The Committee appreciates the progress made by the Financial Supervisory Commission, Ministry of Digital Affairs (MODA), and the National Development Council in addressing our recommendations from last year’s White Paper. The government has held constructive dialogue with industry to collectively address various technology-related challenges. We thank the government for its attention to bolstering information security and digital resilience while proactively promoting innovation.
Looking ahead, the Committee hopes to continue fruitful discussions with the new Cabinet, tackling objectives shared by industry and government. To lay the foundation for these interactions, we offer the following suggestions:
Suggestion 1: Modernize Taiwan’s privacy laws to balance economic development and personal data protection.
We applaud the creation of the Preparatory Office of the Personal Data Protection Commission (PDPC). The Preparatory Office’s main task is to draft the organic law for the PDPC with the aim of establishing the PDPC by August 2025, as well as to propose amendments to the Personal Data Protection Act (PDPA), which has been in effect since 1995. As the Preparatory Office solicits public opinion on the proposed amendments, we value this opportunity to review the PDPA from the perspective of ensuring adequate data protection while remaining mindful of Taiwan’s economic structure and heavy reliance on international trade. We offer the following recommendations:
1.1 Ensure continued, secure flows of personal and other data. Given Taiwan’s export-oriented economy, it is vital to maintain an open legal framework that permits cross-border data transfers to facilitate international trade and investment. To ensure that the transfer of personal data from Taiwan to other jurisdictions is handled securely, it is necessary to protect that data through adherence to a recognized international standard, such as certification through mechanisms like the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (CBPR) system. We urge early adoption by the PDPC, following its formation, of this or comparable mechanisms.
1.2 Distinguish the role of data processors from data controllers. Article 4 of the PDPA currently does not differentiate between the roles and responsibilities of data controllers and data processors, which should be subject to distinct obligations. We recommend that the PDPA be amended to clearly define the roles of data controllers and data processors, and to appropriately allocate liability based on each party’s level of control over data.
We propose revising the PDPA to include a precise definition of a data controller as “a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” Similarly, a data processor should be defined as “a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.” These clarifications will enhance compliance and accountability, ensuring that each party understands their responsibilities and liabilities in the management and protection of personal data.
Correspondingly, the obligations of data processors should be specifically confined to implementing appropriate security measures that safeguard personal data, strictly adhering to the terms set forth in agreements with data controllers.
This distinction is crucial because data processors do not maintain the same relationship with data subjects as controllers, and they are typically unable to make significant or independent decisions regarding personal data management. Clearly defining the scope and responsibilities of data processors will bring Taiwan into alignment with global data protection standards and simplify operations for international businesses.
1.3 Promote the use of anonymized and/or de-identified data. In line with the PDPA’s definition of personal data as “information that may be used to directly or indirectly identify a natural person,” we recommend that personal data that has been anonymized, wherein the data subject cannot be re-identified, not be classified as “personal data.” Such alignment with international standards would ensure consistency and clarity in legal definitions. We further recommend that the government adopt international data anonymization and de-identification standards when amending the PDPA. Doing so will encourage innovation in the realm of anonymization and other privacy-enhancing technology.
1.4 Provide clear explanations of personal data protection regulations and ensure their transparent and consistent enforcement. Under recently enacted laws to deal with cyberattacks, the government is authorized to impose penalties on companies that fail to adequately protect personal data. However, cases have occurred in which companies have been penalized under an unclear set of conditions, leaving enterprises uncertain as to the actual violation and what rules to abide by in the future.
In practice, this approach penalizes companies that transparently disclose data breaches, while those that suffer breaches but withhold information face no repercussions. We urge the government to define the relevant personal data protection regulations more clearly and to prioritize efforts to consult companies and help them strengthen their data protection rather than penalize them. Penalties should be imposed only when, following a data breach, it is found that a company has not transparently disclosed information or accepted offers of assistance and guidance.
Suggestion 2: Enhance Taiwan’s cybersecurity through active collaboration among government agencies, industry stakeholders, and the public.
2.1 Apply international cybersecurity and data protection standards for government procurement. While the Committee appreciates the government’s commitment to national security, we have noticed a propensity toward relying on domestic practices that do not always align with global standards.
The current cybersecurity guidelines under MODA allow individual tender owners to exclude ICT products based on their country of origin, such as products made in China, particularly when tenders involve national security or the protection of sensitive data. This country-of-origin criterion is overly broad and may not accurately reflect actual security risks. A more objective approach would be to assess security risks based on international standards.
Additionally, MODA’s joint procurement contract for cloud services includes pre-inspections that rely on domestic criteria set by the tender owner to determine eligibility for listing. This process could be improved by standardizing criteria based on widely recognized standards to ensure fairness and thoroughness.
Moreover, the Ministry of Education imposes security regulations on suppliers that manage and maintain servers and applications, requiring mandatory drills and audits or examinations. However, these may not proportionately correspond to the actual security risks involved. This approach, while also applied to tenders benefiting from government subsidies, may inadvertently promote practices that are not aligned with real security needs.
Furthermore, the ambiguous and ill-defined concept of “local resilience” in government procurement requirements has been inappropriately linked with data residency requirements, which not only hinders the adoption of innovative technologies but also undermines the broader goal of enhancing resilience.
Recommendations:
- Apply international standards for cybersecurity and data protection (including ISO 27001, 27017, 27018, and SOC 2). These standards are well-recognized solutions to cybersecurity and data protection challenges and have been widely implemented across various industries and the public sector. For example, MODA’s guidelines already acknowledge the adoption of ISO 27001. We applaud the government’s recent initiative to establish a joint procurement contract for cloud services that adheres to ISO standards, thereby ensuring equitable treatment of international and domestic suppliers. We recommend removing the pre-inspection requirement for cloud services under joint procurement contracts and incorporating ISO standards into the cloud model contract released by the Public Construction Commission (PCC). This adjustment will streamline the procurement process and ensure that the cloud services adhere to recognized global standards, enhancing efficiency and security.
- Review the application of “country of origin” requirements in the government procurement contract template for ICT products and differentiate it from the prohibition of “China brands” defined by the Executive Yuan to avoid misapplication. MODA has transitioned from a blanket policy that prohibited the procurement of “made in China” products to a more nuanced policy that prohibits “China brands.” This updated policy specifies that government agencies cannot procure products from brands that are registered in China, regardless of the actual country of manufacture of the products. However, MODA still permits individual tender owners to exercise discretion in prohibiting the procurement of products based on the country of origin. The Committee emphasizes that products adhering to industry standards in security measures and fabrication management should not be disadvantaged merely because of their country of origin.
- Clarify the concept of “local resilience” in the requirements.
2.2 Promote resilient and secure digital infrastructure through public-private partnerships. The Committee recognizes the government’s efforts in adopting innovative technologies to improve resilience, including its development of disaster recovery plans for critical government services. We further applaud the allocation of a four-year budget to modernize Taiwan’s critical infrastructure. Integrating satellite communications for network enhancement and transitioning multiple civic services to the cloud will help ensure operational continuity during large-scale disasters.
The Committee believes a cloud-first policy that leverages innovative technologies is essential to bolster Taiwan’s resilience. We therefore recommend the following measures:
2.2.1 Ensure that the network supports critical applications that require highly resilient connectivity. Taiwan’s existing network strategy and architecture fail to provide the effective redundancy solutions necessary for maintaining application availability during emergencies. We recommend that the government adopt an application-centric connectivity strategy that integrates terrestrial and non-terrestrial services, with special consideration of the constraints and scarcity of satellite bandwidth in the context of critical applications. We urge the government to enhance infrastructure to ensure it meets the critical needs of application users in times of crisis. Such improvements are essential for maintaining service levels and supporting effective response capabilities during emergencies.
2.2.2 Provide more flexibility for multi-cloud data backup systems to enhance security and data protection. Current government data management systems predominantly adhere to traditional practices, maintaining on-premises live data with backup distributed across three different cloud service providers.
The Committee recommends transitioning to best practices that exclusively employ secure cloud environments for all data needs. By implementing robust data encryption methods such as double-key encryption and utilizing Key Vault hardware maintained on government premises, alongside confidential cloud computing for highly sensitive workloads, Taiwan can achieve superior security and data availability. A practical approach could involve hosting customer workloads with one cloud service provider, with another provider serving as a backup. The Committee further recommends that government agencies actively engage with cloud service providers to stay informed about the latest security practices, as cloud services are constantly evolving.
2.3 Collaborate with industry when drafting cybersecurity policy and regulations. Given the rapid evolution of cybersecurity and innovative technologies, the Committee recommends that policies and regulations be developed through robust public-private partnerships. This approach should include active participation from various stakeholders, especially technology providers, to ensure that comprehensive and effective cybersecurity measures are implemented.
Suggestion 3: Adopt AI regulations that balance innovation and governance, align with international standards, and embrace principle-based and risk-based approaches.
Digital transformation is at a pivotal moment, especially due to the advancement of generative AI. This technology, powered by robust computing capabilities and innovative cloud services, is revolutionizing industries. AI is instrumental in improving customer service, accelerating the discovery of new treatments for cancer and various infectious and neurodegenerative diseases, and enhancing agricultural practices by developing pest-, disease-, and climate-resistant crops. Additionally, it plays a crucial role in cybersecurity and climate change mitigation.
While AI offers transformative opportunities, it also raises significant concerns related to fairness, ethics, transparency, privacy, security, and inclusion. Additional challenges include legal issues within the intellectual property rights regime and the potential for misuse, such as through the spreading of misinformation and enabling crimes that could undermine democracy. Governing AI extends beyond technical hurdles to encompass political, social, and ethical dimensions. As AI technologies continue to advance, we urge the government to both fervently support their development and remain vigilant against the potentially harmful applications of their capabilities.
Recommendations:
- Continue to enforce existing laws and regulations governing AI.
- Implement and enhance government-led AI safety frameworks (such as the United States National Institute of Standards and Technology AI Risk Management Framework) and international standards (such as ISO/IEC 42001) to drive international harmonization. These frameworks and standards are well-recognized solutions to address concerns surrounding the use of AI. Such efforts also support the government’s ambition to promote AI norms and standards that align with international standards, as outlined in Taiwan’s AI Action Plan 2.0.
- Clearly differentiate the roles within various aspects of AI technology, such as application development, AI modeling, deployment, and infrastructure, and distribute responsibilities accordingly between actors, deployers, and users of AI. For example, it is a fundamental principle that data users must confirm their authorization for data usage, including their inputs, when interacting with an AI system. Furthermore, companies that use AI for employment decision-making cannot claim immunity from charges of employment discrimination.
- Develop AI policies and regulations through robust public-private partnerships. This approach should actively involve various stakeholders, particularly technology providers, to ensure that AI governance adopts a principle-based and risk-based approach.
The Committee thanks the Financial Supervisory Commission, the Ministry of Digital Affairs (MODA), and the National Development Council for making progress on the recommendations in last year’s White Paper and for maintaining constructive exchanges with industry to jointly address various technology-related challenges. We thank the government for attaching importance to strengthening information security and digital resilience while actively promoting innovation.
Looking ahead, the Committee hopes to maintain its dialogue with the government in order to achieve goals shared by industry and government. We offer the following suggestions to lay the foundation for future exchanges:
Suggestion 1: Update Taiwan’s Personal Data Protection Act to strike a balance between economic development and personal data protection
We applaud the establishment of the Preparatory Office of the Personal Data Protection Commission (PDPC). The Preparatory Office’s main task is to draft the organic act for the PDPC, with the aim of formally establishing the Commission by August 2025, and to propose amendments to the Personal Data Protection Act (hereinafter the PDPA), which has been in effect since 1995. As the Preparatory Office solicits public opinion on the proposed amendments, we value this opportunity to review the PDPA from the perspective of adequate data protection, while taking into account Taiwan’s economic structure and heavy reliance on international trade. We offer the following recommendations:
1.1 Ensure that personal and other data can continue to flow securely. Given that Taiwan is an export-oriented economy, it is vital to maintain an open legal framework that permits cross-border data transfers to facilitate international trade and investment. To ensure that personal data transferred from Taiwan to other jurisdictions is handled securely, it is necessary to protect that data by adhering to recognized international standards, for example through certification under mechanisms such as the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (CBPR) system. We urge the PDPC, once established, to adopt this or a similar mechanism as early as possible.
1.2 Distinguish the roles of data processors and data controllers. Article 4 of the PDPA does not clearly define the roles and responsibilities of data controllers and data processors, yet their obligations should be distinguished.
We recommend that the PDPA clearly define the roles of data controllers and data processors and allocate liability according to each party’s degree of control over data, amending the PDPA to define a data controller more precisely as “a natural or legal person, public authority, government agency or other body that determines the purposes and means of the collection, processing and use of personal data,” and a data processor as “a natural or legal person, public authority, government agency or other body that collects, processes or uses personal data on the instructions of the data controller.” Correspondingly, the obligations of data processors should be specifically limited to implementing appropriate security measures to protect personal data and strictly complying with the terms of their agreements with data controllers.
This distinction is crucial because data processors do not maintain the same direct relationship with data subjects as controllers do, and they are generally unable to make significant or independent decisions regarding the management of personal data. Clearly defining the status and responsibilities of data processors will therefore align Taiwan with global data protection standards and simplify operations for international businesses.
1.3 Promote the use of anonymized and/or de-identified data. The PDPA defines personal data as “data by which a natural person can be directly or indirectly identified.” On the basis of this definition, we recommend that anonymized data, meaning data from which the data subject cannot be re-identified, not be classified as “personal data.” This approach would align with international standards and ensure consistency and clarity in legal definitions. We further recommend that the government adopt international data anonymization and de-identification standards when amending the law, so as to encourage innovation in anonymization and other privacy-enhancing technologies.
1.4 Clearly explain the relevant personal data protection regulations and ensure that their enforcement is transparent and consistent. Under regulations recently amended in response to cyberattacks, the government has the authority to penalize companies that fail to adequately protect personal data. However, there have been cases in which companies were penalized under conditions that were not yet clear, leaving them uncertain as to what the actual violation was and which rules they should comply with in the future.
In practice, this approach penalizes companies that publicly disclose data breaches, while companies that conceal breaches face no consequences. We therefore call on the government to define the relevant personal data protection regulations more clearly, and to first assist companies in strengthening their data protection rather than penalizing them. Penalties should be imposed only when, after a data breach, a company is found not to have disclosed the incident publicly and accepted assistance and administrative guidance.
Suggestion 2: Strengthen Taiwan’s cybersecurity through active collaboration among government agencies, industry stakeholders, and the public
2.1 Adopt international cybersecurity and data protection standards in government procurement. The Committee appreciates the government’s commitment to national security, but has also observed a tendency to rely on local practices rather than international standards. MODA’s current cybersecurity guidelines under the Cyber Security Management Act allow agencies, when conducting ICT procurements that involve national security or the protection of sensitive information, to bar certain products from tenders on the grounds of their country of origin (such as products made in China). However, because the country-of-origin criterion is overly broad and cannot accurately reflect actual security risk, a more objective assessment method is needed, such as evaluation against international standards. In addition, MODA’s procurement requirements for the cloud services joint supply contract stipulate that products must pass testing before being listed, yet the relevant testing criteria are devised by the successful bidder itself. Standardizing this process around widely recognized standards would improve the current situation and ensure fairness and thoroughness.
Moreover, the Ministry of Education imposes security requirements on suppliers that manage and maintain servers and applications, requiring drills and inspections or audits; however, these measures are not proportionate to the actual security risk involved. Because these rules also apply to government-subsidized tenders, they may inadvertently extend the application of these disproportionate requirements.
At the same time, the vague and ill-defined concept of “local resilience” is frequently interpreted in everyday practice as data localization and has been wrongly incorporated into the cybersecurity requirements of government procurements. This not only hinders the adoption of emerging technologies and weakens the government’s goal of strengthening resilience, but also constitutes a potential non-tariff trade barrier.
Our recommendations:
- Adopt internationally recognized cybersecurity and data protection standards (including ISO 27001, 27017, 27018 and SOC 2). These standards are recognized solutions to cybersecurity and data protection challenges and have been widely implemented across industries and government agencies; for example, MODA’s guidelines already recognize the adoption of ISO 27001. The Committee applauds the government’s recent adoption of ISO international standards in the cloud services joint procurement contract, which ensures equal treatment of international and domestic suppliers. We further recommend removing the pre-listing testing requirement for cloud services in the joint supply contract, and that the cloud services procurement contract template issued by the Public Construction Commission also incorporate ISO international standards. This adjustment will streamline the procurement process and ensure that cloud services meet globally recognized standards, improving efficiency and security.
- Review the government procurement contract template that applies country-of-origin requirements to ICT products, and distinguish it from the application of the Executive Yuan’s definition of “Mainland China brands” to avoid misapplication. MODA’s policy under the Cyber Security Management Act has shifted from prohibiting the procurement of “made in China” products to prohibiting “Mainland China brands,” an overall more nuanced approach. The updated policy restricts government agencies from procuring Mainland China brands but does not restrict the country of origin of products. However, MODA still allows individual procuring entities to exercise discretion to prohibit procurement of products based on their country of origin. The Committee emphasizes that products meeting security and manufacturing management standards should not be disadvantaged merely because of their country of origin.
- Clarify the concept of “local resilience,” formulate specific procurement requirements using a risk-based approach, and avoid mandatory data localization requirements.
2.2 Promote resilient and secure digital infrastructure through public-private partnerships. The Committee recognizes the government’s efforts to adopt innovative technologies to strengthen government resilience, including the development of disaster recovery plans for critical civic systems, and we also applaud the government’s allocation of a four-year budget. In addition, integrating satellite communications to strengthen the network and migrating multiple civic services to the cloud will help ensure operational continuity during large-scale disasters.
The Committee also believes that a cloud-first policy leveraging innovative technologies is essential to strengthening Taiwan’s resilience. We therefore recommend the following measures:
2.2.1 Ensure that network resilience can support critical applications with high connectivity requirements.
Taiwan’s existing network strategy and infrastructure fail to provide the effective redundancy solutions needed to keep applications running in emergencies. We recommend that the government adopt an application-oriented network connectivity resilience strategy that integrates terrestrial and space-based communications services, with particular consideration of the constraints and scarcity of satellite bandwidth for critical applications. We urge the government to strengthen infrastructure to ensure it meets the critical needs of application users in times of crisis. These improvements are essential to maintaining service levels and preserving real-time response capability in emergencies.
2.2.2 Provide flexible multi-cloud data backup systems to enhance security and data protection.
Current government information management systems mainly follow traditional practices, maintaining live data on premises and distributing backups across three different cloud service providers. The Committee recommends migrating data to secure cloud environments to meet all data storage needs. By implementing double-key encryption combined with a Key Vault maintained by government agencies, along with confidential cloud computing for highly sensitive workloads, Taiwan can achieve superior data security and availability. One practical approach is to use one cloud service as the backup for another cloud service’s active workloads. In addition, because cloud service innovation evolves constantly, the Committee further recommends that the government work actively with cloud service providers to keep abreast of the latest available security practices.
2.3 Collaborate with industry in drafting cybersecurity policy and regulations. Given the rapid development of cybersecurity and innovative technologies, we recommend that policies and regulations be developed through robust public-private partnerships. The active participation of multiple stakeholders, especially technology providers, will ensure that cybersecurity measures are implemented comprehensively and effectively.
Suggestion 3: For artificial intelligence (AI) regulation, adopt an approach that balances innovation and governance, aligns with international standards, and is principle-based and risk-based
Digital transformation is at a pivotal moment, benefiting in particular from advances in generative AI. Built on powerful computing capabilities and innovative cloud services, this technology is transforming industries. AI helps improve customer service, accelerates the discovery of new treatments for cancer and several infectious and neurodegenerative diseases, and strengthens agricultural technology through the development of pest-, disease- and climate-resistant crops. It also plays a vital role in cybersecurity defense and climate change mitigation.
While AI offers transformative opportunities, it also raises major concerns about fairness, ethics, transparency, privacy, security and inclusion. Other challenges include legal issues in the field of intellectual property rights and the potential for misuse, such as criminal acts that could harm democracy through the spread of misinformation. AI governance involves not only technical issues but also political, social and ethical dimensions. As AI technology continues to advance, we urge the government to actively support its development while remaining vigilant against its potentially harmful applications.
Our recommendations:
- Continue to enforce existing laws and regulations to govern AI.
- Implement and strengthen government-led AI safety frameworks (such as the AI Risk Management Framework published by the U.S. National Institute of Standards and Technology) and international standards (such as ISO/IEC 42001) to align with international standards. These frameworks and standards are recognized solutions to the issues raised by the use of AI, and this priority is consistent with the “promote AI norms and standards that interface with international standards” initiative under the “improve the operating environment” program in Taiwan’s AI Action Plan 2.0.
- Clearly differentiate the roles at each technical layer of AI, such as application development, AI model building and deployment, and infrastructure, and allocate responsibilities among AI developers, deployers and users accordingly. For example, one important principle is that when interacting with an AI system, data users should confirm that they are authorized to use the data (including their inputs). As another example, a company that uses AI to make hiring decisions should not be exempt from employment discrimination claims simply because it used AI.
- When developing AI policies and regulations through robust public-private partnerships, multiple stakeholders, especially technology providers, should be actively included to ensure that AI governance adopts a principle-based and risk-based approach.