Legal Aspects and Liability Issues Concerning Autonomous Ships

Legal Aspects and Liability Issues Concerning Autonomous Ships

  All sectors of business and industry are transforming into digital society, and maritime sector is not out of the case. But the new thing is the remote control ships or fully automatics ships are becoming a reality.

  Remote control ships and autonomous ships will be a tool to reach safety, effectiveness, and economical goal. However, as it intends to take over human element in the maritime industry, the implement of remote control ships or autonomous ships brings new legal issues and liability considerations.

  This study aims to highlight some critical legal issues of autonomous ships to reader, but will not try to solve them or give clear answers.

I. The Approach of International Maritime Organization

  In order to solve issues from the deployment of autonomous ship, International Maritime Organization Maritime Safety Committee (MSC) has taken first steps to address autonomous ships. In the meeting of MSC 100, the committee approved the process of assessing IMO instruments to see how they may apply to ships with various degrees of autonomy.

  For each instrument related to maritime safety and security, and for each degree of autonomy, provisions will be identified when:

  • apply to MASS and prevent MASS operations; or
  • apply to MASS and do not prevent MASS operations and require no actions; or
  • apply to MASS and do not prevent MASS operations but may need to be amended or clarified, and/or may contain gaps; or
  • have no application to MASS operations.

  The degrees of autonomy identified for the purpose of the scoping exercise are:

  • Degree one: Ship with automated processes and decision support: Seafarers are on board to operate and control shipboard systems and functions. Some operations may be automated and at times be unsupervised but the seafarers on board are ready to take control.
  • Degree two: Remotely controlled ship with seafarers on board: The ship is controlled and operated from another location. Seafarers are available on board to take control and to operate the shipboard systems and functions.
  • Degree three: Remotely controlled ship without seafarers on board: The ship is controlled and operated from another location. There are no seafarers on board.
  • Degree four: Fully autonomous ship: The operating system of the ship is able to make decisions and determine actions by itself.

  The initial review of instruments under the purview of the Maritime Safety Committee will be conducted during the first half of 2019 by a number of volunteering Member States, with the support of interested international organizations. MSC working group is expected to meet in September 2019 to move forward with the process with the aim of completing the regulatory scoping exercise in 2020.

  The list of instruments to be covered in the MSC’s scoping exercise for MASS includes those covering safety (International Convention for the Safety of Life at Sea, SOLAS); collision regulations (The International Regulations for Preventing Collisions at Sea, COLREG); loading and stability (International Convention on Load Lines, Load Lines); training of seafarers and fishers (International Convention on Standards of Training, Certification and Watchkeeping for Seafarers, STCW); search and rescue (International Convention on Maritime Search and Rescue, SAR); tonnage measurement (International Convention on Tonnage Measurement of Ships, Tonnage Convention); Safe Containers (International Convention for Safe Containers, CSC); and special trade passenger ship instruments (Special Trade Passenger Ships Agreement, STP).

  IMO will also develop guidelines on MASS trial. The guideline include ensuring that such guidelines should be generic and goal-based, and taking a precautionary approach to ensuring the safe, secure and environmentally sound operation of MASS. Interested parties were invited to submit proposals to the next session of the Committee for the future development of the principles.

II. Other Legal issues concerning Autonomous Ships

  In March 2017, the (Comité Maritime International, CMI) Working Group on Unmanned Ships circulated a questionnaire. The questionnaire aimed to identify the nature and extent of potential obstacles in the current international legal framework to the introduction to (wholly or partly) unmanned ships. The questionnaire can be summarized into the following legal issues.

  1. The legal definition and registration of the remote control ship and autonomous ship

    The definition of remote control or autonomous ship is based on the purpose of each individual convention. Current international conventions regulating ships do not generally contain recognized definition of the “Ship” and “Vessel”.

    However, due to its geographical feature, countries tend to have different safety requirement for ships; therefore, even the definition of remote control or autonomous ships given by international regulations, may not be accepted by national register of ships.

    For example, according to the reply to the questionnaire from Argentina association of maritime law, Argentina Navigation Act prescribes that in order to register a ship in the Argentine Register, regulatory requirements regarding construction and seaworthiness must be fulfilled. However, there are no rules regarding the registration of remote control ships or autonomous ships, as current act are based on the existence of crew on board. The unmanned ships would not be registered by Argentina Registry of ships.

    At present, the fragmentation of the definition and registration of ships can affect the deployment and application of remote control ships or autonomous ships. Due to the feature of shipping, which is related to the global transportation network, the definition and registration issue had better be solved at international level by International Maritime Organization (IMO).

  2. Legal issue of the seafarer

    International Convention on Standard of Training Certification and Watchkeeping (STCW) 1978 sets minimum qualification standard for masters, officers and watch personnel on seagoing merchant ships and large yachts.

    In the sight of replacing human operator on board with machine, will the convention find no application to remotely controlled or autonomous unmanned ships?

    The research of CMI points out the maritime law associations of Finland, Panama and United State assume that the STCW convention would likely apply to shore-based personnel as well in excepted circumstances where there is no new specific legislation. And the British maritime law association states that regardless of whether STCW would apply to unmanned operation or not, it is clear that certain provisions on training and competence would not apply to shore-based controller and other personnel. Japanese maritime association also states that although the convention does not find application to a remotely controlled unmanned ship, certain rules requiring watchkeeping officers to be presented may nevertheless arguably be interpreted to render an unmanned ship in breach of STCW and to that extent be applicable to unmanned ships. Therefore the amendment of convention seems inevitable.

    Standing on the other side, the Institute of Marine Engineering Science & Technology recommended that pairing human with machine effectively to enhance human intelligence and performance rather than totally replacing human is an area that should not be overlooked. Even if the application of unmanned ships comes in reality, seafarer skill will still remain an essential component in the long term future of the shipping sector. The minimum qualification of masters, officers and watch personnel may not need to be changed.

    Human error has been used to create a blame culture towards the workforce at sea, and it also results from poor implementation/ introduction/ preparation for new technology. Many studies show that seafarers are worried about the impact of autonomous ships. If the development of autonomous ships means replacing all the human elements on ships, people who work in marine sector will not accept those novel technologies easily, and this won’t lead to a safer future of maritime industry.

  3. Safety requirement of the remote control ship and autonomous ship

    Rule 8 (a) and rule 5 of the international regulation for preventing collisions at sea, 1972(COLREGS) require the operation of ships to comply with the duty of “good seamanship”, “proper lookout”.

    These rules are based on the operation by human, thus, leading to the following two questions:

    (1) Would the operation of unmanned ship contrary to the duty of “good seamanship”?

    The duty of good seamanship emphasizes the importance of human experiences and judgments in the operation of a vessel, and the adaptability of responses provided by good seamanship. Whether an autonomous ship would be able to reach this level of adaptive judgment would depend on the sophistication of its autonomous system. According to CMI’s research, the maritime law associations of countries including Argentina, British, Canada, China, German, Japan and Panama emphasize the requirement that autonomous ship must be at least as safe as ships operated by a qualified crew.

    (2) Would the proper lookout sets in rule 5 satisfied by camera and aural censoring equipment?

    COLREG rule 5 has two vital elements. First, crew on the bridge should pay attention to everything, not just looking ahead out of the bridge windows but looking all around the vessel, using all senses and all personnel equipment. Second, use all information continuously to assess the situation your vessel is in and the risk of collision.

    In this context, if the sensors and transmission equipment are sufficient to enable an appraisal of the information received in a similar manner available as if the controller was on board, then Rule 5 should be considered satisfied.

    However, it is unlikely that fully autonomous ship could comply with rule 5. It depends on the sophistication of its autonomous system. If the technology is unlikely at present to provide as equivalent spatial awareness and appreciation of the vessel’s positon as there are human on board, then rule 5 would not be considered fulfilled.

  4. Liability

    Liability is an important issue which is frequently mentioned in the area of autonomous ship. According to the study of MUNIN in 2015, liability issue of autonomous ship might arise under the following situations:

    (1) Deviation

    Suppose a ship was navigating autonomously, and the deviation of the system caused collision damage, how might liability be apportioned between ship-owner and the manufacturers?

    According to the research of CMI, 10 maritime law associations stated that under its domestic law, the third party may have a claim against the manufactures. (British, Canada, China, Croatia, Dutch, French, Germany, Italy, Spain, Malta) They may do so in tort if negligence on the part of manufacturers can be proved and if this can be shown to be causative of the damage. In European Union, third parties may also claim under Council Directive 85/374/EEC of 25 July 1985 on the approximation of the laws, regulations and administrative provisions of the Member State concerning liability for defective products.

    (2) Limitation of liability

    Article 1 of the 1976 convention on limitation of liability of owner of ships provides that ship-owner may limit their liability to all claims arising from any incident. The size of limitation is based upon the tonnage of the ship. Within the convention, the term ship-owner is held to include the ship’s owner, charterer, manager or operator.

    International conventions dealing with limitation of liability are phrased in neutral terms with regard to the presence of a master or crew; therefore, circumstances in which a ship has no person on board do not appear to undermine the operation of those conventions.

    (3) Bill of lading

    Bill of lading is a written document signed on behalf of the owner of ship in which goods are embarked, and the ship-owner acknowledges the receipt of the goods, and undertakes to deliver them at the end of voyage. Typically, the shipper will sign the bill of lading along with the owner of the cargo at the point that shipper takes carriage of the cargo in question. The bill of the lading will then be signed by the cargo’s recipient once it has reached its destination. In other words, the document accompanies the cargo all the time, and is signed by the owner, shipper and recipient. It will generally describe the nature and quantity of goods being shipped.

    A question arises as in the absence of a master or any crew on board the ship, how will the bill of lading be signed by ship’s master?

III. Conclusion

  The shipping industry is a rich, highly complex and diverse industry, which has a history of both triumph and tragedy in its adoption of technology. In light of the potential for the remote and autonomous ship, and for the sake of contributing to the assurance of safe and efficient operation, it is better to understand the impact on the industry. The taxonomy of automation between human and machine is vast and complex, especially in the sector of law.

  Therefore, before the system can reach fully autonomy and undertake independent, our law should be ready.

 

IV. Reference

 

[1] Comité Maritime International, Maritime Law for Umanned Ships, 2017, available at https://comitemaritime.org/work/unmanned-ships/ (last visited Dec. 25, 2018)

[2] MUNIN, D9.3: Quantitative Assessment, Oct. 10, 2015, available at http://www.unmanned-ship.org/munin/news-information/downloads-information-material/munin-papers/ (last visited Dec. 25, 2018)

[3] Martime Digitalisation & Communication, MSC 100 set to review MASS regulations, Oct. 23, 2018, available at https://www.marinemec.com/news/view,msc-100-set-to-review-mass-regulations_55609.htm (last visited Dec. 25, 2018)

[4] IMAREST, Autonomous Shipping-Putting the human back in the headline, April. 2018, available at https://www.imarest.org/policy-news/institute-news/item/4446-imarest-releases-report-on-the-human-impact-of-autonomous-ships (last visited Dec. 25, 2018)

[5] Danish Martime Authority, Analysis of regulatory barriers to the use of autonomous ships(Final Report), Dec. 2017, available at https://www.dma.dk/Documents/Publikationer/Analysis%20of%20Regulatory%20Barriers%20to%20the%20Use%20of%20Autonomous%20Ships.pdf (last visited Dec. 25, 2018)

Links
Download
※Legal Aspects and Liability Issues Concerning Autonomous Ships,STLI, https://stli.iii.org.tw/en/article-detail.aspx?no=105&tp=2&i=170&d=8204 (Date:2024/05/19)
Quote this paper
You may be interested
A Brief Introduction to Taiwan’s Legislations to Promote Industrial Innovations of the Digital Economy

A Brief Introduction to Taiwan’s Legislations to Promote Industrial Innovations of the Digital Economy 2023/05/15 I. Background To encourage the development of digital industries in communications, information, cybersecurity, networking and communication, to centralize digital governance and digital infrastructure development and to assist in digital transformation of public and private sectors in Taiwan, the Ministry of Digital Affairs (“the MODA”) was created on August 27, 2022 to spearhead the national digital development policy, communications and digital resources; the development of digital technology use cases and the environment for innovations and talents; policies and regulations governing digital economy industries, national cybersecurity, the government’s digital services, open data and data governance, digital infrastructure, international exchange and cooperation and competence standards for the government’s professional personnel in IT and informational security. The Administration for Digital Industries (ADI) and the Administration for Cyber Security (ACS) have been established as the MODA’s subordinate agencies, to address challenges on all fronts in the digital wave. As the central competent authority on the industrial development of the digital economy, the MODA may subsidize, incentify or support innovative activities of digital economy industries in accordance with Paragraph 1, Article 9 of the Statute for Industrial Innovation and determine relevant matters in accordance with Paragraph 2 of the same article. Hence, the MODA promulgated the Subsidy, Reward and Assistance Regulations for Promoting Industry Innovation (“the Regulations”) on December 23, 2022, to encourage innovation and R&D on software, services, integration and application in telecommunications, information, cybersecurity, networking, and communication. The purpose is to enhance the industry environment and to boost the industry competitiveness. These Regulations serve as the MODA’s flagship efforts in promotion of industrial innovations and highlights Taiwan’s emphasis on digital economy industries. Below is a summary of the Regulations. II. Scope As stated in the overview described in Article 2, the Regulations aim to assist in the development of software products, digital services and infrastructure, system integration and vertical use cases in telecommunications, information, cybersecurity, networking and communication, so as to encourage innovations in digital economy industries such as ecommerce, digital contents, new types of digital services, communications and network deployment, to improve the industry environment and enhance the industry competitiveness. In sum, the “digital economy industries” mentioned in the Regulations refer to software, digital services or digital infrastructure sectors in telecommunications, information, cybersecurity, networking and communication. III. Policy measures According to Paragraph 1, Article 3 of the Regulations, the MODA or its subordinate agencies may provide subsidies, rewards and assistance to the activities in digital economy industries such as promotion of innovation or R&D, supply of technologies and support in upgrade. This may involve the encouragement of creation of innovation of R&D centers by companies; assistance to establishment of innovation or R&D institutions; fostering of cooperation among industries, academia and research organizations; promotion of corporate engagement in talent development at schools and development of human resources in industries; support to innovations by local industries; advocacy of corporate use of big data and the government’s open data; enhancement of communications network resilience and network infrastructure prevalence and other relevant matters. Moreover, the Regulations provide details of the policy measures for subsidies, rewards and support as follows: 1. Subsidies The relevant details are provided from Article 4 to Article 17 of the Regulations. (1) Eligibility According to Paragraph 1, Article 4 of the Regulations, subsidy recipients in principle shall be engaged in activities of digital economy industries, shall be either a sole proprietorship, partnership, limited partnership, or corporation registered in accordance with domestic laws or a natural person who is national of the R.O.C., a natural person from Hong Kong or Macau or a foreign national with permanent residency and has never been listed as a refusal account by any bank. Flexibility can be granted in accordance with Paragraph 2 of the same article. If required for the development of digital economy industries, the MODA or its subordinate agencies may establish separate eligibility criteria for subsidy recipients. However, such eligibility criteria only take effect via public announcement and publication on the Executive Yuan Gazette. Finally, according to Article 13 of the Regulations, no subsidy application may be submitted in event of violation of laws related to environmental protection, labor safety and health or food safety and hygiene during the most recent three years, as determined to be serious by central competent authority. (2) Subsidy limits According to Article 5 of the Regulations, different programs come with different ceilings measured in percentage. In principle, the subsidized amount shall not exceed 50% of the program budget if it is for promotion of industry innovation or R&D or encouragement of corporate use of big data and the government’s open data to develop and innovate commercial applications or service models. However, this does not apply to specific policy considerations or subsidy schemes above the budget and approved by the MODA or its subordinate agencies. For example, the subsidized amount shall not exceed 50% of the course fees for corporate engagement in talent development on campus or enhancement of talent resources for industries. However, this limit does not apply to subsidies to indigenous people, persons with disabilities, low-income households, or the special circumstances approved by the MODA or its subordinate agencies. Support schemes such as assistance to industrial technology and upgrade; encouragement of creation of innovation of R&D centers by companies; assistance to establishment of innovation or R&D institutions; fostering of cooperation among industries, academia and research organizations; support to innovations by local industries; enhancement of communications network resilience and network infrastructure prevalence and other projects shall be announced by the MODA or its subordinate agencies and published on the Executive Yuan Gazette. (3) Subsidy programs According to Articles 6 of the Regulations, there are no specific restrictions on subsidy categories, with two exceptions: (1) promotion of industry innovation or R&D – Subsidies are limited to six categories, i.e., innovation or R&D personnel expenses for approved projects; costs for consumables and raw materials; access and maintenance expenses for innovative or R&D equipment; introduction of intangible assets; commissioning and verification fees of research; and travel expenses. (2) advocacy of corporate use of big data and the government’s open data to develop and innovate commercial applications or service models or enhancement of communications network resilience and network infrastructure prevalence - Subsidies are limited to three categories, i.e., fees for commissioned services; training & education fees; and promotional campaign expenses. (4) Application submission According to Article 7 of the Regulations, an applicant should submit the application form, the project plan and relevant data to the MODA or its subordinate agencies. If the contents of the project plan or documents fail to meet requirements, the MODA or its subordinate agencies may request missing materials before a deadline of up to one month. The MODA or its subordinate agencies may not accept applications without missing materials supplied before deadlines. (5) Acceptance and review According to Article 8 of the Regulations, the MODA or its subordinate agencies shall convene review meetings to review applications, changes and irregularities in the execution of subsidy programs. Applicants may be asked to provide explanations or Personnel may be sent to conduct on-site inspections. If necessary, relevant authorities or institutions may be commissioned assist in financial reviews. Additionally, according to Article 9 of the Regulations, the period from document readiness by an applicant to notification of the completed review to the applicant may not exceed three months. This may be extended by one month if necessary. Finally, according to Article 17 of the Regulations, subsidized projects, subsidy recipients, approval dates, subsidized amounts (including cumulative amounts) and relevant information shall be announced on the websites of the MODA or its subordinate agencies each quarterly unless the disclosure should be restricted or is not provided according to Article 18 of the Freedom of Government Information Law. (6) Contract signing Once reviewed and approved, the applicant must sign the subsidy contract with the MODA or its subordinate agencies within the time period specified by Article 10 of the Regulations. Unless extension has been agreed by the MODA or its subordinate agencies, the approval of the application loses validity if a contract is not signed before the deadline. (7) Matters of adherence by subsidy recipients Once the subsidy contract has been signed, an applicant becomes a subsidy recipient under the Regulations and must abide by relevant terms and conditions. First, the recipient shall establish a separate account for subsidy funds and maintain a separate account book, according to Article 11 of the Regulations. All of the interest generated from the subsidy account and any balance remaining after the project completion shall be fully returned to the national treasury via the MODA or its subordinate agencies. Meanwhile, to examine whether there are any duplications of application, the use of subsidy funds and the effectiveness of project implementation, the MODA or its subordinate agencies may dispatch personnel or commission a fair and just organization to inspect the relevant documents, account books and status of project execution. The subsidy recipient shall not refuse such an examination, is obligated to respond and shall submit work reports and details about the use of funds by following the agreed-upon schedule. In event of breach, the disbursement of subsequent funds may be suspended, under the terms and conditions of the subsidy contract. Second, according to Article 12 of the Regulations, if a recipient fails to execute the subsidized project as planned or the project experiences a significant delay in progress, or there is an overly large gap between the project results and the business plan, or the project fails to pass the review, inspection or acceptance by the MODA or its subordinate agencies and no improvement has been made before the specified deadline, or there is a breach of the Regulations Governing Procurements for Scientific and Technological Research and Development if the subsidized amount exceeds 50% of the recipient’s procurement and it meets the threshold for public announcements under the Government Procurement Act, the MODA or its subordinate agencies may suspend the next disbursement in accordance with the terms and conditions of the subsidy contract, claw back the disbursed subsidy and even stop any subsidy to the recipient for one to five years, depending on the severity of the circumstances. Third, according to Article 14 of the Regulations, the MODA or its subordinate agencies must conduct a comprehensive assessment of effectiveness of subsidized projects and the recipient shall cooperate by providing data required for the assessment. Fourth, according to Article 16 of the Regulations and unless otherwise specified by laws, if the subsidized amount exceeds 50% of the total budget for a technology project, the ownership and utilization of R&D results shall comply with the Government Scientific and Technological Research and Development Results Ownership and Utilization Regulation. In event of breach by the recipient violates, the MODA or its subordinate agencies may terminate the subsidy contract and shall refuse to accept any subsidy application from the recipient for five years from the date of completion of the innovation or R&D. If the reason is attributable to the recipient, the subsidy contract shall be canceled and the subsidies shall be refunded. (8) Subsidy applications According to Article 17 of the Regulations, a subsidy applicant shall declare to the MODA or its subordinate agencies the following: 1) No significant default in the execution of any government-sponsored science and technology projects during the past five years. 2) No suspension currently in force as a result of disciplinary actions in relation to execution of a government-sponsored science and technology project. 3) No tax incentives, rewards or subsidies for the same matter under other laws granted to the same subsidized project. 4) No taxes owed during the past three years. However, individuals who apply for the subsidy under Subparagraph 5 or 6, Paragraph 1, Article 3 are exempted. 5) No violation of laws related to environmental protection, labor safety and health or food safety and hygiene or the People with Disabilities Rights Protection Act during the most recent three years, as determined to be serious by central competent authority. However, this does not apply to circumstances that occurred prior to the enforcement of the Statute. If the applicant refuses to declare the above, the MODA or its subordinate agencies may not accept the application. If any false statement is identified, the application may be rejected, or the subsidy may be withdrawn, the contract may be canceled and the disbursed funds shall be returned. 2. Rewards According to Paragraph 1 of Article 18 of the Regulations, the MODA or its subordinate agencies will announce reward programs for digital economy industries with details on recipients, eligibility criteria, evaluation standards, application procedures, approving agencies and other related matters. Moreover, reward applications are not accepted according to Paragraph 2 of Article 18 and the provisions of Article 13 and Article 15 shall apply mutatis mutandis. Article 17 regarding announcement of government information on subsidy applications shall also apply to reward applications. 3. Assistance Relevant rules are primarily prescribed from Article 19 to Article 21 of the Regulations. (1) Eligibility According to Paragraph 1 of Article 19 of the Regulations, the rules prescribed in Subparagraph 1, Paragraph 1 of Article 4 also apply to the eligibility criteria for assistance to digital economy industries. In other words, assistance recipients in principle shall engage in activities of digital economy industries, either a sole proprietorship, partnership, limited partnership, or corporation registered in accordance with domestic laws or a natural person who is national of the R.O.C., a natural person from Hong Kong or Macau or a foreign national with permanent residency and has never been listed as a refusal account by any bank. Flexibility can be granted outside the aforesaid limitations and in accordance with Paragraph 2 of Article 19. If required for the development of digital economy industries, the MODA or its subordinate agencies may establish separate eligibility criteria for assistance recipients via public announcement and publication on the Executive Yuan Gazette. (2) Oversight of commissioned organizations According to Article 20 of the Regulations, the MODA or its subordinate agencies may evaluate and assess the effectiveness of the assistance services provided by the commissioned organization(s) for recipients as an important basis for reviewing assistance projects. (3) Establishment of a single contact window The assistance unit may establish a single contact window to provide assistance and counseling services, according to Article 21 of the Regulations. 4. General provisions In addition to specific rules, the general provisions prescribed from Article 22 to Article 25 shall apply to subsidies, rewards or assistance provided by the MODA and its subordinate agencies. First, all the funds required for policy measures shall come from the budgets allocated by the MODA or its subordinate agencies, according to Article 25 of the Regulations. Second, the MODA or its subordinate agencies may commission a legal person or a group to handle the application acceptance, review, approval, inspection, subsidy disbursement and claw-back, rewards, assistance and other relevant matters, according to Article 22 of the Regulations. Furthermore, according to Article 23 of the Regulations, the incoming and outgoing of funds for subsidy, reward and assistance projects are managed as follows: 1) The same project applying for subsidies with two or more organizations should list the details of all expenses and the breakdowns and amounts of subsidies, rewards and assistance under application with each government agency. The subsidy, reward and assistance program shall be canceled and the disbursed funds shall be returned in event of concealment or false statements. 2) If the review by each government agency on the use of funds identifies poor results, utilization not consistent with the subsidy purposes, or inflated or dishonest numbers, the subsidy, reward or assistance recipient shall return the disbursed funds. Meanwhile, no subsidy shall be granted to the subsidy, reward or assistance recipient in question for one to five years, depending on the severity of circumstances. 3) If procurement is involved in the subsidy, reward or assistance budget, the subsidy, reward or assistance recipient shall adhere to the Government Procurement Act. 4) When reporting on expenses, the subsidy, reward or assistance recipient shall enumerate in detail the utilization of expenditures and the total amount of spendings. The same project subsidized by two or more organizations shall list the actual sum of subsidies, rewards and assistance. Finally, according to Article 24 of the Regulations, the approval, disbursement and reimbursement of subsidies, rewards and assistance are processed as follows: 1) Disbursement based on project progress: The number of instalments, the method, the amount (percentage) are specified in the contract by the MODA or its subordinate agencies, depending on the project and the timetable. 2) Reimbursement shall be based on the Management Guidelines for the Disposal of Government Expenditure Vouchers, the Matters of Attention Regarding Budget (Donation) Implementations by Central Government Agencies for Private Groups and Individuals and relevant contractual provisions. IV. Conclusions To accelerate the innovation and development of digital economy industries in Taiwan, the MODA has promogulated the Subsidy, Reward and Assistance Regulations for Promoting Industry Innovation in accordance with Paragraph 1, Article 9 of the Statute for Industrial Innovation. It is hoped that the subsidies, rewards and assistance provided by the MODA helps to enhance the competitiveness of digital economy industries and the effectiveness of the digital economy development in addition to the Statute. The Regulations set out detailed rules on policy measures e.g., subsidies, rewards, and assistance. Key matters such as eligible recipients, application procedures, review mechanisms, responsibilities and obligations are clearly defined but certain flexibility is reserved by exceptions. A contract-centric approach provides manoeuvrability in practice specific to project circumstances. It is hoped that the MODA and its subordinate agencies can utilize these Regulations once in force, to enhance the business environment of the digital economy industries and continue to drive industry innovations.

On the development of cyber insurance market: a legal aspect

1.Introduction Cyber insurance is one of the effective tools to transfer cyber and IT security risk and minimize potential financial losses. Take the example of Sony’s personal information security breach, Sony made a cyber insurance claim to mitigate the losses. In Taiwan, the cyber insurance market demand was driven by Taiwan’s Personal Information Protection Act (PIPA) which was passed in April 2010 and implemented in Oct 2012. According to PIPA, a non-government agency including the natural persons, juridical persons, or group shall be liable for the damages caused by their illegal collection, processing or using of personal information or other ways of infringement on the rights of the individual whose personal information was collected, processed or used. The non-government agency may thus pay each individual NT$500 to NT$20,000 and the total compensation amount in each case may be up to NT $200 million if there is no evidence for actual damage amount. However, the cyber insurance market does not prosper as expected one hand because of the absence of incentives of insurance companies to develop and promote the cyber-insurance products and on the other hand because of the unaffordable price that deters many companies from buying the insurance. Some countries have tried to identify the incentives and barriers for the cyber insurance market and have taken some measurements to kick start its development. In this paper, the barriers for the cyber insurance market were addressed and how American government promoted this market was mentioned. Finally, suggestions on how to stimulate the cyber insurance market growth were proposed for reference. 2.What is cyber insurance? Insurance means the parties concerned agree that one party pays a premium to the other party, and the other party is liable for pecuniary indemnification for damage caused by unforeseeable events or force majeure1. Thus, the cyber insurance means the parties concerned agree that one party pays a premium to the other party, and the other party is liable pecuniary indemnification for damage caused by cyber security breach. The cyber insurance usually covers the insured's losses (or costs) and his liabilities to the third party. For example, the insured was to be liable for the damages caused by the unlawful disclosure of identifiable personal information belonging to the third party resulted from the insured's negligence. 2Typically, cyber insurance covers penalties or regulatory fines for data breaches, litigation costs and compensation arising from civil suits filed by those whose rights are infringed, direct costs to notify those whose personal data was illegal collected, processed or used and so on. 3 3.What are the barriers for cyber insurance market? Per the report made by European Network and Information Security Agency in2012, the following issues have significant influence on incentives of insurers to design and provide cyber –insurance products, including uncertainty about the extent of risk and lack of robust actuarial data, uncertainty about what risk is being insured, fast-paced nature of the use of technology, little visibility on what constitutes effective measures, absence of insurer of last resort to re-insure catastrophic risks, and perception that existing insurance already covers cyber-risks 4. In Taiwan, insurance companies face the same issues as mentioned above when they tried to develop and promote the cyber-insurance products. However, what discourages the insurance and re-insurance companies from investing in the cyber-insurance market most is the lack of accurate information to figure out the costs associated with different information security risk and thus to price the cyber insurance contract precisely. Several cases involving personal data breach did happened after Taiwan’s PIPA became effective on Oct 1th 2012, but few verdicts have been made. It is not easy to master the direct costs or losses resulting from violation of PIPA, including penalties or fines from regulator,, compensation to the parties of the civil suit who claim their personal data were unlawfully collected, processed or used, litigation costs and so on. Otherwise, indirect costs or losses such as media costs, costs to regain reputation or trust of consumers, costs of deployment of proper technical measures to prevent the data breach from happening again etc. are difficult to calculate. Therefore, it is not easy to identify the costs of information security risk and thus to calculate the premium the insured has to pay precisely. The rapid development of technology also has a negative impact on the ability of the insurers to master the types of the information security risk which shall be insured and its costs. Accompanied with the convenience and efficiency of applying new technologies into the working environment, security issues arise, too. For example, the loss or theft of mobile or portable devices may result in data breaches. In 2012, an unencrypted laptop computer with personal information and other sensitive information of one of NASA's employees was stolen from his locked vehicle and this led to thousands of NASA's workers and contractors at risk. 5And, per the report made by a NASA inspector, similar data breaches had been resulted from the lost or theft of 48 NASA laptops and mobile computing devices between April 2009 and April 2011. 6 There is no singe formula which could guarantee 100% security, but some international organizations have promulgated best practices for information security management, such as ISO 2700x standards. 7In Taiwan, Bureau of Standards, Metrology and Inspection (BSMI) which belongs to the Ministry of Economic also consulted ISO standards and announced Chinese National Standards on information security. For example, BSMI consulted ISO 27001 “Information technology – Security techniques – Information security management systems – Requirements” and then promulgated CNS27001. Theoretically, if the company who tries to buy cyber insurance policy that covers data breaches and damages to customers' data privacy can show that it has adopted and do implement the suite of security management standards well, the premium could properly be reduced because such company shall face less security risk. 8 However, it is still not easy to price the cyber insurance contract rightly because of no enough data or evidence which could approve what constitutes effective information security measures as well as no impartial, controversial or standard formula to value intangible assets like personal or sensitive information. 9 Finally, the availability of re-insurance programs plays an important role in the cyber insurance market because insurers would appeal to such program as a strategy of risk management. The lack of solid and actual data as mentioned above would discourage re-insurers from providing insurance policies that covers the insured’s losses and liabilities. Therefore, insurers may not be keen to develop and offer cyber insurance products. 4.The USA experience on developing cyber insurance market 4.1Current market status Due to the increase of the number of data breaches, cyber attacks, and civil suits filed by those whose data were illegal disclosed to third parties, more and more enterprises recognize the importance of cyber and privacy risks and turning to cyber insurance to minimize the potential finical losses. 10 However, the increased government focus on cyber security also contributed to the rapidly growth of the cyber insurance market. 11 For example, US Department of Homeland Security has been aware of the benefits of the cyber insurance, including encouraging better information security management, reducing the finical losses that a company has to face due to the data breach and so on. 12 Compared to other lines of insurance, cyber insurance market is not mature yet and is small in USA. For example, the gross premiums for medical malpractice insurance are more than 10% of that for cyber insurance market. However, the cyber insurance market certainly appears to grow rapidly. Per the survey made by Corporate Board Member & FTI Consulting, 48% of corporate directors and 55% of general counsel take highly of the issue of data security. 13And, per the report made by Marsh, there are more and more companies buying cyber insurance to cover financial losses due to the data breach or cyber attack, and the number of Marsh’s US clients purchasing cyber insurance increased 33% in 2012 over 2011. 14 4.2What contributed to the growth of the cyber insurance market in USA? Some measurements taken by the government or regulatory intervention had impacts on the incentives of companies to carry cyber insurance. CF Disclosure Guidance published by U.S. Securities and Exchange Commission in Oct 2011 mentioned that except the operation and financial risks, public companies shall disclose the cyber security risks and cyber incidents for such risks and incidents may result in severe finical losses and thus have a board impact on their financial statements. 15 And, according to the guidance, appropriate disclosures may includes risk factors and this potential costs and consequences, cyber incidents experienced or expected and theirs costs and consequences, undetected risks related to cyber incidents, and the relevant insurance coverage. 16 Such disclosure requirements triggered the demands for the cyber insurance products because cyber insurance as an effective tool to transfer financial losses or damages could be an evidence that firms are managing cyber security risks well and properly. 17 The demand for cyber-insurance products may be created by government by means of requiring government contractors and subcontractors to purchase cyber insurance under Federal Acquisition Regulations (FAR) which mentions that contractors are required by law and FAR to provide insurance for certain types of perils 18. Also, in order to sustain the covered critical infrastructure (CCI) designation, the owner of such infrastructure may need to carry cyber insurance, too. 19 On the other hand, referring to Support Anti-Terrorism by Fostering Effective Technologies Act of 2002 which requires those who provides Federal and non-Federal Government customers with a qualified/certificated anti-terrorism technologies shall obtain liability insurance of such types but the amount of such insurance shall be reasonable and will not distort the sales price of such technologies 20, the federal government tried to draw and enact legislation that provides limitations on cyber security liability 21. If it works, this could raise the incentive of insurers because amounts of potential financial losses which may be transferred to insurers are predictable. Besides, referring to Terrorism Risk Insurance Act of 2002 which established the terrorism insurance program to provide compensations to insurers who suffered the insured losses due to terrorist attacks 22, the federal government may increase the supply of cyber insurance products by means of providing compensations to insurers who suffered the insured losses due to cyber security breach or cyber attacks. 23 Otherwise, some experts and stakeholders did suggest the federal government implement reinsurance programs to develop cyber insurance programs. 24 Finally, to solve the problem of information asymmetry, the government tried to develop the legislation that could build a mechanism for information-sharing among private entities. 25 Also, it was recommended that the federal government may consider to allow insurance firms to establish an information-sharing database together so that insurers could accordingly develop better models to figure out cyber risks and price the cyber insurance contract accurately. 26 5.Suggestions and conclusion Compared to USA where 30-40 insurers offer cyber-insurance products and thus suggested that a more mature market exists 27, the cyber insurance market in Taiwan is still at the first stage of the product life cycle. Few insurers have introduced their cyber-insurance products covering the issues related to the personal information breach. Per the experience how US government developed the cyber insurance market, the following suggestion are made for reference. First, the government may consider requiring his contractors and subcontractors to carry cyber insurances. This could stimulate the demand for cyber insurance products as well as make cyber insurance prevail among private sector as an effective risk management tool. Second, the government may consider establishing re-insurance program to offer compensation to those who suffer the insured’s large losses and damages or impose limitations of the amount insured by law. However, it is undeniable that providing re-insurance program is not feasible as the government’s budget is not abundance. Finally, an information-sharing mechanism, including information on cyber attacks an cyber risks, may be helpful to solve the problem of information asymmetry. 1.Insurance Act §1 (R.O.C, 2012). 2.European Network and Information Security Agency, Incentives and barriers of the cyber insurance market in Europe , June 2012, at 8, http://www.enisa.europa.eu/activities/Resilience-and-CIIP/national-cyber-security-strategies-ncsss/incentives-and-barriers-of-the-cyber-insurance-market-in-europe. 3.Ben Berkowitz, United States: insurance-cyber insurance, C.T.L.R. 2012, 18(7), N183. 4.Supra note2, at 19-25. 5.Mathew J. Schwartz, Stolen NASA laptop had unencrypted employee data , InformationWeek, November 15, 2012 11:17 AM, http://www.informationweek.com/security/attacks/stolen-nasa-laptop-had-unencrypted-emplo/240142160;Ben Weitzenkorn, Stolen NASA laptop prompts new security rules, TechNewsDaily , November 15 2012 11:35 AM, http://www.technewsdaily.com/15482-stolen-nasa-laptop.html. 6. Irene Klotz, Laptop with NASA workers' personal data is stolen, CAPE CANAVERAL, Nov 14, 2012 8:47pm, http://www.reuters.com/article/2012/11/15/us-space-nasa-security-idUSBRE8AE05F20121115. 7.The Government of the Hong Kong Special Administrative Region , An overview of information security standards, Feb 2008, at 2, http://www.infosec.gov.hk/english/technical/files/overview.pdf;Supra note2, at 21. 8.Supra note2, at 21-22. 9.Id. 10.Id. 11.Id. 12.U.S. Department of Homeland Security, Cyber security insurance workshop readout report, Nov 2012, at 1, http://www.dhs.gov/sites/default/files/publications/cybersecurity-insurance-read-out-report.pdf. 13.John E. Black Jr., Privacy liability and insurance developments in 2012, 16 No. 9 J. Internet L. 3, 12 (2013). 14.Marsh, Number of companies buying cyber insurance up by one-third in 2012, March 14, 2013, http://usa.marsh.com/NewsInsights/MarshPressReleases/ID/29878/Number-of-Companies-Buying-Cyber-Insurance-Up-by-One-Third-in-2012-Marsh.aspx. 15.U.S. Securities and Exchange Commission, CF Disclosure Guidance: Topic No. 2 Cybersecurity, October 13, 2011, http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm. 16.Id. 17.Supra note2, at 6.(last visited Dec. 31, 2012) 18.Federal Acquisition Regulations §28.301. 19.E. Paul Kanefsky, Insuring against cyber risks: congress and president Obama weigh in, March 2012, http://www.edwardswildman.com/newsstand/detail.aspx?news=2812. 20.Support Anti-Terrorism by Fostering Effective Technologies Act of 2002 §864. 21.Supra note19. 22.Terrorism Risk Insurance Act of 2002 §103. 23.Supra note19. 24.Id. 25.Id. 26.Id. 27.Supra note2.

Brief Introduction to “European Union’s Recommendations for QTSPs Based on Standards”

Brief Introduction to “European Union’s Recommendations for QTSPs Based on Standards” 2022/06/24 I. Introduction   The Electronic Identification and Trust Services Regulation (eIDAS)[1] of the European Union was passed in 2014 and came into effect in July 2016. The eIDAS consists of six chapters and its core elements are covered in two parts: Chapter 2 Electronic Identification and Chapter 3 Trust Services. Chapter 3 provides the legal framework for trust services (TS) in relation to electronic transactions and encompasses electronic signatures, electronic seals, electronic time stamps, electronic registered delivery services and website authentication. Each trust service can be provided by trust service providers (TSP) or qualified trust service providers (QTSP). Qualification from the supervisory authority of each member state is required to become a QTSP and provide qualified trust services (QTS).   In March 2021, the European Union Agency for Cybersecurity (ENISA) published “Recommendations For QTSPs Based On Standards[2]” for those interested in becoming QTSPs. II. Highlights   The eIDAS is technology neutral regarding trust service security requirements, without specifying any technology. In other words, TSP can achieve the level of security required by the eIDAS with different technologies. In fact, the European Union hopes to drive standardization with common grounds gradually formed with industry self-regulation in the legal framework and the trust framework under the eIDAS[3].   Since 2009, the European Union has been formulating the standardisation framework related to electronic signatures with the assistance from standardization bodies such as European Committee for Standardization (CEN) and European Telecommunications Standards Institute (ETSI). The vision is to establish a comprehensive standardization framework to resolve the problems of using electronic signatures across borders within the European Union. A series of standards on electronic signatures and relevant trust services have been put in place, to meet the international requirements and the eIDAS[4]. The ETSI/CEN standards of digital signatures related to QTSP are as follows[5]: 1. Provision of qualified certificates for electronic signatures (Article 28 of the eIDAS)   ETSI EN 319 411-2 (and in adherence to EN 319 401, EN 319 411-1, EN 319 412-2 and EN 319 412-5). 2. Provision of qualified certificates for electronic seals (Article 38 of the eIDAS)   ETSI EN 319 411-2 (and in adherence to EN 319 401, EN 319 411-1, EN 319 412-3 and EN 319 412-5). 3. Provision of qualified certificates for website authentication (Article 45 of the eIDAS)   ETSI EN 319 411-2 (and in adherence to EN 319 401, EN 319 411-1, EN 319 412-4 and EN 319 412-5). 4. Qualified electronic time stamping service (Article 42 of the eIDAS)   ETSI EN 319 421 (and in adherence to EN 319 401), EN 319 422. 5. Qualified validation service for qualified electronic signatures (Article 33 of the eIDAS)   ETSI TS 119 441 (and in adherence to EN 319 401), TS 119 442, EN 319 102-1, TS 119 102-2 and TS 119 172-4. 6. Qualified validation service for qualified electronic seals (Article 40 of the eIDAS)   ETSI TS 119 441 (and in adherence to EN 319 401), TS 119 442, EN 319 102-1, TS 119 102-2 and TS 119 172-4. 7. Qualified preservation service for qualified electronic signatures (Article 34 of the eIDAS)   ETSI EN 319 401, TS 119 511 and TS 119 512. 8. Qualified preservation service for qualified electronic seals; (Article 40 of the eIDAS)   ETSI EN 319 401, TS 119 511 and TS 119 512. 9. Qualified electronic registered delivery service (Article 44 of the eIDAS)   ETSI EN 319 401, EN 319 521, EN 319 522, EN 319 531 and EN 319 532. III. Comment and Analysis   The ENISA recommendations demonstrate the European Union’s intention to encourage ICT service providers to become QTSPs by introducing relevant standards in electronic signatures formulated by the European Union standardization bodies. The purpose is to provide companies and users in the European Union with more secure and trustworthy services in relation to electronic signatures. This enhances the confidence of users and promotes the vibrant development of electronic transactions throughout the European Union.   Over recent years, Taiwanese companies have been proactively involved in digital transformation. The process toward digitalization often requires assistance from external ICT service providers. However, the unfamiliarity in ICT makes it difficult for companies to judge the professional expertise of providers. Perhaps companies can refer to the introduction above to understand whether a provider meets the requirements of the European Union standards. This serves as a basis for the selection of ICT service providers to ensure a certain level of competences. This will be beneficial to the digital transformation and entrance in the European Union market for companies. [1] Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2014.257.01.0073.01.ENG (last visited Jun. 24, 2022). [2] European Union Agency for Cybersecurity [ENISA], Recommendations for Qualified Trust Service Providers based on Standards (2021), https://www.enisa.europa.eu/publications/reccomendations-for-qtsps-based-on-standards (last visited Jun. 24, 2022). [3] id. at 8 [4] id. at 8-9. [5] id. at 11-12

An Introduction to Taiwan’s Regulations Regarding the Security Maintenance and Administration of Personal Information Files in in Digital Economy Industries

An Introduction to Taiwan’s Regulations Regarding the Security Maintenance and Administration of Personal Information Files in in Digital Economy Industries 2023/11/29 I. Preface The Personal Data Protection Act (below, the “Act”), Article 27, paragraph 3 authorizes all central government authorities in charge of specific industries to formulate regulations regarding security standards and maintenance plans for their concerned industries. Beginning August 27, 2022, Taiwan transferred authority over information services, software publishers, businesses that do retail sales of goods purely via the Internet, third-party payment providers, and other businesses in digital economy industries from the Ministry of Economic Affairs to the newly-established Ministry of Digital Affairs (MODA). Businesses in the digital economy industries collect, process, and use large amounts of important personal data, and therefore bear a relatively heavy responsibility for maintaining the security of personal data. In light of this, and in accordance with the Act, Article 27, paragraph 3, the MODA therefore promulgated the Regulations Regarding the Security Maintenance and Administration of Personal Information Files in in Digital Economy Industries (below, the “Regulations”) on October 12, 2023. These Regulations specify the standards for digital economy industries’ personal data file security maintenance plans and rules governing the handling of personal data following a business termination (below, “security and maintenance plans”, or “SMPs”). These regulations apply to all businesses in the digital economy industries. In order to reinforce responsibility for personal data security maintenance in the digital economy industries, tiered management is applied to businesses at different scales. The key points of these Regulations are introduced below. II. Where the Regulations apply As stipulated in the Regulations, Article 2, the “digital economy industries” that these Regulations apply to refer to any natural person, private juridical person, or other group, that engages in any of the following business operations: 4871 Retail Sale via Internet (industries that engage in retail sales to others via the Internet, but not including television, radio, phone, or other electronic means, nor postal sales); 582 Software Publishing; 620 Computer Programming, Consultancy and Related Activities; 6312 Data Processing, Hosting and Related Activities (industries that engage in processing customers’ data, server & website hosting, and other related services, but not including online audio/video streaming services); 639 Other Information Service Activities; or 6699 Other Activities Auxiliary to Financial Service Activities Not Elsewhere Classified (third-party payment industries, but not including other fund management activities). For the specific industries covered, see Attachment 1 of the Regulations. III. Security maintenance and management measures The relevant measures are stipulated in Articles 3 to 17 of the Regulations. In consideration that the businesses so regulated may collect, process, or use large amounts of personal data as part of their business activities, they bear a larger responsibility for maintaining the security of personal data than does the average enterprise. In compliance with the Regulations, every such enterprise is required to formulate an SMP, the content of which shall comply with the specifications in Articles 5 to 17. This includes putting in place management personnel and relevant resources; defining and inventorying the scope of personal data; risk assessment; putting internal management procedures in place; and other such matters. These Regulations also adopt tiered management for businesses based on their capital levels, in order to reinforcement the frequency at which security maintenance measures are performed. The specific regulations for security maintenance measures are introduced below. 1. Formulating an SMP In accordance with the Regulations, Article 3, and in order to maintain the security of personal data, each enterprise shall, within three months of the date the Regulations take effect, plan and formulate their SMP. Every enterprise shall also cause all staff members to understand and fully implement the SMP. In order to monitor implementation, the MODA may require that each enterprise submit its implementation of SMP; the enterprise shall then submit their implementation status information in written form within the specified time limit. 2. Making the protection policy known internally In accordance with the Regulations, Article 4, and to make sure that everyone in the enterprise comprehends and implements personal data protection, each enterprise shall make its personal data protection policies known to all personnel within the enterprise. Matters that must be explained include Taiwan’s legal regulations and orders on personal data protection; how personal data may only be collected, processed, and used for specific purposes and in a reasonable, secure way; that protective technology must be at a level of security that could be reasonably expected; points of contact for rights relating to personal data; personal data contingency plans; and proper monitoring of outsourced service providers to whom personal data is outsourced. All of this must be done to make sure that every enterprise carries out their duty for comprehensive, continuous SMP implementation. 3. SMP content (1) Putting in place management personnel with relevant resources In accordance with the Regulations, Article 5; in accordance with both the Regulations as a whole and other laws and orders regarding the protection of personal data; and in order to implement personal data protection, each enterprise shall do the following things: Weigh the size and characteristics of their business to reasonably allocate operating resources; take responsibility for the personal data protection and management policy; and formulate, revise, and implement their SMP. Also, the enterprise’s representative or the representative’s authorized personnel shall carry out formulation and revision, in order to make sure that the SMP’s content is fully carried out. (2) Establishing the scope of personal data In accordance with the Regulations, Article 6, in order to define the scope of personal data to be included in the SMP, each enterprise shall periodically check the status of personal data that is collected, processed, or used. (3) Risk assessment and management mechanisms for personal data In accordance with the Regulations, Article 7, in a timely manner, and in accordance with their already-established personal data scopes and the processes in which their business involves the collection, processing, or use of personal data, each enterprise shall evaluate risks that may arise within their scope and processes. Based on the risk evaluation results, each enterprise shall then adopt appropriate security management and response measures. (4) Incident prevention, reporting, and response mechanisms In accordance with the Regulations, Article 8, and in order to reduce/control damages to data subjects resulting from personal data theft, tampering, damage, destruction, leakage, or other such security incidents, each enterprise shall formulate response, reporting, and prevention mechanisms: 1. Response mechanism: Methods to be followed after a security incident has occurred, to reduce/control damages to data subjects, and appropriate ways to notify data subjects after an incident investigation, as well as what such notifications shall contain. 2. Notification mechanism: Post-incident notifications to data subjects, in a form (such as email, text message, phone call, etc.) that makes it convenient for such subjects to learn what has occurred and what the incident handling status is; also, providing data subjects with a hotline or other way of seeking information later on. 3. Prevention mechanism: A post-incident mechanism for discussing and adjusting the prevention measures. Within 72 hours after an enterprise learns that a personal data security incident has occurred, the enterprise shall use Attachment 2, the Enterprise Personal Data Leak Reporting Form, to notify the MODA of matters such as: A description of what caused the incident; an incident summary; the damage status; possible results from the personal data leakage; proposed response measures; proposed method and time for notifying data subjects; etc. Alternately, the enterprise may notify the special municipality or county/city government to then notify the MODA. If the enterprise is unable to report the incident within the time limit or is unable to supply complete reporting information all at once, the enterprise shall attach explanation of the reasons for the delay, or provide the information in stages. After the MODA or the special municipality or county/city government receives a report, they may implement reasonable handling in accordance with Articles 22 to 25 of the Act. (5) Internal management procedures for personal data collection, processing, and usage In accordance with the Regulations, Article 9, in order to ensure that their collection, processing, and use of personal data complies with the laws and orders regarding the protection of personal data, each enterprise shall do the following: Formulate internal management procedures; assess whether the use, processing, or collection of special categories of personal data are involved; assess data subjects’ consent has been obtained; assess whether the legal circumstances create an exemption from the obligation to inform; etc. The internal management measures shall also include providing data subjects with information on their rights in accordance with the Act, Article 3; putting in place mechanisms for ensuring the accuracy of and inquiring regarding personal data; and periodically reviewing whether the specific purposes for collecting personal data still exist or have expired. (6) Limits, notifications, and monitoring for international transfers In accordance with Article 10 of the Regulations and Article 21 of the Act, when an enterprise’s transfer of personal data across a national border affects data subjects to the extent that there is a major national interests concern, the enterprise shall assess whether MODA restrictions apply to the transfer. The enterprise shall also notify the data subjects of the region(s) that the data is transferred to; perform appropriate monitoring of the data recipient; and provide the data subjects with information on their rights in accordance with the Act, Article 3. (7) Data, personnel, and equipment security management measures 1. Data security management measures: In accordance with the Regulations, Article 11, and when personal data is backup, kept confidential, or transferred by various means based on the risk assessment results, each enterprise shall put in place protective measures against abnormal access behaviors. When an enterprise provides information/communication technology services, the enterprise shall also put in place and regularly monitor intrusion countermeasures, abnormal access monitoring and contingencies, anti-malware mechanisms, account password verification, system testing, and other such data security management measures. 2. Personnel security management measures: In accordance with the Regulations, Article 12, each enterprise shall contractually specify the obligation to maintain confidentiality with all staff members; identify personnel who job duties involve collecting, processing, or using personal data; and periodically assess the appropriateness and necessity of personnel’s permissions to access personal data. 3. Equipment security management measures: In accordance with the Regulations, Article 14, and to prevent personal data being stolen, tampered with, damaged, destroyed, or leaked, each enterprise shall put in place appropriate media protection for personal data storage devices. The protection requirements include management measures such as technology, equipment and secured environments that meet a specific level of security. (8) Education and training In accordance with the Regulations, Article 13, each enterprise shall periodically use education and training to ensure that all staff members understand the following things: The laws and regulations pertaining to personal data protection; their personal duties and roles within their scopes of responsibility; and the requirements for all SMP management procedures, mechanisms, and measures. For any enterprise that engages in retail sales via the Internet, their SMP shall include user training and education regarding personal data protection and management; and the enterprise shall also formulate personal data protection rules for compliance. (9) Continuous audit, recording, and improvement mechanisms 1. Data security auditing mechanisms: In accordance with the Regulations, Article 15, each enterprise shall periodically do internal audits of personal data, then put the audit results into an evaluation report that reviews improvements to the enterprise’s protection policy, SMP, etc. If there are any deficiencies, the enterprise shall make corrections. 2. Use of records, tracking data, and retention of evidence: In accordance with the Regulations, Article 16, and as part of carrying out its SMP, each enterprise shall retain a minimum of five years of records on the collection, processing, and use of personal data; tracking data for automated machinery; and evidence of having implemented the SMP. After an enterprise’s operations cease, it shall retain records of the destruction, transfer, or other deletion of personal data for a minimum of five years. 3. Comprehensive, continuous improvement for personal data security maintenance: In accordance with the Regulations, Article 17, any time an enterprise’s SMP is not implemented, the enterprise shall adopt corrective and preventive measures. Also, based on the SMP’s implementation status, its handling methods/implementation status, developments in data technology, adjustments to the enterprise’s business, and changes in the law and regulations, each enterprise shall periodically review and amend its SMP. 4. Tiered management In accordance with the Regulations, Article 18, and to prevent relatively small businesses having to take on excessive personal data management costs, tiered management is applied. For an enterprise with a specific business scale (having capital of NT$10 million or more, or holding 5,000 or more personal data records), stronger security measure implementation is required, namely, the personal data security measures shall be implemented, reviewed, and improved at least once every twelve months. If an enterprise reaches NT$10 million or more in capital after the Regulations take effect, or if an enterprise’s number of personal data records held reaches 5,000 or more as a result of direct or indirect data collection, then within six months of meeting those conditions, the enterprise shall implement and review the improvement measures at least once every twelve months. 5. Outsourced personal data Commercial outsourcing in the digital economy comes in many forms. In light of this, and in order to make clear each enterprise’s security management obligations with regard to the collection, processing, and use of personal data, Article 19 of the Regulations clearly spells out what duties shall be carried out with regard to any outsourcing that touches on personal data. When an enterprise outsources the collection, processing, or use of personal data, it is considered equivalent to the enterprise’s own activity. Thus, the enterprise shall understand and follow the legal orders and regulations on personal data set by the central government authorities in charge of the outsourcing party’s industries. Any oversight responsibilities arising from outsourcing the collection, processing, or use of others’ personal data shall be clearly stipulated in the outsourcing contract or other such documents. IV. Conclusion The Regulations Regarding the Security Maintenance and Administration of Personal Information Files in in Digital Economy Industries are designed to balance development for Taiwan’s digital economy industries with comprehensive, continuous improvement of personal data security maintenance. In pursuit of those goals, the Regulations clarify what each enterprise must do: Plan, formulate, and carry out security maintenance plans for personal data that falls within the bounds of the enterprise’s business; ensure that all staff members receive training on personal data protection; provide personal data subjects with channels to file complaints and seek consultation on their rights; and inform the government authorities in charge of the digital economy about the enterprise’s SMP, including the status of any personal data security incidents. All this is done in hopes that the security measures will continuously improve the security of personal data in Taiwan’s digital economy industries.

TOP