Post Brexit – An Update on the United Kingdom Privacy Regime
2021/9/10
After lengthy talks, on 31 January 2020, the United Kingdom (‘UK’) finally exited the European Union (‘EU’). Then, the UK shifted into a transition period. The UK government was bombarded with questions from all stakeholders. In particular, the data and privacy industry yelled out the loudest – what am I going to do with data flowing from the EU to the UK? Privacy professionals queried – would the UK have a new privacy regime that significantly departs from the General Data Protection Regulation (‘GDPR’)?
Eventually, the UK made a compromise with all stakeholders – the British, the Europeans and the rest of the world – by bridging its privacy laws with the GDPR. On 28 June 2021, the UK obtained an adequacy decision from the EU.[1] This was widely anticipated but also widely known to be delayed, as it was heavily impacted by the aftermaths of the invalidation of the US- EU Privacy Shield.[2]
While the rest of the world seems to silently observe the transition undertaken by the UK, post-Brexit changes to the UK’s privacy regime is not only a domestic or regional matter, it is an international matter. Global supply chains and cross border data flows will be affected, shuffling the global economy into a new order. Therefore, it is crucial as citizens of a digital economy to unpack and understand the current UK privacy regime.
This paper intends to give the reader a brief introduction to the current privacy regime of the UK. The author proposes to set out the structure of the UK privacy legislation, and to discuss important privacy topics. This paper only focuses on the general processing regime, which is the regime that is most relevant to general stakeholders.
UK Privacy Legislation
There are two main privacy legislation in the UK – the Data Protection Act 2018 (‘DPA’) and the United Kingdom General Data Protection Act (‘UK GDPR’). These two acts must be read together in order to form a coherent understanding of the current UK privacy regime.
The UK GDPR is the creature of Brexit. The UK government wanted a smooth transition out of the EU and acknowledged that they needed to preserve the GDPR in their domestic privacy regime to an extent that would allow them to secure an adequacy decision. The UK government also wanted to create less impact on private companies. Thus, the UK GDPR was born. Largely it aligns closely with the GDPR, supplemented by the DPA.
ICO
The Information Commissioner’s Office (‘ICO’) is the independent authority supervising the compliance of privacy laws in the UK. Prior to Brexit, the ICO was the UK’s supervisory authority under the GDPR. A unique feature of the ICO’s powers and functions is that it adopts a notice system. The ICO has power to issue four types of notices: information notices, assessment notices, enforcement notices and penalty notices.[3] The information notice requires controllers or processors to provide information. The ICO must issue an assessment notice before conducting data protection audits. Enforcement is only exercisable by giving an enforcement notice. Administrative fines are only exercisable by giving a penalty notice.
Territorial Application
Section 207(1A) of the DPA states that the DPA applies to any controller or processor established in the UK, regardless where the processing of personal data takes place. Like the GDPR, the DPA and the UK GDPR have an extraterritorial reach to overseas controllers or processors. The DPA and the UK GDPR apply to overseas controllers or processors who process personal data relating to data subjects in the UK, and the processing activities are related to the offering of goods or services, or the monitoring of data subjects’ behavior.[4]
Transfers of Personal Data to Third Countries
On 28 June 2021, the UK received an adequacy decision from the EU.[5] This means that until 27 June 2025, data can continue to flow freely between the UK and the European Economic Area (‘EEA’).
As for transferring personal data to third countries other than the EU, the UK has similar laws to the GDPR. Both the DPA and the UK GDPR restrict controllers or processors from transferring personal data to third countries. A transfer of personal data to a third country is permitted if it is based on adequacy regulations.[6] An EU adequacy decision is known as ‘adequacy regulations’ under the UK regime.
If there is no adequacy regulations, then a transfer of personal data to a third country will only be permitted if it is covered by appropriate safeguards, including standard data protection clauses, binding corporate rules, codes of conduct, and certifications.[7] The ICO intends to publish UK standard data protection clauses in 2021.[8] In the meantime, the EU has published a new set of standard data protection clauses (‘SCCs’).[9] However, it must be noted that the EU SCCs are not accepted to be valid in the UK, and may only be used for reference purposes. It is also worth noting that the UK has approved three certification schemes to assist organizations in demonstrating compliance to data protection laws.[10]
Lawful Bases for Processing
Basically, the lawful bases for processing in the UK regime are the same as the GDPR. Six lawful bases are set out in article 6 of the UK GDPR. To process personal data, at least one of the following lawful bases must be satisfied:[11]
Rights & Exemptions
The UK privacy regime, like the GDPR, gives data subjects certain rights. Most of the rights granted under the UK privacy regime is akin to the GDPR and can be found under the UK GDPR. Individual rights under the UK privacy regime is closely linked with its exemptions, this may be said to be a unique feature of the UK privacy regime which sets it apart from the GDPR. Under the DPA and the UK GDPR, there are certain exemptions, meaning organizations are exempted from certain obligations, most of them are associated with individual rights. For example, if data is processed for scientific or historical research purposes, or statistical purposes, organizations are exempted from provisions on the right of access, the right to rectification, the right to restrict processing and the right to object in certain circumstances.[12]
Penalties
The penalty for infringement of the UK GDPR is the amount specified in article 83 of the UK GDPR.[13] If an amount is not specified, the penalty is the standard maximum amount.[14] The standard maximum amount, at the time of writing, is £8,700,000 (around 10 million Euros) or 2% of the undertaking’s total annual worldwide turnover in the preceding financial year.[15] In any other case, the standard maximum amount is £8,700,000 (around 10 million Euros).[16]
Conclusion
The UK privacy regime closely aligns with the GDPR. However it would be too simple of a statement to say that the UK privacy regime is almost identical to the GDPR. The ICO’s unique enforcement powers exercised through a notice system is a distinct feature of the UK privacy regime. Recent legal trends show that the UK while trying to preserve its ties with the EU is gradually developing an independent privacy persona. The best example is that in regards to transfers to third countries, the UK has developed its first certification scheme and is attempting to develop its own standard data protection clauses. The UK’s transition out of the EU has certainly been interesting; however, the UK’s transformation from the EU is certainly awaited with awe.
[1] Commission Implementing Decision of 28.6.2021, pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom, C(2021) 4800 final, https://ec.europa.eu/info/sites/default/files/decision_on_the_adequate_protection_of_personal_data_by_the_united_kingdom_-_general_data_protection_regulation_en.pdf..
[2] Judgment of 16 July 2020, Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems, C-311/18, EU:C:2020:559, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62018CJ0311.
[3] Data Protection Act 2018, §115.
[4] Data Protection Act 2018, §207(1A); REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 3.
[5] supra note 1.
[6] Data Protection Act 2018, §17A-18; REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 44-50.
[7] Data Protection Act 2018, §17A-18; REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 46-47.
[8]International transfers after the UK exit from the EU Implementation Period, ICO, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers-after-uk-exit/ (last visited Sep. 10, 2021).
[9] Standard contractual clauses for international transfers, European Commission, https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en (last visited Sep. 10, 2021).
[10] ICO, New certification schemes will “raise the bar” of data protection in children’s privacy, age assurance and asset disposal, ICO, Aug. 19, 2021, https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2021/08/ico-approves-the-first-uk-gdpr-certification-scheme-criteria/ (last visited Sep. 10, 2021).
[11] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 6(1)-(2); Lawful basis for processing, ICO, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/ (last visited Sep. 10, 2021).
[12] Data Protection Act 2018, sch 2, part 6, para 27.
[13] id. at §157.
[14] id.
[15] id.
[16] id.
I.Summary In 1995, the Computer-Processed Personal Data Protection Law was implemented in the Republic of China. With the constant development of information technology and the limitations in the application of the legislation, the design of the original legal system is no longer consistent with practical requirements. Considering the increasing number of incidents of personal data leaks, discussions were carried out over a long period of time and the new version of the Personal Information Protection Act was passed after three readings in April, 2010. The title of the law was changed to Personal Information Protection Act. The new system has been officially implemented since 1 October, 2012. The new Act not only revised the provisions of the law in a comprehensive way, but also significantly increased the obligations and responsibilities of enterprises. In terms of civil liability, the maximum amount of compensation for a single incident is 200 Million NTD. For domestic industries, how to effectively respond to the requirements under the Personal Information Protection Act and adopt proper corresponding measures to lower the risk has become a key task for enterprise operation. II. Main Points 1. Implementation of the Enforcement Rules of the Personal Information Protection Act Personal information protection can be said the most concerned issue in Taiwan recently. As a matter of fact, the Computer-Processed Personal Data Protection Law was established in Taiwan as early as August 1995. After more than 10 years of development, computer and information technology has evolved significantly, and many emerging business models such as E-commerce are extensively collecting personal data. It has become increasingly important to properly protect personal privacy. However, the previous Computer-Processed Personal Data Protection Law was only applicable to certain industries, i.e. the following 8 specific industries: the credit investigation business, hospital, school, telecommunication business, financial business, securities business, insurance business, and mass media. And other business was designated by the Ministry of Justice and the central government authorities in charge of concerned enterprises. In addition, the law only protected personal information that was processed by “computer or automatic equipment”. Personal information that was not computer processed was not included. There were clearly no sufficient regulations for the protection of personal data privacy and interest. There were numerous incidents of personal data leaks. Among the top 10 consumer news issued by the Consumer Protection Committee of the Executive Yuan in 2007, “incidents of personal data leaks through E-commerce and TV shopping” was on the top of the list. This provoked the Ministry of Justice and the Ministry of Economic Affairs to “jointly designate” the retail industry without physical boutique (including 3 transaction models: online shopping, catalogue shopping and TV shopping) to be governed by the Computer-Processed Personal Data Protection Law since 1 July 2010. To allow the provisions of the personal information protection legal system to meet the environment of rapid change, the Executive Yuan proposed a Draft Amendment to the Computer-Processed Personal Data Protection Law very early and changed the title to the Personal Information Protection Act. The draft was discussed many times in the Legislative Yuan. Personal Information Protection Act was finally passed after three readings in April 2010, which was officially published by the Office of the President on 26 May. Although the new law was passed in April 2010, to allow sufficient time for enterprises and the public to understand and comply the new law, the new version of the personal information protection law was not implemented on the date of publication. In accordance with Article 56 of the Act, the date of implementation was to be further established by the Executive Yuan. After discussions over a long period of time, the Executive Yuan decided for the Personal Information Protection Act to be officially implemented on 1 October 2012. However, the implementation of two articles is withheld: Article 6 of the Act about the principal prohibition against the collection, processing and use of special personal information and Article 54 about the obligation to notice the Party within one year for personal information indirectly acquired before the implementation of the new law. In terms of the personal data protection legal system, other than the most important Personal Data Protection Act, the enforcement rules established in accordance with the main law also play a key role. The previous Enforcement Rules of the Computer-Processed Personal Data Protection Law were published and implemented on 1 May, 1996. Considering that the Computer-Processed Personal Data Protection Law was amended in 2010 and that its title has been changed to the Personal Data Protection Act, the Ministry of Justice also followed the amended provisions under the new law and actively studied the Draft Amendment to the Enforcement Rules of the Computer-Processed Personal Data Protection Act. After it was confirmed that the new version of the Personal Data Protection Act would be officially launched on 1 October 2012, the Ministry of Justice announced officially the amended enforcement rules on 26 September, 2012. The title of the enforcement rules was also amended to the Enforcement Rules of the Personal Data Protection Act. The new version of personal data protection law and enforcement rules was thus officially launched, creating a brand new era for the promotion of personal data protection in Taiwan. II. Personal Data Administration System and Information Privacy Protection Charter Before the amendment to the Personal Data Protection Act was passed, the Legislative Yuan made a proposal to the government in June 2008 to promote a privacy administration and protection certification system in Taiwan, in reference to foreign practices. In August of the following year, the Strategic Review Board of the Executive Yuan passed a resolution to promote the E-Commerce Personal Data Administration and Information Security Action Plan. In December of the same year, approval was granted for the plan to be included in the key government promotion plans from 2010 to 2013. Based on this action plan, since October 2010, the Ministry of Economic Affairs has asked the Institution for Information Industry to execute an E-Commerce Personal Data Administration System Setup Plan. Since 2012, the E-Commerce Personal Data Administration System Promotion Plan and the Taiwan Personal Information Protection and Administration System (TPIPAS) have been established and promoted, with the objective of procuring enterprises to, while complying with the personal data protection legal system, properly protect consumers’ personal information through the establishment of an internal administration mechanism and ensuring that the introducing enterprises meet the requirements of the system. The issuance of the Data Privacy Protection Mark (dp.mark) was also used as an objective benchmark for consumers to judge the enterprise’s ability to maintain privacy. Regarding the introduction of the personal data administration system, enterprises should establish a content administration mechanism step by step in accordance with the Regulations for Taiwan Personal Information Protection and Administration System. Such system also serves as the review benchmark to decide whether domestic enterprises can acquire the Data Privacy Protection Mark (dp.mark). Since domestic enterprises did not have experience in establishing internal personal data administration system in the past, starting 2011, under the Taiwan Personal Information Protection and Administration System, enterprises received assistance in the training of system professionals such as Personal Data Administrators and Personal Data Internal Appraisers. Quality personal data administrators can help enterprises establish complete internal systems. Internal appraisers play the role of confirming whether the systems established by the enterprises are consistent with the system requirements. As of 2012, there are almost 100 enterprises in Taiwan that participate in the training of system staff and a total of 426 administrators and 131 internal appraisers. In terms of the introduction of TPIPAS, in additional to the establishment and introduction of administration systems by qualified administrators, enterprises can also seek assistance from external professional consulting institutions. Under the Taiwan Personal Information Protection and Administration System, applications for registration of consulting institutions became available in 2012. Qualified system consulting institutions are published on the system website. Today 9 qualified consulting institutions have completed their registrations, providing enterprises with personal data consulting services. After an enterprise completes the establishment of its internal administration system, it may file an application for certification under the Taiwan Personal Information Protection and Administration System. The certification process includes two steps: “written review” and “site review”. After the enterprise passing certification, it is qualified to use the Data Privacy Protection Mark (dp.mark). Today 7 domestic companies have passed TPIPAS certification and acquired the dp.mark: 7net, FamiPort, books.com.tw, LOTTE, GOHAPPY, PAYEASY and Sinya Digital, reinforcing the maintenance of consumer privacy information through the introduction of personal data administration system. III. Event Analysis The Taiwan Personal Information Protection and Administration System (TPIPAS) is a professional personal data administration system established based on the provisions of the latest version of the domestic Personal Data Protection Act, in reference to the latest requirements of personal data protection by international organizations and the experience of main countries in promoting personal data administration system. In accordance with the practical requirements to protect personal data by industries, TPIPAS converted professional legal conditions into an internal personal data administration procedure to effectively assist industries to establish a complete and proper personal data administration system and to comply with the requirements of personal data legislations. With the launch of the new version of the Personal Data Protection Act, introducing TPIPAS and acquiring dp.mark are the best strategies for enterprises to lower the risk from the personal data protection law and to upgrade internal personal data administration capability.
A Before and After Impact Comparison of Applying Statute for Industrial Innovation Article 23-1 Draft on Venture Capital Limited PartnershipsA Before and After Impact Comparison of Applying Statute for Industrial Innovation Article 23-1 Draft on Venture Capital Limited Partnerships I. Background Because the business models adopted by Industries, such as venture capital, film, stage performance and others, are intended to be temporary entities, and the existing business laws are not applicable for such industries,[1] the Legislature Yuan passed the “Limited Partnership Act” in June 2015,[2] for the purpose of encouraging capital injection into these industries. However, since the Act was passed, there are currently only nine limited partnerships listed on the Ministry of Economic Affairs' limited partnership information website. Among them, “Da-Zuo Limited Partnership (Germany) Taiwan Branch” and “Stober Antriebstechnik Limited Partnership (Germany) Taiwan Branch”, are branch companies established by foreign businesses, the remaining seven companies are audio video production and information service businesses. It is a pity that no venture capital company is adopting this format.[3] In fact, several foreign countries have set up supporting measures for their taxation systems targeting those business structures, such as limited partnerships. For example, the pass-through taxation method (or referred to as single entity taxation) is adopted by the United States, while Transparenzprinzip is used by Germany. These two taxation methods may have different names, but their core ideas are to pass the profits of a limited partnership to the earnings of partners.[4] However, following the adoption of the Limited Partnership Act in Taiwan, the Ministry of Finance issued an interpretation letter stating that because the current legal system confers an independent legal entity status to the business structure of a limited partnership, it should be treated as a profit-seeking business and taxed with Profit-Seeking Enterprise Income Tax.[5] Therefore, to actualize the legislative objective of encouraging innovative businesses organized under tenets of the Limited Partnership Act, the Executive Yuan presented a draft amendment for Article 23-1 of the Statute for Industrial Innovation (hereinafter referred to as the Draft), introducing the "Pass Through Taxation Principle" as adopted by several foreign countries. That is, a Limited Partnership will not be levied with the Profit-Seeking Enterprise Income Tax, but each partner will file income tax reports based on after-profit-gains from the partnership that are passed through to each partner. It is expected that the venture capital industry will now be encouraged to adopt the limited partnership structure, and thus increase investment capital in new ventures. II. The Pass Through Taxation Method is Applicable to Newly Established Venture Capital Limited Partnerships 1. The Requirements and Effects (1) The Requirements According to the provisions of Article 23-1 Paragraph 3 of the Draft, to be eligible for Pass Through Taxation, newly established venture capital limited partnerships must meet the following requirements: 1. The venture capital limited partnerships are established between January 1, 2017 and December 31, 2019. 2. Investment threshold of the total agreed capital contribution, total received capital contribution, and accumulated total capital contribution, within five years of the establishment of venture capital limited partnerships: Total Agreed Capital Contribution in the Limited Partnership Agreement Total Received Capital Contribution Accumulated Investment Amount for Start-up Companies The Year of Establishment 3 hundred million ✕ ✕ The Second Year ✕ ✕ The Third Year 1 hundred million ✕ The Fourth Year 2 hundred million Reaching 30 percent of the total received capital contribution of the year or 3 hundred million NT dollars. The Fifth Year 3 hundred million 3. The total amount, that an overseas company applies in capital and investments in actual business operations in Taiwan, reaches 50% of its total received capital contribution of that year. 4. In compliance with government policies. 5. Reviewed and approved by the central competent authority each year. (2) The Effects The effects of applying the provisions of Article 23-1 Paragraph 3 of the Draft are as follows: 1. Venture capital limited partnerships are exempt from the Profit-Seeking Enterprise Income Tax. 2. Taxation method for partners in a limited partnership after obtaining profit gains: (1) Pursuant to the Income Tax Act, Individual partners and for-profit business partners are taxed on their proportionally-calculated, distributed earnings. (2) Individual partners and foreign for-profit business partners are exempt from income tax on the stock earnings distributed by a limited partnership. 2. Benefit Analysis Before and After Applying Pass Through Taxation Method A domestic individual A, a domestic profit-making business B, and a foreign profit-making business C jointly form a venture capital limited partnership, One. The earnings distribution of the company One is 10%, 80% and 10% for A, B, and C partners, respectively. The calculated earnings of company One are one million (where eight hundred thousand are stock earnings, and two hundred thousand are non-stock earnings). How much income tax should be paid by the company One, and partners A, B, and C? (1) Pursuant to the Income Tax Act, before the amended draft: 1. One Venture Capital Limited Partnership Should pay Profit-Seeking Enterprise Income Tax = (NT$1,000,000 (earning) - NT$500,000[6])x12% (tax rate[7])=NT$60,000 2. Domestic Individual A Should file a comprehensive income report with business profit income =(NT$1,000,000-NT$60,000) x 10% (company One draft a voucher for net amount for A) + NT$60,000÷2×10% (deductible tax rate)= NT$97,000 Tax payable on profit earnings=NT$91,500×5%(tax rate)=NT$4,850 Actual income tax paid=NT$4,850 - NT$60,000÷2×10% (deductible tax rate) =NT$1,485 3. Domestic For-Profit Business B Pursuant to the provisions of Article 42 of the Income Tax Act, the net dividend or net income received by a profit-seeking company is not included in the income tax calculation. 4. Foreign For-Profit Business C Tax paid at its earning source=(NT$1,000,000 - NT$60,000) ×10% (earning distribution rate) ×20% (tax rate at earning source)=NT$18,800 (2) Applying Pass Through Taxation Method After Enacting the Amendment 1. One Venture Capital Limited Partnership No income tax. 2. Domestic Individual A Should pay tax=NT$800,000 (non-stock distributed earnings)×10% (earning distribution rate)×5% (comprehensive income tax rate)=NT$1,000 3. Domestic For-Profit Business B Pursuant to the provisions of Article 42 of the Income Tax Act, the net dividend or net income received by a profit-seeking company is not included in the income tax calculation. 4. Foreign For-Profit Business C Tax paid at its earning source=NT$800,000 (non-stock distributed earnings)×10%(earning distribution rate)×20% (tax rate at earning source)=NT$4,000 The aforementioned example shows that under the situation, where the earning distribution is the same and tax rate for the same taxation subject is the same, the newly-established venture capital limited partnerships and their shareholders enjoy a more favorable tax benefit with the adoption of pass through taxation method: Before the Amendment After the Amendment Venture Capital Limited Partnership NT$60,000 Excluded in calculation Shareholders Domestic Individual NT$1,850 NT$1,000 Domestic For-Profit Business Excluded in calculation Excluded in calculation Foreign For-Profit Business NT$18,800 NT$4,000 Sub-total NT$80,650 NT$5,000 III. Conclusion Compared to the corporate taxation, the application of the pass through taxation method allows for a significant reduction in tax burden. While developing Taiwan’s pass through tax scheme, the government referenced corporate taxation under the U.S. Internal Revenue Code (IRC), where companies that meet the conditions of Chapter S can adopt the “pass through” method, that is, pass the earnings to the owner, with the income of shareholders being the objects of taxation;[8] and studied the "Transparenzprinzip" adopted by the German taxation board for partnership style for-profit businesses. Following these legislative examples, where profits are identified as belonging to organization members,[9] the government legislation includes the adoption of the pass through taxation scheme for venture capital limited partnerships in the amended draft of Article 23-1 of the Statute for Industrial Innovation, so that the legislation is up to international standards and norms, while making an important breakthrough in the current income tax system. This is truly worthy of praise. [1] The Legislative Yuan Gazette, Vol. 104, No. 51, page 325. URL:http://misq.ly.gov.tw/MISQ//IQuery/misq5000Action.action [2] A View on the Limited Partnership in Taiwan, Cross-Strait Law Review, No. 54, Liao, Da-Ying, Page 42. [3] Ministry of Economic Affairs - Limited Partnership Registration Information URL: http://gcis.nat.gov.tw/lmpub/lms/dir.jsp?showgcislocation=true&agencycode=allbf [4] Same as annotate 2, pages 51-52. [5] Reference Letter of Interpretation dated December 18, 2015, Tai-Cai-Shui Zi No. 10400636640, the Ministry of Finance [6] First half of Paragraph 1 of Article 8 of the Income Basic Tax Act [7] Second half of Paragraph 1 of Article 8 of the Income Basic Tax Act [8] A Study on the Limited Partnership Act, Master’s degree thesis, College of Law, Soochow University, Wu, Tsung-Yeh, pages 95-96. [9] Reference annotate 2, pages 52.
Introduction to Taiwan’s Guidelines for Implementing Decentralized Elements in Medicinal Product Clinical TrialsIntroduction to Taiwan’s Guidelines for Implementing Decentralized Elements in Medicinal Product Clinical Trials 2023/12/15 The development of digital tools such as the internet, apps, and wearable devices have meant major breakthroughs for clinical trials. These advances have the potential to reduce the frequency of trial subject visits, accelerate research timelines, and lower the costs of drug development. The COVID-19 pandemic has further accelerated the use of digital tools, prompting many countries to adopt decentralized measures that enable trial subjects to participate in clinical trials regardless of their physical location. In step with the transition into the post-pandemic era, the Taiwan Food and Drug Administration (TFDA) issued the Guidelines for Implementing Decentralized Elements in Medicinal Product Clinical Trials in June, 2023[1]. The Guidelines are intended to cover a wide array of decentralized measures; they aim to increase trial subjects’ willingness to participate in trials, reduce the need for in-person visits to clinical trial sites, enhance real-time data acquisition during trials, and enable clinic sponsors and contract research organizations to process data remotely. I. Key Points of Taiwan’s Guidelines for Implementing Decentralized Elements in Medicinal Product Clinical Trials The Guidelines cover primarily the following matters: General considerations for implementing decentralized measures; trial subject recruitment and electronic informed consent; delivery and provision of investigational medicinal products; remote monitoring of trial subject safety; trial subject reporting of adverse events; remote data monitoring; and information systems and electronic data collection/processing/storage. 1. General Considerations for Implementing Decentralized Measures (1) During clinical trial execution, a reduction in trial subject in-person visits may present challenges to medical observation. It is recommended that home visits for any given trial subject be conducted by the principal investigator, sub-investigator, or a single, consistent delegated study nurse. (2) Sponsors must carefully evaluate all of the trial design’s decentralization measures to ensure data integrity. (3) Sponsors must conduct risk assessments for each individual trial, and must confirm the rationality of choosing decentralized measures. These decentralized measures must also be incorporated into the protocol. (4) When electronically collecting data, sponsors must ensure information system reliability and data security. Artificial intelligence may be considered for use in decentralized clinical trials; sponsors must carefully evaluate such systems, especially when they touch on determinations for critical data or strategies. (5) As the design of decentralized clinical trials is to ensure equal access to healthcare services, it must provide patients with a variety of ways to participate in clinical trials. (6) When implementing any decentralized measures, it is essential to ensure that the principal investigator and sponsor adhere to the Regulations for Good Clinical Practice and bear their respective responsibilities for the trial. (7) The use of decentralized measures must be stated in the regulatory application, and the Checklist of Decentralized Elements in Medicinal Product Clinical Trials must be included in the submission. 2. Subject Recruitment and Electronic Informed Consent (1) Trial subject recruitment through social media or established databases may only be implemented after the Institutional Review Board reviews and approves of the recruitment methods and content. (2) Must comply with the Principles for Recruiting Clinical Trial Subjects in medicinal product trials, the Personal Data Protection Act, and other regulations. (3) Regarding clinical trial subject informed consent done through digital software or devices, if it complies with Article 4, Paragraph 2 of the Electronic Signatures Act, that is, if the content can be displayed in its entirety and continues to be accessible for subsequent reference, then so long as the trial subject agrees to do so, the signature may be done via a tablet or other electronic device. The storage of signed electronic Informed Consent Forms (eICF) must align with the aforementioned Principles and meet the competent authority’s access requirements. 3. Delivery and Provision of Investigational Medicinal Products (1) The method of delivering and providing investigational medicinal products and whether trial subjects can use them on their own at home depends to a high degree on the investigational medicinal product’s administration route and safety profile. (2) When investigational medicinal products are delivered and provided through decentralized measures to trial subjects, this must be documented in the protocol. The process of delivering and providing said products must also be clearly stated in the informed consent form; only after being explained to a trial subject by the trial team, and after the trial subject’s consent is obtained, may such decentralized measures be used. (3) Investigational products prescribed by the principal investigator/sub-investigator must be reviewed by a delegated pharmacist to confirm that the investigational products’ specific items, dosage, duration, total quantity, and labeling align with the trial design. The pharmacist must also review each trial subject’s medication history, to ensure there are no medication-related issues; only then, and only in a manner that ensures the investigational product’s quality and the subject’s privacy, may delegated and specifically-trained trial personnel provide the investigational product to the subject. (4) Compliance with relevant regulations such as the Pharmaceutical Affairs Act, Pharmacists Act, Regulations on Good Practices for Drug Dispensation, and Regulations for Good Clinical Practice is required. 4. Remote Monitoring of Subject Safety (1) Decentralized trial designs involve trial subjects performing relatively large numbers of trial-related procedures at home. The principal investigator must delegate trained, qualified personnel to perform tasks such as collecting blood samples, administering investigational products, conducting safety monitoring, doing adverse event tracking, etc. (2) If trial subjects receive protocol-prescribed testing at nearby medical facilities or laboratories rather than at the original trial site, these locations must be authorized by the trial sponsor and must have relevant laboratory certification; only then may they collect or analyze samples. Such locations must provide detailed records to the principal investigator, to be archived in the trial master file. (3) The trial protocol and schedule must clearly specify which visits must be conducted at the trial site; which can be conducted via phone calls, video calls, or home visits; which tests must be performed at nearby laboratories; and whether trial subjects have multiple or single options at each visit. 5. Subject Reporting of Adverse Events (1) If the trial uses a digital platform to enhance adverse event reporting, trial subjects must be able to report adverse events through the digital platform, such as via a mobile phone app; that is, the principal investigator must be able to immediately access such adverse event information. (2) The principal investigator must handle such reports using risk-based assessment methods. The principal investigator must validate the adverse event reporting platform’s effectiveness, and must develop procedures to identify potential duplicate reports. 6. Remote Data Monitoring (1) If a sponsor chooses to implement remote monitoring, it must perform a reasonability assessment to confirm the appropriateness of such monitoring and establish a remote monitoring plan. (2) The monitoring plan must include monitoring strategies, monitoring personnel responsibilities, monitoring methods, rationale for such implementation, and critical data and processes that must be monitored. It must also generate comprehensive monitoring reports for audit purposes. (3) The sponsor is responsible for ensuring the implementation of remote monitoring, and must conduct risk assessments regarding the implementation process’ data protection and information confidentiality. 7. Information Systems and Electronic Data Collection, Processing, and Storage (1) In accordance with the Regulations for Good Clinical Practice, data recorded in clinical trials must be trustworthy, reliable, and verifiable. (2) It must be ensured that all organizations participating in the clinical trial have a full picture of the data flow. It is recommended that the trial protocol and trial-related documents include data flow diagrams and additional explanations. (3) Define the types and scopes of subject personal data that will be collected, and ensure that every step in the process properly protects their data in accordance with the Personal Data Protection Act. II. A Comparison with Decentralized Trial Regulations in Other Countries Denmark became the first country in the world to release regulatory measures on decentralized trials, issuing the “Danish Medicines Agency’s Guidance on the Implementation of Decentralized Elements in Clinical Trials with Medicinal Products” in September 2021[2]. In December 2022, the European Union as a whole released its “Recommendation Paper on Decentralized Elements in Clinical Trials”[3]. The United States issued the draft “Decentralized Clinical Trials for Drugs, Biological Products, and Devices” document in May 2023[4]. The comparison in Table 1 shows that Taiwan’s guidelines a relatively similar in structure to those of Denmark and the EU; the US guidelines also cover medical device clinical trials. Table 1: Summary of Decentralized Clinical Trial Guidelines in Taiwan, Denmark, the European Union as a whole, and the United States Taiwan Denmark European Union as a whole United States What do the guidelines apply to? Medicinal products Medicinal products Medicinal products Medicinal products and medical devices Trial subject recruitment and electronic informed consent Covers informed consent process; informed consent interview; digital information sheet; trial subject consent form signing; etc. Covers informed consent process; informed consent interview; trial subject consent form signing; etc. Covers informed consent process; informed consent interview; digital information sheet; trial subject consent form signing; etc. Covers informed consent process; informed consent interview; etc. Delivery and provision of investigational medicinal products Delegated, specifically-trained trial personnel deliver and provide investigational medicinal products. The investigator or delegated personnel deliver and provide investigational medicinal products. The investigator, delegated personnel, or a third-party, Good Distribution Practice-compliant logistics provider deliver and provide investigational medicinal products. The principal investigator, delegated personnel, or a distributor deliver and provide investigational products. Remote monitoring of trial subject safety Trial subjects may do return visits at trial sites, via phone calls, via video calls, or via home visits, and may undergo testing at nearby laboratories. Trial subjects may do return visits at trial sites, via phone calls, via video calls, or via home visits, and may undergo testing at nearby laboratories. Trial subjects may do return visits at trial sites, via phone calls, via video calls, or via home visits. Trial subjects may do return visits at trial sites, via phone calls, via video calls, or via home visits, and may undergo testing at nearby laboratories. Trial subject reporting of adverse events Trial subjects may self-report adverse events through a digital platform. Trial subjects may self-report adverse events through a digital platform. Trial subjects may self-report adverse events through a digital platform. Trial subjects may self-report adverse events through a digital platform. Remote data monitoring The sponsor may conduct remote data monitoring. The sponsor may conduct remote data monitoring. The sponsor may conduct remote data monitoring (not permitted in some countries). The sponsor may conduct remote data monitoring. Information systems and electronic data collection, processing, and storage The recorded data must be credible, reliable, and verifiable. Requires an information system that is validated, secure, and user-friendly. The recorded data must be credible, reliable, and verifiable. Must ensure data reliability, security, privacy, and confidentiality. III. Conclusion The implementation of decentralized clinical trials must be approached with careful assessment of risks and rationality, with trial subject safety, rights, and well-being as top priorities. Since Taiwan’s Guidelines for Implementing Decentralized Elements in Medicinal Product Clinical Trials were just announced in June of this year, the status of decentralized clinical trial implementation is still pending industry feedback to confirm feasibility. The overall goal is to enhance and optimize the clinical trial environment in Taiwan. [1] 衛生福利部食品藥物管理署,〈藥品臨床試驗執行分散式措施指引〉,2023/6/12,https://www.fda.gov.tw/TC/siteListContent.aspx?sid=9354&id=43548(最後瀏覽日:2023/11/2)。 [2] [DMA] DANISH MEDICINES AGENCY, The Danish Medicines Agency’s guidance on the Implementation of decentralised elements in clinical trials with medicinal products (2021),https://laegemiddelstyrelsen.dk/en/news/2021/guidance-on-the-implementation-of-decentralised-elements-in-clinical-trials-with-medicinal-products-is-now-available/ (last visited Nov. 2, 2023). [3] [HMA] HEADS OF MEDICINES AGENCIES, [EC] EUROPEAN COMMISSION & [EMA] EUROPEAN MEDICINES AGENCY, Recommendation paper on decentralised elements in clinical trials (2022),https://health.ec.europa.eu/latest-updates/recommendation-paper-decentralised-elements-clinical-trials-2022-12-14_en (last visited Nov. 2, 2023). [4] [US FDA] US FOOD AND DRUG ADMINISTRATION, Decentralized Clinical Trials for Drugs, Biological Products, and Devices (draft, 2023),https://www.fda.gov/regulatory-information/search-fda-guidance-documents/decentralized-clinical-trials-drugs-biological-products-and-devices (last visited Nov. 2, 2023).
Introduction to the “Public Procurement for Startups” mechanismIntroduction to the “Public Procurement for Startups” mechanism I.Backgrounds According to the EU’s statistics, government procurement budget accounted for over 14% of GDP. And, according to the media report, the total amount of government procurement in Taiwan in 2017 accounted for nearly 8%. Therefore, the government’s procurement power has gradually become a policy tool for the government to promote the development of innovative products and services. In 2017, the Executive Yuan of the R.O.C.(Taiwan)announced a government procurement policy named “Government as Good Partners with Startups (政府成為新創好夥伴)”[1] to encourage government agencies and State-owned Enterprises to procure and adopt innovative goods or services provided by startups. This policy was subsequently implemented through an action plan named “Public Procurement for Startups”(新創採購)[2] by the Small and Medium Enterprise Administration(SMEA).The action plan mainly includes two important parts:One created the procurement process for startups to enter the government contracts market through inter-entities contracts. The other accelerated the collaboration of the government agencies and startups through empirical demonstration. II.Facilitating the procurement process for startups to enter the government market In order to help startups enter the government contracts market in a more efficient way, the SMEA conducts the procurement of inter-entity supply contracts with suppliers, especially startups, for the supply of innovative goods or services. An inter-entity supply contract[3] is a special contractual framework, under which the contracting entity on behalf of two or more other contracting parties signs a contract with suppliers and formulates the specifics and price of products or services provided through the public procurement process. Through the process of calling for tenders, price competition and so on, winning tenderers will be selected and listed on the Government E-Procurement System. This framework allows those contracting entities obtain orders and acquire products or services which they need in a more efficient way so it increases government agencies’ willingness to procure and use innovative products and services. From 2018, the SMEA started to undertake the survey of innovative products and services that government agencies usually needed and conducted the procurement of inter-entity supply contracts for two rounds every year. As a result, the SMEA plays an important role to bridge the demand and supply sides for innovative products or services by means of implementing the forth-mentioned survey and procurement process. Moreover, in order to explore more innovative products and services with high quality and suitable for government agencies and public institutions, the SMEA actively networked with various stakeholders, including incubators, accelerators, startups mentoring programs sponsored by private and public sectors and so on. Initially the items to be procured were categorized into four themes which were named the Smart Innovations, the Smart Eco, the Smart Healthcare, and the Smart Security. Later, in order to show the diversity of the innovation of startups which response well to various social issues, from 2019, the SMEA introduced two new theme solicitations titled the Smart Education and the Smart Agriculture to the inter-entities contracts. Those items included the power management systems, the AI automated recognition and image warning system, the chatbot for public service, unmanned flying vehicles, aerial photography services and so on. Take the popular AI image warning system as an example, the system is used by police officers to make instant evidence searching and image recording. Other government agencies apply the innovative system to the investigation of illegal logging and school safety surveillance. Moreover, the SMEA has also offered subsidy for local governments tobuy those items provided by startups. That is the coordinated supporting measure which allows startups the equal playing field to compete with large companies. The Subsidy scheme is based on the Guideline for Subsidies on Procurement of Innovative Products and Services[3] (approved by the Executive Yuan on March 29, 2018 and revised on Feb. 20, 2021). In the Guideline, “innovative products and services” refer to the products, technologies, labor, service flows or items and services rendered with creative activities through deploying scientific or technical means and a certain degree of innovations by startups with less than five years in operation. Such innovative products and services are displayed for the inter-entity supply contractual framework administered by the SMEA for government procurement. III.Accelerating the collaboration of the government agencies and startups through empirical demonstration To assist startups to prove their concepts or services, and become more familiar with the governemnrt’s needs, the SMEA also created a mechanism called the “Solving Governmental Problems by Star-up Innovation”(政府出題˙新創解題). It plans to collect government agencies’ needs, and then solicit innovative proposals from startups. After their proposals are accepted, startups will be given a grant up to one million NT dollars to conduct empirical studies on solution with government agencies for about half a year. Take the cooperation between the “Taoyuan Long Term Care Institute for Older People and the Biotech Startup” for example, a care system with sanitary aids was introduced to provide automatic detection, cleanup and dry services for the patients’discharges, thus saving 95% of cleaning time for caregivers. In the past, caregivers usually spent 4 hours on the average in inspecting old patients, cleaning and replacing their bedsheets as their busy daily routines. Inadequate caregivers makes it difficult to maintain the care quality. If the problem was not addressed immediately, it would make the life of old patients more difficult. IV.Achievements to date Since the promotion of the products and services of the startups and the launch of the “Public Procurement for Startups” program in 2018, 68 startups, with the SMEA’s assistance, have entered the government procurement contracts market, and more than 100 government agencies have adopted the innovative resolutions. With the encouragement for them in adopting and utilizing the fruits of the startups, it has generated more than NT$150 million in cooperative business opportunities. V.Conclusions While more and more startups are obtaining business opportunities from the favorable procurement process, constant innovation remains the key to success. As such, the SMEA has regularly visited the government agencies-buyers to obtain feedbacks from startups so as to adjust and optimize the innovative products or services. The SMEA has also regularly renewed the specifics and items of the procurement list every year to keep introducing and supplying high-quality products or services to the government agencies. [1] Policy for investment environment optimization for Startups(2017),available athttps://www.ndc.gov.tw/nc_27_28382.(last visited on July 30, 2021 ) [2] https://www.spp.org.tw/spp/(last visited on July 30, 2021 ) [3] Article 93 of Government Procurement Act:I An entity may execute an inter-entity supply contract with a supplier for the supply of property or services that are commonly needed by entities. II The regulations for a procurement of an inter-entity supply contract, the matters specified in the tender documentation and contract, applicable entities, and the related matters shall be prescribed by the responsible entity. [4] https://law.moea.gov.tw/LawContent.aspx?id=GL000555(last visited on July 30, 2021)