In the past three years alone, Taiwan’s “Personal Data Protection Act” (PDPA) has undergone two major amendments, leading many corporate legal counsels and business owners to ask: “Why amend it again so soon after the last one?” In fact, the objectives of these two amendments are distinctly different and progressive. If the 2023 amendment was an “emergency tourniquet” to address the storm of fraud (deterrence through heavy fines), then the 2025 amendment is a “structural transformation” to respond to constitutional requirements (establishing an independent supervisory system). This article will outline this critical evolutionary process of the law. 

1. Phase One: The May 31, 2023 Amendment — “Heavy Fines” First 

Looking back at the context of the 2023 amendment, it was primarily a response to the rampant fraud cases and frequent personal data leaks that created significant social pressure at the time. The focus of the amendment then was on “increasing penalties” and “announcing the change of the competent authority.” 

According to the amended Article 48 at that time, if a non-government agency failed to implement appropriate security maintenance measures and failed to correct the issue within a specified period, or if the violation was severe, the maximum administrative fine was significantly increased from the original NT$200,000 to NT$15 million. This made enterprises feel the financial impact of data privacy violations for the first time, realizing it was no longer just an administrative cost that could be settled with a small fine. Additionally, Article 1-1 was added to explicitly designate the “Personal Data Protection Commission” (PDPC) as the competent authority for the first time, paving the way for subsequent independent supervision. 

2. Phase Two: The November 11, 2025 Amendment — “Comprehensive Supervision” in Place 

If the first phase was to “stop the bleeding,” the second phase is to “cure the root cause.” The Executive Yuan proposed the draft on March 27, 2025, which passed its third reading in the Legislative Yuan on October 17 of the same year and was officially promulgated on November 11. The core driving force behind this amendment came from Constitutional Court Judgment No. 13 of 2022 (the National Health Insurance Database Case), in which the Justices explicitly pointed out that the old law lacked an “independent supervisory mechanism.” 

Therefore, the focus of the 2025 amendment lies in “empowering the PDPC with substantive supervisory authority” and “completing the supervisory mechanism for both public and private sectors.” The main changes are as follows: 

  1. Establishing the Authority of the Independent Agency and Designing a “Transition Period” (Amending Art. 1-1, Art. 51-1): The new law establishes the PDPC as the independent supervisory authority. However, considering that the supervisory resources of the PDPC are not yet fully equipped in its early stages, legislators designed a specific “6-year transition mechanism.” Industries that currently do not have a clear competent authority will be directly supervised by the PDPC. Those with a clear existing competent authority (such as the financial industry) will temporarily maintain the status quo, subject to review every two years, to gradually achieve unified authority. 
  2. Strengthening Notification Obligations (Amending Art. 12): The old law only required notifying the data subject after the facts were “ascertained.” The new law amends this to a stricter dual obligation of “notifying the data subject” and “reporting to the competent authority.” As soon as an enterprise becomes “aware” that a personal data incident (including theft, alteration, damage, loss, or leakage) has occurred, the notification procedure must be initiated. Enterprises are no longer allowed to delay on the grounds that they are “still conducting an internal investigation.” 
  3. Adding Administrative Inspection Powers (Amending Art. 22): Under the old law, inspections often required a suspicion of violation to be initiated. The new law empowers the competent authority to proactively initiate administrative inspections whenever it “deems necessary” to review the enterprise’s compliance with the PDPA. Inspection powers include requiring the provision of data, entering premises for inspection, and even seizing or copying evidence. Enterprises must not evade, obstruct, or refuse such inspections without justifiable cause. 
  4. Strengthening Public Sector Supervision (Amending Art. 18): A provision was added requiring government agencies to appoint a “Data Protection Officer,” concurrently held by appropriate personnel assigned by the head of the agency, to implement a culture of personal data protection through a “top-down” approach. Although this article directly regulates government agencies, it will serve as an important reference indicator for the future appointment of dedicated personnel in “large enterprises” within the private sector. 

3. Conclusion: The New Normal of Corporate Compliance 

Although the provisions of the new law were promulgated in November 2025, enterprises must note that the official enforcement date of the new law has not yet been determined. According to the Preparatory Office of the PDPC, since the formal establishment of the PDPC awaits the completion of the legislative process for the “Organic Act of the Personal Data Protection Commission,” the Executive Yuan will designate the enforcement date separately, pending the progress of the Organic Act’s deliberation and relevant administrative preparations (such as the formulation of subsidiary regulations). 

However, the trajectory of amendments from 2023 to 2025 shows that the state’s attitude towards personal data protection has shifted from reactive “punishment of violations” to proactive “systematic supervision.” With the successive announcements of drafts for the common basic version of the “Regulations on Security Maintenance,” future compliance will be concretely implemented into details such as “72-hour notification” and “regular drills.” Enterprises that remain stuck in the mindset of the old law are extremely likely to be caught off guard once the new law comes into effect. 

Our firm possesses extensive experience in corporate personal data legal affairs and compliance implementation. If your company has any questions regarding adapting to the new law, formulating security maintenance plans, or handling personal data and cybersecurity incidents, please feel free to contact us at any time. Our team of professional lawyers will provide you with tailored solutions. 


Special Note: The draft subsidiary regulations mentioned in this article (such as the Regulations on Security Maintenance, Regulations on Incident Notification, etc.) are pre-announcement versions released by the Preparatory Office of the Personal Data Protection Commission between January and February 2026. As of the time of writing, they are in the public comment phase, and the official provisions may be further adjusted based on feedback from various sectors. Readers are advised to stay updated on the latest regulatory developments.

© Copyright – Stellex Law Firm | designed by Morcept