Hard Law or Soft Law?
–Global AI Regulation Developments and Regulatory Considerations
2023/08/18
Since the launch of ChatGPT on November 30, 2022, the technology has been disrupting industries, shifting the way things used to work, bringing benefits but also problems. Several lawsuits were filed by artists, writers and voice actors in the US, claiming that the use of copyrighted materials in training generative AI violates their copyright.[1] AI deepfakes, hallucination and bias have also become the center of discussion, as the generation of fake news, false information, and biased decisions could deeply affect human rights and society as a whole.[2]
To retain the benefits of AI without causing damage to society, regulators around the world have been accelerating their pace in establishing AI regulations. However, with the technology evolving at such speed and uncertainty, there is a lack of consensus on which regulatory approach can effectively safeguard human rights while promoting innovation. This article provides an overview of current AI regulation developments around the world, offers a preliminary analysis of the pros and cons of different regulatory approaches, and points out some other elements that regulators should consider.
I. An overview of the current AI regulation landscape around the world
The EU is taking the lead in legislation, with its parliament adopting its position on the AI Act in June 2023, heading into trilogue meetings that aim to reach an agreement by the end of this year.[3] China has also announced its draft National AI Act, scheduled to enter its National People's Congress before the end of 2023.[4] It already has several administrative rules in place, such as the 2021 regulation on recommendation algorithms, the 2022 rules for deep synthesis, and the 2023 draft rules on generative AI.[5]
Some other countries have been taking a softer approach, preferring voluntary guidelines and testing schemes. The UK published its AI regulation plans in March, seeking views on its sectoral guideline-based pro-innovation regulation approach.[6] To minimize uncertainty for companies, it proposed a set of regulatory principles to ensure that government bodies develop guidelines in a consistent manner.[7] The US National Institute of Standards and Technology (NIST) released the AI Risk Management Framework in January[8], with a non-binding Blueprint for an AI Bill of Rights published in October 2022, providing guidance on the design and use of AI with a set of principles.[9] It is important to note that some States have drafted regulations on specific subjects, such as New York City’s Final Regulations on Use of AI in Hiring and Promotion, which came into force in July 2023.[10] Singapore launched the world’s first AI testing framework and toolkit international pilot in May 2022, with the assistance of AWS, DBS Bank, Google, Meta, Microsoft, Singapore Airlines, etc. After a year of testing, it open-sourced the software toolkit in July 2023, to better develop the system.[11]
Some countries are still undecided on their regulatory approach. Australia commenced a public consultation on its AI regulatory framework proposal in June[12], seeking views on its draft AI risk management approach.[13] Taiwan’s government announced in July 2023 that it would propose a draft AI basic law by September 2023, covering topics such as AI-related definitions, privacy protections, data governance, risk management, ethical principles, and industrial promotion.[14] However, the plan was recently postponed, indicating a possible shift towards voluntary or mandatory government principles and guidance before establishing the law.[15]
II. Hard law or soft law? The pros and cons of different regulatory approaches
One of the key advantages of hard law in AI regulation is its ability to provide binding legal obligations and legal enforcement mechanisms that ensure accountability and compliance.[16] Hard law also provides greater legal certainty, transparency and remedies for consumers and companies, which is especially important for smaller companies that do not have as many resources to influence and comply with fast-changing soft law.[17] However, the legislative process can be time-consuming, slower to update, and less agile.[18] This poses the risk of stifling innovation, as hard law inevitably cannot keep pace with the rapidly evolving AI technology.[19]
In contrast, soft law represents a more flexible and adaptive approach to AI regulation. As the potential of AI still remains largely mysterious, government bodies can formulate principles and guidelines tailored to the regulatory needs of different industry sectors.[20] In addition, if there are adequate incentives in place for actors to comply, the cost of enforcement could be much lower than under hard law. Governments can also experiment with several different soft law approaches to test their effectiveness.[21] However, the voluntary nature of soft law and the lack of legal enforcement mechanisms could lead to inconsistent adoption and undermine the effectiveness of these guidelines, potentially leaving critical gaps in addressing AI's risks.[22] Additionally, in cases of AI-related harms, soft law could not offer effective protection for consumer rights and human rights, as there is no clear legal obligation to facilitate accountability and remedies.[23]
Carlos Ignacio Gutierrez and Gary Marchant, faculty members at Arizona State University (ASU), analyzed 634 AI soft law programs against 100 criteria and found that two-thirds of the programs lack enforcement mechanisms to deliver their anticipated AI governance goals. They pointed out that credible indirect enforcement mechanisms and a perception of legitimacy are two critical elements that could strengthen soft law’s effectiveness.[24] For example, to publish stem cell research in top academic journals, the author needs to demonstrate that the research complies with related research standards.[25] In addition, companies usually have a greater incentive to comply with private standards to avoid regulatory shifts towards hard laws with higher costs and constraints.[26]
III. Other considerations
Apart from understanding the strengths and limitations of soft law and hard law, it is important for governments to consider each country’s unique differences. For example, Singapore has always focused on voluntary approaches as it acknowledges that being a small country, close cooperation with the industry, research organizations, and other governments to formulate a strong AI governance practice is much more important than rushing into legislation.[27] For them, the flexibility and lower cost of soft regulation provide time to learn from industries to prevent forming rules that aren’t addressing real-world issues.[28] This process allows preparation for better legislation at a later stage.
Japan has also shifted towards a softer approach to minimize legal compliance costs, as it recognizes its slower position in the AI race.[29] In its view, the EU AI Act is aimed at regulating giant tech companies rather than promoting innovation.[30] That is why Japan considers that hard law does not suit the industry development stage it is currently in.[31] Therefore, it seeks to address legal issues with current laws and draft relevant guidance.[32]
IV. Conclusion
As the global AI regulatory landscape continues to evolve, it is important for governments to consider the pros and cons of hard law and soft law, as well as country-specific conditions, in deciding what is suitable for the country. Additionally, a regular review of the effectiveness and impact of their chosen regulatory approach on AI’s development and society is recommended.
Reference:
[1] ChatGPT and Deepfake-Creating Apps: A Running List of Key AI-Lawsuits, TFL, https://www.thefashionlaw.com/from-chatgpt-to-deepfake-creating-apps-a-running-list-of-key-ai-lawsuits/ (last visited Aug 10, 2023); Protection for Voice Actors is Artificial in Today’s Artificial Intelligence World, The National Law Review, https://www.natlawreview.com/article/protection-voice-actors-artificial-today-s-artificial-intelligence-world (last visited Aug 10, 2023).
[2] The politics of AI: ChatGPT and political bias, Brookings, https://www.brookings.edu/articles/the-politics-of-ai-chatgpt-and-political-bias/ (last visited Aug 10, 2023); Prospect of AI Producing News Articles Concerns Digital Experts, VOA, https://www.voanews.com/a/prospect-of-ai-producing-news-articles-concerns-digital-experts-/7202519.html (last visited Aug 10, 2023).
[3] EU AI Act: first regulation on artificial intelligence, European Parliament, https://www.europarl.europa.eu/news/en/headlines/society/20230601STO93804/eu-ai-act-first-regulation-on-artificial-intelligence (last visited Aug 10, 2023).
[4] China's State Council releases legislative plan; draft AI law to be reviewed within the year, Economic Daily News (June 9, 2023), https://money.udn.com/money/story/5604/7223533 (last visited Aug 10, 2023).
[5] id.
[6] A pro-innovation approach to AI regulation, GOV.UK, https://www.gov.uk/government/publications/ai-regulation-a-pro-innovation-approach/white-paper (last visited Aug 10, 2023).
[7] id.
[8] AI RISK MANAGEMENT FRAMEWORK, NIST, https://www.nist.gov/itl/ai-risk-management-framework (last visited Aug 10, 2023).
[9] The White House released an ‘AI Bill of Rights’, CNN, https://edition.cnn.com/2022/10/04/tech/ai-bill-of-rights/index.html (last visited Aug 10, 2023).
[10] New York City Adopts Final Regulations on Use of AI in Hiring and Promotion, Extends Enforcement Date to July 5, 2023, Littler, https://www.littler.com/publication-press/publication/new-york-city-adopts-final-regulations-use-ai-hiring-and-promotionv (last visited Aug 10, 2023).
[11] IMDA, Fact sheet - Open-Sourcing of AI Verify and Set Up of AI Verify Foundation (2023), https://www.imda.gov.sg/-/media/imda/files/news-and-events/media-room/media-releases/2023/06/7-jun---ai-annoucements---annex-a.pdf (last visited Aug 10, 2023).
[12] Supporting responsible AI: discussion paper, Australia Government Department of Industry, Science and Resources, https://consult.industry.gov.au/supporting-responsible-ai (last visited Aug 10, 2023).
[13] Australian Government Department of Industry, Science and Resources, Safe and responsible AI in Australia (2023), https://storage.googleapis.com/converlens-au-industry/industry/p/prj2452c8e24d7a400c72429/public_assets/Safe-and-responsible-AI-in-Australia-discussion-paper.pdf (last visited Aug 10, 2023).
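[14] 張璦, Central News Agency, Draft AI Basic Law focuses on seven aspects including privacy protection and legality of applications; anti-fake-information center planned, https://www.cna.com.tw/news/ait/202307040329.aspx (last visited Aug 10, 2023).
[15] 蘇思云, Central News Agency, Aug 1, 2023, Cheng Wen-tsan (鄭文燦): AI Basic Law to be postponed in view of rapid technological development and broad applications, https://www.cna.com.tw/news/afe/202308010228.aspx (last visited Aug 10, 2023).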
[16] supra, note 13, at 27.
[17] id.
[18] id., at 28.
[19] Soft law as a complement to AI regulation, Brookings, https://www.brookings.edu/articles/soft-law-as-a-complement-to-ai-regulation/ (last visited Aug 10, 2023).
[20] supra, note 5.
[21] Gary Marchant, “Soft Law” Governance of Artificial Intelligence (2019), https://escholarship.org/uc/item/0jq252ks (last visited Aug 10, 2023).
[22] How soft law is used in AI governance, Brookings, https://www.brookings.edu/articles/how-soft-law-is-used-in-ai-governance/ (last visited Aug 10, 2023).
[23] supra, note 13, at 27.
[24] Why Soft Law is the Best Way to Approach the Pacing Problem in AI, Carnegie Council for Ethics in International Affairs, https://www.carnegiecouncil.org/media/article/why-soft-law-is-the-best-way-to-approach-the-pacing-problem-in-ai (last visited Aug 10, 2023).
[25] id.
[26] id.
[27] Singapore is not looking to regulate A.I. just yet, says the city-state’s authority, CNBC, https://www.cnbc.com/2023/06/19/singapore-is-not-looking-to-regulate-ai-just-yet-says-the-city-state.html#:~:text=Singapore%20is%20not%20rushing%20to,Media%20Development%20Authority%2C%20told%20CNBC (last visited Aug 10, 2023).
[28] id.
[29] Japan leaning toward softer AI rules than EU, official close to deliberations says, Reuters, https://www.reuters.com/technology/japan-leaning-toward-softer-ai-rules-than-eu-source-2023-07-03/ (last visited Aug 10, 2023).
[30] id.
[31] id.
[32] id.
Legal Analysis of the U.S. BIOSECURE Act: Implications for Taiwanese Biotechnology Companies
2024/11/15
I. Introduction
The U.S. BIOSECURE Act (H.R.8333)[1] (hereinafter, "BIOSECURE Act" or "Act") is a strategic legislative measure designed to protect U.S. biotechnology technologies and data from potential exploitation by foreign entities deemed to be threats to national security. Passed by the House of Representatives on September 9, 2024, with a vote of 306-81[2], the Act demonstrates robust bipartisan support to limit foreign influence in critical U.S. sectors. Passed during the legislative session known as "China Week[3]," the Act imposes restrictions on government contracts, funding, and technological cooperation with entities classified as "Biotechnology Companies of Concern" (hereinafter, "BCCs") that are affiliated with adversarial governments. Given Taiwan's prominent role in biotechnology and its strong trade ties with the U.S., Taiwanese companies must examine the implications of the BIOSECURE Act, specifically in regard to technology acquisition from restricted foreign companies and compliance obligations for joint projects with U.S. partners.
This analysis will delve into three core aspects of the BIOSECURE Act: (1) the designation and evaluation of BCCs, (2) prohibitions on transactions involving BCCs, and (3) enforcement mechanisms. Each section will evaluate potential impacts on Taiwanese companies, focusing on how the Act might influence technology transfers, compliance obligations, and partnership opportunities within the U.S. biotechnology supply chain.
II. Designation and Evaluation of Biotechnology Companies of Concern
A central element of the BIOSECURE Act is the process of identifying and evaluating foreign biotechnology companies considered potential threats to U.S. national security.[4] Under Section 2(f)(2) of the Act, a "Biotechnology Company of Concern" is defined as any entity associated with adversarial governments—specifically, China, Russia, North Korea, and Iran[5]—that engages in activities or partnerships posing risks to U.S. security[6]. These risks may include collaboration with foreign military or intelligence agencies, involvement in dual-use research, or access to sensitive personal or genetic information of U.S. citizens. Companies already designated as BCCs include BGI, MGI, Complete Genomics, WuXi AppTec, and WuXi Biologics, all of which have substantial ties to China and the Chinese government or military[7]. Under Section 2(f)(4) of the Act, the Office of Management and Budget (OMB) is required to continuously evaluate and update the BCC list in consultation with agencies such as the Department of Defense, Department of Commerce, and the National Intelligence Community to reflect evolving security concerns[8].
The designation process presents significant challenges for Taiwanese companies, particularly those that have connections with BCCs or rely on BCC technologies for their products, diagnostics, or research initiatives. For instance, if a Taiwanese company uses gene sequencing technology or multiomics tools sourced from one of the designated BCCs, it may face restrictions when pursuing contracts with U.S. entities or seeking federal funding. To proactively address these challenges, Taiwanese companies should establish compliance protocols that verify the origin of their technology and data sources. Moreover, developing new supply chain relationships with U.S. or European suppliers may not only reduce reliance on BCC-affiliated technology but also enhance Taiwanese companies' reputation as secure and reliable partners in the biotechnology industry.
By adapting proactively to the BCC designation process, Taiwanese companies can anticipate and respond to future regulatory shifts more effectively. Diversifying their technology base away from BCCs positions these companies to better align with U.S. biosecurity standards, thereby becoming more attractive collaborators for U.S.-based biotechnology and life sciences companies. Given the rapid pace of regulatory and security developments, staying informed about changes in BCC designations will enable Taiwanese companies to operate with greater agility, adjusting suppliers and adopting new compliance measures as needed. Such proactive alignment can strengthen their resilience and reinforce their status as stable and secure participants in the global biotechnology landscape.
III. Prohibition on Government Contracts and Funding
A core component of the BIOSECURE Act is its stringent restrictions on contracting and funding involving entities linked to BCCs, as detailed in Section 2(a) of the Act[9]. These restrictions extend beyond direct federal interactions to include any recipients of federal funds, prohibiting them from using such funds to procure biotechnology products or services from BCCs[10]. By curtailing federal support and preventing indirect financial benefits to these companies, the U.S. aims to mitigate national security risks posed by adversarial governments. The wide-reaching scope of these prohibitions makes the BIOSECURE Act one of the most comprehensive legislative efforts to secure the biotechnology sector and address concerns over foreign technologies potentially compromising U.S. security interests.
For Taiwanese biotechnology companies, these prohibitions introduce substantial compliance demands, particularly for companies that utilize BCC technology within their supply chains. For example, a Taiwanese company engaged in a joint research project with a U.S. government contractor may be required to demonstrate that none of its technology or data sources originate from BCCs. Compliance could necessitate rigorous supply chain audits and operational adjustments, potentially increasing short-term costs. However, aligning with U.S. regulatory standards preemptively can position Taiwanese companies as more desirable partners for U.S. entities that are increasingly prioritizing security and regulatory adherence.
The BIOSECURE Act also incentivizes Taiwanese companies to explore alternative technology providers that meet U.S. biosecurity criteria, including secure data management practices, compliance with federal regulations, and the absence of connections to adversarial governments. By sourcing technology from approved U.S. or European biotechnology companies, Taiwanese companies can enhance their market access and collaborative prospects in the U.S. biotechnology and life sciences sectors. This strategy may also foster long-term stability in partnerships and mitigate risks associated with supply chain disruptions, particularly if more companies are designated as BCCs in the future[11]. Establishing partnerships with U.S.-aligned suppliers can also provide Taiwanese companies with a competitive edge in securing government contracts and research funding, as U.S.-based entities increasingly prefer suppliers that comply with national biosecurity requirements.
IV. Enforcement Mechanisms, Transition Periods, and Taiwanese Considerations
The BIOSECURE Act outlines key enforcement mechanisms and transitional provisions designed to facilitate the adjustment process for companies affected by its restrictions. Specifically, Section 2(c) of the Act provides an eight-year grandfathering period for contracts established prior to the Act’s effective date involving existing BCCs, allowing these agreements to continue until January 1, 2032[12]. This provision is intended to provide companies that are dependent on BCC-supplied biotechnology ample time to transition to compliant suppliers. In addition, the Act includes a "safe harbor" provision[13], which clarifies that equipment previously produced by a BCC but now sourced from a non-BCC entity will not be restricted. This allows companies to re-source components without the risk of penalties for past procurement decisions.
For Taiwanese companies, this transition period presents a critical opportunity to adapt to the new regulatory environment without facing immediate disruptions to business operations. Companies dependent on BCC technology for essential biotechnological functions can leverage the eight-year window to gradually phase out such suppliers, thereby minimizing the impact on operations while ensuring future compliance. For example, a Taiwanese company that relies on a BCC’s sequencing technology for genomic research can use this period to forge partnerships with compliant technology suppliers, thereby avoiding sudden disruptions in research or production. Additionally, the Act includes a waiver provision[14] that allows case-by-case exemptions under specific conditions, particularly when compliance is infeasible, such as in instances where critical healthcare services abroad are at risk[15].
By making strategic use of the phased enforcement and waiver provisions, Taiwanese companies can restructure their supply chains to align fully with U.S. requirements. Those that plan these transitions carefully not only ensure regulatory compliance but also enhance their appeal as resilient and trustworthy partners in the U.S. market. Exploring new collaborations with U.S.-approved biotechnology suppliers can further bolster supply chain resilience against future geopolitical or regulatory uncertainties. The transition period[16] and waiver options[17] reflect the BIOSECURE Act's balanced approach between immediate security needs and pragmatic implementation, which Taiwanese companies can capitalize on to build robust, compliant biotechnological operations.
V. Conclusion
The U.S. BIOSECURE Act[18] presents both significant challenges and strategic opportunities for Taiwanese biotechnology companies. The Act’s restrictions on contracts with designated BCCs and funding constraints necessitate a reassessment of technology acquisition strategies and a reinforcement of compliance practices. Taiwanese companies seeking deeper integration into U.S. and global biotechnology markets will benefit from aligning their procurement approaches with non-BCC suppliers, particularly those in the U.S. or allied countries. This proactive alignment will not only mitigate potential compliance risks but also enhance Taiwanese companies’ reputations as reliable global partners in biotechnology.
The phased enforcement and waiver provisions of the BIOSECURE Act[19] provide Taiwanese companies with a clear pathway to navigate the evolving regulatory landscape, allowing them to establish stronger, more resilient supply chains that meet U.S. standards. Such alignment positions these companies as competitive players in the biotechnology sector, contributing to secure and innovative progress in an increasingly interconnected world. By actively engaging with the BIOSECURE Act’s compliance demands, Taiwanese biotechnology companies can leverage the Act's phased implementation to ensure sustained, secure access to the U.S. market and foster strategic biotechnology partnerships.
Reference:
[1] U.S. CONGRESS, H.R. 8333 – U.S. BIOSECURE Act (2024), https://www.congress.gov/bill/118th-congress/house-bill/8333 (last visited Nov. 1, 2024).
[2] OFFICE OF THE CLERK, U.S. HOUSE OF REPRESENTATIVES, Roll Call Vote No. 402 on H.R. 8333 (Sept. 9, 2024), https://clerk.house.gov/Votes?RollCallNum=402&BillNum=H.R.8333 (last visited Nov. 1, 2024).
[3] JANINE LITTLE, U.S. House Of Representatives Passes The BIOSECURE Act During “China Week”, Global Supply Chain Law Blog (Sept. 13, 2024), https://www.globalsupplychainlawblog.com/supply-chain/u-s-house-of-representatives-passes-the-biosecure-act-during-china-week/ (last visited Nov. 1, 2024).
[4] SABINE NAUGÈS & SARAH L. ENGLE, BIOSECURE Act: US Target on Chinese Biotechnology Companies, NAT'L L. REV. (Sept. 13, 2024), https://natlawreview.com/article/biosecure-act-us-target-chinese-biotechnology-companies (last visited Nov. 1, 2024).
[5] 10 U.S.C. § 4872(d) (2024), https://www.law.cornell.edu/uscode/text/10/4872 (last visited Nov. 1, 2024).
[6] U.S. CONGRESS, H.R. 8333 – U.S. BIOSECURE Act (2024), https://www.congress.gov/bill/118th-congress/house-bill/8333 (last visited Nov. 1, 2024).
[7] id.
[8] id.
[9] id.
[10] id.
[11] JANINE LITTLE, U.S. House Of Representatives Passes The BIOSECURE Act During “China Week”, Global Supply Chain Law Blog (Sept. 13, 2024), https://www.globalsupplychainlawblog.com/supply-chain/u-s-house-of-representatives-passes-the-biosecure-act-during-china-week/ (last visited Nov. 1, 2024).
[12] U.S. CONGRESS, H.R. 8333 – U.S. BIOSECURE Act (2024), https://www.congress.gov/bill/118th-congress/house-bill/8333 (last visited Nov. 1, 2024).
[13] id.
[14] id.
[15] id.
[16] id.
[17] id.
[18] id.
[19] id.
The EU's New Legal Framework for European Research Infrastructure
Recognizing that research infrastructures (RIs) are at the centre of the knowledge triangle of research, education and innovation and play an increasingly important role in the advancement of knowledge and technology, the EU has financed the establishment of RIs through its Framework Programmes (FPs) since the start of FP2 in 1987. In addition, the EU assigned the European Strategy Forum on Research Infrastructures (ESFRI) to develop a coherent and strategy-led approach to policy-making on RIs between Member States and to facilitate the better use and development of RIs at EU and international level. Based on those efforts, the European Commission understood that a major difficulty in setting up RIs between EU countries is the lack of an adequate legal framework allowing the creation of appropriate partnerships, and proposed a legal framework for a European research infrastructure adapted to the needs of such facilities. The new legal framework for a European Research Infrastructure Consortium (ERIC) entered into force on 28 August 2009. A successfully established ERIC will have legal personality based on EU law, can benefit from exemptions from VAT and excise duty in all EU Member States, and may adopt its own procurement procedures instead of following the EU's public procurement procedures. It is predicted that the Biobanking and Biomolecular Resources Research Infrastructure (BBMRI) will apply to become a BBMRI-ERIC in the near future. The EU also seeks to lead in energy, food and biology through the reforms of ERICs, to support high-quality activities by European scientists and attract the best researchers from around the world.
Besides, in order to connect the knowledge triangle effectively, the European Commission also established the European Institute of Innovation and Technology (EIT) in March 2008. It hopes, through the research and development partnership network, to gather the advantages of the science and technology chains of multiple areas and to contribute jointly to the EU's innovation development strategy; meanwhile, it extends its roadmap to the objectives and practices of the Knowledge and Innovation Communities (KICs) of the EIT. In contrast with the EU's progress, our government needs to contemplate whether the existing legal instruments available to domestic research facilities and infrastructures are sufficient to reach our science and technology development goals.
Review of Taiwan's Existing Regulations on the Access to Biological Resources
Access to Taiwan's biological resources is governed to a certain extent, as described below.
1. Certain Biological Resources Controlled by Regulations
Taiwan's existing regulations empower the government to control access to biological resources within certain areas or for specific species. The National Park Law, the Forestry Act, and the Cultural Heritage Preservation Act indicate that the management authority can control access to animals and plants inside a National Park, National Park Control Area, recreational area, historical monument, special scenic area, or ecological protection area; forbid the logging of plants and resources within the necessary control area for logging and preserved forestry; or control the biological resources inside a natural preserved area. In terms of the scope of controlled resources, under the Wildlife Conservation Act and the Cultural Heritage Preservation Act, the governmental management authority is entitled to forbid the public from accessing general and protected wild animals, as well as plant and biological resources that are classified as natural monuments. Viewed from another angle, any access to resources in areas and of species other than those listed, such as wild plants or microorganisms, is not regulated. Therefore, Taiwan's management of access to biological resources does not cover the whole scope.
2. Access Permit and Entrance Permit
Taiwan's current management of biological resources adopts two kinds of schemes: an access permit scheme and an entrance permit scheme for specific areas. The permit gives the management authority the power to grant or reject the collection, hunting, or other activities by which people access resources. This scheme is similar to the international standard. The management systems for access to biological resources currently promoted by many countries and international organizations do not usually cover entrance into specific areas, because the scope of their access regulation applies to the whole nation. However, since Taiwan has not developed regulations specifically for access to bio-research resources, the import/export regulations in the existing Wildlife Conservation Act, National Park Law, Forestry Act, and Cultural Heritage Preservation Act may provide certain help if they are properly connected with the principle of the access and benefit sharing model, so that they help to urge people to share the research interests.
3. Special Treatments for Academic Research Purpose and Aborigines
Compared with access for the purpose of business operation, Taiwan's regulations favour research and development that involves collection and hunting for the purpose of academic research. The regulations grant permits for access to biological resources for activities of an academic research nature. For instance, the Wildlife Conservation Act, National Park Law, and the Cultural Heritage Preservation Act allow access to regulated biological resources if the academic research unit obtains a permit or simply informs the management authority. In addition, access by the aborigines is also protected by the Forestry Act, Cultural Heritage Preservation Act, and the Aboriginal Basic Act. The aborigines have the right to freely access biological resources such as plants, animals and fungi.
4. The Application of Prior Informed Consent (PIC)
On the topic of access to and benefit sharing of biological resources, PIC between interested parties has been the focus of international regulation. Similarly, when Taiwan was establishing the Aboriginal Basic Act, this principle was included to protect the aborigines' rights to be consulted, to agree, to participate and to share the interests. This conforms to the objective of the access and benefit sharing system.
5. To Research and Propose the Draft of Genetic Resources Act
The existing Wildlife Conservation Act, National Park Law, Forestry Act, Cultural Heritage Preservation Act, and Aboriginal Basic Act provide regulatory guidance for managing access to biological resources within a certain scope. Compared with the international system of access and benefit sharing, Taiwan's regulations cover only part of the international guidance. For instance, Taiwan has no regulation for the management of wild plants and microorganisms, so there is no regulation to restrict access to them. To enlarge the scope of management of access to Taiwan's biological resources, the government authority has authorized the related scholars to prepare the draft of the Genetic Resources Act. The aim of the Genetic Resources Act is to establish guidance for access to genetic resources and the sharing of interests in order to preserve the genetic resources. The draft provides that bio-prospecting activity should be classified as business or academic, with the premise of not interfering with traditional usages. After classification, the permit application should be conducted via either the general or the express process. During the permit application, the prospector, the management authority, and the owner of the prospected land should conclude an agreement jointly. In the event that the prospector wishes to apply for intellectual property rights, the prospector should disclose the origin of the genetic resources and provide legally effective documents showing how these resources were obtained. In addition, a Biodiversity Fund should be established to manage the profits derived from genetic resources. The import/export of genetic resources should also be regulated. Violators should be fined.
Blockchain and General Data Protection Regulation (GDPR) compliance issues (2019)
I. Brief
Blockchain technology can solve the problem of trust between data demanders and data providers. In a centralized mode, data demanders can only choose to believe that the centralized platform does not contain false information. In the decentralized mode, however, data isn’t controlled by one individual group or organization[1], and data demanders can directly verify information such as data source, time, and authorization on the blockchain without worrying about the correctness and authenticity of the data. Take “immutability” for example: it conflicts with the right to erasure (also known as the right to be forgotten) in the GDPR. With encryption and one-time pad (OTP) technology, data subjects can have data stored off-chain or modified at any time on a decentralized platform, so the problem of data on the blockchain not meeting the GDPR has gradually faded away.
II. What is GDPR?
The purpose of the EU GDPR is to protect users’ data and to prevent large-scale online platforms or large enterprises from collecting or using users’ data without their permission. Violators will be punished by the EU with fines of up to 20 million Euros (equal to 700 million NT dollars) or 4% of the worldwide annual revenue of the prior financial year. The aim is to promote the free movement of personal data within the European Union while maintaining an adequate level of data protection. It is a technology-neutral law: it applies to any type of technology used for processing personal data. The question of whether data on the blockchain complies with the GDPR has therefore been raised.
Since the blockchain is decentralized, one of its original design goals is to avoid a large amount of centralized data being abused. Blockchains can be divided into permissioned blockchains and permissionless blockchains. The former can also be called “private chains”, “alliance chains” or “enterprise chains”, meaning that no one can join the blockchain without consent. The latter can also be called “public chains”, meaning that anyone can participate on the chain without obtaining consent. Sometimes, a private chain is not completely decentralized. The demand for the use of blockchain has developed a hybrid of the two types of blockchain, called the “alliance chain”, which not only maintains the privacy of the private chain but also maintains the characteristics of public chains. The information on the alliance chain will be open and transparent, and this is in conflict with the application of the GDPR.
III. How does the GDPR apply to blockchain?
First, it should be determined whether the data on the blockchain is personal data protected by the GDPR. Second, what are the relationship and respective responsibilities of the data subject, data controller, and data processor? Finally, we discuss the common technical characteristics of blockchain and how the GDPR applies to them.
1. Is data on the blockchain personal data protected by the GDPR?
Starting from the technical characteristics of the blockchain, blockchain technology is commonly decentralized, anonymous, immutable, trackable and encrypted. The other five major characteristics are immutability, authenticity, transparency, uniqueness, and collective consensus. Further, the blockchain is an open, decentralized ledger technology that can effectively verify and permanently store transactions between two parties in a provable way. It is a distributed database: all users on the chain can access the database and its history, and can directly verify transaction records. Each node uses peer-to-peer transmission to upload or transfer information without third-party intermediation, which is the unique “decentralization” feature of the blockchain.
In addition, each node or user on the chain has a unique and identifiable address of more than 30 alphanumeric characters, but the user may choose to be anonymous or provide identification, which is also a feature of transparency with pseudonymity[2]. Records on the blockchain are also irreversible: once a transaction is recorded and updated on the chain, it is difficult to change and is permanently stored in the database, that is to say, it has the characteristic of “tamper-resistance”[3].
According to Article 4 (1) of the GDPR, “personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Therefore, if the data subject cannot be identified by the personal data on the blockchain, the data is anonymous data and the GDPR does not apply.
(1) What is Anonymization?
According to Opinion 05/2014 on Anonymization Techniques by the Article 29 Data Protection Working Party of the European Union, “anonymization” is a technique applied to personal data in order to achieve irreversible de-identification[4]. It also says that the “hash function” of blockchain is a pseudonymization technology, with which the personal data can possibly be re-identified. It is therefore not “anonymization”, and the data on the blockchain may still be personal data as stipulated by the GDPR. As the blockchain evolves, it will be possible to develop technologies that are not regulated by the GDPR, such as parts of the encryption process, which will be able to meet the anonymization requirements of the courts or European data protection authorities. There are also many technical compliance solutions in the industry, such as avoiding storing transaction data directly on the chain.
2. International data transmission
Furthermore, in accordance with Article 3 of the GDPR, “This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union”.[5] In other words, the GDPR applies only when the data on the blockchain is not anonymized and involves the processing of personal data of EU citizens.
3. Identification of data controllers and data processors
Therefore, if the encryption technology involves the public storage of EU citizens' personal data and passes it to a third-party controller, it may be identified as the “data controller” under Article 4 of the GDPR, and all nodes and miners of the platform may be deemed “co-controllers” of the data and bear joint responsibility with the data controller under the GDPR. For example, the parties can assert the right to have data deleted against the data controller. In addition, a blockchain operator may be identified as a “processor”. Take Backend as a Service (BaaS) products, for example: third parties provide network infrastructure for users and let users manage and store personal data. Such cloud service companies provide online services on behalf of customers and do not act as “data controllers”.
Some commentators believe that private chains or alliance chains, used for purposes such as land records transmission and inter-bank customer information sharing, are not completely decentralized compared to public chain applications such as cryptocurrencies (Bitcoin, for example), and are more likely to meet GDPR requirements[6]. For example, a private chain or alliance chain is a closed platform containing only a small number of trusted nodes, and is more effective in complying with the GDPR rules.
4. Data subject claims
In accordance with Article 17 of the GDPR, the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay on some grounds. Off-chain storage technology can help the blockchain industry comply with GDPR rules by allowing offline storage of personal data, or by allowing trusted nodes to delete the private key of encrypted information, which leaves data on the chain that cannot be read or identified. If the data meets the GDPR's definition of anonymization, there is no room for the GDPR to apply.
IV. Conclusion
In summary, it seems that the issues in applying the GDPR to blockchain may include: (a) the difficulty of identifying the data controllers and data processors after data subjects upload their data; and (b) the fact that decentralized storage is by nature transnational storage, which raises the question of whether the country where a node is located meets the “adequacy decision” of Article 45 of the GDPR. If it does not, it is then necessary to consider whether the transfer conforms to the transfers subject to appropriate safeguards of Article 46, or the derogations for specific situations of Article 49 of the GDPR.
Reference:
[1] How to Trade Cryptocurrency: A Guide for (Future) Millionaires, https://wikijob.com/trading/cryptocurrency/how-to-trade-cryptocurrency
[2] DONNA K. HAMMAKER, HEALTH RECORDS AND THE LAW 392 (5TH ED. 2018).
[3] Iansiti, Marco, and Karim R. Lakhani, The Truth about Blockchain, Harvard Business Review 95, no. 1 (January-February 2017): 118-125, available at https://hbr.org/2017/01/the-truth-about-blockchain
[4] Article 29 Data Protection Working Party, Opinion 05/2014 on Anonymisation Techniques (2014), https://www.pdpjournals.com/docs/88197.pdf
[5] Directive 95/46/EC (General Data Protection Regulation), https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN
[6] Queen Mary University of London, Are blockchains compatible with data privacy law? https://www.qmul.ac.uk/media/news/2018/hss/are-blockchains-compatible-with-data-privacy-law.html
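The article's points that a hash is only pseudonymization and that off-chain storage with key deletion can serve an erasure request, as an added example that is not part of the original article. All names and sample values are hypothetical and constructed, and because Python's standard library has no cipher, a per-record HMAC-SHA256 key stands in for the "private key of encrypted information".

```python
import hashlib
import hmac
import secrets

# Constructed sample values, not taken from the article.
CANDIDATES = ["alice@example.com", "bob@example.com", "carol@example.com"]

def plain_hash(personal_data: str) -> str:
    """Unkeyed hash written on-chain: the pseudonymization case."""
    return hashlib.sha256(personal_data.encode()).hexdigest()

def linkable_value(on_chain_value: str, candidates):
    """Return the candidate whose unkeyed hash equals the on-chain value, if any."""
    for candidate in candidates:
        if hmac.compare_digest(plain_hash(candidate), on_chain_value):
            return candidate
    return None

class OffChainStore:
    """Hypothetical off-chain store: personal data plus a random per-record key."""

    def __init__(self):
        self._records = {}  # on-chain tag -> (key, personal data)

    def register(self, personal_data: str) -> str:
        key = secrets.token_bytes(32)
        tag = hmac.new(key, personal_data.encode(), hashlib.sha256).hexdigest()
        self._records[tag] = (key, personal_data)
        return tag  # the only value written to the chain

    def verify(self, tag: str, personal_data: str) -> bool:
        record = self._records.get(tag)
        if record is None:  # erased or never registered
            return False
        expected = hmac.new(record[0], personal_data.encode(), hashlib.sha256)
        return hmac.compare_digest(expected.hexdigest(), tag)

    def erase(self, tag: str) -> bool:
        """Erasure request: drop the data and the key; the chain is untouched."""
        return self._records.pop(tag, None) is not None

def demo():
    ledger = []  # stands in for the immutable chain: append-only
    store = OffChainStore()
    ledger.append(plain_hash("alice@example.com"))    # unkeyed: stays linkable
    ledger.append(store.register("bob@example.com"))  # keyed: linkable only via key
    before = store.verify(ledger[1], "bob@example.com")
    store.erase(ledger[1])
    after = store.verify(ledger[1], "bob@example.com")
    return (linkable_value(ledger[0], CANDIDATES), before, after,
            linkable_value(ledger[1], CANDIDATES), len(ledger))
```

After `erase`, the ledger still holds both entries, but only the unkeyed hash can be matched to a person by recomputing hashes over candidate values.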