Post Brexit – An Update on the United Kingdom Privacy Regime


2021/9/10

  After lengthy talks, on 31 January 2020, the United Kingdom (‘UK’) finally exited the European Union (‘EU’). Then, the UK shifted into a transition period. The UK government was bombarded with questions from all stakeholders. In particular, the data and privacy industry yelled out the loudest – what am I going to do with data flowing from the EU to the UK? Privacy professionals queried – would the UK have a new privacy regime that significantly departs from the General Data Protection Regulation (‘GDPR’)?

Eventually, the UK made a compromise with all stakeholders – the British, the Europeans and the rest of the world – by bridging its privacy laws with the GDPR. On 28 June 2021, the UK obtained an adequacy decision from the EU.[1] This was widely anticipated but also widely known to be delayed, as it was heavily impacted by the aftermath of the invalidation of the US-EU Privacy Shield.[2]

  While the rest of the world seems to silently observe the transition undertaken by the UK, post-Brexit changes to the UK’s privacy regime are not only a domestic or regional matter; they are an international matter. Global supply chains and cross-border data flows will be affected, shuffling the global economy into a new order. Therefore, it is crucial for citizens of a digital economy to unpack and understand the current UK privacy regime.

This paper intends to give the reader a brief introduction to the current privacy regime of the UK. The author proposes to set out the structure of the UK privacy legislation, and to discuss important privacy topics. This paper only focuses on the general processing regime, which is the regime that is most relevant to general stakeholders.

UK Privacy Legislation

  There are two main pieces of privacy legislation in the UK – the Data Protection Act 2018 (‘DPA’) and the United Kingdom General Data Protection Act (‘UK GDPR’). These two acts must be read together in order to form a coherent understanding of the current UK privacy regime.

  The UK GDPR is the creature of Brexit. The UK government wanted a smooth transition out of the EU and acknowledged that it needed to preserve the GDPR in its domestic privacy regime to an extent that would allow it to secure an adequacy decision. The UK government also wanted to reduce the impact on private companies. Thus, the UK GDPR was born. It largely aligns with the GDPR and is supplemented by the DPA.

ICO

  The Information Commissioner’s Office (‘ICO’) is the independent authority supervising compliance with privacy laws in the UK. Prior to Brexit, the ICO was the UK’s supervisory authority under the GDPR. A unique feature of the ICO’s powers and functions is that it adopts a notice system. The ICO has the power to issue four types of notices: information notices, assessment notices, enforcement notices and penalty notices.[3] The information notice requires controllers or processors to provide information. The ICO must issue an assessment notice before conducting data protection audits. Enforcement is only exercisable by giving an enforcement notice. Administrative fines are only exercisable by giving a penalty notice.

Territorial Application

  Section 207(1A) of the DPA states that the DPA applies to any controller or processor established in the UK, regardless of where the processing of personal data takes place. Like the GDPR, the DPA and the UK GDPR have an extraterritorial reach to overseas controllers or processors. The DPA and the UK GDPR apply to overseas controllers or processors who process personal data relating to data subjects in the UK, where the processing activities are related to the offering of goods or services, or the monitoring of data subjects’ behavior.[4]

Transfers of Personal Data to Third Countries

  On 28 June 2021, the UK received an adequacy decision from the EU.[5] This means that until 27 June 2025, data can continue to flow freely between the UK and the European Economic Area (‘EEA’).

  As for transferring personal data to third countries other than the EU, the UK has similar laws to the GDPR. Both the DPA and the UK GDPR restrict controllers or processors from transferring personal data to third countries. A transfer of personal data to a third country is permitted if it is based on adequacy regulations.[6] An EU adequacy decision is known as ‘adequacy regulations’ under the UK regime.

  If there are no adequacy regulations, then a transfer of personal data to a third country will only be permitted if it is covered by appropriate safeguards, including standard data protection clauses, binding corporate rules, codes of conduct, and certifications.[7] The ICO intends to publish UK standard data protection clauses in 2021.[8] In the meantime, the EU has published a new set of standard data protection clauses (‘SCCs’).[9] However, it must be noted that the EU SCCs are not accepted to be valid in the UK, and may only be used for reference purposes. It is also worth noting that the UK has approved three certification schemes to assist organizations in demonstrating compliance with data protection laws.[10]

Lawful Bases for Processing

  Basically, the lawful bases for processing in the UK regime are the same as the GDPR. Six lawful bases are set out in article 6 of the UK GDPR. To process personal data, at least one of the following lawful bases must be satisfied:[11]

  1. The data subject has given consent to the processing;
  2. The processing is necessary for the performance of a contract;
  3. The processing is necessary for compliance with a legal obligation;
  4. The processing is necessary to protect vital interests of an individual – that is, protecting an individual’s life;
  5. The processing is necessary for the performance of a public task;
  6. The processing is necessary for the purpose of legitimate interests, unless other interests or fundamental rights and freedoms override those legitimate interests.

Rights & Exemptions

  The UK privacy regime, like the GDPR, gives data subjects certain rights. Most of the rights granted under the UK privacy regime are akin to those under the GDPR and can be found in the UK GDPR. Individual rights under the UK privacy regime are closely linked with its exemptions; this may be said to be a unique feature of the UK privacy regime which sets it apart from the GDPR. Under the DPA and the UK GDPR, there are certain exemptions, meaning organizations are exempted from certain obligations, most of which are associated with individual rights. For example, if data is processed for scientific or historical research purposes, or statistical purposes, organizations are exempted from provisions on the right of access, the right to rectification, the right to restrict processing and the right to object in certain circumstances.[12]

Penalties

  The penalty for infringement of the UK GDPR is the amount specified in article 83 of the UK GDPR.[13] If an amount is not specified, the penalty is the standard maximum amount.[14] The standard maximum amount, at the time of writing, is £8,700,000 (around 10 million Euros) or 2% of the undertaking’s total annual worldwide turnover in the preceding financial year.[15] In any other case, the standard maximum amount is £8,700,000 (around 10 million Euros).[16]

Conclusion

  The UK privacy regime closely aligns with the GDPR. However, it would be too simple a statement to say that the UK privacy regime is almost identical to the GDPR. The ICO’s unique enforcement powers, exercised through a notice system, are a distinct feature of the UK privacy regime. Recent legal trends show that the UK, while trying to preserve its ties with the EU, is gradually developing an independent privacy persona. The best example is that, in regard to transfers to third countries, the UK has developed its first certification scheme and is attempting to develop its own standard data protection clauses. The UK’s transition out of the EU has certainly been interesting; however, the UK’s transformation from the EU is certainly awaited with awe.

 

 

[1] Commission Implementing Decision of 28.6.2021, pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom, C(2021) 4800 final, https://ec.europa.eu/info/sites/default/files/decision_on_the_adequate_protection_of_personal_data_by_the_united_kingdom_-_general_data_protection_regulation_en.pdf.

[2] Judgment of 16 July 2020, Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems, C-311/18, EU:C:2020:559, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62018CJ0311.

[3] Data Protection Act 2018, §115.

[4] Data Protection Act 2018, §207(1A); REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 3.

[5] supra note 1.

[6] Data Protection Act 2018, §17A-18; REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 44-50.

[7] Data Protection Act 2018, §17A-18; REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 46-47.

[8] International transfers after the UK exit from the EU Implementation Period, ICO, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers-after-uk-exit/ (last visited Sep. 10, 2021).

[10] ICO, New certification schemes will “raise the bar” of data protection in children’s privacy, age assurance and asset disposal, ICO, Aug. 19, 2021, https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2021/08/ico-approves-the-first-uk-gdpr-certification-scheme-criteria/ (last visited Sep. 10, 2021).

[11] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 6(1)-(2); Lawful basis for processing, ICO, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/ (last visited Sep. 10, 2021).

[12] Data Protection Act 2018, sch 2, part 6, para 27.

[13] id. at §157.

[14] id.

[15] id.

[16] id.

 

 

※Post Brexit – An Update on the United Kingdom Privacy Regime,STLI, https://stli.iii.org.tw/en/article-detail.aspx?no=105&tp=2&i=168&d=8722 (Date:2024/02/27)
Quote this paper
You may be interested
Introducing and analyzing the Scope and Benefits of the Regulation「Statute for Upgrading Industries」in The Biotechnology Industry in Taiwan

The recent important regulation for supporting the biopharmaceutical industry in Taiwan has been the 「Statute for Upgrading Industries」 (hereinafter referred to as 「the Statute」).The main purpose of the Statue is for upgrading all industry for future economic development, so it applies to various industries, ranging from agriculture, industrial and service businesses. In other words, the Statute does not offer incentive measures to biopharmaceutical industry in particular, but focuses on promoting the industry development in general. Statute for Upgrading Industry and Related Regulations Generally speaking, the Statute has a widespread influence on industry development in Taiwan. The incentive measures provided in the Statute is complicated and covered other related regulations under its legal framework. Thus, the article will be taking a multi-facet perspective in discussing the how Statute relates to the biopharmaceutical industry. 1 、 Scope of Application According to Article 1 of the Statute, the term 「industries」 refers to agricultural, industrial and service businesses. Consequently, nearly all kinds of industries fall under this definition, and the Statute is applicable to all of them. Moreover, in order to promote the development and application of emerging technology as well as cultivating the recognized industry, the Statute provides much more favorable terms to these industries. These emerging and major strategic industries includes computer, communication and consumer electronics (3C), precise mechanics and automation, aerospace, biomedical and chemical production, green technology, material science, nanotechnology, security and other product or service recognized by the Executive Yuan. 2 、 Tax Benefits The Statute offers several types of tax benefits, so the industry could receive sufficient reward in every way it could, and promote a sound cycle in creating new values through these benefits. 
(1) Benefits for the purchase of automation equipment The said procured equipment and technology over NTD600, 000 may credit a certain percentage of the investment against the amount of profit-seeking enterprise income tax payable for the then current year. For the purchase of production technology, 5% may be credited. For the purchase of equipment, 7% may be credited. And any investment plan that includes the purchasing of equipment for automation can qualify for a low-interest preferential loan. Besides, for science-based industrial company imported overseas equipment that is not manufacture by local manufactures, from January 1, 2002, the imported equipment shall be exempted from import and business tax. And if the company is a bonded factory, the raw materials to be imported from abroad by it shall also be exempt from import duties and business tax. (2) Benefits for R&D expenditure Expenditure concurred for developing new products, improving production technology, or improving label-providing technology may credit 30%of the investment against the amount of profit-seeking enterprise income tax payable for the then current year. Research expenditures of the current year exceeding the average research expenditure for the past two years, the excess in research expenditure shall be 50% deductible. Instruments and equipments purchased by for exclusive R&D purpose, experimentation, or quality inspection may be accelerated to two years. At last, Biotech and New Pharmaceuticals Company engages in R&D activities, such as Contract research Organization (CRO), may credit 30% of the investment against the amount of profit-seeking enterprise income tax payable. (3) Personnel Training When a company trained staff and registered for business-related course, may credit 30% of the training cost against the amount of profit-seeking enterprise income tax payable for the then current year. 
Where training expenses for the current year exceeds the two-year average, 50% of the excess portion may be credited. (4) Benefit for Newly Emerging Strategic Industries Corporate shareholders invest in newly emerging strategic industries are entitled to select one of the following tax benefits: A profit seeking enterprise may credit up to 20% of the price paid for acquisition of such stock against the profit seeking enterprise income tax. An individual may credit up to 10%. As of January and once every year, there will be a 1% reduction of the price paid for acquisition of such stock against the consolidated income tax payable in the then current year. A company, within two years from the beginning date for payment of the stock price by its shareholders, selects, with the approval of its shareholder meeting, the application of an exemption from profit-seeking enterprise income tax and waives the shareholders investment credit against payable income tax as mentioned above. However, that once the selection is made, no changes shall be allowed. (5) Benefits for Investment in Equipment or Technology Used for Pollution Control To prevent our environment from further pollution, the Government offers tax benefits to reward companies in making improvements. Investment in equipment or technology used for pollution control may credit 7% of the equipment expenditure, and 5% of the expenditure on technology against the amount of profit-seeking enterprise income tax payable for the then current year. For any equipment that has been verified in use and specialized in air pollution control, noise pollution control, vibration control, water pollution control, environmental surveillance and waste disposal, shall be exempt from import duties and business tax. And for investment plans that planned implementation of energy saving systems can apply for a low interest loan. 
(6) Incentive for Operation Headquarter To encourage companies to utilize worldwide resources and set up international operation network, if they established operation headquarters within the territory of the Republic of China reaching a specific size and bringing about significant economic benefit, their following incomes shall be exempted from profit-seeking enterprise income tax: The income derived from provision of management services or R&D services. The royalty payment received under its investments to its affiliates abroad. The investment return and asset disposal received under its investment to its affiliates abroad. (7) Exchange of Technology for Stock Option The emerging-industrycompany recognized by government, upon adoption of a resolution by a majority voting of the directors present at a meeting of its board of directors attended by two-thirds of the directors of the company, may issue stock options to corporation or individual in exchange for authorization or transfer of patent and technologies. (8) Deferral of Taxes on the Exchange of Technology for Shares Taxes on income earned by investors from the acquisition of shares in emerging-industry companies in exchange for technology will be deferred for five years, on condition that the shares exchanged for technology amount to more than 20% of the company's total stock equity and that the number of persons who obtain shares in exchange for technology does not exceed five. 3 、 Technical Assistance and Capital Investment The rapid industry development has been closely tied to the infusion of funds. In addition to tax benefits, the Statute incorporates regulations especially for technical assistance and capital investment as below: (1) In order to introduce or transfer advanced technologies, technical organization formed with the contribution of government shall provide appropriate technical assistance as required. 
(2) In order to advance technologies, enhance R&D activities and further upgrade industries, the relevant central government authorities in charge of end enterprises may promote the implementation of industrial and technological projects by providing subsidies to such R&D projects. (3) In order to assist the start-up of domestic small-medium technological enterprises and the overall upgrading of the entire industries, guidance and assistance shall be provided for the development of venture capital enterprises.

The Institutionalization of the Taiwan Personal Data Protection Committee - Triumph of Digital Constitutionalism: A Legal Positivism Analysis

The Institutionalization of the Taiwan Personal Data Protection Committee - Triumph of Digital Constitutionalism: A Legal Positivism Analysis 2023/07/13 The Legislative Yuan recently passed an amendment to the Taiwan Personal Data Protection Act, which resulted in the institutionalization of the Taiwan Personal Data Protection Commission (hereunder the “PDPC”)[1]. This article aims to analyze the significance of this institutionalization from three different perspectives: legal positivism, digital constitutionalism, and Millian liberalism. By examining these frameworks, we can better understand the constitutional essence of sovereignty, the power dynamics among individuals, businesses, and governments, and the paradox of freedom that the PDPC addresses through governance and trust. I.Three Layers of Significance 1.Legal Positivism The institutionalization of the PDPC fully demonstrates the constitutional essence of sovereignty in the hands of citizens. Legal positivism emphasizes the importance of recognizing and obeying (the sovereign, of which it is obeyed by all but does not itself obey to anyone else, as Austin claims) laws that are enacted by legitimate authorities[2]. In this context, the institutionalization of the PDPC signifies the recognition of citizens' rights to control their personal data and the acknowledgment of the sovereign in protecting their privacy. It underscores the idea that the power to govern personal data rests with the individuals themselves, reinforcing the principles of legal positivism regarding sovereign Moreover, legal positivism recognizes the authority of the state in creating and enforcing laws. The institutionalization of the PDPC as a specialized commission with the power to regulate and enforce personal data protection laws represents the state's recognition of the need to address the challenges posed by the digital age. 
By investing the PDPC with the authority to oversee the proper handling and use of personal data, the state acknowledges its responsibility to protect the rights and interests of its citizens. 2.Digital Constitutionalism The institutionalization of the PDPC also rebalances the power structure among individuals, businesses, and governments in the digital realm[3]. Digital constitutionalism refers to the principles and norms that govern the relationship between individuals and the digital sphere, ensuring the protection of rights and liberties[4]. With the rise of technology and the increasing collection and use of personal data, individuals often find themselves at a disadvantage compared to powerful entities such as corporations and governments[5]. However, the PDPC acts as a regulatory body that safeguards individuals' interests, rectifying the power imbalances and promoting digital constitutionalism. By establishing clear rules and regulations regarding the collection, use, and transfer of personal data, the PDPC may set a framework that ensures the protection of individuals' privacy and data rights. It may enforce accountability among businesses and governments, holding them responsible for their data practices and creating a level playing field where individuals have a say in how their personal data is handled. 3.Millian Liberalism The need for the institutionalization of the PDPC embodies the paradox of freedom, as raised in John Stuart Mill’s “On Liberty”[6], where Mill recognizes that absolute freedom can lead to the infringement of others' rights and well-being. In this context, the institutionalization of the PDPC acknowledges the necessity of governance to mitigate the risks associated with personal data protection. In the digital age, the vast amount of personal data collected and processed by various entities raises concerns about privacy, security, and potential misuse. 
The institutionalization of the PDPC represents a commitment to address these concerns through responsible governance. By setting up rules, regulations, and enforcement mechanisms, the PDPC ensures that individuals' freedoms are preserved without compromising the rights and privacy of others. It strikes a delicate balance between individual autonomy and the broader social interest, shedding light on the paradox of freedom. II.Legal Positivism: Function and Authority of the PDPC 1.John Austin's Concept of Legal Positivism: Sovereignty, Punishment, Order To understand the function and authority of the PDPC, we turn to John Austin's concept of legal positivism. Austin posited that laws are commands issued by a sovereign authority and backed by sanctions[7]. Sovereignty entails the power to make and enforce laws within a given jurisdiction. In the case of the PDPC, its institutionalization by the Legislative Yuan reflects the recognition of its authority to create and enforce regulations concerning personal data protection. The PDPC, as an independent and specialized committee, possesses the necessary jurisdiction and competence to ensure compliance with the law, administer punishments for violations, and maintain order in the realm of personal data protection. 2.Dire Need for the Institutionalization of the PDPC There has been a dire need for the establishment of the PDPC following the Constitutional Court's decision in August 2022, holding that the government needed to establish a specific agency in charge of personal data-related issues[8]. This need reflects John Austin's concept of legal positivism, as it highlights the demand for a legitimate and authoritative body to regulate and oversee personal data protection. The PDPC's institutionalization serves as a response to the growing concerns surrounding data privacy, security breaches, and the increasing reliance on digital platforms. 
It signifies the de facto recognition of the need for a dedicated institution to safeguard the individual’s personal data rights, reinforcing the principles of legal positivism. Furthermore, the institutionalization of the PDPC demonstrates the responsiveness of the legislative branch to the evolving challenges posed by the digital age. The amendment to the Taiwan Personal Data Protection Act and the subsequent institutionalization of the PDPC are the outcomes of a democratic process, reflecting the will of the people and their desire for enhanced data protection measures. It signifies a commitment to uphold the rule of law and ensure the protection of citizens' rights in the face of emerging technologies and their impact on privacy. 3.Authority to Define Cross-Border Transfer of Personal Data Upon the establishment of the PDPC, it's authority to define what constitutes a cross-border transfer of personal data under Article 21 of the Personal Data Protection Act will then align with John Austin's theory on order. According to Austin, laws bring about order by regulating behavior and ensuring predictability in society. By granting the PDPC the power to determine cross-border data transfers, the legal framework brings clarity and consistency to the process. This promotes order by establishing clear guidelines and standards, reducing uncertainty, and enhancing the protection of personal data in the context of international data transfers. The PDPC's authority in this regard reflects the recognition of the need to regulate and monitor the cross-border transfer of personal data to protect individuals' privacy and prevent unauthorized use or abuse of their information. It ensures that the transfer of personal data across borders adheres to legal and ethical standards, contributing to the institutionalization of a comprehensive framework for cross-border data transfer. 
III.Conclusion In conclusion, the institutionalization of the Taiwan Personal Data Protection Committee represents the convergence of legal positivism, digital constitutionalism, and Millian liberalism. It signifies the recognition of citizens' sovereignty over their personal data, rebalances power dynamics in the digital realm, and addresses the paradox of freedom through responsible governance. By analyzing the PDPC's function and authority in the context of legal positivism, we understand its role as a regulatory body to maintain order and uphold the principles of legal positivism. The institutionalization of the PDPC serves as a milestone in Taiwan's commitment to protect individuals' personal data and safeguard the digital rights. In essence, the institutionalization of the Taiwan Personal Data Protection Committee represents a triumph of digital constitutionalism, where individuals' rights and interests are safeguarded, and power imbalances are rectified. It also embodies the recognition of the paradox of freedom and the need for responsible governance in the digital age in Taiwan. [1] Lin Ching-yin & Evelyn Yang, Bill to establish data protection agency clears legislative floor, CNA English News, FOCUS TAIWAN, May 16, 2023, https://focustaiwan.tw/society/202305160014 (last visited, July 13, 2023). [2] Legal positivism, Stanford Encyclopedia of Philosophy, https://plato.stanford.edu/entries/legal-positivism/?utm_source=fbia (last visited July 13, 2023). [3] Edoardo Celeste, Digital constitutionalism: how fundamental rights are turning digital, (2023): 13-36, https://doras.dcu.ie/28151/1/2023_Celeste_DIGITAL%20CONSTITUTIONALISM_%20HOW%20FUNDAMENTAL%20RIGHTS%20ARE%20TURNING%20DIGITAL.pdf (last visited July 3, 2023). [4] GIOVANNI DE GREGORIO, DIGITAL CONSTITUTIONALISM IN EUROPE: REFRAMING RIGHTS AND POWERS IN THE ALGORITHMIC SOCIETY 218 (2022). 
[5] Celeste Edoardo, Digital constitutionalism: how fundamental rights are turning digital (2023), https://doras.dcu.ie/28151/1/2023_Celeste_DIGITAL%20CONSTITUTIONALISM_%20HOW%20FUNDAMENTAL%20RIGHTS%20ARE%20TURNING%20DIGITAL.pdf (last visited July 13, 2023). [6]JOHN STUART MILL,On Liberty (1859), https://openlibrary-repo.ecampusontario.ca/jspui/bitstream/123456789/1310/1/On-Liberty-1645644599.pdf (last visited July 13, 2023). [7] Legal positivism, Stanford Encyclopedia of Philosophy, https://plato.stanford.edu/entries/legal-positivism/?utm_source=fbia (last visited July 13, 2023). [8] Lin Ching-yin & Evelyn Yang, Bill to establish data protection agency clears legislative floor, CNA English News, FOCUS TAIWAN, May 16, 2023, https://focustaiwan.tw/society/202305160014 (last visited, July 13, 2023).

Hard Law or Soft Law? –Global AI Regulation Developments and Regulatory Considerations

Hard Law or Soft Law? –Global AI Regulation Developments and Regulatory Considerations 2023/08/18 Since the launch of ChatGPT on November 30, 2022, the technology has been disrupting industries, shifting the way things used to work, bringing benefits but also problems. Several law suits were filed by artists, writers and voice actors in the US, claiming that the usage of copyright materials in training generative AI violates their copyright.[1] AI deepfake, hallucination and bias has also become the center of discussion, as the generation of fake news, false information, and biased decisions could deeply affect human rights and the society as a whole.[2] To retain the benefits of AI without causing damage to the society, regulators around the world have been accelerating their pace in establishing AI regulations. However, with the technology evolving at such speed and uncertainty, there is a lack of consensus on which regulation approach can effectively safeguard human rights while promoting innovation. This article will provide an overview of current AI regulation developments around the world, a preliminary analysis of the pros and cons of different regulation approaches, and point out some other elements that regulators should consider. I. An overview of the current AI regulation landscape around the world The EU has its lead in legislation, with its parliament adopting its position on the AI ACT in June 2023, heading into trilogue meetings that aim to reach an agreement by the end of this year.[3] China has also announced its draft National AI ACT, scheduled to enter its National People's Congress before the end of 2023.[4] It already has several administration rules in place, such as the 2021 regulation on recommendation algorithms, the 2022 rules for deep synthesis, and the 2023 draft rules on generative AI.[5] Some other countries have been taking a softer approach, preferring voluntary guidelines and testing schemes. 
The UK published its AI regulation plans in March, seeking views on its sectoral, guideline-based, pro-innovation regulatory approach.[6] To minimize uncertainty for companies, it proposed a set of regulatory principles to ensure that government bodies develop guidelines in a consistent manner.[7] The US National Institute of Standards and Technology (NIST) released the AI Risk Management Framework in January,[8] with a non-binding Blueprint for an AI Bill of Rights published in October 2022, providing guidance on the design and use of AI with a set of principles.[9] It is important to note that some States have drafted regulations on specific subjects, such as New York City’s Final Regulations on Use of AI in Hiring and Promotion, which came into force in July 2023.[10] Singapore launched the world’s first AI testing framework and toolkit international pilot in May 2022, with the assistance of AWS, DBS Bank, Google, Meta, Microsoft, Singapore Airlines, etc. After a year of testing, it open-sourced the software toolkit in July 2023, to better develop the system.[11]

There are also some countries still undecided on their regulatory approach. Australia commenced a public consultation on its AI regulatory framework proposal in June,[12] seeking views on its draft AI risk management approach.[13] Taiwan’s government announced in July 2023 that it would propose a draft AI basic law by September 2023, covering topics such as AI-related definitions, privacy protections, data governance, risk management, ethical principles, and industrial promotion.[14] However, the plan was recently postponed, indicating a possible shift towards voluntary or mandatory government principles and guidance before establishing the law.[15]

II. Hard law or soft law? The pros and cons of different regulatory approaches

One of the key advantages of hard law in AI regulation is its ability to provide binding legal obligations and legal enforcement mechanisms that ensure accountability and compliance.[16] Hard law also provides greater legal certainty, transparency and remedies for consumers and companies, which is especially important for smaller companies that do not have as many resources to influence and comply with fast-changing soft law.[17] However, the legislative process can be time-consuming, slower to update, and less agile.[18] This poses the risk of stifling innovation, as hard law inevitably cannot keep pace with the rapidly evolving AI technology.[19]

In contrast, soft law represents a more flexible and adaptive approach to AI regulation. As the potential of AI still remains largely mysterious, government bodies can formulate principles and guidelines tailored to the regulatory needs of different industry sectors.[20] In addition, if there are adequate incentives in place for actors to comply, the cost of enforcement could be much lower than that of hard law. Governments can also experiment with several different soft law approaches to test their effectiveness.[21] However, the voluntary nature of soft law and the lack of legal enforcement mechanisms could lead to inconsistent adoption and undermine the effectiveness of these guidelines, potentially leaving critical gaps in addressing AI's risks.[22] Additionally, in cases of AI-related harms, soft law cannot offer effective protection of consumer rights and human rights, as there is no clear legal obligation to facilitate accountability and remedies.[23]

Carlos Ignacio Gutierrez and Gary Marchant, faculty members at Arizona State University (ASU), analyzed 634 AI soft law programs against 100 criteria and found that two-thirds of the programs lack enforcement mechanisms to deliver their anticipated AI governance goals.
He pointed out that credible indirect enforcement mechanisms and a perception of legitimacy are two critical elements that could strengthen soft law’s effectiveness.[24] For example, to publish stem cell research in top academic journals, the author needs to demonstrate that the research complies with related research standards.[25] In addition, companies usually have a greater incentive to comply with private standards to avoid regulatory shifts towards hard laws with higher costs and constraints.[26]

III. Other considerations

Apart from understanding the strengths and limitations of soft law and hard law, it is important for governments to consider each country’s unique differences. For example, Singapore has always focused on voluntary approaches, as it acknowledges that, being a small country, close cooperation with the industry, research organizations, and other governments to formulate a strong AI governance practice is much more important than rushing into legislation.[27] For Singapore, the flexibility and lower cost of soft regulation provide time to learn from industries and avoid forming rules that do not address real-world issues.[28] This process allows preparation for better legislation at a later stage.

Japan has also shifted towards a softer approach to minimize legal compliance costs, as it recognizes its slower position in the AI race.[29] In Japan's view, the EU AI Act is aimed at regulating giant tech companies rather than promoting innovation.[30] That is why Japan considers that hard law does not suit the industry development stage it is currently in.[31] Therefore, it seeks to address legal issues with current laws and draft relevant guidance.[32]

IV. Conclusion

As the global AI regulatory landscape continues to evolve, it is important for governments to consider the pros and cons of hard law and soft law, as well as country-specific conditions, in deciding what is suitable for the country.
Additionally, a regular review of the effectiveness and impact of their chosen regulatory approach on AI’s development and on society is recommended.

[1] ChatGPT and Deepfake-Creating Apps: A Running List of Key AI-Lawsuits, TFL, https://www.thefashionlaw.com/from-chatgpt-to-deepfake-creating-apps-a-running-list-of-key-ai-lawsuits/ (last visited Aug 10, 2023); Protection for Voice Actors is Artificial in Today’s Artificial Intelligence World, The National Law Review, https://www.natlawreview.com/article/protection-voice-actors-artificial-today-s-artificial-intelligence-world (last visited Aug 10, 2023).
[2] The politics of AI: ChatGPT and political bias, Brookings, https://www.brookings.edu/articles/the-politics-of-ai-chatgpt-and-political-bias/ (last visited Aug 10, 2023); Prospect of AI Producing News Articles Concerns Digital Experts, VOA, https://www.voanews.com/a/prospect-of-ai-producing-news-articles-concerns-digital-experts-/7202519.html (last visited Aug 10, 2023).
[3] EU AI Act: first regulation on artificial intelligence, European Parliament, https://www.europarl.europa.eu/news/en/headlines/society/20230601STO93804/eu-ai-act-first-regulation-on-artificial-intelligence (last visited Aug 10, 2023).
[4] China's State Council releases legislative plan; draft AI law to be reviewed within the year, Economic Daily News (2023/06/09), https://money.udn.com/money/story/5604/7223533 (last visited Aug 10, 2023).
[5] id.
[6] A pro-innovation approach to AI regulation, GOV.UK, https://www.gov.uk/government/publications/ai-regulation-a-pro-innovation-approach/white-paper (last visited Aug 10, 2023).
[7] id.
[8] AI RISK MANAGEMENT FRAMEWORK, NIST, https://www.nist.gov/itl/ai-risk-management-framework (last visited Aug 10, 2023).
[9] The White House released an ‘AI Bill of Rights’, CNN, https://edition.cnn.com/2022/10/04/tech/ai-bill-of-rights/index.html (last visited Aug 10, 2023).
[10] New York City Adopts Final Regulations on Use of AI in Hiring and Promotion, Extends Enforcement Date to July 5, 2023, Littler, https://www.littler.com/publication-press/publication/new-york-city-adopts-final-regulations-use-ai-hiring-and-promotionv (last visited Aug 10, 2023).
[11] IMDA, Fact sheet - Open-Sourcing of AI Verify and Set Up of AI Verify Foundation (2023), https://www.imda.gov.sg/-/media/imda/files/news-and-events/media-room/media-releases/2023/06/7-jun---ai-annoucements---annex-a.pdf (last visited Aug 10, 2023).
[12] Supporting responsible AI: discussion paper, Australia Government Department of Industry, Science and Resources, https://consult.industry.gov.au/supporting-responsible-ai (last visited Aug 10, 2023).
[13] Australian Government Department of Industry, Science and Resources, Safe and responsible AI in Australia (2023), https://storage.googleapis.com/converlens-au-industry/industry/p/prj2452c8e24d7a400c72429/public_assets/Safe-and-responsible-AI-in-Australia-discussion-paper.pdf (last visited Aug 10, 2023).
[14] 張璦, Central News Agency, Draft AI basic law focuses on seven aspects including privacy protection and legality of application; anti-fake center planned, https://www.cna.com.tw/news/ait/202307040329.aspx (last visited Aug 10, 2023).
[15] 蘇思云, Central News Agency, 2023/08/01, Cheng Wen-tsan: AI basic law to be proposed later in view of fast technological development and wide application, https://www.cna.com.tw/news/afe/202308010228.aspx (last visited Aug 10, 2023).
[16] supra, note 13, at 27.
[17] id.
[18] id., at 28.
[19] Soft law as a complement to AI regulation, Brookings, https://www.brookings.edu/articles/soft-law-as-a-complement-to-ai-regulation/ (last visited Aug 10, 2023).
[20] supra, note 5.
[21] Gary Marchant, “Soft Law” Governance of Artificial Intelligence (2019), https://escholarship.org/uc/item/0jq252ks (last visited Aug 10, 2023).
[22] How soft law is used in AI governance, Brookings, https://www.brookings.edu/articles/how-soft-law-is-used-in-ai-governance/ (last visited Aug 10, 2023).
[23] supra, note 13, at 27.
[24] Why Soft Law is the Best Way to Approach the Pacing Problem in AI, Carnegie Council for Ethics in International Affairs, https://www.carnegiecouncil.org/media/article/why-soft-law-is-the-best-way-to-approach-the-pacing-problem-in-ai (last visited Aug 10, 2023).
[25] id.
[26] id.
[27] Singapore is not looking to regulate A.I. just yet, says the city-state’s authority, CNBC, https://www.cnbc.com/2023/06/19/singapore-is-not-looking-to-regulate-ai-just-yet-says-the-city-state.html#:~:text=Singapore%20is%20not%20rushing%20to,Media%20Development%20Authority%2C%20told%20CNBC (last visited Aug 10, 2023).
[28] id.
[29] Japan leaning toward softer AI rules than EU, official close to deliberations says, Reuters, https://www.reuters.com/technology/japan-leaning-toward-softer-ai-rules-than-eu-source-2023-07-03/ (last visited Aug 10, 2023).
[30] id.
[31] id.
[32] id.

Experiences about opening data in private sector

Ⅰ. Introduction

Open data is the idea that data should be available freely for everyone to use and republish without restrictions from copyright, patents or other mechanisms of control. The concept of open data is not new, but a formalized definition is relatively new, and The Open Definition gives full details on the requirements for open data and content as follows:

Availability and access: the data must be available as a whole with no more than a reasonable reproduction cost, preferably by downloading over the internet. The data must also be available in a convenient and modifiable form.

Reuse and redistribution: the data must be provided under terms that permit reuse and redistribution including the intermixing with other datasets. The data shall be machine-readable.

Universal participation: everyone must be able to use, reuse and redistribute the data, which means there should be no discrimination against fields of endeavor or against persons or groups. For example, “non-commercial” restrictions that would prevent “commercial” use, or restrictions of use for certain purposes are not allowed.

In order to be in tune with international developmental trends, Taiwan passed an executive resolution in favor of promoting Open Government Data in November 2012. Through the release of government data, open data has grown significantly in Taiwan and Taiwan has come out on top among 122 countries and areas in the 2015 and 2016 Global Open Data Index[1].

The result represented a major leap for Taiwan; however, progress is still to be made, as most of the data are from the Government, and data from other territories, especially from the private sector, can rarely be seen. It is a pity that data from the private sector has not been properly utilized and the true value of such data still needs to be revealed.
The following research will place emphasis on enhancing the value of private data and on strategies for encouraging the private sector to open its own data.

Ⅱ. Why open private data

With the trend of Open Government Data in recent years, countries are now starting to realize that Open Government Data is improving transparency, creating opportunities for social and commercial innovation, and opening the door to better engagement with citizens. But open data is not limited to Open Government Data. In fact, the private sector not only interacts with government data, but also produces a massive amount of data, much of which still needs to be utilized.

According to the G20 open data policy agenda made in 2014, the potential economic value of open data for Australia is up to AUD 64 billion per annum, and the potential value of open data from the private sector is around AUD 34 billion per annum.

Figure 1 Value of open data for Australia (AUD billion per annum)
Source: McKinsey Global Institute

The purpose of opening data held by private entities and corporations is rooted in a broad recognition that private data has the potential to foster much public good. Openness of data for companies can translate into more efficient internal governance frameworks, enhanced feedback from workers and employees, improved traceability of supply chains, accountability to end consumers, and better service and product delivery. Open Private Data is thus a true win-win for all, benefiting not only governance but also bringing environmental and social gains.

At the same time, a variety of constraints hold back this potential, notably privacy and security, but also proprietary interests and data protectionism on the part of some companies.

Ⅲ. The cases of Open Private Data

Syngenta AG, a global Swiss agribusiness that produces agrochemicals and seeds, has established a solid foundation for reporting on progress that relies on independent data collection and validation, assurance by third-party assurance providers, and endorsement from its implementing partners. Through its website, Syngenta AG has shared its agricultural datasets, with efficiency indicators for 3600 farms for selected agro-ecological zones and market segments in 42 countries in Europe, Africa, Latin America, North America and Asia. Such datasets are precious, but Syngenta AG shares them for free only under a Non-Commercial license, which means users may copy and redistribute the material in any medium or format freely but may not use the material for commercial purposes.

Figure 2 Description and License for Open data of Syngenta AG
Source: http://www.syngenta.com

Tokyo Metro, a rapid transit system in Tokyo, Japan, has released information such as train location and delay times for all lines as open data. The company held an Open Data Utilization Competition from 12 September to 17 November, 2014 to promote development of an app using this data and continues to provide the data even after the competition ended. Although many restrictions, such as non-commercial use or apps being usable only for Tokyo Metro lines, have weakened the efficiency of open data, it is still valued as an initial step of open private data.

Figure 3 DM of Tokyo Metro Open data Contest
Source: https://developer.tokyometroapp.jp/

Ⅳ. How to enhance Open Private Data

Open Private Data is totally different from Open Government Data, since “motivation” is vital for private institutions to release their own data. Unlike government data, which can be disclosed and made free to use via administrative order or legislation, all of the data controlled by private institutions can only be opened of their own will.
The initiative for open data therefore shall focus on how to motivate the private sector to release its own data, by ensuring profit and minimizing risks.

Originally, open data shall be available freely for everyone to use without any restrictions, and data owners may profit indirectly as users utilize their data to create apps, etc., but do not profit from open data itself. The income is unsteady, and data owners therefore lose their interest in opening data. As a countermeasure, it is suggested to make data chargeable, though this may contradict the definition of open data. When data owners can charge by usage or by time, the motivation to open data would arise, as open data becomes directly profitable.

Data owners may also worry about many legal issues when releasing their own data. They may not care whether it is profitable or not, but are afraid of being involved in litigation disputes such as intellectual property infringement, unfair competition, etc. It is very important for data owners to have a well-protected authorization agreement when releasing data, but not all of them are able to afford the cost of making an agreement for each data sharing. Therefore, a standard sample contract that can be widely adopted plays a very important role for open private data.

A data sharing platform would be a solution to help data owners share their own data. It can not only provide a convenient way to collect profit from data sharing but also help data owners avoid legal risks with the platform’s standard agreement. All the data owners have to do is transfer their own data to the platform without concern, since the platform would handle other affairs.

Ⅴ. Conclusion

Actively engaging the private sector in the open data value-chain is considered an innovation imperative, as it is highly related to the development of the information economy.
Although much work still needs to be done, such as identifying mechanisms for catalyzing private sector engagement, this work can be done by organizations such as the World Bank and the Centre for Open Data Enterprise. Private-public collaboration is also important when it comes to strengthening the global data infrastructure, and the benefits of open data are diverse and range from improved efficiency of public administrations to economic growth in the private sector. However, open private data is not the goal but merely a start for the open data revolution. It adds variety for other organizations and individuals to analyze and create innovations, while individuals, the private sector, or government will benefit from that innovation and be encouraged to release much more data to strengthen this data circulation.

[1] Global Open Data Index, https://index.okfn.org/place/ (Last visited: May 15, 2017)
