The use of automated facial recognition technology and supervision mechanism in UK

The use of automated facial recognition technology and supervision mechanism in UK

I. Introduction

  Automatic facial recognition (AFR) technology has developed rapidly in recent years, and it can identify target people in a short time. The UK Home Office announced the "Biometrics Strategy" on June 28, 2018, saying that AFR technology will be introduced in the law enforcement, and the Home Office will also actively cooperate with other agencies to establish a new oversight and advisory board in order to maintain public trust. AFR technology can improve law enforcement work, but its use will increase the risk of intruding into individual liberty and privacy.

  This article focuses on the application of AFR technology proposed by the UK Home Office. The first part of this article describes the use of AFR technology by the police. The second part focuses on the supervision mechanism proposed by the Home Office in the Biometrics Strategy. However, because the use of AFR technology is still controversial, this article will sort out the key issues of follow-up development through the opinions of the public and private sectors. The overview of the discussion of AFR technology used by police agencies would be helpful for further policy formulation.

II. Overview of the strategy of AFR technology used by the UK police

  According to the Home Office’s Biometrics Strategy, the AFR technology will be used in law enforcement, passports and immigration and national security to protect the public and make these public services more efficient[1]. Since 2017 the UK police have worked with tech companies in testing the AFR technology, at public events like Notting Hill Carnival or big football matches[2].

  In practice, AFR technology is deployed with mobile or fixed camera systems. When a face image is captured through the camera, it is passed to the recognition software for identification in real time. Then, the AFR system will process if there is a ‘match’ and the alarm would solicit an operator’s attention to verify the match and execute the appropriate action[3]. For example, South Wales Police have used AFR system to compare images of people in crowds attending events with pre-determined watch lists of suspected mobile phone thieves[4]. In the future, the police may also compare potential suspects against images from closed-circuit television cameras (CCTV) or mobile phone footage for evidential and investigatory purposes[5].

  The AFR system may use as tools of crime prevention, more than as a form of crime detection[6]. However, the uses of AFR technology are seen as dangerous and intrusive by the UK public[7]. For one thing, it could cause serious harm to democracy and human rights if the police agency misuses AFR technology. For another, it could have a chilling effect on civil society and people may keep self-censoring lawful behavior under constant surveillance[8].

III. The supervision mechanism of AFR technology

  To maintaining public trust, there must be a supervision mechanism to oversight the use of AFR technology in law enforcement. The UK Home Office indicates that the use of AFR technology is governed by a number of codes of practice including Police and Criminal Evidence Act 1984, Surveillance Camera Code of Practice and the Information Commissioner’s Office (ICO)’s Code of Practice for surveillance cameras[9].

(I) Police and Criminal Evidence Act 1984

  The Police and Criminal Evidence Act (PACE) 1984 lays down police powers to obtain and use biometric data, such as collecting DNA and fingerprints from people arrested for a recordable offence. The PACE allows law enforcement agencies proceeding identification to find out people related to crime for criminal and national security purposes. Therefore, for the investigation, detection and prevention tasks related to crime and terrorist activities, the police can collect the facial image of the suspect, which can also be interpreted as the scope of authorization of the  PACE.

(II) Surveillance Camera Code of Practice

  The use of CCTV in public places has interfered with the rights of the people, so the Protection of Freedoms Act 2012 requires the establishment of an independent Surveillance Camera Commissioner (SCC) for supervision. The Surveillance Camera Code of Practice  proposed by the SCC sets out 12 principles for guiding the operation and use of surveillance camera systems. The 12 guiding principles are as follows[10]:

A. Use of a surveillance camera system must always be for a specified purpose which is in pursuit of a legitimate aim and necessary to meet an identified pressing need.

B. The use of a surveillance camera system must take into account its effect on individuals and their privacy, with regular reviews to ensure its use remains justified.

C. There must be as much transparency in the use of a surveillance camera system as possible, including a published contact point for access to information and complaints.

D. There must be clear responsibility and accountability for all surveillance camera system activities including images and information collected, held and used.

E. Clear rules, policies and procedures must be in place before a surveillance camera system is used, and these must be communicated to all who need to comply with them.

F. No more images and information should be stored than that which is strictly required for the stated purpose of a surveillance camera system, and such images and information should be deleted once their purposes have been discharged.

G. Access to retained images and information should be restricted and there must be clearly defined rules on who can gain access and for what purpose such access is granted; the disclosure of images and information should only take place when it is necessary for such a purpose or for law enforcement purposes.

H. Surveillance camera system operators should consider any approved operational, technical and competency standards relevant to a system and its purpose and work to meet and maintain those standards.

I. Surveillance camera system images and information should be subject to appropriate security measures to safeguard against unauthorised access and use.

J. There should be effective review and audit mechanisms to ensure legal requirements, policies and standards are complied with in practice, and regular reports should be published.

K. When the use of a surveillance camera system is in pursuit of a legitimate aim, and there is a pressing need for its use, it should then be used in the most effective way to support public safety and law enforcement with the aim of processing images and information of evidential value.

L. Any information used to support a surveillance camera system which compares against a reference database for matching purposes should be accurate and kept up to date.

(III) ICO’s Code of Practice for surveillance cameras

  It must need to pay attention to the personal data and privacy protection during the use of surveillance camera systems and AFR technology. The ICO issued its Code of Practice for surveillance cameras under the Data Protection Act 1998 to explain the legal requirements operators of surveillance cameras. The key points of ICO’s Code of Practice for surveillance cameras are summarized as follows[11]:

A. The use time of the surveillance camera systems should be carefully evaluated and adjusted. It is recommended to regularly evaluate whether it is necessary and proportionate to continue using it.

B. A police force should ensure an effective administration of surveillance camera systems deciding who has responsibility for the control of personal information, what is to be recorded, how the information should be used and to whom it may be disclosed.

C. Recorded material should be stored in a safe way to ensure that personal information can be used effectively for its intended purpose. In addition, the information may be considered to be encrypted if necessary.

D. Disclosure of information from surveillance systems must be controlled and consistent with the purposes for which the system was established.

E. Individuals whose information is recoded have a right to be provided with that information or view that information. The ICO recommends that information must be provided promptly and within no longer than 40 calendar days of receiving a request.

F. The minimum and maximum retention periods of recoded material is not prescribed in the Data Protection Act 1998, but it should not be kept for longer than is necessary and should be the shortest period necessary to serve the purposes for which the system was established.

(IV) A new oversight and advisory board

  In addition to the aforementioned regulations and guidance, the UK Home Office mentioned that it will work closely with related authorities, including ICO, SCC, Biometrics Commissioner (BC), and Forensic Science Regulator (FSR) to establish a new oversight and advisory board to coordinate consideration of law enforcement’s use of facial images and facial recognition systems[12].

  To sum up, it is estimated that the use of AFR technology by law enforcement has been abided by existing regulations and guidance. Firstly, surveillance camera systems must be used on the purposes for which the system was established. Secondly, clear responsibility and accountability mechanisms should be ensured. Thirdly, individuals whose information is recoded have the right to request access to relevant information. In the future, the new oversight and advisory board will be asked to consider issues relating to law enforcement’s use of AFR technology with greater transparency.

IV. Follow-up key issues for the use of AFR technology

  Regarding to the UK Home Office’s Biometrics Strategy, members of independent agencies such as ICO, BC, SCC, as well as civil society, believe that there are still many deficiencies, the relevant discussions are summarized as follows:

(I) The necessity of using AFR technology

  Elizabeth Denham, ICO Commissioner, called for looking at the use of AFR technology carefully, because AFR is an intrusive technology and can increase the risk of intruding into our privacy. Therefore, for the use of AFR technology to be legal, the UK police must have clear evidence to demonstrate that the use of AFR technology in public space is effective in resolving the problem that it aims to address[13].

  The Home Office has pledged to undertake Data Protection Impact Assessments (DPIAs) before introducing AFR technology, including the purpose and legal basis, the framework applies to the organization using the biometrics, the necessity and proportionality and so on.

(II)The limitations of using facial image data

  The UK police can collect, process and use personal data based on the need for crime prevention, investigation and prosecution. In order to secure the use of biometric information, the BC was established under the Protection of Freedoms Act 2012. The mission of the BC is to regulate the use of biometric information, provide protection from disproportionate enforcement action, and limit the application of surveillance and counter-terrorism powers.

  However, the BC’s powers do not presently extend to other forms of biometric information other than DNA or fingerprints[14]. The BC has expressed concern that while the use of biometric data may well be in the public interest for law enforcement purposes and to support other government functions, the public benefit must be balanced against loss of privacy. Hence, legislation should be carried to decide that crucial question, instead of depending on the BC’s case feedback[15].

  Because biometric data is especially sensitive and most intrusive of individual privacy, it seems that a governance framework should be required and will make decisions of the use of facial images by the police.

(III) Database management and transparency

  For the application of AFR technology, the scope of biometric database is a dispute issue in the UK. It is worth mentioning that the British people feel distrust of the criminal database held by the police. When someone is arrested and detained by the police, the police will take photos of the suspect’s face. However, unlike fingerprints and DNA, even if the person is not sued, their facial images are not automatically deleted from the police biometric database[16].

  South Wales Police have used AFR technology to compare facial images of people in crowds attending major public events with pre-determined watch lists of suspected mobile phone thieves in the AFR field test. Although the watch lists are created for time-limited and specific purposes, the inclusion of suspects who could possibly be innocent people still causes public panic.

  Elizabeth Denham warned that there should be a transparency system about retaining facial images of those arrested but not charged for certain offences[17]. Therefore, in the future the UK Home Office may need to establish a transparent system of AFR biometric database and related supervision mechanism.

(IV) Accuracy and identification errors

  In addition to worrying about infringing personal privacy, the low accuracy of AFR technology is another reason many people oppose the use of AFR technology by police agencies. Silkie Carlo, director of Big Brother Watch, said the police must immediately stop using the AFR technology and avoid mistaking thousands of innocent citizens as criminals; Paul Wiles, Biometrics Commissioner, also called for legislation to manage AFR technology because of its accuracy is too low and the use of AFR technology should be tested and passed external peer review[18].

  In the Home Office’s Biometric Strategy, the scientific quality standards for AFR technology will be established jointly with the FSR, an independent agency under the Home Office. In other words, the Home Office plans to extend the existing forensics science regime to regulate AFR technology.

  Therefore, the FSR has worked with the SCC to develop standards relevant to digital forensics. The UK government has not yet seen specific standards for regulating the accuracy of AFR technology at the present stage.

V. Conclusion

  From the discussion of the public and private sectors in the UK, we can summarize some rules for the use of AFR technology. Firstly, before the application of AFR technology, it is necessary to complete the pre-assessment to ensure the benefits to the whole society. Secondly, there is the possibility of identifying errors in AFR technology. Therefore, in order to maintain the confidence and trust of the people, the relevant scientific standards should be set up first to test the system accuracy. Thirdly, the AFR system should be regarded as an assisting tool for police enforcement in the initial stage. In other words, the information analyzed by the AFR system should still be judged by law enforcement officials, and the police officers should take the responsibilities.

  In order to balance the protection of public interest and basic human rights, the use of biometric data in the AFR technology should be regulated by a special law other than the regulations of surveillance camera and data protection. The scope of the identification database is also a key point, and it may need legislators’ approval to collect and store the facial image data of innocent people. Last but not least, the use of the AFR system should be transparent and the victims of human rights violations can seek appeal.


[1] UK Home Office, Biometrics Strategy, Jun. 28, 2018, https://www.gov.uk/government/publications/home-office-biometrics-strategy (last visited Aug. 09, 2018), at 7.

[2] Big Brother Watch, FACE OFF CAMPAIGN: STOP THE MET POLICE USING AUTHORITARIAN FACIAL RECOGNITION CAMERAS, https://bigbrotherwatch.org.uk/all-campaigns/face-off-campaign/ (last visited Aug. 16, 2018).

[3] Lucas Introna & David Wood, Picturing algorithmic surveillance: the politics of facial recognition systems, Surveillance & Society, 2(2/3), 177-198 (2004).

[4] Supra note 1, at 12.

[5] Id, at 25.

[6] Michael Bromby, Computerised Facial Recognition Systems: The Surrounding Legal Problems (Sep. 2006)(LL.M Dissertation Faculty of Law University of Edinburgh), http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.197.7339&rep=rep1&type=pdf , at 3.

[7] Owen Bowcott, Police face legal action over use of facial recognition cameras, The Guardian, Jun. 14, 2018, https://www.theguardian.com/technology/2018/jun/14/police-face-legal-action-over-use-of-facial-recognition-cameras (last visited Aug. 09, 2018).

[8] Martha Spurrier, Facial recognition is not just useless. In police hands, it is dangerous, The Guardian, May 16, 2018, https://www.theguardian.com/commentisfree/2018/may/16/facial-recognition-useless-police-dangerous-met-inaccurate (last visited Aug. 17, 2018).

[9] Supra note 1, at 12.

[10] Surveillance Camera Commissioner, Surveillance camera code of practice, Oct. 28, 2014, https://www.gov.uk/government/publications/surveillance-camera-code-of-practice (last visited Aug. 17, 2018).

[11] UK Information Commissioner’s Office, In the picture: A data protection code of practice for surveillance cameras and personal information, Jun. 09, 2017, https://ico.org.uk/for-organisations/guide-to-data-protection/encryption/scenarios/cctv/ (last visited Aug. 10, 2018).

[12] Supra note 1, at 13.

[13] Elizabeth Denham, Blog: facial recognition technology and law enforcement, Information Commissioner's Office, May 14, 2018, https://ico.org.uk/about-the-ico/news-and-events/blog-facial-recognition-technology-and-law-enforcement/ (last visited Aug. 14, 2018).

[14] Monique Mann & Marcus Smith, Automated Facial Recognition Technology: Recent Developments and Approaches to Oversight, Automated Facial Recognition Technology, 10(1), 140 (2017).

[15] Biometrics Commissioner, Biometrics Commissioner’s response to the Home Office Biometrics Strategy, Jun. 28, 2018, https://www.gov.uk/government/news/biometrics-commissioners-response-to-the-home-office-biometrics-strategy (last visited Aug. 15, 2018).

[16] Supra note 2.

[17] Supra note 13.

[18] Jon Sharman, Metropolitan Police's facial recognition technology 98% inaccurate, figures show, INDEPENDENT, May 13, 2018, https://www.independent.co.uk/news/uk/home-news/met-police-facial-recognition-success-south-wales-trial-home-office-false-positive-a8345036.html (last visited Aug. 09, 2018).

Links
Download
※The use of automated facial recognition technology and supervision mechanism in UK,STLI, https://stli.iii.org.tw/en/article-detail.aspx?no=105&tp=2&i=168&d=8347 (Date:2024/03/04)
Quote this paper
You may be interested
Brief Introduction to Taiwan Social Innovation Policies

Brief Introduction to Taiwan Social Innovation Policies 2021/09/13 1. Introduction   The Millennium Development Goals (MDGs)[1] set forth by the United Nations in 2000 are carried out primarily by nations and international organizations. Subsequently, the Sustainable Development Goals (SDGs) set forth by the United Nations in 2015 started to delegate the functions to organizations of all levels. Presently, there is a global awareness of the importance of balancing “economic growth”, “social progress”, and “environmental protection” simultaneously during development. In the above context, many similar concepts have arisen worldwide, including social/solidarity economy, social entrepreneurship and social enterprise, and social innovation.   Generally, social innovation aims to alter the interactions between various groups in society through innovative applications of technology or business models, and to find new ways to solve social problems through such alterations. In other words, the goal is to use innovative methods to solve social problems.The difference between social innovation and social enterprise is that social enterprise combines commercial power to achieve its social mission under a specific perspective, while social innovation creates social value through cooperation with and coordination among technology, resources, and communities under a diversified nature. 2. Overview of Taiwan Social Enterprise Policy   To integrate into the global community and assist in the development of domestic social innovation, Taiwan’s Executive Yuan launched the “Social Enterprise Action Plan” in 2014, which is the first policy initiative to support social enterprises (from 2014 to 2016).Under this policy initiative, through consulting with various ministries and applying methods such as “amending regulations”, “building platforms”, and “raising funds”, the initiative set to create an environment with favorable conditions for social innovation and start-ups. At this stage, the initiative was adopted under the principle of “administrative guidance before legislation” in order to encourage private enterprise development without excessive burden, and avoid regulations restricting the development of social enterprises, such as excessive definition of social enterprises. Moreover, for preserving the original types of these enterprises, this Action Plan did not limit the types of social enterprises to companies, non-profit organizations, or other specific types of organizations.   To sustain the purpose of the Social Enterprise Action Plan and to echo and reflect the 17 sustainable development goals proposed in SDGs by the United Nations, the Executive Yuan launched the “Social Innovation Action Plan” (effective from 2018 to 2022) in 2018 to establish a friendly development environment for social innovation and to develop diversified social innovation models through the concept of “openness, gathering, practicality, and sustainability”.In this Action Plan, “social innovation” referred to “social innovation organizations” that solve social problems through technology or innovative business models. The balancing of the three managerial goals of society, environment value, and profitability is the best demonstration of the concept of social innovation. 3. Government’s Relevant Social Enterprise Policy and Resources   The ministries of the Taiwan Government have been promoting relevant policies in accordance with the Social Innovation Action Plan issued by the Executive Yuan in 2018, such as the “Registration System for Social Innovation Enterprises” (counseling of social enterprises), the “Buying Power - Social Innovation Products and Services Procurement”, the “Social Innovation Platform” established by the Ministry of Economic Affairs, the “Social Innovation Manager Training Courses”, the “Promoting Social Innovation and Employment Opportunities” administered by the Ministry of Labor, and the “University Social Responsibility Program” published by the Ministry of Education. Among the above policies stands out the measures adopted by the Ministry of Economic Affairs, and a brief introduction of those policies are as follows: i. Social Innovation Platform   To connect all resources involved in social issues to promote social innovation development in Taiwan, the Ministry of Economic Affairs established the “Social Innovation Platform”.[2] With visibility through the Social Innovation Platform, it has become more efficient to search for targets in a public and transparent way and to assist with the input of resources originally belonging to different fields in order to expand social influence.   As a digital platform gathering “social innovation issues in Taiwan,” the Social Innovation Platform covers multiple and complete social innovation resources, which include the “SDGs Map” constructed on the Social Innovation Platform, by which we can better understand how county and city governments in Taiwan implement SDGs and Voluntary Local Review Reports, and which allow us to search the Social Innovation Database[3] and the registered organizations, by which citizens, enterprises, organizations, and even local governments concerned with local development can find their partners expediently as possible, establish service lines to proactively assist public or private entities with their needs/resources, and continue to enable the regional revitalization organizations, ministries, and enterprises to identify and put forward their needs for social innovation through the function of “Social Innovation Proposals”, which assist social innovation organizations with visibility while advancing cooperation and expanding social influence.   In addition, the “Event Page” was established on the Social Innovation Platform and offers functions, such as the publishing, searching, and sorting of events in four major dimensions with respect to social innovation organization, governments, enterprises, and citizens; and encourages citizens, social innovation organizations, enterprises, and governments to devote themselves via open participation to continuously expande the influence of the (Civic Technology) Social Innovation Platform. The “Corporate Social Responsibility Report” collects the corporate social responsibility reports, observes the distribution of resources for sustainable development by corporations in Taiwan, offers filtering functions by regions, keyword, popular rankings, and or SDGs types, and provides contact information and a download function for previous years’ reports, in order to effectively assist social innovation organizations to obtain a more precise understanding of the status quo, needs, and trends with respect to their development of respective products and services. Figure 1: SDGs Map Reference: Social Innovation Platform (https://si.taiwan.gov.tw/) Figure 2: Social Innovation Database Reference: Social Innovation Platform (https://si.taiwan.gov.tw/) Figure 3: Social Innovation Proposals Reference: Social Innovation Platform (https://si.taiwan.gov.tw/) Figure 4: Event Page Reference: Social Innovation Platform (https://si.taiwan.gov.tw/) Figure 5: Corporate Social Responsibility Report Reference: Social Innovation Platform (https://si.taiwan.gov.tw/) ii. Social Innovation Database   To encourage social innovation organizations to disclose their social missions, products and services, and to guide society to understand the content of social innovation, and to assist the administrative ministries to be able to utilize such information, the Ministry of Economic Affairs issued the “Principles of Registration of Social Innovation Organizations” to establish the “Social Innovation Database”.   Once a social innovation organization discloses the items, such as its social missions, business model, or social influence, it may obtain the relevant promotional assistance resources, including becoming a trade partner with Buying Power (Social Innovation Products and Services Procurement), receiving exclusive consultation and assistance from professionals for social innovation organizations, and becoming qualified to apply to entering into the Social Innovation Lab.Moreover, the Ministry of Economic Affairs is simultaneously consolidating, identifying, and designating the awards and grants offered by the various ministries, policies and measures in respect of investment, and financing and assistance, as resources made available to registered entities.   As of 25 May 2021, there were 658 registered social innovation organizations and 96 Social Innovation Partners (enterprises with CSR or ESG resources that recognize the cooperation with social innovation under the social innovation thinking model may be registered as a “Social Innovation Partner”).The public and enterprises can search for organizations registered in the Social Innovation Database through the above-said Social Innovation Platform, the search ability of which advances the exposure of and the opportunities for cooperation with social innovation organizations. Figure 6: Numbers of registered social innovation organizations and accumulated value of purchases under Buying Power Reference: Social Innovation Platform(https://si.taiwan.gov.tw/) iii. Buying Power - Social Innovation Products and Services Procurement   In order to continue increasing the awareness on social innovation organizations and related issues and promote responsible consumption and production in Taiwan, as well as to raise the attention of the commercial sector to the sustainability-driven procurement models, the Ministry of Economic Affairs held the first “Buying Power - Social Innovation Products and Services Procurement” event in 2017. Through the award system under the Buying Power, it continues to encourage the governments, state-owned enterprises, private enterprises, and organizations to take the lead in purchasing products or services from social innovation organizations, to provide the relevant resources so as to assist social innovation organizations to obtain resources and to explore business opportunities in the markets, to practice responsible consumption and production, and to promote innovative cooperation between all industries and commerce and social innovation organizations.   The aim of the implementation of the Buying Power is to encourage the central and local governments, state-owned enterprises, private enterprises, and non-governmental organizations to purchase products or services from organizations registered in the Social Innovation Database, while prizes will be awarded based on the purchase amounts accumulated during the calculation period. The winners can obtain priority in applying for membership in the Social Innovation Partner Group, with corresponding member services, in the future.   Under the Social Innovation Platform, both the amount of purchase awards and the number of applicants for special awards continue to increase.So far, purchases have accumulated to a value of more than NT$1.1 billion (see Figure 6), and more than 300 organizations have proactively participated. iv. Social Innovation Mark   In order to promote public awareness of social innovation, the Ministry of Economic Affairs has been charged with the commissioned task of promoting the Social Innovation Mark, and issued “ The Small and Medium Enterprise Administration of the Ministry of Economic Affairs Directions for Authorization of the Social Innovation Mark” as the standard for the authorization of the Social Innovation Mark. Social innovation organizations can use the Mark, through obtaining authorization, to hold Social Innovation Summits or other social innovation activities for promoting social innovation concepts.   In order to build the Mark as a conceptual symbol of social innovation, the Ministry of Economic Affairs has been using the Social Innovation Mark in connection with various social innovation activities, such as the Social Innovation Platform, the Buying Power, and the annual Social Innovation Summit. Taking the selection of sponsors of the Social Innovation Summit in 2022 as an example[4], only organizations that have obtained authorization of the Social Innovation Mark can use the Mark to hold the Social Innovation Summit. Figure 7: The Social Innovation Mark of the Small and Medium Enterprise Administration, Ministry of Economic Affairs IV. Conclusion   The “Organization for Economic Cooperation and Development” (OECD) regards social innovation as a new strategy for solving future social problems and as an important method for youth entrepreneurship and social enterprise development.Taiwan’s social innovation energy has entered a stage of expansion and development. Through the promotion of the “Social Innovation Action Plan,” the resources from the central and local governments are integrated to establish the Social Innovation Platform, the Social Innovation Database, the Social Innovation Lab, and the Social Innovation Mark. In addition, incentives such as the Buying Power have been created, manifesting the positive influence of Taiwan’s social innovation. [1] MDGs are put forward by the United Nations in 2000, and are also the goals requiring all the 191 member states and at least 22 international organizations of the United Nations to be committed to on their best endeavors, including: 1. eradicating extreme poverty and hunger, 2. applying universal primary education, 3. promoting gender equality and empowering women, 4. reducing child mortality rates, 5. improving maternal health, 6. combatting HIV/AIDS, malaria, and other diseases, 7. ensuring environmental sustainability, and 8. establishing a global partnership for development. [2] Please refer to the Social Innovation Platform: https://si.taiwan.gov.tw/. [3] Please refer to the Social Innovation Database: https://si.taiwan.gov.tw/Home/Org_list. [4] Please refer to the guidelines for the selection of sponsors of the 2022 Social Innovation Summit: https://www.moeasmea.gov.tw/files/6221/4753E497-B422-4303-A8D4-35AE0B4043A9

Post Brexit – An Update on the United Kingdom Privacy Regime

Post Brexit – An Update on the United Kingdom Privacy Regime 2021/9/10   After lengthy talks, on 31 January 2020, the United Kingdom (‘UK’) finally exited the European Union (‘EU’). Then, the UK shifted into a transition period. The UK government was bombarded with questions from all stakeholders. In particular, the data and privacy industry yelled out the loudest – what am I going to do with data flowing from the EU to the UK? Privacy professionals queried – would the UK have a new privacy regime that significantly departs from the General Data Protection Regulation (‘GDPR’)? Eventually, the UK made a compromise with all stakeholders – the British, the Europeans and the rest of the world – by bridging its privacy laws with the GDPR. On 28 June 2021, the UK obtained an adequacy decision from the EU.[1] This was widely anticipated but also widely known to be delayed, as it was heavily impacted by the aftermaths of the invalidation of the US- EU Privacy Shield.[2]   While the rest of the world seems to silently observe the transition undertaken by the UK, post-Brexit changes to the UK’s privacy regime is not only a domestic or regional matter, it is an international matter. Global supply chains and cross border data flows will be affected, shuffling the global economy into a new order. Therefore, it is crucial as citizens of a digital economy to unpack and understand the current UK privacy regime. This paper intends to give the reader a brief introduction to the current privacy regime of the UK. The author proposes to set out the structure of the UK privacy legislation, and to discuss important privacy topics. This paper only focuses on the general processing regime, which is the regime that is most relevant to general stakeholders. UK Privacy Legislation   There are two main privacy legislation in the UK – the Data Protection Act 2018 (‘DPA’) and the United Kingdom General Data Protection Act (‘UK GDPR’). These two acts must be read together in order to form a coherent understanding of the current UK privacy regime.   The UK GDPR is the creature of Brexit. The UK government wanted a smooth transition out of the EU and acknowledged that they needed to preserve the GDPR in their domestic privacy regime to an extent that would allow them to secure an adequacy decision. The UK government also wanted to create less impact on private companies. Thus, the UK GDPR was born. Largely it aligns closely with the GDPR, supplemented by the DPA. ICO   The Information Commissioner’s Office (‘ICO’) is the independent authority supervising the compliance of privacy laws in the UK. Prior to Brexit, the ICO was the UK’s supervisory authority under the GDPR. A unique feature of the ICO’s powers and functions is that it adopts a notice system. The ICO has power to issue four types of notices: information notices, assessment notices, enforcement notices and penalty notices.[3] The information notice requires controllers or processors to provide information. The ICO must issue an assessment notice before conducting data protection audits. Enforcement is only exercisable by giving an enforcement notice. Administrative fines are only exercisable by giving a penalty notice. Territorial Application   Section 207(1A) of the DPA states that the DPA applies to any controller or processor established in the UK, regardless where the processing of personal data takes place. Like the GDPR, the DPA and the UK GDPR have an extraterritorial reach to overseas controllers or processors. The DPA and the UK GDPR apply to overseas controllers or processors who process personal data relating to data subjects in the UK, and the processing activities are related to the offering of goods or services, or the monitoring of data subjects’ behavior.[4] Transfers of Personal Data to Third Countries   On 28 June 2021, the UK received an adequacy decision from the EU.[5] This means that until 27 June 2025, data can continue to flow freely between the UK and the European Economic Area (‘EEA’).   As for transferring personal data to third countries other than the EU, the UK has similar laws to the GDPR. Both the DPA and the UK GDPR restrict controllers or processors from transferring personal data to third countries. A transfer of personal data to a third country is permitted if it is based on adequacy regulations.[6] An EU adequacy decision is known as ‘adequacy regulations’ under the UK regime.   If there is no adequacy regulations, then a transfer of personal data to a third country will only be permitted if it is covered by appropriate safeguards, including standard data protection clauses, binding corporate rules, codes of conduct, and certifications.[7] The ICO intends to publish UK standard data protection clauses in 2021.[8] In the meantime, the EU has published a new set of standard data protection clauses (‘SCCs’).[9] However, it must be noted that the EU SCCs are not accepted to be valid in the UK, and may only be used for reference purposes. It is also worth noting that the UK has approved three certification schemes to assist organizations in demonstrating compliance to data protection laws.[10] Lawful Bases for Processing   Basically, the lawful bases for processing in the UK regime are the same as the GDPR. Six lawful bases are set out in article 6 of the UK GDPR. To process personal data, at least one of the following lawful bases must be satisfied:[11] The data subject has given consent to the processing; The processing is necessary for the performance of a contract; The processing is necessary for compliance with a legal obligation; The processing is necessary to protect vital interests of an individual – that is, protecting an individual’s life; The processing is necessary for the performance of a public task; The processing is necessary for the purpose of legitimate interests, unless other interests or fundamental rights and freedoms override those legitimate interests. Rights & Exemptions   The UK privacy regime, like the GDPR, gives data subjects certain rights. Most of the rights granted under the UK privacy regime is akin to the GDPR and can be found under the UK GDPR. Individual rights under the UK privacy regime is closely linked with its exemptions, this may be said to be a unique feature of the UK privacy regime which sets it apart from the GDPR. Under the DPA and the UK GDPR, there are certain exemptions, meaning organizations are exempted from certain obligations, most of them are associated with individual rights. For example, if data is processed for scientific or historical research purposes, or statistical purposes, organizations are exempted from provisions on the right of access, the right to rectification, the right to restrict processing and the right to object in certain circumstances.[12] Penalties   The penalty for infringement of the UK GDPR is the amount specified in article 83 of the UK GDPR.[13] If an amount is not specified, the penalty is the standard maximum amount.[14] The standard maximum amount, at the time of writing, is £8,700,000 (around 10 million Euros) or 2% of the undertaking’s total annual worldwide turnover in the preceding financial year.[15] In any other case, the standard maximum amount is £8,700,000 (around 10 million Euros).[16] Conclusion   The UK privacy regime closely aligns with the GDPR. However it would be too simple of a statement to say that the UK privacy regime is almost identical to the GDPR. The ICO’s unique enforcement powers exercised through a notice system is a distinct feature of the UK privacy regime. Recent legal trends show that the UK while trying to preserve its ties with the EU is gradually developing an independent privacy persona. The best example is that in regards to transfers to third countries, the UK has developed its first certification scheme and is attempting to develop its own standard data protection clauses. The UK’s transition out of the EU has certainly been interesting; however, the UK’s transformation from the EU is certainly awaited with awe. [1] Commission Implementing Decision of 28.6.2021, pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom, C(2021) 4800 final,https://ec.europa.eu/info/sites/default/files/decision_on_the_adequate_protection_of_personal_data_by_the_united_kingdom_-_general_data_protection_regulation_en.pdf.. [2] Judgment of 16 July 2020, Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems, C-311/18, EU:C:2020:559, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62018CJ0311. [3] Data Protection Act 2018, §115. [4] Data Protection Act 2018, §207(1A); REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 3. [5] supra note 1. [6] Data Protection Act 2018, §17A-18; REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 44-50. [7] Data Protection Act 2018, §17A-18; REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 46-47. [8]International transfers after the UK exit from the EU Implementation Period, ICO, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers-after-uk-exit/ (last visited Sep. 10, 2021). [9] Standard contractual clauses for international transfers, European Commission, https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en (last visited Sep. 10, 2021). [10] ICO, New certification schemes will “raise the bar” of data protection in children’s privacy, age assurance and asset disposal, ICO, Aug. 19, 2021, https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2021/08/ico-approves-the-first-uk-gdpr-certification-scheme-criteria/ (last visited Sep. 10, 2021). [11] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 6(1)-(2); Lawful basis for processing, ICO, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/ (last visited Sep. 10, 2021). [12] Data Protection Act 2018, sch 2, part 6, para 27. [13] id. at §157. [14] id. [15] id. [16] id.

The Institutionalization of the Taiwan Personal Data Protection Committee - Triumph of Digital Constitutionalism: A Legal Positivism Analysis

The Institutionalization of the Taiwan Personal Data Protection Committee - Triumph of Digital Constitutionalism: A Legal Positivism Analysis 2023/07/13 The Legislative Yuan recently passed an amendment to the Taiwan Personal Data Protection Act, which resulted in the institutionalization of the Taiwan Personal Data Protection Commission (hereunder the “PDPC”)[1]. This article aims to analyze the significance of this institutionalization from three different perspectives: legal positivism, digital constitutionalism, and Millian liberalism. By examining these frameworks, we can better understand the constitutional essence of sovereignty, the power dynamics among individuals, businesses, and governments, and the paradox of freedom that the PDPC addresses through governance and trust. I.Three Layers of Significance 1.Legal Positivism The institutionalization of the PDPC fully demonstrates the constitutional essence of sovereignty in the hands of citizens. Legal positivism emphasizes the importance of recognizing and obeying (the sovereign, of which it is obeyed by all but does not itself obey to anyone else, as Austin claims) laws that are enacted by legitimate authorities[2]. In this context, the institutionalization of the PDPC signifies the recognition of citizens' rights to control their personal data and the acknowledgment of the sovereign in protecting their privacy. It underscores the idea that the power to govern personal data rests with the individuals themselves, reinforcing the principles of legal positivism regarding sovereign Moreover, legal positivism recognizes the authority of the state in creating and enforcing laws. The institutionalization of the PDPC as a specialized commission with the power to regulate and enforce personal data protection laws represents the state's recognition of the need to address the challenges posed by the digital age. By investing the PDPC with the authority to oversee the proper handling and use of personal data, the state acknowledges its responsibility to protect the rights and interests of its citizens. 2.Digital Constitutionalism The institutionalization of the PDPC also rebalances the power structure among individuals, businesses, and governments in the digital realm[3]. Digital constitutionalism refers to the principles and norms that govern the relationship between individuals and the digital sphere, ensuring the protection of rights and liberties[4]. With the rise of technology and the increasing collection and use of personal data, individuals often find themselves at a disadvantage compared to powerful entities such as corporations and governments[5]. However, the PDPC acts as a regulatory body that safeguards individuals' interests, rectifying the power imbalances and promoting digital constitutionalism. By establishing clear rules and regulations regarding the collection, use, and transfer of personal data, the PDPC may set a framework that ensures the protection of individuals' privacy and data rights. It may enforce accountability among businesses and governments, holding them responsible for their data practices and creating a level playing field where individuals have a say in how their personal data is handled. 3.Millian Liberalism The need for the institutionalization of the PDPC embodies the paradox of freedom, as raised in John Stuart Mill’s “On Liberty”[6], where Mill recognizes that absolute freedom can lead to the infringement of others' rights and well-being. In this context, the institutionalization of the PDPC acknowledges the necessity of governance to mitigate the risks associated with personal data protection. In the digital age, the vast amount of personal data collected and processed by various entities raises concerns about privacy, security, and potential misuse. The institutionalization of the PDPC represents a commitment to address these concerns through responsible governance. By setting up rules, regulations, and enforcement mechanisms, the PDPC ensures that individuals' freedoms are preserved without compromising the rights and privacy of others. It strikes a delicate balance between individual autonomy and the broader social interest, shedding light on the paradox of freedom. II.Legal Positivism: Function and Authority of the PDPC 1.John Austin's Concept of Legal Positivism: Sovereignty, Punishment, Order To understand the function and authority of the PDPC, we turn to John Austin's concept of legal positivism. Austin posited that laws are commands issued by a sovereign authority and backed by sanctions[7]. Sovereignty entails the power to make and enforce laws within a given jurisdiction. In the case of the PDPC, its institutionalization by the Legislative Yuan reflects the recognition of its authority to create and enforce regulations concerning personal data protection. The PDPC, as an independent and specialized committee, possesses the necessary jurisdiction and competence to ensure compliance with the law, administer punishments for violations, and maintain order in the realm of personal data protection. 2.Dire Need for the Institutionalization of the PDPC There has been a dire need for the establishment of the PDPC following the Constitutional Court's decision in August 2022, holding that the government needed to establish a specific agency in charge of personal data-related issues[8]. This need reflects John Austin's concept of legal positivism, as it highlights the demand for a legitimate and authoritative body to regulate and oversee personal data protection. The PDPC's institutionalization serves as a response to the growing concerns surrounding data privacy, security breaches, and the increasing reliance on digital platforms. It signifies the de facto recognition of the need for a dedicated institution to safeguard the individual’s personal data rights, reinforcing the principles of legal positivism. Furthermore, the institutionalization of the PDPC demonstrates the responsiveness of the legislative branch to the evolving challenges posed by the digital age. The amendment to the Taiwan Personal Data Protection Act and the subsequent institutionalization of the PDPC are the outcomes of a democratic process, reflecting the will of the people and their desire for enhanced data protection measures. It signifies a commitment to uphold the rule of law and ensure the protection of citizens' rights in the face of emerging technologies and their impact on privacy. 3.Authority to Define Cross-Border Transfer of Personal Data Upon the establishment of the PDPC, it's authority to define what constitutes a cross-border transfer of personal data under Article 21 of the Personal Data Protection Act will then align with John Austin's theory on order. According to Austin, laws bring about order by regulating behavior and ensuring predictability in society. By granting the PDPC the power to determine cross-border data transfers, the legal framework brings clarity and consistency to the process. This promotes order by establishing clear guidelines and standards, reducing uncertainty, and enhancing the protection of personal data in the context of international data transfers. The PDPC's authority in this regard reflects the recognition of the need to regulate and monitor the cross-border transfer of personal data to protect individuals' privacy and prevent unauthorized use or abuse of their information. It ensures that the transfer of personal data across borders adheres to legal and ethical standards, contributing to the institutionalization of a comprehensive framework for cross-border data transfer. III.Conclusion In conclusion, the institutionalization of the Taiwan Personal Data Protection Committee represents the convergence of legal positivism, digital constitutionalism, and Millian liberalism. It signifies the recognition of citizens' sovereignty over their personal data, rebalances power dynamics in the digital realm, and addresses the paradox of freedom through responsible governance. By analyzing the PDPC's function and authority in the context of legal positivism, we understand its role as a regulatory body to maintain order and uphold the principles of legal positivism. The institutionalization of the PDPC serves as a milestone in Taiwan's commitment to protect individuals' personal data and safeguard the digital rights. In essence, the institutionalization of the Taiwan Personal Data Protection Committee represents a triumph of digital constitutionalism, where individuals' rights and interests are safeguarded, and power imbalances are rectified. It also embodies the recognition of the paradox of freedom and the need for responsible governance in the digital age in Taiwan. [1] Lin Ching-yin & Evelyn Yang, Bill to establish data protection agency clears legislative floor, CNA English News, FOCUS TAIWAN, May 16, 2023, https://focustaiwan.tw/society/202305160014 (last visited, July 13, 2023). [2] Legal positivism, Stanford Encyclopedia of Philosophy, https://plato.stanford.edu/entries/legal-positivism/?utm_source=fbia (last visited July 13, 2023). [3] Edoardo Celeste, Digital constitutionalism: how fundamental rights are turning digital, (2023): 13-36, https://doras.dcu.ie/28151/1/2023_Celeste_DIGITAL%20CONSTITUTIONALISM_%20HOW%20FUNDAMENTAL%20RIGHTS%20ARE%20TURNING%20DIGITAL.pdf (last visited July 3, 2023). [4] GIOVANNI DE GREGORIO, DIGITAL CONSTITUTIONALISM IN EUROPE: REFRAMING RIGHTS AND POWERS IN THE ALGORITHMIC SOCIETY 218 (2022). [5] Celeste Edoardo, Digital constitutionalism: how fundamental rights are turning digital (2023), https://doras.dcu.ie/28151/1/2023_Celeste_DIGITAL%20CONSTITUTIONALISM_%20HOW%20FUNDAMENTAL%20RIGHTS%20ARE%20TURNING%20DIGITAL.pdf (last visited July 13, 2023). [6]JOHN STUART MILL,On Liberty (1859), https://openlibrary-repo.ecampusontario.ca/jspui/bitstream/123456789/1310/1/On-Liberty-1645644599.pdf (last visited July 13, 2023). [7] Legal positivism, Stanford Encyclopedia of Philosophy, https://plato.stanford.edu/entries/legal-positivism/?utm_source=fbia (last visited July 13, 2023). [8] Lin Ching-yin & Evelyn Yang, Bill to establish data protection agency clears legislative floor, CNA English News, FOCUS TAIWAN, May 16, 2023, https://focustaiwan.tw/society/202305160014 (last visited, July 13, 2023).

Recommendation of the Regulations on the Legal and Effective Access to Taiwan’s Biological Resources

Preface Considering that, many countries and regional international organizations already set up ABS system, such as Andean Community, African Union, Association of Southeast Asia Nations (ASEAN), Australia, South Africa, and India, all are enthusiastic with the establishment of the regulations regarding the access management of biological resources and genetic resources. On the other hand, there are still many countries only use traditional and existing conservation-related regulations to manage the access of biological resources. Can Taiwan's regulations comply with the purposes and objects of CBD? Is there a need for Taiwan to set up specific regulations for the management of these access activities? This article plans to present Taiwan's regulations and review the effectiveness of the existing regulations from the aspect of enabling the legal and effective access to biological resources. A recommendation will be made on whether Taiwan should reinforce the management of the bio-resources access activities. Review and Recommendation of the Regulations on the Legal and Effective Access to Taiwan's Biological Rersearch Resources (1)Evaluate the Needs and Benefits before Establishing the Regulation of Access Rights When taking a look at the current development of the regulations on the access of biological resources internationally, we discover that some countries aggressively develop designated law for access, while some countries still adopt existing regulations to explain the access rights. Whether to choose a designated law or to adopt the existing law should depend on the needs of establishing access and benefit sharing system. Can the access and benefit sharing system benefit the functioning of bio-technological research and development activities that link closely to the biological resources? Can the system protect the interests of Taiwan's bio-research results? In Taiwan, in the bio-technology industry, Agri-biotech, Medical, or Chinese Herb Research & Development are the key fields of development. However, the biological resources they use for the researches are mainly supplied from abroad. Hence, the likelihood of violating international bio-piracy is higher. On the contrary, the incidence of international research houses searching for the biological resources from Taiwan is comparatively lower, so the possibility for them to violate Taiwan's bio-piracy is very low. To look at this issue from a different angle, if Taiwan establishes a separate management system for the access of biological resources, it is likely to add more restrictions to Taiwan's bio-tech R&D activities and impact the development of bio-industry. Also, under the new management system, international R&D teams will also be confined, if they wish to explore the biological resources, or conduct R&D and seek for co-operation activities in Taiwan. Not to mention that it is not a usual practice for international R&D teams to look for Taiwan's biological resources. A new management system will further reduce their level of interest in doing so. In the end, the international teams will then shift their focus of obtaining resources from other countries where the regulation on access is relatively less strict. Before Taiwan establishes the regulations on the legal and effective access to bio-research resources, the government should consider not only the practical elements of the principal on the fair and impartial sharing of the derived interests from bio-research resources, but also take account of its positive and negative impacts on the development of related bio-technological industries. Even if a country's regulation on the access and benefit sharing is thorough and comprehensive enough to protect the interests of bio-resource provider, it will, on the contrary, reduce the industry's interest in accessing the bio-resources. As a result, the development of bio-tech industry will be impacted and the resource provider will then be unable to receive any benefits. By then, the goal of establishing the regulation to benefit both the industry and resource provider will not be realized. To sum up, it is suggested to evaluate the suitability of establishing the management system for the access to biological resources through the cost-effect analysis first. And, further consider the necessity of setting up regulations by the access the economic benefits derived from the regulation for both resource provider and bio-tech industry. (2)The Feasibility of Managing the access to Bio-research Resources from existing Regulations As analysed in the previous paragraphs, the original intention of setting up the Wildlife Conservation Act, National Park Law, Forestry Act, Cultural Heritage Preservation Act, and Aboriginal Basic Act is to protect the environment and to conserve the ecology. However, if we utilize these traditional regulations properly, it can also partially help to manage the access to biological resources. When Taiwan's citizens wish to enter specific area, or to collect the biological resources within the area, they need to receive the permit from management authority, according to current regulations. Since these national parks, protection areas, preserved areas, or other controlled areas usually have the most comprehensive collections of valuable biological resources in a wide range of varieties, it is suggested to include the agreements of access and benefit sharing as the mandatory conditions when applying for the entrance permit. Therefore, the principal of benefit sharing from the access to biological resources can be assured. Furthermore, the current regulations already favour activities of accessing biological resources for academic research purpose. This practice also ties in with the international trend of separating the access application into two categories - academic and business. Australia's practice of access management can be a very good example of utilizing the existing regulations to control the access of resources. The management authority defines the guidelines of managing the entrance of control areas, research of resources, and the collection and access of resources. The authority also adds related agreements, such as PIC (Prior Informed Consent), MTA (Material Transfer Agreement), and benefit sharing into the existing guidelines of research permission. In terms of scope of management, the existing regulation does not cover all of Taiwan's bio-research resources. Luckily, the current environmental protection law regulates areas with the most resourceful resources or with the most distinctive and rare species. These are often the areas where the access management system is required. Therefore, to add new regulation for access management on top of the existing regulation is efficient method that utilizes the least administrative resources. This could be a feasible way for Taiwan to manage the access to biological resources. (3)Establish Specific Regulations to Cover the Details of the Scope of Derived Interests and the Items and Percentage of Funding Allocation In addition to the utilization of current regulations to control the access to biological resources, many countries establish specific regulations to manage the biological resources. If, after the robust economic analysis had been done, the country has come to an conclusion that it is only by establishing new regulations of access management the resources and derived interests of biological resources can be impartially shared, the CBD (Convention of Bio Diversity), the Bonn Guidelines, or the real implementation experiences of many countries can be an important guidance when establishing regulations. Taiwan has come up with the preliminary draft of Genetic Resources Act that covers the important aspects of international access guidelines. The draft indicates the definition and the scope of access activities, the process of access applications (for both business and academic purpose), the establishment of standardized or model MTA, the obligation of disclosing the sources of property rights (patents), and the establishment of bio-diversity fund. However, if we observe the regulation or drafts to the access management of the international agreements or each specific country, we can find that the degree of strictness varies and depends on the needs and situations. Generally speaking, these regulations usually do not cover some detailed but important aspects such as the scope of derived interests from biological resources, or the items and percentage of the allocation of bio-diversity fund. Under the regulation to the access to biological resources, in addition to the access fee charge, the impartial sharing of the derived interests is also an important issue. Therefore, to define the scope of interests is extremely important. Any interest that is out of the defined scope cannot be shared. The interest stated in the existing regulation generally refers to the biological resources or the derived business interests from genetic resources. Apart from describing the forms of interest such as money, non-money, or intellectual property rights, the description of actual contents or scope of the interests is minimal in the regulations. However, after realizing the importance of bio-diversity and the huge business potential, many countries have started to investigate the national and international bio-resources and develop a database system to systematically collect related bio-research information. The database comprised of bio-resources is extremely useful to the activities related to bio-tech developments. If the international bio-tech companies can access Taiwan's bio-resource database, it will save their travelling time to Taiwan. Also, the database might as well become a product that generates revenues. The only issue that needs further clarification is whether the revenue generated from the access of database should be classified as business interests, as defined in the regulations. As far as the bio-diversity fund is concerned, many countries only describe the need of setting up bio-diversity funds in a general manner in the regulations. But the definition of which kind of interests should be put into funds, the percentage of the funds, and the related details are not described. As a result, the applicants to the access of bio-resources or the owner of bio-resources cannot predict the amount of interests to be put into bio-diversity fund before they actually use the resources. This issue will definitely affect the development of access activities. To sum up, if Taiwan's government wishes to develop the specific regulations for the access of biological resources, it is advised to take the above mentioned issues into considerations for a more thoroughly described, and more effective regulations and related framework. Conclusion In recent years, it has been a global trend to establish the regulations of the access to and benefit sharing of bio-resources. The concept of benefit sharing is especially treated as a useful weapon for the developing countries to protect the interests of their abundant bio-research resources. However, as we are in the transition period of changing from free access to biological resources to controlled access, we are facing different regulations within one country as well as internationally. It will be a little bit disappointing for the academic research institution and the industry who relies on the biological resources to conduct bio-tech development if they do not see a clear principal direction to follow. The worse case is the violation of the regulation of the country who owns the bio-resources when the research institutions try to access, exchange, or prospect the biological resources without thorough understanding of related regulations. For some of Taiwan's leading fields in the bio-tech industry, such as Chinese and herbal medicine related products, agricultural products, horticultural products, and bio-tech products, since many resources are obtained from abroad, the incidence of violation of international regulation will increase, and the costs from complying the regulations will also increase. Therefore, not only the researcher but also the government have the responsibility to understand and educate the related people in Taiwan's bio-tech fields the status of international access management regulations and the methods of legally access the international bio-research resources. Currently in Taiwan, we did not establish specific law to manage the access to and benefit sharing of bio-resources. Comparing with the international standard, there is still room of improvement for Taiwan's regulatory protection to the provider of biological resources. However, we have to consider the necessity of doing so, and how to do the improvement. And Taiwan's government should resolve this issue. When we consider whether we should follow international trend to establish a specific law for access management, we should always go back to check the potential state interests we will receive and take this point into consideration. To define the interests, we should always cover the protection of biological resources, the development of bio-tech industry, and the administrative costs of government. Also the conservation of biological resources and the encouragement of bio-tech development should be also taken into consideration when the government is making decisions. In terms of establishing regulations for the access to biological resources and the benefit sharing, there are two possible solutions. The first solution is to utilize the existing regulations and add the key elements of access management into the scope of administrative management. The work is planned through the revision of related current procedures such as entrance control of controlled areas and the access of specific resources. The second solution is to establish new regulations for the access to biological resources. The first solution is relatively easier and quicker; while the second solution is considered to have a more comprehensive control of the issue. The government has the final judgement on which solution to take to generate a more effective management of Taiwan's biological resources.

TOP