Prior to COVID-19, the high-tech industry – both in Taiwan and globally – was already evolving at a rapid pace, driven by changing consumer expectations, heightened competition, evolving regulations, and technological advancements. The pandemic has accelerated the adoption of technology to an unprecedented level and inspired radical changes in consumer behavior, moving a significant portion of economic activity online. These trends have also served as a stress test on the regulatory environment for tech-related industries. We appreciate the Taiwan government’s efforts to create a solid foundation for the industry to develop and thrive, and we look forward to working with the authorities to resolve critical issues in the future.
Suggestion 1: Balance personal data protection with data-driven innovation.
The Committee stresses the importance of maintaining adequate data protection while still being mindful of Taiwan’s needs in terms of economic development and heavy reliance on international trade. In light of the importance of achieving that balance, we offer the following suggestions:
1.1 Maintain current cross-border data transmission rules and adopt several important amendments to the Personal Data Protection Act (PDPA). We understand that the National Development Council (NDC) has been tasked with drafting amendments to the PDPA, and make the following recommendations regarding its draft:
Maintain the current legislative model of conditional cross-border data transmission, as set forth in Article 21 of the PDPA, which allows for the free transfer of data in most situations.
Establish a specialized Privacy/Personal Data Protection Agency. In its statement of legislative intent to Article 22 of the current PDPA, the Legislative Yuan expressed its view that it would be appropriate to establish such an agency. The Committee thinks that the time has come to do so. The agency should oversee the regulation of personal data protection and be empowered to make the final decision on personal data protection matters. We also expect this agency to adopt a transparent and open communication mechanism, as we believe it would benefit from having a diverse and inclusive consulting committee, with members that include not only distinguished academics, but also industry experts and technical professionals.
Define the roles of data controllers and data processors. We propose revising Article 4 of the PDPA to provide a clear definition of data processor as “a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.” Further, we recommend that the amended PDPA clearly distinguish between the roles of data controller and data processor and align the requirements with their respective roles and respective level of personal data access and control. While data controllers should continue to be liable for processing by data processors in the spirit of the current Article 4, a data processor should no longer be deemed to have the same liability as a data controller.
Limit on-site investigation powers. We recommend vesting investigatory power exclusively in the abovementioned specialized government agency, as was contemplated by the statement of legislative intent for Article 22 of the current PDPA. Moreover, the government should consider limiting the on-site investigative power of the new specialized government agency to accessing premises only when due process requirements have been met.
Promote the use of anonymized and/or de-identified data. The current PDPA is unclear as to whether anonymized or de-identified data are subject to the law. In order to make Taiwan’s data protection regime more readily understandable by international businesses, we recommend promoting anonymization or using other technical means to resolve certain personal data protection issues.
Minimize the impact of implementing the new PDPA through communication with industry and adoption of a grace period – in line with the two-year grace period provided under the EU’s General Data Protection Regulation – before the new regulations are enforced.
1.2 Design a legal framework for the safe use and transmission of health-related data. We commend the Ministry of Health and Welfare (MOHW) for its creation of the National Health Insurance Data Artificial Intelligence Service within the existing regulatory framework of the PDPA. We are concerned, however, that development of the service could be hampered if it is not hosted by industry-leading international cloud service providers (CSP) with the full-stack services and security controls that developers rely on. Moreover, we urge the National Development Council (NDC) and the MOHW to strike a careful balance between patients’ data security and integrity interests and the need for controlled access to sensitive health information by researchers and developers in the public and private sectors. We encourage both the MOHW and NDC to consult with relevant stakeholders in designing a legal framework for the safe use of National Health Insurance and other health data in line with international standards.
We are encouraged by the MOHW’s promotion of the exchange of electronic health records (EHR) among government agencies, medical institutions, and patients to improve efficiency and enable patients to have access to their complete medical records. However, we are concerned that the MOHW may restrict the transmission of EHRs to overseas CSPs, blocking access by such enterprises to a wide range of data analytic services. Doing so would prevent Taiwanese medical institutions from realizing the full potential of their data. It would also be unreasonable from a security perspective, since data security depends not on geographical location but rather on the security controls and tools being employed – controls and tools that CSPs are well equipped to offer to users. We urge the MOHW to consider these factors before imposing any undue restrictions on EHR transmission.
Suggestion 2: Create an environment conducive to cloud adoption by the financial sector.
The Committee appreciates the 2019 decision by the Financial Supervisory Commission (FSC) to enact regulations on cloud outsourcing. However, we have identified several opportunities and challenges that will affect the adoption of cloud technologies by the financial sector.
2.1 Allow e-payment institutions to outsource to the cloud.
In December 2020, the Legislative Yuan passed an amendment to the Act Governing Electronic Payment Institutions that expanded the scope of business of e-payment institutions (EPI) and began permitting financial services institutions (FSI) to offer cash-flow-related services. The FSC has set a target of more than 50% growth of financial transactions conducted via non-cash payment methods, or a total transaction value of NT$6 trillion, by 2023. We expect that many non-FSI companies will participate in this field, and their embrace of technologies such as cloud computing will undoubtedly increase.
The “Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operations” (the Regulations) allow FSIs to outsource workloads to the cloud, and we urge the FSC to create a similar set of regulations for EPIs. In addition, regulatory requirements for such companies should be transparent and proportional to their risk and should not be more burdensome than those imposed on FSIs.
2.2 Revise the local backup requirement. According to the Regulations, creating a local backup of important customer data is not required for FSIs when outsourcing workloads to overseas non-cloud vendors – but it is required when outsourcing to overseas CSPs. However, security on the cloud is no less rigorous than in the physical environment, making such requirements unnecessary.
Moreover, creating a local backup is impossible for international FSIs whose work is conducted on a global scale. Such FSIs may aggregate their customer data in a single location and do not categorize such data according to nationality. In order to fulfill the local backup requirement, those FSIs must pour enormous resources into identifying and segregating the data, resulting in significant costs that usually far exceed the benefits of moving to the cloud. Although the government seems eager to attract international FSIs to Taiwan, this requirement is counterproductive and could discourage FSIs from embracing digital technologies. Requiring local backups might also create a less secure environment for related customer data since threat actors, knowing that the data resides in a specific location, can more accurately target systems. Furthermore, creating one more storage location that operates in a different security-control environment and requires additional security management would entail higher risk than a single, centralized storage location.
While we acknowledge the importance of customer data protection, we urge the FSC to provide clarity and guidance on the circumstances under which approval for an exception would be granted under Article 19-1 of the Regulations. We also recommend that the FSC exclude international FSIs and workloads related to overseas business or data from the scope of the local backup requirement. Lastly, we encourage engagement with relevant stakeholders on how to facilitate FSIs’ use of cloud computing. CSPs are willing to help by sharing international best practices and proposing technical solutions.
2.3 Simplify the approval process for workloads without customer data or containing de-identified customer data.
We appreciate the FSC’s discussions with CSPs via the Bankers Association and note that it is considering exempting workloads without customer data or containing de-identified customer data from the approval/notification process required in the Regulations, on the condition that such workloads are in the testing or development stage or are related to public information on the FSI’s website.
However, we believe that such a condition is unnecessary. The security concerns regarding workloads without customer data or containing de-identified customer data are likely minimal, as is the impact of service interruptions or incidents from those workloads on an FSI’s operations. We therefore urge the FSC to consider removing this condition or to simplify or waive the approval/notification procedure for such workloads.
2.4 Create an effective, scalable method for auditing CSPs.
Currently, the Regulations require FSIs to conduct an audit of their CSPs. Given that these audits are often conducted individually, CSPs must grant data center access to multiple external assessors for different customers. This increased access undoubtedly puts millions of other customers at a higher level of security risk. Such an approach is not scalable, reduces the efficiency of CSP operations, and increases the overall cost of compliance.
We believe a community-style audit would be more effective, scalable, and cost-efficient for FSIs while ensuring a more secure cloud environment. Such audits would be conducted annually by FSC-approved independent auditors and would be based on the FSC’s cloud-related requirements. Customers could obtain a copy of the latest report each year as part of their due diligence and monitoring of CSPs. The audit reports could cover various sectors within the financial services industry, benefiting as many stakeholders as possible.
Suggestion 3: Ensure that frequency spectrum policies for Wi-Fi applications are in accord with international developments.
Spectrum is a scarce resource that enables a wide variety of radio and telecommunications services for both individuals and enterprises. Spectrum policies that are informed by international developments are economically beneficial to Taiwan. Such policies satisfy the spectrum demands of existing services while providing access to new connectivity solutions such as Wi-Fi 6E in the 5925-7125 MHz frequency range (6 GHz band). They also provide greater efficiency and opportunities for new and innovative applications.
Spectrum policies that enable next-generation Wi-Fi devices and applications would provide strong support for Taiwan’s economic growth and digital transformation. The Wi-Fi Alliance predicts that the total global economic value of Wi-Fi in 2025 will be nearly US$4.9 trillion. Taiwan’s semiconductor and electronics manufacturing industries are in a competitive position to capture a substantial portion of this value through the development and production of new silicon chips and Wi-Fi devices that comply with the latest Wi-Fi standards. Taiwan can be a great testbed for these OEM or ODM manufacturers that are considering expanding to markets outside of Taiwan.
Studies have demonstrated that the 6 GHz band is uniquely suited for Wi-Fi networks to complement 5G deployment without causing interference for incumbent users. The 2.4 and 5 GHz bands currently used by Wi-Fi devices are increasingly congested, something that license-exempt use of the 6 GHz band could help alleviate. In addition, Wi-Fi’s radio-emission characteristics make it highly complementary with other technologies such as fixed radiocommunication service, fixed-satellite service, etc.
The June 2020 consultation paper of the Ministry of Transportation and Communications (MOTC) acknowledges the global trend of license-exempt use of the 6 GHz band, referencing the examples of the U.S. and South Korea. On April 8, 2021, the MOTC announced draft amendments to the Radio Frequency Allocation Table, which under certain conditions provide for indoor use of the 6 GHz (5925-6425 MHz) band by low-power wireless information transmission equipment. These developments indicate that the Taiwan government recognizes the need to follow international developments and to enable the use of next-generation Wi-Fi devices and applications. The Committee appreciates the MOTC’s consultation with the public on 6 GHz, as well as the draft amendments.
However, the MOTC’s plan allows license-exempt use only of the lower 500 MHz range of the 6 GHz band. We believe that expanding that use to the full 1,200 MHz of spectrum would alleviate congestion for Wi-Fi without incurring costs or requiring the accommodation or relocation of incumbent users. The wider 160 MHz channels support the higher throughput and low latency requirements of immersive applications in dense deployment environments.
The Taiwan market does not generate economies of scale sufficient to motivate device manufacturers to design for Taiwan only. Furthermore, certification for a single small market adds avoidable costs. We are concerned that the MOTC’s plan could cause Taiwan to lag behind other advanced countries. More importantly, it could limit the potential economic advantages that use of the full 6 GHz band could bring.
To ensure that Taiwan is able to reap the economic benefits of Wi-Fi and accelerate its digital transformation, the Committee recommends that the government review Taiwan’s spectrum policies to ensure they are in accord with international developments, and establish a consultative mechanism with industry stakeholders, particularly with regard to the license-exempt use of the full 6 GHz band for Wi-Fi.
Suggestion 4: Provide clearly defined cybersecurity guidelines for information products and services in public tenders.
The Committee recognizes the Taiwan government’s concerns regarding cyber threats from foreign actors, as well as its efforts to strengthen its cybersecurity regime. In its December 2020 Information Security Monthly Report, the government updated its requirements regarding the reporting, replacement, and use of information and telecommunications equipment by all government agencies and public organizations. The requirements also apply to government contractors and subcontractors.
In the current global supply chain, however, a product may have components sourced from more than one country, and some of the new requirements pose serious challenges to the completion of public tenders. Further clarification of certain requirements is needed before they are implemented. As guidelines are likely to be updated on a rolling basis, we offer the following suggestions:
Task the Public Construction Commission (PCC) and the Department of Cyber Security under the Executive Yuan with holding Q&As and training sessions on how to properly design a tender for different security levels to ensure that agencies are able to purchase products and services most suited to their needs.
Provide more guidance on and flexibility under the Model Instructions to Tenderers (the Instructions) regarding country of origin. Replacement components for products that have passed their warranty period may be limited in supply and the provision allowing government agencies to refuse tendered components from China may be difficult for the original manufacturer to fully comply with. The Committee therefore suggests providing more options under this section of the Instructions to ensure that the operations of government agencies are not interrupted by a lack of access to proper maintenance services.
Provide a clear definition of “Chinese brand” and “services provided by Chinese citizens” in the Model Contract for IT Service Tenders, a complementary document to the Instructions. What makes a brand Chinese? Does it depend on the location of the company headquarters or are there other criteria? Is there a list that the Committee could refer to? In the case of Chinese citizens, does this only apply to current PRC passport holders or are previous passport holders, dual citizens, and Hong Kong and Macao passport holders also included? In addition, more clarity regarding the scope of services that Chinese citizens are prohibited from performing is needed. For example, does it include procurement? Software development? Direct work with a particular region? Or does it only involve work performed inside Taiwan?
While safeguarding Taiwan’s national security is of the utmost importance, it is important to recognize that technology will continue to evolve rapidly. Using a blanket approach to determining whether a component, device, or service jeopardizes that security does not take into consideration the sophisticated and effective technology that may be available for addressing areas of concern. The Committee therefore encourages open dialogue with stakeholders to achieve a balanced outcome and advance cybersecurity norms in Taiwan’s supply chain.
Suggestion 5: Form public-private partnerships to face the challenges of the pandemic and ensure regular communication between the Taiwan authorities and industry.
COVID-19 has caused unprecedented disruption to the global economy. Over the past year, governments have struggled to contain the pandemic, as well as to determine how to jumpstart economic growth and safely and responsibly return things to a “new normal.” Now, as governments and health providers begin the rollout of life-saving vaccines, many innovative new tools, such as vaccine passports, mobile applications verifying COVID test results, and vaccination management platforms, are being introduced. These technologies aim to assist governments as they seek to gradually and confidently emerge from the pandemic.
Taiwan received its first batch of COVID-19 vaccines in March 2021 and will continue to receive additional batches over the coming months. The Committee therefore offers the following recommendations:
Refer to the experience of countries such as the U.S., UK, Australia, and Singapore and focus on ensuring the interoperability of technologies and harmonizing the standards for data exchange between various vaccine passport platforms so that certificates can be used and verified across borders.
Consider security, reliability, and privacy in adopting a collaborative model of public-private partnerships for developing Taiwan’s vaccine passport; and
Establish a cross-sectoral platform for regular, bi-monthly public-private engagement. Government stakeholders may include the MOHW, NDC, Ministry of Science and Technology, and Ministry of Economic Affairs, among others. Participants can begin by sharing how other countries have used digital innovation at different stages of the pandemic. The discussion can then be expanded to focus on how to collaborate on issues such as data sharing and the harmonization of regulations.