Taiwan’s government has flagged Chinese streaming and social apps — including iQIYI, Bilibili, and Xiaohongshu — as high-risk data collection tools, but possesses limited legal instruments to restrict individual access. The National Communications Commission (NCC) barred local agents from carrying Chinese over-the-top (OTT) streaming services in 2019, with the Ministry of Economic Affairs tightening those rules in December 2020, yet neither measure prevents Taiwanese users from downloading and using the apps directly.
Crystal Ying-Fang Tu of Taiwan’s Institute for National Defense and Security Research (INDSR) says the platforms’ opaque data terms and embedded entertainment ecosystems make meaningful enforcement politically and technically difficult. The gap between what Taipei warns and what it can legally compel is the real story.
Taiwan’s regulators can name the threat. What they cannot easily do is stop it. On May 28, 2026, Taiwan’s government issued fresh public warnings about Chinese mobile apps collecting sensitive user data — but the legal architecture underpinning those warnings remains thin. The NCC’s 2019 order and the Ministry of Economic Affairs’ December 2020 regulatory amendment both targeted Chinese OTT operators working through Taiwanese intermediaries. Neither touches the individual who downloads iQIYI directly from an app store.
That distinction matters enormously. Crystal Ying-Fang Tu, assistant research fellow at INDSR, argues that apps like iQIYI and Bilibili do not function as standalone products — they represent entire entertainment ecosystems, complete with drama fandoms, livestreaming communities, and social identity, spanning multiple age groups across Taiwan. Banning a distribution agent does not dislodge an ecosystem.
Taiwan’s Personal Data Protection Act sets consent and purpose-limitation rules but offers no extraterritorial reach over how Chinese platforms process Taiwanese users’ data on servers in mainland China — where China’s 2017 National Intelligence Law can compel companies to hand data to state authorities on demand. The legal gap is not an oversight. It reflects a structural problem that no public advisory can close.
What Taiwan has done — and where the rules stop
The NCC’s 2019 order directed telecom operators and broadcasters to stop carrying iQIYI and Tencent Video via local agents, citing national security and licensing concerns. Taiwan’s Ministry of Economic Affairs then amended regulations in December 2020 to bar Chinese OTT operators from providing services through any Taiwanese company or agent — a tightening that closed one commercial pathway while leaving direct consumer access entirely open.
Tu told TaiwanPlus that Chinese app terms and conditions are frequently designed to obscure what data is actually collected — either through deliberate complexity or vague categorisation. Device identifiers, IP addresses, location data, contact lists, browsing logs, and in-app behaviour are among the standard collection categories. For apps with interactive features, facial images and voice data are also common. Most users, Tu argues, have no practical way to know the full scope of access they have granted.
The jurisdictional ceiling is equally clear. Tu noted that pursuing formal legal action against Chinese platforms has proven difficult even in cases like Xiaohongshu, where public concern was significant. The government’s realistic goal, she said, is awareness-raising — not enforcement.
| Jurisdiction | Current framework | Scope | Key limitation |
|---|---|---|---|
| Taiwan | NCC broadcast/OTT licensing rules; Personal Data Protection Act | Bars Chinese OTT services via local agents; no direct consumer ban | No extraterritorial reach over offshore data processing |
| European Union | GDPR; Digital Services Act; Digital Markets Act (both in force 2024) | Applies to all large platforms including TikTok; fines up to 10% of global turnover | Enforcement proceedings slow; no outright ban on consumer use |
| United States | No TikTok on Government Devices Act (signed December 2022); OMB guidance (February 2023) | Removes TikTok from federal government devices; no nationwide consumer ban | Device-restriction model only; private use unrestricted |
| Australia | Government-device ban; general security and consumer law | TikTok banned on official devices; guidance classifies certain foreign apps as high-risk | No comprehensive platform-agnostic privacy regime |
The regulatory gap no one has solved
Taiwan is not alone in this bind, but its exposure is sharper than most. The European Union’s combination of GDPR, the Digital Services Act (DSA), and the Digital Markets Act (DMA) — all applying to large platforms from 2024 — creates a horizontal, platform-agnostic regime with teeth: fines of up to 6% of global annual turnover under the DSA and 10% under the DMA for non-compliance. The United States and Australia have both implemented government-device bans and issued high-risk classifications for certain foreign apps, but neither has a comprehensive consumer-facing framework either.
What distinguishes Taiwan is the cross-strait dimension. Paul Triolo, senior associate at the Center for Strategic and International Studies (CSIS), has noted that Taiwan views data flowing through Chinese platforms as part of a broader security challenge, but must balance that concern against maintaining an open digital economy. Kharis Templeman at Stanford’s Hoover Institution has argued that Taiwan’s problem stems from deep economic and cultural interdependence with mainland content — meaning regulators must focus on resilience rather than expecting clean separation.
Analysts at the Australian Strategic Policy Institute (ASPI) have described Taiwan as a test case for democratic societies that depend on yet mistrust Chinese digital infrastructure, noting that fragmented regulations leave significant exposure unless paired with stronger regional data-governance cooperation. The pattern across all jurisdictions is consistent: warnings are easy; enforceable platform obligations are not.
Watch for Taiwan’s Executive Yuan or NCC publishing draft amendments to the Personal Data Protection Act or new cross-border data transfer rules — expected within the 2025–2026 legislative term. If those amendments arrive, Taipei is moving from soft warnings toward hard regulation. If they do not, public advisories and piecemeal sectoral bans remain the ceiling.
Beyond the headline
The power behind it
Control over Chinese apps in Taiwan ultimately rests less with Taipei’s regulators than with Beijing’s legal and technical leverage over its own platforms. Chinese data and intelligence laws give mainland authorities latent access to information flowing through entertainment ecosystems Taiwanese users see as benign. That asymmetry means corporate product decisions in Beijing and political calculations in Zhongnanhai shape Taiwan’s digital exposure more than any guidance issued by Taipei’s ministries.
What isn’t being said
Much of the official discussion focuses on abstract “data” without confronting how cultural dependence on Chinese content narrows Taiwan’s room for manoeuvre. When users rely on mainland platforms for daily entertainment, fandom communities, and social identity, any hard restrictions risk domestic backlash that political leaders prefer to avoid. The unspoken reality is that soft-power addiction to these ecosystems may be as strategically consequential as the data they collect.
The reach
One under-appreciated actor in this story is the global advertising industry, which increasingly buys targeted campaigns across Chinese video and social apps to reach overseas Chinese-speaking audiences. That ad spend encourages platforms to deepen cross-border data integration and profiling, indirectly extending Beijing-linked data regimes into foreign markets. For Western media and brands, this creates a quiet dependence on metrics and audiences mediated by opaque Chinese systems.
Taiwan’s app security gap: what it means for you
With Taiwan lacking a comprehensive legal framework to regulate Chinese apps at the platform level, and with Beijing’s intelligence laws applying to data regardless of where it is collected, the exposure extends well beyond Taiwan’s borders.
- Business travellers and executives
If you operate in Taiwan or with Taiwanese partners, assume that Chinese entertainment apps on any shared or personal device used in professional contexts create a data-exposure risk governed by Chinese law, not Taiwanese or European law. Review your organisation’s device policy before travel — the considerations around digital privacy and Chinese legal jurisdiction apply directly here. Corporate legal and compliance teams should audit whether any marketing or data partnerships touch Chinese platforms.
- Western marketers and media buyers
Advertising campaigns targeting Chinese-speaking diaspora audiences through platforms like iQIYI or Bilibili may expose your brand’s audience data — and your campaign metrics — to systems operating under Chinese data law. EU GDPR standard contractual clauses do not resolve this exposure when the data is processed on mainland Chinese servers. Review your agency’s platform selection criteria against your data-transfer compliance obligations.
- Policy watchers and investors
The signal to watch is whether Taiwan’s Executive Yuan or NCC publishes draft Personal Data Protection Act amendments before the end of the current legislative term. A move toward platform-agnostic obligations would represent a structural shift in how democratic governments in the Indo-Pacific manage Chinese digital infrastructure — with potential knock-on implications for how the EU benchmarks its own DSA enforcement against Chinese platforms. The European Commission’s Digital Services Act package is the closest existing model worth tracking for comparison.
FAQ
Can Taiwan legally ban Chinese apps like iQIYI or Bilibili for individual users?
Not under current law. Taiwan’s NCC can restrict Chinese OTT services from operating through local agents or broadcasters, but has no legal mechanism to prevent individuals from downloading or accessing apps directly. Taiwan’s Personal Data Protection Act does not provide extraterritorial authority over how Chinese platforms process user data on servers in mainland China.
What makes Chinese app data collection different from Western platforms?
Chinese platforms operate under China’s Data Security Law, Personal Information Protection Law, and the 2017 National Intelligence Law, which can compel companies to share data with state security agencies. Unlike EU-regulated platforms subject to GDPR consent and transfer rules, or US platforms under state privacy laws, Chinese apps face no equivalent obligation to resist government data requests.
Does using iQIYI or Bilibili outside Taiwan or China still carry data risks?
Yes. Global versions of these apps may route data through mainland Chinese servers, bringing that data within reach of Chinese intelligence law regardless of where the user is located. Western users — including those in the EU — have limited legal recourse if their data is accessed by Chinese authorities through this mechanism, as GDPR enforcement does not extend to Chinese government action.
What is Taiwan waiting for before tightening its app regulations?
Watch for draft amendments to Taiwan’s Personal Data Protection Act or new cross-border data transfer rules from the Executive Yuan or NCC, expected within the 2025–2026 legislative term. Analysts also point to EU DSA enforcement actions against Chinese platforms as a potential benchmark that could give Taiwanese regulators political and legal cover to impose stricter platform-level obligations.
What practical steps can ordinary users take to reduce their exposure?
Deny non-essential app permissions including contacts, precise location, and microphone access. Avoid linking accounts via Facebook or Google. Use a separate email address and weakly associated phone number for Chinese app accounts. The most effective measure is isolating these apps on a secondary device with no corporate data access and minimal personal information stored on it.




