Data Privacy in Taiwan: Comparing the PDPA to the GDPR and CCPA

-

Like many other nations, Taiwan has taken steps to provide its citizens with several data privacy protections. The Taiwanese government accomplished this by creating and subsequently enacting the Personal Data Protection Act

Text in the PDPA established several basic data privacy rights, outlined the responsibilities of data collectors, and also included a penalty structure for entities that violate the provisions of the act.

The PDPA is a comprehensive act that establishes data privacy in Taiwan. But how exactly does it compare to some other, more well-known pieces of legislation from around the globe?

Data Privacy Laws in the 21st Century: A Brief Timeline

Before we compare data privacy in Taiwan to other nations, it is important to understand the history of data privacy laws.

Most data privacy initiatives can trace their roots to the 1995 Data Protection Directive. Commonly viewed as the “original” data privacy law, the 1995 European Union Data Protection Directive regulated the processing of personal information in EU member nations.

As the internet evolved, the EU realized the need for more robust data privacy legislation. In 2012, the EU began exploring data privacy reform.

Efforts to protect data privacy in Taiwan were also well underway in 2012. These efforts led to the Personal Data Protection Act on January 2nd, 2013. In 2014, the EU voted to create a predecessor to the Data Protection Directive. This new set of data privacy regulations was dubbed the General Data Protection Regulation (GDPR)

The PDPA’s “do not call” provisions came into force exactly one year after the act was established. Its primary data protection laws became enforceable on July 2nd, 2014, making the PDPA the first modern set of data privacy provisions.

Europe’s GDPR would not receive final approval for another two years. Its primary provisions were not in force until 2018. That same year, the California Consumer Privacy Act (CCPA) was voted into law. The CCPA came into force in 2020.

Although the 2012 version of the PDPA laid the foundation for better data privacy in Taiwan, the Taiwanese government would make several significant improvements to the act in the coming years. The most notable revisions were passed in 2019 and came into full force on June 1st, 2022.

How the PDPA Stacks Up to Similar Provisions

The history of data privacy in Taiwan closely coincides with the development of similar acts in other nations. 

Many of these subsequent acts were modeled after the GDPR, as the latter is widely considered the most comprehensive set of data privacy laws. Some of the amendments to the PDPA closely resemble components of the GDPR as well.

With that being said, let’s examine how the PDPA compares to two of the most well-known data privacy acts, the GDPR and the CCPA.

PDPA vs. GDPR

Upon its release, the GDPR quickly caught the attention of data collectors and handlers due to its stiff penalty schedule. Organizations that commit “less severe violations” can incur fines as high as 10 million euros or up to 2% of global revenue for the previous fiscal year. Fine amounts double for organizations that commit major violations.

The PDPA’s penalty schedule is nearly as fierce. Violators can incur fines as high as 1 million Singapore Dollars (SGD) or 10% of in-country revenue. 

While 10% may seem quite steep, the PDPA bases this figure on revenue that an organization generates within Taiwan. The GDPR makes its 2% or 4% penalty calculations using a violator’s global revenue.

Regarding the rights they provide citizens, the GDPR and PDPA are nearly identical. Under both acts, citizens are guaranteed rights such as:

  • The right to data portability
  • The right to opt-out
  • The right to erasure/correction
  • The right to be informed
  • The right to access data

Both acts also use similar terms and definitions to identify key entities. Examples include “data processor,” “data controller,” “personal data,” and “sensitive data.”

Currently, the PDPA will offer similar levels of protection as the GDPR. However, it remains to be seen if the Taiwanese government will enforce data privacy in Taiwan as vehemently as the EU has done in member nations.

PDPA vs. CCPA

In the United States, data privacy concerns are largely being addressed at the state level. The most notable U.S. data privacy policy is the aforementioned CCPA. 

However, several other states have followed California’s lead and crafted their own data privacy regulations. Examples include the Virginia Consumer Data Protection Act and the Colorado Privacy Act.

For this comparison, we will focus solely on the CCPA. In terms of penalty structures, the CCPA is not nearly as harsh on violators as the PDPA. Entities that violate the CCPA can incur per-violation fines as low as $2,500 or as high as $7,500. 

These fines are applied “per record,” which means that violators could incur a separate fee for every record or file not managed in compliance with the CCPA provisions.

In addition to being less harsh on violators, the CCPA has a narrower scope. Whereas the GDPR and PDPA apply to virtually any business that collects citizens’ data, the CCPA only applies to select entities. Specifically, the CCPA applies to businesses that meet one or more of the following criteria:

  • Deriving at least half of annual revenue selling personal data of Californians
  • Selling, buying, or receiving personal data of 50,000+ California residents
  • Generating more than $25 million in gross annual revenue

In terms of the rights it provides, the CCPA once again falls short when compared to the PDPA. The CCPA provides citizens with the right to delete their personal information, the right to opt out of data collection, the right to non-discrimination, and the right to know when their data is being collected. 

It does not provide the right to portability or right to access, both of which are considered essential to optimizing data privacy.

Final Thoughts on Data Privacy in Taiwan

The PDPA has the potential to significantly enhance data privacy in Taiwan. It includes a strict penalty schedule, clearly defined expectations for data collectors/handlers, and a comprehensive list of citizens’ rights.

In light of these facts, businesses operating within Taiwan’s sphere of influence must familiarize themselves with the provisions of the PDPA. Doing so will help them remain in compliance and avoid incurring potentially crippling monetary fines.