Taiwan's Approach to AI Governance

Impact of Government Organizational Reform to Scientific Research Legal System and Response Thereto (1) – For Example, The Finnish Innovation Fund (“SITRA”) I. Foreword 　　We hereby aim to analyze and research the role played by The Finnish Innovation Fund (“Sitra”) in boosting the national innovation ability and propose the characteristics of its organization and operation which may afford to facilitate the deliberation on Taiwan’s legal system. Sitra is an independent organization which is used to reporting to the Finnish Parliament directly, dedicated to funding activities to boost sustainable development as its ultimate goal and oriented toward the needs for social change. As of 2004, it promoted the fixed-term program. Until 2012, it, in turn, primarily engaged in 3-year program for ecological sustainable development and enhancement of society in 2012. The former aimed at the sustainable use of natural resources to develop new structures and business models and to boost the development of a bioeconomy and low-carbon society, while the latter aimed to create a more well-being-oriented public administrative environment to upgrade various public sectors’ leadership and decision-making ability to introduce nationals’ opinion to policies and the potential of building new business models and venture capital businesses[1]. II. Standing and Operating Instrument of Sitra 1. Sitra Standing in Boosting of Finnish Innovation Policies (1) Positive Impact from Support of Innovation R&D Activities by Public Sector 　　Utilization of public sector’s resources to facilitate and boost industrial innovation R&D ability is commonly applied in various countries in the world. Notwithstanding, the impact of the public sector’s investment of resources produced to the technical R&D and the entire society remains explorable[2]. Most studies still indicate positive impact, primarily as a result of the market failure. Some studies indicate that the impact of the public sector’s investment of resources may be observable at least from several points of view, including: 1. The direct output of the investment per se and the corresponding R&D investment potentially derived from investees; 2. R&D of outputs derived from the R&D investment, e.g., products, services and production methods, etc.; 3. direct impact derived from the R&D scope, e.g., development of a new business, or new business and service models, etc.; 4. impact to national and social economies, e.g., change of industrial structures and improvement of employment environment, etc. Most studies indicate that from the various points of view, the investment by public sector all produced positive impacts and, therefore, such investment is needed definitely[3]. The public sector may invest in R&D in diversified manners. Sitra invests in the “market” as an investor of corporate venture investment market, which plays a role different from the Finnish Funding Agency for Technology and Innovation (“Tekes”), which is more like a governmental subsidizer. Nevertheless, Finland’s characteristics reside in the combination of multiple funding and promotion models. Above all, due to the different behavior model, the role played by the former is also held different from those played by the general public sectors. This is why we choose the former as the subject to be studied herein. Data source: Jari Hyvärinen & Anna-Maija Rautiainen, Measuring additionality and systemic impacts of public research and development funding – the case of TEKES, FINLAND, RESEARCH EVALUATION, 16(3), 205, 206 (2007). Fig. 1　Phased Efforts of Resources Invested in R&D by Public Sector (2) Two Sided f Role Played by Sitra in Boosting of Finnish Innovation Policies 　　Sitra has a very special position in Finland’s national innovation policies, as it not only helps successful implementation of the innovation policies but also acts an intermediary among the relevant entities. Sitra was founded in 1967 under supervision of the Bank of Finland before 1991, but was transformed into an independent foundation under the direction of the Finnish Parliament[4]. 　　Though Sitra is a public foundation, its operation will not be intervened or restricted by the government. Sitra may initiate any innovation activities for its new organization or system, playing a role dedicated to funding technical R&D or promoting venture capital business. Meanwhile, Sitra also assumes some special function dedicated to decision-makers’ training and organizing decision-maker network to boost structural change. Therefore, Sitra may be identified as a special organization which may act flexibly and possess resources at the same time and, therefore, may initiate various innovation activities rapidly[5]. 　　Sitra is authorized to boost the development of innovation activities in said flexible and characteristic manner in accordance with the Finland Innovation Fund Act (Laki Suomen itsenäisyyden juhlarahastosta). According to the Act, Finland established Sitra in 1967 and Sitra was under supervision of Bank of Finland (Article 1). Sitra was established in order to boost the stable growth of Finland’s economy via the national instrument’s support of R&D and education or other development instruments (Article 2). The policies which Sitra may adopt include loaning or funding, guarantee, marketable securities, participation in cooperative programs, partnership or equity investment (Article 3). If necessary, Sitra may collect the title of real estate or corporate shares (Article 7). Data source: Finnish innovation system, Research.fi, http://www.research.fi/en/innovationsystem.html (last visited Mar. 15, 2013). Fig. 2　Finnish Scientific Research Organization Chart 　　Sitra's innovation role has been evolved through two changes. Specifically, Sitra was primarily dedicated to funding technical R&D among the public sectors in Finland, and the funding model applied by Sitra prior to the changes initiated the technical R&D promotion by Tekes, which was established in 1983. The first change of Sitra took place in 1987. After that, Sitra turned to focus on the business development and venture capital invested in technology business and led the venture capital investment. Meanwhile, it became a partner of private investment funds and thereby boosted the growth of venture capital investments in Finland in 1990. In 2000, the second change of Sitra took place and Sitra’s organization orientation was changed again. It achieved the new goal for structural change step by step by boosting the experimental social innovation activities. Sitra believed that it should play the role contributing to procedural change and reducing systematic obstacles, e.g., various organizational or institutional deadlocks[6]. 　　Among the innovation policies boosted by the Finnish Government, the support of Start-Ups via governmental power has always been the most important one. Therefore, the Finnish Government is used to playing a positive role in the process of developing the venture capital investment market. In 1967, the Government established a venture capital company named Sponsor Oy with the support from Bank of Finland, and Sponsor Oy was privatized after 1983. Finland Government also established Kera Innovation Fund (now known as Finnvera[7]) in 1971, which was dedicated to boosting the booming of Start-Ups in Finland jointly with Finnish Industry Investment Ltd. (“FII”) established by the Government in 1994, and Sitra, so as to make the “innovation” become the main development force of the country[8] . 　　Sitra plays a very important role in the foundation and development of venture capital market in Finland and is critical to the Finnish Venture Capital Association established in 1990. After Bank of Finland was under supervision of Finnish Parliament in 1991, Sitra became on the most important venture capital investors. Now, a large portion of private venture capital funds are provided by Sitra[9]. Since Sitra launched the new strategic program in 2004, it has turned to apply smaller sized strategic programs when investing young innovation companies, some of which involved venture capital investment. The mapping of young innovation entrepreneurs and angel investors started as of 1996[10]. 　　In addition to being an important innovation R&D promoter in Finland, Sitra is also an excellent organization which is financially self-sufficient and tends to gain profit no less than that to be generated by a private enterprise. As an organization subordinated to the Finnish Parliament immediately, all of Sitra’s decisions are directly reported to the Parliament (public opinion). Chairman of Board, Board of Directors and supervisors of Sitra are all appointed by the Parliament directly[11]. Its working funds are generated from interest accruing from the Fund and investment income from the Fund, not tax revenue or budget prepared by the Government any longer. The total fund initially founded by Bank of Finland amounted to DEM100,000,000 (approximately EUR17,000,000), and was accumulated to DEM500,000,000 (approximately EUR84,000,000) from 1972 to 1992. After that, following the increase in market value, its nominal capital amounted to DEM1,400,000,000 (approximately EUR235,000,000) from 1993 to 2001. Obviously, Sitra generated high investment income. Until 2010, it has generated the investment income amounting to EUR697,000,000 . 　　In fact, Sitra’s concern about venture capital investment is identified as one of the important changes in Finland's national technical R&D polices after 1990[13]. Sitra is used to funding businesses in three manners, i.e., direct investment in domestic stock, investment in Finnish venture capital funds, and investment in international venture capital funds, primarily in four industries, technology, life science, regional cooperation and small-sized & medium-sized starts-up. Meanwhile, it also invests in venture capital funds for high-tech industries actively. In addition to innovation technology companies, technical service providers are also its invested subjects[14]. 2. “Investment” Instrument Applied by Sitra to Boost Innovation Business 　　The Starts-Up funding activity conducted by Sitra is named PreSeed Program, including INTRO investors’ mapping platform dedicated to mapping 450 angel investment funds and entrepreneurs, LIKSA engaged in working with Tekes to funding new companies no more than EUR40,000 for purchase of consultation services (a half thereof funded by Tekes, and the other half funded by Sitra in the form of loan convertible to shares), DIILI service[15] dedicated to providing entrepreneurs with professional sale consultation resources to integrate the innovation activity (product thereof) and the market to remedy the deficit in the new company’s ability to sell[16]. 　　The investment subjects are stated as following. Sitra has three investment subjects, namely, corporate investments, fund investments and project funding. (1) Corporate investment 　　Sitra will not “fund” enterprises directly or provide the enterprises with services without consideration (small-sized and medium-sized enterprises are aided by other competent authorities), but invest in the businesses which are held able to develop positive effects to the society, e.g., health promotion, social problem solutions, utilization of energy and effective utilization of natural resources. Notwithstanding, in order to seek fair rate of return, Sitra is dedicated to making the investment (in various enterprises) by its professional management and technology, products or competitiveness of services, and ranging from EUR300,000 to EUR1,000,000 to acquire 10-30% of the ownership of the enterprises, namely equity investment or convertible funding. Sitra requires its investees to value corporate social responsibility and actively participate in social activities. It usually holds the shares from 4 years to 10 years, during which period it will participate the corporate operation actively (e.g., appointment of directors)[17]. (2) Fund investments 　　For fund investments[18], Sitra invests in more than 50 venture capital funds[19]. It invests in domestic venture capital fund market to promote the development of the market and help starts-up seek funding and create new business models, such as public-private partnerships. It invests in international venture capital funds to enhance the networking and solicit international funding, which may help Finnish enterprises access international trend information and adapt to the international market. (3) Project funding 　　For project funding, Sitra provides the on-site information survey (supply of information and view critical to the program), analysis of business activities (analysis of future challenges and opportunities) and research & drafting of strategies (collection and integration of professional information and talents to help decision making), and commissioning of the program (to test new operating model by commissioning to deal with the challenge from social changes). Notwithstanding, please note that Sitra does not invest in academic study programs, research papers or business R&D programs[20]. (4) DIILI Investment Model Integrated With Investment Absorption 　　A Start-Up usually will not lack technologies (usually, it starts business by virtue of some advanced technology) or foresighted philosophy when it is founded initially, while it often lacks the key to success, the marketing ability. Sitra DIILI is dedicated to providing the professional international marketing service to help starts-up gain profit successfully. Owing to the fact that starts-up are usually founded by R&D personnel or research-oriented technicians, who are not specialized in marketing and usually retains no sufficient fund to employ marketing professionals, DILLI is engaged in providing dedicated marketing talents. Now, it employs about 85 marketing professionals and seeks to become a start-up partner by investing technical services. 　　Notwithstanding, in light of the characteristics of Sitra’s operation and profitability, some people indicate that it is more similar to a developer of an innovation system, rather than a neutral operator. Therefore, it is not unlikely to hinder some work development which might be less profitable (e.g., establishment of platform). Further, Sitra is used to developing some new investment projects or areas and then founding spin-off companies after developing the projects successfully. The way in which it operates seems to be non-compatible with the development of some industries which require permanent support from the public sector. The other issues, such as INTRO lacking transparency and Sitra's control over investment objectives likely to result in adverse choice, all arise from Sitra’s consideration to its own investment opportunities and profit at the same time of mapping. Therefore, some people consider that it should be necessary to move forward toward a more transparent structure or a non-income-oriented funding structure[21] . Given this, the influence of Sitra’s own income over upgrading of the national innovation ability when Sitra boosts starts-up to engage in innovation activities is always a concern remaining disputable in the Finnish innovation system. 3. Boosting of Balance in Regional Development and R&D Activities 　　In order to fulfill the objectives under Lisbon Treaty and to enable EU to become the most competitive region in the world, European Commission claims technical R&D as one of its main policies. Among other things, under the circumstance that the entire R&D competitiveness upgrading policy is always progressing sluggishly, Finland, a country with a population of 5,300,000, accounting for 1.1% of the population of 27 EU member states, was identified as the country with the No. 1 innovation R&D ability in the world by World Economic Forum in 2005. Therefore, the way in which it promotes innovation R&D policies catches the public eyes. Some studies also found that the close relationship between R&D and regional development policies of Finland resulted in the integration of regional policies and innovation policies, which were separated from each other initially, after 1990[22]. Finland has clearly defined the plan to exploit the domestic natural resources and human resources in a balanced and effective manner after World War II. At the very beginning, it expanded the balance of human resources to low-developed regions, in consideration of the geographical politics, but in turn, it achieved national balanced development by meeting the needs for a welfare society and mitigation of the rural-urban divide as time went by. The Finnish innovation policies which may resort to technical policies retroactively initially drove the R&D in the manners including upgrading of education degree, founding of Science and Technology Policy Council and Sitra, establishment of Academy of Finland (1970) and establishment of the technical policy scheme, et al.. Among other things, people saw the role played by Sitra in Finland’s knowledge-intensive society policy again. From 1991 to 1995, the Finnish Government officially included the regional competitiveness into the important policies. The National Industrial Policy for Finland in 1993 adopted the strategy focusing on the development based on competitive strength in the regional industrial communities[23]. 　　Also, some studies indicated that in consideration of Finland’s poor financial and natural resources, its national innovation system should concentrate the resources on the R&D objectives which meet the requirements about scale and essence. Therefore, the “Social Innovation, Social and Economic Energy Re-building Learning Society” program boosted by Sitra as the primary promoter in 2002 defined the social innovation as “the reform and action plan to enhance the regulations of social functions (law and administration), politics and organizational structure”, namely reform of the mentality and cultural ability via social structural changes that results in social economic changes ultimately. Notwithstanding, the productivity innovation activity still relies on the interaction between the enterprises and society. Irrelevant with the Finnish Government’s powerful direction in technical R&D activities, in fact, more than two-thirds (69.1%) of the R&D investment was launched by private enterprises and even one-thirds launched by a single enterprise (i.e., Nokia) in Finland. At the very beginning of 2000, due to the impact of globalization to Finland’s innovation and regional policies, a lot of R&D activities were emigrated to the territories outside Finland[24]. Multiple disadvantageous factors initiated the launch of national resources to R&D again. The most successful example about the integration of regional and innovation policies in Finland is the Centres of Expertise Programme (CEP) boosted by it as of 1990. Until 1994, there have been 22 centres of expertise distributed throughout Finland. The centres were dedicated to integrating local universities, research institutions and enterprise for co-growth. The program to be implemented from 2007 to 2013 planned 21 centres of expertise (13 groups), aiming to promote the corporate sectors’ cooperation and innovation activities. CEP integrated local, regional and national resources and then focused on the businesses designated to be developed[25]. [1] Sitra, http://www.sitra.fi/en (last visited Mar. 10, 2013). [2] Jari Hyvärinen & Anna-Maija Rautiainen, Measuring additionality and systemic impacts of public research and development funding – the case of TEKES, FINLAND, RESEARCH EVALUATION, 16(3), 205, 208 (2007). [3] id. at 206-214. [4] Charles Edquist, Tterttu Luukkonen & Markku Sotarauta, Broad-Based Innovation Policy, in EVALUATION OF THE FINNISH NATIONAL INNOVATION SYSTEM – FULL REPORT 11, 25 (Reinhilde Veugelers st al. eds., 2009). [5] id. [6] id. [7] Finnvera is a company specialized in funding Start-Ups, and its business lines include loaning, guarantee, venture capital investment and export credit guarantee, etc. It is a state-run enterprise and Export Credit Agency (ECA) in Finland. Finnvera, http://annualreport2012.finnvera.fi/en/about-finnvera/finnvera-in-brief/ (last visited Mar. 10, 2013). [8] Markku Maula, Gordon Murray & Mikko Jääskeläinen, MINISTRY OF TRADE AND INDUSTRY, Public Financing of Young Innovation Companies in Finland 32 (2006). [9] id. at 33. [10] id. at 41. [11] Sitra, http://www.sitra.fi/en (last visited Mar. 10, 2013). [12] Sitra, http://www.sitra.fi/en (last visited Mar. 10, 2013). [13] The other two were engaged in boosting the regional R&D center and industrial-academy cooperative center programs. Please see Gabriela von Blankenfeld-Enkvist, Malin Brännback, Riitta Söderlund & Marin Petrov, ORGANISATION FOR ECONOMIC CO-OPERATION AND DEVELOPMENT [OECD],OECD Case Study on Innovation: The Finnish Biotechnology Innovation System 15 (2004). [14] id. at20. [15] DIILI service provides sales expertise for SMEs, Sitra, http://www.sitra.fi/en/articles/2005/diili-service-provides-sales-expertise-smes-0 (last visited Mar. 10, 2013). [16] Maula, Murray & Jääskeläinen, supra note 8 at 41-42. [17] Corporate investments, Sitra, http://www.sitra.fi/en/corporate-investments (last visited Mar. 10, 2013). [18] Fund investments, Sitra, http://www.sitra.fi/en/fund-investments (last visited Mar. 10, 2013). [19] The venture capital funds referred to herein mean the pooled investment made by the owners of venture capital, while whether it exists in the form of fund or others is not discussed herein. [20] Project funding, Sitra, http://www.sitra.fi/en/project-funding (last visited Mar. 10, 2013). [21] Maula, Murray & Jääskeläinen, supra note 8 at 42. [22] Jussi S. Jauhiainen, Regional and Innovation Policies in Finland – Towards Convergence and/or Mismatch? REGIONAL STUDIES, 42(7), 1031, 1032-1033 (2008). [23] id. at 1036. [24] id. at 1038. [25] id. at 1038-1039.

Post Brexit – An Update on the United Kingdom Privacy Regime 2021/9/10 　　After lengthy talks, on 31 January 2020, the United Kingdom (‘UK’) finally exited the European Union (‘EU’). Then, the UK shifted into a transition period. The UK government was bombarded with questions from all stakeholders. In particular, the data and privacy industry yelled out the loudest – what am I going to do with data flowing from the EU to the UK? Privacy professionals queried – would the UK have a new privacy regime that significantly departs from the General Data Protection Regulation (‘GDPR’)? Eventually, the UK made a compromise with all stakeholders – the British, the Europeans and the rest of the world – by bridging its privacy laws with the GDPR. On 28 June 2021, the UK obtained an adequacy decision from the EU.[1] This was widely anticipated but also widely known to be delayed, as it was heavily impacted by the aftermaths of the invalidation of the US- EU Privacy Shield.[2] 　　While the rest of the world seems to silently observe the transition undertaken by the UK, post-Brexit changes to the UK’s privacy regime is not only a domestic or regional matter, it is an international matter. Global supply chains and cross border data flows will be affected, shuffling the global economy into a new order. Therefore, it is crucial as citizens of a digital economy to unpack and understand the current UK privacy regime. This paper intends to give the reader a brief introduction to the current privacy regime of the UK. The author proposes to set out the structure of the UK privacy legislation, and to discuss important privacy topics. This paper only focuses on the general processing regime, which is the regime that is most relevant to general stakeholders. UK Privacy Legislation 　　There are two main privacy legislation in the UK – the Data Protection Act 2018 (‘DPA’) and the United Kingdom General Data Protection Act (‘UK GDPR’). These two acts must be read together in order to form a coherent understanding of the current UK privacy regime. 　　The UK GDPR is the creature of Brexit. The UK government wanted a smooth transition out of the EU and acknowledged that they needed to preserve the GDPR in their domestic privacy regime to an extent that would allow them to secure an adequacy decision. The UK government also wanted to create less impact on private companies. Thus, the UK GDPR was born. Largely it aligns closely with the GDPR, supplemented by the DPA. ICO 　　The Information Commissioner’s Office (‘ICO’) is the independent authority supervising the compliance of privacy laws in the UK. Prior to Brexit, the ICO was the UK’s supervisory authority under the GDPR. A unique feature of the ICO’s powers and functions is that it adopts a notice system. The ICO has power to issue four types of notices: information notices, assessment notices, enforcement notices and penalty notices.[3] The information notice requires controllers or processors to provide information. The ICO must issue an assessment notice before conducting data protection audits. Enforcement is only exercisable by giving an enforcement notice. Administrative fines are only exercisable by giving a penalty notice. Territorial Application 　　Section 207(1A) of the DPA states that the DPA applies to any controller or processor established in the UK, regardless where the processing of personal data takes place. Like the GDPR, the DPA and the UK GDPR have an extraterritorial reach to overseas controllers or processors. The DPA and the UK GDPR apply to overseas controllers or processors who process personal data relating to data subjects in the UK, and the processing activities are related to the offering of goods or services, or the monitoring of data subjects’ behavior.[4] Transfers of Personal Data to Third Countries 　　On 28 June 2021, the UK received an adequacy decision from the EU.[5] This means that until 27 June 2025, data can continue to flow freely between the UK and the European Economic Area (‘EEA’). 　　As for transferring personal data to third countries other than the EU, the UK has similar laws to the GDPR. Both the DPA and the UK GDPR restrict controllers or processors from transferring personal data to third countries. A transfer of personal data to a third country is permitted if it is based on adequacy regulations.[6] An EU adequacy decision is known as ‘adequacy regulations’ under the UK regime. 　　If there is no adequacy regulations, then a transfer of personal data to a third country will only be permitted if it is covered by appropriate safeguards, including standard data protection clauses, binding corporate rules, codes of conduct, and certifications.[7] The ICO intends to publish UK standard data protection clauses in 2021.[8] In the meantime, the EU has published a new set of standard data protection clauses (‘SCCs’).[9] However, it must be noted that the EU SCCs are not accepted to be valid in the UK, and may only be used for reference purposes. It is also worth noting that the UK has approved three certification schemes to assist organizations in demonstrating compliance to data protection laws.[10] Lawful Bases for Processing 　　Basically, the lawful bases for processing in the UK regime are the same as the GDPR. Six lawful bases are set out in article 6 of the UK GDPR. To process personal data, at least one of the following lawful bases must be satisfied:[11] The data subject has given consent to the processing; The processing is necessary for the performance of a contract; The processing is necessary for compliance with a legal obligation; The processing is necessary to protect vital interests of an individual – that is, protecting an individual’s life; The processing is necessary for the performance of a public task; The processing is necessary for the purpose of legitimate interests, unless other interests or fundamental rights and freedoms override those legitimate interests. Rights & Exemptions 　　The UK privacy regime, like the GDPR, gives data subjects certain rights. Most of the rights granted under the UK privacy regime is akin to the GDPR and can be found under the UK GDPR. Individual rights under the UK privacy regime is closely linked with its exemptions, this may be said to be a unique feature of the UK privacy regime which sets it apart from the GDPR. Under the DPA and the UK GDPR, there are certain exemptions, meaning organizations are exempted from certain obligations, most of them are associated with individual rights. For example, if data is processed for scientific or historical research purposes, or statistical purposes, organizations are exempted from provisions on the right of access, the right to rectification, the right to restrict processing and the right to object in certain circumstances.[12] Penalties 　　The penalty for infringement of the UK GDPR is the amount specified in article 83 of the UK GDPR.[13] If an amount is not specified, the penalty is the standard maximum amount.[14] The standard maximum amount, at the time of writing, is £8,700,000 (around 10 million Euros) or 2% of the undertaking’s total annual worldwide turnover in the preceding financial year.[15] In any other case, the standard maximum amount is £8,700,000 (around 10 million Euros).[16] Conclusion 　　The UK privacy regime closely aligns with the GDPR. However it would be too simple of a statement to say that the UK privacy regime is almost identical to the GDPR. The ICO’s unique enforcement powers exercised through a notice system is a distinct feature of the UK privacy regime. Recent legal trends show that the UK while trying to preserve its ties with the EU is gradually developing an independent privacy persona. The best example is that in regards to transfers to third countries, the UK has developed its first certification scheme and is attempting to develop its own standard data protection clauses. The UK’s transition out of the EU has certainly been interesting; however, the UK’s transformation from the EU is certainly awaited with awe. [1] Commission Implementing Decision of 28.6.2021, pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom, C(2021) 4800 final,https://ec.europa.eu/info/sites/default/files/decision_on_the_adequate_protection_of_personal_data_by_the_united_kingdom_-_general_data_protection_regulation_en.pdf.. [2] Judgment of 16 July 2020, Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems, C-311/18, EU:C:2020:559, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62018CJ0311. [3] Data Protection Act 2018, §115. [4] Data Protection Act 2018, §207(1A); REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 3. [5] supra note 1. [6] Data Protection Act 2018, §17A-18; REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 44-50. [7] Data Protection Act 2018, §17A-18; REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 46-47. [8]International transfers after the UK exit from the EU Implementation Period, ICO, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers-after-uk-exit/ (last visited Sep. 10, 2021). [9] Standard contractual clauses for international transfers, European Commission, https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en (last visited Sep. 10, 2021). [10] ICO, New certification schemes will “raise the bar” of data protection in children’s privacy, age assurance and asset disposal, ICO, Aug. 19, 2021, https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2021/08/ico-approves-the-first-uk-gdpr-certification-scheme-criteria/ (last visited Sep. 10, 2021). [11] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 6(1)-(2); Lawful basis for processing, ICO, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/ (last visited Sep. 10, 2021). [12] Data Protection Act 2018, sch 2, part 6, para 27. [13] id. at §157. [14] id. [15] id. [16] id.

I. Introduction The human genes database or human genome project, the product under the policy of biotechnology no matter in a developed or developing country, has been paid more attention by a government and an ordinary people gradually. The construction of human genes database or human genome project, which is not only related to a country’s innovation on biotechnology, but also concerns the promotion of a country’s medical quality, the construction of medical care system, and the advantages brought by the usage of bio-information stored in human genes database or from human genome project. However, even though every country has a high interest in setting up human genes database or performing human genome project, the issues concerning the purposes of related biotechnology policies, the distribution of advantages and risks and the management of bio-information, since each country has different recognition upon human genes database or human genome project and has varied standards of protecting human basic rights, there would be a totally difference upon planning biotechnology policies or forming the related systems. Right now, the countries that vigorously discuss human genes database or practice human genome project include England, Iceland, Norway, Sweden, Latvia and Estonia. Estonia, which is the country around the Baltic Sea, has planned to set up its own human genes database in order to draw attention from other advanced countries, to attract intelligent international researchers or research groups, and to be in the lead in the area of biotechnology. To sum up, the purpose of constructing Estonian human genes database was to collect the genes and health information of nearly 70% Estonia’s population and to encourage bio-research and promote medical quality. II. The Origin of Estonian Human Genes Database The construction of Estonian human genes database started from Estonian Genome Project (EGP). This project was advocated by the professor of biotechnology Andres Metspalu at Tartu University in Estonia, and he proposed the idea of setting up Estonian human genes database in 1999. The purposes of EGP not only tried to make the economy of Estonia shift from low-cost manufacturing and heavy industry to an advanced technological economy, but also attempted to draw other countries’ attention and to increase the opportunity of making international bio-researches, and then promoted the development of biotechnology and assisted in building the system of medical care in Estonia. EGP started from the agreement made between Estonian government and Eesti Geenikeskus (Estonian Genome Foundation) in March, 1999. Estonian Genome Foundation was a non-profit organization formed by Estonian scientists, doctors and politicians, and its original purposes were to support genes researches, assist in proceeding any project of biotechnology and to set up EGP. The original goals of constructing EGP were “(a) reaching a new level in health care, reduction of costs, and more effective health care, (b) improving knowledge of individuals, genotype-based risk assessment and preventive medicine, and helping the next generation, (c) increasing competitiveness of Estonia – developing infrastructure, investments into high-technology, well-paid jobs, and science intensive products and services, (d) [constructing] better management of health databases (phenotype/genotype database), (e) … [supporting]… economic development through improving gene technology that opens cooperation possibilities and creates synergy between different fields (e.g., gene technology, IT, agriculture, health care)”1. III. The Way of Constructing Estonian Human Genes Database In order to ensure that Estonian human genes database could be operated properly and reasonably in the perspectives of law, ethics and society in Estonia, the Estonian parliament followed the step of Iceland to enact “Human Genes Research Act” (HGRA) via a special legislative process to regulate its human genes database in 2000. HGRA not only authorizes the chief processor to manage Estonian human genes database, but also regulates the issues with regard to the procedure of donation, the maintenance and building of human genes database, the organization of making researches, the confidential identity of donator or patient, the discrimination of genes, and so on. Since the construction of Estonian human genes database might bring the conflicts of different points of view upon the database in Estonia, in order to “avoid fragmentation of societal solidarity and ensure public acceptability and respectability”2 , HGRA adopted international standards regulating a genes research to be a norm of maintaining and building the database. Those standards include UNESCO Universal Declaration on the Human Genome and Human Rights (1997) and the Council of Europe’s Convention on Human Rights and Biomedicine (1997). The purpose of enacting HGRA is mainly to encourage and promote genes researches in Estonia via building Estonian human genes database. By means of utilizing the bio-information stored in the database, it can generate “more exact and efficient drug development, new diagnostic tests, improved individualized treatment and determination of risks of the development of a disease in the future”3 . In order to achieve the above objectives, HGRA primarily puts emphasis on several aspects. Those aspects include providing stronger protection on confidential identity of donators or patients, caring for their privacy, ensuring their autonomy to make donations, and avoiding any possibility that discrimination may happen because of the disclosure of donators’ or patients’ genes information. 1.HERBERT GOTTWEIS & ALAN PETERSEN, BIOBANKS – GOVERNANCE IN COMPARATIVE PERSPECTIVE 59 (2008). 2.Andres Rannamae, Populations and Genetics – Legal and Socio-Ethical Perspectives, in Estonian Genome Porject – Large Scale Health Status Description and DNA Collection 18, 21 (Bartha Maria Knoppers et al. eds., 2003. 3.REMIGIUS N. NWABUEZE, BIOTECHNOLOGY AND THE CHALLENGE OF PROPERTY – PROPERTY RIGHTS IN DEAD BODIES, BODY PARTS, AND GENETIC INFORMATION, 163 (2007).

Preface Considering that, many countries and regional international organizations already set up ABS system, such as Andean Community, African Union, Association of Southeast Asia Nations (ASEAN), Australia, South Africa, and India, all are enthusiastic with the establishment of the regulations regarding the access management of biological resources and genetic resources. On the other hand, there are still many countries only use traditional and existing conservation-related regulations to manage the access of biological resources. Can Taiwan's regulations comply with the purposes and objects of CBD? Is there a need for Taiwan to set up specific regulations for the management of these access activities? This article plans to present Taiwan's regulations and review the effectiveness of the existing regulations from the aspect of enabling the legal and effective access to biological resources. A recommendation will be made on whether Taiwan should reinforce the management of the bio-resources access activities. Review and Recommendation of the Regulations on the Legal and Effective Access to Taiwan's Biological Rersearch Resources （1）Evaluate the Needs and Benefits before Establishing the Regulation of Access Rights When taking a look at the current development of the regulations on the access of biological resources internationally, we discover that some countries aggressively develop designated law for access, while some countries still adopt existing regulations to explain the access rights. Whether to choose a designated law or to adopt the existing law should depend on the needs of establishing access and benefit sharing system. Can the access and benefit sharing system benefit the functioning of bio-technological research and development activities that link closely to the biological resources? Can the system protect the interests of Taiwan's bio-research results? In Taiwan, in the bio-technology industry, Agri-biotech, Medical, or Chinese Herb Research & Development are the key fields of development. However, the biological resources they use for the researches are mainly supplied from abroad. Hence, the likelihood of violating international bio-piracy is higher. On the contrary, the incidence of international research houses searching for the biological resources from Taiwan is comparatively lower, so the possibility for them to violate Taiwan's bio-piracy is very low. To look at this issue from a different angle, if Taiwan establishes a separate management system for the access of biological resources, it is likely to add more restrictions to Taiwan's bio-tech R&D activities and impact the development of bio-industry. Also, under the new management system, international R&D teams will also be confined, if they wish to explore the biological resources, or conduct R&D and seek for co-operation activities in Taiwan. Not to mention that it is not a usual practice for international R&D teams to look for Taiwan's biological resources. A new management system will further reduce their level of interest in doing so. In the end, the international teams will then shift their focus of obtaining resources from other countries where the regulation on access is relatively less strict. Before Taiwan establishes the regulations on the legal and effective access to bio-research resources, the government should consider not only the practical elements of the principal on the fair and impartial sharing of the derived interests from bio-research resources, but also take account of its positive and negative impacts on the development of related bio-technological industries. Even if a country's regulation on the access and benefit sharing is thorough and comprehensive enough to protect the interests of bio-resource provider, it will, on the contrary, reduce the industry's interest in accessing the bio-resources. As a result, the development of bio-tech industry will be impacted and the resource provider will then be unable to receive any benefits. By then, the goal of establishing the regulation to benefit both the industry and resource provider will not be realized. To sum up, it is suggested to evaluate the suitability of establishing the management system for the access to biological resources through the cost-effect analysis first. And, further consider the necessity of setting up regulations by the access the economic benefits derived from the regulation for both resource provider and bio-tech industry. （2）The Feasibility of Managing the access to Bio-research Resources from existing Regulations As analysed in the previous paragraphs, the original intention of setting up the Wildlife Conservation Act, National Park Law, Forestry Act, Cultural Heritage Preservation Act, and Aboriginal Basic Act is to protect the environment and to conserve the ecology. However, if we utilize these traditional regulations properly, it can also partially help to manage the access to biological resources. When Taiwan's citizens wish to enter specific area, or to collect the biological resources within the area, they need to receive the permit from management authority, according to current regulations. Since these national parks, protection areas, preserved areas, or other controlled areas usually have the most comprehensive collections of valuable biological resources in a wide range of varieties, it is suggested to include the agreements of access and benefit sharing as the mandatory conditions when applying for the entrance permit. Therefore, the principal of benefit sharing from the access to biological resources can be assured. Furthermore, the current regulations already favour activities of accessing biological resources for academic research purpose. This practice also ties in with the international trend of separating the access application into two categories - academic and business. Australia's practice of access management can be a very good example of utilizing the existing regulations to control the access of resources. The management authority defines the guidelines of managing the entrance of control areas, research of resources, and the collection and access of resources. The authority also adds related agreements, such as PIC (Prior Informed Consent), MTA (Material Transfer Agreement), and benefit sharing into the existing guidelines of research permission. In terms of scope of management, the existing regulation does not cover all of Taiwan's bio-research resources. Luckily, the current environmental protection law regulates areas with the most resourceful resources or with the most distinctive and rare species. These are often the areas where the access management system is required. Therefore, to add new regulation for access management on top of the existing regulation is efficient method that utilizes the least administrative resources. This could be a feasible way for Taiwan to manage the access to biological resources. （3）Establish Specific Regulations to Cover the Details of the Scope of Derived Interests and the Items and Percentage of Funding Allocation In addition to the utilization of current regulations to control the access to biological resources, many countries establish specific regulations to manage the biological resources. If, after the robust economic analysis had been done, the country has come to an conclusion that it is only by establishing new regulations of access management the resources and derived interests of biological resources can be impartially shared, the CBD (Convention of Bio Diversity), the Bonn Guidelines, or the real implementation experiences of many countries can be an important guidance when establishing regulations. Taiwan has come up with the preliminary draft of Genetic Resources Act that covers the important aspects of international access guidelines. The draft indicates the definition and the scope of access activities, the process of access applications (for both business and academic purpose), the establishment of standardized or model MTA, the obligation of disclosing the sources of property rights (patents), and the establishment of bio-diversity fund. However, if we observe the regulation or drafts to the access management of the international agreements or each specific country, we can find that the degree of strictness varies and depends on the needs and situations. Generally speaking, these regulations usually do not cover some detailed but important aspects such as the scope of derived interests from biological resources, or the items and percentage of the allocation of bio-diversity fund. Under the regulation to the access to biological resources, in addition to the access fee charge, the impartial sharing of the derived interests is also an important issue. Therefore, to define the scope of interests is extremely important. Any interest that is out of the defined scope cannot be shared. The interest stated in the existing regulation generally refers to the biological resources or the derived business interests from genetic resources. Apart from describing the forms of interest such as money, non-money, or intellectual property rights, the description of actual contents or scope of the interests is minimal in the regulations. However, after realizing the importance of bio-diversity and the huge business potential, many countries have started to investigate the national and international bio-resources and develop a database system to systematically collect related bio-research information. The database comprised of bio-resources is extremely useful to the activities related to bio-tech developments. If the international bio-tech companies can access Taiwan's bio-resource database, it will save their travelling time to Taiwan. Also, the database might as well become a product that generates revenues. The only issue that needs further clarification is whether the revenue generated from the access of database should be classified as business interests, as defined in the regulations. As far as the bio-diversity fund is concerned, many countries only describe the need of setting up bio-diversity funds in a general manner in the regulations. But the definition of which kind of interests should be put into funds, the percentage of the funds, and the related details are not described. As a result, the applicants to the access of bio-resources or the owner of bio-resources cannot predict the amount of interests to be put into bio-diversity fund before they actually use the resources. This issue will definitely affect the development of access activities. To sum up, if Taiwan's government wishes to develop the specific regulations for the access of biological resources, it is advised to take the above mentioned issues into considerations for a more thoroughly described, and more effective regulations and related framework. Conclusion In recent years, it has been a global trend to establish the regulations of the access to and benefit sharing of bio-resources. The concept of benefit sharing is especially treated as a useful weapon for the developing countries to protect the interests of their abundant bio-research resources. However, as we are in the transition period of changing from free access to biological resources to controlled access, we are facing different regulations within one country as well as internationally. It will be a little bit disappointing for the academic research institution and the industry who relies on the biological resources to conduct bio-tech development if they do not see a clear principal direction to follow. The worse case is the violation of the regulation of the country who owns the bio-resources when the research institutions try to access, exchange, or prospect the biological resources without thorough understanding of related regulations. For some of Taiwan's leading fields in the bio-tech industry, such as Chinese and herbal medicine related products, agricultural products, horticultural products, and bio-tech products, since many resources are obtained from abroad, the incidence of violation of international regulation will increase, and the costs from complying the regulations will also increase. Therefore, not only the researcher but also the government have the responsibility to understand and educate the related people in Taiwan's bio-tech fields the status of international access management regulations and the methods of legally access the international bio-research resources. Currently in Taiwan, we did not establish specific law to manage the access to and benefit sharing of bio-resources. Comparing with the international standard, there is still room of improvement for Taiwan's regulatory protection to the provider of biological resources. However, we have to consider the necessity of doing so, and how to do the improvement. And Taiwan's government should resolve this issue. When we consider whether we should follow international trend to establish a specific law for access management, we should always go back to check the potential state interests we will receive and take this point into consideration. To define the interests, we should always cover the protection of biological resources, the development of bio-tech industry, and the administrative costs of government. Also the conservation of biological resources and the encouragement of bio-tech development should be also taken into consideration when the government is making decisions. In terms of establishing regulations for the access to biological resources and the benefit sharing, there are two possible solutions. The first solution is to utilize the existing regulations and add the key elements of access management into the scope of administrative management. The work is planned through the revision of related current procedures such as entrance control of controlled areas and the access of specific resources. The second solution is to establish new regulations for the access to biological resources. The first solution is relatively easier and quicker; while the second solution is considered to have a more comprehensive control of the issue. The government has the final judgement on which solution to take to generate a more effective management of Taiwan's biological resources.