
A Brief Analysis of Taiwan’s PDPA Amendment: Towards Independent Oversight and the Challenges of AI Governance

2025/04/08

I. Core Amendments and Background

On March 27, 2025, the Executive Yuan announced the draft Organizational Act of the Personal Data Protection Commission and draft amendments to parts of the Personal Data Protection Act. This was stated as an effort to “establish a comprehensive independent supervisory mechanism with robust enforcement powers, and to institute data governance for the era of pervasive Artificial Intelligence (AI).” These proposed changes represent what could be the most substantial revisions to the PDPA since its initial enactment. This article aims to analyze the substance of these amendments, compare them against relevant international legal norms, examine the current trajectory of the revisions, and assess the extent to which the stated goal of “data governance for the era of pervasive AI application” is realized.

The central objective of this amendment is to establish an independent supervisory framework for personal data protection, as mandated by a 2022 judgment of the Constitutional Court. This primarily concerns the institutional structure and mandate of the Personal Data Protection Commission (PDPC), the system for supervising government agencies, the personal data breach notification mechanism, and transitional supervisory arrangements for non-governmental entities. A significant focus of the amendments is the strengthening of the breach notification mechanism and the introduction of a new Chapter III-1, entitled “Administrative Supervision,” which for the first time creates a comprehensive oversight framework for government agencies.

The draft amendments establish a multi-tiered supervisory architecture for government agencies. This includes an internal Data Protection Officer (DPO) system, a system of supervision and audit by higher-level authorities, and the audit and inspection powers vested in the PDPC as an independent body. Government agencies will be required to submit annual reports to their superior or competent authorities detailing the implementation of personal data protection management and to conduct supervisory audits of their subordinate agencies. The PDPC, for its part, will be empowered to conduct regular or ad hoc audits of government agencies and, upon identifying violations, may order corrective measures within a specified timeframe, with the potential to publicize the agency’s name and the details of the violation in serious cases (a slightly more lenient approach than for non-governmental agencies, where the responsible person can also be publicized upon violation, §25 I(4)).

II. The Role of the Data Protection Officer (DPO)

The role of the Data Protection Officer (DPO) is a common feature in the legislative frameworks of major countries worldwide. For example, the European Union’s General Data Protection Regulation (GDPR) mandates the appointment of DPOs for public authorities and certain non-governmental entities that meet specific criteria. These regulations typically require DPOs to possess expert knowledge of data protection law and practices, with responsibilities including providing advice on regulatory compliance, monitoring internal processes, and serving as a contact point with supervisory authorities. Notably, many jurisdictions extend DPO requirements beyond public bodies to non-governmental organizations whose core activities involve large-scale monitoring of personal data or that exceed a certain operational scale. Singapore, for instance, requires all “organizations” to designate a DPO. The PDPC’s intention to create a dedicated role, drawing on international practices, to bridge the gap between policy and implementation and ensure responsible handling of personal data by all organizations (even if currently limited to government agencies) is quite evident.

IV. Significant Changes to the Personal Data Breach Notification System

Draft Article 12 introduces substantial enhancements to the personal data breach notification system, representing a key highlight of this amendment. The existing law only stipulates that government and non-government agencies, in the event of personal data being divulged due to a “violation of this Act,” “shall, after investigation, notify the data subjects in an appropriate manner.” However, it lacked a clear obligation to notify the competent authority and provided no penalties for non-compliance, resulting in a low willingness to report breaches in practice. After all, non-reporting incurred no liability, while reporting could lead to claims for damages and penalties. Consequently, apart from large, well-established operators, few rational actors were inclined to notify data subjects of incidents as required by law.

The newly amended Article 12 not only revises the trigger for notifying data subjects from “personal data being stolen due to a violation of this Act” to “becoming aware that the personal data they hold has been stolen, altered, damaged, destroyed, lost, or divulged,” but also explicitly states that notification “shall” be given to data subjects. Paragraph 2 adds a reporting obligation, requiring government agencies to report incidents meeting certain criteria to the competent authority and their superior authority, while non-government agencies must report to the competent authority. Paragraph 3 further mandates the adoption of immediate and effective response measures and the preservation of records, and Paragraph 4 authorizes the competent authority to establish relevant regulations.

In conjunction with the new penalties introduced in Paragraph 2 of Article 48, non-government agencies that violate the notification obligation, emergency response measures, or record-keeping requirements will face direct fines ranging from NT$20,000 to NT$200,000, without the need for a prior order for rectification within a specified period. This direct penalty mechanism significantly increases the cost of failing to report breaches, potentially changing the previous tendency towards non-reporting (where non-reporting had no penalties, while reporting could lead to administrative sanctions and claims for damages from data subjects).

Compared to the regulations in other major jurisdictions, this amendment still has room for improvement. For instance, Article 33 of the GDPR clearly stipulates that data controllers must, in principle, notify the supervisory authority within 72 hours after becoming aware of a personal data breach; failure to do so in serious cases can result in fines of up to €20 million or 4% of the total worldwide annual turnover, whichever is higher. By comparison, although the Japanese Act on the Protection of Personal Information (APPI) likewise only requires businesses to promptly notify the Personal Information Protection Commission (PPC) in the event of a data breach, its subsequent guidelines specifically recommend reporting within 3-5 days and providing a detailed explanation within 30 days.

The current draft lacks specific reporting timeframes, which may be a deliberate omission to allow the PDPC room for operationalization through administrative orders. It is anticipated that the PDPC will provide concrete guidelines for businesses to refer to and comply with after the amendment is passed.

V. Supervision of Non-Governmental Agencies

Draft Articles 22 to 26 introduce substantial modifications to the supervisory mechanisms for non-governmental agencies. Article 22 explicitly outlines the competent authority’s inspection powers over non-governmental agencies, adding clear prerequisites for initiating inspections, including “suspected violation of this Act” or “deemed necessary to review their implementation of this Act.” It also authorizes the competent authority to establish relevant regulations regarding inspection procedures. Articles 23 and 24 govern the handling of seized or copied materials and the data subject’s right to object. Article 25 grants the competent authority the power to impose sanctions on non-compliant non-governmental agencies, including prohibiting the collection, processing, or use of personal data, ordering the deletion of files, confiscating or ordering the destruction of illegally collected personal data, and publicizing the details of the violation. Article 26 stipulates that the inspection results may be publicized if no violation is found. As the existing PDPA already contains these supervisory norms for non-governmental agencies, these articles largely reflect adjustments made to accommodate the establishment of the PDPC.

A particularly noteworthy point is the question of “who” will oversee the supervision of non-governmental agencies after the PDPC’s establishment. Will the PDPC have the capacity to fulfill its duties and audit the vast number of both governmental and non-governmental agencies? Given the sheer volume, operational complexity, and diversity of non-governmental agencies, the practical feasibility of this seems low. Consequently, Draft Article 51-1 retains the current legal framework where the competent industry authority, the county (city) government, and the PDPC jointly supervise non-governmental agencies. This transitional arrangement aims to avoid excessive disruption caused by a hasty shift in supervisory powers and will remain in place until six years after the PDPC’s establishment, after which the PDPC will assume unified jurisdiction over non-governmental agencies.

VI. Where Is AI Application and Data Governance?

Despite the Executive Yuan touting “data governance for the era of comprehensive AI application” as a key theme of this amendment, a close examination of the draft amendments reveals a rather tenuous connection to AI application and data governance. Reviewing the provisions, the amendments focus almost entirely on institutional setup and traditional personal data protection oversight, with a conspicuous absence of specific regulations addressing the unique characteristics of AI applications or dedicated clauses on AI data governance.

In fact, the personal data challenges posed by AI applications are distinct. If this amendment truly aimed at “data governance for the era of comprehensive AI application,” it should have at least considered the following aspects:

  1. Specific regulations for automated decision-making and artificial intelligence systems.
  2. Requirements for algorithmic transparency and explainability.
  3. The legal basis and limitations for the use of AI training data.
  4. The application of data minimization and privacy by design principles in AI systems.
  5. Data governance frameworks and mechanisms for the allocation of responsibilities.

Issues such as the use of personal data in automated decision-making and model training, as well as personal data protection in AI-generated content, are all pertinent and necessitate corresponding regulations within the PDPA. However, these provisions are notably absent from the current draft amendments.

Furthermore, the current amendments make virtually no mention of the increasingly prominent issue of data governance. Data governance encompasses critical elements such as data quality management, data lifecycle management, and the assignment of data responsibilities, all of which are fundamental to ensuring the compliant operation of AI systems. While the draft amendments include pro

VII. Conclusion

The Executive Yuan has highlighted “AI” as a focal point in promoting this draft amendment. However, while the current revisions attempt to address the foundational task of establishing an independent supervisory mechanism as mandated by the Constitutional Court’s judgment, they notably lack a substantive connection to the deeper issues of AI application and data governance. If Taiwan truly intends to prepare for personal data protection in the age of AI, future legislative efforts or amendments specifically addressing the characteristics of AI will be necessary to fill the current regulatory void. After all, a robust personal data supervisory mechanism is only the first step; the real challenge lies in how to apply it to data governance within the AI environment.
