The Committee appreciates and supports the government’s “Information Security is National Security 2.0” strategy, which emphasizes the importance of transitioning to Zero Trust Architecture (ZTA) to strengthen verification protocols and enhance digital protection. However, the reduction in the government’s security budget for 2025 poses a challenge to fully implementing this architecture. Adequate funding is essential for effective identity verification mechanisms, device authentication, and trust inference.
We suggest the government allocate additional resources or adjust existing budgets to strengthen information security protections. In alignment with the national goal of transforming Taiwan into an AI island under the AI Taiwan Action Plan 2.0, we recommend adopting a principles-based framework that balances AI innovation with risk management, aligns with international standards, and emphasizes public-private collaboration.
The Committee also recommends launching cross-agency initiatives to enhance Taiwan’s position in the global quantum computing landscape. Quantum computing could transform key industries and significantly boost competitiveness. We propose a new five-year plan focused on strengthening R&D, cultivating talent, incentivizing industry participation, and developing post-quantum cryptography strategies.
The Committee encourages continued dialogue and collaboration to strengthen Taiwan’s technological resilience and security.
Suggestion 1: Modernize Taiwan’s privacy laws to balance economic development and personal data protection.
The Committee commends the Preparatory Office of the Personal Data Protection Commission (PDPC) for its ongoing efforts to establish the PDPC by August this year. As part of this process, the Preparatory Office is also proposing amendments to the Personal Data Protection Act (PDPA). We recommend leveraging this opportunity to modernize the legislation to reflect Taiwan’s evolving economy and reliance on international trade. We offer the following recommendations:
- Clarify the distinction between data controllers and data processors. Article 4 of the PDPA currently does not differentiate between the roles and responsibilities of data controllers and data processors. To align with international standards and clarify legal responsibilities, we recommend defining a data controller as a person who determines the purposes and means of processing personal data, and a data processor as one that processes data on behalf of the controller.
Processors should be responsible only for implementing appropriate security measures and complying with the terms stipulated in agreement with the controller. Because they typically lack direct relationships with data subjects and insight into the broader context, it is impractical to assign them the same legal responsibilities as controllers.
Clarifying these roles will strengthen accountability, improve compliance, and align Taiwan’s data protection framework with internationally recognized practices. Although this issue was raised in the 2024 White Paper, no substantial progress has yet been made.
- Assign breach notification obligations solely to data controllers. Building on the recommended role distinctions in Suggestion 1.1, the PDPA should clarify that data controllers, not data processors, are responsible for notifying the competent authority and affected data subjects. Processors should be required only to report breaches to controllers. These obligations should take effect only after the relevant subsidiary legislation outlining thresholds, mechanisms, and timelines is finalized, so as to prevent ambiguity in compliance expectations.
- Make data subject breach notification contingent on a harm threshold. An effective data breach notification mechanism should alert data subjects to actual risks and provide the information needed to mitigate potential harm. In line with the EU’s General Data Protection Regulation and Singapore’s Personal Data Protection Act, notification obligations should be subject to a harm threshold. This prevents over-notification, which may desensitize recipients by alerting them to incidents that pose no genuine threat, ultimately diminishing the impact of critical warnings.
- Grant a rectification period before imposing penalties for violations of data breach reporting and record-keeping requirements. The latest PDPA amendments impose penalties for certain violations, such as failures in data breach reporting and record-keeping, without first allowing a period for correction. However, these violations are rarely intentional, and organizations typically need time to assess the nature and impact of a breach before determining their compliance obligations. Emerging digital businesses may also face uncertainty about which regulatory authority has jurisdiction, leading to inadvertent delays. In line with the approach taken for notifying data subjects of breaches, a rectification period should likewise apply to reporting and record-keeping violations.
- Adopt a flexible approach to security maintenance mechanisms. When establishing security maintenance requirements and management mechanisms, the government should avoid overly prescriptive requirements and allow non-governmental agencies to adopt security measures flexibly based on their industry characteristics, risk exposure, and the types of data they process. Subsidiary legislation should support flexible, risk-based implementation tailored to each organization’s context.
- Establish a transition period of at least one year to support compliance with new PDPA requirements. Non-governmental agencies, particularly those with complex operations, will require sufficient time to implement the systemic changes needed to comply with new data protection requirements, especially those related to data breaches. To ensure effective compliance, we recommend establishing a transition period of at least one year following the promulgation of any new requirements.
- Conduct thorough public consultations on proposed PDPA subsidiary legislation. The latest PDPA amendments grant the competent authority broad regulatory powers to develop detailed implementation requirements. To ensure that all relevant stakeholders have a meaningful opportunity to provide input, the Personal Data Protection Commission should conduct thorough public consultations for at least 60 days on any proposed subsidiary legislation.
- Ensure continued flows of personal and other data. Given Taiwan’s export-oriented economy, it is vital to maintain an open legal framework that permits cross-border data transfers to facilitate international trade and investment.
- Promote the use of anonymized and de-identified data. In line with the PDPA’s definition of personal data as “information that may be used to directly or indirectly identify a natural person,” we recommend that data rendered truly anonymous, with no possibility of re-identification, not be classified as personal data under the PDPA. Such clarity would reduce compliance burdens and support innovation across sectors. We also recommend that the government adopt global anonymization and de-identification standards in future PDPA amendments, thereby encouraging innovation in privacy-enhancing technologies.
Suggestion 2: Strengthen government cybersecurity and procurement policy through sustainable investment and alignment with international standards.
- Ensure adequate and sustained cybersecurity funding to support full implementation of ZTA. According to the National Development Council’s initiative to promote the information security industry, cybersecurity funding should account for 5% to 7% of total IT expenditures, with this benchmark maintained or increased beyond 2025. We recommend that the government meet this target by increasing or reallocating funds to ensure full ZTA deployment.
- Align government cloud service procurement with international security and data protection standards. Under the joint government procurement contract for cloud services, the “Reference List of Basic Requirements for Common Information and Communication Security” is applied to cloud services before listing. However, the List’s “Application Software or System Development Services” category requires suppliers to submit security documentation and testing for inspection. This requirement is overly broad and should apply only to custom-developed solutions, not to public cloud services with standardized features used across clients.
Requiring public cloud providers to disclose proprietary source codes raises serious concerns regarding trade secrets and fails to meet principles of necessity and proportionality. It also creates uncertainty, as the List does not clearly define the scope of application software or system development.
We recommend discontinuing the current pre-inspection requirement. Instead, the government should assess whether cloud services meet widely recognized international or industry standards (including ISO/IEC 27001, ISO/IEC 27018, and SOC 2). This approach would reflect best practices in global cloud procurement and enable agencies to adopt secure, compliant cloud services more efficiently.
- Base ICT procurement decisions on international cybersecurity standards rather than country of origin. Under Executive Yuan Document No. 1090201804A, ICT products used by government agencies, including software, hardware, and services, must not originate from mainland Chinese brands. In 2024, the Executive Yuan approved a draft amendment to the Cyber Security Management Act, elevating these restrictions into law under Article 11, which prohibits public agencies from procuring or using products that pose national ICT security risks.
Focusing on country-of-origin, without clear technical criteria, may discourage international investment and complicate vendor evaluation. A standards-based approach ensures both security and openness. The Committee recommends shifting the procurement focus from country-of-origin to compliance with international standards for cybersecurity, personal data protection, and supply chain integrity (including ISO/IEC 27001, ISO/IEC 27701, ISO/IEC 20243, NIST SP 800-193, NIST SP 800-171). This approach still allows the government to exercise discretion in excluding non-compliant products, including those from mainland China, while offering a more transparent and consistent basis for evaluation. We also urge the government to identify a competent authority, such as the Ministry of Digital Affairs (MODA) or the Ministry of Economic Affairs, to address this critical issue.
To minimize procurement uncertainty and protect the rights of both vendors and agencies, we further recommend publishing the list of prohibited products referenced in Article 11-1 or creating a secure inquiry mechanism. In addition, the views of ICT manufacturers should be taken into consideration during the drafting of sub-laws and implementation measures to ensure practical enforcement.
Overreliance on country-of-origin restrictions, without clear technical guidelines, risks confusing procurement staff, deterring global companies, and weakening Taiwan’s ICT industry’s competitiveness in international supply chains. We urge the government to anchor future procurement policy in internationally accepted cybersecurity standards.
Suggestion 3: Ensure that AI regulation supports innovation through a principles-based, risk-proportionate framework.
To support Taiwan’s ambition of becoming an AI island under the Taiwan AI Action Plan 2.0, the Committee recommends that the AI Basic Act and related guidelines adopt a regulatory approach that promotes innovation while managing real risks. We offer the following recommendations:
- Adopt a principles-based framework and implement regulations grounded in a risk-based approach. AI regulation should focus on high-risk scenarios and avoid prescriptive regulation to maintain flexibility amid rapid AI technological advancements. Adopting a risk-based, principles-driven AI regulatory framework will not only encourage innovation but also attract global AI developers seeking a stable and trusted policy environment.
- Align with international standards. Considering Taiwan’s export-oriented trade model and global AI development trends, it is crucial to align with international or industry standards and practices (such as the U.S. NIST AI Risk Management Framework and ISO/IEC 42001). In accordance with the AI Basic Act, international cooperation should be actively promoted, such as with Taiwan’s AI Safety Institute (AISI), which facilitates cross-border collaboration on AI safety testing, research, and policy coordination to improve the global governance of advanced AI systems.
- Prioritize the application of existing regulations and incorporate industry opinions through public-private collaboration. New regulations, including reference guidelines, should only be established when current laws are insufficient, and industry opinions should be collected through public-private collaboration at an early stage.
- Tailor data protection requirements to application-specific risk levels. Regulations should support the use of AI by encouraging context-specific data protection measures, rather than blanket prohibitions. For example, bans on sharing confidential or personal data with generative AI services should distinguish between open models and closed, on-premises deployments. This risk-based approach enables practical use of AI while safeguarding sensitive data.
- Revise public sector guidelines to align with AI Basic Act principles. As MODA promotes AI applications across government agencies, the National Science and Technology Council (NSTC) reference guidelines on using generative AI should be updated to reflect the principles and risk management framework of the AI Basic Act. This alignment will support innovation, enable responsible AI adoption in the public sector, and help position Taiwan as a leader in AI-driven digital governance.
Suggestion 4: Initiate cross-agency efforts to build Taiwan’s quantum leadership through a multi-pronged approach.
- Expand R&D to accelerate quantum integration. Quantum computing is a revolutionary technology capable of solving complex problems beyond the reach of classical computers. It holds transformative potential across leading sectors such as material science, machine learning, cybersecurity, fintech, and transportation, while fostering new economic opportunities and high-value employment. The NSTC has identified quantum technology as one of its eight major forward-looking research platforms and is investing NT$8 billion (US$288.2 million) from 2022 to 2026 to advance this field.
We recommend that the government prioritize R&D in its next five-year plan by expanding resources for deploying and utilizing integrated quantum high-performance computing systems. These systems will significantly accelerate computational tasks for both scientific and industrial applications. Additional support should go toward research in quantum software and practical applications, including the identification of government-specific use cases.
- Cultivate a quantum-ready workforce. Talent development is critical to meeting the growing demand for quantum technologies. The Committee urges the government to expand quantum education and training programs to cultivate a skilled domestic workforce. This includes academic partnerships, curriculum development, and training opportunities across all levels of education and professional development.
- Incentivize private-sector engagement. Industry participation must be a core pillar of Taiwan’s national quantum strategy. The framework should encourage involvement from both large enterprises and emerging startups through financial incentives, innovation grants, public-private research initiatives, and infrastructure support. This approach will help foster a robust talent pipeline and accelerate commercialization of quantum technologies.
- Develop a national strategy for post-quantum cryptography. One of the future risks of quantum computing is its potential to break current encryption standards. Taiwan should act now to integrate post-quantum cryptography into national security and industry protection plans. To prepare Taiwan’s digital infrastructure for the coming quantum era, we recommend the development of a national quantum readiness plan focused on post-quantum cryptography (PQC). This plan should incorporate PQC into existing cybersecurity strategies and encourage early migration to globally recognized post-quantum algorithms. Doing so will ensure Taiwan’s long-term data security and international competitiveness in cybersecurity resilience.
Suggestion 5: Enable Taiwan’s digital future by ensuring fair treatment for internet data centers and cloud service providers.
Internet data centers (IDCs) and cloud service providers (CSPs) are critical to Taiwan’s digital economy, supporting a significant share of its economic activity and enabling digital transformation, technological leadership, and national resilience. As major customers of Taiwan’s semiconductor industry and essential enablers of AI development, IDCs and CSPs reinforce Taiwan’s strategic position in the global technology supply chain and as a regional AI hub. IDC establishment also drives large-scale infrastructure investment, including in fiber optic networks and transport systems, leading to direct and indirect job creation across construction, engineering, and services, with significant contributions to Taiwan’s GDP.
- Ensure fairness in electricity pricing for IDCs. Electricity is the largest operating expense for IDCs and CSPs, which run high-availability digital infrastructure 24/7. However, recent electricity price hikes have created a growing cost burden, threatening the competitiveness of these sectors. In April 2024, Taipower introduced Schedule 6, imposing an additional price adjustment on IDCs whose annual electricity consumption exceeds 50 million kWh. This measure, which singles out IDCs from other growing industries classified under Schedule 5, is unprecedented in the Asia-Pacific region and lacks a clear rationale.
The Committee urges the government to revise the electricity pricing structure to uphold principles of fairness and non-discrimination. In particular, IDCs should not be singled out as a distinct pricing category. Instead, pricing policies should apply consistently across all industries, with classifications based on objective criteria such as voltage levels, load profiles, and grid utilization. A holistic approach will help prevent the disproportionate allocation of Taipower’s cost recovery burden onto a single sector, and ensure a more equitable and sustainable electricity market. We recommend removing Schedule 6 and reclassifying IDCs under Schedule 5 to restore parity and promote balanced economic development.
- Promote transparency and consultation in electricity pricing policy. The classification process and calculation of electricity price adjustments must be transparent and inclusive. Effective policy should involve early consultation with relevant industry stakeholders to prevent unintended economic consequences. A well-defined, predictable mechanism for electricity pricing will provide long-term visibility and stability, enabling IDCs and CSPs to make infrastructure investments with confidence. A clear, consultative pricing policy is essential for Taiwan to maintain its attractiveness as a regional digital infrastructure hub.
- Implement performance-based energy standards for CSPs. Ongoing discussions on potential new compliance requirements for CSPs, such as mandatory disclosures on technical and efficiency metrics, risk undermining Taiwan’s technological competitiveness and cloud infrastructure resilience. The Committee urges the government to recognize the inherent operational efficiencies of cloud services, which benefit from dynamic workload optimization, high utilization rates, and advanced cooling technologies.
We recommend adopting performance-based energy standards rather than prescriptive technical requirements. Metrics like Power Usage Effectiveness remain useful, but target values should reflect facility type, operating patterns, and local climate conditions. Regulatory frameworks should focus on environmental impact and overall energy efficiency, allowing CSPs the flexibility to pursue innovative solutions that may exceed traditional efficiency benchmarks.