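Second Prize / 連浩鈞 / On the Construction of Taiwan's Cross-Border Data Transfer Legal Framework and the Personal Data Protection Commission in Response to the GDPR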

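Name: 連浩鈞
Award: Second Prize
Education and experience: Graduate Institute of Law, National Chengchi University, Public Law Group B
Work: On the Construction of Taiwan's Cross-Border Data Transfer Legal Framework and the Personal Data Protection Commission in Response to the GDPR
─ Starting from the CJEU's Two Judgments, Schrems I and Schrems II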
     
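Abstract of the work: The EU enacted the GDPR in 2016, and it took effect in 2018. Owing to the "Brussels effect" produced by the "extraterritorial effect" of Article 3, countries began to attach importance to harmonizing their domestic law with GDPR standards, hoping to obtain as early as possible an "adequacy decision" (Adequacy Decisions) from the European Commission under Article 45 and thereby strike a balance between protecting the right to privacy and the free cross-border flow of data. However, in its two judgments, Schrems I in 2016 and Schrems II in 2020, the CJEU set a very high threshold of privacy protection for third-country "adequacy decisions" on the basis of the Charter of Fundamental Rights of the European Union, causing turbulence in data governance law worldwide.

Because of its trade dependence on the EU and its industrial structure of small and medium-sized enterprises, Taiwan cannot ignore this trend in international standards. This article therefore takes the two CJEU judgments, Schrems I and Schrems II, as its point of departure and observes the new developments in the EU's "adequacy decisions" for South Korea and the United States after the judgments were delivered. It uses these observations to comment on the draft Organizational Act of the Personal Data Protection Commission and the draft amendments to certain articles of the Personal Data Protection Act proposed by the Executive Yuan on March 27, 2025, in the hope that Taiwan can obtain an "adequacy decision" from the European Commission as early as possible and reduce enterprises' legal compliance costs.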

 

Abstract

The EU adopted the GDPR in 2016, and it entered into force in 2018. Because of its extraterritorial effects under Article 3, many states began to focus on harmonizing their domestic laws with the GDPR standard, in the expectation of obtaining “Adequacy Decisions” from the EU Commission under Article 45. The ultimate purpose is to maintain the balance between the protection of the right to privacy and the demands of cross-border data transfer. However, the CJEU has delivered two judgments, Schrems I in 2016 and Schrems II in 2020, which set high standards of legal review for granting “Adequacy Decisions” to third states and sent shockwaves through the law of data governance globally.

 

Because of the trade interdependence between Taiwan and the EU, and Taiwan's industrial structure of small and medium-sized enterprises, we cannot ignore the above-mentioned trends. Therefore, this article takes the Schrems I and II judgments as its starting point and observes the new developments in the “Adequacy Decisions” granted by the EU to South Korea and the US. These observations lead this article to comment on the “Draft of the Organizational Act of the Personal Data Protection Commission” and the “Draft of the Amendment of the Personal Data Protection Act” issued by the Executive Yuan on March 27, 2025. This article hopes that Taiwan can obtain an “Adequacy Decision” from the EU early, in order to decrease the cost of legal compliance for enterprises.

Keywords

EU, GDPR, Adequacy Decisions, CJEU, Right to Privacy, Personal Data Protection Commission, Personal Data Protection Act