
A Discussion on Corporate Data Governance Prompted by iRent’s Excessive Personal Data Collection and Usage Incident

2025/01/09

On January 7, 2025, the Consumers’ Foundation held a press conference pointing out that iRent (the car rental division of Hotai Motor Co., Ltd.) collected excessive personal data in its rental terms and required consumers to agree to share their personal data with affiliated companies, potentially violating the Personal Data Protection Act. The competent authority for car rental services, the Directorate General of Highways, dispatched personnel from the Taipei City Motor Vehicles Office to conduct an administrative inspection. They determined that the reasonableness and necessity of these terms were not clear and required iRent to improve. Hotai Motor also shut down the joint marketing data system function within the group. This reflects an unreasonable expectation that many large enterprises have held in the past—that data can be collected once and then applied across all “affiliated companies.” Without an appropriate corporate data governance framework, violations of the Personal Data Protection Act commonly emerge at every stage, from service planning to data management architecture. Let’s first look at the United Daily News’s initial report on this incident:

[iRent Shares Personal Data with Affiliated Companies, Directorate General of Highways: Reasonableness and Necessity Unclear]

2025-01-08 20:02 United Daily News / Reporter Zhou Xiang-Yun / Taipei Real-time Report

The Consumers’ Foundation yesterday pointed out that Hotai Motor’s iRent car rental terms collected excessive personal data, and the sharing and usage targets included affiliated companies and future partners, potentially involving illegality. The Directorate General of Highways’ Taipei City Motor Vehicles Office today dispatched personnel to Hotai Motor to conduct an administrative inspection. Although data sharing had obtained parties’ consent, its reasonableness and necessity were not clear. To avoid controversy, Hotai Motor committed to immediately shut down the joint marketing data system function within the group.

The Consumers’ Foundation stated yesterday that consumers renting iRent cars must accept Hotai Motor’s unilateral, unfair terms, handing over personal data to be shared among multiple affiliated companies. They argued that this behavior was not only domineering but also suspected of being illegal, calling on the competent authority, the Ministry of Transportation and Communications, to face up to the gray area of enterprises widely collecting consumer personal data and to protect consumer rights.

The Directorate General of Highways’ Taipei City Motor Vehicles Office this morning, together with information technology and ethics personnel and the outsourced information vendor Da Vinci Personal Data & High-Tech Law Firm, conducted an administrative inspection of Hotai Motor. Regarding Hotai Motor’s sharing of consumer personal data with affiliated companies, although the parties’ consent had been obtained, its reasonableness and necessity were not clear. To avoid controversy, Hotai Motor committed to immediately shut down the function of uploading consumer personal data to the group’s joint marketing data system.

Why would there still be problems under the Personal Data Protection Act even with the parties’ consent, even written consent? The answer lies in Article 19 of the Personal Data Protection Act: “A non-government agency’s collection or processing of personal data, except for the data prescribed in Paragraph 1 of Article 6, shall have a specific purpose and meet one of the following conditions: … 5. Consent is obtained from the party concerned.” In theory, although there is no contractual or quasi-contractual relationship between the affiliated companies under Hotai Motor and consumers of the iRent car rental service, “consent from the party concerned” is indeed a lawful basis for obtaining personal data. But note that besides obtaining the parties’ consent, Article 19 imposes another requirement: the collection “shall have a specific purpose.” If car rental services are provided by Hotai Motor Service Co., Ltd., then what is the “specific purpose” for which other affiliated companies of Hotai Motor obtain car rental consumers’ personal data? Judging from the news reports, since Hotai Motor shut down the joint marketing system, that specific purpose must have been “marketing.” If Hotai Motor Service Co., Ltd. had also clearly stated this purpose in the iRent consumer car rental service terms, would it have met the legal requirements?

Of course not. Article 5 of the Personal Data Protection Act stipulates: “The collection, processing, or use of personal data shall respect the rights of parties concerned and be conducted in good faith and credible methods. It shall not exceed the necessary scope of the specific purpose and shall have legitimate and reasonable relevance to the purpose of collection.” In other words, even if the arrangement formally appears to meet the requirements of Article 19, the “marketing” purpose must still have legitimate and reasonable relevance to the original collection. Does Hotai Motor Service Co., Ltd.’s provision of the iRent service have legitimate and reasonable relevance to joint marketing conducted with affiliated companies of the Hotai Group? Any reasonable person would conclude that it does not. This is a textbook case of use beyond the original purpose of collection. Consumers could even argue under Article 247-1 of the Civil Code that such standardized contract terms place consumers at a significant disadvantage, are obviously unfair, and are therefore invalid. Furthermore, excessive collection neither “respects the parties’ rights” nor is conducted in “good faith and credible methods.” A violation of Article 5 also constitutes illegal collection, processing, and use of personal data. Additionally, if consumers are required to fill in excessive personal data when applying for iRent services, that requirement may itself violate Article 5 for lack of legitimate and reasonable relevance.

Why would such obvious violations of the Personal Data Protection Act appear in a well-known enterprise like Hotai Motor? Fundamentally, it is due to the lack of a corporate data governance framework. For example, which unit or supervisor should be held responsible for the violation that surfaced in this news event? Looking at Hotai Motor Service Co., Ltd., the personnel responsible for designing the service terms presumably felt they were acting on the entire group’s common expectation. They were merely cooperating by adding terms to the iRent car rental service terms that, although not very fair to consumers, consumers would still accept in order to rent a car. What’s wrong with that? The Hotai Group’s practice of collecting personal data from all affiliated companies’ services, and even placing it in a single database for joint marketing use so that the marketing department can obtain more first-hand personal data, also serves the collective interests of all group-affiliated companies. Can the marketing department’s supervisors be held responsible? Probably not. So who made the final decision back then? Possibly no one at all. Because everyone felt it was necessary, they naturally did it this way. So who should be responsible now?

A corporate data governance framework is essential for allocating authority and responsibility: with authority comes responsibility, and both should be matched with sufficient resources. Traditionally, personal data management has emphasized the PDCA (Plan-Do-Check-Act) management cycle, and from a management perspective the responsible units can carry out that cycle starting from the planning stage. But not every unit has sufficient personal data training. When individual service units plan the collection, processing, and use of personal data, they tend to apply group-wide interest thinking directly, lacking a cross-departmental mechanism that judges each decision against the basic compliance requirement that corporate data must be “legal” from the moment of collection. In the data economy era, data is a very important corporate operational “resource,” but it is also a major source of corporate risk that must be addressed at the corporate governance level, because violating the Personal Data Protection Act is itself a manifestation of poor corporate governance.

In fact, a Google search for “iRent” and “personal data” shows that iRent already experienced an incident in 2023 in which up to 400,000 personal data records were leaked, for which it was fined by the Directorate General of Highways. It was even discovered that iRent had no complete personal data file security maintenance plan at that time. See the following Central News Agency report:

[iRent Personal Data Leak of 400,000 Records Not Improved by Deadline, Directorate General of Highways Fines NT$200,000]

2023/2/9 10:01 (Updated 2/24 19:27)

(Central News Agency reporter Yu Xiao-Han, Taipei, February 9) After Hotai Motor’s iRent was exposed for a personal data leak, the Ministry of Transportation’s Directorate General of Highways said today that its inspection found iRent had leaked as many as 400,000 records—a serious situation. It fined the operator NT$200,000 and required it to implement the Personal Data Protection Act regulations. If the situation is not improved, fines can be imposed repeatedly.

Foreign technology media outlet TechCrunch reported on January 31 that a security researcher discovered a database on Hotai Motor’s cloud server without password protection. iRent customer names, phone numbers, email addresses, home addresses, driver’s license photos, and specially processed card payment data could be viewed by anyone who knew the IP address.

If Hotai Motor had a reasonable data governance framework, it would have had the opportunity to recognize that these various news events are just the tip of the iceberg of absent corporate data governance. Returning to the current news event, what should be done now is not merely to settle this individual dispute quietly, but to comprehensively examine whether Hotai Motor and its affiliated companies still engage in other behaviors that violate the Personal Data Protection Act. They should then determine whether already collected data can be separated back to its sources (once mixed, data is sometimes very difficult to separate again). If it can be separated, illegal processing and use should stop immediately. If it cannot be separated, how should this mixture of legally and illegally obtained data be handled, and are there appropriate remedies? For the affiliated companies of Hotai Motor’s rental business, or indeed the entire Hotai Group, it is implausible that only the iRent car rental service has this problem while the other affiliated companies’ services do not. Any entity that has conducted joint marketing needs to re-examine the legality of its data use. Whether the competent authorities for Hotai Motor and its affiliated companies’ other services, or the Personal Data Protection Commission (Preparatory Office), will take further action remains to be seen.
