Today, as big data analysis and AI applications become increasingly prevalent, many enterprises hold a misconception: “I have already masked customers’ names and ID numbers, or replaced them with codes, so this shouldn’t count as personal data, right?” Addressing this issue, Article 17 of the draft amendments to the “Enforcement Rules of the Personal Data Protection Act,” which accompany this legislative amendment, incorporates the spirit of the Constitutional Court’s judgment to set a stricter definition. This article analyzes where this invisible “red line” lies.
1. Background of Amendment: The Constitutional Court’s Constitutional Reservation on “Big Data”
The amendment to the Enforcement Rules of the PDPA is primarily a response to Constitutional Court Judgment No. 13 of 2022 (the National Health Insurance Database Case). In that case, the Justices explicitly pointed out that with the advancement of modern information technology, even if data has been processed, objectively there remains the possibility of “indirectly identifying” specific persons by restoring codes or linking with other data. As long as such a possibility exists, the data still belongs to personal data protected by the Constitution and must be subject to strict legal regulation.
2. Analyzing the New Definition: What Constitutes “Unidentifiable”?
According to Article 17 of the draft amendments to the “Enforcement Rules of the Personal Data Protection Act,” the term “unable to identify specific data subjects” refers to personal data that, after processing, “using technological methods existing at the time, renders the personal data, based on its manner of presentation, at least unable to directly identify specific natural persons.”
Based on the above provisions, personal data can be divided into three levels in practice:
- Direct Identification: Such as names, ID numbers, etc.
- Pseudonymization: This is the area most commonly misunderstood by enterprises. For example, replacing a name with “User_001,” but the enterprise still retains a mapping table (Key) internally that can restore “User_001” to “John Doe.” According to the spirit of the new Act and the Judgment, pseudonymized data is still personal data, and its collection, processing, and use must still obtain the data subject’s consent or comply with statutory grounds (such as a contractual relationship).
- Anonymization: Refers to data that, after processing, is permanently and irreversibly unable to identify specific individuals, and cannot be restored by any means (including by combining it with other datasets). Only when this standard is met is the data considered “not personal data,” and enterprises are free to use or sell it commercially.
When enterprises conduct data analysis or cooperate with third parties (such as ad placement, data exchange), they must clarify whether the data in hand is “pseudonymized” or “anonymized.” If it is the former, please ensure there is a legal basis for use; otherwise, it constitutes illegal use of personal data.
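The distinction above can be made concrete in code. The following Python example is added here for illustration and is not part of the original article or any firm's tooling; the records, the HMAC key and the field names are constructed. It shows that a “User_xxx” code is reversible by whoever holds the mapping table, and that even without that table a record can be indirectly identified when its remaining attributes (postcode, birth year) are unique and could be linked with another dataset, which is the kind of check a technical de-identification assessment has to include.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records; the names and ID numbers are not real people.
RECORDS = [
    {"name": "Alice Chen", "id_number": "ID-0001", "postcode": "10048", "birth_year": 1985, "diagnosis": "flu"},
    {"name": "Bob Lin", "id_number": "ID-0002", "postcode": "10049", "birth_year": 1987, "diagnosis": "asthma"},
    {"name": "Carol Wu", "id_number": "ID-0003", "postcode": "10048", "birth_year": 1985, "diagnosis": "flu"},
    {"name": "Dan Huang", "id_number": "ID-0004", "postcode": "10051", "birth_year": 1989, "diagnosis": "diabetes"},
]
QUASI_IDS = ("postcode", "birth_year")  # attributes that other datasets may also carry


def pseudonymize(records, key):
    """Replace name and ID number with a keyed code; return rows plus the mapping table."""
    rows, mapping = [], {}
    for r in records:
        code = "User_" + hmac.new(key, r["id_number"].encode(), hashlib.sha256).hexdigest()[:8]
        mapping[code] = r["name"]  # the retained table is what keeps this data "personal"
        rows.append({"code": code, "postcode": r["postcode"],
                     "birth_year": r["birth_year"], "diagnosis": r["diagnosis"]})
    return rows, mapping


def reidentify(rows, mapping):
    """Whoever holds the mapping table restores every name: pseudonymization is reversible."""
    return {row["code"]: mapping[row["code"]] for row in rows}


def singletons(rows, quasi_ids=QUASI_IDS):
    """Codes whose quasi-identifier combination is unique in the dataset (k = 1).

    Such records remain indirectly identifiable by linking with any other data
    that carries the same attributes, even if the mapping table is destroyed.
    """
    counts = Counter(tuple(r[q] for q in quasi_ids) for r in rows)
    return [r["code"] for r in rows if counts[tuple(r[q] for q in quasi_ids)] == 1]


def generalize(rows):
    """Coarsen quasi-identifiers (postcode prefix, birth decade) so no record stands alone."""
    return [dict(r, postcode=r["postcode"][:3], birth_year=r["birth_year"] // 10 * 10) for r in rows]


if __name__ == "__main__":
    rows, table = pseudonymize(RECORDS, b"constructed-demo-key")
    print("reversible with table:", reidentify(rows, table))
    print("unique before generalization:", singletons(rows))
    print("unique after generalization:", singletons(generalize(rows)))
```

Passing the generalization step does not by itself make the data “anonymized” in the legal sense; it only removes one re-identification route, and the assessment still has to consider the mapping table and other available data.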
3. Shift in Compliance Strategy: Dual Verification of Technology and Law
Facing the high standards set by the new Act for “unidentifiable,” simple data masking is no longer sufficient to avoid legal risks. When enterprises introduce so-called “Privacy Enhancing Technologies” (such as Differential Privacy, Federated Learning), they must realize that technology is only the means, and compliance is the goal.
Using advanced tools does not automatically mean the data has been “anonymized.” Enterprises must conduct a legal-level “De-identification Verification,” i.e., prove through professional assessment that, at the current level of technology, the data is “unable to identify” specific data subjects, before they can claim that the data falls outside the PDPA.
Therefore, future data governance strategies should not rely solely on the IT department procuring software; instead, the legal department should intervene to conduct compliance reviews on data processing flows to ensure the legal foundation of data use.
4. Series Conclusion: From “Regulatory Compliance” to “Sustainable Trust”
Looking back at this column series, from the heavy fines in 2023 and the establishment of the independent agency in 2025 to the detailed norms for notification, security maintenance, and inspection in various draft subsidiary regulations, Taiwan’s personal data legal system has officially entered the “deep water zone.”
Facing this transformation, enterprises should not view it merely as a “compliance cost” but as a key component of “Data Governance” and “ESG Sustainable Operations.” Establishing a comprehensive personal data protection system not only avoids huge fines but also builds consumer trust, becoming a competitive advantage in the digital economy era.
Our firm relies on extensive experience in corporate personal data legal affairs and has assisted various industries in building compliance systems. If your company needs a professional partner on the road to data governance, please feel free to contact us at any time. Our team of professional lawyers will tailor robust compliance solutions for your enterprise.
Special Note: The draft subsidiary regulations mentioned in this article (such as the draft amendments to the Enforcement Rules, etc.) are pre-announcement versions released by the Preparatory Office of the Personal Data Protection Commission between January and February 2026. As of the time of writing, they are in the public comment phase, and the official provisions may be further adjusted based on feedback from various sectors. Readers are advised to stay updated on the latest regulatory developments.