Lawmakers urge new Cabinet to establish data security agency

Taipei, Feb. 6 (CNA) Four ruling Democratic Progressive Party (DPP) lawmakers have urged the new Cabinet to set up an agency that is specifically dedicated to the protection of personal data in the wake of a potential data leak from a car-sharing platform's database.

The database of popular car rental and automobile/motorcycle-sharing services platform iRent, which contained the personal information of around 400,000 users, was found to be left unprotected and accessible by anyone who knew the IP address.

That meant that anyone who entered the database could access the names, mobile phone numbers, email addresses, home addresses, drivers' license photos, and partially redacted payment card details of the platform's customers, though it was unclear if there were any data breaches.

In the light of the leak, DPP lawmakers Lai Pin-yu (賴品妤), Liu Shih-fang (劉世芳), Hung Sun-han (洪申翰) and Chuang Ching-cheng (莊競程) said at a press conference Monday that an independent agency responsible for personal data protection needed to be established.

Lai said a problem existed because the responsibilities related to the Personal Data Protection Act are divided between numerous government agencies, with 20 second-tier agencies alone supervising non-public organizations.

It is common for agencies to avoid accountability for incidents involving the jurisdiction of multiple agencies, Lai said, but that could be corrected if the government were to set up the independent agency.

Liu, Hung and Chuang echoed Lai's sentiments, agreeing that the government's often sluggish response to personal data leakages and the lack of effective laws needed to be rectified.

In mid-January, the same four lawmakers criticized the government and the Ministry of Digital Affairs, which was set up in August 2022, for its lax response to data breaches at government agencies and state-run enterprises, and demanded that MODA do better.

Hung went so far as to ask at the time: "What was the point of establishing MODA and the Administration of Cyber Security?"

At Monday's press conference, the lawmakers asked MODA to shoulder more responsibility in supervising the information security of private institutions.

Speaking at the press conference, Cheng Ming-tsung (鄭明宗), the director of MODA's Department of Communications and Cyber Resilience, said personal data security issues were a major undertaking, but he pledged that MODA would get involved by proposing amendments to the Personal Data Protection Act.

Despite the existence of MODA, the lawmakers still pushed for the creation of a new agency, a responsibility given to the National Development Council (NDC).

NDC deputy chief Kao Shien-quey (高仙桂) said at the press conference that the NDC had designed the basic framework for a potential solution after studying international data security laws, without elaborating.

The DPP legislators were not the only lawmakers to call for a change in personal data security laws on Monday when New Power Party legislators raised questions about the security of Car-plus Auto Leasing Corp.'s database.

Legislator Chiu Hsien-chih (邱顯智), the party's chairman, said he recently received a tip that there were issues with the cloud storage settings of the popular car rental company.

Chiu also appealed to the government to create a branch in charge of data security.

In response to the concerns, Car-plus said it immediately turned off functions in its mobile application and inventoried its database, finding neither suspicious searches nor downloads.

The company said it also sent out email notifications on Feb. 3 to some 16,000 customers who were affected by the issue.