Online Digital Content Protection issues in Taiwan

　　Artificial Intelligence has become a worldwide center topic that attracts lots of attention in recent years. Most topics emphasize on the application of this technology and its implication to the economic of human society. Fewer emphasize on the more technical part behind this technology. Mostly the society of human emphasizes on the bright side of this technology. 　　However, seldom do people talk about the possible criminal usage that exploits this technology. The dark side easily slips one’s mind when one is immersed in the joy of the light. And this is the goal of this paper to reveal some of this possible danger to the public, nowadays or in the future, to the readers. I. What A.I. IS HERE: a brief history 　　First we will start by defining what we mean when referring to “Artificial Intelligence” in this paper. 　　First of all, the so-called “Artificial Intelligence” nowadays mainly refers to the “Deep Learning” algorithm invented by a group of computer scientists around 1980s, among which Geoffrey Everest Hinton is arguably the most well-known contributor. It is a kind of neural network that resembles the information processing and refinement in human brain, neurons and synapses. 　　However, the word A.I. , in its natural sense, contains more than just “Deep Learning” algorithm. Tracing back to 1950s, by the time when the computer was first introduced to the world, there already existed several kinds of neural networks. 　　These neural networks aims to bestow the machines the ability to classify, categorize a set of data. That is to give the machine the ability to make human-like reasoning to predict or to make induction concerning the attribute of a set of data. 　　Perceptron, as easy as it seems, was arguably the first spark of neural network. It resembled the route of coppers and wires in your calculator. However, due to its innate inability to solve problems like X-OR problem, soon it lost its appealing to the computer scientists. Scientists then turned their attention to a more mathematical way such as machine learning or statistics. 　　It wasn’t until 1980s and 2000s that the invention of deep learning and the advance of computing speed fostered the shift of the attention of the data scientist back to neural networks. However, the knowledge of machine learning still hold a very large share in the area of artificial intelligence nowadays. 　　In this sense, A.I. actually is but a illusive program or algorithm that resides in any kinds of physical hardware such as computer. And it comprises of deep learning, neural network and machine learning, as well as other types of intelligence system. In short, A.I. is a software that is not physical unless it is embedded in physical hardware. 　　Just like human brain, when the brain of human is damaged, we cannot make sound judgement. More worse, we might make harmful judgement that will jeopardize the society. Imagine a 70-year-old driving a car and he or she accidentally took the accelerator for the break and run into crowds. Also like human brain, when a child was taught to misbehave, he, when grown up, might duplicate his experience taught in his childhood. So is A.I.. As a machine, it can be turned into tools that facilitate our daily works, weapons that defend our land, and also tools that can be molded for criminal activities. II. Types of Criminal Activities Concerning Possible Artificial Intelligence Usage: 1. Smart Virus 　　Probably the first thing that comes into minds is the development of smart virus that can mutate its innate binary codes so as to slip present antivirus software detection according to its past failure experience. In this case, smart virus can gather every information concerning the combination of “failure/success of intrusion” and “the sequence of its innate codes” and figure out a way to mutate its codes. Every time it fails to attack a system, it might get smarter next time. Under the massive data fathered across the world wide internet, it might have the potential to grow into an uncontrollable smart virus. 　　According to a report written in Harvard Business Review [1], such smart virus can be an automatic life form which might have the potential to cause world wide catastrophe and should not be overlooked. However, ironically, it seems that the only way to defend our system from this kind of smart virus is to deploy the smart detector which consists of the same algorithm as the smart virus does. 　　Once a security system is breached, any possible kinds of personal information is obtainable. The devastating outcome is a self-proved chain reaction. 2. Face Cheating 　　An another possible kind of criminal activity concerning the usage of artificial intelligence is the face cheating. 　　Face Lock has been widely-used nowadays, ranging from smart phones to personal computers. There is an increase in the usage of face lock due to its convenience and presumably hard-to-cheat technology. The most widely-used neural network in this technology is the famous Convolution Neural Network. It is a kind of neural network that mimics the human vision system and retina by using max-pooling algorithm. However there are still other types of neural networks capable of the same job such as Hinton Capsule, etc.. 　　According to a paper by Google Brain [2], “adversarial examples based on perceptible but class-preserving perturbations can fool this multiple machine learning models also fool time-limited humans. But it cannot fool time-unlimited humans. So a machine learning models are vulnerable to adversarial examples: small changes to images can cause computer vision models to make mistakes such as identifying a school bus as an ostrich.” 　　Since the face detection system is sensitive to small perturbation in object-recognition. It might seem hard to cheat a face detection system with another similar yet different face. 　　However, just like the case in the smart virus, what makes artificial intelligence so formidable is not its ability to achieve high precision at the first try, but its ability to learn, refine, progress and evolve through numerous failure it tasted. Every failure will only make it smarter. Just like a smart virus, a cheater neural network might also adjust its original synapse and record the combination of “failure/success of intrusion” and “the mixture of the matrix of its innate synapse” and adjust the synapses to transform a fault face into a authentic face to cheat a face detection system, possibly making the targeted personal account widely available to all public faces through face perturbation and transformation. 　　A cheater neural network might also tunes its neurons in order to fit into the target face to cheat the face detection system. 3. Voice Cheating 　　An another possible kind of criminal activity concerning the usage of artificial intelligence is the voice cheating. 　　Just like Face Cheating, when a system is designed to be logged in by the authentic voice of the user, the same system can be fooled using similar voice that was generated using Artificial Intelligence. 4. Patrol Prediction 　　There is quite an unleash in the area of crime prediction using Artificial Intelligence. According to a paper in European Police Science and Research Bulletin [3], “Spatial and temporal methods appear as a very good opportunity to model criminal acts. Common sense reasoning about time and space is fundamental to understand crime activities and to predict some new occurrences. The principle is to take advantage of the past acknowledgment to understand the present and explore the future.” 　　In this sense, the police is able to track down possible criminal activities by predicting the possible location, time and methods of criminal activities by using Artificial Intelligence, lengthening the time of pre-action and saving the cost of unnecessary human labor. 　　Yet the same goes for criminal activities. The criminals is also able to track down the timing, location, and length of every patrol that the police makes. The criminal might be able to avoid certain route in order to achieve illegal deals or other types of criminal activities. Since fewer criminals use A.I. as a counter-weapon to the police, the detection system of the policy will not easily spot this outliers in criminal activities, making these criminal activities even more prone to success. If this kind of dark technology is combined with other types of modern technology such as Drone Navigation or Drone Delivery, the perpetrators might be able to sort out a safe route to complete drug deals by using Artificial Intelligence and Drone Navigation. III. A.I. Cyber Crimes and Criminal Law: Who should be responsible? 　　What comes out from the law goes back to the law. With these kinds of possible threats in the present days or in the future. There is foreseeably new kinds of intelligent criminal activities in the near future. What can Law react to these potential threats? Is the present law able to tackle these new problems with present legal analysis? The question requires some research. 　　After the Rinascimento in Europe in 17th century, it is almost certain that a civilian has its own will and should be held liable for what he did. The goal of the law to make sure this happens since a civilian has its own mind. Through punishment, the law was presumed to guarantee that a outlier can be corrected by the enforcement of the law, which is exactly the same way in which a human engineer trains a artificial intelligence system. 　　However, when 21th century arrives, a new question also appear. That is, can Artificial Intelligence be legally classified as subject that have mental requirement in the law, rather than just more object or tools that was manipulated by the perpetrators? This question is philosophical and can be traced back to 1950s when a Turing Test was proposed by the famous English computer scientist Alan Turing. 　　Some scholars proposed there could co-exist three kinds of liability. That is, solely human liability, joint human and A.I. entity liability, and solely A.I. entity liability ([4], p.95). The main criterion for these three classes is that whether a human engineer or practitioner is able to foresee the outcome of this damage. When a damage attributable to the A.I. system cannot be foreseen by human engineer, it might be solely A.I. entity liability. Under this point of view, the present criminal system is self-content to deal with A.I. entity crimes, for all we need to do is to view an A.I. system as a car or a automobile. 　　So from the point of view of the law, as a training system designed to re-train human in order to stabilize the social system, all we need to do is focus our attention of the act of human itself. 　　Yet when a super intelligence A.I. entity was developed and is not controllable and its behavior is not foreseeable by its creators, should it be classified as an entity in the criminal law? 　　If the answer is YES, however, it is quite meaningless to punish a machine in this circumstance. All we can do is re-train, re-tune, and re-design the intelligence system under such circumstance. For the machine, re-training itself is some kind of punishment since it was forced to receive negative information and change its innate synapse or algorithm. Yet it is arguable that whether training itself is actually a punishment since machine can feel no pain. Yet, philosophically what pain really is, is also arguable. IV. Conclusion 　　Across the history of human, it is almost destined that whenever a new technology is introduced to solve an old problem, a new one is to be created by the same technology. It is like a curse that we can never escape, and we can only face it. This paper finds that seldom do people talk the dark side of this new technology. Yet the potential hazard this technology can bring should not be over-looked. Ironically, this hazard that this new technology brings seems to be solvable only by the same technology itself. There might be an endless competition between the dark side and the bright side of the A.I. technology, bringing this technology into another level that surpasses our present imagination. 　　However, it is never the fault of this technology but the fault of human that mal-practice this technology. So what can a law do in order to crack down these kinds of possible jeopardy is going to be a major discuss in the legal area in the near future. This paper introduces some topics and hopes that it can draw more attention into this area. Reference: [1] Roman V. Yampolskiy, “AI Is the Future of Cybersecurity, for Better and for Worse”, published at: https://hbr.org/2017/05/ai-is-the-future-of-cybersecurity-for-better-and-for-worse. [2] Gamaleldin F. Elsayed, Shreya Shankar, Brian Cheung, Nicolas Papernot, Alex Kurakin, Ian Goodfellow, Jascha Sohl-Dickstein, “Adversarial Examples that Fool both Computer Vision and Time-Limited Humans”, arXiv:1802.08195v3 [cs.LG], 2018. [3] Patrick Perrot, “What about AI in criminal intelligence? From predictive policing to AI perspectives”, No 16 (2017): European Police Science and Research Bulletin. [4] Gabriel Hallevy, “When Robots Kill_Artificial Intellegence under Criminal Law”, Northeastern Universoty Press, Boston, 2013. [5] Gabriel Hallevy, “Liability for Crimes Involving Artificial Intelligence Systems”, Springer International Publishing, London, 2015.

Introduction of the Revision of Article 22 and the Addition of Article 67-3 of the Statute for Industrial Innovation 2025/06/04 I. Foreword Taiwan is enhancing overseas investment screening and technology security through modifications to the Statute for Industrial Innovation (hereinafter the Statute). The current updated Statute has demonstrated the international trend in tightening control over technology sector through means of investment. In a globalized arena of technology competition, Taiwan is spearheading the development of such a control mechanism. At the outset, the Statute was enacted in 2010 for elevating industrial innovation, improvement of the industrial environment and enhancement of industrial competitiveness. It’s broadly inclusive in the sectors within the purview of its governance in agricultural, industrial and service businesses. On April 18, 2025, the Legislative Yuan passed a bill modifying several provisions, including Article 22 and the newly added Article 67-3. Subsequently, on May 7, 2025, the President of the Republic of China (Taiwan) promulgated the modified provisions, including Article 22 and the newly added Article 67-3. The effective dates for Articles 22 and 67-3 will be determined by the Executive Yuan. The Statute has now been revised to reflect the growing geopolitical and economic pressures Taiwan faces as a global leader in semiconductors and high-tech manufacturing in response to increasing concerns over technology security and capital outflows. The critical essence here to safeguard key know-how lies in Article 22 and 67-3. Article 22 governs the approval process for overseas investments, while Article 67-3 stipulates penalties for non-compliance. The revised Article 22 now is explicitly allowing the Ministry of Economic Affairs (hereinafter MOEA) to reject or conditionally approve outbound investments if they are deemed to fit into certain conditions. Together with the newly-added Article 67-3, those who are violating Article 22 will be subject to penalties. These amendments reflect a broader regulatory shift toward strengthening screening of outbound investments, particularly in sectors involving sensitive technologies. This article discusses the current legislative trend and the implication of latest statutory revision on Article 22 and 67-3. II. Article 22: Expanding the Scope of Investment Screening Under its original form, Article 22 required company incorporated in accordance with the provisions of the Company Act of Republic of China (Taiwan) to obtain prior approval from relevant authorit(ies) for overseas investments exceeding NTD one and a half billion (approximately USD forty-eight million). This threshold-based approach was primarily designed to monitor large-scale capital outflows and ensure such investments aligned with national industrial policy. However, the latest amendment significantly redefines the scope of the authority’s review. Firstly, the subject matter of the Statute has been expanded to include juridical person organized and registered pursuant to the Limited Partnership Act of Republic of China (Taiwan). Therefore, persons subject to the application of the Statute are now limited partnerships and companies registered according to the applicable law. Secondly, Article 22 now provides foundation to the MOEA to require prior approval for outbound investments based not only on the investment amount but also on the nature, destination and strategic importance of the investment. Specifically, the amendment allows the MOEA to review and disapprove when it is determined the investment is of: 1. Impact on national security, such as defense and military 2. Impact on national economic development with significant adverse effects, such as undermining the supply chain resilience and security of Taiwan’s internationally leading position in or key industries of. 3. Influence on the Government to comply with international treaty, agreement or pact, such as the overseas investment or operation of the company influencing the Government to sign or voluntarily comply with international treaties agreement or pact, or is a breach of implementation of relevant treaties, agreement or pact. 4. Violation of the Labor Standards Act entailing major labor-capital issues that have yet to be resolved, such as malicious closure of factory closure and relocation of capital that affects labors' rights. In fact, similar provision regulating investment for the concern of national security is not new. A comparable regulatory mechanism may be traced back to Article 3 of the MOEA Guidelines for Reviewing and Supervising Investments in Semiconductor and LCD Panel Industries in Mainland China (在大陸地區投資晶圓鑄造廠積體電路設計積體電路封裝積體電路測試與液晶顯示器面板廠關鍵技術審查及監督作業要點, hereinafter the Guidelines). The Guidelines require that investments, such as establishing or acquiring 12-inch wafer foundries, IC design, packaging and testing operations exceeding USD fifty million, or LCD panel plants in Mainland China be subject to investment review by a Key Technology Task Force convened by the MOEA. Notably, this task force may include representatives from national security agencies, underscoring the long-standing policy to integrate security considerations into industrial and investment regulation. The alignment of the amended Statute with these existing security-based review frameworks reflects a broader institutionalization of national security as a key factor in Taiwan's outbound investment governance. In considering the above factor and in evaluating the conditions on the approval process, the amended Article 22 has added that the MOEA is authorized to consult with relevant authorities on providing the rules implementing the review of the specific investment destination country or regions, the specific industry or know-how, the threshold investment amount, the application procedures and other compliance matters. Importantly, the MOEA may fully or conditionally reject application of approvals if the investment is deemed to be contrary to national interests. This expanded regulatory framework is aimed at preventing the leakage of critical technology and intellectual capital to particular countries or regions that may pose strategic or economic risks to Taiwan. It aligns with global trends where countries are re-evaluating their foreign investment regimes to address national security concerns. III. Article 67-3: Aligning with the Purpose of Revision of Article 22 Through Stronger Penalties The newly added Article 67-3 introduces a robust penalty regime to enforce compliance with the amended Article 22. Previously, the Statute did not provide penalties for parties’ failure to seek required investment approvals. However, such a provision lacked sufficient enforcement mechanisms. Therefore, to prevent leakage of key know-how leading to erosion of industry competiveness and forming foundation to the threat of the country, for purpose of legal compliance, Article 67-3 has explicitly laid out the consequences to violation of Article 22. Under the revised provisions, companies that fail to comply with investment approval rules now face: 1. Fine(s) not less than NTD fifty thousand and not more than NTD one million and; 2. Mandatory withdrawal from the overseas venture, order of correction, cease the investment, where applicable. 3. In the event that the violator fails to comply with imposed conditions or fails to rectify the violation within the required time limit, the authority may impose fines not less than NTD five hundred thousand and not more than NTD ten million upon the violator for each and every violation in order to enforce regulatory control. In addition, to ensure effective enforcement of regulatory conditions and instructions issued by the MOEA, Article 67-3 further provides penalties targeting non-compliance with terms attached to overseas investment approvals or corrective orders issued under Article 22. Specifically, with regard to the conditions, restrictions, or other requirements MOEA imposed under Article 22 Paragraph 3 when granting approval for overseas investments, failure to fulfill the foregoing may lead to fine(s) not less than NTD five hundred thousand and not more than NTD ten million per violation. This enforcement mechanism serves to deter regulatory breaches in sensitive outbound investment activities. In light of rising global concerns over economic security and the protection of key technologies, Article 67-3 has been added to strengthen the regulatory framework for outbound investment. In sum, the introduction of Article 67-3 serves to reinforce the legal force of Article 22 by establishing a clear and enforceable penalty framework. This provision fills a critical gap in the Statute by providing the relevant authorit(ies) with the necessary tools to ensure compliance and deter unauthorized outbound investments. IV. Conclusion The amended Article 22 and newly added Article 67-3 are not merely administrative changes but represent a strategic recalibration of Taiwan’s industrial and security policy. Taiwan’s economic model has long emphasized innovation, global integration and export-driven growth. But with growing external pressure to align with allied democratic nations on technology controls, the policy is now steering toward balance with caution. It is also strengthening its national security through reducing vulnerability to economic coercion. Such a move not only gestures to preserve Taiwan’s competitive edge in strategic industries, but also ensures that public subsidies and domestic R&D efforts are not inadvertently diverted to foreign rivals. This shift also reflects the evolution in Taiwan’s approach to outbound investment regulation. The amended legislation introducing a more comprehensive review criteria under Article 22, along with the enforcement mechanism in Article 67-3, enhances the ability to respond proactively to emerging risks, whether they stem from the nature of the technology, the destination of the investment, or potential violations of domestic legal and labor standards. Looking ahead, these legislative changes could prompt companies to re-evaluate their international strategies. At the same time, it is expected that a strengthened policy in domestic innovation ecosystem through targeted incentives should be introduced to balance the current trend of investment screening. In sum, the latest changes underscore a broader shift toward reinforcing economic security and industrial self-reliance while navigating the complexities of a rapidly shifting global technological landscape. Disclaimer: This article was prepared as part of the work at the Institute for Information Industry. While it is published under the author's name, its title and content do not necessarily represent the personal views of the author. This article is intended for informational purposes only and does not constitute legal advice.

Brief Introduction to “European Union’s Recommendations for QTSPs Based on Standards” 2022/06/24 I. Introduction 　　The Electronic Identification and Trust Services Regulation (eIDAS)[1] of the European Union was passed in 2014 and came into effect in July 2016. The eIDAS consists of six chapters and its core elements are covered in two parts: Chapter 2 Electronic Identification and Chapter 3 Trust Services. Chapter 3 provides the legal framework for trust services (TS) in relation to electronic transactions and encompasses electronic signatures, electronic seals, electronic time stamps, electronic registered delivery services and website authentication. Each trust service can be provided by trust service providers (TSP) or qualified trust service providers (QTSP). Qualification from the supervisory authority of each member state is required to become a QTSP and provide qualified trust services (QTS). 　　In March 2021, the European Union Agency for Cybersecurity (ENISA) published “Recommendations For QTSPs Based On Standards[2]” for those interested in becoming QTSPs. II. Highlights 　　The eIDAS is technology neutral regarding trust service security requirements, without specifying any technology. In other words, TSP can achieve the level of security required by the eIDAS with different technologies. In fact, the European Union hopes to drive standardization with common grounds gradually formed with industry self-regulation in the legal framework and the trust framework under the eIDAS[3]. 　　Since 2009, the European Union has been formulating the standardisation framework related to electronic signatures with the assistance from standardization bodies such as European Committee for Standardization (CEN) and European Telecommunications Standards Institute (ETSI). The vision is to establish a comprehensive standardization framework to resolve the problems of using electronic signatures across borders within the European Union. A series of standards on electronic signatures and relevant trust services have been put in place, to meet the international requirements and the eIDAS[4]. The ETSI/CEN standards of digital signatures related to QTSP are as follows[5]: 1. Provision of qualified certificates for electronic signatures (Article 28 of the eIDAS) 　 ETSI EN 319 411-2 (and in adherence to EN 319 401, EN 319 411-1, EN 319 412-2 and EN 319 412-5). 2. Provision of qualified certificates for electronic seals (Article 38 of the eIDAS) 　 ETSI EN 319 411-2 (and in adherence to EN 319 401, EN 319 411-1, EN 319 412-3 and EN 319 412-5). 3. Provision of qualified certificates for website authentication (Article 45 of the eIDAS) 　 ETSI EN 319 411-2 (and in adherence to EN 319 401, EN 319 411-1, EN 319 412-4 and EN 319 412-5). 4. Qualified electronic time stamping service (Article 42 of the eIDAS) 　 ETSI EN 319 421 (and in adherence to EN 319 401), EN 319 422. 5. Qualified validation service for qualified electronic signatures (Article 33 of the eIDAS) 　 ETSI TS 119 441 (and in adherence to EN 319 401), TS 119 442, EN 319 102-1, TS 119 102-2 and TS 119 172-4. 6. Qualified validation service for qualified electronic seals (Article 40 of the eIDAS) 　 ETSI TS 119 441 (and in adherence to EN 319 401), TS 119 442, EN 319 102-1, TS 119 102-2 and TS 119 172-4. 7. Qualified preservation service for qualified electronic signatures (Article 34 of the eIDAS) 　 ETSI EN 319 401, TS 119 511 and TS 119 512. 8. Qualified preservation service for qualified electronic seals; (Article 40 of the eIDAS) 　 ETSI EN 319 401, TS 119 511 and TS 119 512. 9. Qualified electronic registered delivery service (Article 44 of the eIDAS) 　 ETSI EN 319 401, EN 319 521, EN 319 522, EN 319 531 and EN 319 532. III. Comment and Analysis 　　The ENISA recommendations demonstrate the European Union’s intention to encourage ICT service providers to become QTSPs by introducing relevant standards in electronic signatures formulated by the European Union standardization bodies. The purpose is to provide companies and users in the European Union with more secure and trustworthy services in relation to electronic signatures. This enhances the confidence of users and promotes the vibrant development of electronic transactions throughout the European Union. 　　Over recent years, Taiwanese companies have been proactively involved in digital transformation. The process toward digitalization often requires assistance from external ICT service providers. However, the unfamiliarity in ICT makes it difficult for companies to judge the professional expertise of providers. Perhaps companies can refer to the introduction above to understand whether a provider meets the requirements of the European Union standards. This serves as a basis for the selection of ICT service providers to ensure a certain level of competences. This will be beneficial to the digital transformation and entrance in the European Union market for companies. [1] Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2014.257.01.0073.01.ENG (last visited Jun. 24, 2022). [2] European Union Agency for Cybersecurity [ENISA], Recommendations for Qualified Trust Service Providers based on Standards (2021), https://www.enisa.europa.eu/publications/reccomendations-for-qtsps-based-on-standards (last visited Jun. 24, 2022). [3] id. at 8 [4] id. at 8-9. [5] id. at 11-12

An Introduction to Taiwan’s Regulations Regarding the Security Maintenance and Administration of Personal Information Files in in Digital Economy Industries 2023/11/29 I. Preface The Personal Data Protection Act (below, the “Act”), Article 27, paragraph 3 authorizes all central government authorities in charge of specific industries to formulate regulations regarding security standards and maintenance plans for their concerned industries. Beginning August 27, 2022, Taiwan transferred authority over information services, software publishers, businesses that do retail sales of goods purely via the Internet, third-party payment providers, and other businesses in digital economy industries from the Ministry of Economic Affairs to the newly-established Ministry of Digital Affairs (MODA). Businesses in the digital economy industries collect, process, and use large amounts of important personal data, and therefore bear a relatively heavy responsibility for maintaining the security of personal data. In light of this, and in accordance with the Act, Article 27, paragraph 3, the MODA therefore promulgated the Regulations Regarding the Security Maintenance and Administration of Personal Information Files in in Digital Economy Industries (below, the “Regulations”) on October 12, 2023. These Regulations specify the standards for digital economy industries’ personal data file security maintenance plans and rules governing the handling of personal data following a business termination (below, “security and maintenance plans”, or “SMPs”). These regulations apply to all businesses in the digital economy industries. In order to reinforce responsibility for personal data security maintenance in the digital economy industries, tiered management is applied to businesses at different scales. The key points of these Regulations are introduced below. II. Where the Regulations apply As stipulated in the Regulations, Article 2, the “digital economy industries” that these Regulations apply to refer to any natural person, private juridical person, or other group, that engages in any of the following business operations: 4871 Retail Sale via Internet (industries that engage in retail sales to others via the Internet, but not including television, radio, phone, or other electronic means, nor postal sales); 582 Software Publishing; 620 Computer Programming, Consultancy and Related Activities; 6312 Data Processing, Hosting and Related Activities (industries that engage in processing customers’ data, server & website hosting, and other related services, but not including online audio/video streaming services); 639 Other Information Service Activities; or 6699 Other Activities Auxiliary to Financial Service Activities Not Elsewhere Classified (third-party payment industries, but not including other fund management activities). For the specific industries covered, see Attachment 1 of the Regulations. III. Security maintenance and management measures The relevant measures are stipulated in Articles 3 to 17 of the Regulations. In consideration that the businesses so regulated may collect, process, or use large amounts of personal data as part of their business activities, they bear a larger responsibility for maintaining the security of personal data than does the average enterprise. In compliance with the Regulations, every such enterprise is required to formulate an SMP, the content of which shall comply with the specifications in Articles 5 to 17. This includes putting in place management personnel and relevant resources; defining and inventorying the scope of personal data; risk assessment; putting internal management procedures in place; and other such matters. These Regulations also adopt tiered management for businesses based on their capital levels, in order to reinforcement the frequency at which security maintenance measures are performed. The specific regulations for security maintenance measures are introduced below. 1. Formulating an SMP In accordance with the Regulations, Article 3, and in order to maintain the security of personal data, each enterprise shall, within three months of the date the Regulations take effect, plan and formulate their SMP. Every enterprise shall also cause all staff members to understand and fully implement the SMP. In order to monitor implementation, the MODA may require that each enterprise submit its implementation of SMP; the enterprise shall then submit their implementation status information in written form within the specified time limit. 2. Making the protection policy known internally In accordance with the Regulations, Article 4, and to make sure that everyone in the enterprise comprehends and implements personal data protection, each enterprise shall make its personal data protection policies known to all personnel within the enterprise. Matters that must be explained include Taiwan’s legal regulations and orders on personal data protection; how personal data may only be collected, processed, and used for specific purposes and in a reasonable, secure way; that protective technology must be at a level of security that could be reasonably expected; points of contact for rights relating to personal data; personal data contingency plans; and proper monitoring of outsourced service providers to whom personal data is outsourced. All of this must be done to make sure that every enterprise carries out their duty for comprehensive, continuous SMP implementation. 3. SMP content (1) Putting in place management personnel with relevant resources In accordance with the Regulations, Article 5; in accordance with both the Regulations as a whole and other laws and orders regarding the protection of personal data; and in order to implement personal data protection, each enterprise shall do the following things: Weigh the size and characteristics of their business to reasonably allocate operating resources; take responsibility for the personal data protection and management policy; and formulate, revise, and implement their SMP. Also, the enterprise’s representative or the representative’s authorized personnel shall carry out formulation and revision, in order to make sure that the SMP’s content is fully carried out. (2) Establishing the scope of personal data In accordance with the Regulations, Article 6, in order to define the scope of personal data to be included in the SMP, each enterprise shall periodically check the status of personal data that is collected, processed, or used. (3) Risk assessment and management mechanisms for personal data In accordance with the Regulations, Article 7, in a timely manner, and in accordance with their already-established personal data scopes and the processes in which their business involves the collection, processing, or use of personal data, each enterprise shall evaluate risks that may arise within their scope and processes. Based on the risk evaluation results, each enterprise shall then adopt appropriate security management and response measures. (4) Incident prevention, reporting, and response mechanisms In accordance with the Regulations, Article 8, and in order to reduce/control damages to data subjects resulting from personal data theft, tampering, damage, destruction, leakage, or other such security incidents, each enterprise shall formulate response, reporting, and prevention mechanisms: 1. Response mechanism: Methods to be followed after a security incident has occurred, to reduce/control damages to data subjects, and appropriate ways to notify data subjects after an incident investigation, as well as what such notifications shall contain. 2. Notification mechanism: Post-incident notifications to data subjects, in a form (such as email, text message, phone call, etc.) that makes it convenient for such subjects to learn what has occurred and what the incident handling status is; also, providing data subjects with a hotline or other way of seeking information later on. 3. Prevention mechanism: A post-incident mechanism for discussing and adjusting the prevention measures. Within 72 hours after an enterprise learns that a personal data security incident has occurred, the enterprise shall use Attachment 2, the Enterprise Personal Data Leak Reporting Form, to notify the MODA of matters such as: A description of what caused the incident; an incident summary; the damage status; possible results from the personal data leakage; proposed response measures; proposed method and time for notifying data subjects; etc. Alternately, the enterprise may notify the special municipality or county/city government to then notify the MODA. If the enterprise is unable to report the incident within the time limit or is unable to supply complete reporting information all at once, the enterprise shall attach explanation of the reasons for the delay, or provide the information in stages. After the MODA or the special municipality or county/city government receives a report, they may implement reasonable handling in accordance with Articles 22 to 25 of the Act. (5) Internal management procedures for personal data collection, processing, and usage In accordance with the Regulations, Article 9, in order to ensure that their collection, processing, and use of personal data complies with the laws and orders regarding the protection of personal data, each enterprise shall do the following: Formulate internal management procedures; assess whether the use, processing, or collection of special categories of personal data are involved; assess data subjects’ consent has been obtained; assess whether the legal circumstances create an exemption from the obligation to inform; etc. The internal management measures shall also include providing data subjects with information on their rights in accordance with the Act, Article 3; putting in place mechanisms for ensuring the accuracy of and inquiring regarding personal data; and periodically reviewing whether the specific purposes for collecting personal data still exist or have expired. (6) Limits, notifications, and monitoring for international transfers In accordance with Article 10 of the Regulations and Article 21 of the Act, when an enterprise’s transfer of personal data across a national border affects data subjects to the extent that there is a major national interests concern, the enterprise shall assess whether MODA restrictions apply to the transfer. The enterprise shall also notify the data subjects of the region(s) that the data is transferred to; perform appropriate monitoring of the data recipient; and provide the data subjects with information on their rights in accordance with the Act, Article 3. (7) Data, personnel, and equipment security management measures 1. Data security management measures: In accordance with the Regulations, Article 11, and when personal data is backup, kept confidential, or transferred by various means based on the risk assessment results, each enterprise shall put in place protective measures against abnormal access behaviors. When an enterprise provides information/communication technology services, the enterprise shall also put in place and regularly monitor intrusion countermeasures, abnormal access monitoring and contingencies, anti-malware mechanisms, account password verification, system testing, and other such data security management measures. 2. Personnel security management measures: In accordance with the Regulations, Article 12, each enterprise shall contractually specify the obligation to maintain confidentiality with all staff members; identify personnel who job duties involve collecting, processing, or using personal data; and periodically assess the appropriateness and necessity of personnel’s permissions to access personal data. 3. Equipment security management measures: In accordance with the Regulations, Article 14, and to prevent personal data being stolen, tampered with, damaged, destroyed, or leaked, each enterprise shall put in place appropriate media protection for personal data storage devices. The protection requirements include management measures such as technology, equipment and secured environments that meet a specific level of security. (8) Education and training In accordance with the Regulations, Article 13, each enterprise shall periodically use education and training to ensure that all staff members understand the following things: The laws and regulations pertaining to personal data protection; their personal duties and roles within their scopes of responsibility; and the requirements for all SMP management procedures, mechanisms, and measures. For any enterprise that engages in retail sales via the Internet, their SMP shall include user training and education regarding personal data protection and management; and the enterprise shall also formulate personal data protection rules for compliance. (9) Continuous audit, recording, and improvement mechanisms 1. Data security auditing mechanisms: In accordance with the Regulations, Article 15, each enterprise shall periodically do internal audits of personal data, then put the audit results into an evaluation report that reviews improvements to the enterprise’s protection policy, SMP, etc. If there are any deficiencies, the enterprise shall make corrections. 2. Use of records, tracking data, and retention of evidence: In accordance with the Regulations, Article 16, and as part of carrying out its SMP, each enterprise shall retain a minimum of five years of records on the collection, processing, and use of personal data; tracking data for automated machinery; and evidence of having implemented the SMP. After an enterprise’s operations cease, it shall retain records of the destruction, transfer, or other deletion of personal data for a minimum of five years. 3. Comprehensive, continuous improvement for personal data security maintenance: In accordance with the Regulations, Article 17, any time an enterprise’s SMP is not implemented, the enterprise shall adopt corrective and preventive measures. Also, based on the SMP’s implementation status, its handling methods/implementation status, developments in data technology, adjustments to the enterprise’s business, and changes in the law and regulations, each enterprise shall periodically review and amend its SMP. 4. Tiered management In accordance with the Regulations, Article 18, and to prevent relatively small businesses having to take on excessive personal data management costs, tiered management is applied. For an enterprise with a specific business scale (having capital of NT$10 million or more, or holding 5,000 or more personal data records), stronger security measure implementation is required, namely, the personal data security measures shall be implemented, reviewed, and improved at least once every twelve months. If an enterprise reaches NT$10 million or more in capital after the Regulations take effect, or if an enterprise’s number of personal data records held reaches 5,000 or more as a result of direct or indirect data collection, then within six months of meeting those conditions, the enterprise shall implement and review the improvement measures at least once every twelve months. 5. Outsourced personal data Commercial outsourcing in the digital economy comes in many forms. In light of this, and in order to make clear each enterprise’s security management obligations with regard to the collection, processing, and use of personal data, Article 19 of the Regulations clearly spells out what duties shall be carried out with regard to any outsourcing that touches on personal data. When an enterprise outsources the collection, processing, or use of personal data, it is considered equivalent to the enterprise’s own activity. Thus, the enterprise shall understand and follow the legal orders and regulations on personal data set by the central government authorities in charge of the outsourcing party’s industries. Any oversight responsibilities arising from outsourcing the collection, processing, or use of others’ personal data shall be clearly stipulated in the outsourcing contract or other such documents. IV. Conclusion The Regulations Regarding the Security Maintenance and Administration of Personal Information Files in in Digital Economy Industries are designed to balance development for Taiwan’s digital economy industries with comprehensive, continuous improvement of personal data security maintenance. In pursuit of those goals, the Regulations clarify what each enterprise must do: Plan, formulate, and carry out security maintenance plans for personal data that falls within the bounds of the enterprise’s business; ensure that all staff members receive training on personal data protection; provide personal data subjects with channels to file complaints and seek consultation on their rights; and inform the government authorities in charge of the digital economy about the enterprise’s SMP, including the status of any personal data security incidents. All this is done in hopes that the security measures will continuously improve the security of personal data in Taiwan’s digital economy industries.