Impact of Government Organizational Reform to Research Legal System and Response Thereto (2) – Observation of the Swiss Research Innovation System

The Institutionalization of the Taiwan Personal Data Protection Committee - Triumph of Digital Constitutionalism: A Legal Positivism Analysis 2023/07/13 The Legislative Yuan recently passed an amendment to the Taiwan Personal Data Protection Act, which resulted in the institutionalization of the Taiwan Personal Data Protection Commission (hereunder the “PDPC”)[1]. This article aims to analyze the significance of this institutionalization from three different perspectives: legal positivism, digital constitutionalism, and Millian liberalism. By examining these frameworks, we can better understand the constitutional essence of sovereignty, the power dynamics among individuals, businesses, and governments, and the paradox of freedom that the PDPC addresses through governance and trust. I.Three Layers of Significance 1.Legal Positivism The institutionalization of the PDPC fully demonstrates the constitutional essence of sovereignty in the hands of citizens. Legal positivism emphasizes the importance of recognizing and obeying (the sovereign, of which it is obeyed by all but does not itself obey to anyone else, as Austin claims) laws that are enacted by legitimate authorities[2]. In this context, the institutionalization of the PDPC signifies the recognition of citizens' rights to control their personal data and the acknowledgment of the sovereign in protecting their privacy. It underscores the idea that the power to govern personal data rests with the individuals themselves, reinforcing the principles of legal positivism regarding sovereign Moreover, legal positivism recognizes the authority of the state in creating and enforcing laws. The institutionalization of the PDPC as a specialized commission with the power to regulate and enforce personal data protection laws represents the state's recognition of the need to address the challenges posed by the digital age. By investing the PDPC with the authority to oversee the proper handling and use of personal data, the state acknowledges its responsibility to protect the rights and interests of its citizens. 2.Digital Constitutionalism The institutionalization of the PDPC also rebalances the power structure among individuals, businesses, and governments in the digital realm[3]. Digital constitutionalism refers to the principles and norms that govern the relationship between individuals and the digital sphere, ensuring the protection of rights and liberties[4]. With the rise of technology and the increasing collection and use of personal data, individuals often find themselves at a disadvantage compared to powerful entities such as corporations and governments[5]. However, the PDPC acts as a regulatory body that safeguards individuals' interests, rectifying the power imbalances and promoting digital constitutionalism. By establishing clear rules and regulations regarding the collection, use, and transfer of personal data, the PDPC may set a framework that ensures the protection of individuals' privacy and data rights. It may enforce accountability among businesses and governments, holding them responsible for their data practices and creating a level playing field where individuals have a say in how their personal data is handled. 3.Millian Liberalism The need for the institutionalization of the PDPC embodies the paradox of freedom, as raised in John Stuart Mill’s “On Liberty”[6], where Mill recognizes that absolute freedom can lead to the infringement of others' rights and well-being. In this context, the institutionalization of the PDPC acknowledges the necessity of governance to mitigate the risks associated with personal data protection. In the digital age, the vast amount of personal data collected and processed by various entities raises concerns about privacy, security, and potential misuse. The institutionalization of the PDPC represents a commitment to address these concerns through responsible governance. By setting up rules, regulations, and enforcement mechanisms, the PDPC ensures that individuals' freedoms are preserved without compromising the rights and privacy of others. It strikes a delicate balance between individual autonomy and the broader social interest, shedding light on the paradox of freedom. II.Legal Positivism: Function and Authority of the PDPC 1.John Austin's Concept of Legal Positivism: Sovereignty, Punishment, Order To understand the function and authority of the PDPC, we turn to John Austin's concept of legal positivism. Austin posited that laws are commands issued by a sovereign authority and backed by sanctions[7]. Sovereignty entails the power to make and enforce laws within a given jurisdiction. In the case of the PDPC, its institutionalization by the Legislative Yuan reflects the recognition of its authority to create and enforce regulations concerning personal data protection. The PDPC, as an independent and specialized committee, possesses the necessary jurisdiction and competence to ensure compliance with the law, administer punishments for violations, and maintain order in the realm of personal data protection. 2.Dire Need for the Institutionalization of the PDPC There has been a dire need for the establishment of the PDPC following the Constitutional Court's decision in August 2022, holding that the government needed to establish a specific agency in charge of personal data-related issues[8]. This need reflects John Austin's concept of legal positivism, as it highlights the demand for a legitimate and authoritative body to regulate and oversee personal data protection. The PDPC's institutionalization serves as a response to the growing concerns surrounding data privacy, security breaches, and the increasing reliance on digital platforms. It signifies the de facto recognition of the need for a dedicated institution to safeguard the individual’s personal data rights, reinforcing the principles of legal positivism. Furthermore, the institutionalization of the PDPC demonstrates the responsiveness of the legislative branch to the evolving challenges posed by the digital age. The amendment to the Taiwan Personal Data Protection Act and the subsequent institutionalization of the PDPC are the outcomes of a democratic process, reflecting the will of the people and their desire for enhanced data protection measures. It signifies a commitment to uphold the rule of law and ensure the protection of citizens' rights in the face of emerging technologies and their impact on privacy. 3.Authority to Define Cross-Border Transfer of Personal Data Upon the establishment of the PDPC, it's authority to define what constitutes a cross-border transfer of personal data under Article 21 of the Personal Data Protection Act will then align with John Austin's theory on order. According to Austin, laws bring about order by regulating behavior and ensuring predictability in society. By granting the PDPC the power to determine cross-border data transfers, the legal framework brings clarity and consistency to the process. This promotes order by establishing clear guidelines and standards, reducing uncertainty, and enhancing the protection of personal data in the context of international data transfers. The PDPC's authority in this regard reflects the recognition of the need to regulate and monitor the cross-border transfer of personal data to protect individuals' privacy and prevent unauthorized use or abuse of their information. It ensures that the transfer of personal data across borders adheres to legal and ethical standards, contributing to the institutionalization of a comprehensive framework for cross-border data transfer. III.Conclusion In conclusion, the institutionalization of the Taiwan Personal Data Protection Committee represents the convergence of legal positivism, digital constitutionalism, and Millian liberalism. It signifies the recognition of citizens' sovereignty over their personal data, rebalances power dynamics in the digital realm, and addresses the paradox of freedom through responsible governance. By analyzing the PDPC's function and authority in the context of legal positivism, we understand its role as a regulatory body to maintain order and uphold the principles of legal positivism. The institutionalization of the PDPC serves as a milestone in Taiwan's commitment to protect individuals' personal data and safeguard the digital rights. In essence, the institutionalization of the Taiwan Personal Data Protection Committee represents a triumph of digital constitutionalism, where individuals' rights and interests are safeguarded, and power imbalances are rectified. It also embodies the recognition of the paradox of freedom and the need for responsible governance in the digital age in Taiwan. [1] Lin Ching-yin & Evelyn Yang, Bill to establish data protection agency clears legislative floor, CNA English News, FOCUS TAIWAN, May 16, 2023, https://focustaiwan.tw/society/202305160014 (last visited, July 13, 2023). [2] Legal positivism, Stanford Encyclopedia of Philosophy, https://plato.stanford.edu/entries/legal-positivism/?utm_source=fbia (last visited July 13, 2023). [3] Edoardo Celeste, Digital constitutionalism: how fundamental rights are turning digital, (2023): 13-36, https://doras.dcu.ie/28151/1/2023_Celeste_DIGITAL%20CONSTITUTIONALISM_%20HOW%20FUNDAMENTAL%20RIGHTS%20ARE%20TURNING%20DIGITAL.pdf (last visited July 3, 2023). [4] GIOVANNI DE GREGORIO, DIGITAL CONSTITUTIONALISM IN EUROPE: REFRAMING RIGHTS AND POWERS IN THE ALGORITHMIC SOCIETY 218 (2022). [5] Celeste Edoardo, Digital constitutionalism: how fundamental rights are turning digital (2023), https://doras.dcu.ie/28151/1/2023_Celeste_DIGITAL%20CONSTITUTIONALISM_%20HOW%20FUNDAMENTAL%20RIGHTS%20ARE%20TURNING%20DIGITAL.pdf (last visited July 13, 2023). [6]JOHN STUART MILL,On Liberty (1859), https://openlibrary-repo.ecampusontario.ca/jspui/bitstream/123456789/1310/1/On-Liberty-1645644599.pdf (last visited July 13, 2023). [7] Legal positivism, Stanford Encyclopedia of Philosophy, https://plato.stanford.edu/entries/legal-positivism/?utm_source=fbia (last visited July 13, 2023). [8] Lin Ching-yin & Evelyn Yang, Bill to establish data protection agency clears legislative floor, CNA English News, FOCUS TAIWAN, May 16, 2023, https://focustaiwan.tw/society/202305160014 (last visited, July 13, 2023).

Draft of AI Product and System Evaluation Guidelines Released by the Administration for Digital Industries to Enhance AI Governance 2024/08/15 I. AI Taiwan Action Plan 2.0 In 2018, the Executive Yuan launched the “AI Taiwan Action Plan” to ensure that the country keeps pace with AI developments. This strategic initiative focuses on attracting top talent, advancing research and development, and integrating AI into critical sectors such as smart manufacturing and healthcare. The action plan has sparked growing discussion on AI regulation. Through these efforts, Taiwan aims to position itself as a frontrunner in the global smart technology landscape. Later in 2023, the Executive Yuan updated the action plan, releasing “AI Taiwan Action Plan 2.0” to further strengthen AI development. “AI Taiwan Action Plan 2.0” outlines five main pillars: 1. Talent Development: Enhancing the quality and quantity of AI expertise, while improving public AI literacy through targeted education and training initiatives. 2. Technological and Industrial Advancement: Focusing on critical AI technologies and applications to foster industrial growth; and creating the Trustworthy AI Dialogue Engine (TAIDE) that communicates in Traditional Chinese. 3. Enhancing work environments: Establishing robust AI governance infrastructure to facilitate industry and governmental regulation, and to foster compliance with international standards. 4. International Collaboration: Expanding Taiwan's role in international AI forums, such as the Global Partnership on AI, to collaborate on developing trustworthy AI practices. 5. Societal and Humanitarian Engagement: Utilizing AI to tackle pressing societal challenges such as labor shortages, an aging population, and environmental sustainability. II. AI Product and System Evaluation Guidelines: A Risk-based Approach to AI Governance To support infrastructure, in March 2024, the Administration for Digital Industries issued the draft AI Product and System Evaluation Guidelines. The Guidelines are intended to serve as a reference for industry when developing and using AI products and systems, thus laying a crucial foundation for advancing AI-related policies in Taiwan. The Guidelines outline several potential risks associated with AI: 1. Third-Party Software and Hardware: While third-party software, hardware, and datasets can accelerate development, they may also introduce risks into AI products and systems. Therefore, effective risk management policies are crucial. 2. System Transparency: The lack of transparency in AI products and systems makes risk assessment relatively challenging. Inadequate transparency in AI models and datasets also pose risks for development and deployment. 3. Differences in Risk Perception: Developers of AI products and systems may overlook risks specific to different application scenarios. Moreover, risks may gradually emerge as the product or system is used and trained over time. 4. Application Domain Risks: Variations between testing results and actual operational performance can lead to differing risk assessments for evaluated products and systems. 5. Deviation from Human Behavioral Norms: If AI products and systems behave unexpectedly compared to human operations, this can indicate a drift in the product, system, or model, thereby introducing risks. The Guidelines also specify that businesses have to categorize risks when developing or using AI products and systems, and manage them in accordance with these classifications. In alignment with the EU AI Act, risks are classified into four levels: unacceptable, high, limited, and minimal. 1. Unacceptable Risk: If AI systems used by public or private entities provide social scoring of individuals, this could lead to discriminatory outcomes and the exclusion of certain groups. Furthermore, if AI systems are employed to manipulate the cognitive behavior of individuals or vulnerable populations, causing physical or psychological harm, such systems are deemed unacceptable and prohibited. 2. High risk: AI systems are classified as high-risk in several situations. These include applications used in critical infrastructure, such as transportation, where there is potential risk to citizens' safety and health. These situations also encompass AI systems involved in educational or vocational training (such as exam scoring), which can determine access to education or professional paths. AI used as safety-critical product components, such as robot-assisted surgery, also falls into this category. In the employment sector, AI systems used for managing recruitment processes, including CV-sorting software, are considered high-risk. Essential private and public services, such as credit scoring systems that impact loan eligibility, also fall under high-risk. AI used in law enforcement in ways that it may affect fundamental rights, such as evaluating the reliability of evidence, is also included. AI systems involved in migration, asylum, and border control, such as automated visa application examinations, are categorized as high-risk. Finally, AI solutions used in the administration of justice and democratic processes, such as court ruling searches, are also classified as high-risk. If an AI system is classified as high risk, it must be evaluated across ten criteria—Safety, Explainability, Resilience, Fairness, Accuracy, Transparency, Accountability, Reliability, Privacy, and Security—to ensure the AI system’s quality. 3. Limited risk: When an AI product or system is classified as having limited risk, it is up to the enterprise to determine whether an evaluation is required. The Guidelines also introduce specific transparency obligations to ensure that humans are informed when necessary, thus fostering trust. For instance, when using AI systems such as chatbots or systems for generating deepfake content, humans must be made aware that they are interacting with a machine so they can take an informed decision to continue or step back. 4. Minimal or no risk: The Guidelines allow the free use of minimal-risk AI. This includes applications such as AI-enabled video games and spam filters. Ⅲ. Conclusion The AI Product and System Evaluation Guidelines represent a significant step forward in establishing a robust, risk-based framework for AI governance in Taiwan. By aligning with international standards like the EU AI Act, these Guidelines ensure that AI products and systems are rigorously assessed and categorized into four distinct risk levels: unacceptable, high, limited, and minimal. This structured approach allows businesses to manage AI-related risks more effectively, ensuring that systems are safe, transparent, and accountable. The emphasis on evaluating AI systems across ten critical criteria—including safety, explainability, and fairness—reflects a comprehensive strategy to mitigate potential risks. This proactive approach not only safeguards the public but also fosters trust in AI technologies. By setting clear expectations and responsibilities for businesses, the Guidelines promote responsible development and deployment of AI, ultimately contributing to Taiwan's goal of becoming a leader in the global AI landscape.

Reviews on Taiwan Constitutional Court's Judgment no. 13 of 2022 2022/11/24 I.Introduction 　　In 2012, the Taiwan Human Rights Promotion Association and other civil groups believe that the National Health Insurance Administration released the national health insurance database and other health insurance data for scholars to do research without consent, which may be unconstitutional and petitioned for constitutional interpretation. 　　Taiwan Human Rights Promotion Association believes that the state collects, processes, and utilizes personal data on a large scale with the "Personal Data Protection Law", but does not set up another law of conduct to control the exercise of state power, which has violated the principle of legal retention; the data is provided to third-party academic research for use, and the parties involved later Excessive restrictions on the right to withdraw go against the principle of proportionality. 　　The claimant criticized that depriving citizens of their prior consent and post-control rights to medical data is like forcing all citizens to unconditionally contribute data for use outside the purpose before they can use health insurance. The personal data law was originally established to "avoid the infringement of personality rights and promote the rational use of data", but in the insufficient and outdated design of the regulations, it cannot protect the privacy of citizens' information from infringement, and it is easy to open the door to the use of data for other purposes. 　　In addition, even if the health insurance data is de-identified, it is still "individual data" that can distinguish individuals, not "overall data." Health insurance data can be connected with other data of the Ministry of Health and Welfare, such as: physical and mental disability files, sexual assault notification files, etc., and you can also apply for bringing in external data or connecting with other agency data. Although Taiwan prohibits the export of original data, the risk of re-identification may also increase as the number of sources and types of data concatenated increases, as well as unspecified research purposes. 　　The constitutional court of Taiwan has made its judgment on the constitutionality of the personal data usage of National Health Insurance research database. The judgment, released on August 12, 2022, states that Article 6 of Personal Data Protection Act(PDPA), which asks“data pertaining to a natural person's medical records, healthcare, genetics, sex life, physical examination and criminal records shall not be collected, processed or used unless where it is necessary for statistics gathering or academic research by a government agency or an academic institution for the purpose of healthcare, public health, or crime prevention, provided that such data, as processed by the data provider or as disclosed by the data collector, may not lead to the identification of a specific data subject”does not violate Intelligible principle and Principle of proportionality. Therefore, PDPA does not invade people’s right to privacy and remains constitutional. 　　However, the judgment finds the absence of independent supervisory authority responsible for ensuring Taiwan institutions and bodies comply with data protection law, can be unconstitutional, putting personal data protection system on the borderline to failure. Accordingly, laws and regulations must be amended to protect people’s information privacy guaranteed by Article 22 of Constitution of the Republic of China (Taiwan). 　　In addition, the judgment also states it is unconstitutional that Articles 79 and 80 of National Health Insurance Law and other relevant laws lack clear provisions in terms of store, process, external transmission of Personal health insurance data held by Central Health Insurance Administration of the Ministry of Health and Welfare. 　　Finally, the Central Health Insurance Administration of the Ministry of Health and Welfare provides public agencies or academic research institutions with personal health insurance data for use outside the original purpose of collection. According to the overall observation of the relevant regulations, there is no relevant provision that the parties can request to “opt-out”; within this scope, it violates the intention of Article 22 of the Constitution to protect people's right to information privacy. II.Independent supervisory authority 　　According to Article 3 of Central Regulations and Standards Act, government agencies can be divided into independent agencies that can independently exercise their powers and operate autonomously, and non- independent agencies that must obey orders from their superiors. In Taiwan, the so-called "dedicated agency"(專責機關) does not fall into any type of agency defined by the Central Regulations and Standards Act. Dedicated agency should be interpreted as an agency that is responsible for a specific business and here is no other agency to share the business. 　　The European Union requires member states to set up independent regulatory agencies (refer to Articles 51 and 52 of General Data Protection Regulation (GDPR)). In General Data Protection Regulation and the adequacy reference guidelines, the specific requirements for personal data supervisory agencies are as follows: the country concerned should have one or more independent supervisory agencies; they should perform their duties completely independently and cannot seek or accept instructions; the supervisory agencies should have necessary and practicable powers, including the power of investigation; it should be considered whether its staff and budget can effectively assist its implementation. Therefore, in order to pass the EU's adequacy certification and implement the protection of people's privacy and information autonomy, major countries have set up independent supervisory agencies for personal data protection based on the GDPR standards. 　　According to this research, most countries have 5 to 10 commissioners that independently exercise their powers to supervise data exchange and personal data protection. In order to implement the powers and avoid unnecessary conflicts of interests among personnel, most of the commissioners are full-time professionals. Article 3 of Basic Code Governing Central Administrative Agencies Organizations defines independent agency as "A commission-type collegial organization that exercises its powers and functions independently without the supervision of other agencies, and operates autonomously unless otherwise stipulated." It is similar to Japan, South Korea, and the United States. III.Right to Opt-out 　　The judgment pointed out that the parties still have the right to control afterwards the personal information that is allowed to be collected, processed and used without the consent of the parties or that meets certain requirements. Although Article 11 of PDPA provides for certain parties to exercise the right to control afterwards, it does not cover all situations in which personal data is used, such as: legally collecting, processing or using correct personal data, and its specific purpose has not disappeared, In the event that the time limit has not yet expired, so the information autonomy of the party cannot be fully protected, the subject, cause, procedure, effect, etc. of the request for suspension of use should be clearly stipulated in the revised law, and exceptions are not allowed. 　　The United Kingdom is of great reference. In 2017, after the British Information Commissioner's Office (ICO) determined that the data sharing agreement between Google's artificial intelligence DeepMind and the British National Health Service (NHS) violated the British data protection law, the British Department of Health and Social Care proposed National data opt-out Directive in May, 2018. British health and social care-related institutions may refer to the National Data Opt-out Operational Policy Guidance Document published by the National Health Service in October to plan the mechanism for exercising patient's opt-out right. The guidance document mainly explains the overall policy on the exercise of the right to opt-out, as well as the specific implementation of suggested practices, such as opt-out response measures, methods of exercising the opt-out right, etc. 　　National Data Opt-out Operational Policy Guidance Document also includes exceptions and restrictions on the right to opt-out. The Document stipulates that exceptions may limit the right to Opt-out, including: the sharing of patient data, if it is based on the consent of the parties (consent), the prevention and control of infectious diseases (communicable disease and risks to public health), major public interests (overriding) Public interest), statutory obligations, or cooperation with judicial investigations (information required by law or court order), health and social care-related institutions may exceptionally restrict the exercise of the patient's right to withdraw. 　　What needs to be distinguished from the situation in Taiwan is that when the UK first collected public information and entered it into the NHS database, there was already a law authorizing the NHS to search and use personal information of the public. The right to choose to enter or not for the first time; and after their personal data has entered the NHS database, the law gives the public the right to opt-out. Therefore, the UK has given the public two opportunities to choose through the enactment of special laws to protect public's right to information autonomy. 　　At present, the secondary use of data in the health insurance database does not have a complete legal basis in Taiwan. At the beginning, the data was automatically sent in without asking for everyone’s consent, and there was no way to withdraw when it was used for other purposes, therefore it was s unconstitutional. Hence, in addition to thinking about what kind of provisions to add to the PDPA as a condition for "exception and non-request for cessation of use", whether to formulate a special law on secondary use is also worthy of consideration by the Taiwan government. IV.De-identification 　　According to the relevant regulations of PDPA, there is no definition of "de-identification", resulting in a conceptual gap in the connotation. In other words, what angle or standard should be used to judge that the processed data has reached the point where it is impossible to identify a specific person. In judicial practice, it has been pointed out that for "data recipients", if the data has been de-identified, the data will no longer be regulated by PDPA due to the loss of personal attributes, and it is even further believed that de-identification is not necessary. 　　However, the Judgment No. 13 of Constitutional Court, pointed out that through de-identification measures, ordinary people cannot identify a specific party without using additional information, which can be regarded as personal data of de-identification data. Therefore, the judge did not give an objective standard for de-identification, but believed that the purpose of data utilization and the risk of re-identification should be measured on a case-by-case basis, and a strict review of the constitutional principle of proportionality should be carried out. So far, it should be considered that the interpretation of the de-identification standard has been roughly finalized. V.Conclusions 　　The judge first explained that if personal information is processed, the type and nature of the data can still be objectively restored to indirectly identify the parties, no matter how simple or difficult the restoration process is, if the data is restored in a specific way, the parties can still be identified. personal information. Therefore, the independent control rights of the parties to such data are still protected by Article 22 of the Constitution. 　　Conversely, when the processed data objectively has no possibility to restore the identification of individuals, it loses the essence of personal data, and the parties concerned are no longer protected by Article 22 of the Constitution. 　　Based on this, the judge declared that according to Article 6, Item 1, Proviso, Clause 4 of the PDPA, the health insurance database has been processed so that the specific party cannot be identified, and it is used by public agencies or academic research institutions for medical and health purposes. Doing necessary statistical or academic research complies with the principles of legal clarity and proportionality, and does not violate the Constitution. 　　However, the judge believes that the current personal data law or other relevant regulations still lack an independent supervision mechanism for personal data protection, and the protection of personal information privacy is insufficient. In addition, important matters such as personal health insurance data can be stored, processed, and transmitted externally by the National Health Insurance Administration in a database; the subject, purpose, requirements, scope, and method of providing external use; and organizational and procedural supervision and protection mechanisms, etc. Articles 79 and 80 of the Health Insurance Law and other relevant laws lack clear provisions, so they are determined to be unconstitutional. 　　In the end, the judge found that the relevant laws and regulations lacked the provisions that the parties can request to stop using the data, whether it is the right of the parties to request to stop, or the procedures to be followed to stop the use, there is no relevant clear text, obviously the protection of information privacy is insufficient. Therefore, regarding unconstitutional issues, the Constitutional Court ordered the relevant agencies to amend the Health Insurance Law and related laws within 3 years, or formulate specific laws.

Legal Analysis of the U.S. BIOSECURE Act: Implications for Taiwanese Biotechnology Companies 2024/11/15 I.Introduction The U.S. BIOSECURE Act (H.R.8333)[1](hereunder, "BIOSECURE Act" or "Act") is a strategic legislative measure designed to protect U.S. biotechnology technologies and data from potential exploitation by foreign entities deemed to be threats to national security. Passed by the House of Representatives on September 9, 2024, with a vote of 306-81[2], the Act demonstrates robust bipartisan support to limit foreign influence in critical U.S. sectors. Passed during the legislative session known as "China Week[3]," the Act imposes restrictions on government contracts, funding, and technological cooperation with entities classified as "Biotechnology Companies of Concern" (hereunder, "BCCs") that are affiliated with adversarial governments. Given Taiwan's prominent role in biotechnology and its strong trade ties with the U.S., Taiwanese companies must examine the implications of the BIOSECURE Act, specifically in regard to technology acquisition from restricted foreign companies and compliance obligations for joint projects with U.S. partners. This analysis will delve into three core aspects of the BIOSECURE Act: (1) the designation and evaluation of BCCs, (2) prohibitions on transactions involving BCCs, and (3) enforcement mechanisms. Each section will evaluate potential impacts on Taiwanese companies, focusing on how the Act might influence technology transfers, compliance obligations, and partnership opportunities within the U.S. biotechnology supply chain. II.Designation and Evaluation of Biotechnology Companies of Concern A central element of the BIOSECURE Act is the process of identifying and evaluating foreign biotechnology companies considered potential threats to U.S. national security.[4] Under Section 2(f)(2) of the Act, a "Biotechnology Company of Concern" is defined as any entity associated with adversarial governments—specifically, China, Russia, North Korea, and Iran[5]—that engages in activities or partnerships posing risks to U.S. security[6]. These risks may include collaboration with foreign military or intelligence agencies, involvement in dual-use research, or access to sensitive personal or genetic information of U.S. citizens. Companies already designated as BCCs include BGI, MGI, Complete Genomics, WuXi AppTec, and WuXi Biologics, all of which have substantial ties to China and the Chinese government or military[7]. Under Section 2(f)(4) of the Act, the Office of Management and Budget (OMB) is required to continuously evaluate and update the BCC list in consultation with agencies such as the Department of Defense, Department of Commerce, and the National Intelligence Community to reflect evolving security concerns[8]. The designation process presents significant challenges for Taiwanese companies, particularly those that have connections with BCCs or rely on BCC technologies for their products, diagnostics, or research initiatives. For instance, if a Taiwanese company uses gene sequencing technology or multiomics tools sourced from one of the designated BCCs, it may face restrictions when pursuing contracts with U.S. entities or seeking federal funding. To proactively address these challenges, Taiwanese companies should establish compliance protocols that verify the origin of their technology and data sources. Moreover, developing new supply chain relationships with U.S. or European suppliers may not only reduce reliance on BCC-affiliated technology but also enhance Taiwanese companies' reputation as secure and reliable partners in the biotechnology industry. By adapting proactively to the BCC designation process, Taiwanese companies can anticipate and respond to future regulatory shifts more effectively. Diversifying their technology base away from BCCs positions these companies to better align with U.S. biosecurity standards, thereby becoming more attractive collaborators for U.S.-based biotechnology and life sciences companies. Given the rapid pace of regulatory and security developments, staying informed about changes in BCC designations will enable Taiwanese companies to operate with greater agility, adjusting suppliers and adopting new compliance measures as needed. Such proactive alignment can strengthen their resilience and reinforce their status as stable and secure participants in the global biotechnology landscape. III.Prohibition on Government Contracts and Funding A core component of the BIOSECURE Act is its stringent restrictions on contracting and funding involving entities linked to BCCs, as detailed in Section 2(a) of the act[9]. These restrictions extend beyond direct federal interactions to include any recipients of federal funds, prohibiting them from using such funds to procure biotechnology products or services from BCCs[10]. By curtailing federal support and preventing indirect financial benefits to these companies, the U.S. aims to mitigate national security risks posed by adversarial governments. The wide-reaching scope of these prohibitions makes the BIOSECURE Act one of the most comprehensive legislative efforts to secure the biotechnology sector and address concerns over foreign technologies potentially compromising U.S. security interests. For Taiwanese biotechnology companies, these prohibitions introduce substantial compliance demands, particularly for companies that utilize BCC technology within their supply chains. For example, a Taiwanese company engaged in a joint research project with a U.S. government contractor may be required to demonstrate that none of its technology or data sources originate from BCCs. Compliance could necessitate rigorous supply chain audits and operational adjustments, potentially increasing short-term costs. However, aligning with U.S. regulatory standards preemptively can position Taiwanese companies as more desirable partners for U.S. entities that are increasingly prioritizing security and regulatory adherence. The BIOSECURE Act also incentivizes Taiwanese companies to explore alternative technology providers that meet U.S. biosecurity criteria, including secure data management practices, compliance with federal regulations, and the absence of connections to adversarial governments. By sourcing technology from approved U.S. or European biotechnology companies, Taiwanese companies can enhance their market access and collaborative prospects in the U.S. biotechnology and life sciences sectors. This strategy may also foster long-term stability in partnerships and mitigate risks associated with supply chain disruptions, particularly if more companies are designated as BCCs in the future[11]. Establishing partnerships with U.S.-aligned suppliers can also provide Taiwanese companies with a competitive edge in securing government contracts and research funding, as U.S.-based entities increasingly prefer suppliers that comply with national biosecurity requirements. IV.Enforcement Mechanisms, Transition Periods, and Taiwanese Considerations The BIOSECURE Act outlines key enforcement mechanisms and transitional provisions designed to facilitate the adjustment process for companies affected by its restrictions. Specifically, Section 2(c) of the Act provides an eight-year grandfathering period for contracts established prior to the Act’s effective date involving existing BCCs, allowing these agreements to continue until January 1, 2032[12]. This provision is intended to provide companies that are dependent on BCC-supplied biotechnology ample time to transition to compliant suppliers. In addition, the Act includes a "safe harbor" provision[13], which clarifies that equipment previously produced by a BCC but now sourced from a non-BCC entity will not be restricted. This allows companies to re-source components without the risk of penalties for past procurement decisions. For Taiwanese companies, this transition period presents a critical opportunity to adapt to the new regulatory environment without facing immediate disruptions to business operations. Companies dependent on BCC technology for essential biotechnological functions can leverage the eight-year window to gradually phase out such suppliers, thereby minimizing the impact on operations while ensuring future compliance. For example, a Taiwanese company that relies on a BCC’s sequencing technology for genomic research can use this period to forge partnerships with compliant technology suppliers, thereby avoiding sudden disruptions in research or production. Additionally, the Act includes a waiver provision[14] that allows case-by-case exemptions under specific conditions, particularly when compliance is infeasible, such as in instances where critical healthcare services abroad are at risk[15]. By making strategic use of the phased enforcement and waiver provisions, Taiwanese companies can restructure their supply chains to align fully with U.S. requirements. Those that plan these transitions carefully not only ensure regulatory compliance but also enhance their appeal as resilient and trustworthy partners in the U.S. market. Exploring new collaborations with U.S.-approved biotechnology suppliers can further bolster supply chain resilience against future geopolitical or regulatory uncertainties. The transition period[16] and waiver options[17] reflect the BIOSECURE Act's balanced approach between immediate security needs and pragmatic implementation, which Taiwanese companies can capitalize on to build robust, compliant biotechnological operations. V.Conclusion The U.S. BIOSECURE Act[18] presents both significant challenges and strategic opportunities for Taiwanese biotechnology companies. The Act’s restrictions on contracts with designated BCCs and funding constraints necessitate a reassessment of technology acquisition strategies and a reinforcement of compliance practices. Taiwanese companies seeking deeper integration into U.S. and global biotechnology markets will benefit from aligning their procurement approaches with non-BCC suppliers, particularly those in the U.S. or allied countries. This proactive alignment will not only mitigate potential compliance risks but also enhance Taiwanese companies’ reputations as reliable global partners in biotechnology. The phased enforcement and waiver provisions of the BIOSECURE Act[19] provide Taiwanese companies with a clear pathway to navigate the evolving regulatory landscape, allowing them to establish stronger, more resilient supply chains that meet U.S. standards. Such alignment positions these companies as competitive players in the biotechnology sector, contributing to secure and innovative progress in an increasingly interconnected world. By actively engaging with the BIOSECURE Act’s compliance demands, Taiwanese biotechnology companies can leverage the Act's phased implementation to ensure sustained, secure access to the U.S. market and foster strategic biotechnology partnerships. [1] U.S. CONGRESS, H.R. 8333 – U.S. BIOSECURE Act (2024), https://www.congress.gov/bill/118th-congress/house-bill/8333 (last visited Nov. 1, 2024). [2] OFFICE OF THE CLERK, U.S. HOUSE OF REPRESENTATIVES, Roll Call Vote No. 402 on H.R. 8333 (Sept. 9, 2024), https://clerk.house.gov/Votes?RollCallNum=402&BillNum=H.R.8333 (last visited Nov. 1, 2024). [3] JANINE LITTLE, U.S. House Of Representatives Passes The BIOSECURE Act During “China Week”, Global Supply Chain Law Blog (Sept. 13, 2024), https://www.globalsupplychainlawblog.com/supply-chain/u-s-house-of-representatives-passes-the-biosecure-act-during-china-week/ (last visited Nov. 1, 2024). [4] SABINE NAUGÈS & SARAH L. ENGLE, BIOSECURE Act: US Target on Chinese Biotechnology Companies, NAT'L L. REV. (Sept. 13, 2024), https://natlawreview.com/article/biosecure-act-us-target-chinese-biotechnology-companies (last visited Nov. 1, 2024). [5] 10 U.S.C. § 4872(d) (2024), https://www.law.cornell.edu/uscode/text/10/4872 (last visited Nov. 1, 2024). [6] U.S. CONGRESS, H.R. 8333 – U.S. BIOSECURE Act (2024), https://www.congress.gov/bill/118th-congress/house-bill/8333 (last visited Nov. 1, 2024). [7] id. [8] id. [9] id. [10] id. [11] JANINE LITTLE, U.S. House Of Representatives Passes The BIOSECURE Act During “China Week”, Global Supply Chain Law Blog (Sept. 13, 2024), https://www.globalsupplychainlawblog.com/supply-chain/u-s-house-of-representatives-passes-the-biosecure-act-during-china-week/ (last visited Nov. 1, 2024). [12] U.S. CONGRESS, H.R. 8333 – U.S. BIOSECURE Act (2024), https://www.congress.gov/bill/118th-congress/house-bill/8333 (last visited Nov. 1, 2024). [13] id. [14] id. [15] id. [16] id. [17] id. [18] id. [19] id.