Taiwan Planed Major Promoting Program for Biotechnology and Pharmaceutical Industry

Reviews on Taiwan Constitutional Court's Judgment no. 13 of 2022 2022/11/24 I.Introduction 　　In 2012, the Taiwan Human Rights Promotion Association and other civil groups believe that the National Health Insurance Administration released the national health insurance database and other health insurance data for scholars to do research without consent, which may be unconstitutional and petitioned for constitutional interpretation. 　　Taiwan Human Rights Promotion Association believes that the state collects, processes, and utilizes personal data on a large scale with the "Personal Data Protection Law", but does not set up another law of conduct to control the exercise of state power, which has violated the principle of legal retention; the data is provided to third-party academic research for use, and the parties involved later Excessive restrictions on the right to withdraw go against the principle of proportionality. 　　The claimant criticized that depriving citizens of their prior consent and post-control rights to medical data is like forcing all citizens to unconditionally contribute data for use outside the purpose before they can use health insurance. The personal data law was originally established to "avoid the infringement of personality rights and promote the rational use of data", but in the insufficient and outdated design of the regulations, it cannot protect the privacy of citizens' information from infringement, and it is easy to open the door to the use of data for other purposes. 　　In addition, even if the health insurance data is de-identified, it is still "individual data" that can distinguish individuals, not "overall data." Health insurance data can be connected with other data of the Ministry of Health and Welfare, such as: physical and mental disability files, sexual assault notification files, etc., and you can also apply for bringing in external data or connecting with other agency data. Although Taiwan prohibits the export of original data, the risk of re-identification may also increase as the number of sources and types of data concatenated increases, as well as unspecified research purposes. 　　The constitutional court of Taiwan has made its judgment on the constitutionality of the personal data usage of National Health Insurance research database. The judgment, released on August 12, 2022, states that Article 6 of Personal Data Protection Act(PDPA), which asks“data pertaining to a natural person's medical records, healthcare, genetics, sex life, physical examination and criminal records shall not be collected, processed or used unless where it is necessary for statistics gathering or academic research by a government agency or an academic institution for the purpose of healthcare, public health, or crime prevention, provided that such data, as processed by the data provider or as disclosed by the data collector, may not lead to the identification of a specific data subject”does not violate Intelligible principle and Principle of proportionality. Therefore, PDPA does not invade people’s right to privacy and remains constitutional. 　　However, the judgment finds the absence of independent supervisory authority responsible for ensuring Taiwan institutions and bodies comply with data protection law, can be unconstitutional, putting personal data protection system on the borderline to failure. Accordingly, laws and regulations must be amended to protect people’s information privacy guaranteed by Article 22 of Constitution of the Republic of China (Taiwan). 　　In addition, the judgment also states it is unconstitutional that Articles 79 and 80 of National Health Insurance Law and other relevant laws lack clear provisions in terms of store, process, external transmission of Personal health insurance data held by Central Health Insurance Administration of the Ministry of Health and Welfare. 　　Finally, the Central Health Insurance Administration of the Ministry of Health and Welfare provides public agencies or academic research institutions with personal health insurance data for use outside the original purpose of collection. According to the overall observation of the relevant regulations, there is no relevant provision that the parties can request to “opt-out”; within this scope, it violates the intention of Article 22 of the Constitution to protect people's right to information privacy. II.Independent supervisory authority 　　According to Article 3 of Central Regulations and Standards Act, government agencies can be divided into independent agencies that can independently exercise their powers and operate autonomously, and non- independent agencies that must obey orders from their superiors. In Taiwan, the so-called "dedicated agency"(專責機關) does not fall into any type of agency defined by the Central Regulations and Standards Act. Dedicated agency should be interpreted as an agency that is responsible for a specific business and here is no other agency to share the business. 　　The European Union requires member states to set up independent regulatory agencies (refer to Articles 51 and 52 of General Data Protection Regulation (GDPR)). In General Data Protection Regulation and the adequacy reference guidelines, the specific requirements for personal data supervisory agencies are as follows: the country concerned should have one or more independent supervisory agencies; they should perform their duties completely independently and cannot seek or accept instructions; the supervisory agencies should have necessary and practicable powers, including the power of investigation; it should be considered whether its staff and budget can effectively assist its implementation. Therefore, in order to pass the EU's adequacy certification and implement the protection of people's privacy and information autonomy, major countries have set up independent supervisory agencies for personal data protection based on the GDPR standards. 　　According to this research, most countries have 5 to 10 commissioners that independently exercise their powers to supervise data exchange and personal data protection. In order to implement the powers and avoid unnecessary conflicts of interests among personnel, most of the commissioners are full-time professionals. Article 3 of Basic Code Governing Central Administrative Agencies Organizations defines independent agency as "A commission-type collegial organization that exercises its powers and functions independently without the supervision of other agencies, and operates autonomously unless otherwise stipulated." It is similar to Japan, South Korea, and the United States. III.Right to Opt-out 　　The judgment pointed out that the parties still have the right to control afterwards the personal information that is allowed to be collected, processed and used without the consent of the parties or that meets certain requirements. Although Article 11 of PDPA provides for certain parties to exercise the right to control afterwards, it does not cover all situations in which personal data is used, such as: legally collecting, processing or using correct personal data, and its specific purpose has not disappeared, In the event that the time limit has not yet expired, so the information autonomy of the party cannot be fully protected, the subject, cause, procedure, effect, etc. of the request for suspension of use should be clearly stipulated in the revised law, and exceptions are not allowed. 　　The United Kingdom is of great reference. In 2017, after the British Information Commissioner's Office (ICO) determined that the data sharing agreement between Google's artificial intelligence DeepMind and the British National Health Service (NHS) violated the British data protection law, the British Department of Health and Social Care proposed National data opt-out Directive in May, 2018. British health and social care-related institutions may refer to the National Data Opt-out Operational Policy Guidance Document published by the National Health Service in October to plan the mechanism for exercising patient's opt-out right. The guidance document mainly explains the overall policy on the exercise of the right to opt-out, as well as the specific implementation of suggested practices, such as opt-out response measures, methods of exercising the opt-out right, etc. 　　National Data Opt-out Operational Policy Guidance Document also includes exceptions and restrictions on the right to opt-out. The Document stipulates that exceptions may limit the right to Opt-out, including: the sharing of patient data, if it is based on the consent of the parties (consent), the prevention and control of infectious diseases (communicable disease and risks to public health), major public interests (overriding) Public interest), statutory obligations, or cooperation with judicial investigations (information required by law or court order), health and social care-related institutions may exceptionally restrict the exercise of the patient's right to withdraw. 　　What needs to be distinguished from the situation in Taiwan is that when the UK first collected public information and entered it into the NHS database, there was already a law authorizing the NHS to search and use personal information of the public. The right to choose to enter or not for the first time; and after their personal data has entered the NHS database, the law gives the public the right to opt-out. Therefore, the UK has given the public two opportunities to choose through the enactment of special laws to protect public's right to information autonomy. 　　At present, the secondary use of data in the health insurance database does not have a complete legal basis in Taiwan. At the beginning, the data was automatically sent in without asking for everyone’s consent, and there was no way to withdraw when it was used for other purposes, therefore it was s unconstitutional. Hence, in addition to thinking about what kind of provisions to add to the PDPA as a condition for "exception and non-request for cessation of use", whether to formulate a special law on secondary use is also worthy of consideration by the Taiwan government. IV.De-identification 　　According to the relevant regulations of PDPA, there is no definition of "de-identification", resulting in a conceptual gap in the connotation. In other words, what angle or standard should be used to judge that the processed data has reached the point where it is impossible to identify a specific person. In judicial practice, it has been pointed out that for "data recipients", if the data has been de-identified, the data will no longer be regulated by PDPA due to the loss of personal attributes, and it is even further believed that de-identification is not necessary. 　　However, the Judgment No. 13 of Constitutional Court, pointed out that through de-identification measures, ordinary people cannot identify a specific party without using additional information, which can be regarded as personal data of de-identification data. Therefore, the judge did not give an objective standard for de-identification, but believed that the purpose of data utilization and the risk of re-identification should be measured on a case-by-case basis, and a strict review of the constitutional principle of proportionality should be carried out. So far, it should be considered that the interpretation of the de-identification standard has been roughly finalized. V.Conclusions 　　The judge first explained that if personal information is processed, the type and nature of the data can still be objectively restored to indirectly identify the parties, no matter how simple or difficult the restoration process is, if the data is restored in a specific way, the parties can still be identified. personal information. Therefore, the independent control rights of the parties to such data are still protected by Article 22 of the Constitution. 　　Conversely, when the processed data objectively has no possibility to restore the identification of individuals, it loses the essence of personal data, and the parties concerned are no longer protected by Article 22 of the Constitution. 　　Based on this, the judge declared that according to Article 6, Item 1, Proviso, Clause 4 of the PDPA, the health insurance database has been processed so that the specific party cannot be identified, and it is used by public agencies or academic research institutions for medical and health purposes. Doing necessary statistical or academic research complies with the principles of legal clarity and proportionality, and does not violate the Constitution. 　　However, the judge believes that the current personal data law or other relevant regulations still lack an independent supervision mechanism for personal data protection, and the protection of personal information privacy is insufficient. In addition, important matters such as personal health insurance data can be stored, processed, and transmitted externally by the National Health Insurance Administration in a database; the subject, purpose, requirements, scope, and method of providing external use; and organizational and procedural supervision and protection mechanisms, etc. Articles 79 and 80 of the Health Insurance Law and other relevant laws lack clear provisions, so they are determined to be unconstitutional. 　　In the end, the judge found that the relevant laws and regulations lacked the provisions that the parties can request to stop using the data, whether it is the right of the parties to request to stop, or the procedures to be followed to stop the use, there is no relevant clear text, obviously the protection of information privacy is insufficient. Therefore, regarding unconstitutional issues, the Constitutional Court ordered the relevant agencies to amend the Health Insurance Law and related laws within 3 years, or formulate specific laws.

After the European Union's Artificial Intelligence Law, the draft of AI Basic Law is announced in Taiwan. 2024/09/19 Countries around the world are currently seeking to establish AI governance principles. The U.S. currently has only AI executive orders and state bills, and the European Union (EU) first AI law came into effect in August 2024. Taiwan has announced a draft of AI Basic Law for public comments on July 15, 2024, which, if passed by the Legislative Yuan, will become the world's second special legislation on AI. Taiwan's Coming AI Basic Law - Legislative Development and Progress With the successful conclusion of the 2024 Paris Olympics, AI technology has demonstrated its potential on the global stage, bringing new experiences to the public in varied areas, such as sport competition analysis, athlete training, and referee assisting, and showing that AI has also crossed over into the sports industry, in addition to its known applications in areas such as healthcare, finance, transportation, arts and culture fields. As AI will be apply in various industries, it may also bring new risks or impacts to individuals or society. Countries are seeking to establish guidelines and principles for AI governance. The EU’s Artificial Intelligence Act, which was announced to take effect in August 2024. Even in the AI pioneer, the U.S., there are currently only U.S. President’s AI Executive Orders and bills introduced by Congress or state governments. When Taiwan President Lai announced the promotion of the Island of Artificial Intelligence, Taiwan also had a draft of the AI Basic Law announced for public comments by the National Science and Technology Council (NSTC) on July 15, 2024, proposing the principles of basic values for the development of AI in Taiwan. What is the Basic Law in Taiwan? There are 11 basic laws/acts in Taiwan, including the Fundamental Science and Technology Act, and the Ocean Basic Act, etc. A basic law/act is a legislative model of principle, progress, or guideline for a specific important matter. The AI Basic Law serves as a declaration of policy integration, reveals the government's goals and principles, and regulates the executive branch without directly regulating the people, or deriving the rights for substantive claims. Why Taiwan need a Basic Law on Artificial Intelligence? AI is evolving rapidly, and its applications are spreading to a wider range of areas. If all sectors and administrations have different values, there will be no way for a country to develop AI. NSTC has announced a total of 18 articles in the draft, in Article 3 first set out 7 common principles, such as human autonomy, from the AI research and development to the final market application must comply with the basic values; and in the following provisions of Article 4 to declare that the government's 4 major promotional focuses. The most important provision is found in Article 17, which requires that government ministries should review and adjust the functions, businesses and regulations under their scope in accordance with the Basic Law, so as to enable the executive branch to accelerate its response to the changes brought about by AI, and to share a common set of values: the promotion of innovation while taking human rights into consideration. 7 basic principles The draft AI Basic Law in the announcement contains the following 7 basic principles: 1. Sustainable development and well-being: Social equity and environmental sustainability should be taken into account. Appropriate education and training should be provided to minimize the possible digital gap, so that people can adapt to the changes brought about by AI. 2. Human autonomy: It shall support human autonomy, respect for fundamental human rights and cultural values such as the right to personal integrity, and allow for human oversight, thereby implementing a human-based approach that upholds the rule of law and democratic values. 3. Privacy Protection and Data Governance: The privacy of personal data should be properly protected to avoid the risk of data leakage, and the principle of data minimization should be adopted; at the same time, the opening and reuse of non-sensitive data should be promoted. 4. Security and safety: In the process of AI research and development and application, security measures should be established to prevent security threats and attacks and to ensure the robustness and safety of the system. 5. Transparency and explainability: The output of AI should be appropriately disclosed or labeled to facilitate the assessment of possible risks and the understanding of the impact on related rights and interests, thereby enhancing the trustworthiness of AI. 6. Fairness and non-discrimination: In the process of AI research and development and application, the risks of bias and discrimination in algorithms should be avoided as much as possible, and should not lead to discriminatory results for specific groups. 7. Accountability: Ensure the assumption of corresponding responsibilities, including internal governance responsibilities and external social responsibilities. 4 key areas of promotion 1. Innovative Collaboration and Talent Cultivation: Ensuring the resources and talent needed for AI. 2. Risk management and application responsibility: Risks must be identified and managed before AI systems can be safely applied. 3. Protection of rights and access to data: People's basic rights, such as privacy, cannot be compromised. 4. Regulatory Adaptation and Business Review: Policies and regulations must be agile to keep pace with AI development. The AI Basic Law is paving the way for Taiwan's future opportunities and challenges. AI development requires sufficient resources, data and a friendly environment; to ensure the safe application of AI, it is necessary to first identify and plan for different possible risks, and the draft AI Basic Law has initially drawn a blueprint for the above innovative development and safe application. In the future, various government ministries will need to work together to keep up with the wave of AI innovation in terms of business and legal regulations for multiple fields and industries. It is believed that Taiwan can leverage the advantages in the semiconductor industry and talent resources to gain a favorable global strategic position for the development of AI, as well as to help achieve the goal of "AI for good" to enhance the well-being of Taiwan people through a sound legal environment.

3.Commission of Technology and Innovation (CTI) 　　The CTI is also an institution dedicated to boosting innovation in Switzerland. Established in 1943, it was known as the Commission for the Promotion of Scientific Research[1]. It was initially established for the purpose of boosting economy and raising the employment rate, and renamed after 1996. The CTI and SNSF are two major entities dedicated to funding scientific research in Switzerland, and the difference between both resides in that the CTI is dedicated to funding R&D of the application technology and industrial technology helpful to Switzerland’s economic development. 　　Upon enforcement of the amended RIPA 2011, the CTI was officially independent from the Federal Office for Professional Education and Technology (OEPT) and became an independent entity entitled to making decisions and subordinated to the Federal Department of Economic Affairs (FDEA) directly[2]. The CTI is subject to the council system, consisting of 65 professional members delegated from industrial, academic and research sectors. The members assume the office as a part time job. CTI members are entitled to making decisions on funding, utilization of resources and granting of CTI Start-up Label independently[3]. 　　The CTI primarily carries out the mission including promotion of R&D of industrial technology, enhancement of the market-orientation innovation process and delivery of R&D energy into the market to boost industrial innovation. For innovation, the CTI's core mission is categorized into[4]: (1)Funding technology R&D activities with market potential 　　The CTI invests considerable funds and resources in boosting the R&D of application technology and industrial technology. The CTI R&D Project is intended to fund private enterprises (particularly small-sized and medium-sized enterprises) to engage in R&D of innovation technology or product. The enterprises may propose their innovative ideas freely, and the CTI will decide whether the funds should be granted after assessing whether the ideas are innovative and potentially marketable[5]. 　　CTI’s funding is conditioned on the industrial and academic cooperation. Therefore, the enterprises must work with at least one research institution (including a university, university of science and technology, or ETH) in the R&D. Considering that small-sized and medium-sized enterprises usually do not own enough working funds, technology and human resources to commercialize creative ideas, the CTI R&D Project is intended to resolve the problem about insufficient R&D energy and funds of small- and medium-sized enterprises by delivering the research institutions’ plentiful research energy and granting the private enterprises which work with research institutions (including university, university of science and technology, or ETH) the fund. Notably, CTI’s funding is applicable to R&D expenses only, e.g., research personnel’s salary and expenditure in equipment & materials, and allocated to the research institutions directly. Meanwhile, in order to enhance private enterprises' launch into R&D projects and make them liable for the R&D success or failure, CTI’s funding will be no more than 50% of the total R&D budget and, therefore, the enterprises are entitled to a high degree of control right in the process of R&D. 　　The industrial types which the CTI R&D Project may apply to are not limited. Any innovative ideas with commercial potential may be proposed. For the time being, the key areas funded by CTI include the life science, engineering science, Nano technology and enabling sciences, etc.[6] It intends to keep Switzerland in the lead in these areas. As of 2011, in order to mitigate the impact of drastic CHF revaluation to the industries, the CTI launched its new R&D project, the CTI Voucher[7]. Given this, the CTI is not only an entity dedicated to funding but also plays an intermediary role in the industrial and academic sectors. Enterprises may submit proposals before finding any academic research institution partner. Upon preliminary examination of the proposals, the CTI will introduce competent academic research institutions to work with the enterprises in R&D, subject to the enterprises' R&D needs. After the cooperative partner is confirmed, CTI will grant the fund amounting to no more than CHF3,500,000 per application[8], provided that the funding shall be no more than 50% of the R&D project expenditure. 　　The CTI R&D Project not only boosts innovation but also raises private enterprises’ willingness to participate in the academic and industrial cooperation, thereby narrowing the gap between the supply & demand of innovation R&D in the industrial and academic sectors. Notably, the Project has achieved remarkable effect in driving private enterprises’ investment in technology R&D. According to statistical data, in 2011, the CTI solicited additional investment of CHF1.3 from a private enterprise by investing each CHF1[9]. This is also one of the important reasons why the Swiss innovation system always acts vigorously. Table 1 　2005-2011 Passing rate of application for R&D funding Year 2011 2010 2009 2008 2007 2006 2005 Quantity of applications 590 780 637 444 493 407 522 Quantity of funded applications 293 343 319 250 277 227 251 Pass rate 56% 44% 50% 56% 56% 56% 48% Data source: Prepared by the Study (2)Guiding high-tech start-up 　　Switzerland has learnt that high-tech start-ups are critical to the creation of high-quality employment and boosting of economic growth, and start-ups were able to commercialize the R&D results. Therefore, as of 2001, Switzerland successively launched the CTI Entrepreneurship and CTI Startup to promote entrepreneurship and cultivate high-tech start-ups. 1.CTI Entrepreneurship 　　The CTI Entrepreneurship was primarily implemented by the Venture Lab founded by CTI investment. The Venture Lab launched a series of entrepreneurship promotion and training courses, covering day workshops, five-day entrepreneurship intensive courses, and entrepreneurship courses available in universities. Each training course was reviewed by experts, and the experts would provide positive advice to attendants about innovative ideas and business models. Data source: Venture Lab Site Fig. 3 　Venture Lab Startup Program 2.CTI Startup 　　The CTI is dedicated to driving the economy by virtue of innovation as its priority mission. In order to cultivate the domestic start-ups with high growth potential in Switzerland, the CTI Startup project was launched in 1996[10] in order to provide entrepreneurs with the relevant guidance services. The project selected young entrepreneurs who provided innovative ideas, and guided them in the process of business start to work their innovative ideas and incorporate competitive start-ups. 　　In order to enable the funding and resources to be utilized effectively, the CTI Startup project enrolled entrepreneurs under very strict procedure, which may be categorized into four stages[11]: Data source: CTI Startup Site Fig. 4 　Startup Plan Flow Chart 　　In the first stage, the CTI would preliminarily examine whether the applicant’s idea was innovative and whether it was technologically feasible, and help the applicant register with the CTI Startup project. Upon registration, a more concrete professional examination would be conducted at the second stage. The scope of examination included the technology, market, feasibility and management team’s competence. After that, at the stage of professional guidance, each team would be assigned a professional “entrepreneurship mentor”, who would help the team develop further and optimize the enterprise’s strategy, flow and business model in the process of business start, and provide guidance and advice on the concrete business issues encountered by the start-up. The stage of professional guidance was intended to guide start-ups to acquire the CTI Startup Label, as the CTI Startup Label was granted subject to very strict examination procedure. For example, in 2012, the CTI Startup project accepted 78 applications for entrepreneurship guidance, but finally the CTI Startup Label was granted to 27 applications only[12]. Since 1996, a total of 296 start-ups have acquired the CTI Startup Label, and more than 86% thereof are still operating now[13]. Apparently, the CTI Startup Label represents the certification for innovation and on-going development competence; therefore, it is more favored by investors at the stage of fund raising. Table 2 　Execution of start-up plans for the latest three years Quantity of application Quantity of accepted application Quantity of CTI Label granted 2012 177 78 27 2011 160 80 26 2010 141 61 24 Data source: CTI Annual Report, prepared by the Study 　　Meanwhile, the “CTI Invest” platform was established to help start-up raise funds at the very beginning to help commercialize R&D results and cross the valley in the process of R&D innovation. The platform is a private non-business-making organization, a high-tech start-up fund raising platform co-established by CTI and Swiss investors[14]. It is engaged in increasing exposure of the start-ups and contact with investors by organizing activities, in order to help the start-ups acquire investment funds. (3)Facilitating transfer of knowledge and technology between the academic sector and industrial sector 　　KTT Support (Knowledge & Technology Transfer (KTT Support) is identified as another policy instrument dedicated to boosting innovation by the CTI. It is intended to facilitate the exchange of knowledge and technology between academic research institutions and private enterprises, in order to transfer and expand the innovation energy. 　　As of 2013, the CTI has launched a brand new KTT Support project targeting at small-sized and medium-sized enterprises. The new KTT Support project consisted of three factors, including National Thematic Networks (NTNs), Innovation Mentors, and Physical and web-based platforms. Upon the CTI’s strict evaluation and consideration, a total of 8 cooperative innovation subjects were identified in 2012, namely, carbon fiber composite materials, design idea innovation, surface innovation, food study, Swiss biotechnology, wood innovation, photonics and logistics network, etc.[15] One NTN would be established per subject. The CTI would fund these NTNs to support the establishment of liaison channels and cooperative relations between academic research institutions and industries and provide small- and medium-sized enterprises in Switzerland with more rapid and easy channel to access technologies to promote the exchange of knowledge and technology between both parties. Innovation Mentors were professionals retained by the CTI, primarily responsible for evaluating the small-sized and medium-sized enterprises’ need and chance for innovation R&D and helping the enterprises solicit competent academic research partners to engage in the transfer of technology. The third factor of KTT Support, Physical and web-based platforms, is intended to help academic research institutions and private enterprises establish physical liaison channels through organization of activities and installation of network communication platforms, to enable the information about knowledge and technology transfer to be more transparent and communicable widely. 　　In conclusion, the CTI has been dedicated to enhancing the link between scientific research and the industries and urging the industrial sector to involve and boost the R&D projects with market potential. The CTI’s business lines are all equipped with corresponding policy instruments to achieve the industrial-academic cooperation target and mitigate the gap between the industry and academic sectors in the innovation chain. The various CTI policy instruments may be applied in the following manner as identified in the following figure. Data source: CTI Annual Report 2011 Fig. 5 　Application of CTI Policy Instrument to Innovation Chain III. Swiss Technology R&D Budget Management and Allocation 　　The Swiss Federal Government has invested considerable expenditures in technology R&D. According to statistic data provided by Swiss Federal Statistical Office (FSO) and OECD, the Swiss research expenditures accounted for 2.37% of the Federal Government’s total expenditures, following the U.S.A. and South Korea (see Fig. 6). Meanwhile, the research expenditures of the Swiss Government grew from CHF2.777 billion in 2000 to CHF4.639 billion in 2010, an average yearly growth rate of 5.9% (see Fig. 7). It is clear that Switzerland highly values its technology R&D. Data source: FSO and OECD Fig. 6 Percentage of Research Expenditures in Various Country Governments’ Total Expenditures (2008) Data source: FSO and OECD Fig. 7 　Swiss Government Research Expenditures 2000-2010 1.Management of Swiss Technology R&D Budget 　　Swiss research expenditures are primarily allocated to the education, R&D and innovation areas, and play an important role in the Swiss innovation system. Therefore, a large part of the Swiss research expenditures are allocated to institutions of higher education, including ETH, universities, and UASs. The Swiss research expenditures are utilized by three hierarchies[16] (see Fig. 8): Government R&D funding agencies: The Swiss research budget is primarily executed by three agencies, including SERI, Federal Department of Economic Affairs, Education and Research, and Swiss Agency for Development and Cooperation (SDC). Intermediary R&D funding agencies: Including SNSC and CTI. Funding of R&D performing institutions: Including private enterprises, institutions of higher education and private non-profit-making business, et al. 　　Therefore, the Swiss Government research expenditures may be utilized by the Federal Government directly, or assigned to intermediary agencies, which will allocate the same to the R&D performing institutions. SERI will allocate the research expenditures to institutions of higher education and also hand a lot of the expenditures over to SNSF for consolidated funding to the basic science of R&D. Data source: FSO Fig. 8 　Swiss Research Fund Utilization Mechanism ~to be continued~ [1] ORGANIZATION FOR ECONNOMIC CO-OPERATION AND DEVELOPMENT [OECD], OECD Reviews of Innovation Policy: Switzerland 27 (2006). [2] As of January 1, 2013, the Federal Ministry of Economic Affairs was reorganized, and renamed into Federal Department of Economic Affairs, Education and Research (EAER). [3] The Commission for Technology and Innovation CTI, THE COMMISSION FOR TECHOLOGY AND INNOVATION CTI, http://www.kti.admin.ch/org/00079/index.html?lang=en (last visited Jun. 3, 2013). [4] Id. [5] CTI INVEST, Swiss Venture Guide 2012 (2012), at 44, http://www.cti-invest.ch/getattachment/7f901c03-0fe6-43b5-be47-6d05b6b84133/Full-Version.aspx (last visited Jun. 4, 2013). [6] CTI, CTI Activity Report 2012 14 (2013), available at http://www.kti.admin.ch/dokumentation/00077/index.html?lang=en&download=NHzLpZeg7t,lnp6I0NTU042l2Z6ln1ad1IZn4Z2qZpnO2Yuq2Z6gpJCDen16fmym162epYbg2c_JjKbNoKSn6A-- (last visited Jun. 3, 2013). [7] CTI Voucher, THE COMMISSION FOR TECHOLOGY AND INNOVATION CTI, http://www.kti.admin.ch/projektfoerderung/00025/00135/index.html?lang=en (last visited Jun. 3, 2013). [8] Id. [9] CTI, CTI Activity Report 2011 20 (2012), available at http://www.kti.admin.ch/dokumentation/00077/index.html?lang=en&download=NHzLpZeg7t,lnp6I0NTU042l2Z6ln1ad1IZn4Z2qZpnO2Yuq2Z6gpJCDeYR,gWym162epYbg2c_JjKbNoKSn6A--(last visited Jun. 3, 2013). [10] CTI Start-up Brings Science to Market, THE COMMISSION FOR TECHOLOGY AND INNOVATION CTI, http://www.ctistartup.ch/en/about/cti-start-/cti-start-up/ (last visited Jun. 5, 2013). [11] Id. [12] Supra note 8, at 45. [13] Id. [14] CTI Invest, http://www.cti-invest.ch/About/CTI-Invest.aspx (last visited Jun. 5, 2013). [15] KTT Support, CTI, http://www.kti.admin.ch/netzwerke/index.html?lang=en (last visited Jun.5, 2013). [16] Swiss Federal Statistics Office (SFO), Public Funding of Research in Switzerland 2000–2010 (2012), available at http://www.bfs.admin.ch/bfs/portal/en/index/themen/04/22/publ.Document.163273.pdf (last visited Jun. 20, 2013).

Post Brexit – An Update on the United Kingdom Privacy Regime 2021/9/10 　　After lengthy talks, on 31 January 2020, the United Kingdom (‘UK’) finally exited the European Union (‘EU’). Then, the UK shifted into a transition period. The UK government was bombarded with questions from all stakeholders. In particular, the data and privacy industry yelled out the loudest – what am I going to do with data flowing from the EU to the UK? Privacy professionals queried – would the UK have a new privacy regime that significantly departs from the General Data Protection Regulation (‘GDPR’)? Eventually, the UK made a compromise with all stakeholders – the British, the Europeans and the rest of the world – by bridging its privacy laws with the GDPR. On 28 June 2021, the UK obtained an adequacy decision from the EU.[1] This was widely anticipated but also widely known to be delayed, as it was heavily impacted by the aftermaths of the invalidation of the US- EU Privacy Shield.[2] 　　While the rest of the world seems to silently observe the transition undertaken by the UK, post-Brexit changes to the UK’s privacy regime is not only a domestic or regional matter, it is an international matter. Global supply chains and cross border data flows will be affected, shuffling the global economy into a new order. Therefore, it is crucial as citizens of a digital economy to unpack and understand the current UK privacy regime. This paper intends to give the reader a brief introduction to the current privacy regime of the UK. The author proposes to set out the structure of the UK privacy legislation, and to discuss important privacy topics. This paper only focuses on the general processing regime, which is the regime that is most relevant to general stakeholders. UK Privacy Legislation 　　There are two main privacy legislation in the UK – the Data Protection Act 2018 (‘DPA’) and the United Kingdom General Data Protection Act (‘UK GDPR’). These two acts must be read together in order to form a coherent understanding of the current UK privacy regime. 　　The UK GDPR is the creature of Brexit. The UK government wanted a smooth transition out of the EU and acknowledged that they needed to preserve the GDPR in their domestic privacy regime to an extent that would allow them to secure an adequacy decision. The UK government also wanted to create less impact on private companies. Thus, the UK GDPR was born. Largely it aligns closely with the GDPR, supplemented by the DPA. ICO 　　The Information Commissioner’s Office (‘ICO’) is the independent authority supervising the compliance of privacy laws in the UK. Prior to Brexit, the ICO was the UK’s supervisory authority under the GDPR. A unique feature of the ICO’s powers and functions is that it adopts a notice system. The ICO has power to issue four types of notices: information notices, assessment notices, enforcement notices and penalty notices.[3] The information notice requires controllers or processors to provide information. The ICO must issue an assessment notice before conducting data protection audits. Enforcement is only exercisable by giving an enforcement notice. Administrative fines are only exercisable by giving a penalty notice. Territorial Application 　　Section 207(1A) of the DPA states that the DPA applies to any controller or processor established in the UK, regardless where the processing of personal data takes place. Like the GDPR, the DPA and the UK GDPR have an extraterritorial reach to overseas controllers or processors. The DPA and the UK GDPR apply to overseas controllers or processors who process personal data relating to data subjects in the UK, and the processing activities are related to the offering of goods or services, or the monitoring of data subjects’ behavior.[4] Transfers of Personal Data to Third Countries 　　On 28 June 2021, the UK received an adequacy decision from the EU.[5] This means that until 27 June 2025, data can continue to flow freely between the UK and the European Economic Area (‘EEA’). 　　As for transferring personal data to third countries other than the EU, the UK has similar laws to the GDPR. Both the DPA and the UK GDPR restrict controllers or processors from transferring personal data to third countries. A transfer of personal data to a third country is permitted if it is based on adequacy regulations.[6] An EU adequacy decision is known as ‘adequacy regulations’ under the UK regime. 　　If there is no adequacy regulations, then a transfer of personal data to a third country will only be permitted if it is covered by appropriate safeguards, including standard data protection clauses, binding corporate rules, codes of conduct, and certifications.[7] The ICO intends to publish UK standard data protection clauses in 2021.[8] In the meantime, the EU has published a new set of standard data protection clauses (‘SCCs’).[9] However, it must be noted that the EU SCCs are not accepted to be valid in the UK, and may only be used for reference purposes. It is also worth noting that the UK has approved three certification schemes to assist organizations in demonstrating compliance to data protection laws.[10] Lawful Bases for Processing 　　Basically, the lawful bases for processing in the UK regime are the same as the GDPR. Six lawful bases are set out in article 6 of the UK GDPR. To process personal data, at least one of the following lawful bases must be satisfied:[11] The data subject has given consent to the processing; The processing is necessary for the performance of a contract; The processing is necessary for compliance with a legal obligation; The processing is necessary to protect vital interests of an individual – that is, protecting an individual’s life; The processing is necessary for the performance of a public task; The processing is necessary for the purpose of legitimate interests, unless other interests or fundamental rights and freedoms override those legitimate interests. Rights & Exemptions 　　The UK privacy regime, like the GDPR, gives data subjects certain rights. Most of the rights granted under the UK privacy regime is akin to the GDPR and can be found under the UK GDPR. Individual rights under the UK privacy regime is closely linked with its exemptions, this may be said to be a unique feature of the UK privacy regime which sets it apart from the GDPR. Under the DPA and the UK GDPR, there are certain exemptions, meaning organizations are exempted from certain obligations, most of them are associated with individual rights. For example, if data is processed for scientific or historical research purposes, or statistical purposes, organizations are exempted from provisions on the right of access, the right to rectification, the right to restrict processing and the right to object in certain circumstances.[12] Penalties 　　The penalty for infringement of the UK GDPR is the amount specified in article 83 of the UK GDPR.[13] If an amount is not specified, the penalty is the standard maximum amount.[14] The standard maximum amount, at the time of writing, is £8,700,000 (around 10 million Euros) or 2% of the undertaking’s total annual worldwide turnover in the preceding financial year.[15] In any other case, the standard maximum amount is £8,700,000 (around 10 million Euros).[16] Conclusion 　　The UK privacy regime closely aligns with the GDPR. However it would be too simple of a statement to say that the UK privacy regime is almost identical to the GDPR. The ICO’s unique enforcement powers exercised through a notice system is a distinct feature of the UK privacy regime. Recent legal trends show that the UK while trying to preserve its ties with the EU is gradually developing an independent privacy persona. The best example is that in regards to transfers to third countries, the UK has developed its first certification scheme and is attempting to develop its own standard data protection clauses. The UK’s transition out of the EU has certainly been interesting; however, the UK’s transformation from the EU is certainly awaited with awe. [1] Commission Implementing Decision of 28.6.2021, pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom, C(2021) 4800 final,https://ec.europa.eu/info/sites/default/files/decision_on_the_adequate_protection_of_personal_data_by_the_united_kingdom_-_general_data_protection_regulation_en.pdf.. [2] Judgment of 16 July 2020, Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems, C-311/18, EU:C:2020:559, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62018CJ0311. [3] Data Protection Act 2018, §115. [4] Data Protection Act 2018, §207(1A); REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 3. [5] supra note 1. [6] Data Protection Act 2018, §17A-18; REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 44-50. [7] Data Protection Act 2018, §17A-18; REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 46-47. [8]International transfers after the UK exit from the EU Implementation Period, ICO, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers-after-uk-exit/ (last visited Sep. 10, 2021). [9] Standard contractual clauses for international transfers, European Commission, https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en (last visited Sep. 10, 2021). [10] ICO, New certification schemes will “raise the bar” of data protection in children’s privacy, age assurance and asset disposal, ICO, Aug. 19, 2021, https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2021/08/ico-approves-the-first-uk-gdpr-certification-scheme-criteria/ (last visited Sep. 10, 2021). [11] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 6(1)-(2); Lawful basis for processing, ICO, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/ (last visited Sep. 10, 2021). [12] Data Protection Act 2018, sch 2, part 6, para 27. [13] id. at §157. [14] id. [15] id. [16] id.