
Foreign-Invested Apps and Taiwan’s Cybersecurity Blind Spot

05.05.2026


The data generated by millions of Taiwanese users – their movement patterns, consumption habits, and delivery addresses – is increasingly spread among numerous foreign investors, including companies from China.

Food delivery platforms like Uber Eats, foodpanda, and Grab have quietly woven themselves into the fabric of daily urban life. The promise is simple: a hot meal at your door without the effort of cooking. What users rarely see, however, is the vast data infrastructure humming beneath each transaction.

Every order placed sets off a chain reaction: location data is captured, routes are calculated in real time, algorithms quietly profile consumer preferences, and systems scale dynamically to absorb surges in demand. The architecture of a food delivery platform is, in essence, a sophisticated data machine. 

To call them “apps” is to profoundly underestimate what they have become. These platforms now operate as de facto urban infrastructure, orchestrating city logistics, monitoring economic activity in real time, managing vast and precarious labor forces, and controlling the distribution channels through which millions of people access goods and services daily.

The foreign ownership of what has effectively become critical urban data infrastructure is a problem with which governments across Asia are only beginning to reckon. Taiwan presents a telling example. The dominant food delivery and mobility platforms operating in the country carry significant foreign investment, yet they collect granular data on the movement, preferences, and economic activity of millions of Taiwanese residents every day. 

As cross-strait tensions persist and data governance rises up the global policy agenda, the question of who owns, accesses, and ultimately controls this information demands serious scrutiny. Yet Taiwanese law does not presently recognize such platforms as critical infrastructure. Given Taiwan’s geopolitical exposure, that gap is one it can ill afford.

Taiwan’s Grab-foodpanda Acquisition: A Case Study of Vulnerability to Data Exposure

The recent acquisition of foodpanda by Grab serves as an instructive example. In March 2026, Grab announced the acquisition of foodpanda in Taiwan for $600 million in cash, marking its first expansion beyond Southeast Asia. Foodpanda’s operations span 21 cities in Taiwan and generated around $1.8 billion in gross merchandise value in 2025, embedding the platform deep into the rhythms of Taiwanese urban life. If the deal goes through, Grab will hold a market share of just over 50 percent, with Uber Eats as its only major competitor.

What makes this particularly significant is the transfer of data custodianship it entails. The migration of all users, merchants, and drivers to Grab’s platform is expected to be completed by early 2027, meaning the movement, consumption, and labor data of millions of Taiwanese will soon flow through a Singapore-headquartered superapp with a complex web of international investors.

Grab’s complex investor structure, which includes significant Chinese capital, deserves closer scrutiny. In 2017, Didi Chuxing, China’s dominant ride-hailing platform, led a $2 billion investment round into Grab alongside SoftBank, establishing a strategic foothold in Grab that persists to this day. More recently, the connections have deepened: a 2025 MoU with Huawei’s Petal Maps formalized a mapping data partnership; a strategic investment from Chinese autonomous driving firm WeRide followed months later; and in January 2026, Grab acquired Infermove, a Chinese AI robotics developer, to support its delivery operations.

Taken together, these linkages in themselves do not indicate undue influence or control. Grab is, after all, a publicly listed Singapore-headquartered company operating within established commercial and regulatory frameworks. Yet, the cumulative picture they paint is analytically significant. 

What is emerging is not a simple investor-investee relationship, but a layered technological architecture in which Chinese companies increasingly provide Grab’s core operational infrastructure. Huawei’s Petal Maps supplies the mapping layer, receiving real-time Southeast Asian urban data in return. WeRide, backed by China Development Bank, a direct state policy institution, provides the autonomous mobility layer. Infermove, nominally founded in California but with its R&D and manufacturing anchored in Beijing and Suzhou, supplies the last-mile robotics layer. Its delivery robots are already deeply integrated with Meituan, Alibaba’s Ele.me, and JD.com’s Dada, the backbone of China’s domestic urban logistics ecosystem.

No single partnership constitutes a smoking gun. However, in Taiwan’s case, the concern is less about data ownership than about data exposure – how data generated domestically may interact with systems, partners, or infrastructures beyond its regulatory reach. This distinction matters. Ownership is a legal question that existing corporate law can, in principle, address. Exposure is a structural question. It concerns the pathways through which data flows once a platform’s technology stack spans multiple jurisdictions, regulatory environments, and corporate relationships with varying degrees of transparency.

As Grab scales into Taiwan and integrates mapping, autonomous mobility, and AI-driven logistics into a single operational platform, the boundaries between commercial data flows and strategically relevant information become progressively harder to........

© The Diplomat