Food delivery platforms like Uber Eats, foodpanda, and Grab have quietly woven themselves into the fabric of daily urban life. The promise is simple, a hot meal at your door without the efforts of cooking. What users rarely see, however, is the vast data infrastructure humming beneath each transaction. 

Every order placed sets off a chain reaction: location data is captured, routes are calculated in real time, algorithms quietly profile consumer preferences, and systems scale dynamically to absorb surges in demand. The architecture of a food delivery platform is, in essence, a sophisticated data machine. 

To call them “apps” is to profoundly underestimate what they have become. These platforms now operate as de facto urban infrastructure, orchestrating city logistics, monitoring economic activity in real time, managing vast and precarious labor forces, and controlling the distribution channels through which millions of people access goods and services daily.

The foreign ownership of what has effectively become critical urban data infrastructure is a problem with which governments across Asia are only beginning to reckon. Taiwan presents a telling example. The dominant food delivery and mobility platforms operating in the country carry significant foreign investment, yet they collect granular data on the movement, preferences, and economic activity of millions of Taiwanese residents every day. 

As cross-strait tensions persist and data governance rises up the global policy agenda, the question of who owns, accesses, and ultimately controls this information demands serious scrutiny. Yet Taiwanese law does not presently recognize such platforms as critical infrastructure. Given Taiwan’s geopolitical exposure, that gap is one it can ill afford.

Taiwan’s Grab-foodpanda Acquisition: A Case Study of Vulnerability to Data Exposure

The recent acquisition of foodpanda by Grab serves as an instructive example. In March 2026, Grab announced the acquisition of foodpanda in Taiwan for $600 million in cash, marking its first expansion beyond Southeast Asia. Foodpanda’s operations span 21 cities in Taiwan and generated around $1.8 billion in gross merchandise value in 2025, embedding the platform deep into the rhythms of Taiwanese urban life. If the deal goes through, Grab will hold a market share of just over 50 percent, with Uber Eats as its only major competitor.

What makes this particularly significant is the transfer of data custodianship it entails. The migration of all users, merchants, and drivers to Grab’s platform is expected to be completed by early 2027, meaning the movement, consumption, and labor data of millions of Taiwanese will soon flow through a Singapore-headquartered superapp with a complex web of international investors.

Grab has a complex investor structure, which includes significant Chinese capital, deserving closer scrutiny. In 2017, Didi Chuxing, China’s dominant ride-hailing platform, led a $2 billion investment round into Grab alongside SoftBank, establishing a strategic foothold in Grab that persists to this day. More recently, the connections have deepened: a 2025 MoU with Huawei’s Petal Maps formalized a mapping data partnership; a strategic investment from Chinese autonomous driving firm WeRide followed months later; and in January 2026, Grab acquired Infermove, a Chinese AI robotics developer, to support its delivery operations.

Taken together, these linkages in themselves do not indicate undue influence or control. Grab is, after all, a publicly listed Singapore-headquartered company operating within established commercial and regulatory frameworks. Yet, the cumulative picture they paint is analytically significant. 

What is emerging is not a simple investor-investee relationship, but a layered technological architecture in which Chinese companies increasingly provide Grab’s core operational infrastructure. Huawei’s Petal Maps supplies the mapping layer, receiving real-time Southeast Asian urban data in return. WeRide, backed by China Development Bank, a direct state policy institution, provides the autonomous mobility layer. Infermove, nominally founded in California but with its R&D and manufacturing anchored in Beijing and Suzhou, supplies the last-mile robotics layer. Its delivery robots are already deeply integrated with Meituan, Alibaba’s Ele.me, and JD.com’s Dada, the backbone of China’s domestic urban logistics ecosystem.

No single partnership constitutes a smoking gun. However, in Taiwan’s case, the concern is less about data ownership but about data exposure – how data generated domestically may interact with systems, partners, or infrastructures beyond its regulatory reach. This distinction matters. Ownership is a legal question that existing corporate law can, in principle, address. Exposure is a structural question. It concerns the pathways through which data flows once a platform’s technology stack spans multiple jurisdictions, regulatory environments, and corporate relationships with varying degrees of transparency. 

As Grab scales into Taiwan and integrates mapping, autonomous mobility, and AI-driven logistics into a single operational platform, the boundaries between commercial data flows and strategically relevant information become progressively harder to delineate. The data generated by millions of Taiwanese users – their movement patterns, consumption habits, delivery addresses, and urban routines – would not sit in isolation. It enters a system whose component parts are built, trained, and in some cases funded by entities operating under legal frameworks that may compel cooperation with state authorities in ways that Taiwan’s own regulators have no visibility into, let alone jurisdiction over.

The deeper question this raises is whether Taiwan’s existing policy frameworks are equipped to govern platforms that have quietly assumed the characteristics of critical infrastructure, without ever being designated as such.

Addressing Taiwan’s Limits in Critical Infrastructure Regulations  

Taiwan’s approach to critical infrastructure protection is, in many respects, admirably serious. The passage of the Cybersecurity Management Act in 2018 established legal obligations for government agencies and critical infrastructure providers to maintain cybersecurity standards, and the framework has been progressively strengthened since. 

In May 2025, Taiwan launched the seventh phase of its National Cybersecurity Development Program, allocating NT$8.8 billion over four years toward countering intensifying cyber campaigns, expanding public-private coordination, and introducing AI tools for early threat detection. President Lai Ching-te has repeatedly framed cybersecurity as inseparable from national security, and the institutional architecture to match that rhetoric is gradually being built.

Yet, the framework contains a structural blind spot that the rise of platform services has exposed. Taiwan’s designated critical infrastructure spans eight fields: energy, water resources, telecommunications, transportation, banking and finance, emergency services, government systems, and high-tech parks. This taxonomy was designed for an era of fixed, identifiable infrastructure. It does not contemplate the possibility that a private platform coordinating food delivery, urban mobility, and last-mile logistics across 21 cities could constitute infrastructure of comparable strategic significance. 

Under the current Cybersecurity Management Act, companies not specifically designated as critical infrastructure providers carry no mandatory cybersecurity obligations. Grab and other similar apps, however deeply embedded in Taiwan’s urban life, fall entirely outside the formal oversight regime.

This is not a trivial gap. Consider what a disruption, voluntary or coerced, of Grab’s services in Taiwan would mean in a moment of crisis. The platform coordinates food delivery, urban mobility, merchant logistics, and gig labor across the country’s major cities. Its mapping data describes the real-time movement of people and goods in granular detail. If the deal goes through, its AI-logistics backbone would become the hidden plumbing of daily life for millions of Taiwan’s city dwellers. None of this is captured by a definition of critical infrastructure built around pipes, cables, and servers. The concept has not kept pace with the platforms.

This is a challenge Taiwan shares with many democracies, but Taiwan faces it with uniquely high stakes. Taiwan experiences the highest rate of cyber intrusions in the Indo-Pacific, with government networks averaging 2.4 million daily intrusion attempts in 2024, more than double the previous year. Beijing’s documented strategy of blending infrastructure targeting with economic pressure and disinformation means that the list of potential targets is not limited to government systems. Platforms that coordinate urban logistics, process payment data, and manage labor networks are potential vectors in their own right, and ones that Taiwan’s current framework has no institutional vocabulary to address.

Convenience Is Not Neutral

The Grab acquisition of foodpanda is, on its face, a straightforward commercial transition: a regional superapp expands into a new market, absorbs a profitable competitor, and competes for a share of Taiwan’s urban consumer economy. Regulators reviewed it through the lens they had available, competition law, and found no objection. Yet, the lens, not the transaction, is the problem.

To be clear: I am not arguing that Grab is an instrument of foreign interference, nor that its Chinese-linked technology partnerships constitute a deliberate design to harvest Taiwanese data for hostile purposes. The evidence does not support that conclusion. My argument is simply that Taiwan’s regulatory architecture was not built to ask these questions systematically. In the absence of the right frameworks, the right questions will continue not to be asked, regardless of which platform enters the market next, and under whose investment chain it operates.

The food delivery app on your phone is not just a convenience. It is a window into your city: its rhythms, its vulnerabilities, its people. Who looks through that window, and under what rules, is a question Taiwan can no longer defer. The question for Taipei is therefore not whether Grab specifically is trustworthy, but whether Taiwan’s regulatory architecture is capable of even asking the right questions about platforms of this kind – regardless of who owns them.