Wednesday, March 16, 2011

Taiwan Introduces Enforceable Data Breach Notification Requirements

Taiwan's revised Data Protection Act, which is not yet formally
effective, is the first privacy-specific statute in the APAC region to
contain an enforceable requirement to notify individuals of a data
breach incident. To date, no other privacy legislation in the region
has imposed a comparable, enforceable obligation to communicate a
breach to the affected individuals.

A few notable aspects of the legal obligations are as follows:

The relevant provision requires that, where a public or private sector
agency "violates any provision" of the Act, "such that personal data
is stolen, disclosed, altered or otherwise impaired," then "the
agency, after investigating shall notify the subjects by appropriate
means."

The requirement does not extend to every breach occurrence, only to
those that result from an actual violation of the Data Protection Act.

Certain aspects of the data breach provision remain unclear, such as
the extent to which organizations may delay the issuance of notices
while investigating an incident.

There does not appear to be any requirement to notify a supervisory
body of the breach incident. Indeed, the Data Protection Act does not
name a single body with oversight over, or enforcement responsibility
for, the Act. It appears that enforcement has been left to the
individual industry ministries, as is the case in Japan.
