12 JULY 2018
The National Development Council (‘NDC’) announced, on 4 July 2018, the launch of the Personal Data Protection Office (‘PDP’). The main functions of the PDP include reviewing the Personal Information Protection Act 2010 (‘PIPA’) and coordinating the ministries involved in the current decentralised management of data protection, with a view to strengthening PIPA and the consistency of its implementation in order to improve the overall level of data protection in Taiwan.
Christine Chen and Daniel Chen, Partner and Associate at Winkler Partners respectively, told DataGuidance, ”The PDP is already providing guidance and resources, including translations of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) into Chinese to assist Taiwanese companies doing business in Europe to comply with the GDPR. Over the next few years, we expect the PDP to draft new amendments to PIPA that will adopt many GDPR principles, including more regulation of international data transfers […] Increased regulation will mean that international businesses will eventually need to make many changes to their existing practices to become compliant.”
While there is a link between the establishment of the PDP and obtaining an EU adequacy decision, it is not directly causal
One of the PDP’s tasks will be to cooperate with the relevant authorities and scholars in order to produce an assessment report on receiving an adequacy decision under the GDPR. In addition, the PDP intends to hold further talks with the EU once the report has been completed.
Nathan Kaiser, Partner at Eiger Law, told DataGuidance, ”While there is a link between the establishment of the PDP and obtaining an EU adequacy decision, it is not directly causal. Taiwan has always been ahead with data protection regulation, [for example] implementing PIPA in 2010, at a time when the state of data protection in Taiwan was clearly underdeveloped.”
The European Commission is currently undergoing discussions with other Asia-Pacific countries and in May 2018, the Minister of the NDC, Mei-ling Chen, visited the EU to discuss an adequacy decision under Article 45 of the GDPR.
Chen and Chen concluded, ”Taiwan’s unique political status may make it difficult for the EU to engage in the same kind of dialogues that it has had with South Korea and Japan, […] Taiwan has a long road to travel before it can obtain an adequacy decision. Major obstacles include Taiwan’s light regulation of international data transfers and relatively weak enforcement to date. Domestic interest groups will push back hard against what is likely to be perceived as a burdensome new regulatory regime with little upside for business. Taiwan does not have a significant number of major digital businesses that need to be able to transfer data from Europe. Also, Taiwan’s major ally, the US, may push back against Taiwanese efforts to adopt a GDPR style data protection regime. US businesses in Silicon Valley process large amounts of personal data from Taiwan and will not want to see international transfers regulated more than they already are.”
ANGELA POTTER Privacy Analyst