A Before and After Impact Comparison of Applying Statute for Industrial Innovation Article 23-1 Draft on Venture Capital Limited Partnerships

Post Brexit – An Update on the United Kingdom Privacy Regime 2021/9/10 　　After lengthy talks, on 31 January 2020, the United Kingdom (‘UK’) finally exited the European Union (‘EU’). Then, the UK shifted into a transition period. The UK government was bombarded with questions from all stakeholders. In particular, the data and privacy industry yelled out the loudest – what am I going to do with data flowing from the EU to the UK? Privacy professionals queried – would the UK have a new privacy regime that significantly departs from the General Data Protection Regulation (‘GDPR’)? Eventually, the UK made a compromise with all stakeholders – the British, the Europeans and the rest of the world – by bridging its privacy laws with the GDPR. On 28 June 2021, the UK obtained an adequacy decision from the EU.[1] This was widely anticipated but also widely known to be delayed, as it was heavily impacted by the aftermaths of the invalidation of the US- EU Privacy Shield.[2] 　　While the rest of the world seems to silently observe the transition undertaken by the UK, post-Brexit changes to the UK’s privacy regime is not only a domestic or regional matter, it is an international matter. Global supply chains and cross border data flows will be affected, shuffling the global economy into a new order. Therefore, it is crucial as citizens of a digital economy to unpack and understand the current UK privacy regime. This paper intends to give the reader a brief introduction to the current privacy regime of the UK. The author proposes to set out the structure of the UK privacy legislation, and to discuss important privacy topics. This paper only focuses on the general processing regime, which is the regime that is most relevant to general stakeholders. UK Privacy Legislation 　　There are two main privacy legislation in the UK – the Data Protection Act 2018 (‘DPA’) and the United Kingdom General Data Protection Act (‘UK GDPR’). These two acts must be read together in order to form a coherent understanding of the current UK privacy regime. 　　The UK GDPR is the creature of Brexit. The UK government wanted a smooth transition out of the EU and acknowledged that they needed to preserve the GDPR in their domestic privacy regime to an extent that would allow them to secure an adequacy decision. The UK government also wanted to create less impact on private companies. Thus, the UK GDPR was born. Largely it aligns closely with the GDPR, supplemented by the DPA. ICO 　　The Information Commissioner’s Office (‘ICO’) is the independent authority supervising the compliance of privacy laws in the UK. Prior to Brexit, the ICO was the UK’s supervisory authority under the GDPR. A unique feature of the ICO’s powers and functions is that it adopts a notice system. The ICO has power to issue four types of notices: information notices, assessment notices, enforcement notices and penalty notices.[3] The information notice requires controllers or processors to provide information. The ICO must issue an assessment notice before conducting data protection audits. Enforcement is only exercisable by giving an enforcement notice. Administrative fines are only exercisable by giving a penalty notice. Territorial Application 　　Section 207(1A) of the DPA states that the DPA applies to any controller or processor established in the UK, regardless where the processing of personal data takes place. Like the GDPR, the DPA and the UK GDPR have an extraterritorial reach to overseas controllers or processors. The DPA and the UK GDPR apply to overseas controllers or processors who process personal data relating to data subjects in the UK, and the processing activities are related to the offering of goods or services, or the monitoring of data subjects’ behavior.[4] Transfers of Personal Data to Third Countries 　　On 28 June 2021, the UK received an adequacy decision from the EU.[5] This means that until 27 June 2025, data can continue to flow freely between the UK and the European Economic Area (‘EEA’). 　　As for transferring personal data to third countries other than the EU, the UK has similar laws to the GDPR. Both the DPA and the UK GDPR restrict controllers or processors from transferring personal data to third countries. A transfer of personal data to a third country is permitted if it is based on adequacy regulations.[6] An EU adequacy decision is known as ‘adequacy regulations’ under the UK regime. 　　If there is no adequacy regulations, then a transfer of personal data to a third country will only be permitted if it is covered by appropriate safeguards, including standard data protection clauses, binding corporate rules, codes of conduct, and certifications.[7] The ICO intends to publish UK standard data protection clauses in 2021.[8] In the meantime, the EU has published a new set of standard data protection clauses (‘SCCs’).[9] However, it must be noted that the EU SCCs are not accepted to be valid in the UK, and may only be used for reference purposes. It is also worth noting that the UK has approved three certification schemes to assist organizations in demonstrating compliance to data protection laws.[10] Lawful Bases for Processing 　　Basically, the lawful bases for processing in the UK regime are the same as the GDPR. Six lawful bases are set out in article 6 of the UK GDPR. To process personal data, at least one of the following lawful bases must be satisfied:[11] The data subject has given consent to the processing; The processing is necessary for the performance of a contract; The processing is necessary for compliance with a legal obligation; The processing is necessary to protect vital interests of an individual – that is, protecting an individual’s life; The processing is necessary for the performance of a public task; The processing is necessary for the purpose of legitimate interests, unless other interests or fundamental rights and freedoms override those legitimate interests. Rights & Exemptions 　　The UK privacy regime, like the GDPR, gives data subjects certain rights. Most of the rights granted under the UK privacy regime is akin to the GDPR and can be found under the UK GDPR. Individual rights under the UK privacy regime is closely linked with its exemptions, this may be said to be a unique feature of the UK privacy regime which sets it apart from the GDPR. Under the DPA and the UK GDPR, there are certain exemptions, meaning organizations are exempted from certain obligations, most of them are associated with individual rights. For example, if data is processed for scientific or historical research purposes, or statistical purposes, organizations are exempted from provisions on the right of access, the right to rectification, the right to restrict processing and the right to object in certain circumstances.[12] Penalties 　　The penalty for infringement of the UK GDPR is the amount specified in article 83 of the UK GDPR.[13] If an amount is not specified, the penalty is the standard maximum amount.[14] The standard maximum amount, at the time of writing, is £8,700,000 (around 10 million Euros) or 2% of the undertaking’s total annual worldwide turnover in the preceding financial year.[15] In any other case, the standard maximum amount is £8,700,000 (around 10 million Euros).[16] Conclusion 　　The UK privacy regime closely aligns with the GDPR. However it would be too simple of a statement to say that the UK privacy regime is almost identical to the GDPR. The ICO’s unique enforcement powers exercised through a notice system is a distinct feature of the UK privacy regime. Recent legal trends show that the UK while trying to preserve its ties with the EU is gradually developing an independent privacy persona. The best example is that in regards to transfers to third countries, the UK has developed its first certification scheme and is attempting to develop its own standard data protection clauses. The UK’s transition out of the EU has certainly been interesting; however, the UK’s transformation from the EU is certainly awaited with awe. [1] Commission Implementing Decision of 28.6.2021, pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom, C(2021) 4800 final,https://ec.europa.eu/info/sites/default/files/decision_on_the_adequate_protection_of_personal_data_by_the_united_kingdom_-_general_data_protection_regulation_en.pdf.. [2] Judgment of 16 July 2020, Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems, C-311/18, EU:C:2020:559, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62018CJ0311. [3] Data Protection Act 2018, §115. [4] Data Protection Act 2018, §207(1A); REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 3. [5] supra note 1. [6] Data Protection Act 2018, §17A-18; REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 44-50. [7] Data Protection Act 2018, §17A-18; REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 46-47. [8]International transfers after the UK exit from the EU Implementation Period, ICO, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers-after-uk-exit/ (last visited Sep. 10, 2021). [9] Standard contractual clauses for international transfers, European Commission, https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en (last visited Sep. 10, 2021). [10] ICO, New certification schemes will “raise the bar” of data protection in children’s privacy, age assurance and asset disposal, ICO, Aug. 19, 2021, https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2021/08/ico-approves-the-first-uk-gdpr-certification-scheme-criteria/ (last visited Sep. 10, 2021). [11] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art 6(1)-(2); Lawful basis for processing, ICO, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/ (last visited Sep. 10, 2021). [12] Data Protection Act 2018, sch 2, part 6, para 27. [13] id. at §157. [14] id. [15] id. [16] id.

I.Summary In 1995, the Computer-Processed Personal Data Protection Law was implemented in the Republic of China. With the constant development of information technology and the limitations in the application of the legislation, the design of the original legal system is no longer consistent with practical requirements. Considering the increasing number of incidents of personal data leaks, discussions were carried out over a long period of time and the new version of the Personal Information Protection Act was passed after three readings in April, 2010. The title of the law was changed to Personal Information Protection Act. The new system has been officially implemented since 1 October, 2012. The new Act not only revised the provisions of the law in a comprehensive way, but also significantly increased the obligations and responsibilities of enterprises. In terms of civil liability, the maximum amount of compensation for a single incident is 200 Million NTD. For domestic industries, how to effectively respond to the requirements under the Personal Information Protection Act and adopt proper corresponding measures to lower the risk has become a key task for enterprise operation. II. Main Points 1. Implementation of the Enforcement Rules of the Personal Information Protection Act Personal information protection can be said the most concerned issue in Taiwan recently. As a matter of fact, the Computer-Processed Personal Data Protection Law was established in Taiwan as early as August 1995. After more than 10 years of development, computer and information technology has evolved significantly, and many emerging business models such as E-commerce are extensively collecting personal data. It has become increasingly important to properly protect personal privacy. However, the previous Computer-Processed Personal Data Protection Law was only applicable to certain industries, i.e. the following 8 specific industries: the credit investigation business, hospital, school, telecommunication business, financial business, securities business, insurance business, and mass media. And other business was designated by the Ministry of Justice and the central government authorities in charge of concerned enterprises. In addition, the law only protected personal information that was processed by “computer or automatic equipment”. Personal information that was not computer processed was not included. There were clearly no sufficient regulations for the protection of personal data privacy and interest. There were numerous incidents of personal data leaks. Among the top 10 consumer news issued by the Consumer Protection Committee of the Executive Yuan in 2007, “incidents of personal data leaks through E-commerce and TV shopping” was on the top of the list. This provoked the Ministry of Justice and the Ministry of Economic Affairs to “jointly designate” the retail industry without physical boutique (including 3 transaction models: online shopping, catalogue shopping and TV shopping) to be governed by the Computer-Processed Personal Data Protection Law since 1 July 2010. To allow the provisions of the personal information protection legal system to meet the environment of rapid change, the Executive Yuan proposed a Draft Amendment to the Computer-Processed Personal Data Protection Law very early and changed the title to the Personal Information Protection Act. The draft was discussed many times in the Legislative Yuan. Personal Information Protection Act was finally passed after three readings in April 2010, which was officially published by the Office of the President on 26 May. Although the new law was passed in April 2010, to allow sufficient time for enterprises and the public to understand and comply the new law, the new version of the personal information protection law was not implemented on the date of publication. In accordance with Article 56 of the Act, the date of implementation was to be further established by the Executive Yuan. After discussions over a long period of time, the Executive Yuan decided for the Personal Information Protection Act to be officially implemented on 1 October 2012. However, the implementation of two articles is withheld: Article 6 of the Act about the principal prohibition against the collection, processing and use of special personal information and Article 54 about the obligation to notice the Party within one year for personal information indirectly acquired before the implementation of the new law. In terms of the personal data protection legal system, other than the most important Personal Data Protection Act, the enforcement rules established in accordance with the main law also play a key role. The previous Enforcement Rules of the Computer-Processed Personal Data Protection Law were published and implemented on 1 May, 1996. Considering that the Computer-Processed Personal Data Protection Law was amended in 2010 and that its title has been changed to the Personal Data Protection Act, the Ministry of Justice also followed the amended provisions under the new law and actively studied the Draft Amendment to the Enforcement Rules of the Computer-Processed Personal Data Protection Act. After it was confirmed that the new version of the Personal Data Protection Act would be officially launched on 1 October 2012, the Ministry of Justice announced officially the amended enforcement rules on 26 September, 2012. The title of the enforcement rules was also amended to the Enforcement Rules of the Personal Data Protection Act. The new version of personal data protection law and enforcement rules was thus officially launched, creating a brand new era for the promotion of personal data protection in Taiwan. II. Personal Data Administration System and Information Privacy Protection Charter Before the amendment to the Personal Data Protection Act was passed, the Legislative Yuan made a proposal to the government in June 2008 to promote a privacy administration and protection certification system in Taiwan, in reference to foreign practices. In August of the following year, the Strategic Review Board of the Executive Yuan passed a resolution to promote the E-Commerce Personal Data Administration and Information Security Action Plan. In December of the same year, approval was granted for the plan to be included in the key government promotion plans from 2010 to 2013. Based on this action plan, since October 2010, the Ministry of Economic Affairs has asked the Institution for Information Industry to execute an E-Commerce Personal Data Administration System Setup Plan. Since 2012, the E-Commerce Personal Data Administration System Promotion Plan and the Taiwan Personal Information Protection and Administration System (TPIPAS) have been established and promoted, with the objective of procuring enterprises to, while complying with the personal data protection legal system, properly protect consumers’ personal information through the establishment of an internal administration mechanism and ensuring that the introducing enterprises meet the requirements of the system. The issuance of the Data Privacy Protection Mark (dp.mark) was also used as an objective benchmark for consumers to judge the enterprise’s ability to maintain privacy. Regarding the introduction of the personal data administration system, enterprises should establish a content administration mechanism step by step in accordance with the Regulations for Taiwan Personal Information Protection and Administration System. Such system also serves as the review benchmark to decide whether domestic enterprises can acquire the Data Privacy Protection Mark (dp.mark). Since domestic enterprises did not have experience in establishing internal personal data administration system in the past, starting 2011, under the Taiwan Personal Information Protection and Administration System, enterprises received assistance in the training of system professionals such as Personal Data Administrators and Personal Data Internal Appraisers. Quality personal data administrators can help enterprises establish complete internal systems. Internal appraisers play the role of confirming whether the systems established by the enterprises are consistent with the system requirements. As of 2012, there are almost 100 enterprises in Taiwan that participate in the training of system staff and a total of 426 administrators and 131 internal appraisers. In terms of the introduction of TPIPAS, in additional to the establishment and introduction of administration systems by qualified administrators, enterprises can also seek assistance from external professional consulting institutions. Under the Taiwan Personal Information Protection and Administration System, applications for registration of consulting institutions became available in 2012. Qualified system consulting institutions are published on the system website. Today 9 qualified consulting institutions have completed their registrations, providing enterprises with personal data consulting services. After an enterprise completes the establishment of its internal administration system, it may file an application for certification under the Taiwan Personal Information Protection and Administration System. The certification process includes two steps: “written review” and “site review”. After the enterprise passing certification, it is qualified to use the Data Privacy Protection Mark (dp.mark). Today 7 domestic companies have passed TPIPAS certification and acquired the dp.mark: 7net, FamiPort, books.com.tw, LOTTE, GOHAPPY, PAYEASY and Sinya Digital, reinforcing the maintenance of consumer privacy information through the introduction of personal data administration system. III. Event Analysis The Taiwan Personal Information Protection and Administration System (TPIPAS) is a professional personal data administration system established based on the provisions of the latest version of the domestic Personal Data Protection Act, in reference to the latest requirements of personal data protection by international organizations and the experience of main countries in promoting personal data administration system. In accordance with the practical requirements to protect personal data by industries, TPIPAS converted professional legal conditions into an internal personal data administration procedure to effectively assist industries to establish a complete and proper personal data administration system and to comply with the requirements of personal data legislations. With the launch of the new version of the Personal Data Protection Act, introducing TPIPAS and acquiring dp.mark are the best strategies for enterprises to lower the risk from the personal data protection law and to upgrade internal personal data administration capability.

Preface Considering that, many countries and regional international organizations already set up ABS system, such as Andean Community, African Union, Association of Southeast Asia Nations (ASEAN), Australia, South Africa, and India, all are enthusiastic with the establishment of the regulations regarding the access management of biological resources and genetic resources. On the other hand, there are still many countries only use traditional and existing conservation-related regulations to manage the access of biological resources. Can Taiwan's regulations comply with the purposes and objects of CBD? Is there a need for Taiwan to set up specific regulations for the management of these access activities? This article plans to present Taiwan's regulations and review the effectiveness of the existing regulations from the aspect of enabling the legal and effective access to biological resources. A recommendation will be made on whether Taiwan should reinforce the management of the bio-resources access activities. Review and Recommendation of the Regulations on the Legal and Effective Access to Taiwan's Biological Rersearch Resources （1）Evaluate the Needs and Benefits before Establishing the Regulation of Access Rights When taking a look at the current development of the regulations on the access of biological resources internationally, we discover that some countries aggressively develop designated law for access, while some countries still adopt existing regulations to explain the access rights. Whether to choose a designated law or to adopt the existing law should depend on the needs of establishing access and benefit sharing system. Can the access and benefit sharing system benefit the functioning of bio-technological research and development activities that link closely to the biological resources? Can the system protect the interests of Taiwan's bio-research results? In Taiwan, in the bio-technology industry, Agri-biotech, Medical, or Chinese Herb Research & Development are the key fields of development. However, the biological resources they use for the researches are mainly supplied from abroad. Hence, the likelihood of violating international bio-piracy is higher. On the contrary, the incidence of international research houses searching for the biological resources from Taiwan is comparatively lower, so the possibility for them to violate Taiwan's bio-piracy is very low. To look at this issue from a different angle, if Taiwan establishes a separate management system for the access of biological resources, it is likely to add more restrictions to Taiwan's bio-tech R&D activities and impact the development of bio-industry. Also, under the new management system, international R&D teams will also be confined, if they wish to explore the biological resources, or conduct R&D and seek for co-operation activities in Taiwan. Not to mention that it is not a usual practice for international R&D teams to look for Taiwan's biological resources. A new management system will further reduce their level of interest in doing so. In the end, the international teams will then shift their focus of obtaining resources from other countries where the regulation on access is relatively less strict. Before Taiwan establishes the regulations on the legal and effective access to bio-research resources, the government should consider not only the practical elements of the principal on the fair and impartial sharing of the derived interests from bio-research resources, but also take account of its positive and negative impacts on the development of related bio-technological industries. Even if a country's regulation on the access and benefit sharing is thorough and comprehensive enough to protect the interests of bio-resource provider, it will, on the contrary, reduce the industry's interest in accessing the bio-resources. As a result, the development of bio-tech industry will be impacted and the resource provider will then be unable to receive any benefits. By then, the goal of establishing the regulation to benefit both the industry and resource provider will not be realized. To sum up, it is suggested to evaluate the suitability of establishing the management system for the access to biological resources through the cost-effect analysis first. And, further consider the necessity of setting up regulations by the access the economic benefits derived from the regulation for both resource provider and bio-tech industry. （2）The Feasibility of Managing the access to Bio-research Resources from existing Regulations As analysed in the previous paragraphs, the original intention of setting up the Wildlife Conservation Act, National Park Law, Forestry Act, Cultural Heritage Preservation Act, and Aboriginal Basic Act is to protect the environment and to conserve the ecology. However, if we utilize these traditional regulations properly, it can also partially help to manage the access to biological resources. When Taiwan's citizens wish to enter specific area, or to collect the biological resources within the area, they need to receive the permit from management authority, according to current regulations. Since these national parks, protection areas, preserved areas, or other controlled areas usually have the most comprehensive collections of valuable biological resources in a wide range of varieties, it is suggested to include the agreements of access and benefit sharing as the mandatory conditions when applying for the entrance permit. Therefore, the principal of benefit sharing from the access to biological resources can be assured. Furthermore, the current regulations already favour activities of accessing biological resources for academic research purpose. This practice also ties in with the international trend of separating the access application into two categories - academic and business. Australia's practice of access management can be a very good example of utilizing the existing regulations to control the access of resources. The management authority defines the guidelines of managing the entrance of control areas, research of resources, and the collection and access of resources. The authority also adds related agreements, such as PIC (Prior Informed Consent), MTA (Material Transfer Agreement), and benefit sharing into the existing guidelines of research permission. In terms of scope of management, the existing regulation does not cover all of Taiwan's bio-research resources. Luckily, the current environmental protection law regulates areas with the most resourceful resources or with the most distinctive and rare species. These are often the areas where the access management system is required. Therefore, to add new regulation for access management on top of the existing regulation is efficient method that utilizes the least administrative resources. This could be a feasible way for Taiwan to manage the access to biological resources. （3）Establish Specific Regulations to Cover the Details of the Scope of Derived Interests and the Items and Percentage of Funding Allocation In addition to the utilization of current regulations to control the access to biological resources, many countries establish specific regulations to manage the biological resources. If, after the robust economic analysis had been done, the country has come to an conclusion that it is only by establishing new regulations of access management the resources and derived interests of biological resources can be impartially shared, the CBD (Convention of Bio Diversity), the Bonn Guidelines, or the real implementation experiences of many countries can be an important guidance when establishing regulations. Taiwan has come up with the preliminary draft of Genetic Resources Act that covers the important aspects of international access guidelines. The draft indicates the definition and the scope of access activities, the process of access applications (for both business and academic purpose), the establishment of standardized or model MTA, the obligation of disclosing the sources of property rights (patents), and the establishment of bio-diversity fund. However, if we observe the regulation or drafts to the access management of the international agreements or each specific country, we can find that the degree of strictness varies and depends on the needs and situations. Generally speaking, these regulations usually do not cover some detailed but important aspects such as the scope of derived interests from biological resources, or the items and percentage of the allocation of bio-diversity fund. Under the regulation to the access to biological resources, in addition to the access fee charge, the impartial sharing of the derived interests is also an important issue. Therefore, to define the scope of interests is extremely important. Any interest that is out of the defined scope cannot be shared. The interest stated in the existing regulation generally refers to the biological resources or the derived business interests from genetic resources. Apart from describing the forms of interest such as money, non-money, or intellectual property rights, the description of actual contents or scope of the interests is minimal in the regulations. However, after realizing the importance of bio-diversity and the huge business potential, many countries have started to investigate the national and international bio-resources and develop a database system to systematically collect related bio-research information. The database comprised of bio-resources is extremely useful to the activities related to bio-tech developments. If the international bio-tech companies can access Taiwan's bio-resource database, it will save their travelling time to Taiwan. Also, the database might as well become a product that generates revenues. The only issue that needs further clarification is whether the revenue generated from the access of database should be classified as business interests, as defined in the regulations. As far as the bio-diversity fund is concerned, many countries only describe the need of setting up bio-diversity funds in a general manner in the regulations. But the definition of which kind of interests should be put into funds, the percentage of the funds, and the related details are not described. As a result, the applicants to the access of bio-resources or the owner of bio-resources cannot predict the amount of interests to be put into bio-diversity fund before they actually use the resources. This issue will definitely affect the development of access activities. To sum up, if Taiwan's government wishes to develop the specific regulations for the access of biological resources, it is advised to take the above mentioned issues into considerations for a more thoroughly described, and more effective regulations and related framework. Conclusion In recent years, it has been a global trend to establish the regulations of the access to and benefit sharing of bio-resources. The concept of benefit sharing is especially treated as a useful weapon for the developing countries to protect the interests of their abundant bio-research resources. However, as we are in the transition period of changing from free access to biological resources to controlled access, we are facing different regulations within one country as well as internationally. It will be a little bit disappointing for the academic research institution and the industry who relies on the biological resources to conduct bio-tech development if they do not see a clear principal direction to follow. The worse case is the violation of the regulation of the country who owns the bio-resources when the research institutions try to access, exchange, or prospect the biological resources without thorough understanding of related regulations. For some of Taiwan's leading fields in the bio-tech industry, such as Chinese and herbal medicine related products, agricultural products, horticultural products, and bio-tech products, since many resources are obtained from abroad, the incidence of violation of international regulation will increase, and the costs from complying the regulations will also increase. Therefore, not only the researcher but also the government have the responsibility to understand and educate the related people in Taiwan's bio-tech fields the status of international access management regulations and the methods of legally access the international bio-research resources. Currently in Taiwan, we did not establish specific law to manage the access to and benefit sharing of bio-resources. Comparing with the international standard, there is still room of improvement for Taiwan's regulatory protection to the provider of biological resources. However, we have to consider the necessity of doing so, and how to do the improvement. And Taiwan's government should resolve this issue. When we consider whether we should follow international trend to establish a specific law for access management, we should always go back to check the potential state interests we will receive and take this point into consideration. To define the interests, we should always cover the protection of biological resources, the development of bio-tech industry, and the administrative costs of government. Also the conservation of biological resources and the encouragement of bio-tech development should be also taken into consideration when the government is making decisions. In terms of establishing regulations for the access to biological resources and the benefit sharing, there are two possible solutions. The first solution is to utilize the existing regulations and add the key elements of access management into the scope of administrative management. The work is planned through the revision of related current procedures such as entrance control of controlled areas and the access of specific resources. The second solution is to establish new regulations for the access to biological resources. The first solution is relatively easier and quicker; while the second solution is considered to have a more comprehensive control of the issue. The government has the final judgement on which solution to take to generate a more effective management of Taiwan's biological resources.

Taiwan Has Passed “Statute of Human Biobank Management” to Maintain Privacy and Improve Medicine Industries Due to lack of regulations, divergent opinions abounded about the establishment of Biobanks and collection of human biological specimen. For example, a researcher in an academic research organization and a hospital-based physician collected biospecimens from native Taiwanese. Although they insisted that the collections were for research only, human rights groups, ethics researchers, and groups for natives´ benefits condemned the collections as an invasion of human rights. Consequently, the Taiwanese government recognized the need for Biobanks regulation. To investigate the relationship between disease and multiple factors and to proceed with possible prevention, The Legislative Yuan Social Welfare and Healthy Environment Committee has passed "the draft statute of human biobank management" through primary reviewing process on December 30, 2009 and subsequently passed through entire three-reading procedure on January 7, 2010. Therefore, the medical and research institute not only can set up optimal gene database for particular disease curing, but also can collect blood sample for database establishment, legally. However, the use of sample collections will be excluded from the use of judiciary purpose. In the light of to establish large scale biobank is going to face the fundamental human right issue, from the viewpoint of biobank management, it is essential not only to set up the strict ethics regulation for operational standard, but also to make the legal environment more complete. For instance, the Department of Health, Executive Yuan had committed the earlier planning of Taiwan biobank establishment to the Academic Sinica in 2006, and planned to collect bio-specimen by recruiting volunteers. However, it has been criticized by all circles that it might be considered violating the Constitution article 8 provision 1 front paragraph, and article 22 rules; moreover, it might also infringe the personal liberty or body information privacy. Therefore, the Executive Yuan has passed the draft statute of human biobank management which was drafted and reviewed by Department of Health during the 3152nd meeting, on July 16, 2009, to achieve the goal of protecting our nation’s privacy and promoting the development of medical science by management biomedical research affairs in more effective ways. Currently, the draft statute has been passed through the primary review procedure by the Legislative Yuan. About the draft statute, there are several important points as following: (1) Sample Definition: Types of collected sample include human somatic cell, tissues, body fluids, or other derivatives; (2) Biobank Establishment: It requires not only to be qualified and permitted, but also to set up the ethical reviewing mechanism to strengthen its management and application; (3)Sample Collection and Participant Protection: In accordance with the draft statute, bio-specimen collecting should respect the living ethics during the time and refer to the "Medical Law" article 64 provision 1; before sample collection, all related points of attention should be kept in written form , the participant should be notified accordingly, and samples can only be collected with the participant’s consent. Furthermore, regarding the restrained read right and setting up participants’ sample process way if there were death or lost of their capacity; (4) Biobank Management: The safety regulation, obligation of active notification, free to retreat, data destruction, confidentiality and obligation, and termination of operation handling are stipulated; and (5) Biobank Application: According to the new draft statute, that the biological data can’t be used for other purposes, for example, the use of inquisition result for the "Civil law", article 1063, provision 2, prosecution for denying the parent-child relationship law suit", or according to the "Criminal law", article 213, provision 6. This rule not only protects the participants’ body information and their privacy right, but also clearly defines application limits, as well as to set up the mechanism for inner control and avoid conflict of interests to prevent unnecessary disputes. Finally, the Department of Health noted that, as many medical researches has shown that the occurrence of diseases are mostly co-effected by various factors such as multiple genes and their living environment, rather than one single gene, developed countries have actively devoted to human biological sample collection for their national biobank establishment. The construction and usage of a large-scale human bank may bring up the critical issue such as privacy protection and ethical problems; however, to meet the equilibrium biomedical research promotion and citizen privacy issue will highly depend on the cooperation and trust between the public and private sectors. Taiwan Department of Health Announced the Human Biobanks Information Security Regulation The field of human biobanks will be governed by the Act of Human Biobanks (“Biobanks Act”) after its promulgation on February 3, 2010 in Taiwan. According to Article 13 of the Biobanks Act, a biobank owner should establish its directive rules based on the regulation of information security of biobanks announced by the competent authority. Thus the Department of Health announced the draft of the Human Biobanks Information Security Regulation (“Regulation”) for the due process requirement. According to the Biobanks Act, only the government institutes, medical institutes, academic institutes, and research institutes are competent to establish biobanks (Article 4). In terms of the collecting of organisms, the participants should be informed of the relevant matters by reasonable patterns, and the collecting of organisms may be conducted after obtaining the written consent of the participants (Article 6). The relative information including the organisms and its derivatives are not allowed to be used except for biological and medical research. After all the protection of biobanks relative information above, the most important thing is the safety regulations and directive rules of the database administration lest all the restrictions of biobanks owners and the use be in vain. The draft Regulation aims to strengthen the safety of biobanks database and assure the data, the systems, the equipments, and the web circumstances are safe for the sake of the participants’ rights. The significant aspects of the draft are described as below. At first, the regulation should refer to the ISO27001, ISO27002 and other official rules. Concerning the personnel management, the security assessment is required and the database management personnel and researchers may not serve concurrently. In case some tasks are outsourced, the contractor should be responsible for the information security; the nondisclosure agreement and auditing mechanism are required. The application system should update periodically including the anti-virus and firewall programs. The biobanks database should be separated physically form internet connection, including the prohibition of information transforming by email or any other patterns through internet. The authorizing protocol of access to the biobanks should be established and all log files should be preserved in a period. The system establishment and maintenance should avoid remote control. In case the database system is physically out of the owner’s control, the authorization of the officer in charge is required. If an information security accident occurred, the bionbanks owner should contact the competent authority immediately and inform the participants by adequate tunnel. The biobanks owner should establish annual security auditing program and the project auditing will be conducted subject to the necessity. To sum up, while the biobanks database security regulation is fully established, the biobanks owners will have the sufficient guidance in connection with the biobank information security to comply with in the future.