The U.S.-China trade dispute and competition for technological supremacy had already prompted some Taiwanese manufacturers to move production out of China when the coronavirus pandemic added further pressure for supply chain diversification. The Committee acknowledges the measures adopted by the Taiwan government last year, including announcement of the “Action Plan for Welcoming Overseas Taiwanese Businesses to Return to Invest in Taiwan,” to attract firms to invest in high value-added areas in Taiwan.
However, continuing regulatory challenges may hamper the effort to foster development of the tech sector. We encourage Taiwan to leverage partnerships with U.S. and other international players to create a competitive, open, and well-rounded environment to enable Taiwan to meet the challenges ahead. In that spirit, we propose the following recommendations for consideration.
Suggestion 1: Review the government’s current cybersecurity policy to align it with the latest international standards and practices.
In a world where the advancement of connected devices and cloud-based services brings both innovations and security challenges, we understand the important role of government cybersecurity policy in preventing security risks, protecting the privacy of consumers and organizations, and enabling sound purchasing decisions. We commend the Taiwan government’s initiatives to adopt various cybersecurity guidelines and testing standards, and to create a certification mechanism for such ICT products and services as smart phones, mobile apps, and IoT products.
For testing standards and certification, however, the Committee suggests that the authorities consider taking a holistic view of cybersecurity from a global perspective, aligned with the latest international standards and practices. Regarding the guideline introduced in April 2019 prohibiting the use of products that may be considered a “threat to cybersecurity” in Taiwan, the Committee suggests that the Executive Yuan clarify the scope, so that industry and the public agencies will have a clear guideline to follow.
Regarding testing standards and certification mechanism for ICT products and services, the Committee recommends:
Minimize prescriptive regulations. We suggest that the Taiwan government exercise caution in using a prescriptive approach to regulate cybersecurity, as it does not suit the fast-changing nature of digital markets and the complexity of cybersecurity. It also tends to inhibit innovation as technology evolves. The prescriptive regulation approach includes implementation of a cybersecurity labeling scheme for ICT products or a static certification program.
For example, guidelines announced by the National Communications Commission in 2017 for the testing of pre-loaded software for smart phone manufacturers included the setting of security levels (basic, medium, or advanced). Other government agencies have proposed guidelines for voluntary cybersecurity tests and certifications for mobile apps and IoT products. However, a fixed security-level label and certification assigned to a product might soon be out of date as a result of constant software changes and security updates. In addition, a period of at least two to three months is needed for product testing by an authorized lab and completion of the certification process, which is impractical given the time-to-market requirements of the fast-changing digital world.
Cybersecurity issues are complicated and dynamic, and cannot be reduced to a simplistic label on the product. Moreover, the government’s ability to update prescriptive requirements inevitably cannot keep pace with technological change. We therefore believe that industry should lead in driving improvement in cybersecurity, rather than having a rigid regulatory approach imposed by government. It is crucial that emerging technologies and security innovations not be stifled through inappropriate regulation.
Align with international standards. Connected products are manufactured for a global market and increasingly governed by international standards. When developing standards and testing guides on cybersecurity, it is best to align the certification framework and standards with key markets like the U.S. or EU to prevent the proliferation of different national standards. The latest international standards on cybersecurity frameworks for ICT products and services have mostly been developed as voluntary and flexible guidance to industry, not as regulatory compliance checklists with a detailed technical testing requirement.
In addition, it is important for the policymaker to engage in stakeholder consultation in order to gain a holistic view of the proper policy direction. It is also critical to consider the consumer’s perspective, so as to avoid misunderstanding of cybersecurity certification on ICT products. Therefore, international harmonization of standards should be a priority to ensure that no unnecessary burden is placed upon businesses, consumers, and the market.
Encourage industry self-regulation. Government has an important role to play in helping to accelerate market-driven security advances. It can define concrete security goals to be achieved, while giving manufacturers freedom on how to achieve those goals. For government agencies with specific needs or higher standards of cybersecurity requirement, it is important to build public/private relationships to enhance government-industry collaboration. Companies can use self-declaration based on an internationally uniform and practical standard to regulate how they account for cybersecurity in their products and solutions. This approach leads to greater transparency and security for consumers, and is most likely to allow market diversity and competition to drive high standards. At the same time, it meets national cybersecurity goals in the internet age of rapid technological innovation.
Regarding the 2019 guideline governing the use of products that may threaten information security, the Executive Yuan said it would publish a list of Chinese ICT products and brands that public agencies would be prohibited from purchasing or using. To date, the list has not been announced.
The result has been that different public agencies have had different interpretations of the guideline. Some agencies have banned only finished products that are Chinese-branded, while others have required that each component in the final product must be of other than Chinese origin.
The Committee fully supports the Taiwan government’s desire to protect information security and national security. But it is essential to have a clear guideline to follow. The Committee urges the government to clarify which products are regulated by the guideline.
Suggestion 2: Adopt several important amendments to the Personal Data Protection Act (PDPA).
The National Development Council (NDC) reportedly is considering amendments to the PDPA aimed at obtaining an “adequacy decision” from the European Commission so that personal data may be freely transferred between EU member states and Taiwan. We appreciate the NDC’s continuous efforts to solicit public opinion on the proposed amendments, and value this opportunity to review the PDPA to ensure an adequate level of data protection while remaining mindful of Taiwan’s economic structure and orientation toward international trade. We offer the following points for the NDC’s consideration.
Maintain the current legislative model of “conditional cross-border data transmission.” Taiwan is an export-oriented economy. International trade and other cross-border business activities play an important role in its economic development. In recent decades, Taiwan has developed a booming IT industry that has become its major comparative advantage. To attract further investment and build Taiwan into a regional or global IT hub, Taiwan needs to maintain an open legal framework that allows global interchange and equal treatment for cross-border data transfers.
Taiwan was one of the first jurisdictions in the region to enact and enforce a data protection law. In December 2018, it became the seventh member of the Asia-Pacific Economic Cooperation Cross Border Privacy Rules (CBPR) system, reflecting Taiwan’s commitment to protecting personal data and ensuring the free flow of personal data within the CBPR framework. Several CBPR members have been recognized by the European Commission as providing adequate levels of protection for personal data, including the U.S., Canada, and Japan. The current regulation on “international transfer of personal data,” as set forth under Article 21 of the PDPA, allows personal data to be freely transferred, unless otherwise restricted or prohibited in exceptional situations. That provision should be maintained.
Establish a specialized Privacy/Personal Data Protection Agency. Although the NDC has assumed the critical role of coordinating the interpretation of the PDPA among Taiwan’s government agencies and is leading the effort to obtain an adequacy decision from the EU, power to enforce the PDPA remains vested in the various competent authorities for different sectors at both the central and municipal/local government levels. We believe that the Taiwan government will need to establish a specialized government agency to oversee the regulation of personal data protection. While the proposed specialized government agency may work with or consult the opinion of sectoral regulators, it should be empowered to make the final decision on personal data protection matters.
The Committee expects this future specialized agency to adopt a transparent and open communication mechanism. Our long history of cooperation with Taiwan government agencies leads us to believe that the agency would benefit from having a diverse and inclusive consulting committee, with members that include not only distinguished academics but also industry subject-matter experts and technical professionals.
Define the roles of data controllers and data processors. Taiwan has the potential to be the Asia Pacific hub for innovative services such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). To attract investment in these areas, Taiwan’s amended PDPA should simply and clearly define the roles of data controllers and data processors. The amended PDPA should also eliminate the current distinction in the law between the roles of government and non-government agencies as data controllers.
Moreover, we propose revising Article 4 of the current PDPA to provide a clear definition of data processor as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” Further, we recommend that the amended PDPA clearly distinguish between the roles of data controller and data processor, and align the requirements with their respective roles and respective level of personal data access and control. While data controllers should continue to be liable for processing by data processors in the spirit of the current PDPA Article 4, a data processor should no longer be deemed to have the same liability as a data controller. Instead, a data processor should be liable only if it has failed to fulfil the duties of a data processor under the amended PDPA or if it has acted outside the scope or contrary to the data controller’s instructions.
These changes will have the virtue of making Taiwan’s data protection regime more readily understandable by international businesses seeking to comply with Taiwanese law. The changes would also make Taiwan more attractive to investment by IaaS and PaaS providers who typically do not know the purpose of the data processing they perform on behalf of data controllers or the kinds of data they are processing. In turn, such investment in a robust cloud-computing infrastructure will foster development of a rich ecosystem for SaaS and other innovations in Taiwan.
Limit on-site investigation powers. Article 22 of the current PDPA grants both central and local government agencies broad powers to conduct on-site investigations, including the power to confiscate equipment. The power to investigate on site currently may be exercised if the agency merely “believes that there is a likelihood that a violation of the PDPA has occurred” and can occur in the course of undefined “routine inspections.”
While to the best of our knowledge, both central and local government agencies have been restrained in their use of these powers, we recommend vesting the power of investigation exclusively in the new specialized government agency as was contemplated by the statement of legislative purpose for Article 22 of the current PDPA. Moreover, the NDC should consider limiting the on-site investigative power of the new specialized government agency to accessing premises only when due process requirements have been met. For example, the new government agency could be required to obtain a court warrant based on a reasonable belief that serious violations of the PDPA have occurred and after a showing that there is no other less intrusive way to investigate the potential violation.
We fully support robust enforcement of the PDPA, but on-site investigations, especially at the premises of IaaS and PaaS providers, could not only impair security arrangements at highly sensitive facilities, but also lead to the inadvertent large-scale disclosure of personal data being processed in the same facilities for other customers who have not violated the PDPA.
Promote the use of anonymized and/or de-identified data. The current Taiwan PDPA is unclear as to whether anonymized or de-identified data are subject to the law. In order to make Taiwan’s data protection regime more readily understandable by international businesses, we recommend promoting anonymization or using other technical means to resolve certain personal data protection issues. This step would help further Taiwan’s technology competitiveness.
Minimize the impact of implementing the new PDPA through communication with industry and adoption of a grace period. The Committee appreciates the NDC’s continuous effort to solicit public opinion on the proposed amendments to the PDPA; however, the new PDPA is still likely to encounter hurdles and confusion during implementation. A number of administrative rulings may also come into effect in connection with the new legislation, and industry will need time to understand and bring itself into compliance with each requirement.
We therefore strongly urge the Taiwan government to provide a grace period – in line with the two-year grace period provided under the EU’s General Data Protection Regulation – before the new regulations are enforced. That period should be used for extensive communication with industry to enable companies to smoothly adapt to the new PDPA and its related rulings. We also encourage strengthened cross-functional communication and collaboration among government authorities, such as discussions between NDC and the respective competent authorities, in order to establish a consistent policy and practice.
Suggestion 3: Designate a single agency to handle power consumption standards and energy efficiency labeling for electronics products.
In a speech to AmCham members, the Minister of Economic Affairs disclosed plans to require all household and commercial electronic appliances to follow minimum energy performance standards (MEPS) and energy efficiency rating labeling. It is expected that TVs, displays, desktop computers, laptops, servers, storage devices, and other products will be included in this labeling specification.
Based on current regulations governing household-appliance power consumption standards and power efficiency labeling and inspection, importers need to go through the following steps before goods can be imported:
Registration of Product Certification. Upon application to the Bureau of Standards, Inspection, and Metrology (BSMI), it takes around 15 working days to obtain a Registration of Product Certification.
Application for MEPS labeling. The MEPS benchmarks are formulated by the Bureau of Energy (BOE).
Energy Efficiency Rating Labeling from BOE.
The original BSMI certificate is color scanned into a digital file and uploaded to the designated website or sent on a disk to the BOE.
Product Certification and all required test reports need to be chopped with the official company stamp and submitted to the BOE.
The BOE then takes around 7 to 15 working days to review the application before issuing an efficiency rating for the product. The company can then download the label sticker, send it to the factory, and allow sufficient time for the factory to carry out the labeling.
Because EMC (electromagnetic compatibility) and energy safety are very different functions, normal practice around the world is for different agencies to regulate safety and energy and for applications to be processed separately. Although BSMI and BOE have worked together with regard to household appliances, it might be better to revise the process. If BOE takes responsibility for energy approval, it could make for a smoother process and help industry launch products on time.
Furthermore, maintaining the same application review capacity while adding huge numbers of TVs, displays, and projectors makes it uncertain whether BOE can still honor the 7-15 working-day schedule for energy-efficiency-rating labeling applications. IT products built with the most advanced technologies usually involve more product lines and have much shorter life cycles than do household appliances. Without even considering the extra time needed for product importation, there will be a big impact on the product launch timeline. For the above reasons, the Committee makes the following recommendations:
Assign a single agency to review energy-related specifications. Rather than require multiple reviews of the same documents by BSMI and BOE, the Ministry of Economic Affairs (MOEA) could maintain an integrated database for EMC & Safety reports, RoHS (Restriction of Hazardous Substances) statements, and the new MEPS report. We urge MOEA to align with international practice by assigning a single agency to review energy-related submissions.
Allow companies to apply for the Energy Efficiency Rating Labeling within 30 days after products are imported into Taiwan. Time to market is crucial for electronics products, since this year’s feature could be obsolete next year. Consumers’ rights will also be affected if the prolonged application process prevents products from being launched at the same time as other countries. In addition, MOEA’s plan to add electronics products to the system currently used for household appliances will put considerable strain on lab capacity. Adopting the 30-day post-import stipulation would provide needed flexibility to the electronics industry.
Allow e-labeling or voluntary instead of mandatory labeling for energy-efficient products. To encourage companies to develop or import more efficient electronic products, we suggest that the government consider providing some leeway for energy-efficient products, for example allowing e-labeling. Consumers would still be able to clearly understand the level of efficiency of products they purchase. Voluntary labeling for products with good energy-consumption efficiency would help the authorities in narrowing the scope of post-market surveillance.
Suggestion 4: Introduce court guidelines and reference documents for handling major trade secret cases and adopt consistent standards for assessing damages.
The Technology Committee joins the Intellectual Property & Licensing Committee (see the IP&L Committee’s Suggestion 3) in commending the Judicial Yuan’s efforts to strengthen judges’ ability to handle trade secrets cases, including the provision of reference materials to help speed up case reviews and ensure that they more closely address industrial realities.
Like the IP&L Committee, the Technology Committee encourages the Judicial Yuan to seek input from industry leaders on ways to improve the efficiency of trade secret case review and to provide judges with more capacity-building opportunities. We look forward to playing an active role in this regard.
This Committee also joins the IP&L Committee in expressing our appreciation to the Judicial Yuan for revising the “Guidelines for Speedy Trial and Decisions in Serious Criminal Cases in Court” and for making trade-secret criminal cases involving illegal profits exceeding NT$50 million subject to the Guidelines. We urge that this new revision be implemented fully and consistently in trade-secret cases, where timely action is often crucial. As for the method of estimating the monetary value, we recommend that a consistent standard be established using the valuation on the Case Detail Information Form, an appendix to Article 6 of the “Guidelines for Handling Serious Trade Secrets Act Violations by the Prosecution Authority.”