AI Regulation Tracker / Legislation enacted
Taiwan amends its PDPA and creates an independent Personal Data Protection Commission
Taiwan passed a Personal Data Protection Act amendment and a law creating a standalone Personal Data Protection Commission. Any firm that processes personal data with AI now answers to a dedicated regulator with enforcement powers.
Taiwan has done what its privacy lawyers had asked for over a decade. It built a single, independent regulator for personal data. The Personal Data Protection Act amendment passed its third reading in the Legislative Yuan on June 17, 2025, and a companion statute, the Personal Data Protection Commission Organization Act, creates a standalone Personal Data Protection Commission (PDPC) to enforce it. The Executive Yuan had approved both drafts on March 27, 2025.
The change matters less for any single new rule and more for who now holds the power to make and enforce them. For years, responsibility for personal data in Taiwan sat with individual ministries and sector regulators, each governing the data inside its own patch. That worked poorly for a technology that ignores those boundaries. AI systems trained on personal data pull from many sources at once, and no single authority owned the whole picture. The PDPC is designed to close that gap.
What the commission is for
The PDPC is intended to complete what Taiwan previously lacked, an independent supervisory body with its own enforcement authority for the age of AI applications. That phrasing, drawn from the Executive Yuan's own description of the reform, is the point of the exercise. A framework law without a dedicated enforcer tends to sit unused. A commission with staff, a mandate, and the power to act does not.
For organizations, the practical shift is the arrival of one accountable regulator. A firm running AI on customer records, applicant data, or patient information no longer faces a diffuse set of overlapping authorities. It faces the PDPC.
That consolidation carries a second effect that firms should not miss. A dedicated commission tends to build institutional memory, publish reasoning, and act with a consistency that scattered ministry desks rarely achieve. Companies that have grown used to quiet, uneven enforcement of Taiwan's data law should plan for a more attentive and better-resourced counterpart. The reform also aligns Taiwan with the wider international pattern in which personal data sits under a single named authority rather than being treated as an afterthought inside sector rules.
The AI-specific guidance is still forming
The commission's remit is understood to include issuing data-minimization principles and guidance for AI use, the idea being that a system should collect and retain only the personal data it genuinely needs. That direction is consistent with how independent data authorities elsewhere have approached machine learning.
The specific content of that AI guidance is still developing and has not been published in final form. Professionals should treat the detailed AI rules as forthcoming rather than settled. What is settled is the institution and its authority. What that institution will require of an AI training pipeline, in operational terms, is the part to watch.
Data minimization, if it becomes the commission's operating principle, cuts against the instinct that drives much AI development, which is to gather as much data as possible and decide later what is useful. A regulator that asks a controller to justify each category of personal data it feeds a model, and to delete what it cannot justify, changes how teams design their pipelines from the start. Firms would be prudent to document the purpose behind each data field they train on, since that is the kind of record an independent commission is likely to ask for.
What it does not do
This reform does not, by itself, ban any AI use case or set out a schedule of AI-specific penalties. It is an institutional and enforcement change layered onto Taiwan's existing personal-data law, not a bespoke AI statute. Firms should not read it as a green light or as an immediate new compliance checklist. They should read it as the creation of the body that will write and enforce the checklist.
The cross-border angle
For a United States firm, the reform is a signal about interoperability. By building a GDPR-style independent data-protection authority, Taiwan moves closer to the model the European Union expects of jurisdictions it considers for adequacy, the status that eases cross-border data transfers. That is directly relevant to any company moving Taiwan-connected personal data across borders to train or operate AI, because an independent regulator is precisely the institution such transfer regimes look for. A US firm with operations, customers, or data flows touching Taiwan should expect a more capable and more visible counterpart on data matters than it dealt with before.
The immediate action is unglamorous and worth doing early. Know where your Taiwan-linked personal data lives, how your AI systems touch it, and who inside your organization owns that answer. The regulator now exists. Its detailed expectations will follow.
Frequently Asked Questions
What exactly did Taiwan change?
It amended the Personal Data Protection Act, which passed third reading on June 17, 2025, and enacted the Personal Data Protection Commission Organization Act to create a standalone Personal Data Protection Commission. The Executive Yuan approved both drafts on March 27, 2025.
Who is affected?
Any organization that processes personal data connected to Taiwan, including firms that build or deploy AI on personal data. Banks, insurers, healthcare providers, employers, and technology companies now answer to a single independent regulator rather than a patchwork of ministries.
Are there AI-specific rules in force now?
Not in final form. The commission's remit is understood to include data-minimization guidance for AI use, but the specific content of that guidance is still developing. Treat the detailed AI rules as forthcoming.
Why should a US firm care?
Taiwan is building a GDPR-style independent data-protection authority, which is relevant to European Union adequacy discussions and to cross-border data transfers for AI training. US firms handling Taiwan-linked personal data now face a dedicated regulator on those transfers.
Sponsored Training
Browse the full AI Regulation News tracker
Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.