In today’s digital economy and technological landscape, the cross-border transmission of personal data has become a fundamental aspect of operations. As a result, integrating and adhering to the regulations of various jurisdictions concerning cross-border transfers of personal data has grown increasingly important. Under the Personal Data Protection Act (“PDPA”) of Taiwan, cross-border transfers of personal data are, in principle, permitted; nonetheless, under certain circumstances, the central competent authorities in charge of the relevant industry sectors may impose restrictions thereon. In light of the impact on Taiwanese enterprises following the implementation of the EU General Data Protection Regulation (GDPR), the Taiwan government has actively pursued an adequacy decision from the EU and has been preparing draft amendments to the PDPA since 2018. While the government has not yet announced draft amendments for public comment, it is anticipated that the rules governing the international transmission of personal data under the PDPA will be revised in the future. In line with the global trend, it is likely that cross-border transfers of personal data will only be permitted under certain conditions outlined in the amended PDPA.
CBPR (Cross-Border Privacy Rules) is a cross-border data transfer system promoted by the APEC DESG (Digital Economy Steering Group) under the leadership of the United States, aimed at promoting the compliant and free flow of personal data through third-party certification. The Accountability Agent appointed by an APEC member economy would be responsible for verifying and certifying an enterprise’s or organization’s ability to provide appropriate protections for personal data. This would help reduce regulatory barriers to cross-border transfers of personal data. For instance, Section 10(1) of the Personal Data Protection Regulations 2021 in Singapore stipulates that before transferring personal data to a country or territory outside Singapore, the transferring organization must take appropriate steps to ascertain whether, and to ensure that, the recipient of personal data is bound by legally enforceable obligations to provide to the transferred personal data a standard of protection that is at least comparable to the protection under the Personal Data Protection Act 2012 in Singapore. Pursuant to Section 12 of the Personal Data Protection Regulations 2021, if a recipient of personal data holds a certification under the APEC CBPR or PRP (Privacy Recognition for Processors) system, it will be deemed to have met the requirements set out in Section 10(1).
To help Taiwanese enterprises obtain CBPR certification, the Taiwan government successfully supported the Institute for Information Industry (III) in becoming an Accountability Agent for the APEC CBPR system in 2021. Furthermore, the Preparatory Office of the Personal Data Protection Commission (“PDPC”) was established on 5 December 2023. In addition to completing the enactment of the organic statute and officially establishing the PDPC by August 2025, the Preparatory Office’s tasks include advancing the amendments to the PDPA. To avoid potential disruptions in the future due to amendments to the PDPA, it is advisable for enterprises to assess and respond to the trend of international standards for cross-border transfers of personal data in advance.