At the Cabinet's weekly meeting on Thursday, Premier Lai Ching-te directed government agencies to take appropriate measures in preparation for the European Union's General Data Protection Regulation (GDPR), a new data protection regime that is expected to have global implications.
Following a briefing by the National Development Council (NDC) on Taiwan's response to the GDPR, the premier said Taiwan and the EU enjoy close bilateral trade relations, with the EU being Taiwan's fifth largest trade partner and top source of foreign investments. Government agencies therefore should keep a keen eye on the latest developments, as the GDPR will affect all Taiwanese businesses operating in the EU and companies that have any dealings with European entities.
In today's digital economy, data is valuable as a market opportunity, said the premier, and the trends toward big data flows and resource sharing are irreversible. Taiwan should take action on data protection, as secure transfer of personal data is equally important in a globalized world.
The basic principles of Taiwan's Personal Information Protection Act and the EU's GDPR are similar in scope, said the premier, but rather than establish a stand-alone supervisory agency, the Personal Information Protection Act operates in a system of distributed authority. Following his remarks, the premier instructed the NDC to move quickly to consider the creation of a dedicated office for the protection of personal data.
The NDC said the GDPR will come into effect on Friday. Among its main points, the GDPR extends the scope of regulation to territories outside the EU, places greater responsibility on companies, provides data subjects with stronger rights protection, and prohibits cross-border transfer of personal data as a rule. Exceptions may only be made in certain cases, including where a company has taken appropriate safeguards in compliance with the regulations and has obtained express consent from the data subject. If a country or organization is deemed by the EU as offering an adequate level of data protection, that country or organization may also engage freely in cross-border transfer of personal data with the EU.
The NDC has set up an official webpage to help local businesses prepare for the impacts of the GDPR, while other government agencies are examining issues under their jurisdictions and providing business guidance and counseling. Taiwan will also discuss with the EU on how it determines an adequate level of protection.