Cybersecurity Comparative Guide

Published date: 07 July 2020
Subject Matter: Privacy, Technology, Privacy Protection, Security
Law Firm: Lee And Li
Author: Ms Ken-Ying Tseng

1 Legal framework

1.1 Does the law in your jurisdiction distinguish between 'cybersecurity', 'data protection' and 'cybercrime' (jointly referred to as 'cyber')? If so, how are they distinguished or defined?

In Taiwan, there are specific statutes covering 'cybersecurity' and 'data protection' respectively. With regard to cybercrime, while the Criminal Code sets out certain crimes and offences with regard to the use of computer equipment, the term 'cybercrime' is not explicitly spelled out in the Criminal Code.

Matters concerning cybersecurity are governed by the Cyber Security Management Act (CSMA) in Taiwan. The CSMA defines 'cybersecurity' as "such effort to prevent information and communication system or information from being unauthorized access, use, control, disclosure, damage, alteration, destruction or other infringement to assure the confidentiality, integrity and availability of information and system".

Personal data protection matters are governed by the Personal Data Protection Act (PDPA) in Taiwan. Under the PDPA, the term 'personal data' refers to a natural person's name, date of birth, ID card number, passport number, features, fingerprints, marital status, family information, education background, occupation, medical records, healthcare data, genetic data, sex life data, records of physical examination, criminal records, contact information, financial conditions, social activity data and any other information that may be used to directly or indirectly identify that person. The PDPA imposes general obligations on all data controllers to protect the personal data that they hold. In order to obtain an adequacy decision from the European Union, the Taiwan government is contemplating revising the PDPA to incorporate the principles and mechanisms of the EU General Data Protection Regulation (GDPR) in the near future.

1.2 What are the key statutory and regulatory provisions that address cyber in your jurisdiction?

Currently, there is no statute specifically drafted for the regulation of cyberspace in Taiwan. As stated in question 1.1:

  • cybersecurity is regulated under the CSMA and the relevant enforcement rules, regulations and rulings;
  • personal data protection matters are regulated under the PDPA and the relevant enforcement rules, regulations and rulings; and
  • cybercrime is mostly subject to the Criminal Code.

On the other hand, the term 'Internet' appears in many statutes, regulations, rules and guidelines, given that this is now the world's most important communication tool. This term is included in many statutes as one of the mechanisms for notification, publication and communication.

The new Telecommunications Management Act will become effective on 1 July 2020 and will replace the current Telecommunications Act. Both acts have expanded their jurisdiction from traditional telecommunications businesses to internet-related matters by assuming the role of supervising the assignment and allocation of domain names and IP addresses. It is anticipated that the primary regulator of the Telecommunications Management Act, the National Communications Commission, will play an increasingly important role in regulating the Internet in the future.

Meanwhile, the Taiwan government is contemplating setting up a new ministry to regulate all digital-related matters in order to consolidate cross-ministry efforts to regulate the Internet and digital-related matters. The government may propose a new statute in relation to the regulation of cyberspace once the new ministry has been established.

1.3 Do special cyber statutes or regulations apply to: (a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)? (b) Certain types of information (personal data, health information, financial information, classified information)?

(a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)?

Cybersecurity: The CSMA regulates matters with regard to cybersecurity, including government agencies and providers of critical infrastructure. Financial institutions and healthcare providers such as hospitals are likely to be designated as critical infrastructure providers and subject to the CSMA.

National security: The National Security Act regulates general matters with regard to the protection of Taiwan's national security. There is no reference in this act to cybersecurity, personal data or cybercrime; but in general, it will apply to any national security matters in relation to cyberspace.

Financial services: The financial industry is subject to strict scrutiny by its primary regulator. There are many rules and guidelines on the information security measures that financial institutions must implement. Meanwhile, certain financial institutions are likely to be designated as critical infrastructure providers, in which case they will be subject to the security and reporting requirements under the CSMA.

Healthcare: The healthcare industry is also subject to strict scrutiny by its primary regulator. Hospitals are likely to be designated as critical infrastructure providers and be subject to the CSMA.

(b) Certain types of information (personal data, health information, financial information, classified information)?

Personal data: The protection of personal data is governed by the PDPA, including the protection of health-related personal information and financial-related personal information.

Health information: Certain medical records and health check information are classified as sensitive personal data, and the collection and use of such data are subject to strict restrictions under the PDPA. Meanwhile, pursuant to the relevant statutes governing healthcare professionals, patient information must be kept strictly confidential.

Financial information: Banking laws and other statutes governing the operation of financial institutions require such institutions to keep clients' data strictly confidential.

Classified information: Under the Criminal Code of Taiwan, breach of confidentiality obligations with regard to certain business secrets as stipulated under the law or a contract may incur criminal liability. Disclosing or compromising secret information with regard to national defence may also be subject to criminal sanctions.

1.4 Do any cyber statutes or regulations have extraterritorial reach? If so, how do they apply extraterritorially and what are the factors or criteria for such application?

The relevant statutes do not include specific...
