Introduction to Taiwan’s Guidelines for Implementing Decentralized Elements in Medicinal Product Clinical Trials

The Institutionalization of the Taiwan Personal Data Protection Committee - Triumph of Digital Constitutionalism: A Legal Positivism Analysis 2023/07/13 The Legislative Yuan recently passed an amendment to the Taiwan Personal Data Protection Act, which resulted in the institutionalization of the Taiwan Personal Data Protection Commission (hereunder the “PDPC”)[1]. This article aims to analyze the significance of this institutionalization from three different perspectives: legal positivism, digital constitutionalism, and Millian liberalism. By examining these frameworks, we can better understand the constitutional essence of sovereignty, the power dynamics among individuals, businesses, and governments, and the paradox of freedom that the PDPC addresses through governance and trust. I.Three Layers of Significance 1.Legal Positivism The institutionalization of the PDPC fully demonstrates the constitutional essence of sovereignty in the hands of citizens. Legal positivism emphasizes the importance of recognizing and obeying (the sovereign, of which it is obeyed by all but does not itself obey to anyone else, as Austin claims) laws that are enacted by legitimate authorities[2]. In this context, the institutionalization of the PDPC signifies the recognition of citizens' rights to control their personal data and the acknowledgment of the sovereign in protecting their privacy. It underscores the idea that the power to govern personal data rests with the individuals themselves, reinforcing the principles of legal positivism regarding sovereign Moreover, legal positivism recognizes the authority of the state in creating and enforcing laws. The institutionalization of the PDPC as a specialized commission with the power to regulate and enforce personal data protection laws represents the state's recognition of the need to address the challenges posed by the digital age. By investing the PDPC with the authority to oversee the proper handling and use of personal data, the state acknowledges its responsibility to protect the rights and interests of its citizens. 2.Digital Constitutionalism The institutionalization of the PDPC also rebalances the power structure among individuals, businesses, and governments in the digital realm[3]. Digital constitutionalism refers to the principles and norms that govern the relationship between individuals and the digital sphere, ensuring the protection of rights and liberties[4]. With the rise of technology and the increasing collection and use of personal data, individuals often find themselves at a disadvantage compared to powerful entities such as corporations and governments[5]. However, the PDPC acts as a regulatory body that safeguards individuals' interests, rectifying the power imbalances and promoting digital constitutionalism. By establishing clear rules and regulations regarding the collection, use, and transfer of personal data, the PDPC may set a framework that ensures the protection of individuals' privacy and data rights. It may enforce accountability among businesses and governments, holding them responsible for their data practices and creating a level playing field where individuals have a say in how their personal data is handled. 3.Millian Liberalism The need for the institutionalization of the PDPC embodies the paradox of freedom, as raised in John Stuart Mill’s “On Liberty”[6], where Mill recognizes that absolute freedom can lead to the infringement of others' rights and well-being. In this context, the institutionalization of the PDPC acknowledges the necessity of governance to mitigate the risks associated with personal data protection. In the digital age, the vast amount of personal data collected and processed by various entities raises concerns about privacy, security, and potential misuse. The institutionalization of the PDPC represents a commitment to address these concerns through responsible governance. By setting up rules, regulations, and enforcement mechanisms, the PDPC ensures that individuals' freedoms are preserved without compromising the rights and privacy of others. It strikes a delicate balance between individual autonomy and the broader social interest, shedding light on the paradox of freedom. II.Legal Positivism: Function and Authority of the PDPC 1.John Austin's Concept of Legal Positivism: Sovereignty, Punishment, Order To understand the function and authority of the PDPC, we turn to John Austin's concept of legal positivism. Austin posited that laws are commands issued by a sovereign authority and backed by sanctions[7]. Sovereignty entails the power to make and enforce laws within a given jurisdiction. In the case of the PDPC, its institutionalization by the Legislative Yuan reflects the recognition of its authority to create and enforce regulations concerning personal data protection. The PDPC, as an independent and specialized committee, possesses the necessary jurisdiction and competence to ensure compliance with the law, administer punishments for violations, and maintain order in the realm of personal data protection. 2.Dire Need for the Institutionalization of the PDPC There has been a dire need for the establishment of the PDPC following the Constitutional Court's decision in August 2022, holding that the government needed to establish a specific agency in charge of personal data-related issues[8]. This need reflects John Austin's concept of legal positivism, as it highlights the demand for a legitimate and authoritative body to regulate and oversee personal data protection. The PDPC's institutionalization serves as a response to the growing concerns surrounding data privacy, security breaches, and the increasing reliance on digital platforms. It signifies the de facto recognition of the need for a dedicated institution to safeguard the individual’s personal data rights, reinforcing the principles of legal positivism. Furthermore, the institutionalization of the PDPC demonstrates the responsiveness of the legislative branch to the evolving challenges posed by the digital age. The amendment to the Taiwan Personal Data Protection Act and the subsequent institutionalization of the PDPC are the outcomes of a democratic process, reflecting the will of the people and their desire for enhanced data protection measures. It signifies a commitment to uphold the rule of law and ensure the protection of citizens' rights in the face of emerging technologies and their impact on privacy. 3.Authority to Define Cross-Border Transfer of Personal Data Upon the establishment of the PDPC, it's authority to define what constitutes a cross-border transfer of personal data under Article 21 of the Personal Data Protection Act will then align with John Austin's theory on order. According to Austin, laws bring about order by regulating behavior and ensuring predictability in society. By granting the PDPC the power to determine cross-border data transfers, the legal framework brings clarity and consistency to the process. This promotes order by establishing clear guidelines and standards, reducing uncertainty, and enhancing the protection of personal data in the context of international data transfers. The PDPC's authority in this regard reflects the recognition of the need to regulate and monitor the cross-border transfer of personal data to protect individuals' privacy and prevent unauthorized use or abuse of their information. It ensures that the transfer of personal data across borders adheres to legal and ethical standards, contributing to the institutionalization of a comprehensive framework for cross-border data transfer. III.Conclusion In conclusion, the institutionalization of the Taiwan Personal Data Protection Committee represents the convergence of legal positivism, digital constitutionalism, and Millian liberalism. It signifies the recognition of citizens' sovereignty over their personal data, rebalances power dynamics in the digital realm, and addresses the paradox of freedom through responsible governance. By analyzing the PDPC's function and authority in the context of legal positivism, we understand its role as a regulatory body to maintain order and uphold the principles of legal positivism. The institutionalization of the PDPC serves as a milestone in Taiwan's commitment to protect individuals' personal data and safeguard the digital rights. In essence, the institutionalization of the Taiwan Personal Data Protection Committee represents a triumph of digital constitutionalism, where individuals' rights and interests are safeguarded, and power imbalances are rectified. It also embodies the recognition of the paradox of freedom and the need for responsible governance in the digital age in Taiwan. Reference: [1] Lin Ching-yin & Evelyn Yang, Bill to establish data protection agency clears legislative floor, CNA English News, FOCUS TAIWAN, May 16, 2023, https://focustaiwan.tw/society/202305160014 (last visited, July 13, 2023). [2] Legal positivism, Stanford Encyclopedia of Philosophy, https://plato.stanford.edu/entries/legal-positivism/?utm_source=fbia (last visited July 13, 2023). [3] Edoardo Celeste, Digital constitutionalism: how fundamental rights are turning digital, (2023): 13-36, https://doras.dcu.ie/28151/1/2023_Celeste_DIGITAL%20CONSTITUTIONALISM_%20HOW%20FUNDAMENTAL%20RIGHTS%20ARE%20TURNING%20DIGITAL.pdf (last visited July 3, 2023). [4] GIOVANNI DE GREGORIO, DIGITAL CONSTITUTIONALISM IN EUROPE: REFRAMING RIGHTS AND POWERS IN THE ALGORITHMIC SOCIETY 218 (2022). [5] Celeste Edoardo, Digital constitutionalism: how fundamental rights are turning digital (2023), https://doras.dcu.ie/28151/1/2023_Celeste_DIGITAL%20CONSTITUTIONALISM_%20HOW%20FUNDAMENTAL%20RIGHTS%20ARE%20TURNING%20DIGITAL.pdf (last visited July 13, 2023). [6]JOHN STUART MILL,On Liberty (1859), https://openlibrary-repo.ecampusontario.ca/jspui/bitstream/123456789/1310/1/On-Liberty-1645644599.pdf (last visited July 13, 2023). [7] Legal positivism, Stanford Encyclopedia of Philosophy, https://plato.stanford.edu/entries/legal-positivism/?utm_source=fbia (last visited July 13, 2023). [8] Lin Ching-yin & Evelyn Yang, Bill to establish data protection agency clears legislative floor, CNA English News, FOCUS TAIWAN, May 16, 2023, https://focustaiwan.tw/society/202305160014 (last visited, July 13, 2023).

Shifting AI Governance in East Asia: AI Legislative Progress in Japan, South Korea and Taiwan 2025/09/09 Keywords: artificial intelligence, artificial intelligence regulation I.Introduction The landscape of AI governance in East Asia is changing, with two new AI laws enacted and one on the way. In South Korea, an act titled “the Basic Act on the Development of Artificial Intelligence and the Establishment of Foundation for Trustworthiness“ (“인공지능 발전과 신뢰 기반 조성 등에 관한 기본법”, henceforth referred to as “South Korea’s AI Act” or “SKAIA”)[1]was approved on December 26[2], 2024 and promulgated on January 21, 2025. The AI Basic Act is designed to establish a national AI governance framework and systematically foster the AI industry while preventing potential AI risks.[3]A few months later, Japan’s first law regulating AI was passed by the National Diet on May 28, 2025. The new law is titled "the Act on Promotion of Research and Development, and Utilization of AI-related Technology" (“人工知能関連技術の研究開発及び活用の推進に関する法律”, henceforth referred to as "Japan's AI Act" or "JAIA")[4], which reflects the strong will of the government to catch up in the global AI race.[5] Elsewhere in the region, Taiwan’s Executive Yuan finally passed its draft AI Basic Act (“人工智慧基本法草案”) on August 28[6] [7], which must now be submitted to the Legislative Yuan for deliberation. The government hopes the new law will lay the foundation for establishing Taiwan as an AI island and a key driving force in global AI development.[8] This article will give a quick overview of the key features of the three new AI regulations to illustrate the new landscape these countries are shaping in AI governance. II.Key features of Japan’s AI Act (JAIA) 1.Purpose and principles of JAIA Given Japan's lagging AI development and rising public concerns, JAIA reflects the government's worry about falling behind global peers in AI investment and adoption.[9] It is believed that new laws are needed in addition to existing laws and regulations to promote innovation and address risks.[10] Hence JAIA aims to advance the R&D and application of AI through the formulation of basic principles and plans, and the establishment of an "AI Strategic Headquarters".[11] JAIA establishes basic principles for the promotion of the R&D and application of AI-related technologies[12], including enhancing industry R&D capabilities and competitiveness, systematically promoting AI collaboration from research to application with transparency, and enabling Japan to shape global norms through international cooperation.[13] 2.Industry Development and Promotion JAIA requires the government to develop a National AI Basic Plan, in accordance with the basic principles, to promote the R&D and application of AI. The AI Basic Plan should set out fundamental policy guidelines and measures to comprehensively and systemically advance the R&D and application of AI-related technologies, along with other necessary provisions.[14] JAIA also specifies basic measures to be included in the plan, which cover issues of promotion of R&D, expansion and sharing of facilities and data, human resources and education, international engagement in AI norm setting, and domestic guidelines making. In addition, the government should monitor AI technology trends and analyze cases of rights violations from improper AI use to develop countermeasures and provide guidance accordingly.[15] 3.Governance JAIA stipulates that an AI Strategy Headquarters should be established under the Cabinet, composed of all cabinet members and headed by the Prime Minister.[16] The AI Strategic Headquarters is tasked with comprehensively and systematically advancing AI-related technology R&D and application policies, including the formulation, promotion, and implementation of AI Basic Plans and other related initiatives.[17] The Act also empowers the AI Strategy Headquarters to invite stakeholders to provide information, opinions or explanations, and other necessary assistance.[18] 4.Risk managements and rights protection JAIA does not impose direct compliance obligations, but AI companies and research institutions are required to cooperate with government investigations and follow government guidance in cases involving violations of human rights and interests.[19] 5.Implementation of JAIA and Follow-up Work JAIA came into force in May 2025. The Japanese government is required to develop guidelines that align with international standards and launch the Strategic Headquarters for the preparation and implementation of the National AI Basic Plan. III.Key features of the South Korea’s AI Act (SKAIA) 1.Purpose and principles of SKAIA SKAIA is designed to establish a foundation for AI development and trustworthiness, increasing citizens’ rights and interests protection, quality of life, and the country’s competitiveness.[20] It focuses on advancing national AI collaboration to foster a flourishing AI sector and developing legal frameworks to mitigate risks.[21] Accordingly, the Act establishes basic AI development principles: prioritizing safety and reliability to improve quality of life, and ensuring those affected by AI output receive clear, meaningful explanations within reasonable parameters.[22] 2.Industry development and promotion Supporting AI technology and industry development is a key feature of SKAIA. It establishes comprehensive measures covering technology development, industry revitalization, SME support, industrial foundations, talent cultivation, regulatory adaptation, and international cooperation.[23] 3.Governance SKAIA also strengthens the institutional framework for AI governance. The Ministry of Science and ICT (henceforth referred to as “MSIT”) is mandated to execute an AI Master Plan every three years and empowered to investigate violations, require corrective action, and impose fines on non-compliant entities.[24] The National AI Committee is authorized to review and decide on the AI Master Plan and AI-related matters, making it the highest decision-making body for South Korea's AI policies. It is composed of the heads of central administrative agencies and civilian AI experts appointed by the president.[25] SKAIA also establishes the AI Policy Center to support MSIT on AI policy formulation, and the AI Safety Institute for AI safety matters.[26] 4.Risk management and rights protection SKAIA imposes specific obligations on operators of high-impact AI and generative AI systems. All operators must ensure system transparency and safety, while high-impact AI operators face additional responsibilities including conducting fundamental rights impact assessments.[27] High-impact AI systems are defined as AI systems that have a significant impact on or may pose a risk to human life, safety, and fundamental rights and are mainly utilized in critical infrastructure sectors and human rights-sensitive areas, or other areas specified by presidential decree.[28] The procedure for determining whether an AI system qualifies as high-impact AI will be established through subordinate legislation.[29] 5.Implementation of SKAIA and Follow-up Work SKAIA will come into effect on January 1, 2026 and the formulation of subordinate statutes that detail enforcement mechanisms and guidelines should be expedited. However, domestic critics argue that corporate obligation provisions may hinder AI development and advocate for postponing their implementation.[30] Actually, an amendment to the Act was proposed in April 2025, seeking such a postponement along with a three-year grace period.[31] IV. Key features of Taiwan’s draft AI Basic Act 1.Purpose and Principles of the draft AI Basic Act[32] Taiwan adopts a relatively conservative approach to AI policy and measures to boost industrial development have long occupied the agenda of AI governance. Given that AI is a crucial technology for national development, the draft AI Basic Act (henceforth referred to as "the draft Act") seeks to ensure that AI technology develops vigorously in a human-centered approach, encourage innovation while considering human rights, and safeguard Taiwan’s national sovereignty and cultural values.[33] Hence, the draft Act establishes seven guiding principles in line with international norms, which are sustainability, human autonomy, privacy protection and data governance, security, transparency and explainability, fairness and accountability.[34] 2.Industry Development and Promotion It is the government’s responsibility to promote the R&D and application of AI and construct the infrastructure needed.[35] In order to facilitate AI innovations, competent authorities may provide a controlled environment for testing and validating AI innovation products and services before they are released to the market or put into use.[36] Considering the wide scope of AI application and development, the government is encouraged to collaborate with the private sector, including through public-private partnerships, and should promote international cooperation on AI matters.[37] The government should also continue to comprehensively promote AI education at all levels to enhance the public's AI literacy.[38] Data is crucial for AI development, so the draft Act mandates the government to establish mechanisms to enhance data availability, and measures to facilitate AI outputs that maintain the country's multicultural values, and protect intellectual property rights.[39] 3.Risk Management and Rights Protection (1) Risk Management The draft Act includes several provisions addressing AI risks. The government should take steps to prevent AI from being used for illegal purposes. For example, Ministry of Digital Affairs (MODA) and other relevant agencies may provide or recommend tools or methods for AI evaluation and verification to avoid misuse of AI.[40] Secondly, MODA is mandated to foster an AI risk classification framework, based on which sectoral competent authorities should establish risk-based tiered management standards.[41] Thirdly, the government may, through binding regulations or non-binding administrative guidance, promote safety standards, verification, transparent and explainable traceability, or accountability mechanisms to enhance the trustworthiness of AI development and application.[42] Lastly, the government should clarify the ownership and conditions of liability for high-risk AI applications and establish relevant mechanisms for relief, compensation or insurance to protect affected parties.[43] However, AI application responsibility norms would not apply to pre-release activities in order to support technological innovation.[44] [45] (2) Rights Protection The draft Act concerns not only the privacy rights of individuals but also labor rights. The government should ensure the protection of personal data used throughout the AI lifecycle on the one hand[46] , and also protect workers' rights and provide necessary assistance to help them adapt to technological changes, especially those who have lost their jobs due to AI use.[47] 4.Governance and Implementation Despite the heated debate regarding the designation of a dedicated AI regulatory authority in the country, the Executive Yuan decided against establishing such an authority, given AI's cross-ministerial nature. Relevant competent authorities will be responsible for formulating implementing regulations and guidelines and the Executive Yuan will continue to guide relevant agencies and departments at all levels through the existing Digital Legal Coordination Meeting to facilitate the development of AI.[48] V.Analysis and conclusion Japan, South Korea and Taiwan all seek to maintain the countries' momentum in promoting AI development through AI legislation. The three parties all emphasize trustworthy AI, though they actually place greater emphasis on AI development. They share considerable common ground in the policies to foster AI industry development, such as promoting AI R&D and application and supporting infrastructure-building, and diverge in their approaches to addressing potential AI-related risks and governance structure. Japan adopts a ‘light touch’ regulatory approach to AI regulation, maintaining coherent policy coordination that responds to domestic imperatives and global trends without imposing regulatory burdens on industries.[49] The country favors a soft approach with governmental guidance. In contrast, South Korea incorporates regulatory provisions specifically targeting high-impact AI systems in its AI Basic Act, seeking to balance between enhancing national competitiveness through AI and mitigating potential risks stemming from AI misuse, though this approach actually faces some domestic opposition currently. Taiwan adopts an approach similar to Japan's. The draft AI Basic Act avoids imposing regulatory obligations, and the government will prioritize AI verification and evaluation mechanisms to ensure trustworthy AI development. Regarding governance approaches, both Japan and South Korea seek to strengthen governmental AI governance functions through legislation, with Japan establishing an AI Strategic Headquarters and South Korea creating an AI Committee, both operating under their respective Cabinets. In contrast, Taiwan's draft AI Basic Act does not address governance structural matters. Given the profound societal transformations that AI technology may bring, all three East Asian countries recognize the importance of sustained AI advancement while acknowledging the critical need to ensure AI safety and trustworthiness to protect human rights. In an era of intense global AI competition, it seems to be the best policy for governments to carefully design AI policies that strike a balance between fostering innovation and safeguarding human rights. This cautious approach is essential as significant challenges remain and AI risks demand comprehensive solutions. Reference: [1] 인공지능 발전과 신뢰 기반 조성 등에 관한 기본법（법률 제20676호, 2025. 1. 21, 제정），법제처 국가법령정보센터，https://www.law.go.kr/%EB%B2%95%EB%A0%B9/%EC%9D%B8%EA%B3%B5%EC%A7%80%EB%8A%A5%20%EB%B0% 9C%EC%A0%84%EA%B3%BC%20%EC%8B%A0%EB%A2%B0%20%EA%B8%B0%EB%B0%98%20%EC%A1%B0%EC% 84%B1%20%EB%93%B1%EC%97%90%20%EA%B4%80%ED%95%9C%20%EA%B8%B0%EB%B3%B8%EB%B2%95/(206 76,20250121) （最後瀏覽日：2025/09/11）。 [2] A New Chapter in the Age of AI: Basic Act on AI Passed at the National Assembly‘s Plenary Session, Ministry of Science and ICT, https://www.msit.go.kr/eng/bbs/view.do?sCode=eng&mId=4&mPid=2&pageIndex=&bbsSeqNo=42&nttSeqNo=1071&searchOpt=ALL&searchTxt= (last visited Sept. 11, 2025). [3] A New Chapter in the Age of AI: Basic Act on AI Passed at the National Assembly‘s Plenary Session, Ministry of Science and ICT, https://www.msit.go.kr/eng/bbs/view.do?sCode=eng&mId=4&mPid=2&pageIndex=&bbsSeqNo=42&nttSeqNo=1071&searchOpt=ALL&searchTxt= (last visited Sept. 11, 2025). [4] 人工知能関連技術の研究開発及び活用の推進に関する法律（令和7年法律第53号），e-Gov法令検索，https://laws.e-gov.go.jp/law/507AC0000000053（最後瀏覽日：2025/09/11）。 [5] CABINET OFFICE, GOVERNMENT OF JAPAN, Outline of the Act on Promotion of Research and Development, and Utilization of AI-related Technology (AI Act), https://www8.cao.go.jp/cstp/ai/ai_hou_gaiyou_en.pdf (last visited Sept. 11, 2025). [6] 〈政院通過「人工智慧基本法」草案 建構AI發展與應用良善環境 打造臺灣成為AI人工智慧島〉，行政院，https://www.ey.gov.tw/Page/9277F759E41CCD91/5d673d1e-f418-47dc-ab35-a06600f77f07（最後瀏覽日：2025/09/09）。 [7] There are other AI bills brought up by legislators in the Legislative Yuan. The purpose of this article is to analyze the AI governance priorities of the governments of Japan, South Korea, and Taiwan; therefore, other AI bills proposed by legislators are not included in the discussion. [8] 蘇文彬，〈行政院通過AI基本法草案，將不設立AI專責機關〉，iThome，2025/08/28，https://www.ithome.com.tw/news/170874 (最後瀏覽日：2025/09/09)。 [9] Japan’s AI Bill Advances Toward Enactment, Connect on Tech (May 27, 2025), https://connectontech.bakermckenzie.com/japans-ai-bill-advances-toward-enactment/ (last visited Sept. 9, 2025). [10] 松尾剛行，〈【2025年施行】AI新法とは？AIの研究開発・利活用を推進する法律を分かりやすく解説！〉，Keiyaku-Watch，https://keiyaku-watch.jp/media/hourei/2025-ai-law/（最後瀏覽日：2025/09/11）。 [11] 人工知能関連技術の研究開発及び活用の推進に関する法律（令和7年法律第53号）第1条。 [12] 人工知能関連技術の研究開発及び活用の推進に関する法律（令和7年法律第53号）第3条。 [13] Japan Enacts AI Promotion Act: Overview and Implications for Businesses, Zelo Law Square (May, 2025), https://zelojapan.com/en/lawsquare/56899 (last visited Sept. 9, 2025). [14] 人工知能関連技術の研究開発及び活用の推進に関する法律（令和7年法律第53号）第18条。 [15] 人工知能関連技術の研究開発及び活用の推進に関する法律（令和7年法律第53号）第11-17条。 [16] 人工知能関連技術の研究開発及び活用の推進に関する法律（令和7年法律第53号）第19、21-24条。 [17] 人工知能関連技術の研究開発及び活用の推進に関する法律（令和7年法律第53号）第20条。 [18] 人工知能関連技術の研究開発及び活用の推進に関する法律（令和7年法律第53号）第25条。 [19] 人工知能関連技術の研究開発及び活用の推進に関する法律（令和7年法律第53号）第16条。 [20] 인공지능 발전과 신뢰 기반 조성 등에 관한 기본법，제1조。 [21] The Korean AI Basic Act: Asia’s First Comprehensive Framework on AI, Lexology (Mar. 17, 2025), https://www.lexology.com/library/detail.aspx?g=f91ff0fb-94ed-4aa9-b667-65d6206a7227 (last visited Sept. 9, 2025). [22] 인공지능 발전과 신뢰 기반 조성 등에 관한 기본법，제3조。 [23] 인공지능 발전과 신뢰 기반 조성 등에 관한 기본법，제13-26조。 [24] 인공지능 발전과 신뢰 기반 조성 등에 관한 기본법，제40조。 [25] 인공지능 발전과 신뢰 기반 조성 등에 관한 기본법，제7조。 [26] 인공지능 발전과 신뢰 기반 조성 등에 관한 기본법，제6-12조。 [27] 인공지능 발전과 신뢰 기반 조성 등에 관한 기본법，제31-32조。 [28] 인공지능 발전과 신뢰 기반 조성 등에 관한 기본법，제4조。 [29] 인공지능 발전과 신뢰 기반 조성 등에 관한 기본법，제33조。 [30] Seungmin (Helen) Lee, South Korea’s Evolving AI Regulations, Stimson (June 12, 2025), https://www.stimson.org/2025/south-koreas-evolving-ai-regulations/ (last visited Sept. 9, 2025). [31] 〈인공지능 발전과 신뢰 기반 조성 등에 관한 기본법 일부개정법률안〉，대한민국국회，https://likms.assembly.go.kr/bill/bi/billDetailPage.do?billId=PRC_N2M5K0S3R2R0Q1O3X5X1W1U1T7P3Q6&currMenuNo=2600044（最後瀏覽日：2025/09/09）。 [32] 〈政院通過「人工智慧基本法」草案 建構AI發展與應用良善環境 打造臺灣成為AI人工智慧島〉，行政院，https://www.ey.gov.tw/Page/9277F759E41CCD91/5d673d1e-f418-47dc-ab35-a06600f77f07（最後瀏覽日：2025/09/09）。 [33] 人工智慧基本法草案第1條。 [34] 人工智慧基本法草案第3條。 [35] 人工智慧基本法草案第4條。 [36] 人工智慧基本法草案第5條。 [37] 人工智慧基本法草案第6條。 [38] 人工智慧基本法草案第7條。 [39] 人工智慧基本法草案第14條。 [40] 人工智慧基本法草案第8條。 [41] 人工智慧基本法草案第9條。 [42] 人工智慧基本法草案第10條。 [43] 人工智慧基本法草案第11條。 [44] 人工智慧基本法草案第11條。 [45] See also: Taiwan Rolls Out Draft Artificial Intelligence Law, OCACNEWS, July 18, 2024, https://ocacnews.net/article/374412 (last visited Sept. 3, 2025). [46] 人工智慧基本法草案第14條。 [47] 人工智慧基本法草案第12條。 [48] 蘇文彬，〈行政院通過AI基本法草案，將不設立AI專責機關〉，iThome，2025/08/28，https://www.ithome.com.tw/news/170874 (最後瀏覽日：2025/09/09)。 [49] Sun Ryung Park, Less Regulation, More Innovation in Japan’s AI Governance, East Asia Forum (May 21, 2025), https://eastasiaforum.org/2025/05/21/less-regulation-more-innovation-in-japans-ai-governance/ (last visited July 4, 2025).

After the European Union's Artificial Intelligence Law, the draft of AI Basic Law is announced in Taiwan. 2024/09/19 Countries around the world are currently seeking to establish AI governance principles. The U.S. currently has only AI executive orders and state bills, and the European Union (EU) first AI law came into effect in August 2024. Taiwan has announced a draft of AI Basic Law for public comments on July 15, 2024, which, if passed by the Legislative Yuan, will become the world's second special legislation on AI. Taiwan's Coming AI Basic Law - Legislative Development and Progress With the successful conclusion of the 2024 Paris Olympics, AI technology has demonstrated its potential on the global stage, bringing new experiences to the public in varied areas, such as sport competition analysis, athlete training, and referee assisting, and showing that AI has also crossed over into the sports industry, in addition to its known applications in areas such as healthcare, finance, transportation, arts and culture fields. As AI will be apply in various industries, it may also bring new risks or impacts to individuals or society. Countries are seeking to establish guidelines and principles for AI governance. The EU’s Artificial Intelligence Act, which was announced to take effect in August 2024. Even in the AI pioneer, the U.S., there are currently only U.S. President’s AI Executive Orders and bills introduced by Congress or state governments. When Taiwan President Lai announced the promotion of the Island of Artificial Intelligence, Taiwan also had a draft of the AI Basic Law announced for public comments by the National Science and Technology Council (NSTC) on July 15, 2024, proposing the principles of basic values for the development of AI in Taiwan. What is the Basic Law in Taiwan? There are 11 basic laws/acts in Taiwan, including the Fundamental Science and Technology Act, and the Ocean Basic Act, etc. A basic law/act is a legislative model of principle, progress, or guideline for a specific important matter. The AI Basic Law serves as a declaration of policy integration, reveals the government's goals and principles, and regulates the executive branch without directly regulating the people, or deriving the rights for substantive claims. Why Taiwan need a Basic Law on Artificial Intelligence? AI is evolving rapidly, and its applications are spreading to a wider range of areas. If all sectors and administrations have different values, there will be no way for a country to develop AI. NSTC has announced a total of 18 articles in the draft, in Article 3 first set out 7 common principles, such as human autonomy, from the AI research and development to the final market application must comply with the basic values; and in the following provisions of Article 4 to declare that the government's 4 major promotional focuses. The most important provision is found in Article 17, which requires that government ministries should review and adjust the functions, businesses and regulations under their scope in accordance with the Basic Law, so as to enable the executive branch to accelerate its response to the changes brought about by AI, and to share a common set of values: the promotion of innovation while taking human rights into consideration. 7 basic principles The draft AI Basic Law in the announcement contains the following 7 basic principles: 1. Sustainable development and well-being: Social equity and environmental sustainability should be taken into account. Appropriate education and training should be provided to minimize the possible digital gap, so that people can adapt to the changes brought about by AI. 2. Human autonomy: It shall support human autonomy, respect for fundamental human rights and cultural values such as the right to personal integrity, and allow for human oversight, thereby implementing a human-based approach that upholds the rule of law and democratic values. 3. Privacy Protection and Data Governance: The privacy of personal data should be properly protected to avoid the risk of data leakage, and the principle of data minimization should be adopted; at the same time, the opening and reuse of non-sensitive data should be promoted. 4. Security and safety: In the process of AI research and development and application, security measures should be established to prevent security threats and attacks and to ensure the robustness and safety of the system. 5. Transparency and explainability: The output of AI should be appropriately disclosed or labeled to facilitate the assessment of possible risks and the understanding of the impact on related rights and interests, thereby enhancing the trustworthiness of AI. 6. Fairness and non-discrimination: In the process of AI research and development and application, the risks of bias and discrimination in algorithms should be avoided as much as possible, and should not lead to discriminatory results for specific groups. 7. Accountability: Ensure the assumption of corresponding responsibilities, including internal governance responsibilities and external social responsibilities. 4 key areas of promotion 1. Innovative Collaboration and Talent Cultivation: Ensuring the resources and talent needed for AI. 2. Risk management and application responsibility: Risks must be identified and managed before AI systems can be safely applied. 3. Protection of rights and access to data: People's basic rights, such as privacy, cannot be compromised. 4. Regulatory Adaptation and Business Review: Policies and regulations must be agile to keep pace with AI development. The AI Basic Law is paving the way for Taiwan's future opportunities and challenges. AI development requires sufficient resources, data and a friendly environment; to ensure the safe application of AI, it is necessary to first identify and plan for different possible risks, and the draft AI Basic Law has initially drawn a blueprint for the above innovative development and safe application. In the future, various government ministries will need to work together to keep up with the wave of AI innovation in terms of business and legal regulations for multiple fields and industries. It is believed that Taiwan can leverage the advantages in the semiconductor industry and talent resources to gain a favorable global strategic position for the development of AI, as well as to help achieve the goal of "AI for good" to enhance the well-being of Taiwan people through a sound legal environment.

I.Summary In 1995, the Computer-Processed Personal Data Protection Law was implemented in the Republic of China. With the constant development of information technology and the limitations in the application of the legislation, the design of the original legal system is no longer consistent with practical requirements. Considering the increasing number of incidents of personal data leaks, discussions were carried out over a long period of time and the new version of the Personal Information Protection Act was passed after three readings in April, 2010. The title of the law was changed to Personal Information Protection Act. The new system has been officially implemented since 1 October, 2012. The new Act not only revised the provisions of the law in a comprehensive way, but also significantly increased the obligations and responsibilities of enterprises. In terms of civil liability, the maximum amount of compensation for a single incident is 200 Million NTD. For domestic industries, how to effectively respond to the requirements under the Personal Information Protection Act and adopt proper corresponding measures to lower the risk has become a key task for enterprise operation. II. Main Points 1. Implementation of the Enforcement Rules of the Personal Information Protection Act Personal information protection can be said the most concerned issue in Taiwan recently. As a matter of fact, the Computer-Processed Personal Data Protection Law was established in Taiwan as early as August 1995. After more than 10 years of development, computer and information technology has evolved significantly, and many emerging business models such as E-commerce are extensively collecting personal data. It has become increasingly important to properly protect personal privacy. However, the previous Computer-Processed Personal Data Protection Law was only applicable to certain industries, i.e. the following 8 specific industries: the credit investigation business, hospital, school, telecommunication business, financial business, securities business, insurance business, and mass media. And other business was designated by the Ministry of Justice and the central government authorities in charge of concerned enterprises. In addition, the law only protected personal information that was processed by “computer or automatic equipment”. Personal information that was not computer processed was not included. There were clearly no sufficient regulations for the protection of personal data privacy and interest. There were numerous incidents of personal data leaks. Among the top 10 consumer news issued by the Consumer Protection Committee of the Executive Yuan in 2007, “incidents of personal data leaks through E-commerce and TV shopping” was on the top of the list. This provoked the Ministry of Justice and the Ministry of Economic Affairs to “jointly designate” the retail industry without physical boutique (including 3 transaction models: online shopping, catalogue shopping and TV shopping) to be governed by the Computer-Processed Personal Data Protection Law since 1 July 2010. To allow the provisions of the personal information protection legal system to meet the environment of rapid change, the Executive Yuan proposed a Draft Amendment to the Computer-Processed Personal Data Protection Law very early and changed the title to the Personal Information Protection Act. The draft was discussed many times in the Legislative Yuan. Personal Information Protection Act was finally passed after three readings in April 2010, which was officially published by the Office of the President on 26 May. Although the new law was passed in April 2010, to allow sufficient time for enterprises and the public to understand and comply the new law, the new version of the personal information protection law was not implemented on the date of publication. In accordance with Article 56 of the Act, the date of implementation was to be further established by the Executive Yuan. After discussions over a long period of time, the Executive Yuan decided for the Personal Information Protection Act to be officially implemented on 1 October 2012. However, the implementation of two articles is withheld: Article 6 of the Act about the principal prohibition against the collection, processing and use of special personal information and Article 54 about the obligation to notice the Party within one year for personal information indirectly acquired before the implementation of the new law. In terms of the personal data protection legal system, other than the most important Personal Data Protection Act, the enforcement rules established in accordance with the main law also play a key role. The previous Enforcement Rules of the Computer-Processed Personal Data Protection Law were published and implemented on 1 May, 1996. Considering that the Computer-Processed Personal Data Protection Law was amended in 2010 and that its title has been changed to the Personal Data Protection Act, the Ministry of Justice also followed the amended provisions under the new law and actively studied the Draft Amendment to the Enforcement Rules of the Computer-Processed Personal Data Protection Act. After it was confirmed that the new version of the Personal Data Protection Act would be officially launched on 1 October 2012, the Ministry of Justice announced officially the amended enforcement rules on 26 September, 2012. The title of the enforcement rules was also amended to the Enforcement Rules of the Personal Data Protection Act. The new version of personal data protection law and enforcement rules was thus officially launched, creating a brand new era for the promotion of personal data protection in Taiwan. II. Personal Data Administration System and Information Privacy Protection Charter Before the amendment to the Personal Data Protection Act was passed, the Legislative Yuan made a proposal to the government in June 2008 to promote a privacy administration and protection certification system in Taiwan, in reference to foreign practices. In August of the following year, the Strategic Review Board of the Executive Yuan passed a resolution to promote the E-Commerce Personal Data Administration and Information Security Action Plan. In December of the same year, approval was granted for the plan to be included in the key government promotion plans from 2010 to 2013. Based on this action plan, since October 2010, the Ministry of Economic Affairs has asked the Institution for Information Industry to execute an E-Commerce Personal Data Administration System Setup Plan. Since 2012, the E-Commerce Personal Data Administration System Promotion Plan and the Taiwan Personal Information Protection and Administration System (TPIPAS) have been established and promoted, with the objective of procuring enterprises to, while complying with the personal data protection legal system, properly protect consumers’ personal information through the establishment of an internal administration mechanism and ensuring that the introducing enterprises meet the requirements of the system. The issuance of the Data Privacy Protection Mark (dp.mark) was also used as an objective benchmark for consumers to judge the enterprise’s ability to maintain privacy. Regarding the introduction of the personal data administration system, enterprises should establish a content administration mechanism step by step in accordance with the Regulations for Taiwan Personal Information Protection and Administration System. Such system also serves as the review benchmark to decide whether domestic enterprises can acquire the Data Privacy Protection Mark (dp.mark). Since domestic enterprises did not have experience in establishing internal personal data administration system in the past, starting 2011, under the Taiwan Personal Information Protection and Administration System, enterprises received assistance in the training of system professionals such as Personal Data Administrators and Personal Data Internal Appraisers. Quality personal data administrators can help enterprises establish complete internal systems. Internal appraisers play the role of confirming whether the systems established by the enterprises are consistent with the system requirements. As of 2012, there are almost 100 enterprises in Taiwan that participate in the training of system staff and a total of 426 administrators and 131 internal appraisers. In terms of the introduction of TPIPAS, in additional to the establishment and introduction of administration systems by qualified administrators, enterprises can also seek assistance from external professional consulting institutions. Under the Taiwan Personal Information Protection and Administration System, applications for registration of consulting institutions became available in 2012. Qualified system consulting institutions are published on the system website. Today 9 qualified consulting institutions have completed their registrations, providing enterprises with personal data consulting services. After an enterprise completes the establishment of its internal administration system, it may file an application for certification under the Taiwan Personal Information Protection and Administration System. The certification process includes two steps: “written review” and “site review”. After the enterprise passing certification, it is qualified to use the Data Privacy Protection Mark (dp.mark). Today 7 domestic companies have passed TPIPAS certification and acquired the dp.mark: 7net, FamiPort, books.com.tw, LOTTE, GOHAPPY, PAYEASY and Sinya Digital, reinforcing the maintenance of consumer privacy information through the introduction of personal data administration system. III. Event Analysis The Taiwan Personal Information Protection and Administration System (TPIPAS) is a professional personal data administration system established based on the provisions of the latest version of the domestic Personal Data Protection Act, in reference to the latest requirements of personal data protection by international organizations and the experience of main countries in promoting personal data administration system. In accordance with the practical requirements to protect personal data by industries, TPIPAS converted professional legal conditions into an internal personal data administration procedure to effectively assist industries to establish a complete and proper personal data administration system and to comply with the requirements of personal data legislations. With the launch of the new version of the Personal Data Protection Act, introducing TPIPAS and acquiring dp.mark are the best strategies for enterprises to lower the risk from the personal data protection law and to upgrade internal personal data administration capability.