The Key Elements for Data Intermediaries to Deliver Their Promise

Post Brexit – An Update on the United Kingdom Privacy Regime 2021/9/10 　　After lengthy talks, on 31 January 2020, the United Kingdom (‘UK’) finally exited the European Union (‘EU’). Then, the UK shifted into a transition period. The UK government was bombarded with questions from all stakeholders. In particular, the data and privacy industry yelled out the loudest – what am I going to do with data flowing from the EU to the UK? Privacy professionals queried – would the UK have a new privacy regime that significantly departs from the General Data Protection Regulation (‘GDPR’)? Eventually, the UK made a compromise with all stakeholders – the British, the Europeans and the rest of the world – by bridging its privacy laws with the GDPR. On 28 June 2021, the UK obtained an adequacy decision from the EU.[1] This was widely anticipated but also widely known to be delayed, as it was heavily impacted by the aftermaths of the invalidation of the US- EU Privacy Shield.[2] 　　While the rest of the world seems to silently observe the transition undertaken by the UK, post-Brexit changes to the UK’s privacy regime is not only a domestic or regional matter, it is an international matter. Global supply chains and cross border data flows will be affected, shuffling the global economy into a new order. Therefore, it is crucial as citizens of a digital economy to unpack and understand the current UK privacy regime. This paper intends to give the reader a brief introduction to the current privacy regime of the UK. The author proposes to set out the structure of the UK privacy legislation, and to discuss important privacy topics. This paper only focuses on the general processing regime, which is the regime that is most relevant to general stakeholders. UK Privacy Legislation 　　There are two main privacy legislation in the UK – the Data Protection Act 2018 (‘DPA’) and the United Kingdom General Data Protection Act (‘UK GDPR’). These two acts must be read together in order to form a coherent understanding of the current UK privacy regime. 　　The UK GDPR is the creature of Brexit. The UK government wanted a smooth transition out of the EU and acknowledged that they needed to preserve the GDPR in their domestic privacy regime to an extent that would allow them to secure an adequacy decision. The UK government also wanted to create less impact on private companies. Thus, the UK GDPR was born. Largely it aligns closely with the GDPR, supplemented by the DPA. ICO 　　The Information Commissioner’s Office (‘ICO’) is the independent authority supervising the compliance of privacy laws in the UK. Prior to Brexit, the ICO was the UK’s supervisory authority under the GDPR. A unique feature of the ICO’s powers and functions is that it adopts a notice system. The ICO has power to issue four types of notices: information notices, assessment notices, enforcement notices and penalty notices.[3] The information notice requires controllers or processors to provide information. The ICO must issue an assessment notice before conducting data protection audits. Enforcement is only exercisable by giving an enforcement notice. Administrative fines are only exercisable by giving a penalty notice. Territorial Application 　　Section 207(1A) of the DPA states that the DPA applies to any controller or processor established in the UK, regardless where the processing of personal data takes place. Like the GDPR, the DPA and the UK GDPR have an extraterritorial reach to overseas controllers or processors. The DPA and the UK GDPR apply to overseas controllers or processors who process personal data relating to data subjects in the UK, and the processing activities are related to the offering of goods or services, or the monitoring of data subjects’ behavior.[4] Transfers of Personal Data to Third Countries 　　On 28 June 2021, the UK received an adequacy decision from the EU.[5] This means that until 27 June 2025, data can continue to flow freely between the UK and the European Economic Area (‘EEA’). 　　As for transferring personal data to third countries other than the EU, the UK has similar laws to the GDPR. Both the DPA and the UK GDPR restrict controllers or processors from transferring personal data to third countries. A transfer of personal data to a third country is permitted if it is based on adequacy regulations.[6] An EU adequacy decision is known as ‘adequacy regulations’ under the UK regime. 　　If there is no adequacy regulations, then a transfer of personal data to a third country will only be permitted if it is covered by appropriate safeguards, including standard data protection clauses, binding corporate rules, codes of conduct, and certifications.[7] The ICO intends to publish UK standard data protection clauses in 2021.[8] In the meantime, the EU has published a new set of standard data protection clauses (‘SCCs’).[9] However, it must be noted that the EU SCCs are not accepted to be valid in the UK, and may only be used for reference purposes. It is also worth noting that the UK has approved three certification schemes to assist organizations in demonstrating compliance to data protection laws.[10] Lawful Bases for Processing 　　Basically, the lawful bases for processing in the UK regime are the same as the GDPR. Six lawful bases are set out in article 6 of the UK GDPR. To process personal data, at least one of the following lawful bases must be satisfied:[11] The data subject has given consent to the processing; The processing is necessary for the performance of a contract; The processing is necessary for compliance with a legal obligation; The processing is necessary to protect vital interests of an individual – that is, protecting an individual’s life; The processing is necessary for the performance of a public task; The processing is necessary for the purpose of legitimate interests, unless other interests or fundamental rights and freedoms override those legitimate interests. Rights & Exemptions 　　The UK privacy regime, like the GDPR, gives data subjects certain rights. Most of the rights granted under the UK privacy regime is akin to the GDPR and can be found under the UK GDPR. Individual rights under the UK privacy regime is closely linked with its exemptions, this may be said to be a unique feature of the UK privacy regime which sets it apart from the GDPR. Under the DPA and the UK GDPR, there are certain exemptions, meaning organizations are exempted from certain obligations, most of them are associated with individual rights. For example, if data is processed for scientific or historical research purposes, or statistical purposes, organizations are exempted from provisions on the right of access, the right to rectification, the right to restrict processing and the right to object in certain circumstances.[12] Penalties 　　The penalty for infringement of the UK GDPR is the amount specified in article 83 of the UK GDPR.[13] If an amount is not specified, the penalty is the standard maximum amount.[14] The standard maximum amount, at the time of writing, is £8,700,000 (around 10 million Euros) or 2% of the undertaking’s total annual worldwide turnover in the preceding financial year.[15] In any other case, the standard maximum amount is £8,700,000 (around 10 million Euros).[16] Conclusion 　　The UK privacy regime closely aligns with the GDPR. However it would be too simple of a statement to say that the UK privacy regime is almost identical to the GDPR. The ICO’s unique enforcement powers exercised through a notice system is a distinct feature of the UK privacy regime. Recent legal trends show that the UK while trying to preserve its ties with the EU is gradually developing an independent privacy persona. The best example is that in regards to transfers to third countries, the UK has developed its first certification scheme and is attempting to develop its own standard data protection clauses. The UK’s transition out of the EU has certainly been interesting; however, the UK’s transformation from the EU is certainly awaited with awe. [1] Commission Implementing Decision of 28.6.2021, pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom, C(2021) 4800 final,https://ec.europa.eu/info/sites/default/files/decision_on_the_adequate_protection_of_personal_data_by_the_united_kingdom_-_general_data_protection_regulation_en.pdf.. [2] Judgment of 16 July 2020, Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems, C-311/18, EU:C:2020:559, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62018CJ0311. [3] Data Protection Act 2018, §115. [4] Data Protection Act 2018, §207(1A); REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 3. [5] supra note 1. [6] Data Protection Act 2018, §17A-18; REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 44-50. [7] Data Protection Act 2018, §17A-18; REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 46-47. [8]International transfers after the UK exit from the EU Implementation Period, ICO, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers-after-uk-exit/ (last visited Sep. 10, 2021). [9] Standard contractual clauses for international transfers, European Commission, https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en (last visited Sep. 10, 2021). [10] ICO, New certification schemes will “raise the bar” of data protection in children’s privacy, age assurance and asset disposal, ICO, Aug. 19, 2021, https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2021/08/ico-approves-the-first-uk-gdpr-certification-scheme-criteria/ (last visited Sep. 10, 2021). [11] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 6(1)-(2); Lawful basis for processing, ICO, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/ (last visited Sep. 10, 2021). [12] Data Protection Act 2018, sch 2, part 6, para 27. [13] id. at §157. [14] id. [15] id. [16] id.

Introduction to Taiwan’s Guidelines for Implementing Decentralized Elements in Medicinal Product Clinical Trials 2023/12/15 The development of digital tools such as the internet, apps, and wearable devices have meant major breakthroughs for clinical trials. These advances have the potential to reduce the frequency of trial subject visits, accelerate research timelines, and lower the costs of drug development. The COVID-19 pandemic has further accelerated the use of digital tools, prompting many countries to adopt decentralized measures that enable trial subjects to participate in clinical trials regardless of their physical location. In step with the transition into the post-pandemic era, the Taiwan Food and Drug Administration (TFDA) issued the Guidelines for Implementing Decentralized Elements in Medicinal Product Clinical Trials in June, 2023[1]. The Guidelines are intended to cover a wide array of decentralized measures; they aim to increase trial subjects’ willingness to participate in trials, reduce the need for in-person visits to clinical trial sites, enhance real-time data acquisition during trials, and enable clinic sponsors and contract research organizations to process data remotely. I. Key Points of Taiwan’s Guidelines for Implementing Decentralized Elements in Medicinal Product Clinical Trials The Guidelines cover primarily the following matters: General considerations for implementing decentralized measures; trial subject recruitment and electronic informed consent; delivery and provision of investigational medicinal products; remote monitoring of trial subject safety; trial subject reporting of adverse events; remote data monitoring; and information systems and electronic data collection/processing/storage. 1. General Considerations for Implementing Decentralized Measures (1) During clinical trial execution, a reduction in trial subject in-person visits may present challenges to medical observation. It is recommended that home visits for any given trial subject be conducted by the principal investigator, sub-investigator, or a single, consistent delegated study nurse. (2) Sponsors must carefully evaluate all of the trial design’s decentralization measures to ensure data integrity. (3) Sponsors must conduct risk assessments for each individual trial, and must confirm the rationality of choosing decentralized measures. These decentralized measures must also be incorporated into the protocol. (4) When electronically collecting data, sponsors must ensure information system reliability and data security. Artificial intelligence may be considered for use in decentralized clinical trials; sponsors must carefully evaluate such systems, especially when they touch on determinations for critical data or strategies. (5) As the design of decentralized clinical trials is to ensure equal access to healthcare services, it must provide patients with a variety of ways to participate in clinical trials. (6) When implementing any decentralized measures, it is essential to ensure that the principal investigator and sponsor adhere to the Regulations for Good Clinical Practice and bear their respective responsibilities for the trial. (7) The use of decentralized measures must be stated in the regulatory application, and the Checklist of Decentralized Elements in Medicinal Product Clinical Trials must be included in the submission. 2. Subject Recruitment and Electronic Informed Consent (1) Trial subject recruitment through social media or established databases may only be implemented after the Institutional Review Board reviews and approves of the recruitment methods and content. (2) Must comply with the Principles for Recruiting Clinical Trial Subjects in medicinal product trials, the Personal Data Protection Act, and other regulations. (3) Regarding clinical trial subject informed consent done through digital software or devices, if it complies with Article 4, Paragraph 2 of the Electronic Signatures Act, that is, if the content can be displayed in its entirety and continues to be accessible for subsequent reference, then so long as the trial subject agrees to do so, the signature may be done via a tablet or other electronic device. The storage of signed electronic Informed Consent Forms (eICF) must align with the aforementioned Principles and meet the competent authority’s access requirements. 3. Delivery and Provision of Investigational Medicinal Products (1) The method of delivering and providing investigational medicinal products and whether trial subjects can use them on their own at home depends to a high degree on the investigational medicinal product’s administration route and safety profile. (2) When investigational medicinal products are delivered and provided through decentralized measures to trial subjects, this must be documented in the protocol. The process of delivering and providing said products must also be clearly stated in the informed consent form; only after being explained to a trial subject by the trial team, and after the trial subject’s consent is obtained, may such decentralized measures be used. (3) Investigational products prescribed by the principal investigator/sub-investigator must be reviewed by a delegated pharmacist to confirm that the investigational products’ specific items, dosage, duration, total quantity, and labeling align with the trial design. The pharmacist must also review each trial subject’s medication history, to ensure there are no medication-related issues; only then, and only in a manner that ensures the investigational product’s quality and the subject’s privacy, may delegated and specifically-trained trial personnel provide the investigational product to the subject. (4) Compliance with relevant regulations such as the Pharmaceutical Affairs Act, Pharmacists Act, Regulations on Good Practices for Drug Dispensation, and Regulations for Good Clinical Practice is required. 4. Remote Monitoring of Subject Safety (1) Decentralized trial designs involve trial subjects performing relatively large numbers of trial-related procedures at home. The principal investigator must delegate trained, qualified personnel to perform tasks such as collecting blood samples, administering investigational products, conducting safety monitoring, doing adverse event tracking, etc. (2) If trial subjects receive protocol-prescribed testing at nearby medical facilities or laboratories rather than at the original trial site, these locations must be authorized by the trial sponsor and must have relevant laboratory certification; only then may they collect or analyze samples. Such locations must provide detailed records to the principal investigator, to be archived in the trial master file. (3) The trial protocol and schedule must clearly specify which visits must be conducted at the trial site; which can be conducted via phone calls, video calls, or home visits; which tests must be performed at nearby laboratories; and whether trial subjects have multiple or single options at each visit. 5. Subject Reporting of Adverse Events (1) If the trial uses a digital platform to enhance adverse event reporting, trial subjects must be able to report adverse events through the digital platform, such as via a mobile phone app; that is, the principal investigator must be able to immediately access such adverse event information. (2) The principal investigator must handle such reports using risk-based assessment methods. The principal investigator must validate the adverse event reporting platform’s effectiveness, and must develop procedures to identify potential duplicate reports. 6. Remote Data Monitoring (1) If a sponsor chooses to implement remote monitoring, it must perform a reasonability assessment to confirm the appropriateness of such monitoring and establish a remote monitoring plan. (2) The monitoring plan must include monitoring strategies, monitoring personnel responsibilities, monitoring methods, rationale for such implementation, and critical data and processes that must be monitored. It must also generate comprehensive monitoring reports for audit purposes. (3) The sponsor is responsible for ensuring the implementation of remote monitoring, and must conduct risk assessments regarding the implementation process’ data protection and information confidentiality. 7. Information Systems and Electronic Data Collection, Processing, and Storage (1) In accordance with the Regulations for Good Clinical Practice, data recorded in clinical trials must be trustworthy, reliable, and verifiable. (2) It must be ensured that all organizations participating in the clinical trial have a full picture of the data flow. It is recommended that the trial protocol and trial-related documents include data flow diagrams and additional explanations. (3) Define the types and scopes of subject personal data that will be collected, and ensure that every step in the process properly protects their data in accordance with the Personal Data Protection Act. II. A Comparison with Decentralized Trial Regulations in Other Countries Denmark became the first country in the world to release regulatory measures on decentralized trials, issuing the “Danish Medicines Agency’s Guidance on the Implementation of Decentralized Elements in Clinical Trials with Medicinal Products” in September 2021[2]. In December 2022, the European Union as a whole released its “Recommendation Paper on Decentralized Elements in Clinical Trials”[3]. The United States issued the draft “Decentralized Clinical Trials for Drugs, Biological Products, and Devices” document in May 2023[4]. The comparison in Table 1 shows that Taiwan’s guidelines a relatively similar in structure to those of Denmark and the EU; the US guidelines also cover medical device clinical trials. Table 1: Summary of Decentralized Clinical Trial Guidelines in Taiwan, Denmark, the European Union as a whole, and the United States Taiwan Denmark European Union as a whole United States What do the guidelines apply to? Medicinal products Medicinal products Medicinal products Medicinal products and medical devices Trial subject recruitment and electronic informed consent Covers informed consent process; informed consent interview; digital information sheet; trial subject consent form signing; etc. Covers informed consent process; informed consent interview; trial subject consent form signing; etc. Covers informed consent process; informed consent interview; digital information sheet; trial subject consent form signing; etc. Covers informed consent process; informed consent interview; etc. Delivery and provision of investigational medicinal products Delegated, specifically-trained trial personnel deliver and provide investigational medicinal products. The investigator or delegated personnel deliver and provide investigational medicinal products. The investigator, delegated personnel, or a third-party, Good Distribution Practice-compliant logistics provider deliver and provide investigational medicinal products. The principal investigator, delegated personnel, or a distributor deliver and provide investigational products. Remote monitoring of trial subject safety Trial subjects may do return visits at trial sites, via phone calls, via video calls, or via home visits, and may undergo testing at nearby laboratories. Trial subjects may do return visits at trial sites, via phone calls, via video calls, or via home visits, and may undergo testing at nearby laboratories. Trial subjects may do return visits at trial sites, via phone calls, via video calls, or via home visits. Trial subjects may do return visits at trial sites, via phone calls, via video calls, or via home visits, and may undergo testing at nearby laboratories. Trial subject reporting of adverse events Trial subjects may self-report adverse events through a digital platform. Trial subjects may self-report adverse events through a digital platform. Trial subjects may self-report adverse events through a digital platform. Trial subjects may self-report adverse events through a digital platform. Remote data monitoring The sponsor may conduct remote data monitoring. The sponsor may conduct remote data monitoring. The sponsor may conduct remote data monitoring (not permitted in some countries). The sponsor may conduct remote data monitoring. Information systems and electronic data collection, processing, and storage The recorded data must be credible, reliable, and verifiable. Requires an information system that is validated, secure, and user-friendly. The recorded data must be credible, reliable, and verifiable. Must ensure data reliability, security, privacy, and confidentiality. III. Conclusion The implementation of decentralized clinical trials must be approached with careful assessment of risks and rationality, with trial subject safety, rights, and well-being as top priorities. Since Taiwan’s Guidelines for Implementing Decentralized Elements in Medicinal Product Clinical Trials were just announced in June of this year, the status of decentralized clinical trial implementation is still pending industry feedback to confirm feasibility. The overall goal is to enhance and optimize the clinical trial environment in Taiwan. [1] 衛生福利部食品藥物管理署，〈藥品臨床試驗執行分散式措施指引〉，2023/6/12，https://www.fda.gov.tw/TC/siteListContent.aspx?sid=9354&id=43548（最後瀏覽日：2023/11/2）。 [2] [DMA] DANISH MEDICINES AGENCY, The Danish Medicines Agency’s guidance on the Implementation of decentralised elements in clinical trials with medicinal products (2021),https://laegemiddelstyrelsen.dk/en/news/2021/guidance-on-the-implementation-of-decentralised-elements-in-clinical-trials-with-medicinal-products-is-now-available/ (last visited Nov. 2, 2023). [3] [HMA] HEADS OF MEDICINES AGENCIES, [EC] EUROPEAN COMMISSION & [EMA] EUROPEAN MEDICINES AGENCY, Recommendation paper on decentralised elements in clinical trials (2022),https://health.ec.europa.eu/latest-updates/recommendation-paper-decentralised-elements-clinical-trials-2022-12-14_en (last visited Nov. 2, 2023). [4] [US FDA] US FOOD AND DRUG ADMINISTRATION, Decentralized Clinical Trials for Drugs, Biological Products, and Devices (draft, 2023),https://www.fda.gov/regulatory-information/search-fda-guidance-documents/decentralized-clinical-trials-drugs-biological-products-and-devices (last visited Nov. 2, 2023).

The Institutionalization of the Taiwan Personal Data Protection Committee - Triumph of Digital Constitutionalism: A Legal Positivism Analysis 2023/07/13 The Legislative Yuan recently passed an amendment to the Taiwan Personal Data Protection Act, which resulted in the institutionalization of the Taiwan Personal Data Protection Commission (hereunder the “PDPC”)[1]. This article aims to analyze the significance of this institutionalization from three different perspectives: legal positivism, digital constitutionalism, and Millian liberalism. By examining these frameworks, we can better understand the constitutional essence of sovereignty, the power dynamics among individuals, businesses, and governments, and the paradox of freedom that the PDPC addresses through governance and trust. I.Three Layers of Significance 1.Legal Positivism The institutionalization of the PDPC fully demonstrates the constitutional essence of sovereignty in the hands of citizens. Legal positivism emphasizes the importance of recognizing and obeying (the sovereign, of which it is obeyed by all but does not itself obey to anyone else, as Austin claims) laws that are enacted by legitimate authorities[2]. In this context, the institutionalization of the PDPC signifies the recognition of citizens' rights to control their personal data and the acknowledgment of the sovereign in protecting their privacy. It underscores the idea that the power to govern personal data rests with the individuals themselves, reinforcing the principles of legal positivism regarding sovereign Moreover, legal positivism recognizes the authority of the state in creating and enforcing laws. The institutionalization of the PDPC as a specialized commission with the power to regulate and enforce personal data protection laws represents the state's recognition of the need to address the challenges posed by the digital age. By investing the PDPC with the authority to oversee the proper handling and use of personal data, the state acknowledges its responsibility to protect the rights and interests of its citizens. 2.Digital Constitutionalism The institutionalization of the PDPC also rebalances the power structure among individuals, businesses, and governments in the digital realm[3]. Digital constitutionalism refers to the principles and norms that govern the relationship between individuals and the digital sphere, ensuring the protection of rights and liberties[4]. With the rise of technology and the increasing collection and use of personal data, individuals often find themselves at a disadvantage compared to powerful entities such as corporations and governments[5]. However, the PDPC acts as a regulatory body that safeguards individuals' interests, rectifying the power imbalances and promoting digital constitutionalism. By establishing clear rules and regulations regarding the collection, use, and transfer of personal data, the PDPC may set a framework that ensures the protection of individuals' privacy and data rights. It may enforce accountability among businesses and governments, holding them responsible for their data practices and creating a level playing field where individuals have a say in how their personal data is handled. 3.Millian Liberalism The need for the institutionalization of the PDPC embodies the paradox of freedom, as raised in John Stuart Mill’s “On Liberty”[6], where Mill recognizes that absolute freedom can lead to the infringement of others' rights and well-being. In this context, the institutionalization of the PDPC acknowledges the necessity of governance to mitigate the risks associated with personal data protection. In the digital age, the vast amount of personal data collected and processed by various entities raises concerns about privacy, security, and potential misuse. The institutionalization of the PDPC represents a commitment to address these concerns through responsible governance. By setting up rules, regulations, and enforcement mechanisms, the PDPC ensures that individuals' freedoms are preserved without compromising the rights and privacy of others. It strikes a delicate balance between individual autonomy and the broader social interest, shedding light on the paradox of freedom. II.Legal Positivism: Function and Authority of the PDPC 1.John Austin's Concept of Legal Positivism: Sovereignty, Punishment, Order To understand the function and authority of the PDPC, we turn to John Austin's concept of legal positivism. Austin posited that laws are commands issued by a sovereign authority and backed by sanctions[7]. Sovereignty entails the power to make and enforce laws within a given jurisdiction. In the case of the PDPC, its institutionalization by the Legislative Yuan reflects the recognition of its authority to create and enforce regulations concerning personal data protection. The PDPC, as an independent and specialized committee, possesses the necessary jurisdiction and competence to ensure compliance with the law, administer punishments for violations, and maintain order in the realm of personal data protection. 2.Dire Need for the Institutionalization of the PDPC There has been a dire need for the establishment of the PDPC following the Constitutional Court's decision in August 2022, holding that the government needed to establish a specific agency in charge of personal data-related issues[8]. This need reflects John Austin's concept of legal positivism, as it highlights the demand for a legitimate and authoritative body to regulate and oversee personal data protection. The PDPC's institutionalization serves as a response to the growing concerns surrounding data privacy, security breaches, and the increasing reliance on digital platforms. It signifies the de facto recognition of the need for a dedicated institution to safeguard the individual’s personal data rights, reinforcing the principles of legal positivism. Furthermore, the institutionalization of the PDPC demonstrates the responsiveness of the legislative branch to the evolving challenges posed by the digital age. The amendment to the Taiwan Personal Data Protection Act and the subsequent institutionalization of the PDPC are the outcomes of a democratic process, reflecting the will of the people and their desire for enhanced data protection measures. It signifies a commitment to uphold the rule of law and ensure the protection of citizens' rights in the face of emerging technologies and their impact on privacy. 3.Authority to Define Cross-Border Transfer of Personal Data Upon the establishment of the PDPC, it's authority to define what constitutes a cross-border transfer of personal data under Article 21 of the Personal Data Protection Act will then align with John Austin's theory on order. According to Austin, laws bring about order by regulating behavior and ensuring predictability in society. By granting the PDPC the power to determine cross-border data transfers, the legal framework brings clarity and consistency to the process. This promotes order by establishing clear guidelines and standards, reducing uncertainty, and enhancing the protection of personal data in the context of international data transfers. The PDPC's authority in this regard reflects the recognition of the need to regulate and monitor the cross-border transfer of personal data to protect individuals' privacy and prevent unauthorized use or abuse of their information. It ensures that the transfer of personal data across borders adheres to legal and ethical standards, contributing to the institutionalization of a comprehensive framework for cross-border data transfer. III.Conclusion In conclusion, the institutionalization of the Taiwan Personal Data Protection Committee represents the convergence of legal positivism, digital constitutionalism, and Millian liberalism. It signifies the recognition of citizens' sovereignty over their personal data, rebalances power dynamics in the digital realm, and addresses the paradox of freedom through responsible governance. By analyzing the PDPC's function and authority in the context of legal positivism, we understand its role as a regulatory body to maintain order and uphold the principles of legal positivism. The institutionalization of the PDPC serves as a milestone in Taiwan's commitment to protect individuals' personal data and safeguard the digital rights. In essence, the institutionalization of the Taiwan Personal Data Protection Committee represents a triumph of digital constitutionalism, where individuals' rights and interests are safeguarded, and power imbalances are rectified. It also embodies the recognition of the paradox of freedom and the need for responsible governance in the digital age in Taiwan. [1] Lin Ching-yin & Evelyn Yang, Bill to establish data protection agency clears legislative floor, CNA English News, FOCUS TAIWAN, May 16, 2023, https://focustaiwan.tw/society/202305160014 (last visited, July 13, 2023). [2] Legal positivism, Stanford Encyclopedia of Philosophy, https://plato.stanford.edu/entries/legal-positivism/?utm_source=fbia (last visited July 13, 2023). [3] Edoardo Celeste, Digital constitutionalism: how fundamental rights are turning digital, (2023): 13-36, https://doras.dcu.ie/28151/1/2023_Celeste_DIGITAL%20CONSTITUTIONALISM_%20HOW%20FUNDAMENTAL%20RIGHTS%20ARE%20TURNING%20DIGITAL.pdf (last visited July 3, 2023). [4] GIOVANNI DE GREGORIO, DIGITAL CONSTITUTIONALISM IN EUROPE: REFRAMING RIGHTS AND POWERS IN THE ALGORITHMIC SOCIETY 218 (2022). [5] Celeste Edoardo, Digital constitutionalism: how fundamental rights are turning digital (2023), https://doras.dcu.ie/28151/1/2023_Celeste_DIGITAL%20CONSTITUTIONALISM_%20HOW%20FUNDAMENTAL%20RIGHTS%20ARE%20TURNING%20DIGITAL.pdf (last visited July 13, 2023). [6]JOHN STUART MILL,On Liberty (1859), https://openlibrary-repo.ecampusontario.ca/jspui/bitstream/123456789/1310/1/On-Liberty-1645644599.pdf (last visited July 13, 2023). [7] Legal positivism, Stanford Encyclopedia of Philosophy, https://plato.stanford.edu/entries/legal-positivism/?utm_source=fbia (last visited July 13, 2023). [8] Lin Ching-yin & Evelyn Yang, Bill to establish data protection agency clears legislative floor, CNA English News, FOCUS TAIWAN, May 16, 2023, https://focustaiwan.tw/society/202305160014 (last visited, July 13, 2023).

Research on Taiwan’s Policies of Innovative Industry Development in Recent Years (2015-2016) 1. “Five plus Two” Innovative Industries Policy 　　On June 15, 2016, Premier Lin Chuan met with a group of prominent business leaders to talk about a government project on five innovative industries, which aim to drive the next generation of businesses in R.O.C.. Subsequently the program was expanded to include “new agriculture” and the “circular economy” as the “+2.” The program was then broadened even further to include the Digital Economy and Cultural Innovation, with even Semiconductors and IC Design included, although the name of the policy remains 5+2. Speaking at the Third Wednesday Club in Taipei, Premier Lin said the industries require more investment to drive the next generation of industry growth momentum in R.O.C., create high-quality jobs, and upgrade the industrial competitiveness. Executive Yuan has selected the five innovative industries of Asia Silicon Valley, smart machinery, green energy, biotech & pharmaceutical industry, and national defense, which will be the core for pushing forward the next-generation industrial growth and improve overall environment by creating a cluster effect that links local and global industries, while simultaneously raising wages and stimulating employment. 　　Premier Lin said, regarding industrial competitiveness and investment issues the lackluster economy has stifled investment opportunities, and with limited government budgets, the private sector must play the larger role in investments. Regarding the “Five major Innovative Industries” project, Premier Lin said the National Development Council is currently drafting long-term plan to attract talent, create a thriving working environment, and infuse companies with more innovation, entrepreneurship and young workers. In addition, R.O.C. must also cultivate a strong software industry, without which it would be difficult to build a highly intelligent infrastructure. 　　The National Development Council said the program possess both the capacity of domestic demand and local characteristics, as the core for pushing forward the next-generation industrial growth. The government aims to promote a seamless synergy of investment, technology, and the talent, in order to develop innovative industrial clusters for furthering global linkage and nurturing international enterprises. In the meantime, the government also aims at achieving the enhancement of technology levels, balanced regional development, as well as realizing the benefits of job creation. 2. The Asia Silicon Valley Development Plan 　　In September 2016 the government approved the Asia Silicon Valley Development Plan, which connect Taiwan to global tech clusters and create new industries for the next generation. By harnessing advanced technological research and development results from around the world, the plan hopes to promote innovation and R&D for devices and applications of the internet of things (IoT), and upgrade Taiwan’s startup and entrepreneurship ecosystem. 　　The four implementation strategies are as follows: 　　(1) Building a comprehensive ecosystem to support innovation and entrepreneurship 　　(2) Connect with international research and development capabilities 　　(3) Create an IoT value chain 　　(4) Construct diversified test beds for smart products and services by establishing a quality internet environment 　　Taiwan’s first wave of industrial development was driven by continuous technological innovation, and the wave that followed saw the information industry become a major source of economic growth. 3. Global Hub for Smart Machinery 　　On July 21, 2016, Premier Lin Chuan said at a Cabinet meeting, the government aims to forge Taiwan into a global manufacturing hub for intelligent machinery and high-end equipment parts. Upgrading from precision machinery to intelligent machinery is the main goal of putting intelligent machinery industry into focal execution area expecting to create jobs and to maximize the production of production line as well as to forge central Taiwan into a global manufacturing hub for smart machinery. The Ministry of Economic draws up the Intelligent Machinery Promotion Program to establish the applications of the technology and capacity of services that fit the demand of the market. The program embodies two parts. The first is to accelerate the industrialization of intelligent machinery for building an ecosystem. The second is to improve intelligentization by means of introducing the intelligent machinery into the industries. 　　The execution policy of the Intelligent Machinery Promotion Program is to integrate the intelligent functions such as malfunctions predictions, accuracy compensation, and automatic parameter setting into the machinery industry so as to have the ability to render the whole solutions to the problem. Simultaneously, the program employs three strategies, which are connecting with the local industries, connecting with the future, and connecting with the world, to develop the mentioned vision and objectives. Especially, the way to execute the strategy of connecting with the local industries consists of integrating the capabilities of industry, research organization and the government. At the meantime, the government will encourage the applications of smart vehicles and unmanned aerial vehicles and train the talents as well. The thinking of connecting with the future lies in the goal of deepening the technologies, establishing systematic solutions, and providing a testing areas, which focus on the related applications such as aerospace, advanced semiconductor, smart transportation, green vehicles, energy industry, whole solutions between factories, intelligent man-machine coordination, and robots of machine vision combined with intelligent machinery applications. The government would strengthen the cross-cutting cooperation to develop machines for aerospace and integrate the system of industrial division to form a cluster in order to create Taiwanese IoT technology. Eventually, Taiwan will be able to connect with the world, enhance international cooperation, expand export trade and push industry moving toward the age of information and digital economy and break the edge of industry technology to make the industry feel the goodwill of the government. 4. Green energy innovations 　　The government’s “five plus two” innovative industries program includes a green energy industrial innovation plan passed October 27, 2016 that will focus on Taiwan’s green needs, spur extensive investments from within and outside the country, and increase quality employment opportunities while supporting the growth of green energy technologies and businesses. 　　The government is developing the Shalun Green Energy Science City. The hub’s core in Shalun will house a green energy technology research center as well as a demo site, providing facilities to develop research and development (R&D) capabilities and conduct the requisite certification and demonstration procedures. The joint research center for green energy technologies will integrate the efforts of domestic academic institutions, research institutes, state-run enterprises and industry to develop green energy technologies, focusing on four major functions: creating, conserving and storing energy, as well as system integration. Development strategies include systems integration and finding better ways to conserve, generate and store energy by promoting green energy infrastructure, expanding renewable energy capabilities and cooperating with large international firms. 　　The emergence of the green economy has prompted the government to build infrastructure that will lay the foundation for Taiwan’s green energy sector, transform the nation into a nuclear-free society, and spur industrial innovation. For innovative technology industries, green energy industries can drive domestic economic development by attracting more venture capital and creating more employment opportunities. 5. Biomedical Industry Innovation Program 　　To facilitate development of Taiwan’s biomedical industry, the government proposed a “biomedical industrial innovation promotion program” on November 10, 2016 to serve as the nation’s new blueprint for innovative biomedical research and development (R&D). To facilitate development of the biomedical industry, the government proposed a “biomedical industrial innovation promotion program”. The program centered on the theme of “local, global and future links,” “the biomedical industrial innovation promotion program” includes four action plans: 　　(1) Build a comprehensive ecosystem 　　To address a rapidly ageing global population, Taiwan will enhance the biomedical industry’s capacity for innovation by focusing on talent, capital, topic selection, intellectual property, laws and regulations, and resources. 　　(2) Integrate innovative business clusters 　　Established by the Ministry of Science and Technology and based in Hsinchu Biomedical Science Park, the center will serve as a government think tank on related issues. It is also tasked with initiating and advancing exchanges among local and foreign experts, overseeing project implementation, promoting investment and recruiting talents. Equally important, it will play a central role in integrating resources from other biomedical industry clusters around the country, including Nangang Software Park in Taipei City, Central Taiwan Science Park in Taichung City and Southern Science Park in Tainan City. 　　(3) Connect global market resources 　　Building on Taiwan’s advantages, promote M&A and strategic alliances, and employ buyout funds and syndicated loans to purchase high-potential small and medium-sized international pharmaceutical companies, medical supply companies, distributors and service providers. Use modern mosquito-borne disease control strategies as the foundation of diplomatic cooperation, and promote the development of Taiwan’s public health care and medical services in Southeast Asian countries. 　　(4) Promote specialized key industries 　　Promote niche precision medical services, foster clusters of world-class specialty clinics, and develop industries in the health and wellness sectors. 6. DIGITAL NATION AND INNOVATIVE ECONOMIC DEVELOPMENT PLAN 　　 On November 24, 2016, the Executive Yuan promote the Digital Nation and Innovative Economic Development Plan (2017-2025) (DIGI+ program), the plan’s main goals for 2025 are to grow R.O.C.’s digital economy to NT $ 6.5 trillion (US$205.9 billion), increase the digital lifestyle services penetration rate to 80 percent, speed up broadband connections to 2 Gbps, ensure citizens’ basic rights to have 25 Mbps broadband access, and put R.O.C. among the top 10 information technology nations worldwide. 　　 In addition to the industrial economy, the program can jump off bottlenecks in the past industrial development, and promote the current Internet of things, intelligent machinery, green energy, medical care and other key national industries, but also attaches great importance to strengthening the digital infrastructure construction, the development of equal active, as well as the creation of a service-oriented digital government. It is also hoped that through the construction of a sustainable and intelligent urban and rural area, the quality of life will be improved and the people will enjoy a wealthy and healthy life. Over the next 8 years, the government will spend more than NT $ 150 billion. 　　The plan contains several important development strategies: DIGI+Infrastructure: Build infrastructure conducive to digital innovation. DIGI+Talent: Cultivate digital innovation talent. DIGI+Industry: Support cross-industry transformation through digital innovation. DIGI+Rights: Make R.O.C. an advanced society that respects digital rights and supports open online communities. DIGI+Cities: Build smart cities through cooperation among central and local governments and the industrial, academic and research sectors. DIGI+Globalization: Boost R.O.C.’s standing in the global digital service economy. 　　The program aims to build a favorable environment for digital innovation and to create a friendly legal environment to complete the draft amendments to the Digital Communications Law and the Telecommunications Act as soon as possible, foster cross-domain digital talents and develop advanced digital technologies, To create a digital economy, digital government, network society, smart urban and rural and other national innovation ecological environment in order to achieve "the development of active network society, promote high value innovation economy, open up rich countries of the policy vision. 　　 In order to achieve the overall effectiveness of the DIGI + program, interdisciplinary, inter-ministerial, inter-departmental and inter-departmental efforts will be required to collaborate with the newly launched Digital National Innovation Economy (DIGI +) Promotion Team. 7. “NEW AGRICULTURE” PROMOTION PROJECT 　　 At a Cabinet meeting On December 08, 2016, Premier Lin Chuan underscored the importance of a new agricultural paradigm for Taiwan’s economic development, adding that new agriculture is an integral part of the “five plus two” industrial innovation projects proposed by President Tsai Ing-wen. The “new agriculture” promotion project uses innovation technology to bring value to agricultural, and build new agricultural paradigm, agricultural safety systems and promote agricultural marketing. This project also takes resources recycling and environmental sustainability into consideration to promote agricultural transformation, and build a robust new agricultural system. 　　This agricultural project is expected to increase food self-sufficiency rate to 40%, level up agricultural industry value by NT$43.4 billion, create 370,000 jobs and increase portion of total agricultural exports to new overseas markets to 57% by 2020. 　　This project contains three aspects: 　　First is “building new agricultural paradigm”: to protect farmers, agricultural development and ensure sustainability of the environment. 　　Second is “building agricultural safety systems”: Ensuring product safety and quality, and building a certification system which can be trust by the consumers and is consistent with international standards. 　　Last but not least is “leveling up agricultural marketing and promotions”: enhancing promotion, making the agricultural industry become profitable and sustainable. 　　Council of Agriculture’s initiatives also proposed 10 policies to leverage agricultural industry, not only just use the passive subsidies measure of the past. These policies including promoting environmentally friendly farming practices; giving farmers that are beneficial(green) to the land payments; stabilizing farmers’ incomes; increasing the competitiveness of the livestock and poultry industries; using agricultural resources sustainably; ensuring the safety of agricultural products; developing technological innovation; leveling up food security; increasing diversification of domestic and external marketing channels; and increasing agriculture industry added value. 　　 In this statutes report, Council of Agriculture said this project will accelerate reforms, create new agricultural models and safety systems, but also build a new sustainable paradigm of agricultural. Premier Lin Chuan also backed this “five plus two innovative industries” program and “new agriculture” project, and asked Council of Agriculture to reviewing the possible legal changes or amendment that may help to enhance the transformation of agricultural sector.