We aim to analyze the role played by the Finnish Innovation Fund (“Sitra”) in boosting the national innovation ability and to identify the characteristics of its organization and operation that may inform deliberation on Taiwan’s legal system. Sitra is an independent organization that reports directly to the Finnish Parliament; it is dedicated to funding activities with sustainable development as its ultimate goal and is oriented toward the needs for social change. As of 2004, it promoted the fixed-term program. Until 2012, it, in turn, primarily engaged in 3-year program for ecological sustainable development and enhancement of society in 2012. The former aimed at the sustainable use of natural resources to develop new structures and business models and to boost the development of a bioeconomy and low-carbon society, while the latter aimed to create a more well-being-oriented public administrative environment, to upgrade the leadership and decision-making ability of the various public sectors so that citizens’ opinions are brought into policy, and to develop the potential for building new business models and venture capital businesses[1].
1. Sitra Standing in Boosting of Finnish Innovation Policies
(1) Positive Impact from Support of Innovation R&D Activities by Public Sector
Using public-sector resources to facilitate and boost industrial innovation and R&D ability is common practice in countries around the world. Nevertheless, the impact of the public sector’s investment of resources on technical R&D and on society as a whole remains open to exploration[2]. Most studies still indicate a positive impact, primarily as a result of market failure. Some studies indicate that the impact of the public sector’s investment of resources may be observed from at least several points of view, including: 1. the direct output of the investment per se and the corresponding R&D investment potentially derived from investees; 2. outputs derived from the R&D investment, e.g., products, services and production methods; 3. direct impact derived from the R&D scope, e.g., development of a new business, or new business and service models; 4. impact on the national and social economies, e.g., change of industrial structures and improvement of the employment environment. Most studies indicate that, from each of these points of view, public-sector investment produced positive impacts and that such investment is therefore definitely needed[3]. The public sector may invest in R&D in diversified manners. Sitra invests in the “market” as an investor in the corporate venture investment market, a role different from that of the Finnish Funding Agency for Technology and Innovation (“Tekes”), which is more like a governmental subsidizer. Nevertheless, Finland’s distinguishing characteristic is its combination of multiple funding and promotion models. Above all, because of its different behavior model, the role played by Sitra also differs from those played by public-sector bodies in general. This is why we choose Sitra as the subject of this study.
Data source: Jari Hyvärinen & Anna-Maija Rautiainen, Measuring additionality and systemic impacts of public research and development funding – the case of TEKES, FINLAND, RESEARCH EVALUATION, 16(3), 205, 206 (2007).
Fig. 1 Phased Efforts of Resources Invested in R&D by Public Sector
(2) Two-Sided Role Played by Sitra in Boosting of Finnish Innovation Policies
Sitra has a very special position in Finland’s national innovation policies, as it not only helps the successful implementation of the innovation policies but also acts as an intermediary among the relevant entities. Sitra was founded in 1967 under supervision of the Bank of Finland before 1991, but was transformed into an independent foundation under the direction of the Finnish Parliament[4].
Though Sitra is a public foundation, its operation is not subject to intervention or restriction by the government. Sitra may initiate any innovation activities for its new organization or system, playing a role dedicated to funding technical R&D or promoting venture capital business. Meanwhile, Sitra also assumes a special function dedicated to training decision-makers and organizing decision-maker networks to boost structural change. Therefore, Sitra may be identified as a special organization which can act flexibly and possesses resources at the same time and, therefore, may initiate various innovation activities rapidly[5].
Sitra is authorized to boost the development of innovation activities in said flexible and characteristic manner in accordance with the Finland Innovation Fund Act (Laki Suomen itsenäisyyden juhlarahastosta). According to the Act, Finland established Sitra in 1967 and Sitra was under supervision of Bank of Finland (Article 1). Sitra was established in order to boost the stable growth of Finland’s economy via the national instrument’s support of R&D and education or other development instruments (Article 2). The policies which Sitra may adopt include loaning or funding, guarantee, marketable securities, participation in cooperative programs, partnership or equity investment (Article 3). If necessary, Sitra may collect the title of real estate or corporate shares (Article 7).
Data source: Finnish innovation system, Research.fi, http://www.research.fi/en/innovationsystem.html (last visited Mar. 15, 2013).
Fig. 2 Finnish Scientific Research Organization Chart
Sitra's innovation role has evolved through two changes. Specifically, Sitra was primarily dedicated to funding technical R&D among the public sectors in Finland, and the funding model applied by Sitra prior to the changes initiated the technical R&D promotion by Tekes, which was established in 1983. The first change of Sitra took place in 1987. After that, Sitra turned to focus on business development and venture capital invested in technology business, and led venture capital investment. Meanwhile, it became a partner of private investment funds and thereby boosted the growth of venture capital investments in Finland in 1990. In 2000, the second change of Sitra took place and Sitra’s organizational orientation was changed again. It achieved the new goal of structural change step by step by boosting experimental social innovation activities. Sitra believed that it should play a role contributing to procedural change and reducing systematic obstacles, e.g., various organizational or institutional deadlocks[6].
Among the innovation policies boosted by the Finnish Government, the support of Start-Ups via governmental power has always been the most important one. Therefore, the Finnish Government has customarily played a positive role in the process of developing the venture capital investment market. In 1967, the Government established a venture capital company named Sponsor Oy with the support of the Bank of Finland, and Sponsor Oy was privatized after 1983. The Finnish Government also established the Kera Innovation Fund (now known as Finnvera[7]) in 1971, which was dedicated to boosting the growth of Start-Ups in Finland jointly with Finnish Industry Investment Ltd. (“FII”), established by the Government in 1994, and Sitra, so as to make “innovation” the main development force of the country[8].
Sitra plays a very important role in the foundation and development of the venture capital market in Finland and is critical to the Finnish Venture Capital Association established in 1990. After the Bank of Finland was placed under the supervision of the Finnish Parliament in 1991, Sitra became one of the most important venture capital investors. Now, a large portion of private venture capital funds are provided by Sitra[9]. Since Sitra launched the new strategic program in 2004, it has turned to applying smaller-sized strategic programs when investing in young innovation companies, some of which involved venture capital investment. The mapping of young innovation entrepreneurs and angel investors started as of 1996[10].
In addition to being an important innovation R&D promoter in Finland, Sitra is also an excellent organization which is financially self-sufficient and tends to gain profit no less than that generated by a private enterprise. As an organization immediately subordinate to the Finnish Parliament, all of Sitra’s decisions are directly reported to the Parliament (public opinion). The Chairman of the Board, Board of Directors and supervisors of Sitra are all appointed by the Parliament directly[11]. Its working funds are generated from interest accruing from the Fund and investment income from the Fund, no longer from tax revenue or a budget prepared by the Government. The total fund initially founded by the Bank of Finland amounted to DEM100,000,000 (approximately EUR17,000,000), and was accumulated to DEM500,000,000 (approximately EUR84,000,000) from 1972 to 1992. After that, following the increase in market value, its nominal capital amounted to DEM1,400,000,000 (approximately EUR235,000,000) from 1993 to 2001. Obviously, Sitra generated high investment income. Until 2010, it has generated investment income amounting to EUR697,000,000.
In fact, Sitra’s concern about venture capital investment is identified as one of the important changes in Finland's national technical R&D policies after 1990[13]. Sitra customarily funds businesses in three manners, i.e., direct investment in domestic stock, investment in Finnish venture capital funds, and investment in international venture capital funds, primarily in four industries: technology, life science, regional cooperation and small- and medium-sized start-ups. Meanwhile, it also actively invests in venture capital funds for high-tech industries. In addition to innovation technology companies, technical service providers are also among its investees[14].
2. “Investment” Instrument Applied by Sitra to Boost Innovation Business
The Start-Up funding activity conducted by Sitra is named the PreSeed Program. It includes the INTRO investors’ mapping platform, dedicated to mapping 450 angel investment funds and entrepreneurs; LIKSA, which works with Tekes to fund new companies with no more than EUR40,000 for the purchase of consultation services (half funded by Tekes, and the other half funded by Sitra in the form of a loan convertible to shares); and the DIILI service[15], dedicated to providing entrepreneurs with professional sales consultation resources to integrate the innovation activity (product thereof) with the market and remedy the new company’s deficit in sales ability[16].
The investment subjects are as follows. Sitra has three investment subjects, namely, corporate investments, fund investments and project funding.
(1) Corporate investment
Sitra will not “fund” enterprises directly or provide enterprises with services without consideration (small-sized and medium-sized enterprises are aided by other competent authorities), but invests in businesses which are held able to produce positive effects for society, e.g., health promotion, social problem solutions, utilization of energy and effective utilization of natural resources. Notwithstanding, in order to seek a fair rate of return, Sitra is dedicated to making the investment (in various enterprises) by its professional management and technology, products or competitiveness of services, ranging from EUR300,000 to EUR1,000,000 to acquire 10-30% of the ownership of the enterprises, namely equity investment or convertible funding. Sitra requires its investees to value corporate social responsibility and actively participate in social activities. It usually holds the shares for 4 to 10 years, during which period it participates actively in the corporate operation (e.g., appointment of directors)[17].
(2) Fund investments
For fund investments[18], Sitra invests in more than 50 venture capital funds[19]. It invests in the domestic venture capital fund market to promote the development of the market and help start-ups seek funding and create new business models, such as public-private partnerships. It invests in international venture capital funds to enhance networking and solicit international funding, which may help Finnish enterprises access international trend information and adapt to the international market.
(3) Project funding
For project funding, Sitra provides the on-site information survey (supply of information and view critical to the program), analysis of business activities (analysis of future challenges and opportunities) and research & drafting of strategies (collection and integration of professional information and talents to help decision making), and commissioning of the program (to test new operating model by commissioning to deal with the challenge from social changes). Notwithstanding, please note that Sitra does not invest in academic study programs, research papers or business R&D programs[20].
(4) DIILI Investment Model Integrated With Investment Absorption
A Start-Up usually does not lack technologies (usually, it starts business by virtue of some advanced technology) or a foresighted philosophy when it is initially founded, while it often lacks the key to success, namely marketing ability. Sitra DIILI is dedicated to providing a professional international marketing service to help start-ups gain profit successfully. Because start-ups are usually founded by R&D personnel or research-oriented technicians, who are not specialized in marketing and usually do not retain sufficient funds to employ marketing professionals, DIILI is engaged in providing dedicated marketing talent. Now, it employs about 85 marketing professionals and seeks to become a start-up partner by investing technical services.
Notwithstanding, in light of the characteristics of Sitra’s operation and profitability, some people indicate that it is more similar to a developer of an innovation system than to a neutral operator. Therefore, it is not unlikely to hinder the development of some work which might be less profitable (e.g., establishment of a platform). Further, Sitra customarily develops new investment projects or areas and then founds spin-off companies after developing the projects successfully. The way in which it operates seems incompatible with the development of some industries which require permanent support from the public sector. The other issues, such as INTRO lacking transparency and Sitra's control over investment objectives being likely to result in adverse choice, all arise from Sitra’s consideration of its own investment opportunities and profit while it carries out the mapping. Therefore, some people consider it necessary to move toward a more transparent structure or a non-income-oriented funding structure[21]. Given this, the influence of Sitra’s own income on the upgrading of the national innovation ability when Sitra boosts start-ups to engage in innovation activities remains a disputed concern in the Finnish innovation system.
3. Boosting of Balance in Regional Development and R&D Activities
In order to fulfill the objectives under the Lisbon Treaty and to enable the EU to become the most competitive region in the world, the European Commission claims technical R&D as one of its main policies. Among other things, while the overall policy for upgrading R&D competitiveness has always progressed sluggishly, Finland, a country with a population of 5,300,000, accounting for 1.1% of the population of the 27 EU member states, was identified as the country with the No. 1 innovation R&D ability in the world by the World Economic Forum in 2005. Therefore, the way in which it promotes innovation R&D policies has attracted public attention. Some studies also found that the close relationship between R&D and regional development policies in Finland resulted in the integration of regional policies and innovation policies, which were initially separate from each other, after 1990[22]. Finland has clearly defined the plan to exploit its domestic natural resources and human resources in a balanced and effective manner after World War II. At the very beginning, it expanded the balance of human resources to less-developed regions, in consideration of geopolitics, but in turn, it achieved national balanced development by meeting the needs for a welfare society and mitigation of the rural-urban divide as time went by. The Finnish innovation policies, which can be traced back to technical policies, initially drove R&D by means including the upgrading of education levels, the founding of the Science and Technology Policy Council and Sitra, the establishment of the Academy of Finland (1970) and the establishment of the technical policy scheme, among others. Among other things, people saw the role played by Sitra in Finland’s knowledge-intensive society policy again. From 1991 to 1995, the Finnish Government officially included regional competitiveness among its important policies. The National Industrial Policy for Finland in 1993 adopted the strategy focusing on development based on competitive strength in the regional industrial communities[23].
Also, some studies indicated that in consideration of Finland’s poor financial and natural resources, its national innovation system should concentrate the resources on the R&D objectives which meet the requirements about scale and essence. Therefore, the “Social Innovation, Social and Economic Energy Re-building Learning Society” program boosted by Sitra as the primary promoter in 2002 defined social innovation as “the reform and action plan to enhance the regulations of social functions (law and administration), politics and organizational structure”, namely reform of the mentality and cultural ability via social structural changes that ultimately results in social and economic changes. Notwithstanding, productivity innovation activity still relies on the interaction between enterprises and society. Irrespective of the Finnish Government’s powerful direction in technical R&D activities, in fact, more than two-thirds (69.1%) of the R&D investment in Finland was launched by private enterprises, and even one-third by a single enterprise (i.e., Nokia). At the very beginning of 2000, due to the impact of globalization on Finland’s innovation and regional policies, a lot of R&D activities moved to territories outside Finland[24]. Multiple disadvantageous factors initiated the launch of national resources to R&D again. The most successful example of the integration of regional and innovation policies in Finland is the Centres of Expertise Programme (CEP) boosted by it as of 1990. Until 1994, there have been 22 centres of expertise distributed throughout Finland. The centres were dedicated to integrating local universities, research institutions and enterprises for co-growth. The program to be implemented from 2007 to 2013 planned 21 centres of expertise (13 groups), aiming to promote the corporate sectors’ cooperation and innovation activities. CEP integrated local, regional and national resources and then focused on the businesses designated to be developed[25].
[1] Sitra, http://www.sitra.fi/en (last visited Mar. 10, 2013).
[2] Jari Hyvärinen & Anna-Maija Rautiainen, Measuring additionality and systemic impacts of public research and development funding – the case of TEKES, FINLAND, RESEARCH EVALUATION, 16(3), 205, 208 (2007).
[3] id. at 206-214.
[4] Charles Edquist, Terttu Luukkonen & Markku Sotarauta, Broad-Based Innovation Policy, in EVALUATION OF THE FINNISH NATIONAL INNOVATION SYSTEM – FULL REPORT 11, 25 (Reinhilde Veugelers et al. eds., 2009).
[5] id.
[6] id.
[7] Finnvera is a company specialized in funding Start-Ups, and its business lines include loaning, guarantee, venture capital investment and export credit guarantee, etc. It is a state-run enterprise and Export Credit Agency (ECA) in Finland. Finnvera, http://annualreport2012.finnvera.fi/en/about-finnvera/finnvera-in-brief/ (last visited Mar. 10, 2013).
[8] Markku Maula, Gordon Murray & Mikko Jääskeläinen, MINISTRY OF TRADE AND INDUSTRY, Public Financing of Young Innovation Companies in Finland 32 (2006).
[9] id. at 33.
[10] id. at 41.
[11] Sitra, http://www.sitra.fi/en (last visited Mar. 10, 2013).
[12] Sitra, http://www.sitra.fi/en (last visited Mar. 10, 2013).
[13] The other two were engaged in boosting the regional R&D center and industrial-academy cooperative center programs. Please see Gabriela von Blankenfeld-Enkvist, Malin Brännback, Riitta Söderlund & Marin Petrov, ORGANISATION FOR ECONOMIC CO-OPERATION AND DEVELOPMENT [OECD], OECD Case Study on Innovation: The Finnish Biotechnology Innovation System 15 (2004).
[14] id. at 20.
[15] DIILI service provides sales expertise for SMEs, Sitra, http://www.sitra.fi/en/articles/2005/diili-service-provides-sales-expertise-smes-0 (last visited Mar. 10, 2013).
[16] Maula, Murray & Jääskeläinen, supra note 8 at 41-42.
[17] Corporate investments, Sitra, http://www.sitra.fi/en/corporate-investments (last visited Mar. 10, 2013).
[18] Fund investments, Sitra, http://www.sitra.fi/en/fund-investments (last visited Mar. 10, 2013).
[19] The venture capital funds referred to herein mean the pooled investment made by the owners of venture capital, while whether it exists in the form of fund or others is not discussed herein.
[20] Project funding, Sitra, http://www.sitra.fi/en/project-funding (last visited Mar. 10, 2013).
[21] Maula, Murray & Jääskeläinen, supra note 8 at 42.
[22] Jussi S. Jauhiainen, Regional and Innovation Policies in Finland – Towards Convergence and/or Mismatch? REGIONAL STUDIES, 42(7), 1031, 1032-1033 (2008).
[23] id. at 1036.
[24] id. at 1038.
[25] id. at 1038-1039.
Taiwan Has Passed “Statute of Human Biobank Management” to Maintain Privacy and Improve Medicine Industries

Due to a lack of regulations, divergent opinions abounded about the establishment of Biobanks and the collection of human biological specimens. For example, a researcher in an academic research organization and a hospital-based physician collected biospecimens from native Taiwanese. Although they insisted that the collections were for research only, human rights groups, ethics researchers, and groups for natives’ benefits condemned the collections as an invasion of human rights. Consequently, the Taiwanese government recognized the need for Biobanks regulation.

To investigate the relationship between disease and multiple factors and to proceed with possible prevention, the Legislative Yuan Social Welfare and Healthy Environment Committee passed "the draft statute of human biobank management" through the primary reviewing process on December 30, 2009, and it subsequently passed through the entire three-reading procedure on January 7, 2010. Therefore, medical and research institutes not only can legally set up an optimal gene database for curing particular diseases, but also can legally collect blood samples for database establishment. However, the sample collections are excluded from use for judicial purposes.

Because establishing a large-scale biobank raises fundamental human rights issues, from the viewpoint of biobank management it is essential not only to set up strict ethics regulation as the operational standard, but also to make the legal environment more complete. For instance, the Department of Health, Executive Yuan had committed the earlier planning of the Taiwan biobank establishment to Academia Sinica in 2006, and planned to collect bio-specimens by recruiting volunteers. However, it has been criticized by all circles that this might be considered to violate the Constitution article 8 provision 1 front paragraph, and article 22 rules; moreover, it might also infringe personal liberty or the privacy of bodily information. Therefore, the Executive Yuan passed the draft statute of human biobank management, which was drafted and reviewed by the Department of Health, during the 3152nd meeting on July 16, 2009, to achieve the goal of protecting our nation’s privacy and promoting the development of medical science by managing biomedical research affairs in more effective ways. Currently, the draft statute has passed through the primary review procedure of the Legislative Yuan.

The draft statute has several important points, as follows:
(1) Sample Definition: Types of collected sample include human somatic cells, tissues, body fluids, or other derivatives;
(2) Biobank Establishment: It requires not only to be qualified and permitted, but also to set up an ethical reviewing mechanism to strengthen its management and application;
(3) Sample Collection and Participant Protection: In accordance with the draft statute, bio-specimen collecting should respect the living ethics during the time and refer to the "Medical Law" article 64 provision 1; before sample collection, all related points of attention should be kept in written form, the participant should be notified accordingly, and samples can only be collected with the participant’s consent. Furthermore, it addresses the restricted right of access and how participants’ samples are to be handled upon their death or loss of capacity;
(4) Biobank Management: The safety regulation, obligation of active notification, freedom to withdraw, data destruction, confidentiality and obligation, and handling of termination of operation are stipulated; and
(5) Biobank Application: According to the new draft statute, the biological data cannot be used for other purposes, for example, use of the results in a lawsuit denying a parent-child relationship under the "Civil law", article 1063, provision 2, or under the "Criminal law", article 213, provision 6. This rule not only protects the participants’ bodily information and their right to privacy, but also clearly defines application limits, and sets up a mechanism for internal control and avoidance of conflicts of interest to prevent unnecessary disputes.

Finally, the Department of Health noted that, as many medical studies have shown that the occurrence of diseases is mostly co-effected by various factors such as multiple genes and the living environment, rather than one single gene, developed countries have actively devoted themselves to human biological sample collection for the establishment of their national biobanks. The construction and usage of a large-scale human biobank may raise critical issues such as privacy protection and ethical problems; however, reaching an equilibrium between the promotion of biomedical research and citizens’ privacy will depend highly on cooperation and trust between the public and private sectors.

Taiwan Department of Health Announced the Human Biobanks Information Security Regulation

The field of human biobanks will be governed by the Act of Human Biobanks (“Biobanks Act”) after its promulgation on February 3, 2010 in Taiwan.
According to Article 13 of the Biobanks Act, a biobank owner should establish its directive rules based on the regulation of information security of biobanks announced by the competent authority. Thus the Department of Health announced the draft of the Human Biobanks Information Security Regulation (“Regulation”) for the due process requirement.

According to the Biobanks Act, only government institutes, medical institutes, academic institutes, and research institutes are competent to establish biobanks (Article 4). In terms of the collecting of organisms, the participants should be informed of the relevant matters in a reasonable manner, and the collecting of organisms may be conducted after obtaining the written consent of the participants (Article 6). The related information, including the organisms and their derivatives, is not allowed to be used except for biological and medical research. Beyond all of the above protection of biobank-related information, the most important thing is the safety regulations and directive rules for database administration, lest all the restrictions on biobank owners and on use be in vain. The draft Regulation aims to strengthen the safety of biobank databases and to assure that the data, the systems, the equipment, and the web environment are safe, for the sake of the participants’ rights.

The significant aspects of the draft are described below. First, the regulation should refer to ISO27001, ISO27002 and other official rules. Concerning personnel management, security assessment is required, and database management personnel and researchers may not serve concurrently. In case some tasks are outsourced, the contractor should be responsible for the information security; a nondisclosure agreement and an auditing mechanism are required. The application system, including the anti-virus and firewall programs, should be updated periodically. The biobank database should be physically separated from any internet connection, including the prohibition of transferring information by email or by any other means through the internet. An authorization protocol for access to the biobank should be established and all log files should be preserved for a period. System establishment and maintenance should avoid remote control. In case the database system is physically out of the owner’s control, the authorization of the officer in charge is required. If an information security incident occurs, the biobank owner should contact the competent authority immediately and inform the participants through an adequate channel. The biobank owner should establish an annual security auditing program, and project auditing will be conducted subject to necessity.

To sum up, once the biobank database security regulation is fully established, biobank owners will have sufficient guidance on biobank information security to comply with in the future.
Blockchain and General Data Protection Regulation (GDPR) compliance issues (2019)

I. Brief

Blockchain technology can solve the problem of trust between data demanders and data providers. In other words, in a centralized mode, data demanders can only choose to believe that the centralized platform will not contain false information. However, in the decentralized mode, data isn’t controlled by one individual group or organization[1], and data demanders can directly verify information such as data source, time, and authorization on the blockchain without worrying about the correctness and authenticity of the data. Take “immutability” for example: it conflicts with the right to erasure (also known as the right to be forgotten) in the GDPR. With encryption and one-time pad (OTP) technology, data subjects can have data stored off-chain or modified at any time on a decentralized platform, so the problem that data on the blockchain does not meet the GDPR has gradually faded away.

II. What is GDPR?

The purpose of the EU GDPR is to protect users’ data and to prevent large-scale online platforms or large enterprises from collecting or using users’ data without their permission. Violators will be punished by the EU with up to 20 million Euros (equal to 700 million NT dollars) or 4% of the worldwide annual revenue of the prior financial year. The aim is to promote the free movement of personal data within the European Union, while maintaining an adequate level of data protection. It is a technology-neutral law: it applies to any type of technology that processes personal data. So the question of whether data on the blockchain complies with the GDPR has arisen. Since the blockchain is decentralized, one of the original design goals is to avoid a large amount of centralized data being abused. Blockchain can be divided into permissioned blockchains and permissionless blockchains.
The former can also be called “private chains” or “alliance chains” or “enterprise chains”, which means no one can join the blockchain without consent. The latter can also be called “public chains”, which means that anyone can participate on the chain without obtaining consent. Sometimes, a private chain is not completely decentralized. The demand for the use of blockchain has developed a hybrid of the two types of blockchain, called the “alliance chain”, which not only maintains the privacy of the private chain, but also maintains the characteristics of public chains. The information on the alliance chain will be open and transparent, and this is in conflict with the application of GDPR.

III. How does GDPR apply to blockchain?

First, it should be determined whether the data on the blockchain is personal data protected by GDPR. Second, what are the relationship and respective responsibilities of the data subject, data controller, and data processor? Finally, we discuss the common technical characteristics of blockchain and how GDPR applies to them.

1. Is data on the blockchain personal data protected by GDPR?

First of all, starting from the technical characteristics of the blockchain, blockchain technology is commonly decentralized, anonymous, immutable, trackable and encrypted. The other five major characteristics are immutability, authenticity, transparency, uniqueness, and collective consensus. Further, the blockchain is an open, decentralized ledger technology that can effectively verify and permanently store transactions between two parties in a provable way. It is a distributed database: all users on the chain can access the database and the history record, and can also directly verify transaction records. Each node uses peer-to-peer transmission to upload or transfer information without third-party intermediation, which is the unique “decentralization” feature of the blockchain.
In addition, the node or any user on the chain has a unique and identifiable set of more than 30 alphanumeric addresses, but the user may choose to be anonymous or provide identification, which is also a feature of transparency with pseudonymity[2]; Data on blockchain is irreversibility of records. Once the transaction is recorded and updated on the chain, it is difficult to change and is permanently stored in the database, that is to say, it has the characteristics of “tamper-resistance”[3]. According to Article 4 (1) of the GDPR, “personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Therefore, if data subject cannot be identified by the personal data on the blockchain, that is an anonymous data, excluding the application of GDPR. (1) What is Anonymization? According to Opinion 05/2014 on Anonymization Techniques by Article 29 Data Protection Working Party of the European Union, “anonymization” is a technique applied to personal data in order to achieve irreversible de-identification[4]. And it also said the “Hash function” of blockchain is a pseudonymization technology, the personal data is possible to be re-identified. Therefore it’s not an “anonymization”, the data on the blockchain may still be the personal data stipulated by the GDPR. As the blockchain evolves, it will be possible to develop technologies that are not regulated by GDPR, such as part of the encryption process, which will be able to pass the court or European data protection authorities requirement of anonymization. 
There are also many compliance solutions which use technical in the industry, such as avoiding transaction data stored directly on the chain. 2. International data transmission Furthermore, in accordance with Article 3 of the GDPR, “This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union”.[5] In other words, GDPR applies only when the data on the blockchain is not anonymized, and involves the processing of personal data of EU citizens. 3. Identification of data controllers and data processors Therefore, if the encryption technology involves the public storage of EU citizens' personal data and passes it to a third-party controller, it may be identified as the “data controller” under Article 4 of GDPR, and all nodes and miners of the platform may be deemed as the “co-controller” of the data, and be assumed joint responsibility with the data controller by GDPR. For example, the parties can claim the right to delete data from the data controller. In addition, a blockchain operator may be identified as a “processor”, for example, Backend as a Service (BaaS) products, the third parties provide network infrastructure for users, and let users manage and store personal data. Such Cloud Services Companies provide online services on behalf of customers, do not act as “data controllers”. 
Some commentators believe that in the case of private chains or alliance chains, such as land records transmission, inter-bank customer information sharing, etc., compared to public chain applications: such as cryptocurrencies (Bitcoin for example), is not completely decentralized, and more likely to meet GDPR requirements[6]. For example, in the case of a private chain or alliance chain, it is a closed platform, which contains only a small number of trusted nodes, is more effective in complying with the GDPR rules. 4. Data subject claims In accordance with Article 17 of the GDPR, The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay under some grounds. Off-chain storage technology can help the blockchain industry comply with GDPR rules, allowing offline storage of personal data, or allow trusted nodes to delete the private key of encrypted information, which leaving data that cannot be read and identified on the chain. If the data is in accordance with the definition of anonymization by GDPR, there is no room for GDPR to be applied. IV. Conclusion In summary, it’s seem that the application of blockchain to GDPR may include: (a) being difficulty to identified the data controllers and data processors after the data subject upload their data. (b) the nature of decentralized storage is transnational storage, and Whether the country where the node is located, is meets the “adequacy decision” of Article 45 of the GDPR. If it cannot be met, then it needs to consider whether it conforms to the transfers subject to appropriate safeguards of Article 46, or the derogations for specific situations of Article 49 of the GDPR. Reference: [1] How to Trade Cryptocurrency: A Guide for (Future) Millionaires, https://wikijob.com/trading/cryptocurrency/how-to-trade-cryptocurrency [2] DONNA K. 
HAMMAKER, HEALTH RECORDS AND THE LAW 392 (5TH ED. 2018). [3] Iansiti, Marco, and Karim R. Lakhani, The Truth about Blockchain, Harvard Business Review 95, no. 1 (January-February 2017): 118-125, available at https://hbr.org/2017/01/the-truth-about-blockchain [4] Article 29 Data Protection Working Party, Opinion 05/2014 on Anonymisation Techniques (2014), https://www.pdpjournals.com/docs/88197.pdf [5] Directive 95/46/EC (General Data Protection Regulation), https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN [6] Queen Mary University of London, Are blockchains compatible with data privacy law? https://www.qmul.ac.uk/media/news/2018/hss/are-blockchains-compatible-with-data-privacy-law.html
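
The blockchain article above makes two technical points: a bare hash of an identifier is only pseudonymization because it can be re-identified, and keeping personal data off-chain lets it be erased while the chain stays immutable. The following Python sketch is an added example, not code from the article or from any blockchain project; it contrasts the two designs. The `Ledger` and `OffChainStore` classes, the `ID-nnnn` identifier format and the salted HMAC commitment are assumptions made for illustration, and whether the residual commitment counts as anonymous under GDPR remains the legal question the article raises.

```python
import hashlib
import hmac
import secrets

GENESIS = "0" * 64

class Ledger:
    """Minimal append-only hash chain standing in for an immutable blockchain."""
    def __init__(self):
        self.blocks = []

    def append(self, payload: str) -> None:
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        digest = hashlib.sha256((prev + payload).encode()).hexdigest()
        self.blocks.append({"prev": prev, "payload": payload, "hash": digest})

    def is_intact(self) -> bool:
        prev = GENESIS
        for b in self.blocks:
            expected = hashlib.sha256((prev + b["payload"]).encode()).hexdigest()
            if b["prev"] != prev or b["hash"] != expected:
                return False
            prev = b["hash"]
        return True

def naive_onchain_hash(identifier: str) -> str:
    """Weak design: an unsalted hash of a low-entropy identifier goes on chain."""
    return hashlib.sha256(identifier.encode()).hexdigest()

def reidentify(onchain_value: str, candidates):
    """Anyone who can enumerate the identifier space can reverse the naive hash."""
    for c in candidates:
        if hmac.compare_digest(naive_onchain_hash(c), onchain_value):
            return c
    return None

class OffChainStore:
    """Erasable store holding the personal data and a random per-record salt."""
    def __init__(self):
        self._records = {}

    def put(self, personal_data: bytes) -> str:
        salt = secrets.token_bytes(32)
        commitment = hmac.new(salt, personal_data, hashlib.sha256).hexdigest()
        self._records[commitment] = (salt, personal_data)
        return commitment  # only this value is written to the chain

    def verify(self, commitment: str, personal_data: bytes) -> bool:
        record = self._records.get(commitment)
        if record is None:
            return False  # erased or never stored
        salt, _ = record
        recomputed = hmac.new(salt, personal_data, hashlib.sha256).hexdigest()
        return hmac.compare_digest(recomputed, commitment)

    def erase(self, commitment: str) -> bool:
        """Erasure request: drop data and salt; the chain is not touched."""
        return self._records.pop(commitment, None) is not None

def demo() -> dict:
    subject_id = "ID-4821"                                # constructed identifier
    candidates = [f"ID-{n:04d}" for n in range(10_000)]   # constructed ID space
    ledger, store = Ledger(), OffChainStore()

    ledger.append(naive_onchain_hash(subject_id))         # block 0: weak design
    commitment = store.put(subject_id.encode())
    ledger.append(commitment)                             # block 1: off-chain design

    verified_before = store.verify(commitment, subject_id.encode())
    erased = store.erase(commitment)
    return {
        "naive_reidentified": reidentify(ledger.blocks[0]["payload"], candidates),
        "salted_reidentified": reidentify(ledger.blocks[1]["payload"], candidates),
        "verified_before_erasure": verified_before,
        "erased": erased,
        "verified_after_erasure": store.verify(commitment, subject_id.encode()),
        "ledger_intact": ledger.is_intact(),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```
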
Post Brexit – An Update on the United Kingdom Privacy Regime

2021/9/10

After lengthy talks, on 31 January 2020, the United Kingdom (‘UK’) finally exited the European Union (‘EU’). Then, the UK shifted into a transition period. The UK government was bombarded with questions from all stakeholders. In particular, the data and privacy industry yelled out the loudest – what am I going to do with data flowing from the EU to the UK? Privacy professionals queried – would the UK have a new privacy regime that significantly departs from the General Data Protection Regulation (‘GDPR’)?

Eventually, the UK made a compromise with all stakeholders – the British, the Europeans and the rest of the world – by bridging its privacy laws with the GDPR. On 28 June 2021, the UK obtained an adequacy decision from the EU.[1] This was widely anticipated but also widely known to be delayed, as it was heavily impacted by the aftermath of the invalidation of the US-EU Privacy Shield.[2]

While the rest of the world seems to silently observe the transition undertaken by the UK, post-Brexit changes to the UK’s privacy regime are not only a domestic or regional matter; they are an international matter. Global supply chains and cross-border data flows will be affected, shuffling the global economy into a new order. Therefore, it is crucial for citizens of a digital economy to unpack and understand the current UK privacy regime. This paper intends to give the reader a brief introduction to the current privacy regime of the UK. The author proposes to set out the structure of the UK privacy legislation, and to discuss important privacy topics. This paper only focuses on the general processing regime, which is the regime that is most relevant to general stakeholders.

UK Privacy Legislation

There are two main pieces of privacy legislation in the UK – the Data Protection Act 2018 (‘DPA’) and the United Kingdom General Data Protection Act (‘UK GDPR’). These two acts must be read together in order to form a coherent understanding of the current UK privacy regime.

The UK GDPR is the creature of Brexit. The UK government wanted a smooth transition out of the EU and acknowledged that it needed to preserve the GDPR in its domestic privacy regime to an extent that would allow it to secure an adequacy decision. The UK government also wanted to lessen the impact on private companies. Thus, the UK GDPR was born. It largely aligns closely with the GDPR, supplemented by the DPA.

ICO

The Information Commissioner’s Office (‘ICO’) is the independent authority supervising compliance with privacy laws in the UK. Prior to Brexit, the ICO was the UK’s supervisory authority under the GDPR. A unique feature of the ICO’s powers and functions is that it adopts a notice system. The ICO has power to issue four types of notices: information notices, assessment notices, enforcement notices and penalty notices.[3] The information notice requires controllers or processors to provide information. The ICO must issue an assessment notice before conducting data protection audits. Enforcement is only exercisable by giving an enforcement notice. Administrative fines are only exercisable by giving a penalty notice.

Territorial Application

Section 207(1A) of the DPA states that the DPA applies to any controller or processor established in the UK, regardless of where the processing of personal data takes place. Like the GDPR, the DPA and the UK GDPR have an extraterritorial reach to overseas controllers or processors. The DPA and the UK GDPR apply to overseas controllers or processors who process personal data relating to data subjects in the UK, where the processing activities are related to the offering of goods or services, or the monitoring of data subjects’ behavior.[4]

Transfers of Personal Data to Third Countries

On 28 June 2021, the UK received an adequacy decision from the EU.[5] This means that until 27 June 2025, data can continue to flow freely between the UK and the European Economic Area (‘EEA’).

As for transferring personal data to third countries other than the EU, the UK has similar laws to the GDPR. Both the DPA and the UK GDPR restrict controllers or processors from transferring personal data to third countries. A transfer of personal data to a third country is permitted if it is based on adequacy regulations.[6] An EU adequacy decision is known as ‘adequacy regulations’ under the UK regime.

If there are no adequacy regulations, then a transfer of personal data to a third country will only be permitted if it is covered by appropriate safeguards, including standard data protection clauses, binding corporate rules, codes of conduct, and certifications.[7] The ICO intends to publish UK standard data protection clauses in 2021.[8] In the meantime, the EU has published a new set of standard data protection clauses (‘SCCs’).[9] However, it must be noted that the EU SCCs are not accepted as valid in the UK, and may only be used for reference purposes. It is also worth noting that the UK has approved three certification schemes to assist organizations in demonstrating compliance with data protection laws.[10]

Lawful Bases for Processing

Basically, the lawful bases for processing in the UK regime are the same as in the GDPR. Six lawful bases are set out in article 6 of the UK GDPR. To process personal data, at least one of the following lawful bases must be satisfied:[11]

- The data subject has given consent to the processing;
- The processing is necessary for the performance of a contract;
- The processing is necessary for compliance with a legal obligation;
- The processing is necessary to protect vital interests of an individual – that is, protecting an individual’s life;
- The processing is necessary for the performance of a public task;
- The processing is necessary for the purpose of legitimate interests, unless other interests or fundamental rights and freedoms override those legitimate interests.

Rights & Exemptions

The UK privacy regime, like the GDPR, gives data subjects certain rights. Most of the rights granted under the UK privacy regime are akin to those of the GDPR and can be found in the UK GDPR. Individual rights under the UK privacy regime are closely linked with its exemptions; this may be said to be a unique feature of the UK privacy regime which sets it apart from the GDPR.

Under the DPA and the UK GDPR, there are certain exemptions, meaning organizations are exempted from certain obligations, most of which are associated with individual rights. For example, if data is processed for scientific or historical research purposes, or statistical purposes, organizations are exempted from provisions on the right of access, the right to rectification, the right to restrict processing and the right to object in certain circumstances.[12]

Penalties

The penalty for infringement of the UK GDPR is the amount specified in article 83 of the UK GDPR.[13] If an amount is not specified, the penalty is the standard maximum amount.[14] The standard maximum amount, at the time of writing, is £8,700,000 (around 10 million Euros) or 2% of the undertaking’s total annual worldwide turnover in the preceding financial year.[15] In any other case, the standard maximum amount is £8,700,000 (around 10 million Euros).[16]

Conclusion

The UK privacy regime closely aligns with the GDPR. However, it would be too simple a statement to say that the UK privacy regime is almost identical to the GDPR. The ICO’s unique enforcement powers, exercised through a notice system, are a distinct feature of the UK privacy regime. Recent legal trends show that the UK, while trying to preserve its ties with the EU, is gradually developing an independent privacy persona. The best example is that, in regard to transfers to third countries, the UK has developed its first certification scheme and is attempting to develop its own standard data protection clauses. The UK’s transition out of the EU has certainly been interesting; however, the UK’s transformation from the EU is certainly awaited with awe.

[1] Commission Implementing Decision of 28.6.2021, pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom, C(2021) 4800 final, https://ec.europa.eu/info/sites/default/files/decision_on_the_adequate_protection_of_personal_data_by_the_united_kingdom_-_general_data_protection_regulation_en.pdf.
[2] Judgment of 16 July 2020, Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems, C-311/18, EU:C:2020:559, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62018CJ0311.
[3] Data Protection Act 2018, §115.
[4] Data Protection Act 2018, §207(1A); REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 3.
[5] supra note 1.
[6] Data Protection Act 2018, §17A-18; REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 44-50.
[7] Data Protection Act 2018, §17A-18; REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 46-47.
[8] International transfers after the UK exit from the EU Implementation Period, ICO, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers-after-uk-exit/ (last visited Sep. 10, 2021).
[9] Standard contractual clauses for international transfers, European Commission, https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en (last visited Sep. 10, 2021).
[10] ICO, New certification schemes will “raise the bar” of data protection in children’s privacy, age assurance and asset disposal, ICO, Aug. 19, 2021, https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2021/08/ico-approves-the-first-uk-gdpr-certification-scheme-criteria/ (last visited Sep. 10, 2021).
[11] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 6(1)-(2); Lawful basis for processing, ICO, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/ (last visited Sep. 10, 2021).
[12] Data Protection Act 2018, sch 2, part 6, para 27.
[13] id. at §157.
[14] id.
[15] id.
[16] id.
Suggestions for MOEA Trial Program of Voluntary Base Green Electricity Framework

On March 6, 2014, the Energy Bureau of the Ministry of Economic Affairs published a pre-announcement on a Trial Program of Voluntary Base Green Electricity Framework (hereafter the Trial Program) and consulted public opinion. In light of the content of the Trial Program, STLI provides the following suggestions for future planning of the related policy structure.

The institution of green electricity as established by the Trial Program is one of the policies for promoting renewable energy. Despite its nature as a trial, it is suggested that a policy design with more options would be beneficial to the promotion of renewable energy, in light of the various measures that have been undertaken by different countries.

According to the Trial Program, the planned price rate of the green electricity is set on the basis of the total sum of the electricity subsidy to be paid by the Renewable Energy Development Fund divided by the total sum of electricity generated as reported by Tai Power Company. The Ministry of Economic Affairs will adjust the price rate of the green electricity on the basis of both how many users subscribe to the green electricity and the price rate of the international green electricity market, and then announce the price rate in October of each year if not otherwise designated. In addition, according to the planned Trial Program, the unit for the subscription of green electricity is 100 kW·h. It is further reported that the current planned price rate for green electricity is 1.06 NTD/kW·h, and that it will be 3.95 NTD/kW·h when added to the original price rate, a 37% increase in price per kW·h.

In terms of the existing content of the Trial Program, only a single price rate will be offered during the trial period. In this regard, we take the view that it would be beneficial to take into account similar approaches that have been taken by other countries. In Germany, for instance, the furtherance of renewable energy is achieved by the obligatory charge (EEG Umlage) together with the voluntary green electricity programs provided by the private electricity retail sector. According to the German Ministry of Economics and Energy (BMWi), the electricity price that the German public pays includes three parts: (1) the cost of the purchase and distribution of the electricity, including the margin of the electricity provider; (2) regulated network fees, including those for the operation as well as for the measurement works of the meters; (3) charges imposed by the government, including tax and the abovementioned obligatory charge for renewable energy (EEG Umlage), as prescribed by the Act on Renewable Energy (Gesetz für den Vorrang Erneuerbarer Energien, also known as Erneuerbare-Energien-Gesetz - EEG).

In terms of how it is implemented on the ground, an example of the green electricity price menu programs from the German electricity retail company Vattenfall is given in the following. In all price menu programs provided by Vattenfall in Berlin, for instance, 29.4% of the electricity comes from renewable energy as a result of the implementation of the Act on Renewable Energy. Aside from the abovementioned percentage as facilitated by the existing obligatory measures, the electricity retail companies in Germany further provide price menus that are “greener”. For example, among the options provided by Vattenfall (Chart I), in the 12-month program one can choose the menu which consists of 39.4% renewable energy, at a price of 0.2642 Euro/kW·h (about 10.96 NTD/kW·h). One can also opt for a menu in which the energy supply comes 100% from renewable energy, at a price of 0.281 Euro/kW·h (about 11.66 NTD/kW·h).

Chart I: Green Electricity Price Menus provided by Vattenfall in Berlin, Germany

| Program | Percentage of Renewable Energy Supply | Electricity Price |
| --- | --- | --- |
| 12-month program | 39.4% | 0.2642 Euro/kW·h (about 10.96 NTD/kW·h) |
| All renewable energy program | 100% | 0.281 Euro/kW·h (about 11.66 NTD/kW·h) |

Source: Vattenfall website, translated and reorganized by STLI, April 2014.

In addition, Australia also has similar green electricity programs that are voluntary-based and have the goal of promoting renewable energy, reducing carbon emissions, and transforming the energy economy. Since 1997, GreenPower in Australia has been in charge of the auditing and certification of retail companies and power plants with respect to green electricity. The Australian model uses a certification mechanism conducted by an independent third party to ensure that the green electricity purchased by end users complies with specific standards. As for the options on the price menu, taking the green electricity programs offered by the Australian retail company Origin Energy as an example, users can choose from 6 different programs, which are composed of renewable energy supply of respectively 10%, 20%, 25%, 50%, 75%, and 100%, at various price rates (shown in Chart II).

Chart II: Australian Green Electricity Programs provided by Origin Energy

| Percentage of Renewable Energy | Electricity Price per kW·h |
| --- | --- |
| 0 | 0.268 AUD (about 7.52 NTD) |
| 10% | 0.274868 AUD (about 7.69 NTD) |
| 20% | 0.28006 AUD (about 7.84 NTD) |
| 25% | 0.28292 AUD (about 7.92 NTD) |
| 50% | 0.2838 AUD (about 7.95 NTD) |
| 100% | 0.2992 AUD (about 8.37 NTD) |

Source: Origin Energy website, translated and reorganized by STLI, April 2014.

Given the information above, it can thus be inferred that international mechanisms for the promotion of green electricity often include a variety of price menus, providing the user with more options, such as the two different programs offered by Vattenfall in Germany and the six various rates for green electricity offered by Origin Energy in Australia. It is the suggestion of the present brief that the Trial Program can reference these international examples and try to offer users greater flexibility in choosing the most suitable programs for themselves.