Cybersecurity regulations comparison > China | India | Indonesia

China is increasingly emphasising government sovereignty on cyberspace and data, rapidly evolving its cybersecurity and data regime, enacting numerous rules and policies, and formulating national standards for cybersecurity and data protection. Privacy rights and security principles are rooted in the PRC Constitution, Civil Code and National Security Law, grounded in three established pillars of law: the Cybersecurity Law (CSL), Data Security Law (DSL), and Personal Information Protection Law (PIPL).


Vincent Wang, Global Law Office
Vincent Wang
Global Law Office in Shanghai
Tel: +86 21 2310 9518
Email: [email protected]

Among those three pillar laws, the CSL is fundamental to cyberspace sovereignty, establishing the overall security framework. The DSL aims to protect the security of processed data, and PIPL is dedicated to regulating personal information processing.

The DSL and PIPL both claim extraterritorial power to protect data and personal information processed by infrastructure protected by the CSL. The DSL will punish any data processing outside the PRC if detrimental to national security or public interest, or the lawful rights and interests of any Chinese citizen or entity. Similarly, processing personal information outside the PRC for offering products or services to individuals or assessing the behaviour of individuals in the PRC needs to comply with the PIPL.


Businesses in China should also comply with specialised rules in specific industries and local data regulations. Continual efforts by various industrial regulators and local governments address cybersecurity, especially in medical and health, finance, automobile, and internet information services (such as algorithm recommendation services) locally and nationally.


The Cyberspace Administration of China (CAC) recently released long-awaited findings of a cybersecurity review against ride-hailing giant DiDi, resulting in a USD1.2 billion fine. The review was initiated before the revised Measures on Cyberspace Security Review came into effect on 15 February.

Since that revision, the scope of cybersecurity review has extended to specifically apply to network platform operators seeking overseas listing while processing personal information of more than a million users.

The review also applies to the procurement of network products or services by operators of critical information infrastructure, or data processing by operators of network platform operators, if national security is, or is likely to be, impacted.

Among those three circumstances triggering review, data processing by network operators is the most difficult to self-determine, as there is no explicit legal guidance about relevant factors. Seemingly, any big platform processing a large volume or various types of data may be subject to review.

To be safe, either don’t run a large network platform, or if you do, voluntarily apply for a cybersecurity review to receive notice of no further action. Otherwise, face a similar risk to huge academic research database China National Knowledge Infrastructure (CNKI), currently under review for national security reasons.


Multi-level protection requirements on information systems and networks are also updated under the CSL. Under the multi-level protection scheme (MLPS) regime, network application operators should assess their network applications and associated risks, with each application assigned a “security level” based on its nature, importance and severity of potential impact if compromised.

Levels range from one to five, and the higher the level, the more stringent the security requirements the operator should adopt. Subject to the security level, operators are required to get their network application assessments filed or assessed by the public security authority, and adopt appropriate security measures.


Zhao Xinyao, Global Law Office
Zhao Xinyao
Global Law Office in Shanghai
Tel: +86 21 2310 9516
Email: [email protected]

To safeguard data sovereignty, the CSL imposes data localisation requirements on critical information infrastructure operators. The DSL and PIPL stipulate that any request by a foreign judicial body or law enforcement authority for the provision of data or personal information stored in China is subject to prior approval by competent authorities.

The CAC Security Assessment Measures of Cross-border Data Transfer, which came into effect on 1 September, allow data processors a six-month transition period to comply. Previously, the CAC issued the draft Provision on the Standard Contract for Personal Information Cross-border Transfer, similar to the EU’s standard contractual clauses (SCCs). The National Information Security Standardisation Technical Committee (TC260) also released the Practice Guidelines for Cybersecurity Standards – Specification for the Security Certification of Personal Information Cross-Border Processing Activities, introducing a certification framework for cross-border data processing.

According to the measures, a CAC-led mandatory security assessment will be triggered under statutory situations prescribed in the CAC Security Assessment Measures of Cross-border Data Transfer.

By contrast, the security certification is expected to address frequent personal information transfers among subsidiaries or affiliates of the same corporate group, while the SCC will be the main tool for cross-border data transfers without needing prior CAC approval. However, given the low thresholds for security assessment, it likely will become the pervasive means to transfer cross-border data.


The DSL establishes a general requirement on data classification management and protection according to the importance of data to the national economy, national security, public interest and society, as well as the potential degree of harm in case of a security breach. A core data is the highest of the three-tier system, subject to strictest protection and expected to be determined by central government agencies.

Important data is in the mid-range. Industrial regulatory authorities and local governments will respectively define important data in various industries and administrative regions, and processors will follow the definition catalogue to determine the scope of their important data. But for now, there is only a draft national standard on important data identification, along with a preliminarily administrative regulation defining it in the auto industry, and a draft regulation in the industrial and information technology sectors. It may take a while for all core data and important data to be identified nationwide.


Estella Wang, Global Law Office
Estella Wang
Junior associate
Global Law Office in Shanghai
Tel: +86 21 2310 9519
Email: [email protected]

The PIPL provides comprehensive protection covering the entire processing cycle of personal information, requiring processors to take appropriate measures to ensure safety and imposing stricter requirements on processing sensitive information. Processors are required to obtain a lawful basis before processing any personal information, including a consent of data subjects and a variety of other lawful bases. They are also required to follow the principles of legality, legitimacy, necessity and good faith, comply with legal requirements, and retain relevant records to demonstrate compliance, or defend potential claims.

In addition, the PIPL grants data subjects comprehensive rights, both substantive and procedural, over their personal information, such as the right to know, decide, have portability and complain.


The pillar laws impose harsh criminal, administrative and civil liabilities against cybersecurity and privacy violations. For example, under the PIPL, illegal gains may be confiscated, with fines ranging from RMB1 million (USD142,000) to RMB50 million, or 5% of annual business turnover. The person directly in charge and other directly liable persons can be fined up to RMB1 million. The record-breaking DiDi fine is the most recent example. A draft proposal to amend the CSL with even steeper penalties was released for public comment on 14 September. Chinese prosecutors and courts are clearly more active over personal information protection and data-related crimes in civil and criminal cases.


The government believes the digital economy and data assets will be the next key competition area in the world, and is prioritising building, maintaining and defending sovereignty in cyberspace.

It can be reasonably expected that the development trend in the next three to five years will very likely present:

  • CSL enforcement, with MLPS 2.0 implementation, will be strengthened to establish a solid and secure base for cyberspace sovereignty;
  • DSL development, through data categorisation and classification, will be completed and fully implemented in all industries and administrative regions; and
  • The PIPL will continue to be localised by more judiciary enforcement against foreign entities, subject to the law.

The above trends and developments of the cyberspace security laws determine that there will be more administrative punishments, judicial review and extraterritorial enforcement efforts in the coming years. Therefore, multinational companies in China and offshore entities remotely interacting with China should keep a close watch on the legal, administrative and judicial developments and understand timely and clearly the relevant underlining statement of the development by working with qualified local counsels and making proper adjustments in its business operation for compliance purposes.

Global Law Office Logo

35 & 36/F Shanghai One ICC, No.999
Middle Huai Hai Road, Xuhui District
Shanghai, 200031, China
Tel: +86 21 2310 8288
Email: [email protected]

Several pieces of legislation, rules and sector-specific regulations govern India’s legal, regulatory and institutional framework for cybersecurity, promoting maintenance of security standards, defining cybercrimes and requiring incident reporting.


Nehaa Chaudhari, Ikigai Law
Nehaa Chaudhari
Ikigai Law in Bengaluru
Email: [email protected]

The Information Technology (IT) Act, 2000, is the primary legislation dealing with cybersecurity, data protection and cybercrime.

Its key features are:

  • Granting statutory recognition and protection to electronic transactions and communications;
  • Aiming to safeguard electronic data, information and records;
    Aiming to prevent unauthorised or unlawful use of computer systems; and
  • Identifying activities such as hacking, denial-of-service attacks, phishing, malware attacks, identity fraud and electronic theft as punishable offences.

Rules and regulations framed under the IT Act regulate different aspects of cybersecurity as follows:

  • Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (2013 rules), established the Computer Emergency Response Team (CERT-In) as the administrative agency responsible for collecting, analysing and disseminating information on cybersecurity incidents, and taking emergency response measures. These rules also put in place obligations on intermediaries and service providers to report cybersecurity incidents to the CERT-In.
  • Directions on information security practices, procedure, prevention, response and reporting of cyber incidents for a safe and trusted internet, issued in 2022 by the CERT-In, add to and modify existing cybersecurity incident reporting obligations under the 2013 rules.
  • Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI rules) require companies that process, collect, store or transfer sensitive personal data or information to implement reasonable security practices and procedures.
  • The Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code Rules, 2021) require intermediaries to implement reasonable security practices and procedures to secure their computer resources and information, maintaining safe harbour protections. Intermediaries are also mandated to report cybersecurity incidents to the CERT-In.
  • Information Technology (Information Security Practices and Procedures for Protected System) Rules, 2018, oblige companies that have protected systems – as defined under the IT Act – to put in place specific information security measures.

Other laws that contain cybersecurity-related provisions include the Indian Penal Code 1860, which punishes offences committed in cyberspace (such as defamation, cheating, criminal intimidation and obscenity), and the Companies (Management and Administration) Rules 2014 which require companies to ensure that electronic records and systems are secure from unauthorised access and tampering. There are also sector-specific rules issued by regulators and agencies, including the Reserve Bank of India, the Insurance Regulatory and Development Authority of India, the Department of Telecommunications, the Securities Exchange Board of India, the National Health Authority of India, among others, which mandate cybersecurity standards to be maintained by their regulated entities

Cybersecurity of critical information infrastructure (CII) – defined as any computer resource that can have a debilitating impact on national security, the economy, public health or safety if incapacitated or destroyed – is regulated by guidelines issued by the National Critical Information Infrastructure Protection Centre (NCIIPC).

Under the IT Act, the government may notify any computer resource that affects the facility of CII to be a protected system, prescribing cybersecurity obligations for companies handling protected systems. Designated CII sectors include transport, telecoms, banking and finance, power, energy and e-governance. Within these sectors, the appropriate authority can notify certain computer systems as protected systems. Sectoral regulators and agencies, including the Central Electricity Authority, have also formulated rules and guidelines on cybersecurity and CII.


Vijayant Singh, Ikigai Law
Vijayant Singh
Senior associate
Ikigai Law in New Delhi
Email: [email protected]

Since cybersecurity is a cross-cutting issue, India has a complex inter-ministerial and inter-departmental institutional framework for cybersecurity, with several ministries, departments and agencies performing key functions. For instance, the Ministry for Electronics and Information Technology (MeitY) deals with policy relating to IT, electronics and the internet, including cyber laws. It set up the CERT-In as a nodal agency for co-ordination and handling of cyber incident response activities.

The Ministry of Home Affairs looks at internal security, including cybersecurity. For this purpose, it has set up the cyber and information security division, comprising a cybercrime wing, cybersecurity wing and monitoring unit. To combat cybercrime, it also established the Indian Cyber Crime Co-ordination Centre in 2018. The NCIIPC, the nodal agency for CII, is set up under the National Security Adviser. The National Cyber Security Co-ordinator is the nodal officer for cybersecurity, functioning under the Prime Minister’s Office and co-ordinating with various agencies at federal level.


At the federal level, the IT Act places security obligations on organisations handling sensitive personal data. These are laid out in SPDI rules requiring companies to institute managerial, technical, operational and physical security control measures. The rules are also subject to ISO/IEC 27001 international standards on information security management, with body corporates subject to audit checks by an independent government-approved auditor at least once a year, or as and when they significantly upgrade processes and computer resources.

Sectoral regulators and nodal agencies also prescribe security measures. The Reserve Bank of India prescribes standards for banks, including setting a mechanism for dealing with and reporting incidents, cyber crisis management, and arrangements for continuous surveillance of systems and the protection of customer information. It also mandates banks to follow the ISO/IEC 27001 and ISO/IEC 27002 standards.

A similar framework is applicable to non-banking finance companies. The Securities Exchange Board of India requires stock exchanges, depositories and clearing corporations to follow standards such as ISO/IEC 27001, ISO/IEC 27002 and COBIT 5.


The 2013 rules require organisations to report incidents to the CERT-In within a reasonable time. Incidents include denial of service attacks, phishing and ransomware incidents, website defacements, and targeted scanning of networks or websites.

Anand Krishnan, Ikigai Law
Anand Krishnan
Senior associate
Ikigai Law in New Delhi
Email: [email protected]

In April 2022, the CERT-In issued a new directive modifying obligations under the 2013 rules, including requirements to report cybersecurity incidents within six hours, syncing system clocks to the time provided by government servers, maintaining security logs in India, and storing additional customer information. The IT Rules 2021 also require intermediaries to notify the CERT-In of security breaches as part of their due diligence obligations.

Various sector-specific reporting obligations also apply. For instance, in the financial services sector, every bank is required to report incidents within two to six hours of detection. Similarly, insurance companies must report cybersecurity incidents to the Insurance Regulatory and Development Authority within 48 hours of detection. Telecom licensees are required to establish a facility for monitoring intrusions, attacks and frauds on their technical facilities, and to provide reports of such incidents to the Department of Telecommunication.


Traditional criminal actions such as theft, fraud, forgery, defamation and mischief – all of which are covered under the Indian Penal Code, 1860 – might be included in cybercrimes. The IT Act addresses modern offences such as tampering, hacking, publishing obscene information, unauthorised access to protected systems, breach of confidentiality and privacy, and publishing false digital signature certificates. Sending threatening messages by email, defamatory messages by email, forgery of electronic records, cyber fraud, email spoofing, web-jacking and email abuse are also punishable offences.


The federal government, through the National Cyber Security Co-ordinator, is formulating a new national cybersecurity strategy. This aims to address certain gaps in India’s cybersecurity framework and enhance the country’s overall cybersecurity posture.

The government is also considering revamping the IT Act to align with advances in the global and domestic digital and technology environment. This may change the existing cybercrime, incident reporting, and security measures and standards framework.

Ikigai Law Logo

New Delhi | Bengaluru
Email: [email protected]

Various Indonesian government agencies and businesses are considering an emerging futuristic technology called the metaverse, a portmanteau of “meta” (meaning beyond) and “universe”, which promises to dramatically advance social connectivity via the internet, boosting virtual 3-D experiences from tourism and cultural exploration to interactive banking, consumer sales, office communication, education and daily life.

Danar Sunartoputra, Melli Darsa & Co
Danar Sunartoputra
Melli Darsa & Co in Jakarta
Tel: +62 815 9728 113
Email: [email protected]

One especially controversial aspect of this gradual convergence of digital and physical worlds, however, is its requirement for the collection of biometric data used as personal identification to bring out the individual’s natural character in this virtual metaverse. But the acquisition of biometric data is a sensitive issue, given its inherent vulnerability to potential threats, while Indonesia’s regulatory framework is limited with personal data protection and safeguarding against cyberattacks.

In this article, the authors discuss the existing framework and long-awaited Law No. 27 of 2022 on Personal Data Protection Law (PDP Law) recently came into force in Indonesia, and whether a more specific regulation on biometric data is needed in anticipation of the metaverse evolution.


The pandemic encouraged many enterprises to reconsider how to carry out their businesses more effectively. Not surprisingly, many turned online using digital meeting platforms such as video-conferencing, webinars and many other forms of internet communication. However, despite certain clear benefits, these also had limitations that are considered somewhat confining compared to more flexible experiences in the real world. Hence the metaverse emerged, bridging the metaphysical gap to answer those problems, offering real-life experiences in a virtual world through a replica of the physical realm where parties can more effectively socialise, attend meetings and participate in events through avatars representing themselves without a physical presence.

In Indonesia, as elsewhere, this metaverse provides many opportunities to improve and encourage the national economy and stakeholders have already begun to explore this virtual world to advance their business activities. Bank Rakyat Indonesia, one of the largest state-owned banks, has signed a memorandum of understanding to develop a metaverse ecosystem. This could, for example, provide new experiences and opportunities for customers to access virtual banking services. At the same time, although there would be costs in development, metaverse businesses could also reduce the cost of building physical offices.

Meanwhile, Indonesia’s Minister of Tourism and Creative Economy recently signed a collaborative plan to launch the “WonderVerse”, a metaverse platform to promote Indonesian tourism globally, with virtual space for local businesses to market their products virtually.

The metaverse is still emerging and evolving, and is far from the finished article. Development is at an early stage and even tech companies competing to create optimum ecosystems are still only forming a picture of what the completed metaverse will look like. While there are many ways to participate in the virtual world, one sensitive drawback already is uniformity of access. Submitting various kinds of data required to register user profiles, including biometric data, to ensure only authorised parties can access the system.


Indra Allen, Melli Darsa & Co
Indra Allen
Melli Darsa & Co in Jakarta
Tel: +62 811 1071 678
[email protected]

Indonesia’s original legislation that slightly concerns biometric data is Law No. 23 (2006) on citizenship administration, which was amended by Law No. 24 in 2013. This describes various kinds of personal data that must be protected, such as fingerprints and the iris of the eye, which are both types of biometric data. However, the law does not specifically define and provide up-to-date protection for biometric data. Until recently, there has been no regulation specifying biometric data, not even Law No. 11 (2008) on Electronic Information and Transaction, amended by Law No. 11 in 2016.

The recent PDP Law is the most important law regulating personal data with more significant, stringent and integrated protection. It classifies personal data into general and specific data, and biometric data as specific personal data, in a similar way the EU General Data Protection Regulation classifies biometric data as “sensitive”.

The PDP Law defines biometric data as relating to an individual’s physical, physiological or behavioural characteristics that can identify their uniqueness, such as facial recognition or dactyloscopy (fingerprint) data. It also explains the uniqueness and/or characteristics of a person that must be maintained and cared for, including but not limited to fingerprint records, eye retina scans and DNA samples.


Daniel Aryo Radityo, Melli Darsa & Co
Daniel Aryo Radityo
Senior Associate
Melli Darsa & Co in Jakarta
Tel: +62 813 1771 8778
Email: [email protected]

Although biometric data for identification is considered more secure than the password-based method, it remains very sensitive and high-risk, potentially exposing someone’s profile and characteristics vulnerable to cyber threats. There are many ways to hack biometric data, whether via cyberattack through an IT system or simply insider threats due to the level of access, and many other possibilities. For example, a high-resolution digital photo could be used to manipulate a face recognition system.

Articles 27 and 28 of the PDP Law legally require personal data controllers to perform personal data processing only in a limited and specific manner that is legally valid and transparent. This means that collection of personal data must be limited in accordance with its purpose of processing and explicitly determined at the time of collection.

Processing must be conducted in accordance with the applicable laws and regulations, and data subjects should be fully aware of how their personal data will be processed. In addition, article 34 emphasises that personal data controllers must also assess the impact on personal data protection if the data processing is considered high-risk to the subject.

Under article 58, the government takes the role of implementing the protection of personal data in accordance with the law through the establishment of a data protection institution that will be directly appointed by (and responsible to) the president. This institution will be mandated to carry out the formulation and stipulation of policies and strategies for personal data protection, supervision, administrative law enforcement, and facilitating dispute resolution outside the courts.

In short, the PDP Law formulates far more significant policies than before, where corporations will be subject among other things to hefty fines of up to 2% of annual income or revenue for failure to notify the data subject and authority on a data breach within 72 hours. While some may argue the 2% fine is considered low for large corporations, given the sensitive nature of biometric data, businesses should anticipate and be ready for this very short notification period compared to the previous 14 days’ notice.


The metaverse might indeed be one of the answers to strengthening the digital economy in Indonesia. However, alongside increasingly advanced technology today, cyberattacks are not expected to stop. Biometric data, as an integral part of the metaverse, is and always will be very sensitive and high-risk information that needs special attention. The PDP Law is seen to have set more specific regulations for biometric data protection, where the processing must be carried out strictly and in a very limited manner. As the world expects the use of more advanced technology will continue to evolve in today’s business landscape, it will be interesting to see how the current laws and regulations effectively stand at the forefront, as guardians at the gate.

While the PDP Law mandates the establishment of an authority governing data protection, it also remains to be seen whether such an authority will be fully independent. It may be worth considering establishing an independent biometric data monitoring function, with the highest standard of supervisory functions, regulating standards for the acquisition, processing, supervision and destruction of biometric data to prevent future cyber threats.

Finally, it is also important that law enforcers have sufficient capability and capacity (including advanced technical support) to ensure that any violations of personal data protection are investigated and punished in accordance with the law to create a formidably strong deterrent effect, since it is almost impossible to undo the damage once personal data are unlawfully leaked.

Melli Darsa & Co Logo

Indonesian member law firm of PwC global network
World Trade Center III
Jl Jenderal Sudirman Kavling 29-31, Kuningan
South Jakarta – 12920, Indonesia
Tel: +62 21 521 2901
Email: [email protected]

Websites of major Taiwanese government agencies and large companies frequently face cyberattacks and, in response, the Executive Yuan (cabinet) has just established a brand new agency overseeing and regulating cybersecurity, the Ministry of Digital Affairs (MoDA).

Commencing operations on 27 August, the MoDA also oversees overall digital developments including e-commerce, electronic signatures, e-government and data governance, among others.


Tseng Ken-Ying, Lee and Li
Tseng Ken-Ying
Lee and Li
Tel: +886 2 2763 8000 ext. 2179
Email: [email protected]

The Cybersecurity Management Act is the primary legislation governing cybersecurity in Taiwan. But the act only applies to government agencies and specific non-government agencies including critical infrastructure providers, state-owned businesses and government-sponsored foundations.

Other than specific cybersecurity requirements applicable to specific industry sectors such as financial institutions or telecommunications operators, there are no cybersecurity requirements generally applicable to all non-government entities.

All agencies subject to the act must establish and implement their own cybersecurity maintenance plans according to their cybersecurity responsibility levels, and set up a reporting and response mechanism for cybersecurity incidents.

Cybersecurity incidents must be reported within one hour of discovery, and all measures for damage control or recovery must be completed within 36 to 72 hours of discovery, depending on the severity level.

The act further authorises central competent authorities in charge of the relevant industries to promulgate regulatory guidelines on cybersecurity matters for specific non-government agencies under their supervision, in which relevant requirements under ISO/IEC 27001 international standards on information security management are referred to and recommended.

To strengthen cybersecurity safeguards, the Executive Yuan also stipulated guidelines restricting government agencies, public schools, state-owned businesses and administrative legal persons from using information and communications technology products that may endanger national cybersecurity. Government agencies are also required to urge critical infrastructure providers and government-sponsored foundations under their supervision to comply with the guidelines.

Under points 3 and 4 of the guidelines, the Executive Yuan may announce a list of banned brands of information and communications technology products and services that relevant entities shall not procure or use.

Following a recent hacking incident involving electronic signage, the Ministry of Economic Affairs promulgated guidelines on the cybersecurity management of on-premises electronic signage that prohibit electronic signage from using any Chinese-developed software and require that business operators avoid using Chinese-made electronic signage.


Vick Chien, Lee and Li
Vick Chien
Associate partner
Lee and Li
Tel: +886 2 2763 8000 ext. 2214
Email: [email protected]

Different cybercrime acts violate different Taiwanese laws, mainly including but not limited to the following:

  • Articles 358 to 362 of the Criminal Code prohibit certain types of cybercrime such as: hacking into someone else’s computer and/or ancillary equipment without justification; obtaining, deleting or altering any electromagnetic records stored in the computer and/or ancillary equipment without justification (such as phishing); interfering with someone else’s computer and/or ancillary equipment without justification by using any computer program or other electromagnetic technology (such as denial-of-service attacks or malware); and creating any computer program specifically to commit these offences.
  • Other relevant articles in the code are: article 210 (offence of forgery); articles 309 to 313 (offences against reputation and credit); article 315 or article 318-1 (offences against privacy); article 339-3 (offence of fraudulence); article 346 (offence of extortion); and article 352 (offence of destruction and damage of property).
  • Articles 41 and 42 of the Personal Data Protection Act, meanwhile, address the offence of personal data infringement; articles 92 and 93 of the Copyright Act counter copyright infringement; article 56 of the Telecommunications Act outlaws unauthorised access or use of another person’s telecoms facilities; and article 24 of the Communication Security and Surveillance Act outlaws illegal communication surveillance.

Any activity that adversely affects or threatens cybersecurity may be deemed as constituting one or more criminal offences, as listed above, depending on the actual facts concerning such activity.

The criminal offences apply to conduct and/or persons, or place of cybercrime, within the territory of Taiwan, and Taiwan courts have jurisdiction.


Winona Chen, Lee and Li
Winona Chen
Associate partner
Lee and Li
Tel: +886 2 2763 8000 ext. 2328
Email: [email protected]

The Personal Data Protection Act is the general statute regulating the collection, processing and use of personal data in Taiwan.

On data breach notification, article 12 of the act stipulates that if there is an incident under which personal data is stolen, disclosed, altered or infringed, the data controller is required to notify the affected data subjects in an appropriate manner after investigating the incident.

As for data security obligations, paragraph 1, article 27 of the act requires data controllers to have appropriate measures in place to prevent personal data from being stolen, altered, damaged, destroyed, lost or disclosed.

Paragraph 2, article 12 of the enforcement rules of the act further provides certain technical and organisational measures that data controllers may consider adopting based on the principle of proportionality, i.e., based on the quality and quantity of the personal data involved.

Strictly speaking, neither the PDPA nor its enforcement rules mandatorily require data controllers to have certain security measures in place. It is up to a data controller’s discretion whether to adopt a specific security measure.

Nonetheless, according to paragraph 2, article 27 of the act, the central competent authorities may designate one or more industry sectors under their supervision, and require them to set up a security maintenance plan for personal data files.

To urge ministries and commissions to implement supervision of non-government agencies under their watch, the Executive Yuan has convened and hosted regular collaborative meetings since 2020.

A meeting resolution dated 3 February 2021, to ensure consistent reporting and the timeline for data breaches, explicitly required ministries and commissions to amend their existing data protection regulations for specific industry sectors under their supervision, thereby requiring non-government agencies to report data breaches to central competent authorities within 72 hours, by using reporting forms provided.

In August 2021, the Executive Yuan further stipulated collaborative practice guidelines on the implementation of personal data protection that required ministries and commissions to amend their existing data protection regulations for specific industry sectors under their supervision, thereby requiring non-government agencies using IT systems to collect, process or use personal data to adopt additional measures to ensure information security.

The guidelines also required ministries and commissions to review the necessity of stipulating new data protection regulations for specific industry sectors under their supervision regularly, taking into consideration the scale of non-government agencies, the quantity or nature of personal data they retain, the potential impact on data subjects as a result of data breach, the frequency of cross-border data transfer, and other factors.


Sam Huang, Lee and Li
Sam Huang
Senior attorney
Lee and Li
Tel: +886 2 2763 8000 ext. 2360
Email: [email protected]

In Taiwan, directors bear a fiduciary duty to the company and will be held liable if they breach this duty. But a company’s failure to prevent, mitigate, manage or respond to a cybersecurity incident may not necessarily conclude that its directors have breached their fiduciary duty.

Rather, it would depend on whether the incident should have been reported to the board of directors, and whether the board would be required to take any action.

On the other hand, Taiwan law does not require a company to appoint a chief information security officer (CISO), except in specific industry sectors such as financial institutions.

However, the Financial Supervisory Commission now requires the following companies listed on the Taiwan Stock Exchange (TWSE) or the Taipei Exchange (TPEx) to designate a CISO, responsible for implementing information security policy and establish a department with at least an officer and two staff members dedicated to information security before 31 December 2022: Companies with paid-in capital of NTD10 billion (USD325.2 million) or more; those constituting the TWSE Taiwan 50 Index at the end of the previous year; and companies mainly conducting e-commerce.

Other TWSE or TPEx listed companies are given more leeway, requiring them to have a CISO with at least one staff member dedicated to information security before 31 December 2023 unless they have sustained losses in the past three years, or their net value per share is lower than the par value per share.

Lee and Li Logo

8/F No.555, Sec. 4, Zhongxiao E. Rd.
Taipei – 11072, Taiwan
Tel: +886 2 2763 8000
Email: [email protected]