Blockchain and General Data Protection Regulation (GDPR) compliance issues (2019)

Blockchain and General Data Protection Regulation (GDPR) compliance issues (2019)

I. Brief

  Blockchain technology can solve the problem of trust between data demanders and data providers. In other words, in a centralized mode, data demanders can only choose to believe that the centralized platform will not contain the false information. However, in the decentralized mode, data isn’t controlled by one individual group or organization[1], data demanders can directly verify information such as data source, time, and authorization on the blockchain without worrying about the correctness and authenticity of the data.

  Take the “immutable” for example, it is conflict with the right to erase (also known as the right to be forgotten) in the GDPR.With encryption and one-time pad (OTP) technology, data subjects can make data off-chain storaged or modified at any time in a decentralized platform, so the problem that data on blockchain not meet the GDPR regulation has gradually faded away.

II. What is GDPR?

  The purpose of the EU GDPR is to protect user’s data and to prevent large-scale online platforms or large enterprises from collecting or using user’s data without their permission. Violators will be punished by the EU with up to 20 million Euros (equal to 700 million NT dollars) or 4% of the worldwide annual revenue of the prior financial year.

  The aim is to promote free movement of personal data within the European Union, while maintaining adequate level of data protection. It is a technology-neutral law, any type of technology which is for processing personal data is applicable.

  So problem about whether the data on blockchain fits GDPR regulation has raise. Since the blockchain is decentralized, one of the original design goals is to avoid a large amount of centralized data being abused.

  Blockchain can be divided into permissioned blockchains and permissionless blockchains. The former can also be called “private chains” or “alliance chains” or “enterprise chains”, that means no one can join the blockchain without consent. The latter can also be called “public chains”, which means that anyone can participate on chain without obtaining consent.

  Sometimes, private chain is not completely decentralized. The demand for the use of blockchain has developed a hybrid of two types of blockchain, called “alliance chain”, which not only maintains the privacy of the private chain, but also maintains the characteristics of public chains. The information on the alliance chain will be open and transparent, and it is in conflict with the application of GDPR.

III. How to GDPR apply to blockchain ?

  First, it should be determined whether the data on the blockchain is personal data protected by GDPR. Second, what is the relationship and respective responsibilities of the data subject, data controller, and data processor? Finally, we discuss the common technical characteristics of blockchain and how it is applicable to GDPR.

1. Data on the blockchain is personal data protected by GDPR?

  First of all, starting from the technical characteristics of the blockchain, blockchain technology is commonly decentralized, anonymous, immutable, trackable and encrypted. The other five major characteristics are immutability, authenticity, transparency, uniqueness, and collective consensus.

  Further, the blockchain is an open, decentralized ledger technology that can effectively verify and permanently store transactions between two parties, and can be proved.

  It is a distributed database, all users on the chain can access to the database and the history record, also can directly verify transaction records. Each nodes use peer-to-peer transmission for upload or transfer information without third-party intermediation, which is the unique “decentralization” feature of the blockchain.

  In addition, the node or any user on the chain has a unique and identifiable set of more than 30 alphanumeric addresses, but the user may choose to be anonymous or provide identification, which is also a feature of transparency with pseudonymity[2]; Data on blockchain is irreversibility of records. Once the transaction is recorded and updated on the chain, it is difficult to change and is permanently stored in the database, that is to say, it has the characteristics of “tamper-resistance”[3].

  According to Article 4 (1) of the GDPR, “personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

  Therefore, if data subject cannot be identified by the personal data on the blockchain, that is an anonymous data, excluding the application of GDPR.

(1) What is Anonymization?

  According to Opinion 05/2014 on Anonymization Techniques by Article 29 Data Protection Working Party of the European Union, “anonymization” is a technique applied to personal data in order to achieve irreversible de-identification[4].

  And it also said the “Hash function” of blockchain is a pseudonymization technology, the personal data is possible to be re-identified. Therefore it’s not an “anonymization”, the data on the blockchain may still be the personal data stipulated by the GDPR.

  As the blockchain evolves, it will be possible to develop technologies that are not regulated by GDPR, such as part of the encryption process, which will be able to pass the court or European data protection authorities requirement of anonymization. There are also many compliance solutions which use technical in the industry, such as avoiding transaction data stored directly on the chain.

2. International data transmission

  Furthermore, in accordance with Article 3 of the GDPR, “This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union”.[5]

  In other words, GDPR applies only when the data on the blockchain is not anonymized, and involves the processing of personal data of EU citizens.

3. Identification of data controllers and data processors

  Therefore, if the encryption technology involves the public storage of EU citizens' personal data and passes it to a third-party controller, it may be identified as the “data controller” under Article 4 of GDPR, and all nodes and miners of the platform may be deemed as the “co-controller” of the data, and be assumed joint responsibility with the data controller by GDPR. For example, the parties can claim the right to delete data from the data controller.

  In addition, a blockchain operator may be identified as a “processor”, for example, Backend as a Service (BaaS) products, the third parties provide network infrastructure for users, and let users manage and store personal data. Such Cloud Services Companies provide online services on behalf of customers, do not act as “data controllers”. Some commentators believe that in the case of private chains or alliance chains, such as land records transmission, inter-bank customer information sharing, etc., compared to public chain applications: such as cryptocurrencies (Bitcoin for example), is not completely decentralized, and more likely to meet GDPR requirements[6]. For example, in the case of a private chain or alliance chain, it is a closed platform, which contains only a small number of trusted nodes, is more effective in complying with the GDPR rules.

4. Data subject claims

  In accordance with Article 17 of the GDPR, The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay under some grounds.

  Off-chain storage technology can help the blockchain industry comply with GDPR rules, allowing offline storage of personal data, or allow trusted nodes to delete the private key of encrypted information, which leaving data that cannot be read and identified on the chain. If the data is in accordance with the definition of anonymization by GDPR, there is no room for GDPR to be applied.

IV. Conclusion

  In summary, it’s seem that the application of blockchain to GDPR may include: (a) being difficulty to identified the data controllers and data processors after the data subject upload their data. (b) the nature of decentralized storage is transnational storage, and Whether the country where the node is located, is meets the “adequacy decision” of Article 45 of the GDPR.

  If it cannot be met, then it needs to consider whether it conforms to the transfers subject to appropriate safeguards of Article 46, or the derogations for specific situations of Article 49 of the GDPR.

 

Reference:

[1] How to Trade Cryptocurrency: A Guide for (Future) Millionaires, https://wikijob.com/trading/cryptocurrency/how-to-trade-cryptocurrency

[2] DONNA K. HAMMAKER, HEALTH RECORDS AND THE LAW 392 (5TH ED. 2018).

[3] Iansiti, Marco, and Karim R. Lakhani, The Truth about Blockchain, Harvard Business Review 95, no. 1 (January-February 2017): 118-125, available at https://hbr.org/2017/01/the-truth-about-blockchain

[4] Article 29 Data Protection Working Party, Opinion 05/2014 on Anonymisation Techniques (2014), https://www.pdpjournals.com/docs/88197.pdf

[5] Directive 95/46/EC (General Data Protection Regulation), https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN

[6] Queen Mary University of London, Are blockchains compatible with data privacy law? https://www.qmul.ac.uk/media/news/2018/hss/are-blockchains-compatible-with-data-privacy-law.html

Links
Download
※Blockchain and General Data Protection Regulation (GDPR) compliance issues (2019),STLI, https://stli.iii.org.tw/en/article-detail.aspx?no=55&tp=2&i=168&d=8419 (Date:2023/09/26)
Quote this paper
You may be interested
Innovative Practice of Israel's Government Procurement

Innovative Practice of Israel's Government Procurement   Government procurement is an important pillar of government services. Because of the huge number of government purchases, government procurement management play an important role in promoting public sector efficiency and building citizenship. Well-designed government procurement systems also help to achieve policy such as environmental protection, innovation, start-ups and the development of small and medium-sized enterprises.   Nowadays, countries in the world, especially OECD countries, have been widely practiced with innovative procurement to stimulate innovation and start-ups, and call Innovation procurement can deliver solutions to challenges of public interest and ICTs can play a major role in this. However, in the OECD countries, in addition to the advanced countries that have been developed, many developing countries have also used government procurement to stimulate national R & D and innovation with remarkable results. Israel is one of the world's leading technology innovation centers, one of the most innovative economies in the world, continues to leverage its own strengths, support of technology entrepreneurship and unique environment, an international reputation in the high-tech industry, the spirit of technological innovation and novelty.   Government procurement is a core element of the activities of Israeli government, agreement with suppliers and compliance with the Mandatory Tenders Law. The main challenge is how to ensure efficiency and maintain government performance while ensuring an equitable and transparent procurement process. Israel’s Mandatory Tenders Law has shown the central role played by the Israeli Supreme Court in creating and developing this law, even in the absence of any procurement legislation, based instead on general principles of administrative law. Once the project of creating a detailed body of public tendering law had been completed, and the legislator was about to step in, the Supreme Court was prepared to step out and transferring the jurisdiction to lower courts. The Knesset passed the Mandatory Tenders Law, and based on it the Government issued the various tendering regulations. Besides, Israel's various international agreements on government procurement, mainly GPA and other bilateral international agreements such as free trade agreements with Mexico and Colombia and free trade agreements and memoranda of understanding with the United States. The practical significance of these commitments can only be understood on the backdrop of Israel’s domestic preference and offset policies. These policies were therefore discussed and analyzed as they apply when none of the international agreements applies.   The Challenge Tenders "How to solve the problem of overcrowding in the emergency department and the internal medicine department?" is the first of a series of "problem solicitations" released by the Israeli Ministry of Health which seeks to find a digital solution to the public health system problem, questions from the government while avoiding preconceived prejudices affect the nature of the solution, allowing multiple innovative ideas from different fields to enter the health system, make fair and transparent judgments about the ideal solution to the problem. In order to ensure transparency and integrity, equality, efficiency and competition in the decision-making process, the tender proposed by the Israeli Ministry of Health defines a two-stage tender process. The Ministry of Health of Israel, in order to improve the quality of medical care, shorten the waiting time for hospitalized patients, protect the dignity of patients and their families with patients as its center, and ensure their rights, while alleviating the burden of hospital staff, so as to pass the targeted treatment areas reduce the gap between various residential areas. The Israeli government deals with these issues through challenging tenders and offers a digital solution combined with innovative ideas. The initiative proposed through the development of public service projects can raise the level of public services in the country and help the government to reduce costs and achieve the purpose of promoting innovation with limited conceptual, technical and financial capabilities. In addition, due to the online operation of the challenging tender process throughout the entire process, fair and transparent procedures can be ensured, while public-private partnerships are encouraged to facilitate the implementation of the implementation plan.

The opening and sharing of scientific data- The Data Policy of the U.S. National Institutes of Health

The opening and sharing of scientific data- The Data Policy of the U.S. National Institutes of Health Li-Ting Tsai   Scientific research improves the well-being of all mankind, the data sharing on medical and health promote the overall amount of energy in research field. For promoting the access of scientific data and research findings which was supported by the government, the U.S. government affirmed in principle that the development of science was related to the retention and accesses of data. The disclosure of information should comply with legal restrictions, and the limitation by time as well. For government-sponsored research, the data produced was based on the principle of free access, and government policies should also consider the actual situation of international cooperation[1]Furthermore, the access of scientific research data would help to promote scientific development, therefore while formulating a sharing policy, the government should also consider the situation of international cooperation, and discuss the strategy of data disclosure based on the principle of free access.   In order to increase the effectiveness of scientific data, the U.S. National Institutes of Health (NIH) set up the Office of Science Policy (OSP) to formulate a policy which included a wide range of issues, such as biosafety (biosecurity), genetic testing, genomic data sharing, human subjects protections, the organization and management of the NIH, and the outputs and value of NIH-funded research. Through extensive analysis and reports, proposed emerging policy recommendations.[2] At the level of scientific data sharing, NIH focused on "genes and health" and "scientific data management". The progress of biomedical research depended on the access of scientific data; sharing scientific data was helpful to verify research results. Researchers integrated data to strengthen analysis, promoted the reuse of difficult-generated data, and accelerated research progress.[3] NIH promoted the use of scientific data through data management to verify and share research results.   For assisting data sharing, NIH had issued a data management and sharing policy (DMS Policy), which aimed to promote the sharing of scientific data funded or conducted by NIH.[4] DMS Policy defines “scientific data.” as “The recorded factual material commonly accepted in the scientific community as of sufficient quality to validate and replicate research findings, regardless of whether the data are used to support scholarly publications. Scientific data do not include laboratory notebooks, preliminary analyses, completed case report forms, drafts of scientific papers, plans for future research, peer reviews, communications with colleagues, or physical objects, such as laboratory specimens.”[5] In other words, for determining scientific data, it is not only based on whether the data can support academic publications, but also based on whether the scientific data is a record of facts and whether the research results can be repeatedly verified.   In addition, NIH, NIH research institutes, centers, and offices have had expected sharing of data, such as: scientific data sharing, related standards, database selection, time limitation, applicable and presented in the plan; if not applicable, the researcher should propose the data sharing and management methods in the plan. NIH also recommended that the management and sharing of data should implement the FAIR (Findable, Accessible, Interoperable and Reusable) principles. The types of data to be shared should first in general descriptions and estimates, the second was to list meta-data and other documents that would help to explain scientific data. NIH encouraged the sharing of scientific data as soon as possible, no later than the publication or implementation period.[6] It was said that even each research project was not suitable for the existing sharing strategy, when planning a proposal, the research team should still develop a suitable method for sharing and management, and follow the FAIR principles.   The scientific research data which was provided by the research team would be stored in a database which was designated by the policy or funder. NIH proposed a list of recommended databases lists[7], and described the characteristics of ideal storage databases as “have unique and persistent identifiers, a long-term and sustainable data management plan, set up metadata, organizing data and quality assurance, free and easy access, broad and measured reuse, clear use guidance, security and integrity, confidentiality, common format, provenance and data retention policy”[8]. That is to say, the design of the database should be easy to search scientific data, and should maintain the security, integrity and confidentiality and so on of the data while accessing them.   In the practical application of NIH shared data, in order to share genetic research data, NIH proposed a Genomic Data Sharing (GDS) Policy in 2014, including NIH funding guidelines and contracts; NIH’s GDS policy applied to all NIHs Funded research, the generated large-scale human or non-human genetic data would be used in subsequent research. [9] This can effectively promote genetic research forward.   The GDS policy obliged researchers to provide genomic data; researchers who access genomic data should also abide by the terms that they used the Controlled-Access Data for research.[10] After NIH approved, researchers could use the NIH Controlled-Access Data for secondary research.[11] Reviewed by NIH Data Access Committee, while researchers accessed data must follow the terms which was using Controlled-Access Data for research reason.[12] The Genomic Summary Results (GSR) was belong to NIH policy,[13] and according to the purpose of GDS policy, GSR was defined as summary statistics which was provided by researchers, and non-sensitive data was included to the database that was designated by NIH.[14] Namely. NIH used the application and approval of control access data to strike a balance between the data of limitation access and scientific development.   For responding the COVID-19 and accelerating the development of treatments and vaccines, NIH's data sharing and management policy alleviated the global scientific community’s need for opening and sharing scientific data. This policy established data sharing as a basic component in the research process.[15] In conclusion, internalizing data sharing in the research process will help to update the research process globally and face the scientific challenges of all mankind together. [1]NATIONAL SCIENCE AND TECHNOLOGY COUNCIL, COMMITTEE ON SCIENCE, SUBCOMMITEE ON INTERNATIONAL ISSUES, INTERAGENCY WORKING GROUP ON OPEN DATA SHARING POLICY, Principles For Promoting Access To Federal Government-Supported Scientific Data And Research Findings Through International Scientific Cooperation (2016), 1, organized from Principles, at 5-8, https://obamawhitehouse.archives.gov/sites/default/files/microsites/ostp/NSTC/iwgodsp_principles_0.pdf (last visited December 14, 2020). [2]About Us, Welcome to NIH Office of Science Policy, NIH National Institutes of Health Office of Science Policy, https://osp.od.nih.gov/about-us/ (last visited December 7, 2020). [3]NIH Data Management and Sharing Activities Related to Public Access and Open Science, NIH National Institutes of Health Office of Science Policy, https://osp.od.nih.gov/scientific-sharing/nih-data-management-and-sharing-activities-related-to-public-access-and-open-science/ (last visited December 10, 2020). [4]Final NIH Policy for Data Management and Sharing, NIH National Institutes of Health Office of Extramural Research, Office of The Director, National Institutes of Health (OD), https://grants.nih.gov/grants/guide/notice-files/NOT-OD-21-013.html (last visited December 11, 2020). [5]Final NIH Policy for Data Management and Sharing, NIH National Institutes of Health Office of Extramural Research, Office of The Director, National Institutes of Health (OD), https://grants.nih.gov/grants/guide/notice-files/NOT-OD-21-013.html (last visited December 12, 2020). [6]Supplemental Information to the NIH Policy for Data Management and Sharing: Elements of an NIH Data Management and Sharing Plan, Office of The Director, National Institutes of Health (OD), https://grants.nih.gov/grants/guide/notice-files/NOT-OD-21-014.html (last visited December 13, 2020). [7]The list of databases in details please see:Open Domain-Specific Data Sharing Repositories, NIH National Library of Medicine, https://www.nlm.nih.gov/NIHbmic/domain_specific_repositories.html (last visited December 24, 2020). [8]Supplemental Information to the NIH Policy for Data Management and Sharing: Selecting a Repository for Data Resulting from NIH-Supported Research, Office of The Director, National Institutes of Health (OD), https://grants.nih.gov/grants/guide/notice-files/NOT-OD-21-016.html (last visited December 13, 2020). [9]NIH Genomic Data Sharing, National Institutes of Health Office of Science Policy, https://osp.od.nih.gov/scientific-sharing/genomic-data-sharing/ (last visited December 15, 2020). [10]NIH Genomic Data Sharing Policy, National Institutes of Health (NIH), https://grants.nih.gov/grants/guide/notice-files/NOT-OD-14-124.html (last visited December 17, 2020). [11]NIH Genomic Data Sharing Policy, National Institutes of Health (NIH), https://grants.nih.gov/grants/guide/notice-files/NOT-OD-14-124.html (last visited December 17, 2020). [12]id. [13]NIH National Institutes of Health Turning Discovery into Health, Responsible Use of Human Genomic Data An Informational Resource, 1, at 6, https://osp.od.nih.gov/wp-content/uploads/Responsible_Use_of_Human_Genomic_Data_Informational_Resource.pdf (last visited December 17, 2020). [14]Update to NIH Management of Genomic Summary Results Access, National Institutes of Health (NIH), https://grants.nih.gov/grants/guide/notice-files/NOT-OD-19-023.html (last visited December 17, 2020). [15]Francis S. Collins, Statement on Final NIH Policy for Data Management and Sharing, National Institutes of Health Turning Discovery Into Health, https://www.nih.gov/about-nih/who-we-are/nih-director/statements/statement-final-nih-policy-data-management-sharing (last visited December 14, 2020).

New Version of Personal Information Protection Act and Personal Information Protection & Administration System

I.Summary In 1995, the Computer-Processed Personal Data Protection Law was implemented in the Republic of China. With the constant development of information technology and the limitations in the application of the legislation, the design of the original legal system is no longer consistent with practical requirements. Considering the increasing number of incidents of personal data leaks, discussions were carried out over a long period of time and the new version of the Personal Information Protection Act was passed after three readings in April, 2010. The title of the law was changed to Personal Information Protection Act. The new system has been officially implemented since 1 October, 2012. The new Act not only revised the provisions of the law in a comprehensive way, but also significantly increased the obligations and responsibilities of enterprises. In terms of civil liability, the maximum amount of compensation for a single incident is 200 Million NTD. For domestic industries, how to effectively respond to the requirements under the Personal Information Protection Act and adopt proper corresponding measures to lower the risk has become a key task for enterprise operation. II. Main Points 1. Implementation of the Enforcement Rules of the Personal Information Protection Act Personal information protection can be said the most concerned issue in Taiwan recently. As a matter of fact, the Computer-Processed Personal Data Protection Law was established in Taiwan as early as August 1995. After more than 10 years of development, computer and information technology has evolved significantly, and many emerging business models such as E-commerce are extensively collecting personal data. It has become increasingly important to properly protect personal privacy. However, the previous Computer-Processed Personal Data Protection Law was only applicable to certain industries, i.e. the following 8 specific industries: the credit investigation business, hospital, school, telecommunication business, financial business, securities business, insurance business, and mass media. And other business was designated by the Ministry of Justice and the central government authorities in charge of concerned enterprises. In addition, the law only protected personal information that was processed by “computer or automatic equipment”. Personal information that was not computer processed was not included. There were clearly no sufficient regulations for the protection of personal data privacy and interest. There were numerous incidents of personal data leaks. Among the top 10 consumer news issued by the Consumer Protection Committee of the Executive Yuan in 2007, “incidents of personal data leaks through E-commerce and TV shopping” was on the top of the list. This provoked the Ministry of Justice and the Ministry of Economic Affairs to “jointly designate” the retail industry without physical boutique (including 3 transaction models: online shopping, catalogue shopping and TV shopping) to be governed by the Computer-Processed Personal Data Protection Law since 1 July 2010. To allow the provisions of the personal information protection legal system to meet the environment of rapid change, the Executive Yuan proposed a Draft Amendment to the Computer-Processed Personal Data Protection Law very early and changed the title to the Personal Information Protection Act. The draft was discussed many times in the Legislative Yuan. Personal Information Protection Act was finally passed after three readings in April 2010, which was officially published by the Office of the President on 26 May. Although the new law was passed in April 2010, to allow sufficient time for enterprises and the public to understand and comply the new law, the new version of the personal information protection law was not implemented on the date of publication. In accordance with Article 56 of the Act, the date of implementation was to be further established by the Executive Yuan. After discussions over a long period of time, the Executive Yuan decided for the Personal Information Protection Act to be officially implemented on 1 October 2012. However, the implementation of two articles is withheld: Article 6 of the Act about the principal prohibition against the collection, processing and use of special personal information and Article 54 about the obligation to notice the Party within one year for personal information indirectly acquired before the implementation of the new law. In terms of the personal data protection legal system, other than the most important Personal Data Protection Act, the enforcement rules established in accordance with the main law also play a key role. The previous Enforcement Rules of the Computer-Processed Personal Data Protection Law were published and implemented on 1 May, 1996. Considering that the Computer-Processed Personal Data Protection Law was amended in 2010 and that its title has been changed to the Personal Data Protection Act, the Ministry of Justice also followed the amended provisions under the new law and actively studied the Draft Amendment to the Enforcement Rules of the Computer-Processed Personal Data Protection Act. After it was confirmed that the new version of the Personal Data Protection Act would be officially launched on 1 October 2012, the Ministry of Justice announced officially the amended enforcement rules on 26 September, 2012. The title of the enforcement rules was also amended to the Enforcement Rules of the Personal Data Protection Act. The new version of personal data protection law and enforcement rules was thus officially launched, creating a brand new era for the promotion of personal data protection in Taiwan. II. Personal Data Administration System and Information Privacy Protection Charter Before the amendment to the Personal Data Protection Act was passed, the Legislative Yuan made a proposal to the government in June 2008 to promote a privacy administration and protection certification system in Taiwan, in reference to foreign practices. In August of the following year, the Strategic Review Board of the Executive Yuan passed a resolution to promote the E-Commerce Personal Data Administration and Information Security Action Plan. In December of the same year, approval was granted for the plan to be included in the key government promotion plans from 2010 to 2013. Based on this action plan, since October 2010, the Ministry of Economic Affairs has asked the Institution for Information Industry to execute an E-Commerce Personal Data Administration System Setup Plan. Since 2012, the E-Commerce Personal Data Administration System Promotion Plan and the Taiwan Personal Information Protection and Administration System (TPIPAS) have been established and promoted, with the objective of procuring enterprises to, while complying with the personal data protection legal system, properly protect consumers’ personal information through the establishment of an internal administration mechanism and ensuring that the introducing enterprises meet the requirements of the system. The issuance of the Data Privacy Protection Mark (dp.mark) was also used as an objective benchmark for consumers to judge the enterprise’s ability to maintain privacy. Regarding the introduction of the personal data administration system, enterprises should establish a content administration mechanism step by step in accordance with the Regulations for Taiwan Personal Information Protection and Administration System. Such system also serves as the review benchmark to decide whether domestic enterprises can acquire the Data Privacy Protection Mark (dp.mark). Since domestic enterprises did not have experience in establishing internal personal data administration system in the past, starting 2011, under the Taiwan Personal Information Protection and Administration System, enterprises received assistance in the training of system professionals such as Personal Data Administrators and Personal Data Internal Appraisers. Quality personal data administrators can help enterprises establish complete internal systems. Internal appraisers play the role of confirming whether the systems established by the enterprises are consistent with the system requirements. As of 2012, there are almost 100 enterprises in Taiwan that participate in the training of system staff and a total of 426 administrators and 131 internal appraisers. In terms of the introduction of TPIPAS, in additional to the establishment and introduction of administration systems by qualified administrators, enterprises can also seek assistance from external professional consulting institutions. Under the Taiwan Personal Information Protection and Administration System, applications for registration of consulting institutions became available in 2012. Qualified system consulting institutions are published on the system website. Today 9 qualified consulting institutions have completed their registrations, providing enterprises with personal data consulting services. After an enterprise completes the establishment of its internal administration system, it may file an application for certification under the Taiwan Personal Information Protection and Administration System. The certification process includes two steps: “written review” and “site review”. After the enterprise passing certification, it is qualified to use the Data Privacy Protection Mark (dp.mark). Today 7 domestic companies have passed TPIPAS certification and acquired the dp.mark: 7net, FamiPort, books.com.tw, LOTTE, GOHAPPY, PAYEASY and Sinya Digital, reinforcing the maintenance of consumer privacy information through the introduction of personal data administration system. III. Event Analysis The Taiwan Personal Information Protection and Administration System (TPIPAS) is a professional personal data administration system established based on the provisions of the latest version of the domestic Personal Data Protection Act, in reference to the latest requirements of personal data protection by international organizations and the experience of main countries in promoting personal data administration system. In accordance with the practical requirements to protect personal data by industries, TPIPAS converted professional legal conditions into an internal personal data administration procedure to effectively assist industries to establish a complete and proper personal data administration system and to comply with the requirements of personal data legislations. With the launch of the new version of the Personal Data Protection Act, introducing TPIPAS and acquiring dp.mark are the best strategies for enterprises to lower the risk from the personal data protection law and to upgrade internal personal data administration capability.

Introduction to Tax Incentive Regime for SMEs

Introduction to Tax Incentive Regime for SMEs I. Introduction   The developments of SMEs (small-and-medium enterprises) plays an important pillar of development of industries and creation of jobs in Taiwan. In 2017, the total number of SMEs in Taiwan was 1,437,616. They offer 8,904,000 jobs, accounting for 78.44% of the workforce[1]. However, SMEs have difficulties in entering international supply chains because of their weakness in finance. Therefore, how to enhance the global competitiveness of SMEs is an important issue for the concerned authority. Chapter 4 of the Act for Development of Small and Medium Enterprises prescribes the tax incentive regime based on the financial capability of SMEs and characteristics of industries in order to facilitate the development of SMEs, especially the globalization of SMEs. This paper will review the importance of tax incentives to SMEs and introduces the tax incentive regime under the Act for Development of Small and Medium Enterprises In order to help SMES have an understanding of such regime. II. SME Tax Incentives Scheme   As the gatekeeper of the market, the government may intervene the market with various policies or tools to reallocate and improve the soundness of the market environment when the market competitions is impaired due to information asymmetry or externalities. At this juncture, preferential tax rates or tax deductions can be offered to specific taxpayers through legal institution. This allows these taxpayers to retain higher post-tax earnings so that they are incentified to invest more resources in the legally defined economic activities. Tax incentives targeting at risky or spillover investments to create benefits to specific economic activities will help the development of industries and markets.   Whilst Article 10 of the Statute for Industrial Innovation has provided tax cuts for R&D expenditures, these incentives are not focus on SMEs and hence not supportive to their research and innovations. This was the reason for the 2016 amendment of the Act for Development of Small and Medium Enterprises added Article 35 to offer tax incentives in order to encourage R&D and innovative efforts and Article 35-1 to activate intellectual properties via licensing. These articles aim to accelerate the momentum of innovations and transformations which promoting investments for SMEs. OthersTo assist SMEs to cope with change of the business environment, the Article 36-2 added the tax incentives for salary or headcount increases, to contribute to the sustainability of SMEs and stabilize the labour market and industrial structures. Following is an explanation of the applicability of these schemes and the requirements to qualify such incentives. III. Tax Incentives to Promote Investments (I) Tax deductions for R&D expenditures   Governments around the world seek to encourage corporate R&D activities, that Tax incentives are put in place to reduce R&D costs and foster a healthy environment of investment for more R&D initiatives. Neighboring countries such as Japan, Korea and Singapore are frequently practicing belowing tax burdens to encourage R&D efforts. Article 35 of the Act for Development of Small and Medium Enterprises in Taiwan allows accelerated depreciation and offers tax cuts[2] to stimulate R&D and innovations and create an investment friendly environment for SMEs. 1. Taxpaying Entities and Requirements (1) Qualifications for SMEs   Article 35 of the Act is applicable to qualified SMEs and individual taxpayers, which are (1) from manufacturing, construction & engineering, mining and quarrying industries, with paid-in capital below or equal to NT$80 million or with the number of full-time employees less than 200 people; (2) from other industries with the sales of the previous year below or equal to NT$100 million or with the number of full-time employees less than 100 people. Thus, the qualifications of Small and Medium Enterprises are based on either paid-in capital/sales or number of employees under the Act[3].Meanwhile, SMEs may not have an independent R&D department due to the limit of size or operating cost.Therefore, if the taxpayers hiring full-time R&D personnel that can provide records of job descriptions and work logs to R&D activities, the SMEs can access the tax incentives provided that the R&D functions. The recognized by government agencies is increasingly flexibility for SMEs seeking policy support. 2. Taxpayers and requirements (1) A certain degree of innovativeness   As the tax incentive regime strives to promote innovations, the R&D expenses should be used to fund innovative developments. According to the official letters from the Small and Medium Enterprise Administration, Ministry of Economic Affairs, there is no high bar as forward-looking, risky and innovative as usually” required for other incentives previously, which is considering the size of SMEs and their industry characteristics. The “certain degree” of innovativeness shall be based on industry environments and SME businesses as determined by competent authorities in a flexible manner. (2) Flexibility in the utilization of business income tax reductions   To encourage regular R&D activities, The case that SMEs may not have R&D undertakings each year due to funding constraints, or start-up company may have incurred R&D expenditures but are not yet profitable and hence have no tax liabilities during the year, Corporate taxpayers were able to choose beside deduct the payable taxes during a single year, and reduce the payable taxes during the current year over three years starting from the year when tax incentives are applicable. 3. Tax incentive effects   As previously mentioned, Article 35 of the Act for Development of Small and Medium Enterprises accommodates the characteristics of SMEs by allowing reductions of corporate business taxes for up to 15% R&D expenditures during the current year, or spreading the tax reductions by spreading up to 10% of the R&D expenditures over three years from the first year when the incentives are applicable. It is worth noting that the tax deductions shall not exceed 30% of the payable business income taxes during a single year.   If the instruments and equipment for R&D, experiments or quality inspections have a lifetime over two years or longer, it is possible to accelerate the depreciation within half of the years of service prescribed by the income tax codes for fixed assets. However, the final year less than 12 months over the shortened service years shall not be counted. Accelerated depreciation brings in tax benefits for fixed asset investments during the initial stage, that meets the requirements for new technologies and risk management by frontloading the equipment depreciation and creates a buffer for capital utilization. (II) Deferred taxations on licensing/capitalization of intellectual properties   The deferral of tax payments under the Act for Development of Small and Medium Enterprises is meant to avoid any adverse effect on the application of technological R&Ds by SMEs. As the equity stakes via capitalization of intellectual properties by inventors or creators are not cashed out yet and the subsequent gains may not be at the same valuation as determined at the time of capitalization, the immediate taxation may hinder the willingness to transfer intellectual properties. Therefore, assisting SMEs to release intellectual properties with potential economic value, the licensing and capitalization of intellectual properties is strongly encouraged. The tax expenses shall be deferred within SME or an individual acquires stakes on a non-publicly-listed company by transferring their intellectual properties.   This is to stimulate the applications and sharing of relevant manufacturing technologies. When an SME or an individual acquires stakes on a non-publicly-listed company by transferring their intellectual properties, their tax expenses shall be deferred. 1. Taxpayers and requirements (1) Qualifications for individuals or SMEs   Article 35-1 of the Act for Development of Small and Medium Enterprises is applicable to SMEs and individual taxpayers. This is to foster the growth of SMEs and enhancement of industry competitiveness by encouraging R&D and innovations from individuals and start-ups. To promote the commercialize of intellectual properties in different ways, the Act for Development of Small and Medium Enterprises provides income tax incentives to individuals and SMEs transferring intellectual properties. The purpose is to encourage different paths to industry upgrades. (2) Ownership of intellectual properties   To ensure that the proceeds of intellectual property is linked to the activity of intellectual properties which perform by individuals or SMEs. Only the owners of the intellectual properties capitalized and transferred can enjoy the tax benefits.   Intellectual properties referred to in the Act for Development of Small and Medium Enterprises are the properties with value created with human activities and hence conferred with legal rights. These include but are not limited to copyrights, patent rights, trademarks, trade secrets, integrated circuit layouts, plant variety rights and any other intellectual properties protected by laws[4]. (3) Acquisition of stock options   The abovementioned tax incentives are offered to the individuals or SMEs who transfer intellectual properties to non-listed companies in exchange of their new shares. The income taxes on the owners of intellectual properties are deferred until acquisition of shares. These shares are not registered with the book-entry system yet. Before the transferrers of intellectual properties dispose or offload these shares, immediate taxations will impose economic burdens and funding challenges given the unknown prices of the eventual cash-out. Therefore, this legislation is only applicable to taxpayers who obtain options for new shares. 2. Taxpayers and requirements (1) Transfer of intellectual properties   According to Article 36 of the Copyright Act as interpreted by official letters issued by the Ministry of Finance, the transfer of intellectual properties is the conferring of intellectual properties to others, and the transferees access these intellectual properties within the scope of the transfer. In terms “transfer” of the first and second paragraphs of Article 36 does not include licensing[5], but such as granting, licensing and inheritance. (2) Timing of income tax payments   In general, the particular time that calculation of taxes payable is based on when the taxpayers acquire the incomes, less relevant expenses or costs. The taxes payable timing should be depending on when the taxpayers obtain the newly issued shares by transferring intellectual properties. However, the levy of income taxes at the time of intellectual property transfers and new share acquisitions may cause a sudden jump in taxes payable in the progressive system and thus a burden on the economics of SMEs and individuals concerned. Thus, to avoid disruptions to company operations or personal finance planning, Article 36 makes the exception for the incomes earned by subscribing to new shares as a result of transferring intellectual properties. Such incomes are not subject to taxes during the year when the shares are acquired, in order to mitigate the tax barriers concerned.   In sum, the taxes shall be paid when such shares are transferred, gifted or distributed. 3. Tax incentive effects   Article 35-1 of the Act for Development of Small and Medium Enterprises provides tax incentives to stimulate the mobilization of intellectual properties by smoothing out the impact of income taxes payable. This is applicable to (1) SMEs who can postpone the business income taxes payable from the year when they acquire new shares of non-listed companies by transferring the intellectual properties they own; (2) individuals who can postpone the individual income taxes payable from the year when they acquire new shares of non-listed companies by transferring the intellectual properties they own. IV. Tax incentives aiming to improve the business environment (I) Tax reductions for wages to additional headcounts   SMEs are vital to the Taiwan, making uo 90% of the companies accounting in Taiwan, who employ more than 6.5 million people or 72.8% of the total workforce. Any economic recession may make it difficult for SMEs to maintain their labor costs given their smaller funding size and external challenges. This will cause higher unemployment rates and hurt the economy, which may cause impairment of the capacity or create a labor gap for SMEs, eventually shrink the industry scale. To lower the burden of operational and investment costs and learn from the legislatives in Japan and the U.S.[6], tax incentives are put in place as a buffer for adverse effects of external environments. The first paragraph of Article 36-2 of the Act for Development of Small and Medium Enterprises provide tax incentives for employee salaries of new headcounts based on the assessment on the economy over a time period. This is intended to encourage domestic investments and avoid the pitfall of direct government subsidies distorting salary structures. It is hoped that investments from SMEs can stimulate the momentum of economic growth. 1. Taxpayers   The tax incentives under Article 36-2 of the Act for Development of Small and Medium Enterprises aim to assist SMEs through difficult times in an economic downturn. The threshold of the period time is based on the unemployment rate has been below the economic indicator predetermined for six consecutive months, which calculated by the Directorate General of Budget, Accounting and Statistics, Executive Yuan. In number of the unemployment rate has been below the economic indicator predetermined for six consecutive months, it is deemed that the business environment is not friendly to SMEs. In this instance, the Regulations for the Tax Preferences Provided to Small and Medium-sized Enterprises on Additional Wage Payment will trigger the tax incentives. The abovementioned economic indicator shall be published by the competent authorities once every two years.   Moreover, to qualify for the tax incentives for new employees, SMEs should investing new ventures or instill new capital by at least $500,000[7] or hiring workforce at least two full-time headcounts compared with the previous fiscal year, that constitute at the Article 36-2 of the Act for Development of Small and Medium Enterprises, which aims to encourage SMEs investments. 2. Taxpayers (1) Qualifications of additional headcounts   As the dispatched human resource services typically meet temporary or short-term requirements and contractors do not enjoy employment security, this is not consistent with the spirit of the legislation to create jobs and reduce unemployment. Therefore, to avoid the one-time increase of headcounts from accessing the tax reductions during the year and the deterioration of labor relations in Taiwan. Tax incentive is not offered to the additional recruitment of part-time or contracted workers.   Meanwhile, the tax incentives are only applicable to the additional employment of Taiwanese nationals, above or below 24 years old. A tax deduction of 50% based on annual wages is provided for the hiring of people below 24 years old. The extra tax deduction will stimulate young employment. (2) Definition of additional employment   The number of additional headcounts is based on permanent hires and calculated as the difference between the average number of Taiwanese employees covered by labor insurance per month throughout a single fiscal year or before and after the incremental increase of workforce. The conversion of regular contracts to indefinite employment in writing or signing up for indefinite R&D headcounts under the military service scheme can also be deemed as additional employment. It is worth noting, however, the new headcounts resulted from M&A activities or transfer between affiliated companies are excluded in this legislation. (3) Calculation of wages   Companies are also required to increase employment as well as the Comparable Wages. The comparable wages are estimated with the summation of 30% of the wages for the year before and after additional employment that based on the aggregate of the new hires comparable wages compared to the prior year. In other words, if the aggregate wages paid out are higher than comparable wages during the year, the companies concerned have indeed incurred higher personnel expenses. Tax incentives are thus granted because it improves the business environment and it is the purpose of this legislation. 3. Tax incentive effects   The first paragraph of Article 36-2 of the Act for Development of Small and Medium Enterprises provides deductions of business income taxes during the year to qualified SMEs at an amount equivalent to 130% of the incremental wages paid to new headcounts who are Taiwanese nationals. The deductible amount is equivalent to 150% of the incremental wages if new headcounts are Taiwanese nationals below 24 years old. (II) Tax incentives for companies that increase salaries   Companies are subject to the effect of changes in the external factors such as global supply and demand on the international market, as well as the domestic business environment as a result of risk aversion from investors and expectation from customers. These uncertainties associated with investments and the rising prices for consumers will suppress the wage levels in Taiwan. This the reason why the second paragraph of Article 36-2 of the Act for Development of Small and Medium Enterprises grants tax deductions for the companies who increase salaries, to encourage companies share earnings with employees and enhance private-sector consumption. SMEs may deduct their business income taxes payable during the year up to 30% of salary increase for existing entry-level employees who are Taiwanese nationals, not as a result of statutory requirement for basic wage adjustments. 1. Taxpayers   The tax incentives are applicable to SMEs as defined by the Regulations for the Tax Preferences Provided to Small and Medium-sized Enterprises on Additional Wage Payment and based on the same economic indicators previously mentioned. 2. Qualification for tax incentives (1) Definition of entry-level employees   The object of taxation under this act is the enterprise's average wage payment to the entry-level employees. The entry-level employees referred to in this act are authorized by the "Small and medium-sized enterprise employee salary increase, salary deduction act " that refers to employees of local nationality with an average monthly recurring salary below nt $50,000[8] whose were entered into indefinite employment contracts with SMEs. Through such conditions, the effect of tax concessions will be concentrated on promoting the salary level of grassroots staff and helping enterprises to cope with changes in the industrial environment. (2) Average salaries   The salaries to entry-level employees refer to the basic salaries, fixed allowances and bonuses paid on a monthly basis. Payment-in-kind shall be discounted based on the actual prices and included into the regular salaries. Meanwhile, regular salaries should be calculated with annualized averages, as this legislation seeks to boost salary levels. The regular salaries to entry-level employees during the year are estimated with the monthly number of entry-level employees during the same year. Only when the average basis salaries during the year are higher than those in the prior year can the tax incentives be applicable. 3. Tax incentive effects   Applying this article, SMEs can deduct their business income taxes each year up to 130% of salary increase for existing entry-level employees who are Taiwanese nationals, which are not as a result of statutory requirement for basic wage adjustments. However, it is not allowed to double count the increased personnel expenses for new headcounts applicable to the first and second paragraphs of the same article. V. Conclusions   The funding scales and relatively weak financial structures are the factors that led SMEs be susceptible influenced by supply change dynamics and business cycles. To the extent that is suppressing the flexible in capital utilization for SMEs, also influencing on the sustainability of SMEs. Differ from government subsidies require budgeting, reviewing and implementations, there are complications regarding the allocation of administrative resources. Therefore, it is important to plan for tax incentives in order to stimulate R&D, innovation and job creation by SMEs and ultimately make SMEs more competitive.   The tax incentives to SMEs amended in 2016 by the Small and Medium Enterprise Administration are known for the following: (I) The lowering of thresholds for tax reductions of R&D expenses in order to encourage SMEs to invest in R&D activities with a “certain degree” of innovativeness and enhance the momentum for SMEs to upgrade and transform themselves; (II) Deferral the income taxations on the transfer of intellectual properties for equity, in order to encourage application and utilization of such intellectual properties, provide incentives for R&D programs or innovations by individuals and SMEs. This also creates a catalyst for industry upgrade; (III) Tax deductions for the employment of new headcounts or the increase of employee wages during the time the economic indicators have reached a certain threshold and based on the health of the investment environment. This is to encourage company investments and capital increases in Taiwan and mitigate the volatility of economic cycles, in order to get ready for business improvement.   The above tax incentive programs, i.e. tax deductions for R&D and innovations; deferral of taxations on the transfer of intellectual properties for equity; tax deductions for the hiring of new headcounts and the increase of employee salaries, are meant to boost the investment from SMEs and the competitiveness of SMEs. The Act for Development of Small and Medium Enterprises seeks to reduce tax burdens of SMEs actively investing for their future and competitive advantages. Tax incentives help to mitigate the adverse effect of the economy on the business environment. It is also the fostering of the sources of business income tax revenues for the government. This is the very purpose of the Act for Development of Small and Medium Enterprises. [1]White Paper on Small and Medium Enterprises in Taiwan, 2018, p21 (November 9, 2018) published by the Ministry of Economic Affairs [2]Pursuant to the authorization conferred by Article 35 of the Act for Development of Small and Medium Enterprises, the Ministry of Economic Affairs has announced the Regulations Governing the Reduction of Expenditures for Small and Medium Enterprises Research and Development as Investment. [3]Article 2 on the definition of SMEs. The abovementioned criterion is universally applicable to the Act for Development of Small and Medium Enterprises. It also applies to the eligibility of tax incentives to be introduced in this paper unless otherwise specified. [4]Official Letter Economic-Business No. 10304605790, Ministry of Economic Affairs [5]Official Letter Taiwan-Finance No. 10300207480, Ministry of Finance [6]“Assessment of the Taxations under Article 35, Article 35-1, the first paragraph and the second paragraph of Article 36-2, the Act for Development of Small and Medium Enterprises” published by the Small and Medium Enterprise Administration, Ministry of Economic Affairs, pages 15-17, https://www.moeasmea.gov.tw/files/2670/93B9AF54-84E2-4293-A5CA-EA7DD9FAA05A(most recently browsed date September 9, 2019). [7]Order of Interpretation Economics-Business No. 104004602510 from the Ministry of Economic Affairs: “Second, on the day when the economic indicator has reached the threshold, the paid-in capital of the new business should be at least NT$500,000 and there is no need to instill additional capital during the period when tax incentives are applicable. For existing businesses, there is no limitation on the number of capital increases during the applicable period. So long as the cumulative increase in capital reaches NT$500,000 and new employees are hired during the same fiscal year or during the prior fiscal year.” [8]Paragraph 1, Article 2 of the Regulations for the Tax Preferences Provided to Small and Medium-sized Enterprises on Additional Wage Payment

TOP