In the past, when a cybersecurity incident occurred in an enterprise, the most common defense strategy for legal departments was to argue: “According to Article 12 of the old Act, notification is required only when personal data is infringed ‘due to a violation of this Act.’ We are currently investigating whether there was a violation, or confirming the causal link between the hacker attack and any violation on our part.” Such delaying tactics based on “clarifying legal liability,” using “presence of negligence” as a shield against initiating notification procedures, will become completely ineffective following the 2025 amendment.
Article 12 of the new “Personal Data Protection Act” introduces a critical change: the removal of the prerequisite “violation of this Act.” This means that the trigger for the notification obligation no longer depends on whether the enterprise was “negligent” or “illegal,” but on the objective fact of whether a personal data incident “occurred.” This amendment transforms passive notification into a mandatory dual obligation and introduces the international standard of a “72-hour reporting mechanism.” This article analyzes this compliance challenge, which is a race against time.
1. Return to Objective Facts: “Violation of Law” is No Longer a Prerequisite
First, enterprises must rebuild their understanding of incident reporting. Paragraph 1, Article 12 of the new Act explicitly stipulates that as long as the personal data held is subject to “theft, alteration, damage, destruction, or leakage,” it constitutes a reportable personal data incident.
The focus of this amendment lies in “decoupling liability from facts”:
- Triggered by Objective Occurrence: In the past, enterprises often refused to report on the grounds that “I am a victim of a hacker attack, and I myself have not violated the PDPA.” Once the new Act comes into effect, however, as long as an incident occurs, the reporting procedure must be initiated immediately, even if the enterprise believes it has done everything perfectly and has not violated any security maintenance regulations.
- No Hiding Place for Ransomware: In the past, enterprises could argue that a common ransomware attack, which encrypts and locks data (destruction) or changes it (alteration), was not a “leak” and was not caused by the enterprise’s own violation of the law, and therefore did not report it. Under the new framework, such incidents infringing on data availability and integrity are objectively reportable incidents.
Therefore, corporate legal counsels and CISOs must review internal incident response flows, removing the judgment of “legal attributability” from the reporting decision-making process and adopting “objective facts” as the sole initiation standard.
2. Dual Obligations: “Notify” the Data Subject, “Report” to the Competent Authority
The new Act clearly divides post-incident responsibilities into two parallel lines of obligation, with distinct purposes and targets:
- Notify the Data Subject: According to Paragraph 1, Article 12 of the new Act, upon becoming aware of an incident, the enterprise should notify the data subjects (e.g., customers, employees) in an appropriate manner. The purpose is to alert the data subjects (e.g., to change passwords immediately, cancel credit cards) so they can safeguard their own rights.
- Report to the Competent Authority: According to Paragraph 2, Article 12 of the new Act and Article 3 of the draft “Regulations on Notification, Reporting, and Response to Personal Data Incidents,” reporting to the competent authority (PDPC) is mandatory when specific thresholds are met. This is to allow the supervisory authority to grasp the situation and intervene for investigation or assistance as appropriate.
3. The Golden 72 Hours: A Pressure Test Where Every Second Counts
The most stressful aspect for enterprises is undoubtedly the time limit. According to Articles 2 and 3 of the draft “Regulations on Notification, Reporting, and Response to Personal Data Incidents,” the deadline for both notifying the data subject and reporting to the competent authority is “within 72 hours of becoming aware.”
These 72 hours are calendar hours, not business hours, and holidays count. Within these short three days, the enterprise must complete a preliminary investigation, confirm the scope of impact, activate response measures, and fill out a reporting form containing 8 major items such as the cause of occurrence, damage status, and response measures.
What if the enterprise really cannot make it in time? The draft allows that in cases of “justifiable cause” (such as natural disasters or technical inability to immediately ascertain facts), the enterprise may first explain the reason to the competent authority and supplement the notification or report within 72 hours after the cause ceases to exist. However, the enterprise must still react immediately and cannot delay without cause.
4. What if Contact is Impossible? The “Public Announcement” Exception
If a large-scale personal data incident occurs, it may be difficult to notify hundreds of thousands of members individually, or the contact information itself may have been lost. Article 2 of the draft provides flexibility: when there are circumstances such as “contact information is unidentifiable” or “excessive cost affecting operations,” enterprises may notify via public means such as the internet (e.g., a website announcement) or news media, and must keep the announcement public for at least 30 consecutive days.
Although this method reduces the administrative burden, public announcements often trigger greater media attention and public relations crises. When choosing the method of notification, enterprises must carefully weigh legal compliance against reputational risk.
5. Recommendation: Drill Now
72 hours pass in a flash. Our firm strongly recommends that enterprises do not wait until an incident occurs to start flipping through the laws. You should establish a “Standard Operating Procedure (SOP) for Personal Data Incident Emergency Response” and create reporting templates now. At the moment a security alert is triggered, the legal, information security, and public relations departments must be able to operate in sync immediately to meet compliance requirements within the golden time and minimize damage.
Our firm possesses extensive experience in corporate personal data legal affairs and compliance implementation. If your company has any needs regarding establishing emergency response SOPs, drafting reporting templates, or conducting simulation drills, please feel free to contact us at any time. Our team of professional lawyers will provide you with tailored solutions.
Special Note: The draft subsidiary regulations mentioned in this article (such as the Regulations on Security Maintenance, Regulations on Incident Notification, etc.) are pre-announcement versions released by the Preparatory Office of the Personal Data Protection Commission between January and February 2026. As of the time of writing, they are in the public comment phase, and the official provisions may be further adjusted based on feedback from various sectors. Readers are advised to stay updated on the latest regulatory developments.