New Version of Personal Information Protection Act and Personal Information Protection & Administration System

I. Summary

In 1995, the Computer-Processed Personal Data Protection Law was implemented in the Republic of China. With the constant development of information technology and the limitations in the application of the legislation, the design of the original legal system is no longer consistent with practical requirements. In view of the increasing number of personal data leaks, and after a long period of discussion, the new version of the law was passed after three readings in April 2010, and its title was changed to the Personal Information Protection Act. The new system has been officially in force since 1 October 2012. The new Act not only revised the provisions of the law comprehensively, but also significantly increased the obligations and responsibilities of enterprises. In terms of civil liability, the maximum amount of compensation for a single incident is 200 million NTD. For domestic industries, responding effectively to the requirements of the Personal Information Protection Act and adopting appropriate measures to lower the risk has become a key task of enterprise operation.

II. Main Points

1. Implementation of the Enforcement Rules of the Personal Information Protection Act

Personal information protection is arguably the issue of greatest concern in Taiwan recently. As a matter of fact, the Computer-Processed Personal Data Protection Law was established in Taiwan as early as August 1995. After more than 10 years of development, computer and information technology has evolved significantly, and many emerging business models such as E-commerce are extensively collecting personal data. It has become increasingly important to properly protect personal privacy. However, the previous Computer-Processed Personal Data Protection Law applied only to 8 specific industries (the credit investigation business, hospitals, schools, the telecommunication business, the financial business, the securities business, the insurance business, and mass media) and to other businesses designated by the Ministry of Justice and the central government authorities in charge of the enterprises concerned. In addition, the law only protected personal information that was processed by “computer or automatic equipment”. Personal information that was not computer processed was not included. The regulations were clearly insufficient to protect personal data privacy and interests.

There were numerous incidents of personal data leaks. Among the top 10 consumer news items issued by the Consumer Protection Committee of the Executive Yuan in 2007, “incidents of personal data leaks through E-commerce and TV shopping” was at the top of the list. This prompted the Ministry of Justice and the Ministry of Economic Affairs to “jointly designate” the retail industry without physical stores (including 3 transaction models: online shopping, catalogue shopping and TV shopping) as governed by the Computer-Processed Personal Data Protection Law from 1 July 2010.

To allow the provisions of the personal information protection legal system to keep up with a rapidly changing environment, the Executive Yuan proposed a Draft Amendment to the Computer-Processed Personal Data Protection Law very early and changed the title to the Personal Information Protection Act. The draft was discussed many times in the Legislative Yuan. The Personal Information Protection Act was finally passed after three readings in April 2010 and was officially published by the Office of the President on 26 May.

Although the new law was passed in April 2010, it was not implemented on the date of publication, in order to allow sufficient time for enterprises and the public to understand and comply with it. In accordance with Article 56 of the Act, the date of implementation was to be further established by the Executive Yuan. After discussions over a long period of time, the Executive Yuan decided that the Personal Information Protection Act would be officially implemented on 1 October 2012. However, the implementation of two articles is withheld: Article 6 of the Act, on the prohibition in principle against the collection, processing and use of special personal information, and Article 54, on the obligation to notify the Party within one year regarding personal information indirectly acquired before the implementation of the new law.

In the personal data protection legal system, besides the Personal Data Protection Act itself, which is the most important part, the enforcement rules established in accordance with the main law also play a key role. The previous Enforcement Rules of the Computer-Processed Personal Data Protection Law were published and implemented on 1 May 1996. Considering that the Computer-Processed Personal Data Protection Law was amended in 2010 and that its title has been changed to the Personal Data Protection Act, the Ministry of Justice also followed the amended provisions under the new law and actively studied the Draft Amendment to the Enforcement Rules of the Computer-Processed Personal Data Protection Act. After it was confirmed that the new version of the Personal Data Protection Act would be officially launched on 1 October 2012, the Ministry of Justice officially announced the amended enforcement rules on 26 September 2012. The title of the enforcement rules was also amended to the Enforcement Rules of the Personal Data Protection Act. The new version of the personal data protection law and its enforcement rules were thus officially launched, creating a brand new era for the promotion of personal data protection in Taiwan.

2. Personal Data Administration System and Information Privacy Protection Charter

Before the amendment to the Personal Data Protection Act was passed, the Legislative Yuan made a proposal to the government in June 2008 to promote a privacy administration and protection certification system in Taiwan, in reference to foreign practices. In August of the following year, the Strategic Review Board of the Executive Yuan passed a resolution to promote the E-Commerce Personal Data Administration and Information Security Action Plan. In December of the same year, approval was granted for the plan to be included in the key government promotion plans from 2010 to 2013.

Based on this action plan, since October 2010, the Ministry of Economic Affairs has asked the Institution for Information Industry to execute an E-Commerce Personal Data Administration System Setup Plan. Since 2012, the E-Commerce Personal Data Administration System Promotion Plan and the Taiwan Personal Information Protection and Administration System (TPIPAS) have been established and promoted. Their objective is to get enterprises, while complying with the personal data protection legal system, to properly protect consumers’ personal information through the establishment of an internal administration mechanism, and to ensure that the enterprises introducing the system meet its requirements. The issuance of the Data Privacy Protection Mark (dp.mark) was also used as an objective benchmark for consumers to judge an enterprise’s ability to maintain privacy.

Regarding the introduction of the personal data administration system, enterprises should establish a content administration mechanism step by step in accordance with the Regulations for Taiwan Personal Information Protection and Administration System. These regulations also serve as the review benchmark for deciding whether a domestic enterprise can acquire the Data Privacy Protection Mark (dp.mark). Since domestic enterprises had no prior experience in establishing an internal personal data administration system, starting in 2011, under the Taiwan Personal Information Protection and Administration System, enterprises received assistance in the training of system professionals such as Personal Data Administrators and Personal Data Internal Appraisers. Quality personal data administrators can help enterprises establish complete internal systems. Internal appraisers confirm whether the systems established by the enterprises are consistent with the system requirements. As of 2012, there are almost 100 enterprises in Taiwan that participate in the training of system staff and a total of 426 administrators and 131 internal appraisers.

In terms of the introduction of TPIPAS, in addition to having qualified administrators establish and introduce administration systems, enterprises can also seek assistance from external professional consulting institutions. Under the Taiwan Personal Information Protection and Administration System, applications for registration of consulting institutions became available in 2012. Qualified system consulting institutions are published on the system website. Today 9 qualified consulting institutions have completed their registrations, providing enterprises with personal data consulting services.

After an enterprise completes the establishment of its internal administration system, it may file an application for certification under the Taiwan Personal Information Protection and Administration System. The certification process includes two steps: “written review” and “site review”. After passing certification, the enterprise is qualified to use the Data Privacy Protection Mark (dp.mark). Today 7 domestic companies have passed TPIPAS certification and acquired the dp.mark: 7net, FamiPort, books.com.tw, LOTTE, GOHAPPY, PAYEASY and Sinya Digital, reinforcing the protection of consumers' private information through the introduction of a personal data administration system.

III. Event Analysis

The Taiwan Personal Information Protection and Administration System (TPIPAS) is a professional personal data administration system established on the basis of the provisions of the latest version of the domestic Personal Data Protection Act, with reference to the latest personal data protection requirements of international organizations and the experience of major countries in promoting personal data administration systems. In line with the practical personal data protection needs of industries, TPIPAS converts professional legal conditions into an internal personal data administration procedure, to effectively assist industries in establishing a complete and proper personal data administration system and in complying with the requirements of personal data legislation. With the launch of the new version of the Personal Data Protection Act, introducing TPIPAS and acquiring the dp.mark are the best strategies for enterprises to lower the risk arising from the personal data protection law and to upgrade their internal personal data administration capability.

※New Version of Personal Information Protection Act and Personal Information Protection & Administration System, STLI, https://stli.iii.org.tw/en/article-detail.aspx?no=105&tp=2&i=168&d=6370 (Date: 2024/07/18)
You may be interested
Observing Recent Foreign Developments upon Bio-medicine, Marketing Medical Devices, Technology Development Project and the Newest Litigation Trend Concerning the Joint Infringement of Method/Process Patents

1. Chinese REACH has put into shape, how about Taiwan REACH? - A Perspective of Chinese Measures on Environmental Management of New Chemical Substances

Taiwan's food industry has been struck by the government agency's disclosure that certain unfaithful manufacturers have mixed toxic chemicals into food additives for the past 30 years, and the chemicals may seriously threaten public health. This event has not only shaken customers' confidence in the industry, but also drawn public attention to the sound management and safe use of chemicals. In order to manage fast-advancing and widely applicable chemical substances appropriately, laws and regulations in international jurisdictions in recent years tend to regulate unfamiliar chemicals as “new chemical substances” and leverage registration systems to track their use and import. REACH, which has been implemented by the European Union since 2006, is one of the most successful models. China, one of our most important business partners, has also learned from the EU experience and implemented its amended "Measures on Environmental Management of New Chemical Substances" (also known as "Chinese REACH") last year. It is necessary not only for our industries that have invested or are running a business in China to understand how this new regulation may influence their business, but also for our competent authority to observe how our domestic laws and regulations may connect to this international trend. Therefore, besides briefing the content of Chinese REACH, this article also reviews the existing laws and regulations in Taiwan and observes the law-making movement taken by our authority. We expect that the comparison and observation in this article may be a reference for our competent authorities in mapping out a better environment for new chemical management.

2. The study on Taiwanese businessmen Join the Bid Invitation and Bidding of Science and Technology Project

The Chinese government invests great funds in its Science and Technology Project management system, which contains most of the innovative technology. It also creates a great business opportunity for domestic industry. In recent years the Chinese government has built a Bid Invitation and Bidding Procedure into the original Science and Technology Project Regime, in order to make the regime more open and transparent. It also makes the regime fairer and more efficient. Taiwanese industry may try to apply for those Science and Technology Projects because of this attractive opportunity, but should understand China's legal system before doing so. This article introduces the "Bid Invitation and Bidding Law of the Peoples Republic of China" and the "Provisional Regulation on Bid Invitation and Bidding of Science and Technology Project", then clarifies how the "Bid Invitation and Bidding Law of the Peoples Republic of China" and the "Government Procurement Law of the Peoples Republic of China" apply in relation to each other. It also analyzes the "Bid Invitation and Bidding Procedure", "Administration of Contract Performance Procedure", "Inspection and Acceptance Procedure", and "Protest and Complaint Procedure", providing a complete legal observation and opinion for Taiwanese industry.

Keywords: Bid Invitation and Bidding Law of the Peoples Republic of China; Government Procurement Law of the Peoples Republic of China; Provisional Regulation on Bid Invitation and Bidding of Science and Technology Project; Applying for Science and Technology Project Regime; Bid Invitation and Bidding Procedure; Administration of Contract Performance Procedure; Inspection and Acceptance Procedure; Protest and Complaint Procedure.

3. Comparing the Decisions of the United States Supreme Court regarding Preempting Marketing Medical Devices and Drugs from State Tort Litigations with the Decision of a Hypothetical Case in Taiwan

The investment costs of complying with pertinent laws and regulations for manufacturing, marketing, and profiting from drugs and medical devices (abbreviated as MD) are far higher than the costs necessary for securing a market permit. The usage of MD products carries the risk of harming their users or the patients, who might sue the manufacturer for damages in court based on tort law. To help reduce the risk of such litigation, the industry should be aware of the laws governing state tort litigations and the preemption doctrine of the federal laws of the United States. This article collected four critical decisions by the United States Supreme Court to analyze the requirements of federal preemption from state tort litigations in these cases. The article also analyzed the issues of preemption in our law system in a hypothetical case. These issues include the competing regulatory requirements of the laws and regulations on drugs and MDs and the Drug Injury Relief Act versus the Civil Code and the Consumer Protection Law. The article concluded:

1. The pre-market-approval of MD in the United States is exempted from the state tort litigations;
2. Brand-name-drug manufacturers must proactively update the drug label regarding severe risks evidenced by the latest findings;
3. Generic-drug manufacturers are exempted from the product liability litigations and not required to comply with the aforementioned brand-name-drug manufacturers' obligation;
4. No preemption issues are involved in these kinds of product liability litigations in our country;
5. The judge of general court is not bound by the approval of marketing of drug and MD;
6. The judge of general court is not bound by the determination and verdict of the Drug Injury Relief Act.

4. Through Computer-Aided Detection Software, Comparing by Discussing and Analyzing the Regulatory Requirements for Marketing Medical Devices in the United States and in Taiwan

Computer-Aided Detection (CADe) software systematically assists medical doctors in detecting suspicious diseased site(s) inside patients' bodies, and it helps patients receive proper medical treatment as soon as possible. Only a few medical devices (MD) of this type have been legally marketed either in the United States of America (USA) or in Taiwan. This is a novel MD, and the rules regulating it are still under development. Thus, it is valuable to investigate and discuss its regulations. To clarify the requirements for legally marketing the MD, this article not only collects and summarizes the latest draft guidance announced by the USA, but also compares and analyzes the similarities and differences between the USA and Taiwan, and further explains the logic that the USA applies to clarify and qualify CADe for marketing, so that the Department of Health (DOH) in Taiwan could use it as a reference. Meanwhile, the article collects the related requirements of the Administrative Procedure Act and the Freedom of Government Information Law of our nation, and makes the following suggestions on MD regulations to the DOH: creating a product code in the system of categorization, providing a clearer definition of classification, and actively announcing the (abbreviated) marketing route that secures legal permission for each individual product.

5. A Discussion on the Recent Cases Concerning the Joint Infringement of Method/Process Patents in the U.S. and Japan

In the era of the internet and mobile communication, practicing a method patent concerning an innovative service might often involve several entities, and sometimes the method patent can only be infringed jointly. Joint infringement of method/process patents is an issue that needs to be addressed by patent law, since it is assumed that a method patent can only be directly infringed by one entity performing all the steps disclosed in the patent. In the U.S., the CAFC has established the "control or direction" standard to address the issue, but the standard has been criticized and is under revision now. In Japan, there is no clearly established standard to address the issue of joint infringement, but it seems that the entity that controls and benefits from the joint infringement might be held liable. Based on its discussion of the recent developments in the U.S. and Japan, this article attempts to provide some suggestions for inventors of innovative service models on using patents to protect their inventions properly: they should try to avoid describing their inventions as being practiced by multiple entities, they should try to claim both method and system/apparatus inventions, and they should try to predict the potential infringement of their patents in order to address the problem of how to prove the infringement.

Introducing and analyzing the Scope and Benefits of the Regulation "Statute for Upgrading Industries" in The Biotechnology Industry in Taiwan

The recent important regulation for supporting the biopharmaceutical industry in Taiwan has been the "Statute for Upgrading Industries" (hereinafter referred to as "the Statute"). The main purpose of the Statute is to upgrade all industries for future economic development, so it applies to various industries, ranging across agricultural, industrial and service businesses. In other words, the Statute does not offer incentive measures to the biopharmaceutical industry in particular, but focuses on promoting industry development in general.

Statute for Upgrading Industry and Related Regulations

Generally speaking, the Statute has a widespread influence on industry development in Taiwan. The incentive measures provided in the Statute are complicated and extend to other related regulations under its legal framework. Thus, this article takes a multi-faceted perspective in discussing how the Statute relates to the biopharmaceutical industry.

1. Scope of Application

According to Article 1 of the Statute, the term "industries" refers to agricultural, industrial and service businesses. Consequently, nearly all kinds of industries fall under this definition, and the Statute is applicable to all of them. Moreover, in order to promote the development and application of emerging technology as well as to cultivate the recognized industries, the Statute provides much more favorable terms to these industries. These emerging and major strategic industries include computer, communication and consumer electronics (3C), precise mechanics and automation, aerospace, biomedical and chemical production, green technology, material science, nanotechnology, security and other products or services recognized by the Executive Yuan.

2. Tax Benefits

The Statute offers several types of tax benefits, so that the industry can receive sufficient reward in every way it can and promote a sound cycle of creating new value through these benefits.

(1) Benefits for the purchase of automation equipment

For the said procured equipment and technology over NTD 600,000, a certain percentage of the investment may be credited against the amount of profit-seeking enterprise income tax payable for the then current year. For the purchase of production technology, 5% may be credited. For the purchase of equipment, 7% may be credited. Any investment plan that includes the purchase of equipment for automation can qualify for a low-interest preferential loan. In addition, where a science-based industrial company imports overseas equipment that is not manufactured by local manufacturers, from January 1, 2002, the imported equipment shall be exempted from import and business tax. If the company is a bonded factory, the raw materials it imports from abroad shall also be exempt from import duties and business tax.

(2) Benefits for R&D expenditure

For expenditure incurred in developing new products, improving production technology, or improving label-providing technology, 30% of the investment may be credited against the amount of profit-seeking enterprise income tax payable for the then current year. Where research expenditures of the current year exceed the average research expenditure for the past two years, the excess in research expenditure shall be 50% deductible. Depreciation of instruments and equipment purchased exclusively for R&D, experimentation, or quality inspection may be accelerated to two years. Lastly, a Biotech and New Pharmaceuticals Company that engages in R&D activities, such as a Contract Research Organization (CRO), may credit 30% of the investment against the amount of profit-seeking enterprise income tax payable.

(3) Personnel Training

When a company trains staff and registers them for business-related courses, it may credit 30% of the training cost against the amount of profit-seeking enterprise income tax payable for the then current year. Where training expenses for the current year exceed the two-year average, 50% of the excess portion may be credited.

(4) Benefit for Newly Emerging Strategic Industries

Corporate shareholders that invest in newly emerging strategic industries are entitled to select one of the following tax benefits: A profit-seeking enterprise may credit up to 20% of the price paid for acquisition of such stock against the profit-seeking enterprise income tax. An individual may credit up to 10%. As of January and once every year, there will be a 1% reduction of the price paid for acquisition of such stock against the consolidated income tax payable in the then current year. A company, within two years from the beginning date for payment of the stock price by its shareholders, selects, with the approval of its shareholder meeting, the application of an exemption from profit-seeking enterprise income tax and waives the shareholders' investment credit against payable income tax as mentioned above. However, once the selection is made, no changes shall be allowed.

(5) Benefits for Investment in Equipment or Technology Used for Pollution Control

To prevent our environment from further pollution, the Government offers tax benefits to reward companies for making improvements. For investment in equipment or technology used for pollution control, 7% of the equipment expenditure and 5% of the expenditure on technology may be credited against the amount of profit-seeking enterprise income tax payable for the then current year. Any equipment that has been verified in use and is specialized in air pollution control, noise pollution control, vibration control, water pollution control, environmental surveillance and waste disposal shall be exempt from import duties and business tax. Investment plans that include the implementation of energy saving systems can apply for a low-interest loan.

(6) Incentive for Operation Headquarter

To encourage companies to utilize worldwide resources and set up international operation networks, if they establish operation headquarters within the territory of the Republic of China that reach a specific size and bring about significant economic benefit, their following incomes shall be exempted from profit-seeking enterprise income tax: the income derived from provision of management services or R&D services; the royalty payment received under its investments to its affiliates abroad; and the investment return and asset disposal received under its investment to its affiliates abroad.

(7) Exchange of Technology for Stock Option

An emerging-industry company recognized by the government, upon adoption of a resolution by a majority vote of the directors present at a meeting of its board of directors attended by two-thirds of the directors of the company, may issue stock options to a corporation or individual in exchange for authorization or transfer of patents and technologies.

(8) Deferral of Taxes on the Exchange of Technology for Shares

Taxes on income earned by investors from the acquisition of shares in emerging-industry companies in exchange for technology will be deferred for five years, on condition that the shares exchanged for technology amount to more than 20% of the company's total stock equity and that the number of persons who obtain shares in exchange for technology does not exceed five.

3. Technical Assistance and Capital Investment

Rapid industry development has been closely tied to the infusion of funds. In addition to tax benefits, the Statute incorporates regulations specifically for technical assistance and capital investment, as below:

(1) In order to introduce or transfer advanced technologies, technical organizations formed with the contribution of government shall provide appropriate technical assistance as required.

(2) In order to advance technologies, enhance R&D activities and further upgrade industries, the relevant central government authorities in charge of end enterprises may promote the implementation of industrial and technological projects by providing subsidies to such R&D projects.

(3) In order to assist the start-up of domestic small-medium technological enterprises and the overall upgrading of the entire industries, guidance and assistance shall be provided for the development of venture capital enterprises.

Taiwan's Approach to AI Governance

2024/06/19

In an era where artificial intelligence (AI) reshapes every facet of life, governance plays a pivotal role in harnessing its benefits while mitigating associated risks. Taiwan, recognizing the dual-edged nature of AI, has embarked on a comprehensive strategy to ensure its development is both ethical and effective. This article delves into Taiwan's AI governance framework, exploring its strategic pillars, regulatory milestones, and future directions.

I. Taiwan's AI Governance Vision: Taiwan AI Action Plan 2.0

Taiwan has long viewed AI as a transformative force that must be guided with a careful balance of innovation and regulation. With the advent of technologies capable of influencing democracy, privacy, and social stability, Taiwan's approach is rooted in human-centric values. The nation's strategy is aligned with global movements towards responsible AI, drawing lessons from international standards like those set by the European Union's Artificial Intelligence Act.

The "Taiwan AI Action Plan 2.0" is the cornerstone of this strategy. It is a multi-faceted plan designed to boost Taiwan's AI capabilities through five key components:

1. Talent Development: Enhancing the quality and quantity of AI professionals while improving public AI literacy through targeted education and training initiatives.
2. Technological and Industrial Advancement: Focusing on critical AI technologies and applications to foster industrial growth and creating the Trustworthy AI Dialogue Engine (TAIDE) that communicates in Traditional Chinese.
3. Supportive Infrastructure: Establishing robust AI governance infrastructure to facilitate industry and governmental regulation, and to foster compliance with international standards.
4. International Collaboration: Expanding Taiwan's role in international AI forums, such as the Global Partnership on AI (GPAI), to collaborate on developing trustworthy AI practices.
5. Societal and Humanitarian Engagement: Utilizing AI to tackle pressing societal challenges like labor shortages, an aging population, and environmental sustainability.

II. Guidance-before-legislation

To facilitate a gradual adaptation to the evolving legal landscape of artificial intelligence and maintain flexibility in governance, Taiwan employs a "guidance-before-legislation" approach. This strategy prioritizes the rollout of non-binding guidelines as an initial step, allowing agencies to adjust before any formal legislation is enacted as needed.

Taiwan adopts a proactive approach in AI governance, facilitated by the Executive Yuan. This method involves consistent inter-departmental collaborations to create a unified regulatory landscape. Each ministry is actively formulating and refining guidelines to address the specific challenges and opportunities presented by AI within their areas of responsibility, spanning finance, healthcare, transportation, and cultural sectors.

III. Next step: Artificial Intelligence Basic Act

The drafting of the "Basic Law on Artificial Intelligence," anticipated for legislative review in 2024, marks a significant step towards codifying Taiwan’s AI governance. Built on seven foundational principles (transparency, privacy, autonomy, fairness, cybersecurity, sustainable development, and accountability), this law will serve as the backbone for all AI-related activities and developments in Taiwan. By establishing rigorous standards and evaluation mechanisms, this law will not only govern but also guide the ethical deployment of AI technologies, ensuring that they are beneficial and safe for all.

IV. Conclusion

As AI continues to evolve, the need for robust governance frameworks becomes increasingly critical. Taiwan is setting a global standard for AI governance that is both ethical and effective. Through legislation, active international cooperation, and a steadfast commitment to human-centric values, Taiwan is shaping a future where AI technology not only thrives but also aligns seamlessly with societal norms and values.

Blockchain and General Data Protection Regulation (GDPR) compliance issues (2019)

I. Brief

Blockchain technology can solve the problem of trust between data demanders and data providers. In a centralized mode, data demanders can only choose to believe that the centralized platform will not contain false information. In a decentralized mode, however, data isn’t controlled by one individual group or organization[1], and data demanders can directly verify information such as data source, time, and authorization on the blockchain without worrying about the correctness and authenticity of the data.

Take “immutability” as an example: it conflicts with the right to erasure (also known as the right to be forgotten) in the GDPR. With encryption and one-time pad (OTP) technology, data subjects can have data stored off-chain or modified at any time on a decentralized platform, so the problem that data on the blockchain does not meet the GDPR has gradually faded away.

II. What is GDPR?

The purpose of the EU GDPR is to protect users’ data and to prevent large-scale online platforms or large enterprises from collecting or using users’ data without their permission. Violators will be punished by the EU with up to 20 million Euros (equal to 700 million NT dollars) or 4% of the worldwide annual revenue of the prior financial year.

The aim is to promote the free movement of personal data within the European Union while maintaining an adequate level of data protection. It is a technology-neutral law: it applies to any type of technology used for processing personal data.

This raises the question of whether data on a blockchain complies with the GDPR. Since the blockchain is decentralized, one of its original design goals is to avoid a large amount of centralized data being abused.

Blockchains can be divided into permissioned blockchains and permissionless blockchains. The former can also be called “private chains”, “alliance chains” or “enterprise chains”, which means that no one can join the blockchain without consent. The latter can also be called “public chains”, which means that anyone can participate on the chain without obtaining consent.

Sometimes, a private chain is not completely decentralized. The demand for the use of blockchain has developed a hybrid of the two types of blockchain, called the “alliance chain”, which not only maintains the privacy of the private chain, but also maintains the characteristics of public chains. The information on the alliance chain will be open and transparent, and it is in conflict with the application of GDPR.

III. How does GDPR apply to blockchain?

First, it should be determined whether the data on the blockchain is personal data protected by GDPR. Second, what are the relationship and respective responsibilities of the data subject, data controller, and data processor? Finally, we discuss the common technical characteristics of blockchain and how GDPR applies to it.

1. Is data on the blockchain personal data protected by GDPR?

First of all, starting from the technical characteristics of the blockchain: blockchain technology is commonly decentralized, anonymous, immutable, trackable and encrypted. The other five major characteristics are immutability, authenticity, transparency, uniqueness, and collective consensus.

Further, the blockchain is an open, decentralized ledger technology that can effectively verify and permanently store transactions between two parties in a way that can be proved.

It is a distributed database: all users on the chain can access the database and its history, and can directly verify transaction records. Each node uses peer-to-peer transmission to upload or transfer information without third-party intermediation, which is the unique “decentralization” feature of the blockchain.
In addition, each node or user on the chain has a unique and identifiable address of more than 30 alphanumeric characters, but the user may choose to be anonymous or provide identification, which is also a feature of transparency with pseudonymity[2]. Records on the blockchain are irreversible: once a transaction is recorded and updated on the chain, it is difficult to change and is permanently stored in the database; that is to say, it has the characteristic of “tamper-resistance”[3].

According to Article 4 (1) of the GDPR, “personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Therefore, if the data subject cannot be identified from the data on the blockchain, the data is anonymous and falls outside the application of GDPR.

(1) What is Anonymization?

According to Opinion 05/2014 on Anonymization Techniques by the Article 29 Data Protection Working Party of the European Union, “anonymization” is a technique applied to personal data in order to achieve irreversible de-identification[4].

The Opinion also states that the “hash function” of a blockchain is a pseudonymization technology, so the personal data can possibly be re-identified. It is therefore not “anonymization”, and the data on the blockchain may still be personal data as stipulated by the GDPR.

As the blockchain evolves, it will be possible to develop technologies that are not regulated by GDPR, such as part of the encryption process, which will be able to meet the anonymization requirements of the courts or European data protection authorities. There are also many technical compliance solutions in the industry, such as avoiding storing transaction data directly on the chain.

2. International data transmission

Furthermore, in accordance with Article 3 of the GDPR, “This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union”.[5]

In other words, GDPR applies only when the data on the blockchain is not anonymized, and involves the processing of personal data of EU citizens.

3. Identification of data controllers and data processors

Therefore, if the encryption technology involves the public storage of EU citizens' personal data and passes it to a third-party controller, it may be identified as the “data controller” under Article 4 of GDPR, and all nodes and miners of the platform may be deemed “co-controllers” of the data and bear joint responsibility with the data controller under GDPR. For example, the parties can claim the right to delete data from the data controller.

In addition, a blockchain operator may be identified as a “processor”. For example, with Backend as a Service (BaaS) products, third parties provide network infrastructure for users and let users manage and store personal data. Such cloud services companies provide online services on behalf of customers and do not act as “data controllers”. Some commentators believe that private chains or alliance chains, such as land records transmission and inter-bank customer information sharing, are not completely decentralized compared to public chain applications such as cryptocurrencies (Bitcoin, for example), and are more likely to meet GDPR requirements[6]. For example, a private chain or alliance chain is a closed platform that contains only a small number of trusted nodes, and is more effective in complying with the GDPR rules.

4. Data subject claims

In accordance with Article 17 of the GDPR, the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay under some grounds.

Off-chain storage technology can help the blockchain industry comply with GDPR rules by allowing offline storage of personal data, or by allowing trusted nodes to delete the private key of encrypted information, which leaves data on the chain that cannot be read or identified. If the data meets the GDPR's definition of anonymization, there is no room for GDPR to be applied.

IV. Conclusion

In summary, it seems that the issues in applying GDPR to blockchain may include: (a) the difficulty of identifying the data controllers and data processors after data subjects upload their data; (b) the nature of decentralized storage is transnational storage, which raises the question of whether the country where a node is located meets the “adequacy decision” of Article 45 of the GDPR.

If it cannot be met, then it needs to be considered whether the transfer conforms to the transfers subject to appropriate safeguards of Article 46, or the derogations for specific situations of Article 49 of the GDPR.

Reference:

[1] How to Trade Cryptocurrency: A Guide for (Future) Millionaires, https://wikijob.com/trading/cryptocurrency/how-to-trade-cryptocurrency

[2] DONNA K. HAMMAKER, HEALTH RECORDS AND THE LAW 392 (5TH ED. 2018).

[3] Iansiti, Marco, and Karim R. Lakhani, The Truth about Blockchain, Harvard Business Review 95, no. 1 (January-February 2017): 118-125, available at https://hbr.org/2017/01/the-truth-about-blockchain

[4] Article 29 Data Protection Working Party, Opinion 05/2014 on Anonymisation Techniques (2014), https://www.pdpjournals.com/docs/88197.pdf

[5] Directive 95/46/EC (General Data Protection Regulation), https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN

[6] Queen Mary University of London, Are blockchains compatible with data privacy law? https://www.qmul.ac.uk/media/news/2018/hss/are-blockchains-compatible-with-data-privacy-law.html
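
The contrast the article draws between a plain hash on the chain (pseudonymization, re-identifiable) and off-chain storage with key deletion can be made concrete. The sketch below is an added example, not part of the original article: it uses a keyed hash (HMAC) with a per-subject key as the on-chain value, a stand-in chosen here for the "private key of encrypted information" the article mentions, and the `OffChainStore` class and sample identifiers are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed sample identifiers (not real people); a small, guessable ID space.
CANDIDATES = ["A100000001", "A123456789", "B200000002"]

def plain_digest(identifier: str) -> str:
    """Naive on-chain value: unkeyed SHA-256 of the identifier."""
    return hashlib.sha256(identifier.encode()).hexdigest()

def reidentify(on_chain_value: str, candidates: list[str]) -> str | None:
    """Link an on-chain value back to a person by hashing candidate identifiers."""
    for candidate in candidates:
        if hmac.compare_digest(plain_digest(candidate), on_chain_value):
            return candidate
    return None

class OffChainStore:
    """Hypothetical off-chain store holding the record and a per-subject key."""

    def __init__(self) -> None:
        self.rows: dict[str, tuple[bytes, str]] = {}

    def _commit(self, key: bytes, identifier: str, record: str) -> str:
        return hmac.new(key, f"{identifier}|{record}".encode(), hashlib.sha256).hexdigest()

    def register(self, identifier: str, record: str) -> str:
        """Keep key and record off-chain; return the keyed commitment for the chain."""
        key = secrets.token_bytes(32)
        self.rows[identifier] = (key, record)
        return self._commit(key, identifier, record)

    def verify(self, identifier: str, on_chain_value: str) -> bool:
        """True only while the off-chain key and record still exist."""
        if identifier not in self.rows:
            return False
        key, record = self.rows[identifier]
        return hmac.compare_digest(self._commit(key, identifier, record), on_chain_value)

    def erase(self, identifier: str) -> None:
        """Erasure request: drop key and record; the chain entry is left untouched."""
        self.rows.pop(identifier, None)

if __name__ == "__main__":
    store = OffChainStore()
    ledger = [plain_digest("A123456789"), store.register("A123456789", "loan approved")]
    print("naive entry links to:", reidentify(ledger[0], CANDIDATES))
    print("keyed entry links to:", reidentify(ledger[1], CANDIDATES))
    store.erase("A123456789")
    print("verifiable after erase:", store.verify("A123456789", ledger[1]))
```

The ledger entry is never modified; what changes after `erase` is that no party still holds the key needed to tie that entry to a person.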
