Will amending the Personal Data Protection Act solve the frequent incident of data leaks?

Agenda

14:00-14:05  Introduction
14:05-15:45  Panel Discussion

  • Moderator:
    Huang, Yanfen, Chief Writer of Information Security, iThome Weekly
  • Panelists:

    • Lin, Junhong, Leading Lawyer, Cogito Law Office
    • Tu, Yuyin, President of the Taiwan Association for Human Rights
    • Yeh, Simon, Managing Partner of DaVinci Personal Data and High-Tech Law Firm
    • Howard Jyan, Executive Vice President, Deloitte Touche Tohmatsu Limited
15:45-16:00  Q&A

**Presentation Download <Provided with the consent of the speaker>**

Meeting Minutes

There have been several large-scale personal data leaks in the country over the past few months: the national household registration data being sold on the dark market, illegal leakage of health insurance data by staff for over a decade, airline membership data of several celebrities being disclosed on an overseas forum, and more than 90,000 customer records being stolen from a local department store, to name a few. The leakage of personal data seems to have become the norm in Taiwan, possibly because organizations lack awareness of information security or personal data protection.

The panel invited experts from various fields to discuss whether the current direction of the Personal Data Protection Act amendments is sufficient in response to the recent major incidents. The discussion was moderated by Yanfen Huang (Information Security Chief Writer of iThome Weekly), and the panelists were Junhong Lin (Leading Lawyer of Cogito Law Office), Dr. Yuyin Tu (Chairman of the Taiwan Association for Human Rights), Simon Yeh (Managing Partner of DaVinci Personal Data and High-Tech Law Firm), and Howard Jyan (Executive Vice President of Deloitte Taiwan).

Junhong Lin believes that the core of the data breach issue lies in the lack of incentives for businesses to establish a robust cybersecurity environment. He explained that the focus of the amended Personal Information Protection Act was on “penalties for violations.” For example, Article 48 of the Act has been revised regarding the penalties and their limits for enterprises that violate their security maintenance obligations. The amendment now imposes immediate penalties while also requiring corrective measures, with an increased upper limit for fines ranging from a minimum of NT$20,000 to a maximum of NT$2,000,000. The penalties for persistent non-compliance have also been raised, with fines ranging from a minimum of NT$150,000 to a maximum of NT$15,000,000 per violation. The government’s approach is to increase penalties so that operators pay more attention to the issue of data breaches. For operators, however, the lack of incentives or resources provided by the government to establish a robust cybersecurity environment remains a significant problem.

Lin also pointed out several issues left unresolved at the current stage of the amendment, including the definition of “taking appropriate security measures to protect personal information from being leaked.” Issues such as incident reporting mechanisms, the link between damage compensation and data breaches, and strengthening corporate responsibility also require further resolution.

Dr. Yuyin Tu introduced the concept that “information security is not equal to privacy.” He considers that privacy emphasizes an individual’s right to control their own data, while information security is merely a necessary condition for safeguarding privacy. He also noted that the country currently has no dedicated agency responsible for personal information protection. In the early stages, the Ministry of Justice was the main authority for the Personal Information Protection Act; that role now rests with the National Development Council. However, both agencies position themselves as merely “interpreting the law.” Different industries’ practices regarding personal information are still managed by different regulatory authorities: for example, the regulatory authority for financial matters is the Ministry of Finance, and general companies fall under the jurisdiction of the Ministry of Economic Affairs. This fragmentation leaves multiple agencies handling personal information matters, making it difficult to consider comprehensively how to establish the framework that personal information protection requires.

Tu advocates greater independence for the future dedicated agency responsible for the Personal Information Protection Act. The independent privacy agency as currently designed is a third-level government body. If the Ministry of Digital Affairs, a second-level body, were to come into conflict with the agency over the handling of people’s personal data privacy, it would not be easy for the privacy agency to exercise its independence against a higher-level agency. Other issues, such as decision-making power and guarantees of independence, will be key areas of concern in the future.

Simon Yeh said that the most frightening aspect of a data breach for the public is the aftermath: individuals often receive scam calls and subsequently fall into fraud traps, resulting in financial losses. He agreed that there is a lack of incentives for businesses to implement personal data protection, and that increasing penalties will encourage businesses to invest more in cybersecurity, thereby reducing the likelihood of data breaches. The recent data breach at a car-sharing company resulted in a light penalty of only NT$200,000, which is precisely why penalties were increased in the current amendment. Yeh also acknowledged the swift action taken by the current governing authority in amending the law, and he believes that the remaining unresolved issues can be discussed and addressed one by one once a dedicated agency for personal information is established. He likewise shared the view that the independent dedicated agency should be a second-level government body.

Howard Jyan explained that neither the current nor future amendments to the Personal Information Protection Act can eliminate data breach incidents. Some have suggested amending the cybersecurity law to cover entities that hold a certain amount of personal data. He disagrees with this viewpoint because it would grant the governing authority excessive power, and the quantity of personal data cannot serve as an objective measure of importance. He believes that even a single leaked record should be treated as a severe incident, because that personal data is crucial to the individual involved, and its importance should not be discounted on the basis of quantity.

Jyan further indicated that solving the data breach issue requires identifying the underlying problems, such as a lack of understanding and awareness of the law, difficulty in implementing relevant systems, a lack of appropriate professional knowledge, inadequate outsourcing management, and insufficient testing data. He cited data from the World Economic Forum showing that a significant proportion of cybersecurity incidents are attributed to human error, which is a difficult problem for the law to address. In his experience, the common causes of cybersecurity incidents are often “management” issues: improper permission management, shared accounts, unpatched vulnerabilities, ineffective internal supervision mechanisms, inadequate job handover procedures, and a lack of oversight of deletion processes. He agrees that the law needs to be adjusted to the objective environment, but the implementation and enforcement of the amended law should be confirmed through audits.
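To show what “confirming through audits” can look like for the management causes Jyan lists, the following is an added example (not code from the panel, from Deloitte, or from any project on this page). It runs four access-review checks over constructed sample data: accounts used from more hosts than one person plausibly uses (shared accounts), accounts still active or still used after their owner left (handover), roles granted beyond the owner’s job role (permission management), and personal-data records past their retention date that were never deleted (deletion oversight). All account names, hosts, dates and field names are invented for the example.

```python
"""Access-review checks over constructed sample data (added example)."""
from collections import defaultdict
from datetime import date

# Constructed sample data: not from the panel or any real organisation.
ACCOUNTS = [
    {"account": "alice", "owner": "alice", "active": True, "roles": {"reader"}},
    {"account": "bob", "owner": "bob", "active": True, "roles": {"reader", "db_admin"}},
    {"account": "svc_export", "owner": "ops", "active": True, "roles": {"db_admin"}},
    {"account": "carol", "owner": "carol", "active": True, "roles": {"reader"}},
]
# HR roster (constructed): who still works here and what their job permits.
ROSTER = {
    "alice": {"employed": True, "left": None, "job_roles": {"reader"}},
    "bob": {"employed": True, "left": None, "job_roles": {"reader"}},
    "carol": {"employed": False, "left": date(2023, 3, 31), "job_roles": {"reader"}},
    "ops": {"employed": True, "left": None, "job_roles": {"db_admin"}},
}
# Authentication log (constructed): (account, source host, login date).
LOGINS = [
    ("alice", "ws-01", date(2023, 5, 2)),
    ("svc_export", "ws-07", date(2023, 5, 2)),
    ("svc_export", "ws-12", date(2023, 5, 2)),
    ("svc_export", "ws-03", date(2023, 5, 3)),
    ("carol", "ws-09", date(2023, 5, 4)),
]
# Personal-data records (constructed) with their retention expiry.
RECORDS = [
    {"id": 1, "expires": date(2023, 1, 1), "deleted": True},
    {"id": 2, "expires": date(2023, 2, 1), "deleted": False},
    {"id": 3, "expires": date(2024, 1, 1), "deleted": False},
]


def shared_accounts(logins, max_hosts=1):
    """Accounts seen from more distinct hosts than a single person would use."""
    hosts = defaultdict(set)
    for account, host, _ in logins:
        hosts[account].add(host)
    return sorted(a for a, h in hosts.items() if len(h) > max_hosts)


def stale_accounts(accounts, roster, logins):
    """Accounts still enabled, or still logging in, after the owner has left."""
    out = set()
    for acct in accounts:
        owner = roster.get(acct["owner"])
        if owner is not None and owner["employed"]:
            continue  # owner is current staff; nothing to flag here
        left = owner["left"] if owner and owner["left"] else date.min
        used_after = any(a == acct["account"] and d > left for a, _, d in logins)
        if acct["active"] or used_after:
            out.add(acct["account"])
    return sorted(out)


def excess_privileges(accounts, roster):
    """Roles granted to an account beyond what its owner's job role allows."""
    out = {}
    for acct in accounts:
        allowed = roster.get(acct["owner"], {}).get("job_roles", set())
        extra = acct["roles"] - allowed
        if extra:
            out[acct["account"]] = sorted(extra)
    return out


def overdue_deletions(records, today):
    """Record ids whose retention period has expired but were not deleted."""
    return sorted(r["id"] for r in records if r["expires"] < today and not r["deleted"])


def audit(today=date(2023, 5, 5)):
    """Run all four checks and return the findings as one report."""
    return {
        "shared_accounts": shared_accounts(LOGINS),
        "stale_accounts": stale_accounts(ACCOUNTS, ROSTER, LOGINS),
        "excess_privileges": excess_privileges(ACCOUNTS, ROSTER),
        "overdue_deletions": overdue_deletions(RECORDS, today),
    }


if __name__ == "__main__":
    for finding, value in audit().items():
        print(f"{finding}: {value}")
```

Each check compares a system of record (the HR roster, the retention schedule) against what the systems actually show (enabled accounts, login events, undeleted records), which is the shape an auditor needs: a finding is a documented gap between the two, not an opinion. On the constructed data the report flags `svc_export` as shared, `carol` as a stale account still in use after departure, `bob` as holding `db_admin` beyond his job role, and record 2 as overdue for deletion.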

In response to the question of whether the current amendment of the Personal Information Protection Act is sufficient, Lin said that the government could provide further guidance to incentivize businesses to take more action. Tu stated that the current amendment is still somewhat insufficient, as the National Development Council has not adequately expressed its position and has been reluctant to publicly disclose the drafted proposals that would allow public discussion; the focus has been solely on increasing penalties for personal information breaches.

Yeh said that there is still a long way to go in amending the Personal Information Protection Act, and that many issues remain to be debated and resolved during the process of consensus-building. Jyan said that the increased penalties in the current amendment will encourage businesses to take personal information breaches more seriously and to prevent them. In conclusion, the moderator stated that as we promote the data economy, we must also prioritize data protection: whether through anonymization or the use of database encryption tools, protection should be achieved while still ensuring the reasonable use of personal data.
