Japanese Virtual Currency Transaction Law System – with “Payment Services Act” as the Core

A Brief Introduction to Taiwan’s Legislations to Promote Industrial Innovations of the Digital Economy 2023/05/15 I. Background To encourage the development of digital industries in communications, information, cybersecurity, networking and communication, to centralize digital governance and digital infrastructure development and to assist in digital transformation of public and private sectors in Taiwan, the Ministry of Digital Affairs (“the MODA”) was created on August 27, 2022 to spearhead the national digital development policy, communications and digital resources; the development of digital technology use cases and the environment for innovations and talents; policies and regulations governing digital economy industries, national cybersecurity, the government’s digital services, open data and data governance, digital infrastructure, international exchange and cooperation and competence standards for the government’s professional personnel in IT and informational security. The Administration for Digital Industries (ADI) and the Administration for Cyber Security (ACS) have been established as the MODA’s subordinate agencies, to address challenges on all fronts in the digital wave. As the central competent authority on the industrial development of the digital economy, the MODA may subsidize, incentify or support innovative activities of digital economy industries in accordance with Paragraph 1, Article 9 of the Statute for Industrial Innovation and determine relevant matters in accordance with Paragraph 2 of the same article. Hence, the MODA promulgated the Subsidy, Reward and Assistance Regulations for Promoting Industry Innovation (“the Regulations”) on December 23, 2022, to encourage innovation and R&D on software, services, integration and application in telecommunications, information, cybersecurity, networking, and communication. The purpose is to enhance the industry environment and to boost the industry competitiveness. These Regulations serve as the MODA’s flagship efforts in promotion of industrial innovations and highlights Taiwan’s emphasis on digital economy industries. Below is a summary of the Regulations. II. Scope As stated in the overview described in Article 2, the Regulations aim to assist in the development of software products, digital services and infrastructure, system integration and vertical use cases in telecommunications, information, cybersecurity, networking and communication, so as to encourage innovations in digital economy industries such as ecommerce, digital contents, new types of digital services, communications and network deployment, to improve the industry environment and enhance the industry competitiveness. In sum, the “digital economy industries” mentioned in the Regulations refer to software, digital services or digital infrastructure sectors in telecommunications, information, cybersecurity, networking and communication. III. Policy measures According to Paragraph 1, Article 3 of the Regulations, the MODA or its subordinate agencies may provide subsidies, rewards and assistance to the activities in digital economy industries such as promotion of innovation or R&D, supply of technologies and support in upgrade. This may involve the encouragement of creation of innovation of R&D centers by companies; assistance to establishment of innovation or R&D institutions; fostering of cooperation among industries, academia and research organizations; promotion of corporate engagement in talent development at schools and development of human resources in industries; support to innovations by local industries; advocacy of corporate use of big data and the government’s open data; enhancement of communications network resilience and network infrastructure prevalence and other relevant matters. Moreover, the Regulations provide details of the policy measures for subsidies, rewards and support as follows: 1. Subsidies The relevant details are provided from Article 4 to Article 17 of the Regulations. (1) Eligibility According to Paragraph 1, Article 4 of the Regulations, subsidy recipients in principle shall be engaged in activities of digital economy industries, shall be either a sole proprietorship, partnership, limited partnership, or corporation registered in accordance with domestic laws or a natural person who is national of the R.O.C., a natural person from Hong Kong or Macau or a foreign national with permanent residency and has never been listed as a refusal account by any bank. Flexibility can be granted in accordance with Paragraph 2 of the same article. If required for the development of digital economy industries, the MODA or its subordinate agencies may establish separate eligibility criteria for subsidy recipients. However, such eligibility criteria only take effect via public announcement and publication on the Executive Yuan Gazette. Finally, according to Article 13 of the Regulations, no subsidy application may be submitted in event of violation of laws related to environmental protection, labor safety and health or food safety and hygiene during the most recent three years, as determined to be serious by central competent authority. (2) Subsidy limits According to Article 5 of the Regulations, different programs come with different ceilings measured in percentage. In principle, the subsidized amount shall not exceed 50% of the program budget if it is for promotion of industry innovation or R&D or encouragement of corporate use of big data and the government’s open data to develop and innovate commercial applications or service models. However, this does not apply to specific policy considerations or subsidy schemes above the budget and approved by the MODA or its subordinate agencies. For example, the subsidized amount shall not exceed 50% of the course fees for corporate engagement in talent development on campus or enhancement of talent resources for industries. However, this limit does not apply to subsidies to indigenous people, persons with disabilities, low-income households, or the special circumstances approved by the MODA or its subordinate agencies. Support schemes such as assistance to industrial technology and upgrade; encouragement of creation of innovation of R&D centers by companies; assistance to establishment of innovation or R&D institutions; fostering of cooperation among industries, academia and research organizations; support to innovations by local industries; enhancement of communications network resilience and network infrastructure prevalence and other projects shall be announced by the MODA or its subordinate agencies and published on the Executive Yuan Gazette. (3) Subsidy programs According to Articles 6 of the Regulations, there are no specific restrictions on subsidy categories, with two exceptions: (1) promotion of industry innovation or R&D – Subsidies are limited to six categories, i.e., innovation or R&D personnel expenses for approved projects; costs for consumables and raw materials; access and maintenance expenses for innovative or R&D equipment; introduction of intangible assets; commissioning and verification fees of research; and travel expenses. (2) advocacy of corporate use of big data and the government’s open data to develop and innovate commercial applications or service models or enhancement of communications network resilience and network infrastructure prevalence - Subsidies are limited to three categories, i.e., fees for commissioned services; training & education fees; and promotional campaign expenses. (4) Application submission According to Article 7 of the Regulations, an applicant should submit the application form, the project plan and relevant data to the MODA or its subordinate agencies. If the contents of the project plan or documents fail to meet requirements, the MODA or its subordinate agencies may request missing materials before a deadline of up to one month. The MODA or its subordinate agencies may not accept applications without missing materials supplied before deadlines. (5) Acceptance and review According to Article 8 of the Regulations, the MODA or its subordinate agencies shall convene review meetings to review applications, changes and irregularities in the execution of subsidy programs. Applicants may be asked to provide explanations or Personnel may be sent to conduct on-site inspections. If necessary, relevant authorities or institutions may be commissioned assist in financial reviews. Additionally, according to Article 9 of the Regulations, the period from document readiness by an applicant to notification of the completed review to the applicant may not exceed three months. This may be extended by one month if necessary. Finally, according to Article 17 of the Regulations, subsidized projects, subsidy recipients, approval dates, subsidized amounts (including cumulative amounts) and relevant information shall be announced on the websites of the MODA or its subordinate agencies each quarterly unless the disclosure should be restricted or is not provided according to Article 18 of the Freedom of Government Information Law. (6) Contract signing Once reviewed and approved, the applicant must sign the subsidy contract with the MODA or its subordinate agencies within the time period specified by Article 10 of the Regulations. Unless extension has been agreed by the MODA or its subordinate agencies, the approval of the application loses validity if a contract is not signed before the deadline. (7) Matters of adherence by subsidy recipients Once the subsidy contract has been signed, an applicant becomes a subsidy recipient under the Regulations and must abide by relevant terms and conditions. First, the recipient shall establish a separate account for subsidy funds and maintain a separate account book, according to Article 11 of the Regulations. All of the interest generated from the subsidy account and any balance remaining after the project completion shall be fully returned to the national treasury via the MODA or its subordinate agencies. Meanwhile, to examine whether there are any duplications of application, the use of subsidy funds and the effectiveness of project implementation, the MODA or its subordinate agencies may dispatch personnel or commission a fair and just organization to inspect the relevant documents, account books and status of project execution. The subsidy recipient shall not refuse such an examination, is obligated to respond and shall submit work reports and details about the use of funds by following the agreed-upon schedule. In event of breach, the disbursement of subsequent funds may be suspended, under the terms and conditions of the subsidy contract. Second, according to Article 12 of the Regulations, if a recipient fails to execute the subsidized project as planned or the project experiences a significant delay in progress, or there is an overly large gap between the project results and the business plan, or the project fails to pass the review, inspection or acceptance by the MODA or its subordinate agencies and no improvement has been made before the specified deadline, or there is a breach of the Regulations Governing Procurements for Scientific and Technological Research and Development if the subsidized amount exceeds 50% of the recipient’s procurement and it meets the threshold for public announcements under the Government Procurement Act, the MODA or its subordinate agencies may suspend the next disbursement in accordance with the terms and conditions of the subsidy contract, claw back the disbursed subsidy and even stop any subsidy to the recipient for one to five years, depending on the severity of the circumstances. Third, according to Article 14 of the Regulations, the MODA or its subordinate agencies must conduct a comprehensive assessment of effectiveness of subsidized projects and the recipient shall cooperate by providing data required for the assessment. Fourth, according to Article 16 of the Regulations and unless otherwise specified by laws, if the subsidized amount exceeds 50% of the total budget for a technology project, the ownership and utilization of R&D results shall comply with the Government Scientific and Technological Research and Development Results Ownership and Utilization Regulation. In event of breach by the recipient violates, the MODA or its subordinate agencies may terminate the subsidy contract and shall refuse to accept any subsidy application from the recipient for five years from the date of completion of the innovation or R&D. If the reason is attributable to the recipient, the subsidy contract shall be canceled and the subsidies shall be refunded. (8) Subsidy applications According to Article 17 of the Regulations, a subsidy applicant shall declare to the MODA or its subordinate agencies the following: 1) No significant default in the execution of any government-sponsored science and technology projects during the past five years. 2) No suspension currently in force as a result of disciplinary actions in relation to execution of a government-sponsored science and technology project. 3) No tax incentives, rewards or subsidies for the same matter under other laws granted to the same subsidized project. 4) No taxes owed during the past three years. However, individuals who apply for the subsidy under Subparagraph 5 or 6, Paragraph 1, Article 3 are exempted. 5) No violation of laws related to environmental protection, labor safety and health or food safety and hygiene or the People with Disabilities Rights Protection Act during the most recent three years, as determined to be serious by central competent authority. However, this does not apply to circumstances that occurred prior to the enforcement of the Statute. If the applicant refuses to declare the above, the MODA or its subordinate agencies may not accept the application. If any false statement is identified, the application may be rejected, or the subsidy may be withdrawn, the contract may be canceled and the disbursed funds shall be returned. 2. Rewards According to Paragraph 1 of Article 18 of the Regulations, the MODA or its subordinate agencies will announce reward programs for digital economy industries with details on recipients, eligibility criteria, evaluation standards, application procedures, approving agencies and other related matters. Moreover, reward applications are not accepted according to Paragraph 2 of Article 18 and the provisions of Article 13 and Article 15 shall apply mutatis mutandis. Article 17 regarding announcement of government information on subsidy applications shall also apply to reward applications. 3. Assistance Relevant rules are primarily prescribed from Article 19 to Article 21 of the Regulations. (1) Eligibility According to Paragraph 1 of Article 19 of the Regulations, the rules prescribed in Subparagraph 1, Paragraph 1 of Article 4 also apply to the eligibility criteria for assistance to digital economy industries. In other words, assistance recipients in principle shall engage in activities of digital economy industries, either a sole proprietorship, partnership, limited partnership, or corporation registered in accordance with domestic laws or a natural person who is national of the R.O.C., a natural person from Hong Kong or Macau or a foreign national with permanent residency and has never been listed as a refusal account by any bank. Flexibility can be granted outside the aforesaid limitations and in accordance with Paragraph 2 of Article 19. If required for the development of digital economy industries, the MODA or its subordinate agencies may establish separate eligibility criteria for assistance recipients via public announcement and publication on the Executive Yuan Gazette. (2) Oversight of commissioned organizations According to Article 20 of the Regulations, the MODA or its subordinate agencies may evaluate and assess the effectiveness of the assistance services provided by the commissioned organization(s) for recipients as an important basis for reviewing assistance projects. (3) Establishment of a single contact window The assistance unit may establish a single contact window to provide assistance and counseling services, according to Article 21 of the Regulations. 4. General provisions In addition to specific rules, the general provisions prescribed from Article 22 to Article 25 shall apply to subsidies, rewards or assistance provided by the MODA and its subordinate agencies. First, all the funds required for policy measures shall come from the budgets allocated by the MODA or its subordinate agencies, according to Article 25 of the Regulations. Second, the MODA or its subordinate agencies may commission a legal person or a group to handle the application acceptance, review, approval, inspection, subsidy disbursement and claw-back, rewards, assistance and other relevant matters, according to Article 22 of the Regulations. Furthermore, according to Article 23 of the Regulations, the incoming and outgoing of funds for subsidy, reward and assistance projects are managed as follows: 1) The same project applying for subsidies with two or more organizations should list the details of all expenses and the breakdowns and amounts of subsidies, rewards and assistance under application with each government agency. The subsidy, reward and assistance program shall be canceled and the disbursed funds shall be returned in event of concealment or false statements. 2) If the review by each government agency on the use of funds identifies poor results, utilization not consistent with the subsidy purposes, or inflated or dishonest numbers, the subsidy, reward or assistance recipient shall return the disbursed funds. Meanwhile, no subsidy shall be granted to the subsidy, reward or assistance recipient in question for one to five years, depending on the severity of circumstances. 3) If procurement is involved in the subsidy, reward or assistance budget, the subsidy, reward or assistance recipient shall adhere to the Government Procurement Act. 4) When reporting on expenses, the subsidy, reward or assistance recipient shall enumerate in detail the utilization of expenditures and the total amount of spendings. The same project subsidized by two or more organizations shall list the actual sum of subsidies, rewards and assistance. Finally, according to Article 24 of the Regulations, the approval, disbursement and reimbursement of subsidies, rewards and assistance are processed as follows: 1) Disbursement based on project progress: The number of instalments, the method, the amount (percentage) are specified in the contract by the MODA or its subordinate agencies, depending on the project and the timetable. 2) Reimbursement shall be based on the Management Guidelines for the Disposal of Government Expenditure Vouchers, the Matters of Attention Regarding Budget (Donation) Implementations by Central Government Agencies for Private Groups and Individuals and relevant contractual provisions. IV. Conclusions To accelerate the innovation and development of digital economy industries in Taiwan, the MODA has promogulated the Subsidy, Reward and Assistance Regulations for Promoting Industry Innovation in accordance with Paragraph 1, Article 9 of the Statute for Industrial Innovation. It is hoped that the subsidies, rewards and assistance provided by the MODA helps to enhance the competitiveness of digital economy industries and the effectiveness of the digital economy development in addition to the Statute. The Regulations set out detailed rules on policy measures e.g., subsidies, rewards, and assistance. Key matters such as eligible recipients, application procedures, review mechanisms, responsibilities and obligations are clearly defined but certain flexibility is reserved by exceptions. A contract-centric approach provides manoeuvrability in practice specific to project circumstances. It is hoped that the MODA and its subordinate agencies can utilize these Regulations once in force, to enhance the business environment of the digital economy industries and continue to drive industry innovations.

Brief Introduction to “European Union’s Recommendations for QTSPs Based on Standards” 2022/06/24 I. Introduction 　　The Electronic Identification and Trust Services Regulation (eIDAS)[1] of the European Union was passed in 2014 and came into effect in July 2016. The eIDAS consists of six chapters and its core elements are covered in two parts: Chapter 2 Electronic Identification and Chapter 3 Trust Services. Chapter 3 provides the legal framework for trust services (TS) in relation to electronic transactions and encompasses electronic signatures, electronic seals, electronic time stamps, electronic registered delivery services and website authentication. Each trust service can be provided by trust service providers (TSP) or qualified trust service providers (QTSP). Qualification from the supervisory authority of each member state is required to become a QTSP and provide qualified trust services (QTS). 　　In March 2021, the European Union Agency for Cybersecurity (ENISA) published “Recommendations For QTSPs Based On Standards[2]” for those interested in becoming QTSPs. II. Highlights 　　The eIDAS is technology neutral regarding trust service security requirements, without specifying any technology. In other words, TSP can achieve the level of security required by the eIDAS with different technologies. In fact, the European Union hopes to drive standardization with common grounds gradually formed with industry self-regulation in the legal framework and the trust framework under the eIDAS[3]. 　　Since 2009, the European Union has been formulating the standardisation framework related to electronic signatures with the assistance from standardization bodies such as European Committee for Standardization (CEN) and European Telecommunications Standards Institute (ETSI). The vision is to establish a comprehensive standardization framework to resolve the problems of using electronic signatures across borders within the European Union. A series of standards on electronic signatures and relevant trust services have been put in place, to meet the international requirements and the eIDAS[4]. The ETSI/CEN standards of digital signatures related to QTSP are as follows[5]: 1. Provision of qualified certificates for electronic signatures (Article 28 of the eIDAS) 　 ETSI EN 319 411-2 (and in adherence to EN 319 401, EN 319 411-1, EN 319 412-2 and EN 319 412-5). 2. Provision of qualified certificates for electronic seals (Article 38 of the eIDAS) 　 ETSI EN 319 411-2 (and in adherence to EN 319 401, EN 319 411-1, EN 319 412-3 and EN 319 412-5). 3. Provision of qualified certificates for website authentication (Article 45 of the eIDAS) 　 ETSI EN 319 411-2 (and in adherence to EN 319 401, EN 319 411-1, EN 319 412-4 and EN 319 412-5). 4. Qualified electronic time stamping service (Article 42 of the eIDAS) 　 ETSI EN 319 421 (and in adherence to EN 319 401), EN 319 422. 5. Qualified validation service for qualified electronic signatures (Article 33 of the eIDAS) 　 ETSI TS 119 441 (and in adherence to EN 319 401), TS 119 442, EN 319 102-1, TS 119 102-2 and TS 119 172-4. 6. Qualified validation service for qualified electronic seals (Article 40 of the eIDAS) 　 ETSI TS 119 441 (and in adherence to EN 319 401), TS 119 442, EN 319 102-1, TS 119 102-2 and TS 119 172-4. 7. Qualified preservation service for qualified electronic signatures (Article 34 of the eIDAS) 　 ETSI EN 319 401, TS 119 511 and TS 119 512. 8. Qualified preservation service for qualified electronic seals; (Article 40 of the eIDAS) 　 ETSI EN 319 401, TS 119 511 and TS 119 512. 9. Qualified electronic registered delivery service (Article 44 of the eIDAS) 　 ETSI EN 319 401, EN 319 521, EN 319 522, EN 319 531 and EN 319 532. III. Comment and Analysis 　　The ENISA recommendations demonstrate the European Union’s intention to encourage ICT service providers to become QTSPs by introducing relevant standards in electronic signatures formulated by the European Union standardization bodies. The purpose is to provide companies and users in the European Union with more secure and trustworthy services in relation to electronic signatures. This enhances the confidence of users and promotes the vibrant development of electronic transactions throughout the European Union. 　　Over recent years, Taiwanese companies have been proactively involved in digital transformation. The process toward digitalization often requires assistance from external ICT service providers. However, the unfamiliarity in ICT makes it difficult for companies to judge the professional expertise of providers. Perhaps companies can refer to the introduction above to understand whether a provider meets the requirements of the European Union standards. This serves as a basis for the selection of ICT service providers to ensure a certain level of competences. This will be beneficial to the digital transformation and entrance in the European Union market for companies. [1] Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2014.257.01.0073.01.ENG (last visited Jun. 24, 2022). [2] European Union Agency for Cybersecurity [ENISA], Recommendations for Qualified Trust Service Providers based on Standards (2021), https://www.enisa.europa.eu/publications/reccomendations-for-qtsps-based-on-standards (last visited Jun. 24, 2022). [3] id. at 8 [4] id. at 8-9. [5] id. at 11-12

An Introduction to Taiwan’s Regulations Regarding the Security Maintenance and Administration of Personal Information Files in in Digital Economy Industries 2023/11/29 I. Preface The Personal Data Protection Act (below, the “Act”), Article 27, paragraph 3 authorizes all central government authorities in charge of specific industries to formulate regulations regarding security standards and maintenance plans for their concerned industries. Beginning August 27, 2022, Taiwan transferred authority over information services, software publishers, businesses that do retail sales of goods purely via the Internet, third-party payment providers, and other businesses in digital economy industries from the Ministry of Economic Affairs to the newly-established Ministry of Digital Affairs (MODA). Businesses in the digital economy industries collect, process, and use large amounts of important personal data, and therefore bear a relatively heavy responsibility for maintaining the security of personal data. In light of this, and in accordance with the Act, Article 27, paragraph 3, the MODA therefore promulgated the Regulations Regarding the Security Maintenance and Administration of Personal Information Files in in Digital Economy Industries (below, the “Regulations”) on October 12, 2023. These Regulations specify the standards for digital economy industries’ personal data file security maintenance plans and rules governing the handling of personal data following a business termination (below, “security and maintenance plans”, or “SMPs”). These regulations apply to all businesses in the digital economy industries. In order to reinforce responsibility for personal data security maintenance in the digital economy industries, tiered management is applied to businesses at different scales. The key points of these Regulations are introduced below. II. Where the Regulations apply As stipulated in the Regulations, Article 2, the “digital economy industries” that these Regulations apply to refer to any natural person, private juridical person, or other group, that engages in any of the following business operations: 4871 Retail Sale via Internet (industries that engage in retail sales to others via the Internet, but not including television, radio, phone, or other electronic means, nor postal sales); 582 Software Publishing; 620 Computer Programming, Consultancy and Related Activities; 6312 Data Processing, Hosting and Related Activities (industries that engage in processing customers’ data, server & website hosting, and other related services, but not including online audio/video streaming services); 639 Other Information Service Activities; or 6699 Other Activities Auxiliary to Financial Service Activities Not Elsewhere Classified (third-party payment industries, but not including other fund management activities). For the specific industries covered, see Attachment 1 of the Regulations. III. Security maintenance and management measures The relevant measures are stipulated in Articles 3 to 17 of the Regulations. In consideration that the businesses so regulated may collect, process, or use large amounts of personal data as part of their business activities, they bear a larger responsibility for maintaining the security of personal data than does the average enterprise. In compliance with the Regulations, every such enterprise is required to formulate an SMP, the content of which shall comply with the specifications in Articles 5 to 17. This includes putting in place management personnel and relevant resources; defining and inventorying the scope of personal data; risk assessment; putting internal management procedures in place; and other such matters. These Regulations also adopt tiered management for businesses based on their capital levels, in order to reinforcement the frequency at which security maintenance measures are performed. The specific regulations for security maintenance measures are introduced below. 1. Formulating an SMP In accordance with the Regulations, Article 3, and in order to maintain the security of personal data, each enterprise shall, within three months of the date the Regulations take effect, plan and formulate their SMP. Every enterprise shall also cause all staff members to understand and fully implement the SMP. In order to monitor implementation, the MODA may require that each enterprise submit its implementation of SMP; the enterprise shall then submit their implementation status information in written form within the specified time limit. 2. Making the protection policy known internally In accordance with the Regulations, Article 4, and to make sure that everyone in the enterprise comprehends and implements personal data protection, each enterprise shall make its personal data protection policies known to all personnel within the enterprise. Matters that must be explained include Taiwan’s legal regulations and orders on personal data protection; how personal data may only be collected, processed, and used for specific purposes and in a reasonable, secure way; that protective technology must be at a level of security that could be reasonably expected; points of contact for rights relating to personal data; personal data contingency plans; and proper monitoring of outsourced service providers to whom personal data is outsourced. All of this must be done to make sure that every enterprise carries out their duty for comprehensive, continuous SMP implementation. 3. SMP content (1) Putting in place management personnel with relevant resources In accordance with the Regulations, Article 5; in accordance with both the Regulations as a whole and other laws and orders regarding the protection of personal data; and in order to implement personal data protection, each enterprise shall do the following things: Weigh the size and characteristics of their business to reasonably allocate operating resources; take responsibility for the personal data protection and management policy; and formulate, revise, and implement their SMP. Also, the enterprise’s representative or the representative’s authorized personnel shall carry out formulation and revision, in order to make sure that the SMP’s content is fully carried out. (2) Establishing the scope of personal data In accordance with the Regulations, Article 6, in order to define the scope of personal data to be included in the SMP, each enterprise shall periodically check the status of personal data that is collected, processed, or used. (3) Risk assessment and management mechanisms for personal data In accordance with the Regulations, Article 7, in a timely manner, and in accordance with their already-established personal data scopes and the processes in which their business involves the collection, processing, or use of personal data, each enterprise shall evaluate risks that may arise within their scope and processes. Based on the risk evaluation results, each enterprise shall then adopt appropriate security management and response measures. (4) Incident prevention, reporting, and response mechanisms In accordance with the Regulations, Article 8, and in order to reduce/control damages to data subjects resulting from personal data theft, tampering, damage, destruction, leakage, or other such security incidents, each enterprise shall formulate response, reporting, and prevention mechanisms: 1. Response mechanism: Methods to be followed after a security incident has occurred, to reduce/control damages to data subjects, and appropriate ways to notify data subjects after an incident investigation, as well as what such notifications shall contain. 2. Notification mechanism: Post-incident notifications to data subjects, in a form (such as email, text message, phone call, etc.) that makes it convenient for such subjects to learn what has occurred and what the incident handling status is; also, providing data subjects with a hotline or other way of seeking information later on. 3. Prevention mechanism: A post-incident mechanism for discussing and adjusting the prevention measures. Within 72 hours after an enterprise learns that a personal data security incident has occurred, the enterprise shall use Attachment 2, the Enterprise Personal Data Leak Reporting Form, to notify the MODA of matters such as: A description of what caused the incident; an incident summary; the damage status; possible results from the personal data leakage; proposed response measures; proposed method and time for notifying data subjects; etc. Alternately, the enterprise may notify the special municipality or county/city government to then notify the MODA. If the enterprise is unable to report the incident within the time limit or is unable to supply complete reporting information all at once, the enterprise shall attach explanation of the reasons for the delay, or provide the information in stages. After the MODA or the special municipality or county/city government receives a report, they may implement reasonable handling in accordance with Articles 22 to 25 of the Act. (5) Internal management procedures for personal data collection, processing, and usage In accordance with the Regulations, Article 9, in order to ensure that their collection, processing, and use of personal data complies with the laws and orders regarding the protection of personal data, each enterprise shall do the following: Formulate internal management procedures; assess whether the use, processing, or collection of special categories of personal data are involved; assess data subjects’ consent has been obtained; assess whether the legal circumstances create an exemption from the obligation to inform; etc. The internal management measures shall also include providing data subjects with information on their rights in accordance with the Act, Article 3; putting in place mechanisms for ensuring the accuracy of and inquiring regarding personal data; and periodically reviewing whether the specific purposes for collecting personal data still exist or have expired. (6) Limits, notifications, and monitoring for international transfers In accordance with Article 10 of the Regulations and Article 21 of the Act, when an enterprise’s transfer of personal data across a national border affects data subjects to the extent that there is a major national interests concern, the enterprise shall assess whether MODA restrictions apply to the transfer. The enterprise shall also notify the data subjects of the region(s) that the data is transferred to; perform appropriate monitoring of the data recipient; and provide the data subjects with information on their rights in accordance with the Act, Article 3. (7) Data, personnel, and equipment security management measures 1. Data security management measures: In accordance with the Regulations, Article 11, and when personal data is backup, kept confidential, or transferred by various means based on the risk assessment results, each enterprise shall put in place protective measures against abnormal access behaviors. When an enterprise provides information/communication technology services, the enterprise shall also put in place and regularly monitor intrusion countermeasures, abnormal access monitoring and contingencies, anti-malware mechanisms, account password verification, system testing, and other such data security management measures. 2. Personnel security management measures: In accordance with the Regulations, Article 12, each enterprise shall contractually specify the obligation to maintain confidentiality with all staff members; identify personnel who job duties involve collecting, processing, or using personal data; and periodically assess the appropriateness and necessity of personnel’s permissions to access personal data. 3. Equipment security management measures: In accordance with the Regulations, Article 14, and to prevent personal data being stolen, tampered with, damaged, destroyed, or leaked, each enterprise shall put in place appropriate media protection for personal data storage devices. The protection requirements include management measures such as technology, equipment and secured environments that meet a specific level of security. (8) Education and training In accordance with the Regulations, Article 13, each enterprise shall periodically use education and training to ensure that all staff members understand the following things: The laws and regulations pertaining to personal data protection; their personal duties and roles within their scopes of responsibility; and the requirements for all SMP management procedures, mechanisms, and measures. For any enterprise that engages in retail sales via the Internet, their SMP shall include user training and education regarding personal data protection and management; and the enterprise shall also formulate personal data protection rules for compliance. (9) Continuous audit, recording, and improvement mechanisms 1. Data security auditing mechanisms: In accordance with the Regulations, Article 15, each enterprise shall periodically do internal audits of personal data, then put the audit results into an evaluation report that reviews improvements to the enterprise’s protection policy, SMP, etc. If there are any deficiencies, the enterprise shall make corrections. 2. Use of records, tracking data, and retention of evidence: In accordance with the Regulations, Article 16, and as part of carrying out its SMP, each enterprise shall retain a minimum of five years of records on the collection, processing, and use of personal data; tracking data for automated machinery; and evidence of having implemented the SMP. After an enterprise’s operations cease, it shall retain records of the destruction, transfer, or other deletion of personal data for a minimum of five years. 3. Comprehensive, continuous improvement for personal data security maintenance: In accordance with the Regulations, Article 17, any time an enterprise’s SMP is not implemented, the enterprise shall adopt corrective and preventive measures. Also, based on the SMP’s implementation status, its handling methods/implementation status, developments in data technology, adjustments to the enterprise’s business, and changes in the law and regulations, each enterprise shall periodically review and amend its SMP. 4. Tiered management In accordance with the Regulations, Article 18, and to prevent relatively small businesses having to take on excessive personal data management costs, tiered management is applied. For an enterprise with a specific business scale (having capital of NT$10 million or more, or holding 5,000 or more personal data records), stronger security measure implementation is required, namely, the personal data security measures shall be implemented, reviewed, and improved at least once every twelve months. If an enterprise reaches NT$10 million or more in capital after the Regulations take effect, or if an enterprise’s number of personal data records held reaches 5,000 or more as a result of direct or indirect data collection, then within six months of meeting those conditions, the enterprise shall implement and review the improvement measures at least once every twelve months. 5. Outsourced personal data Commercial outsourcing in the digital economy comes in many forms. In light of this, and in order to make clear each enterprise’s security management obligations with regard to the collection, processing, and use of personal data, Article 19 of the Regulations clearly spells out what duties shall be carried out with regard to any outsourcing that touches on personal data. When an enterprise outsources the collection, processing, or use of personal data, it is considered equivalent to the enterprise’s own activity. Thus, the enterprise shall understand and follow the legal orders and regulations on personal data set by the central government authorities in charge of the outsourcing party’s industries. Any oversight responsibilities arising from outsourcing the collection, processing, or use of others’ personal data shall be clearly stipulated in the outsourcing contract or other such documents. IV. Conclusion The Regulations Regarding the Security Maintenance and Administration of Personal Information Files in in Digital Economy Industries are designed to balance development for Taiwan’s digital economy industries with comprehensive, continuous improvement of personal data security maintenance. In pursuit of those goals, the Regulations clarify what each enterprise must do: Plan, formulate, and carry out security maintenance plans for personal data that falls within the bounds of the enterprise’s business; ensure that all staff members receive training on personal data protection; provide personal data subjects with channels to file complaints and seek consultation on their rights; and inform the government authorities in charge of the digital economy about the enterprise’s SMP, including the status of any personal data security incidents. All this is done in hopes that the security measures will continuously improve the security of personal data in Taiwan’s digital economy industries.

By Ying-Hsi Chiu, Project Manager Science and Technology Law Center Institute for Information Industry Taiwan , Republic of China English Conference Paper of The 6 th PDMC International Seminar on Software and Digital Content IPR Protection in Digital Environment, Korea In recent years, there is a phenomenon that governments in various countries launched different programs or action plans to stimulate the development and use of digital content, with the hope to boost a new economy based upon this promising industry. The rise of digital content signifies the shift of economy from manufacture of physical items to high value intangibles. However, the nature of digital content such as easy-copy, low-cost and high-quality, render the new industry even more vulnerable to piracy. Furthermore the threats to lose profits and even the future of the whole industry pose a severe challenge to governments. In order to support digital content industry to continue thriving in a healthy and sound environment, proper legal protection and stringent enforcement measures, especially for on-line digital content, will definitely have a profound impact in the long run. Taiwan Government also put digital content as one of the most promising industries for the next generation. Human resources and financial supports have been allocated, and we have seen more and more talents and companies joining this industry. However, in the meanwhile, in addition to the continuous task on cracking down piracy, our Government has been working on amending relevant laws and regulations in order to provide a solid legal infrastructure for digital content industry. In this paper, I would like to introduce you the major achievements regarding our recent amendments of Copyright Law, Rating system for digital content and the draft of “Digital Content Industry Promotion Act”. Of course, two local peer to peer cases and other legislative proposals regarding ISP responsibility will also be discussed. A. the Impact of Copyright Law amendments in 2003 and 2004 on Digital Content With Taiwan 's accession to World Trade Organization, Taiwan is under the obligation to amend her domestic intellectual property laws to be in line with the minimum standards as required in TRIPs. Besides, the society of Taiwan , at the same time, is experiencing a knowledge-based revolution. Almost every kind of information is digitalized, but relevant laws offer little or inadequate legal protections which in turn arouse more piracy on internet and greatly reduce our confidence in internet creativity. Copyright Law is the existing law that has been confronted with the most impacts from the progress of scientific and technological development. Therefore, c opyright law has been amended successively in July 2003 and August 2004 so as to cope with the increasing application of digital science and technology. The key amendments that have profound impact on digital contents are summarized as follows: a. The Right of Temporary Reproduction 1: Whether “temporary reproduction” is a type of reproduction under copyright law has been a issue of discussion for years, and finally in 2003, the amendment gave an positive answer. Temporary reproduction of copyrighted works is deemed a type of reproduction, but is not protected under copyright law if the temporary reproduction is transient, incidental, an essential part of a technology process, and without independent economic significance, where solely for the purpose of lawful network relay transmission, or for the lawful use of a work. A “lawful network relay transmission” includes technically unavoidable phenomena of the computer or machine occurring in network browsing, caching, or other processes for enhancing transmission efficiency. For the above amendment,, the definition of "reproduction" was also amended to include the "direct, indirect, permanent and/or temporary reproduction activities" 2. b. The Right of Public Transmission 3 One of the most important amendments regarding the protection of digital content is the new article about “public transmission”. The term is defined as “to make available or communicate to the public the content of a work through sounds or images by wire or wireless network, or through other means of communication, including enabling the public to receive the content of such work by any of the above means at a time or place individually chosen by them.” The act of public transmission is characterized in its mode of operation by means of interactive computerized or Internet transmission which is different from the mode of operation of transmitting the contents of copyrighted works in a unilateral manner such as public oral transmission, public broadcasting, or public performance etc. To confer the new added definition of “public transmission” 4, the Article 3-1-7 regarding the definition of "public broadcast" 5 was also amended 6, so as to distinguish the operation modes of "public transmission" and "public broadcast" in order to avoid confusion while using these two different terms. c. Protection of Electronic Rights Management Information When copyright law confers the “public transmission” right to authors, the introduction of “Electronic Rights Management Information” will definitely facilitate the author to be easily accessed and encourage more exploitation of digital contents. The term " electronic rights management information" refers to the electronic information which is used to identify a copyrighted work, the title of the work, author, economic rights holder or person licensed thereby, and the period or conditions of exploitation of the work, including numbers or symbols that represent such information 7. Anyone who removes or alters the electronic rights management information without authorization shall be imposed civil liability for damages and criminal liability for sentence up to one year imprisonment, detention or fine. d. Technology Protection Measures 8 The term "technology protection measures", that is, the "anti-circumvention measures", means the equipments, devices, components, technology or other technological means employed by copyright owners to prohibit or restrict, in effective manner, others from accessing or utilizing his/her work without prior authorization. Anyone who disarms, destroys or by any other means circumvents the technological protection measures employed by the copyright owner shall be subject to civil liability for damages. The new amendment further specifies that any equipment, device, component, technology or information for disarming, destroying, or circumventing technological protection measures shall not, without legal authorization, be manufactured, imported, offered to the public for use, or offered in services to the public. Violation of this article shall be imposed criminal liability for sentence up to one year imprisonment, detention or fine. e. Specific Punishment for Use of Pirated Software 9 Before the 2004 amendment, the use of pirated software for commercial purposes shall be deemed an infringement of copyright only if the user has “actual knowledge” that he is using pirated software for that purpose. The application of this article, however, was controversial because it was difficult to prove that the user did have “actual knowledge” of the contended facts. Hence in the 2004 amendment, the requirement of “actual knowledge” was deleted, and therefore, as long as there is the fact of using pirated software, the user shall have no excuse to running away form civil liability for damages and criminal liability for sentence of up to two years imprisonment or detention, or in lieu thereof or in addition thereto, a fine of no more than five hundred thousand New Taiwan Dollars (hereinafter called NT Dollars). f. Increasing the magnitude of criminal liability for illegal optical disk copyright infringement Owing to the massive harmful power on digital content by illegal optical disks, the amendment increases the magnitude of criminal liability for illegal optical disk copyright infringement. A person who infringes on the economic rights of another person by means of reproducing a work onto an optical disk shall be subject to imprisonment ranging from six months to five years, and in addition thereto, may be fined ranging from five hundred thousand to five million NT Dollars. Besides, heavy criminal liability is also imposed on a person who distributes or with intent to distribute publicly displays or possesses a copy of optical disk knowing that it infringes on the economic rights shall be subject to imprisonment ranging from six months to three years and, in addition thereto, may be fined ranging from two hundred thousand to two million NT Dollars. Both offenses are actionable not upon complaint. B. Local P2P case analysis and possible solution No matter we accept it or not, Internet has changes our life style in many ways . People find that many real-life activities could now find their counterparts “on line”, which bring us not only convenience and exciting experiences, but sometimes also raise problems. Downloading on-line music has drawn much attention during recent years. This newly flourishing business model provides music lovers a wide range of selections on-line, through peer to peer technology at relatively low cost. However, this new business did not receive supports from record companies and music right holders. On the contrary, these P2P companies were accused of the main cause for the sharp drop in profits for the past few years. Although it is difficult to prove the direct relationship between lost of profits and the downloading services, we have seen many copyright infringement cases were brought to courts in the United States (Napster/Groster cases), Holland /Australia (Kazaa case) and Japan (MMO case) and the judgments, even with similar facts, were opposite! This situation just reflects the complexity of the whole issue and arouses more discussion on this topic. In August 2003, International Federation of the Phonographic Industry, Taiwan Branch (hereinafter referred to as IFPI Taiwan) brought complaints against two local P2P companies in Taipei and the courts also reached opposite judgments. It is the main purpose of this paper to discuss the two judgments and possible solution in the future. Before we start to discuss the two cases, I would like to take this opportunity to briefly clarify our copyright law liability system. Unlike American legal system, where liability for violation of copyright law is civil liability in nature, the legal responsibility for copyright infringement in Taiwan is criminal liability, and therefore, courts in Taiwan will apply stricter standard in deciding whether violation of copyright is intentional. a. ezPeer case This is the first P2P case in Taiwan and Taipei Shihlin District Court found in June 2005 that the defendant, ezPeer company, is not guilty of copyright violation charges for the following reasons: In the indictment, the prosecutor claimed that ezPeer provides on-line music downloading services through a “centralized P2P framwork”, so it is reasonable to conclude that ezPeer has “actural knowledge” about the fact of copyright infringement by its members. With such knowledge in mind, ezPeer still provides file-exchange services, and therefore, ezPeer is suspecious of violating copyright of the record companies. The Court, however, held that ezPeer is in fact a “decentralized P2P framwork”, and further held that it is not important to decide the type of P2P framework in this case because the original structure of P2P was not designed for the purpose of violating copyright. The Court maintained that the downloading and transmission of musical files by individual member might satisfay fair-use circumstances or other requirements for legal exploitation of the works. From the evidences submitted by the prosecutor, the Court is not able to ascertain if ezPeer is able to distinguish the legality of conducts acted by its members. Under such circumstances, the Court helded that it is also impossible to conclude that ezPeer is an accomplice in this case. Under present relevant laws, ezPeer is under no legal obligation to take active actions to provide special devices or measures to filter off the downloading and transmission of musical files that are suspecious of violating copyright law. Of course, ezPeer judement ignited another pro and con debate in Taiwan . It is interesting to note that the judgment of ezPeer case was rendered on the 30 th of June, 2005, only three days after the Groster judgment which was rendered on the 27 th of June 2005. We are not sure if the Groster judgment has any impact on the Kuro case, but as we will see below, the judgment of Kuro case is just totally opposite to ezPeer. b. Kuro case On the 9 th of September , 2005, Taipei District Court reached its judgment on Kuro case, and held that the defendant, providing unauthorized music downloading services for the purpose of making profits, is jointly responsible as conspiracy with its individual member for infringing plaintiff's copyright. The CEO and General Manager of Kuro were sentenced for three-years' imprisonment separately, and both were fined three million NT Dollars; the responsible person (chairman) of Kuro was sentenced for two-years' imprisonment and Kuro's member, Miss Chen, was also sentenced for four-months' imprisonment, which could be substituted by fine, and which also obtained a respite for three years. In addition to criminal action, IFPI also filed a civil lawsuit claiming for compensation, and this case finally reached a peaceful settlement on the 15 th of September, 2006. Kuro promised to pay IFPI Taiwan 3 millions and 5 hundred thousand NTD as compensation. A new company /will be incorporated to continue the legal music platform business. The members' list, brand name and the employees of Kuro will be transferred to the new company under a license agreement. In the future, the new company will provide downloading services not with P2P technology, but with streaming model, and the member fee will have a jump from the present 99 NTD/month to 150 NTD/month. A brief comparison can be made between the two local cases: Taipei Court found that when Kuro's server is under normal operation, and when Kuro's member would like to download a specific music file from another member, Kuro's server will provide IP address, route and establish connection in order to facilitate its member to conduct fast search and to download the music file; If the connection is interrupted during transmission, Kuro's server will automatically locate other member's IP to resume the transmission. The Court was convinced under these facts that Kuro was a “centralized P2P framework”. The Court further found that Kuro published a great deal of commercial advertisements on various media to increase its membership; Kuro also established “feed-back mechanism” on its own website to encourage the users to download music file. Given all these evidences, The court was convinced that Kuro, who had actual knowledge that the P2P technology it provided will be utilized by others as a tool to carry out criminal activities, should induce the general public to pay or buy its membership to infringe other's copyright in order to pursue its own commercial benefits. In doing so, the court held that Kuro has already foreseen that its member will use P2P technology to conduct unauthorized music downloading, the copyright holder's damages and the causation between the two, and the result of causing lost of profits on plaintiff is not against Kuro's intent. Therefore, Kuro must be responsible for violating copyright liability. We found that the supporting evidences really play important roles in helping the Court to reach its final judgment and that is one major reason why we have two cases with similar facts but having opposite results. The P2P issue, with the settlement between Kuro and IFPI Taiwan, is at rest for the time being, but efforts trying to have legislative solution are just begun. There was suggestion to amend Copyright Law to have a “compensation system” to solve the P2P problems. This proposal, however, did not receive much support among scholars and legislators. Recently another proposal was brought to our attention that our Copyright Law shall adopt a procedure similar to the one adopted in DMCA. This new proposal arouses another big issue: how should we regulate ISP? This issue has been in debate for years in Taiwan , and so far there is still no consensus on this point. As a matter of fact, ISP relates not only to copyright issues, privacy protection, anti-porn/violence for minors on internet are also important topics needed to address our concerns. So far, it is too early to comment the future of this new proposal, but we will keep close watch of its future development. From III's point of view, a single legislation encompassing all issues regarding ISP will be a better solution. C. Rating system for digital contents With the rapid advances of technology and the widespread use of computers, Internet has become an indispensable part in our daily lives. When we enjoy the convenience of having easy and quick access to almost all kinds of information, we are exposing ourselves, at the same time, to a world which is flooded with impoper or even indecent contents. Those contents deliver either wrongful or harmful messages to the viewers and sometimes cause negative impacts on their minds forever. This situation poses a quite serious problem especially for children and teenagers who are encouraged to acquaint themslves with the cyber space but do not equipped with proper knowledge and ability to distinguish healthy and useful contents from unhealthy and harmful ones. Hence, in addition to protectingof the right of digital content, while in the process of promoting digital content industry, setting clear rules to regulate content providers to protect minors are also very important. In order to insure the sound development of the physical and mental status of the minors, Article 27, Paragraph III of the “Children and Youth Welfare Act 10” requires that “the competent authority should publish rating regulations for publication 11, compouter software and internet content”. This is not to impose any restrictions on the freedom of speech on internet, but rather a protection measure by providing a basic reference for parents and the minors to decide which content is appropriate for them. a.Regulations of Internet Content Rating The “Regulations of Internet Content Rating” was first published by Government Information Office (hereinafter referred to as GIO) on the 26 th of April, 2004. The regulation provides a grace period of 18 months in order to avoid rushness and, therefore, the exact enforcement date was the 26 th of October, 2005. This Regulation was further amended in October 2005. The most important spirit of the Regulation is “self discipline” principle. According to the amended regulation, content providers shall classify the contents either “restricted” or “non-restricted” by themselves. Restricted contents providers are required by the Regulation to put a “restricted” label on the homepage or relevant web pages in a conspicuous manner. Before the amendment, the rating system was classified as “common for all”, “protected” (which means the content is not suitable for children under 6), “parents guide” (which means that the content is not suitable for children under 12; for the youth between 12 to 18, parents guide is needed) and “restricted” (not suitable for people under 18). So under the present classification, Internet content that is not rated as “restricted” may be viewed by children under guidance or under the discretion of parents, guardians or others taking care of them 12. In order to carry out the functions specified in the regulation, the “Taiwan Internet Content Rating Promotion Foundation 13” (hereinafter referred to as TICRF) was established by GIO on the 7 th of January, 2005 . This will facilitate the development of Internet-related industry while protecting freedom of speech online and regulate user behavior. b. Regulations of Computer Software Rating The “Regulations of Computer Software Rating” was published by Industry Development Bureau (hereinafter referred to as IDB) of Ministry of Economic affairs on the 6 th of July, 2006 and will be enforced on the 5 th of January of 2007. Following the Internet Content Rating Regulation, this regulation adopts the “self-discipline” principle, and “four tiers” rating classification. However, there a re some points to be noted: 1. The term “computer software” in this Regulation refers only to “computer games”, excluding other kinds of software like searching engine, data mining, tool or educational software. 2. Only the game software that can be played through “computer” shall be the subject under this regulation. Games played on other devices, such as mobile phone, PDA, television or other devices. As a result, video games do not fall within the definition of “computer game” under this regulation and, therefore, is not regulated so far. 3. The competent authority for the new Regulation is IDB. Not like GIO establishing a foundation under its donation, IDB will encourage the private sector to organize professional groups to provide consultation services regarding any question or misunderstanding arising from this regulation. Anyone who would like to challenge the rating label marked by the computer software providers, may also bring their cases to any of those professional groups for opinions. 5. The new Regulation requires that the computer software providers must put the label not only on the web page providing downloading services but also on the package in a conspicuous manner. It further requires that for “restricted” software, a warning sentence like “This software is intended for use for persons above 18” must be properly marked. D. The “Digital Content Industry Promotional Act” (Draft) a.To restore the copyright pledge recordation system As we have pointed out that copyright and other intangible assets are playing a more and more important role in the knowledge based economy. Therefore, the purposes of copyright law are no longer limited in protecting the rights of the authors, but are extended to facilitate the maximum exploitation of these works in order to manifest their potential economic values. As we all know that the most valuable assets for digital content companies are their intangibles, such as patents, copyrights or trademarks. In the early stage, those start-up companies might rely heavily on government's financial supports. However, when digital content companies are becoming more mature and try to make use of their intellectual properties as collateral to reach a loan agreement with the banks, they will find that the banks are not willing to accept these intangibles as collateral 14. The situation for copyright is even worse in Taiwan since our copyright competent authority no longer provides copyright recordation services to the public 15, and therefore, the banks are even less interested in accepting copyright as collateral because they are not able to estimate their risks with accuracy in any particular case when those important information regarding the “intangible collateral” is not available from any trustworthy government agency or private organization. In order to provide a formal channel of disclosure and to ignite the economic potential in intellectual properties in the future, our government is planning to restore the copyright pledge recordation system in the draft of “Digital Content Industry Promotional Act”, aiming that this will offer the digital content companies a better position to negotiate with the bank and other financial institutions for loan agreements. b. Exploitation of Work Whose Authorship is Unknown At a higher level of the panorama, Copyright Law encourages the exploitation of other's works in order to facilitate further idea exchange and culture development. However, such a privilege is granted by law only when the users obtain author's authorization in advance, except in some specified fair-use circumstances or using works which already in public domain. However, author's authorization is sometimes difficult or even impossible to obtain when the author's whereabouts is unknown 16. This is especially true in the internet environment when the flow of information is so fast and the amount of information is enormous. This situation undoubtedly creates a big hurdle for content users and impedes their willingness to continue creative activities on internet . In order to solve this problem and to reach full utilization of digital contents, our Government is planni ng to bring this licensing deadlock to an end by setting a procedure which allows the users to submit sufficient evidences to the copyright competent authority to prove that he/she has exhausted all possible means but still fail to locate the author. After reviewing all the documents and evidences, copyright competent authority will grant the authorization on a non-exclusive basis, and the user has to deposit the license fee as prescribed in the approval letter and then use the work in the manner as prescribed therein. Taiwan Government is hoping that in the internet era, authors are urged to exercise their rights granted under Copyright Law in a much more positive manner by using “electronic rights management information” to enable others to share authors' wisdom and to help the whole society to benefit from the wisdom-sharing process. Conclusion The whole world is facing a new digital era that nobody has ever experienced before, especially the Internet world. Traditional legal system is no longer enough to deal with problems related to the creativities of intangible assets. Members of modern society, need to find the best solution to irrigate and protect these digital fruits, and, at the same time, to resolve or prevent problems or expected harm from the development of digital content industry. To set up a new legal system along with various industrial policies is deemed a good solution to build up sound environment for the growth of digital industry. Challenges and hurdles will be confronting us every single day. They come to existence even faster than before. Their existences just send us clear messages that it is time to submit more proposals to promote digital industry, to create maximum profit to the digital society as a whole and to prevent harmful results from this trend of digital tide. We believe that Taiwan Government is now well prepared to face this new age and to overcome all the expected or unexpected challenges. Major changes of legal structure will be achieved step by step within the following years and it is expected that when cases relating to digital content are accumulated to certain amount , the consensus to solve those legal issues will become much clear. When we reach this point, our society will be more comfortable and confident in using and creating digital contents and the digital industry in Taiwan will be mature. 1. This amendment is made pursuant to Article 9 of the TRIPs which provides that every member of the WTO shall adhere to the provisions set out in Article 1 through Article 21 of the 1971 Berne Copyright Convention. Article 9 of the Berne Convention entitles the authors of the literary and art works protected by the Convention the exclusive right to licensing, in any manner or form, the reproduction of his/her copyrighted works. 2. The ROC Copyright Law Article 3-1-5 3. This amendment was made by making reference to Article 8 of the WCT and Article 10 and Article 14 of the "WPPT", and Article 2, and Article 2 –1 and 2-2 of the EU 2001 Copyright Directives 4. "Public transmission" means to make available or communicate to the public the of a work' content through sounds or images by wire or wireless network, or through other means of communication, including enabling the public to receive the content by any of the above means at a time or place individually chosen by them 5. "Public broadcast" means to communicate to the public the a work's content through sounds or images by means of transmission of information by a broadcasting system of wire, wireless, or other equipment, where such communication is for the purpose of direct listening reception or viewing reception by the public. This includes any communication, by transmission of information via a broadcasting system of wire, wireless, or other equipment, to the public of an original broadcast of sounds or images by any person other than the original broadcaster 6. The amendment was referenced to the provisions set out respectively in Article 8 of the WIPO Copyright Treaty (hereinafter referred to as "WCT") and Article 10 and Article 14 of "The WIPO Performance and Phonograms Treaty" (hereinafter referred to as "WPPT") 7. The ROC Copyright Law Article 3-1-17 , The definition of the term " electronic rights management information" was added with reference to the provisions set out respectively in Article 12 of the WCT, and Article 19 of the WPPT which requires all signatory countries to provide full protection and remedies to the integrity of electronic rights management information, Article 7 of the EU 2001 Copyright Directives, Article 1202 of the US Copyright Act, and Article 2-1-21 of the Japanese Copyright Law. 8. The ROC Copyright law Article 3-1-18 , this item was added in 2004 amendment. The definition of the term "technology protection measures" are added to the 2004 Copyright Law pursuant to in Article 11 of the WCT and Article 18 of the WPPT respectively, requiring the mandatory and adequate legal protection to the "anti-circumvention measures". And, the Article also makes reference to the relevant provisions provided in Article 6 of the EU 2001 Copyright Directives"; Article 1201 of the US Copyright Act; Article 20,1,20 of the Japanese Copyright Law; Article 18 of the "On-line Digital Contents Industry Development Act" and Article 30 of the "Computer Programs Protection Act" of Korea respectively. 9. The ROC Copyright Law Article 87-5 and 87-6 10. The Act was put in force on the 28th of May, 2003 11. ROC Government has already enacted rating regulations for publication (books, magazines, etc.) and movies/TV programs. 12. Many teachers and parents group are criticizing the new rating classification. They agree that it is sometimes difficult for the content providers to mark correct label for contents which are either “protected” or “parent guide”. However, they argue that it is irresponsible to shift the whole burden to parents who do not have enough profession or simply do not have time to do so. 13. For more detailed information, please visit TICRF's website at http://www.ticrf.org.tw/ 14. The conservative attitude of the banks and other financial institutions are understandable. First of all, the market for intangibles as collateral is just not mature for the time being, and we do not have enough experiences in the area of intangible assets evaluation. Secondly, banks are more familiar with traditional collateral, like lands, houses, etc. In fact, they are quite confused about how to deal with all these intangible assets in their hands. Thirdly, an effective mechanism for the withdrawal of banks and financial institutions from the market is still lacking, which greatly increases the risks for banks, and in turn, will render banks more hesitated to reach any loan agreement with digital content companies from the very beginning. 15. The Copyright Law of Republic of China was first promulgated in 1928. At that time, copyright protection would be obtained only if the author fulfilled the strict “registration” process. In 1985, Copyright Law was undergoing an overall review, and an internationally accepted principle that “copyright protection will be automatically obtained upon completion of the work” was adopted. However, copyright registration system was still maintained for voluntary application for registration and the issuance of copyright registration certificate. In 1992, a more loose “copyright recordation system” was adopted to replace the “copyright registration system” to avoid any confusion. In 1998, after many years' debates, copyright recordation system was finally abolished for the following reasons: 1). The existence of “copyright recordation system” always delivers wrong information to the public that copyright law still requires registration for protection of a work. So it would be better to abolish the recordation system to avoid any misunderstanding in the future. 2). In a copyright lawsuit, the courts, instead of conducting substantial fact-finding procedure to ascertain who the copyright holder is, very often require the party claiming copyright protection to submit copyright registration certificate or recordation transcript to prove that he/she is the copyright holder. In doing so, the spirit of copyright law was led to such a distortion that would render the public even more confused about the true meaning of copyright law. 3). Due to limited manpower in our copyright competent authority, services for applications either for copyright registration or recordation will consume a lot of administrative resources , and the crowding-out effect would have negative influence on the allocation of resources to other pending copyright issues or basic researches at hand. 16. This is termed “orphan works” by Professor Lawrence Lessig.