws in adopting this threshold, it is important to note that neither Japan nor South Korea conditions breach notification obligations on the degree of harm caused. This justification is therefore misleading and inaccurate.

The legislative rationale further argues that a blanket notification requirement could divert resources away from addressing truly urgent and significant incidents. However, the duty to notify affected individuals and the duty to report to regulatory authorities serve distinct legal functions. Notifying affected individuals is a fundamental obligation that ensures individuals are aware of potential risks to their privacy and personal data security. Reporting to regulatory authorities, on the other hand, enables oversight bodies to investigate the causes of incidents, mandate remedial measures, and, if necessary, issue warnings to other institutions. The administrative burden associated with notifying affected individuals is significantly lower than that of reporting to regulatory authorities. Using administrative workload concerns as a justification for raising the threshold for both obligations unduly restricts individuals’ fundamental right to know when their personal data has been compromised. If the Executive Yuan wishes to refine the criteria for reporting obligations to regulatory authorities, it should do so by clearly defining the categories of incidents that warrant mandatory reporting rather than imposing a vague “significant harm” threshold.

The Executive Yuan Must Reconsider Its Approach to Ensure Meaningful Protection of Personal Data Rights

Despite having three years to implement the Constitutional Judgment’s mandate, the Executive Yuan only released its Draft Amendment on December 20, 2024, and further shortened the mandatory 60-day public consultation period to just 21 days—including only 14 working days after accounting for public holidays. This procedural deficiency severely limits the ability of civil society and legal experts to thoroughly review the draft and provide meaningful input.

The JRF has long advocated for stronger legal frameworks to safeguard personal data rights amid rapid digitalization and shifting power dynamics between public and private entities. Taiwan’s current digital regulatory environment lacks systematic and comprehensive legislation, as well as practical and enforceable governance mechanisms that enable citizens to assert their rights and seek redress for privacy violations. (For reference, the JRF has collaborated with legal and information technology experts to draft the “Digital Rights Act,” which aims to establish fundamental digital rights, delineate governmental obligations and powers, and institute proper legal procedures and remedies to prevent unjustified infringements on individual rights.)

The JRF urges the Executive Yuan to recognize and fulfill its constitutional obligation to enact meaningful reforms. It must not allow unconstitutional deficiencies to persist, nor should it continue neglecting the fundamental mechanisms necessary for protecting individual rights and ensuring accountability.