Taiwan’s revised Data Protection Act, which is not yet formally effective, is the first privacy-specific statute in the APAC region to contain an enforceable requirement to notify individuals of a data breach incident.  To date, no other privacy legislation in the Asia region has imposed an enforceable legislative requirement to communicate a data breach incident to individuals.  

A few notable aspects of the legal obligations are as follows:

  • The relevant provision requires that, where a public or private sector agency “violates any provision” of the Act, “such that personal data is stolen, disclosed, altered or otherwise impaired,” then “the agency, after investigating shall notify the subjects by appropriate means.”
  • The requirement does not extend to every breach occurrence, only those that constitute an actual violation of the Data Protection Act. 
  • Certain aspects of the data breach provision remain unclear, such as the extent to which organizations may delay the issuance of notices while investigating an incident.
  • There does not appear to be any requirement to notify any supervisory body of the breach incident.  Indeed, the Data Protection Act does not name any a single body with oversight over or enforcement responsibility for the Data Protection Act.  It appears that enforcement has been left to individual industry ministries, as is the case in Japan.