Database

Browse Database

TAIWAN

Since 1999

Pillar Domestic Data policies  |  Sub-pillar Requirement to allow the government to access personal data collected
Communications Security and Surveillance Act
For law enforcement agencies to access the content of communications, they need either interception warrants or access warrants approved by a court. However, in urgent situations or for specific crimes, the agencies may access the communications without a warrant as long as they obtain it within 24 hours after the surveillance under the Communications Security and Surveillance Act (Art. 11-1). According to a report of the Ministry of Justice, more than 90% of surveillance cases did not require the approval from a court. It is reported that the lack of judicial review over surveillance requests has been increasingly normalized.
Coverage Horizontal

TAIWAN

Reported in 2021

Pillar Domestic Data policies  |  Sub-pillar Requirement to allow the government to access personal data collected
Report of government access to personal data
It is reported that government units with certain investigative powers have gone directly to state agencies and private companies to request personal data without first receiving a court order or other oversight. For example, the Ministry of Economic Affairs between 2017 and 2018 had a 100 percent success rate in receiving information from the 1,112 requests it filed for personal information. Of these, 1,000 requests were to non-government agencies, including Chunghwa Telecom, Taiwan Mobile CO., and Yahoo! Taiwan Holdings Limited. Between 2015 and 2016, the Ministry of Finance submitted 350 requests with a 99.4 percent success rate. The Criminal Investigation Bureau also reportedly issued 565 requests to Facebook through this process, with a 52.9 percent success rate, between 2015 and 2016.
Coverage Horizontal

TAIWAN

Since 1995

Pillar Domestic Data policies  |  Sub-pillar Requirement to allow the government to access personal data collected
Personal Data Protection Act
Under Art. 22 of the Personal Data Protection Act (1995), the government may, when they deem necessary or suspect any possible violation of the Act, (a) inspect compliance with the security control measures, the guidelines on disposing personal data upon business termination, and the restrictions on cross-border transfers, or (b) conduct any other routine inspections by having their staff enter non-government agencies' premises upon presentation of their official identification documents and order relevant personnel at the non-government agencies.
In doing so, the government may retain or make duplications of the personal data or the files thereof that can be confiscated or be admitted as evidence. The owner, holder or keeper of such data or files that shall be confiscated or copied shall submit them to the authorities upon request. If the non-government agency refuses to submit or deliver the requested data or files or rejects the confiscation or duplication thereof without any legitimate reason, a compulsory enforcement that will do the least harm to the rights and interests of the non-government agency may be applied.
Coverage Horizontal

TAIWAN

Since 1995
Since 2018

Pillar Domestic Data policies  |  Sub-pillar Framework for data protection
Personal Data Protection Act

Cybersecurity Management Act
The Personal Data Protection Act was enacted in 1995. Personal data include any other information that may be used to directly or indirectly identify a natural person such as certain information collected as cookies (Article 3).

The Cybersecurity Management Act (2018) requires governmental and non-governmental agencies to adopt cybersecurity maintenance plans and report any cybersecurity incident to the relevant government authorities.
Coverage Horizontal

TAIWAN

Since June 2019
Since July 2020

Pillar Domestic Data policies  |  Sub-pillar Minimum period for data retention
Telecommunications Management Act

Regulations on Users of Telecommunications Businesses Inquiring Communication and Account Records
Art. 9 of the Telecommunications Management Act requires telecom enterprises to retain communications records such as the numbers of the sender and the recipient, time of communication, address, service type, mailbox or location information. The Regulations on Users of Telecommunications Businesses Inquiring Communication and Account Records were established in accordance with the stipulations of Paragraph 3, Art. 9 of the Telecommunications Management Act. Under Art. 4 of the Regulations, telecommunications enterprises must retain communication records and accounting records at least for one year.
Coverage Telecommunications sector

TAIWAN

Since September 2006, last amended in September 2019

Pillar Cross-border data policies  |  Sub-pillar Conditional flow regime
Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation
Art. 18 of the Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation (Regulations) deals with conditions upon which a financial institution may outsource its operations to overseas service providers. The financial institution must obtain a confirmation letter from the financial authority of the country where the outsourced services are conducted agreeing to the outsourcing operations. A foreign bank branch in Taiwan, on top of the confirmation letter, shall obtain the letter of consent authorized by its head office or regional head office to the obtainment and use on data, security control and cooperation with the supervisory requirements in Taiwan.
If the financial institution cannot obtain the letter of confirmation from the foreign financial authority, it must submit the following documents to the Financial Supervisory Commission:
- A letter of consent from the service provider, agreeing that where necessary, a person designated by the financial institution may examine the outsourced items. The aforesaid designated person may also be assigned by the competent authority at the expense of the financial institution;
- The evaluation on internal control principles and operating procedure of the service provider;
- The legal opinion indicates the protection of customer data where the service provider is located is not below the condition in Taiwan;
- The financial statements of service provider audited and attested by a CPA for the most recent fiscal year;
- A statement issued by the service provider certifying that no violation on customer interests, personnel malpractice, information and technology security and other occurrences that impact sound business operation in the last three years.
Coverage Financial services

TAIWAN

N/A

Pillar Cross-border data policies  |  Sub-pillar Participation in trade agreements committing to open cross-border data flows
Lack of participation in agreements with binding commitments on data flows
Taiwan has not joined any agreement with binding commitments to open transfers of data across borders.
Coverage Horizontal

TAIWAN

Since August 1995, last amended in December 2015

Pillar Cross-border data policies  |  Sub-pillar Conditional flow regime
Personal Data Protection Act
Under Art. 21 of the Personal Data Protection Act (1995), the government may impose restrictions on a cross-border transfer of personal data by a non-government agency if (a) major national interests are involved, (b) an international treaty or agreement so stipulates, (c) the country receiving the data lacks proper regulations on protection of personal data and the data subjects' rights and interests may be consequently harmed, or (d) the transfer to a third country is carried out to circumvent the Act.
Coverage Horizontal

TAIWAN

N/A

Pillar Telecom infrastructure and competition  |  Sub-pillar Presence of independent telecom authority
Presence of an independent telecom authority
It is reported that the National Communications Commission, the executive authority for the supervision and administration of services in the telecommunications sector, is independent from the government in the decision-making process.
Coverage Telecommunications sector

TAIWAN

Since September 2012

Pillar Cross-border data policies  |  Sub-pillar Ban to transfer and local processing requirement
Restriction Order for communication business operators to transfer personal data of other users to the mainland
In September 2012, the National Communications Commission issued the Restriction Order for communication business operators to transfer personal data of subscribers to the mainland China. The blanket order prohibits communications enterprises (i.e., telecom carriers and broadcasting operators) from transferring subscribers personal data to mainland China on the grounds that the personal data protection laws in mainland China are still inadequate.
Coverage Communications enterprises (i.e., telecom carriers and broadcasting operators)

TAIWAN

Since 2002

Pillar Telecom infrastructure and competition  |  Sub-pillar Signature of the WTO Telecom Reference Paper
WTO Telecom Reference Paper
Taiwan has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.
Coverage Telecommunications sector

TAIWAN

N/A

Pillar Telecom infrastructure and competition  |  Sub-pillar Presence of shares owned by the government in telecom companies
Presence of shares owned by the government in the telecom sector
Chungwa Telecom, the largest network operator, used to be a state-owned enterprise but has been privatized in 2005. The government owns 35.29% of its shares. Taiwan Mobile is owned by private shareholders. For Far Eastone Telecommunications Co., Ltd, the government owns 3.24% of its shares. For Asia Pacific Telecom Co., Ltd., the government owns 6.86% of its shares.
Coverage Telecommunications sector

TAIWAN

N/A

Pillar Telecom infrastructure and competition  |  Sub-pillar Functional/accounting separation for operators with significant market power
Lack of mandatory functional separation for dominant network operators
Taiwan does not mandate functional separation for operators with significant market power (SMP) in the telecom market. However, accounting separation is mandated.
Coverage Telecommunications sector

TAIWAN

N/A

Pillar Telecom infrastructure and competition  |  Sub-pillar Passive infrastructure sharing obligation
Lack of obligation to share passive infrastructure
There is no obligation for passive infrastructure sharing in Taiwan to deliver telecom services to end users, and it is not practiced in the mobile sector and in the fixed sector based on commercial agreements.
Coverage Telecommunications sector

TAIWAN

Since June 2019
Since October 1958, last amended in December 2013

Pillar Telecom infrastructure and competition  |  Sub-pillar Maximum foreign equity share for investment in the telecommunication sector
Telecommunications Management Act

Telecommunications Act
According to Art. 36 of the Telecommunications Management Act (2020), a foreigner may not own more than 49% of the shares of a facility-based telecommunication company. Furthermore, a foreigner may not own more than 60% of such shares in the sum of direct and indirect shareholding (e.g., by setting up a Taiwanese company). This only applies to Type I telecom enterprises. According to Art. 11 of the Telecommunications Act, telecommunications enterprises are classified into Type I telecommunications enterprises, which install telecommunications line facilities and equipment in order to provide telecommunications services, and Type II telecommunications enterprises, which include all other telecom providers.
Coverage Telecommunications sector