If you can’t read this email - please click here
STLI Quarterly Newsletter 2021 No.04

  Taiwan’s privacy profession has considered 2021 to be the year of privacy. Several privacy laws have be amended in 2021. This newsletter intends to give readers an overview of the context behind this year’s reform and the important amendments made.

Context of Taiwan’s 2021 Privacy Reform

  Around the end of 2020, a privacy breach occurred. The impact was of national scale affecting most Taiwanese citizens. The current administration determined to resolve this issue and in the beginning of 2021, it requested that all executive government departments meet to discuss a strategy to resolve this national crisis.

  Following this meeting, the National Development Council, which is the body that is responsible for interpreting Taiwan’s Personal Data Protection laws, led Taiwan’s 2021 privacy reform.

What is Taiwan’s 2021 Privacy Reform?

  Taiwan’s Privacy Regime consists of a general privacy law called the Personal Data Protection Act (‘PDPA’). The PDPA should be read with the Enforcement Rules of the Personal Data Protection Act, as it is supplementary to the PDPA.

  Section 27(3) of the PDPA delegates central government authorities in charge of the industries to make privacy legislation specific to the industry that they are in charge of (‘Industry Specific Privacy Legislation’). We ought to explain what is a central government authority in charge of the industries. Taiwan does not have an independent body that governs all national privacy issues, such as a privacy commissioner. Instead, each government body is in charge of one or more industries’ privacy issues. Currently, there are government bodies that are in charge of specific industries (e.g. the transport industry, the financial sector etc), and they govern every aspect of that industry. These government bodies are seen to be suitable to govern each industry’s privacy issues, as they have a close relationship with their governing companies.

  Taiwan’s 2021 Privacy Reform is initiated and supervised by the National Development Council. In essence, the National Development Council requested central government authorities in charge of the industries to amend its Industry Specific Privacy Legislation. Up to the date of writing, 8 Industry Specific Privacy Legislation have been amended.[1] They are within the sports betting and lottery industry, schooling industry, tobacco and alcohol industry, multilevel marketing industry, human resources recruitment industry, engineering consulting industry. One Industry Specific Privacy Legislation has been enacted.[2] It is within the police sector.

Important Amendments

  The most important amendment is in regards to data breach notifications. All of the Industry Specific Privacy Legislation mentioned above have amended the section in regards to data breach notification to reflect the following:

1. Time for notification: industries must notify within 72 hours after the data breach occurs or notify within 72 hours after being aware of the data breach. Each Industry Specific Privacy Legislation has adopted different approaches but the requirement is either of the above.

2. Who to notify: industries must notify central government authorities in charge of the industries. The PDPA only requires companies to notify the data subject when a data breach occurs. Prior to Taiwan’s 2021 Privacy Reform, there were very few legislation that required companies to notify central government authorities in charge of the industries.

3.Checks: post notification, central government authorities in charge of the industries have the power to inspect the company and the company must not refuse.

[1]運動彩券業個人資料檔案安全維護計畫實施辦法, https://law.moj.gov.tw/LawClass/LawAll.aspx?pcode=H0120077;
海外臺灣學校及大陸地區臺商學校個人資料檔案安全維護計畫實施辦法, https://law.moj.gov.tw/LawClass/LawAll.aspx?pcode=H0110008;
私立職業訓練機構個人資料檔案安全維護計畫及處理辦法, https://law.moj.gov.tw/LawClass/LawAll.aspx?pcode=N0080048;
多層次傳銷業訂定個人資料檔案安全維護計畫及業務終止後個人資料處理方法作業辦法, https://law.moj.gov.tw/LawClass/LawAll.aspx?pcode=J0150015;
人力仲介業個人資料檔案安全維護計畫及處理辦法, https://law.moj.gov.tw/LawClass/LawAll.aspx?pcode=N0090045;
工程技術顧問業個人資料檔案安全維護計畫及處理辦法, https://law.moj.gov.tw/LawClass/LawAll.aspx?pcode=D0070242;

[2]內政部指定警政類非公務機關個人資料檔案安全維護管理辦法, https://law.moj.gov.tw/LawClass/LawAll.aspx?pcode=D0080210.


  With the prosperity of online shopping, the Third-Party Payment Enterprises that protects the rights of sellers and buyers and the security of the transaction has emerged. At present, the Third-Party Payment does not be required mandatorily to check or confirm the identity of customers, it is easily used for financial fraud or money laundering. To prevent such crimes, the Executive Yuan issued an order on August 18th, 2021 to designate Third-Party Payment enterprises as nonfinancial businesses or professions, regulated by Money-Laundering Control Act.

  The types of transactions applicable to the Third-Party Payment Enterprises refers to the enterprises that is not an electronic payment institution under the Act Governing Electronic Payment Institutions. The term “Third-Party Payment Service” refer to the enterprises who structure internet platforms which are provided to internet transaction consumers for their online payment activities. Upon occurrence of online transactions receives proceeds of online transactions, the Third-Party payment enterprises will forwards the proceeds to the recipients according to instructions of consumers(Collecting and making payments for real transactions as an agent),such as Newebpay, Sunpay.

  According to the order of Executive Yuan, the Ministry of Economic Affairs (MOEA) drafting "Regulation Governing Anti-Money Laundering and Countering the Financing of Terrorism for Third-Party Payment Enterprises" (AML/CFT) based on the Money-Laundering Control Act, and commences a period of public comments to allow public and interested parties to express their opinions on the draft regulation before Nov. 29, 2021. Under the draft regulation, the third-party payment enterprises are required to conduct customer due diligence, keep service records, report suspicious transactions, establish internal control measures, etc. The content of the regulation as follows:

1. Terms used in the Regulations. (Article 2)

2. Preparation and regular updates of the risk assessment report on AML/CFT. (Article 3)

3. Establish a system for management and reduction of the risk of money laundering and financing of terrorism. (Article 4)

4. Establish its own internal control and audit system. (Article 5)

5. Risk management measures for new services or new types of business. (Article 6)

6. Customer due diligence (CDD) measures. (Article 7)

7. Circumstances of declining to provide services. (Article 8)

8. Implement ongoing CDD measures. (Article 9)

9. Determine the intensity of CDD on the basis of Risk-based approach (RBA). (Article 10)

10. Verification of Politically Exposed Persons (PEPs). (Article 11)

11. Monitoring and report obligation of transactions or services. (Article 12)

12. Period and requirements for service record keeping. (Article 13)

13. Measures and procedures for reporting suspicious ML/TF transaction. (Article 14)

14. The report measures, procedures and record keeping of the sanctioned individual, legal person or organization under the Terrorism Financing Prevention Act. (Article 15)

1. MOEA solicits public's comments on drafting money laundering prevention regulation for Third-Party Payment Enterprises, The Ministry of Economic Affairs, available at https://www.moea.gov.tw/Mns/english/news/News.aspx?kind=6&menu_id=176&news_id=97272 (last visited Nov. 3, 2021).
2. Regulation Governing Anti-Money Laundering and Countering the Financing of Terrorism for Third-Party Payment Enterprises, Commerce Industrial Services Portal, available at https://law.moea.gov.tw/DraftForum.aspx (last visited Nov. 3, 2021).


  On October 6, 2021, an unprecedented ruling concerning whether artificial intelligence can be listed as an inventor under Taiwan’s Patent Law was issued by the Taipei High Administrative Court. The ruling concluded that only natural persons are eligible to be patent inventors, and thus artificial intelligence cannot be qualified as one. The ruling is still subject to appeal and is not a judicially final decision.


  The plaintiff, known as Stephen L. Thaler (hereafter as “Thaler”) is a registered inventor of DABUS, a kind of generative artificial intelligence mainly derived or modified from generative adversarial neural network. This type of network is a kind of novel neural network proposed by Ian Goodfellow in 2014. By combining a discriminator and generator plus training their respective weight matrices according to a two-player minimax game with contradicting target value, a generator in generative adversarial neural network can then generate patterns that mimic the original data given by human.

  With this functionality, DABUS generated “devices and methods for attracting enhanced attention” (hereafter as “the devices”) under Thaler’s training. Thaler then filed a patent application to Taiwan’s Intellectual Property Office (hereafter as “TIPO”) for the devices. In the application, Thaler, as the applicant, listed DABUS as the inventor of the devices. However, TIPO did not accept the notion that artificial intelligence can qualify as a patent inventor and requested Thaler to correct and list a natural person as the inventor in the application. Thaler rejected the request and as a result, TIPO refused Thaler’s application.

  Thaler then made a petition to the Ministry of Economic Affairs in Taiwan. However the petition was also denied on the ground that only natural persons are eligible to be patent inventors. Thaler then filed the present lawsuit, listing TIPO as the defendant.

Details in the Court’s Opinion

  The court, in its final deliberation, filed a ruling against Thaler in favor of TIPO’s notion based on the following reasons:

(1) Based on the follow lexical terminology of the Patent Act (hereafter as “the act”) and the Enforcement Rules of the Patent Act (hereafter as “the rule”) in Taiwan, only natural persons are eligible to be inventors This can be seen in several articles of the act. Article 16 stipulates that “When filing a patent application for invention, the application form shall specify the following items: 1. title of invention; 2. name and nationality of the inventor; ….” Also in article 31 “Whenever a patent application for invention is laid open by the Specific Patent Agency, the following items shall be laid open to the public: … 7. name(s) of the inventor(s); ….” Similarly, article 83 also stipulates that whenever a patent is granted, the name of the inventor shall be listed in the Patent Gazette. Since these articles mentions the name and nationality of the inventor several times, it is obvious that the law deems an inventor as a natural person.

(2) Artificial Intelligence obviously is not a natural person. Thus artificial intelligence cannot be qualified as a patent inventor.

  Thus the court filed a ruling in favor of TIPO, denying Thaler’s complaint.

Other Opinions

  The court’s ruling is widely viewed as the replica of previous decisions made by the UK Intellectual Property Office (UKIPO), the European Patent Office (EPO), and the United States Patent and Trademark Office (USTPO) that came through in 2020, when Thaler filed the same application to the aforementioned offices and listed DABUS as the inventor. These offices also required Thaler to correct and re-list natural person as the inventor and were also rejected by Thaler. The aforementioned offices likewise denied Thaler’s application. Since then, several lawsuits and petitions have been around the world’s intellectual offices.

  Whether or not artificial intelligence is eligible to be a patent inventor has been a long-debated issue. There remains several hurdles for artificial intelligence to acquire the legal status of inventor. Obviously, the first hurdle is the technical proof and criterion required to demonstrate that artificial intelligence is human-like and “creative” enough. The second one is the lack of socio-economic need for recognizing artificial intelligence as patent inventors. If any of these two hurdles is not overcome, it will be difficult for most jurisdictions to recognize artificial intelligence as a patent inventor.

  Furthermore, even though some artificial intelligence might be considered “creative” enough, the question remains as to how the artificial intelligence, as the inventor, can consent to the transfer of the invention’s ownership to the applicant at hand. This question has been raised by USPTO and other offices. However, Thaler has not yet provided a solid answer to this question.

  Nonetheless, the debate on whether artificial intelligence is eligible to be a patent inventor might go on for another decade until some even more creative artificial intelligences are built and that it becomes socio-economic urgent for the law to recognize artificial intelligence as inventors. Before then, artificial intelligence might be considered just a tool other than human-privileged inventor.