Data Privacy in Taiwan: PDPA, GDPR, and CCPA

Like many other nations, Taiwan has taken steps to provide its citizens with several data privacy protections. The Taiwanese government accomplished this by creating and subsequently enacting the Personal Data Protection Act

Text in the PDPA established several fundamental data privacy rights, outlined data collectors’ responsibilities, and included a penalty structure for entities that violate the act’s provisions.

The PDPA is a comprehensive act that establishes data privacy in Taiwan. But how exactly does it compare to other, more well-known legislation from around the globe?

Data Privacy Laws in the 21st Century: A Brief Timeline

Before we compare data privacy in Taiwan to other nations, it is essential to understand the history of data privacy laws.

Most data privacy initiatives can trace their roots to the 1995 Data Protection Directive. Commonly viewed as the “original” data privacy law, the 1995 European Union Data Protection Directive regulated the processing of personal information in EU member nations.

The EU realized the need for more robust data privacy legislation as the internet evolved. So, in 2012, the EU began exploring data privacy reform.

Efforts to protect data privacy in Taiwan were also well underway in 2012. These efforts led to the Personal Data Protection Act on January 2nd, 2013. In 2014, the EU voted to create a predecessor to the Data Protection Directive. This new set of data privacy regulations is named the General Data Protection Regulation (GDPR).

The PDPA’s “do not call” provisions came into force exactly one year after the act was established. However, its primary data protection laws became enforceable on July 2nd, 2014, making the PDPA the first modern set of data privacy provisions.

Europe’s GDPR would not receive final approval for another two years. However, its primary provisions were in force in 2018. That same year, the California Consumer Privacy Act (CCPA) was voted into law. The CCPA came into force in 2020.

Although the 2012 version of the PDPA laid the foundation for better data privacy in Taiwan, the Taiwanese government would make several significant improvements to the act in the coming years. The most notable revisions were passed in 2019 and came into full force on June 1st, 2022.

How the PDPA Stacks Up to Similar Provisions

The history of data privacy in Taiwan closely coincides with the development of similar acts in other nations. 

Many of these subsequent acts were modeled after the GDPR, as the latter is widely considered the most comprehensive set of data privacy laws. Some of the amendments to the PDPA closely resemble components of the GDPR as well.

Let’s examine how the PDPA compares to two of the most well-known data privacy acts, the GDPR and the CCPA.

PDPA vs. GDPR

Upon its release, the GDPR quickly caught the attention of data collectors and handlers due to its stiff penalty schedule. Organizations that commit “less severe violations” can incur fines as high as 10 million euros or up to 2% of global revenue for the previous fiscal year. Fine amounts double for organizations that commit major violations.

The PDPA’s penalty schedule is nearly as fierce. Violators can incur fines as high as 1 million Singapore Dollars (SGD) or 10% of in-country revenue. 

While 10% may seem quite steep, the PDPA bases this figure on an organization’s revenue in Taiwan. The GDPR makes 2% or 4% penalty calculations using a violator’s global revenue.

The GDPR and PDPA are nearly identical regarding the rights they provide citizens. Under both acts, citizens are guaranteed rights such as:

  • The right to data portability
  •  The right to opt-out
  •  The right to erasure/correction
  •  The right to be informed
  •  The right to access data

Both acts also use similar terms and definitions to identify key entities. Examples include “data processor,” “data controller,” “personal data,” and “sensitive data.”

Currently, the PDPA will offer similar levels of protection as the GDPR. However, it remains a question if the Taiwanese government will enforce data privacy in Taiwan as vehemently as the EU has done in member nations.

PDPA vs. CCPA

Data privacy concerns are mainly addressed at the state level in the United States. The most notable U.S. data privacy policy is the CCPA mentioned above. 

However, several other states have followed California’s lead and crafted their data privacy regulations. Examples include the Virginia Consumer Data Protection Act and the Colorado Privacy Act.

For this comparison, we will focus solely on the CCPA. Regarding penalty structures, the CCPA is less harsh on violators than the PDPA. Entities that violate the CCPA can incur per-violation fines as low as $2,500 or as high as $7,500. 

These fines are applied “per record,” which means that violators could incur a separate fee for every record or file not managed in compliance with the CCPA provisions.

In addition to being less harsh on violators, the CCPA has a narrower scope. The GDPR and PDPA apply to virtually any business collecting citizens’ data, but the CCPA only applies to select entities. Specifically, the CCPA applies to companies that meet one or more of the following criteria:

  • Deriving at least half of annual revenue selling personal data of Californians
  •  Selling, buying, or receiving personal data of 50,000+ California residents
  •  Generating more than $25 million in gross annual revenue

Regarding the rights it provides, the CCPA once again falls short compared to the PDPA. For example, the CCPA allows citizens to delete their personal information, opt out of data collection and non-discrimination, and know when their data is being collected. 

It does not provide the right to portability or the right to access, both of which are considered essential to optimizing data privacy.

Final Thoughts on Data Privacy in Taiwan

The PDPA has the potential to enhance data privacy in Taiwan significantly. It includes a strict penalty schedule, clearly defined expectations for data collectors/handlers, and a comprehensive list of citizens’ rights.

In light of these facts, businesses operating within Taiwan’s sphere of influence must familiarize themselves with the provisions of the PDPA. Doing so will help them remain in compliance and avoid potentially crippling monetary fines.