Although third-party payment is already one of the most popular ways to do the payment online in many countries, for example, Alipay of China and Paypal of USA, third-party payment in Taiwan is just about to start. For these days, the legislation of third-party payment has become a highly debated issue. However, due to many reasons, the legislation of third-party payment eventually has not been realized. And in fact, the third-party payment in Taiwan is not mature yet. A third-party payment system in Taiwan is unable to deposit stored value in advance. This is one of the basic functions of third-party payment system abroad, such as Alipay in China and Paypal in USA. Mainly, what third-party payment provides in Taiwan is money transmission based on real trade.
Recently, third-party payment has a breakthrough development. According to the resolution of the meeting “Obstacles of using credit card in third party payment” held by Executive Yuan in September this year, Financial Supervisory Commission has made the commitment that the third party payment is allowed to be a “contracted merchant” under “Regulations Governing Institutions Engaging in Credit Card Business”, and personal entity or small business which is not provided with the qualification of “contracted merchant” are allowed to accept credit card payment though third party payment system. This is a very important progress in third-party payment in Taiwan. It means credit card payment is available for C2C transaction now. This will improve the safety of C2C transaction and reduce the quantity of fraud transaction. In other way, boost the prosperity of E-commerce.
In response to the Central Bank’s request, MOEA (Ministry of Economic Affairs) approved and announced the “Evaluation Requirements for Data Processing Services Industry Performing Trans-border Internet Transaction” on October 3rd, 2012. Any Data Processing Services Industry Performing Trans-border Internet Transaction would like to obtain the qualification as a mandatory under Article 8 of “Regulations Governing the Declaration of Foreign Exchange Receipts and Disbursements or Transactions”, should pass the evaluation according to the “Evaluation Requirements for Data Processing Services Industry Performing Trans-border Internet Transaction”, and get the compliance certification.
The “Evaluation Requirements for Data Processing Services Industry Performing Trans-border Internet Transaction” has set up several requirements for a business which would like to run the payment service for trans-border internet transaction. Mainly, basic requirements are as the followings.
1-2-1 The applying data processing service enterprise should be a limited company or a company limited by shares.
1-2-2 The applying data processing service enterprise should open a special purpose deposit account to deposit the entire transmitting amount received from consumers. And the transaction of this account should be only based on the consumers’ directions of money transmitting.
1-2-3 Users of the third-party payment service provided by the data processing service enterprise should register for the first time usage. And the user’s name, birth and ID number are required for registration. The applying data processing service enterprise has the liability to check the reality of the information provided.
1-2-4 The contract between the data processing service enterprise and the user should be in writing. If the contract is performed in electronic way, it should follow the requirement of “in writing” according to Article 4 of “Electronic Signatures Act”. In addition, the contract should contain the mandatory articles about foreign exchange declaration listed in the “Evaluation Requirements for Data Processing Services Industry Performing Trans-border Internet Transaction”.
1-2-5 The data processing service enterprise should be equipped with sound information security system and operating regulations, comply with “Personal Information Protection Act” and the related directives, join ECTSA (E-commerce Trust Security Alliance), and get the ISO27001 certificate or PCI-DSS validation.
1-2-6 The data processing service enterprise should keep detailed transaction information for at least 5 years.
1-2-7 The data processing service enterprise should set up money laundering prevention operating regulations, and provide money laundering prevention employee training annually.
Once MOEA receives the application, MOEA will set up a special team, which assembles legal professionals, information engineering experts and financial experts, to conduct the evaluation. The compliance certification of the evaluation will be valid for 5 years. During these 5 years, the data processing enterprise has the duty to accept the annual examination and non-timed examination by MOEA.
The nature of a third-party payment service is “service of payment collection and forwarding”. Generally, payment collection and forwarding refers to the transfer of a transaction payment performed by a third party in its role of assisting the buyer and the seller. The current practice in Taiwan of making payment to and collecting product from a convenient store pursuant to online transaction or of paying for product upon delivery by shipping company is a type of “payment collection and forwarding” business.
In a relationship of payment collection and forwarding service, the legal relationship between the buyer and the payment collector/forwarder is a “contract of mandate” under Article 528 of the Civil Code. Refer to Article 8 of the Regulations Government the Use of Uniform Invoices: “When a business entity is engaged to handle collection and payment on behalf of another party, if there is no difference between the amount collected and the amount paid, and the purchaser specified on the payment receipt voucher is the engaging party, then the business entity may deliver the voucher to the engaging party and is exempt both from issuing a uniform invoice and from including the payment as a sales amount.”. Article 18-2 of the Profit Seeking Enterprise Income Tax Audit Standard also has similar stipulations.
As to whether or not a contract of mandate is formed between the seller and the payment collector/forwarder, depends on the agreement between the parties. If it is agreed that the buyer has completed payment when the payment collector/forwarder receives the fund, then the payment collector/forwarder receives the fund on behalf of the seller and a contract of mandate is formed. Under the contract of mandate, the seller grants the payment collector/forwarder the right of agency and the right of processing. Generally speaking, it is deemed that when the buyer pays the fund to the payment collector/forwarder, the buyer has completed the obligation of payment. Therefore, both the buyer and the seller form a contract of mandate with the payment collector/forwarder and grant the right of agency under such contract of mandate.
Diagram 1 Three-party relationship diagram under collection/forwarding of transaction payment
Source: Prepared by author
The payment collector/forwarder under online transaction acts as the agent of the buyer and the seller at the same time with regard to the act of payment and collection. This constitutes the legal issue of “acting as agent for both parties” under Article 106 of the Civil Code. However, the payment collector/forwarder performs the contract of sale and purchase for the buyer and the seller. Therefore the exception provided under Article 106 of the Civil Code is applicable.
The important value of a third-party payment mechanism is that it provides a credit guarantee between the buyer and seller. Through a third-party payment organization, the buyer receives the merchandize and then sends an instruction to the third party payer for the price previously provided to the third party payer to be forwarded to the seller. Although the buyer and the seller cannot verify each other’s creditworthiness and the quality of the merchandize face-to-face, through third party payment, the buyer can be assured that the merchandize will be received after the price is paid. The buyer can even be assured that he/she will receive the merchandize that he/she is satisfied with. For example, in “Alipay”, the after shopping, the consumer pays the transaction price to Alipay. Only when the consumer replies with “production received” will Alipay forward the money to the seller.
So “third-party payment service” helps activate E-commerce and is especially helpful in C2C transactions. This is one of the important features that differentiate “third-party payment service” from “Internet banking”. Therefore, although the Central Bank of Mainland China introduced the function of “Super Internet Bank” in 2009, consolidating the consultation and account transfer systems of many banks, it is generally considered that this did not have a strong impact on the third-party payment service industry which is already flourishing in Mainland China, because it does not provide value-added services, such as a guarantee and delayed payment provided by third-party payment service. Although third-party payment service provides account transfer service, absorbing part of the functions of Internet banking, it also created new business opportunities for the banks. In reference to the experience of Mainland China, the tasks are divided between third-party payers and banks as follows:
Source: Xi-Song Zhang, Choice of Development Model for Third-Party Payment in China – From the Perspective of Full Intervention by Commercial Banks, Review by Xi’An University of Finance and Economics, Volume 22, Book 2, Page 46 (March 2009).
So the service provided by third-party payment and the service provided by Internet banking overlap to a certain degree. Both perform the function of fund transmission. However, instead of thinking that the two as competitors, it is better to think of them as a cooperative.
The feature of the above-described third-party payment is that the third party holds the property for the benefit for others until the satisfaction of certain conditions. A similar legal system in Taiwan is “trust”. In accordance with Article 1 of the Trust Act: “For the purposes of this Law, the term "trust" refers to the legal relationship in which the settler transfers or disposes of a right of property and causes the trustee to administer or dispose of the trust property according to the stated purposes of the trust for the benefit of a beneficiary or for a specified purpose.”. However, in accordance with Article 2 of the Trust Act, a trust must be done through a contract of trust. What is different from the contract of mandate formed under the payment collection/forwarding described above is that, in a contract of trust, the parties must specify the purpose of the trust in the contract. Otherwise, the contract of a trust is not formed. An exception is trust by declaration for the purpose of public interest under Article 71 of the Trust Act. Below we discuss the structure and feasibility of providing third-party payment service through trust.
3-2-1Third-Party Payer Acts as Trustee
When a third-party payer acts as the trustee of under the contract of trust and the buyer that pays the price under an Internet transaction designates it as the principal and the beneficiary, a trust for self benefit is formed. It is a trust with a purpose. The purpose of the trust is to transfer the price of sale and purchase. The seller is also the beneficiary. According to the “principle of identified beneficiary” under the laws of Taiwan as long as the beneficiary is identifiable, even though many transactions may be formed with many sellers after the buyer registers to use third-party payment service, a contract of trust can still be formed. However, in accordance with Article 2 of the Trust Act, unless the principal has reservations in the contract of trust, the termination of a trust for the benefit of others is subject to the consent of the beneficiary. So it is simpler to process under a trust for one’s own benefit.
Diagram 2 Diagram of trust relationship under third-party payment (where the third-party payer is the trustee)
Source: Prepared by author
To form a contract of trust, in accordance with Articles 9 to 12 of the Trust Act, the fund entrusted by the service user to the third party to be forwarded becomes trust property and can be effectively segregated from bankruptcy. If the trustee is bankrupt, the trust property will not be included in the bankruptcy property, and the creditors of the trustee cannot enforce upon the trust property, providing more protection for the user of third-party payment service. Also, in accordance with Article 24, the principal shall manage the trust property and the principal’s own property separately. A monetary trust can be managed by keeping separate accounts. So if a contract of trust is formed under a contract of third-party payment service, it can ensure proper accounting of trust property by the service provider. Also, in accordance with Paragraph 2, Article 9, property right acquired by the trustee through the management, disposal, loss, destruction or other event of the trust property remains part of the trust property. Therefore, proceeds received from the deposit by third-party payer with the bank of any fund before it is forwarded become part of trust property and belong to the buyer, i.e., the principal and beneficiary.
Certain doubts as to whether the Trust Enterprise Act is applicable to third-party payment service provider. In accordance with Article 2 of the Trust Enterprise Act, “trust enterprise” referred to in this Act means an organization approved by the competent authority in accordance with this Act to operate trust activities. There are 4 targets regulated by the Trust Enterprise Act: Trust companies that operate trust activities with approval by the competent authority, banks they also operate trust activities, securities investment trusts, investment consulting businesses and securities dealers that also operate trust activities and trust investment companies. A third-party payer is not a trust enterprise approved by the Banking Bureau of the Financial Supervisory Commission. Therefore, the contract of trust formed under third-party payment service is a general trust under civil law and is subject to supervision by the court in accordance with Article 60 of the Trust Act. The court may select an inspector and impose other necessary disposition by order pursuant to the petition for inspection on trust activities filed by an interested party or a prosecutor.
However, the court has a role of passive supervision and does not have the general authority of supervision and management by the Bureau of Banking. Third-party payment is a service provided to unidentified members of the society. Including third-party payers into the system of financial supervision for trust will provide better protection for interest of the general public. Also, in accordance with Article 34 of the Trust Act, trust enterprises have the obligation of provisioning compensation reserves. No such obligation is imposed under general civil-law trust. So if third-party payers are included as trust enterprises, better protection will be available to the consumers.
Also in accordance with Article 19 of the Trust Enterprise Act, a trust contract must be done in writing. In case of an electronic document, requirements under Article 4 of the Electronic Signature Act must be met: “the content of the information can be presented in its integrity and remains accessible for subsequent reference, with the consent of the other party”. Under third-party payment service, the third-party payer must make payment in accordance with the user’s instructions. So the trust that is formed is “a trust where the trustee does not have discretion over utilization of trust property”, as referred to under Paragraph 2, Article 7 of the Enforcement Rules for Trust Enterprise Act. It is also “a monetary trust under specific centralized management and utilization” under Article 8 of the Enforcement Rules for Trust Enterprise Act.
However, in accordance with Article 9 of the Trust Enterprise Act: “A trust enterprise's name shall indicate the word, ‘trust.’ This rule does not apply to an entity which conducts a trust business concurrently with the approval of the Competent Authority.” If the third party payer adds the word “trust” in the company name, it will create a difference from the scope of business of third-party payment service. So an approval from the competent authority, the Bureau of Banking of the Financial Supervisory Commission, allowing third party payers to also operate the trust activity, seems to be a better solution.
3-2-2Bank Acts as Trustee
As mentioned above, in a payment collection/forwarding relationship, the underlying legal relationship between the third-party payer and buyer is a “mandate”. Under a separate relationship of mandate, the buyer can grant the third-party payer the right of agency to sign a contract of trust with the bank on behalf of the buyer. The bank will act as the trustee and the buyer will act as the principal and beneficiary. The third-party payer will be the agent of the principal. Same as above, the beneficiary can also be the seller here.
Under the current structure of the Trust Act of Taiwan, almost all rights that can be exercised by a principal can also be exercised by a beneficiary, including the rights under Articles 23, 24, 32, 35 and 65. Therefore, it is more convenient for a bank, with the qualification of trust enterprise, to serve as the trustee. However, trust related fees may be payable to the bank, raising the cost of third-party payment service. The relevant cost will most likely be transferred to the user of third-party payment service. The third-party payment service fee is generally paid by the seller, i.e., the payee. Under the structure where the third-party payer acts as the trustee, the relationship between the third-party payer and the bank is solely one between a depositor and a depository account. Therefore the third-party service provider does not need to pay any fee to the bank. It may even receive interest from the deposit, constituting proceeds from trust property which belong to the principal. So if the bank acts as the trustee, the cost of transaction flow is higher. On the other hand, it may obstruct the development of the industry. However, it is more consistent with the model of trust management.
Diagram 3 Diagram of trust relationship under third-party payment (bank being the trustee)
Source: Prepared by author
There is currently no legal restriction against simple payment collection and forwarding. The contract of mandate under the Civil Code can process the tri-party legal relationship (buyer, seller and payment collector/forwarder). The transaction guarantee for third-party payment and the mechanism of custody and delayed payment of price can be processed with the structure of trust. As mentioned above, under the structure of a trust, the third-party payer can act as the trustee and the bank can act as the principal (at which time the third-party payer represents the principal and signs a contract of trust with the bank on behalf of the buyer). The formation of trust ensures account management, avoiding improper utilization of the transaction price under custody. When the third-party payer is the trustee, a general civil-code trust is formed, which is only subject to inspection by court pursuant to petition by interested party or the judge. The supervision and management are more relaxed. However, third-party payment serves an unidentified public of society and has an extensive impact. It is suggested that the competent authority, the Financial Supervisory Commission, allows third-party payers to also operate the business of trust and include third-party payers into the scope of financial supervision. When the bank acts as the trustee, the transaction cost is higher. However, the supervision and management of its business activities under the current legal system is more complete. Currently, a more feasible way is when the bank serves as the trustee and the third-party payer serves as the agent of the principal. In the long term, it can be studied to open up for third-party payers to also operate Internet transaction trust business, acting as the trustee.
Third-party payment replaces bank’s fund settlement function to a certain extent. Contrary to the traditional industry of payment collection and forwarding, third-party payment provides the convenience of fund collection/payment function and can fall prey to money laundering criminal activities. For the purpose of protecting the consumers and prevention of money laundering crimes, it is indeed necessary to include third-party payment into legislative management. The priority focus of such control is to require that the operator possesses a sound corporate structure and financial status. The requirement regarding capital is different depending on the country. The flexible requirement of capital amount in the EU can be used as a reference. For smaller operators with lower transaction volumes, a lower capital amount should be required under flexibility. In 2011, the Internet shopping market in China was 773.5 billion CNY. The amount of Internet payment was approximately 70 billion CNY. In 2011, the Internet shopping market in Taiwan was only 562.7 billion NT Dollars. If the minimum capital amount required of third-party payment operators in China is applied to third-party payment operators in Taiwan, it would not be reasonable. We can refer to the US method and ask operators to take out insurance to lower the risk and avoid market monopoly or oligopoly due to high capital amount barrier, blocking full competition. With the capital amount requirement, it is highly possible that the operators will increase the amount of transaction processed in accordance with the development of E-commerce, creating the necessity to increase the capital. It is best to choose the form of limited stock companies in order to answer to capital placement requirement swiftly.
Regarding the issue of money laundering prevention, third-party payment institutions are currently not the “financial institutions” under Article 5 of the Money Laundering Prevention Act of Taiwan. However, it should be a “payment tool” under Article 9, with only an obligation to freeze the payment account and cooperate with investigation as required by prosecutors. At the same time of developing third-party payment services, the Bureau of Investigation of the Ministry of Justice should also develop a money laundering prevention reporting system for third-party payment services. In reference to the US legal system, third-party payers should be included into the network of money laundering crime prevention of Taiwan for management. In addition, third-party payment services should be performed on real-name basis. The general public should be required to register and use third-party payment services with their true identities. As for verification of identity, the so-called KYC process, the banks’ KYC can be relied upon to a certain degree, such as comparison of account name information of the credit card holder or the deposit account. In reference to the legal system of different countries and the current financial legal system of Taiwan, third-party payment operators should have the obligation to maintain payment transaction information in order to facilitate criminal investigation.
To protect consumers, the rights and obligations between the consumers and the third-party payers should be specified in a written contract. If it is displayed in electronic form, the written requirement should be consistent with Article 4 of the Electronic Signature Act of Taiwan. In addition, the consumers’ funds should only be used in accordance with the consumers’ payment instructions. To avoid other uses by the operators, there should be a requirement to deposit into special bank accounts to provide clear trace of transaction history. In reference to Article 24 of the Trust Act, separate account management is required under trust. So if a trust is formed, then the requirement for special deposit account can be waived. Furthermore, to avoid insolvency by the operators, operators can be required to take out insurance and acquire full performance guarantee.
Prevention is better than a cure. We should take precautions about possible issues that may arise from third-party payment. In addition, clear rules of the game will encourage industry development.
On the other hand, with the new type of money flow payment activities in the Internet era, traditional financial industries should see it as a new opportunity of business development, and not a threat. What third-party payment system processes is information flow; the actual flow of funds is still dependent on the banking system. Internet payment operators are still dependent upon the finance industry to provide financial planning and new types of financial products (such as trust and insurance) in order to promote their business. Building a sound Internet payment system indeed requires contributions from the information industry, the finance industry and the legal industry.
In the recent years, the tide of open movement has pushed vigorously from the open source software, open hardware and the recent open data. More and more countries have joined the global initiative of open government data in order to achieve the ultimate goal to promote the democratic governance. National government adopts open data policy to enhance the transparency, participation and collaboration of the citizen into the government operation. Meanwhile, fueled by the knowledge economy and the statistical analysis of the big data technology, open government data could work as the catalyst to individuals, industries and government agencies to transform data into potential knowledge-based services. Up to the end of 2013, there are around 77 countries have adopted the Open Government Data policy. Taiwanese government also declared to take part in the open data revolution. The government had officially launched the open data policy in 2012. In Resolution No. 3322, the Executive Yuan prescribes that open government data could enhance the transparency of the government; improve the quality of life of people; and meet the needs of the industry. Governmental agencies under the authority of the Executive Yuan shall to recognize the importance of the empowerment brought from open government data to the quality of the decision-making process and asked the agencies to implemented the policy from the perspectives of the user’s needs and applications, and also the consider to include machine readable format for the data. The Executive Yuan directed the Research, Development and Evaluation Commission (RDEC)（行政院研究發展考核委員會） to develop related principles and measures to support government agencies of the Executive Yuan to plan, execute and open up their data. At the same time, it also directed the Industrial Development Bureau（IDB）, Ministry of Economic Affairs (MOEA) （經濟部工業局）to develop responsive strategies to cope with the industrial development. Pursuant to the Resolution No. 3322 of the Executive Yuan, RDEC worked through the open government data related laws and regulations, proclaimed the “Open Government Data Operating Principle for Agencies of the Executive Yuan”（行政院及所屬各級機關政府資料開放作業原則）and the “Essential Requirements for Administrate Open Government Data Datasets” （政府資料開放資料集管理要項）in the early 2013. All government agencies of the Executive Yuan have to adopted the following 3 open government data steps："open up government data for public use”, “provide data free of charge subject to certain exemptions”, "automated systematic release and exchange data”, and work in with 4 open government focus strategies: “release data actively and by the priority in the field of daily necessity”, “develop the norm of open government data”, “promote the use of Data.gov.tw”, and “demonstrate and advocate open government data services”. Ministry of Economic Affairs (MOEA) （經濟部工業局）also provided grants ($9,200 NTD) to the open government data value-added applications and development. The open government data platform (data.gov.tw) was launched in July, 2013, as the official Taiwan government site providing public access and reuse of government data sets from 62 government agencies of the Executive Yuan, including the Ministry of Interior (MOI)（內政部）, Ministry of Foreign Affairs (MOFA)（外交部）, Ministry of Economic Affairs (MOEA)（經濟部）, Council for Economic Planning and Development (CEPD)（行政院經濟建設發展委員會）, Hakka Affairs Council (HAC)（客家委員會）, Water Resources Agency, Ministry of Economic Affairs (WRA) （經濟部水利署）, and 4 local governments. At the end of 2013, each government agency is required to release at least 55 data sets. In addition, the rising tide of private-sector (individual or enterprise) also aims to mine the gold in open government data. Act upon the National Information and Communication Initiative (NICI)（行政院國家資訊通信發展推動小組）in the consultation of the open government data policy, Taipei Computer Association (TCA)（台北市電腦同業工會）organized the “Open Data Alliance” (ODA)（Open Data聯盟）as a bridge between the information provide-side (public sectors) and the demand-side (private sectors), to communicate and coordinate the expectations and needs from communities (bottom-up) towards open government data. On Dec. 11, 2013, Taiwan took one more step in the global open data initiative. Open Data Alliance (ODA) and the Open Data Institute (ODI) in UK signed the memorandum of understanding (MOU) and announced the alliance established to promote and explore the potential opportunities of open data holds for the public, private and academic sectors. The engagement of ODA and ODI could bring another catalyst for the open movement in Taiwan to take one big step in the international community. According to a survey from ODA, the biggest challenge so far is the available data sets do not really meet the needs of the industry. And most of the feedback reflects the concerns in licensing, charge, frequency of updates, data formats and data quality. These voices echo the open government data issues encountered in many countries. There are still some obstacles with the applicable laws and regulations (for example, Charges and Fees Act, Personal Data Protection Act, Accoutability & Liability etc.) wait to be solved before both public and private sectors to go onto the next level of open data development.Norms of Critical Infrastructure Protection in Japan
The approaches to promote critical infrastructure protection in Japan The approaches to promote critical infrastructure protection in Japan are illustrated below: 1. Coverage of Critical Information Infrastructure In the "Action Plan on Information Security Measures for Critical Infrastructure" promulgated by the Information Security Policy Council (ISPC) in 2005, critical infrastructure is defined as: Critical infrastructure which offers the highly irreplaceable service in a commercial way is necessary for people's normal lives and economic activities, and if the service is discontinued or the supply is deficient or not available, it will seriously influence people's lives and economic activities. Based on the definition of the action plan, the critical infrastructure contains: telecommunication systems, administration services of the government, finance, civil aviation, railway, logistics, power, gas, water, and medical services 2. Promoted Relevant Policies of The Past The issues regarding the CIIP are gradually being developed with the norm of information social security policy in Japan. Adopting the Action Plan of the Basic Guidelines Toward the Promotion of an Advanced Information and Telecommunications Society of 1998 proposed by the Japanese government in 1998 as a basis. The Japanese government keeps presenting polices of improvement for the relevant issues in order to acquire the stable development of telematics and telecommunications. Several years later, the Ministry of Economy, Trade, and Industry (METI) announced the Comprehensive Strategy on Information Security in 2003. The formulation of the strategy not only emphasizes the possible telematics-related risks and protection against threats that may be encountered in the information society, but it also enhances the level of information security to the level of national security and presents a comprehensive information security improvement program. Furthermore, the submission of the strategy has identified government’s responsibility in the development of information security Therefore, a division which is solely responsible for information security was established in the Cabinet Secretariat and is devoted to the development of it. In 2005, the Ministry of Economy, Trade, and Industry (METI) amended the Comprehensive Strategy on Information Security and announced the First National Strategy on Information Security based on the creation of a policy of a long-term information security task in Japan which is also the foundation for the policy of guidelines and action security concerning critical information infrastructure. This is in addition to being the most important basis for the policy of information security development. The strategy is different from the Comprehensive Strategy on Information Security in connotation. In the range of information security protection, it not only maintains information security from the perspective of the government; for instance, to divide the rights and duties on information security protection practices between the central government and the local government, and to strengthen the capacity of the government to solve emergencies such as cyber attacks, but it also tries to employ the public-private partnership on the CIIP issue to construct an extensive information security protection and to develop a Capability for Engineering of Protection, Technical Operation, Analysis and Response (CEPTOAR): one similar to the ISAC of America, to strengthen the information sharing and analysis of information security of all industry involved. According to the strategy, the METI established the Information Security Policy Council (ISPC) and the National Information Security Center (NISC) under the subordination of the Cabinet Secretariat in order to reach a goal of dependable society of information security.1 Finally, the information security policies more directly related with the CIIP are the Action Plan on Information Security Measures for Critical Infrastructure and the Standards for Information Security Measures for the Central Government Computer Systems, both of which regulate CI-related threats, information security standards, public-private partnership information sharing system, and the levels of information security standards between different governments and critical infrastructures, respectively. 3. Oraganization Framework Generally speaking, the Cabinet Secretariat is the main division of the CIIP and the information security for the Japanese government, while the ISPC and the NISC established under the Cabinet Secretariat in 2005 are the core organizations for the development of the CIIP policy. In addition, the National Policy Agency (NPA) and the Ministry of Internal Affairs and Communications (MIC) also played an important role in assisting the Cabinet Secretariat with critical infrastructure protection. The part of public-private partnership is covered by the CEPTOAR which takes the responsibility for information sharing and analysis of information security between the government and private organizations. 4. Notification System For critical infrastructure protection, Japan has set up a warning and notification system in addition to the emphasis on fundamental information security protection. With the concept of public-private partnership, various messages related with information security are analyzed and shared in order to prevent information security incidents from occurring. The network of notification system in Japan mainly consists of several organizations as listed below. (1) National Incident Response Team The National Incident Response Team (NIRT) which is the information security office under the Cabinet Secretariat in the organization framework belongs to the Computer Emergency Response Team (CERT)2 and is first in line in the government to handle internet emergencies. According to the Action Plan for Ensuring e-Government's IT Security, the NIRT which consists of 17 experts from the government and the private organizations is responsible to (1) accurately understand and analyze emergencies, (2) develop technical strategies to solve and rehabilitate emergencies to prevent incidents from reoccurrence, (3) provide other governmental organizations the assistance to solve the information security issue, (4) collect and analyze information or intelligence so that effective solutions and strategies may be provided when an incident happens, (5) provide the governmental organization with professional knowledge and information, and (6) enhance and improve all knowledge pertinent to information security. (2) Computer Emergency Response Team Coordination Center The Japan Computer Emergency Response Team Coordination Center (JPCERT/cc) is the first Computer Security Incident Response Team (CSIRT) established in Japan. It consists of internet service suppliers, security products/service suppliers, governmental agencies, and associations of industry & commerce. The JPCERT/CC is also a member of the Asia Pacific Computer Emergency Response Team (APCERT) and a member of the Forum of Incident Response and Security Teams (FIRST). It coordinates and integrates prevention measures pertinent to information security and is consistent with other CSIRTs. (3) Telecom Information Sharing and Analysis Center In Japan, besides the mechanism responsible to notify the government, which functions as a bridge for communication between it and all those outside of it, the mechanism of information sharing and notification is also established among industries to provide each with a channel for information exchange and consultation. In 2001, Japan established the Telecom Information Sharing and Analysis Center Japan (Telecom-ISAC Japan). In addition to real-time inspection for computer intrusion incidents and conducting information collection and analysis, the Telecom-ISAC Japan proposes to e-government many suggestions related with the Transact-SQL issue as well. The reasons for launching the Telecom-ISAC are to instantaneously detect a computer intrusion incident, and to instantaneously gather and analyze its information, and then exchange this with other telecom carriers and offer them relevant countermeasures for precaution; so that in can reach the goal of ensuring telecom security since it is an important infrastructure concerning social economy. (4) Cyber Force The reasons for launching the Cyber Force are to maintain the security to use the internet by regularly "patrolling" it, searching for evidence of internet crime, and to notify the critical infrastructure operators about any unusual internet use so as to prevent the occurrence of cyber terror attacks. The Cyber Force also assists operators to solve and diminish the damage and influences when an incident occurs. (5) Portal Site of National Police Agency The National Police Agency owns the portal site "@police". It exists to prevent large-scale cyber emergencies and to provide gathered information concerning information security to government. In addition to providing the techniques related with the safe use of computer networks, @police is also dedicated to educating internet users about the concept of information security and to increase security awareness. (6) Ministry of Economy, Trade and Industry Since 1990, the Ministry of Economy, Trade and Industry (METI) has cooperated with the JPCERT/CC and the Information Technology Promotion Agency (IPA) to provide reports on virus, intrusion, and the damage caused by them, to remind the public to pay attention. 5. Legal Norms The laws regarding critical infrastructure protection in Japan are illustrated as follows: (1) Unauthorized Computer Access Law of 1999 The Unauthorized Computer Access Law includes various conducts such as cyber intrusion, and data thefts, into the norms of criminal punishment to deter cyber crimes from spreading in order to ensure the safety of the critical information infrastructure. (2) Act on Electronic Signatures and Certification Business of 2000 With the formulation of the Act on Electronic Signatures and Certification Business, the smooth promotion of the electronic signature system is ensured and the circulation and process of electronic communication can be fostered further. (3) Basic Law on Formation of an Advanced Information and Telecommunication Network Society of 2001 Through the formulation of the Basic Law on Formation of an Advanced Information and Telecommunication Network Society, the legal basis to execute an information technology policy is enhanced, and the direction and job content for the government to execute this policy is explicitly stated. 1.http://www.nisc.go.jp/eng/pdf/national_strategy_001_eng.pdf(last accessed date: 2009/07/20). 2.http://www.nisc.go.jp/en/sisaku/h1310action.html(last accessed date: 2009/07/20).Research on the Introduction of Privacy Protection Management Mechanisms and Data Value-Added Services into Communications Enterprises in 2020
Research on the Introduction of Privacy Protection Management Mechanisms and Data Value-Added Services into Communications Enterprises in 2020 2021/12/09 I. Introduction The global economy is shifting away from traditional economic models towards an emerging digital era as technology advancement and new applications are introduced. The rapidly changing digital age has led to a gradual transformation in the way digital technology is used in the industry, thereby driving the overall growth of the global digital economy. The digital economy is driven by "data," and how data is used, its purpose, risks and regulation are all inextricably intertwined with industrial development and application, as is the case for the communications industry. As such, while the free circulation of data has become central to international free trade and economic operations, it is not only conducive to the promotion of transnational business and economic and trade interactions, but also fraught with worry and concern over how to ensure the protection and security of personal data and privacy. As a result, the issue of how to adapt the data risk control mechanism and related complementary measures so that they can be applied to the industry and comply with regulatory requirements has become a global reality that must be actively addressed. As far as Taiwan is concerned, when considering how to cope with industry needs, there is a pressing need to strike a balance between personal data and international regulatory requirements, and to expedite the legitimate utilization of personal data protection and data value-added service in the sector in an effort to facilitate the development of the digital economy. II. Recommendations on Data Governance and Innovative Application Planning. According to the aforementioned international data strategies and strategies for innovative data applications, the development of the data economy as a whole is driven by the formulation of overall superior policies, with a view to fully utilizing the potential value of data and building a vibrant ecosystem suited for innovative data applications. With the outbreak of COVID-19 this year, the application of data will be crucial in the post-pandemic era. It is also observed that data applications are gradually moving towards cross-boundary sharing and reuse, and empowerment of data subjects, and therefore, in light of the above observations and findings, we offer recommendations on data governance and innovative application planning. First, as for the establishment of a ministry and mechanism for data application and communication, since there is no single dedicated authority in Taiwan, and the formation of a ministry for science and technology development is now under intense discussion, data application may become an important function of the ministry, so we have to consider an authority for data application and communication. Further, there is currently no sandbox mechanism for data application in Taiwan. Reference should be made to the British data communication mechanism for providing legal advice and consultation sought on data application regulation. Second, with regard to the formulation of regulations and amendments to existing laws relating to data applications, the most noteworthy is the EU Data Governance Act 2021. Taiwan does not have a complete and appropriate legal framework for data application, except for the Freedom of Government Information Law, the Personal Data Protection Act (PDPA) and the relevant laws and regulations distributed in various fields, and the nation is currently seeking an adequacy decision from the EU, and therefore our PDPA needs to be amended accordingly, yet no progress has been made at this stage. Consequently, a comprehensive strategy should be developed by taking into account both the formulation of the basic data application regulations and the amendments to the current PDPA, in order to achieve long-term data governance and application and sharing. Lastly, in terms of the incorporation of the concept of data empowerment and the design of the mechanism, the international trend moves towards data empowerment to give data subjects more control over their data. The Financial Supervisory Commission (FSC) of Taiwan has also incorporated this idea in its open banking, so has the National Development Council’s (NDC) MyData program. As such, it is suggested that the government should provide guidelines or devise the relevant system, or even make reference to the Japanese data bank mechanism regarding the establishment of intermediaries to assist consumers in managing their data, which could be used as a reference for the design of the mechanism in the future. III. Accountability for and Management of Data Use in Enterprises Among the countries studied regulation of Singapore and Taiwan are similar and have adopted the development of digital economy as their main economic strategy, but Singapore has been more proactive than Taiwan in the design of the legal system to facilitate the use of data. Therefore, with regard to the control of data use in businesses by the competent authorities, this Project, by looking at the amendment to the Singaporean PDPA, aims to reinforce the regulation of the accountability system and the operation of the existing series of guidelines. From the changes in Singapore's PDPA, it can be observed that the competent authorities can refer to the practices of enterprises in the use of data. First of all, the existing regulations in Taiwan tend to have more about compliance than accountability, with emphasis being placed on data security maintenance and compliance with the PDPA. For instance, Taiwan’s “Regulations Governing Security Measures of the Personal Information File for Non-government Entities Designated by National Communications Commission” focus on following the law on the use of personal data. Nonetheless, the so-called accountability means that the competent authorities must oversee the implementation of data protection measures and policies of enterprises, not just pro forma compliance with the letter of the law. The second observation is that Singapore is quite proactive in addressing the need for data use in the development of its digital economy by making an exception to innovative uses regarding informed consent. The inclusion of data portability also represents a heightened control of the data subject. These amendments are all related to Singapore's policy of actively developing its smart nation initiative and signify a more proactive approach by the authorities in monitoring the use of data by businesses. Taiwan needs to be more open and precise in regulating the use of data for the development of its digital economy. Finally, there is increased flexibility in enforcement, as authorities can resolve disputes between subjects over data use more quickly through the introduction of mediation or other alternative dispute resolution (ADR) mechanisms. Meanwhile, the Personal Data Protection Commission (PDPC) has developed industry-specific consultation guidelines, recognizing that there may be specific issues for different industries. The PDPC noted that these guidelines are based on the partnerships, consultations and feedback associated with the relevant industries, and close collaboration with the industry's authorities of target businesses. IV. Conclusion Despite the lack of a dedicated authority for personal data protection, Taiwan can first build a cross-industry coordination and communication platform, and then collaborate across ministries to primary integrate standards in personal data protection to facilitate the needs of industrial innovation in the digital economy.Development Trend of Information Communication Technology Related Laws
In light of the influence on social security of Internet-related crime, in 2007 Taiwan passed the amendment to the Communication Protection and Inspection Act (CPIA) to update the articles relating to the surveillance of Internet-related crimes. Moreover, the notification obligator clause was added to the Child and Adolescent Sex Trade Prevention ACT (CASTPA), and the penalty for copyright infringement over the Internet was prescribed in the Copyright Act in order to stop Internet-related crimes. 1. Amendment to the CPIA On 15 June 2007, the legislature of Taiwan passed the amendment to the CPIA which was promulgated by the President of Republic of China on 11 July 2007. The amendment mainly concerns the update of the power of issuing surveillance warrants, the scope of emergency surveillance, the supervisory agencies of relevant surveillance activities, and the evidence power of illegal surveillance. The amendment will be brought into force in five months. Currently, a surveillance warrant is issued (1) by the district prosecutor following an application made by the police or based on his authority for cases under investigation; and (2) by the judge based on his power for cases on trial. According to Article 5.2 of the amended CPIA, for cases under investigation, the district prosecutor should record the details of surveillance in writing following the applications made by the judiciary police or based on his authority and should state the reasons and submit relevant documents before applying to the jurisdiction court for the issue of the surveillance warrant. The district prosecutor should approve and reply to the applications made by the judiciary police within 2 hours. For cases of greater complexity, the approval and reply time may be extended for another 2 hours with the consent of the chief district prosecutor. After receiving an application for a surveillance warrant from the district prosecutor, the jurisdiction court should approve and reply to the application within 24 hours. For cases on trial, a surveillance warrant should be issued by the judge based on his authority. Also, the judge may give appropriate instructions for the surveillance in the warrant. Moreover, if an application for a surveillance warrant is rejected by the court, the district prosecutor should make no objection in any form. In other words, the power of issuing a surveillance warrant for cases under investigation has been transferred from the district prosecutor to the judge. Furthermore, the law-enforcement authorities are given the right to initiate an “emergency surveillance” before application during the investigation of serious criminal cases according to Article 6 of the CPIA. In an investigation of serious criminal cases involving obstruction of voting, kidnapping, offence of the President and Vice President Election and Recall Act, the judiciary police may request the district prosecutor to orally notify the implemental authorities of an emergency surveillance. However, the district prosecutor should report to the jurisdiction court to apply for a make-up issue of the surveillance warrant within 24 hours. The district prosecutor’s office should appoint a responsible district prosecutor or a head district prosecutor as the emergency contact for cases involving emergency surveillance. The court should also assign a special window to take charge of the applications for surveillance warrants made by the district prosecutor, and should issue a make-up surveillance warrant within 48 hours of the acceptance of the application. Should the make-up surveillance warrant not be issued within 48 hours, the emergency surveillance should be terminated immediately. The district prosecutor, the court of law and agencies taking charge of the country’s intelligence work are responsible for the supervision of surveillance. According on Articles 12 and 16 of the amended CPIA, regulations governing the period and supervision of surveillance are summarized as follows: (1) The period of surveillance should not exceed 30 days for serious and emergency cases involving endangering national security or social order and blackmailing as in Article 5 of the CPIA; or for cases involving obstruction of voting, kidnapping and offence of the President and Vice President Election and Recall Act as in Article 6 of the CPIA. The responsibility of supervision is the district prosecutor's office for cases under investigation and the court of law for cases on a trial. (2) The period of surveillance should not exceed 1 year for collecting information of foreign powers or offshore opposing powers as in Article 7 of the CPIA. Intelligence authorities should send agents to supervise the electronic surveillance equipment or to the supplier of surveillance equipment to supervise the conditions of surveillance. Should continual surveillance be needed, the implemental agency should submit concrete reasons to make a second application for surveillance two days before the end of the first surveillance period. However, the surveillance should be terminated immediately when the chief of the intelligence agency believes that it is no need to continue the surveillance before the end of the surveillance period. Lastly, the exclusivity of the evidence power of information collected from illegal surveillance is added to Articles 5, 6, 7 and 32 of the amended CPIA. According to Articles 5 and 6, should the surveillance involve severe offence of regulations, the information or evidence collected from the surveillance will not be accepted as evidence in a judiciary investigation, a trial or relevant procedure. Additionally, according to Articles 7 and 32, information or evidence collected from illegal surveillance will not be accepted as evidence in a judiciary investigation, a trial or relevant procedure. The severity of the offence should be determined by the judge based on individual cases. 2. Amendment to the CASTPA Child pornography is easily distributed because of the advancement of Internet communication; and the prepubescent pornography market is expanding as a result. The legislature of Taiwan thus passed on 15 June 2007 the amendment to the CASTPA that was promulgated by the President of Republic of China on 4 July 2007. In the amendment, neighborhood heads, ISPs and telecommunication system providers are the obligator of notification, and “possessors” of child pornography are to be penalized. According to the explanatory statement of the act, child pornography is the permanent record of the abuse of the victims. This will inflict continual damage on the victims. Moreover, child pornography is considered a “serious child exploitation” all over the world. Therefore, there is an international understanding to penalize the possession of child pornography. Before the amendment, Article 28 of the statue simply penalizes people distributing and selling child pornography in the form of disc, videotape and printing. Those deliberately distributing, broadcasting and/or selling child pornography in the form of pictures, videotape, film, disc, electronic signal or other form will be penalized by imprisonment for a term of less than 2 years and with a fine of under NT$2 million. [In the amendment,] those deliberately distributing, broadcasting and/or selling child pornography are penalized and imprisonment for a term of less than 3 years and with a fine of under NT$5 million. While child pornography inflicts continual damage on the victims, Article 28.3 has been added to statute. According to this new Article, those in possession without a proper reason of pictures, films, videotapes, discs, electromagnetic recordings and/or other articles containing sexual intercourses or acts of indecency by people under 18 are to be penalized. In this case, the “possession” of child pornography is penalized. The penalization falls into two stages: competent authorities of municipalities and local counties and cities may order the offender to receive guidance education for 2-10 hours if he/she is detected possessing child pornography without a proper reason for the first time; if offenders are detected for the second time or more, they will be fined NT$20000 to NT$200000. The amendment also refers to the legislation in Canada and the Netherland to reduce the scope of “proper reasons for possession” to scientific study, education and for medical treatment purposes in order to protect prepubescent children from sexual exploitation. Moreover, the amendment has expanded the scope of the notification obligator by including ISPs and telecommunication system providers as the notification obligator. While the Internet and mobile phones are widely used by the public and prepubescent children often receive pornographic information via the chat rooms on the Internet and SMS, this will cause many side effects on prepubescent children in the absence of appropriate management and protection. According to the statistics provided by the Ministry of the Interior, about 300 prepubescent children are sexually assaulted every year from online dating. According to The Garden of Hope Foundation, 40% of sex trade with prepubescent girls found in Taipei County during 2003-5 was conducted over the Internet, and it was 100% for prepubescent boys. It is thus clear that the Internet has become a platform for distributing child pornography. ISPs and telecommunication system providers are included as the notification obligator in Article 9 of the amended statute. Therefore, if they do not notify the authorities in the knowledge of child pornography, they will be fined NT$6000-NT$30000 according to Article 36 of the statue. Therefore, neighborhood heads, ISPs and telecommunication system providers must notify the local competent authorities or authorities specified in Article 6 of any prepubescent children who engage or probably engage in the sex trade in their knowledge. This is designed in order to strengthen the notification and prevention functions and to effectively stop those who deliberately use chat rooms on the Internet and SMS to engage in true sex trade in the disguise of online dating. Though the scope of notification obligation has been expanded in the amendment to the CASTPA to strengthen the notification and prevention mechanisms of prepubescent children sex trade and to define the notification obligations of the supplier and provider of SMS, network chat rooms, BBS, blogs and e-news services, many problems arise as a result. First, when telecommunication system providers have the obligation of notification, they also need to submit relevant evidence. However, this may involve the infringement of privacy of communication. If telecommunication system providers must not commit illegal surveillance, they are unable to acknowledge the contents of communication of consumers. In this case, how can they notify any crime? On the other hand, though information over the Internet is open to the public, it is a tough question for law enforcement officers to provide solid evidence proving that the administrator of online chat rooms and blogs has failed to perform his obligation of notification. 3. Amendment to the Copyright Act The online music downloading service debate has become a heated issue in recent years for the following reasons: “to select only the songs I like”, “comprehensive repertoires”, and “convenience”. According to the Online Music Downloading Survey by the Secure Online Shopping Association (SOSA), 85% consumers have tried the online music downloading service, thus giving rise to the comprehensive online music downloading software and services. However, to attract consumers with files containing unlicensed music, video or other files and charge users of such services, some ISPs provide computer programs or technologies, e.g. point-to-point (P2P), for users to exchange such outlawed materials and charge users for such services. Such acts of making profit from copyright infringement has inflicted disputes in copyright infringement. For example, the IFPI’s accusation in 2003 of Kuro, a P2P platform provider, is the first convicted case of P2P music downloading service in Taiwan. Though the software supplied by Kuro is a neutral technology which is not illegal, Kuro recruited members and charged them membership fees for allowing them to illegally downloading, exchanging and reproducing a large amount of unlicensed copyrighted materials with such software and the platform services it supplies. Kuro also advertised that consumers can download tens of thousands of the latest popular songs with the Kuro software and even encouraged members to download them. Therefore, the court decided that Kuro and its members who have practically downloaded copyrighted music illegally are guilty of copyright infringement. On the other hand, ezPeer, another P2P downloading platform provider, was not found guilty of copyright infringement because no law was practiced at that time to prohibit or restrict the use of P2P software. Also, as a transfer platform, ezPeer offers comprehensive functions and it is thus not a tool for committing crime. Even some users transfer or download unlicensed copyrighted materials with this tool, there is possibility for the non-liability reasonable use. Moreover, ISPs have no filtering obligations in the Copyright Act of the ROC. Therefore, even consumers may use the services for illegal activities, P2P service providers are not an accomplice. Therefore, to define the liabilities of P2P platform providers, the legislature of Taiwan passed on 14 June 2007 the amendment to the Copyright Act to include P2P software providers in governance of the act. In the future, platform providers will be prohibited by the Copyright Act from charging members for unlicensed activities. New objects of copyright infringement are added to the amendment, and the amendment includes the addition of Article 87.1.7, 87.1.2, and 97.1; and the revision of Article 93.4. According to Article 87.1.7, attempt to allow the public to openly transfer or reproduce works of others without prior consent or licensing from the owner is copyright infringement, and supply of computer programs and/or technologies that can be used for public transfer and/or reproduction of such for the purpose of making profits is deemed as copyright infringement. As the supplier of computer programs and/or technologies is the focus of this article, behaviors categorized based on this article must also meet the following requirements: (1) attempt to allow the public to download and/or transfer over the Internet copyrighted materials without prior consent or licensing of the copyright owner; (2) the act of supply of computer programs and/or technologies; (3) and making profits from such behaviors. In other words, the focus of the amendment is to prohibit providers by written law from supplying computer programs and/or technologies for users to transfer and/or exchange unlicensed music, video and/or other copyrighted materials and from charging users or making profits from such services. However, the amendment has adopted the principle of technology neutrality and specifies that P2P software providers will only be penalized when they have the act of making profit and the intention of copyright infringement in order not to prevent technological development and to save ISPs from breaking the law all the time. As the “intention” of copyright infringement is the criterion of judgment, Article 87.2 is added to the Copyright Act in the present amendment. According to this article, whether or not the doer instigates, guides or incites in advertisements or other active actions the public to use the computer programs and/or other technologies it supplies to commit copyright infringement is the criterion for determining the “intention” of copyright infringement. Also, the court will determine with severity whether or not the advertisements or other active actions are ready for instigating, guiding or inciting the public use the computer programs and/or other technologies the doer supplies to commit copyright infringement. In general, when providers offer services, such as web photo albums, BBS, instant messengers, auctions, web disks and online discussions, it is not their initial intention to supply software and/or technologies for users to illegally download and/or transfer the copyrighted materials of others, nor do they encourage, instigate, guide, incite and/or convince users to commit copyright infringement. Even such software can be used for transferring and/or distributing unlicensed copyrighted materials, providers must not be restricted, and it should be the users who take the liability of copyright infringement. After the enactment of the amendment, providers who make profit from supplying software for others to distribute unlicensed copyrighted materials and encourage users to exchange such materials with the software are to be penalized by imprisonment for a term of less than 2 years, community service, or fined, or penalty together with a find of under NT$500000 according to Article 93. Moreover, by adding Article 97.1, the competent authorities are entitled to order ISPs to shutdown or close the business when they are convicted for the abovementioned offences and refuse to stop such illegal acts after being determined for “severe copyright infringement” and “severely injury of the benefits of the copyright owner”. After this amendment of the Copyright Act, service providers can no longer use the excuse “we simply provide a service platform and have no right to check the behavior of consumers” as an escape of their liabilities. In fact, P2P service providers who charge users monthly fees for the P2P software, such as Kuro and ezPeer, have already signed licensing agreements with music companies before the enactment of this amendment. Therefore, the music they provide for users to download is no more unlicensed copyrighted materials. Therefore, the amendment has certain effect on improving copyright protection.