Data is the strategic resource of the 21st century, and the cross-border flow of data is one of the most critical trade issues of the digital era. However, Taiwan's legal framework reveals a profound contradiction on this issue: on one hand, Taiwan positions itself as an export-oriented, highly digitally integrated open economy where the free flow of data is the lifeblood of its technology and financial services industries; on the other hand, Taiwan's current Personal Data Protection Act (PDPA) contains significant institutional gaps in regulating cross-border data transfers, failing to either effectively protect personal privacy or provide businesses with clear compliance guidance. More urgently, Taiwan's application to join the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) has made institutional readiness for the digital trade chapter a core issue in accession negotiations. This article employs legal precision and policy vision to systematically analyze Taiwan's priority issues and institutional choices in cross-border data flow legislative reform.
I. The Institutional Tension Between Data Localization and Free Flow
Global data governance currently exhibits two competing institutional paradigms: the "data sovereignty model" represented by China, which restricts cross-border transfers of certain data types through mandatory data localization requirements to ensure state control over data resources; and the "free flow model" represented by the United States and Japan, which advocates that data should flow freely across borders like goods and services, with restrictions imposed only in specific contexts of privacy protection and national security.[1]
The European Union offers a third path — the "trust-based flow model" — which establishes a high-standard personal data protection framework through the GDPR and uses the "adequacy decision" mechanism to permit free data flows with jurisdictions that achieve equivalent levels of protection. The core logic of this model is that privacy protection and data flow are not zero-sum; adequate privacy protection is in fact the foundation for trustworthy cross-border data flows.
Taiwan's position within this tripartite institutional framework is extremely awkward: the substantive protection standards of its current PDPA fall short of GDPR strictness, while the procedural norms for cross-border transfers are too vague to demonstrate to trading partners that Taiwan has achieved a trustworthy level of protection. A framework this uncertain can neither pass a GDPR adequacy assessment nor satisfy the institutional requirements of the CPTPP digital trade chapter.[2]
II. Gap Analysis Between the PDPA and GDPR Adequacy Recognition
There are several fundamental institutional gaps between Taiwan's PDPA (enacted in 2010, amended several times) and the GDPR, which constitute the core obstacles to Taiwan obtaining EU adequacy recognition.
Absence of an independent supervisory authority. The GDPR requires each member state to establish an independent data protection authority (DPA) with adequate investigative and enforcement powers, operating independently from government administration. Taiwan's current PDPA enforcement system is dispersed across various sector-specific competent authorities, lacking a unified independent supervisory body, resulting in severely insufficient enforcement capacity and consistency.[3]
Incomplete data subject rights. The GDPR grants data subjects a comprehensive set of substantive rights including the right to erasure, data portability, and the right to object to automated decision-making. Taiwan's PDPA has notable gaps in regulating these emerging rights.
Unclear legal basis for cross-border transfers. GDPR Articles 44-49 establish a clear legitimacy framework for cross-border transfers: adequacy decisions, Standard Contractual Clauses (SCCs), and Binding Corporate Rules (BCRs), among others. While Article 21 of Taiwan's PDPA imposes cross-border transfer restrictions, its authorization framework is ambiguous: it leaves excessive discretion to competent authorities and offers no predictable compliance pathway, so businesses face both high compliance costs and legal uncertainty.[4]
III. Institutional Requirements of the CPTPP Digital Trade Chapter
CPTPP Chapter 14 (Electronic Commerce) is the most critical digital governance issue for Taiwan's accession preparation. Articles 14.11 ("Cross-Border Transfer of Information by Electronic Means") and 14.13 ("Location of Computing Facilities") directly address the prohibition on data localization, representing the greatest challenge to Taiwan's current legal framework.
Article 14.11 of the CPTPP requires parties to allow cross-border transfers of electronic information (including personal information), unless there is a legitimate public policy purpose, and restrictive measures must comply with proportionality principles and not constitute arbitrary discrimination or disguised trade restrictions. Article 14.13 requires parties not to mandate the use or location of computing facilities within their territory as a condition for providing or accessing services (i.e., prohibiting mandatory data localization).[5]
Several of Taiwan's existing regulations (including cybersecurity norms for the financial industry, data management provisions for the telecommunications sector, and data storage requirements in certain government procurement regulations) may conflict with the prohibition on data localization under CPTPP Article 14.13. Prior to accession negotiations, Taiwan needs to conduct a systematic CPTPP compliance review of existing regulations, identify potential non-conforming measures, and assess feasible paths for legislative amendments.
IV. Japan's DFFT Framework and the APEC CBPR System
Beyond the CPTPP institutional framework, Taiwan has two important multilateral mechanisms it can actively leverage to align its data governance with international standards.
Japan's DFFT (Data Free Flow with Trust) framework was an initiative proposed by Shinzo Abe at the 2019 G20 Summit, with the core proposition that the free flow of data and the protection of privacy, security, and intellectual property are not in opposition — "trust" is the institutional foundation for sustainable free data flows. Japan has continuously promoted the institutionalization of DFFT across multilateral forums including the G7, G20, and WTO, and established the Institutional Arrangement for Partnership (IAP) for advancing DFFT during its hosting of the G7 in 2023. Taiwan's digital partnership with Japan has deepened rapidly in recent years, and Taiwan should actively seek to establish a bilateral data flow agreement with Japan under the DFFT framework, using substantive bilateral mechanisms to bridge multilateral alignment barriers.[6]
The APEC Cross-Border Privacy Rules (CBPR) system is the most important cross-border data flow certification mechanism in the Asia-Pacific region, requiring certified enterprises to comply with the APEC Privacy Framework and undergo certification review by an Accountability Agent (AA). Taiwan has participated in the APEC CBPR system since 2013, but the number of certified enterprises remains quite limited, and the system's actual operational effectiveness needs strengthening. Taiwan should expand its efforts to promote CBPR certification and explore establishing an institutional link between CBPR certification and the legal basis for cross-border transfers under the PDPA, providing businesses with a clear compliance pathway.[7]
V. Legislative Reform Recommendations: An Institutional Readiness Roadmap for CPTPP Accession
Based on the above analysis, this article proposes six priority actions for Taiwan's cross-border data flow legislative reform:
First, establish an independent Personal Data Protection Commission. This is the most fundamental and highest-priority institutional reform for the PDPA. An independent supervisory authority is not only a prerequisite for GDPR adequacy recognition but also the institutional foundation for demonstrating the credibility of Taiwan's personal data protection mechanism to CPTPP parties. The commission's design should ensure organizational, budgetary, and personnel independence from executive agencies, with adequate investigative, sanctioning, and international cooperation powers.[8]
Second, amend the PDPA's cross-border transfer provisions to establish a clear legitimacy framework. Modeled after GDPR Articles 44-49, Taiwan should establish an adequacy decision mechanism (recognizing that other countries' protection levels are comparable to Taiwan's), a standard contractual clauses regime, and explicit provisions using APEC CBPR certification as a legal basis for cross-border transfers, substantially reducing compliance uncertainty for businesses.
Third, conduct a systematic CPTPP compliance review of existing regulations. Led by the Ministry of Justice and the Ministry of Digital Affairs, a systematic CPTPP Chapter 14 compliance review should be conducted on all existing regulations involving data storage, processing, or transfer requirements, establishing a "non-conforming measures inventory" and assessing optimal paths for legislative amendments, exemption applications, or commitment schedule entries.
Fourth, actively promote a Taiwan-Japan digital flow agreement. Under the DFFT framework, negotiate a bilateral "Trusted Free Data Flow Agreement" with Japan, establishing a bilateral adequacy mutual recognition mechanism and leveraging it as an important diplomatic tool for garnering support from other CPTPP parties.
Fifth, strengthen substantive participation in APEC CBPR. Increase resources dedicated to promoting CBPR certification, set annual targets for the number of certified enterprises, and actively participate in discussions on upgrading the CBPR framework — particularly the ongoing CBPR Global expansion initiative — to secure Taiwan's greater voice in Asia-Pacific data governance institution-building.[9]
Sixth, establish a security exception list for government data flows. While opening cross-border data flows, establish a clear security exception list and handling protocols for specific categories such as critical infrastructure data, national security-sensitive data, and biometric data, ensuring that the baseline of digital sovereignty is not eroded by free trade commitments.[10]
Legislative reform of cross-border data flows may appear on the surface to be a technical legal amendment project, but in substance it represents a core choice about Taiwan's sovereignty positioning and international integration strategy in the digital era. Taiwan cannot avoid this institutional decision — the question is only whether it will proactively lead reform and establish institutional advantages for accession negotiations, or passively respond to external pressure and make hasty institutional concessions under unfavorable negotiating conditions. The depth of institutional readiness determines the strength of Taiwan's bargaining position at the negotiation table.
References
- Aaronson, S. A. (2022). Data Is Different: Why the World Needs a New Approach to Governing Cross-border Data Flows. Digital Policy, Regulation and Governance, 24(1), 44–57.
- European Commission. (2023). Adequacy Decisions: How the EU Determines if a Non-EU Country has an Adequate Level of Data Protection. Brussels: EC. ec.europa.eu
- European Data Protection Board (EDPB). (2022). Guidelines 05/2021 on the Interplay between the Application of Article 3 and the Provisions on International Transfers. Brussels: EDPB.
- Ministry of Justice (Taiwan). (2023). General Explanatory Notes on the Draft Amendments to the Personal Data Protection Act. Taipei: Ministry of Justice.
- CPTPP Secretariat. (2018). Comprehensive and Progressive Agreement for Trans-Pacific Partnership: Chapter 14 Electronic Commerce. mfat.govt.nz
- G7 Hiroshima Summit. (2023). G7 Digital Technical Track: Institutional Arrangement for Partnership on DFFT. Tokyo: Ministry of Internal Affairs and Communications.
- APEC. (2023). APEC Cross-Border Privacy Rules System: 2023 Progress Report. Singapore: APEC Secretariat. apec.org
- Personal Data Protection Commission Preparatory Office. (2024). Planning Report on the Establishment of the Personal Data Protection Commission. Taipei: Executive Yuan.
- CBPR Global. (2023). CBPR Global Forum: Expanding the APEC CBPR System to a Global Privacy Framework. Washington D.C.
- Burri, M. (2021). Big Data and Global Trade Law. Cambridge: Cambridge University Press. doi.org