Hong Shenhan pointed out that the upper limit of fines under the Personal Data Protection Act should take as its reference the cost an enterprise incurs to protect personal data and information security.


[Reporter Chen Zhengyu/Taipei Report] A series of major personal data leaks has occurred in both the public and private sectors, yet the Personal Data Protection Act can impose a fine of at most NT$200,000. The Executive Yuan will study amending the law to raise the penalty.

In this regard, Hong Shenhan, a legislator of the Democratic Progressive Party, estimated that the cost of maintaining information security and personal data protection for a large database is at least NT$1 million. Moreover, the burden of proof and the threshold for litigation are too high, so the public is effectively not protected at all.

The current Personal Data Protection Act stipulates that anyone who illegally collects, processes, uses or alters personal data and thereby causes damage to others shall be punished with fixed-term imprisonment of not more than 2 years, criminal detention, or a fine of not more than NT$200,000; where the act is committed with intent to profit, the punishment is fixed-term imprisonment of not more than 5 years, and a fine of not more than NT$1 million may be imposed in addition.

If a civil servant commits the offence by taking advantage of the position, opportunity or means of his office, the penalty shall be increased by up to one-half.


In addition to the draft that the Executive Yuan is preparing, Hong Shenhan announced that experts and scholars will be invited to discuss and propose a revised version of the Personal Data Protection Act.

He said in an interview that the current upper limit of NT$200,000 in fines is too low and is a "very blind" figure. The reference point should be what a company spends to protect personal data or information security: a large database may cost millions of NT dollars to protect, so should the upper limit of fines not be at the same level?

Otherwise, rather than spend a lot of money improving information security, operators would simply pay a fine that does not hurt. In addition, digital services are now widely used, and a single personal data leak can easily involve hundreds of thousands or millions of records, which is very considerable. The upper limit of fines should be reviewed.

As for the public sector, Hong Shenhan asks whether the government's information security problems and leaks of personal data stem from negligence, from being attacked, from deliberate resale, or from infiltration by hostile forces.

The entire protection system needs to be inventoried, including how the "zero trust" mechanism is actually being implemented, and each department should budget honestly for information security rather than merely requiring its IT staff to attend training.

"Government departments and operators that do not comply with the regulations can no longer be fined and then let go." Hong Shenhan cited the EU's General Data Protection Regulation (GDPR) to explain the administrative penalties: infringements of the obligations of the controller and processor, of the certification body, or of the monitoring body carry an administrative fine of up to 10 million euros or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher.

Hong Shenhan went on to point out that infringements of the basic principles for processing personal data, of the rights of data subjects, or of the rules on cross-border transfers of personal data carry an administrative fine of up to 20 million euros or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher.