Research on Taiwan’s Policies of Innovative Industry Development in Recent Years (2015-2016)

The Tax Benefit of “Act for Establishment and Administration of Science Parks” and the Relational Norms for Innovation 　　“Act for Establishment and Administration of Science Parks” was promulgated in 1979, and was amended entirely in May 15, 2018, announced in June 6. The title was revised from “Act for Establishment and Administration of Science ‘Industrial’ Parks” to “Act for Establishment and Administration of Science Parks” (it would be called “the Act” in this article). It was a significant transition from traditional manufacture into technological innovation. 　　For encouraging different innovative technology enter into the science park, there is tax benefit in the Act. When the park enterprises import machines, equipment, material and so on from foreign country, the import duties, commodity tax, and business tax shall be exempted; moreover, when the park enterprises export products and services, it will have given favorable business and commodity tax free.[1] Furthermore, the park bureaus also exempt collection of land rent.[2] If they have approval for importing or exporting products, they do not need to apply for permission.[3] In the sub-law, there is also regulations of bonding operation.[4] To sum up, for applying the benefit of the act, enterprises approved for establishment in science parks still require to manufacture products. Such regulations are confined to industrial industry. Innovative companies dedicate in software, big data, or customer service, rarely gain benefits from taxation. 　　In other norms,[5] there are also tax deduction or exemption for developing innovative industries. Based on promoting innovation, the enterprises following the laws of environmental protection, laborers’ safety, food safety and sanitation,[6] or investing in brand-new smart machines for their own utilize,[7] or licensing their intellectual property rights,[8] can deduct from its taxable income. In addition, the research creators from academic or research institutions,[9] or employee,[10] can declare deferral of the income tax payable for the shares distributed. In order to assist new invested innovative enterprises,[11] there are also relational benefit of tax. For upgrading the biotech and new pharmaceuticals enterprises, when they invest in human resource training, research and development, they can have deductible corporate income tax payable.[12] There is also tax favored benefits for small and medium enterprises in using of land, experiment of research, technology stocks, retaining of surplus, and additional employees hiring.[13] The present norms of tax are not only limiting in space or products but also encouraging in “research”. In other word, in each steps of the research of innovation, the enterprises still need to manufacture products from their own technology, fund and human resources. If the government could encourage open innovation with favored taxation, it would strengthen the capability of research and development for innovative enterprises. 　　Supporting the innovation by taxation, the government can achieve the goal of scientific development more quickly and encourage them accepting guidance. “New York State Business Incubator and Innovation Hot Spot Support Act” can be an example, [14]the innovative enterprises accepting the guidance from incubators will have the benefit of tax on “personal income”, “sales and use” and “corporation franchise”. Moreover, focusing on key industries and exemplary cases, there are also the norms of tax exemption and tax abatement in China for promoting the development of technology.[15]The benefit of tax is not only in research but also in “the process of research”. 　　To sum up, the government of Taiwan provides the benefit of tax for advancing the competition of outcomes in market, and for propelling the development of innovation. In order to accelerate the efficiency of scientific research, the government could draw lessons from America and China for enacting the norms about the benefit of tax and the constitution of guidance. [1] The Act §23. [2] Id. §24. [3] Id. §25. [4] Regulations Governing the Bonding Operations in Science Parks. [5] Such as Act for Development of Small and Medium Enterprises, Statute for Industrial Innovation, Act for the Development of Biotech and New Pharmaceuticals Industry. [6] Statute for Industrial Innovation §10. [7] Id. §10-1. [8] Id. §12-1. [9] Id. §12-2. [10] Id. §19-1. [11] Id. §23-1, §23-2, §23-3. [12] Act for the Development of Biotech and New Pharmaceuticals Industry §5, §6, §7. [13] Act for Development of Small and Medium Enterprises Chapter 4: §33 to §36-3. [14] New York State Department of Taxation and Finance Taxpayer Guidance Division, New York State Business Incubator and Innovation Hot Spot Support Act, Technical Memorandum TSB-M-14(1)C, (1)I, (2)S, at 1-6 (March 7, 2014), URL：http://www.wnyincubators.com/content/Innovation%20Hot%20Spot%20Technical%20Memorandum.pdf (last visited：December 18, 2019). [15] Enterprise Income Tax Law of the People’s Republic of China Chapter 4 “Preferential Tax Treatments”: §25 to §36 (2008 revised).

A Preferred Model for Taiwan’s agency level AI risk categorization and management: A Cross-Jurisdictional Perspective 2025/09/15 Taiwan’s draft Artificial Intelligence Basic Law includes a provision allowing each government agency to establish its own risk-based AI management rules tailored to sector-specific regulatory needs[1]. To strike an effective balance between innovation and oversight, selecting an appropriate reference model is essential. After comparing major jurisdictions, this research argues that the United States Office of Management and Budget (OMB) Memorandum M-25-21—Accelerating Federal Use of AI through Innovation, Governance, and Public Trust[2]—offers the most balanced and practical approach for Taiwan’s agencies to refer to at this initial stage of developing AI regulation and promoting AI adoption. This article will first present an overview of the U.S. M-25-21 framework and its key features. It will then explain why the U.S. model is more suitable for Taiwan than those of other jurisdictions. Finally, it will conclude with recommendations for the government. I. Overview of the U.S. M-25-21 Framework Issued in April 2025 under Executive Order 14179, M-25-21 directs federal agencies to accelerate the adoption of artificial intelligence while maintaining a set of minimum safeguards. The memorandum identifies three priorities—innovation, governance, and public trust—and structures AI oversight around these principles. It requires every executive branch agency to designate a Chief AI Officer (CAIO), a senior official empowered to promote AI innovation, maintain a current inventory of AI use cases, and ensure that processes such as determining “high-impact” uses are in place. Rather than imposing a centralized management system, M-25-21 allows each agency to make context-sensitive determinations and to accept or waive risk management requirements. This approach recognizes that agencies vary widely in mission and capacity and are best positioned to understand the potential risks and benefits of AI within their own domains. The memorandum defines high-impact AI as systems whose outputs serve as a principal basis for decisions or actions with legal, material, binding, or significant rights and safety consequences. It offers a non-exhaustive list of presumed high-impact categories, including safety-critical functions of critical infrastructure, traffic management, patient diagnosis, blocking protected speech, and law enforcement applications. If an agency official determines that a specific AI use within these categories does not meet the high-impact definition, they must submit written documentation to notify the CAIO. By tying the definition to the effect of an AI system’s output rather than to a fixed sectoral list, M-25-21 provides a flexible method for identifying high-risk AI applications while preserving room for innovation. II. Key Features of the U.S. M-25-21 Framework A. Minimum Risk Management Practices To ensure protection without creating excessive barriers, M-25-21 specifies a set of minimum risk management practices that each agency must apply when using high-impact AI. Agencies are required to conduct pre-deployment testing under realistic conditions to confirm that AI systems perform as intended and to prepare appropriate risk mitigation plans. Even when agencies lack access to source code or training data, they are expected to use alternative testing methods—such as querying the AI service and observing its outputs—to assess performance and potential risks. Before deploying a high-impact AI system, agencies must complete an AI impact assessment. This assessment must explain the system’s intended purpose and expected benefits, analyze the quality and appropriateness of the data used, and evaluate potential impacts on privacy, civil rights, and civil liberties. It should also include a cost analysis, planned reassessment schedules and procedures, and comments highlighting potential concerns or gaps from an independent reviewer who was not involved in the system’s development. Importantly, the assessment must carry the signature of an accountable official who formally accepts the risk of deploying the AI system. Once deployed, agencies are expected to monitor AI systems continuously for performance drift, security vulnerabilities, or unforeseen adverse effects, and to implement appropriate mitigations and maintain documentation. Human oversight is equally essential: operators must receive specific training to interpret AI outputs, intervene when necessary, and use fail-safes or override mechanisms to minimize the risk of significant harm in high-impact situations. To protect the public, M-25-21 insists that individuals affected by AI-enabled decisions have access to timely human review and opportunities to appeal adverse outcomes. Appeals should not impose unnecessary burdens on individuals or the administration. Furthermore, agencies are expected to seek feedback from end users and the public to inform AI-related decision-making. These combined practices—testing, assessment, independent review, monitoring, human oversight, remedies, and feedback—form a balanced foundation for responsible AI use. The memorandum also requires agencies to safely discontinue any high-impact use cases that fail to comply with the minimum practices. B. Waiver System: Purpose and Conditions A distinctive feature of M-25-21 is its formal system for waivers from the minimum risk management practices. The waiver mechanism exists to reconcile two priorities: ensuring safety and rights protections on the one hand, and enabling innovation and rapid response on the other. Waivers may be considered when following a particular requirement would actually increase risks to safety or rights overall, or when compliance would create an unacceptable impediment to critical agency operations. For example, during a natural disaster or public health emergency, strict adherence to every procedural requirement might delay the deployment of an AI application that could save lives. In such situations, the CAIO may authorize a waiver to permit rapid deployment while still tracking and reassessing the use. Waivers for pilot programs are equally important for encouraging experimentation and innovation. They allow agencies to conduct small-scale, time-limited AI projects without implementing all minimum risk management practices, provided certain conditions are met: the pilot must be certified by the CAIO, centrally tracked, offer opt-in and opt-out options for individual participation, and apply minimum risk management practices where practicable. The memorandum imposes safeguards on this flexibility. Every waiver must be documented with a written determination explaining the reasoning, centrally tracked, and reassessed annually or whenever significant changes to the AI application’s conditions or context occur. CAIOs retain the power to revoke waivers at any time, and agencies must report any granted or revoked waiver to OMB annually and within 30 days of significant modifications. This approach maintains accountability while preventing rigid rules from becoming obstacles to effective governance. C. Disclosure Requirements for High-Impact Use and Waivers M-25-21 strongly emphasizes transparency as a pillar of public trust. Each agency must maintain an inventory of all AI use cases, submit it to OMB, and post a public version on the agency’s website. This inventory should be updated annually and, ideally, throughout the year to reflect the agency’s current use of AI. Transparency ensures that the public, civil society, and oversight bodies can understand where AI is influencing important government decisions without exposing sensitive or classified details. Similarly, agencies must publicly release summaries of each waiver or determination, including the justification, or explicitly indicate when no determinations or waivers are active. By making these summaries visible, the system builds confidence that waivers are granted for legitimate reasons. At the same time, OMB retains the authority to request detailed records concerning exception determinations within presumed high-impact categories. This combination of public disclosure and federal oversight helps maintain trust while safeguarding privacy, national security, and proprietary information. III. Why M-25-21 Stands Out for Taiwan’s AI Governance among Global Approaches Taiwan’s draft AI Basic Law envisions a decentralized system in which each agency determines its own risk classification and management practices[3]. The U.S. framework aligns closely with this philosophy. By empowering agencies to identify high-risk AI use cases tailored to their specific contexts, M-25-21 helps ensure that AI governance remains grounded in operational realities. At the same time, adopting M-25-21’s baseline practices, waiver safeguards, and disclosure requirements would provide consistency and public accountability across agencies. The combination of minimum risk management practices and transparent waiver use would encourage innovation while reassuring the public that any exceptions are justified, continuously monitored, and effectively controlled. Furthermore, embracing an approach that reflects emerging international consensus—particularly the emphasis on transparency in both U.S. and EU regimes—would position Taiwan to harmonize with global AI governance trends and strengthen its credibility in international markets. In contrast, the European Union’s AI Act predefines high-risk categories and mandates strict conformity assessments, CE Marking, and post-market monitoring[4]—an approach that is comprehensive but resource-intensive and may not suit all agencies equally. Australia’s ongoing discussions had been trending toward a similarly comprehensive model, but there has recently been backlash against this approach. Korea’s AI Basic Act[5] references high-risk AI only in broad terms and leaves most operational details undefined. M-25-21 strikes a middle ground, offering minimum yet concrete safeguards while preserving the flexibility agencies need to tailor governance to their specific domains. IV. Recommendations and Conclusion Based on this analysis, this research recommends that each agency designate a senior AI leader similar to a CAIO, maintain a public inventory of high-impact AI use cases, and publish summaries of waivers or determinations while safeguarding sensitive information. Agencies should also be encouraged to share AI resources and lessons learned to reduce duplication and strengthen governance maturity across government. Over time, these risk management practices can be refined in response to operational experience and evolving international standards. By adopting these principles, Taiwan can empower its agencies to innovate responsibly, protect citizens’ rights, and build public trust—ensuring that AI deployment across government remains both effective and aligned with global best practices. [1]〈政院通過「人工智慧基本法」草案 建構AI發展與應用良善環境 打造臺灣成為AI人工智慧島〉，行政院，https://www.ey.gov.tw/Page/9277F759E41CCD91/5d673d1e-f418-47dc-ab35-a06600f77f07（最後瀏覽日期︰2025/09/15）。 [2] United States Office of Management and Budget (OMB), M-25-21 Accelerating Federal Use of AI through Innovation, Governance, and Public Trust, https://www.whitehouse.gov/wp-content/uploads/2025/02/M-25-21-Accelerating-Federal-Use-of-AI-through-Innovation-Governance-and-Public-Trust.pdf (last visited Sept 15, 2025). [3] 蘇文彬，〈行政院通過AI基本法草案，將不設立AI專責機關〉，iThome，https://www.ithome.com.tw/news/170874（最後瀏覽日期︰2025/09/15）。 [4] Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act), https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1689 (last visited Sept 15, 2025). [5] 인공지능발전과신뢰기반조성등에관한기본법안，https://www.law.go.kr/%EB%B2%95%EB%A0%B9/%EC%9D%B8%EA%B3%B5%EC%A7%80%EB%8A%A5%20%EB%B0 %9C%EC%A0%84%EA%B3%BC%20%EC%8B%A0%EB%A2%B0%20%EA%B8%B0%EB%B0%98%20%EC%A1%B0 %EC%84%B1%20%EB%93%B1%EC%97%90%20%EA%B4%80%ED%95%9C%20%EA%B8%B0%EB%B3%B8%EB%B2 %95/(20676,20250121) (last visited Sept 15, 2025).

Blockchain and General Data Protection Regulation (GDPR) compliance issues (2019) I. Brief 　　Blockchain technology can solve the problem of trust between data demanders and data providers. In other words, in a centralized mode, data demanders can only choose to believe that the centralized platform will not contain the false information. However, in the decentralized mode, data isn’t controlled by one individual group or organization[1], data demanders can directly verify information such as data source, time, and authorization on the blockchain without worrying about the correctness and authenticity of the data. 　　Take the “immutable” for example, it is conflict with the right to erase (also known as the right to be forgotten) in the GDPR.With encryption and one-time pad (OTP) technology, data subjects can make data off-chain storaged or modified at any time in a decentralized platform, so the problem that data on blockchain not meet the GDPR regulation has gradually faded away. II. What is GDPR? 　　The purpose of the EU GDPR is to protect user’s data and to prevent large-scale online platforms or large enterprises from collecting or using user’s data without their permission. Violators will be punished by the EU with up to 20 million Euros (equal to 700 million NT dollars) or 4% of the worldwide annual revenue of the prior financial year. 　　The aim is to promote free movement of personal data within the European Union, while maintaining adequate level of data protection. It is a technology-neutral law, any type of technology which is for processing personal data is applicable. 　　So problem about whether the data on blockchain fits GDPR regulation has raise. Since the blockchain is decentralized, one of the original design goals is to avoid a large amount of centralized data being abused. 　　Blockchain can be divided into permissioned blockchains and permissionless blockchains. The former can also be called “private chains” or “alliance chains” or “enterprise chains”, that means no one can join the blockchain without consent. The latter can also be called “public chains”, which means that anyone can participate on chain without obtaining consent. 　　Sometimes, private chain is not completely decentralized. The demand for the use of blockchain has developed a hybrid of two types of blockchain, called “alliance chain”, which not only maintains the privacy of the private chain, but also maintains the characteristics of public chains. The information on the alliance chain will be open and transparent, and it is in conflict with the application of GDPR. III. How to GDPR apply to blockchain ? 　　First, it should be determined whether the data on the blockchain is personal data protected by GDPR. Second, what is the relationship and respective responsibilities of the data subject, data controller, and data processor? Finally, we discuss the common technical characteristics of blockchain and how it is applicable to GDPR. 1. Data on the blockchain is personal data protected by GDPR? 　　First of all, starting from the technical characteristics of the blockchain, blockchain technology is commonly decentralized, anonymous, immutable, trackable and encrypted. The other five major characteristics are immutability, authenticity, transparency, uniqueness, and collective consensus. 　　Further, the blockchain is an open, decentralized ledger technology that can effectively verify and permanently store transactions between two parties, and can be proved. 　　It is a distributed database, all users on the chain can access to the database and the history record, also can directly verify transaction records. Each nodes use peer-to-peer transmission for upload or transfer information without third-party intermediation, which is the unique “decentralization” feature of the blockchain. 　　In addition, the node or any user on the chain has a unique and identifiable set of more than 30 alphanumeric addresses, but the user may choose to be anonymous or provide identification, which is also a feature of transparency with pseudonymity[2]; Data on blockchain is irreversibility of records. Once the transaction is recorded and updated on the chain, it is difficult to change and is permanently stored in the database, that is to say, it has the characteristics of “tamper-resistance”[3]. 　　According to Article 4 (1) of the GDPR, “personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 　　Therefore, if data subject cannot be identified by the personal data on the blockchain, that is an anonymous data, excluding the application of GDPR. (1) What is Anonymization? 　　According to Opinion 05/2014 on Anonymization Techniques by Article 29 Data Protection Working Party of the European Union, “anonymization” is a technique applied to personal data in order to achieve irreversible de-identification[4]. 　　And it also said the “Hash function” of blockchain is a pseudonymization technology, the personal data is possible to be re-identified. Therefore it’s not an “anonymization”, the data on the blockchain may still be the personal data stipulated by the GDPR. 　　As the blockchain evolves, it will be possible to develop technologies that are not regulated by GDPR, such as part of the encryption process, which will be able to pass the court or European data protection authorities requirement of anonymization. There are also many compliance solutions which use technical in the industry, such as avoiding transaction data stored directly on the chain. 2. International data transmission 　　Furthermore, in accordance with Article 3 of the GDPR, “This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union”.[5] 　　In other words, GDPR applies only when the data on the blockchain is not anonymized, and involves the processing of personal data of EU citizens. 3. Identification of data controllers and data processors 　　Therefore, if the encryption technology involves the public storage of EU citizens' personal data and passes it to a third-party controller, it may be identified as the “data controller” under Article 4 of GDPR, and all nodes and miners of the platform may be deemed as the “co-controller” of the data, and be assumed joint responsibility with the data controller by GDPR. For example, the parties can claim the right to delete data from the data controller. 　　In addition, a blockchain operator may be identified as a “processor”, for example, Backend as a Service (BaaS) products, the third parties provide network infrastructure for users, and let users manage and store personal data. Such Cloud Services Companies provide online services on behalf of customers, do not act as “data controllers”. Some commentators believe that in the case of private chains or alliance chains, such as land records transmission, inter-bank customer information sharing, etc., compared to public chain applications: such as cryptocurrencies (Bitcoin for example), is not completely decentralized, and more likely to meet GDPR requirements[6]. For example, in the case of a private chain or alliance chain, it is a closed platform, which contains only a small number of trusted nodes, is more effective in complying with the GDPR rules. 4. Data subject claims 　　In accordance with Article 17 of the GDPR, The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay under some grounds. 　　Off-chain storage technology can help the blockchain industry comply with GDPR rules, allowing offline storage of personal data, or allow trusted nodes to delete the private key of encrypted information, which leaving data that cannot be read and identified on the chain. If the data is in accordance with the definition of anonymization by GDPR, there is no room for GDPR to be applied. IV. Conclusion 　　In summary, it’s seem that the application of blockchain to GDPR may include: (a) being difficulty to identified the data controllers and data processors after the data subject upload their data. (b) the nature of decentralized storage is transnational storage, and Whether the country where the node is located, is meets the “adequacy decision” of Article 45 of the GDPR. 　　If it cannot be met, then it needs to consider whether it conforms to the transfers subject to appropriate safeguards of Article 46, or the derogations for specific situations of Article 49 of the GDPR. Reference: [1] How to Trade Cryptocurrency: A Guide for (Future) Millionaires, https://wikijob.com/trading/cryptocurrency/how-to-trade-cryptocurrency [2] DONNA K. HAMMAKER, HEALTH RECORDS AND THE LAW 392 (5TH ED. 2018). [3] Iansiti, Marco, and Karim R. Lakhani, The Truth about Blockchain, Harvard Business Review 95, no. 1 (January-February 2017): 118-125, available at https://hbr.org/2017/01/the-truth-about-blockchain [4] Article 29 Data Protection Working Party, Opinion 05/2014 on Anonymisation Techniques (2014), https://www.pdpjournals.com/docs/88197.pdf [5] Directive 95/46/EC (General Data Protection Regulation), https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN [6] Queen Mary University of London, Are blockchains compatible with data privacy law? https://www.qmul.ac.uk/media/news/2018/hss/are-blockchains-compatible-with-data-privacy-law.html

Recognized that Research infrastructures (RIs) are at the centre of the knowledge triangle of research, education and innovation and play an increasingly important role in the advancement of knowledge and technology, the EU began to finance for the establishments of RIs by its Framework Programmes (FPs) since the start of FP2 of 1987. On the other hand, the EU also assigned the European Strategy Forum on Research Infrastructures (ESFRI) to develop a coherent and strategy-led approach to policy-making on RIs between Member States and to facilitate the better use and development of RIs at EU and international level. Based on those efforts, the European Commission understood that a major difficulty in setting up RIs between EU countries is the lack of an adequate legal framework allowing the creation of appropriate partnerships and proposed a legal framework for a European research infrastructure adapted to the needs of such facilities. The new legal framework for a European Research Infrastructure Consortium (ERIC) entered into force on 28 August 2009. An successfully-set-up ERIC will have the legal personality based on EU law, and can benefit from exemptions from VAT and excise duty in all EU Member States and may adopt its own procurement procedures to get rid of the EU's public procurement procedures. It is predicted that the Biobanking and Biomolecular Resources Research Infrastructure (BBMRI) will apply to become a BBMRI-ERIC in the near future. The EU also seeks to lead in Energy, Food and Biology through the reforms of ERICs to assist the high quality of activities of European scientists and attract the best researchers from around the world. Besides, in order to connect the knowledge triangle effectively, the European Commission also established the European Institute of Innovation and Technology (EIT) on March 2008. It hopes through the research development partnership network to gather all the advantages from the science and technology chains of multiple areas, and make an effort for the strategy of EU innovation development jointly；Meanwhile, extends its roadmap to the objectives and practices of the Knowledge and Innovation Communities (KICs) of the EIT. Contrast with the EU's advance, it is necessary to our government to concentrate and contemplate whether it is the time to reconsider if our existing legal instruments available to domestic research facilities and infrastructures are sufficient enough to reach our science and technology development goals.