Taiwan: TMT (3rd edition)

The In-House Lawyer Logo

This country-specific Q&A provides an overview to technology, media and telecom laws and regulations that may occur in Taiwan.

This Q&A is part of the global guide to TMT. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/practice-areas/tmt-3rd-edition/

  1. What is the regulatory regime for technology?

    The regulatory regime for technology in Taiwan is quite diversified. On the technology development policy, the Ministry of Science and Technology is the primary regulator in charge of the nation’s science and technology development and fostering projects in scientific and technological research pursuant to the Fundamental Science and Technology Act.

    On product or industrial regulations of the tech industries or businesses, these are mainly regulated under the statutes or regulations governing each different industrial sector, such as the telecommunications, bio-tech, agriculture, electronic consumer products, etc. Meanwhile, there are certain general statutes governing all tech industries universally, such as the Consumer Protection Act, the Personal Data Protection Act, the Fair Trade Act (the competition statute of Taiwan), etc.

  2. Are communications networks or services regulated?

    Yes, they are regulated. The Telecommunications Act (the “TA”) has been the main statute governing the traditional telecommunications industry since 1958. In response to the innovation of the communications industry, such as the development of 5G technology, a new statute, the Telecommunications Management Act (the “TMA”), was promulgated in June 2019, which will become effective in around 12 months and there will be a three-year transition period following the effective date. TMA will replace the TA after the transition period expires.

  3. If so, what activities are covered and what licences or authorisations are required?

    The TMA abolishes the existing licenses and permits system under the TA. Currently, the TA classified telecommunications operators into Type I and Type II operators. Type I operators are the operators that own and operate physical telecommunications facilities and networks, while Type II operators are those that provide telecommunications services by leasing the physical facilities and networks of the Type I operators. Under the TMA, the license and permit for Type I and Type II operators have been placed with a new “voluntary” registration system. A telecommunications operator will be “required” to apply for the registration with the National Communication Commission (the "NCC), if its provision of communications service involves the following activities:

    1. Conducting network inter-connection negotiation and applying for "procedure of arbitration" with the NCC (concerning network inter-connection);
    2. Applying with the NCC for radio frequency for commercial use;
    3. Applying with the NCC for "user identification codes" of publicly switched telecommunications or signal point codes; or
    4. Applying with the NCC for allocation of user numbers.

    A telecommunications operator does not conduct the above activities can voluntarily register itself with the NCC. Only when a telecommunications operator is registered with the NCC, it will be eligible to certain privileges that the TMA offers to telecommunications operators.

  4. Is there any specific regulator for the provisions of communications-related services?

    The NCC is the regulator in charge of regulating the provisions of communications-related services in relation to telecommunications technology. The provision of communications-related services via other type of technology, such as “instant messengers” is regulated by the IB.

  5. Are they independent of the government control?

    The company owns and controls most of physical telecommunications facilities, equipment, and, network within the territory of Taiwan is “Chunghwa Telecom Co., Ltd.”, which is still controlled by the Taiwan government with the government being its major shareholder. The other fixed network operators and mobile operators are privately owned and some of them are listed companies.

  6. Are platform providers (social media, content sharing, information search engines) regulated?

    Platform providers providing services in Taiwan shall comply with all general legal requirements under Taiwan law, including without limitation to laws and regulations with regard to consumer protection, personal data protection, competition, etc. Currently, there are no laws or statutes specifically drafted with the purpose of regulating the platforms. There have been one or two draft bills that may be regulating the digital platforms but they are still pending at the Legislative Yuan.

    Meanwhile, if a platform is engaging in certain business subject to sectorial regulations, they will need to comply with such regulations. For example, “Uber” has been regulated as a “transportation” business in Taiwan and the Taiwan government have been imposing unfriendly restrictions to Uber’s business model. For the sharing economy platforms delivering meals, such as Food Panda, Deliveroo, and Uber Eats, the regulator in charge of the “restaurant” business has been trying to regulate them as part of the food industry.

  7. If so, does the reach of the regulator extend outside your jurisdiction?

    The authority in charge of competition matters specifically declares that our competition law shall have extra-territorial effect. The tax authorities also require all “offshore” digital service providers to pay VAT and income tax in regard to the digital services that they provide to residents in Taiwan. The other authorities did not specifically declare or announce that whether their regulatory power shall be extended to outside of the jurisdiction of Taiwan but they may be contacting offshore platform providers for regulatory matters.

  8. Does a telecoms operator need to be domiciled in the country?

    Pursuant to the TA, a telecoms operator is required to obtain either a Type I operator license or a Type II operator license and therefore, it must establish a presence in Taiwan. Under the TMA, it is unclear as to whether a telecoms operator would still need to establish a presence in Taiwan as the TMA now allows voluntarily registration unless the operators conduct certain activities with regard to network inter-connection, telephone numbers allocation, and radio frequency assignment. Nevertheless, the Company Act of Taiwan requires a foreign company to establish a branch office in Taiwan if the foreign company will do business in Taiwan.

  9. Are there any restrictions on foreign ownership of telecoms operators?

    Yes, either under TA or TMA, the telecommunications operators owning and operating telecommunications facilities and networks for public telecommunications (such as those operating fixed-networks or mobile networks) will be subject to foreign ownership restrictions. The direct foreign ownership of such an operator shall not exceed 49% of the total outstanding shares and the total of the direct and indirect foreign ownership in it shall not exceed 60% of its total outstanding shares.

  10. Are there any regulations covering interconnection between operators?

    Yes, either under TA or TMA, interconnection is regulated. According to the TA and TMA, a telecommunications operator may request interconnection with another telecommunications operator and a telecommunications operator may not reject such request without justification, if the interconnection is technology feasible and the request is fair and reasonable. Please note that under the TMA, if a telecommunications operator will be conducting negotiation for interconnection, it must apply for telecommunications operator registration with the NCC.

  11. If so are these different for operators with market power?

    A "dominant market player ("DMP")" will bear more compliance obligations with regard to interconnection. According to the TMA, the NCC may order a DMP to be fair and reasonable and shall not discriminate against any other telecommunications operator when handling matters concerning interconnection and may even order a certain DMP to provide interconnection to other telecommunications operators. A DMP shall reach interconnection agreement with another telecommunications operator within three months following the interconnection request has been raised. If no agreement will be reached, either party may apply with the NCC for a determination and a DMP shall follow the determination of the NCC.

  12. What are the principal consumer protection regulations that apply specifically to telecoms services?

    Currently, telecommunications operators in Taiwan are required to stipulate "business regulations" under which the terms and conditions of their services, including the prices, shall be specified. The stipulation of the business regulations will be subject to the review of the NCC at the time when a telecom operator applies for the license. Thereafter, once the business regulations are amended, a prior report shall be filed with the NCC.

    Pursuant to the TMA, the standardized terms and conditions that a telecom operator will enter into with its consumers shall also comply with the requirements set forth under TMA and be approved by the NCC in advance.

    In addition, to protect the subscribers' rights and benefits, before a telecom operator terminates its service, it shall comply with certain requirements, such as prior approval from the NCC and prior notice to the subscribers.

  13. What legal protections are offered in relation to the creators of computer software?

    The Copyright Act would be the main protection that a creator of computer software can rely on for protection of their proprietary rights. It is possible to apply for patent registration in Taiwan for certain computing technology. Trade secret may also be an option for protection.

  14. Do you recognise specific intellectual property rights in respect of data/databases?

    Pursuant to Article 7 of the Copyright Act, “A compilation work is a work formed by the creative selection and arrangement of materials, and shall be protected as an independent work. Protection of a compilation work shall not affect the copyright in the work from which the material was selected and arranged. Databases will be deemed as a “compilation work”, if the arrangement of the data meets the above requirements.

  15. What key protections exist for personal data?

    The Personal Data Protection Act of Taiwan (the “PDPA”) adopts a regulatory framework similar to GDPR. The PDPA is a general law regulating the collection, processing and use of personal data in Taiwan. The PDPA defines “personal data” as a natural person’s name, date of birth, national identification number, passport number, physical appearance, fingerprint, marital status, family background, educational background, occupation, medical history, medical treatments, genetic data, sex life, health check results, criminal record, contact information, financial condition, social activities and any other information that may be used to directly or indirectly identify a natural person.

    The PDPA requires, among others, that a data owner’s collection and processing of personal data must be for specific purpose(s) and have at least one of the legal grounds prescribed under Article 19 of the PDPA. Moreover, under the PDPA, a data collector must inform the data subject of the following information at the time of collection: (i) the identity of the data collector; (ii) the purpose(s) for which his/her data is collected; (iii) the type of data collected; (iv) the term, place and method of use and the persons who may use the data; (v) the data subject’s rights in relation to his/her personal data under the PDPA; and (vi) the consequences of his/her failure to provide the required personal data.

  16. Are there restrictions on the transfer of personal data overseas?

    International transfer of personal data is in general permitted under the PDPA. Meanwhile, the PDPA authorizes central competent authorities to impose restrictions on cross-border transfer of personal data if:

    1. the transfer would prejudice any material national interest;
    2. the transfer is prohibited or restricted under an international treaty or agreement;
    3. the country to which the personal data are to be transferred does not afford sound legal protection of personal data, thereby affecting the interests of the data subjects; or
    4. the purpose of the transfer is to evade the restrictions under the PDPA.

    On September 25, 2012, the National Communications Commission (NCC) issued a blanket order prohibiting communications enterprises from transferring subscribers’ personal data to Mainland China on the grounds that data protection laws in Mainland China are still inadequate.

  17. What is the maximum fine that can be applied for breach of data protection laws?

    Pursuant to the PDPA, the maximum administrative fine is NTD500,000, in the case of violating certain important provisions under the PDPA, such as collecting and using personal data without a statutory ground, or violating the government's order on international transfer of personal data. The authority may impose administrative fine consecutively until corrective actions are taken.

  18. What additional protections have been implemented, over and above the GDPR requirements?

    In some perspective, the PDPA may be deemed as more rigid than the GDPR:

    1. The PDPA imposes liability on the Taiwan government agencies for any damages caused to the data subjects if a Taiwan government agency breaches the PDPA. That is, the Taiwan government agency would be held liable to Taiwan citizens for breach of the PDPA, even if the Taiwan government agency was not negligent.
    2. The PDPA still adopts formality requirements with regard to "consent" to be sought from the data subjects while GDPR does not. For example, to obtain consent from the data subjects with regard to collection and use of personal data, "written" consent must be obtained. To obtain a valid consent from data subjects, pursuant to the PDPA, the data controller will need to comply with its notification requirements by notifying the data subject the required matters as set forth under the PDPA, while pursuant to the GDPR, a data controller only needs to advise the data subject of the "purpose" of the collection in order to obtain a valid consent.
  19. Are there any regulatory guidelines or legal restrictions applicable to cloud-based services?

    There are no statutes specifically drafted for regulation of "cloud-based services". To provide a cloud-based service in Taiwan, the service provider shall comply with all relevant laws in Taiwan, including the PDPA, consumer protection laws, etc. Meanwhile, please note that financial institutions, such as banks or insurance companies, are subject to strict regulations of the Financial Supervision Commission, and they are not freely to adopt cloud-based solution technology. As such, providing cloud-based services to financial institutions will be subject to strict regulation and approval requirements.

  20. Are there specific requirements for the validity of an electronic signature?

    According to Articles 4 and 9 of the Electronic Signatures Act (“ESAM”), unless there is a law, regulation, or public announcement made by the central competent authority specifically excluding the use of electronic records or electronic signatures, it is legally permitted to use electronic records or electronic signatures on the relevant documents as long as the counterparty’s consent has been obtained. On the other hand, where a law or regulation stipulates that a document shall be made in writing, it is also legally permitted for such document to be in the form of an electronic record, provided that (i) the content of such document can be completely stored and presented for further reference; and (ii) the counterparty’s consent has been obtained.

  21. In the event of an outsourcing of IT services, would any employees, assets or third party contracts transfer automatically to the outsourcing supplier?

    No. In the event of an outsourcing of IT services, the outsourcing supplier is merely providing the IT service to the company that hires the outsourcing supplier, and all employees, assets, or third party contracts will remain with the company and will not be transferred to the outsourcing supplier.

  22. If a software program which purports to be a form of A.I. malfunctions, who is liable?

    Based on the current legal framework of Taiwan, it would be the one that offers, sells, or licenses the software program (the “Software Provider”) to the market that shall be liable to the consumer who suffered losses or damages from the A.I. malfunctions, unless the Software Provider is able to establish the fact that the software program meets the “state of art” at the time when the program was introduced to the market. This person or entity may in turn to claim any service provider that participated in the development or completion of the software program to share such liabilities.

  23. What key laws exist in terms of: (a) obligations as to the maintenance of cybersecurity; (b) and the criminality of hacking/DDOS attacks?

    a) obligations as to the maintenance of cybersecurity; and

    On June 6, 2018, the very first cybersecurity legislation of Taiwan, the “Cybersecurity Management Act” (the “Cybersecurity Act”), has become an official statute of Taiwan. Pursuant to the Cybersecurity Act, government agencies, and the non-government agencies that provide "critical infrastructures" shall maintain cybersecurity, adopt certain cybersecurity measures, and report to the relevant authorities for any cybersecurity incidents, and work with the authorities to resolve such incidents. To our understanding, the Taiwan government has not completed the designation as to what shall be deemed as "critical infrastructures" thus far but it will be completed soon.

    b) the criminality of hacking/DDOS attacks?

    Pursuant to the Taiwan Criminal Code, hacking or DDOS attacks may trigger criminal liabilities of up to three-year imprisonment, detention, and/or criminal fines. The criminal penalties shall be increased up to one-half of the above if it is the computer system of the government that was attacked. The person who produces computer software for the others to conduct hacking/DDOS attacks may be subject to criminal penalties of up to 5 year imprisonment, detention, and/or criminal fines.

  24. What technology development will create the most legal change in your jurisdiction?

    It would be "artificial intelligence". Depending on the advance and development of the artificial intelligence technology, the legal system may need to be changed or even re-written during the process and phases of the development of artificial intelligence. Currently, the regulators are dealing with the legal issues raised and triggered by "fintech" and "autonomous driving technology or vehicles", and most of the regulations are newly stipulated and experimental. Once the technology advances into the stage where machine has the ability to make decision as a human need to do or thinks like a human in a more overall manner, the traditional legal system will need to be adjusted or reshaped.

  25. Which current legal provision/regime creates the greatest impediment to economic development/ commerce?

    It could be the traditional license and permit requirements imposing on various existing industries. When innovated technology/business model emerges, oftentimes the regulatory barriers lie in the traditional license and permit system. As the business of the traditional license/permit holders is at stake, the government often times will need to protect the benefits of the existing businesses and force the innovated or emerging new tech businesses to follow the "brick-and-mortar" rules to operate their new businesses, which often will suffocate industrial creativeness and innovation.

  26. Do you believe your legal system specifically encourages or hinders digital services?

    Although our legal system may not have specific barriers to hinder or block digital services, the interpretation of the existing laws and statutes tend to discourage innovated digital services. Many on-line digital service providers are facing compliance issues recently, including being required to obtain certain license or permit originally applicable to the “brick-and-mortar” businesses.

  27. To what extent is your legal system ready to deal with the legal issues associated with artificial intelligence?

    The Taiwan government has been preparing itself for the artificial intelligence era. The Ministry of Science and Technology launched many programs to equip our government and industries with the ability to adapt them in the new era. Meanwhile, each primary regulator of different industries have been studying and researching whether there shall be any regulatory amendments or changes in response to the upcoming article intelligence. Although some commentators deem that the progress has been slow, the Taiwan government has been on track on this trend.