Under the Taiwan Personal Data (Information) Protection Act (PDPA), the PDPA will come into play when the subject data can identify a certain person. Referring to the EU Directive 95/46/EC, in the PDPA, personal data is identified in Item 1, Article 2 of the PDPA. Furthermore, the definition of ＂personally identifiable information＂ is explained in Article 3 of the Enforcement Rule of the PDPA. However, despite the carefully written defi nition, a handful of cases have revealed the lack of clarity on the concept of personal data. This essay proposes that personal data is personally identifi able as long as such data may connect to a certain person by anyone using all possible and reasonable means. This notion is supported by the Recital 26 of the EU Directive 95/46/EC and the Opinion 4/2007 on the Concept of Personal Data issued by the Article 29 Data Protection Working Party. The PDPA is rooted in the right to information privacy stipulated in Article 22 of the Taiwanese Constitution. The interpretation of personal data-whether the piece of personal information protected shall be perceived from the perspective of the data subject rather than the user of data (the privacy intruder). Therefore, as long as the underlying data are likely to connect to a certain person, such data shall be protected in the PDPA. As to the ability of the data user to use the data to identify a certain person, it is a matter of different degrees of risk to privacy invasion, not whether there will be a risk of privacy invasion.