AmCham Special Luncheon: Meet the Deputy Minister of Health and Welfare Lin Ching-yi
The Committee appreciates the progress made by the Financial Supervisory Commission, Ministry of Digital Affairs (MODA), and the National Development Council in addressing our recommendations from last year’s White Paper. The government has held constructive dialogue with industry to collectively address various technology-related challenges. We thank the government for its attention to bolstering information security and digital resilience while proactively promoting innovation.
Looking ahead, the Committee hopes to continue fruitful discussions with the new Cabinet, tackling objectives shared by industry and government. To lay the foundation for these interactions, we offer the following suggestions:
Suggestion 1: Modernize Taiwan’s privacy laws to balance economic development and personal data protection.
We applaud the creation of the Preparatory Office of the Personal Data Protection Commission (PDPC). The Preparatory Office’s main task is to draft the organic law for the PDPC with the aim of establishing the PDPC by August 2025, as well as to propose amendments to the Personal Data Protection Act (PDPA), which has been in effect since 1995. As the Preparatory Office solicits public opinion on the proposed amendments, we value this opportunity to review the PDPA from the perspective of ensuring adequate data protection while remaining mindful of Taiwan’s economic structure and heavy reliance on international trade. We offer the following recommendations:
1.1 Ensure continued, secure flows of personal and other data. Given Taiwan’s export-oriented economy, it is vital to maintain an open legal framework that permits cross-border data transfers to facilitate international trade and investment. To ensure that the transfer of personal data from Taiwan to other jurisdictions is handled securely, it is necessary to protect that data through adherence to a recognized international standard, such as certification through mechanisms like the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (CBPR) system. We urge early adoption by the PDPC, following its formation, of this or comparable mechanisms.
1.2 Distinguish the role of data processors from data controllers. Article 4 of the PDPA currently does not differentiate between the roles and responsibilities of data controllers and data processors, which should be subject to distinct obligations. We recommend that the PDPA be amended to clearly define the roles of data controllers and data processors, and to appropriately allocate liability based on each party’s level of control over data.
We propose revising the PDPA to include a precise definition of a data controller as “a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” Similarly, a data processor should be defined as “a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.” These clarifications will enhance compliance and accountability, ensuring that each party understands their responsibilities and liabilities in the management and protection of personal data.
Correspondingly, the obligations of data processors should be specifically confined to implementing appropriate security measures that safeguard personal data, strictly adhering to the terms set forth in agreements with data controllers.
This distinction is crucial because data processors do not maintain the same relationship with data subjects as controllers, and they are typically unable to make significant or independent decisions regarding personal data management. Clearly defining the scope and responsibilities of data processors will bring Taiwan into alignment with global data protection standards and simplify operations for international businesses.
1.3 Promote the use of anonymized and/or de-identified data. In line with the PDPA’s definition of personal data as “information that may be used to directly or indirectly identify a natural person,” we recommend that personal data that has been anonymized, wherein the data subject cannot be re-identified, not be classified as “personal data.” Such alignment with international standards would ensure consistency and clarity in legal definitions. We further recommend that the government adopt international data anonymization and de-identification standards when amending the PDPA. Doing so will encourage innovation in the realm of anonymization and other privacy-enhancing technology.
1.4 Provide clear explanations of personal data protection regulations and ensure their transparent and consistent enforcement. Under recently enacted laws to deal with cyberattacks, the government is authorized to impose penalties on companies that fail to adequately protect personal data. However, there have been cases in which companies were penalized under an unclear set of conditions, leaving them uncertain as to what the actual violation was and what rules to abide by in the future.
In practice, this approach penalizes companies that transparently disclose data breaches, while those that suffer breaches but withhold information face no repercussions. We urge the government to define the relevant personal data protection regulations more clearly and to prioritize efforts to consult companies and help them strengthen their data protection rather than penalize them. Penalties should be imposed only when, following a data breach, it is found that a company has not transparently disclosed information or accepted offers of assistance and guidance.
Suggestion 2: Enhance Taiwan’s cybersecurity through active collaboration among government agencies, industry stakeholders, and the public.
2.1 Apply international cybersecurity and data protection standards for government procurement. While the Committee appreciates the government’s commitment to national security, we have noticed a propensity toward relying on domestic practices that do not always align with global standards.
The current cybersecurity guidelines issued by MODA under the Cyber Security Management Act allow individual tender owners to exclude ICT products based on their country of origin, such as products made in China, particularly when tenders involve national security or the protection of sensitive data. This country-of-origin criterion is overly broad and may not accurately reflect actual security risk. A more objective approach would be to assess security risk against international standards.
Additionally, MODA’s joint procurement contract for cloud services includes pre-inspections that rely on domestic criteria set by the tender owner to determine eligibility for listing. This process could be improved by standardizing criteria based on widely recognized standards to ensure fairness and thoroughness.
Moreover, the Ministry of Education imposes security regulations on suppliers that manage and maintain servers and applications, requiring mandatory drills and audits or examinations. However, these may not proportionately correspond to the actual security risks involved. This approach, while also applied to tenders benefiting from government subsidies, may inadvertently promote practices that are not aligned with real security needs.
Furthermore, the ambiguous and ill-defined concept of “local resilience” in government procurement requirements has been inappropriately linked with data residency requirements, which not only hinders the adoption of innovative technologies but also undermines the broader goal of enhancing resilience.
Recommendations:
2.2 Promote resilient and secure digital infrastructure through public-private partnerships. The Committee recognizes the government’s efforts in adopting innovative technologies to improve resilience, including its development of disaster recovery plans for critical government services. We further applaud the allocation of a four-year budget to modernize Taiwan’s critical infrastructure. Integrating satellite communications for network enhancement and transitioning multiple civic services to the cloud will help ensure operational continuity during large-scale disasters.
The Committee believes a cloud-first policy that leverages innovative technologies is essential to bolster Taiwan’s resilience. We therefore recommend the following measures:
2.2.1 Ensure that the network supports critical applications that require highly resilient connectivity. Taiwan’s existing network strategy and architecture fail to provide the effective redundancy solutions necessary for maintaining application availability during emergencies. We recommend that the government adopt an application-centric connectivity strategy that integrates terrestrial and non-terrestrial services, with special consideration of the constraints and scarcity of satellite bandwidth in the context of critical applications. We urge the government to enhance infrastructure to ensure it meets the critical needs of application users in times of crisis. Such improvements are essential for maintaining service levels and supporting effective response capabilities during emergencies.
2.2.2 Provide more flexibility for multi-cloud data backup systems to enhance security and data protection. Current government data management systems predominantly adhere to traditional practices, maintaining on-premises live data with backup distributed across three different cloud service providers.
The Committee recommends transitioning to best practices that exclusively employ secure cloud environments for all data needs. By implementing robust data encryption methods such as double-key encryption and utilizing Key Vault hardware maintained on government premises, alongside confidential cloud computing for highly sensitive workloads, Taiwan can achieve superior security and data availability. A practical approach could involve hosting customer workloads with one cloud service provider, with another provider serving as a backup. The Committee further recommends that government agencies actively engage with cloud service providers to stay informed about the latest security practices, as cloud services are constantly evolving.
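To make concrete what "double-key encryption" combined with a key vault on government premises buys in the multi-cloud backup design above, the following is an added example written for this page; it is not code from the White Paper and does not reproduce any vendor's product. A random data-encryption key (DEK) protects each stored record; the DEK is then wrapped under a key standing in for the cloud provider's KMS and wrapped again under a key standing in for the on-premises vault, so the cloud provider holding the envelope, or a backup provider holding a copy of it, cannot read the data without the government-held key. The nested-wrapping construction, the choice of AES-256-GCM, the role labels used as associated data, and the sample record are all assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeySize is the AES-256 key length used for every key in this example.
const KeySize = 32

// Envelope is what a cloud provider (or its backup provider) would store:
// the encrypted payload and the DEK wrapped under two independent
// key-encryption keys (KEKs). Neither KEK alone can recover the DEK.
type Envelope struct {
	Ciphertext []byte // nonce || AES-GCM(DEK, payload)
	WrappedDEK []byte // nonce || AES-GCM(onPremKEK, nonce || AES-GCM(cloudKEK, DEK))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects any length other than 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce and returns
// nonce || ciphertext. The aad label binds each ciphertext to its role so a
// wrapped DEK cannot be passed off as a payload or vice versa.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return append(nonce, g.Seal(nil, nonce, plaintext, aad)...), nil
}

// open reverses seal; it fails on a wrong key, a wrong aad label or any tampering.
func open(key, data, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := g.NonceSize()
	if len(data) < n {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, data[:n], data[n:], aad)
}

// DoubleKeyEncrypt generates a random DEK, encrypts the payload with it, then
// wraps the DEK first under the cloud KEK and then under the on-premises KEK.
func DoubleKeyEncrypt(payload, cloudKEK, onPremKEK []byte) (*Envelope, error) {
	dek := make([]byte, KeySize)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, payload, []byte("payload"))
	if err != nil {
		return nil, err
	}
	inner, err := seal(cloudKEK, dek, []byte("dek:cloud-kms")) // stands in for a cloud KMS wrap call
	if err != nil {
		return nil, err
	}
	outer, err := seal(onPremKEK, inner, []byte("dek:onprem-vault")) // stands in for an on-premises vault/HSM wrap call
	if err != nil {
		return nil, err
	}
	return &Envelope{Ciphertext: ct, WrappedDEK: outer}, nil
}

// DoubleKeyDecrypt unwraps in reverse order: the on-premises vault must act
// first, then the cloud KMS; only then can the payload be decrypted.
func DoubleKeyDecrypt(env *Envelope, cloudKEK, onPremKEK []byte) ([]byte, error) {
	inner, err := open(onPremKEK, env.WrappedDEK, []byte("dek:onprem-vault"))
	if err != nil {
		return nil, fmt.Errorf("on-premises vault refused to unwrap DEK: %w", err)
	}
	dek, err := open(cloudKEK, inner, []byte("dek:cloud-kms"))
	if err != nil {
		return nil, fmt.Errorf("cloud KMS refused to unwrap DEK: %w", err)
	}
	return open(dek, env.Ciphertext, []byte("payload"))
}

func main() {
	cloudKEK := make([]byte, KeySize)  // in deployment: held only in the provider's KMS
	onPremKEK := make([]byte, KeySize) // in deployment: held only in the government-premises vault
	rand.Read(cloudKEK)
	rand.Read(onPremKEK)
	record := []byte("constructed sample record, not real data") // constructed sample input
	env, err := DoubleKeyEncrypt(record, cloudKEK, onPremKEK)
	if err != nil {
		panic(err)
	}
	if _, err := DoubleKeyDecrypt(env, cloudKEK, make([]byte, KeySize)); err != nil {
		fmt.Println("cloud KEK alone:", err) // the provider cannot read its own copy
	}
	pt, err := DoubleKeyDecrypt(env, cloudKEK, onPremKEK)
	if err != nil {
		panic(err)
	}
	fmt.Printf("both KEKs: %q\n", pt)
}
```

Two practical consequences follow from this structure. First, the same envelope can be replicated to the backup provider unchanged, since holding it confers no ability to read it; the on-premises unwrap step is the control point and should be logged and rate-limited like any other privileged vault operation. Second, the on-premises KEK is now a single point of data loss rather than of compromise: it must be backed up (for example across HSM partitions or sites) as carefully as the data itself, or a disaster that destroys the vault also destroys every backup.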
2.3 Collaborate with industry when drafting cybersecurity policy and regulations. Given the rapid evolution of cybersecurity and innovative technologies, the Committee recommends that policies and regulations be developed through robust public-private partnerships. This approach should include active participation from various stakeholders, especially technology providers, to ensure that comprehensive and effective cybersecurity measures are implemented.
Suggestion 3: Adopt AI regulations that balance innovation and governance, align with international standards, and embrace principle-based and risk-based approaches.
Digital transformation is at a pivotal moment, especially due to the advancement of generative AI. This technology, powered by robust computing capabilities and innovative cloud services, is revolutionizing industries. AI is instrumental in improving customer service, accelerating the discovery of new treatments for cancer and various infectious and neurodegenerative diseases, and enhancing agricultural practices by developing pest-, disease-, and climate-resistant crops. Additionally, it plays a crucial role in cybersecurity and climate change mitigation.
While AI offers transformative opportunities, it also raises significant concerns related to fairness, ethics, transparency, privacy, security, and inclusion. Additional challenges include legal issues within the intellectual property rights regime and the potential for misuse, such as through the spreading of misinformation and enabling crimes that could undermine democracy. Governing AI extends beyond technical hurdles to encompass political, social, and ethical dimensions. As AI technologies continue to advance, we urge the government to both fervently support their development and remain vigilant against the potentially harmful applications of their capabilities.
Recommendations:
Develop AI policies and regulations through robust public-private partnerships that actively include multiple stakeholders, especially technology providers, so that AI governance follows principle-based and risk-based approaches.
The Committee thanks the Financial Supervisory Commission, the Ministry of Digital Affairs (MODA), and the National Development Council for the progress made on the recommendations in last year's White Paper, and for continuing to maintain a constructive dialogue with industry to jointly address various technology-related challenges. We are grateful that the government, while actively promoting innovation, has attached importance to strengthening information security and digital resilience.
Looking ahead, the Committee hopes to maintain its dialogue with the government in order to achieve the goals shared by industry and government. We offer the following suggestions in the hope of laying the foundation for future exchanges:
Suggestion 1: Update Taiwan's Personal Data Protection Act to strike a balance between economic development and personal data protection
We applaud the establishment of the Preparatory Office of the Personal Data Protection Commission (PDPC). The Preparatory Office's main tasks are to draft the organic law for the PDPC, with the aim of formally establishing the Commission by August 2025, and to propose amendments to the Personal Data Protection Act (hereinafter the PDPA), which has been in effect since 1995. As the Preparatory Office solicits public opinion on the proposed amendments, we value this opportunity to review the PDPA from the perspective of adequate data protection while taking into account Taiwan's economic structure and its high dependence on international trade. We offer the following suggestions:
1.1 Ensure that personal and other data can continue to flow securely. Given that Taiwan is an export-oriented economy, it is vital to maintain an open legal framework that permits cross-border data transfers in order to promote international trade and investment. To ensure that personal data transferred from Taiwan to other jurisdictions is handled securely, it is necessary to protect that data by adhering to a recognized international standard, for example through certification under a mechanism such as the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (CBPR) system. We urge the PDPC, once established, to adopt this or a comparable mechanism as early as possible.
1.2 Distinguish the roles of data processors and data controllers. Article 4 of the PDPA does not clearly define the roles and responsibilities of data controllers and data processors, yet their obligations should be distinguished.
We recommend that the PDPA clearly define the roles of data controllers and data processors and allocate liability according to each party's degree of control over the data. The PDPA should be amended to define a data controller more precisely as "a natural or legal person, public authority, government agency or other body that determines the purposes and means of the collection, processing and use of personal data," and a data processor as "a natural or legal person, public authority, government agency or other body that collects, processes or uses personal data on the instructions of the data controller." Correspondingly, the obligations of data processors should be specifically confined to implementing appropriate security measures to protect personal data and strictly complying with the terms of their agreements with data controllers.
This clear distinction is crucial because data processors do not have the same direct relationship with data subjects that controllers have, and they are typically unable to make significant or independent decisions about the management of personal data. Clearly defining the status and responsibilities of data processors will therefore bring Taiwan into line with global data protection standards and simplify operations for international businesses.
1.3 Promote the use of anonymized and/or de-identified data. The PDPA defines personal data as "data that may be used to identify a natural person directly or indirectly." On the basis of this definition, we recommend that data that has been anonymized, such that the data subject can no longer be re-identified, not be classified as "personal data." Such an approach would align with international standards and ensure consistency and clarity in legal definitions. We further recommend that the government adopt international data anonymization and de-identification standards when amending the law, so as to encourage innovation in anonymization and other privacy-enhancing technologies.
1.4 Clearly explain the relevant personal data protection regulations and ensure that their enforcement remains transparent and consistent. Under regulations recently amended in response to cyberattacks, the government is empowered to penalize companies that fail to adequately protect personal data. However, there have been cases in which enterprises were penalized while the conditions remained unclear, leaving them uncertain as to what the actual violation was and which rules they should comply with in the future.
In practice, this approach penalizes companies that publicly disclose data breaches, while companies that conceal breaches suffer no consequences. We therefore call on the government to define the relevant personal data protection regulations more clearly, and to first assist enterprises in strengthening their data protection rather than penalizing them. Penalties should be imposed only when, after a data breach has occurred, a company is found not to have disclosed it publicly and accepted assistance and administrative guidance.
Suggestion 2: Strengthen Taiwan's cybersecurity through active collaboration among government agencies, industry stakeholders and the public
2.1 Government procurement should adopt international cybersecurity and data protection standards. The Committee appreciates the government's commitment to national security, but has also observed a tendency to rely on local practices rather than adopting international standards. The current cybersecurity guidelines issued by MODA under the Cyber Security Management Act allow agencies, when conducting ICT procurements involving national security or the protection of sensitive information, to bar certain products from tenders on the basis of their country of origin (for example, products made in China). However, because the country-of-origin criterion is overly broad and cannot accurately reflect actual cybersecurity risk, a more objective evaluation method is needed, such as assessment against international standards. In addition, MODA's procurement requirements for the joint supply contract for cloud services state that items must undergo product testing before being listed, yet the relevant testing criteria are created by the tender owner itself. Standardizing the testing process around widely recognized standards would improve the current situation and ensure fairness and thoroughness.
In addition, the Ministry of Education imposes security requirements on suppliers that manage and maintain servers and applications, requiring them to carry out drills and inspections (audits); however, these measures are not proportionate to the actual security risks involved. Because these requirements also apply to tenders that receive government subsidies, they may inadvertently extend the application of such disproportionate requirements.
At the same time, the vague and ill-defined concept of "local resilience" is often interpreted in everyday settings as data localization and has been wrongly incorporated into cybersecurity-related requirements in government procurement. This not only hinders the adoption of emerging technologies and weakens the government's goal of strengthening resilience, but also constitutes a potential non-tariff trade barrier.
Recommendations:
2.2 Promote resilient and secure digital infrastructure through public-private partnerships. The Committee recognizes the government's efforts to use innovative technologies to strengthen government resilience, including the development of disaster recovery plans for critical civic systems, and we applaud the government's allocation of a four-year budget. Furthermore, integrating satellite communications to strengthen the network and migrating multiple civic services to the cloud will help ensure that operations can be maintained during large-scale disasters.
The Committee also believes that a cloud-first policy that leverages innovative technologies is essential to strengthening Taiwan's resilience. We therefore recommend the following measures:
2.2.1 Ensure that network resilience can support critical applications with high connectivity requirements.
Taiwan's existing network strategy and infrastructure do not provide the effective redundancy solutions needed to keep applications running during emergencies. We recommend that the government adopt an application-oriented network connectivity resilience strategy that integrates terrestrial and space-based communications services, giving particular consideration to the constraints and scarcity of satellite bandwidth for critical applications. We urge the government to strengthen infrastructure so that it meets the critical needs of application users in times of crisis. Such improvements are essential to maintaining service levels and preserving real-time response capability during emergencies.
2.2.2 Provide flexible multi-cloud data backup systems to strengthen security and data protection.
Current government information management systems mainly follow the traditional approach of maintaining live data on premises and distributing backups across three different cloud service providers. The Committee recommends migrating the data to secure cloud environments to meet all data storage needs. By implementing double-key encryption in combination with a Key Vault maintained by government agencies, together with confidential cloud computing for highly sensitive workloads, Taiwan can achieve superior data security and availability. One practical approach is to use one cloud service as the backup for the active workload running on another. In addition, because cloud services are constantly evolving, the Committee further recommends that the government actively collaborate with cloud service providers to stay informed of the latest available security practices.
2.3 Collaborate with industry to formulate cybersecurity policies and regulations. Given the rapid development of cybersecurity and innovative technologies, we recommend that policies and regulations be developed through robust public-private partnerships, with the active participation of multiple stakeholders, especially technology providers, to ensure that cybersecurity measures are implemented comprehensively and effectively.
Suggestion 3: For artificial intelligence (AI) regulation, strike a balance between innovation and governance, align with international standards, and adopt principle-based and risk-based approaches
Digital transformation is at a pivotal moment, thanks in particular to advances in generative artificial intelligence. This technology, built on powerful computing capabilities and innovative cloud services, is transforming industries. AI is helping to improve customer service, accelerate the discovery of new treatments for cancer, several infectious diseases and neurodegenerative diseases, and strengthen agricultural technology by developing pest-, disease- and climate-resistant crops. It also plays a crucial role in cyber defense and climate change mitigation.
While AI offers transformative opportunities, it also raises significant concerns about fairness, ethics, transparency, privacy, security and inclusion. Other challenges include legal issues in the field of intellectual property rights and the potential for misuse, such as spreading misinformation to commit crimes that could harm democracy. AI governance involves not only technical issues but also political, social and ethical dimensions. As AI technology continues to advance, we urge the government to actively support its development while remaining vigilant against its potentially harmful applications.
Recommendations:
When formulating AI policies and regulations through robust public-private partnerships, multiple stakeholders, especially technology providers, should be actively included to ensure that AI governance adopts principle-based and risk-based approaches.