Data protection and cybersecurity are evolving areas of regulation in Asia. Here, experts shed light on emerging jurisprudence in the region’s top jurisdictions
We are now at a frustrating moment. COVID-19 cuts down the number of international trips, locks down many states and cities, keeps many of us at home, and drives more and more people online for work, life, and entertainment. Never before have we so warmly embraced internet-based businesses, never before have we exposed ourselves so thoroughly over the internet, and never before have we so seriously considered protecting our personal data and privacy information.
Businesses are also extraordinarily wary about the compliance risks of their use of personal data and online privacy regulations. There is the General Data Protection Regulation (GDPR) in the EU, with its traditional manufacturing giants, and there is the California Consumer Protection Act (CCPA) in California, the origin of the World Wide Web and the base of many internet tycoons. What is there in China, with its history of imperial dynasties and, more recently, a test bed of innovative manufacturing technologies?
China has not enacted one law that comprehensively covers all aspects of data protection and will not do so. In December 2019, the Standing Committee of the National People’s Congress announced a 2020 legislative plan to draft a Personal Information Protection Law and a Data Security Law. This is mainly because China wants its data protection mechanism to protect both personal data and online privacy that is important to individual citizens, and the so-called important data that are of governmental interest. This dual-purpose approach was a conservative one in an era of globalization. However, it may not seem so conservative after all, given the current breakdown in globalization, as evidenced by rising populism in several major Western countries.
Under the current mechanism, the regulations and requirements on data protection are spread across various laws, as well as some recommended operational standards at the national level. More specifically, China’s data protection legal mechanisms are spread throughout the following four areas:
- General data security requirements, including the Cybersecurity Law (CSL) and its implementing regulations and standards;
- National secret data protection, including the Law on Guarding National Secrets and its implementing regulations and rules;
- Personal information protection, including the Civil Law, the Law on Protecting the Rights and Interests of Consumers, and relevant national standards; and
- Important data protection, including the regulations that are applicable within an industry or a region issued by the ministries or local governments.
Because of the dual-purpose nature of China’s data protection mechanism, China needs more than one regulator to govern both functions in its data protection scheme. The following five key regulators oversee data protection:
- The Cyberspace Administration of China (CAC), which leads the legislative efforts, and guides and co-ordinates law enforcement, among other regulators;
- The Ministry of Public Security (MPS), which is responsible for policing data protection crimes and network security violations;
- The State Administration for Market Regulation (SAMR), which supervises personal data protection-related activities in the market, such as the illegal invasion of consumers’ privacy;
- The Ministry of Industry and Information Technology (MIIT), which is responsible for data protection in telecommunications services; and
- Other ministries that oversee data protection compliance in the industries they respectively regulate.
Personal data and information
Principles of lawfulness, justification and necessity. The law generally requires network operators to engage in personal information-related business lawfully, with justifiable reasons and demonstrable necessity. The standards that determine lawfulness, justification and necessity can be found in several non-compulsory national standards released by the National Information Security Standardization Technical Committee (TC260), such as the Information Security Technology – Personal Information Security Specification.
Consent is a must. Under this principle, a network operator is required to announce its rules and policies on its collection and use of personal information, and to inform the personal information subjects of its purposes, means and scope of collection. Before any sensitive personal information is collected, a network operator must obtain the informed and explicit consent of the personal information subjects. Examples of sensitive personal information include human faces and bank accounts.
Requirements of whole lifecycle protection of personal information. The requirement to protect personal information covers its whole lifecycle, from collection to storage, to use, to processing, to sharing and transfer, until and including deletion and disposal. Some key requirements in each of the lifecycle phases are highlighted below:
Collection: Network operators must strictly comply with the principles of lawfulness, justification, necessity and consent.
Use and process: Using and processing personal data must not exceed the scope of consents received before collection. When it is necessary to use and process personal data beyond the corresponding consents received, the network operators must obtain additional consents to the expanded scope. A noteworthy situation is data processing outsourcing: a network operator must ensure that the above-mentioned requirement is strictly followed in its outsourced processing.
Storage: The storage of personal data is only allowed during the shortest period necessary to achieve the consented-to purpose. It is recommended that personal data be stored without identifying information, with personal identification indicators stored separately from the anonymous data. Encryption is recommended for the storage of sensitive personal data.
Share and transfer: Network operators must obtain additional consent before they share and transfer personal data to other entities. Network operators may also want to conduct security impact assessments before such sharing and transfer. During and after the sharing and transfer, network operators should clearly define the responsibilities and liabilities of the personal data recipients, and reasonably supervise the recipients’ performance.
Honouring the rights of the data subjects: Network operators must honour and respond to the requests of data subjects to withdraw their consent, correct or delete their personal data, request a copy of their data stored with network operators, and deregister their accounts with the network operators.
Unlike the protection of personal data, important data protection, the other purpose of China’s data protection mechanism, is still in its infancy. Only high-level references and principles have been established under the CSL, as well as some local regulations. The specialized regulation, the Administration Measures for Data Security (Draft Data Security Regulation), is still in draft form.
The localization requirement of important data protection largely remains a puzzle. Under the CSL, the Critical Infrastructure Institution Operator (CIIO) is obligated to localize the important data it collects and stores. The localization requirements include the local storage of such important data in China, and the transfer of such data cross-border only when necessary, and with a positive security assessment approval.
The CIIO is also required to back up and encrypt the important data in its processing. The Draft Data Security Regulation tries to provide considerably more detail than the CSL in implementing the localization requirements. However, neither the CSL nor the Draft Data Security Regulation gives a clear clue or standard for determining the CIIO and the important data. Because of such vagueness in the above-mentioned basic law and regulation, several subsequent draft administrative regulations and rules have tried, confusingly, to expand the applicability of the localization requirements to other types of data, or to expand the definition of the CIIO. None of these efforts has yielded positive results.
A laudable approach is that several ministries and local governments have determined, or begun to determine, the important data of the industries or the regions that are within their jurisdiction. Examples of specifically identified important data include human genetic resources, population health information, geographic surveying information, personal credit information, and personal financial information. We anticipate that more and more industries and local governments will do the same to determine the characteristics of important data within their jurisdiction.
Recent hot regulatory topics
Apps. In 2019, in a noticeable development, several government agencies joined together to enforce the law against illegal app operations. The CAC, MIIT, MPS and SAMR jointly issued the “Announcement on the Implementation of Special Governance for the Illegal Collection and Use of Personal Information on Apps”. The crackdown ran throughout 2019, and particularly focused on improper privacy terms, incorrect descriptions of the scope of collection and use of personal information, and the collection of unnecessary personal data. The penalties imposed included public criticism, temporary shutdowns for correction, and permanent shutdowns.
In the meantime, a series of guidances and policies were released. Such guidances and policies require app operators to offer user-friendly privacy terms, inform users in sufficient detail of the correct scope and purpose of data collection, and obtain explicit consent before data collection.
Web crawler. A web crawler is a widely used technical tool for automatic data collection. However, there is substantial legal risk if the user of the tool fails to identify, intentionally ignores, or deliberately violates any restriction on, or prohibition against, the use of the tool imposed by web service providers. Such illegal use of a crawler is subject to administrative or even criminal liabilities.
Software development kit (SDK). An SDK provided by a third party may collect device information and user personal data without the knowledge of the users and the service providers. In a 2019 law enforcement action, an SDK was found to have caused many cases of personal data protection violations. Potential violations and damages through the use of SDKs have attracted legislative attention. The Draft Data Security Regulation requires network operators to impose specific data security requirements and responsibilities upon SDK providers.
To avoid the legal risks of SDKs, our recommended practice is to: (1) seek representations and warranties from the SDK providers for data protection compliance purposes; (2) carry out reasonable technical tests against SDKs or applications with SDKs; and (3) conduct real-time monitoring of the SDK, or the applications with SDKs, and promptly cut off an SDK’s access to any personal data.
Face recognition. Face recognition and other similar biometric applications are widely used to identify or verify the identities of people. Under the law, the human face is a type of biometric data, which is sensitive personal data subject to strict protection. Personal biometric data are collected and used through mobile or other devices by operators controlling the devices. Improper collection and use of face images create substantial legal risks.
In 2019, Zao, a face-swapping app that allows users to imitate famous actors, raised privacy concerns in China. It was later discovered that, by accepting Zao’s user agreement, Zao users gave unintentional permission to Zao’s developers to collect and store users’ facial images, and to sell them to third parties without further consent.
The MIIT criticized Zao for such an aggressive practice, and requested that Zao change its user agreement to cure such a personal data security concern. This is also part of the reason that, on 25 June 2019, TC260, in its updated national standard, provided specifically for biometric data protection.
Blockchain. Blockchain is a secure and decentralized ledger that can help companies maintain secure transaction records. However, private blockchains are likely to collect and store personal data. Retailers, for example, can collect and store massive volumes of data about their customers and their preferences, as well as their purchase histories and payment habits and amounts.
The Provisions on the Administration of Blockchain Information Services, which took effect on 15 February 2019, impose information content safety management obligations on blockchain information service providers, and require them to establish and improve management rules for user registration, information review, emergency response, and safety protection.
Although there have been no published cases of personal data violation involving private blockchain users since the statutory obligations have been established, the next dispute or violation may be around the corner.
Data protection compliance strategy
There are different approaches to protecting personal data throughout the world. The US took a more liberal approach, holding that, while personal data are a personal interest that should be under the absolute control of the data subjects, data subjects should take the primary efforts and responsibility to protect themselves, and the government should only take secondary responsibility.
Under such an approach, advanced technologies permit most of the high-technology companies to treat personal data as the “free” gold of the “Wild West”. The CCPA emerged at this critical time in California, the home of many high-technology companies, to restore the balance of power over personal data use to the data subjects. At the same time, such a liberal approach encourages the development of new technologies, some of which require lots of training and analytical data, and represents the “new technology first” policy of the US.
The EU took a different approach, holding that personal data are a personal interest that should be under the absolute control of the data subjects, and that the aggregation of the personal data of all EU subjects constitutes a new form of valuable intangible assets that belongs to the EU Commission. Therefore, the EU works to ensure that such personal interests are well preserved and protected.
Following such a path, it is not surprising that so-called digital assets’ levies or taxes would be imposed to finance the governments’ efforts to protect such personal interests. Such a conservative approach is used by the EU, which has a comparatively weaker technological capability with which to withstand the invasion by technology giants from the US.
China’s data protection mechanism is still evolving. The central government understands that a correct data protection approach will define the country’s future. From a historical and governmental structural perspective, China inclines more to data protection mechanisms that are similar to those under the GDPR. However, China also understands that fully copying the data protection mechanism of the GDPR may create disadvantages in the competition between its technology giants and their US opponents, particularly in the areas where large amounts of data determine the development of certain technology, such as artificial intelligence (AI).
As a result, China created a parallel structure for data protection purposes. On the one hand, its personal data protection is much less restrictive than the GDPR, leaving room for technology advancement and exploration, while balancing this by being more restrictive in protecting the data; on the other hand, it tries to define the concepts of the CIIO and the important data to create barriers against potential invasion from more advanced technology possessors. Such an approach represents the Chinese characteristic in defining the competing interests between technology and personal privacy in its data protection mechanism.
High-level compliance tips
If you are a foreign technology company that can fully comply with the requirements of the GDPR, you very likely have complied with the personal data protection laws of China.
However, if you are a US company and do not have a GDPR compliance strategy in place, what you may need to do is identify the gap between your current US-based personal data protection policy and the personal data protection requirements in China, and fill such a gap. But if you are a CCPA-compliant US company, you may have complied, or may only need to take very few steps to comply with China’s personal data protection requirements.
Whether you are an EU or US company, what you need to do to comply with the important data protection requirements is to watch closely the developments of the CIIO and important data protection regulation, and analyse whether the data you collect in China could be determined to be important data. If yes, you may need to develop a special compliance strategy to address important data protection in China. If not, you should be happy with what you have in place for compliance.
Xinyao Zhao and Estella Wang also contributed to this article
GLOBAL LAW OFFICE
All aspects of our lives, be they medicine, astronomy, finance, law, social life and almost everything else, are either driven by, or indirectly dependent on computers for propagation and existence. While computers have made our lives easy, they have also introduced new sets of challenges.
As Bill Gates, the founder of Microsoft, famously said: “The computer was born to solve problems that did not exist before.” Be that as it may, certain challenges emanating from dependence on computers can have an adverse effect on society, and society cannot be protected unless there is a strong and robust legal framework. This article aims to cover the statutes that currently govern cybersecurity and data privacy in India.
With the advent of digitalization in all sectors of life, the initial steps taken by the government were towards recognition of electronic records, and recognition and sanction of digital processes. In this regard, several existing laws were amended to meet new challenges arising from digitalization.
Nonetheless, the first major step taken towards cybersecurity in India was the enactment of the Information Technology Act, 2000 (IT Act). The jurisprudential development that followed, although very scant, did pave the way for further evolution, and led to the Information Technology (Amendment) Act that was passed in 2008.
The IT Act broadly encompasses various cyber-offences and cyber-contraventions. Almost all the known activities that constitute a criminal offence relating to information technology are covered by the IT Act.
- Hacking. Although the IT Act does not give specific reference to hacking, section 43 of the IT Act provides that if any person accesses a computer, computer system or computer network without permission of the owner (sub-section a), or downloads, copies and extracts any data (sub-section b), or causes disruption of any system (sub-section e), such person will be liable to pay damages by way of compensation to the person affected. Section 66 of the IT Act further provides that the offences mentioned in section 43, which include hacking, could attract imprisonment for a term of up to three years, or a fine of up to US$7,100, or both.
- Phishing. The IT Act does not specifically define phishing. However, sections 66C and 66D of the IT Act provide punishment for offences that are types of phishing. Section 66C provides that whoever, fraudulently or dishonestly, makes use of electronic signatures, passwords or any other unique identification features of any other person faces imprisonment for up to three years and a fine of up to US$1,300. Apart from the IT Act, section 419 of the Indian Penal Code, 1860, also provides similar punishment for cheating by impersonation.
- Malware/virus attacks. Under sub-section c of section 43 of the IT Act, if any person introduces any computer contaminant or computer virus to a computer resource without the owner’s permission, such person is liable to pay damages by way of compensation. Such acts also attract punishment under section 66 of the act.
- Cyber-terrorism. Cyber-terrorism was specifically covered in the IT Act by way of the amendments introduced in 2008, with the addition of the new section 66F. Under section 66F, if an offence is committed with an intent to threaten the unity, integrity, security or sovereignty of India, or to strike terror in people, or the conduct causes death or injuries to persons, damage to property or disruption of services and supplies essential to life, or adversely affects the critical information infrastructure, it would constitute cyber-terrorism and may attract imprisonment for life.
The field of information technology evolves rapidly, and with time, the Government of India continues to frame several rules and regulations to broaden the scope of the IT Act to keep pace with new challenges. Over time, the government has framed various rules, a few of which play a significant role in cybersecurity and data privacy:
- The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI rules);
- The Information Technology (Intermediaries Guidelines) Rules 2011;
- The Information Technology (Guidelines to Cyber Cafe) Rules 2011;
- The Information Technology (Electronic Service Delivery) Rules 2011;
- The Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (CERT-In rules); and
- The Information Technology (Information Security Practices and Procedures for Protected System) Rules, 2018.
Various IT rules enacted by the government have laid significant obligations on persons and organizations to ensure secure practices, and to report cybersecurity incidents. The above-mentioned CERT-In rules require individuals and corporate entities affected by any “cybersecurity incident” to report it to the Indian Computer Emergency Response Team (CERT-In). A cybersecurity incident means any real or suspected adverse event in relation to cybersecurity that violates an explicitly or implicitly applicable security policy.
CERT-In has been constituted to respond to and co-ordinate action during cybersecurity emergencies, and to offer information to help improve cybersecurity.
No doubt the disputes arising from the IT Act will encounter deeper questions on technology that require special expertise to resolve. Thus, the IT Act provides for the appointment of special “adjudicating officers” for disputes arising from the act, and the decisions of those adjudicating officers are appealable to an appellate tribunal specifically constituted under the act.
Under section 48(1) of the IT Act 2000, the Ministry of Electronics and Information Technology established the Cyber Regulations Appellate Tribunal (CRAT) in October 2006. The IT (Amendment) Act 2008 renamed the tribunal the Cyber Appellate Tribunal (CyAT). Pursuant to the IT Act, any person aggrieved by an order made by the Controller of Certifying Authorities, or by an adjudicating officer under this act, may prefer an appeal before the CyAT.
India has taken significant steps in ensuring the protection of personal data, and endeavours to bring its legal framework on par with the global course. One part of the rules and regulations aims to put an obligation on organizations to ensure proper infrastructure and security to protect data coming into their possession. As per the SPDI rules, companies and organizations storing data such as financial information, health information, passwords, biometrics, etc., should have policies that contain technical, operational and physical security control measures commensurate with the information assets sought to be protected.
The other part of the rules defines what personal data are, and the policies that must be adhered to regarding data privacy and the disclosure of information. Rule 2(i) of the SPDI rules provides that personal information means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person. Rule 3 classifies certain information as sensitive data, such as passwords, financial information, physical and mental health conditions, sexual orientation, biometrics, etc.
Under these rules, any corporate or person is required to explicitly disclose (on the website, or in any contract) the statements of its policies relating to personal data, the purpose of collection and usage of such information, the policy on the disclosure of information, and also the reasonable security procedures adopted. These rules ensure that the personal data are secured and that the person divulging such data knows the purport of the collection of such data, and whether the organization seeking such data inspires any confidence that it would be protected.
With growing complexities, the inadequacies of the existing law on data privacy were recognized. In August 2017, the need for a more robust law to protect personal data was recognized by the Supreme Court of India, in Justice KS Puttaswamy v Union of India. It explicitly recognized an individual’s fundamental right to privacy and the need for stronger protection of personal data.
It was closely followed by the release of the report and draft law by the Committee of Experts, chaired by Justice BN Srikrishna. A Data Protection Bill, 2019, is currently pending before India’s parliament, which is in line with the draft law of the Committee of Experts and also resonates with the 2018 EU General Data Protection Regulation (GDPR).
Given the dynamic nature of IT, the laws relating to it also undergo a continual process of evolution, at a faster pace than other laws. India’s government has recognized this dynamism and is continually reforming laws on information technology by widening the scope of the IT Act from time to time.
Recently, with the introduction of the Information Technology (Information Security Practices and Procedures for Protected System) Rules, 2018, and the Data Protection Bill, the government has recognized the importance of further fortifying the laws on data privacy, which is a positive direction to instil confidence in cross-border flow of information.
Indonesia has the fastest-growing digital-based economy in Southeast Asia. This growth is expected to continue, as the government has been promoting the development of digital business and encouraging small and medium-sized enterprises (SMEs) to participate in the utilization of the internet and technology, embracing the era of “Industry 4.0”.
Information technology has played a significant role in the Indonesian economy, and the rapid growth of the digital industry has increased the necessity for more advanced and comprehensive cybersecurity and data protection rules.
In light of the rapid growth of digital technology, Indonesia has had, since 2008, a law that specifically regulates electronic information and transactions: Law No. 11 of 2008 on Electronic Information and Transactions, as amended by Law No. 19 of 2016 (EIT Law). This law establishes fundamental rules for the operation and involvement of electronic information and systems within a variety of contexts, including cybersecurity and personal data protection.
Nevertheless, Indonesian e-commerce platforms are not free from breaches of their internal databases, resulting in massive data leaks of compromised user data (usernames, e-mail addresses, phone numbers and encrypted passwords). These incidents have exposed the vulnerability of security in electronic systems, while Indonesia has increasingly turned to e-commerce as a significant support system for its economy. Therefore, the government policies and regulations have also tried to adapt with these technological developments and challenges.
The EIT Law and its implementing regulations, such as Government Regulation No. 71 of 2019 on the Provisions for Electronic Systems and Transactions, cover the general provisions on cybersecurity, which are expected to promote and accommodate reliance on electronic systems while maintaining the principle of technology neutrality. The EIT Law requires electronic systems operators (ESOs) to provide systems in a reliable and secure manner, and to take responsibility for their proper operation. Security aspects cover the protection of electronic systems physically and non-physically, and include the security of hardware and software, based on regulation No. 71. Further, this regulation requires ESOs to maintain and implement security procedures, facilities and systems to prevent and mitigate security threats and attacks.
Pursuant to the Minister of Communications and Informatics (MOCI) Regulation No. 4 of 2016 on Information Security Management Systems (regulation No. 4), the compliance requirement for information security management standards depends on the risk category of the electronic systems concerned. This regulation classifies the risk categories as: (1) strategic; (2) high; and (3) low.
Electronic systems categorized as strategic and high are required to implement ISO/IEC 27001 standards on information security, while electronic systems categorized as low must implement guidelines for an Information Security Index.
However, regulation No. 4 is expected to be updated in the future, as it still refers to a categorization of ESOs made in a predecessor of regulation No. 71: Government Regulation No. 82 of 2012 on the Provision of Electronic Systems and Transactions, which was revoked by regulation No. 71.
The determination of technical requirements for information security management, including the applicable Information Security Index, was initially assigned to the MOCI. However, the role has now been assigned to the Cyber and Crypto National Agency (Badan Siber dan Sandi Negara, or BSSN). It is anticipated that the BSSN will establish technical regulations on the requirements and compliance for information security in the future.
In addition to the BSSN, another institution that is authorized to handle cybersecurity matters is the Indonesia Security Incident Response Team at the Internet Infrastructure/Co-ordination Centre (ID-SIRTII), which was established by the MOCI in 2007. ID-SIRTII’s authority is focused on raising awareness on IT security, advanced monitoring, advanced detection, and advanced warning of threats in telecoms networks, especially the internet.
On criminal aspects, article 46 of the EIT Law stipulates that action considered a breach of cybersecurity will be punishable by imprisonment of up to eight years and/or a fine of up to IDR800 million (US$53,000).
Data and privacy protection are recognized under article 28G of the Indonesian Constitution as basic human rights. The article states that every person shall have the right to protection of himself or herself, family, honour, dignity and property. To date, however, Indonesia has not issued a dedicated law on data and privacy protection, so the rules are still scattered across several sectoral laws and regulations.
However, the EIT Law, regulation No. 71, and regulation No. 20 are currently considered an umbrella for the management of personal data, and are applicable to the operation of electronic systems in any field of business.
These regulations emphasize the importance of obtaining consent for the use of information through electronic media that involve personal data, unless provided otherwise by the relevant laws and regulations.
The concept under the EIT Law that “protection of personal data is part of an individual’s privacy rights” establishes the overarching principle of regulation No. 20, which emphasizes the need to obtain a data subject’s consent for the handling or management of personal data, the verification of the personal data being handled, and the protection of a data subject’s rights over their personal data.
Regulation No. 20 requires ESOs to obtain a data subject’s consent for all stages of personal data handling, including the collection, processing, storage, dissemination, and deletion of personal data.
As per regulation No. 71, the government’s attempt to apply personal data protection rules that are based on more common standards indicates the heavy influence of the EU’s General Data Protection Regulation (GDPR), as can be seen from our analysis of the following:
- Article 14(1) of regulation No. 71 refers to the general principle of personal data protection (broadly similar to article 5 of the GDPR);
- Requirements for lawful personal data processing, which are based on a data subject’s consent to one or several purposes, and compliance with other requirements under article 6 of the GDPR, are considered the basis for the lawfulness of processing. However, instead of providing an exemption to the consent requirements, regulation No. 71 takes a different approach, where consent is still a mandatory requirement.
- Use of the term “personal data controller” (pengendali data pribadi) is taken directly from the GDPR. The only place this term appears in regulation No. 71 is article 14, and there is no elaboration on the term. Further, in contrast with the GDPR, regulation No. 71 does not specifically differentiate between the terms “personal data controller” and “personal data processor”.
- Development of a general “right to be forgotten” was first established by the EIT Law, which requires an ESO to delete electronic information and/or an electronic document within its control, and which is no longer relevant, based upon a court order or at the request of the data subject, depending on whether the specific right being exercised is the Right to Delisting or the Right to Erasure.
The government is preparing a bill on personal data protection, which, in the authors’ view, and based on the latest draft, seems to take GDPR principles further. This can be viewed as an opportunity to increase the compatibility of Indonesian regulations with industry-wide standards. For example, a differentiation between personal data controller and personal data processor is introduced, and the bill requires a faster timeframe for notification of a breach (three days, compared with the 14 days stipulated in regulation No. 20). However, there is no indication of when the bill will be enacted as law.
Taking into account recent cyberattacks on several digital platform companies, it is clear that data abuse is hugely attractive to criminals; cybercrime is inevitably a growing trend. Without prejudice to a series of preventive actions, the government and the private sector are expected to focus their attention more sharply on issues that relate to cybersecurity and data protection, as data is now considered an important asset of a company. It is therefore very much the case that awareness of the need to combat cybercrime and establish effective and efficient personal data protection will be critical areas of focus for both the government and the nation’s corporate sector.
Cybersecurity laws in Taiwan consist of various laws and regulations set out in different regimes. Although the Cyber Security Management Act (CSMA) was promulgated in 2018, it mainly establishes cybersecurity control mechanisms for governmental agencies and specific non-governmental agencies. Other related laws and regulations are of importance and may include, among others, the Criminal Code, the Personal Data Protection Act (PDPA), and the new Anti-Infiltration Act.
The Criminal Code
The provisions regarding cybersecurity are set out in chapter 36 of the Criminal Code, “computer offences”. The conduct listed below is subject to criminal punishment, including, but not limited to, imprisonment and fines.
(1) Hacking into another’s computer (article 358 of the Criminal Code). If a person, by: (i) entering another’s account ID and password; (ii) breaking computer protection measures; or, (iii) taking advantage of a system loophole accesses another’s computer or related equipment without a justified reason, that conduct constitutes an offence under article 358 of the Criminal Code. The term “reason” may include the authorization of the relevant other, or a legal requirement.
(2) Illegal disposal of the electronic or magnetic record. If a person illegally obtains, deletes or alters the electronic or magnetic record of another’s computer or related equipment, that conduct may violate article 359 of the Criminal Code. The term “electronic or magnetic record” refers to “records for computer processing made through the use of electronic, magnetic, optical or other similar means”.
(3) Interference with the use of a computer or related equipment. If a person interferes with the use of a computer or related equipment of another person, and causes injury to the public or said other, that conduct may be in violation of article 362 of the Criminal Code.
(4) Making computer programs to commit the offences specified in chapter 36 of the Criminal Code. If a person makes computer programs specifically for himself/herself or another, for the purpose of committing the offences of the above articles 358, 359 and 362, that conduct may be in violation of article 363 of the Criminal Code.
The Civil Code
There are no specific laws or regulations regarding the civil liability for cybersecurity violations in the Civil Code. However, if anyone, through hacking a computer of others, or by other means affecting cybersecurity, causes others to suffer loss or injury, the injured person/entity may claim compensation pursuant to article 184 of the Civil Code (torts) and other provisions, including, but not limited to, articles 18 (infringement of personal rights) and 195 (infringement of fame) in principle, and other related provisions as may be relevant to the particular circumstances.
Personal Data Protection Act
For the protection of personal data, the PDPA stipulates that governmental/non-governmental agencies must implement proper security measures to prevent personal data from being stolen, altered, damaged, destroyed or disclosed. These provisions are not directly related to cybersecurity. However, personal data are currently collected, processed and transferred by utilizing the internet, and, as such, security measures may also be of assistance to enhance the overall effectiveness of cybersecurity measures.
The PDPA also stipulates that the central competent authority in charge of certain industries may designate and order certain non-governmental agencies (private entities) to establish so-called security and maintenance plans for the protection of personal data files, and to formulate and implement guidelines for the disposal of personal data following a business termination.
For example, Taiwan’s Financial Supervisory Commission has enacted the “security and maintenance plan for the protection of personal data files for non-governmental agencies as designated by the Financial Supervisory Commission”. Under these regulations, the non-governmental agencies that provide electronic commerce services must utilize information security measures that include: (1) verifying identity; (2) concealing personal data; (3) securely encrypting transmissions via the internet; (4) verifying and confirming the processes for developing, bringing online and maintaining certain application systems; (5) establishing and implementing protection and supervision measures for personal data files and databases; (6) formulating solutions to prevent external unauthorized access; and (7) formulating solutions and supervision for illegal/abnormal access and use.
The CSMA was promulgated in Taiwan on 6 June 2018. Aside from the Criminal Code and the PDPA, the CSMA primarily regulates the governmental or specific non-governmental agency’s management of cybersecurity programmes for the construction of an environment to safeguard national cybersecurity. The competent authority of the CSMA is the Executive Yuan, which is the highest administrative central government authority in Taiwan. The Ministry of Economic Affairs has also published guidelines for companies in Taiwan to establish relevant cybersecurity mechanisms per the CSMA.
The application scope of the CSMA includes governmental agencies and specific non-governmental agencies. The specific non-governmental agencies include state-owned enterprises, government-endowed foundations, and “infrastructure providers”.
This is important, as infrastructure providers are expected to establish cybersecurity protection mechanisms to the extent required by the CSMA, to ensure that the relevant sensitive information will be secure, and will not be leaked to others with malicious intentions, so as to safeguard national security.
Infrastructure providers refer to those entities that maintain or provide critical infrastructure, either in whole or in part, as designated by the central authority in charge of the relevant industry, the designations of which are submitted to the competent authority for ratification.
Critical infrastructures include the suppliers for facilities in the fields of energy, water, telecommunications, finance, transportation, emergency medication, governmental agencies and high-tech parks.
Once suppliers are designated as being an infrastructure provider, they also bear the same obligations as government agencies to establish cybersecurity protection mechanisms to prevent any unexpected disclosure of sensitive information via the internet that could adversely affect national security.
The responsibilities of governmental agencies and specific non-governmental agencies under the CSMA are categorized in three stages:
(1) Advance Planning. The CSMA requires governmental agencies or specific non-governmental agencies to establish “security and maintenance plans” and “reporting and responding mechanisms” in advance for personnel to implement accordingly. Agencies are also required to state the cybersecurity responsibility levels by considering the criteria on the importance, confidentiality and sensitivity of the business, the hierarchy of the agency, and the category, quantity and attributes of the information reserved or processed as well as the scale and attributes of the information and communication systems of the agencies.
(2) Maintenance. The agencies are required to provide reports periodically to the central government authority, and the authorities may conduct on-site due diligence checks per the CSMA. If any event affecting cybersecurity occurs, the agencies must report to the central government authority and take measures to control the loss, and to recover the operations per the mechanisms enacted by the central government authority.
(3) Post-event occurrence correction. After a cybersecurity event occurs, or at the time that the central government authorities find deficiencies in the cybersecurity control mechanism of the agencies, the organizations must make corrections to such deficiencies, and submit a report indicating the measures being taken to remedy the deficiencies. The agencies are required to track the implementation and efficacy of the remedial and correction measures to ensure that the deficiencies are comprehensively corrected.
The CSMA also requires the government to establish information sharing mechanisms as the threats to cybersecurity may come from various locales worldwide. The sharing of information between governmental and non-governmental agencies is encouraged in order to strengthen the cybersecurity network.
The information-sharing mechanisms established include the National Information Sharing and Analysis Centre (N-ISAC), the National Computer Emergency Response Team (N-CERT), and the National Security Operation Centre (N-SOC).
The Anti-Infiltration Act
The Anti-Infiltration Act became effective in early January 2020, and prohibits people acting on the instruction of, or with the funding of, “infiltration sources” from engaging in illegal campaigning or lobbying, or from receiving illegal political donations as well as from disrupting the social order.
The background to the drafting and passage of the Anti-Infiltration Act is the recent presidential election in Taiwan, as people on the island or abroad were generating so-called “fake news” on the internet in attempts to affect the results of the election.
FORMOSA TRANSNATIONAL ATTORNEYS AT LAW
13/F, 136 Jen Ai Road, Sec. 3, Taipei
Tel: +886 2 2755 7366
Fax: +886 2 2755 6486