2012-04-23
Further Amendments to the Personal Data Protection Act
In response to the various controversies regarding the recently amended but not yet effective Personal Data Protection Act (Act), the Ministry of Justice (MOJ) submitted draft amendments to the Act to the Executive Yuan on 11 April 2012. The Executive Yuan to review the proposed amendments.
While it has been two years since the adoption of the first amendments, controversies surrounding Articles 6, 41 and 54 have caused delay in the enforcement of the amended Act. In order to ensure that the Act may regulate the subject matters effectively, the Executive Yuan requested MOJ to provide further amendment proposal in response to the various objections to certain provisions.
Article 6 of the Act stated that personal data related to medical treatments, genetic information, sexuality, health examinations and criminal records cannot be collected, processed or used unless certain conditions are first met. However, there is controversy regarding the use of medical records, for example, a patient would be prohibited from taking his own medical records from hospital A to hospital B. MOJ has proposed that the text be amended to allow the collection or use of such information for the public interest or upon written consent by the data subject.
According to Article 41, a person who violates Articles 6, 15, 16, 19, 20 or 21 and causes damage to others without an intention to profit will be subject to imprisonment of not more than two years or a fine of no more than NT$200,000, or both. This has been widely criticized as being excessive. MOJ thus has proposed that the relevant terms be deleted from the Act, and remedies under civil code, will be applied to redress such violations.
Finally, Article 54 requires that an entity collection personal data fulfill its notice duty under Article 9 within one year after the effective date of the amended Act. This has lead to strong objections from the public, and especially from financial service providers, because it would be hardly possible to notify all of their customers in such a short period of time. In response, MOJ has proposes that the notice duty within one year be removed from the Act. Instead such entities are only required to provide notification to the data subject prior to the use of his/her personal data.
Search
English