Information privacy is one of the most significant ethical issues of the information age. The advance of ICT has fostered the free flow of information, which has led to increasingly serious information security problems. Prior organization-level research has investigated the management of privacy concerns to avoid damage to firms and organizations. Few studies focus on the firm’s responsibility to safeguard information when facing changes in the institutional environment. Through an interpretative case study, this research analyzes the actors and issues that have appeared throughout the process of data protection legislation in Taiwan. The findings suggest that data protection policy making in Taiwan has taken a parental pragmatic approach, leading to an ongoing hand-in-hand relationship between government and market. The online social norm view, the technological view and the information ethics view have been overlooked in the policy-making process. I argue that IS researchers and IS managers need to move beyond an organizational view of information privacy and play a more active role in the public debate and discussion on privacy and data protection issues. I suggest that managerial responsibility for information liability should be taken seriously in forming a reasonable and appropriate institutional environment for a firm’s organizational privacy behaviour.