Data Privacy in the GDPR Era

The European Union (EU)’s new data protection regime, the General Data Protection Regulation (GDPR), will come into force on May 25, with huge implications for how global businesses, including those in Taiwan, handle personal data. The GDPR, which succeeds the Data Protection Directive of 1995, aims to harmonize data-protection regulations across the EU. But the sweeping guidelines apply to any organization or business that has even the slightest connection with the EU, not just those located within its territory. The regulation will apply not only to firms that market, sell, or otherwise trade with Europe, but also to those that hire Europeans.

Violating the restrictions could prove costly, with fines reaching as high as 20 million euros or 4% of total global revenues, whichever is higher.

John Eastwood, a partner with the Taipei law firm Eiger, describes the European approach as “a massive tightening of the rules on data protection.” Is Taiwan ready for engagement with the EU in the GDPR era?

Taiwan has looked abroad for best practices in personal data protection, and its Personal Information Protection Act (PIPA), passed in 1995 and subsequently amended in 2012 and again in 2015, incorporates core principles of the EU’s previous directive. As explained by Michael Fahey, a lawyer with Winkler Partners in Taipei, these principles include minimal collection of personal data, fair and lawful processing, provisions for deletion of data, protection of sensitive data, and mechanisms to opt out of direct marketing.

Complying with the GDPR will nevertheless challenge Taiwan’s government and enterprises. The Ministry of Justice Investigation Bureau (MJIB) is concerned that the GDPR will throw up further obstacles to cross-border law enforcement, on top of the massive issues already created by Taiwan’s lack of wide international recognition.

“We don’t have formal diplomatic ties with European countries, and when this new law is enacted, it will be more difficult for us to get information or get help from EU countries,” says Wu Fu-mei, acting director of the MJIB’s Information and Communication Security Division.

Taiwan does considerable business with the EU and its citizens. Taiwan exports nearly as much to the EU (US$7.07 billion in the first quarter of this year, or 8.9% of total exports) as it imports from the EU (US$7.64 billion in the first quarter, accounting for 10.4% of total imports), according to the Bureau of Foreign Trade. Taiwan likewise plays host to increasing numbers of tourists from the region, as well as visiting scholars and students. Ensuring smooth continuation of this healthy level of trade and exchanges will be a priority for the Taiwan authorities.

Taiwanese companies with close ties to the EU market, particularly those in the smartphone and notebook sectors, reportedly are concerned that the GDPR may have a big impact on their business, and many questions remain unanswered.

Would Taiwanese hardware and component makers be liable for network breaches involving their equipment? As Taiwan looks to attract foreign talent, would hiring a European put a Taiwanese firm on the EU watchdog’s radar? What about Taiwanese firms that have investors from the EU or EU-based vendors?

The European Chamber of Commerce in Taiwan (ECCT) has hired the law firm of Tsar and Tsai, which is also an AmCham Taipei member, to prepare a guide to the new regulations to help local businesses understand exactly who will be affected and what affected firms will need to do – if anything – to comply with the new regulations.

Yet Winkler’s Fahey says that Taiwan will not be the law’s first target.

“The first concern of the European regulators will not likely be Taiwan or Taiwanese companies but more likely the big internet firms and European firms,” he says. “However, anyone targeting the European market will eventually be impacted.”