Taiwan Planed Major Promoting Program for Biotechnology and Pharmaceutical Industry

Blockchain and General Data Protection Regulation (GDPR) compliance issues (2019) I. Brief 　　Blockchain technology can solve the problem of trust between data demanders and data providers. In other words, in a centralized mode, data demanders can only choose to believe that the centralized platform will not contain the false information. However, in the decentralized mode, data isn’t controlled by one individual group or organization[1], data demanders can directly verify information such as data source, time, and authorization on the blockchain without worrying about the correctness and authenticity of the data. 　　Take the “immutable” for example, it is conflict with the right to erase (also known as the right to be forgotten) in the GDPR.With encryption and one-time pad (OTP) technology, data subjects can make data off-chain storaged or modified at any time in a decentralized platform, so the problem that data on blockchain not meet the GDPR regulation has gradually faded away. II. What is GDPR? 　　The purpose of the EU GDPR is to protect user’s data and to prevent large-scale online platforms or large enterprises from collecting or using user’s data without their permission. Violators will be punished by the EU with up to 20 million Euros (equal to 700 million NT dollars) or 4% of the worldwide annual revenue of the prior financial year. 　　The aim is to promote free movement of personal data within the European Union, while maintaining adequate level of data protection. It is a technology-neutral law, any type of technology which is for processing personal data is applicable. 　　So problem about whether the data on blockchain fits GDPR regulation has raise. Since the blockchain is decentralized, one of the original design goals is to avoid a large amount of centralized data being abused. 　　Blockchain can be divided into permissioned blockchains and permissionless blockchains. The former can also be called “private chains” or “alliance chains” or “enterprise chains”, that means no one can join the blockchain without consent. The latter can also be called “public chains”, which means that anyone can participate on chain without obtaining consent. 　　Sometimes, private chain is not completely decentralized. The demand for the use of blockchain has developed a hybrid of two types of blockchain, called “alliance chain”, which not only maintains the privacy of the private chain, but also maintains the characteristics of public chains. The information on the alliance chain will be open and transparent, and it is in conflict with the application of GDPR. III. How to GDPR apply to blockchain ? 　　First, it should be determined whether the data on the blockchain is personal data protected by GDPR. Second, what is the relationship and respective responsibilities of the data subject, data controller, and data processor? Finally, we discuss the common technical characteristics of blockchain and how it is applicable to GDPR. 1. Data on the blockchain is personal data protected by GDPR? 　　First of all, starting from the technical characteristics of the blockchain, blockchain technology is commonly decentralized, anonymous, immutable, trackable and encrypted. The other five major characteristics are immutability, authenticity, transparency, uniqueness, and collective consensus. 　　Further, the blockchain is an open, decentralized ledger technology that can effectively verify and permanently store transactions between two parties, and can be proved. 　　It is a distributed database, all users on the chain can access to the database and the history record, also can directly verify transaction records. Each nodes use peer-to-peer transmission for upload or transfer information without third-party intermediation, which is the unique “decentralization” feature of the blockchain. 　　In addition, the node or any user on the chain has a unique and identifiable set of more than 30 alphanumeric addresses, but the user may choose to be anonymous or provide identification, which is also a feature of transparency with pseudonymity[2]; Data on blockchain is irreversibility of records. Once the transaction is recorded and updated on the chain, it is difficult to change and is permanently stored in the database, that is to say, it has the characteristics of “tamper-resistance”[3]. 　　According to Article 4 (1) of the GDPR, “personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 　　Therefore, if data subject cannot be identified by the personal data on the blockchain, that is an anonymous data, excluding the application of GDPR. (1) What is Anonymization? 　　According to Opinion 05/2014 on Anonymization Techniques by Article 29 Data Protection Working Party of the European Union, “anonymization” is a technique applied to personal data in order to achieve irreversible de-identification[4]. 　　And it also said the “Hash function” of blockchain is a pseudonymization technology, the personal data is possible to be re-identified. Therefore it’s not an “anonymization”, the data on the blockchain may still be the personal data stipulated by the GDPR. 　　As the blockchain evolves, it will be possible to develop technologies that are not regulated by GDPR, such as part of the encryption process, which will be able to pass the court or European data protection authorities requirement of anonymization. There are also many compliance solutions which use technical in the industry, such as avoiding transaction data stored directly on the chain. 2. International data transmission 　　Furthermore, in accordance with Article 3 of the GDPR, “This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union”.[5] 　　In other words, GDPR applies only when the data on the blockchain is not anonymized, and involves the processing of personal data of EU citizens. 3. Identification of data controllers and data processors 　　Therefore, if the encryption technology involves the public storage of EU citizens' personal data and passes it to a third-party controller, it may be identified as the “data controller” under Article 4 of GDPR, and all nodes and miners of the platform may be deemed as the “co-controller” of the data, and be assumed joint responsibility with the data controller by GDPR. For example, the parties can claim the right to delete data from the data controller. 　　In addition, a blockchain operator may be identified as a “processor”, for example, Backend as a Service (BaaS) products, the third parties provide network infrastructure for users, and let users manage and store personal data. Such Cloud Services Companies provide online services on behalf of customers, do not act as “data controllers”. Some commentators believe that in the case of private chains or alliance chains, such as land records transmission, inter-bank customer information sharing, etc., compared to public chain applications: such as cryptocurrencies (Bitcoin for example), is not completely decentralized, and more likely to meet GDPR requirements[6]. For example, in the case of a private chain or alliance chain, it is a closed platform, which contains only a small number of trusted nodes, is more effective in complying with the GDPR rules. 4. Data subject claims 　　In accordance with Article 17 of the GDPR, The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay under some grounds. 　　Off-chain storage technology can help the blockchain industry comply with GDPR rules, allowing offline storage of personal data, or allow trusted nodes to delete the private key of encrypted information, which leaving data that cannot be read and identified on the chain. If the data is in accordance with the definition of anonymization by GDPR, there is no room for GDPR to be applied. IV. Conclusion 　　In summary, it’s seem that the application of blockchain to GDPR may include: (a) being difficulty to identified the data controllers and data processors after the data subject upload their data. (b) the nature of decentralized storage is transnational storage, and Whether the country where the node is located, is meets the “adequacy decision” of Article 45 of the GDPR. 　　If it cannot be met, then it needs to consider whether it conforms to the transfers subject to appropriate safeguards of Article 46, or the derogations for specific situations of Article 49 of the GDPR. Reference: [1] How to Trade Cryptocurrency: A Guide for (Future) Millionaires, https://wikijob.com/trading/cryptocurrency/how-to-trade-cryptocurrency [2] DONNA K. HAMMAKER, HEALTH RECORDS AND THE LAW 392 (5TH ED. 2018). [3] Iansiti, Marco, and Karim R. Lakhani, The Truth about Blockchain, Harvard Business Review 95, no. 1 (January-February 2017): 118-125, available at https://hbr.org/2017/01/the-truth-about-blockchain [4] Article 29 Data Protection Working Party, Opinion 05/2014 on Anonymisation Techniques (2014), https://www.pdpjournals.com/docs/88197.pdf [5] Directive 95/46/EC (General Data Protection Regulation), https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN [6] Queen Mary University of London, Are blockchains compatible with data privacy law? https://www.qmul.ac.uk/media/news/2018/hss/are-blockchains-compatible-with-data-privacy-law.html

A Before and After Impact Comparison of Applying Statute for Industrial Innovation Article 23-1 Draft on Venture Capital Limited Partnerships I. Background 　　Because the business models adopted by Industries, such as venture capital, film, stage performance and others, are intended to be temporary entities, and the existing business laws are not applicable for such industries,[1] the Legislature Yuan passed the “Limited Partnership Act” in June 2015,[2] for the purpose of encouraging capital injection into these industries. However, since the Act was passed, there are currently only nine limited partnerships listed on the Ministry of Economic Affairs' limited partnership information website. Among them, “Da-Zuo Limited Partnership (Germany) Taiwan Branch” and “Stober Antriebstechnik Limited Partnership (Germany) Taiwan Branch”, are branch companies established by foreign businesses, the remaining seven companies are audio video production and information service businesses. It is a pity that no venture capital company is adopting this format.[3] 　　In fact, several foreign countries have set up supporting measures for their taxation systems targeting those business structures, such as limited partnerships. For example, the pass-through taxation method (or referred to as single entity taxation) is adopted by the United States, while Transparenzprinzip is used by Germany. These two taxation methods may have different names, but their core ideas are to pass the profits of a limited partnership to the earnings of partners.[4] However, following the adoption of the Limited Partnership Act in Taiwan, the Ministry of Finance issued an interpretation letter stating that because the current legal system confers an independent legal entity status to the business structure of a limited partnership, it should be treated as a profit-seeking business and taxed with Profit-Seeking Enterprise Income Tax.[5] Therefore, to actualize the legislative objective of encouraging innovative businesses organized under tenets of the Limited Partnership Act, the Executive Yuan presented a draft amendment for Article 23-1 of the Statute for Industrial Innovation (hereinafter referred to as the Draft), introducing the "Pass Through Taxation Principle" as adopted by several foreign countries. That is, a Limited Partnership will not be levied with the Profit-Seeking Enterprise Income Tax, but each partner will file income tax reports based on after-profit-gains from the partnership that are passed through to each partner. It is expected that the venture capital industry will now be encouraged to adopt the limited partnership structure, and thus increase investment capital in new ventures. II. The Pass Through Taxation Method is Applicable to Newly Established Venture Capital Limited Partnerships 1. The Requirements and Effects 　　(1) The Requirements 　　According to the provisions of Article 23-1 Paragraph 3 of the Draft, to be eligible for Pass Through Taxation, newly established venture capital limited partnerships must meet the following requirements: 1. The venture capital limited partnerships are established between January 1, 2017 and December 31, 2019. 2. Investment threshold of the total agreed capital contribution, total received capital contribution, and accumulated total capital contribution, within five years of the establishment of venture capital limited partnerships: Total Agreed Capital Contribution in the Limited Partnership Agreement Total Received Capital Contribution Accumulated Investment Amount for Start-up Companies The Year of Establishment 3 hundred million ✕ ✕ The Second Year ✕ ✕ The Third Year 1 hundred million ✕ The Fourth Year 2 hundred million Reaching 30 percent of the total received capital contribution of the year or 3 hundred million NT dollars. The Fifth Year 3 hundred million 3. The total amount, that an overseas company applies in capital and investments in actual business operations in Taiwan, reaches 50% of its total received capital contribution of that year. 4. In compliance with government policies. 5. Reviewed and approved by the central competent authority each year. 　　(2) The Effects 　　The effects of applying the provisions of Article 23-1 Paragraph 3 of the Draft are as follows: 1. Venture capital limited partnerships are exempt from the Profit-Seeking Enterprise Income Tax. 2. Taxation method for partners in a limited partnership after obtaining profit gains: (1) Pursuant to the Income Tax Act, Individual partners and for-profit business partners are taxed on their proportionally-calculated, distributed earnings. (2) Individual partners and foreign for-profit business partners are exempt from income tax on the stock earnings distributed by a limited partnership. 2. Benefit Analysis Before and After Applying Pass Through Taxation Method 　　A domestic individual A, a domestic profit-making business B, and a foreign profit-making business C jointly form a venture capital limited partnership, One. The earnings distribution of the company One is 10%, 80% and 10% for A, B, and C partners, respectively. The calculated earnings of company One are one million (where eight hundred thousand are stock earnings, and two hundred thousand are non-stock earnings). How much income tax should be paid by the company One, and partners A, B, and C? 　　(1) Pursuant to the Income Tax Act, before the amended draft: 1. One Venture Capital Limited Partnership Should pay Profit-Seeking Enterprise Income Tax = (NT$1,000,000 (earning) - NT$500,000[6])x12% (tax rate[7])=NT$60,000 2. Domestic Individual A Should file a comprehensive income report with business profit income =(NT$1,000,000-NT$60,000) x 10% (company One draft a voucher for net amount for A) + NT$60,000÷2×10% (deductible tax rate)= NT$97,000 Tax payable on profit earnings＝NT$91,500×5%(tax rate)＝NT$4,850 Actual income tax paid＝NT$4,850 - NT$60,000÷2×10% (deductible tax rate) ＝NT$1,485 3. Domestic For-Profit Business B Pursuant to the provisions of Article 42 of the Income Tax Act, the net dividend or net income received by a profit-seeking company is not included in the income tax calculation. 4. Foreign For-Profit Business C Tax paid at its earning source＝(NT$1,000,000 - NT$60,000) ×10% (earning distribution rate) ×20% (tax rate at earning source)＝NT$18,800 　　(2) Applying Pass Through Taxation Method After Enacting the Amendment 1. One Venture Capital Limited Partnership No income tax. 2. Domestic Individual A Should pay tax＝NT$800,000 (non-stock distributed earnings)×10% (earning distribution rate)×5% (comprehensive income tax rate)＝NT$1,000 3. Domestic For-Profit Business B Pursuant to the provisions of Article 42 of the Income Tax Act, the net dividend or net income received by a profit-seeking company is not included in the income tax calculation. 4. Foreign For-Profit Business C Tax paid at its earning source＝NT$800,000 (non-stock distributed earnings)×10%(earning distribution rate)×20% (tax rate at earning source)＝NT$4,000 　　The aforementioned example shows that under the situation, where the earning distribution is the same and tax rate for the same taxation subject is the same, the newly-established venture capital limited partnerships and their shareholders enjoy a more favorable tax benefit with the adoption of pass through taxation method: Before the Amendment After the Amendment Venture Capital Limited Partnership NT$60,000 Excluded in calculation Shareholders Domestic Individual NT$1,850 NT$1,000 Domestic For-Profit Business Excluded in calculation Excluded in calculation Foreign For-Profit Business NT$18,800 NT$4,000 Sub-total NT$80,650 NT$5,000 III. Conclusion 　　Compared to the corporate taxation, the application of the pass through taxation method allows for a significant reduction in tax burden. While developing Taiwan’s pass through tax scheme, the government referenced corporate taxation under the U.S. Internal Revenue Code (IRC), where companies that meet the conditions of Chapter S can adopt the “pass through” method, that is, pass the earnings to the owner, with the income of shareholders being the objects of taxation;[8] and studied the "Transparenzprinzip" adopted by the German taxation board for partnership style for-profit businesses. Following these legislative examples, where profits are identified as belonging to organization members,[9] the government legislation includes the adoption of the pass through taxation scheme for venture capital limited partnerships in the amended draft of Article 23-1 of the Statute for Industrial Innovation, so that the legislation is up to international standards and norms, while making an important breakthrough in the current income tax system. This is truly worthy of praise. [1] The Legislative Yuan Gazette, Vol. 104, No. 51, page 325. URL:http://misq.ly.gov.tw/MISQ//IQuery/misq5000Action.action [2] A View on the Limited Partnership in Taiwan, Cross-Strait Law Review, No. 54, Liao, Da-Ying, Page 42. [3] Ministry of Economic Affairs - Limited Partnership Registration Information URL: http://gcis.nat.gov.tw/lmpub/lms/dir.jsp?showgcislocation=true&agencycode=allbf [4] Same as annotate 2, pages 51-52. [5] Reference Letter of Interpretation dated December 18, 2015, Tai-Cai-Shui Zi No. 10400636640, the Ministry of Finance [6] First half of Paragraph 1 of Article 8 of the Income Basic Tax Act [7] Second half of Paragraph 1 of Article 8 of the Income Basic Tax Act [8] A Study on the Limited Partnership Act, Master’s degree thesis, College of Law, Soochow University, Wu, Tsung-Yeh, pages 95-96. [9] Reference annotate 2, pages 52.

Post Brexit – An Update on the United Kingdom Privacy Regime 2021/9/10 　　After lengthy talks, on 31 January 2020, the United Kingdom (‘UK’) finally exited the European Union (‘EU’). Then, the UK shifted into a transition period. The UK government was bombarded with questions from all stakeholders. In particular, the data and privacy industry yelled out the loudest – what am I going to do with data flowing from the EU to the UK? Privacy professionals queried – would the UK have a new privacy regime that significantly departs from the General Data Protection Regulation (‘GDPR’)? Eventually, the UK made a compromise with all stakeholders – the British, the Europeans and the rest of the world – by bridging its privacy laws with the GDPR. On 28 June 2021, the UK obtained an adequacy decision from the EU.[1] This was widely anticipated but also widely known to be delayed, as it was heavily impacted by the aftermaths of the invalidation of the US- EU Privacy Shield.[2] 　　While the rest of the world seems to silently observe the transition undertaken by the UK, post-Brexit changes to the UK’s privacy regime is not only a domestic or regional matter, it is an international matter. Global supply chains and cross border data flows will be affected, shuffling the global economy into a new order. Therefore, it is crucial as citizens of a digital economy to unpack and understand the current UK privacy regime. This paper intends to give the reader a brief introduction to the current privacy regime of the UK. The author proposes to set out the structure of the UK privacy legislation, and to discuss important privacy topics. This paper only focuses on the general processing regime, which is the regime that is most relevant to general stakeholders. UK Privacy Legislation 　　There are two main privacy legislation in the UK – the Data Protection Act 2018 (‘DPA’) and the United Kingdom General Data Protection Act (‘UK GDPR’). These two acts must be read together in order to form a coherent understanding of the current UK privacy regime. 　　The UK GDPR is the creature of Brexit. The UK government wanted a smooth transition out of the EU and acknowledged that they needed to preserve the GDPR in their domestic privacy regime to an extent that would allow them to secure an adequacy decision. The UK government also wanted to create less impact on private companies. Thus, the UK GDPR was born. Largely it aligns closely with the GDPR, supplemented by the DPA. ICO 　　The Information Commissioner’s Office (‘ICO’) is the independent authority supervising the compliance of privacy laws in the UK. Prior to Brexit, the ICO was the UK’s supervisory authority under the GDPR. A unique feature of the ICO’s powers and functions is that it adopts a notice system. The ICO has power to issue four types of notices: information notices, assessment notices, enforcement notices and penalty notices.[3] The information notice requires controllers or processors to provide information. The ICO must issue an assessment notice before conducting data protection audits. Enforcement is only exercisable by giving an enforcement notice. Administrative fines are only exercisable by giving a penalty notice. Territorial Application 　　Section 207(1A) of the DPA states that the DPA applies to any controller or processor established in the UK, regardless where the processing of personal data takes place. Like the GDPR, the DPA and the UK GDPR have an extraterritorial reach to overseas controllers or processors. The DPA and the UK GDPR apply to overseas controllers or processors who process personal data relating to data subjects in the UK, and the processing activities are related to the offering of goods or services, or the monitoring of data subjects’ behavior.[4] Transfers of Personal Data to Third Countries 　　On 28 June 2021, the UK received an adequacy decision from the EU.[5] This means that until 27 June 2025, data can continue to flow freely between the UK and the European Economic Area (‘EEA’). 　　As for transferring personal data to third countries other than the EU, the UK has similar laws to the GDPR. Both the DPA and the UK GDPR restrict controllers or processors from transferring personal data to third countries. A transfer of personal data to a third country is permitted if it is based on adequacy regulations.[6] An EU adequacy decision is known as ‘adequacy regulations’ under the UK regime. 　　If there is no adequacy regulations, then a transfer of personal data to a third country will only be permitted if it is covered by appropriate safeguards, including standard data protection clauses, binding corporate rules, codes of conduct, and certifications.[7] The ICO intends to publish UK standard data protection clauses in 2021.[8] In the meantime, the EU has published a new set of standard data protection clauses (‘SCCs’).[9] However, it must be noted that the EU SCCs are not accepted to be valid in the UK, and may only be used for reference purposes. It is also worth noting that the UK has approved three certification schemes to assist organizations in demonstrating compliance to data protection laws.[10] Lawful Bases for Processing 　　Basically, the lawful bases for processing in the UK regime are the same as the GDPR. Six lawful bases are set out in article 6 of the UK GDPR. To process personal data, at least one of the following lawful bases must be satisfied:[11] The data subject has given consent to the processing; The processing is necessary for the performance of a contract; The processing is necessary for compliance with a legal obligation; The processing is necessary to protect vital interests of an individual – that is, protecting an individual’s life; The processing is necessary for the performance of a public task; The processing is necessary for the purpose of legitimate interests, unless other interests or fundamental rights and freedoms override those legitimate interests. Rights & Exemptions 　　The UK privacy regime, like the GDPR, gives data subjects certain rights. Most of the rights granted under the UK privacy regime is akin to the GDPR and can be found under the UK GDPR. Individual rights under the UK privacy regime is closely linked with its exemptions, this may be said to be a unique feature of the UK privacy regime which sets it apart from the GDPR. Under the DPA and the UK GDPR, there are certain exemptions, meaning organizations are exempted from certain obligations, most of them are associated with individual rights. For example, if data is processed for scientific or historical research purposes, or statistical purposes, organizations are exempted from provisions on the right of access, the right to rectification, the right to restrict processing and the right to object in certain circumstances.[12] Penalties 　　The penalty for infringement of the UK GDPR is the amount specified in article 83 of the UK GDPR.[13] If an amount is not specified, the penalty is the standard maximum amount.[14] The standard maximum amount, at the time of writing, is £8,700,000 (around 10 million Euros) or 2% of the undertaking’s total annual worldwide turnover in the preceding financial year.[15] In any other case, the standard maximum amount is £8,700,000 (around 10 million Euros).[16] Conclusion 　　The UK privacy regime closely aligns with the GDPR. However it would be too simple of a statement to say that the UK privacy regime is almost identical to the GDPR. The ICO’s unique enforcement powers exercised through a notice system is a distinct feature of the UK privacy regime. Recent legal trends show that the UK while trying to preserve its ties with the EU is gradually developing an independent privacy persona. The best example is that in regards to transfers to third countries, the UK has developed its first certification scheme and is attempting to develop its own standard data protection clauses. The UK’s transition out of the EU has certainly been interesting; however, the UK’s transformation from the EU is certainly awaited with awe. [1] Commission Implementing Decision of 28.6.2021, pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom, C(2021) 4800 final,https://ec.europa.eu/info/sites/default/files/decision_on_the_adequate_protection_of_personal_data_by_the_united_kingdom_-_general_data_protection_regulation_en.pdf.. [2] Judgment of 16 July 2020, Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems, C-311/18, EU:C:2020:559, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62018CJ0311. [3] Data Protection Act 2018, §115. [4] Data Protection Act 2018, §207(1A); REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 3. [5] supra note 1. [6] Data Protection Act 2018, §17A-18; REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 44-50. [7] Data Protection Act 2018, §17A-18; REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 46-47. [8]International transfers after the UK exit from the EU Implementation Period, ICO, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers-after-uk-exit/ (last visited Sep. 10, 2021). [9] Standard contractual clauses for international transfers, European Commission, https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en (last visited Sep. 10, 2021). [10] ICO, New certification schemes will “raise the bar” of data protection in children’s privacy, age assurance and asset disposal, ICO, Aug. 19, 2021, https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2021/08/ico-approves-the-first-uk-gdpr-certification-scheme-criteria/ (last visited Sep. 10, 2021). [11] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 6(1)-(2); Lawful basis for processing, ICO, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/ (last visited Sep. 10, 2021). [12] Data Protection Act 2018, sch 2, part 6, para 27. [13] id. at §157. [14] id. [15] id. [16] id.

I. Introduction 　　When, Finland, this country comes to our minds, it is quite easy for us to associate with the prestigious cell-phone company “NOKIA”, and its unbeatable high technology communication industry. However, following the change of entire cell-phone industry, the rise of smart phone not only has an influence upon people’s communication and interaction, but also makes Finland, once monopolized the whole cell-phone industry, feel the threat and challenge coming from other new competitors in the smart phone industry. However, even though Finland’s cell-phone industry has encountered frustrations in recent years in global markets, the Finland government still poured many funds into the area of technology and innovation, and brought up the birth of “Angry Birds”, one of the most popular smart phone games in the world. The Finland government still keeps the tradition to encourage R&D, and wishes Finland’s industries could re-gain new energy and power on technology innovation, and indirectly reach another new competitive level. 　　According to the Statistics Finland, 46% Finland’s enterprises took innovative actions upon product manufacturing and the process of R&D during 2008-2010; also, the promotion of those actions not merely existed in enterprises, but directly continued to the aspect of marketing and manufacturing. No matter on product manufacturing, the process of R&D, the pattern of organization or product marketing, we can observe that enterprises or organizations make contributions upon innovative activities in different levels or procedures. In the assignment of Finland’s R&D budgets in 2012, which amounted to 200 million Euros, universities were assigned by 58 million Euros and occupied 29% R&D budgets. The Finland Tekes was assigned by 55 million Euros, and roughly occupied 27.5% R&D budgets. The Academy of Finland (AOF) was assigned by 32 million Euros, and occupied 16% R&D budges. The government’s sectors were assigned by 3 million Euros, and occupied 15.2% R&D budgets. Other technology R&D expenses were 2.1 million Euros, and roughly occupied 10.5% R&D. The affiliated teaching hospitals in universities were assigned by 0.36 million Euros, and occupied 1.8% R&D budgets. In this way, observing the information above, concerning the promotion of technology, the Finland government not only puts more focus upon R&D innovation, but also pays much attention on education quality of universities, and subsidizes various R&D activities. As to the Finland government’s assignment of budges, it can be referred to the chart below. 　　As a result of the fact that Finland promotes industries’ innovative activities, it not only made Finland win the first position in “Growth Competitiveness Index” published by the World Economic Forum (WEF) during 2000-2006, but also located the fourth position in 142 national economy in “The Global Competitiveness Report” published by WEF, preceded only by Swiss, Singapore and Sweden, even though facing unstable global economic situations and the European debt crisis. Hence, observing the reasons why Finland’s industries have so strong innovative power, it seems to be related to the Finland’s national technology administrative system, and is worthy to be researched. II. The Recent Situation of Finland’s Technology Administrative System A. Preface 　　Finland’s administrative system is semi-presidentialism, and its executive power is shared by the president and the Prime Minister; as to its legislative power, is shared by the Congress and the president. The president is the Finland’s leader, and he/she is elected by the Electoral College, and the Prime Minister is elected by the Congress members, and then appointed by the president. To sum up, comparing to the power owned by the Prime Minister and the president in the Finland’s administrative system, the Prime Minister has more power upon executive power. So, actually, Finland can be said that it is a semi-predisnetialism country, but trends to a cabinet system. 　　Finland technology administrative system can be divided into four parts, and the main agency in each part, based upon its authority, coordinates and cooperates with making, subsidizing, executing of Finland’s technology policies. The first part is the policy-making, and it is composed of the Congress, the Cabinet and the Research and Innovation Council; the second part is policy management and supervision, and it is leaded by the Ministry of Education and Culture, the Ministry of Employment and the Economy, and other Ministries; the third part is science program management and subsidy, and it is composed of the Academy of Finland (AOF), the National Technology Agency (Tekes), and the Finnish National Fund Research and Development (SITRA); the fourth part is policy-executing, and it is composed of universities, polytechnics, public-owned research institutions, private enterprises, and private research institutions. Concerning the framework of Finland’s technology administrative, it can be referred to below. B. The Agency of Finland’s Technology Policy Making and Management (A) The Agency of Finland’s Technology Policy Making 　　Finland’s technology policies are mainly made by the cabinet, and it means that the cabinet has responsibilities for the master plan, coordinated operation and fund-assignment of national technology policies. The cabinet has two councils, and those are the Economic Council and the Research and Innovation Council, and both of them are chaired by the Prime Minister. The Research and Innovation Council is reshuffled by the Science and Technology Policy Council (STPC) in 1978, and it changed name to the Research and Innovation Council in Jan. 2009. The major duties of the Research and Innovation Council include the assessment of country’s development, deals with the affairs regarding science, technology, innovative policy, human resource, and provides the government with aforementioned schedules and plans, deals with fund-assignment concerning public research development and innovative research, coordinates with all government’s activities upon the area of science, technology, and innovative policy, and executes the government’s other missions. 　　The Research and Innovation Council is an integration unit for Finland’s national technology policies, and it originally is a consulting agency between the cabinet and Ministries. However, in the actual operation, its scope of authority has already covered coordination function, and turns to direct to make all kinds of policies related to national science technology development. In addition, the consulting suggestions related to national scientific development policies made by the Research and Innovation Council for the cabinet and the heads of Ministries, the conclusion has to be made as a “Key Policy Report” in every three year. The Report has included “Science, Technology, Innovation” in 2006, “Review 2008” in 2008, and the newest “Research and Innovation Policy Guidelines for 2011-2015” in 2010. 　　Regarding the formation and duration of the Research and Innovation Council, its duration follows the government term. As for its formation, the Prime Minister is a chairman of the Research and Innovation Council, and the membership consists of the Minister of Education and Science, the Minister of Economy, the Minister of Finance and a maximum of six other ministers appointed by the Government. In addition to the Ministerial members, the Council shall comprise ten other members appointed by the Government for the parliamentary term. The Members must comprehensively represent expertise in research and innovation. The structure of Council includes the Council Secretariat, the Administrative Assistant, the Science and Education Subcommittee, and the Technology and Innovation Subcommittee. The Council has the Science and Education Subcommittee and the Technology and Innovation Subcommittee with preparatory tasks. There are chaired by the Ministry of Education and Science and by the Minister of Economy, respectively. The Council’s Secretariat consists of one full-time Secretary General and two full-time Chief Planning Officers. The clerical tasks are taken care of at the Ministry of Education and Culture. (B) The Agency of Finland’s Technology Policy Management 　　The Ministries mainly take the responsibility for Finland’s technology policy management, which includes the Ministry of Education and Culture, the Ministry of Employment and Economy, the Ministry of Social Affairs and Health, the Ministry of Agriculture and Forestry, the Ministry of Defense, the Ministry of Transport and Communication, the Ministry of Environment, the Ministry of Financial, and the Ministry of Justice. In the aforementioned Ministries, the Ministry of Education and Culture and the Ministry of Employment and Economy are mainly responsible for Finland national scientific technology development, and take charge of national scientific policy and national technical policy, respectively. The goal of national scientific policy is to promote fundamental scientific research and to build up related scientific infrastructures; at the same time, the authority of the Ministry of Education and Culture covers education and training, research infrastructures, fundamental research, applied research, technology development, and commercialization. The main direction of Finland’s national scientific policy is to make sure that scientific technology and innovative activities can be motivated aggressively in universities, and its objects are, first, to raise research funds and maintain research development in a specific ratio; second, to make sure that no matter on R&D institutions or R&D training, it will reach fundamental level upon funding or environment; third, to provide a research network for Finland, European Union and global research; fourth, to support the research related to industries or services based upon knowledge-innovation; fifth, to strengthen the cooperation between research initiators and users, and spread R&D results to find out the values of commercialization, and then create a new technology industry; sixth, to analyze the performance of national R&D system. 　　As for the Ministry of Employment and Economy, its major duties not only include labor, energy, regional development, marketing and consumer policy, but also takes responsibilities for Finland’s industry and technical policies, and provides industries and enterprises with a well development environment upon technology R&D. The business scope of the Ministry of Employment and Economy puts more focus on actual application of R&D results, it covers applied research of scientific technology, technology development, commercialization, and so on. The direction of Finland’s national technology policy is to strengthen the ability and creativity of industries’ technology development, and its objects are, first, to develop the new horizons of knowledge with national innovation system, and to provide knowledge-oriented products and services; second, to promote the efficiency of the government R&D funds; third, to provide cross-country R&D research networks, and support the priorities of technology policy by strengthening bilateral or multilateral cooperation; fourth, to raise and to broaden the efficiency of research discovery; fifth, to promote the regional development by technology; sixth, to evaluate the performance of technology policy; seventh, to increase the influence of R&D on technological change, innovation and society; eighth, to make sure that technology fundamental structure, national quality policy and technology safety system will be up to international standards. (C) The Agency of Finland’s Technology Policy Management and Subsidy 　　As to the agency of Finland’s technology policy management and subsidy, it is composed of the Academy of Finland (AOF), the National Technology Agency (Tekes), and the Finnish National Fund Research and Development (SITRA). The fund of AOF comes from the Ministry of Education and Culture; the fund of Tekes comes from the Ministry of Employment and Economy, and the fund of SITRA comes from independent public fund supervised by the Finland’s Congress. (D) The Agency of Finland’s Technology Plan Execution 　　As to the agency of Finland’s technology plan execution, it mainly belongs to the universities under Ministries, polytechnics, national technology research institutions, and other related research institutions. Under the Ministry of Education and Culture, the technology plans are executed by 16 universities, 25 polytechnics, and the Research Institute for the Language of Finland; under the Ministry of Employment and Economy, the technology plans are executed by the Technical Research Centre of Finland (VTT), the Geological Survey of Finnish, the National Consumer Research Centre; under the Ministry of Social Affairs and Health, the technology plans are executed by the National Institute for Health and Welfare, the Finnish Institute of Occupational Health, and University Central Hospitals; under the Ministry of Agriculture and Forestry, the technology plans are executed by the Finnish Forest Research Institute (Metla), the Finnish Geodetic Institute, and the Finnish Game and Fisheries Research Institute (RKTL); under the Ministry of Defense, the technology plans are executed by the Finnish Defense Forces’ Technical Research Centre (Pvtt); under the Ministry of Transport and Communications, the technology plans are executed by the Finnish Meteorological Institute; under the Ministry of Environment, the technology plans are executed by the Finnish Environment Institute (SYKE); under the Ministry of Financial, the technology plans are executed by the Government Institute for Economic Research (VATT). At last, under the Ministry of Justice, the technology plans are executed by the National Research Institute of Legal Policy.