📝 Conference Paper: You, Bo-Xiang (2023). Rescaling Privacy and Controls: Data Governance Regimes in The Cloud Service Industry. Presented at 2023 Taiwan Science, Technology & Society Association Annual Conference, Taipei, Taiwan: TWSTS, 2023-09.
This research examines how territorial imagination plays a role in grounding the global data governance regime in Taiwan, which involves multiple spatial expressions of digital sovereignty. Drawing from the theories in science and technology studies, political and legal geography, and political economy, I argue that (1) the conflicting government reform between trade-oriented liberalization and establishing the regulatory regime for data protection has resulted in slow progress and limited effectiveness in personal data protection; (2) the duality between aligning with international norms of data protection and restraining state intervention to avoid over-regulation urges the government to seek alternative measures in governing data flow; and, (3) with territorial imaginary at play, the performative interaction between the authority and enterprises articulate the flow of data across departments and jurisdictions. In this process, I identify two territorialization mechanisms: (1) de-territorializing personal data from personal privacy domains in the micro-level, and (2) re-territorializing it within the multi-layered and coherent data governance regime on the macro-level. Furthermore, I propose the concept of “interoperable sovereignty,” through which state enhances the interoperability of its data governance framework to promote the connectivity of the domestic digital economy. These results suggest us moving beyond the never-fulfilled promise of a borderless digital world but instead drawing attention to the multiple forms of power contestation in the digitals. This way, we may more precisely illustrate the clashes, friction, and integration between local trajectories and global digital governance.
Keywords: data sovereignty, global data governance, territoriality of data, interoperable sovereignty
To critically discern the role of the Taiwanese state in the tension between global data governance regimes and digital sovereignty agenda, I draw on the analytical concept of “imaginaries” from STS and legal studies with an additional focus on the spatial aspect. In this research framework, my conceptualization of imaginaries of data governance is built upon state’s sovereign exercises and corporate’s managerial arrangements for data protection investigation. Thus, it is necessary to contextualize these data governance practices within both the broader historical background and the prevailing bureaucratic and corporal conventions. The analysis of these efforts will be based on three types of qualitative methods from the following empirical sources:
Content Analysis
I conduct a content analysis of historical documents related to the Taiwanese government’s process of introducing data protection legislation. My materials include policy reports, legislative records, newspaper articles, and technical guidelines. These documents not only facilitate contextualizing the legal frameworks within Taiwan's political and economic development at the time but also allow for a critical examination of the territorial imaginaries of geopolitical and economic development embedded within them.
Individual And Focus-Group Interviews
To gain a clearer understanding of how data governance frameworks are technically implemented, the researcher conducted semi-structured interviews with IT engineers and legal experts responsible for ensuring data management compliance. These interviews analyzed how professionals interpret these regulations. Additionally, interviews were conducted with government officials responsible for data protection audits and technical experts entrusted with related tasks by the government. This approach aims to further explore how governmental and private sector understandings of data governance practice are coordinated or how they address potential conflicts.
Participatory Observation
As part of my research, I completed a nearly five-month internship (from Sep. 2023 to Jan. 2024) as a cloud architect at a cloud service company. During this internship, I was actively involved in designing and deploying information service architectures, which provided hands-on experience in information security and legal compliance related to personal data processing. In addition to observing activities within the company, I participated in several events focused on data governance. These events convened legal and technical experts from diverse industries, along with representatives from the public sector. Interactions with these professionals were incorporated into the study as a form of participatory observation. The collected materials included informal conversations with legal and technical personnel, observational notes from discussions and exercises on data governance issues, as well as personal insights and reflections derived from operational processes.
State-Led Data Protection and Regulatory Challenges
Taiwan's initial data protection laws emerged as a state-driven strategy to attract foreign investment and enhance regional competitiveness. Influenced by global trends, the government introduced the CPDPA (Computer-Processed Data Protection Act) to regulate data flows and mitigate risks such as fraud. However, strict regulatory measures faced significant challenges due to Taiwan's concurrent liberalization policies, which prioritized deregulation and reduced government intervention. The lack of administrative capacity and legal expertise further hindered the comprehensive implementation of data protection, making it a secondary concern for regulatory authorities.
Tensions Between State Transformation and Data Governance
The institutionalization of data protection in Taiwan reflects broader conflicts between developmental statehood and neoliberal reform. Effective state intervention could foster industry self-regulation and reduce administrative burdens, but weak legal frameworks and enforcement mechanisms led to skepticism from the private sector. Taiwan's transition from authoritarian rule to democracy further complicated regulatory efforts, as past human rights violations created public distrust, limiting the government's ability to enforce stringent data protection policies without resistance.
Regulatory Techniques and the Changing Role of the State
Data protection policies in Taiwan were shaped by an industrial development vision linked to regional economic integration. However, geopolitical constraints and evolving digital economies disrupted this vision, undermining the legitimacy of regulatory techniques. The government had to adapt its regulatory approach by reimagining data governance frameworks to align with the realities of the internet society. This shift required new intervention paradigms that balanced state control with market-driven regulatory strategies, reflecting Taiwan's broader struggle to redefine its role in global data governance.
Performative Territoriality and the Governance of Data Flow
The exercise of digital sovereignty does not solely rely on controlling data flows but on constructing territorial imaginaries through governance practices. Governments and corporations engage in performative interactions—through security certifications, compliance audits, and adequacy assessments—to maintain legitimacy in data governance. This process balances regulatory control with global data circulation norms, ensuring that data protection aligns with international standards while fostering an environment where personal data can function as an economic resource within a multi-layered, overlapping digital territory.
The Micro-Territoriality: Data Governance within Organizations
At the micro level, states shape the territorial boundaries of data protection by defining "individual privacy" and determining which data falls under regulatory oversight. However, private entities counteract this territorialization by employing techniques like encryption and statistical aggregation to de-territorialize data from privacy domains, extracting economic value from anonymized datasets. This interplay between regulation and corporate practice illustrates how data protection is both a legal framework and a territorial construct, where governance is performed through compliance tools such as system logs and de-identification technology, rather than direct state intervention.
The Macro-Territoriality: Sovereign and Corporate Data Regimes
On a macro scale, digital sovereignty extends beyond national borders through legal and technical frameworks that regulate cross-border data flows. Governments use certification systems (e.g., Taiwan’s TPIPAS) to establish regulatory adequacy and redefine territorial boundaries for data governance, making them flexible yet geopolitically significant. Meanwhile, corporations leverage legal instruments such as BCRs and SCCs to re-territorialize their control over data, ensuring compliance with multiple jurisdictions. This dual territorialization—by both states and businesses—creates a fluid and overlapping digital space where sovereignty is negotiated rather than strictly imposed.
