The Executive Yuan Approved the Draft of the "Personal Data Protection Commission Organizational Act" and the Draft Amendments to Certain Provisions of the "Personal Data Protection Act"




Ken-Ying Tseng/Roger Kai 

In preparation for the establishment of the Personal Data Protection Commission (the "PDPC") by August 2025, the Executive Yuan approved the draft Organizational Act of the PDPC and the draft partial amendments (the "Draft Amendments") to the Personal Data Protection Act (the "PDPA") during its 3945th meeting on March 27, 2025 and will forward both to the Legislative Yuan for review and enactment. The draft Organizational Act of the PDPC primarily stipulates the composition of the PDPC, the qualifications of its commissioners, and the operation of the PDPC. The Draft Amendments mainly adjust the text of the PDPA to address the PDPC's powers and responsibilities after its establishment, enhance supervision of government agencies, and add provisions for the PDPC to coordinate and cooperate with various other central competent authorities and local governments in regulating the private sector. From the perspective of the private sector, the following potential changes are worth noting:

1. Reporting Data Breach Incidents to the Government

The existing PDPA does not specify whether data breaches should be reported to the government. The Draft Amendments expressly state that data breach incidents that meet certain reporting criteria must be reported to the government. In addition, the Draft Amendments explicitly require companies experiencing a breach to take immediate and effective contingency measures and maintain records. Specific details regarding the content, method, timeframe, and scope of such reports, as well as contingency measures and record-keeping, will be stipulated by the PDPC in the future. If businesses violate the obligation to report to the competent authority, the competent authority may impose fines.

2. Notification to Affected Data Subjects

The Draft Amendments continue to require a company to notify the affected data subjects once there is a data breach incident.  However, a company will no longer be able to delay such notification on the grounds that the incident has not yet been inspected or that the company itself did not violate the PDPA in the occurrence of the incident.  The Draft Amendments also authorize the competent authority to establish detailed regulations regarding the content, method, and deadline of such notifications.

3. Amendments to Administrative Inspection Regulations

The Draft Amendments supplement certain detailed procedures for administrative inspections, specifying that future administrative inspections will be initiated at the discretion of the PDPC, which will collaborate with central competent authorities and local agencies to conduct these inspections.

4. Division of Powers Among Competent Authorities

In the future, the PDPC will serve as the centralized regulatory body for the PDPA. The Draft Amendments add that the PDPC may request the Executive Yuan to announce certain private entities that, within six years after the establishment of the PDPC, shall still be regulated by their central sectoral regulators or municipal and county/city governments regarding certain matters under the PDPA. The central sectoral regulators will continue to establish the requirements of the personal data file security maintenance plans or methods for processing personal data applicable to such private entities and may set stricter rules.

5. Direct Administrative Litigation Against the PDPC’s Decisions

As the PDPC is an independent agency, it is not subject to the direction or supervision of any other agencies unless otherwise provided by law. Therefore, any objection to an administrative action taken by the PDPC under the PDPA shall be filed in the form of a lawsuit pursuant to the administrative litigation procedures.

The Draft Amendments adopted by the Executive Yuan include detailed provisions on the above matters. Our firm’s “Digital, TMT, and Data Privacy Practice Group” has extensive experience assisting companies in handling personal data protection issues. Should you require any assistance, please do not hesitate to contact our team of experts.
