The Institutionalization of the Taiwan Personal Data Protection Committee - Triumph of Digital Constitutionalism: A Legal Positivism Analysis

2023/07/13

The Legislative Yuan recently passed an amendment to the Taiwan Personal Data Protection Act, which resulted in the institutionalization of the Taiwan Personal Data Protection Commission (hereinafter the “PDPC”)[1]. This article aims to analyze the significance of this institutionalization from three different perspectives: legal positivism, digital constitutionalism, and Millian liberalism. By examining these frameworks, we can better understand the constitutional essence of sovereignty, the power dynamics among individuals, businesses, and governments, and the paradox of freedom that the PDPC addresses through governance and trust.

I. Three Layers of Significance

1. Legal Positivism

The institutionalization of the PDPC fully demonstrates the constitutional essence of sovereignty in the hands of citizens. Legal positivism emphasizes the importance of recognizing and obeying laws that are enacted by legitimate authorities (the sovereign, which, as Austin claims, is obeyed by all but does not itself obey anyone else)[2]. In this context, the institutionalization of the PDPC signifies the recognition of citizens' rights to control their personal data and the acknowledgment of the sovereign in protecting their privacy. It underscores the idea that the power to govern personal data rests with the individuals themselves, reinforcing the principles of legal positivism regarding sovereign

Moreover, legal positivism recognizes the authority of the state in creating and enforcing laws. The institutionalization of the PDPC as a specialized commission with the power to regulate and enforce personal data protection laws represents the state's recognition of the need to address the challenges posed by the digital age. By investing the PDPC with the authority to oversee the proper handling and use of personal data, the state acknowledges its responsibility to protect the rights and interests of its citizens.

2. Digital Constitutionalism

The institutionalization of the PDPC also rebalances the power structure among individuals, businesses, and governments in the digital realm[3]. Digital constitutionalism refers to the principles and norms that govern the relationship between individuals and the digital sphere, ensuring the protection of rights and liberties[4]. With the rise of technology and the increasing collection and use of personal data, individuals often find themselves at a disadvantage compared to powerful entities such as corporations and governments[5].

However, the PDPC acts as a regulatory body that safeguards individuals' interests, rectifying the power imbalances and promoting digital constitutionalism. By establishing clear rules and regulations regarding the collection, use, and transfer of personal data, the PDPC may set a framework that ensures the protection of individuals' privacy and data rights. It may enforce accountability among businesses and governments, holding them responsible for their data practices and creating a level playing field where individuals have a say in how their personal data is handled.

3. Millian Liberalism

The need for the institutionalization of the PDPC embodies the paradox of freedom, as raised in John Stuart Mill’s “On Liberty”[6], where Mill recognizes that absolute freedom can lead to the infringement of others' rights and well-being. In this context, the institutionalization of the PDPC acknowledges the necessity of governance to mitigate the risks associated with personal data protection.

In the digital age, the vast amount of personal data collected and processed by various entities raises concerns about privacy, security, and potential misuse. The institutionalization of the PDPC represents a commitment to address these concerns through responsible governance. By setting up rules, regulations, and enforcement mechanisms, the PDPC ensures that individuals' freedoms are preserved without compromising the rights and privacy of others. It strikes a delicate balance between individual autonomy and the broader social interest, shedding light on the paradox of freedom.

II. Legal Positivism: Function and Authority of the PDPC

1. John Austin's Concept of Legal Positivism: Sovereignty, Punishment, Order

To understand the function and authority of the PDPC, we turn to John Austin's concept of legal positivism. Austin posited that laws are commands issued by a sovereign authority and backed by sanctions[7]. Sovereignty entails the power to make and enforce laws within a given jurisdiction.

In the case of the PDPC, its institutionalization by the Legislative Yuan reflects the recognition of its authority to create and enforce regulations concerning personal data protection. The PDPC, as an independent and specialized committee, possesses the necessary jurisdiction and competence to ensure compliance with the law, administer punishments for violations, and maintain order in the realm of personal data protection.

2. Dire Need for the Institutionalization of the PDPC

There has been a dire need for the establishment of the PDPC following the Constitutional Court's decision in August 2022, holding that the government needed to establish a specific agency in charge of personal data-related issues[8]. This need reflects John Austin's concept of legal positivism, as it highlights the demand for a legitimate and authoritative body to regulate and oversee personal data protection. The PDPC's institutionalization serves as a response to the growing concerns surrounding data privacy, security breaches, and the increasing reliance on digital platforms. It signifies the de facto recognition of the need for a dedicated institution to safeguard the individual’s personal data rights, reinforcing the principles of legal positivism.

Furthermore, the institutionalization of the PDPC demonstrates the responsiveness of the legislative branch to the evolving challenges posed by the digital age. The amendment to the Taiwan Personal Data Protection Act and the subsequent institutionalization of the PDPC are the outcomes of a democratic process, reflecting the will of the people and their desire for enhanced data protection measures. It signifies a commitment to uphold the rule of law and ensure the protection of citizens' rights in the face of emerging technologies and their impact on privacy.

3. Authority to Define Cross-Border Transfer of Personal Data

Upon the establishment of the PDPC, its authority to define what constitutes a cross-border transfer of personal data under Article 21 of the Personal Data Protection Act will align with John Austin's theory on order. According to Austin, laws bring about order by regulating behavior and ensuring predictability in society.

By granting the PDPC the power to determine cross-border data transfers, the legal framework brings clarity and consistency to the process. This promotes order by establishing clear guidelines and standards, reducing uncertainty, and enhancing the protection of personal data in the context of international data transfers.

The PDPC's authority in this regard reflects the recognition of the need to regulate and monitor the cross-border transfer of personal data to protect individuals' privacy and prevent unauthorized use or abuse of their information. It ensures that the transfer of personal data across borders adheres to legal and ethical standards, contributing to the institutionalization of a comprehensive framework for cross-border data transfer.

III. Conclusion

In conclusion, the institutionalization of the Taiwan Personal Data Protection Committee represents the convergence of legal positivism, digital constitutionalism, and Millian liberalism. It signifies the recognition of citizens' sovereignty over their personal data, rebalances power dynamics in the digital realm, and addresses the paradox of freedom through responsible governance. By analyzing the PDPC's function and authority in the context of legal positivism, we understand its role as a regulatory body to maintain order and uphold the principles of legal positivism. The institutionalization of the PDPC serves as a milestone in Taiwan's commitment to protect individuals' personal data and safeguard digital rights. In essence, the institutionalization of the Taiwan Personal Data Protection Committee represents a triumph of digital constitutionalism, where individuals' rights and interests are safeguarded and power imbalances are rectified. It also embodies the recognition of the paradox of freedom and the need for responsible governance in the digital age in Taiwan.

[1] Lin Ching-yin & Evelyn Yang, Bill to establish data protection agency clears legislative floor, CNA English News, FOCUS TAIWAN, May 16, 2023, https://focustaiwan.tw/society/202305160014 (last visited, July 13, 2023).

[2] Legal positivism, Stanford Encyclopedia of Philosophy, https://plato.stanford.edu/entries/legal-positivism/?utm_source=fbia (last visited July 13, 2023).

[3] Edoardo Celeste, Digital constitutionalism: how fundamental rights are turning digital, (2023): 13-36, https://doras.dcu.ie/28151/1/2023_Celeste_DIGITAL%20CONSTITUTIONALISM_%20HOW%20FUNDAMENTAL%20RIGHTS%20ARE%20TURNING%20DIGITAL.pdf (last visited July 3, 2023).

[4] GIOVANNI DE GREGORIO, DIGITAL CONSTITUTIONALISM IN EUROPE: REFRAMING RIGHTS AND POWERS IN THE ALGORITHMIC SOCIETY 218 (2022).

[5] Celeste Edoardo, Digital constitutionalism: how fundamental rights are turning digital (2023), https://doras.dcu.ie/28151/1/2023_Celeste_DIGITAL%20CONSTITUTIONALISM_%20HOW%20FUNDAMENTAL%20RIGHTS%20ARE%20TURNING%20DIGITAL.pdf (last visited July 13, 2023).

[6] JOHN STUART MILL, On Liberty (1859), https://openlibrary-repo.ecampusontario.ca/jspui/bitstream/123456789/1310/1/On-Liberty-1645644599.pdf (last visited July 13, 2023).

[7] Legal positivism, Stanford Encyclopedia of Philosophy, https://plato.stanford.edu/entries/legal-positivism/?utm_source=fbia (last visited July 13, 2023).

[8] Lin Ching-yin & Evelyn Yang, Bill to establish data protection agency clears legislative floor, CNA English News, FOCUS TAIWAN, May 16, 2023, https://focustaiwan.tw/society/202305160014 (last visited, July 13, 2023).

※The Institutionalization of the Taiwan Personal Data Protection Committee - Triumph of Digital Constitutionalism: A Legal Positivism Analysis,STLI, https://stli.iii.org.tw/en/article-detail.aspx?no=55&tp=2&i=168&d=9023 (Date:2024/10/24)
Research on Policies for building a digital nation in Recent Years (2016-2017)

In recent years, the government has taken proactive steps, including a number of policies and initiatives, to enable development of the digital economy and fulfill the vision of a Digital Nation. Those actions are as follows:

1. CREATING THE “FOOD CLOUD” FOR FOOD SAFETY CONTROLS

Government agencies have joined forces to create an integrated “food cloud” application that quickly alerts authorities to food safety risks and allows for faster tracing of products and ingredients. The effort to create the cloud was spearheaded by the Executive Yuan’s Office of Food Safety under the leadership of Vice Premier Chang San-cheng on January 12, 2016.

The “food cloud” application links five core systems (registration, tracing, reporting, testing, and inspection) from the Ministry of Health and Welfare (MOHW) with eight systems from the Ministry of Finance, Ministry of Economic Affairs, Ministry of Education (MOE), Council of Agriculture and Environmental Protection Administration.

The application gathers, shares and analyzes information in a methodical and systematic manner by employing big data technology. To ensure the data can flow properly across different agencies, the Office of Food Safety came up with several products not intended for human consumption and had the MOHW simulate the flow of those products under import, sale and supply chain distribution scenarios. The interministerial interface successfully analyzed the data and generated lists of food risks to help investigators focus on suspicious companies.

Based on these simulation results, the MOHW on September 2, 2015, established a food and drug intelligence center as a mechanism for managing food safety risks and crises on the national level. The technologies for big data management and mega data analysis will enable authorities to better manage food sources and protect consumer health.

In addition, food cloud systems established by individual government agencies are producing early results. The MOE, for instance, rolled out a school food ingredient registration platform in 2014, and by 2015 had implemented the system across 22 counties and cities at 6,000 schools supplying lunches for 4.5 million students. This platform, which made school lunch ingredients completely transparent, received the 2015 eAsia Award as international recognition for the use of information technology in ensuring food safety.

2. REVISING DIGITAL CONVERGENCE ACTS

On May 5, 2016, the Executive Yuan Council approved the National Communications Commission's (NCC) proposals: drafts of the “Broadcasting Terrestrial and Channel Service Suppliers Administration Act”, “Multichannel Cable Platform Service Administration Act”, “Telecommunications Service Suppliers Act”, “Telecommunications Infrastructure and Resources Administration Act” and “Electronic Communications Act”, together the five digital convergence laws. They were to be sent to the Legislature for deliberation, but in the end this version of the five digital convergence bills was not passed by the Legislature.

Later, however, on November 16, 2017, the Executive Yuan approved the new drafts of the “Digital Communication Act” and the “Telecommunication Service Management Act”.

The main points of the “Digital Communication Act” and the “Telecommunication Service Management Act” are summarized as follows:

1. The digital communication bill
A. Public consultation and participation.
B. The digital communication service provider ought to use internet resources reasonably and reveal network traffic control measures.
C. The digital communication service provider ought to reveal business information and Terms of Service.
D. The responsibility of the digital communication service provider.

2. The telecommunication service management bill
A. The telecommunication service management bill changes to a registration system.
B. The general obligation of telecommunications to provide telecommunication service and the special obligation of specific telecommunications.
C. Investment, giving, receiving and merging rules of the telecommunication service.

The telecommunications sector is optimistic about the relaxation of rules and regulations and hopes it will infuse new life and energy into the market. Premier Lai instructed the National Communications Commission and other agencies to elucidate the contents of the two communication bills to all sectors of society, and communicate closely with lawmakers of all parties to build support for a quick passage of the bills.

3. FOCUSING ON ICT SECURITY TO BUILD DIGITAL COUNTRIES

The development of ICT has brought convenience to life but is often accompanied by the threat of illegal use, especially crimes that use new technologies such as Internet techniques, which have gradually become a social security concern. Minor impacts may cause inconvenience to life, while major impacts may lead to a breakdown of government functions and affect national security. To enhance the capability of national security protection and to avoid gaps in national security, the Executive Yuan on August 1, 2016 upgraded the Office of Information and Communication Security into the Agency of Information and Communication Security, a strategic center of R.O.C. security work that integrates the mechanism of whole-of-government governance of information security. Through specific responsibility, professionalism, designated persons and a permanent organization, together with the relevant provisions of the law, it is to establish the security system so that the country's information and communication security protection mechanism becomes more complete.

The efforts in this direction can be divided into three parts:

First, strengthening the cooperation of government and private sectors on information security: On the basis of a sound legal system, the government plans to strengthen the information security protection abilities of the government and some private sectors, continue to study and amend the relevant provisions, strengthen the public-private collaborative mechanism, deepen the training of human resources and enhance the protection of the country's key information infrastructure.

Second, improving professional capability in information and communication security: Information and communication security business is divided into policy and technical aspects. While the government takes responsibility for policy planning and coordination, the technical services are outsourced. Based on a sound legal system, the government will establish institutionalized and long-term operation modes and plan appropriate organizational structures through discussion with experts and scholars from all walks of life.

Third, formulating the Information and Communication Safety Management Act and planning the Fifth National Development Program for Information and Communication Security: The government is now actively promoting the Information and Communication Safety Management Act as the cornerstone for the development of national digital security and the information security industry. The main content of the Act provides that the applicable authorities should set up a security protection plan with risk management at its core, along with procedures for notification and contingency measures, and accept the relevant administrative checks.

In addition, the vision of the Fifth National Development Program for Information and Communication Security, which the government is now planning, is to build a safe and reliable digital economy and establish a safe information and communication environment by completing the legal system for information and communication security, constructing a joint defense system for national information and communication security, pushing up the self-energy of the information security industry and nurturing high-quality, elite information security talent.

4. THE DIGITAL NATION AND INNOVATIVE ECONOMIC DEVELOPMENT PLAN

The Digital Nation and Innovative Economic Development Plan (2017-2025), known as the “DIGI+” plan, was approved by the Executive Yuan on November 24, 2016. The plan aims to grow the nation’s digital economy to NT$6.5 trillion (US$205.9 billion), improve the digital lifestyle services penetration rate to 80%, increase broadband connections to 2 Gbps, ensure citizens’ basic right to 25 Mbps broadband access, and put the nation among the top 10 information technology nations worldwide by 2025.

The plan contains several important development strategies:

DIGI+ Infrastructure: Build infrastructure conducive to digital innovation.
DIGI+ Talent: Cultivate digital innovation talent.
DIGI+ Industry: Support cross-industry transformation through digital innovation.
DIGI+ Rights: Make R.O.C. an advanced society that respects digital rights and supports open online communities.
DIGI+ Cities: Build smart cities through cooperation among central and local governments and the industrial, academic and research sectors.
DIGI+ Globalization: Boost the nation’s standing in the global digital service economy.

The plan also highlights a few efforts:

First is to enrich “soft” factors and the workforce to create an innovative environment for digital development. To construct this environment, the government will construct an innovation-friendly legal framework, cultivate interdisciplinary digital talent, strengthen research and develop advanced digital technologies.

Second is to enhance digital economy development. The government will incentivize innovative applications and optimize the environment for digital commerce.

Third, the government will develop an open application programming interface for government data and create demand-oriented, one-stop smart government cloud services.

Fourth, the government will ensure broadband access for the disadvantaged and citizens of rural areas, implement the participatory process, enhance different kinds of international cooperation, and construct a comprehensive humanitarian legal framework with digital development.

Fifth is to build a sustainable smart country. The government will use smart network technology to build a better living environment, promote connected governance and construction of smart urban and rural areas, and use on-site research and industry innovation ecosystems to assist local governments in planning and promoting construction of the smart country.

In order to achieve the overall effectiveness of the DIGI+ program, interdisciplinary, inter-ministerial and inter-departmental efforts will be required to collaborate with the newly launched Digital National Innovation Economy (DIGI+) Promotion Team.

5. ARTIFICIAL INTELLIGENCE SCIENTIFIC RESEARCH STRATEGY

The Ministry of Science and Technology (MOST) reported its strategy plan for artificial intelligence (AI) scientific research at the Cabinet meeting on August 24, 2017. Artificial intelligence is a powerful and inevitable trend, and it will be critical to R.O.C.’s competitiveness for the next 30 years.

The ministry will devote NT$16 billion over the next five years to building an AI innovation ecosystem in R.O.C. According to MOST, the plan will promote five strategies:

1. Creating an AI platform to provide R&D services

MOST will devote NT$5 billion over the next four years to build a platform, integrating resources, providing a shared high-speed computing environment and nurturing emerging AI industries and applications.

2. Establishing an AI innovative research center

MOST will establish four artificial intelligence innovation research centers across R.O.C. as part of government efforts to enhance the nation’s competitiveness in AI technology. The centers will support the development of new AI in the realms of financial technology, smart manufacturing, smart healthcare and intelligent transportation systems.

3. Setting up AI robot maker spaces

An NT$2 billion, four-year project assisting industry to develop the hardware-software integration of robots and innovative applications was announced by the Ministry of Science and Technology.

4. Subsidizing a semiconductor “moonshot” program to explore ambitious and groundbreaking smart technologies

This program will invest NT$4 billion from 2018 through 2021 into developing semiconductors and chip systems for edge devices as well as integrating the academic sector’s R&D capabilities and resources. The project encompasses cognitive computing and AI processor chips; next-generation memory designs; process technologies and materials for key components of sensing devices; unmanned vehicles, AR and VR; IoT systems and security.

5. Organizing Formosa Grand Challenge competitions

The program holds competitions to engage young people in the development of AI applications.

The government hopes to extend R.O.C.’s industrial advantages and bolster the country’s international competitiveness, giving R.O.C. the confidence to usher in the era of AI applications. All of these efforts will weave people, technologies, facilities, and businesses into a broader AI innovation ecosystem.

6. INTELLIGENT TRANSPORTATION SYSTEM PLANS

The Ministry of Transportation and Communications (MOTC) launched plans to develop intelligent transportation systems on March 7, 2017. Through these plans, MOTC integrates transportation with information and communications technology to improve the convenience of transportation and reduce congestion. These plans combine traffic management systems for highways, freeways and urban roads, a multi-lane free-flow electronic toll collection system, a bus information system that provides timely integrated traffic information services, and public transportation fare card readers to reduce transport accident losses, inconvenience in rural areas and congestion of main traffic arteries, and to improve accessibility of public transportation.

Six plans are included:

1. Intelligent transportation safety plan;
2. Relieve congestion on major traffic arteries;
3. Make transportation more convenient in Eastern Taiwan and remote areas;
4. Integrate and share transportation resources;
5. Develop “internet-of-vehicles” technology applications; and
6. Fundamental R&D for smart transportation technology.

These plans promote research and development of smart vehicles and safe intersections, develop a timely bus and traffic information tracking system, build a shared, safe and green-energy smart system, and subsidize large vehicles to install vision enhancement cameras to improve the safety of transportation. These plans also use eTag readers, vehicle sensors and info-communication technologies to gather traffic information, provide timely traffic guidance and reduce congestion of the traffic flow. These plans try to use a demand-responsive transit system, with measures such as combining public transportation and taxis, to improve the flexibility of the public traffic service and help fulfill the basic transportation needs of residents in eastern Taiwan and rural areas.

A mobile transport service interface and a platform that integrates booking and payment processes are also expected to be established to provide door-to-door transportation services and to integrate transportation resources. The plans will also develop demonstration projects for speed coordination of passenger coach fleets, vehicle-road interaction technology, and self-driving cars to investigate and verify the issues in the technological, operational, industrial and legal environments of internet-of-vehicles applications in our country. Last but not least, they cover research and development on signal control systems that can be used in both two- and four-wheeled vehicles, deployment of an internet-of-vehicles prototype platform and development of drone traffic applications.

These plans are expected to reduce traffic congestion by 25% and motor vehicle incidents by 20%, raise the usage rate of public transportation by 10%, raise public transportation service accessibility in rural areas by 20% and create NT$30 billion in production value. After accomplishing these targets, the government can establish a comprehensive transportation system and guide industry development in related technology areas.

Through the aforementioned initiatives, programs, and plans, the government wants to construct a robust legal framework and policy environment for digital innovation development, and facilitate the quality of citizens in our society.

The use of automated facial recognition technology and supervision mechanism in UK

The use of automated facial recognition technology and supervision mechanism in UK I. Introduction   Automatic facial recognition (AFR) technology has developed rapidly in recent years, and it can identify target people in a short time. The UK Home Office announced the "Biometrics Strategy" on June 28, 2018, saying that AFR technology will be introduced in the law enforcement, and the Home Office will also actively cooperate with other agencies to establish a new oversight and advisory board in order to maintain public trust. AFR technology can improve law enforcement work, but its use will increase the risk of intruding into individual liberty and privacy.   This article focuses on the application of AFR technology proposed by the UK Home Office. The first part of this article describes the use of AFR technology by the police. The second part focuses on the supervision mechanism proposed by the Home Office in the Biometrics Strategy. However, because the use of AFR technology is still controversial, this article will sort out the key issues of follow-up development through the opinions of the public and private sectors. The overview of the discussion of AFR technology used by police agencies would be helpful for further policy formulation. II. Overview of the strategy of AFR technology used by the UK police   According to the Home Office’s Biometrics Strategy, the AFR technology will be used in law enforcement, passports and immigration and national security to protect the public and make these public services more efficient[1]. Since 2017 the UK police have worked with tech companies in testing the AFR technology, at public events like Notting Hill Carnival or big football matches[2].   In practice, AFR technology is deployed with mobile or fixed camera systems. When a face image is captured through the camera, it is passed to the recognition software for identification in real time. 
Then, the AFR system will process if there is a ‘match’ and the alarm would solicit an operator’s attention to verify the match and execute the appropriate action[3]. For example, South Wales Police have used AFR system to compare images of people in crowds attending events with pre-determined watch lists of suspected mobile phone thieves[4]. In the future, the police may also compare potential suspects against images from closed-circuit television cameras (CCTV) or mobile phone footage for evidential and investigatory purposes[5].   The AFR system may use as tools of crime prevention, more than as a form of crime detection[6]. However, the uses of AFR technology are seen as dangerous and intrusive by the UK public[7]. For one thing, it could cause serious harm to democracy and human rights if the police agency misuses AFR technology. For another, it could have a chilling effect on civil society and people may keep self-censoring lawful behavior under constant surveillance[8]. III. The supervision mechanism of AFR technology   To maintaining public trust, there must be a supervision mechanism to oversight the use of AFR technology in law enforcement. The UK Home Office indicates that the use of AFR technology is governed by a number of codes of practice including Police and Criminal Evidence Act 1984, Surveillance Camera Code of Practice and the Information Commissioner’s Office (ICO)’s Code of Practice for surveillance cameras[9]. (I) Police and Criminal Evidence Act 1984   The Police and Criminal Evidence Act (PACE) 1984 lays down police powers to obtain and use biometric data, such as collecting DNA and fingerprints from people arrested for a recordable offence. The PACE allows law enforcement agencies proceeding identification to find out people related to crime for criminal and national security purposes. 
Therefore, for investigation, detection and prevention tasks related to crime and terrorist activities, the police can collect the facial image of a suspect, which can also be interpreted as falling within the scope of authorization of the PACE.

(II) Surveillance Camera Code of Practice

The use of CCTV in public places has interfered with the rights of the people, so the Protection of Freedoms Act 2012 requires the establishment of an independent Surveillance Camera Commissioner (SCC) for supervision. The Surveillance Camera Code of Practice proposed by the SCC sets out 12 principles for guiding the operation and use of surveillance camera systems. The 12 guiding principles are as follows[10]:

A. Use of a surveillance camera system must always be for a specified purpose which is in pursuit of a legitimate aim and necessary to meet an identified pressing need.
B. The use of a surveillance camera system must take into account its effect on individuals and their privacy, with regular reviews to ensure its use remains justified.
C. There must be as much transparency in the use of a surveillance camera system as possible, including a published contact point for access to information and complaints.
D. There must be clear responsibility and accountability for all surveillance camera system activities including images and information collected, held and used.
E. Clear rules, policies and procedures must be in place before a surveillance camera system is used, and these must be communicated to all who need to comply with them.
F. No more images and information should be stored than that which is strictly required for the stated purpose of a surveillance camera system, and such images and information should be deleted once their purposes have been discharged.
G. Access to retained images and information should be restricted and there must be clearly defined rules on who can gain access and for what purpose such access is granted; the disclosure of images and information should only take place when it is necessary for such a purpose or for law enforcement purposes.
H. Surveillance camera system operators should consider any approved operational, technical and competency standards relevant to a system and its purpose and work to meet and maintain those standards.
I. Surveillance camera system images and information should be subject to appropriate security measures to safeguard against unauthorised access and use.
J. There should be effective review and audit mechanisms to ensure legal requirements, policies and standards are complied with in practice, and regular reports should be published.
K. When the use of a surveillance camera system is in pursuit of a legitimate aim, and there is a pressing need for its use, it should then be used in the most effective way to support public safety and law enforcement with the aim of processing images and information of evidential value.
L. Any information used to support a surveillance camera system which compares against a reference database for matching purposes should be accurate and kept up to date.

(III) ICO’s Code of Practice for surveillance cameras

Attention must be paid to personal data and privacy protection during the use of surveillance camera systems and AFR technology. The ICO issued its Code of Practice for surveillance cameras under the Data Protection Act 1998 to explain the legal requirements for operators of surveillance cameras. The key points of the ICO’s Code of Practice for surveillance cameras are summarized as follows[11]:

A. The time during which surveillance camera systems are in use should be carefully evaluated and adjusted. It is recommended to regularly evaluate whether it is necessary and proportionate to continue using them.
B. A police force should ensure effective administration of surveillance camera systems, deciding who has responsibility for the control of personal information, what is to be recorded, how the information should be used and to whom it may be disclosed.
C. Recorded material should be stored in a safe way to ensure that personal information can be used effectively for its intended purpose. In addition, encryption of the information may be considered if necessary.
D. Disclosure of information from surveillance systems must be controlled and consistent with the purposes for which the system was established.
E. Individuals whose information is recorded have a right to be provided with that information or view that information. The ICO recommends that information must be provided promptly and within no longer than 40 calendar days of receiving a request.
F. The minimum and maximum retention periods of recorded material are not prescribed in the Data Protection Act 1998, but it should not be kept for longer than is necessary and should be the shortest period necessary to serve the purposes for which the system was established.

(IV) A new oversight and advisory board

In addition to the aforementioned regulations and guidance, the UK Home Office mentioned that it will work closely with related authorities, including the ICO, SCC, Biometrics Commissioner (BC), and Forensic Science Regulator (FSR), to establish a new oversight and advisory board to coordinate consideration of law enforcement’s use of facial images and facial recognition systems[12].

To sum up, the use of AFR technology by law enforcement is regarded as being bound by existing regulations and guidance. Firstly, surveillance camera systems must be used for the purposes for which the system was established. Secondly, clear responsibility and accountability mechanisms should be ensured. Thirdly, individuals whose information is recorded have the right to request access to relevant information.
In the future, the new oversight and advisory board will be asked to consider issues relating to law enforcement’s use of AFR technology with greater transparency.

IV. Follow-up key issues for the use of AFR technology

With regard to the UK Home Office’s Biometrics Strategy, members of independent agencies such as the ICO, BC and SCC, as well as civil society, believe that there are still many deficiencies. The relevant discussions are summarized as follows:

(I) The necessity of using AFR technology

Elizabeth Denham, ICO Commissioner, called for looking at the use of AFR technology carefully, because AFR is an intrusive technology and can increase the risk of intruding into our privacy. Therefore, for the use of AFR technology to be legal, the UK police must have clear evidence to demonstrate that the use of AFR technology in public space is effective in resolving the problem that it aims to address[13].

The Home Office has pledged to undertake Data Protection Impact Assessments (DPIAs) before introducing AFR technology, covering the purpose and legal basis, the framework that applies to the organization using the biometrics, necessity and proportionality, and so on.

(II) The limitations of using facial image data

The UK police can collect, process and use personal data based on the need for crime prevention, investigation and prosecution. In order to secure the use of biometric information, the BC was established under the Protection of Freedoms Act 2012. The mission of the BC is to regulate the use of biometric information, provide protection from disproportionate enforcement action, and limit the application of surveillance and counter-terrorism powers.

However, the BC’s powers do not presently extend to forms of biometric information other than DNA or fingerprints[14]. The BC has expressed concern that while the use of biometric data may well be in the public interest for law enforcement purposes and to support other government functions, the public benefit must be balanced against loss of privacy. Hence, that crucial question should be decided by legislation, instead of depending on the BC’s case feedback[15].

Because biometric data is especially sensitive and most intrusive of individual privacy, it seems that a governance framework should be required to make decisions on the use of facial images by the police.

(III) Database management and transparency

For the application of AFR technology, the scope of the biometric database is a disputed issue in the UK. It is worth mentioning that the British people distrust the criminal database held by the police. When someone is arrested and detained by the police, the police will take photos of the suspect’s face. However, unlike fingerprints and DNA, even if the person is not prosecuted, their facial images are not automatically deleted from the police biometric database[16].

South Wales Police have used AFR technology to compare facial images of people in crowds attending major public events with pre-determined watch lists of suspected mobile phone thieves in the AFR field test. Although the watch lists are created for time-limited and specific purposes, the inclusion of suspects who could possibly be innocent people still causes public panic.

Elizabeth Denham warned that there should be a transparent system for retaining facial images of those arrested but not charged for certain offences[17]. Therefore, in the future the UK Home Office may need to establish a transparent system for the AFR biometric database and a related supervision mechanism.

(IV) Accuracy and identification errors

In addition to worries about infringing personal privacy, the low accuracy of AFR technology is another reason many people oppose the use of AFR technology by police agencies.
Silkie Carlo, director of Big Brother Watch, said the police must immediately stop using AFR technology and avoid mistaking thousands of innocent citizens for criminals; Paul Wiles, Biometrics Commissioner, also called for legislation to manage AFR technology because its accuracy is too low, and said the use of AFR technology should be tested and pass external peer review[18].

In the Home Office’s Biometrics Strategy, the scientific quality standards for AFR technology will be established jointly with the FSR, an independent agency under the Home Office. In other words, the Home Office plans to extend the existing forensic science regime to regulate AFR technology.

Therefore, the FSR has worked with the SCC to develop standards relevant to digital forensics. At the present stage, the UK government has not yet seen specific standards for regulating the accuracy of AFR technology.

V. Conclusion

From the discussion in the public and private sectors in the UK, we can summarize some rules for the use of AFR technology. Firstly, before AFR technology is applied, a pre-assessment must be completed to ensure the benefits to the whole society. Secondly, identification errors are possible with AFR technology. Therefore, in order to maintain the confidence and trust of the people, the relevant scientific standards should be set up first to test the accuracy of the system. Thirdly, the AFR system should be regarded as an assisting tool for police enforcement in the initial stage. In other words, the information analyzed by the AFR system should still be judged by law enforcement officials, and the police officers should take responsibility.

In order to balance the protection of the public interest and basic human rights, the use of biometric data in AFR technology should be regulated by a special law other than the regulations on surveillance cameras and data protection.
The scope of the identification database is also a key point, and legislators’ approval may be needed to collect and store the facial image data of innocent people. Last but not least, the use of the AFR system should be transparent, and victims of human rights violations should be able to seek appeal.

[1] UK Home Office, Biometrics Strategy, Jun. 28, 2018, https://www.gov.uk/government/publications/home-office-biometrics-strategy (last visited Aug. 09, 2018), at 7.
[2] Big Brother Watch, FACE OFF CAMPAIGN: STOP THE MET POLICE USING AUTHORITARIAN FACIAL RECOGNITION CAMERAS, https://bigbrotherwatch.org.uk/all-campaigns/face-off-campaign/ (last visited Aug. 16, 2018).
[3] Lucas Introna & David Wood, Picturing algorithmic surveillance: the politics of facial recognition systems, Surveillance & Society, 2(2/3), 177-198 (2004).
[4] Supra note 1, at 12.
[5] Id, at 25.
[6] Michael Bromby, Computerised Facial Recognition Systems: The Surrounding Legal Problems (Sep. 2006) (LL.M Dissertation, Faculty of Law, University of Edinburgh), http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.197.7339&rep=rep1&type=pdf, at 3.
[7] Owen Bowcott, Police face legal action over use of facial recognition cameras, The Guardian, Jun. 14, 2018, https://www.theguardian.com/technology/2018/jun/14/police-face-legal-action-over-use-of-facial-recognition-cameras (last visited Aug. 09, 2018).
[8] Martha Spurrier, Facial recognition is not just useless. In police hands, it is dangerous, The Guardian, May 16, 2018, https://www.theguardian.com/commentisfree/2018/may/16/facial-recognition-useless-police-dangerous-met-inaccurate (last visited Aug. 17, 2018).
[9] Supra note 1, at 12.
[10] Surveillance Camera Commissioner, Surveillance camera code of practice, Oct. 28, 2014, https://www.gov.uk/government/publications/surveillance-camera-code-of-practice (last visited Aug. 17, 2018).
[11] UK Information Commissioner’s Office, In the picture: A data protection code of practice for surveillance cameras and personal information, Jun. 09, 2017, https://ico.org.uk/for-organisations/guide-to-data-protection/encryption/scenarios/cctv/ (last visited Aug. 10, 2018).
[12] Supra note 1, at 13.
[13] Elizabeth Denham, Blog: facial recognition technology and law enforcement, Information Commissioner's Office, May 14, 2018, https://ico.org.uk/about-the-ico/news-and-events/blog-facial-recognition-technology-and-law-enforcement/ (last visited Aug. 14, 2018).
[14] Monique Mann & Marcus Smith, Automated Facial Recognition Technology: Recent Developments and Approaches to Oversight, Automated Facial Recognition Technology, 10(1), 140 (2017).
[15] Biometrics Commissioner, Biometrics Commissioner’s response to the Home Office Biometrics Strategy, Jun. 28, 2018, https://www.gov.uk/government/news/biometrics-commissioners-response-to-the-home-office-biometrics-strategy (last visited Aug. 15, 2018).
[16] Supra note 2.
[17] Supra note 13.
[18] Jon Sharman, Metropolitan Police's facial recognition technology 98% inaccurate, figures show, INDEPENDENT, May 13, 2018, https://www.independent.co.uk/news/uk/home-news/met-police-facial-recognition-success-south-wales-trial-home-office-false-positive-a8345036.html (last visited Aug. 09, 2018).

Finland’s Technology Innovation System

I. Introduction

When Finland comes to mind, it is easy to associate the country with the prestigious cell-phone company “NOKIA” and its unbeatable high-technology communication industry. However, with the change of the entire cell-phone industry, the rise of the smart phone has not only influenced people’s communication and interaction, but also made Finland, which once monopolized the whole cell-phone industry, feel the threat and challenge coming from new competitors in the smart phone industry. Even though Finland’s cell-phone industry has encountered frustrations in global markets in recent years, the Finnish government has still poured many funds into the area of technology and innovation, and brought about the birth of “Angry Birds”, one of the most popular smart phone games in the world. The Finnish government keeps the tradition of encouraging R&D, and wishes that Finland’s industries can regain new energy and power in technology innovation, and indirectly reach a new competitive level.

According to Statistics Finland, 46% of Finland’s enterprises took innovative actions in product manufacturing and the R&D process during 2008-2010; the promotion of those actions did not merely exist within enterprises, but extended directly to marketing and manufacturing. Whether in product manufacturing, the R&D process, the pattern of organization or product marketing, we can observe that enterprises and organizations contribute to innovative activities at different levels or procedures. Of Finland’s R&D budget in 2012, which amounted to 200 million Euros, universities were assigned 58 million Euros, accounting for 29% of the R&D budget. Tekes was assigned 55 million Euros, roughly 27.5% of the R&D budget. The Academy of Finland (AOF) was assigned 32 million Euros, 16% of the R&D budget. The government’s sectors were assigned 3 million Euros, 15.2% of the R&D budget. Other technology R&D expenses were 2.1 million Euros, roughly 10.5% of R&D. The affiliated teaching hospitals of universities were assigned 0.36 million Euros, 1.8% of the R&D budget. From the information above, it can be seen that, in promoting technology, the Finnish government not only focuses on R&D innovation, but also pays much attention to the quality of university education and subsidizes various R&D activities. For the Finnish government’s assignment of budgets, refer to the chart below.

Finland’s promotion of innovative activities in industry not only won it the first position in the “Growth Competitiveness Index” published by the World Economic Forum (WEF) during 2000-2006, but also placed it fourth among 142 national economies in “The Global Competitiveness Report” published by the WEF, preceded only by Switzerland, Singapore and Sweden, even while facing unstable global economic situations and the European debt crisis. Hence, the reason why Finland’s industries have such strong innovative power seems to be related to Finland’s national technology administrative system, and is worth researching.

II. The Recent Situation of Finland’s Technology Administrative System

A. Preface

Finland’s administrative system is semi-presidential: its executive power is shared by the president and the Prime Minister, and its legislative power is shared by the Congress and the president. The president is Finland’s leader and is elected by the Electoral College; the Prime Minister is elected by the Congress members, and then appointed by the president. To sum up, comparing the power held by the Prime Minister and the president in Finland’s administrative system, the Prime Minister has more executive power.
So Finland can actually be described as a semi-presidential country that tends toward a cabinet system.

Finland’s technology administrative system can be divided into four parts, and the main agencies in each part, based upon their authority, coordinate and cooperate in the making, subsidizing and executing of Finland’s technology policies. The first part is policy-making, and it is composed of the Congress, the Cabinet and the Research and Innovation Council; the second part is policy management and supervision, and it is led by the Ministry of Education and Culture, the Ministry of Employment and the Economy, and other Ministries; the third part is science program management and subsidy, and it is composed of the Academy of Finland (AOF), the National Technology Agency (Tekes), and the Finnish National Fund Research and Development (SITRA); the fourth part is policy-executing, and it is composed of universities, polytechnics, public-owned research institutions, private enterprises, and private research institutions. The framework of Finland’s technology administrative system can be referred to below.

B. The Agency of Finland’s Technology Policy Making and Management

(A) The Agency of Finland’s Technology Policy Making

Finland’s technology policies are mainly made by the cabinet, which means that the cabinet is responsible for the master plan, coordinated operation and fund-assignment of national technology policies. The cabinet has two councils, the Economic Council and the Research and Innovation Council, and both of them are chaired by the Prime Minister. The Research and Innovation Council was reorganized from the Science and Technology Policy Council (STPC) in 1978, and it changed its name to the Research and Innovation Council in Jan. 2009.
The major duties of the Research and Innovation Council include assessing the country’s development; dealing with affairs regarding science, technology, innovation policy and human resources, and providing the government with the aforementioned schedules and plans; dealing with fund-assignment concerning public research development and innovative research; coordinating all of the government’s activities in the area of science, technology and innovation policy; and executing the government’s other missions.

The Research and Innovation Council is an integration unit for Finland’s national technology policies, and it was originally a consulting agency between the cabinet and the Ministries. However, in actual operation, its scope of authority already covers a coordination function, and it has turned to directly making all kinds of policies related to national science and technology development. In addition, the conclusions of the consulting suggestions on national scientific development policies that the Research and Innovation Council makes for the cabinet and the heads of Ministries have to be issued as a “Key Policy Report” every three years. The Reports have included “Science, Technology, Innovation” in 2006, “Review 2008” in 2008, and the newest, “Research and Innovation Policy Guidelines for 2011-2015”, in 2010.

Regarding the formation and duration of the Research and Innovation Council, its duration follows the government term. As for its formation, the Prime Minister is the chairman of the Research and Innovation Council, and the membership consists of the Minister of Education and Science, the Minister of Economy, the Minister of Finance and a maximum of six other ministers appointed by the Government. In addition to the Ministerial members, the Council shall comprise ten other members appointed by the Government for the parliamentary term. The Members must comprehensively represent expertise in research and innovation. The structure of the Council includes the Council Secretariat, the Administrative Assistant, the Science and Education Subcommittee, and the Technology and Innovation Subcommittee. The Science and Education Subcommittee and the Technology and Innovation Subcommittee carry out preparatory tasks. They are chaired by the Ministry of Education and Science and by the Minister of Economy, respectively. The Council’s Secretariat consists of one full-time Secretary General and two full-time Chief Planning Officers. The clerical tasks are taken care of at the Ministry of Education and Culture.

(B) The Agency of Finland’s Technology Policy Management

The Ministries mainly take responsibility for Finland’s technology policy management. They include the Ministry of Education and Culture, the Ministry of Employment and Economy, the Ministry of Social Affairs and Health, the Ministry of Agriculture and Forestry, the Ministry of Defense, the Ministry of Transport and Communication, the Ministry of Environment, the Ministry of Financial, and the Ministry of Justice. Among the aforementioned Ministries, the Ministry of Education and Culture and the Ministry of Employment and Economy are mainly responsible for Finland’s national scientific technology development, and take charge of national scientific policy and national technical policy, respectively. The goal of national scientific policy is to promote fundamental scientific research and to build up related scientific infrastructures; at the same time, the authority of the Ministry of Education and Culture covers education and training, research infrastructures, fundamental research, applied research, technology development, and commercialization.
The main direction of Finland’s national scientific policy is to make sure that scientific technology and innovative activities are actively motivated in universities, and its objectives are, first, to raise research funds and maintain research development at a specific ratio; second, to make sure that both R&D institutions and R&D training reach a fundamental level of funding and environment; third, to provide a research network for Finland, the European Union and global research; fourth, to support research related to industries or services based upon knowledge-innovation; fifth, to strengthen the cooperation between research initiators and users, and spread R&D results to find out the values of commercialization, and then create a new technology industry; sixth, to analyze the performance of the national R&D system.

As for the Ministry of Employment and Economy, its major duties not only include labor, energy, regional development, marketing and consumer policy; it also takes responsibility for Finland’s industry and technical policies, and provides industries and enterprises with a good development environment for technology R&D. The business scope of the Ministry of Employment and Economy puts more focus on the actual application of R&D results; it covers applied research of scientific technology, technology development, commercialization, and so on. The direction of Finland’s national technology policy is to strengthen the ability and creativity of industries’ technology development, and its objectives are, first, to develop new horizons of knowledge with the national innovation system, and to provide knowledge-oriented products and services; second, to promote the efficiency of the government’s R&D funds; third, to provide cross-country R&D research networks, and support the priorities of technology policy by strengthening bilateral or multilateral cooperation; fourth, to raise and to broaden the efficiency of research discovery; fifth, to promote regional development by technology; sixth, to evaluate the performance of technology policy; seventh, to increase the influence of R&D on technological change, innovation and society; eighth, to make sure that the technology fundamental structure, national quality policy and technology safety system will be up to international standards.

(C) The Agency of Finland’s Technology Policy Management and Subsidy

The agency of Finland’s technology policy management and subsidy is composed of the Academy of Finland (AOF), the National Technology Agency (Tekes), and the Finnish National Fund Research and Development (SITRA). The fund of AOF comes from the Ministry of Education and Culture; the fund of Tekes comes from the Ministry of Employment and Economy; and the fund of SITRA comes from an independent public fund supervised by Finland’s Congress.

(D) The Agency of Finland’s Technology Plan Execution

The execution of Finland’s technology plans mainly belongs to the universities under the Ministries, polytechnics, national technology research institutions, and other related research institutions.
Under the Ministry of Education and Culture, the technology plans are executed by 16 universities, 25 polytechnics, and the Research Institute for the Language of Finland; under the Ministry of Employment and Economy, the technology plans are executed by the Technical Research Centre of Finland (VTT), the Geological Survey of Finnish, and the National Consumer Research Centre; under the Ministry of Social Affairs and Health, the technology plans are executed by the National Institute for Health and Welfare, the Finnish Institute of Occupational Health, and University Central Hospitals; under the Ministry of Agriculture and Forestry, the technology plans are executed by the Finnish Forest Research Institute (Metla), the Finnish Geodetic Institute, and the Finnish Game and Fisheries Research Institute (RKTL); under the Ministry of Defense, the technology plans are executed by the Finnish Defense Forces’ Technical Research Centre (Pvtt); under the Ministry of Transport and Communications, the technology plans are executed by the Finnish Meteorological Institute; under the Ministry of Environment, the technology plans are executed by the Finnish Environment Institute (SYKE); under the Ministry of Financial, the technology plans are executed by the Government Institute for Economic Research (VATT). Lastly, under the Ministry of Justice, the technology plans are executed by the National Research Institute of Legal Policy.

Post Brexit – An Update on the United Kingdom Privacy Regime

2021/9/10

After lengthy talks, on 31 January 2020, the United Kingdom (‘UK’) finally exited the European Union (‘EU’). Then, the UK shifted into a transition period. The UK government was bombarded with questions from all stakeholders. In particular, the data and privacy industry yelled out the loudest – what am I going to do with data flowing from the EU to the UK? Privacy professionals queried – would the UK have a new privacy regime that significantly departs from the General Data Protection Regulation (‘GDPR’)? Eventually, the UK made a compromise with all stakeholders – the British, the Europeans and the rest of the world – by bridging its privacy laws with the GDPR. On 28 June 2021, the UK obtained an adequacy decision from the EU.[1] This was widely anticipated but also widely known to be delayed, as it was heavily impacted by the aftermath of the invalidation of the US-EU Privacy Shield.[2]

While the rest of the world seems to silently observe the transition undertaken by the UK, post-Brexit changes to the UK’s privacy regime are not only a domestic or regional matter; they are an international matter. Global supply chains and cross-border data flows will be affected, shuffling the global economy into a new order. Therefore, it is crucial for citizens of a digital economy to unpack and understand the current UK privacy regime. This paper intends to give the reader a brief introduction to the current privacy regime of the UK. The author proposes to set out the structure of the UK privacy legislation, and to discuss important privacy topics. This paper only focuses on the general processing regime, which is the regime that is most relevant to general stakeholders.

UK Privacy Legislation

There are two main pieces of privacy legislation in the UK – the Data Protection Act 2018 (‘DPA’) and the United Kingdom General Data Protection Act (‘UK GDPR’). These two acts must be read together in order to form a coherent understanding of the current UK privacy regime.

The UK GDPR is the creature of Brexit. The UK government wanted a smooth transition out of the EU and acknowledged that it needed to preserve the GDPR in its domestic privacy regime to an extent that would allow it to secure an adequacy decision. The UK government also wanted to create less impact on private companies. Thus, the UK GDPR was born. Largely, it aligns closely with the GDPR, supplemented by the DPA.

ICO

The Information Commissioner’s Office (‘ICO’) is the independent authority supervising compliance with privacy laws in the UK. Prior to Brexit, the ICO was the UK’s supervisory authority under the GDPR. A unique feature of the ICO’s powers and functions is that it adopts a notice system. The ICO has power to issue four types of notices: information notices, assessment notices, enforcement notices and penalty notices.[3] The information notice requires controllers or processors to provide information. The ICO must issue an assessment notice before conducting data protection audits. Enforcement is only exercisable by giving an enforcement notice. Administrative fines are only exercisable by giving a penalty notice.

Territorial Application

Section 207(1A) of the DPA states that the DPA applies to any controller or processor established in the UK, regardless of where the processing of personal data takes place. Like the GDPR, the DPA and the UK GDPR have an extraterritorial reach to overseas controllers or processors.
The DPA and the UK GDPR apply to overseas controllers or processors who process personal data relating to data subjects in the UK, and the processing activities are related to the offering of goods or services, or the monitoring of data subjects’ behavior.[4] Transfers of Personal Data to Third Countries   On 28 June 2021, the UK received an adequacy decision from the EU.[5] This means that until 27 June 2025, data can continue to flow freely between the UK and the European Economic Area (‘EEA’).   As for transferring personal data to third countries other than the EU, the UK has similar laws to the GDPR. Both the DPA and the UK GDPR restrict controllers or processors from transferring personal data to third countries. A transfer of personal data to a third country is permitted if it is based on adequacy regulations.[6] An EU adequacy decision is known as ‘adequacy regulations’ under the UK regime.   If there is no adequacy regulations, then a transfer of personal data to a third country will only be permitted if it is covered by appropriate safeguards, including standard data protection clauses, binding corporate rules, codes of conduct, and certifications.[7] The ICO intends to publish UK standard data protection clauses in 2021.[8] In the meantime, the EU has published a new set of standard data protection clauses (‘SCCs’).[9] However, it must be noted that the EU SCCs are not accepted to be valid in the UK, and may only be used for reference purposes. It is also worth noting that the UK has approved three certification schemes to assist organizations in demonstrating compliance to data protection laws.[10] Lawful Bases for Processing   Basically, the lawful bases for processing in the UK regime are the same as the GDPR. Six lawful bases are set out in article 6 of the UK GDPR. 
To process personal data, at least one of the following lawful bases must be satisfied:[11]

The data subject has given consent to the processing;
The processing is necessary for the performance of a contract;
The processing is necessary for compliance with a legal obligation;
The processing is necessary to protect vital interests of an individual – that is, protecting an individual’s life;
The processing is necessary for the performance of a public task;
The processing is necessary for the purpose of legitimate interests, unless other interests or fundamental rights and freedoms override those legitimate interests.

Rights & Exemptions

The UK privacy regime, like the GDPR, gives data subjects certain rights. Most of the rights granted under the UK privacy regime are akin to those in the GDPR and can be found under the UK GDPR. Individual rights under the UK privacy regime are closely linked with its exemptions; this may be said to be a unique feature of the UK privacy regime which sets it apart from the GDPR. Under the DPA and the UK GDPR, there are certain exemptions, meaning organizations are exempted from certain obligations, and most of them are associated with individual rights.
For example, if data is processed for scientific or historical research purposes, or statistical purposes, organizations are exempted from provisions on the right of access, the right to rectification, the right to restrict processing and the right to object in certain circumstances.[12]

Penalties

The penalty for infringement of the UK GDPR is the amount specified in article 83 of the UK GDPR.[13] If an amount is not specified, the penalty is the standard maximum amount.[14] The standard maximum amount, at the time of writing, is £8,700,000 (around 10 million Euros) or 2% of the undertaking’s total annual worldwide turnover in the preceding financial year.[15] In any other case, the standard maximum amount is £8,700,000 (around 10 million Euros).[16]

Conclusion

The UK privacy regime closely aligns with the GDPR. However, it would be too simple a statement to say that the UK privacy regime is almost identical to the GDPR. The ICO’s unique enforcement powers, exercised through a notice system, are a distinct feature of the UK privacy regime. Recent legal trends show that the UK, while trying to preserve its ties with the EU, is gradually developing an independent privacy persona. The best example is that, in regard to transfers to third countries, the UK has developed its first certification scheme and is attempting to develop its own standard data protection clauses. The UK’s transition out of the EU has certainly been interesting; however, the UK’s transformation from the EU is certainly awaited with awe.

[1] Commission Implementing Decision of 28.6.2021, pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom, C(2021) 4800 final, https://ec.europa.eu/info/sites/default/files/decision_on_the_adequate_protection_of_personal_data_by_the_united_kingdom_-_general_data_protection_regulation_en.pdf.
[2] Judgment of 16 July 2020, Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems, C-311/18, EU:C:2020:559, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62018CJ0311.
[3] Data Protection Act 2018, §115.
[4] Data Protection Act 2018, §207(1A); Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 3.
[5] supra note 1.
[6] Data Protection Act 2018, §17A-18; Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 44-50.
[7] Data Protection Act 2018, §17A-18; Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 46-47.
[8] International transfers after the UK exit from the EU Implementation Period, ICO, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers-after-uk-exit/ (last visited Sep. 10, 2021).
[9] Standard contractual clauses for international transfers, European Commission, https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en (last visited Sep. 10, 2021).
[10] ICO, New certification schemes will “raise the bar” of data protection in children’s privacy, age assurance and asset disposal, ICO, Aug. 19, 2021, https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2021/08/ico-approves-the-first-uk-gdpr-certification-scheme-criteria/ (last visited Sep. 10, 2021).
[11] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 6(1)-(2); Lawful basis for processing, ICO, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/ (last visited Sep. 10, 2021).
[12] Data Protection Act 2018, sch 2, part 6, para 27.
[13] id. at §157.
[14] id.
[15] id.
[16] id.
