In late May, Taiwan’s Ministry of Digital Affairs released the results of its cybersecurity inspection of several Chinese application services. Among them, Amap, a navigation app that has sparked public debate in Taiwan over the past few months, was found to have the highest number of risk items. According to the ministry’s investigation and The Reporter’s own testing, Amap, which is affiliated with China’s Alibaba Group, was found to transmit personal data back to servers in China even when the app was closed.

In response to this issue, You-Hao Lai, Deputy Director of the Democratic Governance Program at the Research Institute for Democracy, Society and Emerging Technology (DSET), recently published an op-ed in The Reporter analyzing the personal data governance and democratic defense challenges revealed by the Amap cybersecurity controversy. Lai noted that Amap is not an isolated cybersecurity incident, but part of a broader data processing pattern commonly seen among Chinese digital services. The case highlights the risks of data outflow and authoritarian data governance posed by Chinese digital services, and the urgent need for Taiwan to strengthen its personal data protection framework and build a democratic defense mechanism that balances national security, information freedom, and the rule of law.

The op-ed builds on the analysis in DSET’s January report, “The Authoritarian Gaze: China’s Global Data Reach and the Systemic Risks to Democracy”, authored by Lai. After reviewing the privacy policies of ten Chinese generative AI services, the report found that Chinese digital services often create institutional channels through which user data can flow to China, including domestic data storage in China, intra-group data sharing, and compliance with government requests for data under Chinese law.

The article analyzes the distinctly party-state-dominated nature of China’s data governance system. Under China’s national security, intelligence, and data-related legal frameworks, the Chinese government may require companies under its jurisdiction to provide data on grounds such as security, intelligence, or counter-espionage. Once Chinese application services gain access to large amounts of user data, such data may be transformed into strategic intelligence assets accessible to the Chinese government.

Lai pointed out that the location data, device information, search records, and travel histories collected by Amap, when accumulated and cross-analyzed over time, could be sufficient to map individuals’ movements, lifestyles, and behavioral patterns, creating risks to privacy, personal safety, and intelligence infiltration for targeted individuals. More concerningly, when such data is used for group-level analysis and model training, it may also help external actors understand Taiwan’s traffic flows, activity patterns around critical infrastructure, movement patterns of people and logistics, and regional population aggregation patterns, thereby further affecting Taiwan’s overall territorial defense advantages.

Regarding shortcomings in the current legal framework, the op-ed notes that although the Ministry of Digital Affairs has designated Amap as a “product that endangers national cybersecurity” under the Cyber Security Management Act and banned its use by government agencies, the Act mainly applies to government bodies and certain critical infrastructure providers. It is therefore still insufficient to fully address the challenges posed by Amap’s circulation in the consumer market, where it can widely collect ordinary users’ data and transmit it to China. As a result, the key to institutional reform lies in overhauling the cross-border data transfer governance framework under the Personal Data Protection Act.

Lai argues that Taiwan should first clearly bring overseas Chinese digital service providers under the jurisdiction of the Personal Data Protection Act, so that foreign providers such as Amap at least bear basic obligations under Taiwan’s personal data protection laws, including consent for data collection and use, and data minimization. To avoid an overly broad regulatory scope, the op-ed suggests that Taiwan could refer to the EU’s approach and determine applicability based on whether a service clearly “targets Taiwan users.” In Amap’s case, its privacy policy explicitly covers Taiwan users and provides Chinese and Cantonese services, showing a clear intention to enter Taiwan’s consumer market. Regulators should no longer overlook its data governance responsibilities.

The op-ed further recommends that Taiwan establish, through legislative reform, a digital service “entry review” mechanism, making continued compliance with Taiwan’s laws a basic condition for operating in Taiwan. For service providers that collect sensitive data or data above a certain scale, Taiwan should establish a baseline obligation that, in principle, prohibits the transfer of Taiwan users’ data to China. For suppliers registered in China or substantively controlled by Chinese companies, their direct connection to an authoritarian legal jurisdiction means they should be subject to stricter requirements for data storage, processing, operations, maintenance, compliance, and audits, in order to demonstrate that they can effectively reduce personal data and cybersecurity risks.

For overseas providers that continue to violate the rules and refuse to cooperate, Lai also argues that Taiwan needs to establish third-party cooperation mechanisms and preserve the possibility of app removal as a last-resort measure. However, the article emphasizes that the use of such tools must strictly comply with legal reservation, due process, judicial remedies, and the principle of proportionality, so as to avoid excessive restrictions on the free flow of information that democratic societies value, even while defending against authoritarian infiltration.

Lai concluded that, in the face of techno-national security risks posed by Chinese digital services, democratic societies should not respond only through case-by-case bans. Instead, they should establish a governance framework grounded in constitutional democracy and the rule of law. Beyond institutional reform, citizens should also proactively review app permissions, read privacy policies, understand who provides the service, where data is stored, and with whom it is shared, and carefully assess whether to use high-risk information and communications technology products. Only by combining legal reform with civic awareness can Taiwan maintain the values of an open society while closing the democratic defense gap against digital authoritarian infiltration.