Navigating data sovereignty: Lessons for Taiwan
Governments are paying growing attention to the concept of data sovereignty. This poses challenges for countries like Taiwan, whose economies have been built around open digital trade.
While there is no universally understood concept of ‘data sovereignty’, it generally encapsulates the idea that a jurisdiction should be able to decide the values and laws that apply to the storage, processing, and transfers of data of their own residents and companies. For some countries these laws would prioritise values like the protection of personal privacy and intellectual property – while other countries might insist instead on the ability for government agencies to easily access data for surveillance and law enforcement purposes.
The data sovereignty debate is clearly relevant to Taiwan. The country has its own distinctive philosophy and values regarding data, which neither correlates fully to European ideas of data protection nor to authoritarian values of surveillance. In the health sector, government programs such as MyData illustrate a desire to integrate and maximise the value of public datasets. Surveys suggest that many Taiwanese may value public safety more than individual privacy. However, this does not necessarily correlate to acceptance of governments’ data gathering for very different purposes. For example, the use of data from Taiwan’s 1922 SMS contact tracing system by the police during Covid for criminal investigations, which was not anticipated by the health sector, triggered significant concerns about the government’s respect for personal privacy.
Countries are taking different approaches to trying to protect data sovereignty. Many are trying to comprehensively regulate how data originating from their jurisdiction is treated. The EU has passed a significant number of laws governing data in recent years, covering everything from data protection, digital competition, online safety, rules to promote free dataflows and data sharing within Europe, and a range of cybersecurity laws. Taiwan has adopted its own versions of many of these initiatives, such as the Personal Data Protection Act (PDPA).
However, regulating when data is processed onshore is not especially effective for most countries, including Taiwan, given the globalised nature of the internet and the widespread use of cross-border data flows. Most democratic countries – including both Taiwan and the EU – are reliant on US providers of software services which process data. Cloud computing has further increased most countries’ dependence on these US services. For example, 90% of the EU’s data is managed by US companies – largely the three hyperscalers of Amazon, Microsoft and Google. This dependency could grow further if, as seems likely, cloud computing becomes one of the key ‘chokepoints’ in the supply chain for artificial intelligence. This poses particular risks for Taiwan given the high levels of digitisation of public agencies – which implies increasing use of US cloud services – and the government’s focus on stoking domestic innovation and economic growth in artificial intelligence in the private sector.
The general fear about foreign dependencies in data has been escalating in recent years. Whistleblower Edward Snowden’s leaks revealed the scale with which US intelligence agencies were reviewing data of foreign nationals. More recently, many countries became concerned that technological decisions made by Apple and Google largely dictated how Covid contact tracing solutions could work. More generally, there is a growing perception that the US – regardless of the outcome of the next election – increasingly sees international relationships as transactional and, therefore, might be more willing to use technological dependencies as leverage.
Governments increasingly accept, then, that domestic legal protections for data are nearly meaningless unless they apply when data is stored or processed overseas. This is a particular problem when US laws conflict with local ones. For example, the US CLOUD Act may require US cloud computing firms to hand over data of foreign nationals to US law enforcement officials – whatever the laws of that foreign country might say.
Different countries take different approaches to this dilemma. Many countries have passed ‘blocking statutes’, which prohibit firms from complying with foreign authorities’ demands for data. But this conflict of laws puts firms in an impossible position – and provides little assurance that the home country’s legal standards will be followed.
A common approach is to require that data moved offshore must be subject to at least the same protections as it is locally. For example, Europe’s General Data Protection Regulation (GDPR) only allows personal data to be sent offshore if special measures are in place to protect the data or if it is being sent to a country which the European Commission has decided provides an adequate level of personal data protection in its domestic law. Taiwan’s PDPA takes a similar but more open approach. By default, cross-border data transfers are allowed, except where they are specifically prohibited, for example, where a substantial interest of Taiwan is at stake or the receiving country inadequately protects personal data. Taiwanese authorities have used this provision sparingly, primarily to prohibit certain sensitive data from being transferred to China.
An approach which imposes conditions on cross-border data flows can pressure a country’s major trade partners to respect that country’s regulation of data – boosting data sovereignty. However, this approach works far better for large countries or blocs rather than small ones. The EU has only been able to insist on such standards because of the size of its market, which represents about 20-30% of most large US tech firms’ revenues. Even then, there are limits: while the US government has gone to significant lengths to meet EU standards for data protection, the CLOUD Act remains a bugbear in the EU-US relationship. Furthermore, the US has been unwilling to enact a federal privacy law, without which it seems likely that European courts will (again) stop the free flow of data between the EU and the US (those arrangements have been struck down as illegal twice already). Smaller countries like Taiwan, particularly given its security dependence on the US, would have even less leverage in trying to persuade the US to adopt its own standards.
An increasingly popular alternative is for countries to use industrial policy to support local alternatives to the US cloud computing giants. However, these policies – such as the EU’s attempt to boost interoperability between European cloud computing firms – have hardly been successful. The US hyperscalers succeeded by creating cloud computing services as side-projects from their main business lines, giving them the freedom to spend a long time building up a customer base with low-profit margins and the ability to immediately serve global customers by reusing their existing infrastructure. Taiwan, too, lacks tech firms with the same advantages.
If these unilateral, regulatory-driven approaches are not suitable for Taiwan, how else might it pursue digital sovereignty?
The best option open to might be to focus less on unilateral standard-setting and more on supporting multilateral approaches to data standards for cross-border data transfers. A number of initiatives are developing to help support cross-border data transfers (often designed with values to accommodate a range of like-minded, democratic countries). These include the Regional Comprehensive Economic Partnership (RCEP), the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, the G7’s Data Free Flow with Trust (DFFT) initiative, and the Comprehensive and Progressive Agreement for Trans-Pacific Partnership.
While Taiwan may not be able to be a member of all of these initiatives, the Cross Border Privacy Rules Forum is an example of an initiative in which Taiwan is already a participant. The real test is whether these initiatives can offer a meaningful alternative to the EU GDPR standards. GDPR’s standards tend to be the most rigorous, and many countries are moving closer towards them to obtain or retain free dataflows with Europe, given its large market.
The biggest challenge to a more multilateral approach may be the US. At the WTO, the Biden administration recently withdrew its support for rules that support free cross-border data flows and prohibit national requirements for data localisation on the basis that it considered the rules to restrict domestic policy space, in particular the ability for the US to regulate its technology firms. In doing so, the US aligned with China and against many other democratic countries such as the EU members, the UK, Japan, Singapore, Australia and New Zealand. However, this decision has been widely criticised and harms the interests of America’s own tech giants. It seems likely in the long run that the US will return to championing the freer flow of data across borders, at least within democratic countries.
To help push this model, Taiwan would need dialogue with the US to try to ensure their policies take Europe’s interests into account. To help build leverage in any discussions, Taiwan should look to cooperate and coordinate with international partners like the UK. This could boost the case for a path forward which represents a balance between values like privacy, law enforcement, and health promotion. Taiwan must also double down on becoming an indispensable tech partner to other countries. Ensuring a degree of mutual dependency with trading partners – for example, countering US dominance in software and cloud computing with Taiwan’s strong position in high-end chip manufacturing – offers the best way to avoid partners ignoring its interests.
As technology becomes one of the fault lines in the growing US-China rivalry, large blocs like the EU seem determined to forge their way in areas like data regulation. Taiwan will not have the luxury of imposing its own unilateral standards worldwide as the EU is trying to do. But it can work with like-minded countries to help preserve the benefits of open digital trade.
Zach Meyers is assistant director of the Centre for European Reform, where he works on EU competition policy, particularly in the digital sector. Prior to joining the CER, Zach spent over ten years as a competition and regulatory lawyer in Australia, the US and the UK.