Review of Taiwan's Existing Regulations on the Access to Bioloical Resources

Research on Policies for building a digital nation in Recent Years (2016-2017) 　　Recent years, the government has already made some proactive actions, including some policies and initiatives, to enable development in the digital economy and fulfill the vision of Digital Nation. Those actions are as follows: 1. CREATING THE “FOOD CLOUD” FOR FOOD SAFETY CONTROLS 　　Government agencies have joined forces to create an integrated “food cloud” application that quickly alerts authorities to food safety risks and allows for faster tracing of products and ingredients. The effort to create the cloud was spearheaded by the Executive Yuan’s Office of Food Safety under the leadership of Vice Premier Chang San-cheng on January 12, 2016. 　　The “food cloud” application links five core systems (registration, tracing, reporting, testing, and inspection) from the Ministry of Health and Welfare (MOHW) with eight systems from the Ministry of Finance, Ministry of Economic Affairs, Ministry of Education (MOE), Council of Agriculture and Environmental Protection Administration. 　　The application gathers shares and analyzes information in a methodical and systematic manner by employing big data technology. To ensure the data can flow properly across different agencies, the Office of Food Safety came up with several products not intended for human consumption and had the MOHW simulate the flow of those products under import, sale and supply chain distribution scenarios. The interministerial interface successfully analyzed the data and generated lists of food risks to help investigators focus on suspicious companies. 　　Based on these simulation results, the MOHW on September 2, 2015, established a food and drug intelligence center as a mechanism for managing food safety risks and crises on the national level. The technologies for big data management and mega data analysis will enable authorities to better manage food sources and protect consumer health. 　　In addition, food cloud systems established by individual government agencies are producing early results. The MOE, for instance, rolled out a school food ingredient registration platform in 2014, and by 2015 had implemented the system across 22 countries and cities at 6,000 schools supplying lunches for 4.5 million students. This platform, which made school lunch ingredients completely transparent, received the 2015 eAsia Award as international recognition for the use of information technology in ensuring food safety. 2. REVISING DIGITAL CONVERGENCE ACTS 　　On 2016 May 5th, the Executive Yuan Council approved the National Communications Commission's (NCC) proposals, drafts of “Broadcasting Terrestrial and Channel Service Suppliers Administration Act”, “Multichannel Cable Platform Service Administration Act”, “Telecommunications Service Suppliers Act”, “Telecommunications Infrastructure and Resources Administration Act”, “Electronic Communications Act”, also the five digital convergence laws. They will be sent to the Legislature for deliberation. But in the end, this version of five digital convergence bills did not pass by the Legislature. 　　However, later on, November 16, 2017, The Executive Yuan approved the new drafts of “Digital Communication Act” and the “Telecommunication Service Management Act”. 　　The “Digital Communication Act” and the “Telecommunication Service Management Act” focused summaries as follows: 　　1. The digital communication bill 　　A. Public consultation and participation. 　　B. The digital communication service provider ought to use internet resource reasonability and reveal network traffic control measures. 　　C. The digital communication service provider ought to reveal business information and Terms of Service. 　　D. The responsibility of the digital communication service provider. 　　2. The telecommunication service management bill 　　A. The telecommunication service management bill change to use registration system. 　　B. The general obligation of telecommunications to provide telecommunication service and the special obligation of Specific telecommunications. 　　C. Investment, giving, receiving and merging rules of the telecommunication service. 　　Telecommunications are optimism of relaxing rules and regulations, and wish it would infuse new life and energy into the market. Premier Lai instructed the National Communications Commission and other agencies to elucidate the contents of the two communication bills to all sectors of society, and communicate closely with lawmakers of all parties to build support for a quick passage of the bills. 3. FOCUSING ON ICT SECURITY TO BUILD DIGITAL COUNTRIES 　　Ｔhe development of ICT has brought convenience to life but often accompanied by the threat of illegal use, especially the crimes with the use of new technologies such as Internet techniques and has gradually become social security worries. Minor impacts may cause inconvenience to life while major impacts may lead to a breakdown of government functions and effects on national security. To enhance the capability of national security protection and to avoid the gap of national security, the Executive Yuan on August 1st 2016 has upgraded the Office of Information and Communication Security into the Agency of Information and Communication Security, a strategic center of R.O.C security work, integrating the mechanism of the whole government governance of information security, through specific responsibility, professionalism, designated persons and permanent organization to establish the security system, together with the relevant provisions of the law so that the country's information and communication security protection mechanism will become more complete. The efforts to the direction could be divided into three parts: 　　First, strengthening the cooperation of government and private sectors of information security: In a sound basis of legal system, the government plans to strengthen the government and some private sectors’ information security protection abilities ,continue to study and modify the relevant amendments to the relevant provisions, strengthen public-private collaborative mechanism, deepen the training of human resources and enhance the protection of key information infrastructure of our country. 　　Second, improving the information and communication security professional capability: information and communication security business is divided into policy and technical aspects. While the government takes the responsibility for policy planning and coordination, the technical service lies in an outsourcing way. Based on a sound legal system, the government will establish institutionalized and long-term operation modes and plan appropriate organizational structures through the discussion of experts and scholars from all walks of life. 　　Third, formulating Information and Communication Safety Management Act and planning of the Fifth National Development Program for Information and Communication Security: The government is now actively promoting the Information and Communication Safety Management Act as the cornerstone for the development of the national digital security and information security industry. The main content of the Act provides that the applicable authorities should set up security protection plan at the core of risk management and the procedures of notification and contingency measures, and accept the relevant administrative check. Besides the vision of the Fifth National Development Program for Information and Communication Security which the government is planning now is to build a safe and reliable digital economy and establish a safe information and communication environment by completing the legal system of information and communication security environment, constructing joint defense system of the national Information and Communication security, pushing up the self-energy of the industries of information security and nurture high-quality human resources for elite talents for information security. 4. THE DIGITAL NATION AND INNOVATIVE ECONOMIC DEVELOPMENT PLAN 　　The Digital Nation and Innovative Economic Development Plan (2017-2025) known as “DIGI+” plan, approved by the Executive Yuan on November 24, 2016. The plan wants to grow nation’s digital economy to NT $ 6.5 trillion (US$205.9 billion), improve the digital lifestyle services penetration rate to 80 %, increase broadband connections to 2 Gbps, ensure citizens’ basic rights to have 25 Mbps broadband access, and put our nation among the top 10 information technology nations worldwide by 2025. 　　The plan contains several important development strategies: DIGI+ Infrastructure: Build infrastructure conducive to digital innovation. DIGI+ Talent: Cultivate digital innovation talent. DIGI+ Industry: Support cross-industry transformation through digital innovation. DIGI+ Rights: Make R.O.C. an advanced society that respects digital rights and supports open online communities. DIGI+ Cities: Build smart cities through cooperation among central and local governments and the industrial, academic and research sectors. DIGI+ Globalization: Boost nation’s standing in the global digital service economy. 　　The plan also highlights few efforts: 　　First is to enrich “soft” factors and workforce to create an innovative environment for digital development. To construct this environment, the government will construct an innovation-friendly legal framework, cultivate interdisciplinary digital talent, strengthen research and develop advanced digital technologies. 　　Second is to enhance digital economy development. The government will incentivize innovative applications and optimize the environment for digital commerce. 　　Third, the government will develop an open application programming interface for government data and create demand-oriented, one-stop smart government cloud services. 　　Fourth, the government will ensure broadband access for the disadvantaged and citizens of the rural area, implement the participatory process, enhance different kinds of international cooperation, and construct a comprehensive humanitarian legal framework with digital development. 　　Five is to build a sustainable smart country. The government will use smart network technology to build a better living environment, promote smart urban and rural area connective governance and construction and use on-site research and industries innovation ecosystem to assist local government plan and promote construction of the smart country. 　　In order to achieve the overall effectiveness of the DIGI + program, interdisciplinary, inter-ministerial, inter-departmental and inter-departmental efforts will be required to collaborate with the newly launched Digital National Innovation Economy (DIGI +) Promotion Team. 5. ARTIFICIAL INTELLIGENCE SCIENTIFIC RESEARCH STRATEGY 　　The Ministry of Science and Technology (MOST) reported strategy plan for artificial intelligence (AI) scientific research at Cabinet meeting on August 24, 2017. Artificial intelligence is a powerful and inevitable trend, and it will be critical to R.O.C.’s competitiveness for the next 30 years. 　　The ministry will devote NT$16 billion over the next five years to building an AI innovation ecosystem in R.O.C. According to MOST, the plan will promote five strategies: 　　1. Creating an AI platform to provide R&D services 　　MOST will devote NT$5 billion over the next four years to build a platform, integrating the resources, providing a shared high-speed computing environment and nurturing emerging AI industries and applications. 　　2. Establishing an AI innovative research center 　　MOST will four artificial intelligence innovation research centers across R.O.C. as part of government efforts to enhance the nation’s competitiveness in AI technology. The centers will support the development of new AI in the realms of financial technology, smart manufacturing, smart healthcare and intelligent transportation systems. 　　3. Setting up AI robot maker spaces 　　An NT$2 billion, four-year project assisting industry to develop the hardware-software integration of robots and innovative applications was announced by the Ministry of Science and Technology. 　　4. Subsidizing a semiconductor “moonshot” program to explore ambitious and groundbreaking smart technologies 　　This program will invest NT$4 billion from 2018 through 2021 into developing semiconductors and chip systems for edge devices as well as integrating the academic sector’s R&D capabilities and resources. the project encompasses cognitive computing and AI processor chips; next-generation memory designs; process technologies and materials for key components of sensing devices; unmanned vehicles, AR and VR; IoT systems and security. 　　5. Organizing Formosa Grand Challenge competitions 　　The program is held in competitions to engage young people in the development of AI applications. 　　The government hopes to extend R.O.C.’s industrial advantages and bolster the country’s international competitiveness, giving R.O.C. the confidence to usher in the era of AI applications. All of these efforts will weave people, technologies, facilities, and businesses into a broader AI innovation ecosystem. 6. INTELLIGENT TRANSPORTATION SYSTEM PLANS 　　Ministry of Transportation and Communications (MOTC) launched plans to develop intelligent transportation systems at March 7th in 2017. MOTC integrates transportation and information and communications technology through these plans to improve the convenience and reduce the congestion of the transportation. These plans combine traffic management systems for highways, freeways and urban roads, a multi-lane free-flow electronic toll collection system, bus information system that provides timely integrated traffic information services, and public transportation fare card readers to reduce transport accidence losses, inconvenience of rural area, congestion of main traffic arteries and improve accessibility of public transportation. 　　There are six plans are included: 1. Intelligent transportation safety plan; 2. Relieve congestion on major traffic arteries; 3. Make transportation more convenient in Eastern Taiwan and remote areas; 4. Integrate and share transportation resources; 5. Develop “internet-of-vehicles” technology applications; and 6. Fundamental R&D for smart transportation technology. 　　These plans promote research and development of smart vehicles and safety intersections, develop timely bus and traffic information tracking system, build a safe system of shared, safe and green-energy smart system, and subsidize the large vehicles to install the vision enhancement cameras to improve the safety of transportation. These plans also use eTag readers, vehicle sensors and info communication technologies to gather the traffic information and provide timely traffic guidance, reduce the congestion of the traffic flow. These plans try to use demand-responsive transit system with some measures such as combine public transportation and taxi, to improve the flexibility of the public traffic service and help the basic transportation needs of residents in eastern Taiwan and rural areas to be fulfilled. A mobile transport service interface and a platform that integrating booking and payment processes are also expected to be established to provide door-to-door transportation services and to integrate transportation resources. And develop demonstration projects of speed coordination of passenger coach fleets, vehicle-road interaction technology, and self-driving car to investigate and verify the issues in technological, operational, industrial, legal environments of internet-of-vehicles applications in our country. Last but not least, research and development on signal control systems that can be used in both two and four-wheeled vehicles, and deploy an internet-of-vehicles prototype platform and develop drones traffic applications. 　　These plans are expected to reduce 25% traffic congestion, 20% of motor vehicle incidence, leverage 10% using rate of public transportation, raise 20% public transportation service accessibility of rural area and create NT$30 billion production value. After accomplishing these targets, the government can establish a comprehensive transportation system and guide industry development of relating technology areas. 　　Through the aforementioned initiatives, programs, and plans, the government wants to construct the robust legal framework and policy environment for digital innovation development, and facilitate the quality of citizens in our society.

Post Brexit – An Update on the United Kingdom Privacy Regime 2021/9/10 　　After lengthy talks, on 31 January 2020, the United Kingdom (‘UK’) finally exited the European Union (‘EU’). Then, the UK shifted into a transition period. The UK government was bombarded with questions from all stakeholders. In particular, the data and privacy industry yelled out the loudest – what am I going to do with data flowing from the EU to the UK? Privacy professionals queried – would the UK have a new privacy regime that significantly departs from the General Data Protection Regulation (‘GDPR’)? Eventually, the UK made a compromise with all stakeholders – the British, the Europeans and the rest of the world – by bridging its privacy laws with the GDPR. On 28 June 2021, the UK obtained an adequacy decision from the EU.[1] This was widely anticipated but also widely known to be delayed, as it was heavily impacted by the aftermaths of the invalidation of the US- EU Privacy Shield.[2] 　　While the rest of the world seems to silently observe the transition undertaken by the UK, post-Brexit changes to the UK’s privacy regime is not only a domestic or regional matter, it is an international matter. Global supply chains and cross border data flows will be affected, shuffling the global economy into a new order. Therefore, it is crucial as citizens of a digital economy to unpack and understand the current UK privacy regime. This paper intends to give the reader a brief introduction to the current privacy regime of the UK. The author proposes to set out the structure of the UK privacy legislation, and to discuss important privacy topics. This paper only focuses on the general processing regime, which is the regime that is most relevant to general stakeholders. UK Privacy Legislation 　　There are two main privacy legislation in the UK – the Data Protection Act 2018 (‘DPA’) and the United Kingdom General Data Protection Act (‘UK GDPR’). These two acts must be read together in order to form a coherent understanding of the current UK privacy regime. 　　The UK GDPR is the creature of Brexit. The UK government wanted a smooth transition out of the EU and acknowledged that they needed to preserve the GDPR in their domestic privacy regime to an extent that would allow them to secure an adequacy decision. The UK government also wanted to create less impact on private companies. Thus, the UK GDPR was born. Largely it aligns closely with the GDPR, supplemented by the DPA. ICO 　　The Information Commissioner’s Office (‘ICO’) is the independent authority supervising the compliance of privacy laws in the UK. Prior to Brexit, the ICO was the UK’s supervisory authority under the GDPR. A unique feature of the ICO’s powers and functions is that it adopts a notice system. The ICO has power to issue four types of notices: information notices, assessment notices, enforcement notices and penalty notices.[3] The information notice requires controllers or processors to provide information. The ICO must issue an assessment notice before conducting data protection audits. Enforcement is only exercisable by giving an enforcement notice. Administrative fines are only exercisable by giving a penalty notice. Territorial Application 　　Section 207(1A) of the DPA states that the DPA applies to any controller or processor established in the UK, regardless where the processing of personal data takes place. Like the GDPR, the DPA and the UK GDPR have an extraterritorial reach to overseas controllers or processors. The DPA and the UK GDPR apply to overseas controllers or processors who process personal data relating to data subjects in the UK, and the processing activities are related to the offering of goods or services, or the monitoring of data subjects’ behavior.[4] Transfers of Personal Data to Third Countries 　　On 28 June 2021, the UK received an adequacy decision from the EU.[5] This means that until 27 June 2025, data can continue to flow freely between the UK and the European Economic Area (‘EEA’). 　　As for transferring personal data to third countries other than the EU, the UK has similar laws to the GDPR. Both the DPA and the UK GDPR restrict controllers or processors from transferring personal data to third countries. A transfer of personal data to a third country is permitted if it is based on adequacy regulations.[6] An EU adequacy decision is known as ‘adequacy regulations’ under the UK regime. 　　If there is no adequacy regulations, then a transfer of personal data to a third country will only be permitted if it is covered by appropriate safeguards, including standard data protection clauses, binding corporate rules, codes of conduct, and certifications.[7] The ICO intends to publish UK standard data protection clauses in 2021.[8] In the meantime, the EU has published a new set of standard data protection clauses (‘SCCs’).[9] However, it must be noted that the EU SCCs are not accepted to be valid in the UK, and may only be used for reference purposes. It is also worth noting that the UK has approved three certification schemes to assist organizations in demonstrating compliance to data protection laws.[10] Lawful Bases for Processing 　　Basically, the lawful bases for processing in the UK regime are the same as the GDPR. Six lawful bases are set out in article 6 of the UK GDPR. To process personal data, at least one of the following lawful bases must be satisfied:[11] The data subject has given consent to the processing; The processing is necessary for the performance of a contract; The processing is necessary for compliance with a legal obligation; The processing is necessary to protect vital interests of an individual – that is, protecting an individual’s life; The processing is necessary for the performance of a public task; The processing is necessary for the purpose of legitimate interests, unless other interests or fundamental rights and freedoms override those legitimate interests. Rights & Exemptions 　　The UK privacy regime, like the GDPR, gives data subjects certain rights. Most of the rights granted under the UK privacy regime is akin to the GDPR and can be found under the UK GDPR. Individual rights under the UK privacy regime is closely linked with its exemptions, this may be said to be a unique feature of the UK privacy regime which sets it apart from the GDPR. Under the DPA and the UK GDPR, there are certain exemptions, meaning organizations are exempted from certain obligations, most of them are associated with individual rights. For example, if data is processed for scientific or historical research purposes, or statistical purposes, organizations are exempted from provisions on the right of access, the right to rectification, the right to restrict processing and the right to object in certain circumstances.[12] Penalties 　　The penalty for infringement of the UK GDPR is the amount specified in article 83 of the UK GDPR.[13] If an amount is not specified, the penalty is the standard maximum amount.[14] The standard maximum amount, at the time of writing, is £8,700,000 (around 10 million Euros) or 2% of the undertaking’s total annual worldwide turnover in the preceding financial year.[15] In any other case, the standard maximum amount is £8,700,000 (around 10 million Euros).[16] Conclusion 　　The UK privacy regime closely aligns with the GDPR. However it would be too simple of a statement to say that the UK privacy regime is almost identical to the GDPR. The ICO’s unique enforcement powers exercised through a notice system is a distinct feature of the UK privacy regime. Recent legal trends show that the UK while trying to preserve its ties with the EU is gradually developing an independent privacy persona. The best example is that in regards to transfers to third countries, the UK has developed its first certification scheme and is attempting to develop its own standard data protection clauses. The UK’s transition out of the EU has certainly been interesting; however, the UK’s transformation from the EU is certainly awaited with awe. [1] Commission Implementing Decision of 28.6.2021, pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom, C(2021) 4800 final,https://ec.europa.eu/info/sites/default/files/decision_on_the_adequate_protection_of_personal_data_by_the_united_kingdom_-_general_data_protection_regulation_en.pdf.. [2] Judgment of 16 July 2020, Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems, C-311/18, EU:C:2020:559, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62018CJ0311. [3] Data Protection Act 2018, §115. [4] Data Protection Act 2018, §207(1A); REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 3. [5] supra note 1. [6] Data Protection Act 2018, §17A-18; REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 44-50. [7] Data Protection Act 2018, §17A-18; REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 46-47. [8]International transfers after the UK exit from the EU Implementation Period, ICO, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers-after-uk-exit/ (last visited Sep. 10, 2021). [9] Standard contractual clauses for international transfers, European Commission, https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en (last visited Sep. 10, 2021). [10] ICO, New certification schemes will “raise the bar” of data protection in children’s privacy, age assurance and asset disposal, ICO, Aug. 19, 2021, https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2021/08/ico-approves-the-first-uk-gdpr-certification-scheme-criteria/ (last visited Sep. 10, 2021). [11] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 6(1)-(2); Lawful basis for processing, ICO, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/ (last visited Sep. 10, 2021). [12] Data Protection Act 2018, sch 2, part 6, para 27. [13] id. at §157. [14] id. [15] id. [16] id.

I.Summary In 1995, the Computer-Processed Personal Data Protection Law was implemented in the Republic of China. With the constant development of information technology and the limitations in the application of the legislation, the design of the original legal system is no longer consistent with practical requirements. Considering the increasing number of incidents of personal data leaks, discussions were carried out over a long period of time and the new version of the Personal Information Protection Act was passed after three readings in April, 2010. The title of the law was changed to Personal Information Protection Act. The new system has been officially implemented since 1 October, 2012. The new Act not only revised the provisions of the law in a comprehensive way, but also significantly increased the obligations and responsibilities of enterprises. In terms of civil liability, the maximum amount of compensation for a single incident is 200 Million NTD. For domestic industries, how to effectively respond to the requirements under the Personal Information Protection Act and adopt proper corresponding measures to lower the risk has become a key task for enterprise operation. II. Main Points 1. Implementation of the Enforcement Rules of the Personal Information Protection Act Personal information protection can be said the most concerned issue in Taiwan recently. As a matter of fact, the Computer-Processed Personal Data Protection Law was established in Taiwan as early as August 1995. After more than 10 years of development, computer and information technology has evolved significantly, and many emerging business models such as E-commerce are extensively collecting personal data. It has become increasingly important to properly protect personal privacy. However, the previous Computer-Processed Personal Data Protection Law was only applicable to certain industries, i.e. the following 8 specific industries: the credit investigation business, hospital, school, telecommunication business, financial business, securities business, insurance business, and mass media. And other business was designated by the Ministry of Justice and the central government authorities in charge of concerned enterprises. In addition, the law only protected personal information that was processed by “computer or automatic equipment”. Personal information that was not computer processed was not included. There were clearly no sufficient regulations for the protection of personal data privacy and interest. There were numerous incidents of personal data leaks. Among the top 10 consumer news issued by the Consumer Protection Committee of the Executive Yuan in 2007, “incidents of personal data leaks through E-commerce and TV shopping” was on the top of the list. This provoked the Ministry of Justice and the Ministry of Economic Affairs to “jointly designate” the retail industry without physical boutique (including 3 transaction models: online shopping, catalogue shopping and TV shopping) to be governed by the Computer-Processed Personal Data Protection Law since 1 July 2010. To allow the provisions of the personal information protection legal system to meet the environment of rapid change, the Executive Yuan proposed a Draft Amendment to the Computer-Processed Personal Data Protection Law very early and changed the title to the Personal Information Protection Act. The draft was discussed many times in the Legislative Yuan. Personal Information Protection Act was finally passed after three readings in April 2010, which was officially published by the Office of the President on 26 May. Although the new law was passed in April 2010, to allow sufficient time for enterprises and the public to understand and comply the new law, the new version of the personal information protection law was not implemented on the date of publication. In accordance with Article 56 of the Act, the date of implementation was to be further established by the Executive Yuan. After discussions over a long period of time, the Executive Yuan decided for the Personal Information Protection Act to be officially implemented on 1 October 2012. However, the implementation of two articles is withheld: Article 6 of the Act about the principal prohibition against the collection, processing and use of special personal information and Article 54 about the obligation to notice the Party within one year for personal information indirectly acquired before the implementation of the new law. In terms of the personal data protection legal system, other than the most important Personal Data Protection Act, the enforcement rules established in accordance with the main law also play a key role. The previous Enforcement Rules of the Computer-Processed Personal Data Protection Law were published and implemented on 1 May, 1996. Considering that the Computer-Processed Personal Data Protection Law was amended in 2010 and that its title has been changed to the Personal Data Protection Act, the Ministry of Justice also followed the amended provisions under the new law and actively studied the Draft Amendment to the Enforcement Rules of the Computer-Processed Personal Data Protection Act. After it was confirmed that the new version of the Personal Data Protection Act would be officially launched on 1 October 2012, the Ministry of Justice announced officially the amended enforcement rules on 26 September, 2012. The title of the enforcement rules was also amended to the Enforcement Rules of the Personal Data Protection Act. The new version of personal data protection law and enforcement rules was thus officially launched, creating a brand new era for the promotion of personal data protection in Taiwan. II. Personal Data Administration System and Information Privacy Protection Charter Before the amendment to the Personal Data Protection Act was passed, the Legislative Yuan made a proposal to the government in June 2008 to promote a privacy administration and protection certification system in Taiwan, in reference to foreign practices. In August of the following year, the Strategic Review Board of the Executive Yuan passed a resolution to promote the E-Commerce Personal Data Administration and Information Security Action Plan. In December of the same year, approval was granted for the plan to be included in the key government promotion plans from 2010 to 2013. Based on this action plan, since October 2010, the Ministry of Economic Affairs has asked the Institution for Information Industry to execute an E-Commerce Personal Data Administration System Setup Plan. Since 2012, the E-Commerce Personal Data Administration System Promotion Plan and the Taiwan Personal Information Protection and Administration System (TPIPAS) have been established and promoted, with the objective of procuring enterprises to, while complying with the personal data protection legal system, properly protect consumers’ personal information through the establishment of an internal administration mechanism and ensuring that the introducing enterprises meet the requirements of the system. The issuance of the Data Privacy Protection Mark (dp.mark) was also used as an objective benchmark for consumers to judge the enterprise’s ability to maintain privacy. Regarding the introduction of the personal data administration system, enterprises should establish a content administration mechanism step by step in accordance with the Regulations for Taiwan Personal Information Protection and Administration System. Such system also serves as the review benchmark to decide whether domestic enterprises can acquire the Data Privacy Protection Mark (dp.mark). Since domestic enterprises did not have experience in establishing internal personal data administration system in the past, starting 2011, under the Taiwan Personal Information Protection and Administration System, enterprises received assistance in the training of system professionals such as Personal Data Administrators and Personal Data Internal Appraisers. Quality personal data administrators can help enterprises establish complete internal systems. Internal appraisers play the role of confirming whether the systems established by the enterprises are consistent with the system requirements. As of 2012, there are almost 100 enterprises in Taiwan that participate in the training of system staff and a total of 426 administrators and 131 internal appraisers. In terms of the introduction of TPIPAS, in additional to the establishment and introduction of administration systems by qualified administrators, enterprises can also seek assistance from external professional consulting institutions. Under the Taiwan Personal Information Protection and Administration System, applications for registration of consulting institutions became available in 2012. Qualified system consulting institutions are published on the system website. Today 9 qualified consulting institutions have completed their registrations, providing enterprises with personal data consulting services. After an enterprise completes the establishment of its internal administration system, it may file an application for certification under the Taiwan Personal Information Protection and Administration System. The certification process includes two steps: “written review” and “site review”. After the enterprise passing certification, it is qualified to use the Data Privacy Protection Mark (dp.mark). Today 7 domestic companies have passed TPIPAS certification and acquired the dp.mark: 7net, FamiPort, books.com.tw, LOTTE, GOHAPPY, PAYEASY and Sinya Digital, reinforcing the maintenance of consumer privacy information through the introduction of personal data administration system. III. Event Analysis The Taiwan Personal Information Protection and Administration System (TPIPAS) is a professional personal data administration system established based on the provisions of the latest version of the domestic Personal Data Protection Act, in reference to the latest requirements of personal data protection by international organizations and the experience of main countries in promoting personal data administration system. In accordance with the practical requirements to protect personal data by industries, TPIPAS converted professional legal conditions into an internal personal data administration procedure to effectively assist industries to establish a complete and proper personal data administration system and to comply with the requirements of personal data legislations. With the launch of the new version of the Personal Data Protection Act, introducing TPIPAS and acquiring dp.mark are the best strategies for enterprises to lower the risk from the personal data protection law and to upgrade internal personal data administration capability.

Impact of Government Organizational Reform to Scientific Research Legal System and Response Thereto (2) – For Example, The Finnish Innovation Fund (“SITRA”) III. Comparison of Strength and Weakness of Sitra Projects 1. Sitra Venture Capital Investment Model 　　In order to comprehend how to boost innovation business development to upgrade innovation ability, we analyze and compare the innovation systems applied in Sweden, France and Finland[1] . We analyze and compare the characteristics, strength and weakness of innovation promotion models in terms of funding, networking and professional guidance. Generally, the first difficulty which a start-up needs to deal with when it is founded initially is the funding. Particularly, a technology company usually requires tremendous funding when it is founded initially. Some potentially adequate investors, e.g., venture capitals, seldom invest in small-sized start-up (because such overhead as supervision and management fees will account for a high percentage of the investment due to the small total investment amount). Networking means how a start-up integrates such human resources as the management, investors, technical advisors and IP professionals when it is founded initially. Control over such human resources is critical to a new company’s survival and growth. Professional guidance means how professional knowledge and human resource support the start-up’s operation. In order to make its product required by the market, an enterprise usually needs to integrate special professional knowledge. Notwithstanding, the professional knowledge and talents which are available from an open market theoretically often cannot be accessed, due to market failure[2]. 　　Assuming that Sitra’s funding is prioritized as Pre-seed-Initiation stage, Seed-Development stage and Follow-up – Growth stage, under Finland model, at the Pre-seed-Initiation stage, Sitra will provide the fund amounting to EUR20,000 when Tekes will also provide the equivalent fund, provided that the latter purely provides subsidy, while the fund provided by Sitra means a loan to be repaid (without interest) after some time (usually after commercialization), or a loan convertible to shares. Then, the loan would be replaced by soft or convertible (to shares) investment and the source of funding would turn to be angel investors or local seed capital at the Seed-Development stage. At this stage, the angel investors, local seed capital and Sitra will act as the source of funding jointly in Finland, while Tekes will not be involved at this stage. At the Follow-up-Growth stage, like the Sweden model, Sitra will utilize its own investment fund to help mitigate the gap between local small-sized funding and large-sized international venture capital[3]. 　　How to recruit professional human resources is critical to a start-up’s success. Many enterprises usually lack sufficient professional human resources or some expertise. DIILI service network set up by Sitra is able to provide the relevant solutions. DILLI is a network formed by product managers. Its members actively participate in starts-up and seek innovation. They also participate in investment of starts-up independently sometimes. Therefore, they are different from angel investors, because they devote themselves to the starts-up on a full-time basis[4]. In other words, they manage the starts-up as if the starts-up were their own business. 2. Key to Public Sector’s Success in Boosting Development of Innovation Activity Business 　　In terms of professional guidance, voluntary guidance means the direct supply of such professional resources as financing, human resource and technology to starts-up, while involuntary guidance means the supply of strategic planning in lieu of direct assistance to help the enterprises make routine decisions[5]. The fractured and incomplete professional service attendant market generates low marginal effect. Therefore, it is impossible for the traditional consultation service to mitigate such gap and the investment at the pre-seed initiation stage will be excessive because of the acquisition of the professional services. Meanwhile, professional advisors seldom are involved in consultation services at the pre-seed initiation stage of a start-up because of the low potential added value. Therefore, at such stage, only involuntary professional guidance will be available usually. Under Sitra model, such role is played by an angel investor. 　　Upon analysis and comparison, we propose six suggested policies to boost innovation activities successfully as the reference when observing Sitra operation. First of all, compared with the French model, Finland Sitra and Sweden model set more specific objectives to meet a start-up’s needs (but there is some defect, e.g., Sitra model lacks voluntary professional guidance). Second, structural budget is a key to the successful model. Sitra will receive the funds in the amount of EUR235,000,000 from the Finnish Government, but its operating expenditure is covered by its own operating revenue in whole. Third, it is necessary to provide working fund in installments and provide fund at the pre-seed-initiation stage. Under both of Finland model and Sweden model, funds will be provided at the pre-seed-initiation stage (Tekes is responsible for providing the fund in Finland). Fourth, the difficulty in networking must be solved. In Sitra, the large-sized talent network set up by it will be dedicated to recruiting human resources. Fifth, the voluntary professional guidance is indispensable at the pre-seed-initiation stage, while the same is unavailable at such stage under Sitra model. Instead, the Sweden model is held as the optimal one, as it has a dedicated unit responsible for solving the difficulty to seek profit. Sixth, soft loan[6] will be successfully only when the loan cannot be convertible to shares. At the pre-seed initiation stage or seed-development stage, a start-up is usually funded by traditional loan. Assuming that the start-up is not expected to gain profit, whether the loan may be convertible to shares will also be taken into consideration when the granting of loan is considered (therefore, the fund provider will not be changed to the “capital” provider). Besides, the government authorities mostly lack the relevant experience or knowledge, or are in no position to negotiate with international large-sized venture capital companies. For example, under the French model, the government takes advantage of its power to restrict the venture capital investment and thereby renders adverse impact to starts-up which seek venture capital. Finally, the supply of own fund to meet the enterprises’ needs at seed-development stage and follow-up-growth stage to mitigate the gap with large-sized venture capital[7] is also required by a successful funding model. IV. Conclusion－Deliberation of Finnish Sitra Experience 　　As the leading national industrial innovation ability promoter in Finland, Sitra appears to be very characteristic in its organizational framework or operating mechanism. We hereby conclude six major characteristics of Sitra and propose the potential orientation toward deliberation of Taiwan’s industrial innovation policies and instruments. 1. Particularity of Organizational Standing 　　In consideration of the particularity of Sitra organizational standing, it has two characteristics observable. First, Sitra is under supervision of the Finnish Parliament directly, not subordinated to the administrative organizational system and, therefore, it possesses such strength as flexibility and compliance with the Parliament’s requirements. Such organization design which acts independently of the administrative system but still aims to implement policies has been derived in various forms in the world, e.g., the agency model[8] in the United Kingdom, or the independent apparatus in the U.S.A. Nevertheless, to act independently of the administrative system, it has to deal with the deliberation of responsible political principles at first, which arouses the difficulty in taking care of flexibility at the same time. In Taiwan, the intermediary organizations include independent agencies and administrative corporations, etc., while the former still involves the participation of the supreme administrative head in the right of personnel administration and is subordinated to the ministries/departments of the Executive Yuan and the latter aims to enforce the public missions in the capacity of “public welfare” organization. Though such design as reporting to the Parliament directly is not against the responsible political principles, how the Parliament owns the authority to supervise is the point (otherwise, theoretically, the administrative authorities are all empowered by the parliament in the country which applies the cabinet system). Additionally, why some special authorities are chosen to report to the parliament directly while other policy subjects are not is also disputable. The existence of Sitra also refers to a circumstantial evidence substantiating that Finland includes the innovation policy as one of the important government policies, and also the objective fact that Finland’s innovation ability heads the first in the world. 　　Second, Sitra is a self-sufficient independent fund, which aims to promote technical R&D and also seeks profit for itself, irrelevant with selection of adequate investment subjects or areas. Instead, for this purpose, the various decisions made by it will deal with the utility and mitigate the gap between R&D and market. Such entity is responsible for public welfare or policy projects and also oriented toward gain from investment to feed the same back to the individuals in the organization. In the administrative system, Sitra is not directed by the administrative system but reports to the Parliament directly. Sitra aims to upgrade the national R&D innovation ability as its long-term goal mission and utilizes the promotion of innovation business and development of venture capital market. The mission makes the profit-orientation compatible with the selection of investment subjects, as an enterprise unlikely to gain profit in the future usually is excluded from the national development view. For example, such industries as green energy, which is not likely to gain profit in a short term, is still worth investing as long as it meets the national development trend and also feasible (in other words, selection of marketable green technology R&D, instead of comparison of the strength and weakness in investment value of green energy and other high-polluted energy). 2. Expressly Distinguished From Missions of Other Ministries/Departments 　　For the time being, Sitra primarily invests in starts-up, including indirect investment and direct investment, because it relies on successful new technology R&D which may contribute to production and marketability. Starts-up have always been one of the best options, as large-sized enterprises are able to do R&D on their own without the outsourcing needs. Further, from the point of view of an inventor, if the new technology is marketable, it will be more favorable to him if he chooses to start business on his own or make investment in the form of partnership, instead of transfer or license of the ownership to large-sized enterprises (as large-sized enterprises are more capable of negotiation). However, note that Sitra aims to boost innovation activities and only targets at start-up business development, instead of boosting and promoting the start-up per se. Under the requirement that Sitra needs to seek profit for itself, only the business with positive development view will be targeted by Sitra. Further, Sitra will not fund any business other than innovation R&D or some specific industries. Apparently, Sitra only focuses on the connection between innovation activities and start-up, but does not act as the competent authority in charge of small-sized and medium-sized enterprises. 　　Meanwhile, Sitra highlights that it will not fund academic research activities and, therefore, appears to be distinguished from the competent authority in charge of national scientific research. Though scientific research and technology innovation business, to some extent, are distinguished from each other in quantity instead of quality, abstract and meaningless research is existent but only far away from the commercialization market. Notwithstanding, a lot of countries tend to distinguish basic scientific research from industrial technology R&D in the administration organization's mission, or it has to be. In term of the way in which Sitra carries out its mission, such distinguishing ability is proven directly. 3. Well-Founded Technology Foresight-Based Investment Business 　　The corporate investments, fund investments and project funding launched by Sitra are all available to the pre-designated subjects only, e.g. ecological sustainable development, energy utilization efficiency, and social structural changes, etc. Such way to promote policies as defining development area as the first priority and then promoting the investment innovation might have some strength and weakness at the same time. First of all, the selection of development areas might meet the higher level national development orientation more therefor, free from objective environmental restrictions, e.g. technical level, leading national technology industries and properties of natural resources. Notwithstanding, an enterprise’s orientation toward innovation R&D might miss the opportunity for other development because of the pre-defined framework. Therefore, such way to promote policies as defining development areas or subjects as the first priority will be inevitably based on well-founded technology foresight-based projects[9], in order to take various subjective and objective conditions into consideration and to forecast the technology development orientation and impact to be faced by the home country’s national and social economies. That is, said strength and weakness will be taken into consideration beforehand for foresight, while following R&D funding will be launched into the technology areas pre-designated after thorough analysis. 4. Self-Interested Investment with the Same High Efficiency as General Enterprises 　　Sitra aims to gain profit generally, and its individual investment model, e.g., DIILI, also permits marketing managers to involve business operation. The profit-sharing model enables Sitra to seek the same high efficiency as the general enterprises when purusing its innovation activity development. The investment launched by Sitra highlights that it is not “funding” (which Tekes is responsible for in Finland) or the investment not requiring return. Therefore, it has the system design to acquire corporate shares. Sitra participates in a start-up by offering its advanced technology, just like a general market investor who will choose the potential investment subject that might benefit him most upon his personal professional evaluation. After all, the ultimate profit will be retained by Sitra (or said DIILI manger, subject to the investment model). Certainly, whether the industry which requires permanent support may benefit under such model still remains questionable. However, except otherwise provided in laws expressly, said special organization standing might be a factor critical to Sitra profit-seeking model. That is, Sitra is not subordinated to the administrative system but is under supervision of the parliament independently, and how its staff deal with the conflict of interest issues in the capacity other than the public sector’s/private sector’s staff is also one of the key factors to success of the system. 5. Investment Model to Deal With Policy Instruments of Other Authorities/Agencies 　　Sitra decides to fund a start-up depending on whether it may gain profit as one of its priorities. As aforesaid, we may preliminarily recognize that the same should be consistent with funding to starts-up logically and no “government failure” issue is involved. For example, the funding at the pre-seed-initiation stage needs to tie in with Tekes’ R&D “funding” (and LIKSA service stated herein) and, therefore, may adjust the profit-seeking orientation, thereby causing deviation in promotion of policies. The dispute over fairness of repeated subsidy/funding and rationality of resource allocation under the circumstance must be controlled by a separate evaluation management mechanism inevitably. 6. Affiliation with Enhancement of Regional Innovation Activities 　　Regional policies cannot be separable from innovation policies, especially in a country where human resources and natural resources are not plentiful or even. Therefore, balancing regional development policies and also integrating uneven resource distribution at the same time is indispensable to upgrading of the entire national social economic benefits. The Finnish experience indicated that innovation activities ought to play an important role in the regional development, and in order to integrate enterprises, the parties primarily engaged in innovation activities, with the R&D ability of regional academic research institutions to upgrade the R&D ability effectively, the relevant national policies must be defined for adequately arranging and launching necessary resources. Sitra's approaches to invest in starts-up, release shares after specific period, integrate the regional resources, upgrade the national innovation ability and boost the regional development might serve to be the reference for universities’ centers of innovative incubator or Taiwan’s local academic and scientific sectors[10] to improve their approaches. 　　For the time being, the organization engaged in venture capital investment in the form of fund in Taiwan like Sitra of Finland is National Development Fund, Executive Yuan. However, in terms of organizational framework, Sitra is under supervision of the Parliament directly, while National Development Fund is subordinated to the administrative system of Taiwan. Though Sitra and National Development Fund are both engaged in venture capital investments primarily, Sitra carries out its missions for the purpose of “promoting innovative activities”, while the National Development Fund is committed to achieve such diversified goals as “promoting economic changes and national development[11]” and is required to be adapted to various ministries’/departments’ policies. Despite the difference in the administrative systems of Taiwan and Finland, Sitra system is not necessarily applicable to Taiwan. Notwithstanding, Sitra’s experience in promotion and thought about the system might provide a different direction for Taiwan to think when it is conceiving the means and instruments for industrial innovation promotion policies in the future. [1] Bart Clarysse & Johan Bruneel, Nurturing and Growing Innovation Start-Ups: The Role of Policy As Integrator, R&D MANAGEMENT, 37(2), 139, 144-146 (2007). Clarysse & Bruneel analysis and comparison refers to Sweden Chalmers Innovation model, French Anvar/Banque de Developpement des PMEs model and Finland Sitra PreSeed Service model. [2] id. at 141-143. [3] id. at 141. [4] id. at 145-146. [5] id. at 143. [6] The loan to be repaid is not a concern. For example, the competent authority in Sweden only expects to recover one-fourths of the loan. [7] Clarysse & Bruneel, super note 26, at 147-148. [8] 彭錦鵬，〈英國政署之組織設計與運作成效〉，《歐美研究》，第30卷第3期，頁89-141。 [9] Technology foresight must work with the innovation policy road mapping (IPRM) interactively, and consolidate the forecast and evaluation of technology policy development routes. One study case about IPRM of the environmental sustainable development in the telecommunication industry in Finland, the IPRM may enhance the foresighted system and indicates the potential factors resulting in systematic failure. Please see Toni Ahlqvist, Ville Valovirta & Torsti Loikkanen, Innovation policy road mapping as a systemic instrument for forward-looking policy design, Science and Public Policy 39, 178-190 (2012). [10] 參見李昂杰，〈規範新訊：學界科專辦法及其法制配套之解析〉，《科技法律透析》，第23卷第8期，頁33（2011）。 [11] National Development Fund, Executive Yuan website, http://www.df.gov.tw/(tftgkz45150vye554wi44ret)/page-aa.aspx?Group_ID=1&Item_Title=%E8%A8%AD%E7%AB%8B%E5%AE%97%E6%97%A8#(Last visit on 2013/03/28)