
Cloud Computing Contracts and Data Protection Challenges

Sponsorship Agreements: Nine Steps to Maximising Return on Investment

The Contradictory World of Spanish Law Against Late Payment

INTELLECTUAL PROPERTY AND TECHNOLOGY NEWS
Perspectives • Analysis • Visionary Ideas

www.dlapiper.com

ASIA PACIFIC

NOVEMBER 2016

Cyber Risk: Securing Your Success

Unfair Contract Terms in the IT Space: What You Need to Know

Insurtech

Proposed Australian Mandatory Data Breach Notification Regime

Significant Changes to Data and Cybersecurity Practices in China

Stricter PRC Online Advertising Regulation in Response to Search Scandal

Mobile Apps Under Close Watch of the Hong Kong Privacy Commissioner

Singapore's Enforcement of Data Protection Law on the Rise

Welcome to the latest Asia Pacific edition of Intellectual Property and Technology News, our biannual publication designed to report on worldwide developments in intellectual property and technology law, offering perspective, analysis and visionary ideas.

This month we have turned our focus to technology. Words such as 'cyber', 'breach' and 'data' are being used more than ever before. In this issue we delve into cybersecurity and the respective laws in Asia-Pacific (page 4). We go further and explore Australia's proposed mandatory breach notification bill (page 14), Singapore's enforcement of data protection (page 22) and significant changes to cybersecurity laws in China (page 16).

Another word that we are hearing more frequently is 'insurtech': we look at the steps insurers are taking to innovate in the technology space (page 12). We also look at unfair contract terms in IT (page 10), privacy and mobile apps in Hong Kong (page 20) and stricter advertising regulations in the PRC (page 19).

Moving into December, we wish you all the best for the season and look forward to working with you in 2017.

Kind regards,

EDITOR'S COLUMN

IN THIS ISSUE…

Editor's column

Meet Greg Bodulovic

Cyber risk Securing your success

Unfair contract terms in the IT space What you need to know

Insurtech

Proposed Australian mandatory data breach notification regime

Significant changes to data and cybersecurity practices in China

Stricter PRC online advertising regulation in response to search scandal

Mobile apps under close watch of the Hong Kong Privacy Commissioner

Singapore's enforcement of data protection law on the rise

IPT insights

What's on: The award-winning Intellectual Property and Technology News is now published in the United States, Asia Pacific and EMEA regions. Find all current and past editions of the IPT News here: www.dlapiper.com/ipt_news

DLA Piper is a global law firm operating through various separate and distinct legal entities. Further details of these entities can be found at www.dlapiper.com.

This publication is intended as a general overview and discussion of the subjects dealt with, and does not create a lawyer-client relationship. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper will accept no responsibility for any actions taken or not taken on the basis of this publication. This may qualify as "Lawyer Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.

Copyright © 2016 DLA Piper. All rights reserved. | NOV16 | 3154851

Horace Lam, Head of Intellectual Property and Technology – China, horace.lam@dlapiper.com

Melinda Upton, Head of Intellectual Property and Technology – Australia, melinda.upton@dlapiper.com

Edward Chatterton, Head of Intellectual Property and Technology – Hong Kong, edward.chatterton@dlapiper.com

MEET GREG BODULOVIC

How long have you been at DLA Piper and what brought you to this position?

I joined DLA Piper in September 2016. I came to this position having worked in intellectual property for 10 years, most recently in the Sydney office of a large US firm.

Having qualifications in biotechnology and experience in patent litigation and advising on the regulation of therapeutic goods, I was particularly drawn to DLA Piper's life sciences sector, as well as the breadth and scope of the IPT practice in Australia more generally. The people at DLA Piper, the firm culture and the opportunities to work on high-profile matters and in cutting edge areas of technology were all key to my decision to join.

I have really enjoyed my time at the firm – the IPT team in Sydney is fantastic, and I have also had the opportunity to meet and work with colleagues in Melbourne, which has been an equally positive experience.

What do you love about your job?

I love the breadth and variety of work within the area of intellectual property law and the exposure to various technologies and brands. Over my career I have been fortunate to have worked on various contentious and non-contentious patent, design, trade mark and copyright matters in fields as diverse as pharmaceuticals and medical devices, food and beverages, software and hardware, clothing and fashion, and consumer goods. I also advise on transactional intellectual property matters, which has enabled me to work on the intellectual property and technology aspects of large multi-jurisdictional corporate transactions. I have also had the opportunity to be seconded to a medical devices company as an in-house counsel, which gave me an insight into the practical application of legal advice from the client perspective.

Also, it goes without saying that I enjoy overcoming the challenges encountered on a daily basis in the course of my job, and obtain satisfaction from achieving a successful outcome.

Do you have any hobbies and interests outside of work?

I try to keep fit by running, cycling and playing tennis. I have a keen interest in modern art (and am involved with the Museum of Contemporary Art in Sydney), as well as in technology and innovation. Recently, most of my time outside of work has been spent with my 10-month old daughter.

Greg Bodulovic, Senior Associate, Sydney. T +61 2 9286 8218, greg.bodulovic@dlapiper.com

www.dlapiper.com | 03

CYBER RISK: SECURING YOUR SUCCESS

Recently Aon, DLA Piper and Symantec hosted a cyber risk symposium across Australia. The guest speakers on the day delivered important clarity regarding the global threat environment. This article is a summary of the legal influences on the cyber risk landscape and the technology solutions and strategies available that were discussed throughout the event. It also explores the growing role played by cyber insurance in underpinning safe and sustainable business models.

04 | Intellectual Property and Technology News

Cyber security is becoming part of the national conversation. It is a conversation initiated by a rash of attacks on public and private computing infrastructure, propelled by the Federal Government's cyber security strategy released in early 2016, and amplified by the high profile Census debacle.

But cyber security requires more than talk; it demands action. Organisations that effectively identify and plot their risk profile, and take steps to manage, mitigate and, where appropriate, transfer that risk, secure their future and are better poised to reap competitive rewards.

By demonstrating a sophisticated and comprehensive approach to cyber security, a company positions itself as a favoured and trusted business partner. But this is not a set and forget strategy: the threat landscape is in a state of constant flux, and organisations need to regularly review and refresh their approach.

The global threat environment

There are no longer any doubts that cyber risk is an immediate and significant issue for enterprises of all scales and in every sector. Left unchecked, it can bring corporations and countries to their knees.

According to Professor Greg Austin, director of the Australian Centre for Cyber Security, one of the major challenges is that the full dimensions of the problem are still being assessed globally. But he notes that US President Barack Obama has, for the second year, declared a national emergency in cyberspace, which indicates the scale and seriousness of the global problem.

China has also stepped up its efforts in the area, according to Prof Austin, under the direct control of the President, and has introduced a draft bill on cyber security.

In Australia, the Prime Minister has assessed that cyber-crime has an economic impact ranging somewhere between $1 billion and $17 billion. Prof Austin said that extraordinary range indicates the continued lack of clarity about the true extent of the problem.

Where there is no lack of clarity is in the acknowledgement that there is a problem, and senior managers and boards are increasingly concerned.

A PricewaterhouseCoopers report into global economic crime has for the first time identified cyber-crime as the number one threat – edging out asset misappropriation.

Prof Austin says that eight vectors of attack are currently in evidence – software, hardware, networks, payload, people, power supply, policy and ecosystem. In addition, nine major sources of threats have been identified, and Symantec data suggests there are as many as 30 different threat types.

These variables in combination make it difficult, if not impossible, to prevent any and all attacks. Prof Austin's warnings are stark: "The criminals are always ahead of you or I… the bad news is that governments are well behind criminals and corporates."

While he acknowledges that the chances of a serious cyber-attack on any one corporation or entity are quite low, the probability of the consequences being high in a handful of cases is extremely high. And that, he says, is what organisations need to prepare for.

Legal influences on the cyber risk landscape

Legislation and regulation often lag technology, and this is particularly evident in the cyber security area, where nations continually play catch-up.

Enterprises operating internationally must navigate a global legal landscape in constant flux, and establish strategies for managing security and data that comply with regulations locally and regionally.

This is particularly challenging for companies migrating information systems to the cloud. While there may be scale, cost and flexibility benefits associated with cloud computing services, it is essential to review contracts regarding how data will be treated and identify any potential security gaps.

Blue Edge Lab, a wholly owned subsidiary of DLA Piper, delivers a solution to track legislative changes regionally, called CyberTrak. (Blue Edge Lab is not a law firm and does not provide legal services.) Organisations which operate in multiple jurisdictions must navigate complex rules surrounding privacy, data and security. Scott Thiel, DLA Piper partner specialising in technology and privacy, says that organisations operating in multiple jurisdictions need to decide whether to take a "high watermark approach" and establish security and privacy settings that meet the most stringent conditions in the countries in which they operate, or tackle the issue country by country.

Neither is ideal – the costs associated with meeting high watermark regulation across the region could be high, while a piecemeal approach could be difficult to maintain, especially given the rapid pace of change. However, failing to address the issue properly is a mistake with potentially serious financial implications: witness the company sued for HK$15 million over a consumer's "hurt feelings" regarding unauthorised exposure of their data.

Beyond compliance, there is the opportunity to leverage investment in cyber security and data protection to deliver competitive advantage, especially following the Panama Papers leak, which threw the issue into sharp relief.

Organisations pitching for work, responding to tenders or planning an IPO may find it an advantage to be able to reference a comprehensive, even audited, data collection, storage and use strategy, along with a well-constructed and rehearsed cyber security plan. That plan should leverage technology solutions and services such as encryption, penetration testing and employee education, along with an appropriate insurance framework to mitigate and transfer the risk of financial consequences associated with a breach.

In the event of a breach, this also streamlines discussions with regulators. An enterprise able to identify where its data is stored (whether on premises or in the cloud), and also reference the technologies, policies and procedures in place to protect that data, should then be able to identify where the plan proved lacking in the event of a breach and provide a voluntary undertaking to the regulator to fix that issue.

Says Thiel: "Institutional awareness of how systems hang together will speed root problem analysis and rectification."

Cyber rules around the region

Australia: the arrival of a new privacy amendment Bill and mandatory data breach notification for serious breaches is expected to be a game changer.

China: racing ahead in terms of regulations, and has a draft security law which will have significant implications for international companies operating in the PRC.

Hong Kong: specific and stringent security requirements. While there are no data breach notification rules, these are expected in 12–18 months. The first person to be jailed for a privacy breach was a Hong Kong based insurance broker.

Singapore: legislation in place for over two years, and more meaningful enforcement is anticipated, while regulations are expected to evolve, particularly for foreign enterprises.

Japan: a mix of regulations impacting various industries, but a strong culture of compliance, meaning the level of enforcement is low because of fear of reputational damage.

South Korea: a long tradition of privacy and security law and robust enforcement, with serious enterprise consequences.

Thailand: some constitutional requirements, but no breach notification.

In the event of a breach…

1. Refer to the data breach response plan.

2. Call lawyers to preserve privilege.

3. Involve the communications and PR team.

4. Alert insurers to the breach.

5. Seek advice from lawyers and insurers regarding extortion (ransomware) attempts before any payments.

6. Engage the incident response team to analyse the breach and remediate.

Access DLA Piper's cyber incident/data breach response – Your emergency checklist – here: https://www.dlapiper.com/en/australia/insights/publications/2015/04/cyber-data-breach-checklist

Assessing the technology/insurance inflexion point

Technology and education are the first frontier of data protection and cyber security. Investing in a spread of security technologies such as firewalls, encryption, system monitoring, vulnerability assessments and penetration testing, along with effective employee education programmes to ensure staff understand how to avoid spear phishing or ransomware attacks, is essential for any organisation.

There is, however, a point at which additional investment in security offers diminishing value. At this inflexion point, an organisation needs to refocus its investment attention toward cyber risk insurance.

Tim Fitzgerald, chief security officer and VP at Symantec, explains that exactly when an organisation reaches that inflexion point will vary, and will also be impacted by the scale of an organisation's data collection, its reliance on cloud computing services, deployment of internet of things devices and also the mobility of its workforce and user base.

He recommends that organisations conduct a cyber risk assessment, analyse the data stores held and assess by whom and why they may be targeted, and then develop a security strategy based on that insight. The board and senior managers need to be apprised of the security risk and strategy and, through gap analysis, determine the need for cyber insurance, understanding that conventional corporate insurance policies are unlikely to properly protect an organisation in the event of a cyber-attack.

A data breach response plan, which can be informed by the Office of the Australian Information Commissioner's guidelines (https://www.oaic.gov.au/resources/agencies-and-organisations/guides/data-breach-notification-guide-august-2014.pdf), ensures that, should a cyber-attack occur, the organisation and staff understand their responsibilities. A comprehensive response plan also demonstrates good governance to business partners, investors and regulators.

However, any cyber response plan must remain a living document and needs regular review, ensuring that current regulatory requirements are acknowledged.

In addition, any personnel with responsibilities under that plan must be properly trained to act swiftly in the event of a breach. The plan should also identify any third party support services required should an attack occur, allowing engagement contracts to be negotiated well in advance.

Organisations attacked once are three times more likely to be attacked again – Symantec

45x more cyber ransom events year on year – Symantec

Digital transformation and the impact of insurance

Once an organisation has deployed robust technology defences, educated staff about the risks of cyber-attack and promulgated policies about how to react and respond to cyber events, it has laid important foundations for its protection.

Those people, process and technology foundations provide a platform from which the organisation is able to negotiate appropriate and cost effective cyber insurance.

By analysing the potential impact of an attack on the financial statement, the organisation can determine what coverage it requires.

Kevin Kalinich, Aon's global cyber practice leader, advises organisations to look at the industry in which they operate and benchmark the range of losses that could arise, knowing the value of data assets held and the impact of a cyber-attack in terms of business interruption, the impact on supply chains, on SCADA industrial control systems, and on reputation and brand.

The anticipated introduction of mandated data breach notification should spur action, and organisations with international operations need to ensure that they are properly protected in all the geographies in which they operate. Based on international experience, mandated breach notification leads to significant costs associated with legal services, regulator notification, customer notification, forensics, remediation and potentially compensation claims.

"Take steps to mitigate, to allocate liability or minimise your own liability. This is not all about prevention – it is about your response. If you have prepared a response, there is data that shows you can reduce the total cost of an incident," says Kalinich.

He also warns that organisations should not assume that their existing insurance policies provide any coverage in the event of a cyber-attack, nor that a third party information systems provider, such as a cloud computing vendor, would have them covered. Similarly, existing directors and officers policies and professional indemnity coverage might prove inadequate should a cyber-attack take place.

In order to properly analyse the risk profile, Kalinich advocates risk quantification modelling in combination with Monte Carlo evaluation techniques. The resulting macro level understanding of the challenge allows an organisation to then work with an insurance broker to craft appropriate risk coverage.

Off the shelf policies have limited value. Base cyber insurance policies can cover external hacks, malicious code and internal mistakes – but may not cover the impact of a bug in the system. Consequential – punitive, incidental – costs are excluded from all base insurance policies, as is tangible property damage, but can be negotiated in a customised policy.

Effective cyber insurance policies also cover costs associated with legal support, communications costs, forensic analysis, notification and remediation services.

Kalinich warns, however, that given the changes in the legal landscape and the technology terrain, this is not a set-and-forget requirement, noting that risk assessment needs to be both thorough and regular.

Armed with that insight, the organisation can work with an insurance broker to find, tailor and stress test a cyber insurance policy to ensure the effective reduction of enterprise risk.

Cyber risk: are you properly prepared?

There are four key questions that every organisation needs to address regarding cyber risk and protection:

What can go wrong?

How bad can it be?

How am I protected?

Will my insurance work?

Assessing the organisational risk profile requires input from multiple stakeholders, including the chief financial officer, chief information security officer, risk management head and legal counsel. External consultants can also provide a fresh lens through which to explore exposure.

Knowing the risk is one thing – dealing with it effectively also demands the support of the most senior management and board. Effective security requires a whole-organisation commitment from the top down.

The anticipated mandatory breach notification legislation will require organisations to alert authorities not only when they are aware of a breach but when those organisations "ought reasonably to have been aware", which suggests regulators may penalise companies found to have inadequate security systems. It is also not yet clear whether there will be any extra-territorial implications of the legislation for organisations operating overseas branches or subsidiaries.

Cyber security is a critical issue for organisations of every scale and in every sector. Robust and comprehensive security frameworks, a well-crafted response plan and effective cyber insurance, developed in concert and reviewed regularly, deliver the maximum protection and an important competitive edge.

UNFAIR CONTRACT TERMS IN THE IT SPACE: WHAT YOU NEED TO KNOW

Sarah Dolan, Senior Associate (Melbourne); Stephanie Tran, Graduate (Melbourne)

The 'one size fits all' approach to contracting is a common feature within the IT industry. Standard form contracts are an efficient and cost-effective method of doing business, and are often used for online terms of use and projects which are of low risk, value and/or complexity.

From 12 November 2016, the unfair contract terms regime in the Australian Consumer Law, which until then only applied to individual consumers, was extended to contracts where at least one party is a "small business" and the upfront price payable is $300,000 (or $1 million if the contract is for a term longer than 12 months). A "small business" is a business that employs fewer than 20 people. It will also apply to contracts which are varied after 12 November 2016.

What is an "unfair" contract term?

Whether a term is "unfair" is decided by a court or tribunal. A term is "unfair" if the following three criteria are satisfied:

it causes a significant imbalance in the parties' rights and obligations under the contract;

it is not reasonably necessary to protect the legitimate interest of the party who would be advantaged by the term; and

it would cause detriment (whether financial or otherwise) to a party if the term were relied upon.

A court or tribunal, in determining whether a term is unfair, must assess the transparency of the term. This includes an assessment of how the term is expressed: is it in plain language, and is it presented clearly? The court or tribunal must also consider the term in light of the contract as a whole, and not in isolation.

Unfair terms in standard form contracts

Examples of standard form contract terms that may be challenged in court or at a tribunal for "unfairness" include:

terms requiring the customer to indemnify the supplier for any damage caused, even if it is caused by the supplier's own negligence;

terms that allow a supplier to cancel a contract at will for an inconsequential breach of contract by the customer;

terms that restrict a customer from obtaining a refund or exercising a termination right where the supplier has failed to meet its obligations under the contract; and

terms that provide for automatic renewal without the customer's consent.

What does this mean for your business?

Where a supplier's business model is directed at providing services to small to medium enterprises (SMEs), and the supplier has not had to address this issue in the past for "consumer" customers, it is likely to be impacted by this extension of the unfair contract terms regime. Standard form contracts (eg online terms of use, confidentiality agreements, software licences, support agreements, supply and/or services contracts) for SME customers should be reviewed to determine whether any of the terms may be considered "unfair".

If a court determines that a term is "unfair", it can make a range of orders, including declaring part or all of the contract void and/or varying the contract. If a court orders a contract to be varied, this may result in the supplier being unable to enforce other rights it may otherwise have, either under the contract itself or at law.

Additionally, customers which are small businesses may challenge contract terms that they consider are unfair, to prevent a supplier from enforcing express rights under the contract. Such challenges will cost a supplier both time and money to address, even if it is able to successfully defend the claim. In addition, in this day of instant and free customer feedback on social media sites, there is also the risk of reputational damage in the market.

Suppliers should ensure their standard terms are appropriate for the type, size and nature of both the target customer and the goods and services being provided, with an appropriate balance of risk and responsibility between the parties.

INSURTECH

Carolyn Bigg, Of Counsel (Hong Kong); Sarah Fountain, Senior Associate (Melbourne)

The customer experience of insurance has largely remained the same for many years. A customer completes a proposal form (normally in hard copy) and submits it to the broker; the broker requests quotes from insurers; insurers provide quotes; the broker places a policy; the policy is issued (normally on an annual basis); and then the customer probably gives no further thought to it unless he or she needs to make a claim. This process does not fit well with the digital era we now live in, and has not adapted quickly enough to meet changing consumer expectations, largely driven by millennials.

Insurers widely recognise the need to innovate. Despite this, most insurers have been slow to change their ways, with less than a quarter giving customers the option to submit claims online. This signals huge opportunities for those in the insurance sector, which explains the huge growth we are seeing in 'insurtech' (a word that was barely known a few years ago but now seems to be everywhere). Globally, investment in insurtech increased from US$800 million in 2014 to US$26 billion in 2015, and was US$1 billion in the first half of 2016.

Across Asia Pacific there are numerous examples of insurers embracing insurtech. Some insurers have opened innovation labs or incubators, such as Metlife's LumenLabs in Singapore. Others have established corporate VC funds to invest in insurtech startups that will drive value for the business. For example, Suncorp recently invested in Trov, an app that allows customers to turn insurance on and off by swiping right or left on their phones. We have also seen collaboration between insurers and car manufacturers to make available one-click, single use motor vehicle policies in connected cars, as well as collaboration between insurers and technology companies. Another indicator of the opportunities in insurtech is the level of interest shown in the insurance market by leading players in other markets. For example, earlier this year China Mobile announced it is planning to enter the insurance market by making significant investments in two insurance companies.

These initiatives are already starting to have an impact on the insurance experience. The use of drones by insurance companies to assess property damage is reducing claims costs and the time taken to assess claims. The implementation of wearable technology in the workplace, such as smart glasses and smart hats, is increasing workplace safety and thereby reducing the risk of injuries. The use of wearable devices has also been adopted by health insurers and life insurers, enabling them to capture data and potentially pass on lower premiums to policy holders. In the future, we predict the most significant areas of growth and change in insurtech will be data analytics, wearables and IoT, blockchain and artificial intelligence.

Whilst regulators understandably adopt a cautious approach, they are taking steps to encourage fintech and insurtech initiatives. The Monetary Authority of Singapore very recently published guidelines for a 'regulatory sandbox' to encourage growth in fintech within a relaxed regulatory environment. This follows the announcement by the Australian Securities & Investments Commission of a sandbox for fintech businesses.

As the insurance sector becomes increasingly digitised, cybersecurity risks also increase. Regulators around the region have published new and updated guidance that is relevant to the increasingly sophisticated cybersecurity threats. It is important that insurers' compliance and risk teams focus not only on the immediate cybersecurity compliance obligations arising from the latest regulations, but also ensure that cybersecurity compliance programmes are developed to take into account increasing reliance on technology and data at the core of their operations.

As technology continues to evolve and improve, insurtech opportunities will increase. Although the rise of insurtech has been rapid in recent years, it is still in its infancy. This presents significant opportunities for insurers who adapt to changing consumer expectations and invest in insurtech, especially in Asia, where many people are uninsured but are well connected and spend a lot of time online via their mobile devices. Adapting quickly to this dynamic landscape will enable insurers to remain competitive.

In October 2016, the Federal Government introduced the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill) to the House of Representatives to amend the Privacy Act to establish a regime for mandatory notification of eligible data breaches. There is bipartisan support for the Bill, and it is likely to become law in late 2016 or early 2017.

What are the mandatory data breach notification requirements under the Bill?

The Bill requires that an entity must, as soon as practicable, comply with the notification steps outlined below if:

the entity becomes aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity; or

the Information Commissioner directs the entity to do so.

If an 'eligible data breach' occurs in relation to information which has been disclosed to (and is held by) an overseas recipient by an entity, the entity that disclosed the information must comply.

Step 1 Prepare a statement setting out the prescribed details

The affected entity must prepare a statement that sets out

the identity and contact details of the entity If the eligible data breach relates to more than one entity the statement may set out the identity and contact details of those other entities

a description of the eligible data breach

the kind or kinds of information affected by the eligible data breach and

recommendations about the steps that individuals who are or may be affected by the eligible data breach should take in response to it

If a statement is prepared at the direction of the Information Commissioner the statement must also include any information specified in that direction

Step 2 Give a copy of the prepared statement to the Information Commissioner

Step 3 Notify the contents of the statement to individuals whose information is affected by the eligible data breach

Where practicable the affected entity must take reasonable steps to notify the contents of the statement to those individuals to who are or may be affected by the eligible data breach The entity may use the channels it ordinarily uses to communicate with individuals (eg email text message mail) to provide those notifications but that does not limit the obligation to take reasonable steps or the methods of communication that the entity can use

If it is not practicable for the affected entity to notify individuals the affected entity must publish a copy of the statement on its website (if any) and take reasonable steps to publicise the contents of the statement

PROPOSED AUSTRALIAN mANDATORY DATA bREACH NOTIfICATION REGImEBy nicholas Boyle senior associate (sydney)

14 | Intellectual Property and Technology News

What are 'eligible data breaches'?

An 'eligible data breach' occurs when:

there is unauthorised access to, or unauthorised disclosure of, personal, credit reporting or credit eligibility information or a tax file number, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates; or

personal, credit reporting or credit eligibility information or a tax file number is lost, where it is likely that (a) unauthorised access to, or unauthorised disclosure of, the information will occur and (b) such unauthorised access or disclosure will result in serious harm to an individual to whom the information relates.

Remedial action exception to the definition of eligible data breaches

An eligible data breach is deemed never to have occurred where the affected entity:

in the case of lost information, takes action before there is unauthorised access to or unauthorised disclosure of the information which is lost, and no unauthorised access or disclosure actually occurs; or

in the case of information which is the subject of unauthorised access or disclosure, takes action before there is serious harm to any individual to whom the information relates, and because of that action a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals.

What is 'serious harm'?

'Serious harm' is to be interpreted broadly. The explanatory memorandum to the Bill states that 'serious harm' could include serious physical, psychological, emotional, economic and financial harm, and serious harm to reputation.

The Bill contains a non-exhaustive list of matters to be considered in determining whether or not access to or disclosure of information is likely to result in "serious harm". These matters include:

the kind(s) and sensitivity of the information;

whether the information is protected by one or more security measures, and the likelihood of any of these measures being overcome;

the persons, or the kinds of persons, who have obtained or who could obtain the information; and

the nature of the harm.

Exceptions

There are a small number of circumstances in which entities are exempted from complying with the notification obligations:

Multiple affected entities: Where the eligible data breach affects more than one entity and another entity has complied with the notification obligations, those other affected entities do not need to separately comply.

Enforcement related activities: Where the affected entity is an enforcement body and the body's CEO reasonably believes that complying with the notification obligations is likely to prejudice any of its enforcement related activities.

Inconsistency with a secrecy provision: Where complying with the notification obligations is, to any extent, inconsistent with a provision of a law of the Commonwealth that prohibits or regulates the use or disclosure of information.

Declaration by the Commissioner: Where the Information Commissioner declares that the notification obligations do not apply, or specifies a particular time by which the affected entity must comply with the notification obligations.

Assessment of suspected eligible data breaches

If an entity has reasonable grounds to suspect that an eligible data breach may have occurred, but is not aware of reasonable grounds to believe that an eligible data breach has in fact occurred, the entity must carry out a reasonable and prompt assessment to determine whether an eligible data breach has in fact occurred. This could occur where an entity is notified of a breach by a third party.

The entity must take reasonable steps to complete the assessment within 30 days after forming the suspicion.

If the eligible data breach applies to more than one entity, only one entity needs to undertake an assessment for all entities to comply with this requirement.


SIGNIFICANT CHANGES TO DATA AND CYBERSECURITY PRACTICES IN CHINA
By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong), and Paula Cao, Associate (Beijing)

After a third deliberation, the Chinese government passed the new PRC cybersecurity law on 7 November 2016. The new law will come into force on 1 June 2017 and has significant implications for the data privacy and cybersecurity practices of both Chinese companies and international organisations doing business in China.

The new PRC cybersecurity law intends to combat online fraud and protect China against internet security risks. In short, it imposes new security and data protection obligations on "network operators", puts restrictions on transfers of data outside China by "key information infrastructure operators", and introduces new restrictions on critical network and cybersecurity products.

The new law has been widely reported in both the local and international press. While Chinese officials maintain that China is not closing the door on foreign companies with the introduction of this new law, there has been widespread international unease since the first reading. Commentators have expressed concern that competition will be stifled, regarding the handover of intellectual property, source codes and security keys to the Chinese government, as to perceived increased surveillance and controls over the internet in China, and in relation to the data localisation requirements. Other new obligations, including increased personal data protections, have been less controversial, but are a clear indicator of the increased focus within the Chinese authorities on data protection and could signal a change to the data protection enforcement environment in China.

Some of the key provisions of the final law (which contains some changes to earlier drafts of the law) include (inter alia):

Chinese citizens' personal information and "important data" gathered and produced by "key information infrastructure operators" (KIIO) during operations in China must be kept within the borders of the PRC. If it is "necessary" for the KIIO to transfer such data outside of China, a security assessment must be conducted pursuant to the measures jointly formulated by the National Cyberspace Administration and State Council, unless other PRC laws permit the overseas transfer. While the final version of the law provides some guidance as to the industry fields that will be ascribed greater protection, such as public communications and information service, energy, transportation, water conservancy, finance, public service and e-government, the definition of KIIO remains vague and could potentially be interpreted to cover a broader range of companies and industry sectors. "Personal information" is defined as including all kinds of information recorded electronically or through other means that, taken alone or together with other information, is sufficient to identify a natural person's identity, including but not limited to natural persons' full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers and so forth. However, the types of information that might constitute "important data" are currently unclear. In any case, these data localisation rules are likely to create practical issues for international businesses operating in China.

A range of new obligations apply to organisations that are "network operators" (i.e. network owners, network administrators and network service providers). A "network" means any system comprising computers or other information terminals and related equipment for the collection, storage, transmission, exchange and processing of information. Some commentators are suggesting that these broad definitions could catch any business that owns and operates IT networks/infrastructure, or even just websites, in China.

In terms of data protection, network operators must make publicly available data privacy notices (explicitly stating the purposes, means and scope of personal information to be collected and used) and obtain individuals' consent when collecting, using and disclosing their personal information. Network operators must adopt technical measures to ensure the security of personal information against loss, destruction or leaks, and in the event of a data security breach must take immediate remedial action and promptly notify users and the relevant authorities. They must also comply with principles of legality, propriety and necessity in their data handling, and not be excessive, not provide an individual's personal information to others without the individual's consent, nor illegally sell an individual's personal data to others. The rules do not apply to truly anonymised data. There are also general obligations to keep user information confidential and to establish and maintain data protection systems. Data subject rights to correction of their data, as well as a right to request deletion of data in the event of a data breach, are also provided. While an earlier draft specifically provided protection to personal information of "citizens", the final law does not make this distinction and so seemingly offers broader protection to all personal information. These requirements formalise as binding legal obligations some data protection safeguards that were previously only perceived as best practice guidance in China.

As regards network security, network operators must fulfil certain tiered security obligations according to the requirements of the classified protection system for cybersecurity, which includes (amongst other things): formulating internal security management systems and operating instructions; appointing dedicated cybersecurity personnel; taking technological measures to prevent computer viruses and other similar threats and attacks, and formulating plans to monitor and respond to network security incidents; retaining network logs for at least six months; undertaking prescribed data classification, back up, encryption and similar activities; complying with national and mandatory security standards; reporting incidents to users and the authorities; and establishing complaints systems.

Network operators must also provide technical support and assistance to state security bodies safeguarding national security and investigating crimes, and will be subject to government and public supervision. The form and extent of such cooperation is not currently clear, and international businesses have expressed concerns over the extent to which this may require them to disclose their IP, proprietary and confidential information to the Chinese authorities.

More general conditions on network operators carrying out business and service activities include obeying all laws and regulations, mandatory and industry national standards, social norms and commercial ethics, being honest and credible, and bearing social responsibility. There are also requirements on network operators to block, delete and report to the authorities prohibited information and malicious programs published or installed by users.

Network operators handling "network access and domain registration services" for users, including mobile phone and instant message service providers, are required to comply with "real identity" rules when signing up or providing service confirmation to users, or else may not provide the service.

Additional security safeguards apply to KIIOs, including security background checks on key managers, staff training obligations, disaster recovery back ups, emergency response planning, and annual inspections and assessments. Further, strict procurement procedures will apply to KIIOs buying network products and services.

Providers of "network products and services" must comply with national and mandatory standards; their products and services must not contain malicious programs; they must take remedial action against security issues and report them to users and relevant authorities; and they must provide security maintenance for their products and services, which cannot be terminated within the contract term agreed with customers. These new conditions will require providers of technology products and services to review and update their product and related maintenance offerings and, in particular, the contractual terms on which they are offered to customers.

Critical network equipment and specialised cybersecurity products must obtain government certification or meet prescribed safety inspection requirements before being sold or provided. This potentially catches a wide range of software, hardware and other technologies being sold, or proposed to be sold, by international companies in China, since the definitions used in the law are drafted very broadly. Further guidance by way of a catalogue of key network products is expected in due course. There are concerns that this may create barriers to international businesses looking to enter the Chinese market.


Each individual and organisation shall be responsible for its own use of websites and may not set up websites or communication groups for the purpose of committing fraud, imparting criminal methods, producing or selling prohibited items, or engaging in other unlawful activities. Again, there is scope for this to be interpreted and applied broadly.

Institutions, organisations and individuals outside China that cause serious consequences by attacking, interfering with or destroying key information infrastructure of China shall be responsible for any damage, and the relevant public security department of the State Council may freeze assets and impose other sanctions against them. While these provisions would appear to have an extra-territorial effect and could be interpreted very broadly, it is unclear what sanctions could in practice be enforced against organisations without a presence in China.

Other new rules relate to network/online protections for minors, the establishment of schemes for network security monitoring, early warning and breach notification to relevant authorities and the public, as well as rights for individuals and organisations to report conduct endangering network security, the opening of public data resources, and prohibitions on hacking and supporting activities.

While criminal sanctions, administrative penalties and civil liabilities potentially await those (both organisations and, in some circumstances, individual employees and officers) who violate the new law, unfortunately great uncertainties remain as to how the new legislation will be enforced, who exactly is caught by the various new rules, and the precise steps that organisations must take to comply with them. It is hoped that the Chinese authorities will publish more detailed practical guidance in the coming months. In the meantime, organisations are strongly advised to review their data privacy and cybersecurity practices in China to ensure compliance with the new law before it comes into force on 1 June 2017, and to keep these under review as further guidance becomes available.


STRICTER PRC ONLINE ADVERTISING REGULATION IN RESPONSE TO SEARCH SCANDAL
By Edward Chatterton, Partner (Hong Kong), Horace Lam, Partner (Beijing), and Ian Jebbit, Registered Foreign Lawyer (Hong Kong)

The China State Administration of Industry and Commerce's Online Advertising Regulation (Regulation) came into force on September 1, 2016. The Regulation has been widely regarded as the response to a recent scandal regarding paid search results.

Earlier this year, a promising college student in China, Wei Ze Xi, sought cancer treatment at a hospital which was returned as a paid search result on an internet search engine. The hospital promised that the treatment would be effective and charged Wei US$30,000. The treatment was later found to be ineffective, but Wei could not then afford further

The changes

The newly amended Advertising Law did not expressly address the regulation of 'paid search results', but the new Regulation includes a specific definition of paid search results, which sees them classified as an internet advertisement and thus subject to the Advertising Law. As such, the Regulation means, inter alia, that paid search results:

must not be misleading;

cannot be used in relation to the advertisement of prescription medication and tobacco products;

cannot be used in relation to the advertisement of medical services, medicine, medical formula food, medical devices, pesticides, veterinary medicines and health care products unless the relevant products and services have been previously approved by the relevant authorities; and

must be able to be closed with 'one click' and must not interfere with a user's internet experience.

The Regulation also requires online advertising service providers to establish internal systems for, inter alia, identifying clients who use paid search results and storing their details and advertisements.

Practical implications

The new Regulation affects not only search engine providers but all online advertising businesses and users of paid search results.

Businesses advertising in China using paid search results must check to ensure such paid search results are in compliance with the Advertising Law, and those businesses operating in any of the restricted fields listed above must now ensure prior approval is sought before placing a paid search result advertisement.

Our team of lawyers in China is ready to advise you on the preparations you need to make for the implementation of the Regulation.


MOBILE APPS UNDER CLOSE WATCH OF THE HONG KONG PRIVACY COMMISSIONER
By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong)

The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps. On 21 April 2016, the Office of the Privacy Commissioner for Personal Data (the PCPD) held the 'Mobile App Development Forum on Privacy and Security' (Forum) for the mobile app industry, which discussed key issues for mobile app developers, businesses and stakeholders to consider when developing and operating mobile apps, in terms of ensuring compliance with the provisions of the Personal Data (Privacy) Ordinance and safeguarding users from cybersecurity risks.

Businesses operating in the mobile app industry and related stakeholders are advised to take note of the key points raised at the Forum set out below, and the related issues that they should consider.

Lessons to learn from mobile apps in the market

The Privacy Commissioner highlighted the results of a recent survey on popular mobile apps developed by Hong Kong entities, which revealed a lack of transparency in the personal data handling of the apps. The survey results revealed that most of these local apps did not explain clearly what data they would access and the purposes for such access, and that only around half of these mobile apps provided a privacy policy.

A key risk discussed at the Forum was that the drafter of the privacy policies may not have a complete understanding of what data is in fact collected, stored, used and/or shared by the app, for example in the case of using third party code in the app development. Businesses using the one privacy policy for all of their mobile apps, which differ greatly in the way users' data are handled, also run the risk of having imprecise privacy policies for individual apps.

Security remains a key concern in relation to personal data collected and handled by mobile apps. It was revealed at the Forum that, alarmingly, some extremely popular mobile apps failed to apply adequate security to safeguard users' personal data.

Enforcement risks for mobile apps

At the Forum, the Privacy Commissioner referred to enforcement actions that were taken against mobile apps recently, largely due to excessive data collection and inadequate security of personal data.

In recent years, the Privacy Commissioner has served enforcement notices on operators of mobile apps as well as related parties to the app operators. As a result, the relevant companies have taken corrective actions and, in some instances, the Privacy Commissioner's enforcement action attracted much media attention, and some of these mobile apps are no longer available in the market.

However, there is a limit to the Privacy Commissioner's enforcement powers, as demonstrated by a high profile incident in November 2016 regarding call-blocking apps whose activities were suspected by the PCPD to contravene Hong Kong's data privacy law. As the apps' operators were located outside Hong Kong, the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow up action.

It is most likely that the privacy compliance of mobile apps will continue to be under the close watch of the Privacy Commissioner in the coming months.

Privacy by Design

The Chief Personal Data Officer of the PCPD, Dr Henry Chang, highlighted the 'Privacy by Design' approach that businesses should adopt, which brings privacy to the foreground and embeds privacy from the outset into the design specifications and throughout the entire development life cycle of a mobile app. Set out below are key factors that should be considered.

Data minimisation: The collection of personal data should be reduced to the absolute minimum, especially where sensitive personal data is involved. An assessment of what data the business requires from users, in terms of access and collection, should be undertaken at the outset.

Surprise minimisation: Businesses should ensure there is transparency to users in terms of what data will be collected or accessed, and provide users with a choice to opt out from such access or use where possible. It is important for businesses to manage the expectations of users and eliminate or minimise any possible adverse effects of data collection and use.

Risk minimisation: Businesses must ensure adequate protection of data being transmitted and/or stored, for example through encryption and access control.

Trust and respect: To earn the trust and respect of users, it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects, even if it does not amount to personal data. This is key, as mobile devices contain a vast amount of personal data and other data that may be considered private, and users would be concerned about whether the mobile app accesses or collects any of this data.

In particular, businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users, rather than a compliance hurdle to avoid investigation or enforcement action by the Privacy Commissioner. Businesses should ensure the data collection and handling practices in respect of their mobile apps are not only compliant with the law, but that the privacy policies and privacy notifications and consents are sufficiently clear and transparent to gain the trust and respect of users.


SINGAPORE'S ENFORCEMENT OF DATA PROTECTION LAW ON THE RISE
By Scott Thiel, Partner, Carolyn Bigg, Of Counsel, and Amy Kong, Associate (Hong Kong)

Singapore's Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC has published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident with the Monetary Authority of Singapore (MAS) concerning a multinational bank. The PDPC has also recently announced the need for organisations to improve their data security and data protection measures, and has issued new guides primarily focusing on data protection measures, which organisations should consider carefully.

Recent enforcement decisions

Some of the key points to note from the three recent enforcement decisions:

A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.

A document processing company was fined SGD 5,000 for a data breach after 195 individuals received account statements of other account holders held on the Singapore Exchange.

A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (being the policy holder's chiropractor) to obtain further medical information about the policy holder in September 2015. The PDPC found that the disclosure of the policy holder's bank account details, being of a sensitive financial nature, was not for a reasonable purpose.

It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of 'sensitive personal data' which requires additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.

As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were a result of inadequate data security measures which led to unauthorised disclosure of personal data.


Investigation into a multinational bank's data disposal incident

The PDPC and the MAS have joined forces in an investigation against a multinational bank (Bank) following a recent report relating to the Bank's disposal of client documents. In June 2016, it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank's headquarters in Singapore.

The MAS is working closely with the PDPC to review the incident and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers' data.

New guides issued by the PDPC

To accompany its recent media release urging organisations to improve their data security measures, and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, securing personal data in electronic medium, and building websites for small to medium enterprises.

The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding content on withdrawal of consent and access requests. Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing their data handling practices.

Some interesting issues to note

The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third party contracts. Such data protection clauses should contain specific security measures, a schedule containing the authorised personnel who are permitted to access the personal data on a 'need to know' basis, a requirement for a written undertaking about return or deletion of personal data, as well as a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.

The PDPC's guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).

This article was first published in August 2016. For further updates in relation to Singapore's data protection laws, please contact Scott Thiel (scott.thiel@dlapiper.com) or Carolyn Bigg (carolyn.bigg@dlapiper.com).


AUSTRALIA – TRADE MARKS – CHANGES TO OFFICIAL FEES

The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees, some of which are to align with practices in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.

Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there will no longer be a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptance/registration, the new process will hopefully reduce the administrative burden on applicants somewhat.

In addition, the AU$150 fee for opposing a removal application will be abolished. Renewal fees will also increase slightly.

This is an adjustment to official fees only at this time, and DLA Piper Australia is not increasing its fees for the relevant attendances.

HONG KONG’S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD

Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong’s Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees are using their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap. 486) (the Ordinance) and the Data Protection Principles (DPPs).

The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices which differ depending on whether or not the organisation’s data is stored on the personal devices or within a ‘sandbox’. The Commissioner has suggested as best practice that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance.

The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding use of personal data stored in the BYOD device, and whether adequate security measures are in place to ensure secure transfer and storage of personal data in the BYOD equipment (e.g. sandboxing, password protection and independent encryption).

The Information Leaflet also highlights that respect for personal data should be mutual under the BYOD scheme, and any practices implemented to manage employees’ BYOD devices should respect the employees’ private information.

For more information, the Information Leaflet is available here.

DLA Piper’s Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more, please click here.

JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS

In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.

Where the supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, in order to seek a remedy (for example, damages) the supplier must follow the approach prescribed in the Bill. This is likely to be a two-step process. Firstly, the supplier must attempt to resolve the complaint with the procuring entity. Secondly, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.

The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year.

IPT INSIGHTS

24 | Intellectual Property and Technology News

WHAT’S ON

Wrap up: 5th Global Technology Summit

On September 27 and 28, DLA Piper’s Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.

This year the Summit was divided into two distinct days of programming. The first day, which was called ‘Garage2Global’, was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from ‘garage to global’. The second day, which was entitled ‘TechLaw’, provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.

Speaker Highlights

At ‘Garage2Global’, Alec Ross, Former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day, Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world’s largest networks, which powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates, Inc.

Kicking off ‘TechLaw’, Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions and how the legal department is viewed as a business partner. During the afternoon sessions, Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, to discuss the GC’s role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world’s largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.

Please visit our Summit website and blog for any further information.

DLA Piper is pleased to announce the launch of Telecommunications Laws of the World

Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.

Key features include:

telecommunications laws regulations and policies

regulatory bodies or authorities

overview of consents licenses and authorisations

regulatory taxes and fees

key sanctions and penalties

Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-based stamping for trading transactions, robust, reliable and resilient networks are critical.

Today, telecommunications operators are increasingly seeking to expand customer-specific and value added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion. At the same time, the growth of OTT (over the top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators’ infrastructure to provide services.

Access Telecommunications Laws of the World here.


Intellectual property webinar series

Throughout 2016, DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact eventsaustralia@dlapiper.com.

intellectual property issues in China

confidential information and trade secrets: global insights, global protection

grey market, parallel importation and anti-counterfeiting

content protection and digital piracy

advertising and marketing

Pre-order your copy of the inaugural edition of DLA Piper’s Asia-Pacific Trademark Guide

We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.

Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:

trademark filing and prosecution

oppositions

revocation, invalidation and cancellation

trademark enforcement

trademark exploitation

unregistered trademark rights

domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piper’s Asia-Pacific Trademark Guide, email APACTMGuide@dlapiper.com.

Are you an in-house lawyer? Join WIN today

WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.


DLA PIPER ASIA PACIFIC TRADEMARK GUIDE 2016

Pre-order your complimentary copy now

We are pleased to bring you the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.

Relevant for the complete brand life cycle, this user-friendly guide looks at such essential issues as:

trademark filing and prosecution

oppositions

revocation, invalidation and cancellation

trademark enforcement

trademark exploitation

unregistered trademark rights

domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piper’s Asia Pacific Trademark Guide, please complete this card or email us at APACTMGuide@dlapiper.com.


GLOBAL PATENT LAWS AROUND THE WORLD

COMING SOON

Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to businesses operating in the countries featured, for example: what acts infringe a patent, the availability of and approach to granting preliminary injunctions, the ability to obtain evidence, the approach to assessing validity and the typical time to trial. For companies operating in multiple countries, managing the risk of, and successfully bringing or defending, patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those in other countries.

DLA PIPER’S PATENT GROUP

With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.

For further information, please contact us by email at patents@dlapiper.com.

Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and the procedural matters businesses need to know about. The handbook includes guidance on:

Benefits of Global Patent Laws

Patent laws simply put. Global reach. Easy access 24/7.

infringing conduct

defences to infringement

before taking action

patent validity

taking action

remedies

procedure & timing


Welcome to the latest Asia Pacific Edition of Intellectual Property and Technology News, our biannual publication designed to report on worldwide developments in intellectual property and technology law, offering perspective, analysis and visionary ideas.

This month we have turned our focus to technology. Words such as ‘cyber’, ‘breach’ and ‘data’ are being used more than ever before. In this issue we delve into cybersecurity and the respective laws in Asia-Pacific (page 4). We go further and explore Australia’s proposed mandatory breach notification bill (page 14), Singapore’s enforcement of data protection (page 22) and significant changes to cybersecurity laws in China (page 16).

Another word that we are hearing more frequently is ‘insurtech’: we look at the steps insurers are taking to innovate in the technology space (page 12). We also look at unfair contract terms in IT (page 10), privacy and mobile apps in Hong Kong (page 20) and stricter advertising regulations in the PRC (page 19).

Moving into December, we wish you all the best for the season and look forward to working with you in 2017.

Kind regards

EDITOR’S COLUMN

IN THIS ISSUE…

Editor’s column

Meet Greg Bodulovic

Cyber risk Securing your success

Unfair contract terms in the IT space What you need to know

Insurtech

Proposed Australian mandatory data breach notification regime

Significant changes to data and cybersecurity practices in China

Stricter PRC online advertising regulation in response to search scandal

Mobile apps under close watch of the Hong Kong Privacy Commissioner

Singapore’s enforcement of data protection law on the rise

IPT insights

What’s on

The award-winning Intellectual Property and Technology News is now published in the United States, Asia Pacific and EMEA regions. Find all current and past editions of the IPT News here: www.dlapiper.com/ipt_news

DLA Piper is a global law firm operating through various separate and distinct legal entities. Further details of these entities can be found at www.dlapiper.com.

This publication is intended as a general overview and discussion of the subjects dealt with, and does not create a lawyer-client relationship. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper will accept no responsibility for any actions taken or not taken on the basis of this publication. This may qualify as “Lawyer Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.

Copyright © 2016 DLA Piper. All rights reserved. | NOV16 | 3154851

Horace Lam, Head of Intellectual Property and Technology – China, horace.lam@dlapiper.com

Melinda Upton, Head of Intellectual Property and Technology – Australia, melinda.upton@dlapiper.com

Edward Chatterton, Head of Intellectual Property and Technology – Hong Kong, edward.chatterton@dlapiper.com

MEET GREG BODULOVIC

How long have you been at DLA Piper and what brought you to this position?

I joined DLA Piper in September 2016. I came to this position having worked in intellectual property for 10 years, most recently in the Sydney office of a large US firm.

Having qualifications in biotechnology and experience in patent litigation and advising on the regulation of therapeutic goods, I was particularly drawn to DLA Piper’s life sciences sector, as well as the breadth and scope of the IPT practice in Australia more generally. The people at DLA Piper, the firm culture and the opportunities to work on high-profile matters and in cutting edge areas of technology were all key to my decision to join.

I have really enjoyed my time at the firm – the IPT team in Sydney is fantastic, and I have also had the opportunity to meet and work with colleagues in Melbourne, which has been an equally positive experience.

What do you love about your job?

I love the breadth and variety of work within the area of intellectual property law and the exposure to various technologies and brands. Over my career I have been fortunate to have worked on various contentious and non-contentious patent, design, trade mark and copyright matters in fields as diverse as pharmaceuticals and medical devices, food and beverages, software and hardware, clothing and fashion, and consumer goods. I also advise on transactional intellectual property matters, which has enabled me to work on the intellectual property and technology aspects of large multi-jurisdictional corporate transactions. I have also had the opportunity to be seconded to a medical devices company as an in-house counsel, which gave me an insight into the practical application of legal advice from the client perspective.

Also, it goes without saying that I enjoy overcoming the challenges encountered on a daily basis in the course of my job, and obtain satisfaction from achieving a successful outcome.

Do you have any hobbies and interests outside of work?

I try to keep fit by running, cycling and playing tennis. I have a keen interest in modern art (and am involved with the Museum of Contemporary Art in Sydney), as well as in technology and innovation. Recently, most of my time outside of work has been spent with my 10-month old daughter.

Greg Bodulovic, Senior Associate, Sydney. T +61 2 9286 8218, greg.bodulovic@dlapiper.com


CYBER RISK: SECURING YOUR SUCCESS

Recently, Aon, DLA Piper and Symantec hosted a Cyber Risk Symposium across Australia. The guest speakers on the day delivered important clarity regarding the global threat environment. This article is a summary of the legal influences on the cyber risk landscape and the technology solutions and strategies available that were discussed throughout the event. It also explores the growing role played by cyber insurance in underpinning safe and sustainable business models.


Cyber security is becoming part of the national conversation. It is a conversation initiated by a rash of attacks on public and private computing infrastructure, propelled by the Federal Government’s cyber security strategy released in early 2016, and amplified by the high profile Census debacle.

But cyber security requires more than talk: it demands action. Organisations that effectively identify and plot their risk profile, take steps to manage, mitigate and, where appropriate, transfer that risk, secure their future and are better poised to reap competitive rewards.

By being able to demonstrate a sophisticated and comprehensive approach to cyber security, a company positions itself as a favoured and trusted business partner. But this is not a set and forget strategy: the threat landscape is in a state of constant flux, and organisations need to regularly review and refresh their approach.

The global threat environment

There are no longer any doubts that cyber risk is an immediate and significant issue for enterprises of all scales and in every sector. Left unchecked, it can bring corporations and countries to their knees.

According to Professor Greg Austin, director of the Australian Centre for Cyber Security, one of the major challenges is that the full dimensions of the problem are still being assessed globally. But he notes that US President Barack Obama has for the second year declared a national emergency in cyberspace, which indicates the scale and seriousness of the global problem.

China also has stepped up its efforts in the area, according to Prof Austin, under the direct control of the President, and has introduced a draft bill on cyber security.

In Australia, the Prime Minister has assessed that cyber-crime has an economic impact ranging somewhere between $1 billion and $17 billion. Prof Austin said that extraordinary range indicates the continued lack of clarity about the true extent of the problem.

Where there is no lack of clarity is in the acknowledgement that there is a problem, and senior managers and boards are increasingly concerned.

A PricewaterhouseCoopers report into global economic crime has for the first time identified cyber-crime as the number one threat – edging out asset misappropriation.

Prof Austin says that eight vectors of attack are currently in evidence – software, hardware, networks, payload, people, power supply, policy and ecosystem. In addition, nine major sources of threats have been identified, and Symantec data suggests there are as many as 30 different threat types.

These variables in combination make it difficult, if not impossible, to prevent any and all attacks. Prof Austin’s warnings are stark: “The criminals are always ahead of you or I… the bad news is that governments are well behind criminals and corporates.”

While he acknowledges that the chances of a serious cyber-attack on any one corporation or entity are quite low, the probability of the consequences being high in a handful of cases is extremely high. And that, he says, is what organisations need to prepare for.

Legal influences on the cyber risk landscape

Legislation and regulation often lag technology, and this is particularly evident in the cyber security area, where nations continually play catch up.

Enterprises operating internationally must navigate a global legal landscape in constant flux, and establish strategies for managing security and data that comply with regulations locally and regionally.

This is particularly challenging for companies migrating information systems to the cloud. While there may be scale, cost and flexibility benefits associated with cloud computing services, it is essential to review contracts regarding how data will be treated and identify any potential security gaps.

Blue Edge Lab, a wholly owned subsidiary of DLA Piper, delivers a solution to track legislative changes regionally, called CyberTrak. Blue Edge Lab is not a law firm and does not provide legal services. Organisations which operate in multiple jurisdictions must navigate complex rules surrounding privacy, data and security. Scott Thiel, DLA Piper partner specialising in technology and privacy, says that organisations operating in multiple jurisdictions need to decide whether to take a “high watermark approach” and establish security and privacy settings that meet the most stringent conditions in the countries in which they operate, or tackle the issue country by country.

Neither is ideal – the costs associated with meeting high watermark regulation across the region could be high – while a piecemeal approach could be difficult to maintain, especially given the rapid pace of change. However, failing to address the issue properly is a mistake with potentially serious financial implications: witness the company sued for HK$15 million over a consumer’s “hurt feelings” regarding unauthorised exposure of their data.


Beyond compliance, there is the opportunity to leverage investment in cyber security and data protection to deliver competitive advantage, especially following the Panama Papers leak, which threw the issue into sharp relief.

Organisations pitching for work, responding to tenders or planning an IPO may find it an advantage to be able to reference a comprehensive, even audited, data collection, storage and use strategy, along with a well-constructed and rehearsed cyber security plan. That plan should leverage technology solutions and services, such as encryption, penetration testing and employee education, along with an appropriate insurance framework to mitigate and transfer the risk of financial consequences associated with a breach.

In the event of a breach, this also streamlines discussions with regulators. An enterprise able to identify where its data is stored (whether on premises or in the cloud), and also reference the technologies, policies and procedures in place to protect that data, should also then be able to identify where the plan proved lacking in the event of a breach and provide a voluntary undertaking to the regulator to fix that issue.

Says Thiel: “Institutional awareness of how systems hang together will speed root problem analysis and rectification.”

Cyber rules around the region

Australia: the arrival of a new privacy amendment Bill and mandatory data breach notification for serious breaches is expected to be a game changer.

China: racing ahead in terms of regulations, and has a security draft law which will have significant implications for international companies operating in the PRC.

Hong Kong: specific and stringent security requirements. While there are no data breach notification rules, these are expected in 12–18 months. The first person to be jailed for a privacy breach was a Hong Kong based insurance broker.

Singapore: legislation in place for over two years, and more meaningful enforcement is anticipated, while regulations are expected to evolve, particularly for foreign enterprises.

Japan: a mix of regulations impacting various industries, but a strong culture of compliance, meaning the level of enforcement is low because of fear of reputational damage.

South Korea: a long tradition of privacy and security law, and robust enforcement with serious enterprise consequences.

Thailand: some constitutional requirements, but no breach notification.


In the event of a breach…

1 Refer to the data breach response plan

2 Call lawyers to preserve privilege

3 Involve communications and PR team

4 Alert insurers to the breach

5 Seek advice from lawyers and insurers regarding extortion (ransomware) attempts before any payments

6 Engage incident response team to analyse breach and remediate

Access DLA Piper’s cyber incident/data breach response: Your emergency checklist here: https://www.dlapiper.com/en/australia/insights/publications/2015/04/cyber-data-breach-checklist

Assessing the technology/insurance inflexion point

Technology and education are the first frontier of data protection and cyber security. Investing in a spread of security technologies, such as firewalls, encryption, system monitoring, vulnerability assessments and penetration testing, along with effective employee education programmes to ensure staff understand how to avoid spear phishing or ransomware attacks, is essential for any organisation.

There is, however, a point at which additional investment in security offers diminishing value. At this inflexion point, an organisation needs to refocus its investment attention toward cyber risk insurance.

Tim Fitzgerald, Chief Security Officer and VP at Symantec, explains that exactly when an organisation reaches that inflexion point will vary, and will also be impacted by the scale of an organisation’s data collection, its reliance on cloud computing services, deployment of Internet of Things devices and also the mobility of its workforce and user base.

He recommends that organisations conduct a cyber risk assessment, analyse the data stores held, assess by whom and why they may be targeted, and then develop a security strategy based on that insight. The board and senior managers need to be apprised of the security risk and strategy and, through gap analysis, determine the need for cyber insurance, understanding that conventional corporate insurance policies are unlikely to properly protect an organisation in the event of a cyber-attack.

A data breach response plan, which can be informed by the Office of the Australian Information Commissioner’s guidelines (https://www.oaic.gov.au/resources/agencies-and-organisations/guides/data-breach-notification-guide-august-2014.pdf), ensures that, should a cyber-attack occur, the organisation and staff understand their responsibilities. A comprehensive response plan also demonstrates good governance to business partners, investors and regulators.

However, any cyber response plan must remain a living document and needs regular review, ensuring that current regulatory requirements are acknowledged.

In addition, any personnel with responsibilities under that plan must be properly trained to act swiftly in the event of a breach. The plan should also identify any third party support services required should an attack occur, allowing engagement contracts to be negotiated well in advance.


Organisations attacked once are three times more likely to be attacked again – Symantec

45x more cyber ransom events year on year – Symantec


Digital transformation and the impact of insurance

Once an organisation has deployed robust technology defences, educated staff about the risks of cyber-attack and promulgated policies about how to react and respond to cyber events, it has laid important foundations for its protection.

Those people, process and technology foundations provide a platform from which the organisation is able to negotiate appropriate and cost effective cyber insurance.

By analysing the potential impact of an attack on the financial statement, the organisation can determine what coverage it requires.

Kevin Kalinich, Aon’s Global Cyber Practice Leader, advises organisations to look at the industry in which they operate and benchmark the range of losses that could arise, knowing the value of data assets held and the impact of a cyber-attack in terms of business interruption, the impact on supply chains, on SCADA industrial control systems, and on reputation and brand.

The anticipated introduction of mandated data breach notification should spur action, and organisations with international operations need to ensure that they are properly protected in all the geographies in which they operate. Based on international experience, mandated breach notification leads to significant costs associated with legal services, regulator notification, customer notification, forensics, remediation and potentially compensation claims.

“Take steps to mitigate, to allocate liability or minimise your own liability. This is not all about prevention – it is about your response. If you have prepared a response, there is data that shows you can reduce the total cost of an incident,” says Kalinich.

He also warns that organisations should not assume that their existing insurance policies provide any coverage in the event of a cyber-attack, nor that a third party information systems provider, such as a cloud computing vendor, would have them covered. Similarly, existing directors and officers policies and professional indemnity coverage might prove inadequate should a cyber-attack take place.

In order to properly analyse the risk profile, Kalinich advocates risk quantification modelling in combination with Monte Carlo evaluation techniques. The resulting macro level understanding of the challenge allows an organisation to then work with an insurance broker to craft appropriate risk coverage.

Off the shelf policies have limited value. Base cyber insurance policies can cover external hacks, malicious code and internal mistakes – but may not cover the impact of a bug in the system. Consequential – punitive, incidental – costs are excluded from all base insurance policies, as is tangible property damage, but these can be negotiated in a customised policy.

Effective cyber insurance policies also cover costs associated with legal support, communications costs, forensic analysis, notification and remediation services.

Kalinich warns, however, that given the changes in the legal landscape and the technology terrain, this is not a set-and-forget requirement, noting that risk assessment needs to be both thorough and regular.

Armed with that insight, the organisation can work with an insurance broker to find, tailor and stress test a cyber insurance policy to ensure the effective reduction of enterprise risk.

Cyber risk: are you properly prepared?

There are four key questions that every organisation needs to address regarding cyber risk and protection:

What can go wrong?

How bad can it be?

How am I protected?

Will my insurance work?

Assessing the organisational risk profile requires input from multiple stakeholders, including the chief financial officer, chief information security officer, risk management head and legal counsel. External consultants can also provide a fresh lens through which to explore exposure.

Knowing the risk is one thing – dealing with it effectively also demands the support of the most senior management and board. Effective security requires a whole-organisation commitment from the top down.

The anticipated mandatory breach notification legislation will require organisations to alert authorities not only when they are aware of a breach, but when those organisations "ought reasonably to have been aware", which suggests regulators may penalise companies found to have inadequate security systems. It is also not yet clear whether there will be any extra-territorial implications of the legislation for organisations operating overseas branches or subsidiaries.

Cyber security is a critical issue for organisations of every scale and in every sector. Robust and comprehensive security frameworks, a well-crafted response plan and effective cyber insurance, developed in concert and reviewed regularly, deliver the maximum protection and an important competitive edge.

wwwdlapipercom | 09

UNFAIR CONTRACT TERMS IN THE IT SPACE

WHAT YOU NEED TO KNOW

By Sarah Dolan, Senior Associate (Melbourne), and Stephanie Tran, Graduate (Melbourne)

10 | Intellectual Property and Technology News

The 'one size fits all' approach to contracting is a common feature within the IT industry. Standard form contracts are an efficient and cost-effective method of doing business and are often used for online terms of use and projects which are of low risk, value and/or complexity.

From 12 November 2016, the unfair contract terms regime in the Australian Consumer Law, which until then only applied to individual consumers, was extended to contracts where at least one party is a "small business" and the upfront price payable is $300,000 (or $1 million if the contract is for a term longer than 12 months). A "small business" is a business that employs fewer than 20 people. It will also apply to contracts which are varied after 12 November 2016.

What is an "unfair" contract term?

Whether a term is "unfair" is decided by a court or tribunal. A term is "unfair" if the following three criteria are satisfied:

it causes a significant imbalance in the parties' rights and obligations under the contract;

it is not reasonably necessary to protect the legitimate interest of the party who would be advantaged by the term; and

it would cause detriment (whether financial or otherwise) to a party if the term were relied upon.

A court or tribunal, in determining whether a term is unfair, must assess the transparency of the term. This includes an assessment of how the term is expressed: is it in plain language, and is it presented clearly? The court or tribunal must also consider the term in light of the contract as a whole and not in isolation.

Unfair terms in standard form contracts

Examples of standard form contract terms that may be challenged in court or at a tribunal for "unfairness" include:

terms requiring the customer to indemnify the supplier for any damage caused, even if it is caused by the supplier's own negligence;

terms that allow a supplier to cancel a contract at will for an inconsequential breach of contract by the customer;

terms that restrict a customer from obtaining a refund or exercising a termination right where the supplier has failed to meet its obligations under the contract; and

terms that provide for automatic renewal without the customer's consent.

What does this mean for your business?

Where a supplier's business model is directed at providing services to small to medium enterprises (SMEs), and the supplier has not had to address this issue in the past for "consumer" customers, it is likely to be impacted by this extension of the unfair contract terms regime. Standard form contracts (e.g. online terms of use, confidentiality agreements, software licences, support agreements, supply and/or services contracts) for SME customers should be reviewed to determine whether any of the terms may be considered "unfair".

If a court determines that a term is "unfair", it can make a range of orders, including declaring part or all of the contract void and/or varying the contract. If a court orders a contract to be varied, this may result in the supplier being unable to enforce other rights it may otherwise have, either under the contract itself or at law.

Additionally, customers which are small businesses may challenge contract terms that they consider are unfair to prevent a supplier from enforcing express rights under the contract. Such challenges will cost a supplier both time and money to address, even if it is able to successfully defend the claim. In addition, in this day of instant and free customer feedback on social media sites, there is also the risk of reputational damage in the market.

Suppliers should ensure their standard terms are appropriate for the type, size and nature of both the target customer and the goods and services being provided, with an appropriate balance of risk and responsibility between the parties.


INSURTECH

By Carolyn Bigg, Of Counsel (Hong Kong), and Sarah Fountain, Senior Associate (Melbourne)


The customer experience of insurance has largely remained the same for many years. A customer completes a proposal form (normally in hard copy) and submits it to the broker; the broker requests quotes from insurers; insurers provide quotes; the broker places a policy; the policy is issued (normally on an annual basis); and then the customer probably gives no further thought to it unless he or she needs to make a claim. This process does not fit well with the digital era we now live in and has not adapted quickly enough to meet changing consumer expectations, largely driven by millennials.

Insurers widely recognise the need to innovate. Despite this, most insurers have been slow to change their ways, with less than a quarter giving customers the option to submit claims online. This signals huge opportunities for those in the insurance sector, which explains the huge growth we are seeing in 'insurtech' (a word that was barely known a few years ago but now seems to be everywhere). Globally, investment in insurtech increased from US$800 million in 2014 to US$2.6 billion in 2015, and was US$1 billion in the first half of 2016.

Across Asia Pacific there are numerous examples of insurers embracing insurtech. Some insurers have opened innovation labs or incubators, such as MetLife's LumenLabs in Singapore. Others have established corporate VC funds to invest in insurtech startups that will drive value for the business. For example, Suncorp recently invested in Trov, an app that allows customers to turn insurance on and off by swiping right or left on their phones. We have also seen collaboration between insurers and car manufacturers to make available one-click, single use motor vehicle policies in connected cars, as well as collaboration between insurers and technology companies. Another indicator of the opportunities in insurtech is the level of interest shown in the insurance market by leading players in other markets. For example, earlier this year China Mobile announced it is planning to enter the insurance market by making significant investments in two insurance companies.

These initiatives are already starting to have an impact on the insurance experience. The use of drones by insurance companies to assess property damage is reducing claims costs and the time taken to assess claims. The implementation of wearable technology in the workplace, such as smart glasses and smart hats, is increasing workplace safety and thereby reducing the risk of injuries. The use of wearable devices has also been adopted by health insurers and life insurers, enabling them to capture data and potentially pass on lower premiums to policy holders. In the future, we predict the most significant areas of growth and change in insurtech will be data analytics, wearables and IoT, blockchain and artificial intelligence.

Whilst regulators understandably adopt a cautious approach, they are taking steps to encourage fintech and insurtech initiatives. The Monetary Authority of Singapore very recently published guidelines for a 'regulatory sandbox' to encourage growth in fintech within a relaxed regulatory environment. This follows the announcement by the Australian Securities & Investments Commission of a sandbox for fintech businesses.

As the insurance sector becomes increasingly digitised, cybersecurity risks also increase. Regulators around the region have published new and updated guidance that is relevant to the increasingly sophisticated cybersecurity threats. It is important that insurers' compliance and risk teams focus not only on the immediate cybersecurity compliance obligations arising from the latest regulations, but also ensure that cybersecurity compliance programmes are developed to take into account increasing reliance on technology and data at the core of their operations.

As technology continues to evolve and improve, insurtech opportunities will increase. Although the rise of insurtech has been rapid in recent years, it is still in its infancy. This presents significant opportunities for insurers who adapt to changing consumer expectations and invest in insurtech, especially in Asia, where many people are uninsured but are well connected and spend a lot of time online via their mobile devices. Adapting quickly to this dynamic landscape will enable insurers to remain competitive.


In October 2016, the Federal Government introduced the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill) to the House of Representatives to amend the Privacy Act to establish a regime for mandatory notification of eligible data breaches. There is bipartisan support for the Bill, and it is likely to become law in late 2016 or early 2017.

What are the mandatory data breach notification requirements under the Bill?

The Bill requires that an entity must, as soon as practicable, comply with the notification steps outlined below if:

the entity becomes aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity; or

the Information Commissioner directs the entity to do so.

If an 'eligible data breach' occurs in relation to information which has been disclosed to (and is held by) an overseas recipient by an entity, the entity that disclosed the information must comply.

Step 1: Prepare a statement setting out the prescribed details

The affected entity must prepare a statement that sets out:

the identity and contact details of the entity (if the eligible data breach relates to more than one entity, the statement may set out the identity and contact details of those other entities);

a description of the eligible data breach;

the kind or kinds of information affected by the eligible data breach; and

recommendations about the steps that individuals who are or may be affected by the eligible data breach should take in response to it.

If a statement is prepared at the direction of the Information Commissioner, the statement must also include any information specified in that direction.

Step 2: Give a copy of the prepared statement to the Information Commissioner

Step 3: Notify the contents of the statement to individuals whose information is affected by the eligible data breach

Where practicable, the affected entity must take reasonable steps to notify the contents of the statement to those individuals who are or may be affected by the eligible data breach. The entity may use the channels it ordinarily uses to communicate with individuals (e.g. email, text message, mail) to provide those notifications, but that does not limit the obligation to take reasonable steps or the methods of communication that the entity can use.

If it is not practicable for the affected entity to notify individuals, the affected entity must publish a copy of the statement on its website (if any) and take reasonable steps to publicise the contents of the statement.

PROPOSED AUSTRALIAN MANDATORY DATA BREACH NOTIFICATION REGIME

By Nicholas Boyle, Senior Associate (Sydney)

What are 'eligible data breaches'?

An 'eligible data breach' occurs when:

there is unauthorised access to, or unauthorised disclosure of, personal, credit reporting or credit eligibility information or a tax file number, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates; or

personal, credit reporting or credit eligibility information or a tax file number is lost, where it is likely that (a) unauthorised access to or unauthorised disclosure of the information will occur, and (b) such unauthorised access or disclosure will result in serious harm to an individual to whom the information relates.

Remedial action exception to the definition of eligible data breaches

An eligible data breach is deemed never to have occurred where the affected entity:

in the case of lost information, takes action before there is unauthorised access to or unauthorised disclosure of the information which is lost, and no unauthorised access or disclosure actually occurs; or

in the case of information which is the subject of unauthorised access or disclosure, takes action before there is serious harm to any individual to whom the information relates, and because of that action a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals.

What is 'serious harm'?

'Serious harm' is to be interpreted broadly. The explanatory memorandum to the Bill states that 'serious harm' could include serious physical, psychological, emotional, economic and financial harm, and serious harm to reputation.

The Bill contains a non-exhaustive list of matters to be considered in determining whether or not access to or disclosure of information is likely to result in "serious harm". These matters include:

the kind(s) and sensitivity of the information;

whether the information is protected by one or more security measures, and the likelihood of any of these measures being overcome;

the persons, or the kinds of persons, who have obtained or who could obtain the information; and

the nature of the harm.

Exceptions

There are a small number of circumstances in which entities are exempted from complying with the notification obligations:

Multiple affected entities: where the eligible data breach affects more than one entity and another entity has complied with the notification obligations, those other affected entities do not need to separately comply.

Enforcement related activities: where the affected entity is an enforcement body and the body's CEO reasonably believes that complying with the notification obligations is likely to prejudice any of its enforcement related activities.

Inconsistency with a secrecy provision: where complying with the notification obligations is to any extent inconsistent with a provision of a law of the Commonwealth that prohibits or regulates the use or disclosure of information.

Declaration by the Commissioner: where the Information Commissioner declares that the notification obligations do not apply, or specifies a particular time by which the affected entity must comply with the notification obligations.

Assessment of suspected eligible data breaches

If an entity has reasonable grounds to suspect an eligible data breach may have occurred, but is not aware of reasonable grounds to believe that an eligible data breach has in fact occurred, the entity must carry out a reasonable and prompt assessment to determine whether an eligible data breach has in fact occurred. This could occur where an entity is notified of a breach by a third party.

The entity must take reasonable steps to complete the assessment within 30 days after forming the suspicion.

If the eligible data breach applies to more than one entity, only one entity needs to undertake an assessment for all entities to comply with this requirement.


SIGNIFICANT CHANGES TO DATA AND CYBERSECURITY PRACTICES IN CHINA

By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong), and Paula Cao, Associate (Beijing)

After a third deliberation, the Chinese government passed the new PRC Cybersecurity Law on 7 November 2016. The new law will come into force on 1 June 2017 and has significant implications for the data privacy and cybersecurity practices of both Chinese companies and international organisations doing business in China.

The new PRC Cybersecurity Law intends to combat online fraud and protect China against internet security risks. In short, it imposes new security and data protection obligations on "network operators", puts restrictions on transfers of data outside China by "key information infrastructure operators", and introduces new restrictions on critical network and cybersecurity products.

The new law has been widely reported in both the local and international press. While Chinese officials maintain that China is not closing the door on foreign companies with the introduction of this new law, there has been widespread international unease since the first reading. Commentators have expressed concern that competition will be stifled, regarding the handover of intellectual property, source codes and security keys to the Chinese government, as to perceived increased surveillance and controls over the internet in China, and in relation to the data localisation requirements. Other new obligations, including increased personal data protections, have been less controversial, but are a clear indicator of the increased focus within the Chinese authorities on data protection and could signal a change to the data protection enforcement environment in China.

Some of the key provisions of the final law (which contains some changes to earlier drafts of the law) include (inter alia):

Chinese citizens' personal information and "important data" gathered and produced by "key information infrastructure operators" (KIIOs) during operations in China must be kept within the borders of the PRC. If it is "necessary" for the KIIO to transfer such data outside of China, a security assessment must be conducted pursuant to the measures jointly formulated by the National Cyberspace Administration and State Council, unless other PRC laws permit the overseas transfer. While the final version of the law provides some guidance as to the industry fields that will be ascribed greater protection, such as public communications and information service, energy, transportation, water conservancy, finance, public service and e-government, the definition of KIIO remains vague and could potentially be interpreted to cover a broader range of companies and industry sectors. "Personal information" is defined as including all kinds of information recorded electronically or through other means that, taken alone or together with other information, is sufficient to identify a natural person's identity, including but not limited to natural persons' full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers and so forth. However, the types of information that might constitute "important data" are currently unclear. In any case, these data localisation rules are likely to create practical issues for international businesses operating in China.

A range of new obligations apply to organisations that are "network operators" (i.e. network owners, network administrators and network service providers). A "network" means any system comprising computers or other information terminals and related equipment for collection, storage, transmission, exchange and processing of information. Some commentators are suggesting that these broad definitions could catch any business that owns and operates IT networks/infrastructure, or even just websites, in China.

In terms of data protection, network operators must make publicly available data privacy notices (explicitly stating purposes, means and scope of personal information to be collected and used) and obtain individuals' consent when collecting, using and disclosing their personal information. Network operators must adopt technical measures to ensure the security of personal information against loss, destruction or leaks, and in the event of a data security breach must take immediate remedial action and promptly notify users and the relevant authorities. They must also comply with principles of legality, propriety and necessity in their data handling and not be excessive, not provide an individual's personal information to others without the individual's consent, nor illegally sell an individual's personal data to others. The rules do not apply to truly anonymised data. There are also general obligations to keep user information confidential and to establish and maintain data protection systems. Data subject rights to correction of their data, as well as a right to request deletion of data in the event of a data breach, are also provided. While an earlier draft specifically provided protection to personal information of "citizens", the final law does not make this distinction and so seemingly offers a broader protection to all personal information. These requirements formalise as binding legal obligations some data protection safeguards that were previously only perceived as best practice guidance in China.

As regards network security, network operators must fulfil certain tiered security obligations according to the requirements of the classified protection system for cybersecurity, which includes (amongst other things): formulating internal security management systems and operating instructions; appointing dedicated cybersecurity personnel; taking technological measures to prevent computer viruses and other similar threats and attacks; formulating plans to monitor and respond to network security incidents; retaining network logs for at least six months; undertaking prescribed data classification, back up, encryption and similar activities; complying with national and mandatory security standards; reporting incidents to users and the authorities; and establishing complaints systems.

Network operators must also provide technical support and assistance to state security bodies safeguarding national security and investigating crimes, and will be subject to government and public supervision. The form and extent of such cooperation is not currently clear, and international businesses have expressed concerns over the extent to which this may require them to disclose their IP, proprietary and confidential information to the Chinese authorities.

More general conditions on network operators carrying out business and service activities include obeying all laws and regulations, mandatory and industry national standards, social norms and commercial ethics, being honest and credible, and bearing social responsibility. There are also requirements on network operators to block, delete and report to the authorities prohibited information and malicious programs published or installed by users.

Network operators handling "network access and domain registration services" for users, including mobile phone and instant message service providers, are required to comply with "real identity" rules when signing up or providing service confirmation to users, or else may not provide the service.

Additional security safeguards apply to KIIOs, including security background checks on key managers, staff training obligations, disaster recovery back ups, emergency response planning, and annual inspections and assessments. Further, strict procurement procedures will apply to KIIOs buying network products and services.

Providers of "network products and services" must comply with national and mandatory standards; their products and services must not contain malicious programs; they must take remedial action against security issues and report them to users and relevant authorities; and they must provide security maintenance for their products and services, which cannot be terminated within the contract term agreed with customers. These new conditions will require providers of technology products and services to review and update their product and related maintenance offerings and, in particular, the contractual terms on which they are offered to customers.

Critical network equipment and specialised cybersecurity products must obtain government certification or meet prescribed safety inspection requirements before being sold or provided. This potentially catches a wide range of software, hardware and other technologies being sold – or proposed to be sold – by international companies in China, since the definitions used in the law are drafted very broadly. Further guidance, by way of a catalogue of key network products, is expected in due course. There are concerns that this may create barriers to international businesses looking to enter the Chinese market.


Each individual and organisation shall be responsible for its own use of websites, and may not set up websites or communication groups for the purpose of committing fraud, imparting criminal methods, producing or selling prohibited items, or engaging in other unlawful activities. Again, there is scope for this to be interpreted and applied broadly.

Institutions, organisations and individuals outside China that cause serious consequences by attacking, interfering with or destroying key information infrastructure of China shall be responsible for any damage, and the relevant public security department of the State Council may freeze assets and impose other sanctions against them. While these provisions would appear to have an extra-territorial effect and could be interpreted very broadly, it is unclear what sanctions could in practice be enforced against organisations without a presence in China.

Other new rules relate to network/online protections for minors; the establishment of schemes for network security monitoring, early warning and breach notification to relevant authorities and the public; rights for individuals and organisations to report conduct endangering network security; opening of public data resources; and prohibitions on hacking and supporting activities.

While criminal sanctions, administrative penalties and civil liabilities potentially await those (both organisations and, in some circumstances, individual employees and officers) who violate the new law, unfortunately great uncertainties remain as to how the new legislation will be enforced, who exactly is caught by the various new rules, and the precise steps that organisations must take to comply with them. It is hoped that the Chinese authorities will publish more detailed practical guidance in the coming months. In the meantime, organisations are strongly advised to review their data privacy and cybersecurity practices in China to ensure compliance with the new law before it comes into force on 1 June 2017, and to keep these under review as further guidance becomes available.


The China State Administration of Industry and Commerce's Online Advertising Regulation (Regulation) came into force on September 1, 2016. The Regulation has been widely regarded as the response to a recent scandal regarding paid search results.

Earlier this year, a promising college student in China, Wei Ze Xi, sought cancer treatment at a hospital which was returned as a paid search result on an internet search engine. The hospital promised that the treatment would be effective and charged Wei US$30,000. The treatment was later found to be ineffective, but Wei could not then afford further

The changes

The newly amended Advertising Law did not expressly address the regulation of 'paid search results', but the new Regulation includes a specific definition of paid search results which sees them classified as an internet advertisement and thus subject to the Advertising Law. As such, the Regulation means, inter alia, that paid search results:

must not be misleading;

cannot be used in relation to the advertisement of prescription medication and tobacco products;

cannot be used in relation to the advertisement of medical services, medicine, medical formula food, medical devices, pesticides, veterinary medicines and health care products unless the relevant products and services have been previously approved by the relevant authorities; and

must be able to be closed with 'one click' and must not interfere with a user's internet experience.

The Regulation also requires online advertising service providers to establish internal systems for, inter alia, identifying clients who use paid search results and storing their details and advertisements.

Practical implications

The new Regulation affects not only search engine providers, but all online advertising businesses and users of paid search results.

Businesses advertising in China using paid search results must check to ensure such paid search results are in compliance with the Advertising Law, and those businesses operating in any of the restricted fields listed above must now ensure prior approval is sought before placing a paid search result advertisement.

Our team of lawyers in China is ready to advise you on the preparations you need to make for the implementation of the Regulation.

STRICTER PRC ONLINE ADVERTISING REGULATION IN RESPONSE TO SEARCH SCANDAL

By Edward Chatterton, Partner (Hong Kong), Horace Lam, Partner (Beijing), and Ian Jebbit, Registered Foreign Lawyer (Hong Kong)

mObILE APPS UNDER CLOSE WATCH Of THE HONG KONG PRIvACY COmmISSIONERBy scott thiel partner and Carolyn Bigg of Counsel (hong Kong)

The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps On 21 April 2016 the Office of the Privacy Commissioner for Personal Data (the PCPD) held the lsquoMobile App Development Forum on Privacy and Securityrsquo (Forum) for the mobile app industry which discussed key issues for mobile app developers businesses and stakeholders to consider when developing and operating mobile apps in terms of ensuring compliance with the provisions of the Personal Data (Privacy) Ordinance and safeguarding users from cybersecurity risks

Businesses operating in the mobile app industry and related stakeholders are advised to take note of the below key points raised at the Forum and related issues that they should consider

Lessons to learn from mobile apps in the market

The Privacy Commissioner highlighted the results of a recent survey on popular mobile apps developed by Hong Kong entities which revealed a lack of transparency of the personal data handling in relation to the apps The survey results revealed that most of these local apps did not explain clearly what data they would access and the purposes for such access and that only around half of these mobile apps provided a privacy policy

A key risk discussed at the Forum was that the drafter of the privacy policies may not have a complete understanding of what data is in fact collected stored used andor shared by the app for example in the case of using third party codes in the app development Businesses using the one privacy policy for all of its mobile apps which differ greatly in the way usersrsquo data are handled also run the risk of having imprecise privacy policies for individual apps

Security remains a key concern in relation to personal data collected and handled by mobile apps. Alarmingly, it was revealed at the Forum that some extremely popular mobile apps failed to apply adequate security to safeguard users' personal data.

Enforcement risks for mobile apps

At the Forum the Privacy Commissioner referred to recent enforcement actions taken against mobile apps, largely as a result of excessive data collection and inadequate security of personal data.

In recent years the Privacy Commissioner has served enforcement notices on operators of mobile apps, as well as on parties related to those operators. As a result the relevant companies have taken corrective action; in some instances the Privacy Commissioner's enforcement action attracted considerable media attention, and some of the mobile apps concerned are no longer available in the market.

However, there is a limit to the Privacy Commissioner's enforcement powers, as demonstrated by a high-profile incident in November 2016 involving call-blocking apps whose activities the PCPD suspected of contravening Hong Kong's data privacy law. As the apps' operators were located outside Hong Kong, the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow-up action.

The privacy compliance of mobile apps is likely to remain under the close watch of the Privacy Commissioner in the coming months.

Privacy by Design

The Chief Personal Data Officer of the PCPD, Dr Henry Chang, highlighted the ‘Privacy by Design’ approach that businesses should adopt. It brings privacy to the foreground and embeds it from the outset into the design specifications, and throughout the entire development life cycle, of a mobile app. The key factors to consider are set out below.

Data minimisation – The collection of personal data should be reduced to the absolute minimum, especially where sensitive personal data is involved. An assessment of what data the business actually requires from users, in terms of both access and collection, should be undertaken at the outset.

Surprise minimisation – Businesses should be transparent with users about what data will be collected or accessed, and should give users a choice to opt out of such access or use where possible. It is important to manage users' expectations and to eliminate or minimise any possible adverse effects of data collection and use.

Risk minimisation – Businesses must ensure adequate protection of data being transmitted and/or stored, for example through encryption (both in transit and at rest) and access control.

Trust and respect – To earn the trust and respect of users, businesses should go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects, even where that data does not amount to personal data. This matters because mobile devices contain a vast amount of personal data and other data that may be considered private, and users will be concerned about whether the app accesses or collects any of it.

In particular, businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users, rather than as a compliance hurdle to be cleared in order to avoid investigation or enforcement action by the Privacy Commissioner. Businesses should ensure that the data collection and handling practices of their mobile apps are not only compliant with the law, but that their privacy policies, privacy notifications and consents are sufficiently clear and transparent to earn the trust and respect of users.
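The data minimisation and surprise minimisation points above are checkable in practice: the permissions an app declares are a concrete record of what it can access, and the privacy policy is the record of what it tells users. The script below is an added example written for this article, not code from the PCPD, the Forum or DLA Piper. It parses the permissions declared in an Android manifest, maps the sensitive ones to a plain-language data category, and reports both the categories the policy never mentions (the surprise minimisation gap) and the categories the business did not assess as necessary (the data minimisation gap). The permission-to-category table, the sample manifest (with a READ_CONTACTS permission assumed to have been pulled in by a third-party SDK) and the sample policy text are all constructed for the example.

```python
# Added example (not the PCPD's or DLA Piper's code): a data-minimisation and
# surprise-minimisation audit for an Android app. It parses the permissions the
# app declares in its manifest, maps the sensitive ones to the data category a
# user would recognise, and reports (a) categories accessed but never disclosed
# in the privacy policy and (b) categories accessed but not needed for the app's
# stated function. The permission-to-category table, the sample manifest and the
# sample policy are all constructed for this example.
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed mapping (this example's own) from Android runtime permissions to the
# plain-language data category a privacy policy would have to mention.
PERMISSION_DATA_CATEGORY = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_PHONE_STATE": "device identifiers",
    "android.permission.READ_CALL_LOG": "call log",
}

# Constructed sample: what a merged AndroidManifest.xml might declare once a
# third-party SDK has pulled in READ_CONTACTS that the app itself never needed.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.branchfinder">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>
"""

# Constructed sample privacy policy for the same app.
SAMPLE_POLICY = (
    "We use your location to show nearby branches and your camera to scan "
    "QR codes on statements. We do not sell your personal data."
)


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def accessed_categories(manifest_xml: str) -> set:
    """Data categories the app can reach, derived from its declared permissions."""
    return {PERMISSION_DATA_CATEGORY[p] for p in declared_permissions(manifest_xml)
            if p in PERMISSION_DATA_CATEGORY}


def disclosed_categories(policy_text: str) -> set:
    """Data categories the privacy policy names (whole-word, case-insensitive)."""
    text = policy_text.lower()
    return {cat for cat in set(PERMISSION_DATA_CATEGORY.values())
            if re.search(r"\b%s\b" % re.escape(cat), text)}


def audit(manifest_xml: str, policy_text: str, required: set) -> dict:
    """Compare what the app can access with what it discloses and what it needs.

    `required` is the set of categories the business has assessed as necessary
    for the app's function (the 'assessment at the outset' described above).
    """
    accessed = accessed_categories(manifest_xml)
    disclosed = disclosed_categories(policy_text)
    return {
        "accessed": sorted(accessed),
        # surprise-minimisation gap: reachable but never told to the user
        "undisclosed": sorted(accessed - disclosed),
        # data-minimisation gap: reachable but not needed for the app's purpose
        "unjustified": sorted(accessed - set(required)),
    }


if __name__ == "__main__":
    findings = audit(SAMPLE_MANIFEST, SAMPLE_POLICY, {"location", "camera"})
    for key, cats in findings.items():
        print("%-12s %s" % (key + ":", ", ".join(cats) or "none"))
```

Run the audit against the manifest as it is actually shipped (the merged manifest extracted from the built APK, for example with `aapt dump permissions`), not the one in the app's own source tree: permissions contributed by third-party libraries only appear after manifest merging, which is exactly the case where the policy drafter tends not to know what the app accesses.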


SINGAPORE'S ENFORCEMENT OF DATA PROTECTION LAW ON THE RISE

By Scott Thiel, Partner, Carolyn Bigg, Of Counsel, and Amy Kong, Associate (Hong Kong)

Singapore's Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident, together with the Monetary Authority of Singapore (MAS), concerning a multinational bank. The PDPC has also recently announced that organisations need to improve their data security and data protection measures, and has issued new guides, focused primarily on data protection measures, which organisations should consider carefully.

Recent enforcement decisions

Some of the key points to note from the three recent enforcement decisions:

A company offering security guard services (the Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.

A document processing company was fined SGD 5,000 for a data breach in which 195 individuals received the account statements of other account holders held on the Singapore Exchange.

A multinational insurance company was issued a warning on 22 June 2016 for disclosing the personal data of an insurance policy holder to a third party (the policy holder's chiropractor) in September 2015 in order to obtain further medical information about the policy holder. The PDPC found that the disclosure of the policy holder's bank account details, being of a sensitive financial nature, was not for a reasonable purpose.

It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA has no separate definition of ‘sensitive personal data’ requiring additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.

As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) resulted from inadequate data security measures, which led to unauthorised disclosure of personal data.

Investigation into a multinational bank's data disposal incident

The PDPC and the MAS have joined forces to investigate a multinational bank (the Bank) following a recent report concerning the Bank's disposal of client documents. In June 2016 it was reported that a rubbish bag containing unshredded client documents of the Bank, including confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found close to the Bank's headquarters in Singapore.

The MAS is working closely with the PDPC to review the incident and has indicated its commitment to taking disciplinary action against banks that fail to protect their customers' data adequately.

New guides issued by the PDPC

To accompany its recent media release urging organisations to improve their data security measures, and in light of the recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, on securing personal data in electronic medium, and on building websites for small and medium enterprises.

The PDPC has also updated its guide on the disposal of personal data on physical medium, added chapters on cloud computing, IT outsourcing and security patching, and updated its advisory guidelines on key concepts in the PDPA regarding the withdrawal of consent and access requests. Organisations are encouraged to consider the contents of the guides and updated guidelines carefully when reviewing their data handling practices.

Some interesting issues to note

The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third-party contracts. Such clauses should contain specific security measures; a schedule listing the authorised personnel who are permitted to access the personal data on a ‘need to know’ basis; a requirement for a written undertaking about the return or deletion of personal data; and a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.

The PDPC's guide on the disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. For shredding, different shredder specifications may be required depending on the category of information on the documents: for example, unauthorised disclosure of healthcare data or financial information is considered to have a significant impact on individuals, so such documents call for a more stringent shredder specification.

This article was first published in August 2016. For further updates in relation to Singapore's data protection laws, please contact Scott Thiel (scott.thiel@dlapiper.com) or Carolyn Bigg (carolyn.bigg@dlapiper.com).

IPT INSIGHTS

AUSTRALIA – TRADE MARKS – CHANGES TO OFFICIAL FEES

The Australian Trade Marks Office has made a number of changes to its official fee structure, reducing or shifting the timing of some fees, partly to align with practice in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.

Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there is no longer a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register where an applicant loses interest in its application after filing but before acceptance/registration, the new process should reduce the administrative burden on applicants somewhat.

In addition, the AU$150 fee for opposing a removal application has been abolished. Renewal fees have also increased slightly.

This is an adjustment to official fees only; DLA Piper Australia is not increasing its fees for the relevant attendances at this time.

HONG KONG'S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD

Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong's Privacy Commissioner. On 31 August 2016 the Commissioner published an information leaflet (the Information Leaflet) which highlights the risk of data breaches where employees use their own mobile phones or other personal devices to access work emails and systems, and suggests best practices for organisations that allow BYOD. Unlike previous industry-specific guidance, the Information Leaflet applies generally to all companies permitting BYOD in Hong Kong. The Information Leaflet makes clear that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap. 486) (the Ordinance) and its Data Protection Principles (DPPs).

The Information Leaflet suggests that organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible from BYOD equipment and to the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices depending on whether the organisation's data is stored on the personal device itself or within a ‘sandbox’. The Commissioner suggests as best practice that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance.

The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant with the Ordinance. For instance, organisations should consider whether employees receive sufficient training on the use of personal data stored on BYOD devices, and whether adequate security measures are in place to ensure the secure transfer and storage of personal data on BYOD equipment (e.g. sandboxing, password protection and encryption independent of the device's own controls).

The Information Leaflet also highlights that respect for personal data should be mutual under a BYOD scheme: any practices implemented to manage employees' BYOD devices should respect the employees' own private information.

For more information, the Information Leaflet is available here.

DLA Piper's Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more, please click here.

JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS

In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government plans to introduce the Government Procurement (Judicial Review) Bill (the Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.

Where a supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, the supplier must follow the approach prescribed in the Bill in order to seek a remedy (for example, damages). This is likely to be a two-step process: first, the supplier must attempt to resolve the complaint with the procuring entity; second, if the complaint cannot be resolved, the supplier may choose to have it judicially reviewed by the Federal Circuit Court.

The Bill is likely to be introduced into the Australian Parliament by the end of this year.

WHAT'S ON

Wrap-up: 5th Global Technology Summit

On September 27 and 28, DLA Piper's Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.

This year the Summit was divided into two distinct days of programming. The first day, ‘Garage2Global’, was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from ‘garage to global’. The second day, ‘TechLaw’, provided in-house counsel and leaders from mature technology companies with updates on the latest trends affecting legal departments.

Speaker Highlights

At ‘Garage2Global’, Alec Ross, former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address, speaking on themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world's largest networks, one that handles more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates, Inc.

Kicking off ‘TechLaw’, Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges of conducting acquisitions and how the legal department is viewed as a business partner. During the afternoon sessions Dan Cooperman, Of Counsel at DLA Piper, spoke with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, about the GC's role in areas such as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world's largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.

Please visit our Summit website and blog for further information.

DLA Piper is pleased to announce the launch of Telecommunications Laws of the World.

Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.

Key features include:

telecommunications laws regulations and policies

regulatory bodies or authorities

overview of consents licenses and authorisations

regulatory taxes and fees

key sanctions and penalties

Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time stamping for trading transactions, robust, reliable and resilient networks are critical.

Today, telecommunications operators are increasingly seeking to expand customer-specific and value-added services (such as combining connectivity with application services) to retain relevance and protect against increasing margin erosion. At the same time, the growth of OTT (over-the-top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in a country, can nevertheless use licensed operators' infrastructure to provide services.

Access Telecommunications Laws of the World here.

Intellectual property webinar series

Throughout 2016 DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact events.australia@dlapiper.com.

intellectual property issues in China

confidential information and trade secrets: global insights, global protection

grey market, parallel importation and anti-counterfeiting

content protection and digital piracy

advertising and marketing

Pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide

We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.

Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:

trademark filing and prosecution

oppositions

revocation invalidation and cancellation

trademark enforcement

trademark exploitation

unregistered trademark rights

domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide, email APACTMGuide@dlapiper.com.

Are you an in-house lawyer? Join WIN today

WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.


GLOBAL PATENT LAWS AROUND THE WORLD

COMING SOON

Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures relevant to businesses operating in the countries featured: for example, what acts infringe a patent, the availability of and approach to granting preliminary injunctions, the ability to obtain evidence, the approach to assessing validity and the typical time to trial. For companies operating in multiple countries, managing the risk of, and successfully bringing or defending, patent proceedings can often depend on the strategic exploitation of differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those of other countries.

DLA PIPER'S PATENT GROUP

With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.

For further information, please contact us by email at patents@dlapiper.com.

Global Patent Laws is a comparative reference guide on patent laws, providing business insight on the critical patent laws and procedural matters around the world that businesses need to know about. The handbook includes guidance on:

infringing conduct

defences to infringement

before taking action

patent validity

taking action

remedies

procedure & timing

Benefits of Global Patent Laws: patent laws simply put; global reach; easy access 24/7.

MEET GREG BODULOVIC

How long have you been at DLA Piper and what brought you to this position?

I joined DLA Piper in September 2016. I came to this position having worked in intellectual property for 10 years, most recently in the Sydney office of a large US firm.

Having qualifications in biotechnology and experience in patent litigation and advising on the regulation of therapeutic goods, I was particularly drawn to DLA Piper's life sciences sector, as well as the breadth and scope of the IPT practice in Australia more generally. The people at DLA Piper, the firm culture and the opportunities to work on high-profile matters and in cutting-edge areas of technology were all key to my decision to join.

I have really enjoyed my time at the firm – the IPT team in Sydney is fantastic, and I have also had the opportunity to meet and work with colleagues in Melbourne, which has been an equally positive experience.

What do you love about your job?

I love the breadth and variety of work within the area of intellectual property law and the exposure to various technologies and brands. Over my career I have been fortunate to have worked on various contentious and non-contentious patent, design, trade mark and copyright matters in fields as diverse as pharmaceuticals and medical devices, food and beverages, software and hardware, clothing and fashion, and consumer goods. I also advise on transactional intellectual property matters, which has enabled me to work on the intellectual property and technology aspects of large multi-jurisdictional corporate transactions. I have also had the opportunity to be seconded to a medical devices company as in-house counsel, which gave me an insight into the practical application of legal advice from the client's perspective.

Also, it goes without saying that I enjoy overcoming the challenges encountered on a daily basis in the course of my job, and I obtain satisfaction from achieving a successful outcome.

Do you have any hobbies and interests outside of work?

I try to keep fit by running, cycling and playing tennis. I have a keen interest in modern art (and am involved with the Museum of Contemporary Art in Sydney), as well as in technology and innovation. Recently, most of my time outside of work has been spent with my 10-month-old daughter.

Greg Bodulovic, Senior Associate, Sydney. T +61 2 9286 8218, greg.bodulovic@dlapiper.com

CYBER RISK: SECURING YOUR SUCCESS

Recently Aon, DLA Piper and Symantec hosted a cyber risk symposium across Australia. The guest speakers delivered important clarity regarding the global threat environment. This article summarises the legal influences on the cyber risk landscape, and the technology solutions and strategies, discussed throughout the event. It also explores the growing role played by cyber insurance in underpinning safe and sustainable business models.

Cyber security is becoming part of the national conversation. It is a conversation initiated by a rash of attacks on public and private computing infrastructure, propelled by the Federal Government's cyber security strategy released in early 2016, and amplified by the high-profile Census debacle.

But cyber security requires more than talk; it demands action. Organisations that effectively identify and plot their risk profile, and take steps to manage, mitigate and, where appropriate, transfer that risk, secure their future and are better poised to reap competitive rewards.

By being able to demonstrate a sophisticated and comprehensive approach to cyber security, a company positions itself as a favoured and trusted business partner. But this is not a set-and-forget strategy: the threat landscape is in a state of constant flux, and organisations need to review and refresh their approach regularly.

The global threat environment

There are no longer any doubts that cyber risk is an immediate and significant issue for enterprises of all scales and in every sector. Left unchecked, it can bring corporations and countries to their knees.

According to Professor Greg Austin, Director of the Australian Centre for Cyber Security, one of the major challenges is that the full dimensions of the problem are still being assessed globally. But he notes that US President Barack Obama has, for the second year, declared a national emergency in cyberspace, which indicates the scale and seriousness of the global problem.

China has also stepped up its efforts in the area, according to Prof Austin, under the direct control of the President, and has introduced a draft cyber security law.

In Australia, the Prime Minister has assessed the economic impact of cyber-crime at somewhere between $1 billion and $17 billion. Prof Austin said that extraordinary range indicates the continued lack of clarity about the true extent of the problem.

Where there is no lack of clarity is in the acknowledgement that there is a problem, and senior managers and boards are increasingly concerned.

A PricewaterhouseCoopers report into global economic crime has, for the first time, identified cyber-crime as the number one threat, edging out asset misappropriation.

Prof Austin says that eight vectors of attack are currently in evidence: software, hardware, networks, payload, people, power supply, policy and ecosystem. In addition, nine major sources of threat have been identified, and Symantec data suggests there are as many as 30 different threat types.

These variables in combination make it difficult, if not impossible, to prevent any and all attacks. Prof Austin's warnings are stark: “The criminals are always ahead of you or I… the bad news is that governments are well behind criminals and corporates.”

While he acknowledges that the chances of a serious cyber-attack on any one corporation or entity are quite low, the probability that the consequences will be severe in a handful of cases is extremely high. And that, he says, is what organisations need to prepare for.

Legal influences on the cyber risk landscape

Legislation and regulation often lag technology, and this is particularly evident in cyber security, where nations continually play catch-up.

Enterprises operating internationally must navigate a global legal landscape in constant flux, and establish strategies for managing security and data that comply with regulations locally and regionally.

This is particularly challenging for companies migrating information systems to the cloud. While there may be scale, cost and flexibility benefits associated with cloud computing services, it is essential to review contracts regarding how data will be treated and to identify any potential security gaps.

Blue Edge Lab, a wholly owned subsidiary of DLA Piper, delivers a solution called CyberTrak that tracks legislative changes across the region. (Blue Edge Lab is not a law firm and does not provide legal services.) Organisations that operate in multiple jurisdictions must navigate complex rules surrounding privacy, data and security. Scott Thiel, a DLA Piper partner specialising in technology and privacy, says that such organisations need to decide whether to take a “high watermark approach”, establishing security and privacy settings that meet the most stringent conditions in any of the countries in which they operate, or to tackle the issue country by country.

Neither is ideal: the costs of meeting high-watermark regulation across the region could be high, while a piecemeal approach could be difficult to maintain, especially given the rapid pace of change. However, failing to address the issue properly is a mistake with potentially serious financial implications: witness the company sued for HK$15 million over a consumer's “hurt feelings” regarding the unauthorised exposure of their data.

Beyond compliance, there is the opportunity to leverage investment in cyber security and data protection to deliver competitive advantage, especially following the Panama Papers leak, which threw the issue into sharp relief.

Organisations pitching for work, responding to tenders or planning an IPO may find it an advantage to be able to reference a comprehensive, even audited, data collection, storage and use strategy, along with a well-constructed and rehearsed cyber security plan. That plan should leverage technology solutions and services such as encryption, penetration testing and employee education, along with an appropriate insurance framework to mitigate and transfer the risk of financial consequences associated with a breach.

In the event of a breach, this also streamlines discussions with regulators. An enterprise able to identify where its data is stored (whether on premises or in the cloud), and to reference the technologies, policies and procedures in place to protect that data, should also be able to identify where the plan proved lacking and provide a voluntary undertaking to the regulator to fix that issue.

Says Thiel: “Institutional awareness of how systems hang together will speed root problem analysis and rectification.”

Cyber rules around the region

Australia: the arrival of a new privacy amendment Bill and mandatory data breach notification for serious breaches is expected to be a game changer.

China: racing ahead in terms of regulations, and has a draft security law which will have significant implications for international companies operating in the PRC.

Hong Kong: specific and stringent security requirements. While there are no data breach notification rules, these are expected in 12 to 18 months. The first person to be jailed for a privacy breach was a Hong Kong based insurance broker.

Singapore: legislation in place for over two years, and more meaningful enforcement is anticipated, while regulations are expected to evolve, particularly for foreign enterprises.

Japan: a mix of regulations impacting various industries, but a strong culture of compliance, meaning the level of enforcement is low because of fear of reputational damage.

South Korea: a long tradition of privacy and security law and robust enforcement, with serious consequences for enterprises.

Thailand: some constitutional requirements but no breach notification.

In the event of a breach…

1 Refer to the data breach response plan

2 Call lawyers to preserve privilege

3 Involve communications and PR team

4 Alert insurers to the breach

5 Seek advice from lawyers and insurers regarding extortion (ransomware) attempts before any payments

6 Engage incident response team to analyse breach and remediate

Access DLA Piper's cyber incident/data breach response "Your emergency checklist" here: https://www.dlapiper.com/en/australia/insights/publications/2015/04/cyber-data-breach-checklist

Assessing the technology/insurance inflexion point

Technology and education are the first frontier of data protection and cyber security. Investing in a spread of security technologies such as firewalls, encryption, system monitoring, vulnerability assessments and penetration testing, along with effective employee education programmes to ensure staff understand how to avoid spear phishing or ransomware attacks, is essential for any organisation.

There is, however, a point at which additional investment in security offers diminishing value. At this inflexion point an organisation needs to refocus its investment attention toward cyber risk insurance.

Tim Fitzgerald, chief security officer and VP at Symantec, explains that exactly when an organisation reaches that inflexion point will vary, and will be affected by the scale of an organisation's data collection, its reliance on cloud computing services, its deployment of internet of things devices and the mobility of its workforce and user base.

He recommends that organisations conduct a cyber risk assessment: analyse the data stores held, assess by whom and why they may be targeted, and then develop a security strategy based on that insight. The board and senior managers need to be apprised of the security risk and strategy and, through gap analysis, determine the need for cyber insurance, understanding that conventional corporate insurance policies are unlikely to properly protect an organisation in the event of a cyber-attack.

A data breach response plan, which can be informed by the Office of the Australian Information Commissioner's guidelines (https://www.oaic.gov.au/resources/agencies-and-organisations/guides/data-breach-notification-guide-august-2014.pdf), ensures that should a cyber-attack occur the organisation and staff understand their responsibilities. A comprehensive response plan also demonstrates good governance to business partners, investors and regulators.

However, any cyber response plan must remain a living document and needs regular review to ensure that current regulatory requirements are acknowledged.

In addition, any personnel with responsibilities under that plan must be properly trained to act swiftly in the event of a breach. The plan should also identify any third party support services required should an attack occur, allowing engagement contracts to be negotiated well in advance.


Organisations attacked once are three times more likely to be attacked again (source: Symantec)

45x more cyber ransom events year on year (source: Symantec)

Digital transformation and the impact of insurance

Once an organisation has deployed robust technology defences, educated staff about the risks of cyber-attack and promulgated policies about how to react and respond to cyber events, it has laid important foundations for its protection.

Those people, process and technology foundations provide a platform from which the organisation is able to negotiate appropriate and cost effective cyber insurance.

By analysing the potential impact of an attack on the financial statements, the organisation can determine what coverage it requires.

Kevin Kalinich, Aon's global cyber practice leader, advises organisations to look at the industry in which they operate and benchmark the range of losses that could arise, knowing the value of data assets held and the impact of a cyber-attack in terms of business interruption, the impact on supply chains, on SCADA industrial control systems, and on reputation and brand.

The anticipated introduction of mandated data breach notification should spur action, and organisations with international operations need to ensure that they are properly protected in all the geographies in which they operate. Based on international experience, mandated breach notification leads to significant costs associated with legal services, regulator notification, customer notification, forensics, remediation and potentially compensation claims.

"Take steps to mitigate, to allocate liability or minimise your own liability. This is not all about prevention; it is about your response. If you have prepared a response, there is data that shows you can reduce the total cost of an incident," says Kalinich.

He also warns that organisations should not assume that their existing insurance policies provide any coverage in the event of a cyber-attack, nor that a third party information systems provider such as a cloud computing vendor would have them covered. Similarly, existing directors and officers policies and professional indemnity coverage might prove inadequate should a cyber-attack take place.

In order to properly analyse the risk profile, Kalinich advocates risk quantification modelling in combination with Monte Carlo evaluation techniques. The resulting macro level understanding of the challenge allows an organisation to then work with an insurance broker to craft appropriate risk coverage.
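The frequency/severity simulation behind that kind of Monte Carlo risk quantification, as an added illustration that is not the article's, Aon's or Kalinich's own model: a Poisson count of incidents per year, a log-normal loss per incident, and percentiles of the simulated annual total used to size a coverage limit above a retention. All inputs (0.8 incidents a year, a 250,000 median loss per incident, a dispersion of 1.0, a 500,000 retention) are constructed, hypothetical figures, not numbers from the page.

```python
"""Frequency/severity Monte Carlo model of annual cyber loss.

Added illustration; not DLA Piper's, Aon's or Kalinich's model. The
distributional choices (Poisson event count, log-normal loss per event)
and every parameter below are hypothetical, not figures from the article.
"""
import math
import random
from typing import Dict, List


def poisson(lam: float, rng: random.Random) -> int:
    """Sample an event count from Poisson(lam) using Knuth's multiplication method."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(
    events_per_year: float,
    median_loss: float,
    severity_sigma: float,
    trials: int = 20_000,
    seed: int = 7,
) -> List[float]:
    """Simulate `trials` years; each year's loss is the sum of that year's incident losses.

    Severity per incident is log-normal with the given median and dispersion
    (sigma of the underlying normal). Seeded so that results are reproducible.
    """
    rng = random.Random(seed)
    mu = math.log(median_loss)
    losses = []
    for _ in range(trials):
        n = poisson(events_per_year, rng)
        losses.append(sum(rng.lognormvariate(mu, severity_sigma) for _ in range(n)))
    return losses


def percentile(values: List[float], q: float) -> float:
    """Nearest-rank percentile: smallest value with at least fraction q of the sample at or below it."""
    if not values:
        raise ValueError("empty sample")
    ordered = sorted(values)
    rank = max(1, math.ceil(q * len(ordered)))
    return ordered[min(rank, len(ordered)) - 1]


def summarise(losses: List[float]) -> Dict[str, float]:
    """Expected annual loss plus the 1-in-2, 1-in-20 and 1-in-100-year loss levels."""
    return {
        "eal": sum(losses) / len(losses),
        "p50": percentile(losses, 0.50),
        "p95": percentile(losses, 0.95),
        "p99": percentile(losses, 0.99),
    }


def recommend_limit(losses: List[float], retention: float, confidence: float = 0.99) -> float:
    """Coverage limit that, sitting above the retention (deductible), absorbs the
    annual loss at the chosen confidence level; zero if the retention already covers it."""
    return max(0.0, percentile(losses, confidence) - retention)


if __name__ == "__main__":
    # Constructed, hypothetical inputs: 0.8 incidents a year, median loss per
    # incident of 250,000, dispersion sigma = 1.0, retention of 500,000.
    sample = simulate_annual_losses(0.8, 250_000, 1.0)
    for key, value in summarise(sample).items():
        print(f"{key:>4}: {value:>14,.0f}")
    print(f"suggested limit above a 500,000 retention at 99%: {recommend_limit(sample, 500_000):,.0f}")
```

The 1-in-100-year figure is the one to compare against the limit a broker offers; the expected annual loss is closer to a fair premium. Replacing the constructed parameters with the organisation's own incident history and the benchmarked loss ranges for its industry is the step described above.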

Off the shelf policies have limited value. Base cyber insurance policies can cover external hacks, malicious code and internal mistakes, but may not cover the impact of a bug in the system. Consequential (punitive, incidental) costs are excluded from all base insurance policies, as is tangible property damage, but can be negotiated in a customised policy.

Effective cyber insurance policies also cover costs associated with legal support, communications, forensic analysis, notification and remediation services.

Kalinich warns, however, that given the changes in the legal landscape and the technology terrain this is not a set-and-forget requirement, noting that risk assessment needs to be both thorough and regular.

Armed with that insight, the organisation can work with an insurance broker to find, tailor and stress test a cyber insurance policy to ensure the effective reduction of enterprise risk.

Cyber risk: are you properly prepared?

There are four key questions that every organisation needs to address regarding cyber risk and protection:

What can go wrong?

How bad can it be?

How am I protected?

Will my insurance work?

Assessing the organisational risk profile requires input from multiple stakeholders, including the chief financial officer, chief information security officer, head of risk management and legal counsel. External consultants can also provide a fresh lens through which to explore exposure.

Knowing the risk is one thing; dealing with it effectively also demands the support of the most senior management and the board. Effective security requires a whole-organisation commitment from the top down.

The anticipated mandatory breach notification legislation will require organisations to alert authorities not only when they are aware of a breach but when those organisations "ought reasonably to have been aware", which suggests regulators may penalise companies found to have inadequate security systems. It is also not yet clear whether there will be any extra-territorial implications of the legislation for organisations operating overseas branches or subsidiaries.

Cyber security is a critical issue for organisations of every scale and in every sector. Robust and comprehensive security frameworks, a well-crafted response plan and effective cyber insurance, developed in concert and reviewed regularly, deliver the maximum protection and an important competitive edge.


UNFAIR CONTRACT TERMS IN THE IT SPACE: WHAT YOU NEED TO KNOW

By Sarah Dolan, Senior Associate (Melbourne) and Stephanie Tran, Graduate (Melbourne)

The 'one size fits all' approach to contracting is a common feature of the IT industry. Standard form contracts are an efficient and cost-effective method of doing business and are often used for online terms of use and for projects which are of low risk, value and/or complexity.

From 12 November 2016, the unfair contract terms regime in the Australian Consumer Law, which until then only applied to individual consumers, was extended to contracts where at least one party is a "small business" and the upfront price payable does not exceed $300,000 (or $1 million if the contract is for a term longer than 12 months). A "small business" is a business that employs fewer than 20 people. The regime also applies to contracts which are varied after 12 November 2016.

What is an "unfair" contract term?

Whether a term is "unfair" is decided by a court or tribunal. A term is "unfair" if the following three criteria are satisfied:

it causes a significant imbalance in the parties' rights and obligations under the contract;

it is not reasonably necessary to protect the legitimate interests of the party who would be advantaged by the term; and

it would cause detriment (whether financial or otherwise) to a party if the term were relied upon.

A court or tribunal, in determining whether a term is unfair, must assess the transparency of the term. This includes an assessment of how the term is expressed: is it in plain language, and is it presented clearly? The court or tribunal must also consider the term in light of the contract as a whole and not in isolation.

Unfair terms in standard form contracts

Examples of standard form contract terms that may be challenged in court or at a tribunal for "unfairness" include:

terms requiring the customer to indemnify the supplier for any damage caused, even if it is caused by the supplier's own negligence;

terms that allow a supplier to cancel a contract at will for an inconsequential breach of contract by the customer;

terms that restrict a customer from obtaining a refund or exercising a termination right where the supplier has failed to meet its obligations under the contract; and

terms that provide for automatic renewal without the customer's consent.

What does this mean for your business?

Where a supplier's business model is directed at providing services to small to medium enterprises (SMEs), and the supplier has not had to address this issue in the past for "consumer" customers, it is likely to be affected by this extension of the unfair contract terms regime. Standard form contracts (eg online terms of use, confidentiality agreements, software licences, support agreements, supply and/or services contracts) for SME customers should be reviewed to determine whether any of the terms may be considered "unfair".

If a court determines that a term is "unfair", it can make a range of orders, including declaring part or all of the contract void and/or varying the contract. If a court orders a contract to be varied, this may result in the supplier being unable to enforce other rights it may otherwise have, either under the contract itself or at law.

Additionally, customers which are small businesses may challenge contract terms that they consider unfair in order to prevent a supplier from enforcing express rights under the contract. Such challenges will cost a supplier both time and money to address, even if it is able to successfully defend the claim. In this day of instant and free customer feedback on social media sites, there is also the risk of reputational damage in the market.

Suppliers should ensure their standard terms are appropriate for the type, size and nature of both the target customer and the goods and services being provided, with an appropriate balance of risk and responsibility between the parties.


INSURTECH

By Carolyn Bigg, Of Counsel (Hong Kong) and Sarah Fountain, Senior Associate (Melbourne)

The customer experience of insurance has largely remained the same for many years. A customer completes a proposal form (normally in hard copy) and submits it to the broker; the broker requests quotes from insurers; insurers provide quotes; the broker places a policy; the policy is issued (normally on an annual basis); and then the customer probably gives no further thought to it unless he or she needs to make a claim. This process does not fit well with the digital era we now live in and has not adapted quickly enough to meet changing consumer expectations, largely driven by millennials.

Insurers widely recognise the need to innovate. Despite this, most insurers have been slow to change their ways, with less than a quarter giving customers the option to submit claims online. This signals huge opportunities for those in the insurance sector, which explains the huge growth we are seeing in 'insurtech' (a word that was barely known a few years ago but now seems to be everywhere). Globally, investment in insurtech increased from US$800 million in 2014 to US$2.6 billion in 2015, and was US$1 billion in the first half of 2016.

Across Asia Pacific there are numerous examples of insurers embracing insurtech. Some insurers have opened innovation labs or incubators, such as MetLife's LumenLab in Singapore. Others have established corporate VC funds to invest in insurtech startups that will drive value for the business. For example, Suncorp recently invested in Trov, an app that allows customers to turn insurance on and off by swiping right or left on their phones. We have also seen collaboration between insurers and car manufacturers to make available one-click, single-use motor vehicle policies in connected cars, as well as collaboration between insurers and technology companies. Another indicator of the opportunities in insurtech is the level of interest shown in the insurance market by leading players in other markets. For example, earlier this year China Mobile announced that it is planning to enter the insurance market by making significant investments in two insurance companies.

These initiatives are already starting to have an impact on the insurance experience. The use of drones by insurance companies to assess property damage is reducing claims costs and the time taken to assess claims. The implementation of wearable technology in the workplace, such as smart glasses and smart hats, is increasing workplace safety and thereby reducing the risk of injuries. The use of wearable devices has also been adopted by health insurers and life insurers, enabling them to capture data and potentially pass on lower premiums to policy holders. In the future we predict the most significant areas of growth and change in insurtech will be data analytics, wearables and IoT, blockchain and artificial intelligence.

Whilst regulators understandably adopt a cautious approach, they are taking steps to encourage fintech and insurtech initiatives. The Monetary Authority of Singapore very recently published guidelines for a 'regulatory sandbox' to encourage growth in fintech within a relaxed regulatory environment. This follows the announcement by the Australian Securities & Investments Commission of a sandbox for fintech businesses.

As the insurance sector becomes increasingly digitised, cybersecurity risks also increase. Regulators around the region have published new and updated guidance that is relevant to increasingly sophisticated cybersecurity threats. It is important that insurers' compliance and risk teams focus not only on the immediate cybersecurity compliance obligations arising from the latest regulations, but also ensure that cybersecurity compliance programmes are developed to take into account the increasing reliance on technology and data at the core of their operations.

As technology continues to evolve and improve, insurtech opportunities will increase. Although the rise of insurtech has been rapid in recent years, it is still in its infancy. This presents significant opportunities for insurers who adapt to changing consumer expectations and invest in insurtech, especially in Asia, where many people are uninsured but are well connected and spend a lot of time online via their mobile devices. Adapting quickly to this dynamic landscape will enable insurers to remain competitive.


PROPOSED AUSTRALIAN MANDATORY DATA BREACH NOTIFICATION REGIME

By Nicholas Boyle, Senior Associate (Sydney)

In October 2016 the Federal Government introduced the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill) to the House of Representatives to amend the Privacy Act to establish a regime for mandatory notification of eligible data breaches. There is bipartisan support for the Bill and it is likely to become law in late 2016 or early 2017.

What are the mandatory data breach notification requirements under the Bill?

The Bill requires that an entity must, as soon as practicable, comply with the notification steps outlined below if:

the entity becomes aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity; or

the Information Commissioner directs the entity to do so.

If an 'eligible data breach' occurs in relation to information which has been disclosed to (and is held by) an overseas recipient by an entity, the entity that disclosed the information must comply.

Step 1: Prepare a statement setting out the prescribed details

The affected entity must prepare a statement that sets out:

the identity and contact details of the entity (if the eligible data breach relates to more than one entity, the statement may set out the identity and contact details of those other entities);

a description of the eligible data breach;

the kind or kinds of information affected by the eligible data breach; and

recommendations about the steps that individuals who are or may be affected by the eligible data breach should take in response to it.

If a statement is prepared at the direction of the Information Commissioner, the statement must also include any information specified in that direction.

Step 2: Give a copy of the prepared statement to the Information Commissioner

Step 3: Notify the contents of the statement to individuals whose information is affected by the eligible data breach

Where practicable, the affected entity must take reasonable steps to notify the contents of the statement to those individuals who are or may be affected by the eligible data breach. The entity may use the channels it ordinarily uses to communicate with individuals (eg email, text message, mail) to provide those notifications, but that does not limit the obligation to take reasonable steps or the methods of communication that the entity can use.

If it is not practicable for the affected entity to notify individuals, the affected entity must publish a copy of the statement on its website (if any) and take reasonable steps to publicise the contents of the statement.

What are 'eligible data breaches'?

An 'eligible data breach' occurs when:

there is unauthorised access to, or unauthorised disclosure of, personal, credit reporting or credit eligibility information or a tax file number, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates; or

personal, credit reporting or credit eligibility information or a tax file number is lost, where it is likely that (a) unauthorised access to or unauthorised disclosure of the information will occur, and (b) such unauthorised access or disclosure will result in serious harm to an individual to whom the information relates.

Remedial action exception to the definition of eligible data breaches

An eligible data breach is deemed never to have occurred where the affected entity:

in the case of lost information, takes action before there is unauthorised access to or unauthorised disclosure of the information, and no unauthorised access or disclosure actually occurs; or

in the case of information which is the subject of unauthorised access or disclosure, takes action before there is serious harm to any individual to whom the information relates, and because of that action a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals.

What is 'serious harm'?

'Serious harm' is to be interpreted broadly. The explanatory memorandum to the Bill states that 'serious harm' could include serious physical, psychological, emotional, economic and financial harm and serious harm to reputation.

The Bill contains a non-exhaustive list of matters to be considered in determining whether access to or disclosure of information is likely to result in "serious harm". These matters include:

the kind(s) and sensitivity of the information;

whether the information is protected by one or more security measures, and the likelihood of any of those measures being overcome;

the persons, or the kinds of persons, who have obtained or could obtain the information; and

the nature of the harm.

Exceptions

There are a small number of circumstances in which entities are exempted from complying with the notification obligations:

Multiple affected entities: where the eligible data breach affects more than one entity and another entity has complied with the notification obligations, the other affected entities do not need to separately comply.

Enforcement related activities: where the affected entity is an enforcement body and the body's CEO reasonably believes that complying with the notification obligations is likely to prejudice any of its enforcement related activities.

Inconsistency with a secrecy provision: where complying with the notification obligations is to any extent inconsistent with a provision of a law of the Commonwealth that prohibits or regulates the use or disclosure of information.

Declaration by the Commissioner: where the Information Commissioner declares that the notification obligations do not apply, or specifies a particular time by which the affected entity must comply with the notification obligations.

Assessment of suspected eligible data breaches

If an entity has reasonable grounds to suspect that an eligible data breach may have occurred, but is not aware of reasonable grounds to believe that an eligible data breach has in fact occurred, the entity must carry out a reasonable and prompt assessment to determine whether an eligible data breach has in fact occurred. This could occur where an entity is notified of a breach by a third party.

The entity must take reasonable steps to complete the assessment within 30 days after forming the suspicion.

If the eligible data breach applies to more than one entity, only one entity needs to undertake an assessment for all entities to comply with this requirement.

SIGNIFICANT CHANGES TO DATA AND CYBERSECURITY PRACTICES IN CHINA

By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong), and Paula Cao, Associate (Beijing)

After a third deliberation, the Chinese government passed the new PRC cybersecurity law on 7 November 2016. The new law will come into force on 1 June 2017 and has significant implications for the data privacy and cybersecurity practices of both Chinese companies and international organisations doing business in China.

The new PRC cybersecurity law is intended to combat online fraud and protect China against internet security risks. In short, it imposes new security and data protection obligations on "network operators", puts restrictions on transfers of data outside China by "key information infrastructure operators", and introduces new restrictions on critical network and cybersecurity products.

The new law has been widely reported in both the local and international press. While Chinese officials maintain that China is not closing the door on foreign companies with the introduction of this new law, there has been widespread international unease since the first reading. Commentators have expressed concern that competition will be stifled, regarding the handover of intellectual property, source code and security keys to the Chinese government, as to perceived increased surveillance and controls over the internet in China, and in relation to the data localisation requirements. Other new obligations, including increased personal data protections, have been less controversial, but are a clear indicator of the increased focus within the Chinese authorities on data protection and could signal a change to the data protection enforcement environment in China.

Some of the key provisions of the final law (which contains some changes to earlier drafts of the law) include (inter alia):

Chinese citizens' personal information and "important data" gathered and produced by "key information infrastructure operators" (KIIOs) during operations in China must be kept within the borders of the PRC. If it is "necessary" for the KIIO to transfer such data outside of China, a security assessment must be conducted pursuant to the measures jointly formulated by the National Cyberspace Administration and the State Council, unless other PRC laws permit the overseas transfer. While the final version of the law provides some guidance as to the industry fields that will be ascribed greater protection, such as public communications and information services, energy, transportation, water conservancy, finance, public services and e-government, the definition of KIIO remains vague and could potentially be interpreted to cover a broader range of companies and industry sectors. "Personal information" is defined as including all kinds of information, recorded electronically or through other means, that taken alone or together with other information is sufficient to identify a natural person's identity, including but not limited to natural persons' full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers and so forth. However, the types of information that might constitute "important data" are currently unclear. In any case, these data localisation rules are likely to create practical issues for international businesses operating in China.

A range of new obligations apply to organisations that are "network operators" (ie network owners, network administrators and network service providers). A "network" means any system comprising computers or other information terminals and related equipment for the collection, storage, transmission, exchange and processing of information. Some commentators are suggesting that these broad definitions could catch any business that owns and operates IT networks/infrastructure, or even just websites, in China.

In terms of data protection, network operators must make data privacy notices publicly available (explicitly stating the purposes, means and scope of personal information to be collected and used) and obtain individuals' consent when collecting, using and disclosing their personal information. Network operators must adopt technical measures to ensure the security of personal information against loss, destruction or leaks and, in the event of a data security breach, must take immediate remedial action and promptly notify users and the relevant authorities. They must also comply with principles of legality, propriety and necessity in their data handling and not be excessive, not provide an individual's personal information to others without the individual's consent, nor illegally sell an individual's personal data to others. The rules do not apply to truly anonymised data. There are also general obligations to keep user information confidential and to establish and maintain data protection systems. Data subject rights to correction of their data, as well as a right to request deletion of data in the event of a data breach, are also provided. While an earlier draft specifically provided protection to the personal information of "citizens", the final law does not make this distinction and so seemingly offers broader protection to all personal information. These requirements formalise as binding legal obligations some data protection safeguards that were previously only perceived as best practice guidance in China.

As regards network security network operators must fulfil certain tiered security obligations according to the requirements of the classified protection system for cybersecurity which includes (amongst other things) formulating internal security management systems and operating instructions appointing dedicated cybersecurity personnel taking technological measures to prevent computer viruses and other similar threats and attacks and formulating plans to monitor and respond to network security incidents retaining network logs for at least six months undertaking prescribed data classification back up encryption and similar activities complying with national and mandatory security standards reporting incidents to users and the authorities and establishing complaints systems

Network operators must also provide technical support and assistance to state security bodies safeguarding national security and investigating crimes and will be subject to government and public supervision The form and extent of such cooperation is not currently clear and international businesses have expressed concerns over the extent to which this may require them to disclose their IP proprietary and confidential information to the Chinese authorities

More general conditions on network operators carrying out business and service activities include obeying all laws and regulations mandatory and industry national standards social

norms and commercial ethics being honest and credible and bearing social responsibility There are also requirements on network operators to block delete and report to the authorities prohibited information and malicious programs published or installed by users

Network operators handling ldquonetwork access and domain registration servicesrdquo for users including mobile phone and instant message service providers are required to comply with ldquoreal identityrdquo rules when signing up or providing service confirmation to users or else may not provide the service

Additional security safeguards apply to KIIOs including security background checks on key managers staff training obligations disaster recovery back ups emergency response planning and annual inspections and assessments Further strict procurement procedures will apply to KIIOs buying network products and services

Providers of “network products and services” must comply with national and mandatory standards; their products and services must not contain malicious programs; they must take remedial action against security issues and report them to users and relevant authorities; and they must provide security maintenance for their products and services, which cannot be terminated within the contract term agreed with customers. These new conditions will require providers of technology products and services to review and update their product and related maintenance offerings and, in particular, the contractual terms on which they are offered to customers.

Critical network equipment and specialised cybersecurity products must obtain government certification or meet prescribed safety inspection requirements before being sold or provided. This potentially catches a wide range of software, hardware and other technologies being sold – or proposed to be sold – by international companies in China, since the definitions used in the law are drafted very broadly. Further guidance, by way of a catalogue of key network products, is expected in due course. There are concerns that this may create barriers to international businesses looking to enter the Chinese market.

www.dlapiper.com | 17

Each individual and organisation shall be responsible for its own use of websites, and may not set up websites or communication groups for the purpose of committing fraud, imparting criminal methods, producing or selling prohibited items, or engaging in other unlawful activities. Again, there is scope for this to be interpreted and applied broadly.

Institutions, organisations and individuals outside China that cause serious consequences by attacking, interfering with or destroying key information infrastructure of China shall be responsible for any damage, and the relevant public security department of the State Council may freeze assets and impose other sanctions against them. While these provisions would appear to have an extra-territorial effect and could be interpreted very broadly, it is unclear what sanctions could in practice be enforced against organisations without a presence in China.

Other new rules relate to network/online protections for minors; the establishment of schemes for network security monitoring, early warning and breach notification to relevant authorities and the public; rights for individuals and organisations to report conduct endangering network security; the opening of public data resources; and prohibitions on hacking and supporting activities.

While criminal sanctions, administrative penalties and civil liabilities potentially await those (both organisations and, in some circumstances, individual employees and officers) who violate the new law, unfortunately great uncertainties remain as to how the new legislation will be enforced, who exactly is caught by the various new rules, and the precise steps that organisations must take to comply with them. It is hoped that the Chinese authorities will publish more detailed practical guidance in the coming months. In the meantime, organisations are strongly advised to review their data privacy and cybersecurity practices in China to ensure compliance with the new law before it comes into force on 1 June 2017, and to keep these under review as further guidance becomes available.

18 | Intellectual Property and Technology News

The China State Administration of Industry and Commerce’s Online Advertising Regulation (Regulation) came into force on September 1, 2016. The Regulation has been widely regarded as the response to a recent scandal regarding paid search results.

Earlier this year, a promising college student in China, Wei Ze Xi, sought cancer treatment at a hospital which was returned as a paid search result on an internet search engine. The hospital promised that the treatment would be effective and charged Wei US$30,000. The treatment was later found to be ineffective, but Wei could not then afford further

The changes

The newly amended Advertising Law did not expressly address the regulation of ‘paid search results’, but the new Regulation includes a specific definition of paid search results which sees them classified as an internet advertisement and thus subject to the Advertising Law. As such, the Regulation means, inter alia, that paid search results:

• must not be misleading;

• cannot be used in relation to the advertisement of prescription medication and tobacco products;

• cannot be used in relation to the advertisement of medical services, medicine, medical formula food, medical devices, pesticides, veterinary medicines and health care products, unless the relevant products and services have been previously approved by the relevant authorities; and

• must be able to be closed with ‘one click’ and must not interfere with a user’s internet experience.

The Regulation also requires online advertising service providers to establish internal systems for, inter alia, identifying clients who use paid search results and storing their details and advertisements.

Practical implications

The new Regulation affects not only search engine providers but all online advertising businesses and users of paid search results.

Businesses advertising in China using paid search results must check to ensure such paid search results are in compliance with the Advertising Law, and those businesses operating in any of the restricted fields listed above must now ensure prior approval is sought before placing a paid search result advertisement.

Our team of lawyers in China is ready to advise you on the preparations you need to make for the implementation of the Regulation.

STRICTER PRC ONLINE ADVERTISING REGULATION IN RESPONSE TO SEARCH SCANDAL

By Edward Chatterton, Partner (Hong Kong), Horace Lam, Partner (Beijing), and Ian Jebbit, Registered Foreign Lawyer (Hong Kong)


MOBILE APPS UNDER CLOSE WATCH OF THE HONG KONG PRIVACY COMMISSIONER

By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong)

The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps. On 21 April 2016, the Office of the Privacy Commissioner for Personal Data (the PCPD) held the ‘Mobile App Development Forum on Privacy and Security’ (Forum) for the mobile app industry, which discussed key issues for mobile app developers, businesses and stakeholders to consider when developing and operating mobile apps, in terms of ensuring compliance with the provisions of the Personal Data (Privacy) Ordinance and safeguarding users from cybersecurity risks.

Businesses operating in the mobile app industry and related stakeholders are advised to take note of the key points raised at the Forum set out below, and of the related issues that they should consider.

Lessons to learn from mobile apps in the market

The Privacy Commissioner highlighted the results of a recent survey on popular mobile apps developed by Hong Kong entities, which revealed a lack of transparency in the handling of personal data by the apps. The survey results revealed that most of these local apps did not explain clearly what data they would access and the purposes of such access, and that only around half of these mobile apps provided a privacy policy.

A key risk discussed at the Forum was that the drafter of a privacy policy may not have a complete understanding of what data is in fact collected, stored, used and/or shared by the app, for example where third-party code is used in the app’s development. Businesses using one privacy policy for all of their mobile apps, which may differ greatly in the way users’ data are handled, also run the risk of having imprecise privacy policies for individual apps.

Security remains a key concern in relation to personal data collected and handled by mobile apps. It was revealed at the Forum that, alarmingly, some extremely popular mobile apps failed to apply adequate security to safeguard users’ personal data.

Enforcement risks for mobile apps

At the Forum, the Privacy Commissioner referred to enforcement actions that were taken against mobile apps recently, largely due to excessive data collection and inadequate security of personal data.

In recent years, the Privacy Commissioner has served enforcement notices on operators of mobile apps as well as on parties related to the app operators. As a result, the relevant companies have taken corrective actions and, in some instances, the Privacy Commissioner’s enforcement action attracted much media attention, and some of these mobile apps are no longer available in the market.

However, there is a limit to the Privacy Commissioner’s enforcement powers, as demonstrated by a high-profile incident in November 2016 regarding call-blocking apps whose activities were suspected by the PCPD to contravene Hong Kong’s data privacy law. As the apps’ operators were located outside Hong Kong, the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow-up action.

It is most likely that the privacy compliance of mobile apps will continue to be under the close watch of the Privacy Commissioner in the coming months.

Privacy by Design

The Chief Personal Data Officer of the PCPD, Dr Henry Chang, highlighted the ‘Privacy by Design’ approach that businesses should adopt, which brings privacy to the foreground and embeds privacy from the outset into the design specifications and throughout the entire development life cycle of a mobile app. Set out below are key factors that should be considered.

• Data minimisation – The collection of personal data should be reduced to the absolute minimum, especially where sensitive personal data is involved. An assessment of what data the business requires from users, in terms of access and collection, should be undertaken at the outset.

• Surprise minimisation – Businesses should ensure there is transparency to users in terms of what data will be collected or accessed, and provide users with a choice to opt out from such access or use where possible. It is important for businesses to manage the expectations of users and eliminate or minimise any possible adverse effects of data collection and use.

• Risk minimisation – Businesses must ensure adequate protection of data being transmitted and/or stored, for example through encryption and access control.

• Trust and respect – To earn the trust and respect of users, it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects, even if it does not amount to personal data. This is key, as mobile devices contain a vast amount of personal data and other data that may be considered private, and users would be concerned about whether the mobile app accesses or collects any of this data.

In particular, businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users, rather than a compliance hurdle to avoid investigation or enforcement action by the Privacy Commissioner. Businesses should ensure the data collection and handling practices in respect of their mobile apps are not only compliant with the law, but that the privacy policies, privacy notifications and consents are sufficiently clear and transparent to gain the trust and respect of users.


Singapore’s Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC has published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident with the Monetary Authority of Singapore (MAS) concerning a multinational bank. The PDPC has also recently announced the need for organisations to improve their data security and data protection measures, and has issued new guides, primarily focusing on data protection measures, which organisations should consider carefully.

Recent enforcement decisions

Some of the key points to note from the three recent enforcement decisions:

• A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.

• A document processing company was fined SGD 5,000 for a data breach after 195 individuals received account statements of other account holders held on the Singapore Exchange.

• A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (being the policy holder’s chiropractor) in order to obtain further medical information about the policy holder in September 2015. The PDPC found that the disclosure of the policy holder’s bank account details, being of a sensitive financial nature, was not for a reasonable purpose.

It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of ‘sensitive personal data’ requiring additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.

As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were a result of inadequate data security measures which led to unauthorised disclosure of personal data.

SINGAPORE’S ENFORCEMENT OF DATA PROTECTION LAW ON THE RISE

By Scott Thiel, Partner, Carolyn Bigg, Of Counsel, and Amy Kong, Associate (Hong Kong)


Investigation into a multinational bank’s data disposal incident

The PDPC and the MAS have joined forces in an investigation against a multinational bank (Bank) following a recent report relating to the Bank’s disposal of client documents. In June 2016, it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank’s headquarters in Singapore.

The MAS is working closely with the PDPC to review the incident, and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers’ data.

New guides issued by the PDPC

To accompany its recent media release urging organisations to improve their data security measures, and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, securing personal data in electronic medium, and building websites for small to medium enterprises.

The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding content on withdrawal of consent and access requests. Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing their data handling practices.

Some interesting issues to note

The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third-party contracts. Such data protection clauses should contain specific security measures; a schedule listing the authorised personnel who are permitted to access the personal data on a ‘need to know’ basis; a requirement for a written undertaking about the return or deletion of personal data; as well as a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.

The PDPC’s guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).

This article was first published in August 2016. For further updates in relation to Singapore’s data protection laws, please contact Scott Thiel (scott.thiel@dlapiper.com) or Carolyn Bigg (carolyn.bigg@dlapiper.com).


AUSTRALIA – TRADE MARKS – CHANGES TO OFFICIAL FEES

The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees, some of which are intended to align with practices in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.

Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there will no longer be a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptance/registration, the new process will hopefully reduce the administrative burden on applicants somewhat.

In addition, the AU$150 fee for opposing a removal application will be abolished. Renewal fees will also increase slightly.

This is an adjustment to official fees only at this time, and DLA Piper Australia is not increasing its fees for the relevant attendances.

HONG KONG’S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD

Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong’s Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees are using their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap 486) (the Ordinance) and the Data Protection Principles (DPPs).

The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and to the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices depending on whether the organisation’s data is stored on the personal devices or within a ‘sandbox’. The Commissioner has suggested, as best practice, that organisations should at the outset of any BYOD implementation conduct risk assessments and implement internal BYOD policies accordingly, to ensure appropriate data privacy and data security compliance.

The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding the use of personal data stored on BYOD devices, and whether adequate security measures are in place to ensure secure transfer and storage of personal data on BYOD equipment (e.g. sandboxing, password protection and independent encryption).

The Information Leaflet also highlights that respect for personal data should be mutual under a BYOD scheme, and any practices implemented to manage employees’ BYOD devices should respect the employees’ private information.

For more information, the Information Leaflet is available here.

DLA Piper’s Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more, please click here.

JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS

In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.

Where the supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, in order to seek a remedy (for example, damages) the supplier must follow the approach prescribed in the Bill. This is likely to be a two-step process. Firstly, the supplier must attempt to resolve the complaint with the procuring entity. Secondly, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.

The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year.

IPT INSIGHTS


WHAT’S ON

Wrap up: 5th Global Technology Summit

On September 27 and 28, DLA Piper’s Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.

This year, the Summit was divided into two distinct days of programming. The first day, called ‘Garage2Global’, was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from ‘garage to global’. The second day, entitled ‘TechLaw’, provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.

Speaker Highlights

At ‘Garage2Global’, Alec Ross, former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day, Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world’s largest networks, which powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates, Inc.

Kicking off ‘TechLaw’, Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions, and how the legal department is viewed as a business partner. During the afternoon sessions, Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, to discuss the GC’s role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world’s largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.

Please visit our Summit website and blog for any further information.

DLA Piper is pleased to announce the launch of Telecommunications Laws of the World.

Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.

Key features include:

• telecommunications laws, regulations and policies

• regulatory bodies or authorities

• overview of consents, licenses and authorisations

• regulatory taxes and fees

• key sanctions and penalties

Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-based stamping for trading transactions, robust, reliable and resilient networks are critical.

Today, telecommunications operators are increasingly seeking to expand customer-specific and value-added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion. At the same time, the growth of OTT (over the top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators’ infrastructure to provide services.

Access Telecommunications Laws of the World here.


Intellectual property webinar series

Throughout 2016, DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact eventsaustralia@dlapiper.com.

• intellectual property issues in China

• confidential information and trade secrets: global insights, global protection

• grey market, parallel importation and anti-counterfeiting

• content protection and digital piracy

• advertising and marketing

Pre-order your copy of the inaugural edition of DLA Piper’s Asia-Pacific Trademark Guide

We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.

Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:

• trademark filing and prosecution

• oppositions

• revocation, invalidation and cancellation

• trademark enforcement

• trademark exploitation

• unregistered trademark rights

• domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piper’s Asia-Pacific Trademark Guide, email APACTMGuide@dlapiper.com.

Are you an in-house lawyer? Join WIN today

WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.


DLA PIPER ASIA PACIFIC TRADEMARK GUIDE 2016

Pre-order your complimentary copy now

We are pleased to bring you the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.

Relevant for the complete brand life cycle, this user-friendly guide looks at such essential issues as:

• trademark filing and prosecution

• oppositions

• revocation, invalidation and cancellation

• trademark enforcement

• trademark exploitation

• unregistered trademark rights

• domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piper’s Asia Pacific Trademark Guide, please complete this card or email us at APACTMGuide@dlapiper.com.


GLOBAL PATENT LAWS AROUND THE WORLD

COMING SOON

Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to businesses operating in the countries featured: for example, what acts infringe a patent, the availability of and approach to granting preliminary injunctions, the ability to obtain evidence, the approach to assessing validity, and the typical time to trial. For companies operating in multiple countries, managing the risk of, and successfully bringing or defending, patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those in other countries.

DLA PIPER’S PATENT GROUP

With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.

For further information, please contact us by email at patents@dlapiper.com.

Benefits of Global Patent Laws: patent laws simply put; global reach; easy access 24/7.

Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and the procedural matters businesses need to know about. The handbook includes guidance on:

• infringing conduct

• defences to infringement

• before taking action

• patent validity

• taking action

• remedies

• procedure & timing


CYBER RISK: SECURING YOUR SUCCESS

Recently, Aon, DLA Piper and Symantec hosted a cyber risk symposium across Australia. The guest speakers on the day delivered important clarity regarding the global threat environment. This article is a summary of the legal influences on the cyber risk landscape and the technology solutions and strategies available that were discussed throughout the event. It also explores the growing role played by cyber insurance in underpinning safe and sustainable business models.


Cyber security is becoming part of the national conversation. It is a conversation initiated by a rash of attacks on public and private computing infrastructure, propelled by the Federal Government’s cyber security strategy released in early 2016, and amplified by the high-profile Census debacle.

But cyber security requires more than talk; it demands action. Organisations that effectively identify and plot their risk profile, and take steps to manage, mitigate and, where appropriate, transfer that risk, secure their future and are better poised to reap competitive rewards.

By being able to demonstrate a sophisticated and comprehensive approach to cyber security, a company positions itself as a favoured and trusted business partner. But this is not a set-and-forget strategy: the threat landscape is in a state of constant flux, and organisations need to regularly review and refresh their approach.

The global threat environment

There are no longer any doubts that cyber risk is an immediate and significant issue for enterprises of all scales and in every sector. Left unchecked, it can bring corporations and countries to their knees.

According to Professor Greg Austin, director of the Australian Centre for Cyber Security, one of the major challenges is that the full dimensions of the problem are still being assessed globally. But he notes that US President Barack Obama has, for the second year, declared a national emergency in cyberspace, which indicates the scale and seriousness of the global problem.

China, according to Prof Austin, has also stepped up its efforts in the area, under the direct control of the President, and has introduced a draft bill on cyber security.

In Australia, the Prime Minister has assessed that cyber-crime has an economic impact ranging somewhere between $1 billion and $17 billion. Prof Austin said that extraordinary range indicates the continued lack of clarity about the true extent of the problem.

Where there is no lack of clarity is in the acknowledgement that there is a problem, and senior managers and boards are increasingly concerned.

A PricewaterhouseCoopers report into global economic crime has, for the first time, identified cyber-crime as the number one threat – edging out asset misappropriation.

Prof Austin says that eight vectors of attack are currently in evidence – software, hardware, networks, payload, people, power supply, policy and ecosystem. In addition, nine major sources of threats have been identified, and Symantec data suggests there are as many as 30 different threat types.

These variables, in combination, make it difficult if not impossible to prevent any and all attacks. Prof Austin's warnings are stark: "The criminals are always ahead of you or I… the bad news is that governments are well behind criminals and corporates."

While he acknowledges that the chances of a serious cyber-attack on any one corporation or entity are quite low, the probability of the consequences being high in a handful of cases is extremely high. And that, he says, is what organisations need to prepare for.

Legal influences on the cyber risk landscape

Legislation and regulation often lag behind technology, and this is particularly evident in the cyber security area, where nations continually play catch-up.

Enterprises operating internationally must navigate a global legal landscape in constant flux and establish strategies for managing security and data that comply with regulations locally and regionally.

This is particularly challenging for companies migrating information systems to the cloud. While there may be scale, cost and flexibility benefits associated with cloud computing services, it is essential to review contracts regarding how data will be treated and to identify any potential security gaps.

Blue Edge Lab, a wholly owned subsidiary of DLA Piper, delivers a solution to track legislative changes regionally, called CyberTrak. (Blue Edge Lab is not a law firm and does not provide legal services.) Organisations which operate in multiple jurisdictions must navigate complex rules surrounding privacy, data and security. Scott Thiel, DLA Piper partner specialising in technology and privacy, says that organisations operating in multiple jurisdictions need to decide whether to take a "high watermark approach" and establish security and privacy settings that meet the most stringent conditions in the countries in which they operate, or to tackle the issue country by country.

Neither is ideal – the costs associated with meeting high watermark regulation across the region could be high – while a piecemeal approach could be difficult to maintain, especially given the rapid pace of change. However, failing to address the issue properly is a mistake with potentially serious financial implications: witness the company sued for HK$15 million over a consumer's "hurt feelings" regarding unauthorised exposure of their data.


Beyond compliance, there is the opportunity to leverage investment in cyber security and data protection to deliver competitive advantage, especially following the Panama Papers leak, which threw the issue into sharp relief.

Organisations pitching for work, responding to tenders or planning an IPO may find it an advantage to be able to reference a comprehensive, even audited, data collection, storage and use strategy, along with a well-constructed and rehearsed cyber security plan. That plan should leverage technology solutions and services such as encryption, penetration testing and employee education, along with an appropriate insurance framework to mitigate and transfer the risk of financial consequences associated with a breach.

In the event of a breach, this also streamlines discussions with regulators. An enterprise able to identify where its data is stored (whether on premises or in the cloud), and also reference the technologies, policies and procedures in place to protect that data, should also then be able to identify where the plan proved lacking in the event of a breach and provide a voluntary undertaking to the regulator to fix that issue.

Says Thiel: "Institutional awareness of how systems hang together will speed root problem analysis and rectification."

Cyber rules around the region

Australia: the arrival of a new privacy amendment Bill and mandatory data breach notification for serious breaches is expected to be a game changer.

China: racing ahead in terms of regulations, and has a security draft law which will have significant implications for international companies operating in the PRC.

Hong Kong: specific and stringent security requirements. While there are no data breach notification rules, these are expected in 12–18 months. The first person to be jailed for a privacy breach was a Hong Kong-based insurance broker.

Singapore: legislation in place for over two years, and more meaningful enforcement is anticipated, while regulations are expected to evolve, particularly for foreign enterprises.

Japan: a mix of regulations impacting various industries, but a strong culture of compliance, meaning the level of enforcement is low because of fear of reputational damage.

South Korea: a long tradition of privacy and security law and robust enforcement with serious enterprise consequences.

Thailand: some constitutional requirements but no breach notification.


In the event of a breach…

1. Refer to the data breach response plan

2. Call lawyers to preserve privilege

3. Involve communications and PR team

4. Alert insurers to the breach

5. Seek advice from lawyers and insurers regarding extortion (ransomware) attempts before any payments

6. Engage incident response team to analyse breach and remediate

Access DLA Piper's cyber incident/data breach response: Your emergency checklist, here: httpswwwdlapipercomenaustraliainsightspublications201504cyber-data-breach-checklist

Assessing the technology/insurance inflexion point

Technology and education are the first frontier of data protection and cyber security. Investing in a spread of security technologies, such as firewalls, encryption, system monitoring, vulnerability assessments and penetration testing, along with effective employee education programmes to ensure staff understand how to avoid spear phishing or ransomware attacks, is essential for any organisation.

There is, however, a point at which additional investment in security offers diminishing value. At this inflexion point, an organisation needs to refocus its investment attention toward cyber risk insurance.

Tim Fitzgerald, chief security officer and VP at Symantec, explains that exactly when an organisation reaches that inflexion point will vary, and will also be impacted by the scale of an organisation's data collection, its reliance on cloud computing services, its deployment of Internet of Things devices and the mobility of its workforce and user base.

He recommends that organisations conduct a cyber risk assessment, analyse the data stores held, assess by whom and why they may be targeted, and then develop a security strategy based on that insight. The board and senior managers need to be apprised of the security risk and strategy and, through gap analysis, determine the need for cyber insurance, understanding that conventional corporate insurance policies are unlikely to properly protect an organisation in the event of a cyber-attack.

A data breach response plan, which can be informed by the Office of the Australian Information Commissioner's guidelines (httpswwwoaicgovauresourcesagencies-and-organisationsguidesdata-breach-notification-guide-august-2014pdf), ensures that, should a cyber-attack occur, the organisation and staff understand their responsibilities. A comprehensive response plan also demonstrates good governance to business partners, investors and regulators.

However, any cyber response plan must remain a living document and needs regular review, ensuring that current regulatory requirements are acknowledged.

In addition, any personnel with responsibilities under that plan must be properly trained to act swiftly in the event of a breach. The plan should also identify any third party support services required should an attack occur, allowing engagement contracts to be negotiated well in advance.


Organisations attacked once are three times more likely to be attacked again – Symantec

45x more cyber ransom events year on year – Symantec


Digital transformation and the impact of insurance

Once an organisation has deployed robust technology defences, educated staff about the risks of cyber-attack and promulgated policies about how to react and respond to cyber events, it has laid important foundations for its protection.

Those people, process and technology foundations provide a platform from which the organisation is able to negotiate appropriate and cost-effective cyber insurance.

By analysing the potential impact of an attack on the financial statement, the organisation can determine what coverage it requires.

Kevin Kalinich, Aon's global cyber practice leader, advises organisations to look at the industry in which they operate and benchmark the range of losses that could arise, knowing the value of data assets held and the impact of a cyber-attack in terms of business interruption, the impact on supply chains, on SCADA industrial control systems, and on reputation and brand.

The anticipated introduction of mandated data breach notification should spur action, and organisations with international operations need to ensure that they are properly protected in all the geographies in which they operate. Based on international experience, mandated breach notification leads to significant costs associated with legal services, regulator notification, customer notification, forensics, remediation and, potentially, compensation claims.

"Take steps to mitigate, to allocate liability or minimise your own liability. This is not all about prevention – it is about your response. If you have prepared a response, there is data that shows you can reduce the total cost of an incident," says Kalinich.

He also warns that organisations should not assume that their existing insurance policies provide any coverage in the event of a cyber-attack, nor that a third party information systems provider, such as a cloud computing vendor, would have them covered. Similarly, existing directors and officers policies and professional indemnity coverage might prove inadequate should a cyber-attack take place.

In order to properly analyse the risk profile, Kalinich advocates risk quantification modelling in combination with Monte Carlo evaluation techniques. The resulting macro-level understanding of the challenge allows an organisation to then work with an insurance broker to craft appropriate risk coverage.

Off-the-shelf policies have limited value. Base cyber insurance policies can cover external hacks, malicious code and internal mistakes – but may not cover the impact of a bug in the system. Consequential – punitive, incidental – costs are excluded from all base insurance policies, as is tangible property damage, but can be negotiated in a customised policy.

Effective cyber insurance policies also cover costs associated with legal support, communications costs, forensic analysis, notification and remediation services.

Kalinich warns, however, that given the changes in the legal landscape and the technology terrain, this is not a set-and-forget requirement, noting that risk assessment needs to be both thorough and regular.

Armed with that insight, the organisation can work with an insurance broker to find, tailor and stress test a cyber insurance policy to ensure the effective reduction of enterprise risk.

Cyber risk: are you properly prepared?

There are four key questions that every organisation needs to address regarding cyber risk and protection:

What can go wrong?

How bad can it be?

How am I protected?

Will my insurance work?

Assessing the organisational risk profile requires input from multiple stakeholders, including the chief financial officer, chief information security officer, risk management head and legal counsel. External consultants can also provide a fresh lens through which to explore exposure.

Knowing the risk is one thing – dealing with it effectively also demands the support of the most senior management and board. Effective security requires a whole-organisation commitment, from the top down.

The anticipated mandatory breach notification legislation will require organisations to alert authorities not only when they are aware of a breach but when those organisations "ought reasonably to have been aware", which suggests regulators may penalise companies found to have inadequate security systems. It is also not yet clear whether there will be any extra-territorial implications of the legislation for organisations operating overseas branches or subsidiaries.

Cyber security is a critical issue for organisations of every scale and in every sector. Robust and comprehensive security frameworks, a well-crafted response plan and effective cyber insurance, developed in concert and reviewed regularly, deliver the maximum protection and an important competitive edge.


UNFAIR CONTRACT TERMS IN THE IT SPACE: WHAT YOU NEED TO KNOW

By Sarah Dolan, Senior Associate (Melbourne) and Stephanie Tran, Graduate (Melbourne)


The 'one size fits all' approach to contracting is a common feature within the IT industry. Standard form contracts are an efficient and cost-effective method of doing business and are often used for online terms of use and for projects which are of low risk, value and/or complexity.

From 12 November 2016, the unfair contract terms regime in the Australian Consumer Law, which until then only applied to individual consumers, was extended to contracts where at least one party is a "small business" and the upfront price payable is $300,000 (or $1 million if the contract is for a term longer than 12 months). A "small business" is a business that employs fewer than 20 people. The regime will also apply to contracts which are varied after 12 November 2016.

What is an "unfair" contract term?

Whether a term is "unfair" is decided by a court or tribunal. A term is "unfair" if the following three criteria are satisfied:

it causes a significant imbalance in the parties' rights and obligations under the contract;

it is not reasonably necessary to protect the legitimate interest of the party who would be advantaged by the term; and

it would cause detriment (whether financial or otherwise) to a party if the term were relied upon.

A court or tribunal, in determining whether a term is unfair, must assess the transparency of the term. This includes an assessment of how the term is expressed: is it in plain language, and is it presented clearly? The court or tribunal must also consider the term in light of the contract as a whole and not in isolation.

Unfair terms in standard form contracts

Examples of standard form contract terms that may be challenged in court or at a tribunal for "unfairness" include:

terms requiring the customer to indemnify the supplier for any damage caused, even if it is caused by the supplier's own negligence;

terms that allow a supplier to cancel a contract at will for an inconsequential breach of contract by the customer;

terms that restrict a customer from obtaining a refund or exercising a termination right where the supplier has failed to meet its obligations under the contract; and

terms that provide for automatic renewal without the customer's consent.

What does this mean for your business?

Where a supplier's business model is directed at providing services to small to medium enterprises (SMEs), and the supplier has not had to address this issue in the past for "consumer" customers, it is likely to be impacted by this extension of the unfair contract terms regime. Standard form contracts (e.g. online terms of use, confidentiality agreements, software licences, support agreements, supply and/or services contracts) for SME customers should be reviewed to determine whether any of the terms may be considered "unfair".

If a court determines that a term is "unfair", it can make a range of orders, including declaring part or all of the contract void and/or varying the contract. If a court orders a contract to be varied, this may result in the supplier being unable to enforce other rights it may otherwise have, either under the contract itself or at law.

Additionally, customers which are small businesses may challenge contract terms that they consider are unfair to prevent a supplier from enforcing express rights under the contract. Such challenges will cost a supplier both time and money to address, even if it is able to successfully defend the claim. In addition, in this day of instant and free customer feedback on social media sites, there is also the risk of reputational damage in the market.

Suppliers should ensure their standard terms are appropriate for the type, size and nature of both the target customer and the goods and services being provided, with an appropriate balance of risk and responsibility between the parties.


INSURTECH

By Carolyn Bigg, Of Counsel (Hong Kong) and Sarah Fountain, Senior Associate (Melbourne)


The customer experience of insurance has largely remained the same for many years. A customer completes a proposal form (normally in hard copy) and submits it to the broker; the broker requests quotes from insurers; insurers provide quotes; the broker places a policy; the policy is issued (normally on an annual basis); and then the customer probably gives no further thought to it unless he or she needs to make a claim. This process does not fit well with the digital era we now live in and has not adapted quickly enough to meet changing consumer expectations, largely driven by millennials.

Insurers widely recognise the need to innovate. Despite this, most insurers have been slow to change their ways, with less than a quarter giving customers the option to submit claims online. This signals huge opportunities for those in the insurance sector, which explains the huge growth we are seeing in 'insurtech' (a word that was barely known a few years ago but now seems to be everywhere). Globally, investment in insurtech increased from US$800 million in 2014 to US$26 billion in 2015, and was US$1 billion in the first half of 2016.

Across Asia Pacific there are numerous examples of insurers embracing insurtech. Some insurers have opened innovation labs or incubators, such as Metlife's LumenLabs in Singapore. Others have established corporate VC funds to invest in insurtech startups that will drive value for the business. For example, Suncorp recently invested in Trov, an app that allows customers to turn insurance on and off by swiping right or left on their phones. We have also seen collaboration between insurers and car manufacturers to make available one-click, single-use motor vehicle policies in connected cars, as well as collaboration between insurers and technology companies. Another indicator of the opportunities in insurtech is the level of interest shown in the insurance market by leading players in other markets. For example, earlier this year China Mobile announced it is planning to enter the insurance market by making significant investments in two insurance companies.

These initiatives are already starting to have an impact on the insurance experience. The use of drones by insurance companies to assess property damage is reducing claims costs and the time taken to assess claims. The implementation of wearable technology in the workplace, such as smart glasses and smart hats, is increasing workplace safety and thereby reducing the risk of injuries. The use of wearable devices has also been adopted by health insurers and life insurers, enabling them to capture data and potentially pass on lower premiums to policy holders. In the future, we predict the most significant areas of growth and change in insurtech will be data analytics, wearables and IoT, blockchain and artificial intelligence.

Whilst regulators understandably adopt a cautious approach, they are taking steps to encourage fintech and insurtech initiatives. The Monetary Authority of Singapore very recently published guidelines for a 'regulatory sandbox' to encourage growth in fintech within a relaxed regulatory environment. This follows the announcement by the Australian Securities & Investments Commission of a sandbox for fintech businesses.

As the insurance sector becomes increasingly digitised, cybersecurity risks also increase. Regulators around the region have published new and updated guidance that is relevant to the increasingly sophisticated cybersecurity threats. It is important that insurers' compliance and risk teams focus not only on the immediate cybersecurity compliance obligations arising from the latest regulations but also ensure that cybersecurity compliance programmes are developed to take into account increasing reliance on technology and data at the core of their operations.

As technology continues to evolve and improve, insurtech opportunities will increase. Although the rise of insurtech has been rapid in recent years, it is still in its infancy. This presents significant opportunities for insurers who adapt to changing consumer expectations and invest in insurtech, especially in Asia, where many people are uninsured but are well connected and spend a lot of time online via their mobile devices. Adapting quickly to this dynamic landscape will enable insurers to remain competitive.

PROPOSED AUSTRALIAN MANDATORY DATA BREACH NOTIFICATION REGIME

By Nicholas Boyle, Senior Associate (Sydney)

In October 2016, the Federal Government introduced the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill) to the House of Representatives to amend the Privacy Act to establish a regime for mandatory notification of eligible data breaches. There is bipartisan support for the Bill, and it is likely to become law in late 2016 or early 2017.

What are the mandatory data breach notification requirements under the Bill?

The Bill requires that an entity must, as soon as practicable, comply with the notification steps outlined below if:

the entity becomes aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity; or

the Information Commissioner directs the entity to do so.

If an 'eligible data breach' occurs in relation to information which has been disclosed to (and is held by) an overseas recipient by an entity, the entity that disclosed the information must comply.

Step 1: Prepare a statement setting out the prescribed details

The affected entity must prepare a statement that sets out:

the identity and contact details of the entity. If the eligible data breach relates to more than one entity, the statement may set out the identity and contact details of those other entities;

a description of the eligible data breach;

the kind or kinds of information affected by the eligible data breach; and

recommendations about the steps that individuals who are or may be affected by the eligible data breach should take in response to it.

If a statement is prepared at the direction of the Information Commissioner, the statement must also include any information specified in that direction.

Step 2: Give a copy of the prepared statement to the Information Commissioner

Step 3: Notify the contents of the statement to individuals whose information is affected by the eligible data breach

Where practicable, the affected entity must take reasonable steps to notify the contents of the statement to those individuals who are or may be affected by the eligible data breach. The entity may use the channels it ordinarily uses to communicate with individuals (e.g. email, text message, mail) to provide those notifications, but that does not limit the obligation to take reasonable steps or the methods of communication that the entity can use.

If it is not practicable for the affected entity to notify individuals, the affected entity must publish a copy of the statement on its website (if any) and take reasonable steps to publicise the contents of the statement.

What are 'eligible data breaches'?

An 'eligible data breach' occurs when:

there is unauthorised access to, or unauthorised disclosure of, personal, credit reporting or credit eligibility information or a tax file number, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates; or

personal, credit reporting or credit eligibility information or a tax file number is lost where it is likely that (a) unauthorised access to or unauthorised disclosure of the information will occur and (b) such unauthorised access or disclosure will result in serious harm to an individual to whom the information relates.

Remedial action exception to the definition of eligible data breaches

An eligible data breach is deemed never to have occurred where the affected entity:

in the case of lost information, takes action before there is unauthorised access to or unauthorised disclosure of the information which is lost, and no unauthorised access or disclosure actually occurs; or

in the case of information which is the subject of unauthorised access or disclosure, takes action before there is serious harm to any individual to whom the information relates and, because of that action, a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals.

What is 'serious harm'?

'Serious harm' is to be interpreted broadly. The explanatory memorandum to the Bill states that 'serious harm' could include serious physical, psychological, emotional, economic and financial harm, and serious harm to reputation.

The Bill contains a non-exhaustive list of matters to be considered in determining whether or not access to or disclosure of information is likely to result in "serious harm". These matters include:

the kind(s) and sensitivity of the information;

whether the information is protected by one or more security measures and the likelihood of any of these measures being overcome;

the persons, or the kinds of persons, who have obtained or who could obtain the information; and

the nature of the harm.

Exceptions

There are a small number of circumstances in which entities are exempted from complying with the notification obligations:

Multiple affected entities: Where the eligible data breach affects more than one entity and another entity has complied with the notification obligations, those other affected entities do not need to separately comply.

Enforcement related activities: Where the affected entity is an enforcement body and the body's CEO reasonably believes that complying with the notification obligations is likely to prejudice any of its enforcement related activities.

Inconsistency with a secrecy provision: Where complying with the notification obligations is, to any extent, inconsistent with a provision of a law of the Commonwealth that prohibits or regulates the use or disclosure of information.

Declaration by the Commissioner: Where the Information Commissioner declares that the notification obligations do not apply or specifies a particular time by which the affected entity must comply with the notification obligations.

Assessment of suspected eligible data breaches

If an entity has reasonable grounds to suspect an eligible data breach may have occurred, but is not aware of reasonable grounds to believe that an eligible data breach has in fact occurred, the entity must carry out a reasonable and prompt assessment to determine whether an eligible data breach has in fact occurred. This could occur where an entity is notified of a breach by a third party.

The entity must take reasonable steps to complete the assessment within 30 days after forming the suspicion.

If the eligible data breach applies to more than one entity, only one entity needs to undertake an assessment for all entities to comply with this requirement.

wwwdlapipercom | 15

After a third deliberation the Chinese government passed the new PRC cybersecurity law on 7 November 2016 The new law will come into force on 1 June 2017 and has significant implications for the data privacy and cybersecurity practices of both Chinese companies and international organisations doing business in China

The new PRC cybersecurity law intends to combat online fraud and protect China against internet security risks In short it imposes new security and data protection obligations on ldquonetwork operatorsrdquo puts restrictions on transfers of data outside China by ldquokey information infrastructure operatorsrdquo and introduces new restrictions on critical network and cybersecurity products

The new law has been widely reported in both the local and international press While Chinese officials maintain that China is not closing the door on foreign companies with the introduction of this new law there has been widespread international unease since the first reading Commentators have expressed concern that competition will be stifled regarding the handover of intellectual property source codes and security keys to the Chinese government as to perceived increased surveillance and controls over the internet in China and in relation to the data localisation requirements Other new obligations including increased personal data protections have been less controversial but are a clear indicator of the increased focus within the Chinese authorities on data protection and could signal a change to the data protection enforcement environment in China

Some of the key provisions of the final law (which contains some changes to earlier drafts of the law) include (inter alia)

Chinese citizenrsquos personal information and ldquoimportant datardquo gathered and produced by ldquokey information infrastructure operatorsrdquo (KIIO) during operations in China must be kept within the borders of the PRC If it is ldquonecessaryrdquo for the KIIO to transfer such data outside of China a security assessment must be conducted pursuant to the measures jointly formulated by the National Cyberspace Administration and State Council unless other PRC laws

permit the overseas transfer While the final version of the law provides some guidance as to the industry fields that will be ascribed greater protection such as public communications and information service energy transportation water conservancy finance public service and e-government the definition of KIIO remains vague and could potentially be interpreted to cover a broader range of companies and industry sectors ldquoPersonal informationrdquo is defined as including all kinds of information recorded electronically or through other means that taken alone or together with other information is sufficient to identify a natural personrsquos identity including but not limited to natural personsrsquo full names birth dates identification numbers personal biometric information addresses telephone numbers and so forth However the types of information that might constitute ldquoimportant datardquo is currently unclear In any case these data localisation rules are likely to create practical issues for international businesses operating in China

A range of new obligations apply to organisations that are "network operators" (ie network owners, network administrators and network service providers). A "network" means any system comprising computers or other information terminals and related equipment for collection, storage, transmission, exchange and processing of information. Some commentators are suggesting that these broad definitions could catch any business that owns and operates IT networks/infrastructure, or even just websites, in China.

16 | Intellectual Property and Technology News

SIGNIFICANT CHANGES TO DATA AND CYBERSECURITY PRACTICES IN CHINA
By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong), and Paula Cao, Associate (Beijing)

In terms of data protection, network operators must make publicly available data privacy notices (explicitly stating purposes, means and scope of personal information to be collected and used) and obtain individuals' consent when collecting, using and disclosing their personal information. Network operators must adopt technical measures to ensure the security of personal information against loss, destruction or leaks and, in the event of a data security breach, must take immediate remedial action and promptly notify users and the relevant authorities. They must also comply with principles of legality, propriety and necessity in their data handling and not be excessive, not provide an individual's personal information to others without the individual's consent, nor illegally sell an individual's personal data to others. The rules do not apply to truly anonymised data. There are also general obligations to keep user information confidential and to establish and maintain data protection systems. Data subject rights to correction of their data, as well as a right to request deletion of data in the event of a data breach, are also provided. While an earlier draft specifically provided protection to personal information of "citizens", the final law does not make this distinction and so seemingly offers a broader protection to all personal information. These requirements formalise as binding legal obligations some data protection safeguards that were previously only perceived as best practice guidance in China.

As regards network security, network operators must fulfil certain tiered security obligations according to the requirements of the classified protection system for cybersecurity, which includes (amongst other things): formulating internal security management systems and operating instructions; appointing dedicated cybersecurity personnel; taking technological measures to prevent computer viruses and other similar threats and attacks; formulating plans to monitor and respond to network security incidents; retaining network logs for at least six months; undertaking prescribed data classification, back up, encryption and similar activities; complying with national and mandatory security standards; reporting incidents to users and the authorities; and establishing complaints systems.

Network operators must also provide technical support and assistance to state security bodies safeguarding national security and investigating crimes, and will be subject to government and public supervision. The form and extent of such cooperation is not currently clear, and international businesses have expressed concerns over the extent to which this may require them to disclose their IP, proprietary and confidential information to the Chinese authorities.

More general conditions on network operators carrying out business and service activities include obeying all laws and regulations, mandatory and industry national standards, social norms and commercial ethics, being honest and credible, and bearing social responsibility. There are also requirements on network operators to block, delete and report to the authorities prohibited information and malicious programs published or installed by users.

Network operators handling "network access and domain registration services" for users, including mobile phone and instant message service providers, are required to comply with "real identity" rules when signing up or providing service confirmation to users, or else may not provide the service.

Additional security safeguards apply to KIIOs, including security background checks on key managers, staff training obligations, disaster recovery back ups, emergency response planning, and annual inspections and assessments. Further, strict procurement procedures will apply to KIIOs buying network products and services.

Providers of "network products and services" must comply with national and mandatory standards; their products and services must not contain malicious programs; they must take remedial action against security issues and report them to users and relevant authorities; and they must provide security maintenance for their products and services, which cannot be terminated within the contract term agreed with customers. These new conditions will require providers of technology products and services to review and update their product and related maintenance offerings and, in particular, the contractual terms on which they are offered to customers.

Critical network equipment and specialised cybersecurity products must obtain government certification or meet prescribed safety inspection requirements before being sold or provided. This potentially catches a wide range of software, hardware and other technologies being sold, or proposed to be sold, by international companies in China, since the definitions used in the law are drafted very broadly. Further guidance by way of a catalogue of key network products is expected in due course. There are concerns that this may create barriers to international businesses looking to enter the Chinese market.


Each individual and organisation shall be responsible for its own use of websites and may not set up websites or communication groups for the purpose of committing fraud, imparting criminal methods, producing or selling prohibited items, or engaging in other unlawful activities. Again, there is scope for this to be interpreted and applied broadly.

Institutions, organisations and individuals outside China that cause serious consequences by attacking, interfering with or destructing key information infrastructure of China shall be responsible for any damage, and the relevant public security department of the State Council may freeze assets and impose other sanctions against them. While these provisions would appear to have an extra-territorial effect and could be interpreted very broadly, it is unclear what sanctions could in practice be enforced against organisations without a presence in China.

Other new rules relate to network/online protections for minors, the establishment of schemes for network security monitoring, early warning and breach notification to relevant authorities and the public, as well as rights for individuals and organisations to report conduct endangering network security, opening of public data resources, and prohibitions on hacking and supporting activities.

While criminal sanctions, administrative penalties and civil liabilities potentially await those (both organisations and, in some circumstances, individual employees and officers) who violate the new law, unfortunately great uncertainties remain as to how the new legislation will be enforced, who exactly is caught by the various new rules, and the precise steps that organisations must take to comply with them. It is hoped that the Chinese authorities will publish more detailed practical guidance in the coming months. In the meantime, organisations are strongly advised to review their data privacy and cybersecurity practices in China to ensure compliance with the new law before it comes into force on 1 June 2017, and to keep these under review as further guidance becomes available.


The China State Administration of Industry and Commerce's Online Advertising Regulation (Regulation) came into force on September 1, 2016. The Regulation has been widely regarded as the response to a recent scandal regarding paid search results.

Earlier this year, a promising college student in China, Wei Ze Xi, sought cancer treatment at a hospital which was returned as a paid search result on an internet search engine. The hospital promised that the treatment would be effective and charged Wei US$30,000. The treatment was later found to be ineffective, but Wei could not then afford further

The changes

The newly amended Advertising Law did not expressly address the regulation of 'paid search results', but the new Regulation includes a specific definition of paid search results which sees them classified as an internet advertisement and thus subject to the Advertising Law. As such, the Regulation means, inter alia, paid search results:

must not be misleading;

cannot be used in relation to the advertisement of prescription medication and tobacco products;

cannot be used in relation to the advertisement of medical services, medicine, medical formula food, medical devices, pesticides, veterinary medicines and health care products unless the relevant products and services have been previously approved by the relevant authorities; and

must be able to be closed with 'one click' and must not interfere with a user's internet experience.

The Regulation also requires online advertising service providers to establish internal systems for, inter alia, identifying clients who use paid search results and storing their details and advertisements.

Practical implications

The new Regulation affects not only search engine providers but all online advertising businesses and users of paid search results.

Businesses advertising in China using paid search results must check to ensure such paid search results are in compliance with the Advertising Law, and those businesses operating in any of the restricted fields listed above must now ensure prior approval is sought before placing a paid search result advertisement.

Our team of lawyers in China is ready to advise you on the preparations you need to make for the implementation of the Regulation.

STRICTER PRC ONLINE ADVERTISING REGULATION IN RESPONSE TO SEARCH SCANDAL
By Edward Chatterton, Partner (Hong Kong), Horace Lam, Partner (Beijing), Ian Jebbit, Registered Foreign Lawyer (Hong Kong)


MOBILE APPS UNDER CLOSE WATCH OF THE HONG KONG PRIVACY COMMISSIONER
By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong)

The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps. On 21 April 2016, the Office of the Privacy Commissioner for Personal Data (the PCPD) held the 'Mobile App Development Forum on Privacy and Security' (Forum) for the mobile app industry, which discussed key issues for mobile app developers, businesses and stakeholders to consider when developing and operating mobile apps, in terms of ensuring compliance with the provisions of the Personal Data (Privacy) Ordinance and safeguarding users from cybersecurity risks.

Businesses operating in the mobile app industry and related stakeholders are advised to take note of the below key points raised at the Forum and related issues that they should consider.

Lessons to learn from mobile apps in the market

The Privacy Commissioner highlighted the results of a recent survey on popular mobile apps developed by Hong Kong entities, which revealed a lack of transparency of the personal data handling in relation to the apps. The survey results revealed that most of these local apps did not explain clearly what data they would access and the purposes for such access, and that only around half of these mobile apps provided a privacy policy.

A key risk discussed at the Forum was that the drafter of the privacy policies may not have a complete understanding of what data is in fact collected, stored, used and/or shared by the app, for example in the case of using third party code in the app development. Businesses using the one privacy policy for all of their mobile apps, which differ greatly in the way users' data are handled, also run the risk of having imprecise privacy policies for individual apps.

Security remains a key concern in relation to personal data collected and handled by mobile apps. It was revealed at the Forum that, alarmingly, some extremely popular mobile apps failed to apply adequate security to safeguard users' personal data.

Enforcement risks for mobile apps

At the Forum, the Privacy Commissioner referred to enforcement actions that were taken against mobile apps recently, largely due to excessive data collection and inadequate security of personal data.

In recent years, the Privacy Commissioner has served enforcement notices on operators of mobile apps as well as related parties to the app operators. As a result, the relevant companies have taken corrective actions and, in some instances, the Privacy Commissioner's enforcement action attracted much media attention and some of these mobile apps are no longer available in the market.

However, there is a limit to the Privacy Commissioner's enforcement powers, as demonstrated by a high profile incident in November 2016 regarding call-blocking apps whose activities were suspected by the PCPD to contravene Hong Kong's data privacy law. As the apps' operators were located outside Hong Kong, the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow up action.

It is most likely that the privacy compliance of mobile apps will continue to be under the close watch of the Privacy Commissioner in the coming months.

Privacy by Design

The Chief Personal Data Officer of the PCPD, Dr Henry Chang, highlighted the 'Privacy by Design' approach that business should adopt, which brings privacy to the foreground and embeds privacy from the outset into the design specifications and throughout the entire development life cycle of a mobile app. Set out below are key factors that should be considered.

Data minimisation – The collection of personal data should be reduced to the absolute minimum, especially where sensitive personal data is involved. An assessment of what data the business requires from users, in terms of access and collection, should be undertaken at the outset.

Surprise minimisation – Businesses should ensure there is transparency to users in terms of what data will be collected or accessed, and provide users with a choice to opt out from such access or use where possible. It is important for businesses to manage the expectations of users and eliminate or minimise any possible adverse effects of data collection and use.

Risk minimisation – Businesses must ensure adequate protection of data being transmitted and/or stored, for example through encryption and access control.

Trust and respect – To earn the trust and respect of users, it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects, even if they do not amount to personal data. This is key, as mobile devices contain a vast amount of personal data and other data that may be considered private, and users would be concerned about whether the mobile app accesses or collects any of this data.

In particular, businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users, rather than a compliance hurdle to avoid investigation or enforcement action by the Privacy Commissioner. Businesses should ensure the data collection and handling practices in respect of their mobile apps are not only compliant with the law, but that the privacy policies and privacy notifications and consents are sufficiently clear and transparent to gain the trust and respect of users.


Singapore's Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC has published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident with the Monetary Authority of Singapore (MAS) concerning a multinational bank. The PDPC has also recently announced the need for organisations to improve their data security and data protection measures, and has issued new guides, primarily focusing on data protection measures, which organisations should consider carefully.

Recent enforcement decisions

Some of the key points to note from the three recent enforcement decisions:

A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.

A document processing company was fined SGD 5,000 for a data breach after 195 individuals received account statements of other account holders held on the Singapore Exchange.

A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (being the policy holder's chiropractor) to obtain further medical information about the policy holder in September 2015. The PDPC found that the disclosure of the policy holder's bank account details, being of a sensitive financial nature, was not for a reasonable purpose.

It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of 'sensitive personal data' which requires additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.

As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were a result of inadequate data security measures which led to unauthorised disclosure of personal data.

SINGAPORE'S ENFORCEMENT OF DATA PROTECTION LAW ON THE RISE
By Scott Thiel, Partner, Carolyn Bigg, Of Counsel, Amy Kong, Associate (Hong Kong)


Investigation into a multinational bank's data disposal incident

The PDPC and the MAS have joined forces in an investigation against a multinational bank (Bank) following a recent report relating to the Bank's disposal of client documents. In June 2016, it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank's headquarters in Singapore.

The MAS is working closely with the PDPC to review the incident and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers' data.

New guides issued by the PDPC

To accompany its recent media release urging organisations to improve their data security measures, and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, securing personal data in electronic medium, and building websites for small to medium enterprises.

The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding content on withdrawal of consent and access requests. Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing their data handling practices.

Some interesting issues to note

The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third party contracts. Such data protection clauses should contain: specific security measures; a schedule containing the authorised personnel who are permitted to access the personal data on a 'need to know' basis; a requirement for a written undertaking about return or deletion of personal data; as well as a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.

The PDPC's guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).

This article was first published in August 2016. For further updates in relation to Singapore's data protection laws, please contact Scott Thiel (scott.thiel@dlapiper.com) or Carolyn Bigg (carolyn.bigg@dlapiper.com).


AUSTRALIA – TRADE MARKS – CHANGES TO OFFICIAL FEES

The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees, some of which are to align with practices in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.

Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there will no longer be a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptance/registration, the new process will hopefully reduce the administrative burden on applicants somewhat.

In addition, the AU$150 fee for opposing a removal application will be abolished. Renewal fees will also increase slightly.

This is an adjustment to official fees only at this time, and DLA Piper Australia is not increasing its fees for the relevant attendances.

HONG KONG'S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD

Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong's Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees are using their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap 486) (the Ordinance) and the Data Protection Principles (DPPs).

The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices which differ depending on whether or not the organisation's data is stored on the personal devices or within a 'sandbox'. The Commissioner has suggested as best practice that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance.

The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding use of personal data stored in the BYOD device, and whether adequate security measures are in place to ensure secure transfer and storage of personal data in the BYOD equipment (eg sandboxing, password protection and independent encryption).

The Information Leaflet also highlights that respect for personal data should be mutual under the BYOD scheme, and any practices implemented to manage employees' BYOD devices should respect the employees' private information.

For more information, the Information Leaflet is available here.

DLA Piper's Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more, please click here.

JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS

In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.

Where the supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, in order to seek a remedy (for example, damages) the supplier must follow the approach prescribed in the Bill. This is likely to be a two-step process. Firstly, the supplier must attempt to resolve the complaint with the procuring entity. Secondly, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.

The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year.

IPT INSIGHTS


WHAT'S ON
Wrap up: 5th Global Technology Summit

On September 27 and 28, DLA Piper's Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.

This year the Summit was divided into two distinct days of programming. The first day, which was called 'Garage2Global', was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from 'garage to global'. And the second day, which was entitled 'TechLaw', provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.

Speaker Highlights

At 'Garage2Global', Alec Ross, Former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day, Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world's largest networks, one that powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates, Inc.

Kicking off 'TechLaw', Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions, and how the legal department is viewed as a business partner. During the afternoon sessions, Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, to discuss the GC's role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world's largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.

Please visit our Summit website and blog for any further information.

DLA Piper is pleased to announce the launch of Telecommunications Laws of the World

Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.

Key features include:

telecommunications laws regulations and policies

regulatory bodies or authorities

overview of consents licenses and authorisations

regulatory taxes and fees

key sanctions and penalties

Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-based stamping for trading transactions, robust, reliable and resilient networks are critical.

Today, telecommunications operators are increasingly seeking to expand customer-specific and value added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion. At the same time, the growth of OTT (over the top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators' infrastructure to provide services.

Access Telecommunications Laws of the World here.


Intellectual property webinar series

Throughout 2016, DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact eventsaustralia@dlapiper.com.

intellectual property issues in China

confidential information and trade secrets global insights global protection

grey market parallel importation and anti-counterfeiting

content protection and digital piracy

advertising and marketing

Pre-order your copy of the inaugural edition of DLA Piperrsquos Asia-Pacific Trademark Guide

We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.

Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:

trademark filing and prosecution

oppositions

revocation invalidation and cancellation

trademark enforcement

trademark exploitation

unregistered trademark rights

domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide, email APACTMGuide@dlapiper.com.

Are you an in-house lawyer? Join WIN today

WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.



GLOBAL PATENT LAWS AROUND THE WORLD

COMING SOON

Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to businesses operating in the countries featured: for example, what acts infringe a patent, the availability of and approach to granting preliminary injunctions, the ability to obtain evidence, the approach to assessing validity and the typical time to trial. For companies operating in multiple countries, managing the risk of, and successfully bringing or defending, patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those of other countries.

DLA PIPER'S PATENT GROUP

With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.

For further information, please contact us by email at patents@dlapiper.com.

Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and the procedural matters businesses need to know about. The handbook includes guidance on:

Infringing conduct

Defences to infringement

Before taking action

Patent validity

Taking action

Remedies

Procedure & timing

Benefits of Global Patent Laws: patent laws simply put; global reach; easy access 24/7.


Cyber security is becoming part of the national conversation. It is a conversation initiated by a rash of attacks on public and private computing infrastructure, propelled by the Federal Government's cyber security strategy released in early 2016, and amplified by the high-profile Census debacle.

But cyber security requires more than talk; it demands action. Organisations that effectively identify and plot their risk profile, then take steps to manage, mitigate and, where appropriate, transfer that risk, secure their future and are better poised to reap competitive rewards.

By being able to demonstrate a sophisticated and comprehensive approach to cyber security, a company positions itself as a favoured and trusted business partner. But this is not a set-and-forget strategy: the threat landscape is in a state of constant flux, and organisations need to regularly review and refresh their approach.

The global threat environment

There are no longer any doubts that cyber risk is an immediate and significant issue for enterprises of all scales and in every sector. Left unchecked, it can bring corporations and countries to their knees.

According to Professor Greg Austin, director of the Australian Centre for Cyber Security, one of the major challenges is that the full dimensions of the problem are still being assessed globally. But he notes that US President Barack Obama has, for the second year, declared a national emergency in cyberspace, which indicates the scale and seriousness of the global problem.

China has also stepped up its efforts in the area, according to Prof Austin, placing them under the direct control of the President and introducing a draft bill on cyber security.

In Australia, the Prime Minister has assessed that cyber-crime has an economic impact ranging somewhere between $1 billion and $17 billion. Prof Austin said that extraordinary range indicates the continued lack of clarity about the true extent of the problem.

Where there is no lack of clarity is in the acknowledgement that there is a problem, and senior managers and boards are increasingly concerned.

A PricewaterhouseCoopers report into global economic crime has for the first time identified cyber-crime as the number one threat, edging out asset misappropriation.

Prof Austin says that eight vectors of attack are currently in evidence: software, hardware, networks, payload, people, power supply, policy and ecosystem. In addition, nine major sources of threats have been identified, and Symantec data suggests there are as many as 30 different threat types.

These variables in combination make it difficult, if not impossible, to prevent any and all attacks. Prof Austin's warnings are stark: "The criminals are always ahead of you or I... the bad news is that governments are well behind criminals and corporates."

While he acknowledges that the chances of a serious cyber-attack on any one corporation or entity are quite low, in the handful of cases where an attack does succeed the consequences are likely to be severe. And that, he says, is what organisations need to prepare for.

Legal influences on the cyber risk landscape

Legislation and regulation often lag technology, and this is particularly evident in the cyber security area, where nations continually play catch-up.

Enterprises operating internationally must navigate a global legal landscape in constant flux and establish strategies for managing security and data that comply with regulations locally and regionally.

This is particularly challenging for companies migrating information systems to the cloud. While there may be scale, cost and flexibility benefits associated with cloud computing services, it is essential to review contracts regarding how data will be treated and to identify any potential security gaps.

Blue Edge Lab, a wholly owned subsidiary of DLA Piper, delivers a solution to track legislative changes regionally, called CyberTrak. Blue Edge Lab is not a law firm and does not provide legal services.

Organisations which operate in multiple jurisdictions must navigate complex rules surrounding privacy, data and security. Scott Thiel, DLA Piper partner specialising in technology and privacy, says that such organisations need to decide whether to take a "high watermark approach", establishing security and privacy settings that meet the most stringent conditions in the countries in which they operate, or to tackle the issue country by country.

Neither approach is ideal. The costs associated with meeting high watermark regulation across the region could be high, while a piecemeal approach could be difficult to maintain, especially given the rapid pace of change. However, failing to address the issue properly is a mistake with potentially serious financial implications: witness the company sued for HK$15 million over a consumer's "hurt feelings" regarding unauthorised exposure of their data.


Beyond compliance, there is the opportunity to leverage investment in cyber security and data protection to deliver competitive advantage, especially following the Panama Papers leak, which threw the issue into sharp relief.

Organisations pitching for work, responding to tenders or planning an IPO may find it an advantage to be able to reference a comprehensive, even audited, data collection, storage and use strategy, along with a well-constructed and rehearsed cyber security plan. That plan should leverage technology solutions and services such as encryption, penetration testing and employee education, along with an appropriate insurance framework to mitigate and transfer the risk of financial consequences associated with a breach.

In the event of a breach, this also streamlines discussions with regulators. An enterprise able to identify where its data is stored (whether on premises or in the cloud), and to reference the technologies, policies and procedures in place to protect that data, should also be able to identify where the plan proved lacking and provide a voluntary undertaking to the regulator to fix that issue.

Says Thiel: "Institutional awareness of how systems hang together will speed root problem analysis and rectification."

Cyber rules around the region

Australia: the arrival of a new privacy amendment Bill and mandatory data breach notification for serious breaches is expected to be a game changer.

China: racing ahead in terms of regulations, with a draft security law which will have significant implications for international companies operating in the PRC.

Hong Kong: specific and stringent security requirements. While there are no data breach notification rules, these are expected in 12 to 18 months. The first person to be jailed for a privacy breach was a Hong Kong based insurance broker.

Singapore: legislation in place for over two years, and more meaningful enforcement is anticipated, while regulations are expected to evolve, particularly for foreign enterprises.

Japan: a mix of regulations impacting various industries, but a strong culture of compliance, driven by fear of reputational damage, means the level of enforcement is low.

South Korea: a long tradition of privacy and security law and robust enforcement, with serious consequences for enterprises.

Thailand: some constitutional requirements, but no breach notification.


In the event of a breach...

1. Refer to the data breach response plan.

2. Call lawyers to preserve privilege.

3. Involve the communications and PR team.

4. Alert insurers to the breach.

5. Seek advice from lawyers and insurers regarding extortion (ransomware) attempts before making any payments.

6. Engage the incident response team to analyse the breach and remediate.

Access DLA Piper's Cyber incident/data breach response: your emergency checklist here: https://www.dlapiper.com/en/australia/insights/publications/2015/04/cyber-data-breach-checklist

Assessing the technology/insurance inflexion point

Technology and education are the first frontier of data protection and cyber security. Investing in a spread of security technologies such as firewalls, encryption, system monitoring, vulnerability assessments and penetration testing, along with effective employee education programmes to ensure staff understand how to avoid spear phishing or ransomware attacks, is essential for any organisation.

There is, however, a point at which additional investment in security offers diminishing value. At this inflexion point an organisation needs to refocus its investment attention toward cyber risk insurance.

Tim Fitzgerald, chief security officer and VP at Symantec, explains that exactly when an organisation reaches that inflexion point will vary, and will be affected by the scale of an organisation's data collection, its reliance on cloud computing services, its deployment of internet of things devices, and the mobility of its workforce and user base.

He recommends that organisations conduct a cyber risk assessment, analyse the data stores held, assess by whom and why they may be targeted, and then develop a security strategy based on that insight. The board and senior managers need to be apprised of the security risk and strategy and, through gap analysis, determine the need for cyber insurance, understanding that conventional corporate insurance policies are unlikely to properly protect an organisation in the event of a cyber-attack.

A data breach response plan, which can be informed by the Office of the Australian Information Commissioner's guidelines (https://www.oaic.gov.au/resources/agencies-and-organisations/guides/data-breach-notification-guide-august-2014.pdf), ensures that should a cyber-attack occur, the organisation and its staff understand their responsibilities. A comprehensive response plan also demonstrates good governance to business partners, investors and regulators.

However, any cyber response plan must remain a living document and needs regular review to ensure that current regulatory requirements are acknowledged.

In addition, any personnel with responsibilities under that plan must be properly trained to act swiftly in the event of a breach. The plan should also identify any third-party support services required should an attack occur, allowing engagement contracts to be negotiated well in advance.


Organisations attacked once are three times more likely to be attacked again. (Symantec)

45x more cyber ransom events year on year. (Symantec)


Digital transformation and the impact of insurance

Once an organisation has deployed robust technology defences, educated staff about the risks of cyber-attack and promulgated policies about how to react and respond to cyber events, it has laid important foundations for its protection.

Those people, process and technology foundations provide a platform from which the organisation is able to negotiate appropriate and cost-effective cyber insurance.

By analysing the potential impact of an attack on the financial statements, the organisation can determine what coverage it requires.

Kevin Kalinich, Aon's global cyber practice leader, advises organisations to look at the industry in which they operate and benchmark the range of losses that could arise, knowing the value of the data assets held and the impact of a cyber-attack in terms of business interruption, the impact on supply chains, on SCADA industrial control systems, and on reputation and brand.

The anticipated introduction of mandated data breach notification should spur action, and organisations with international operations need to ensure that they are properly protected in all the geographies in which they operate. Based on international experience, mandated breach notification leads to significant costs associated with legal services, regulator notification, customer notification, forensics, remediation and, potentially, compensation claims.

"Take steps to mitigate, to allocate liability or minimise your own liability. This is not all about prevention; it is about your response. If you have prepared a response, there is data that shows you can reduce the total cost of an incident," says Kalinich.

He also warns that organisations should not assume that their existing insurance policies provide any coverage in the event of a cyber-attack, nor that a third-party information systems provider, such as a cloud computing vendor, would have them covered. Similarly, existing directors and officers policies and professional indemnity coverage might prove inadequate should a cyber-attack take place.

In order to properly analyse the risk profile, Kalinich advocates risk quantification modelling in combination with Monte Carlo evaluation techniques. The resulting macro-level understanding of the challenge allows an organisation to then work with an insurance broker to craft appropriate risk coverage.
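The kind of Monte Carlo loss model Kalinich refers to is straightforward to sketch. What follows is an added example, not Aon's model and not code from the article. It makes constructed, illustrative assumptions: incidents of each kind arrive as a Poisson process with a fixed annual rate, the cost of a single incident is lognormal around a chosen median, and the three scenarios and every parameter value are made-up figures for a hypothetical mid-sized organisation. It simulates many years of total loss, reports the mean and the tail percentiles, and derives the policy limit needed above a self-insured retention at a chosen confidence level.

```python
"""Monte Carlo model of annual cyber loss, used to size an insurance limit.

Added example; not Aon's model or code from the article. Assumptions
(all constructed for illustration): incidents of each kind arrive as a
Poisson process with a fixed annual rate, the cost of one incident is
lognormal around a stated median, and the scenarios are independent.
"""
import math
import random
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class LossScenario:
    name: str
    annual_rate: float   # expected incidents per year (Poisson mean)
    median_loss: float   # median cost of a single incident, in dollars
    sigma: float         # lognormal shape: how heavy the per-incident tail is


# Constructed parameters for a hypothetical mid-sized organisation.
# Real values would come from the industry benchmarking the article describes.
SCENARIOS: List[LossScenario] = [
    LossScenario("data breach (notification, forensics, legal)", 0.4, 750_000, 0.9),
    LossScenario("ransomware business interruption", 0.6, 200_000, 1.1),
    LossScenario("cloud or third-party provider outage", 0.3, 100_000, 0.8),
]


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method; adequate for the small annual rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(scenarios: Sequence[LossScenario],
                           years: int, seed: int = 2016) -> List[float]:
    """Return one total-loss figure per simulated year."""
    rng = random.Random(seed)
    totals: List[float] = []
    for _ in range(years):
        year_total = 0.0
        for s in scenarios:
            for _ in range(_poisson(rng, s.annual_rate)):
                # lognormal with the given median: mu = ln(median)
                year_total += rng.lognormvariate(math.log(s.median_loss), s.sigma)
        totals.append(year_total)
    return totals


def expected_annual_loss(scenarios: Sequence[LossScenario]) -> float:
    """Closed-form mean: rate * median * exp(sigma^2 / 2) per scenario.
    A sanity check that the simulation is wired correctly."""
    return sum(s.annual_rate * s.median_loss * math.exp(s.sigma ** 2 / 2)
               for s in scenarios)


def percentile(values: Sequence[float], q: float) -> float:
    """Nearest-rank percentile for q in [0, 1]."""
    ordered = sorted(values)
    idx = max(0, min(len(ordered) - 1, math.ceil(q * len(ordered)) - 1))
    return ordered[idx]


def summarise(losses: Sequence[float]) -> Dict[str, float]:
    """Mean and tail statistics of the simulated annual losses."""
    return {
        "mean": sum(losses) / len(losses),
        "p50": percentile(losses, 0.50),
        "p95": percentile(losses, 0.95),
        "p99": percentile(losses, 0.99),
        "max": max(losses),
    }


def recommended_limit(losses: Sequence[float], retention: float,
                      confidence: float = 0.95) -> float:
    """Policy limit that, on top of the self-insured retention, absorbs the
    annual loss at the chosen confidence level (a 1-in-20 year by default)."""
    return max(0.0, percentile(losses, confidence) - retention)


if __name__ == "__main__":
    sample = simulate_annual_losses(SCENARIOS, years=20_000)
    stats = summarise(sample)
    print(f"expected annual loss (closed form): {expected_annual_loss(SCENARIOS):,.0f}")
    for label, value in stats.items():
        print(f"{label:>5}: {value:,.0f}")
    print(f"limit above a 250,000 retention at p95: {recommended_limit(sample, 250_000):,.0f}")
```

The closed-form expected_annual_loss is only a check that the simulation is wired correctly; it is the tail percentiles, not the mean, that size the limit, because the rare severe year is what the article says organisations must prepare for. Replacing the constructed parameters with benchmarked frequency and severity figures for the organisation's own industry is the step the broker conversation depends on.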

Off-the-shelf policies have limited value. Base cyber insurance policies can cover external hacks, malicious code and internal mistakes, but may not cover the impact of a bug in the system. Consequential costs (punitive and incidental) are excluded from all base insurance policies, as is tangible property damage, but both can be negotiated into a customised policy.

Effective cyber insurance policies also cover costs associated with legal support, communications, forensic analysis, notification and remediation services.

Kalinich warns, however, that given the changes in the legal landscape and the technology terrain, this is not a set-and-forget requirement, noting that risk assessment needs to be both thorough and regular.

Armed with that insight, the organisation can work with an insurance broker to find, tailor and stress test a cyber insurance policy to ensure the effective reduction of enterprise risk.

Cyber risk: are you properly prepared?

There are four key questions that every organisation needs to address regarding cyber risk and protection:

What can go wrong?

How bad can it be?

How am I protected?

Will my insurance work?

Assessing the organisational risk profile requires input from multiple stakeholders, including the chief financial officer, chief information security officer, head of risk management and legal counsel. External consultants can also provide a fresh lens through which to explore exposure.

Knowing the risk is one thing; dealing with it effectively also demands the support of the most senior management and the board. Effective security requires a whole-organisation commitment from the top down.

The anticipated mandatory breach notification legislation will require organisations to alert authorities not only when they are aware of a breach but also when they "ought reasonably to have been aware" of one, which suggests regulators may penalise companies found to have inadequate security systems. It is also not yet clear whether the legislation will have any extra-territorial implications for organisations operating overseas branches or subsidiaries.

Cyber security is a critical issue for organisations of every scale and in every sector. Robust and comprehensive security frameworks, a well-crafted response plan and effective cyber insurance, developed in concert and reviewed regularly, deliver the maximum protection and an important competitive edge.


UNFAIR CONTRACT TERMS IN THE IT SPACE

WHAT YOU NEED TO KNOW

By Sarah Dolan, Senior Associate (Melbourne) and Stephanie Tran, Graduate (Melbourne)


The 'one size fits all' approach to contracting is a common feature within the IT industry. Standard form contracts are an efficient and cost-effective method of doing business and are often used for online terms of use and for projects which are of low risk, value and/or complexity.

From 12 November 2016, the unfair contract terms regime in the Australian Consumer Law, which until then only applied to individual consumers, was extended to contracts where at least one party is a "small business" and the upfront price payable under the contract does not exceed $300,000 (or $1 million if the contract is for a term longer than 12 months). A "small business" is a business that employs fewer than 20 people. The regime will also apply to contracts which are varied after 12 November 2016.

What is an "unfair" contract term?

Whether a term is "unfair" is decided by a court or tribunal. A term is "unfair" if the following three criteria are satisfied:

it causes a significant imbalance in the parties' rights and obligations under the contract;

it is not reasonably necessary to protect the legitimate interests of the party who would be advantaged by the term; and

it would cause detriment (whether financial or otherwise) to a party if the term were relied upon.

A court or tribunal, in determining whether a term is unfair, must assess the transparency of the term. This includes an assessment of how the term is expressed: is it in plain language, and is it presented clearly? The court or tribunal must also consider the term in light of the contract as a whole and not in isolation.

Unfair terms in standard form contracts

Examples of standard form contract terms that may be challenged in court or at a tribunal for "unfairness" include:

terms requiring the customer to indemnify the supplier for any damage caused, even if it is caused by the supplier's own negligence;

terms that allow a supplier to cancel a contract at will for an inconsequential breach of contract by the customer;

terms that restrict a customer from obtaining a refund or exercising a termination right where the supplier has failed to meet its obligations under the contract; and

terms that provide for automatic renewal without the customer's consent.

What does this mean for your business?

Where a supplier's business model is directed at providing services to small to medium enterprises (SMEs), and the supplier has not had to address this issue in the past for "consumer" customers, it is likely to be impacted by this extension of the unfair contract terms regime. Standard form contracts (eg online terms of use, confidentiality agreements, software licences, support agreements, supply and/or services contracts) for SME customers should be reviewed to determine whether any of the terms may be considered "unfair".

If a court determines that a term is "unfair", it can make a range of orders, including declaring part or all of the contract void and/or varying the contract. If a court orders a contract to be varied, this may result in the supplier being unable to enforce other rights it may otherwise have, either under the contract itself or at law.

Additionally, customers which are small businesses may challenge contract terms that they consider unfair in order to prevent a supplier from enforcing express rights under the contract. Such challenges will cost a supplier both time and money to address, even if it is able to successfully defend the claim. In addition, in this day of instant and free customer feedback on social media sites, there is also the risk of reputational damage in the market.

Suppliers should ensure their standard terms are appropriate for the type, size and nature of both the target customer and the goods and services being provided, with an appropriate balance of risk and responsibility between the parties.


INSURTECH

By Carolyn Bigg, Of Counsel (Hong Kong) and Sarah Fountain, Senior Associate (Melbourne)


The customer experience of insurance has largely remained the same for many years. A customer completes a proposal form (normally in hard copy) and submits it to the broker; the broker requests quotes from insurers; insurers provide quotes; the broker places a policy; the policy is issued (normally on an annual basis); and then the customer probably gives no further thought to it unless he or she needs to make a claim. This process does not fit well with the digital era we now live in and has not adapted quickly enough to meet changing consumer expectations, largely driven by millennials.

Insurers widely recognise the need to innovate. Despite this, most insurers have been slow to change their ways, with less than a quarter giving customers the option to submit claims online. This signals huge opportunities for those in the insurance sector, which explains the huge growth we are seeing in 'insurtech' (a word that was barely known a few years ago but now seems to be everywhere). Globally, investment in insurtech increased from US$800 million in 2014 to US$2.6 billion in 2015, and was US$1 billion in the first half of 2016.

Across Asia Pacific there are numerous examples of insurers embracing insurtech. Some insurers have opened innovation labs or incubators, such as MetLife's LumenLab in Singapore. Others have established corporate VC funds to invest in insurtech startups that will drive value for the business. For example, Suncorp recently invested in Trov, an app that allows customers to turn insurance on and off by swiping right or left on their phones. We have also seen collaboration between insurers and car manufacturers to make available one-click, single-use motor vehicle policies in connected cars, as well as collaboration between insurers and technology companies. Another indicator of the opportunities in insurtech is the level of interest shown in the insurance market by leading players in other markets. For example, earlier this year China Mobile announced it is planning to enter the insurance market by making significant investments in two insurance companies.

These initiatives are already starting to have an impact on the insurance experience. The use of drones by insurance companies to assess property damage is reducing claims costs and the time taken to assess claims. The implementation of wearable technology in the workplace, such as smart glasses and smart hats, is increasing workplace safety and thereby reducing the risk of injuries. The use of wearable devices has also been adopted by health insurers and life insurers, enabling them to capture data and potentially pass on lower premiums to policy holders. In the future, we predict the most significant areas of growth and change in insurtech will be data analytics, wearables and IoT, blockchain and artificial intelligence.

Whilst regulators understandably adopt a cautious approach, they are taking steps to encourage fintech and insurtech initiatives. The Monetary Authority of Singapore very recently published guidelines for a 'regulatory sandbox' to encourage growth in fintech within a relaxed regulatory environment. This follows the announcement by the Australian Securities & Investments Commission of a sandbox for fintech businesses.

As the insurance sector becomes increasingly digitised, cybersecurity risks also increase. Regulators around the region have published new and updated guidance that is relevant to the increasingly sophisticated cybersecurity threats. It is important that insurers' compliance and risk teams focus not only on the immediate cybersecurity compliance obligations arising from the latest regulations, but also ensure that cybersecurity compliance programmes are developed to take into account the increasing reliance on technology and data at the core of their operations.

As technology continues to evolve and improve, insurtech opportunities will increase. Although the rise of insurtech has been rapid in recent years, it is still in its infancy. This presents significant opportunities for insurers who adapt to changing consumer expectations and invest in insurtech, especially in Asia, where many people are uninsured but are well connected and spend a lot of time online via their mobile devices. Adapting quickly to this dynamic landscape will enable insurers to remain competitive.


In October 2016, the Federal Government introduced the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill) to the House of Representatives, to amend the Privacy Act to establish a regime for mandatory notification of eligible data breaches. There is bipartisan support for the Bill, and it is likely to become law in late 2016 or early 2017.

What are the mandatory data breach notification requirements under the Bill?

The Bill requires that an entity must, as soon as practicable, comply with the notification steps outlined below if:

the entity becomes aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity; or

the Information Commissioner directs the entity to do so.

If an 'eligible data breach' occurs in relation to information which an entity has disclosed to (and which is held by) an overseas recipient, the entity that disclosed the information must comply.

Step 1: Prepare a statement setting out the prescribed details

The affected entity must prepare a statement that sets out:

the identity and contact details of the entity (if the eligible data breach relates to more than one entity, the statement may also set out the identity and contact details of those other entities);

a description of the eligible data breach;

the kind or kinds of information affected by the eligible data breach; and

recommendations about the steps that individuals who are or may be affected by the eligible data breach should take in response to it.

If a statement is prepared at the direction of the Information Commissioner, the statement must also include any information specified in that direction.

Step 2: Give a copy of the prepared statement to the Information Commissioner

Step 3: Notify the contents of the statement to individuals whose information is affected by the eligible data breach

Where practicable, the affected entity must take reasonable steps to notify the contents of the statement to those individuals who are or may be affected by the eligible data breach. The entity may use the channels it ordinarily uses to communicate with individuals (eg email, text message, mail) to provide those notifications, but that does not limit the obligation to take reasonable steps or the methods of communication that the entity can use.

If it is not practicable for the affected entity to notify individuals, it must publish a copy of the statement on its website (if any) and take reasonable steps to publicise the contents of the statement.

PROPOSED AUSTRALIAN MANDATORY DATA BREACH NOTIFICATION REGIME

By Nicholas Boyle, Senior Associate (Sydney)


What are lsquoeligible data breachesrsquo

An lsquoeligible data breachrsquo occurs when

there is unauthorised access to or unauthorised disclosure of personal credit reporting or credit eligibility information or a tax file number a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates or

personal credit reporting or credit eligibility information or a tax file number is lost where it is likely that (a) unauthorised access to or unauthorised disclosure of the information will occur and (b) such unauthorised access or disclosure will result in serious harm to an individual to whom the information relates

Remedial action exception to the definition of eligible data breaches

An eligible data breach is deemed never to have occurred where the affected entity

in the case of lost information takes action before there is unauthorised access to or unauthorised disclosure of information which is lost and no unauthorised access or disclosure actually occurs or

in the case of information which is the subject of unauthorised access or disclosure takes action before there is serious harm to any individual to whom the information relates and because of that action a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals

What is lsquoserious harmrsquo

lsquoSerious harmrsquo is to be interpreted broadly The explanatory memorandum to the Bill states that lsquoserious harmrsquo could include serious physical psychological emotional economic and financial harm and serious harm to reputation

The Bill contains a non-exhaustive list of matters to be considered in determining whether or not access to or disclosure of information is likely to result in ldquoserious harmrdquo These matters include

the kind(s) and sensitivity of the information

whether the information is protected by one or more security measures and the likelihood of any of these measures being overcome

the persons or the kinds of persons who have obtained or who could obtain the information

the nature of the harm

Exceptions

There are a small number of circumstances in which entities are exempted from complying with the notification obligations:

Multiple affected entities: where the eligible data breach affects more than one entity and another entity has complied with the notification obligations, the other affected entities do not need to separately comply.

Enforcement related activities: where the affected entity is an enforcement body and the body's CEO reasonably believes that complying with the notification obligations is likely to prejudice any of its enforcement related activities.

Inconsistency with a secrecy provision: where complying with the notification obligations is to any extent inconsistent with a provision of a law of the Commonwealth that prohibits or regulates the use or disclosure of information.

Declaration by the Commissioner: where the Information Commissioner declares that the notification obligations do not apply, or specifies a particular time by which the affected entity must comply with the notification obligations.

Assessment of suspected eligible data breaches

If an entity has reasonable grounds to suspect that an eligible data breach may have occurred, but is not aware of reasonable grounds to believe that an eligible data breach has in fact occurred, the entity must carry out a reasonable and prompt assessment to determine whether an eligible data breach has in fact occurred. This could arise, for example, where an entity is notified of a breach by a third party.

The entity must take reasonable steps to complete the assessment within 30 days after forming the suspicion.

If the suspected eligible data breach relates to more than one entity, only one entity needs to undertake an assessment for all entities to comply with this requirement.

SIGNIFICANT CHANGES TO DATA AND CYBERSECURITY PRACTICES IN CHINA
By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong), and Paula Cao, Associate (Beijing)

After a third deliberation, the Chinese government passed the new PRC Cybersecurity Law on 7 November 2016. The new law will come into force on 1 June 2017 and has significant implications for the data privacy and cybersecurity practices of both Chinese companies and international organisations doing business in China.

The new PRC Cybersecurity Law is intended to combat online fraud and protect China against internet security risks. In short, it imposes new security and data protection obligations on "network operators", puts restrictions on transfers of data outside China by "key information infrastructure operators", and introduces new restrictions on critical network and cybersecurity products.

The new law has been widely reported in both the local and international press. While Chinese officials maintain that China is not closing the door on foreign companies with the introduction of this new law, there has been widespread international unease since the first reading. Commentators have expressed concern that competition will be stifled, about the handover of intellectual property, source code and security keys to the Chinese government, about perceived increased surveillance and controls over the internet in China, and about the data localisation requirements. Other new obligations, including increased personal data protections, have been less controversial, but are a clear indicator of the increased focus within the Chinese authorities on data protection and could signal a change to the data protection enforcement environment in China.

Some of the key provisions of the final law (which contains some changes to earlier drafts of the law) include, inter alia:

Chinese citizens' personal information and "important data" gathered and produced by "key information infrastructure operators" (KIIOs) during operations in China must be kept within the borders of the PRC. If it is "necessary" for the KIIO to transfer such data outside of China, a security assessment must be conducted pursuant to the measures jointly formulated by the National Cyberspace Administration and the State Council, unless other PRC laws permit the overseas transfer. While the final version of the law provides some guidance as to the industry fields that will be ascribed greater protection, such as public communications and information services, energy, transportation, water conservancy, finance, public services and e-government, the definition of KIIO remains vague and could potentially be interpreted to cover a broader range of companies and industry sectors. "Personal information" is defined as including all kinds of information recorded electronically or through other means that, taken alone or together with other information, is sufficient to identify a natural person's identity, including but not limited to natural persons' full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers and so forth. However, the types of information that might constitute "important data" are currently unclear. In any case, these data localisation rules are likely to create practical issues for international businesses operating in China.

A range of new obligations apply to organisations that are "network operators" (ie network owners, network administrators and network service providers). A "network" means any system comprising computers or other information terminals and related equipment for the collection, storage, transmission, exchange and processing of information. Some commentators are suggesting that these broad definitions could catch any business that owns and operates IT networks/infrastructure, or even just websites, in China.

In terms of data protection, network operators must make data privacy notices publicly available (explicitly stating the purposes, means and scope of personal information to be collected and used) and obtain individuals' consent when collecting, using and disclosing their personal information. Network operators must adopt technical measures to ensure the security of personal information against loss, destruction or leaks and, in the event of a data security breach, must take immediate remedial action and promptly notify users and the relevant authorities. They must also comply with principles of legality, propriety and necessity in their data handling and not be excessive, must not provide an individual's personal information to others without the individual's consent, and must not illegally sell an individual's personal data to others. The rules do not apply to truly anonymised data. There are also general obligations to keep user information confidential and to establish and maintain data protection systems. Data subject rights to correction of their data, as well as a right to request deletion of data in the event of a data breach, are also provided. While an earlier draft specifically provided protection to the personal information of "citizens", the final law does not make this distinction and so seemingly offers broader protection to all personal information. These requirements formalise as binding legal obligations some data protection safeguards that were previously only perceived as best practice guidance in China.

As regards network security, network operators must fulfil certain tiered security obligations according to the requirements of the classified protection system for cybersecurity, which include (amongst other things): formulating internal security management systems and operating instructions; appointing dedicated cybersecurity personnel; taking technological measures to prevent computer viruses and other similar threats and attacks; formulating plans to monitor and respond to network security incidents; retaining network logs for at least six months; undertaking prescribed data classification, back-up, encryption and similar activities; complying with national and mandatory security standards; reporting incidents to users and the authorities; and establishing complaints systems.

Network operators must also provide technical support and assistance to state security bodies safeguarding national security and investigating crimes, and will be subject to government and public supervision. The form and extent of such cooperation is not currently clear, and international businesses have expressed concerns over the extent to which this may require them to disclose their IP and proprietary and confidential information to the Chinese authorities.

More general conditions on network operators carrying out business and service activities include obeying all laws and regulations, mandatory and industry national standards, social norms and commercial ethics, being honest and credible, and bearing social responsibility. There are also requirements on network operators to block, delete and report to the authorities prohibited information and malicious programs published or installed by users.

Network operators handling "network access and domain registration services" for users, including mobile phone and instant message service providers, are required to comply with "real identity" rules when signing up or providing service confirmation to users, or else may not provide the service.

Additional security safeguards apply to KIIOs, including security background checks on key managers, staff training obligations, disaster recovery back-ups, emergency response planning, and annual inspections and assessments. Further, strict procurement procedures will apply to KIIOs buying network products and services.

Providers of "network products and services" must comply with national and mandatory standards; their products and services must not contain malicious programs; they must take remedial action against security issues and report them to users and the relevant authorities; and they must provide security maintenance for their products and services, which cannot be terminated within the contract term agreed with customers. These new conditions will require providers of technology products and services to review and update their product and related maintenance offerings and, in particular, the contractual terms on which they are offered to customers.

Critical network equipment and specialised cybersecurity products must obtain government certification or meet prescribed safety inspection requirements before being sold or provided. This potentially catches a wide range of software, hardware and other technologies being sold, or proposed to be sold, by international companies in China, since the definitions used in the law are drafted very broadly. Further guidance, by way of a catalogue of key network products, is expected in due course. There are concerns that this may create barriers to international businesses looking to enter the Chinese market.


Each individual and organisation shall be responsible for its own use of websites and may not set up websites or communication groups for the purpose of committing fraud, imparting criminal methods, producing or selling prohibited items, or engaging in other unlawful activities. Again, there is scope for this to be interpreted and applied broadly.

Institutions, organisations and individuals outside China that cause serious consequences by attacking, interfering with or destroying key information infrastructure of China shall be responsible for any damage, and the relevant public security department of the State Council may freeze assets and impose other sanctions against them. While these provisions would appear to have an extra-territorial effect and could be interpreted very broadly, it is unclear what sanctions could in practice be enforced against organisations without a presence in China.

Other new rules relate to network/online protections for minors; the establishment of schemes for network security monitoring, early warning and breach notification to the relevant authorities and the public; rights for individuals and organisations to report conduct endangering network security; the opening of public data resources; and prohibitions on hacking and supporting activities.

While criminal sanctions, administrative penalties and civil liabilities potentially await those (both organisations and, in some circumstances, individual employees and officers) who violate the new law, unfortunately great uncertainties remain as to how the new legislation will be enforced, who exactly is caught by the various new rules, and the precise steps that organisations must take to comply with them. It is hoped that the Chinese authorities will publish more detailed practical guidance in the coming months. In the meantime, organisations are strongly advised to review their data privacy and cybersecurity practices in China to ensure compliance with the new law before it comes into force on 1 June 2017, and to keep these under review as further guidance becomes available.

STRICTER PRC ONLINE ADVERTISING REGULATION IN RESPONSE TO SEARCH SCANDAL
By Edward Chatterton, Partner (Hong Kong), Horace Lam, Partner (Beijing), and Ian Jebbit, Registered Foreign Lawyer (Hong Kong)

The China State Administration of Industry and Commerce's Online Advertising Regulation (Regulation) came into force on 1 September 2016. The Regulation has been widely regarded as the response to a recent scandal regarding paid search results.

Earlier this year, a promising college student in China, Wei Ze Xi, sought cancer treatment at a hospital which was returned as a paid search result on an internet search engine. The hospital promised that the treatment would be effective and charged Wei US$30,000. The treatment was later found to be ineffective, but Wei could not then afford further

The changes

The newly amended Advertising Law did not expressly address the regulation of 'paid search results', but the new Regulation includes a specific definition of paid search results which sees them classified as an internet advertisement and thus subject to the Advertising Law. As such, under the Regulation, paid search results, inter alia:

must not be misleading;

cannot be used in relation to the advertisement of prescription medication and tobacco products;

cannot be used in relation to the advertisement of medical services, medicine, medical formula food, medical devices, pesticides, veterinary medicines and health care products unless the relevant products and services have been previously approved by the relevant authorities; and

must be able to be closed with 'one click' and must not interfere with a user's internet experience.

The Regulation also requires online advertising service providers to establish internal systems for, inter alia, identifying clients who use paid search results and storing their details and advertisements.

Practical implications

The new Regulation affects not only search engine providers but all online advertising businesses and users of paid search results.

Businesses advertising in China using paid search results must check to ensure such paid search results are in compliance with the Advertising Law, and those businesses operating in any of the restricted fields listed above must now ensure prior approval is sought before placing a paid search result advertisement.

Our team of lawyers in China is ready to advise you on the preparations you need to make for the implementation of the Regulation.

MOBILE APPS UNDER CLOSE WATCH OF THE HONG KONG PRIVACY COMMISSIONER
By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong)

The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps. On 21 April 2016, the Office of the Privacy Commissioner for Personal Data (the PCPD) held the 'Mobile App Development Forum on Privacy and Security' (Forum) for the mobile app industry, which discussed key issues for mobile app developers, businesses and stakeholders to consider when developing and operating mobile apps, in terms of ensuring compliance with the provisions of the Personal Data (Privacy) Ordinance and safeguarding users from cybersecurity risks.

Businesses operating in the mobile app industry and related stakeholders are advised to take note of the key points raised at the Forum, and the related issues they should consider, set out below.

Lessons to learn from mobile apps in the market

The Privacy Commissioner highlighted the results of a recent survey on popular mobile apps developed by Hong Kong entities, which revealed a lack of transparency in the apps' handling of personal data. The survey results revealed that most of these local apps did not explain clearly what data they would access and the purposes for such access, and that only around half of these mobile apps provided a privacy policy.

A key risk discussed at the Forum was that the drafter of the privacy policy may not have a complete understanding of what data is in fact collected, stored, used and/or shared by the app, for example where third party code is used in the app's development. Businesses using one privacy policy for all of their mobile apps, where those apps differ greatly in the way users' data are handled, also run the risk of having imprecise privacy policies for individual apps.

Security remains a key concern in relation to personal data collected and handled by mobile apps. It was revealed at the Forum that, alarmingly, some extremely popular mobile apps failed to apply adequate security to safeguard users' personal data.

Enforcement risks for mobile apps

At the Forum, the Privacy Commissioner referred to enforcement actions taken against mobile apps recently, largely due to excessive data collection and inadequate security of personal data.

In recent years, the Privacy Commissioner has served enforcement notices on operators of mobile apps as well as on parties related to the app operators. As a result, the relevant companies have taken corrective actions and, in some instances, the Privacy Commissioner's enforcement action attracted much media attention, and some of these mobile apps are no longer available in the market.

However, there is a limit to the Privacy Commissioner's enforcement powers, as demonstrated by a high profile incident in November 2016 regarding call-blocking apps whose activities were suspected by the PCPD to contravene Hong Kong's data privacy law. As the apps' operators were located outside Hong Kong, the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow-up action.

It is most likely that the privacy compliance of mobile apps will continue to be under the close watch of the Privacy Commissioner in the coming months.

Privacy by Design

The Chief Personal Data Officer of the PCPD, Dr Henry Chang, highlighted the 'Privacy by Design' approach that businesses should adopt, which brings privacy to the foreground and embeds privacy from the outset into the design specifications and throughout the entire development life cycle of a mobile app. Set out below are key factors that should be considered.

Data minimisation: the collection of personal data should be reduced to the absolute minimum, especially where sensitive personal data is involved. An assessment of what data the business requires from users, in terms of access and collection, should be undertaken at the outset.

Surprise minimisation: businesses should ensure there is transparency to users in terms of what data will be collected or accessed, and provide users with a choice to opt out from such access or use where possible. It is important for businesses to manage the expectations of users and eliminate or minimise any possible adverse effects of data collection and use.

Risk minimisation: businesses must ensure adequate protection of data being transmitted and/or stored, for example through encryption and access control.

Trust and respect: to earn the trust and respect of users, it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects, even if it does not amount to personal data. This is key, as mobile devices contain a vast amount of personal data and other data that may be considered private, and users would be concerned about whether the mobile app accesses or collects any of this data.

In particular, businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users, rather than a compliance hurdle to avoid investigation or enforcement action by the Privacy Commissioner. Businesses should ensure that the data collection and handling practices in respect of their mobile apps are not only compliant with the law, but also that the privacy policies, privacy notifications and consents are sufficiently clear and transparent to gain the trust and respect of users.

SINGAPORE'S ENFORCEMENT OF DATA PROTECTION LAW ON THE RISE
By Scott Thiel, Partner, Carolyn Bigg, Of Counsel, and Amy Kong, Associate (Hong Kong)

Singapore's Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC has published a further enforcement decision in June and two decisions in July, and is currently investigating, together with the Monetary Authority of Singapore (MAS), a recent data disposal incident concerning a multinational bank. The PDPC has also recently announced the need for organisations to improve their data security and data protection measures, and has issued new guides, primarily focusing on data protection measures, which organisations should consider carefully.

Recent enforcement decisions

Some of the key points to note from the three recent enforcement decisions:

A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.

A document processing company was fined SGD 5,000 for a data breach after 195 individuals received account statements of other account holders held on the Singapore Exchange.

A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (being the policy holder's chiropractor) in order to obtain further medical information about the policy holder in September 2015. The PDPC found that the disclosure of the policy holder's bank account details, being of a sensitive financial nature, was not for a reasonable purpose.

It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of 'sensitive personal data' requiring additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.

As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were a result of inadequate data security measures which led to unauthorised disclosure of personal data.

Investigation into a multinational bank's data disposal incident

The PDPC and the MAS have joined forces in an investigation against a multinational bank (Bank) following a recent report relating to the Bank's disposal of client documents. In June 2016, it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank's headquarters in Singapore.

The MAS is working closely with the PDPC to review the incident and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers' data.

New guides issued by the PDPC

To accompany its recent media release urging organisations to improve their data security measures, and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, securing personal data in electronic medium, and building websites for small to medium enterprises.

The PDPC has also updated its guide on securing personal data in electronic medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding content on withdrawal of consent and access requests. Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing their data handling practices.

Some interesting issues to note

The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third party contracts. Such data protection clauses should contain specific security measures, a schedule listing the authorised personnel who are permitted to access the personal data on a 'need to know' basis, a requirement for a written undertaking about the return or deletion of personal data, as well as a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.

The PDPC's guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).

This article was first published in August 2016. For further updates in relation to Singapore's data protection laws, please contact Scott Thiel (scott.thiel@dlapiper.com) or Carolyn Bigg (carolyn.bigg@dlapiper.com).

IPT INSIGHTS

AUSTRALIA – TRADE MARKS – CHANGES TO OFFICIAL FEES

The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees, some of which are to align with practices in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.

Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there will no longer be a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptance/registration, the new process will hopefully reduce the administrative burden on applicants somewhat.

In addition, the AU$150 fee for opposing a removal application will be abolished. Renewal fees will also increase slightly.

This is an adjustment to official fees only at this time, and DLA Piper Australia is not increasing its fees for the relevant attendances.

HONG KONG'S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD

Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong's Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees use their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap 486) (the Ordinance) and the Data Protection Principles (DPPs).

The Information Leaflet suggests that organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment, and to the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices depending on whether the organisation's data is stored on the personal devices themselves or within a 'sandbox'. The Commissioner has suggested, as best practice, that organisations should at the outset of any BYOD implementation conduct risk assessments and implement internal BYOD policies accordingly, to ensure appropriate data privacy and data security compliance.

The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding the use of personal data stored on the BYOD device, and whether adequate security measures are in place to ensure secure transfer and storage of personal data on the BYOD equipment (eg sandboxing, password protection and independent encryption).

The Information Leaflet also highlights that respect for personal data should be mutual under a BYOD scheme, and that any practices implemented to manage employees' BYOD devices should respect the employees' private information.

For more information, the Information Leaflet is available here.

DLA Piper's Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more, please click here.

JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS

In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.

Where a supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, in order to seek a remedy (for example, damages) the supplier must follow the approach prescribed in the Bill. This is likely to be a two-step process. Firstly, the supplier must attempt to resolve the complaint with the procuring entity. Secondly, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.

The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year.

WHAT'S ON
Wrap up: 5th Global Technology Summit

On September 27 and 28, DLA Piper's Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.

This year the Summit was divided into two distinct days of programming. The first day, called 'Garage2Global', was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from 'garage to global'. The second day, entitled 'TechLaw', provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.

Speaker Highlights

At 'Garage2Global', Alec Ross, former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day, Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world's largest networks, one that powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates, Inc.

Kicking off 'TechLaw', Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions, and how the legal department is viewed as a business partner. During the afternoon sessions, Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, to discuss the GC's role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world's largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.

Please visit our Summit website and blog for any further information.

DLA Piper is pleased to announce the launch of Telecommunications Laws of the World

Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.

Key features include:

telecommunications laws, regulations and policies

regulatory bodies or authorities

overview of consents, licenses and authorisations

regulatory taxes and fees

key sanctions and penalties

Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-based stamping for trading transactions, robust, reliable and resilient networks are critical.

Today, telecommunications operators are increasingly seeking to expand customer-specific and value-added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion. At the same time, the growth of OTT (over-the-top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators' infrastructure to provide services.

Access Telecommunications Laws of the World here.


Intellectual property webinar series

Throughout 2016, DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact eventsaustralia@dlapiper.com.

intellectual property issues in China

confidential information and trade secrets: global insights, global protection

grey market, parallel importation and anti-counterfeiting

content protection and digital piracy

advertising and marketing

Pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide

We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.

Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:

trademark filing and prosecution

oppositions

revocation, invalidation and cancellation

trademark enforcement

trademark exploitation

unregistered trademark rights

domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide, email APACTMGuide@dlapiper.com.

Are you an in-house lawyer? Join WIN today

WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.


DLA PIPER ASIA PACIFIC TRADEMARK GUIDE 2016

Pre-order your complimentary copy now

We are pleased to bring you the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.

Relevant for the complete brand life cycle, this user-friendly guide looks at such essential issues as:

trademark filing and prosecution

oppositions

revocation, invalidation and cancellation

trademark enforcement

trademark exploitation

unregistered trademark rights

domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piper's Asia Pacific Trademark Guide, please complete this card or email us at APACTMGuide@dlapiper.com.


GLOBAL PATENT LAWS AROUND THE WORLD

COMING SOON

Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to businesses operating in the countries featured: for example, what acts infringe a patent, the availability of and approach to granting preliminary injunctions, the ability to obtain evidence, the approach to assessing validity and the typical time to trial. For companies operating in multiple countries, managing the risk of, and successfully bringing or defending, patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those in other countries.

DLA PIPER'S PATENT GROUP

With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.

For further information, please contact us by email at patents@dlapiper.com.

Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and procedural matters businesses need to know about. The handbook includes guidance on:

infringing conduct

defences to infringement

before taking action

patent validity

taking action

remedies

procedure & timing

Benefits of Global Patent Laws: patent laws, simply put; global reach; easy access 24/7


Beyond compliance, there is the opportunity to leverage investment in cyber security and data protection to deliver competitive advantage, especially following the Panama Papers leak, which threw the issue into sharp relief.

Organisations pitching for work, responding to tenders or planning an IPO may find it an advantage to be able to reference a comprehensive, even audited, data collection, storage and use strategy, along with a well-constructed and rehearsed cyber security plan. That plan should leverage technology solutions and services such as encryption, penetration testing and employee education, along with an appropriate insurance framework to mitigate and transfer the risk of financial consequences associated with a breach.

In the event of a breach, this also streamlines discussions with regulators. An enterprise able to identify where its data is stored (whether on premises or in the cloud), and also reference the technologies, policies and procedures in place to protect that data, should also then be able to identify where the plan proved lacking in the event of a breach and provide a voluntary undertaking to the regulator to fix that issue.

Says Thiel: "Institutional awareness of how systems hang together will speed root problem analysis and rectification."

Cyber rules around the region

Australia: the arrival of a new privacy amendment Bill and mandatory data breach notification for serious breaches is expected to be a game changer.

China: racing ahead in terms of regulations, and has a security draft law which will have significant implications for international companies operating in the PRC.

Hong Kong: specific and stringent security requirements. While there are no data breach notification rules, these are expected in 12–18 months. The first person to be jailed for a privacy breach was a Hong Kong-based insurance broker.

Singapore: legislation in place for over two years, and more meaningful enforcement is anticipated, while regulations are expected to evolve, particularly for foreign enterprises.

Japan: a mix of regulations impacting various industries, but a strong culture of compliance, meaning the level of enforcement is low because of fear of reputational damage.

South Korea: a long tradition of privacy and security law, and robust enforcement with serious enterprise consequences.

Thailand: some constitutional requirements, but no breach notification.


In the event of a breach…

1. Refer to the data breach response plan.

2. Call lawyers to preserve privilege.

3. Involve communications and PR team.

4. Alert insurers to the breach.

5. Seek advice from lawyers and insurers regarding extortion (ransomware) attempts before any payments.

6. Engage incident response team to analyse breach and remediate.

Access DLA Piper's cyber incident/data breach response: Your emergency checklist here: https://www.dlapiper.com/en/australia/insights/publications/2015/04/cyber-data-breach-checklist

Assessing the technology/insurance inflexion point

Technology and education are the first frontier of data protection and cyber security. Investing in a spread of security technologies, such as firewalls, encryption, system monitoring, vulnerability assessments and penetration testing, along with effective employee education programmes to ensure staff understand how to avoid spear phishing or ransomware attacks, is essential for any organisation.

There is, however, a point at which additional investment in security offers diminishing value. At this inflexion point, an organisation needs to refocus its investment attention toward cyber risk insurance.

Tim Fitzgerald, Chief Security Officer and VP at Symantec, explains that exactly when an organisation reaches that inflexion point will vary, and will also be impacted by the scale of an organisation's data collection, its reliance on cloud computing services, deployment of Internet of Things devices and also the mobility of its workforce and user base.

He recommends that organisations conduct a cyber risk assessment, analyse the data stores held, assess by whom and why they may be targeted, and then develop a security strategy based on that insight. The board and senior managers need to be apprised of the security risk and strategy and, through gap analysis, determine the need for cyber insurance, understanding that conventional corporate insurance policies are unlikely to properly protect an organisation in the event of a cyber-attack.

A data breach response plan, which can be informed by the Office of the Australian Information Commissioner's guidelines (https://www.oaic.gov.au/resources/agencies-and-organisations/guides/data-breach-notification-guide-august-2014.pdf), ensures that should a cyber-attack occur, the organisation and staff understand their responsibilities. A comprehensive response plan also demonstrates good governance to business partners, investors and regulators.

However, any cyber response plan must remain a living document and needs regular review, ensuring that current regulatory requirements are acknowledged.

In addition, any personnel with responsibilities under that plan must be properly trained to act swiftly in the event of a breach. The plan should also identify any third-party support services required should an attack occur, allowing engagement contracts to be negotiated well in advance.


Organisations attacked once are three times more likely to be attacked again – Symantec

45x more cyber ransom events year on year – Symantec


Digital transformation and the impact of insurance

Once an organisation has deployed robust technology defences, educated staff about the risks of cyber-attack and promulgated policies about how to react and respond to cyber events, it has laid important foundations for its protection.

Those people, process and technology foundations provide a platform from which the organisation is able to negotiate appropriate and cost-effective cyber insurance.

By analysing the potential impact of an attack on the financial statement, the organisation can determine what coverage it requires.

Kevin Kalinich, Aon's global cyber practice leader, advises organisations to look at the industry in which they operate and benchmark the range of losses that could arise, knowing the value of data assets held and the impact of a cyber-attack in terms of business interruption, the impact on supply chains, on SCADA industrial control systems, and on reputation and brand.

The anticipated introduction of mandated data breach notification should spur action, and organisations with international operations need to ensure that they are properly protected in all the geographies in which they operate. Based on international experience, mandated breach notification leads to significant costs associated with legal services, regulator notification, customer notification, forensics, remediation and potentially compensation claims.

"Take steps to mitigate, to allocate liability or minimise your own liability. This is not all about prevention – it is about your response. If you have prepared a response, there is data that shows you can reduce the total cost of an incident," says Kalinich.

He also warns that organisations should not assume that their existing insurance policies provide any coverage in the event of a cyber-attack, nor that a third-party information systems provider, such as a cloud computing vendor, would have them covered. Similarly, existing directors and officers policies and professional indemnity coverage might prove inadequate should a cyber-attack take place.

In order to properly analyse the risk profile, Kalinich advocates risk quantification modelling in combination with Monte Carlo evaluation techniques. The resulting macro-level understanding of the challenge allows an organisation to then work with an insurance broker to craft appropriate risk coverage.
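The Monte Carlo risk quantification the article refers to can be sketched in a few dozen lines. The following is an added illustration, not Aon's or DLA Piper's model and not code from the original article. It assumes (constructed for the example) that the number of incidents in a year follows a Poisson distribution and that the loss per incident is log-normal; it then simulates many years to estimate the expected annual loss and the tail percentiles a board or broker would ask for, and shows how a candidate policy's deductible and limit split each simulated year's loss between insurer and insured. All parameter values are made up; a real assessment would calibrate them from the organisation's own incident history, industry benchmarks and broker input.

```python
"""Toy Monte Carlo cyber-loss simulation (added illustration, not Aon's or DLA Piper's model).

Constructed assumptions for the example:
  - number of incidents in a year ~ Poisson(lam)
  - loss per incident (AUD) ~ log-normal(mu, sigma)
  - a candidate policy is described by an annual deductible and a limit
"""
import math
import random
import statistics


def poisson(rng, lam):
    """Draw one Poisson(lam) variate with Knuth's multiplication method (fine for small lam)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(lam, mu, sigma, years, seed=42):
    """Return one simulated total loss per year, over `years` simulated years.

    The fixed seed makes the run reproducible so the figures can be reviewed and re-run.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        incidents = poisson(rng, lam)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(incidents)))
    return losses


def percentile(values, q):
    """Nearest-rank percentile (q in (0, 1]) of an unsorted list of numbers."""
    ordered = sorted(values)
    rank = max(1, math.ceil(q * len(ordered)))
    return ordered[rank - 1]


def summarise(losses):
    """Expected annual loss plus the tail figures used to size a policy."""
    return {
        "expected_annual_loss": statistics.mean(losses),
        "p50": percentile(losses, 0.50),
        "p95": percentile(losses, 0.95),
        "p99": percentile(losses, 0.99),
        "worst_simulated_year": max(losses),
    }


def apply_policy(losses, deductible, limit):
    """Split each simulated year's loss into what the policy pays and what is retained.

    Returns (mean retained, mean insured, worst retained year).
    """
    retained, insured = [], []
    for loss in losses:
        paid = min(max(loss - deductible, 0.0), limit)  # policy pays above the deductible, up to the limit
        insured.append(paid)
        retained.append(loss - paid)
    return statistics.mean(retained), statistics.mean(insured), max(retained)


if __name__ == "__main__":
    # Constructed parameters: ~2 incidents a year, median loss of roughly AUD 100k, heavy right tail.
    sims = simulate_annual_losses(lam=2.0, mu=11.5, sigma=1.2, years=20_000)
    for name, value in summarise(sims).items():
        print(f"{name:>22}: {value:>14,.0f}")
    mean_retained, mean_insured, worst_retained = apply_policy(sims, deductible=250_000, limit=5_000_000)
    print(f"mean retained: {mean_retained:,.0f}  mean insured: {mean_insured:,.0f}  "
          f"worst retained year: {worst_retained:,.0f}")
```

Running the script prints the expected annual loss, the 50th/95th/99th percentile years and the worst simulated year, then the mean split between insurer and insured for one candidate deductible/limit pair; re-running `apply_policy` with different deductibles and limits is the part of the exercise that feeds the broker conversation described in the article.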

Off-the-shelf policies have limited value. Base cyber insurance policies can cover external hacks, malicious code and internal mistakes – but may not cover the impact of a bug in the system. Consequential – punitive, incidental – costs are excluded from all base insurance policies, as is tangible property damage, but can be negotiated in a customised policy.

Effective cyber insurance policies also cover costs associated with legal support, communications costs, forensic analysis, notification and remediation services.

Kalinich warns, however, that given the changes in the legal landscape and the technology terrain, this is not a set-and-forget requirement, noting that risk assessment needs to be both thorough and regular.

Armed with that insight, the organisation can work with an insurance broker to find, tailor and stress-test a cyber insurance policy to ensure the effective reduction of enterprise risk.

Cyber risk: are you properly prepared?

There are four key questions that every organisation needs to address regarding cyber risk and protection:

What can go wrong?

How bad can it be?

How am I protected?

Will my insurance work?

Assessing the organisational risk profile requires input from multiple stakeholders, including the chief financial officer, chief information security officer, risk management head and legal counsel. External consultants can also provide a fresh lens through which to explore exposure.

Knowing the risk is one thing – dealing with it effectively also demands the support of the most senior management and board. Effective security requires a whole-organisation commitment from the top down.

The anticipated mandatory breach notification legislation will require organisations to alert authorities not only when they are aware of a breach but when those organisations "ought reasonably to have been aware", which suggests regulators may penalise companies found to have inadequate security systems. It is also not yet clear whether there will be any extra-territorial implications of the legislation for organisations operating overseas branches or subsidiaries.

Cyber security is a critical issue for organisations of every scale and in every sector. Robust and comprehensive security frameworks, a well-crafted response plan and effective cyber insurance, developed in concert and reviewed regularly, deliver the maximum protection and an important competitive edge.


UNFAIR CONTRACT TERMS IN THE IT SPACE: WHAT YOU NEED TO KNOW

By Sarah Dolan, Senior Associate (Melbourne) and Stephanie Tran, Graduate (Melbourne)


The 'one size fits all' approach to contracting is a common feature within the IT industry. Standard form contracts are an efficient and cost-effective method of doing business and are often used for online terms of use and projects which are of low risk, value and/or complexity.

From 12 November 2016, the unfair contract terms regime in the Australian Consumer Law, which until then only applied to individual consumers, was extended to contracts where at least one party is a "small business" and the upfront price payable is $300,000 (or $1 million if the contract is for a term longer than 12 months). A "small business" is a business that employs fewer than 20 people. It will also apply to contracts which are varied after 12 November 2016.

What is an "unfair" contract term?

Whether a term is "unfair" is decided by a court or tribunal. A term is "unfair" if the following three criteria are satisfied:

it causes a significant imbalance in the parties' rights and obligations under the contract;

it is not reasonably necessary to protect the legitimate interest of the party who would be advantaged by the term; and

it would cause detriment (whether financial or otherwise) to a party if the term were relied upon.

A court or tribunal, in determining whether a term is unfair, must assess the transparency of the term. This includes an assessment of how the term is expressed: is it in plain language and is it presented clearly? The court or tribunal must also consider the term in light of the contract as a whole and not in isolation.

Unfair terms in standard form contracts

Examples of standard form contract terms that may be challenged in court or at a tribunal for "unfairness" include:

terms requiring the customer to indemnify the supplier for any damage caused, even if it is caused by the supplier's own negligence;

terms that allow a supplier to cancel a contract at will for an inconsequential breach of contract by the customer;

terms that restrict a customer from obtaining a refund or exercising a termination right where the supplier has failed to meet its obligations under the contract; and

terms that provide for automatic renewal without the customer's consent.

What does this mean for your business?

Where a supplier's business model is directed at providing services to small to medium enterprises (SMEs), and the supplier has not had to address this issue in the past for "consumer" customers, it is likely to be impacted by this extension of the unfair contract terms regime. Standard form contracts (eg online terms of use, confidentiality agreements, software licences, support agreements, supply and/or services contracts) for SME customers should be reviewed to determine whether any of the terms may be considered "unfair".

If a court determines that a term is "unfair", it can make a range of orders, including declaring part or all of the contract void and/or varying the contract. If a court orders a contract to be varied, this may result in the supplier being unable to enforce other rights it may otherwise have, either under the contract itself or at law.

Additionally, customers which are small businesses may challenge contract terms that they consider are unfair to prevent a supplier from enforcing express rights under the contract. Such challenges will cost a supplier both time and money to address, even if it is able to successfully defend the claim. In addition, in this day of instant and free customer feedback on social media sites, there is also the risk of reputational damage in the market.

Suppliers should ensure their standard terms are appropriate for the type, size and nature of both the target customer and the goods and services being provided, with an appropriate balance of risk and responsibility between the parties.


INSURTECH

By Carolyn Bigg, Of Counsel (Hong Kong) and Sarah Fountain, Senior Associate (Melbourne)


The customer experience of insurance has largely remained the same for many years. A customer completes a proposal form (normally in hard copy) and submits it to the broker; the broker requests quotes from insurers; insurers provide quotes; the broker places a policy; the policy is issued (normally on an annual basis); and then the customer probably gives no further thought to it unless he or she needs to make a claim. This process does not fit well with the digital era we now live in and has not adapted quickly enough to meet changing consumer expectations, largely driven by millennials.

Insurers widely recognise the need to innovate. Despite this, most insurers have been slow to change their ways, with less than a quarter giving customers the option to submit claims online. This signals huge opportunities for those in the insurance sector, which explains the huge growth we are seeing in 'insurtech' (a word that was barely known a few years ago but now seems to be everywhere). Globally, investment in insurtech increased from US$800 million in 2014 to US$2.6 billion in 2015, and was US$1 billion in the first half of 2016.

Across Asia Pacific there are numerous examples of insurers embracing insurtech. Some insurers have opened innovation labs or incubators, such as Metlife's LumenLabs in Singapore. Others have established corporate VC funds to invest in insurtech startups that will drive value for the business. For example, Suncorp recently invested in Trov, an app that allows customers to turn insurance on and off by swiping right or left on their phones. We have also seen collaboration between insurers and car manufacturers to make available one-click, single-use motor vehicle policies in connected cars, as well as collaboration between insurers and technology companies. Another indicator of the opportunities in insurtech is the level of interest shown in the insurance market by leading players in other markets. For example, earlier this year China Mobile announced it is planning to enter the insurance market by making significant investments in two insurance companies.

These initiatives are already starting to have an impact on the insurance experience. The use of drones by insurance companies to assess property damage is reducing claims costs and the time taken to assess claims. The implementation of wearable technology in the workplace, such as smart glasses and smart hats, is increasing workplace safety and thereby reducing the risk of injuries. The use of wearable devices has also been adopted by health insurers and life insurers, enabling them to capture data and potentially pass on lower premiums to policy holders. In the future, we predict the most significant areas of growth and change in insurtech will be data analytics, wearables and IoT, blockchain and artificial intelligence.

Whilst regulators understandably adopt a cautious approach, they are taking steps to encourage fintech and insurtech initiatives. The Monetary Authority of Singapore very recently published guidelines for a 'regulatory sandbox' to encourage growth in fintech within a relaxed regulatory environment. This follows the announcement by the Australian Securities & Investments Commission of a sandbox for fintech businesses.

As the insurance sector becomes increasingly digitised, cybersecurity risks also increase. Regulators around the region have published new and updated guidance that is relevant to the increasingly sophisticated cybersecurity threats. It is important that insurers' compliance and risk teams focus not only on the immediate cybersecurity compliance obligations arising from the latest regulations, but also ensure that cybersecurity compliance programmes are developed to take into account increasing reliance on technology and data at the core of their operations.

As technology continues to evolve and improve, insurtech opportunities will increase. Although the rise of insurtech has been rapid in recent years, it is still in its infancy. This presents significant opportunities for insurers who adapt to changing consumer expectations and invest in insurtech, especially in Asia, where many people are uninsured but are well connected and spend a lot of time online via their mobile devices. Adapting quickly to this dynamic landscape will enable insurers to remain competitive.


PROPOSED AUSTRALIAN MANDATORY DATA BREACH NOTIFICATION REGIME

By Nicholas Boyle, Senior Associate (Sydney)

In October 2016, the Federal Government introduced the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill) to the House of Representatives to amend the Privacy Act to establish a regime for mandatory notification of eligible data breaches. There is bipartisan support for the Bill and it is likely to become law in late 2016 or early 2017.

What are the mandatory data breach notification requirements under the Bill?

The Bill requires that an entity must, as soon as practicable, comply with the notification steps outlined below if:

the entity becomes aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity; or

the Information Commissioner directs the entity to do so.

If an 'eligible data breach' occurs in relation to information which has been disclosed to (and is held by) an overseas recipient by an entity, the entity that disclosed the information must comply.

Step 1: Prepare a statement setting out the prescribed details

The affected entity must prepare a statement that sets out:

the identity and contact details of the entity. If the eligible data breach relates to more than one entity, the statement may set out the identity and contact details of those other entities;

a description of the eligible data breach;

the kind or kinds of information affected by the eligible data breach; and

recommendations about the steps that individuals who are or may be affected by the eligible data breach should take in response to it.

If a statement is prepared at the direction of the Information Commissioner, the statement must also include any information specified in that direction.

Step 2: Give a copy of the prepared statement to the Information Commissioner

Step 3: Notify the contents of the statement to individuals whose information is affected by the eligible data breach

Where practicable, the affected entity must take reasonable steps to notify the contents of the statement to those individuals who are or may be affected by the eligible data breach. The entity may use the channels it ordinarily uses to communicate with individuals (eg email, text message, mail) to provide those notifications, but that does not limit the obligation to take reasonable steps or the methods of communication that the entity can use.

If it is not practicable for the affected entity to notify individuals, the affected entity must publish a copy of the statement on its website (if any) and take reasonable steps to publicise the contents of the statement.

What are lsquoeligible data breachesrsquo

An lsquoeligible data breachrsquo occurs when

there is unauthorised access to or unauthorised disclosure of personal credit reporting or credit eligibility information or a tax file number a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates or

personal credit reporting or credit eligibility information or a tax file number is lost where it is likely that (a) unauthorised access to or unauthorised disclosure of the information will occur and (b) such unauthorised access or disclosure will result in serious harm to an individual to whom the information relates

Remedial action exception to the definition of eligible data breaches

An eligible data breach is deemed never to have occurred where the affected entity

in the case of lost information takes action before there is unauthorised access to or unauthorised disclosure of information which is lost and no unauthorised access or disclosure actually occurs or

in the case of information which is the subject of unauthorised access or disclosure takes action before there is serious harm to any individual to whom the information relates and because of that action a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals

What is lsquoserious harmrsquo

lsquoSerious harmrsquo is to be interpreted broadly The explanatory memorandum to the Bill states that lsquoserious harmrsquo could include serious physical psychological emotional economic and financial harm and serious harm to reputation

The Bill contains a non-exhaustive list of matters to be considered in determining whether or not access to or disclosure of information is likely to result in ldquoserious harmrdquo These matters include

the kind(s) and sensitivity of the information

whether the information is protected by one or more security measures and the likelihood of any of these measures being overcome

the persons or the kinds of persons who have obtained or who could obtain the information

the nature of the harm

Exceptions

There are a small number of circumstances in which entities are exempted from complying with the notification obligations:

Multiple affected entities: where the eligible data breach affects more than one entity and another entity has complied with the notification obligations, those other affected entities do not need to separately comply.

Enforcement related activities: where the affected entity is an enforcement body and the body’s CEO reasonably believes that complying with the notification obligations is likely to prejudice any of its enforcement related activities.

Inconsistency with a secrecy provision: where complying with the notification obligations is, to any extent, inconsistent with a provision of a law of the Commonwealth that prohibits or regulates the use or disclosure of information.

Declaration by the Commissioner: where the Information Commissioner declares that the notification obligations do not apply, or specifies a particular time by which the affected entity must comply with the notification obligations.

Assessment of suspected eligible data breaches

If an entity has reasonable grounds to suspect that an eligible data breach may have occurred, but is not aware of reasonable grounds to believe that an eligible data breach has in fact occurred, the entity must carry out a reasonable and prompt assessment to determine whether an eligible data breach has in fact occurred. This could occur where an entity is notified of a breach by a third party.

The entity must take reasonable steps to complete the assessment within 30 days after forming the suspicion.

If the eligible data breach applies to more than one entity, only one entity needs to undertake an assessment for all entities to comply with this requirement.

www.dlapiper.com | 15

SIGNIFICANT CHANGES TO DATA AND CYBERSECURITY PRACTICES IN CHINA

By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong), and Paula Cao, Associate (Beijing)

After a third deliberation, the Chinese government passed the new PRC cybersecurity law on 7 November 2016. The new law will come into force on 1 June 2017 and has significant implications for the data privacy and cybersecurity practices of both Chinese companies and international organisations doing business in China.

The new PRC cybersecurity law is intended to combat online fraud and protect China against internet security risks. In short, it imposes new security and data protection obligations on “network operators”, puts restrictions on transfers of data outside China by “key information infrastructure operators”, and introduces new restrictions on critical network and cybersecurity products.

The new law has been widely reported in both the local and international press. While Chinese officials maintain that China is not closing the door on foreign companies with the introduction of this new law, there has been widespread international unease since the first reading. Commentators have expressed concern that competition will be stifled, about the handover of intellectual property, source code and security keys to the Chinese government, about perceived increased surveillance and controls over the internet in China, and about the data localisation requirements. Other new obligations, including increased personal data protections, have been less controversial, but are a clear indicator of the increased focus within the Chinese authorities on data protection and could signal a change to the data protection enforcement environment in China.

Some of the key provisions of the final law (which contains some changes to earlier drafts of the law) include, inter alia:

Chinese citizens’ personal information and “important data” gathered and produced by “key information infrastructure operators” (KIIOs) during operations in China must be kept within the borders of the PRC. If it is “necessary” for the KIIO to transfer such data outside of China, a security assessment must be conducted pursuant to the measures jointly formulated by the National Cyberspace Administration and State Council, unless other PRC laws permit the overseas transfer. While the final version of the law provides some guidance as to the industry fields that will be ascribed greater protection, such as public communications and information services, energy, transportation, water conservancy, finance, public services and e-government, the definition of KIIO remains vague and could potentially be interpreted to cover a broader range of companies and industry sectors. “Personal information” is defined as including all kinds of information, recorded electronically or through other means, that taken alone or together with other information is sufficient to identify a natural person’s identity, including but not limited to natural persons’ full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers and so forth. However, the types of information that might constitute “important data” are currently unclear. In any case, these data localisation rules are likely to create practical issues for international businesses operating in China.

A range of new obligations apply to organisations that are “network operators” (ie network owners, network administrators and network service providers). A “network” means any system comprising computers or other information terminals and related equipment for the collection, storage, transmission, exchange and processing of information. Some commentators are suggesting that these broad definitions could catch any business that owns and operates IT networks/infrastructure, or even just websites, in China.

In terms of data protection, network operators must make publicly available data privacy notices (explicitly stating the purposes, means and scope of personal information to be collected and used) and obtain individuals’ consent when collecting, using and disclosing their personal information. Network operators must adopt technical measures to ensure the security of personal information against loss, destruction or leaks, and in the event of a data security breach must take immediate remedial action and promptly notify users and the relevant authorities. They must also comply with principles of legality, propriety and necessity in their data handling and not be excessive, not provide an individual’s personal information to others without the individual’s consent, nor illegally sell an individual’s personal data to others. The rules do not apply to truly anonymised data. There are also general obligations to keep user information confidential and to establish and maintain data protection systems. Data subject rights to correction of their data, as well as a right to request deletion of data in the event of a data breach, are also provided. While an earlier draft specifically provided protection to personal information of “citizens”, the final law does not make this distinction and so seemingly offers broader protection to all personal information. These requirements formalise as binding legal obligations some data protection safeguards that were previously only perceived as best practice guidance in China.

As regards network security, network operators must fulfil certain tiered security obligations according to the requirements of the classified protection system for cybersecurity, which includes (amongst other things): formulating internal security management systems and operating instructions; appointing dedicated cybersecurity personnel; taking technological measures to prevent computer viruses and other similar threats and attacks, and formulating plans to monitor and respond to network security incidents; retaining network logs for at least six months; undertaking prescribed data classification, back-up, encryption and similar activities; complying with national and mandatory security standards; reporting incidents to users and the authorities; and establishing complaints systems.

Network operators must also provide technical support and assistance to state security bodies safeguarding national security and investigating crimes, and will be subject to government and public supervision. The form and extent of such cooperation is not currently clear, and international businesses have expressed concerns over the extent to which this may require them to disclose their IP, proprietary and confidential information to the Chinese authorities.

More general conditions on network operators carrying out business and service activities include obeying all laws and regulations, mandatory and industry national standards, social norms and commercial ethics, being honest and credible, and bearing social responsibility. There are also requirements on network operators to block, delete and report to the authorities prohibited information and malicious programs published or installed by users.

Network operators handling “network access and domain registration services” for users, including mobile phone and instant message service providers, are required to comply with “real identity” rules when signing up or providing service confirmation to users, or else may not provide the service.

Additional security safeguards apply to KIIOs, including security background checks on key managers, staff training obligations, disaster recovery back-ups, emergency response planning, and annual inspections and assessments. Further, strict procurement procedures will apply to KIIOs buying network products and services.

Providers of “network products and services” must comply with national and mandatory standards; their products and services must not contain malicious programs; they must take remedial action against security issues and report them to users and relevant authorities; and they must provide security maintenance for their products and services, which cannot be terminated within the contract term agreed with customers. These new conditions will require providers of technology products and services to review and update their product and related maintenance offerings, and in particular the contractual terms on which they are offered to customers.

Critical network equipment and specialised cybersecurity products must obtain government certification or meet prescribed safety inspection requirements before being sold or provided. This potentially catches a wide range of software, hardware and other technologies being sold – or proposed to be sold – by international companies in China, since the definitions used in the law are drafted very broadly. Further guidance, by way of a catalogue of key network products, is expected in due course. There are concerns that this may create barriers to international businesses looking to enter the Chinese market.


Each individual and organisation shall be responsible for its own use of websites, and may not set up websites or communication groups for the purpose of committing fraud, imparting criminal methods, producing or selling prohibited items, or engaging in other unlawful activities. Again, there is scope for this to be interpreted and applied broadly.

Institutions, organisations and individuals outside China that cause serious consequences by attacking, interfering with or destroying key information infrastructure of China shall be responsible for any damage, and the relevant public security department of the State Council may freeze assets and impose other sanctions against them. While these provisions would appear to have an extra-territorial effect and could be interpreted very broadly, it is unclear what sanctions could in practice be enforced against organisations without a presence in China.

Other new rules relate to network/online protections for minors; the establishment of schemes for network security monitoring, early warning and breach notification to relevant authorities and the public; rights for individuals and organisations to report conduct endangering network security; the opening of public data resources; and prohibitions on hacking and supporting activities.

While criminal sanctions, administrative penalties and civil liabilities potentially await those (both organisations and, in some circumstances, individual employees and officers) who violate the new law, unfortunately great uncertainties remain as to how the new legislation will be enforced, who exactly is caught by the various new rules, and the precise steps that organisations must take to comply with them. It is hoped that the Chinese authorities will publish more detailed practical guidance in the coming months. In the meantime, organisations are strongly advised to review their data privacy and cybersecurity practices in China to ensure compliance with the new law before it comes into force on 1 June 2017, and to keep these under review as further guidance becomes available.


STRICTER PRC ONLINE ADVERTISING REGULATION IN RESPONSE TO SEARCH SCANDAL

By Edward Chatterton, Partner (Hong Kong), Horace Lam, Partner (Beijing), and Ian Jebbit, Registered Foreign Lawyer (Hong Kong)

The China State Administration of Industry and Commerce’s Online Advertising Regulation (Regulation) came into force on September 1, 2016. The Regulation has been widely regarded as the response to a recent scandal regarding paid search results.

Earlier this year, a promising college student in China, Wei Ze Xi, sought cancer treatment at a hospital which was returned as a paid search result on an internet search engine. The hospital promised that the treatment would be effective and charged Wei US$30,000. The treatment was later found to be ineffective, but Wei could not then afford further

The changes

The newly amended Advertising Law did not expressly address the regulation of ‘paid search results’, but the new Regulation includes a specific definition of paid search results which sees them classified as an internet advertisement and thus subject to the Advertising Law. As such, the Regulation means, inter alia, that paid search results:

must not be misleading;

cannot be used in relation to the advertisement of prescription medication and tobacco products;

cannot be used in relation to the advertisement of medical services, medicine, medical formula food, medical devices, pesticides, veterinary medicines and health care products unless the relevant products and services have been previously approved by the relevant authorities; and

must be able to be closed with ‘one click’ and must not interfere with a user’s internet experience.

The Regulation also requires online advertising service providers to establish internal systems for, inter alia, identifying clients who use paid search results and storing their details and advertisements.

Practical implications

The new Regulation affects not only search engine providers but all online advertising businesses and users of paid search results.

Businesses advertising in China using paid search results must check to ensure such paid search results are in compliance with the Advertising Law, and those businesses operating in any of the restricted fields listed above must now ensure prior approval is sought before placing a paid search result advertisement.

Our team of lawyers in China is ready to advise you on the preparations you need to make for the implementation of the Regulation.


MOBILE APPS UNDER CLOSE WATCH OF THE HONG KONG PRIVACY COMMISSIONER

By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong)

The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps. On 21 April 2016, the Office of the Privacy Commissioner for Personal Data (the PCPD) held the ‘Mobile App Development Forum on Privacy and Security’ (Forum) for the mobile app industry, which discussed key issues for mobile app developers, businesses and stakeholders to consider when developing and operating mobile apps, in terms of ensuring compliance with the provisions of the Personal Data (Privacy) Ordinance and safeguarding users from cybersecurity risks.

Businesses operating in the mobile app industry and related stakeholders are advised to take note of the below key points raised at the Forum, and related issues that they should consider.

Lessons to learn from mobile apps in the market

The Privacy Commissioner highlighted the results of a recent survey on popular mobile apps developed by Hong Kong entities, which revealed a lack of transparency in the handling of personal data by the apps. The survey results revealed that most of these local apps did not explain clearly what data they would access and the purposes for such access, and that only around half of these mobile apps provided a privacy policy.

A key risk discussed at the Forum was that the drafter of a privacy policy may not have a complete understanding of what data is in fact collected, stored, used and/or shared by the app, for example where third party code is used in the app development. Businesses using one privacy policy for all of their mobile apps, which may differ greatly in the way users’ data are handled, also run the risk of having imprecise privacy policies for individual apps.

Security remains a key concern in relation to personal data collected and handled by mobile apps. It was revealed at the Forum that, alarmingly, some extremely popular mobile apps failed to apply adequate security to safeguard users’ personal data.

Enforcement risks for mobile apps

At the Forum, the Privacy Commissioner referred to enforcement actions that were taken against mobile apps recently, largely due to excessive data collection and inadequate security of personal data.

In recent years, the Privacy Commissioner has served enforcement notices on operators of mobile apps as well as related parties to the app operators. As a result, the relevant companies have taken corrective actions and, in some instances, the Privacy Commissioner’s enforcement action attracted much media attention, and some of these mobile apps are no longer available in the market.

However, there is a limit to the Privacy Commissioner’s enforcement powers, as demonstrated by a high profile incident in November 2016 regarding call-blocking apps whose activities were suspected by the PCPD to contravene Hong Kong’s data privacy law. As the apps’ operators were located outside Hong Kong, the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow up action.

It is most likely that the privacy compliance of mobile apps will continue to be under the close watch of the Privacy Commissioner in the coming months.

Privacy by Design

The Chief Personal Data Officer of the PCPD, Dr Henry Chang, highlighted the ‘Privacy by Design’ approach that businesses should adopt, which brings privacy to the foreground and embeds privacy from the outset into the design specifications and throughout the entire development life cycle of a mobile app. Set out below are key factors that should be considered.

Data minimisation – The collection of personal data should be reduced to the absolute minimum, especially where sensitive personal data is involved. An assessment of what data the business requires from users, in terms of access and collection, should be undertaken at the outset.

Surprise minimisation – Businesses should ensure there is transparency to users in terms of what data will be collected or accessed, and provide users with a choice to opt out from such access or use where possible. It is important for businesses to manage the expectations of users and eliminate or minimise any possible adverse effects of data collection and use.

Risk minimisation – Businesses must ensure adequate protection of data being transmitted and/or stored, for example through encryption and access control.

Trust and respect – To earn the trust and respect of users, it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects, even if they do not amount to personal data. This is key, as mobile devices contain a vast amount of personal data and other data that may be considered private, and users would be concerned about whether the mobile app accesses or collects any of this data.

In particular, businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users, rather than a compliance hurdle to avoid investigation or enforcement action by the Privacy Commissioner. Businesses should ensure the data collection and handling practices in respect of their mobile apps are not only compliant with the law, but that the privacy policies and privacy notifications and consents are sufficiently clear and transparent to gain the trust and respect of users.


SINGAPORE’S ENFORCEMENT OF DATA PROTECTION LAW ON THE RISE

By Scott Thiel, Partner, Carolyn Bigg, Of Counsel, and Amy Kong, Associate (Hong Kong)

Singapore’s Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC has published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident with the Monetary Authority of Singapore (MAS) concerning a multinational bank. The PDPC has also recently announced the need for organisations to improve their data security and data protection measures, and has issued new guides, primarily focusing on data protection measures, which organisations should consider carefully.

Recent enforcement decisions

Some of the key points to note from the three recent enforcement decisions:

A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.

A document processing company was fined SGD 5,000 for a data breach after 195 individuals received account statements of other account holders held on the Singapore Exchange.

A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (being the policy holder’s chiropractor), to obtain further medical information about the policy holder, in September 2015. The PDPC found that the disclosure of the policy holder’s bank account details, being of a sensitive financial nature, was not for a reasonable purpose.

It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of ‘sensitive personal data’ which requires additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.

As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were a result of inadequate data security measures, which led to unauthorised disclosure of personal data.


Investigation into a multinational bank’s data disposal incident

The PDPC and the MAS have joined forces in an investigation against a multinational bank (Bank) following a recent report relating to the Bank’s disposal of client documents. In June 2016, it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank’s headquarters in Singapore.

The MAS is working closely with the PDPC to review the incident, and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers’ data.

New guides issued by the PDPC

To accompany its recent media release urging organisations to improve their data security measures, and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, securing personal data in electronic medium, and building websites for small to medium enterprises.

The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding content on withdrawal of consent and access requests. Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing their data handling practices.

Some interesting issues to note

The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third party contracts. Such data protection clauses should contain specific security measures; a schedule containing the authorised personnel who are permitted to access the personal data on a ‘need to know’ basis; a requirement for a written undertaking about the return or deletion of personal data; as well as a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.

The PDPC’s guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper, depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).

This article was first published in August 2016. For further updates in relation to Singapore’s data protection laws, please contact Scott Thiel (scott.thiel@dlapiper.com) or Carolyn Bigg (carolyn.bigg@dlapiper.com).


IPT INSIGHTS

AUSTRALIA – TRADE MARKS – CHANGES TO OFFICIAL FEES

The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees, some of which are to align with practices in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.

Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there will no longer be a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptance/registration, the new process will hopefully reduce the administrative burden on applicants somewhat.

In addition, the AU$150 fee for opposing a removal application will be abolished. Renewal fees will also increase slightly.

This is an adjustment to official fees only at this time, and DLA Piper Australia is not increasing its fees for the relevant attendances.

HONG KONG’S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD

Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong’s Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees are using their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap 486) (the Ordinance) and the Data Protection Principles (DPPs).

The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment, and the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices depending on whether or not the organisation’s data is stored on the personal devices or within a ‘sandbox’. The Commissioner has suggested as best practice that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance.

The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding use of personal data stored in the BYOD device, and whether adequate security measures are in place to ensure secure transfer and storage of personal data in the BYOD equipment (eg sandboxing, password protection and independent encryption).

The Information Leaflet also highlights that respect for personal data should be mutual under the BYOD scheme, and any practices implemented to manage employees’ BYOD devices should respect the employees’ private information.

For more information, the Information Leaflet is available here.

DLA Piper’s Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more, please click here.

JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS

In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.

Where the supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, in order to seek a remedy (for example, damages) the supplier must follow the approach prescribed in the Bill. This is likely to be a two-step process. Firstly, the supplier must attempt to resolve the complaint with the procuring entity. Secondly, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.

The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year.


WHAT’S ON

Wrap-up: 5th Global Technology Summit

On September 27 and 28, DLA Piper’s Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.

This year the Summit was divided into two distinct days of programming. The first day, which was called ‘Garage2Global’, was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from ‘garage to global’. The second day, which was entitled ‘TechLaw’, provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.

Speaker Highlights

At ‘Garage2Global’, Alec Ross, Former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day, Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world’s largest networks, one that powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates, Inc.

Kicking off ‘TechLaw’, Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions, and how the legal department is viewed as a business partner. During the afternoon sessions, Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, to discuss the GC’s role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world’s largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.

Please visit our Summit website and blog for any further information.

DLA Piper is pleased to announce the launch of Telecommunications Laws of the World

Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.

Key features include:

telecommunications laws, regulations and policies

regulatory bodies or authorities

overview of consents, licences and authorisations

regulatory taxes and fees

key sanctions and penalties

Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-based stamping for trading transactions, robust, reliable and resilient networks are critical.

Today, telecommunications operators are increasingly seeking to expand customer-specific and value added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion. At the same time, the growth of OTT (over the top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators' infrastructure to provide services.

Access Telecommunications Laws of the World here.


Intellectual property webinar series

Throughout 2016, DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact eventsaustralia@dlapiper.com.

intellectual property issues in China

confidential information and trade secrets: global insights, global protection

grey market, parallel importation and anti-counterfeiting

content protection and digital piracy

advertising and marketing

Pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide

We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.

Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:

trademark filing and prosecution

oppositions

revocation, invalidation and cancellation

trademark enforcement

trademark exploitation

unregistered trademark rights

domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide, email APACTMGuide@dlapiper.com.

Are you an in-house lawyer? Join WIN today

WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.


DLA PIPER ASIA PACIFIC TRADEMARK GUIDE 2016

Pre-order your complimentary copy now

We are pleased to bring you the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.

Relevant for the complete brand life cycle, this user-friendly guide looks at such essential issues as:

trademark filing and prosecution

oppositions

revocation, invalidation and cancellation

trademark enforcement

trademark exploitation

unregistered trademark rights

domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piper's Asia Pacific Trademark Guide, please complete this card or email us at APACTMGuide@dlapiper.com.


GLOBAL PATENT LAWS AROUND THE WORLD

COMING SOON

Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to businesses operating in the countries featured: for example, what acts infringe a patent, the availability of and approach to granting preliminary injunctions, the ability to obtain evidence, the approach to assessing validity, and the typical time to trial. For companies operating in multiple countries, managing the risk of, and successfully bringing or defending, patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those in other countries.

DLA PIPER'S PATENT GROUP

With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.

For further information, please contact us by email at patents@dlapiper.com.

Benefits of Global Patent Laws: patent laws simply put; global reach; easy access 24/7

Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and the procedural matters businesses need to know about. The handbook includes guidance on:

infringing conduct

defences to infringement

before taking action

patent validity

taking action

remedies

procedure & timing


In the event of a breach…

1. Refer to the data breach response plan

2. Call lawyers to preserve privilege

3. Involve communications and PR team

4. Alert insurers to the breach

5. Seek advice from lawyers and insurers regarding extortion (ransomware) attempts before any payments

6. Engage incident response team to analyse breach and remediate

Access DLA Piper's cyber incident/data breach response: Your emergency checklist here: https://www.dlapiper.com/en/australia/insights/publications/2015/04/cyber-data-breach-checklist

Assessing the technology/insurance inflexion point

Technology and education are the first frontier of data protection and cyber security. Investing in a spread of security technologies, such as firewalls, encryption, system monitoring, vulnerability assessments and penetration testing, along with effective employee education programmes to ensure staff understand how to avoid spear phishing or ransomware attacks, is essential for any organisation.

There is, however, a point at which additional investment in security offers diminishing value. At this inflexion point an organisation needs to refocus its investment attention toward cyber risk insurance.

Tim Fitzgerald, Chief Security Officer and VP at Symantec, explains that exactly when an organisation reaches that inflexion point will vary, and will also be affected by the scale of an organisation's data collection, its reliance on cloud computing services, its deployment of Internet of Things devices and the mobility of its workforce and user base.

He recommends that organisations conduct a cyber risk assessment: analyse the data stores held, assess by whom and why they may be targeted, and then develop a security strategy based on that insight. The board and senior managers need to be apprised of the security risk and strategy and, through gap analysis, determine the need for cyber insurance, understanding that conventional corporate insurance policies are unlikely to properly protect an organisation in the event of a cyber-attack.

A data breach response plan, which can be informed by the Office of the Australian Information Commissioner's guidelines (https://www.oaic.gov.au/resources/agencies-and-organisations/guides/data-breach-notification-guide-august-2014.pdf), ensures that, should a cyber-attack occur, the organisation and staff understand their responsibilities. A comprehensive response plan also demonstrates good governance to business partners, investors and regulators.

However, any cyber response plan must remain a living document and needs regular review, ensuring that current regulatory requirements are acknowledged.

In addition, any personnel with responsibilities under that plan must be properly trained to act swiftly in the event of a breach. The plan should also identify any third party support services required should an attack occur, allowing engagement contracts to be negotiated well in advance.


Organisations attacked once are three times more likely to be attacked again – Symantec

45x more cyber ransom events year on year – Symantec


Digital transformation and the impact of insurance

Once an organisation has deployed robust technology defences, educated staff about the risks of cyber-attack and promulgated policies about how to react and respond to cyber events, it has laid important foundations for its protection.

Those people, process and technology foundations provide a platform from which the organisation is able to negotiate appropriate and cost effective cyber insurance.

By analysing the potential impact of an attack on the financial statement, the organisation can determine what coverage it requires.

Kevin Kalinich, Aon's global cyber practice leader, advises organisations to look at the industry in which they operate and benchmark the range of losses that could arise, knowing the value of data assets held and the impact of a cyber-attack in terms of business interruption, the impact on supply chains, on SCADA industrial control systems, and on reputation and brand.

The anticipated introduction of mandated data breach notification should spur action, and organisations with international operations need to ensure that they are properly protected in all the geographies in which they operate. Based on international experience, mandated breach notification leads to significant costs associated with legal services, regulator notification, customer notification, forensics, remediation and, potentially, compensation claims.

"Take steps to mitigate, to allocate liability or minimise your own liability. This is not all about prevention – it is about your response. If you have prepared a response, there is data that shows you can reduce the total cost of an incident," says Kalinich.

He also warns that organisations should not assume that their existing insurance policies provide any coverage in the event of a cyber-attack, nor that a third party information systems provider, such as a cloud computing vendor, would have them covered. Similarly, existing directors and officers policies and professional indemnity coverage might prove inadequate should a cyber-attack take place.

In order to properly analyse the risk profile, Kalinich advocates risk quantification modelling in combination with Monte Carlo evaluation techniques. The resulting macro level understanding of the challenge allows an organisation to then work with an insurance broker to craft appropriate risk coverage.

Off the shelf policies have limited value. Base cyber insurance policies can cover external hacks, malicious code and internal mistakes – but may not cover the impact of a bug in the system. Consequential – punitive, incidental – costs are excluded from all base insurance policies, as is tangible property damage, but can be negotiated in a customised policy.

Effective cyber insurance policies also cover costs associated with legal support, communications costs, forensic analysis, notification and remediation services.

Kalinich warns, however, that given the changes in the legal landscape and the technology terrain, this is not a set-and-forget requirement, noting that risk assessment needs to be both thorough and regular.

Armed with that insight, the organisation can work with an insurance broker to find, tailor and stress test a cyber insurance policy to ensure the effective reduction of enterprise risk.

Cyber risk: are you properly prepared?

There are four key questions that every organisation needs to address regarding cyber risk and protection:

What can go wrong?

How bad can it be?

How am I protected?

Will my insurance work?

Assessing the organisational risk profile requires input from multiple stakeholders, including the chief financial officer, chief information security officer, risk management head and legal counsel. External consultants can also provide a fresh lens through which to explore exposure.

Knowing the risk is one thing – dealing with it effectively also demands the support of the most senior management and board. Effective security requires a whole-organisation commitment from the top down.

The anticipated mandatory breach notification legislation will require organisations to alert authorities not only when they are aware of a breach but when those organisations "ought reasonably to have been aware", which suggests regulators may penalise companies found to have inadequate security systems. It is also not yet clear whether there will be any extra-territorial implications of the legislation for organisations operating overseas branches or subsidiaries.

Cyber security is a critical issue for organisations of every scale and in every sector. Robust and comprehensive security frameworks, a well-crafted response plan and effective cyber insurance, developed in concert and reviewed regularly, deliver the maximum protection and an important competitive edge.


UNFAIR CONTRACT TERMS IN THE IT SPACE: WHAT YOU NEED TO KNOW

Sarah Dolan, Senior Associate (Melbourne), and Stephanie Tran, Graduate (Melbourne)


The 'one size fits all' approach to contracting is a common feature within the IT industry. Standard form contracts are an efficient and cost-effective method of doing business and are often used for online terms of use and projects which are of low risk, value and/or complexity.

From 12 November 2016, the unfair contract terms regime in the Australian Consumer Law, which until then only applied to individual consumers, was extended to contracts where at least one party is a "small business" and the upfront price payable is $300,000 (or $1 million if the contract is for a term longer than 12 months). A "small business" is a business that employs less than 20 people. It will also apply to contracts which are varied after 12 November 2016.

What is an "unfair" contract term?

Whether a term is "unfair" is decided by a court or tribunal. A term is "unfair" if the following three criteria are satisfied:

it causes a significant imbalance in the parties' rights and obligations under the contract;

it is not reasonably necessary to protect the legitimate interest of the party who would be advantaged by the term; and

it would cause detriment (whether financial or otherwise) to a party if the term were relied upon.

A court or tribunal, in determining whether a term is unfair, must assess the transparency of the term. This includes an assessment of how the term is expressed: is it in plain language, and is it presented clearly? The court or tribunal must also consider the term in light of the contract as a whole and not in isolation.

Unfair terms in standard form contracts

Examples of standard form contract terms that may be challenged in court or at a tribunal for "unfairness" include:

terms requiring the customer to indemnify the supplier for any damage caused, even if it is caused by the supplier's own negligence;

terms that allow a supplier to cancel a contract at will for an inconsequential breach of contract by the customer;

terms that restrict a customer from obtaining a refund or exercising a termination right where the supplier has failed to meet its obligations under the contract; and

terms that provide for automatic renewal without the customer's consent.

What does this mean for your business?

Where a supplier's business model is directed at providing services to small to medium enterprises (SMEs), and the supplier has not had to address this issue in the past for "consumer" customers, it is likely to be impacted by this extension of the unfair contract terms regime. Standard form contracts (eg online terms of use, confidentiality agreements, software licences, support agreements, supply and/or services contracts) for SME customers should be reviewed to determine whether any of the terms may be considered "unfair".

If a court determines that a term is "unfair", it can make a range of orders, including declaring part or all of the contract void and/or varying the contract. If a court orders a contract to be varied, this may result in the supplier being unable to enforce other rights it may otherwise have, either under the contract itself or at law.

Additionally, customers which are small businesses may challenge contract terms that they consider are unfair to prevent a supplier from enforcing express rights under the contract. Such challenges will cost a supplier both time and money to address, even if it is able to successfully defend the claim. In addition, in this day of instant and free customer feedback on social media sites, there is also the risk of reputational damage in the market.

Suppliers should ensure their standard terms are appropriate for the type, size and nature of both the target customer and the goods and services being provided, with an appropriate balance of risk and responsibility between the parties.


INSURTECH

Carolyn Bigg, Of Counsel (Hong Kong), and Sarah Fountain, Senior Associate (Melbourne)


The customer experience of insurance has largely remained the same for many years. A customer completes a proposal form (normally in hard copy) and submits it to the broker; the broker requests quotes from insurers; insurers provide quotes; the broker places a policy; the policy is issued (normally on an annual basis); and then the customer probably gives no further thought to it unless he or she needs to make a claim. This process does not fit well with the digital era we now live in and has not adapted quickly enough to meet changing consumer expectations, largely driven by millennials.

Insurers widely recognise the need to innovate. Despite this, most insurers have been slow to change their ways, with less than a quarter giving customers the option to submit claims online. This signals huge opportunities for those in the insurance sector, which explains the huge growth we are seeing in 'insurtech' (a word that was barely known a few years ago but now seems to be everywhere). Globally, investment in insurtech increased from US$800 million in 2014 to US$2.6 billion in 2015, and was US$1 billion in the first half of 2016.

Across Asia Pacific there are numerous examples of insurers embracing insurtech. Some insurers have opened innovation labs or incubators, such as MetLife's LumenLab in Singapore. Others have established corporate VC funds to invest in insurtech startups that will drive value for the business. For example, Suncorp recently invested in Trov, an app that allows customers to turn insurance on and off by swiping right or left on their phones. We have also seen collaboration between insurers and car manufacturers to make available one-click, single use motor vehicle policies in connected cars, as well as collaboration between insurers and technology companies. Another indicator of the opportunities in insurtech is the level of interest shown in the insurance market by leading players in other markets. For example, earlier this year China Mobile announced it is planning to enter the insurance market by making significant investments in two insurance companies.

These initiatives are already starting to have an impact on the insurance experience. The use of drones by insurance companies to assess property damage is reducing claims costs and the time taken to assess claims. The implementation of wearable technology in the workplace, such as smart glasses and smart hats, is increasing workplace safety and thereby reducing the risk of injuries. The use of wearable devices has also been adopted by health insurers and life insurers, enabling them to capture data and potentially pass on lower premiums to policy holders. In the future, we predict the most significant areas of growth and change in insurtech will be data analytics, wearables and IoT, blockchain and artificial intelligence.

Whilst regulators understandably adopt a cautious approach, they are taking steps to encourage fintech and insurtech initiatives. The Monetary Authority of Singapore very recently published guidelines for a 'regulatory sandbox' to encourage growth in fintech within a relaxed regulatory environment. This follows the announcement by the Australian Securities & Investments Commission of a sandbox for fintech businesses.

As the insurance sector becomes increasingly digitised, cybersecurity risks also increase. Regulators around the region have published new and updated guidance that is relevant to the increasingly sophisticated cybersecurity threats. It is important that insurers' compliance and risk teams focus not only on the immediate cybersecurity compliance obligations arising from the latest regulations, but also ensure that cybersecurity compliance programmes are developed to take into account increasing reliance on technology and data at the core of their operations.

As technology continues to evolve and improve, insurtech opportunities will increase. Although the rise of insurtech has been rapid in recent years, it is still in its infancy. This presents significant opportunities for insurers who adapt to changing consumer expectations and invest in insurtech, especially in Asia, where many people are uninsured but are well connected and spend a lot of time online via their mobile devices. Adapting quickly to this dynamic landscape will enable insurers to remain competitive.


In October 2016, the Federal Government introduced the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill) to the House of Representatives to amend the Privacy Act to establish a regime for mandatory notification of eligible data breaches. There is bipartisan support for the Bill and it is likely to become law in late 2016 or early 2017.

What are the mandatory data breach notification requirements under the Bill?

The Bill requires that an entity must, as soon as practicable, comply with the notification steps outlined below if:

the entity becomes aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity; or

the Information Commissioner directs the entity to do so.

If an 'eligible data breach' occurs in relation to information which has been disclosed to (and is held by) an overseas recipient by an entity, the entity that disclosed the information must comply.

Step 1: Prepare a statement setting out the prescribed details

The affected entity must prepare a statement that sets out:

the identity and contact details of the entity. If the eligible data breach relates to more than one entity, the statement may set out the identity and contact details of those other entities;

a description of the eligible data breach;

the kind or kinds of information affected by the eligible data breach; and

recommendations about the steps that individuals who are or may be affected by the eligible data breach should take in response to it.

If a statement is prepared at the direction of the Information Commissioner, the statement must also include any information specified in that direction.

Step 2: Give a copy of the prepared statement to the Information Commissioner

Step 3: Notify the contents of the statement to individuals whose information is affected by the eligible data breach

Where practicable, the affected entity must take reasonable steps to notify the contents of the statement to those individuals who are or may be affected by the eligible data breach. The entity may use the channels it ordinarily uses to communicate with individuals (eg email, text message, mail) to provide those notifications, but that does not limit the obligation to take reasonable steps or the methods of communication that the entity can use.

If it is not practicable for the affected entity to notify individuals, the affected entity must publish a copy of the statement on its website (if any) and take reasonable steps to publicise the contents of the statement.

PROPOSED AUSTRALIAN MANDATORY DATA BREACH NOTIFICATION REGIME

By Nicholas Boyle, Senior Associate (Sydney)


What are 'eligible data breaches'?

An 'eligible data breach' occurs when:

there is unauthorised access to, or unauthorised disclosure of, personal, credit reporting or credit eligibility information or a tax file number, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates; or

personal, credit reporting or credit eligibility information or a tax file number is lost, where it is likely that (a) unauthorised access to, or unauthorised disclosure of, the information will occur and (b) such unauthorised access or disclosure will result in serious harm to an individual to whom the information relates.

Remedial action exception to the definition of eligible data breaches

An eligible data breach is deemed never to have occurred where the affected entity:

in the case of lost information, takes action before there is unauthorised access to or unauthorised disclosure of the information which is lost, and no unauthorised access or disclosure actually occurs; or

in the case of information which is the subject of unauthorised access or disclosure, takes action before there is serious harm to any individual to whom the information relates and, because of that action, a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals.

What is 'serious harm'?

'Serious harm' is to be interpreted broadly. The explanatory memorandum to the Bill states that 'serious harm' could include serious physical, psychological, emotional, economic and financial harm, and serious harm to reputation.

The Bill contains a non-exhaustive list of matters to be considered in determining whether or not access to or disclosure of information is likely to result in "serious harm". These matters include:

the kind(s) and sensitivity of the information;

whether the information is protected by one or more security measures, and the likelihood of any of these measures being overcome;

the persons, or the kinds of persons, who have obtained or who could obtain the information; and

the nature of the harm.

Exceptions

There are a small number of circumstances in which entities are exempted from complying with the notification obligations:

Multiple affected entities: Where the eligible data breach affects more than one entity and another entity has complied with the notification obligations, those other affected entities do not need to separately comply.

Enforcement related activities: Where the affected entity is an enforcement body and the body's CEO reasonably believes that complying with the notification obligations is likely to prejudice any of its enforcement related activities.

Inconsistency with a secrecy provision: Where complying with the notification obligations is, to any extent, inconsistent with a provision of a law of the Commonwealth that prohibits or regulates the use or disclosure of information.

Declaration by the Commissioner: Where the Information Commissioner declares that the notification obligations do not apply, or specifies a particular time by which the affected entity must comply with the notification obligations.

Assessment of suspected eligible data breaches

If an entity has reasonable grounds to suspect that an eligible data breach may have occurred, but is not aware of reasonable grounds to believe that an eligible data breach has in fact occurred, the entity must carry out a reasonable and prompt assessment to determine whether an eligible data breach has in fact occurred. This could occur where an entity is notified of a breach by a third party.

The entity must take reasonable steps to complete the assessment within 30 days after forming the suspicion.

If the eligible data breach applies to more than one entity, only one entity needs to undertake an assessment for all entities to comply with this requirement.


After a third deliberation, the Chinese government passed the new PRC cybersecurity law on 7 November 2016. The new law will come into force on 1 June 2017 and has significant implications for the data privacy and cybersecurity practices of both Chinese companies and international organisations doing business in China.

The new PRC cybersecurity law intends to combat online fraud and protect China against internet security risks. In short, it imposes new security and data protection obligations on "network operators", puts restrictions on transfers of data outside China by "key information infrastructure operators" and introduces new restrictions on critical network and cybersecurity products.

The new law has been widely reported in both the local and international press. While Chinese officials maintain that China is not closing the door on foreign companies with the introduction of this new law, there has been widespread international unease since the first reading. Commentators have expressed concern that competition will be stifled, regarding the handover of intellectual property, source codes and security keys to the Chinese government, as to perceived increased surveillance and controls over the internet in China, and in relation to the data localisation requirements. Other new obligations, including increased personal data protections, have been less controversial but are a clear indicator of the increased focus within the Chinese authorities on data protection and could signal a change to the data protection enforcement environment in China.

Some of the key provisions of the final law (which contains some changes to earlier drafts of the law) include (inter alia):

Chinese citizens' personal information and "important data" gathered and produced by "key information infrastructure operators" (KIIO) during operations in China must be kept within the borders of the PRC. If it is "necessary" for the KIIO to transfer such data outside of China, a security assessment must be conducted pursuant to the measures jointly formulated by the National Cyberspace Administration and State Council, unless other PRC laws permit the overseas transfer. While the final version of the law provides some guidance as to the industry fields that will be ascribed greater protection, such as public communications and information service, energy, transportation, water conservancy, finance, public service and e-government, the definition of KIIO remains vague and could potentially be interpreted to cover a broader range of companies and industry sectors. "Personal information" is defined as including all kinds of information, recorded electronically or through other means, that taken alone or together with other information is sufficient to identify a natural person's identity, including but not limited to natural persons' full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers and so forth. However, the types of information that might constitute "important data" are currently unclear. In any case, these data localisation rules are likely to create practical issues for international businesses operating in China.

A range of new obligations apply to organisations that are "network operators" (ie network owners, network administrators and network service providers). A "network" means any system comprising computers or other information terminals and related equipment for the collection, storage, transmission, exchange and processing of information. Some commentators are suggesting that these broad definitions could catch any business that owns and operates IT networks/infrastructure, or even just websites, in China.

In terms of data protection, network operators must make publicly available data privacy notices (explicitly stating the purposes, means and scope of personal information to be collected and used) and obtain individuals' consent when collecting, using and disclosing their personal information. Network operators must adopt technical measures to ensure the security of personal information against loss, destruction or leaks and, in the event of a data security breach, must take immediate remedial action and promptly notify users and the relevant authorities. They must also comply with principles of

16 | Intellectual Property and Technology News

SIGNIfICANT CHANGES TO DATA AND CYbERSECURITY PRACTICES IN CHINABy scott thiel partner and Carolyn Bigg of Counsel (hong Kong) and paula Cao associate (Beijing)

legality propriety and necessity in their data handling and not be excessive not provide an individualrsquos personal information to others without the individualrsquos consent nor illegally sell an individualrsquos personal data to others The rules do not apply to truly anonymised data There are also general obligations to keep user information confidential and to establish and maintain data protection systems Data subject rights to correction of their data as well as a right to request deletion of data in the event of a data breach are also provided While an earlier draft specifically provided protection to personal information of ldquocitizensrdquo the final law does not make this distinction and so seemingly offers a broader protection to all personal information These requirements formalise as binding legal obligations some data protection safeguards that were previously only perceived as best practice guidance in China

As regards network security, network operators must fulfil certain tiered security obligations according to the requirements of the classified protection system for cybersecurity, which includes (amongst other things): formulating internal security management systems and operating instructions; appointing dedicated cybersecurity personnel; taking technological measures to prevent computer viruses and other similar threats and attacks, and formulating plans to monitor and respond to network security incidents; retaining network logs for at least six months; undertaking prescribed data classification, back-up, encryption and similar activities; complying with national and mandatory security standards; reporting incidents to users and the authorities; and establishing complaints systems.

Network operators must also provide technical support and assistance to state security bodies safeguarding national security and investigating crimes, and will be subject to government and public supervision. The form and extent of such cooperation is not currently clear, and international businesses have expressed concerns over the extent to which this may require them to disclose their IP, proprietary and confidential information to the Chinese authorities.

More general conditions on network operators carrying out business and service activities include obeying all laws and regulations, mandatory and industry national standards, social norms and commercial ethics, being honest and credible and bearing social responsibility. There are also requirements on network operators to block, delete and report to the authorities prohibited information and malicious programs published or installed by users.

Network operators handling “network access and domain registration services” for users, including mobile phone and instant message service providers, are required to comply with “real identity” rules when signing up or providing service confirmation to users, or else may not provide the service.

Additional security safeguards apply to KIIOs, including security background checks on key managers, staff training obligations, disaster recovery back-ups, emergency response planning and annual inspections and assessments. Further, strict procurement procedures will apply to KIIOs buying network products and services.

Providers of “network products and services” must comply with national and mandatory standards; their products and services must not contain malicious programs; they must take remedial action against security issues and report them to users and the relevant authorities; and they must provide security maintenance for their products and services, which cannot be terminated within the contract term agreed with customers. These new conditions will require providers of technology products and services to review and update their product and related maintenance offerings and, in particular, the contractual terms on which they are offered to customers.

Critical network equipment and specialised cybersecurity products must obtain government certification or meet prescribed safety inspection requirements before being sold or provided. This potentially catches a wide range of software, hardware and other technologies being sold – or proposed to be sold – by international companies in China, since the definitions used in the law are drafted very broadly. Further guidance, by way of a catalogue of key network products, is expected in due course. There are concerns that this may create barriers to international businesses looking to enter the Chinese market.


Each individual and organisation shall be responsible for its own use of websites and may not set up websites or communication groups for the purpose of committing fraud, imparting criminal methods, producing or selling prohibited items or engaging in other unlawful activities. Again, there is scope for this to be interpreted and applied broadly.

Institutions, organisations and individuals outside China that cause serious consequences by attacking, interfering with or destroying the key information infrastructure of China shall be responsible for any damage, and the relevant public security department of the State Council may freeze assets and impose other sanctions against them. While these provisions would appear to have an extra-territorial effect and could be interpreted very broadly, it is unclear what sanctions could in practice be enforced against organisations without a presence in China.

Other new rules relate to network/online protections for minors; the establishment of schemes for network security monitoring, early warning and breach notification to the relevant authorities and the public; rights for individuals and organisations to report conduct endangering network security; the opening of public data resources; and prohibitions on hacking and supporting activities.

While criminal sanctions, administrative penalties and civil liabilities potentially await those (both organisations and, in some circumstances, individual employees and officers) who violate the new law, unfortunately great uncertainties remain as to how the new legislation will be enforced, who exactly is caught by the various new rules and the precise steps that organisations must take to comply with them. It is hoped that the Chinese authorities will publish more detailed practical guidance in the coming months. In the meantime, organisations are strongly advised to review their data privacy and cybersecurity practices in China to ensure compliance with the new law before it comes into force on 1 June 2017, and to keep these under review as further guidance becomes available.


STRICTER PRC ONLINE ADVERTISING REGULATION IN RESPONSE TO SEARCH SCANDAL

By Edward Chatterton, Partner (Hong Kong), Horace Lam, Partner (Beijing), and Ian Jebbit, Registered Foreign Lawyer (Hong Kong)

The China State Administration of Industry and Commerce’s Online Advertising Regulation (Regulation) came into force on September 1, 2016. The Regulation has been widely regarded as the response to a recent scandal regarding paid search results.

Earlier this year, a promising college student in China, Wei Ze Xi, sought cancer treatment at a hospital which was returned as a paid search result on an internet search engine. The hospital promised that the treatment would be effective and charged Wei US$30,000. The treatment was later found to be ineffective, but Wei could not then afford further

The changes

The newly amended Advertising Law did not expressly address the regulation of ‘paid search results’, but the new Regulation includes a specific definition of paid search results which sees them classified as an internet advertisement and thus subject to the Advertising Law. As such, the Regulation means, inter alia, that paid search results:

must not be misleading;

cannot be used in relation to the advertisement of prescription medication and tobacco products;

cannot be used in relation to the advertisement of medical services, medicine, medical formula food, medical devices, pesticides, veterinary medicines and health care products unless the relevant products and services have been previously approved by the relevant authorities; and

must be able to be closed with ‘one click’ and must not interfere with a user’s internet experience.

The Regulation also requires online advertising service providers to establish internal systems for, inter alia, identifying clients who use paid search results and storing their details and advertisements.

Practical implications

The new Regulation affects not only search engine providers but all online advertising businesses and users of paid search results.

Businesses advertising in China using paid search results must check to ensure such paid search results are in compliance with the Advertising Law, and those businesses operating in any of the restricted fields listed above must now ensure prior approval is sought before placing a paid search result advertisement.

Our team of lawyers in China is ready to advise you on the preparations you need to make for the implementation of the Regulation.


MOBILE APPS UNDER CLOSE WATCH OF THE HONG KONG PRIVACY COMMISSIONER

By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong)

The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps. On 21 April 2016, the Office of the Privacy Commissioner for Personal Data (the PCPD) held the ‘Mobile App Development Forum on Privacy and Security’ (Forum) for the mobile app industry, which discussed key issues for mobile app developers, businesses and stakeholders to consider when developing and operating mobile apps, in terms of ensuring compliance with the provisions of the Personal Data (Privacy) Ordinance and safeguarding users from cybersecurity risks.

Businesses operating in the mobile app industry and related stakeholders are advised to take note of the below key points raised at the Forum and related issues that they should consider.

Lessons to learn from mobile apps in the market

The Privacy Commissioner highlighted the results of a recent survey on popular mobile apps developed by Hong Kong entities, which revealed a lack of transparency in the handling of personal data by the apps. The survey results revealed that most of these local apps did not explain clearly what data they would access and the purposes for such access, and that only around half of these mobile apps provided a privacy policy.

A key risk discussed at the Forum was that the drafter of the privacy policies may not have a complete understanding of what data is in fact collected, stored, used and/or shared by the app, for example in the case of using third party code in the app development. Businesses using one privacy policy for all of their mobile apps, which may differ greatly in the way users’ data are handled, also run the risk of having imprecise privacy policies for individual apps.

Security remains a key concern in relation to personal data collected and handled by mobile apps. It was revealed at the Forum that, alarmingly, some extremely popular mobile apps failed to apply adequate security to safeguard users’ personal data.

Enforcement risks for mobile apps

At the Forum, the Privacy Commissioner referred to enforcement actions that were taken against mobile apps recently, largely due to excessive data collection and inadequate security of personal data.

In recent years, the Privacy Commissioner has served enforcement notices on operators of mobile apps as well as on related parties to the app operators. As a result, the relevant companies have taken corrective actions and, in some instances, the Privacy Commissioner’s enforcement action attracted much media attention and some of these mobile apps are no longer available in the market.

However, there is a limit to the Privacy Commissioner’s enforcement powers, as demonstrated by a high profile incident in November 2016 regarding call-blocking apps whose activities were suspected by the PCPD to contravene Hong Kong’s data privacy law. As the apps’ operators were located outside Hong Kong, the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow-up action.

It is most likely that the privacy compliance of mobile apps will continue to be under the close watch of the Privacy Commissioner in the coming months.

Privacy by Design

The Chief Personal Data Officer of the PCPD, Dr Henry Chang, highlighted the ‘Privacy by Design’ approach that businesses should adopt, which brings privacy to the foreground and embeds privacy from the outset into the design specifications and throughout the entire development life cycle of a mobile app. Set out below are key factors that should be considered.

Data minimisation – The collection of personal data should be reduced to the absolute minimum, especially where sensitive personal data is involved. An assessment of what data the business requires from users, in terms of access and collection, should be undertaken at the outset.

Surprise minimisation – Businesses should ensure there is transparency to users in terms of what data will be collected or accessed, and provide users with a choice to opt out from such access or use where possible. It is important for businesses to manage the expectations of users and eliminate or minimise any possible adverse effects of data collection and use.

Risk minimisation – Businesses must ensure adequate protection of data being transmitted and/or stored, for example through encryption and access control.

Trust and respect – To earn the trust and respect of users, it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects, even if it does not amount to personal data. This is key, as mobile devices contain a vast amount of personal data and other data that may be considered private, and users would be concerned about whether the mobile app accesses or collects any of this data.

In particular, businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users, rather than a compliance hurdle to avoid investigation or enforcement action by the Privacy Commissioner. Businesses should ensure the data collection and handling practices in respect of their mobile apps are not only compliant with the law, but that the privacy policies, privacy notifications and consents are sufficiently clear and transparent to gain the trust and respect of users.


SINGAPORE’S ENFORCEMENT OF DATA PROTECTION LAW ON THE RISE

By Scott Thiel, Partner, Carolyn Bigg, Of Counsel, and Amy Kong, Associate (Hong Kong)

Singapore’s Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC has published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident with the Monetary Authority of Singapore (MAS) concerning a multinational bank. The PDPC has also recently announced the need for organisations to improve their data security and data protection measures, and has issued new guides primarily focusing on data protection measures, which organisations should consider carefully.

Recent enforcement decisions

Some of the key points to note from the three recent enforcement decisions:

A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.

A document processing company was fined SGD 5,000 for a data breach after 195 individuals received the account statements of other account holders held on the Singapore Exchange.

A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (being the policy holder’s chiropractor), in order to obtain further medical information about the policy holder, in September 2015. The PDPC found that the disclosure of the policy holder’s bank account details, being of a sensitive financial nature, was not for a reasonable purpose.

It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of ‘sensitive personal data’ which requires additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.

As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were a result of inadequate data security measures which led to unauthorised disclosure of personal data.


Investigation on a multinational bank’s data disposal incident

The PDPC and the MAS have joined forces in an investigation against a multinational bank (Bank) following a recent report relating to the Bank’s disposal of client documents. In June 2016, it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank’s headquarters in Singapore.

The MAS is working closely with the PDPC to review the incident and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers’ data.

New guides issued by the PDPC

To accompany its recent media release urging organisations to improve their data security measures, and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, securing personal data in electronic medium, and building websites for small to medium enterprises.

The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding content on withdrawal of consent and access requests. Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing their data handling practices.

Some interesting issues to note

The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third party contracts. Such data protection clauses should contain specific security measures; a schedule containing the authorised personnel who are permitted to access the personal data on a ‘need to know’ basis; a requirement for a written undertaking about the return or deletion of personal data; as well as a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.

The PDPC’s guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).

This article was first published in August 2016. For further updates in relation to Singapore’s data protection laws, please contact Scott Thiel (scottthiel@dlapiper.com) or Carolyn Bigg (carolynbigg@dlapiper.com).


IPT INSIGHTS

AUSTRALIA – TRADE MARKS – CHANGES TO OFFICIAL FEES

The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees, some of which are to align with practices in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.

Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there will no longer be a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptance/registration, the new process will hopefully reduce the administrative burden on applicants somewhat.

In addition, the AU$150 fee for opposing a removal application will be abolished. Renewal fees will also increase slightly.

This is an adjustment to official fees only at this time, and DLA Piper Australia is not increasing its fees for the relevant attendances.

HONG KONG’S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD

Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong’s Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees are using their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap 486) (the Ordinance) and the Data Protection Principles (DPPs).

The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices depending on whether or not the organisation’s data is stored on the personal devices or within a ‘sandbox’. The Commissioner has suggested as best practice that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance.

The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding the use of personal data stored in the BYOD device, and whether adequate security measures are in place to ensure the secure transfer and storage of personal data in the BYOD equipment (eg sandboxing, password protection and independent encryption).

The Information Leaflet also highlights that respect for personal data should be mutual under the BYOD scheme, and any practices implemented to manage employees’ BYOD devices should respect the employees’ private information.

For more information, the Information Leaflet is available here.

DLA Piper’s Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more, please click here.

JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS

In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.

Where the supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, in order to seek a remedy (for example, damages) the supplier must follow the approach prescribed in the Bill. This is likely to be a two-step process. Firstly, the supplier must attempt to resolve the complaint with the procuring entity. Secondly, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.

The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year.


WHAT’S ON

Wrap up: 5th Global Technology Summit

On September 27 and 28, DLA Piper’s Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.

This year the Summit was divided into two distinct days of programming. The first day, which was called ‘Garage2Global’, was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from ‘garage to global’. The second day, which was entitled ‘TechLaw’, provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.

Speaker Highlights

At ‘Garage2Global’, Alec Ross, Former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day, Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world’s largest networks, one that powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates, Inc.

Kicking off ‘TechLaw’, Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions, and how the legal department is viewed as a business partner. During the afternoon sessions, Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, to discuss the GC’s role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world’s largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.

Please visit our Summit website and blog for any further information.

DLA Piper is pleased to announce the launch of Telecommunications Laws of the World

Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.

Key features include:

telecommunications laws, regulations and policies

regulatory bodies or authorities

overview of consents, licenses and authorisations

regulatory taxes and fees

key sanctions and penalties

Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-based stamping for trading transactions, robust, reliable and resilient networks are critical.

Today, telecommunications operators are increasingly seeking to expand customer-specific and value added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion. At the same time, the growth of OTT (over the top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators’ infrastructure to provide services.

Access Telecommunications Laws of the World here.


Intellectual property webinar series

Throughout 2016, DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact events.australia@dlapiper.com.

- intellectual property issues in China
- confidential information and trade secrets: global insights, global protection
- grey market, parallel importation and anti-counterfeiting
- content protection and digital piracy
- advertising and marketing

Pre-order your copy of the inaugural edition of DLA Piper’s Asia-Pacific Trademark Guide

We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.

Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:

- trademark filing and prosecution
- oppositions
- revocation, invalidation and cancellation
- trademark enforcement
- trademark exploitation
- unregistered trademark rights
- domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piper’s Asia-Pacific Trademark Guide, email APACTMGuide@dlapiper.com.

Are you an in-house lawyer? Join WIN today

WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.


GLOBAL PATENT LAWS AROUND THE WORLD

COMING SOON

Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to business operating in the countries featured: for example, what acts infringe a patent, the availability of and approach to granting preliminary injunctions, the ability to obtain evidence, the approach to assessing validity, and the typical time to trial. For companies operating in multiple countries, managing the risk of, and successfully bringing or defending, patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those in other countries.

Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and procedural matters businesses need to know about. The handbook includes guidance on:

- infringing conduct
- defences to infringement
- before taking action
- patent validity
- taking action
- remedies
- procedure & timing

Benefits of Global Patent Laws: patent laws simply put, global reach, easy access 24/7.

DLA PIPER’S PATENT GROUP

With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.

For further information, please contact us by email at patents@dlapiper.com.


Organisations attacked once are three times more likely to be attacked again – Symantec

45x more cyber ransom events year on year – Symantec

Digital transformation and the impact of insurance

Once an organisation has deployed robust technology defences, educated staff about the risks of cyber-attack and promulgated policies about how to react and respond to cyber events, it has laid important foundations for its protection.

Those people, process and technology foundations provide a platform from which the organisation is able to negotiate appropriate and cost-effective cyber insurance.

By analysing the potential impact of an attack on the financial statement, the organisation can determine what coverage it requires.

Kevin Kalinich, Aon’s global cyber practice leader, advises organisations to look at the industry in which they operate and benchmark the range of losses that could arise, knowing the value of data assets held and the impact of a cyber-attack in terms of business interruption: the impact on supply chains, on SCADA industrial control systems, on reputation and brand.

The anticipated introduction of mandated data breach notification should spur action, and organisations with international operations need to ensure that they are properly protected in all the geographies in which they operate. Based on international experience, mandated breach notification leads to significant costs associated with legal services, regulator notification, customer notification, forensics, remediation and potentially compensation claims.

“Take steps to mitigate, to allocate liability or minimise your own liability. This is not all about prevention – it is about your response. If you have prepared a response, there is data that shows you can reduce the total cost of an incident,” says Kalinich.

He also warns that organisations should not assume that their existing insurance policies provide any coverage in the event of a cyber-attack, nor that a third party information systems provider, such as a cloud computing vendor, would have them covered. Similarly, existing directors and officers policies and professional indemnity coverage might prove inadequate should a cyber-attack take place.

In order to properly analyse the risk profile, Kalinich advocates risk quantification modelling in combination with Monte Carlo evaluation techniques. The resulting macro-level understanding of the challenge allows an organisation to then work with an insurance broker to craft appropriate risk coverage.
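The risk quantification described above can be illustrated with a small Monte Carlo loss model. The following Python is an added example, not code from the article or from Aon: it draws the number of incidents per year from a Poisson distribution and each incident’s cost from a lognormal distribution, then shows how a deductible and a limit of indemnity split each simulated year’s loss between the organisation and the insurer. All frequency, severity, deductible and limit figures are constructed placeholders, not industry benchmarks.

```python
"""Monte Carlo cyber-loss model (illustrative, constructed parameters).

Shows how risk quantification feeds the 'how bad can it be?' question and
the choice of deductible and limit in a cyber insurance policy.
"""
import math
import random
from statistics import mean


def poisson_sample(lam, rng):
    """Draw one Poisson(lam) value with Knuth's multiplication method."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(n_years, freq_lambda, sev_median, sev_sigma, seed=1):
    """Return a list of simulated gross annual losses.

    Each simulated year has Poisson(freq_lambda) incidents, and each incident
    costs a lognormal amount with the given median and log-scale sigma.
    A fixed seed keeps the run reproducible.
    """
    rng = random.Random(seed)
    mu = math.log(sev_median)
    totals = []
    for _ in range(n_years):
        incidents = poisson_sample(freq_lambda, rng)
        totals.append(sum(rng.lognormvariate(mu, sev_sigma) for _ in range(incidents)))
    return totals


def apply_policy(gross, deductible, limit):
    """Split one year's gross loss into (retained, insured) under a policy
    with a per-year deductible and a per-year limit of indemnity."""
    insured = min(max(gross - deductible, 0.0), limit)
    return gross - insured, insured


def percentile(values, q):
    """Nearest-rank percentile (q in 0..1) of a non-empty list."""
    ordered = sorted(values)
    rank = max(0, min(len(ordered) - 1, math.ceil(q * len(ordered)) - 1))
    return ordered[rank]


def summarise(totals, deductible, limit):
    """Headline figures an organisation would take to its broker."""
    split = [apply_policy(g, deductible, limit) for g in totals]
    retained = [r for r, _ in split]
    insured = [i for _, i in split]
    return {
        "expected_gross": mean(totals),
        "p50_gross": percentile(totals, 0.50),
        "p95_gross": percentile(totals, 0.95),
        "p99_gross": percentile(totals, 0.99),
        "expected_retained": mean(retained),
        "expected_insured": mean(insured),
        # share of simulated years in which the loss exceeded the limit (a coverage gap)
        "prob_limit_exhausted": mean(1.0 if g > deductible + limit else 0.0 for g in totals),
        "worst_retained": max(retained),
    }


if __name__ == "__main__":
    # Constructed parameters: ~1.5 incidents a year, median incident cost 200k, heavy tail.
    losses = simulate_annual_losses(10_000, 1.5, 200_000, 1.2)
    for key, value in summarise(losses, deductible=250_000, limit=5_000_000).items():
        if key == "prob_limit_exhausted":
            print(f"{key:>22}: {value:.2%}")
        else:
            print(f"{key:>22}: {value:,.0f}")
```

Re-running `summarise` with a different deductible or limit shows how the expected retained loss, and the probability that the limit is exhausted, move as the policy terms change.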

Off-the-shelf policies have limited value. Base cyber insurance policies can cover external hacks, malicious code and internal mistakes – but may not cover the impact of a bug in the system. Consequential – punitive, incidental – costs are excluded from all base insurance policies, as is tangible property damage, but can be negotiated in a customised policy.

Effective cyber insurance policies also cover costs associated with legal support, communications costs, forensic analysis, notification and remediation services.

Kalinich warns, however, that given the changes in the legal landscape and the technology terrain, this is not a set-and-forget requirement, noting that risk assessment needs to be both thorough and regular.

Armed with that insight, the organisation can work with an insurance broker to find, tailor and stress test a cyber insurance policy to ensure the effective reduction of enterprise risk.

Cyber risk: are you properly prepared?

There are four key questions that every organisation needs to address regarding cyber risk and protection:

- What can go wrong?
- How bad can it be?
- How am I protected?
- Will my insurance work?

Assessing the organisational risk profile requires input from multiple stakeholders, including the chief financial officer, chief information security officer, risk management head and legal counsel. External consultants can also provide a fresh lens through which to explore exposure.

Knowing the risk is one thing – dealing with it effectively also demands the support of the most senior management and board. Effective security requires a whole-organisation commitment from the top down.

The anticipated mandatory breach notification legislation will require organisations to alert authorities not only when they are aware of a breach, but when those organisations “ought reasonably to have been aware”, which suggests regulators may penalise companies found to have inadequate security systems. It is also not yet clear whether there will be any extra-territorial implications of the legislation for organisations operating overseas branches or subsidiaries.

Cyber security is a critical issue for organisations of every scale and in every sector. Robust and comprehensive security frameworks, a well-crafted response plan and effective cyber insurance, developed in concert and reviewed regularly, deliver the maximum protection and an important competitive edge.

UNFAIR CONTRACT TERMS IN THE IT SPACE: WHAT YOU NEED TO KNOW
By Sarah Dolan, Senior Associate (Melbourne), and Stephanie Tran, Graduate (Melbourne)

The ‘one size fits all’ approach to contracting is a common feature within the IT industry. Standard form contracts are an efficient and cost-effective method of doing business and are often used for online terms of use and projects which are of low risk, value and/or complexity.

From 12 November 2016, the unfair contract terms regime in the Australian Consumer Law, which until then only applied to individual consumers, was extended to contracts where at least one party is a “small business” and the upfront price payable is $300,000 (or $1 million if the contract is for a term longer than 12 months). A “small business” is a business that employs less than 20 people. It will also apply to contracts which are varied after 12 November 2016.

What is an “unfair” contract term?

Whether a term is “unfair” is decided by a court or tribunal. A term is “unfair” if the following three criteria are satisfied:

- it causes a significant imbalance in the parties’ rights and obligations under the contract;
- it is not reasonably necessary to protect the legitimate interest of the party who would be advantaged by the term; and
- it would cause detriment (whether financial or otherwise) to a party if the term were relied upon.

A court or tribunal, in determining whether a term is unfair, must assess the transparency of the term. This includes an assessment of how the term is expressed: is it in plain language, and is it presented clearly? The court or tribunal must also consider the term in light of the contract as a whole and not in isolation.

Unfair terms in standard form contracts

Examples of standard form contract terms that may be challenged in court or at a tribunal for “unfairness” include:

- terms requiring the customer to indemnify the supplier for any damage caused, even if it is caused by the supplier’s own negligence;
- terms that allow a supplier to cancel a contract at will for an inconsequential breach of contract by the customer;
- terms that restrict a customer from obtaining a refund or exercising a termination right where the supplier has failed to meet its obligations under the contract; and
- terms that provide for automatic renewal without the customer’s consent.

What does this mean for your business?

Where a supplier’s business model is directed at providing services to small to medium enterprises (SMEs), and the supplier has not had to address this issue in the past for “consumer” customers, it is likely to be impacted by this extension of the unfair contract terms regime. Standard form contracts (eg online terms of use, confidentiality agreements, software licences, support agreements, supply and/or services contracts) for SME customers should be reviewed to determine whether any of the terms may be considered “unfair”.

If a court determines that a term is “unfair”, it can make a range of orders, including declaring part or all of the contract void and/or varying the contract. If a court orders a contract to be varied, this may result in the supplier being unable to enforce other rights it may otherwise have, either under the contract itself or at law.

Additionally, customers which are small businesses may challenge contract terms that they consider are unfair to prevent a supplier from enforcing express rights under the contract. Such challenges will cost a supplier both time and money to address, even if it is able to successfully defend the claim. In addition, in this day of instant and free customer feedback on social media sites, there is also the risk of reputational damage in the market.

Suppliers should ensure their standard terms are appropriate for the type, size and nature of both the target customer and the goods and services being provided, with an appropriate balance of risk and responsibility between the parties.

INSURTECH
By Carolyn Bigg, Of Counsel (Hong Kong), and Sarah Fountain, Senior Associate (Melbourne)

The customer experience of insurance has largely remained the same for many years. A customer completes a proposal form (normally in hard copy) and submits it to the broker; the broker requests quotes from insurers; insurers provide quotes; the broker places a policy; the policy is issued (normally on an annual basis); and then the customer probably gives no further thought to it unless he or she needs to make a claim. This process does not fit well with the digital era we now live in and has not adapted quickly enough to meet changing consumer expectations, largely driven by millennials.

Insurers widely recognise the need to innovate. Despite this, most insurers have been slow to change their ways, with less than a quarter giving customers the option to submit claims online. This signals huge opportunities for those in the insurance sector, which explains the huge growth we are seeing in ‘insurtech’ (a word that was barely known a few years ago but now seems to be everywhere). Globally, investment in insurtech increased from US$800 million in 2014 to US$2.6 billion in 2015, and was US$1 billion in the first half of 2016.

Across Asia Pacific there are numerous examples of insurers embracing insurtech. Some insurers have opened innovation labs or incubators, such as MetLife’s LumenLab in Singapore. Others have established corporate VC funds to invest in insurtech startups that will drive value for the business. For example, Suncorp recently invested in Trov, an app that allows customers to turn insurance on and off by swiping right or left on their phones. We have also seen collaboration between insurers and car manufacturers to make available one-click, single-use motor vehicle policies in connected cars, as well as collaboration between insurers and technology companies. Another indicator of the opportunities in insurtech is the level of interest shown in the insurance market by leading players in other markets. For example, earlier this year China Mobile announced it is planning to enter the insurance market by making significant investments in two insurance companies.

These initiatives are already starting to have an impact on the insurance experience. The use of drones by insurance companies to assess property damage is reducing claims costs and the time taken to assess claims. The implementation of wearable technology in the workplace, such as smart glasses and smart hats, is increasing workplace safety and thereby reducing the risk of injuries. The use of wearable devices has also been adopted by health insurers and life insurers, enabling them to capture data and potentially pass on lower premiums to policy holders. In the future, we predict the most significant areas of growth and change in insurtech will be data analytics, wearables and IoT, blockchain and artificial intelligence.

Whilst regulators understandably adopt a cautious approach, they are taking steps to encourage fintech and insurtech initiatives. The Monetary Authority of Singapore very recently published guidelines for a ‘regulatory sandbox’ to encourage growth in fintech within a relaxed regulatory environment. This follows the announcement by the Australian Securities & Investments Commission of a sandbox for fintech businesses.

As the insurance sector becomes increasingly digitised, cybersecurity risks also increase. Regulators around the region have published new and updated guidance that is relevant to the increasingly sophisticated cybersecurity threats. It is important that insurers’ compliance and risk teams focus not only on the immediate cybersecurity compliance obligations arising from the latest regulations, but also ensure that cybersecurity compliance programmes are developed to take into account increasing reliance on technology and data at the core of their operations.

As technology continues to evolve and improve, insurtech opportunities will increase. Although the rise of insurtech has been rapid in recent years, it is still in its infancy. This presents significant opportunities for insurers who adapt to changing consumer expectations and invest in insurtech, especially in Asia, where many people are uninsured but are well connected and spend a lot of time online via their mobile devices. Adapting quickly to this dynamic landscape will enable insurers to remain competitive.

PROPOSED AUSTRALIAN MANDATORY DATA BREACH NOTIFICATION REGIME
By Nicholas Boyle, Senior Associate (Sydney)

In October 2016, the Federal Government introduced the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill) to the House of Representatives to amend the Privacy Act to establish a regime for mandatory notification of eligible data breaches. There is bipartisan support for the Bill and it is likely to become law in late 2016 or early 2017.

What are the mandatory data breach notification requirements under the Bill?

The Bill requires that an entity must, as soon as practicable, comply with the notification steps outlined below if:

- the entity becomes aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity; or
- the Information Commissioner directs the entity to do so.

If an ‘eligible data breach’ occurs in relation to information which has been disclosed to (and is held by) an overseas recipient by an entity, the entity that disclosed the information must comply.

Step 1: Prepare a statement setting out the prescribed details

The affected entity must prepare a statement that sets out:

- the identity and contact details of the entity (if the eligible data breach relates to more than one entity, the statement may set out the identity and contact details of those other entities);
- a description of the eligible data breach;
- the kind or kinds of information affected by the eligible data breach; and
- recommendations about the steps that individuals who are or may be affected by the eligible data breach should take in response to it.

If a statement is prepared at the direction of the Information Commissioner, the statement must also include any information specified in that direction.

Step 2: Give a copy of the prepared statement to the Information Commissioner

Step 3: Notify the contents of the statement to individuals whose information is affected by the eligible data breach

Where practicable, the affected entity must take reasonable steps to notify the contents of the statement to those individuals who are or may be affected by the eligible data breach. The entity may use the channels it ordinarily uses to communicate with individuals (eg email, text message, mail) to provide those notifications, but that does not limit the obligation to take reasonable steps or the methods of communication that the entity can use.

If it is not practicable for the affected entity to notify individuals, the affected entity must publish a copy of the statement on its website (if any) and take reasonable steps to publicise the contents of the statement.

What are ‘eligible data breaches’?

An ‘eligible data breach’ occurs when:

- there is unauthorised access to, or unauthorised disclosure of, personal, credit reporting or credit eligibility information or a tax file number, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates; or
- personal, credit reporting or credit eligibility information or a tax file number is lost, where it is likely that (a) unauthorised access to or unauthorised disclosure of the information will occur and (b) such unauthorised access or disclosure will result in serious harm to an individual to whom the information relates.

Remedial action exception to the definition of eligible data breaches

An eligible data breach is deemed never to have occurred where the affected entity:

- in the case of lost information, takes action before there is unauthorised access to or unauthorised disclosure of the information which is lost, and no unauthorised access or disclosure actually occurs; or
- in the case of information which is the subject of unauthorised access or disclosure, takes action before there is serious harm to any individual to whom the information relates, and because of that action a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals.

What is ‘serious harm’?

‘Serious harm’ is to be interpreted broadly. The explanatory memorandum to the Bill states that ‘serious harm’ could include serious physical, psychological, emotional, economic and financial harm, and serious harm to reputation.

The Bill contains a non-exhaustive list of matters to be considered in determining whether or not access to or disclosure of information is likely to result in “serious harm”. These matters include:

- the kind(s) and sensitivity of the information;
- whether the information is protected by one or more security measures, and the likelihood of any of these measures being overcome;
- the persons, or the kinds of persons, who have obtained or who could obtain the information; and
- the nature of the harm.

Exceptions

There are a small number of circumstances in which entities are exempted from complying with the notification obligations:

- Multiple affected entities: where the eligible data breach affects more than one entity and another entity has complied with the notification obligations, those other affected entities do not need to separately comply.
- Enforcement related activities: where the affected entity is an enforcement body and the body’s CEO reasonably believes that complying with the notification obligations is likely to prejudice any of its enforcement related activities.
- Inconsistency with a secrecy provision: where complying with the notification obligations is to any extent inconsistent with a provision of a law of the Commonwealth that prohibits or regulates the use or disclosure of information.
- Declaration by the Commissioner: where the Information Commissioner declares that the notification obligations do not apply, or specifies a particular time by which the affected entity must comply with the notification obligations.

Assessment of suspected eligible data breaches

If an entity has reasonable grounds to suspect an eligible data breach may have occurred, but is not aware of reasonable grounds to believe that an eligible data breach has in fact occurred, the entity must carry out a reasonable and prompt assessment to determine whether an eligible data breach has in fact occurred. This could occur where an entity is notified of a breach by a third party.

The entity must take reasonable steps to complete the assessment within 30 days after forming the suspicion.

If the eligible data breach applies to more than one entity, only one entity needs to undertake an assessment for all entities to comply with this requirement.

After a third deliberation the Chinese government passed the new PRC cybersecurity law on 7 November 2016 The new law will come into force on 1 June 2017 and has significant implications for the data privacy and cybersecurity practices of both Chinese companies and international organisations doing business in China

The new PRC cybersecurity law intends to combat online fraud and protect China against internet security risks In short it imposes new security and data protection obligations on ldquonetwork operatorsrdquo puts restrictions on transfers of data outside China by ldquokey information infrastructure operatorsrdquo and introduces new restrictions on critical network and cybersecurity products

The new law has been widely reported in both the local and international press While Chinese officials maintain that China is not closing the door on foreign companies with the introduction of this new law there has been widespread international unease since the first reading Commentators have expressed concern that competition will be stifled regarding the handover of intellectual property source codes and security keys to the Chinese government as to perceived increased surveillance and controls over the internet in China and in relation to the data localisation requirements Other new obligations including increased personal data protections have been less controversial but are a clear indicator of the increased focus within the Chinese authorities on data protection and could signal a change to the data protection enforcement environment in China

Some of the key provisions of the final law (which contains some changes to earlier drafts of the law) include (inter alia)

Chinese citizenrsquos personal information and ldquoimportant datardquo gathered and produced by ldquokey information infrastructure operatorsrdquo (KIIO) during operations in China must be kept within the borders of the PRC If it is ldquonecessaryrdquo for the KIIO to transfer such data outside of China a security assessment must be conducted pursuant to the measures jointly formulated by the National Cyberspace Administration and State Council unless other PRC laws

permit the overseas transfer While the final version of the law provides some guidance as to the industry fields that will be ascribed greater protection such as public communications and information service energy transportation water conservancy finance public service and e-government the definition of KIIO remains vague and could potentially be interpreted to cover a broader range of companies and industry sectors ldquoPersonal informationrdquo is defined as including all kinds of information recorded electronically or through other means that taken alone or together with other information is sufficient to identify a natural personrsquos identity including but not limited to natural personsrsquo full names birth dates identification numbers personal biometric information addresses telephone numbers and so forth However the types of information that might constitute ldquoimportant datardquo is currently unclear In any case these data localisation rules are likely to create practical issues for international businesses operating in China

A range of new obligations apply to organisations that are ldquonetwork operatorsrdquo (ie network owners network administrators and network service providers) A ldquonetworkrdquo means any system comprising computers or other information terminals and related equipment for collection storage transmission exchange and processing of information Some commentators are suggesting that these broad definitions could catch any business that owns and operates IT networksinfrastructure or even just websites in China

In terms of data protection network operators must make publicly available data privacy notices (explicitly stating purposes means and scope of personal information to be collected and used) and obtain individualsrsquo consent when collecting using and disclosing their personal information Network operators must adopt technical measures to ensure the security of personal information against loss destruction or leaks and in the event of a data security breach must take immediate remedial action and promptly notify users and the relevant authorities They must also comply with principles of

16 | Intellectual Property and Technology News

SIGNIfICANT CHANGES TO DATA AND CYbERSECURITY PRACTICES IN CHINABy scott thiel partner and Carolyn Bigg of Counsel (hong Kong) and paula Cao associate (Beijing)

legality propriety and necessity in their data handling and not be excessive not provide an individualrsquos personal information to others without the individualrsquos consent nor illegally sell an individualrsquos personal data to others The rules do not apply to truly anonymised data There are also general obligations to keep user information confidential and to establish and maintain data protection systems Data subject rights to correction of their data as well as a right to request deletion of data in the event of a data breach are also provided While an earlier draft specifically provided protection to personal information of ldquocitizensrdquo the final law does not make this distinction and so seemingly offers a broader protection to all personal information These requirements formalise as binding legal obligations some data protection safeguards that were previously only perceived as best practice guidance in China

As regards network security network operators must fulfil certain tiered security obligations according to the requirements of the classified protection system for cybersecurity which includes (amongst other things) formulating internal security management systems and operating instructions appointing dedicated cybersecurity personnel taking technological measures to prevent computer viruses and other similar threats and attacks and formulating plans to monitor and respond to network security incidents retaining network logs for at least six months undertaking prescribed data classification back up encryption and similar activities complying with national and mandatory security standards reporting incidents to users and the authorities and establishing complaints systems

Network operators must also provide technical support and assistance to state security bodies safeguarding national security and investigating crimes and will be subject to government and public supervision The form and extent of such cooperation is not currently clear and international businesses have expressed concerns over the extent to which this may require them to disclose their IP proprietary and confidential information to the Chinese authorities

More general conditions on network operators carrying out business and service activities include obeying all laws and regulations mandatory and industry national standards social

norms and commercial ethics being honest and credible and bearing social responsibility There are also requirements on network operators to block delete and report to the authorities prohibited information and malicious programs published or installed by users

Network operators handling ldquonetwork access and domain registration servicesrdquo for users including mobile phone and instant message service providers are required to comply with ldquoreal identityrdquo rules when signing up or providing service confirmation to users or else may not provide the service

Additional security safeguards apply to KIIOs including security background checks on key managers staff training obligations disaster recovery back ups emergency response planning and annual inspections and assessments Further strict procurement procedures will apply to KIIOs buying network products and services

Providers of "network products and services" must comply with national and mandatory standards; their products and services must not contain malicious programs; they must take remedial action against security issues and report them to users and relevant authorities; and they must provide security maintenance for their products and services, which cannot be terminated within the contract term agreed with customers. These new conditions will require providers of technology products and services to review and update their product and related maintenance offerings, and in particular the contractual terms on which they are offered to customers.

Critical network equipment and specialised cybersecurity products must obtain government certification or meet prescribed safety inspection requirements before being sold or provided. This potentially catches a wide range of software, hardware and other technologies being sold – or proposed to be sold – by international companies in China, since the definitions used in the law are drafted very broadly. Further guidance, by way of a catalogue of key network products, is expected in due course. There are concerns that this may create barriers to international businesses looking to enter the Chinese market.


Each individual and organisation shall be responsible for its own use of websites, and may not set up websites or communication groups for the purpose of committing fraud, imparting criminal methods, producing or selling prohibited items, or engaging in other unlawful activities. Again, there is scope for this to be interpreted and applied broadly.

Institutions, organisations and individuals outside China that cause serious consequences by attacking, interfering with or destroying key information infrastructure of China shall be responsible for any damage, and the relevant public security department of the State Council may freeze assets and impose other sanctions against them. While these provisions would appear to have an extra-territorial effect and could be interpreted very broadly, it is unclear what sanctions could in practice be enforced against organisations without a presence in China.

Other new rules relate to network/online protections for minors; the establishment of schemes for network security monitoring, early warning and breach notification to relevant authorities and the public; rights for individuals and organisations to report conduct endangering network security; opening of public data resources; and prohibitions on hacking and supporting activities.

While criminal sanctions, administrative penalties and civil liabilities potentially await those (both organisations and, in some circumstances, individual employees and officers) who violate the new law, unfortunately great uncertainties remain as to how the new legislation will be enforced, who exactly is caught by the various new rules, and the precise steps that organisations must take to comply with them. It is hoped that the Chinese authorities will publish more detailed practical guidance in the coming months. In the meantime, organisations are strongly advised to review their data privacy and cybersecurity practices in China to ensure compliance with the new law before it comes into force on 1 June 2017, and to keep these under review as further guidance becomes available.


The China State Administration of Industry and Commerce's Online Advertising Regulation (Regulation) came into force on September 1, 2016. The Regulation has been widely regarded as the response to a recent scandal regarding paid search results.

Earlier this year, a promising college student in China, Wei Ze Xi, sought cancer treatment at a hospital which was returned as a paid search result on an internet search engine. The hospital promised that the treatment would be effective and charged Wei US$30,000. The treatment was later found to be ineffective, but Wei could not then afford further

The changes

The newly amended Advertising Law did not expressly address the regulation of 'paid search results', but the new Regulation includes a specific definition of paid search results which sees them classified as an internet advertisement and thus subject to the Advertising Law. As such, the Regulation means, inter alia, that paid search results:

must not be misleading;

cannot be used in relation to the advertisement of prescription medication and tobacco products;

cannot be used in relation to the advertisement of medical services, medicine, medical formula food, medical devices, pesticides, veterinary medicines and health care products, unless the relevant products and services have been previously approved by the relevant authorities; and

must be able to be closed with 'one click' and must not interfere with a user's internet experience.

The Regulation also requires online advertising service providers to establish internal systems for, inter alia, identifying clients who use paid search results and storing their details and advertisements.

Practical implications

The new Regulation affects not only search engine providers, but all online advertising businesses and users of paid search results.

Businesses advertising in China using paid search results must check to ensure such paid search results are in compliance with the Advertising Law, and those businesses operating in any of the restricted fields listed above must now ensure prior approval is sought before placing a paid search result advertisement.

Our team of lawyers in China is ready to advise you on the preparations you need to make for the implementation of the Regulation

STRICTER PRC ONLINE ADVERTISING REGULATION IN RESPONSE TO SEARCH SCANDAL

By Edward Chatterton, Partner (Hong Kong), Horace Lam, Partner (Beijing), and Ian Jebbit, Registered Foreign Lawyer (Hong Kong)


MOBILE APPS UNDER CLOSE WATCH OF THE HONG KONG PRIVACY COMMISSIONER

By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong)

The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps. On 21 April 2016, the Office of the Privacy Commissioner for Personal Data (the PCPD) held the 'Mobile App Development Forum on Privacy and Security' (Forum) for the mobile app industry, which discussed key issues for mobile app developers, businesses and stakeholders to consider when developing and operating mobile apps, in terms of ensuring compliance with the provisions of the Personal Data (Privacy) Ordinance and safeguarding users from cybersecurity risks.

Businesses operating in the mobile app industry, and related stakeholders, are advised to take note of the key points raised at the Forum set out below, and the related issues that they should consider.

Lessons to learn from mobile apps in the market

The Privacy Commissioner highlighted the results of a recent survey on popular mobile apps developed by Hong Kong entities, which revealed a lack of transparency in the handling of personal data by the apps. The survey results revealed that most of these local apps did not explain clearly what data they would access and the purposes for such access, and that only around half of these mobile apps provided a privacy policy.

A key risk discussed at the Forum was that the drafter of the privacy policies may not have a complete understanding of what data is in fact collected, stored, used and/or shared by the app, for example where third party code is used in the app development. Businesses using one privacy policy for all of their mobile apps, which may differ greatly in the way users' data are handled, also run the risk of having imprecise privacy policies for individual apps.

Security remains a key concern in relation to personal data collected and handled by mobile apps. It was revealed at the Forum that, alarmingly, some extremely popular mobile apps failed to apply adequate security to safeguard users' personal data.

Enforcement risks for mobile apps

At the Forum, the Privacy Commissioner referred to enforcement actions that were taken against mobile apps recently, largely due to excessive data collection and inadequate security of personal data.

In recent years, the Privacy Commissioner has served enforcement notices on operators of mobile apps, as well as on parties related to the app operators. As a result, the relevant companies have taken corrective actions and, in some instances, the Privacy Commissioner's enforcement action attracted much media attention, and some of these mobile apps are no longer available in the market.

However, there is a limit to the Privacy Commissioner's enforcement powers, as demonstrated by a high profile incident in November 2016 regarding call-blocking apps whose activities were suspected by the PCPD to contravene Hong Kong's data privacy law. As the apps' operators were located outside Hong Kong, the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow up action.

It is most likely that the privacy compliance of mobile apps will continue to be under the close watch of the Privacy Commissioner in the coming months

Privacy by Design

The Chief Personal Data Officer of the PCPD, Dr Henry Chang, highlighted the 'Privacy by Design' approach that businesses should adopt, which brings privacy to the foreground and embeds privacy from the outset into the design specifications and throughout the entire development life cycle of a mobile app. Set out below are key factors that should be considered:

Data minimisation – The collection of personal data should be reduced to the absolute minimum, especially where sensitive personal data is involved. An assessment of what data the business requires from users, in terms of access and collection, should be undertaken at the outset.

Surprise minimisation – Businesses should ensure there is transparency to users in terms of what data will be collected or accessed, and provide users with a choice to opt out from such access or use where possible. It is important for businesses to manage the expectations of users and eliminate or minimise any possible adverse effects of data collection and use.

Risk minimisation – Businesses must ensure adequate protection of data being transmitted and/or stored, for example through encryption and access control.

Trust and respect – To earn the trust and respect of users, it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects, even if it does not amount to personal data. This is key, as mobile devices contain a vast amount of personal data and other data that may be considered private, and users would be concerned about whether the mobile app accesses or collects any of this data.

In particular, businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users, rather than a compliance hurdle to avoid investigation or enforcement action by the Privacy Commissioner. Businesses should ensure that the data collection and handling practices in respect of their mobile apps are not only compliant with the law, but that the privacy policies, privacy notifications and consents are sufficiently clear and transparent to gain the trust and respect of users.


Singapore's Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC has published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident with the Monetary Authority of Singapore (MAS) concerning a multinational bank. The PDPC has also recently announced the need for organisations to improve their data security and data protection measures, and has issued new guides, primarily focusing on data protection measures, which organisations should consider carefully.

Recent enforcement decisions

Some of the key points to note from the three recent enforcement decisions:

A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.

A document processing company was fined SGD 5,000 for a data breach after 195 individuals received account statements of other account holders held on the Singapore Exchange.

A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (being the policy holder's chiropractor), in order to obtain further medical information about the policy holder, in September 2015. The PDPC found that the disclosure of the policy holder's bank account details, being of a sensitive financial nature, was not for a reasonable purpose.

It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of 'sensitive personal data' which requires additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.

As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were a result of inadequate data security measures, which led to unauthorised disclosure of personal data.

SINGAPORE'S ENFORCEMENT OF DATA PROTECTION LAW ON THE RISE

By Scott Thiel, Partner, Carolyn Bigg, Of Counsel, and Amy Kong, Associate (Hong Kong)


Investigation into a multinational bank's data disposal incident

The PDPC and the MAS have joined forces in an investigation into a multinational bank (Bank) following a recent report relating to the Bank's disposal of client documents. In June 2016, it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank's headquarters in Singapore.

The MAS is working closely with the PDPC to review the incident, and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers' data.

New guides issued by the PDPC

To accompany its recent media release urging organisations to improve their data security measures, and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, securing personal data in electronic medium, and building websites for small to medium enterprises.

The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding content on withdrawal of consent and access requests. Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing their data handling practices.

Some interesting issues to note

The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third party contracts. Such data protection clauses should contain: specific security measures; a schedule listing the authorised personnel who are permitted to access the personal data on a 'need to know' basis; a requirement for a written undertaking about the return or deletion of personal data; as well as a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.

The PDPC's guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper, depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).

This article was first published in August 2016. For further updates in relation to Singapore's data protection laws, please contact Scott Thiel (scott.thiel@dlapiper.com) or Carolyn Bigg (carolyn.bigg@dlapiper.com).


AUSTRALIA – TRADE MARKS – CHANGES TO OFFICIAL FEES

The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees, some of which are to align with practices in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.

Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there will no longer be a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptance/registration, the new process will hopefully reduce the administrative burden on applicants somewhat.

In addition, the AU$150 fee for opposing a removal application will be abolished. Renewal fees will also increase slightly.

This is an adjustment to official fees only at this time, and DLA Piper Australia is not increasing its fees for the relevant attendances.

HONG KONG'S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD

Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong's Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees are using their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap 486) (the Ordinance) and the Data Protection Principles (DPPs).

The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment, and the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices that differ depending on whether or not the organisation's data is stored on the personal devices or within a 'sandbox'. The Commissioner has suggested, as best practice, that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly, to ensure appropriate data privacy and data security compliance.

The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding use of personal data stored in the BYOD device, and whether adequate security measures are in place to ensure secure transfer and storage of personal data in the BYOD equipment (eg sandboxing, password protection and independent encryption).

The Information Leaflet also highlights that respect for personal data should be mutual under the BYOD scheme, and any practices implemented to manage employees' BYOD devices should respect the employees' private information.

For more information, the Information Leaflet is available here.

DLA Piper's Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more, please click here.

JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS

In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.

Where the supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, in order to seek a remedy (for example, damages) the supplier must follow the approach prescribed in the Bill. This is likely to be a two-step process. Firstly, the supplier must attempt to resolve the complaint with the procuring entity. Secondly, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.

The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year.

IPT INSIGHTS


WHAT'S ON

Wrap up: 5th Global Technology Summit

On September 27 and 28, DLA Piper's Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.

This year the Summit was divided into two distinct days of programming. The first day, called 'Garage2Global', was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from 'garage to global'. The second day, entitled 'TechLaw', provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.

Speaker Highlights

At 'Garage2Global', Alec Ross, Former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day, Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world's largest networks, which powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates, Inc.

Kicking off 'TechLaw', Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions, and how the legal department is viewed as a business partner. During the afternoon sessions, Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, to discuss the GC's role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world's largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.

Please visit our Summit website and blog for any further information.

DLA Piper is pleased to announce the launch of Telecommunications Laws of the World.

Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.

Key features include:

telecommunications laws regulations and policies

regulatory bodies or authorities

overview of consents licenses and authorisations

regulatory taxes and fees

key sanctions and penalties

Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-based stamping for trading transactions, robust, reliable and resilient networks are critical.

Today, telecommunications operators are increasingly seeking to expand customer-specific and value added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion. At the same time, the growth of OTT (over the top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators' infrastructure to provide services.

Access Telecommunications Laws of the World here.


Intellectual property webinar series

Throughout 2016, DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact eventsaustralia@dlapiper.com:

intellectual property issues in China

confidential information and trade secrets: global insights, global protection

grey market, parallel importation and anti-counterfeiting

content protection and digital piracy

advertising and marketing

Pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide

We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.

Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:

trademark filing and prosecution

oppositions

revocation, invalidation and cancellation

trademark enforcement

trademark exploitation

unregistered trademark rights

domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide, email APACTMGuide@dlapiper.com.

Are you an in-house lawyer? Join WIN today

WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.


DLA PIPER ASIA PACIFIC TRADEMARK GUIDE 2016

Pre-order your complimentary copy now

We are pleased to bring you the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.

Relevant for the complete brand life cycle, this user-friendly guide looks at such essential issues as:

trademark filing and prosecution

oppositions

revocation, invalidation and cancellation

trademark enforcement

trademark exploitation

unregistered trademark rights

domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piper's Asia Pacific Trademark Guide, please complete this card or email us at APACTMGuide@dlapiper.com.


GLOBAL PATENT LAWS AROUND THE WORLD

COMING SOON

Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to businesses operating in the countries featured: for example, what acts infringe a patent, the availability of and approach to granting preliminary injunctions, the ability to obtain evidence, the approach to assessing validity, and the typical time to trial. For companies operating in multiple countries, managing the risk of, and successfully bringing or defending, patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those in other countries.

DLA PIPER'S PATENT GROUP

With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.

For further information, please contact us by email at patents@dlapiper.com.

Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and the procedural matters businesses need to know about. The handbook includes guidance on:

Benefits of Global Patent Laws

Patent laws, simply put. Global reach. Easy access, 24/7.

Infringing conduct

Defences to infringement

Before taking action

Patent validity

Taking action

Remedies

Procedure & timing


Digital transformation and the impact of insurance

Once an organisation has deployed robust technology defences, educated staff about the risks of cyber-attack and promulgated policies about how to react and respond to cyber events, it has laid important foundations for its protection.

Those people, process and technology foundations provide a platform from which the organisation is able to negotiate appropriate and cost effective cyber insurance.

By analysing the potential impact of an attack on the financial statement, the organisation can determine what coverage it requires.

Kevin Kalinich, Aon's Global Cyber Practice Leader, advises organisations to look at the industry in which they operate and benchmark the range of losses that could arise, knowing the value of data assets held and the impact of a cyber-attack in terms of business interruption, the impact on supply chains, on SCADA industrial control systems, and on reputation and brand.

The anticipated introduction of mandated data breach notification should spur action, and organisations with international operations need to ensure that they are properly protected in all the geographies in which they operate. Based on international experience, mandated breach notification leads to significant costs associated with legal services, regulator notification, customer notification, forensics, remediation and potentially compensation claims.

"Take steps to mitigate, to allocate liability or minimise your own liability. This is not all about prevention – it is about your response. If you have prepared a response, there is data that shows you can reduce the total cost of an incident," says Kalinich.

He also warns that organisations should not assume that their existing insurance policies provide any coverage in the event of a cyber-attack, nor that a third party information systems provider, such as a cloud computing vendor, would have them covered. Similarly, existing directors and officers policies and professional indemnity coverage might prove inadequate should a cyber-attack take place.

In order to properly analyse the risk profile, Kalinich advocates risk quantification modelling in combination with Monte Carlo evaluation techniques. The resulting macro-level understanding of the challenge allows an organisation to then work with an insurance broker to craft appropriate risk coverage.

Off-the-shelf policies have limited value. Base cyber insurance policies can cover external hacks, malicious code and internal mistakes – but may not cover the impact of a bug in the system. Consequential – punitive, incidental – costs are excluded from all base insurance policies, as is tangible property damage, but can be negotiated in a customised policy.

Effective cyber insurance policies also cover costs associated with legal support, communications costs, forensic analysis, notification and remediation services.

Kalinich warns, however, that given the changes in the legal landscape and the technology terrain this is not a set-and-forget requirement, noting that risk assessment needs to be both thorough and regular.

Armed with that insight, the organisation can work with an insurance broker to find, tailor and stress test a cyber insurance policy to ensure the effective reduction of enterprise risk.

Cyber risk: are you properly prepared?

There are four key questions that every organisation needs to address regarding cyber risk and protection:

What can go wrong?

How bad can it be?

How am I protected?

Will my insurance work?

Assessing the organisational risk profile requires input from multiple stakeholders, including the chief financial officer, chief information security officer, risk management head and legal counsel. External consultants can also provide a fresh lens through which to explore exposure.

Knowing the risk is one thing – dealing with it effectively also demands the support of the most senior management and board. Effective security requires a whole-organisation commitment from the top down.

The anticipated mandatory breach notification legislation will require organisations to alert authorities not only when they are aware of a breach but when those organisations “ought reasonably to have been aware”, which suggests regulators may penalise companies found to have inadequate security systems. It is also not yet clear whether there will be any extra-territorial implications of the legislation for organisations operating overseas branches or subsidiaries.

Cyber security is a critical issue for organisations of every scale and in every sector. Robust and comprehensive security frameworks, a well-crafted response plan and effective cyber insurance, developed in concert and reviewed regularly, deliver the maximum protection and an important competitive edge.


UNFAIR CONTRACT TERMS IN THE IT SPACE: WHAT YOU NEED TO KNOW

By Sarah Dolan, Senior Associate (Melbourne), and Stephanie Tran, Graduate (Melbourne)


The ‘one size fits all’ approach to contracting is a common feature within the IT industry. Standard form contracts are an efficient and cost-effective method of doing business and are often used for online terms of use and projects which are of low risk, value and/or complexity.

From 12 November 2016, the unfair contract terms regime in the Australian Consumer Law, which until then only applied to individual consumers, was extended to contracts where at least one party is a “small business” and the upfront price payable is $300,000 (or $1 million if the contract is for a term longer than 12 months). A “small business” is a business that employs fewer than 20 people. It will also apply to contracts which are varied after 12 November 2016.

What is an “unfair” contract term?

Whether a term is “unfair” is decided by a court or tribunal. A term is “unfair” if the following three criteria are satisfied:

it causes a significant imbalance in the parties’ rights and obligations under the contract;

it is not reasonably necessary to protect the legitimate interest of the party who would be advantaged by the term; and

it would cause detriment (whether financial or otherwise) to a party if the term were relied upon.

A court or tribunal, in determining whether a term is unfair, must assess the transparency of the term. This includes an assessment of how the term is expressed: is it in plain language, and is it presented clearly? The court or tribunal must also consider the term in light of the contract as a whole and not in isolation.

Unfair terms in standard form contracts

Examples of standard form contract terms that may be challenged in court or at a tribunal for “unfairness” include:

terms requiring the customer to indemnify the supplier for any damage caused, even if it is caused by the supplier’s own negligence;

terms that allow a supplier to cancel a contract at will for an inconsequential breach of contract by the customer;

terms that restrict a customer from obtaining a refund or exercising a termination right where the supplier has failed to meet its obligations under the contract; and

terms that provide for automatic renewal without the customer’s consent.

What does this mean for your business?

Where a supplier’s business model is directed at providing services to small to medium enterprises (SMEs), and the supplier has not had to address this issue in the past for “consumer” customers, it is likely to be impacted by this extension of the unfair contract terms regime. Standard form contracts (eg online terms of use, confidentiality agreements, software licences, support agreements, supply and/or services contracts) for SME customers should be reviewed to determine whether any of the terms may be considered “unfair”.

If a court determines that a term is “unfair”, it can make a range of orders, including declaring part or all of the contract void and/or varying the contract. If a court orders a contract to be varied, this may result in the supplier being unable to enforce other rights it may otherwise have, either under the contract itself or at law.

Additionally, customers which are small businesses may challenge contract terms that they consider are unfair to prevent a supplier from enforcing express rights under the contract. Such challenges will cost a supplier both time and money to address, even if it is able to successfully defend the claim. In addition, in this day of instant and free customer feedback on social media sites, there is also the risk of reputational damage in the market.

Suppliers should ensure their standard terms are appropriate for the type, size and nature of both the target customer and the goods and services being provided, with an appropriate balance of risk and responsibility between the parties.


INSURTECH

By Carolyn Bigg, Of Counsel (Hong Kong), and Sarah Fountain, Senior Associate (Melbourne)


The customer experience of insurance has largely remained the same for many years. A customer completes a proposal form (normally in hard copy) and submits it to the broker; the broker requests quotes from insurers; insurers provide quotes; the broker places a policy; the policy is issued (normally on an annual basis); and then the customer probably gives no further thought to it unless he or she needs to make a claim. This process does not fit well with the digital era we now live in and has not adapted quickly enough to meet changing consumer expectations, largely driven by millennials.

Insurers widely recognise the need to innovate. Despite this, most insurers have been slow to change their ways, with less than a quarter giving customers the option to submit claims online. This signals huge opportunities for those in the insurance sector, which explains the huge growth we are seeing in ‘insurtech’ (a word that was barely known a few years ago but now seems to be everywhere). Globally, investment in insurtech increased from US$800 million in 2014 to US$2.6 billion in 2015, and was US$1 billion in the first half of 2016.

Across Asia Pacific there are numerous examples of insurers embracing insurtech. Some insurers have opened innovation labs or incubators, such as MetLife’s LumenLab in Singapore. Others have established corporate VC funds to invest in insurtech startups that will drive value for the business. For example, Suncorp recently invested in Trov, an app that allows customers to turn insurance on and off by swiping right or left on their phones. We have also seen collaboration between insurers and car manufacturers to make available one-click, single-use motor vehicle policies in connected cars, as well as collaboration between insurers and technology companies. Another indicator of the opportunities in insurtech is the level of interest shown in the insurance market by leading players in other markets. For example, earlier this year China Mobile announced it is planning to enter the insurance market by making significant investments in two insurance companies.

These initiatives are already starting to have an impact on the insurance experience. The use of drones by insurance companies to assess property damage is reducing claims costs and the time taken to assess claims. The implementation of wearable technology in the workplace, such as smart glasses and smart hats, is increasing workplace safety and thereby reducing the risk of injuries. The use of wearable devices has also been adopted by health insurers and life insurers, enabling them to capture data and potentially pass on lower premiums to policy holders. In the future, we predict the most significant areas of growth and change in insurtech will be data analytics, wearables and IoT, blockchain and artificial intelligence.

Whilst regulators understandably adopt a cautious approach, they are taking steps to encourage fintech and insurtech initiatives. The Monetary Authority of Singapore very recently published guidelines for a ‘regulatory sandbox’ to encourage growth in fintech within a relaxed regulatory environment. This follows the announcement by the Australian Securities & Investments Commission of a sandbox for fintech businesses.

As the insurance sector becomes increasingly digitised, cybersecurity risks also increase. Regulators around the region have published new and updated guidance that is relevant to the increasingly sophisticated cybersecurity threats. It is important that insurers’ compliance and risk teams focus not only on the immediate cybersecurity compliance obligations arising from the latest regulations, but also ensure that cybersecurity compliance programmes are developed to take into account increasing reliance on technology and data at the core of their operations.

As technology continues to evolve and improve, insurtech opportunities will increase. Although the rise of insurtech has been rapid in recent years, it is still in its infancy. This presents significant opportunities for insurers who adapt to changing consumer expectations and invest in insurtech, especially in Asia, where many people are uninsured but are well connected and spend a lot of time online via their mobile devices. Adapting quickly to this dynamic landscape will enable insurers to remain competitive.


In October 2016 the Federal Government introduced the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill) to the House of Representatives to amend the Privacy Act to establish a regime for mandatory notification of eligible data breaches. There is bipartisan support for the Bill, and it is likely to become law in late 2016 or early 2017.

What are the mandatory data breach notification requirements under the Bill?

The Bill requires that an entity must, as soon as practicable, comply with the notification steps outlined below if:

the entity becomes aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity; or

the Information Commissioner directs the entity to do so.

If an ‘eligible data breach’ occurs in relation to information which has been disclosed to (and is held by) an overseas recipient by an entity, the entity that disclosed the information must comply.

Step 1: Prepare a statement setting out the prescribed details

The affected entity must prepare a statement that sets out:

the identity and contact details of the entity. If the eligible data breach relates to more than one entity, the statement may set out the identity and contact details of those other entities;

a description of the eligible data breach;

the kind or kinds of information affected by the eligible data breach; and

recommendations about the steps that individuals who are or may be affected by the eligible data breach should take in response to it.

If a statement is prepared at the direction of the Information Commissioner, the statement must also include any information specified in that direction.

Step 2: Give a copy of the prepared statement to the Information Commissioner

Step 3: Notify the contents of the statement to individuals whose information is affected by the eligible data breach

Where practicable, the affected entity must take reasonable steps to notify the contents of the statement to those individuals who are or may be affected by the eligible data breach. The entity may use the channels it ordinarily uses to communicate with individuals (eg email, text message, mail) to provide those notifications, but that does not limit the obligation to take reasonable steps or the methods of communication that the entity can use.

If it is not practicable for the affected entity to notify individuals, the affected entity must publish a copy of the statement on its website (if any) and take reasonable steps to publicise the contents of the statement.

PROPOSED AUSTRALIAN MANDATORY DATA BREACH NOTIFICATION REGIME

By Nicholas Boyle, Senior Associate (Sydney)


What are ‘eligible data breaches’?

An ‘eligible data breach’ occurs when:

there is unauthorised access to, or unauthorised disclosure of, personal, credit reporting or credit eligibility information or a tax file number, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates; or

personal, credit reporting or credit eligibility information or a tax file number is lost where it is likely that (a) unauthorised access to, or unauthorised disclosure of, the information will occur and (b) such unauthorised access or disclosure will result in serious harm to an individual to whom the information relates.

Remedial action exception to the definition of eligible data breaches

An eligible data breach is deemed never to have occurred where the affected entity:

in the case of lost information, takes action before there is unauthorised access to or unauthorised disclosure of the information which is lost, and no unauthorised access or disclosure actually occurs; or

in the case of information which is the subject of unauthorised access or disclosure, takes action before there is serious harm to any individual to whom the information relates and, because of that action, a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals.

What is ‘serious harm’?

‘Serious harm’ is to be interpreted broadly. The explanatory memorandum to the Bill states that ‘serious harm’ could include serious physical, psychological, emotional, economic and financial harm, and serious harm to reputation.

The Bill contains a non-exhaustive list of matters to be considered in determining whether or not access to or disclosure of information is likely to result in “serious harm”. These matters include:

the kind(s) and sensitivity of the information;

whether the information is protected by one or more security measures, and the likelihood of any of these measures being overcome;

the persons, or the kinds of persons, who have obtained or who could obtain the information; and

the nature of the harm.

Exceptions

There are a small number of circumstances in which entities are exempted from complying with the notification obligations:

Multiple affected entities: where the eligible data breach affects more than one entity and another entity has complied with the notification obligations, those other affected entities do not need to separately comply.

Enforcement related activities: where the affected entity is an enforcement body and the body’s CEO reasonably believes that complying with the notification obligations is likely to prejudice any of its enforcement related activities.

Inconsistency with a secrecy provision: where complying with the notification obligations is, to any extent, inconsistent with a provision of a law of the Commonwealth that prohibits or regulates the use or disclosure of information.

Declaration by the Commissioner: where the Information Commissioner declares that the notification obligations do not apply, or specifies a particular time by which the affected entity must comply with the notification obligations.

Assessment of suspected eligible data breaches

If an entity has reasonable grounds to suspect an eligible data breach may have occurred, but is not aware of reasonable grounds to believe that an eligible data breach has in fact occurred, the entity must carry out a reasonable and prompt assessment to determine whether an eligible data breach has in fact occurred. This could occur where an entity is notified of a breach by a third party.

The entity must take reasonable steps to complete the assessment within 30 days after forming the suspicion.

If the eligible data breach applies to more than one entity, only one entity needs to undertake an assessment for all entities to comply with this requirement.


After a third deliberation, the Chinese government passed the new PRC Cybersecurity Law on 7 November 2016. The new law will come into force on 1 June 2017 and has significant implications for the data privacy and cybersecurity practices of both Chinese companies and international organisations doing business in China.

The new PRC Cybersecurity Law intends to combat online fraud and protect China against internet security risks. In short, it imposes new security and data protection obligations on “network operators”, puts restrictions on transfers of data outside China by “key information infrastructure operators”, and introduces new restrictions on critical network and cybersecurity products.

The new law has been widely reported in both the local and international press. While Chinese officials maintain that China is not closing the door on foreign companies with the introduction of this new law, there has been widespread international unease since the first reading. Commentators have expressed concern that competition will be stifled, regarding the handover of intellectual property, source codes and security keys to the Chinese government, as to perceived increased surveillance and controls over the internet in China, and in relation to the data localisation requirements. Other new obligations, including increased personal data protections, have been less controversial but are a clear indicator of the increased focus within the Chinese authorities on data protection, and could signal a change to the data protection enforcement environment in China.

Some of the key provisions of the final law (which contains some changes to earlier drafts of the law) include (inter alia):

Chinese citizens’ personal information and “important data” gathered and produced by “key information infrastructure operators” (KIIOs) during operations in China must be kept within the borders of the PRC. If it is “necessary” for the KIIO to transfer such data outside of China, a security assessment must be conducted pursuant to the measures jointly formulated by the National Cyberspace Administration and State Council, unless other PRC laws permit the overseas transfer. While the final version of the law provides some guidance as to the industry fields that will be ascribed greater protection, such as public communications and information service, energy, transportation, water conservancy, finance, public service and e-government, the definition of KIIO remains vague and could potentially be interpreted to cover a broader range of companies and industry sectors. “Personal information” is defined as including all kinds of information recorded electronically or through other means that, taken alone or together with other information, is sufficient to identify a natural person’s identity, including but not limited to natural persons’ full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers and so forth. However, the types of information that might constitute “important data” are currently unclear. In any case, these data localisation rules are likely to create practical issues for international businesses operating in China.

A range of new obligations apply to organisations that are “network operators” (ie network owners, network administrators and network service providers). A “network” means any system comprising computers or other information terminals and related equipment for the collection, storage, transmission, exchange and processing of information. Some commentators are suggesting that these broad definitions could catch any business that owns and operates IT networks/infrastructure, or even just websites, in China.

In terms of data protection, network operators must make publicly available data privacy notices (explicitly stating the purposes, means and scope of personal information to be collected and used) and obtain individuals’ consent when collecting, using and disclosing their personal information. Network operators must adopt technical measures to ensure the security of personal information against loss, destruction or leaks and, in the event of a data security breach, must take immediate remedial action and promptly notify users and the relevant authorities. They must also comply with principles of legality, propriety and necessity in their data handling and not be excessive, not provide an individual’s personal information to others without the individual’s consent, nor illegally sell an individual’s personal data to others. The rules do not apply to truly anonymised data. There are also general obligations to keep user information confidential and to establish and maintain data protection systems. Data subject rights to correction of their data, as well as a right to request deletion of data in the event of a data breach, are also provided. While an earlier draft specifically provided protection to personal information of “citizens”, the final law does not make this distinction and so seemingly offers a broader protection to all personal information. These requirements formalise as binding legal obligations some data protection safeguards that were previously only perceived as best practice guidance in China.

SIGNIFICANT CHANGES TO DATA AND CYBERSECURITY PRACTICES IN CHINA

By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong), and Paula Cao, Associate (Beijing)

As regards network security, network operators must fulfil certain tiered security obligations according to the requirements of the classified protection system for cybersecurity, which includes (amongst other things): formulating internal security management systems and operating instructions; appointing dedicated cybersecurity personnel; taking technological measures to prevent computer viruses and other similar threats and attacks, and formulating plans to monitor and respond to network security incidents; retaining network logs for at least six months; undertaking prescribed data classification, back-up, encryption and similar activities; complying with national and mandatory security standards; reporting incidents to users and the authorities; and establishing complaints systems.

Network operators must also provide technical support and assistance to state security bodies safeguarding national security and investigating crimes, and will be subject to government and public supervision. The form and extent of such cooperation is not currently clear, and international businesses have expressed concerns over the extent to which this may require them to disclose their IP, proprietary and confidential information to the Chinese authorities.

More general conditions on network operators carrying out business and service activities include obeying all laws and regulations, mandatory and industry national standards, social norms and commercial ethics, being honest and credible, and bearing social responsibility. There are also requirements on network operators to block, delete and report to the authorities prohibited information and malicious programs published or installed by users.

Network operators handling “network access and domain registration services” for users, including mobile phone and instant message service providers, are required to comply with “real identity” rules when signing up or providing service confirmation to users, or else may not provide the service.

Additional security safeguards apply to KIIOs, including security background checks on key managers, staff training obligations, disaster recovery back-ups, emergency response planning, and annual inspections and assessments. Further, strict procurement procedures will apply to KIIOs buying network products and services.

Providers of “network products and services” must comply with national and mandatory standards; their products and services must not contain malicious programs; they must take remedial action against security issues and report them to users and relevant authorities; and they must provide security maintenance for their products and services, which cannot be terminated within the contract term agreed with customers. These new conditions will require providers of technology products and services to review and update their product and related maintenance offerings and, in particular, the contractual terms on which they are offered to customers.

Critical network equipment and specialised cybersecurity products must obtain government certification or meet prescribed safety inspection requirements before being sold or provided. This potentially catches a wide range of software, hardware and other technologies being sold – or proposed to be sold – by international companies in China, since the definitions used in the law are drafted very broadly. Further guidance, by way of a catalogue of key network products, is expected in due course. There are concerns that this may create barriers to international businesses looking to enter the Chinese market.


Each individual and organisation shall be responsible for its own use of websites and may not set up websites or communication groups for the purpose of committing fraud, imparting criminal methods, producing or selling prohibited items, or engaging in other unlawful activities. Again, there is scope for this to be interpreted and applied broadly.

Institutions, organisations and individuals outside China that cause serious consequences by attacking, interfering with or destroying key information infrastructure of China shall be responsible for any damage, and the relevant public security department of the State Council may freeze assets and impose other sanctions against them. While these provisions would appear to have an extra-territorial effect and could be interpreted very broadly, it is unclear what sanctions could in practice be enforced against organisations without a presence in China.

Other new rules relate to network/online protections for minors; the establishment of schemes for network security monitoring, early warning and breach notification to relevant authorities and the public; rights for individuals and organisations to report conduct endangering network security; the opening of public data resources; and prohibitions on hacking and supporting activities.

While criminal sanctions, administrative penalties and civil liabilities potentially await those (both organisations and, in some circumstances, individual employees and officers) who violate the new law, unfortunately great uncertainties remain as to how the new legislation will be enforced, who exactly is caught by the various new rules, and the precise steps that organisations must take to comply with them. It is hoped that the Chinese authorities will publish more detailed practical guidance in the coming months. In the meantime, organisations are strongly advised to review their data privacy and cybersecurity practices in China to ensure compliance with the new law before it comes into force on 1 June 2017, and to keep these under review as further guidance becomes available.


The China State Administration of Industry and Commerce’s Online Advertising Regulation (Regulation) came into force on September 1, 2016. The Regulation has been widely regarded as the response to a recent scandal regarding paid search results.

Earlier this year a promising college student in China, Wei Ze Xi, sought cancer treatment at a hospital which was returned as a paid search result on an internet search engine. The hospital promised that the treatment would be effective and charged Wei US$30,000. The treatment was later found to be ineffective, but Wei could not then afford further

The changes

The newly amended Advertising Law did not expressly address the regulation of ‘paid search results’, but the new Regulation includes a specific definition of paid search results which sees them classified as an internet advertisement and thus subject to the Advertising Law. As such, the Regulation means, inter alia, that paid search results:

must not be misleading;

cannot be used in relation to the advertisement of prescription medication and tobacco products;

cannot be used in relation to the advertisement of medical services, medicine, medical formula food, medical devices, pesticides, veterinary medicines and health care products unless the relevant products and services have been previously approved by the relevant authorities; and

must be able to be closed with ‘one click’ and must not interfere with a user’s internet experience.

The Regulation also requires online advertising service providers to establish internal systems for, inter alia, identifying clients who use paid search results and storing their details and advertisements.

Practical implications

The new Regulation affects not only search engine providers but all online advertising businesses and users of paid search results.

Businesses advertising in China using paid search results must check to ensure such paid search results are in compliance with the Advertising Law, and those businesses operating in any of the restricted fields listed above must now ensure prior approval is sought before placing a paid search result advertisement.

Our team of lawyers in China is ready to advise you on the preparations you need to make for the implementation of the Regulation.

STRICTER PRC ONLINE ADVERTISING REGULATION IN RESPONSE TO SEARCH SCANDAL

By Edward Chatterton, Partner (Hong Kong), Horace Lam, Partner (Beijing), and Ian Jebbit, Registered Foreign Lawyer (Hong Kong)


mObILE APPS UNDER CLOSE WATCH Of THE HONG KONG PRIvACY COmmISSIONERBy scott thiel partner and Carolyn Bigg of Counsel (hong Kong)

The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps. On 21 April 2016, the Office of the Privacy Commissioner for Personal Data (the PCPD) held the 'Mobile App Development Forum on Privacy and Security' (Forum) for the mobile app industry, which discussed key issues for mobile app developers, businesses and stakeholders to consider when developing and operating mobile apps, in terms of ensuring compliance with the provisions of the Personal Data (Privacy) Ordinance and safeguarding users from cybersecurity risks.

Businesses operating in the mobile app industry and related stakeholders are advised to take note of the key points raised at the Forum, set out below, and the related issues they should consider.

Lessons to learn from mobile apps in the market

The Privacy Commissioner highlighted the results of a recent survey on popular mobile apps developed by Hong Kong entities, which revealed a lack of transparency in the personal data handling of the apps. The survey results revealed that most of these local apps did not explain clearly what data they would access and the purposes for such access, and that only around half of these mobile apps provided a privacy policy.

A key risk discussed at the Forum was that the drafter of a privacy policy may not have a complete understanding of what data is in fact collected, stored, used and/or shared by the app, for example where third party code is used in the app's development. Businesses using one privacy policy for all of their mobile apps, where those apps differ greatly in the way users' data is handled, also run the risk of having imprecise privacy policies for individual apps.

Security remains a key concern in relation to personal data collected and handled by mobile apps. It was revealed at the Forum that, alarmingly, some extremely popular mobile apps failed to apply adequate security to safeguard users' personal data.

Enforcement risks for mobile apps

At the Forum the Privacy Commissioner referred to enforcement actions that were taken against mobile apps recently, largely due to excessive data collection and inadequate security of personal data.

In recent years the Privacy Commissioner has served enforcement notices on operators of mobile apps as well as related parties to the app operators. As a result, the relevant companies have taken corrective actions and, in some instances, the Privacy Commissioner's enforcement action attracted much media attention, and some of these mobile apps are no longer available in the market.

However, there is a limit to the Privacy Commissioner's enforcement powers, as demonstrated by a high profile incident in November 2016 regarding call-blocking apps whose activities were suspected by the PCPD to contravene Hong Kong's data privacy law. As the apps' operators were located outside Hong Kong, the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow up action.

It is most likely that the privacy compliance of mobile apps will continue to be under the close watch of the Privacy Commissioner in the coming months.

Privacy by Design

The Chief Personal Data Officer of the PCPD, Dr Henry Chang, highlighted the 'Privacy by Design' approach that businesses should adopt, which brings privacy to the foreground and embeds privacy from the outset into the design specifications, and throughout the entire development life cycle, of a mobile app. Set out below are key factors that should be considered:

Data minimisation – The collection of personal data should be reduced to the absolute minimum, especially where sensitive personal data is involved. An assessment of what data the business requires from users, in terms of access and collection, should be undertaken at the outset.

Surprise minimisation – Businesses should ensure there is transparency to users in terms of what data will be collected or accessed, and provide users with a choice to opt out from such access or use where possible. It is important for businesses to manage the expectations of users and eliminate or minimise any possible adverse effects of data collection and use.

Risk minimisation – Businesses must ensure adequate protection of data being transmitted and/or stored, for example through encryption and access control.

Trust and respect – To earn the trust and respect of users, it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects, even if it does not amount to personal data. This is key, as mobile devices contain a vast amount of personal data and other data that may be considered private, and users would be concerned about whether the mobile app accesses or collects any of this data.

In particular, businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users, rather than a compliance hurdle to avoid investigation or enforcement action by the Privacy Commissioner. Businesses should ensure the data collection and handling practices in respect of their mobile apps are not only compliant with the law, but that the privacy policies, privacy notifications and consents are sufficiently clear and transparent to gain the trust and respect of users.


SINGAPORE'S ENFORCEMENT OF DATA PROTECTION LAW ON THE RISE

By Scott Thiel, Partner, Carolyn Bigg, Of Counsel, and Amy Kong, Associate (Hong Kong)

Singapore's Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC has published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident with the Monetary Authority of Singapore (MAS) concerning a multinational bank. The PDPC has also recently announced the need for organisations to improve their data security and data protection measures, and has issued new guides, primarily focusing on data protection measures, which organisations should consider carefully.

Recent enforcement decisions

Some of the key points to note from the three recent enforcement decisions:

• A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.

• A document processing company was fined SGD 5,000 for a data breach after 195 individuals received account statements of other account holders held on the Singapore Exchange.

• A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (being the policy holder's chiropractor) to obtain further medical information about the policy holder in September 2015. The PDPC found that the disclosure of the policy holder's bank account details, being of a sensitive financial nature, was not for a reasonable purpose.

It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of 'sensitive personal data' which requires additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.

As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were a result of inadequate data security measures which led to unauthorised disclosure of personal data.


Investigation into a multinational bank's data disposal incident

The PDPC and the MAS have joined forces in an investigation against a multinational bank (Bank) following a recent report relating to the Bank's disposal of client documents. In June 2016 it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank's headquarters in Singapore.

The MAS is working closely with the PDPC to review the incident, and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers' data.

New guides issued by the PDPC

To accompany its recent media release urging organisations to improve their data security measures, and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, securing personal data in electronic medium, and building websites for small to medium enterprises.

The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding content on withdrawal of consent and access requests. Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing their data handling practices.

Some interesting issues to note

The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third party contracts. Such data protection clauses should contain specific security measures, a schedule containing the authorised personnel who are permitted to access the personal data on a 'need to know' basis, a requirement for a written undertaking about return or deletion of personal data, as well as a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.

The PDPC's guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).

This article was first published in August 2016. For further updates in relation to Singapore's data protection laws, please contact Scott Thiel (scott.thiel@dlapiper.com) or Carolyn Bigg (carolyn.bigg@dlapiper.com).


AUSTRALIA – TRADE MARKS – CHANGES TO OFFICIAL FEES

The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees, some of which are to align with practices in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.

Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there will no longer be a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptance/registration, the new process will hopefully reduce the administrative burden on applicants somewhat.

In addition, the AU$150 fee for opposing a removal application will be abolished. Renewal fees will also increase slightly.

This is an adjustment to official fees only at this time, and DLA Piper Australia is not increasing its fees for the relevant attendances.

HONG KONG'S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD

Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong's Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees are using their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap. 486) (the Ordinance) and the Data Protection Principles (DPPs).

The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices which differ depending on whether or not the organisation's data is stored on the personal devices or within a 'sandbox'. The Commissioner has suggested as best practice that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance.

The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding use of personal data stored in the BYOD device, and whether adequate security measures are in place to ensure secure transfer and storage of personal data in the BYOD equipment (e.g. sandboxing, password protection and independent encryption).

The Information Leaflet also highlights that respect for personal data should be mutual under the BYOD scheme, and any practices implemented to manage employees' BYOD devices should respect the employees' private information.

For more information, the Information Leaflet is available here.

DLA Piper's Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more, please click here.

JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS

In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.

Where the supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, in order to seek a remedy (for example, damages) the supplier must follow the approach prescribed in the Bill. This is likely to be a two-step process. Firstly, the supplier must attempt to resolve the complaint with the procuring entity. Secondly, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.

The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year.

IPT INSIGHTS


WHAT'S ON

Wrap up: 5th Global Technology Summit

On September 27 and 28, DLA Piper's Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.

This year the Summit was divided into two distinct days of programming. The first day, called 'Garage2Global', was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from 'garage to global'. The second day, entitled 'TechLaw', provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.

Speaker Highlights

At 'Garage2Global', Alec Ross, Former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day, Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world's largest networks, one that powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates, Inc.

Kicking off 'TechLaw', Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions, and how the legal department is viewed as a business partner. During the afternoon sessions, Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, to discuss the GC's role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world's largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.

Please visit our Summit website and blog for any further information.

DLA Piper is pleased to announce the launch of Telecommunications Laws of the World

Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.

Key features include:

• telecommunications laws, regulations and policies;

• regulatory bodies or authorities;

• overview of consents, licences and authorisations;

• regulatory taxes and fees; and

• key sanctions and penalties.

Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-based stamping for trading transactions, robust, reliable and resilient networks are critical.

Today, telecommunications operators are increasingly seeking to expand customer-specific and value added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion. At the same time, the growth of OTT (over the top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators' infrastructure to provide services.

Access Telecommunications Laws of the World here.


Intellectual property webinar series

Throughout 2016 DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact eventsaustralia@dlapiper.com.

• intellectual property issues in China;

• confidential information and trade secrets: global insights, global protection;

• grey market, parallel importation and anti-counterfeiting;

• content protection and digital piracy; and

• advertising and marketing.

Pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide

We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.

Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:

• trademark filing and prosecution;

• oppositions;

• revocation, invalidation and cancellation;

• trademark enforcement;

• trademark exploitation;

• unregistered trademark rights; and

• domain and company name disputes.

To pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide, email APACTMGuide@dlapiper.com.

Are you an in-house lawyer? Join WIN today

WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.


DLA PIPER ASIA PACIFIC TRADEMARK GUIDE 2016

Pre-order your complimentary copy now

We are pleased to bring you the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.

Relevant for the complete brand life cycle, this user-friendly guide looks at such essential issues as:

• trademark filing and prosecution;

• oppositions;

• revocation, invalidation and cancellation;

• trademark enforcement;

• trademark exploitation;

• unregistered trademark rights; and

• domain and company name disputes.

To pre-order your copy of the inaugural edition of DLA Piper's Asia Pacific Trademark Guide, please complete this card or email us at APACTMGuide@dlapiper.com.


GLOBAL PATENT LAWS AROUND THE WORLD

COMING SOON

Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to businesses operating in the countries featured: for example, what acts infringe a patent, the availability of and approach to granting preliminary injunctions, the ability to obtain evidence, the approach to assessing validity, and the typical time to trial. For companies operating in multiple countries, managing the risk of, and successfully bringing or defending, patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those of other countries.

DLA PIPER'S PATENT GROUP

With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.

For further information, please contact us by email at patents@dlapiper.com.

Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and the procedural matters businesses need to know about.

Benefits of Global Patent Laws: patent laws simply put; global reach; easy access 24/7.

The handbook includes guidance on:

• infringing conduct;

• defences to infringement;

• before taking action;

• patent validity;

• taking action;

• remedies; and

• procedure & timing.


UNFAIR CONTRACT TERMS IN THE IT SPACE: WHAT YOU NEED TO KNOW

By Sarah Dolan, Senior Associate (Melbourne), and Stephanie Tran, Graduate (Melbourne)

The 'one size fits all' approach to contracting is a common feature within the IT industry. Standard form contracts are an efficient and cost-effective method of doing business, and are often used for online terms of use and for projects which are of low risk, value and/or complexity.

From 12 November 2016, the unfair contract terms regime in the Australian Consumer Law, which until then only applied to individual consumers, was extended to contracts where at least one party is a "small business" and the upfront price payable is $300,000 (or $1 million if the contract is for a term longer than 12 months). A "small business" is a business that employs fewer than 20 people. The regime will also apply to contracts which are varied after 12 November 2016.

What is an "unfair" contract term?

Whether a term is "unfair" is decided by a court or tribunal. A term is "unfair" if the following three criteria are satisfied:

• it causes a significant imbalance in the parties' rights and obligations under the contract;

• it is not reasonably necessary to protect the legitimate interest of the party who would be advantaged by the term; and

• it would cause detriment (whether financial or otherwise) to a party if the term were relied upon.

A court or tribunal, in determining whether a term is unfair, must assess the transparency of the term. This includes an assessment of how the term is expressed: is it in plain language, and is it presented clearly? The court or tribunal must also consider the term in light of the contract as a whole, and not in isolation.

Unfair terms in standard form contracts

Examples of standard form contract terms that may be challenged in court or at a tribunal for "unfairness" include:

• terms requiring the customer to indemnify the supplier for any damage caused, even if it is caused by the supplier's own negligence;

• terms that allow a supplier to cancel a contract at will for an inconsequential breach of contract by the customer;

• terms that restrict a customer from obtaining a refund or exercising a termination right where the supplier has failed to meet its obligations under the contract; and

• terms that provide for automatic renewal without the customer's consent.

What does this mean for your business?

Where a supplier's business model is directed at providing services to small to medium enterprises (SMEs), and the supplier has not had to address this issue in the past for "consumer" customers, it is likely to be impacted by this extension of the unfair contract terms regime. Standard form contracts (e.g. online terms of use, confidentiality agreements, software licences, support agreements, supply and/or services contracts) for SME customers should be reviewed to determine whether any of the terms may be considered "unfair".

If a court determines that a term is "unfair", it can make a range of orders, including declaring part or all of the contract void and/or varying the contract. If a court orders a contract to be varied, this may result in the supplier being unable to enforce other rights it may otherwise have, either under the contract itself or at law.

Additionally, customers which are small businesses may challenge contract terms that they consider are unfair to prevent a supplier from enforcing express rights under the contract. Such challenges will cost a supplier both time and money to address, even if it is able to successfully defend the claim. In addition, in this day of instant and free customer feedback on social media sites, there is also the risk of reputational damage in the market.

Suppliers should ensure their standard terms are appropriate for the type, size and nature of both the target customer and the goods and services being provided, with an appropriate balance of risk and responsibility between the parties.


INSURTECH

By Carolyn Bigg, Of Counsel (Hong Kong), and Sarah Fountain, Senior Associate (Melbourne)

The customer experience of insurance has largely remained the same for many years A customer completes a proposal form (normally in hard copy) and submits it to the broker the broker requests quotes from insurers insurers provide quotes the broker places a policy the policy is issued (normally on an annual basis) and then the customer probably gives no further thought to it unless he or she needs to make a claim This process does not fit well with the digital era we now live in and has not adapted quickly enough to meet changing consumer expectations largely driven by millennials

Insurers widely recognise the need to innovate Despite this most insurers have been slow to change their ways with less than a quarter giving customers the option to submit claims online This signals huge opportunities for those in the insurance sector which explains the huge growth we are seeing in lsquoinsurtechrsquo (a word that was barely known a few years ago but now seems to be everywhere) Globally investment in insurtech increased from US$800 million in 2014 to US$26 billion in 2015 and was US$1 billion in the first half of 2016

Across Asia Pacific there are numerous examples of insurers embracing insurtech Some insurers have opened innovation labs or incubators such as Metlifersquos LumenLabs in Singapore Others have established corporate VC funds to invest in insurtech startups that will drive value for the business For example Suncorp recently invested in Trov an app that allows customers to turn insurance on and off by swiping right or left on their phones We have also seen collaboration between insurers and car manufacturers to make available one-click single use motor vehicle policies in connected cars as well as collaboration between insurers and technology companies Another indicator of the opportunities in insurtech is the level of interest shown in the insurance market by leading players in other markets For example earlier this year China Mobile announced it is planning to enter the insurance market by making significant investments in two insurance companies

These initiatives are already starting to have an impact on the insurance experience The use of drones by insurance companies to assess property damage is reducing claims costs

and the time taken to assess claims The implementation of wearable technology in the workplace such as smart glasses and smart hats is increasing workplace safety and thereby reducing the risk of injuries The use of wearable devices has also been adopted by health insurers and life insurers enabling them to capture data and potentially pass on lower premiums to policy holders In the future we predict the most significant areas of growth and change in insurtech will be data analytics wearables and IoT blockchain and artificial intelligence

Whilst regulators understandably adopt a cautious approach they are taking steps to encourage fintech and insurtech initiatives The Monetary Authority of Singapore very recently published guidelines for a lsquoregulatory sandboxrsquo to encourage growth in fintech within a relaxed regulatory environment This follows the announcement by the Australian Securities amp Investments Commission of a sandbox for fintech businesses

As the insurance sector becomes increasingly digitised, cybersecurity risks also increase. Regulators around the region have published new and updated guidance that is relevant to the increasingly sophisticated cybersecurity threats. It is important that insurers' compliance and risk teams focus not only on the immediate cybersecurity compliance obligations arising from the latest regulations, but also ensure that cybersecurity compliance programmes are developed to take into account increasing reliance on technology and data at the core of their operations.

As technology continues to evolve and improve, insurtech opportunities will increase. Although the rise of insurtech has been rapid in recent years, it is still in its infancy. This presents significant opportunities for insurers who adapt to changing consumer expectations and invest in insurtech, especially in Asia, where many people are uninsured but are well connected and spend a lot of time online via their mobile devices. Adapting quickly to this dynamic landscape will enable insurers to remain competitive.

wwwdlapipercom | 13

In October 2016 the federal Government introduced the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill) to the House of Representatives to amend the Privacy Act to establish a regime for mandatory notification of eligible data breaches. There is bipartisan support for the Bill and it is likely to become law in late 2016 or early 2017.

What are the mandatory data breach notification requirements under the Bill?

The Bill requires that an entity must, as soon as practicable, comply with the notification steps outlined below if:

the entity becomes aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity; or

the Information Commissioner directs the entity to do so.

If an 'eligible data breach' occurs in relation to information which has been disclosed to (and is held by) an overseas recipient by an entity, the entity that disclosed the information must comply.

Step 1: Prepare a statement setting out the prescribed details

The affected entity must prepare a statement that sets out:

the identity and contact details of the entity. If the eligible data breach relates to more than one entity, the statement may set out the identity and contact details of those other entities;

a description of the eligible data breach;

the kind or kinds of information affected by the eligible data breach; and

recommendations about the steps that individuals who are or may be affected by the eligible data breach should take in response to it.

If a statement is prepared at the direction of the Information Commissioner, the statement must also include any information specified in that direction.

Step 2: Give a copy of the prepared statement to the Information Commissioner

Step 3: Notify the contents of the statement to individuals whose information is affected by the eligible data breach

Where practicable, the affected entity must take reasonable steps to notify the contents of the statement to those individuals who are or may be affected by the eligible data breach. The entity may use the channels it ordinarily uses to communicate with individuals (e.g. email, text message, mail) to provide those notifications, but that does not limit the obligation to take reasonable steps or the methods of communication that the entity can use.

If it is not practicable for the affected entity to notify individuals, the affected entity must publish a copy of the statement on its website (if any) and take reasonable steps to publicise the contents of the statement.

PROPOSED AUSTRALIAN MANDATORY DATA BREACH NOTIFICATION REGIME
By Nicholas Boyle, Senior Associate (Sydney)


What are 'eligible data breaches'?

An 'eligible data breach' occurs when:

there is unauthorised access to, or unauthorised disclosure of, personal, credit reporting or credit eligibility information or a tax file number, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates; or

personal, credit reporting or credit eligibility information or a tax file number is lost, where it is likely that (a) unauthorised access to or unauthorised disclosure of the information will occur and (b) such unauthorised access or disclosure will result in serious harm to an individual to whom the information relates.

Remedial action exception to the definition of eligible data breaches

An eligible data breach is deemed never to have occurred where the affected entity:

in the case of lost information, takes action before there is unauthorised access to or unauthorised disclosure of the information which is lost, and no unauthorised access or disclosure actually occurs; or

in the case of information which is the subject of unauthorised access or disclosure, takes action before there is serious harm to any individual to whom the information relates, and because of that action a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals.

What is 'serious harm'?

'Serious harm' is to be interpreted broadly. The explanatory memorandum to the Bill states that 'serious harm' could include serious physical, psychological, emotional, economic and financial harm, and serious harm to reputation.

The Bill contains a non-exhaustive list of matters to be considered in determining whether or not access to or disclosure of information is likely to result in "serious harm". These matters include:

the kind(s) and sensitivity of the information;

whether the information is protected by one or more security measures, and the likelihood of any of these measures being overcome;

the persons, or the kinds of persons, who have obtained or who could obtain the information; and

the nature of the harm.

Exceptions

There are a small number of circumstances in which entities are exempted from complying with the notification obligations:

Multiple affected entities: Where the eligible data breach affects more than one entity and another entity has complied with the notification obligations, those other affected entities do not need to separately comply.

Enforcement related activities: Where the affected entity is an enforcement body and the body's CEO reasonably believes that complying with the notification obligations is likely to prejudice any of its enforcement related activities.

Inconsistency with a secrecy provision: Where complying with the notification obligations is to any extent inconsistent with a provision of a law of the Commonwealth that prohibits or regulates the use or disclosure of information.

Declaration by the Commissioner: Where the Information Commissioner declares that the notification obligations do not apply, or specifies a particular time by which the affected entity must comply with the notification obligations.

Assessment of suspected eligible data breaches

If an entity has reasonable grounds to suspect an eligible data breach may have occurred, but is not aware of reasonable grounds to believe that an eligible data breach has in fact occurred, the entity must carry out a reasonable and prompt assessment to determine whether an eligible data breach has in fact occurred. This could occur where an entity is notified of a breach by a third party.

The entity must take reasonable steps to complete the assessment within 30 days after forming the suspicion.

If the eligible data breach applies to more than one entity, only one entity needs to undertake an assessment for all entities to comply with this requirement.


After a third deliberation, the Chinese government passed the new PRC cybersecurity law on 7 November 2016. The new law will come into force on 1 June 2017 and has significant implications for the data privacy and cybersecurity practices of both Chinese companies and international organisations doing business in China.

The new PRC cybersecurity law intends to combat online fraud and protect China against internet security risks. In short, it imposes new security and data protection obligations on "network operators", puts restrictions on transfers of data outside China by "key information infrastructure operators", and introduces new restrictions on critical network and cybersecurity products.

The new law has been widely reported in both the local and international press. While Chinese officials maintain that China is not closing the door on foreign companies with the introduction of this new law, there has been widespread international unease since the first reading. Commentators have expressed concern that competition will be stifled, regarding the handover of intellectual property, source codes and security keys to the Chinese government, as to perceived increased surveillance and controls over the internet in China, and in relation to the data localisation requirements. Other new obligations, including increased personal data protections, have been less controversial, but are a clear indicator of the increased focus within the Chinese authorities on data protection and could signal a change to the data protection enforcement environment in China.

Some of the key provisions of the final law (which contains some changes to earlier drafts of the law) include (inter alia):

Chinese citizens' personal information and "important data" gathered and produced by "key information infrastructure operators" (KIIO) during operations in China must be kept within the borders of the PRC. If it is "necessary" for the KIIO to transfer such data outside of China, a security assessment must be conducted pursuant to the measures jointly formulated by the National Cyberspace Administration and State Council, unless other PRC laws permit the overseas transfer. While the final version of the law provides some guidance as to the industry fields that will be ascribed greater protection, such as public communications and information service, energy, transportation, water conservancy, finance, public service and e-government, the definition of KIIO remains vague and could potentially be interpreted to cover a broader range of companies and industry sectors. "Personal information" is defined as including all kinds of information, recorded electronically or through other means, that taken alone or together with other information is sufficient to identify a natural person's identity, including but not limited to natural persons' full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers and so forth. However, the types of information that might constitute "important data" are currently unclear. In any case, these data localisation rules are likely to create practical issues for international businesses operating in China.

A range of new obligations apply to organisations that are "network operators" (i.e. network owners, network administrators and network service providers). A "network" means any system comprising computers or other information terminals and related equipment for collection, storage, transmission, exchange and processing of information. Some commentators are suggesting that these broad definitions could catch any business that owns and operates IT networks/infrastructure, or even just websites, in China.

SIGNIFICANT CHANGES TO DATA AND CYBERSECURITY PRACTICES IN CHINA
By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong), and Paula Cao, Associate (Beijing)

In terms of data protection, network operators must make publicly available data privacy notices (explicitly stating purposes, means and scope of personal information to be collected and used) and obtain individuals' consent when collecting, using and disclosing their personal information. Network operators must adopt technical measures to ensure the security of personal information against loss, destruction or leaks, and in the event of a data security breach must take immediate remedial action and promptly notify users and the relevant authorities. They must also comply with principles of legality, propriety and necessity in their data handling and not be excessive, not provide an individual's personal information to others without the individual's consent, nor illegally sell an individual's personal data to others. The rules do not apply to truly anonymised data. There are also general obligations to keep user information confidential and to establish and maintain data protection systems. Data subject rights to correction of their data, as well as a right to request deletion of data in the event of a data breach, are also provided. While an earlier draft specifically provided protection to personal information of "citizens", the final law does not make this distinction and so seemingly offers a broader protection to all personal information. These requirements formalise as binding legal obligations some data protection safeguards that were previously only perceived as best practice guidance in China.

As regards network security, network operators must fulfil certain tiered security obligations according to the requirements of the classified protection system for cybersecurity, which includes (amongst other things): formulating internal security management systems and operating instructions; appointing dedicated cybersecurity personnel; taking technological measures to prevent computer viruses and other similar threats and attacks, and formulating plans to monitor and respond to network security incidents; retaining network logs for at least six months; undertaking prescribed data classification, back up, encryption and similar activities; complying with national and mandatory security standards; reporting incidents to users and the authorities; and establishing complaints systems.

Network operators must also provide technical support and assistance to state security bodies safeguarding national security and investigating crimes, and will be subject to government and public supervision. The form and extent of such cooperation is not currently clear, and international businesses have expressed concerns over the extent to which this may require them to disclose their IP, proprietary and confidential information to the Chinese authorities.

More general conditions on network operators carrying out business and service activities include obeying all laws and regulations, mandatory and industry national standards, social norms and commercial ethics, being honest and credible, and bearing social responsibility. There are also requirements on network operators to block, delete and report to the authorities prohibited information and malicious programs published or installed by users.

Network operators handling "network access and domain registration services" for users, including mobile phone and instant message service providers, are required to comply with "real identity" rules when signing up or providing service confirmation to users, or else may not provide the service.

Additional security safeguards apply to KIIOs, including security background checks on key managers, staff training obligations, disaster recovery back-ups, emergency response planning, and annual inspections and assessments. Further, strict procurement procedures will apply to KIIOs buying network products and services.

Providers of "network products and services" must comply with national and mandatory standards; their products and services must not contain malicious programs; they must take remedial action against security issues and report them to users and relevant authorities; and they must provide security maintenance for their products and services, which cannot be terminated within the contract term agreed with customers. These new conditions will require providers of technology products and services to review and update their product and related maintenance offerings, and in particular the contractual terms on which they are offered to customers.

Critical network equipment and specialised cybersecurity products must obtain government certification or meet prescribed safety inspection requirements before being sold or provided. This potentially catches a wide range of software, hardware and other technologies being sold, or proposed to be sold, by international companies in China, since the definitions used in the law are drafted very broadly. Further guidance, by way of a catalogue of key network products, is expected in due course. There are concerns that this may create barriers to international businesses looking to enter the Chinese market.


Each individual and organisation shall be responsible for its own use of websites, and may not set up websites or communication groups for the purpose of committing fraud, imparting criminal methods, producing or selling prohibited items, or engaging in other unlawful activities. Again, there is scope for this to be interpreted and applied broadly.

Institutions, organisations and individuals outside China that cause serious consequences by attacking, interfering with or destroying key information infrastructure of China shall be responsible for any damage, and the relevant public security department of the State Council may freeze assets and impose other sanctions against them. While these provisions would appear to have an extra-territorial effect and could be interpreted very broadly, it is unclear what sanctions could in practice be enforced against organisations without a presence in China.

Other new rules relate to network/online protections for minors; the establishment of schemes for network security monitoring, early warning and breach notification to relevant authorities and the public; rights for individuals and organisations to report conduct endangering network security; opening of public data resources; and prohibitions on hacking and supporting activities.

While criminal sanctions, administrative penalties and civil liabilities potentially await those (both organisations and, in some circumstances, individual employees and officers) who violate the new law, unfortunately great uncertainties remain as to how the new legislation will be enforced, who exactly is caught by the various new rules, and the precise steps that organisations must take to comply with them. It is hoped that the Chinese authorities will publish more detailed practical guidance in the coming months. In the meantime, organisations are strongly advised to review their data privacy and cybersecurity practices in China to ensure compliance with the new law before it comes into force on 1 June 2017, and to keep these under review as further guidance becomes available.


The China State Administration of Industry and Commerce's Online Advertising Regulation (Regulation) came into force on September 1, 2016. The Regulation has been widely regarded as the response to a recent scandal regarding paid search results.

Earlier this year a promising college student in China, Wei Ze Xi, sought cancer treatment at a hospital which was returned as a paid search result on an internet search engine. The hospital promised that the treatment would be effective and charged Wei US$30,000. The treatment was later found to be ineffective, but Wei could not then afford further

The changes

The newly amended Advertising Law did not expressly address the regulation of 'paid search results', but the new Regulation includes a specific definition of paid search results which sees them classified as an internet advertisement and thus subject to the Advertising Law. As such, the Regulation means, inter alia, paid search results:

must not be misleading;

cannot be used in relation to the advertisement of prescription medication and tobacco products;

cannot be used in relation to the advertisement of medical services, medicine, medical formula food, medical devices, pesticides, veterinary medicines and health care products unless the relevant products and services have been previously approved by the relevant authorities; and

must be able to be closed with 'one click' and must not interfere with a user's internet experience.

The Regulation also requires online advertising service providers to establish internal systems for, inter alia, identifying clients who use paid search results and storing their details and advertisements.

Practical implications

The new Regulation affects not only search engine providers but all online advertising businesses and users of paid search results.

Businesses advertising in China using paid search results must check to ensure such paid search results are in compliance with the Advertising Law, and those businesses operating in any of the restricted fields listed above must now ensure prior approval is sought before placing a paid search result advertisement.

Our team of lawyers in China is ready to advise you on the preparations you need to make for the implementation of the Regulation.

STRICTER PRC ONLINE ADVERTISING REGULATION IN RESPONSE TO SEARCH SCANDAL
By Edward Chatterton, Partner (Hong Kong), Horace Lam, Partner (Beijing), and Ian Jebbit, Registered Foreign Lawyer (Hong Kong)


MOBILE APPS UNDER CLOSE WATCH OF THE HONG KONG PRIVACY COMMISSIONER
By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong)

The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps. On 21 April 2016 the Office of the Privacy Commissioner for Personal Data (the PCPD) held the 'Mobile App Development Forum on Privacy and Security' (Forum) for the mobile app industry, which discussed key issues for mobile app developers, businesses and stakeholders to consider when developing and operating mobile apps, in terms of ensuring compliance with the provisions of the Personal Data (Privacy) Ordinance and safeguarding users from cybersecurity risks.

Businesses operating in the mobile app industry and related stakeholders are advised to take note of the below key points raised at the Forum, and related issues that they should consider.

Lessons to learn from mobile apps in the market

The Privacy Commissioner highlighted the results of a recent survey on popular mobile apps developed by Hong Kong entities, which revealed a lack of transparency of the personal data handling in relation to the apps. The survey results revealed that most of these local apps did not explain clearly what data they would access and the purposes for such access, and that only around half of these mobile apps provided a privacy policy.

A key risk discussed at the Forum was that the drafter of the privacy policies may not have a complete understanding of what data is in fact collected, stored, used and/or shared by the app, for example in the case of using third party code in the app development. Businesses using the one privacy policy for all of their mobile apps, which differ greatly in the way users' data are handled, also run the risk of having imprecise privacy policies for individual apps.

Security remains a key concern in relation to personal data collected and handled by mobile apps. It was revealed at the Forum that, alarmingly, some extremely popular mobile apps failed to apply adequate security to safeguard users' personal data.

Enforcement risks for mobile apps

At the Forum the Privacy Commissioner referred to enforcement actions that were taken against mobile apps recently, largely due to excessive data collection and inadequate security of personal data.

In recent years the Privacy Commissioner has served enforcement notices on operators of mobile apps, as well as related parties to the app operators. As a result, the relevant companies have taken corrective actions, and in some instances the Privacy Commissioner's enforcement action attracted much media attention and some of these mobile apps are no longer available in the market.

However, there is a limit to the Privacy Commissioner's enforcement powers, as demonstrated by a high profile incident in November 2016 regarding call-blocking apps whose activities were suspected by the PCPD to contravene Hong Kong's data privacy law. As the apps' operators were located outside Hong Kong, the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow up action.

It is most likely that the privacy compliance of mobile apps will continue to be under the close watch of the Privacy Commissioner in the coming months.

Privacy by Design

The Chief Personal Data Officer of the PCPD, Dr Henry Chang, highlighted the 'Privacy by Design' approach that business should adopt, which brings privacy to the foreground and embeds privacy from the outset into the design specifications and throughout the entire development life cycle of a mobile app. Set out below are key factors that should be considered.

Data minimisation – The collection of personal data should be reduced to the absolute minimum, especially where sensitive personal data is involved. An assessment of what data the business requires from users, in terms of access and collection, should be undertaken at the outset.

Surprise minimisation – Businesses should ensure there is transparency to users in terms of what data will be collected or accessed, and provide users with a choice to opt out from such access or use where possible. It is important for businesses to manage the expectations of users and eliminate or minimise any possible adverse effects of data collection and use.

Risk minimisation – Businesses must ensure adequate protection of data being transmitted and/or stored, for example through encryption and access control.

Trust and respect – To earn the trust and respect of users, it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects, even if they do not amount to personal data. This is key, as mobile devices contain a vast amount of personal data and other data that may be considered private, and users would be concerned about whether the mobile app accesses or collects any of this data.

In particular, businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users, rather than a compliance hurdle to avoid investigation or enforcement action by the Privacy Commissioner. Businesses should ensure the data collection and handling practices in respect of their mobile apps are not only compliant with the law, but that the privacy policies, privacy notifications and consents are sufficiently clear and transparent to gain the trust and respect of users.


Singapore's Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC has published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident with the Monetary Authority of Singapore (MAS) concerning a multinational bank. The PDPC has also recently announced the need for organisations to improve their data security and data protection measures, and has issued new guides primarily focusing on data protection measures which organisations should consider carefully.

Recent enforcement decisions

Some of the key points to note from the three recent enforcement decisions:

A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.

A document processing company was fined SGD 5,000 for a data breach after 195 individuals received account statements of other account holders held on the Singapore Exchange.

A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (being the policy holder's chiropractor) to obtain further medical information about the policy holder in September 2015. The PDPC found that the disclosure of the policy holder's bank account details, being of a sensitive financial nature, was not for a reasonable purpose.

It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of 'sensitive personal data' which requires additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.

As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were a result of inadequate data security measures, which led to unauthorised disclosure of personal data.

SINGAPORE'S ENFORCEMENT OF DATA PROTECTION LAW ON THE RISE

By Scott Thiel, Partner, Carolyn Bigg, Of Counsel, and Amy Kong, Associate (Hong Kong)


Investigation on a multinational bank's data disposal incident

The PDPC and the MAS have joined forces in an investigation against a multinational bank (Bank) following a recent report relating to the Bank's disposal of client documents. In June 2016 it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank's headquarters in Singapore.

The MAS is working closely with the PDPC to review the incident and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers' data.

New guides issued by the PDPC

To accompany its recent media release urging organisations to improve their data security measures, and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, securing personal data in electronic medium, and building websites for small to medium enterprises.

The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding content on withdrawal of consent and access requests. Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing their data handling practices.

Some interesting issues to note

The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third party contracts. Such data protection clauses should contain specific security measures, a schedule containing the authorised personnel who are permitted to access the personal data on a 'need to know' basis, a requirement for a written undertaking about return or deletion of personal data, as well as a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.

The PDPC's guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).

This article was first published in August 2016. For further updates in relation to Singapore's data protection laws, please contact Scott Thiel (scott.thiel@dlapiper.com) or Carolyn Bigg (carolyn.bigg@dlapiper.com).

AUSTRALIA – TRADE MARKS – CHANGES TO OFFICIAL FEES

The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees, some of which are to align with practices in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.

Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there will no longer be a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptance/registration, the new process will hopefully reduce the administrative burden on applicants somewhat.

In addition, the AU$150 fee for opposing a removal application will be abolished. Renewal fees will also increase slightly.

This is an adjustment to official fees only at this time, and DLA Piper Australia is not increasing its fees for the relevant attendances.

HONG KONG'S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD

Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong's Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees are using their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap. 486) (the Ordinance) and the Data Protection Principles (DPPs).

The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices depending on whether or not the organisation's data is stored on the personal devices or within a 'sandbox'. The Commissioner has suggested as best practice that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance.

The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding use of personal data stored in the BYOD device, and whether adequate security measures are in place to ensure secure transfer and storage of personal data in the BYOD equipment (eg sandboxing, password protection and independent encryption).

The Information Leaflet also highlights that respect for personal data should be mutual under the BYOD scheme, and any practices implemented to manage employees' BYOD devices should respect the employees' private information.

For more information, the Information Leaflet is available here.

DLA Piper's Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more, please click here.

JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS

In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.

Where the supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, in order to seek a remedy (for example, damages) the supplier must follow the approach prescribed in the Bill. This is likely to be a two-step process. Firstly, the supplier must attempt to resolve the complaint with the procuring entity. Secondly, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.

The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year.

IPT INSIGHTS


WHAT'S ON: Wrap-up of the 5th Global Technology Summit

On September 27 and 28, DLA Piper's Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.

This year the Summit was divided into two distinct days of programming. The first day, which was called 'Garage2Global', was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from 'garage to global'. The second day, which was entitled 'TechLaw', provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.

Speaker Highlights

At 'Garage2Global', Alec Ross, Former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day, Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world's largest networks, which powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates, Inc.

Kicking off 'TechLaw', Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions, and how the legal department is viewed as a business partner. During the afternoon sessions, Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, to discuss the GC's role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world's largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.

Please visit our Summit website and blog for any further information.

DLA Piper is pleased to announce the launch of Telecommunications Laws of the World

Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.

Key features include:

telecommunications laws, regulations and policies

regulatory bodies or authorities

overview of consents, licenses and authorisations

regulatory taxes and fees

key sanctions and penalties

Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-based stamping for trading transactions, robust, reliable and resilient networks are critical.

Today, telecommunications operators are increasingly seeking to expand customer-specific and value added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion. At the same time, the growth of OTT (over the top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators' infrastructure to provide services.

Access Telecommunications Laws of the World here.

Intellectual property webinar series

Throughout 2016, DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact events.australia@dlapiper.com.

intellectual property issues in China

confidential information and trade secrets: global insights, global protection

grey market, parallel importation and anti-counterfeiting

content protection and digital piracy

advertising and marketing

Pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide

We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.

Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:

trademark filing and prosecution

oppositions

revocation, invalidation and cancellation

trademark enforcement

trademark exploitation

unregistered trademark rights

domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide, email APACTMGuide@dlapiper.com.

Are you an in-house lawyer? Join WIN today

WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.


GLOBAL PATENT LAWS AROUND THE WORLD

COMING SOON

Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to business operating in the countries featured, for example: what acts infringe a patent; the availability of, and approach to granting, preliminary injunctions; the ability to obtain evidence; the approach to assessing validity; and the typical time to trial. For companies operating in multiple countries, managing the risk of, and successfully bringing or defending, patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those in other countries.

DLA PIPER'S PATENT GROUP

With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.

For further information, please contact us by email at patents@dlapiper.com.

Benefits of Global Patent Laws: patent laws simply put; global reach; easy access 24/7.

Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and procedural matters businesses need to know about. The handbook includes guidance on:

Infringing conduct

Defences to infringement

Before taking action

Patent validity

Taking action

Remedies

Procedure & timing


The 'one size fits all' approach to contracting is a common feature within the IT industry. Standard form contracts are an efficient and cost-effective method of doing business and are often used for online terms of use and projects which are of low risk, value and/or complexity.

From 12 November 2016, the unfair contract terms regime in the Australian Consumer Law, which until then only applied to individual consumers, was extended to contracts where at least one party is a "small business" and the upfront price payable is $300,000 (or $1 million if the contract is for a term longer than 12 months). A "small business" is a business that employs less than 20 people. It will also apply to contracts which are varied after 12 November 2016.

What is an "unfair" contract term?

Whether a term is "unfair" is decided by a court or tribunal. A term is "unfair" if the following three criteria are satisfied:

it causes a significant imbalance in the parties' rights and obligations under the contract

it is not reasonably necessary to protect the legitimate interest of the party who would be advantaged by the term and

it would cause detriment (whether financial or otherwise) to a party if the term were relied upon

A court or tribunal, in determining whether a term is unfair, must assess the transparency of the term. This includes an assessment of how the term is expressed: is it in plain language and is it presented clearly? The court or tribunal must also consider the term in light of the contract as a whole and not in isolation.

Unfair terms in standard form contracts

Examples of standard form contract terms that may be challenged in court or at a tribunal for "unfairness" include:

terms requiring the customer to indemnify the supplier for any damage caused, even if it is caused by the supplier's own negligence

terms that allow a supplier to cancel a contract at will for an inconsequential breach of contract by the customer

terms that restrict a customer from obtaining a refund or exercising a termination right where the supplier has failed to meet its obligations under the contract and

terms that provide for automatic renewal without the customer's consent

What does this mean for your business?

Where a supplier's business model is directed at providing services to small to medium enterprises (SMEs), and the supplier has not had to address this issue in the past for "consumer" customers, it is likely to be impacted by this extension of the unfair contract terms regime. Standard form contracts (eg online terms of use, confidentiality agreements, software licences, support agreements, supply and/or services contracts) for SME customers should be reviewed to determine whether any of the terms may be considered "unfair".

If a court determines that a term is "unfair", it can make a range of orders, including declaring part or all of the contract void and/or varying the contract. If a court orders a contract to be varied, this may result in the supplier being unable to enforce other rights it may otherwise have, either under the contract itself or at law.

Additionally, customers which are small businesses may challenge contract terms that they consider are unfair to prevent a supplier from enforcing express rights under the contract. Such challenges will cost a supplier both time and money to address, even if it is able to successfully defend the claim. In addition, in this day of instant and free customer feedback on social media sites, there is also the risk of reputational damage in the market.

Suppliers should ensure their standard terms are appropriate for the type, size and nature of both the target customer and the goods and services being provided, with an appropriate balance of risk and responsibility between the parties.

INSURTECH

Carolyn Bigg, Of Counsel (Hong Kong)

Sarah Fountain, Senior Associate (Melbourne)

The customer experience of insurance has largely remained the same for many years. A customer completes a proposal form (normally in hard copy) and submits it to the broker; the broker requests quotes from insurers; insurers provide quotes; the broker places a policy; the policy is issued (normally on an annual basis); and then the customer probably gives no further thought to it unless he or she needs to make a claim. This process does not fit well with the digital era we now live in and has not adapted quickly enough to meet changing consumer expectations, largely driven by millennials.

Insurers widely recognise the need to innovate. Despite this, most insurers have been slow to change their ways, with less than a quarter giving customers the option to submit claims online. This signals huge opportunities for those in the insurance sector, which explains the huge growth we are seeing in 'insurtech' (a word that was barely known a few years ago but now seems to be everywhere). Globally, investment in insurtech increased from US$800 million in 2014 to US$2.6 billion in 2015, and was US$1 billion in the first half of 2016.

Across Asia Pacific there are numerous examples of insurers embracing insurtech. Some insurers have opened innovation labs or incubators, such as MetLife's LumenLab in Singapore. Others have established corporate VC funds to invest in insurtech startups that will drive value for the business. For example, Suncorp recently invested in Trov, an app that allows customers to turn insurance on and off by swiping right or left on their phones. We have also seen collaboration between insurers and car manufacturers to make available one-click, single use motor vehicle policies in connected cars, as well as collaboration between insurers and technology companies. Another indicator of the opportunities in insurtech is the level of interest shown in the insurance market by leading players in other markets. For example, earlier this year China Mobile announced it is planning to enter the insurance market by making significant investments in two insurance companies.

These initiatives are already starting to have an impact on the insurance experience. The use of drones by insurance companies to assess property damage is reducing claims costs and the time taken to assess claims. The implementation of wearable technology in the workplace, such as smart glasses and smart hats, is increasing workplace safety and thereby reducing the risk of injuries. The use of wearable devices has also been adopted by health insurers and life insurers, enabling them to capture data and potentially pass on lower premiums to policy holders. In the future, we predict the most significant areas of growth and change in insurtech will be data analytics, wearables and IoT, blockchain and artificial intelligence.

Whilst regulators understandably adopt a cautious approach, they are taking steps to encourage fintech and insurtech initiatives. The Monetary Authority of Singapore very recently published guidelines for a 'regulatory sandbox' to encourage growth in fintech within a relaxed regulatory environment. This follows the announcement by the Australian Securities & Investments Commission of a sandbox for fintech businesses.

As the insurance sector becomes increasingly digitised, cybersecurity risks also increase. Regulators around the region have published new and updated guidance that is relevant to the increasingly sophisticated cybersecurity threats. It is important that insurers' compliance and risk teams focus not only on the immediate cybersecurity compliance obligations arising from the latest regulations, but also ensure that cybersecurity compliance programmes are developed to take into account increasing reliance on technology and data at the core of their operations.

As technology continues to evolve and improve, insurtech opportunities will increase. Although the rise of insurtech has been rapid in recent years, it is still in its infancy. This presents significant opportunities for insurers who adapt to changing consumer expectations and invest in insurtech, especially in Asia, where many people are uninsured but are well connected and spend a lot of time online via their mobile devices. Adapting quickly to this dynamic landscape will enable insurers to remain competitive.

PROPOSED AUSTRALIAN MANDATORY DATA BREACH NOTIFICATION REGIME

By Nicholas Boyle, Senior Associate (Sydney)

In October 2016, the Federal Government introduced the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill) to the House of Representatives to amend the Privacy Act to establish a regime for mandatory notification of eligible data breaches. There is bipartisan support for the Bill and it is likely to become law in late 2016 or early 2017.

What are the mandatory data breach notification requirements under the Bill?

The Bill requires that an entity must, as soon as practicable, comply with the notification steps outlined below if:

the entity becomes aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity or

the Information Commissioner directs the entity to do so

If an 'eligible data breach' occurs in relation to information which has been disclosed to (and is held by) an overseas recipient by an entity, the entity that disclosed the information must comply.

Step 1: Prepare a statement setting out the prescribed details

The affected entity must prepare a statement that sets out:

the identity and contact details of the entity. If the eligible data breach relates to more than one entity, the statement may set out the identity and contact details of those other entities

a description of the eligible data breach

the kind or kinds of information affected by the eligible data breach and

recommendations about the steps that individuals who are or may be affected by the eligible data breach should take in response to it

If a statement is prepared at the direction of the Information Commissioner, the statement must also include any information specified in that direction.

Step 2: Give a copy of the prepared statement to the Information Commissioner

Step 3: Notify the contents of the statement to individuals whose information is affected by the eligible data breach

Where practicable, the affected entity must take reasonable steps to notify the contents of the statement to those individuals who are or may be affected by the eligible data breach. The entity may use the channels it ordinarily uses to communicate with individuals (eg email, text message, mail) to provide those notifications, but that does not limit the obligation to take reasonable steps or the methods of communication that the entity can use.

If it is not practicable for the affected entity to notify individuals, the affected entity must publish a copy of the statement on its website (if any) and take reasonable steps to publicise the contents of the statement.

What are 'eligible data breaches'?

An 'eligible data breach' occurs when:

there is unauthorised access to, or unauthorised disclosure of, personal, credit reporting or credit eligibility information or a tax file number, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates; or

personal, credit reporting or credit eligibility information or a tax file number is lost where it is likely that (a) unauthorised access to or unauthorised disclosure of the information will occur and (b) such unauthorised access or disclosure will result in serious harm to an individual to whom the information relates.

Remedial action exception to the definition of eligible data breaches

An eligible data breach is deemed never to have occurred where the affected entity:

in the case of lost information, takes action before there is unauthorised access to or unauthorised disclosure of the information which is lost, and no unauthorised access or disclosure actually occurs; or

in the case of information which is the subject of unauthorised access or disclosure, takes action before there is serious harm to any individual to whom the information relates and, because of that action, a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals.

What is 'serious harm'?

'Serious harm' is to be interpreted broadly. The explanatory memorandum to the Bill states that 'serious harm' could include serious physical, psychological, emotional, economic and financial harm, and serious harm to reputation.

The Bill contains a non-exhaustive list of matters to be considered in determining whether or not access to or disclosure of information is likely to result in "serious harm". These matters include:

the kind(s) and sensitivity of the information

whether the information is protected by one or more security measures, and the likelihood of any of these measures being overcome

the persons or the kinds of persons who have obtained or who could obtain the information

the nature of the harm

Exceptions

There are a small number of circumstances in which entities are exempted from complying with the notification obligations:

Multiple affected entities: Where the eligible data breach affects more than one entity and another entity has complied with the notification obligations, those other affected entities do not need to separately comply.

Enforcement related activities: Where the affected entity is an enforcement body and the body's CEO reasonably believes that complying with the notification obligations is likely to prejudice any of its enforcement related activities.

Inconsistency with a secrecy provision: Where complying with the notification obligations is, to any extent, inconsistent with a provision of a law of the Commonwealth that prohibits or regulates the use or disclosure of information.

Declaration by the Commissioner: Where the Information Commissioner declares that the notification obligations do not apply, or specifies a particular time by which the affected entity must comply with the notification obligations.

Assessment of suspected eligible data breaches

If an entity has reasonable grounds to suspect an eligible data breach may have occurred, but is not aware of reasonable grounds to believe that an eligible data breach has in fact occurred, the entity must carry out a reasonable and prompt assessment to determine whether an eligible data breach has in fact occurred. This could occur where an entity is notified of a breach by a third party.

The entity must take reasonable steps to complete the assessment within 30 days after forming the suspicion.

If the eligible data breach applies to more than one entity, only one entity needs to undertake an assessment for all entities to comply with this requirement.

SIGNIFICANT CHANGES TO DATA AND CYBERSECURITY PRACTICES IN CHINA

By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong), and Paula Cao, Associate (Beijing)

After a third deliberation, the Chinese government passed the new PRC cybersecurity law on 7 November 2016. The new law will come into force on 1 June 2017 and has significant implications for the data privacy and cybersecurity practices of both Chinese companies and international organisations doing business in China.

The new PRC cybersecurity law intends to combat online fraud and protect China against internet security risks. In short, it imposes new security and data protection obligations on "network operators", puts restrictions on transfers of data outside China by "key information infrastructure operators", and introduces new restrictions on critical network and cybersecurity products.

The new law has been widely reported in both the local and international press. While Chinese officials maintain that China is not closing the door on foreign companies with the introduction of this new law, there has been widespread international unease since the first reading. Commentators have expressed concern that competition will be stifled, regarding the handover of intellectual property, source codes and security keys to the Chinese government, as to perceived increased surveillance and controls over the internet in China, and in relation to the data localisation requirements. Other new obligations, including increased personal data protections, have been less controversial but are a clear indicator of the increased focus within the Chinese authorities on data protection, and could signal a change to the data protection enforcement environment in China.

Some of the key provisions of the final law (which contains some changes to earlier drafts of the law) include (inter alia):

Chinese citizens' personal information and "important data" gathered and produced by "key information infrastructure operators" (KIIO) during operations in China must be kept within the borders of the PRC. If it is "necessary" for the KIIO to transfer such data outside of China, a security assessment must be conducted pursuant to the measures jointly formulated by the National Cyberspace Administration and State Council, unless other PRC laws permit the overseas transfer. While the final version of the law provides some guidance as to the industry fields that will be ascribed greater protection, such as public communications and information service, energy, transportation, water conservancy, finance, public service and e-government, the definition of KIIO remains vague and could potentially be interpreted to cover a broader range of companies and industry sectors. "Personal information" is defined as including all kinds of information, recorded electronically or through other means, that taken alone or together with other information is sufficient to identify a natural person's identity, including but not limited to natural persons' full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers and so forth. However, the types of information that might constitute "important data" are currently unclear. In any case, these data localisation rules are likely to create practical issues for international businesses operating in China.

A range of new obligations apply to organisations that are "network operators" (ie network owners, network administrators and network service providers). A "network" means any system comprising computers or other information terminals and related equipment for collection, storage, transmission, exchange and processing of information. Some commentators are suggesting that these broad definitions could catch any business that owns and operates IT networks/infrastructure, or even just websites, in China.

In terms of data protection, network operators must make publicly available data privacy notices (explicitly stating purposes, means and scope of personal information to be collected and used) and obtain individuals’ consent when collecting, using and disclosing their personal information. Network operators must adopt technical measures to ensure the security of personal information against loss, destruction or leaks and, in the event of a data security breach, must take immediate remedial action and promptly notify users and the relevant authorities. They must also comply with principles of legality, propriety and necessity in their data handling and not be excessive, not provide an individual’s personal information to others without the individual’s consent, nor illegally sell an individual’s personal data to others. The rules do not apply to truly anonymised data. There are also general obligations to keep user information confidential and to establish and maintain data protection systems. Data subject rights to correction of their data, as well as a right to request deletion of data in the event of a data breach, are also provided. While an earlier draft specifically provided protection to personal information of “citizens”, the final law does not make this distinction and so seemingly offers a broader protection to all personal information. These requirements formalise as binding legal obligations some data protection safeguards that were previously only perceived as best practice guidance in China.

16 | Intellectual Property and Technology News

SIGNIFICANT CHANGES TO DATA AND CYBERSECURITY PRACTICES IN CHINA

By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong), and Paula Cao, Associate (Beijing)

As regards network security, network operators must fulfil certain tiered security obligations according to the requirements of the classified protection system for cybersecurity, which includes (amongst other things): formulating internal security management systems and operating instructions; appointing dedicated cybersecurity personnel; taking technological measures to prevent computer viruses and other similar threats and attacks, and formulating plans to monitor and respond to network security incidents; retaining network logs for at least six months; undertaking prescribed data classification, back up, encryption and similar activities; complying with national and mandatory security standards; reporting incidents to users and the authorities; and establishing complaints systems.

Network operators must also provide technical support and assistance to state security bodies safeguarding national security and investigating crimes, and will be subject to government and public supervision. The form and extent of such cooperation is not currently clear, and international businesses have expressed concerns over the extent to which this may require them to disclose their IP, proprietary and confidential information to the Chinese authorities.

More general conditions on network operators carrying out business and service activities include obeying all laws and regulations, mandatory and industry national standards, social norms and commercial ethics, being honest and credible and bearing social responsibility. There are also requirements on network operators to block, delete and report to the authorities prohibited information and malicious programs published or installed by users.

Network operators handling “network access and domain registration services” for users, including mobile phone and instant message service providers, are required to comply with “real identity” rules when signing up or providing service confirmation to users, or else may not provide the service.

Additional security safeguards apply to KIIOs, including security background checks on key managers, staff training obligations, disaster recovery back ups, emergency response planning and annual inspections and assessments. Further, strict procurement procedures will apply to KIIOs buying network products and services.

Providers of “network products and services” must comply with national and mandatory standards; their products and services must not contain malicious programs; they must take remedial action against security issues and report them to users and relevant authorities; and they must provide security maintenance for their products and services, which cannot be terminated within the contract term agreed with customers. These new conditions will require providers of technology products and services to review and update their product and related maintenance offerings and, in particular, the contractual terms on which they are offered to customers.

Critical network equipment and specialised cybersecurity products must obtain government certification or meet prescribed safety inspection requirements before being sold or provided. This potentially catches a wide range of software, hardware and other technologies being sold – or proposed to be sold – by international companies in China, since the definitions used in the law are drafted very broadly. Further guidance, by way of a catalogue of key network products, is expected in due course. There are concerns that this may create barriers to international businesses looking to enter the Chinese market.


Each individual and organisation shall be responsible for its own use of websites and may not set up websites or communication groups for the purpose of committing fraud, imparting criminal methods, producing or selling prohibited items or engaging in other unlawful activities. Again, there is scope for this to be interpreted and applied broadly.

Institutions, organisations and individuals outside China that cause serious consequences by attacking, interfering with or destroying key information infrastructure of China shall be responsible for any damage, and the relevant public security department of the State Council may freeze assets and impose other sanctions against them. While these provisions would appear to have an extra-territorial effect and could be interpreted very broadly, it is unclear what sanctions could in practice be enforced against organisations without a presence in China.

Other new rules relate to network/online protections for minors; the establishment of schemes for network security monitoring, early warning and breach notification to relevant authorities and the public, as well as rights for individuals and organisations to report conduct endangering network security; opening of public data resources; and prohibitions on hacking and supporting activities.

While criminal sanctions, administrative penalties and civil liabilities potentially await those (both organisations and, in some circumstances, individual employees and officers) who violate the new law, unfortunately great uncertainties remain as to how the new legislation will be enforced, who exactly is caught by the various new rules and the precise steps that organisations must take to comply with them. It is hoped that the Chinese authorities will publish more detailed practical guidance in the coming months. In the meantime, organisations are strongly advised to review their data privacy and cybersecurity practices in China to ensure compliance with the new law before it comes into force on 1 June 2017, and to keep these under review as further guidance becomes available.


The China State Administration of Industry and Commerce’s Online Advertising Regulation (Regulation) came into force on September 1, 2016. The Regulation has been widely regarded as the response to a recent scandal regarding paid search results.

Earlier this year, a promising college student in China, Wei Ze Xi, sought cancer treatment at a hospital which was returned as a paid search result on an internet search engine. The hospital promised that the treatment would be effective and charged Wei US$30,000. The treatment was later found to be ineffective, but Wei could not then afford further

The changes

The newly amended Advertising Law did not expressly address the regulation of ‘paid search results’, but the new Regulation includes a specific definition of paid search results which sees them classified as an internet advertisement and thus subject to the Advertising Law. As such, the Regulation means, inter alia, that paid search results:

must not be misleading;

cannot be used in relation to the advertisement of prescription medication and tobacco products;

cannot be used in relation to the advertisement of medical services, medicine, medical formula food, medical devices, pesticides, veterinary medicines and health care products unless the relevant products and services have been previously approved by the relevant authorities; and

must be able to be closed with ‘one click’ and must not interfere with a user’s internet experience.

The Regulation also requires online advertising service providers to establish internal systems for, inter alia, identifying clients who use paid search results and storing their details and advertisements.

Practical implications

The new Regulation affects not only search engine providers, but all online advertising businesses and users of paid search results.

Businesses advertising in China using paid search results must check to ensure such paid search results are in compliance with the Advertising Law, and those businesses operating in any of the restricted fields listed above must now ensure prior approval is sought before placing a paid search result advertisement.

Our team of lawyers in China is ready to advise you on the preparations you need to make for the implementation of the Regulation.

STRICTER PRC ONLINE ADVERTISING REGULATION IN RESPONSE TO SEARCH SCANDAL

By Edward Chatterton, Partner (Hong Kong), Horace Lam, Partner (Beijing), and Ian Jebbit, Registered Foreign Lawyer (Hong Kong)


MOBILE APPS UNDER CLOSE WATCH OF THE HONG KONG PRIVACY COMMISSIONER

By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong)

The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps. On 21 April 2016, the Office of the Privacy Commissioner for Personal Data (the PCPD) held the ‘Mobile App Development Forum on Privacy and Security’ (Forum) for the mobile app industry, which discussed key issues for mobile app developers, businesses and stakeholders to consider when developing and operating mobile apps in terms of ensuring compliance with the provisions of the Personal Data (Privacy) Ordinance and safeguarding users from cybersecurity risks.

Businesses operating in the mobile app industry and related stakeholders are advised to take note of the below key points raised at the Forum, and related issues that they should consider.

Lessons to learn from mobile apps in the market

The Privacy Commissioner highlighted the results of a recent survey on popular mobile apps developed by Hong Kong entities, which revealed a lack of transparency of the personal data handling in relation to the apps. The survey results revealed that most of these local apps did not explain clearly what data they would access and the purposes for such access, and that only around half of these mobile apps provided a privacy policy.

A key risk discussed at the Forum was that the drafter of the privacy policies may not have a complete understanding of what data is in fact collected, stored, used and/or shared by the app, for example in the case of using third party code in the app development. Businesses using the one privacy policy for all of their mobile apps, which differ greatly in the way users’ data are handled, also run the risk of having imprecise privacy policies for individual apps.

Security remains a key concern in relation to personal data collected and handled by mobile apps. It was revealed at the Forum that, alarmingly, some extremely popular mobile apps failed to apply adequate security to safeguard users’ personal data.

Enforcement risks for mobile apps

At the Forum, the Privacy Commissioner referred to enforcement actions that were taken against mobile apps recently, largely due to excessive data collection and inadequate security of personal data.

In recent years, the Privacy Commissioner has served enforcement notices on operators of mobile apps as well as related parties to the app operators. As a result, the relevant companies have taken corrective actions and, in some instances, the Privacy Commissioner’s enforcement action attracted much media attention, and some of these mobile apps are no longer available in the market.

However, there is a limit to the Privacy Commissioner’s enforcement powers, as demonstrated by a high profile incident in November 2016 regarding call-blocking apps whose activities were suspected by the PCPD to contravene Hong Kong’s data privacy law. As the apps’ operators were located outside Hong Kong, the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow up action.

It is most likely that the privacy compliance of mobile apps will continue to be under the close watch of the Privacy Commissioner in the coming months.

Privacy by Design

The Chief Personal Data Officer of the PCPD, Dr Henry Chang, highlighted the ‘Privacy by Design’ approach that businesses should adopt, which brings privacy to the foreground and embeds privacy from the outset into the design specifications and throughout the entire development life cycle of a mobile app. Set out below are key factors that should be considered:

Data minimisation – The collection of personal data should be reduced to the absolute minimum, especially where sensitive personal data is involved. An assessment of what data the business requires from users, in terms of access and collection, should be undertaken at the outset.

Surprise minimisation – Businesses should ensure there is transparency to users in terms of what data will be collected or accessed, and provide users with a choice to opt out from such access or use where possible. It is important for businesses to manage the expectations of users and eliminate or minimise any possible adverse effects of data collection and use.

Risk minimisation – Businesses must ensure adequate protection of data being transmitted and/or stored, for example through encryption and access control.

Trust and respect – To earn the trust and respect of users, it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects, even if it does not amount to personal data. This is key, as mobile devices contain a vast amount of personal data and other data that may be considered private, and users would be concerned about whether the mobile app accesses or collects any of this data.

In particular, businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users, rather than a compliance hurdle to avoid investigation or enforcement action by the Privacy Commissioner. Businesses should ensure the data collection and handling practices in respect of their mobile apps are not only compliant with the law, but that the privacy policies and privacy notifications and consents are sufficiently clear and transparent to gain the trust and respect of users.


Singapore’s Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC has published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident with the Monetary Authority of Singapore (MAS) concerning a multinational bank. The PDPC has also recently announced the need for organisations to improve their data security and data protection measures and has issued new guides, primarily focusing on data protection measures, which organisations should consider carefully.

Recent enforcement decisions

Some of the key points to note from the three recent enforcement decisions:

A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.

A document processing company was fined SGD 5,000 for a data breach after 195 individuals received account statements of other account holders held on the Singapore Exchange.

A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (being the policy holder’s chiropractor) to obtain further medical information about the policy holder in September 2015. The PDPC found that the disclosure of the policy holder’s bank account details, being of a sensitive financial nature, was not for a reasonable purpose.

It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of ‘sensitive personal data’ which requires additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.

As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were a result of inadequate data security measures which led to unauthorised disclosure of personal data.

SINGAPORE’S ENFORCEMENT OF DATA PROTECTION LAW ON THE RISE

By Scott Thiel, Partner, Carolyn Bigg, Of Counsel, and Amy Kong, Associate (Hong Kong)


Investigation on a multinational bank’s data disposal incident

The PDPC and the MAS have joined forces in an investigation against a multinational bank (Bank) following a recent report relating to the Bank’s disposal of client documents. In June 2016, it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank’s headquarters in Singapore.

The MAS is working closely with the PDPC to review the incident and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers’ data.

New guides issued by the PDPC

To accompany its recent media release urging organisations to improve their data security measures, and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, securing personal data in electronic medium and building websites for small to medium enterprises.

The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding content on withdrawal of consent and access requests. Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing their data handling practices.

Some interesting issues to note

The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third party contracts. Such data protection clauses should contain specific security measures, a schedule containing the authorised personnel who are permitted to access the personal data on a ‘need to know’ basis, a requirement for a written undertaking about return or deletion of personal data, as well as a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.

The PDPC’s guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).

This article was first published in August 2016. For further updates in relation to Singapore’s data protection laws, please contact Scott Thiel (scott.thiel@dlapiper.com) or Carolyn Bigg (carolyn.bigg@dlapiper.com).


AUSTRALIA – TRADE MARKS – CHANGES TO OFFICIAL FEES

The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees, some of which are to align with practices in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.

Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there will no longer be a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptance/registration, the new process will hopefully reduce the administrative burden on applicants somewhat.

In addition, the AU$150 fee for opposing a removal application will be abolished. Renewal fees will also increase slightly.

This is an adjustment to official fees only at this time, and DLA Piper Australia is not increasing its fees for the relevant attendances.

HONG KONG’S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD

Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong’s Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees are using their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap 486) (the Ordinance) and the Data Protection Principles (DPPs).

The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices which differ depending on whether or not the organisation’s data is stored on the personal devices or within a ‘sandbox’. The Commissioner has suggested as best practice that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance.

The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding use of personal data stored in the BYOD device, and whether adequate security measures are in place to ensure secure transfer and storage of personal data in the BYOD equipment (eg sandboxing, password protection and independent encryption).

The Information Leaflet also highlights that respect for personal data should be mutual under the BYOD scheme, and any practices implemented to manage employees’ BYOD devices should respect the employees’ private information.

For more information, the Information Leaflet is available here.

DLA Piper’s Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more, please click here.

JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS

In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.

Where the supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, in order to seek a remedy (for example, damages) the supplier must follow the approach prescribed in the Bill. This is likely to be a two-step process. Firstly, the supplier must attempt to resolve the complaint with the procuring entity. Secondly, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.

The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year.

IPT INSIGHTS


WHAT’S ON

Wrap up: 5th Global Technology Summit

On September 27 and 28, DLA Piper’s Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.

This year, the Summit was divided into two distinct days of programming. The first day, which was called ‘Garage2Global’, was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from ‘garage to global’. And the second day, which was entitled ‘TechLaw’, provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.

Speaker Highlights

At ‘Garage2Global’, Alec Ross, Former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day, Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world’s largest networks, which powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates, Inc.

Kicking off ‘TechLaw’, Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions and how the legal department is viewed as a business partner. During the afternoon sessions, Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, to discuss the GC’s role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world’s largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.

Please visit our Summit website and blog for any further information.

DLA Piper is pleased to announce the launch of Telecommunications Laws of the World.

Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.

Key features include:

telecommunications laws, regulations and policies;

regulatory bodies or authorities;

overview of consents, licenses and authorisations;

regulatory taxes and fees;

key sanctions and penalties.

Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-based stamping for trading transactions, robust, reliable and resilient networks are critical.

Today, telecommunications operators are increasingly seeking to expand customer-specific and value added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion. At the same time, the growth of OTT (over the top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators’ infrastructure to provide services.

Access Telecommunications Laws of the World here.


Intellectual property webinar series

Throughout 2016, DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact events.australia@dlapiper.com.

intellectual property issues in China

confidential information and trade secrets: global insights, global protection

grey market, parallel importation and anti-counterfeiting

content protection and digital piracy

advertising and marketing

Pre-order your copy of the inaugural edition of DLA Piper’s Asia-Pacific Trademark Guide

We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.

Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:

trademark filing and prosecution

oppositions

revocation, invalidation and cancellation

trademark enforcement

trademark exploitation

unregistered trademark rights

domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piper’s Asia-Pacific Trademark Guide, email APACTMGuide@dlapiper.com.

Are you an in-house lawyer? Join WIN today

WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.

26 | Intellectual Property and Technology News


GLOBAL PATENT LAWS AROUND THE WORLD

COMING SOON

Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to businesses operating in the countries featured, for example: what acts infringe a patent, the availability of and approach to granting preliminary injunctions, the ability to obtain evidence, the approach to assessing validity and the typical time to trial. For companies operating in multiple countries, managing the risk of, and successfully bringing or defending, patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those in other countries.

DLA PIPER'S PATENT GROUP

With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.

For further information, please contact us by email at patents@dlapiper.com.

Benefits of Global Patent Laws

Patent laws, simply put. Global reach. Easy access 24/7.

Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and procedural matters businesses need to know about. The handbook includes guidance on:

Infringing conduct

Defences to infringement

Before taking action

Patent validity

Taking action

Remedies

Procedure & timing


INSURTECH
By Carolyn Bigg, Of Counsel (Hong Kong), and Sarah Fountain, Senior Associate (Melbourne)

The customer experience of insurance has largely remained the same for many years. A customer completes a proposal form (normally in hard copy) and submits it to the broker; the broker requests quotes from insurers; insurers provide quotes; the broker places a policy; the policy is issued (normally on an annual basis); and then the customer probably gives no further thought to it unless he or she needs to make a claim. This process does not fit well with the digital era we now live in and has not adapted quickly enough to meet changing consumer expectations, largely driven by millennials.

Insurers widely recognise the need to innovate. Despite this, most insurers have been slow to change their ways, with less than a quarter giving customers the option to submit claims online. This signals huge opportunities for those in the insurance sector, which explains the huge growth we are seeing in 'insurtech' (a word that was barely known a few years ago but now seems to be everywhere). Globally, investment in insurtech increased from US$800 million in 2014 to US$26 billion in 2015, and was US$1 billion in the first half of 2016.

Across Asia Pacific there are numerous examples of insurers embracing insurtech. Some insurers have opened innovation labs or incubators, such as Metlife's LumenLabs in Singapore. Others have established corporate VC funds to invest in insurtech startups that will drive value for the business. For example, Suncorp recently invested in Trov, an app that allows customers to turn insurance on and off by swiping right or left on their phones. We have also seen collaboration between insurers and car manufacturers to make available one-click, single-use motor vehicle policies in connected cars, as well as collaboration between insurers and technology companies. Another indicator of the opportunities in insurtech is the level of interest shown in the insurance market by leading players in other markets. For example, earlier this year China Mobile announced it is planning to enter the insurance market by making significant investments in two insurance companies.

These initiatives are already starting to have an impact on the insurance experience. The use of drones by insurance companies to assess property damage is reducing claims costs and the time taken to assess claims. The implementation of wearable technology in the workplace, such as smart glasses and smart hats, is increasing workplace safety and thereby reducing the risk of injuries. The use of wearable devices has also been adopted by health insurers and life insurers, enabling them to capture data and potentially pass on lower premiums to policy holders. In the future, we predict the most significant areas of growth and change in insurtech will be data analytics, wearables and IoT, blockchain and artificial intelligence.

Whilst regulators understandably adopt a cautious approach, they are taking steps to encourage fintech and insurtech initiatives. The Monetary Authority of Singapore very recently published guidelines for a 'regulatory sandbox' to encourage growth in fintech within a relaxed regulatory environment. This follows the announcement by the Australian Securities & Investments Commission of a sandbox for fintech businesses.

As the insurance sector becomes increasingly digitised, cybersecurity risks also increase. Regulators around the region have published new and updated guidance that is relevant to the increasingly sophisticated cybersecurity threats. It is important that insurers' compliance and risk teams focus not only on the immediate cybersecurity compliance obligations arising from the latest regulations, but also ensure that cybersecurity compliance programmes are developed to take into account the increasing reliance on technology and data at the core of their operations.

As technology continues to evolve and improve, insurtech opportunities will increase. Although the rise of insurtech has been rapid in recent years, it is still in its infancy. This presents significant opportunities for insurers who adapt to changing consumer expectations and invest in insurtech, especially in Asia, where many people are uninsured but are well connected and spend a lot of time online via their mobile devices. Adapting quickly to this dynamic landscape will enable insurers to remain competitive.

In October 2016, the Federal Government introduced the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill) to the House of Representatives to amend the Privacy Act to establish a regime for mandatory notification of eligible data breaches. There is bipartisan support for the Bill and it is likely to become law in late 2016 or early 2017.

What are the mandatory data breach notification requirements under the Bill?

The Bill requires that an entity must, as soon as practicable, comply with the notification steps outlined below if:

the entity becomes aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity; or

the Information Commissioner directs the entity to do so.

If an 'eligible data breach' occurs in relation to information which has been disclosed to (and is held by) an overseas recipient by an entity, the entity that disclosed the information must comply.

Step 1: Prepare a statement setting out the prescribed details

The affected entity must prepare a statement that sets out:

the identity and contact details of the entity (if the eligible data breach relates to more than one entity, the statement may set out the identity and contact details of those other entities);

a description of the eligible data breach;

the kind or kinds of information affected by the eligible data breach; and

recommendations about the steps that individuals who are or may be affected by the eligible data breach should take in response to it.

If a statement is prepared at the direction of the Information Commissioner, the statement must also include any information specified in that direction.

Step 2: Give a copy of the prepared statement to the Information Commissioner

Step 3: Notify the contents of the statement to individuals whose information is affected by the eligible data breach

Where practicable, the affected entity must take reasonable steps to notify the contents of the statement to those individuals who are or may be affected by the eligible data breach. The entity may use the channels it ordinarily uses to communicate with individuals (e.g. email, text message, mail) to provide those notifications, but that does not limit the obligation to take reasonable steps or the methods of communication that the entity can use.

If it is not practicable for the affected entity to notify individuals, the affected entity must publish a copy of the statement on its website (if any) and take reasonable steps to publicise the contents of the statement.

PROPOSED AUSTRALIAN MANDATORY DATA BREACH NOTIFICATION REGIME
By Nicholas Boyle, Senior Associate (Sydney)

What are 'eligible data breaches'?

An 'eligible data breach' occurs when:

there is unauthorised access to, or unauthorised disclosure of, personal, credit reporting or credit eligibility information or a tax file number, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates; or

personal, credit reporting or credit eligibility information or a tax file number is lost, where it is likely that (a) unauthorised access to or unauthorised disclosure of the information will occur and (b) such unauthorised access or disclosure will result in serious harm to an individual to whom the information relates.

Remedial action exception to the definition of eligible data breaches

An eligible data breach is deemed never to have occurred where the affected entity:

in the case of lost information, takes action before there is unauthorised access to or unauthorised disclosure of the information which is lost, and no unauthorised access or disclosure actually occurs; or

in the case of information which is the subject of unauthorised access or disclosure, takes action before there is serious harm to any individual to whom the information relates and, because of that action, a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals.

What is 'serious harm'?

'Serious harm' is to be interpreted broadly. The explanatory memorandum to the Bill states that 'serious harm' could include serious physical, psychological, emotional, economic and financial harm, and serious harm to reputation.

The Bill contains a non-exhaustive list of matters to be considered in determining whether or not access to or disclosure of information is likely to result in "serious harm". These matters include:

the kind(s) and sensitivity of the information;

whether the information is protected by one or more security measures and the likelihood of any of these measures being overcome;

the persons, or the kinds of persons, who have obtained or could obtain the information; and

the nature of the harm.

Exceptions

There are a small number of circumstances in which entities are exempted from complying with the notification obligations:

Multiple affected entities: where the eligible data breach affects more than one entity and another entity has complied with the notification obligations, those other affected entities do not need to separately comply.

Enforcement-related activities: where the affected entity is an enforcement body and the body's CEO reasonably believes that complying with the notification obligations is likely to prejudice any of its enforcement-related activities.

Inconsistency with a secrecy provision: where complying with the notification obligations is, to any extent, inconsistent with a provision of a law of the Commonwealth that prohibits or regulates the use or disclosure of information.

Declaration by the Commissioner: where the Information Commissioner declares that the notification obligations do not apply, or specifies a particular time by which the affected entity must comply with the notification obligations.

Assessment of suspected eligible data breaches

If an entity has reasonable grounds to suspect that an eligible data breach may have occurred, but is not aware of reasonable grounds to believe that an eligible data breach has in fact occurred, the entity must carry out a reasonable and prompt assessment to determine whether an eligible data breach has in fact occurred. This could occur where an entity is notified of a breach by a third party.

The entity must take reasonable steps to complete the assessment within 30 days after forming the suspicion.

If the eligible data breach applies to more than one entity, only one entity needs to undertake an assessment for all entities to comply with this requirement.

After a third deliberation, the Chinese government passed the new PRC Cybersecurity Law on 7 November 2016. The new law will come into force on 1 June 2017 and has significant implications for the data privacy and cybersecurity practices of both Chinese companies and international organisations doing business in China.

The new PRC Cybersecurity Law intends to combat online fraud and protect China against internet security risks. In short, it imposes new security and data protection obligations on "network operators", puts restrictions on transfers of data outside China by "key information infrastructure operators", and introduces new restrictions on critical network and cybersecurity products.

The new law has been widely reported in both the local and international press. While Chinese officials maintain that China is not closing the door on foreign companies with the introduction of this new law, there has been widespread international unease since the first reading. Commentators have expressed concern that competition will be stifled, regarding the handover of intellectual property, source code and security keys to the Chinese government, as to perceived increased surveillance and controls over the internet in China, and in relation to the data localisation requirements. Other new obligations, including increased personal data protections, have been less controversial but are a clear indicator of the increased focus within the Chinese authorities on data protection and could signal a change to the data protection enforcement environment in China.

Some of the key provisions of the final law (which contains some changes to earlier drafts of the law) include (inter alia):

Chinese citizens' personal information and "important data" gathered and produced by "key information infrastructure operators" (KIIOs) during operations in China must be kept within the borders of the PRC. If it is "necessary" for the KIIO to transfer such data outside of China, a security assessment must be conducted pursuant to the measures jointly formulated by the National Cyberspace Administration and State Council, unless other PRC laws permit the overseas transfer. While the final version of the law provides some guidance as to the industry fields that will be ascribed greater protection, such as public communications and information services, energy, transportation, water conservancy, finance, public services and e-government, the definition of KIIO remains vague and could potentially be interpreted to cover a broader range of companies and industry sectors. "Personal information" is defined as including all kinds of information, recorded electronically or through other means, that taken alone or together with other information is sufficient to identify a natural person's identity, including but not limited to natural persons' full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers and so forth. However, the types of information that might constitute "important data" are currently unclear. In any case, these data localisation rules are likely to create practical issues for international businesses operating in China.

A range of new obligations apply to organisations that are "network operators" (i.e. network owners, network administrators and network service providers). A "network" means any system comprising computers or other information terminals and related equipment for the collection, storage, transmission, exchange and processing of information. Some commentators are suggesting that these broad definitions could catch any business that owns and operates IT networks/infrastructure, or even just websites, in China.

In terms of data protection, network operators must make publicly available data privacy notices (explicitly stating the purposes, means and scope of personal information to be collected and used) and obtain individuals' consent when collecting, using and disclosing their personal information. Network operators must adopt technical measures to ensure the security of personal information against loss, destruction or leaks and, in the event of a data security breach, must take immediate remedial action and promptly notify users and the relevant authorities. They must also comply with principles of legality, propriety and necessity in their data handling and not be excessive, not provide an individual's personal information to others without the individual's consent, nor illegally sell an individual's personal data to others. The rules do not apply to truly anonymised data. There are also general obligations to keep user information confidential and to establish and maintain data protection systems. Data subject rights to correction of their data, as well as a right to request deletion of data in the event of a data breach, are also provided. While an earlier draft specifically provided protection to the personal information of "citizens", the final law does not make this distinction and so seemingly offers broader protection to all personal information. These requirements formalise as binding legal obligations some data protection safeguards that were previously only perceived as best practice guidance in China.

SIGNIFICANT CHANGES TO DATA AND CYBERSECURITY PRACTICES IN CHINA
By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong), and Paula Cao, Associate (Beijing)

As regards network security, network operators must fulfil certain tiered security obligations according to the requirements of the classified protection system for cybersecurity, which includes (amongst other things): formulating internal security management systems and operating instructions; appointing dedicated cybersecurity personnel; taking technological measures to prevent computer viruses and other similar threats and attacks, and formulating plans to monitor and respond to network security incidents; retaining network logs for at least six months; undertaking prescribed data classification, back-up, encryption and similar activities; complying with national and mandatory security standards; reporting incidents to users and the authorities; and establishing complaints systems.

Network operators must also provide technical support and assistance to state security bodies safeguarding national security and investigating crimes, and will be subject to government and public supervision. The form and extent of such cooperation is not currently clear, and international businesses have expressed concerns over the extent to which this may require them to disclose their IP, proprietary and confidential information to the Chinese authorities.

More general conditions on network operators carrying out business and service activities include obeying all laws and regulations, mandatory and industry national standards, social norms and commercial ethics, being honest and credible, and bearing social responsibility. There are also requirements on network operators to block, delete and report to the authorities prohibited information and malicious programs published or installed by users.

Network operators handling "network access and domain registration services" for users, including mobile phone and instant message service providers, are required to comply with "real identity" rules when signing up or providing service confirmation to users, or else may not provide the service.

Additional security safeguards apply to KIIOs, including security background checks on key managers, staff training obligations, disaster recovery back-ups, emergency response planning, and annual inspections and assessments. Further, strict procurement procedures will apply to KIIOs buying network products and services.

Providers of "network products and services" must comply with national and mandatory standards; their products and services must not contain malicious programs; they must take remedial action against security issues and report them to users and relevant authorities; and they must provide security maintenance for their products and services, which cannot be terminated within the contract term agreed with customers. These new conditions will require providers of technology products and services to review and update their product and related maintenance offerings, and in particular the contractual terms on which they are offered to customers.

Critical network equipment and specialised cybersecurity products must obtain government certification or meet prescribed safety inspection requirements before being sold or provided. This potentially catches a wide range of software, hardware and other technologies being sold, or proposed to be sold, by international companies in China, since the definitions used in the law are drafted very broadly. Further guidance, by way of a catalogue of key network products, is expected in due course. There are concerns that this may create barriers to international businesses looking to enter the Chinese market.

Each individual and organisation shall be responsible for its own use of websites and may not set up websites or communication groups for the purpose of committing fraud, imparting criminal methods, producing or selling prohibited items, or engaging in other unlawful activities. Again, there is scope for this to be interpreted and applied broadly.

Institutions, organisations and individuals outside China that cause serious consequences by attacking, interfering with or destroying key information infrastructure of China shall be responsible for any damage, and the relevant public security department of the State Council may freeze assets and impose other sanctions against them. While these provisions would appear to have an extra-territorial effect and could be interpreted very broadly, it is unclear what sanctions could in practice be enforced against organisations without a presence in China.

Other new rules relate to network/online protections for minors; the establishment of schemes for network security monitoring, early warning and breach notification to relevant authorities and the public; rights for individuals and organisations to report conduct endangering network security; the opening of public data resources; and prohibitions on hacking and supporting activities.

While criminal sanctions, administrative penalties and civil liabilities potentially await those (both organisations and, in some circumstances, individual employees and officers) who violate the new law, unfortunately great uncertainties remain as to how the new legislation will be enforced, who exactly is caught by the various new rules, and the precise steps that organisations must take to comply with them. It is hoped that the Chinese authorities will publish more detailed practical guidance in the coming months. In the meantime, organisations are strongly advised to review their data privacy and cybersecurity practices in China to ensure compliance with the new law before it comes into force on 1 June 2017, and to keep these under review as further guidance becomes available.

The China State Administration of Industry and Commerce's Online Advertising Regulation (Regulation) came into force on September 1, 2016. The Regulation has been widely regarded as the response to a recent scandal regarding paid search results.

Earlier this year, a promising college student in China, Wei Ze Xi, sought cancer treatment at a hospital which was returned as a paid search result on an internet search engine. The hospital promised that the treatment would be effective and charged Wei US$30,000. The treatment was later found to be ineffective, but Wei could not then afford further

The changes

The newly amended Advertising Law did not expressly address the regulation of 'paid search results', but the new Regulation includes a specific definition of paid search results which sees them classified as an internet advertisement and thus subject to the Advertising Law. As such, the Regulation means, inter alia, that paid search results:

must not be misleading;

cannot be used in relation to the advertisement of prescription medication and tobacco products;

cannot be used in relation to the advertisement of medical services, medicine, medical formula food, medical devices, pesticides, veterinary medicines and health care products unless the relevant products and services have been previously approved by the relevant authorities; and

must be able to be closed with 'one click' and must not interfere with a user's internet experience.

The Regulation also requires online advertising service providers to establish internal systems for, inter alia, identifying clients who use paid search results and storing their details and advertisements.

Practical implications

The new Regulation affects not only search engine providers but all online advertising businesses and users of paid search results.

Businesses advertising in China using paid search results must check to ensure such paid search results are in compliance with the Advertising Law, and those businesses operating in any of the restricted fields listed above must now ensure prior approval is sought before placing a paid search result advertisement.

Our team of lawyers in China is ready to advise you on the preparations you need to make for the implementation of the Regulation.

STRICTER PRC ONLINE ADVERTISING REGULATION IN RESPONSE TO SEARCH SCANDAL
By Edward Chatterton, Partner (Hong Kong), Horace Lam, Partner (Beijing), and Ian Jebbit, Registered Foreign Lawyer (Hong Kong)

MOBILE APPS UNDER CLOSE WATCH OF THE HONG KONG PRIVACY COMMISSIONER
By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong)

The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps. On 21 April 2016, the Office of the Privacy Commissioner for Personal Data (the PCPD) held the 'Mobile App Development Forum on Privacy and Security' (Forum) for the mobile app industry, which discussed key issues for mobile app developers, businesses and stakeholders to consider when developing and operating mobile apps, in terms of ensuring compliance with the provisions of the Personal Data (Privacy) Ordinance and safeguarding users from cybersecurity risks.

Businesses operating in the mobile app industry and related stakeholders are advised to take note of the key points raised at the Forum, and related issues that they should consider, set out below.

Lessons to learn from mobile apps in the market

The Privacy Commissioner highlighted the results of a recent survey on popular mobile apps developed by Hong Kong entities, which revealed a lack of transparency of the personal data handling in relation to the apps. The survey results revealed that most of these local apps did not explain clearly what data they would access and the purposes for such access, and that only around half of these mobile apps provided a privacy policy.

A key risk discussed at the Forum was that the drafter of the privacy policies may not have a complete understanding of what data is in fact collected, stored, used and/or shared by the app, for example where third party code is used in the app development. Businesses using one privacy policy for all of their mobile apps, which differ greatly in the way users' data are handled, also run the risk of having imprecise privacy policies for individual apps.

Security remains a key concern in relation to personal data collected and handled by mobile apps. It was revealed at the Forum that, alarmingly, some extremely popular mobile apps failed to apply adequate security to safeguard users' personal data.

Enforcement risks for mobile apps

At the Forum, the Privacy Commissioner referred to enforcement actions that were taken against mobile apps recently, largely due to excessive data collection and inadequate security of personal data.

In recent years, the Privacy Commissioner has served enforcement notices on operators of mobile apps as well as related parties to the app operators. As a result, the relevant companies have taken corrective actions and, in some instances, the Privacy Commissioner's enforcement action attracted much media attention, and some of these mobile apps are no longer available in the market.

However, there is a limit to the Privacy Commissioner's enforcement powers, as demonstrated by a high profile incident in November 2016 regarding call-blocking apps whose activities were suspected by the PCPD to contravene Hong Kong's data privacy law. As the apps' operators were located outside Hong Kong, the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow-up action.

It is most likely that the privacy compliance of mobile apps will continue to be under the close watch of the Privacy Commissioner in the coming months.

Privacy by Design

The Chief Personal Data Officer of the PCPD Dr Henry Chang highlighted the lsquoPrivacy by Designrsquo approach that business should adopt which brings privacy to the foreground and embeds privacy from the outset into the design specifications and throughout the entire development life cycle of a mobile app Set out below are key factors that should be considered

Data minimisation ndash The collection of personal data should be reduced to the absolute minimum especially where sensitive personal data is involved An assessment of what data the business requires from users in terms of access and collection should be undertaken at the outset

Surprise minimisation ndash Businesses should ensure there is transparency to users in terms of what data will be collected or accessed and provide users with a choice to opt-out from such access or use where possible It is important for businesses to manage the expectations of users and eliminate or minimise any possible adverse effects of data collection and use

Risk minimisation ndash Businesses must ensure adequate protection of data being transmitted andor stored for example through encryption and access control

Trust and respect ndash To earn the trust and respect of users it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects even if they do not amount to personal data This is key as mobile devices contain a vast amount of personal data and other data that may be considered private and users would be concerned about whether the mobile app accesses or collects any of this data

In particular businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users rather than a compliance hurdle to avoid investigation or enforcement action by the Privacy Commissioner Businesses should ensure the data collection and handling practices in respect of their mobile apps are not only compliant with the law but that the privacy policies and privacy notifications and consents are sufficiently clear and transparent to gain the trust and respect of users

SINGAPORE'S ENFORCEMENT OF DATA PROTECTION LAW ON THE RISE

By Scott Thiel, Partner, Carolyn Bigg, Of Counsel, and Amy Kong, Associate (Hong Kong)

Singapore's Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC has published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident with the Monetary Authority of Singapore (MAS) concerning a multinational bank. The PDPC has also recently announced the need for organisations to improve their data security and data protection measures, and has issued new guides, primarily focusing on data protection measures, which organisations should consider carefully.

Recent enforcement decisions

Some of the key points to note from the three recent enforcement decisions:

A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.

A document processing company was fined SGD 5,000 for a data breach after 195 individuals received account statements of other account holders held on the Singapore Exchange.

A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (being the policy holder's chiropractor) in order to obtain further medical information about the policy holder in September 2015. The PDPC found that the disclosure of the policy holder's bank account details, being of a sensitive financial nature, was not for a reasonable purpose.

It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of 'sensitive personal data' which requires additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.

As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were a result of inadequate data security measures which led to unauthorised disclosure of personal data.

Investigation on a multinational bank's data disposal incident

The PDPC and the MAS have joined forces in an investigation against a multinational bank (Bank) following a recent report relating to the Bank's disposal of client documents. In June 2016 it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank's headquarters in Singapore.

The MAS is working closely with the PDPC to review the incident, and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers' data.

New guides issued by the PDPC

To accompany its recent media release urging organisations to improve their data security measures, and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, securing personal data in electronic medium, and building websites for small to medium enterprises.

The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding content on withdrawal of consent and access requests. Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing their data handling practices.

Some interesting issues to note

The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third party contracts. Such data protection clauses should contain specific security measures, a schedule containing the authorised personnel who are permitted to access the personal data on a 'need to know' basis, a requirement for a written undertaking about return or deletion of personal data, as well as a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.

The PDPC's guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).

This article was first published in August 2016. For further updates in relation to Singapore's data protection laws, please contact Scott Thiel (scott.thiel@dlapiper.com) or Carolyn Bigg (carolyn.bigg@dlapiper.com).

IPT INSIGHTS

AUSTRALIA – TRADE MARKS – CHANGES TO OFFICIAL FEES

The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees, some of which are to align with practices in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.

Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there will no longer be a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptance/registration, the new process will hopefully reduce the administrative burden on applicants somewhat.

In addition, the AU$150 fee for opposing a removal application will be abolished. Renewal fees will also increase slightly.

This is an adjustment to official fees only at this time, and DLA Piper Australia is not increasing its fees for the relevant attendances.

HONG KONG'S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD

Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong's Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees are using their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap 486) (the Ordinance) and the Data Protection Principles (DPPs).

The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices which differ depending on whether or not the organisation's data is stored on the personal devices or within a 'sandbox'. The Commissioner has suggested as best practice that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance.

The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding use of personal data stored in the BYOD device, and whether adequate security measures are in place to ensure secure transfer and storage of personal data in the BYOD equipment (eg sandboxing, password protection and independent encryption).

The Information Leaflet also highlights that respect for personal data should be mutual under the BYOD scheme, and any practices implemented to manage employees' BYOD devices should respect the employees' private information.

For more information, the Information Leaflet is available here.

DLA Piper's Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more, please click here.

JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS

In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.

Where the supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, in order to seek a remedy (for example, damages) the supplier must follow the approach prescribed in the Bill. This is likely to be a two-step process. Firstly, the supplier must attempt to resolve the complaint with the procuring entity. Secondly, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.

The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year.

WHAT'S ON

Wrap up: 5th Global Technology Summit

On September 27 and 28, DLA Piper's Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.

This year the Summit was divided into two distinct days of programming. The first day, which was called 'Garage2Global', was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from 'garage to global'. The second day, which was entitled 'TechLaw', provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.

Speaker Highlights

At 'Garage2Global', Alec Ross, Former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day, Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world's largest networks, which powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates, Inc.

Kicking off 'TechLaw', Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions, and how the legal department is viewed as a business partner. During the afternoon sessions, Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, to discuss the GC's role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world's largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.

Please visit our Summit website and blog for any further information.

DLA Piper is pleased to announce the launch of Telecommunications Laws of the World

Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.

Key features include:

telecommunications laws, regulations and policies

regulatory bodies or authorities

overview of consents, licenses and authorisations

regulatory taxes and fees

key sanctions and penalties

Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-based stamping for trading transactions, robust, reliable and resilient networks are critical.

Today, telecommunications operators are increasingly seeking to expand customer-specific and value added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion. At the same time, the growth of OTT (over-the-top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators' infrastructure to provide services.

Access Telecommunications Laws of the World here.

Intellectual property webinar series

Throughout 2016, DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact eventsaustralia@dlapiper.com.

intellectual property issues in China

confidential information and trade secrets: global insights, global protection

grey market, parallel importation and anti-counterfeiting

content protection and digital piracy

advertising and marketing

Pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide

We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.

Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:

trademark filing and prosecution

oppositions

revocation, invalidation and cancellation

trademark enforcement

trademark exploitation

unregistered trademark rights

domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide, email APACTMGuide@dlapiper.com.

Are you an in-house lawyer? Join WIN today

WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.

DLA PIPER ASIA PACIFIC TRADEMARK GUIDE 2016

Pre-order your complimentary copy now

We are pleased to bring you the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.

Relevant for the complete brand life cycle, this user-friendly guide looks at such essential issues as:

trademark filing and prosecution

oppositions

revocation, invalidation and cancellation

trademark enforcement

trademark exploitation

unregistered trademark rights

domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piper's Asia Pacific Trademark Guide, please complete this card or email us at APACTMGuide@dlapiper.com.

GLOBAL PATENT LAWS AROUND THE WORLD

COMING SOON

Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to businesses operating in the countries featured, for example what acts infringe a patent, the availability of and approach to granting preliminary injunctions, the ability to obtain evidence, the approach to assessing validity and the typical time to trial. For companies operating in multiple countries, managing the risk of, and successfully bringing or defending, patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those in other countries.

Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and procedural matters businesses need to know about. The handbook includes guidance on:

infringing conduct

defences to infringement

before taking action

patent validity

taking action

remedies

procedure & timing

Benefits of Global Patent Laws: patent laws simply put, global reach, easy access 24/7

DLA PIPER'S PATENT GROUP

With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.

For further information, please contact us by email at patents@dlapiper.com.

The customer experience of insurance has largely remained the same for many years. A customer completes a proposal form (normally in hard copy) and submits it to the broker; the broker requests quotes from insurers; insurers provide quotes; the broker places a policy; the policy is issued (normally on an annual basis); and then the customer probably gives no further thought to it unless he or she needs to make a claim. This process does not fit well with the digital era we now live in, and has not adapted quickly enough to meet changing consumer expectations, largely driven by millennials.

Insurers widely recognise the need to innovate. Despite this, most insurers have been slow to change their ways, with less than a quarter giving customers the option to submit claims online. This signals huge opportunities for those in the insurance sector, which explains the huge growth we are seeing in 'insurtech' (a word that was barely known a few years ago but now seems to be everywhere). Globally, investment in insurtech increased from US$800 million in 2014 to US$2.6 billion in 2015, and was US$1 billion in the first half of 2016.

Across Asia Pacific there are numerous examples of insurers embracing insurtech. Some insurers have opened innovation labs or incubators, such as Metlife's LumenLabs in Singapore. Others have established corporate VC funds to invest in insurtech startups that will drive value for the business. For example, Suncorp recently invested in Trov, an app that allows customers to turn insurance on and off by swiping right or left on their phones. We have also seen collaboration between insurers and car manufacturers to make available one-click, single-use motor vehicle policies in connected cars, as well as collaboration between insurers and technology companies. Another indicator of the opportunities in insurtech is the level of interest shown in the insurance market by leading players in other markets. For example, earlier this year China Mobile announced it is planning to enter the insurance market by making significant investments in two insurance companies.

These initiatives are already starting to have an impact on the insurance experience. The use of drones by insurance companies to assess property damage is reducing claims costs and the time taken to assess claims. The implementation of wearable technology in the workplace, such as smart glasses and smart hats, is increasing workplace safety and thereby reducing the risk of injuries. The use of wearable devices has also been adopted by health insurers and life insurers, enabling them to capture data and potentially pass on lower premiums to policy holders. In the future, we predict the most significant areas of growth and change in insurtech will be data analytics, wearables and IoT, blockchain and artificial intelligence.

Whilst regulators understandably adopt a cautious approach, they are taking steps to encourage fintech and insurtech initiatives. The Monetary Authority of Singapore very recently published guidelines for a 'regulatory sandbox' to encourage growth in fintech within a relaxed regulatory environment. This follows the announcement by the Australian Securities & Investments Commission of a sandbox for fintech businesses.

As the insurance sector becomes increasingly digitised, cybersecurity risks also increase. Regulators around the region have published new and updated guidance that is relevant to the increasingly sophisticated cybersecurity threats. It is important that insurers' compliance and risk teams focus not only on the immediate cybersecurity compliance obligations arising from the latest regulations, but also ensure that cybersecurity compliance programmes are developed to take into account increasing reliance on technology and data at the core of their operations.

As technology continues to evolve and improve, insurtech opportunities will increase. Although the rise of insurtech has been rapid in recent years, it is still in its infancy. This presents significant opportunities for insurers who adapt to changing consumer expectations and invest in insurtech, especially in Asia, where many people are uninsured but are well connected and spend a lot of time online via their mobile devices. Adapting quickly to this dynamic landscape will enable insurers to remain competitive.

PROPOSED AUSTRALIAN MANDATORY DATA BREACH NOTIFICATION REGIME

By Nicholas Boyle, Senior Associate (Sydney)

In October 2016 the federal Government introduced the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill) to the House of Representatives, to amend the Privacy Act to establish a regime for mandatory notification of eligible data breaches. There is bipartisan support for the Bill and it is likely to become law in late 2016 or early 2017.

What are the mandatory data breach notification requirements under the Bill?

The Bill requires that an entity must, as soon as practicable, comply with the notification steps outlined below if:

the entity becomes aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity; or

the Information Commissioner directs the entity to do so.

If an 'eligible data breach' occurs in relation to information which has been disclosed to (and is held by) an overseas recipient by an entity, the entity that disclosed the information must comply.

Step 1: Prepare a statement setting out the prescribed details

The affected entity must prepare a statement that sets out:

the identity and contact details of the entity. If the eligible data breach relates to more than one entity, the statement may set out the identity and contact details of those other entities;

a description of the eligible data breach;

the kind or kinds of information affected by the eligible data breach; and

recommendations about the steps that individuals who are or may be affected by the eligible data breach should take in response to it.

If a statement is prepared at the direction of the Information Commissioner, the statement must also include any information specified in that direction.

Step 2: Give a copy of the prepared statement to the Information Commissioner

Step 3: Notify the contents of the statement to individuals whose information is affected by the eligible data breach

Where practicable, the affected entity must take reasonable steps to notify the contents of the statement to those individuals who are or may be affected by the eligible data breach. The entity may use the channels it ordinarily uses to communicate with individuals (eg email, text message, mail) to provide those notifications, but that does not limit the obligation to take reasonable steps or the methods of communication that the entity can use.

If it is not practicable for the affected entity to notify individuals, the affected entity must publish a copy of the statement on its website (if any) and take reasonable steps to publicise the contents of the statement.

What are 'eligible data breaches'?

An 'eligible data breach' occurs when:

there is unauthorised access to, or unauthorised disclosure of, personal, credit reporting or credit eligibility information or a tax file number, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates; or

personal, credit reporting or credit eligibility information or a tax file number is lost, where it is likely that (a) unauthorised access to or unauthorised disclosure of the information will occur, and (b) such unauthorised access or disclosure will result in serious harm to an individual to whom the information relates.

Remedial action exception to the definition of eligible data breaches

An eligible data breach is deemed never to have occurred where the affected entity:

in the case of lost information, takes action before there is unauthorised access to or unauthorised disclosure of the information which is lost, and no unauthorised access or disclosure actually occurs; or

in the case of information which is the subject of unauthorised access or disclosure, takes action before there is serious harm to any individual to whom the information relates, and because of that action a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals.

What is 'serious harm'?

'Serious harm' is to be interpreted broadly. The explanatory memorandum to the Bill states that 'serious harm' could include serious physical, psychological, emotional, economic and financial harm, and serious harm to reputation.

The Bill contains a non-exhaustive list of matters to be considered in determining whether or not access to or disclosure of information is likely to result in "serious harm". These matters include:

the kind(s) and sensitivity of the information;

whether the information is protected by one or more security measures, and the likelihood of any of these measures being overcome;

the persons, or the kinds of persons, who have obtained or who could obtain the information;

the nature of the harm.

Exceptions

There are a small number of circumstances in which entities are exempted from complying with the notification obligations:

Multiple affected entities: Where the eligible data breach affects more than one entity and another entity has complied with the notification obligations, those other affected entities do not need to separately comply.

Enforcement related activities: Where the affected entity is an enforcement body and the body's CEO reasonably believes that complying with the notification obligations is likely to prejudice any of its enforcement related activities.

Inconsistency with a secrecy provision: Where complying with the notification obligations is to any extent inconsistent with a provision of a law of the Commonwealth that prohibits or regulates the use or disclosure of information.

Declaration by the Commissioner: Where the Information Commissioner declares that the notification obligations do not apply, or specifies a particular time by which the affected entity must comply with the notification obligations.

Assessment of suspected eligible data breaches

If an entity has reasonable grounds to suspect an eligible data breach may have occurred, but is not aware of reasonable grounds to believe that an eligible data breach has in fact occurred, the entity must carry out a reasonable and prompt assessment to determine whether an eligible data breach has in fact occurred. This could occur where an entity is notified of a breach by a third party.

The entity must take reasonable steps to complete the assessment within 30 days after forming the suspicion.

If the eligible data breach applies to more than one entity, only one entity needs to undertake an assessment for all entities to comply with this requirement.

SIGNIFICANT CHANGES TO DATA AND CYBERSECURITY PRACTICES IN CHINA

By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong), and Paula Cao, Associate (Beijing)

After a third deliberation, the Chinese government passed the new PRC Cybersecurity Law on 7 November 2016. The new law will come into force on 1 June 2017 and has significant implications for the data privacy and cybersecurity practices of both Chinese companies and international organisations doing business in China.

The new PRC Cybersecurity Law is intended to combat online fraud and protect China against internet security risks. In short, it imposes new security and data protection obligations on “network operators”, puts restrictions on transfers of data outside China by “key information infrastructure operators”, and introduces new restrictions on critical network and cybersecurity products.

The new law has been widely reported in both the local and international press. While Chinese officials maintain that China is not closing the door on foreign companies with the introduction of this new law, there has been widespread international unease since the first reading. Commentators have expressed concern that competition will be stifled, regarding the handover of intellectual property, source code and security keys to the Chinese government, as to perceived increased surveillance and controls over the internet in China, and in relation to the data localisation requirements. Other new obligations, including increased personal data protections, have been less controversial, but are a clear indicator of the increased focus within the Chinese authorities on data protection and could signal a change to the data protection enforcement environment in China.

Some of the key provisions of the final law (which contains some changes to earlier drafts of the law) include (inter alia):

Chinese citizens’ personal information and “important data” gathered and produced by “key information infrastructure operators” (KIIOs) during operations in China must be kept within the borders of the PRC. If it is “necessary” for the KIIO to transfer such data outside of China, a security assessment must be conducted pursuant to the measures jointly formulated by the National Cyberspace Administration and State Council, unless other PRC laws permit the overseas transfer. While the final version of the law provides some guidance as to the industry fields that will be ascribed greater protection, such as public communications and information services, energy, transportation, water conservancy, finance, public services and e-government, the definition of KIIO remains vague and could potentially be interpreted to cover a broader range of companies and industry sectors. “Personal information” is defined as including all kinds of information, recorded electronically or through other means, that taken alone or together with other information is sufficient to identify a natural person’s identity, including but not limited to natural persons’ full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers and so forth. However, the types of information that might constitute “important data” are currently unclear. In any case, these data localisation rules are likely to create practical issues for international businesses operating in China.

A range of new obligations apply to organisations that are “network operators” (ie network owners, network administrators and network service providers). A “network” means any system comprising computers or other information terminals and related equipment for the collection, storage, transmission, exchange and processing of information. Some commentators are suggesting that these broad definitions could catch any business that owns and operates IT networks/infrastructure, or even just websites, in China.

In terms of data protection, network operators must make publicly available data privacy notices (explicitly stating the purposes, means and scope of personal information to be collected and used) and obtain individuals’ consent when collecting, using and disclosing their personal information. Network operators must adopt technical measures to ensure the security of personal information against loss, destruction or leaks, and in the event of a data security breach must take immediate remedial action and promptly notify users and the relevant authorities. They must also comply with principles of legality, propriety and necessity in their data handling and not be excessive, not provide an individual’s personal information to others without the individual’s consent, nor illegally sell an individual’s personal data to others. The rules do not apply to truly anonymised data. There are also general obligations to keep user information confidential and to establish and maintain data protection systems. Data subject rights to correction of their data, as well as a right to request deletion of data in the event of a data breach, are also provided. While an earlier draft specifically provided protection to personal information of “citizens”, the final law does not make this distinction and so seemingly offers broader protection to all personal information. These requirements formalise as binding legal obligations some data protection safeguards that were previously only perceived as best practice guidance in China.

As regards network security, network operators must fulfil certain tiered security obligations according to the requirements of the classified protection system for cybersecurity, which includes (amongst other things): formulating internal security management systems and operating instructions; appointing dedicated cybersecurity personnel; taking technological measures to prevent computer viruses and other similar threats and attacks, and formulating plans to monitor and respond to network security incidents; retaining network logs for at least six months; undertaking prescribed data classification, back-up, encryption and similar activities; complying with national and mandatory security standards; reporting incidents to users and the authorities; and establishing complaints systems.

Network operators must also provide technical support and assistance to state security bodies safeguarding national security and investigating crimes, and will be subject to government and public supervision. The form and extent of such cooperation is not currently clear, and international businesses have expressed concerns over the extent to which this may require them to disclose their IP, proprietary and confidential information to the Chinese authorities.

More general conditions on network operators carrying out business and service activities include obeying all laws and regulations, mandatory and industry national standards, social norms and commercial ethics, being honest and credible, and bearing social responsibility. There are also requirements on network operators to block, delete and report to the authorities prohibited information and malicious programs published or installed by users.

Network operators handling “network access and domain registration services” for users, including mobile phone and instant message service providers, are required to comply with “real identity” rules when signing up or providing service confirmation to users, or else may not provide the service.

Additional security safeguards apply to KIIOs, including security background checks on key managers, staff training obligations, disaster recovery back-ups, emergency response planning, and annual inspections and assessments. Further, strict procurement procedures will apply to KIIOs buying network products and services.

Providers of “network products and services” must comply with national and mandatory standards; their products and services must not contain malicious programs; they must take remedial action against security issues and report them to users and relevant authorities; and they must provide security maintenance for their products and services, which cannot be terminated within the contract term agreed with customers. These new conditions will require providers of technology products and services to review and update their product and related maintenance offerings and, in particular, the contractual terms on which they are offered to customers.

Critical network equipment and specialised cybersecurity products must obtain government certification or meet prescribed safety inspection requirements before being sold or provided. This potentially catches a wide range of software, hardware and other technologies being sold – or proposed to be sold – by international companies in China, since the definitions used in the law are drafted very broadly. Further guidance, by way of a catalogue of key network products, is expected in due course. There are concerns that this may create barriers to international businesses looking to enter the Chinese market.


Each individual and organisation shall be responsible for its own use of websites and may not set up websites or communication groups for the purpose of committing fraud, imparting criminal methods, producing or selling prohibited items or engaging in other unlawful activities. Again, there is scope for this to be interpreted and applied broadly.

Institutions, organisations and individuals outside China that cause serious consequences by attacking, interfering with or destroying key information infrastructure of China shall be responsible for any damage, and the relevant public security department of the State Council may freeze assets and impose other sanctions against them. While these provisions would appear to have an extra-territorial effect and could be interpreted very broadly, it is unclear what sanctions could in practice be enforced against organisations without a presence in China.

Other new rules relate to network/online protections for minors; the establishment of schemes for network security monitoring, early warning and breach notification to relevant authorities and the public; rights for individuals and organisations to report conduct endangering network security; the opening of public data resources; and prohibitions on hacking and supporting activities.

While criminal sanctions, administrative penalties and civil liabilities potentially await those (both organisations and, in some circumstances, individual employees and officers) who violate the new law, unfortunately great uncertainties remain as to how the new legislation will be enforced, who exactly is caught by the various new rules, and the precise steps that organisations must take to comply with them. It is hoped that the Chinese authorities will publish more detailed practical guidance in the coming months. In the meantime, organisations are strongly advised to review their data privacy and cybersecurity practices in China to ensure compliance with the new law before it comes into force on 1 June 2017, and to keep these under review as further guidance becomes available.


STRICTER PRC ONLINE ADVERTISING REGULATION IN RESPONSE TO SEARCH SCANDAL

By Edward Chatterton, Partner (Hong Kong), Horace Lam, Partner (Beijing), and Ian Jebbit, Registered Foreign Lawyer (Hong Kong)

The China State Administration of Industry and Commerce’s Online Advertising Regulation (Regulation) came into force on September 1, 2016. The Regulation has been widely regarded as the response to a recent scandal regarding paid search results.

Earlier this year, a promising college student in China, Wei Ze Xi, sought cancer treatment at a hospital which was returned as a paid search result on an internet search engine. The hospital promised that the treatment would be effective and charged Wei US$30,000. The treatment was later found to be ineffective, but Wei could not then afford further

The changes

The newly amended Advertising Law did not expressly address the regulation of ‘paid search results’, but the new Regulation includes a specific definition of paid search results which sees them classified as an internet advertisement and thus subject to the Advertising Law. As such, the Regulation means, inter alia, that paid search results:

must not be misleading;

cannot be used in relation to the advertisement of prescription medication and tobacco products;

cannot be used in relation to the advertisement of medical services, medicine, medical formula food, medical devices, pesticides, veterinary medicines and health care products unless the relevant products and services have been previously approved by the relevant authorities; and

must be able to be closed with ‘one click’ and must not interfere with a user’s internet experience.

The Regulation also requires online advertising service providers to establish internal systems for, inter alia, identifying clients who use paid search results and storing their details and advertisements.

Practical implications

The new Regulation affects not only search engine providers but all online advertising businesses and users of paid search results.

Businesses advertising in China using paid search results must check to ensure such paid search results are in compliance with the Advertising Law, and those businesses operating in any of the restricted fields listed above must now ensure prior approval is sought before placing a paid search result advertisement.

Our team of lawyers in China is ready to advise you on the preparations you need to make for the implementation of the Regulation.


MOBILE APPS UNDER CLOSE WATCH OF THE HONG KONG PRIVACY COMMISSIONER

By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong)

The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps. On 21 April 2016, the Office of the Privacy Commissioner for Personal Data (the PCPD) held the ‘Mobile App Development Forum on Privacy and Security’ (Forum) for the mobile app industry, which discussed key issues for mobile app developers, businesses and stakeholders to consider when developing and operating mobile apps, in terms of ensuring compliance with the provisions of the Personal Data (Privacy) Ordinance and safeguarding users from cybersecurity risks.

Businesses operating in the mobile app industry and related stakeholders are advised to take note of the key points raised at the Forum set out below, and the related issues that they should consider.

Lessons to learn from mobile apps in the market

The Privacy Commissioner highlighted the results of a recent survey on popular mobile apps developed by Hong Kong entities, which revealed a lack of transparency in the personal data handling of the apps. The survey results revealed that most of these local apps did not explain clearly what data they would access and the purposes for such access, and that only around half of these mobile apps provided a privacy policy.

A key risk discussed at the Forum was that the drafter of a privacy policy may not have a complete understanding of what data is in fact collected, stored, used and/or shared by the app, for example where third party code is used in the app’s development. Businesses using one privacy policy for all of their mobile apps, where those apps differ greatly in the way users’ data are handled, also run the risk of having imprecise privacy policies for individual apps.

Security remains a key concern in relation to personal data collected and handled by mobile apps. It was revealed at the Forum that, alarmingly, some extremely popular mobile apps failed to apply adequate security to safeguard users’ personal data.

Enforcement risks for mobile apps

At the Forum, the Privacy Commissioner referred to enforcement actions that were recently taken against mobile apps, largely due to excessive data collection and inadequate security of personal data.

In recent years, the Privacy Commissioner has served enforcement notices on operators of mobile apps as well as on parties related to the app operators. As a result, the relevant companies have taken corrective actions and, in some instances, the Privacy Commissioner’s enforcement action attracted much media attention, and some of these mobile apps are no longer available in the market.

However, there is a limit to the Privacy Commissioner’s enforcement powers, as demonstrated by a high profile incident in November 2016 regarding call-blocking apps whose activities were suspected by the PCPD to contravene Hong Kong’s data privacy law. As the apps’ operators were located outside Hong Kong, the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow-up action.

It is most likely that the privacy compliance of mobile apps will continue to be under the close watch of the Privacy Commissioner in the coming months.

Privacy by Design

The Chief Personal Data Officer of the PCPD, Dr Henry Chang, highlighted the ‘Privacy by Design’ approach that businesses should adopt, which brings privacy to the foreground and embeds privacy from the outset into the design specifications and throughout the entire development life cycle of a mobile app. Set out below are key factors that should be considered.

Data minimisation – The collection of personal data should be reduced to the absolute minimum, especially where sensitive personal data is involved. An assessment of what data the business requires from users, in terms of access and collection, should be undertaken at the outset.

Surprise minimisation – Businesses should ensure there is transparency to users in terms of what data will be collected or accessed, and provide users with a choice to opt out from such access or use where possible. It is important for businesses to manage the expectations of users and eliminate or minimise any possible adverse effects of data collection and use.

Risk minimisation – Businesses must ensure adequate protection of data being transmitted and/or stored, for example through encryption and access control.

Trust and respect – To earn the trust and respect of users, it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects, even if it does not amount to personal data. This is key, as mobile devices contain a vast amount of personal data and other data that may be considered private, and users will be concerned about whether the mobile app accesses or collects any of this data.

In particular, businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users, rather than a compliance hurdle to avoid investigation or enforcement action by the Privacy Commissioner. Businesses should ensure the data collection and handling practices in respect of their mobile apps are not only compliant with the law, but that the privacy policies, privacy notifications and consents are sufficiently clear and transparent to gain the trust and respect of users.


SINGAPORE’S ENFORCEMENT OF DATA PROTECTION LAW ON THE RISE

By Scott Thiel, Partner, Carolyn Bigg, Of Counsel, and Amy Kong, Associate (Hong Kong)

Singapore’s Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC has published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident with the Monetary Authority of Singapore (MAS) concerning a multinational bank. The PDPC has also recently announced the need for organisations to improve their data security and data protection measures, and has issued new guides, primarily focusing on data protection measures, which organisations should consider carefully.

Recent enforcement decisions

Some of the key points to note from the three recent enforcement decisions:

A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.

A document processing company was fined SGD 5,000 for a data breach after 195 individuals received account statements of other account holders held on the Singapore Exchange.

A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (being the policy holder’s chiropractor) to obtain further medical information about the policy holder in September 2015. The PDPC found that the disclosure of the policy holder’s bank account details, being of a sensitive financial nature, was not for a reasonable purpose.

It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of ‘sensitive personal data’ which requires additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.

As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were a result of inadequate data security measures which led to unauthorised disclosure of personal data.


Investigation into a multinational bank’s data disposal incident

The PDPC and the MAS have joined forces in an investigation against a multinational bank (Bank) following a recent report relating to the Bank’s disposal of client documents. In June 2016, it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank’s headquarters in Singapore.

The MAS is working closely with the PDPC to review the incident and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers’ data.

New guides issued by the PDPC

To accompany its recent media release urging organisations to improve their data security measures, and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, securing personal data in electronic medium, and building websites for small to medium enterprises.

The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding content on withdrawal of consent and access requests. Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing their data handling practices.

Some interesting issues to note

The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third party contracts. Such data protection clauses should contain specific security measures, a schedule listing the authorised personnel who are permitted to access the personal data on a ‘need to know’ basis, a requirement for a written undertaking about the return or deletion of personal data, as well as a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.

The PDPC’s guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).

This article was first published in August 2016. For further updates in relation to Singapore’s data protection laws, please contact Scott Thiel (scott.thiel@dlapiper.com) or Carolyn Bigg (carolyn.bigg@dlapiper.com).


IPT INSIGHTS

AUSTRALIA – TRADE MARKS – CHANGES TO OFFICIAL FEES

The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees, some of which are to align with practices in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.

Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there will no longer be a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptance/registration, the new process will hopefully reduce the administrative burden on applicants somewhat.

In addition, the AU$150 fee for opposing a removal application will be abolished. Renewal fees will also increase slightly.

This is an adjustment to official fees only at this time, and DLA Piper Australia is not increasing its fees for the relevant attendances.

HONG KONG’S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD

Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong’s Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees are using their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap 486) (the Ordinance) and the Data Protection Principles (DPPs).

The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices depending on whether the organisation’s data is stored on the personal devices or within a ‘sandbox’. The Commissioner has suggested as best practice that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance.

The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding use of personal data stored on the BYOD device, and whether adequate security measures are in place to ensure secure transfer and storage of personal data on the BYOD equipment (eg sandboxing, password protection and independent encryption).

The Information Leaflet also highlights that respect for personal data should be mutual under the BYOD scheme, and any practices implemented to manage employees’ BYOD devices should respect the employees’ private information.

For more information, the Information Leaflet is available here.

DLA Piper’s Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more, please click here.

JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS

In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.

Where the supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, in order to seek a remedy (for example, damages) the supplier must follow the approach prescribed in the Bill. This is likely to be a two-step process. Firstly, the supplier must attempt to resolve the complaint with the procuring entity. Secondly, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.

The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year.


WHAT’S ON

Wrap up: 5th Global Technology Summit

On September 27 and 28, DLA Piper’s Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.

This year the Summit was divided into two distinct days of programming. The first day, which was called ‘Garage2Global’, was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from ‘garage to global’. The second day, which was entitled ‘TechLaw’, provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.

Speaker Highlights

At ‘Garage2Global’, Alec Ross, Former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day, Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world’s largest networks, which powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates Inc.

Kicking off ‘TechLaw’, Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions, and how the legal department is viewed as a business partner. During the afternoon sessions, Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, to discuss the GC’s role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world’s largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.

Please visit our Summit website and blog for any further information.

DLA Piper is pleased to announce the launch of Telecommunications Laws of the World

Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.

Key features include:

telecommunications laws, regulations and policies;

regulatory bodies or authorities;

overview of consents, licenses and authorisations;

regulatory taxes and fees;

key sanctions and penalties.

Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-based stamping for trading transactions, robust, reliable and resilient networks are critical.

Today, telecommunications operators are increasingly seeking to expand customer-specific and value added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion. At the same time, the growth of OTT (over the top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators’ infrastructure to provide services.

Access Telecommunications Laws of the World here.

www.dlapiper.com | 25

Intellectual property webinar series

Throughout 2016 DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact eventsaustralia@dlapiper.com.

Intellectual property issues in China

Confidential information and trade secrets: global insights, global protection

Grey market, parallel importation and anti-counterfeiting

Content protection and digital piracy

Advertising and marketing

Pre-order your copy of the inaugural edition of DLA Piper’s Asia-Pacific Trademark Guide

We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.

Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:

Trademark filing and prosecution

Oppositions

Revocation, invalidation and cancellation

Trademark enforcement

Trademark exploitation

Unregistered trademark rights

Domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piper’s Asia-Pacific Trademark Guide, email APACTMGuide@dlapiper.com.

Are you an in-house lawyer? Join WIN today

WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.


DLA PIPER ASIA PACIFIC TRADEMARK GUIDE 2016: PRE-ORDER YOUR COMPLIMENTARY COPY NOW

We are pleased to bring you the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.

Relevant for the complete brand life cycle, this user-friendly guide looks at such essential issues as:

Trademark filing and prosecution

Oppositions

Revocation, invalidation and cancellation

Trademark enforcement

Trademark exploitation

Unregistered trademark rights

Domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piper’s Asia Pacific Trademark Guide, please complete this card or email us at APACTMGuide@dlapiper.com.


GLOBAL PATENT LAWS AROUND THE WORLD

COMING SOON

Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to businesses operating in the countries featured: for example, what acts infringe a patent, the availability of and approach to granting preliminary injunctions, the ability to obtain evidence, the approach to assessing validity and the typical time to trial. For companies operating in multiple countries, managing the risk of, and successfully bringing or defending, patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those in other countries.

Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and the procedural matters businesses need to know about. The handbook includes guidance on:

Infringing conduct

Defences to infringement

Before taking action

Patent validity

Taking action

Remedies

Procedure & timing

Benefits of Global Patent Laws: patent laws simply put; global reach; easy access 24/7.

DLA PIPER’S PATENT GROUP

With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.

For further information, please contact us by email at patents@dlapiper.com.


PROPOSED AUSTRALIAN MANDATORY DATA BREACH NOTIFICATION REGIME

By Nicholas Boyle, Senior Associate (Sydney)

In October 2016 the Federal Government introduced the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill) to the House of Representatives to amend the Privacy Act to establish a regime for mandatory notification of eligible data breaches. There is bipartisan support for the Bill and it is likely to become law in late 2016 or early 2017.

What are the mandatory data breach notification requirements under the Bill?

The Bill requires that an entity must, as soon as practicable, comply with the notification steps outlined below if:

the entity becomes aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity; or

the Information Commissioner directs the entity to do so.

If an ‘eligible data breach’ occurs in relation to information which has been disclosed to (and is held by) an overseas recipient by an entity, the entity that disclosed the information must comply.

Step 1: Prepare a statement setting out the prescribed details

The affected entity must prepare a statement that sets out:

the identity and contact details of the entity. If the eligible data breach relates to more than one entity, the statement may set out the identity and contact details of those other entities;

a description of the eligible data breach;

the kind or kinds of information affected by the eligible data breach; and

recommendations about the steps that individuals who are or may be affected by the eligible data breach should take in response to it.

If a statement is prepared at the direction of the Information Commissioner, the statement must also include any information specified in that direction.

Step 2: Give a copy of the prepared statement to the Information Commissioner

Step 3: Notify the contents of the statement to individuals whose information is affected by the eligible data breach

Where practicable, the affected entity must take reasonable steps to notify the contents of the statement to those individuals who are or may be affected by the eligible data breach. The entity may use the channels it ordinarily uses to communicate with individuals (eg email, text message, mail) to provide those notifications, but that does not limit the obligation to take reasonable steps or the methods of communication that the entity can use.

If it is not practicable for the affected entity to notify individuals, the affected entity must publish a copy of the statement on its website (if any) and take reasonable steps to publicise the contents of the statement.

What are ‘eligible data breaches’?

An ‘eligible data breach’ occurs when:

there is unauthorised access to, or unauthorised disclosure of, personal, credit reporting or credit eligibility information or a tax file number, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates; or

personal, credit reporting or credit eligibility information or a tax file number is lost, where it is likely that (a) unauthorised access to or unauthorised disclosure of the information will occur and (b) such unauthorised access or disclosure will result in serious harm to an individual to whom the information relates.

Remedial action exception to the definition of eligible data breaches

An eligible data breach is deemed never to have occurred where the affected entity:

in the case of lost information, takes action before there is unauthorised access to or unauthorised disclosure of the information which is lost, and no unauthorised access or disclosure actually occurs; or

in the case of information which is the subject of unauthorised access or disclosure, takes action before there is serious harm to any individual to whom the information relates and, because of that action, a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals.

What is ‘serious harm’?

‘Serious harm’ is to be interpreted broadly. The explanatory memorandum to the Bill states that ‘serious harm’ could include serious physical, psychological, emotional, economic and financial harm, and serious harm to reputation.

The Bill contains a non-exhaustive list of matters to be considered in determining whether or not access to or disclosure of information is likely to result in “serious harm”. These matters include:

the kind(s) and sensitivity of the information;

whether the information is protected by one or more security measures, and the likelihood of any of these measures being overcome;

the persons, or the kinds of persons, who have obtained or who could obtain the information; and

the nature of the harm.

Exceptions

There are a small number of circumstances in which entities are exempted from complying with the notification obligations:

Multiple affected entities: Where the eligible data breach affects more than one entity and another entity has complied with the notification obligations, those other affected entities do not need to separately comply.

Enforcement related activities: Where the affected entity is an enforcement body and the body’s CEO reasonably believes that complying with the notification obligations is likely to prejudice any of its enforcement related activities.

Inconsistency with a secrecy provision: Where complying with the notification obligations is to any extent inconsistent with a provision of a law of the Commonwealth that prohibits or regulates the use or disclosure of information.

Declaration by the Commissioner: Where the Information Commissioner declares that the notification obligations do not apply, or specifies a particular time by which the affected entity must comply with the notification obligations.

Assessment of suspected eligible data breaches

If an entity has reasonable grounds to suspect that an eligible data breach may have occurred, but is not aware of reasonable grounds to believe that an eligible data breach has in fact occurred, the entity must carry out a reasonable and prompt assessment to determine whether an eligible data breach has in fact occurred. This could occur where an entity is notified of a breach by a third party.

The entity must take reasonable steps to complete the assessment within 30 days after forming the suspicion.

If the eligible data breach applies to more than one entity, only one entity needs to undertake an assessment for all entities to comply with this requirement.


SIGNIFICANT CHANGES TO DATA AND CYBERSECURITY PRACTICES IN CHINA

By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong), and Paula Cao, Associate (Beijing)

After a third deliberation, the Chinese government passed the new PRC Cybersecurity Law on 7 November 2016. The new law will come into force on 1 June 2017 and has significant implications for the data privacy and cybersecurity practices of both Chinese companies and international organisations doing business in China.

The new PRC Cybersecurity Law intends to combat online fraud and protect China against internet security risks. In short, it imposes new security and data protection obligations on “network operators”, puts restrictions on transfers of data outside China by “key information infrastructure operators” and introduces new restrictions on critical network and cybersecurity products.

The new law has been widely reported in both the local and international press. While Chinese officials maintain that China is not closing the door on foreign companies with the introduction of this new law, there has been widespread international unease since the first reading. Commentators have expressed concern that competition will be stifled, concern regarding the handover of intellectual property, source codes and security keys to the Chinese government, as to perceived increased surveillance and controls over the internet in China, and in relation to the data localisation requirements. Other new obligations, including increased personal data protections, have been less controversial, but are a clear indicator of the increased focus within the Chinese authorities on data protection and could signal a change to the data protection enforcement environment in China.

Some of the key provisions of the final law (which contains some changes to earlier drafts of the law) include (inter alia):

Chinese citizens’ personal information and “important data” gathered and produced by “key information infrastructure operators” (KIIO) during operations in China must be kept within the borders of the PRC. If it is “necessary” for the KIIO to transfer such data outside of China, a security assessment must be conducted pursuant to the measures jointly formulated by the National Cyberspace Administration and State Council, unless other PRC laws permit the overseas transfer. While the final version of the law provides some guidance as to the industry fields that will be ascribed greater protection, such as public communications and information service, energy, transportation, water conservancy, finance, public service and e-government, the definition of KIIO remains vague and could potentially be interpreted to cover a broader range of companies and industry sectors. “Personal information” is defined as including all kinds of information, recorded electronically or through other means, that taken alone or together with other information is sufficient to identify a natural person’s identity, including but not limited to natural persons’ full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers and so forth. However, the types of information that might constitute “important data” are currently unclear. In any case, these data localisation rules are likely to create practical issues for international businesses operating in China.

A range of new obligations apply to organisations that are “network operators” (ie network owners, network administrators and network service providers). A “network” means any system comprising computers or other information terminals and related equipment for collection, storage, transmission, exchange and processing of information. Some commentators are suggesting that these broad definitions could catch any business that owns and operates IT networks/infrastructure, or even just websites, in China.

In terms of data protection, network operators must make publicly available data privacy notices (explicitly stating purposes, means and scope of personal information to be collected and used) and obtain individuals’ consent when collecting, using and disclosing their personal information. Network operators must adopt technical measures to ensure the security of personal information against loss, destruction or leaks and, in the event of a data security breach, must take immediate remedial action and promptly notify users and the relevant authorities. They must also comply with principles of legality, propriety and necessity in their data handling and not be excessive, not provide an individual’s personal information to others without the individual’s consent, nor illegally sell an individual’s personal data to others. The rules do not apply to truly anonymised data. There are also general obligations to keep user information confidential and to establish and maintain data protection systems. Data subject rights to correction of their data, as well as a right to request deletion of data in the event of a data breach, are also provided. While an earlier draft specifically provided protection to personal information of “citizens”, the final law does not make this distinction and so seemingly offers a broader protection to all personal information. These requirements formalise as binding legal obligations some data protection safeguards that were previously only perceived as best practice guidance in China.

As regards network security, network operators must fulfil certain tiered security obligations according to the requirements of the classified protection system for cybersecurity, which includes (amongst other things) formulating internal security management systems and operating instructions, appointing dedicated cybersecurity personnel, taking technological measures to prevent computer viruses and other similar threats and attacks, formulating plans to monitor and respond to network security incidents, retaining network logs for at least six months, undertaking prescribed data classification, back up, encryption and similar activities, complying with national and mandatory security standards, reporting incidents to users and the authorities, and establishing complaints systems.

Network operators must also provide technical support and assistance to state security bodies safeguarding national security and investigating crimes, and will be subject to government and public supervision. The form and extent of such cooperation is not currently clear, and international businesses have expressed concerns over the extent to which this may require them to disclose their IP, proprietary and confidential information to the Chinese authorities.

More general conditions on network operators carrying out business and service activities include obeying all laws and regulations, mandatory and industry national standards, social norms and commercial ethics, being honest and credible, and bearing social responsibility. There are also requirements on network operators to block, delete and report to the authorities prohibited information and malicious programs published or installed by users.

Network operators handling “network access and domain registration services” for users, including mobile phone and instant message service providers, are required to comply with “real identity” rules when signing up or providing service confirmation to users, or else may not provide the service.

Additional security safeguards apply to KIIOs, including security background checks on key managers, staff training obligations, disaster recovery back ups, emergency response planning and annual inspections and assessments. Further, strict procurement procedures will apply to KIIOs buying network products and services.

Providers of “network products and services” must comply with national and mandatory standards; their products and services must not contain malicious programs; they must take remedial action against security issues and report them to users and relevant authorities; and they must provide security maintenance for their products and services, which cannot be terminated within the contract term agreed with customers. These new conditions will require providers of technology products and services to review and update their product and related maintenance offerings and, in particular, the contractual terms on which they are offered to customers.

Critical network equipment and specialised cybersecurity products must obtain government certification or meet prescribed safety inspection requirements before being sold or provided. This potentially catches a wide range of software, hardware and other technologies being sold – or proposed to be sold – by international companies in China, since the definitions used in the law are drafted very broadly. Further guidance, by way of a catalogue of key network products, is expected in due course. There are concerns that this may create barriers to international businesses looking to enter the Chinese market.


Each individual and organisation shall be responsible for its own use of websites, and may not set up websites or communication groups for the purpose of committing fraud, imparting criminal methods, producing or selling prohibited items or engaging in other unlawful activities. Again, there is scope for this to be interpreted and applied broadly.

Institutions, organisations and individuals outside China that cause serious consequences by attacking, interfering with or destroying key information infrastructure of China shall be responsible for any damage, and the relevant public security department of the State Council may freeze assets and impose other sanctions against them. While these provisions would appear to have an extra-territorial effect and could be interpreted very broadly, it is unclear what sanctions could in practice be enforced against organisations without a presence in China.

Other new rules relate to network/online protections for minors, the establishment of schemes for network security monitoring, early warning and breach notification to relevant authorities and the public, as well as rights for individuals and organisations to report conduct endangering network security, opening of public data resources, and prohibitions on hacking and supporting activities.

While criminal sanctions, administrative penalties and civil liabilities potentially await those (both organisations and, in some circumstances, individual employees and officers) who violate the new law, unfortunately great uncertainties remain as to how the new legislation will be enforced, who exactly is caught by the various new rules and the precise steps that organisations must take to comply with them. It is hoped that the Chinese authorities will publish more detailed practical guidance in the coming months. In the meantime, organisations are strongly advised to review their data privacy and cybersecurity practices in China to ensure compliance with the new law before it comes into force on 1 June 2017, and to keep these under review as further guidance becomes available.


STRICTER PRC ONLINE ADVERTISING REGULATION IN RESPONSE TO SEARCH SCANDAL

By Edward Chatterton, Partner (Hong Kong), Horace Lam, Partner (Beijing), and Ian Jebbit, Registered Foreign Lawyer (Hong Kong)

The China State Administration of Industry and Commerce’s Online Advertising Regulation (Regulation) came into force on September 1, 2016. The Regulation has been widely regarded as the response to a recent scandal regarding paid search results.

Earlier this year, a promising college student in China, Wei Ze Xi, sought cancer treatment at a hospital which was returned as a paid search result on an internet search engine. The hospital promised that the treatment would be effective and charged Wei US$30,000. The treatment was later found to be ineffective, but Wei could not then afford further

The changes

The newly amended Advertising Law did not expressly address the regulation of ‘paid search results’, but the new Regulation includes a specific definition of paid search results which sees them classified as an internet advertisement and thus subject to the Advertising Law. As such, the Regulation means, inter alia, that paid search results:

must not be misleading;

cannot be used in relation to the advertisement of prescription medication and tobacco products;

cannot be used in relation to the advertisement of medical services, medicine, medical formula food, medical devices, pesticides, veterinary medicines and health care products unless the relevant products and services have been previously approved by the relevant authorities; and

must be able to be closed with ‘one click’ and must not interfere with a user’s internet experience.

The Regulation also requires online advertising service providers to establish internal systems for, inter alia, identifying clients who use paid search results and storing their details and advertisements.

Practical implications

The new Regulation affects not only search engine providers but all online advertising businesses and users of paid search results.

Businesses advertising in China using paid search results must check to ensure such paid search results are in compliance with the Advertising Law, and those businesses operating in any of the restricted fields listed above must now ensure prior approval is sought before placing a paid search result advertisement.

Our team of lawyers in China is ready to advise you on the preparations you need to make for the implementation of the Regulation.


MOBILE APPS UNDER CLOSE WATCH OF THE HONG KONG PRIVACY COMMISSIONER

By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong)

The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps. On 21 April 2016 the Office of the Privacy Commissioner for Personal Data (the PCPD) held the ‘Mobile App Development Forum on Privacy and Security’ (Forum) for the mobile app industry, which discussed key issues for mobile app developers, businesses and stakeholders to consider when developing and operating mobile apps, in terms of ensuring compliance with the provisions of the Personal Data (Privacy) Ordinance and safeguarding users from cybersecurity risks.

Businesses operating in the mobile app industry and related stakeholders are advised to take note of the key points raised at the Forum set out below, and the related issues that they should consider.

Lessons to learn from mobile apps in the market

The Privacy Commissioner highlighted the results of a recent survey on popular mobile apps developed by Hong Kong entities, which revealed a lack of transparency in the personal data handling of the apps. The survey results revealed that most of these local apps did not explain clearly what data they would access and the purposes for such access, and that only around half of these mobile apps provided a privacy policy.

A key risk discussed at the Forum was that the drafter of a privacy policy may not have a complete understanding of what data is in fact collected, stored, used and/or shared by the app, for example where third party code is used in the app development. Businesses using the one privacy policy for all of their mobile apps, where the apps differ greatly in the way users’ data are handled, also run the risk of having imprecise privacy policies for individual apps.

Security remains a key concern in relation to personal data collected and handled by mobile apps. It was revealed at the Forum that, alarmingly, some extremely popular mobile apps failed to apply adequate security to safeguard users’ personal data.

Enforcement risks for mobile apps

At the Forum the Privacy Commissioner referred to enforcement actions that were taken against mobile apps recently, largely due to excessive data collection and inadequate security of personal data.

In recent years the Privacy Commissioner has served enforcement notices on operators of mobile apps, as well as related parties to the app operators. As a result, the relevant companies have taken corrective actions and, in some instances, the Privacy Commissioner’s enforcement action attracted much media attention and some of these mobile apps are no longer available in the market.

However, there is a limit to the Privacy Commissioner’s enforcement powers, as demonstrated by a high profile incident in November 2016 regarding call-blocking apps whose activities were suspected by the PCPD to contravene Hong Kong’s data privacy law. As the apps’ operators were located outside Hong Kong, the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow up action.

It is most likely that the privacy compliance of mobile apps will continue to be under the close watch of the Privacy Commissioner in the coming months.

Privacy by Design

The Chief Personal Data Officer of the PCPD, Dr Henry Chang, highlighted the ‘Privacy by Design’ approach that businesses should adopt, which brings privacy to the foreground and embeds privacy from the outset into the design specifications and throughout the entire development life cycle of a mobile app. Set out below are key factors that should be considered.

Data minimisation – The collection of personal data should be reduced to the absolute minimum, especially where sensitive personal data is involved. An assessment of what data the business requires from users, in terms of access and collection, should be undertaken at the outset.

Surprise minimisation – Businesses should ensure there is transparency to users in terms of what data will be collected or accessed, and provide users with a choice to opt out from such access or use where possible. It is important for businesses to manage the expectations of users and eliminate or minimise any possible adverse effects of data collection and use.

Risk minimisation – Businesses must ensure adequate protection of data being transmitted and/or stored, for example through encryption and access control.

Trust and respect – To earn the trust and respect of users, it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects, even if it does not amount to personal data. This is key, as mobile devices contain a vast amount of personal data and other data that may be considered private, and users would be concerned about whether the mobile app accesses or collects any of this data.

In particular, businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users, rather than a compliance hurdle to avoid investigation or enforcement action by the Privacy Commissioner. Businesses should ensure the data collection and handling practices in respect of their mobile apps are not only compliant with the law, but that the privacy policies, privacy notifications and consents are sufficiently clear and transparent to gain the trust and respect of users.


Singaporersquos Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA) Following the release of its first nine enforcement decisions in April this year the PDPC has published a further enforcement decision in June and two decisions in July and is currently investigating a recent data disposal incident with the Monetary Authority of Singapore (MAS) concerning a multinational bank The PDPC has also recently announced the need for organisations to improve their data security and data protection measures and has issued new guides primarily focusing on data protection measures which organisations should consider carefully

Recent enforcement decisions

Some of the key points to note from the three recent enforcement decisions

A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015 The enforcement decision was made even though there was no evidence that any personal data had actually been misused

A document processing company was fined SGD 5000 for a data breach after 195 individuals received account statements of other account holders held on the Singapore Exchange

A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (being the policy holderrsquos chiropractor) to obtain further medical information about the policy holder in September 2015 The PDPC found that the disclosure of the policy holderrsquos bank account details being of a sensitive financial nature was not for a reasonable purpose

It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of 'sensitive personal data' requiring additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.

As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were the result of inadequate data security measures, which led to unauthorised disclosure of personal data.


Investigation into a multinational bank's data disposal incident

The PDPC and the MAS have joined forces in an investigation into a multinational bank (Bank) following a recent report relating to the Bank's disposal of client documents. In June 2016 it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank's headquarters in Singapore.

The MAS is working closely with the PDPC to review the incident, and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers' data.

New guides issued by the PDPC

To accompany its recent media release urging organisations to improve their data security measures, and in light of the recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, on securing personal data in electronic medium, and on building websites for small to medium enterprises.

The PDPC has also updated its guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding withdrawal of consent and access requests. Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing their data handling practices.

Some interesting issues to note

The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third party contracts. Such data protection clauses should contain specific security measures, a schedule listing the authorised personnel who are permitted to access the personal data on a 'need to know' basis, a requirement for a written undertaking about the return or deletion of personal data, as well as a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.

The PDPC's guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).

This article was first published in August 2016. For further updates in relation to Singapore's data protection laws, please contact Scott Thiel (scott.thiel@dlapiper.com) or Carolyn Bigg (carolyn.bigg@dlapiper.com).


IPT INSIGHTS

AUSTRALIA – TRADE MARKS – CHANGES TO OFFICIAL FEES

The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees, some of which are intended to align with practices in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.

Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there will no longer be a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptance/registration, the new process will hopefully reduce the administrative burden on applicants somewhat.

In addition, the AU$150 fee for opposing a removal application will be abolished. Renewal fees will also increase slightly.

This is an adjustment to official fees only at this time, and DLA Piper Australia is not increasing its fees for the relevant attendances.

HONG KONG'S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD

Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong's Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees use their own mobile phones or other personal devices to access work emails and systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap. 486) (the Ordinance) and the Data Protection Principles (DPPs).

The Information Leaflet suggests that organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and to the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices depending on whether the organisation's data is stored on the personal devices themselves or within a 'sandbox'. The Commissioner has suggested as best practice that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance.

The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding the use of personal data stored on BYOD devices, and whether adequate security measures are in place to ensure secure transfer and storage of personal data on BYOD equipment (e.g. sandboxing, password protection and independent encryption).

The Information Leaflet also highlights that respect for personal data should be mutual under a BYOD scheme, and that any practices implemented to manage employees' BYOD devices should respect the employees' own private information.

For more information, the Information Leaflet is available here.

DLA Piper's Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more, please click here.

JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS

In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.

Where a supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, the supplier must follow the approach prescribed in the Bill in order to seek a remedy (for example, damages). This is likely to be a two-step process. Firstly, the supplier must attempt to resolve the complaint with the procuring entity. Secondly, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.

The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year.


WHAT'S ON

Wrap up: 5th Global Technology Summit

On September 27 and 28, DLA Piper's Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.

This year the Summit was divided into two distinct days of programming. The first day, called 'Garage2Global', was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from 'garage to global'. The second day, entitled 'TechLaw', provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.

Speaker Highlights

At 'Garage2Global', Alec Ross, former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes of his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day, Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world's largest networks, which powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates Inc.

Kicking off 'TechLaw', Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions, and how the legal department is viewed as a business partner. During the afternoon sessions, Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, about the GC's role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world's largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.

Please visit our Summit website and blog for further information.

DLA Piper is pleased to announce the launch of Telecommunications Laws of the World

Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.

Key features include:

telecommunications laws, regulations and policies

regulatory bodies or authorities

overview of consents, licences and authorisations

regulatory taxes and fees

key sanctions and penalties

Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-stamping for trading transactions, robust, reliable and resilient networks are critical.

Today, telecommunications operators are increasingly seeking to expand customer-specific and value-added services (such as combining connectivity with application services) to retain relevance and protect against increasing margin erosion. At the same time, the growth of OTT (over-the-top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators' infrastructure to provide services.

Access Telecommunications Laws of the World here.


Intellectual property webinar series

Throughout 2016, DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact eventsaustralia@dlapiper.com.

Intellectual property issues in China

Confidential information and trade secrets: global insights, global protection

Grey market, parallel importation and anti-counterfeiting

Content protection and digital piracy

Advertising and marketing

Pre-order your copy of the inaugural edition of DLA Piperrsquos Asia-Pacific Trademark Guide

We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.

Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:

Trademark filing and prosecution

Oppositions

Revocation, invalidation and cancellation

Trademark enforcement

Trademark exploitation

Unregistered trademark rights

Domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide, email APACTMGuide@dlapiper.com.

Are you an in-house lawyer? Join WIN today

WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.


GLOBAL PATENT LAWS AROUND THE WORLD

COMING SOON

Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to businesses operating in the countries featured: for example, what acts infringe a patent, the availability of and approach to granting preliminary injunctions, the ability to obtain evidence, the approach to assessing validity, and the typical time to trial. For companies operating in multiple countries, managing the risk of, and successfully bringing or defending, patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those of other countries.

Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and the procedural matters businesses need to know about. The handbook includes guidance on:

Infringing conduct

Defences to infringement

Before taking action

Patent validity

Taking action

Remedies

Procedure & timing

Benefits of Global Patent Laws: patent laws simply put, global reach, easy access 24/7.

DLA PIPER'S PATENT GROUP

With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.

For further information, please contact us by email at patents@dlapiper.com.


What are 'eligible data breaches'?

An 'eligible data breach' occurs when:

there is unauthorised access to, or unauthorised disclosure of, personal, credit reporting or credit eligibility information or a tax file number, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates; or

personal, credit reporting or credit eligibility information or a tax file number is lost, where it is likely that (a) unauthorised access to or unauthorised disclosure of the information will occur, and (b) such unauthorised access or disclosure will result in serious harm to an individual to whom the information relates.

Remedial action: exception to the definition of eligible data breaches

An eligible data breach is deemed never to have occurred where the affected entity:

in the case of lost information, takes action before there is unauthorised access to or unauthorised disclosure of the lost information, and no unauthorised access or disclosure actually occurs; or

in the case of information which is the subject of unauthorised access or disclosure, takes action before there is serious harm to any individual to whom the information relates and, because of that action, a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals.

What is 'serious harm'?

'Serious harm' is to be interpreted broadly. The explanatory memorandum to the Bill states that 'serious harm' could include serious physical, psychological, emotional, economic and financial harm, and serious harm to reputation.

The Bill contains a non-exhaustive list of matters to be considered in determining whether or not access to or disclosure of information is likely to result in 'serious harm'. These matters include:

the kind(s) and sensitivity of the information;

whether the information is protected by one or more security measures, and the likelihood of any of these measures being overcome;

the persons, or the kinds of persons, who have obtained or who could obtain the information;

the nature of the harm.

Exceptions

There are a small number of circumstances in which entities are exempted from complying with the notification obligations:

Multiple affected entities: where the eligible data breach affects more than one entity and another entity has complied with the notification obligations, the other affected entities do not need to comply separately.

Enforcement related activities: where the affected entity is an enforcement body and the body's CEO reasonably believes that complying with the notification obligations is likely to prejudice any of its enforcement related activities.

Inconsistency with a secrecy provision: where complying with the notification obligations is, to any extent, inconsistent with a provision of a law of the Commonwealth that prohibits or regulates the use or disclosure of information.

Declaration by the Commissioner: where the Information Commissioner declares that the notification obligations do not apply, or specifies a particular time by which the affected entity must comply with the notification obligations.

Assessment of suspected eligible data breaches

If an entity has reasonable grounds to suspect that an eligible data breach may have occurred, but is not aware of reasonable grounds to believe that an eligible data breach has in fact occurred, the entity must carry out a reasonable and prompt assessment to determine whether an eligible data breach has in fact occurred. This could arise, for example, where an entity is notified of a breach by a third party.

The entity must take reasonable steps to complete the assessment within 30 days after forming the suspicion.

If the eligible data breach applies to more than one entity, only one entity needs to undertake an assessment for all entities to comply with this requirement.


SIGNIFICANT CHANGES TO DATA AND CYBERSECURITY PRACTICES IN CHINA

By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong), and Paula Cao, Associate (Beijing)

After a third deliberation, the Chinese government passed the new PRC Cybersecurity Law on 7 November 2016. The new law will come into force on 1 June 2017 and has significant implications for the data privacy and cybersecurity practices of both Chinese companies and international organisations doing business in China.

The new PRC Cybersecurity Law is intended to combat online fraud and protect China against internet security risks. In short, it imposes new security and data protection obligations on "network operators", puts restrictions on transfers of data outside China by "key information infrastructure operators", and introduces new restrictions on critical network and cybersecurity products.

The new law has been widely reported in both the local and international press. While Chinese officials maintain that China is not closing the door on foreign companies with the introduction of this new law, there has been widespread international unease since the first reading. Commentators have expressed concern that competition will be stifled, about the possible handover of intellectual property, source code and security keys to the Chinese government, about perceived increased surveillance and controls over the internet in China, and about the data localisation requirements. Other new obligations, including increased personal data protections, have been less controversial, but are a clear indicator of the increased focus within the Chinese authorities on data protection and could signal a change to the data protection enforcement environment in China.

Some of the key provisions of the final law (which contains some changes from earlier drafts) include, inter alia:

Chinese citizens' personal information and "important data" gathered and produced by "key information infrastructure operators" (KIIOs) during operations in China must be kept within the borders of the PRC. If it is "necessary" for a KIIO to transfer such data outside of China, a security assessment must be conducted pursuant to the measures jointly formulated by the National Cyberspace Administration and the State Council, unless other PRC laws permit the overseas transfer. While the final version of the law provides some guidance as to the industry fields that will be ascribed greater protection, such as public communications and information services, energy, transportation, water conservancy, finance, public services and e-government, the definition of KIIO remains vague and could potentially be interpreted to cover a broader range of companies and industry sectors. "Personal information" is defined as including all kinds of information, recorded electronically or through other means, that taken alone or together with other information is sufficient to identify a natural person's identity, including but not limited to natural persons' full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers and so forth. However, the types of information that might constitute "important data" are currently unclear. In any case, these data localisation rules are likely to create practical issues for international businesses operating in China.

A range of new obligations apply to organisations that are "network operators" (i.e. network owners, network administrators and network service providers). A "network" means any system comprising computers or other information terminals and related equipment for the collection, storage, transmission, exchange and processing of information. Some commentators are suggesting that these broad definitions could catch any business that owns and operates IT networks or infrastructure, or even just websites, in China.

In terms of data protection, network operators must make publicly available data privacy notices (explicitly stating the purposes, means and scope of personal information to be collected and used) and obtain individuals' consent when collecting, using and disclosing their personal information. Network operators must adopt technical measures to ensure the security of personal information against loss, destruction or leaks, and in the event of a data security breach must take immediate remedial action and promptly notify users and the relevant authorities. They must also comply with the principles of legality, propriety and necessity in their data handling and not be excessive, must not provide an individual's personal information to others without the individual's consent, and must not illegally sell an individual's personal data to others. The rules do not apply to truly anonymised data. There are also general obligations to keep user information confidential and to establish and maintain data protection systems. Data subject rights to correction of their data, as well as a right to request deletion of data in the event of a data breach, are also provided. While an earlier draft specifically provided protection to the personal information of "citizens", the final law does not make this distinction, and so seemingly offers broader protection to all personal information. These requirements formalise as binding legal obligations some data protection safeguards that were previously only perceived as best practice guidance in China.

As regards network security, network operators must fulfil certain tiered security obligations according to the requirements of the classified protection system for cybersecurity. These include (amongst other things): formulating internal security management systems and operating instructions; appointing dedicated cybersecurity personnel; taking technological measures to prevent computer viruses and other similar threats and attacks; formulating plans to monitor and respond to network security incidents; retaining network logs for at least six months; undertaking prescribed data classification, back-up, encryption and similar activities; complying with national and mandatory security standards; reporting incidents to users and the authorities; and establishing complaints systems.

Network operators must also provide technical support and assistance to state security bodies safeguarding national security and investigating crimes, and will be subject to government and public supervision. The form and extent of such cooperation is not currently clear, and international businesses have expressed concerns over the extent to which this may require them to disclose their IP and proprietary and confidential information to the Chinese authorities.

More general conditions on network operators carrying out business and service activities include obeying all laws and regulations, mandatory and industry national standards, social norms and commercial ethics; being honest and credible; and bearing social responsibility. There are also requirements on network operators to block, delete and report to the authorities prohibited information and malicious programs published or installed by users.

Network operators handling "network access and domain registration services" for users, including mobile phone and instant message service providers, are required to comply with "real identity" rules when signing up users or providing service confirmation to them, or else may not provide the service.

Additional security safeguards apply to KIIOs, including security background checks on key managers, staff training obligations, disaster recovery back-ups, emergency response planning, and annual inspections and assessments. Further, strict procurement procedures will apply to KIIOs buying network products and services.

Providers of "network products and services" must comply with national and mandatory standards; their products and services must not contain malicious programs; they must take remedial action against security issues and report them to users and the relevant authorities; and they must provide security maintenance for their products and services, which cannot be terminated within the contract term agreed with customers. These new conditions will require providers of technology products and services to review and update their product and related maintenance offerings and, in particular, the contractual terms on which they are offered to customers.

Critical network equipment and specialised cybersecurity products must obtain government certification or meet prescribed safety inspection requirements before being sold or provided. This potentially catches a wide range of software, hardware and other technologies being sold, or proposed to be sold, by international companies in China, since the definitions used in the law are drafted very broadly. Further guidance, by way of a catalogue of key network products, is expected in due course. There are concerns that this may create barriers to international businesses looking to enter the Chinese market.


Each individual and organisation shall be responsible for its own use of websites, and may not set up websites or communication groups for the purpose of committing fraud, imparting criminal methods, producing or selling prohibited items, or engaging in other unlawful activities. Again, there is scope for this to be interpreted and applied broadly.

Institutions, organisations and individuals outside China that cause serious consequences by attacking, interfering with or destroying key information infrastructure of China shall be responsible for any damage, and the relevant public security department of the State Council may freeze assets and impose other sanctions against them. While these provisions would appear to have an extra-territorial effect and could be interpreted very broadly, it is unclear what sanctions could in practice be enforced against organisations without a presence in China.

Other new rules relate to network and online protections for minors; the establishment of schemes for network security monitoring, early warning and breach notification to the relevant authorities and the public; rights for individuals and organisations to report conduct endangering network security; the opening of public data resources; and prohibitions on hacking and supporting activities.

While criminal sanctions, administrative penalties and civil liabilities potentially await those (both organisations and, in some circumstances, individual employees and officers) who violate the new law, unfortunately great uncertainties remain as to how the new legislation will be enforced, who exactly is caught by the various new rules, and the precise steps that organisations must take to comply with them. It is hoped that the Chinese authorities will publish more detailed practical guidance in the coming months. In the meantime, organisations are strongly advised to review their data privacy and cybersecurity practices in China to ensure compliance with the new law before it comes into force on 1 June 2017, and to keep these under review as further guidance becomes available.

18 | Intellectual Property and Technology News

The China State Administration of Industry and Commerce's Online Advertising Regulation (Regulation) came into force on 1 September 2016. The Regulation has been widely regarded as the response to a recent scandal regarding paid search results.

Earlier this year, a promising college student in China, Wei Ze Xi, sought cancer treatment at a hospital which was returned as a paid search result on an internet search engine. The hospital promised that the treatment would be effective and charged Wei US$30,000. The treatment was later found to be ineffective, but Wei could not then afford further

The changes

The newly amended Advertising Law did not expressly address the regulation of 'paid search results', but the new Regulation includes a specific definition of paid search results which sees them classified as an internet advertisement and thus subject to the Advertising Law. As such, the Regulation means, inter alia, that paid search results:

must not be misleading;

cannot be used in relation to the advertisement of prescription medication and tobacco products;

cannot be used in relation to the advertisement of medical services, medicine, medical formula food, medical devices, pesticides, veterinary medicines and health care products unless the relevant products and services have been previously approved by the relevant authorities; and

must be able to be closed with 'one click' and must not interfere with a user's internet experience.

The Regulation also requires online advertising service providers to establish internal systems for, inter alia, identifying clients who use paid search results and storing their details and advertisements.

Practical implications

The new Regulation affects not only search engine providers but all online advertising businesses and users of paid search results.

Businesses advertising in China using paid search results must check to ensure such paid search results are in compliance with the Advertising Law, and those businesses operating in any of the restricted fields listed above must now ensure prior approval is sought before placing a paid search result advertisement.

Our team of lawyers in China is ready to advise you on the preparations you need to make for the implementation of the Regulation.

STRICTER PRC ONLINE ADVERTISING REGULATION IN RESPONSE TO SEARCH SCANDAL
By Edward Chatterton, Partner (Hong Kong), Horace Lam, Partner (Beijing) and Ian Jebbit, Registered Foreign Lawyer (Hong Kong)

wwwdlapipercom | 19

MOBILE APPS UNDER CLOSE WATCH OF THE HONG KONG PRIVACY COMMISSIONER
By Scott Thiel, Partner and Carolyn Bigg, Of Counsel (Hong Kong)

The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps. On 21 April 2016, the Office of the Privacy Commissioner for Personal Data (the PCPD) held the 'Mobile App Development Forum on Privacy and Security' (Forum) for the mobile app industry, which discussed key issues for mobile app developers, businesses and stakeholders to consider when developing and operating mobile apps in terms of ensuring compliance with the provisions of the Personal Data (Privacy) Ordinance and safeguarding users from cybersecurity risks.

Businesses operating in the mobile app industry and related stakeholders are advised to take note of the key points raised at the Forum, and the related issues they should consider, set out below.

Lessons to learn from mobile apps in the market

The Privacy Commissioner highlighted the results of a recent survey on popular mobile apps developed by Hong Kong entities, which revealed a lack of transparency in the handling of personal data by the apps. The survey results revealed that most of these local apps did not explain clearly what data they would access and the purposes for such access, and that only around half of these mobile apps provided a privacy policy.

A key risk discussed at the Forum was that the drafter of a privacy policy may not have a complete understanding of what data is in fact collected, stored, used and/or shared by the app, for example where third party code is used in the app's development. Businesses using one privacy policy for all of their mobile apps, which may differ greatly in the way users' data are handled, also run the risk of having imprecise privacy policies for individual apps.

Security remains a key concern in relation to personal data collected and handled by mobile apps. It was revealed at the Forum that, alarmingly, some extremely popular mobile apps failed to apply adequate security to safeguard users' personal data.

Enforcement risks for mobile apps

At the Forum, the Privacy Commissioner referred to enforcement actions taken recently against mobile apps, largely due to excessive data collection and inadequate security of personal data.

In recent years, the Privacy Commissioner has served enforcement notices on operators of mobile apps as well as on parties related to the app operators. As a result, the relevant companies have taken corrective actions, and in some instances the Privacy Commissioner's enforcement action attracted much media attention, and some of these mobile apps are no longer available in the market.

However, there is a limit to the Privacy Commissioner's enforcement powers, as demonstrated by a high profile incident in November 2016 regarding call-blocking apps whose activities were suspected by the PCPD to contravene Hong Kong's data privacy law. As the apps' operators were located outside Hong Kong, the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow up action.

It is most likely that the privacy compliance of mobile apps will continue to be under the close watch of the Privacy Commissioner in the coming months.

Privacy by Design

The Chief Personal Data Officer of the PCPD, Dr Henry Chang, highlighted the 'Privacy by Design' approach that businesses should adopt, which brings privacy to the foreground and embeds privacy from the outset into the design specifications and throughout the entire development life cycle of a mobile app. Set out below are key factors that should be considered.

Data minimisation – The collection of personal data should be reduced to the absolute minimum, especially where sensitive personal data is involved. An assessment of what data the business requires from users, in terms of access and collection, should be undertaken at the outset.

Surprise minimisation – Businesses should ensure there is transparency to users in terms of what data will be collected or accessed, and provide users with a choice to opt out from such access or use where possible. It is important for businesses to manage the expectations of users and eliminate or minimise any possible adverse effects of data collection and use.

Risk minimisation – Businesses must ensure adequate protection of data being transmitted and/or stored, for example through encryption and access control.

Trust and respect – To earn the trust and respect of users, it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects, even if it does not amount to personal data. This is key, as mobile devices contain a vast amount of personal data and other data that may be considered private, and users would be concerned about whether the mobile app accesses or collects any of this data.

In particular, businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users, rather than as a compliance hurdle to avoid investigation or enforcement action by the Privacy Commissioner. Businesses should ensure that the data collection and handling practices in respect of their mobile apps are not only compliant with the law, but also that the privacy policies, privacy notifications and consents are sufficiently clear and transparent to gain the trust and respect of users.


Singapore's Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC published a further enforcement decision in June and two decisions in July, and is currently investigating, together with the Monetary Authority of Singapore (MAS), a recent data disposal incident concerning a multinational bank. The PDPC has also recently announced the need for organisations to improve their data security and data protection measures, and has issued new guides, primarily focusing on data protection measures, which organisations should consider carefully.

Recent enforcement decisions

Some of the key points to note from the three recent enforcement decisions:

A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.

A document processing company was fined SGD 5,000 for a data breach after 195 individuals received account statements of other account holders held on the Singapore Exchange.

A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (being the policy holder's chiropractor) in order to obtain further medical information about the policy holder in September 2015. The PDPC found that the disclosure of the policy holder's bank account details, being of a sensitive financial nature, was not for a reasonable purpose.

It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of 'sensitive personal data' which requires additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.

As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were a result of inadequate data security measures which led to unauthorised disclosure of personal data.

SINGAPORE'S ENFORCEMENT OF DATA PROTECTION LAW ON THE RISE

By Scott Thiel, Partner, Carolyn Bigg, Of Counsel and Amy Kong, Associate (Hong Kong)


Investigation on a multinational bankrsquos data disposal incident

The PDPC and the MAS have joined forces in an investigation against a multinational bank (Bank) following a recent report relating to the Bank's disposal of client documents. In June 2016 it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank's headquarters in Singapore.

The MAS is working closely with the PDPC to review the incident, and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers' data.

New guides issued by the PDPC

To accompany its recent media release urging organisations to improve their data security measures, and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, securing personal data in electronic medium, and building websites for small to medium enterprises.

The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding content on withdrawal of consent and access requests. Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing their data handling practices.

Some interesting issues to note

The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third party contracts. Such data protection clauses should contain specific security measures; a schedule listing the authorised personnel who are permitted to access the personal data on a 'need to know' basis; a requirement for a written undertaking about the return or deletion of personal data; and a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.

The PDPC's guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).

This article was first published in August 2016. For further updates in relation to Singapore's data protection laws, please contact Scott Thiel (scottthieldlapipercom) or Carolyn Bigg (carolynbiggdlapipercom).


AUSTRALIA – TRADE MARKS – CHANGES TO OFFICIAL FEES

The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees, some of which are intended to align with practices in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.

Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there will no longer be a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptance/registration, the new process will hopefully reduce the administrative burden on applicants somewhat.

In addition, the AU$150 fee for opposing a removal application will be abolished. Renewal fees will also increase slightly.

This is an adjustment to official fees only at this time, and DLA Piper Australia is not increasing its fees for the relevant attendances.

HONG KONG'S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD

Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong's Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees are using their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap 486) (the Ordinance) and the Data Protection Principles (DPPs).

The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices depending on whether or not the organisation's data is stored on the personal devices or within a 'sandbox'. The Commissioner has suggested as best practice that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly, to ensure appropriate data privacy and data security compliance.

The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding the use of personal data stored on the BYOD device, and whether adequate security measures are in place to ensure secure transfer and storage of personal data on the BYOD equipment (e.g. sandboxing, password protection and independent encryption).

The Information Leaflet also highlights that respect for personal data should be mutual under the BYOD scheme, and any practices implemented to manage employees' BYOD devices should respect the employees' private information.

For more information, the Information Leaflet is available here.

DLA Piper's Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more, please click here.

JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS

In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.

Where a supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, in order to seek a remedy (for example, damages) the supplier must follow the approach prescribed in the Bill. This is likely to be a two-step process. Firstly, the supplier must attempt to resolve the complaint with the procuring entity. Secondly, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.

The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year.

IPT INSIGHTS


WHAT'S ON
Wrap up: 5th Global Technology Summit

On September 27 and 28, DLA Piper's Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.

This year the Summit was divided into two distinct days of programming. The first day, 'Garage2Global', was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from 'garage to global'. The second day, 'TechLaw', provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.

Speaker Highlights

At 'Garage2Global', Alec Ross, Former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day, Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world's largest networks, which powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates Inc.

Kicking off 'TechLaw', Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions, and how the legal department is viewed as a business partner. During the afternoon sessions, Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, to discuss the GC's role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world's largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.

Please visit our Summit website and blog for any further information.

DLA Piper is pleased to announce the launch of Telecommunications Laws of the World

Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.

Key features include:

telecommunications laws, regulations and policies;

regulatory bodies or authorities;

overview of consents, licenses and authorisations;

regulatory taxes and fees;

key sanctions and penalties.

Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-based stamping for trading transactions, robust, reliable and resilient networks are critical.

Today, telecommunications operators are increasingly seeking to expand customer-specific and value added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion. At the same time, the growth of OTT (over the top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators' infrastructure to provide services.

Access Telecommunications Laws of the World here.


Intellectual property webinar series

Throughout 2016, DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact eventsaustraliadlapipercom.

intellectual property issues in China;

confidential information and trade secrets: global insights, global protection;

grey market, parallel importation and anti-counterfeiting;

content protection and digital piracy;

advertising and marketing.

Pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide

We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.

Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:

trademark filing and prosecution;

oppositions;

revocation, invalidation and cancellation;

trademark enforcement;

trademark exploitation;

unregistered trademark rights;

domain and company name disputes.

To pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide, email APACTMGuidedlapipercom.

Are you an in-house lawyer? Join WIN today

WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.



GLOBAL PATENT LAWS AROUND THE WORLD

COMING SOON

Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to businesses operating in the countries featured, for example: what acts infringe a patent; the availability of, and approach to granting, preliminary injunctions; the ability to obtain evidence; the approach to assessing validity; and the typical time to trial. For companies operating in multiple countries, managing the risk of, and successfully bringing or defending, patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those in other countries.

Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and procedural matters businesses need to know about. The handbook includes guidance on:

infringing conduct;

defences to infringement;

before taking action;

patent validity;

taking action;

remedies;

procedure & timing.

Benefits of Global Patent Laws: patent laws simply put; global reach; easy access 24/7.

DLA PIPER'S PATENT GROUP

With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.

For further information, please contact us by email at patentsdlapipercom.


After a third deliberation, the Chinese government passed the new PRC cybersecurity law on 7 November 2016. The new law will come into force on 1 June 2017 and has significant implications for the data privacy and cybersecurity practices of both Chinese companies and international organisations doing business in China.

The new PRC cybersecurity law is intended to combat online fraud and protect China against internet security risks. In short, it imposes new security and data protection obligations on "network operators", puts restrictions on transfers of data outside China by "key information infrastructure operators", and introduces new restrictions on critical network and cybersecurity products.

The new law has been widely reported in both the local and international press. While Chinese officials maintain that China is not closing the door on foreign companies with the introduction of this new law, there has been widespread international unease since the first reading. Commentators have expressed concern that competition will be stifled, regarding the handover of intellectual property, source code and security keys to the Chinese government, as to perceived increased surveillance and controls over the internet in China, and in relation to the data localisation requirements. Other new obligations, including increased personal data protections, have been less controversial, but are a clear indicator of the increased focus within the Chinese authorities on data protection and could signal a change to the data protection enforcement environment in China.

Some of the key provisions of the final law (which contains some changes to earlier drafts of the law) include (inter alia):

Chinese citizens' personal information and "important data" gathered and produced by "key information infrastructure operators" (KIIO) during operations in China must be kept within the borders of the PRC. If it is "necessary" for the KIIO to transfer such data outside of China, a security assessment must be conducted pursuant to the measures jointly formulated by the National Cyberspace Administration and State Council, unless other PRC laws permit the overseas transfer. While the final version of the law provides some guidance as to the industry fields that will be ascribed greater protection, such as public communications and information services, energy, transportation, water conservancy, finance, public services and e-government, the definition of KIIO remains vague and could potentially be interpreted to cover a broader range of companies and industry sectors. "Personal information" is defined as including all kinds of information, recorded electronically or through other means, that taken alone or together with other information is sufficient to identify a natural person's identity, including but not limited to natural persons' full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers and so forth. However, the types of information that might constitute "important data" are currently unclear. In any case, these data localisation rules are likely to create practical issues for international businesses operating in China.

A range of new obligations apply to organisations that are "network operators" (i.e. network owners, network administrators and network service providers). A "network" means any system comprising computers or other information terminals and related equipment for the collection, storage, transmission, exchange and processing of information. Some commentators are suggesting that these broad definitions could catch any business that owns and operates IT networks/infrastructure, or even just websites, in China.

In terms of data protection, network operators must make publicly available data privacy notices (explicitly stating the purposes, means and scope of personal information to be collected and used) and obtain individuals' consent when collecting, using and disclosing their personal information. Network operators must adopt technical measures to ensure the security of personal information against loss, destruction or leaks, and in the event of a data security breach must take immediate remedial action and promptly notify users and the relevant authorities. They must also comply with principles of legality, propriety and necessity in their data handling and not be excessive; not provide an individual's personal information to others without the individual's consent; nor illegally sell an individual's personal data to others. The rules do not apply to truly anonymised data. There are also general obligations to keep user information confidential and to establish and maintain data protection systems. Data subject rights to correction of their data, as well as a right to request deletion of data in the event of a data breach, are also provided. While an earlier draft specifically provided protection to personal information of "citizens", the final law does not make this distinction and so seemingly offers broader protection to all personal information. These requirements formalise as binding legal obligations some data protection safeguards that were previously only perceived as best practice guidance in China.

SIGNIFICANT CHANGES TO DATA AND CYBERSECURITY PRACTICES IN CHINA
By Scott Thiel, Partner and Carolyn Bigg, Of Counsel (Hong Kong) and Paula Cao, Associate (Beijing)

As regards network security, network operators must fulfil certain tiered security obligations according to the requirements of the classified protection system for cybersecurity, which includes (amongst other things): formulating internal security management systems and operating instructions; appointing dedicated cybersecurity personnel; taking technological measures to prevent computer viruses and other similar threats and attacks, and formulating plans to monitor and respond to network security incidents; retaining network logs for at least six months; undertaking prescribed data classification, back-up, encryption and similar activities; complying with national and mandatory security standards; reporting incidents to users and the authorities; and establishing complaints systems.

Network operators must also provide technical support and assistance to state security bodies safeguarding national security and investigating crimes, and will be subject to government and public supervision. The form and extent of such cooperation is not currently clear, and international businesses have expressed concerns over the extent to which this may require them to disclose their IP, proprietary and confidential information to the Chinese authorities.

More general conditions on network operators carrying out business and service activities include obeying all laws and regulations, mandatory and industry national standards, social norms and commercial ethics, being honest and credible, and bearing social responsibility. There are also requirements on network operators to block, delete and report to the authorities prohibited information and malicious programs published or installed by users.

Network operators handling "network access and domain registration services" for users, including mobile phone and instant message service providers, are required to comply with "real identity" rules when signing up or providing service confirmation to users, or else may not provide the service.

Additional security safeguards apply to key information infrastructure operators (KIIOs), including security background checks on key managers, staff training obligations, disaster recovery back-ups, emergency response planning, and annual inspections and assessments. Further, strict procurement procedures will apply to KIIOs buying network products and services.

Providers of "network products and services" must comply with national and mandatory standards; their products and services must not contain malicious programs; they must take remedial action against security issues and report them to users and the relevant authorities; and they must provide security maintenance for their products and services, which cannot be terminated within the contract term agreed with customers. These new conditions will require providers of technology products and services to review and update their product and related maintenance offerings and, in particular, the contractual terms on which they are offered to customers.

Critical network equipment and specialised cybersecurity products must obtain government certification or meet prescribed safety inspection requirements before being sold or provided. This potentially catches a wide range of software, hardware and other technologies being sold, or proposed to be sold, by international companies in China, since the definitions used in the law are drafted very broadly. Further guidance, by way of a catalogue of key network products, is expected in due course. There are concerns that this may create barriers to international businesses looking to enter the Chinese market.


Each individual and organisation shall be responsible for its own use of websites and may not set up websites or communication groups for the purpose of committing fraud, imparting criminal methods, producing or selling prohibited items or engaging in other unlawful activities. Again, there is scope for this to be interpreted and applied broadly.

Institutions, organisations and individuals outside China that cause serious consequences by attacking, interfering with or destroying the key information infrastructure of China shall be responsible for any damage, and the relevant public security department of the State Council may freeze assets and impose other sanctions against them. While these provisions would appear to have an extra-territorial effect and could be interpreted very broadly, it is unclear what sanctions could in practice be enforced against organisations without a presence in China.

Other new rules relate to network/online protections for minors; the establishment of schemes for network security monitoring, early warning and breach notification to the relevant authorities and the public; rights for individuals and organisations to report conduct endangering network security; the opening of public data resources; and prohibitions on hacking and supporting activities.

While criminal sanctions, administrative penalties and civil liabilities potentially await those (both organisations and, in some circumstances, individual employees and officers) who violate the new law, unfortunately great uncertainties remain as to how the new legislation will be enforced, who exactly is caught by the various new rules, and the precise steps that organisations must take to comply with them. It is hoped that the Chinese authorities will publish more detailed practical guidance in the coming months. In the meantime, organisations are strongly advised to review their data privacy and cybersecurity practices in China to ensure compliance with the new law before it comes into force on 1 June 2017, and to keep these under review as further guidance becomes available.


The China State Administration of Industry and Commerce's Online Advertising Regulation (Regulation) came into force on September 1, 2016. The Regulation has been widely regarded as the response to a recent scandal regarding paid search results.

Earlier this year a promising college student in China, Wei Ze Xi, sought cancer treatment at a hospital which was returned as a paid search result on an internet search engine. The hospital promised that the treatment would be effective and charged Wei US$30,000. The treatment was later found to be ineffective, but Wei could not then afford further

The changes

The newly amended Advertising Law did not expressly address the regulation of 'paid search results', but the new Regulation includes a specific definition of paid search results which sees them classified as an internet advertisement and thus subject to the Advertising Law. As such, the Regulation means, inter alia, that paid search results:

must not be misleading;

cannot be used in relation to the advertisement of prescription medication and tobacco products;

cannot be used in relation to the advertisement of medical services, medicine, medical formula food, medical devices, pesticides, veterinary medicines and health care products unless the relevant products and services have been previously approved by the relevant authorities; and

must be able to be closed with 'one click' and must not interfere with a user's internet experience.

The Regulation also requires online advertising service providers to establish internal systems for, inter alia, identifying clients who use paid search results and storing their details and advertisements.

Practical implications

The new Regulation affects not only search engine providers but all online advertising businesses and users of paid search results.

Businesses advertising in China using paid search results must check to ensure such paid search results are in compliance with the Advertising Law, and those businesses operating in any of the restricted fields listed above must now ensure prior approval is sought before placing a paid search result advertisement.

Our team of lawyers in China is ready to advise you on the preparations you need to make for the implementation of the Regulation.

STRICTER PRC ONLINE ADVERTISING REGULATION IN RESPONSE TO SEARCH SCANDAL
By Edward Chatterton, Partner (Hong Kong), Horace Lam, Partner (Beijing), and Ian Jebbit, Registered Foreign Lawyer (Hong Kong)


MOBILE APPS UNDER CLOSE WATCH OF THE HONG KONG PRIVACY COMMISSIONER
By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong)

The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps. On 21 April 2016 the Office of the Privacy Commissioner for Personal Data (the PCPD) held the 'Mobile App Development Forum on Privacy and Security' (Forum) for the mobile app industry, which discussed key issues for mobile app developers, businesses and stakeholders to consider when developing and operating mobile apps, in terms of ensuring compliance with the provisions of the Personal Data (Privacy) Ordinance and safeguarding users from cybersecurity risks.

Businesses operating in the mobile app industry and related stakeholders are advised to take note of the key points raised at the Forum, and the related issues they should consider, set out below.

Lessons to learn from mobile apps in the market

The Privacy Commissioner highlighted the results of a recent survey on popular mobile apps developed by Hong Kong entities, which revealed a lack of transparency in the personal data handling of those apps. The survey results revealed that most of these local apps did not explain clearly what data they would access and the purposes for such access, and that only around half of these mobile apps provided a privacy policy.

A key risk discussed at the Forum was that the drafter of a privacy policy may not have a complete understanding of what data is in fact collected, stored, used and/or shared by the app, for example where third party code is used in the app development. Businesses using one privacy policy for all of their mobile apps, which differ greatly in the way users' data are handled, also run the risk of having imprecise privacy policies for individual apps.

Security remains a key concern in relation to personal data collected and handled by mobile apps. It was revealed at the Forum that, alarmingly, some extremely popular mobile apps failed to apply adequate security to safeguard users' personal data.

Enforcement risks for mobile apps

At the Forum the Privacy Commissioner referred to enforcement actions taken against mobile apps recently, largely due to excessive data collection and inadequate security of personal data.

In recent years the Privacy Commissioner has served enforcement notices on operators of mobile apps as well as parties related to the app operators. As a result, the relevant companies have taken corrective actions and, in some instances, the Privacy Commissioner's enforcement action attracted much media attention and some of these mobile apps are no longer available in the market.

However, there is a limit to the Privacy Commissioner's enforcement powers, as demonstrated by a high profile incident in November 2016 regarding call-blocking apps whose activities were suspected by the PCPD to contravene Hong Kong's data privacy law. As the apps' operators were located outside Hong Kong, the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow-up action.

It is most likely that the privacy compliance of mobile apps will continue to be under the close watch of the Privacy Commissioner in the coming months.

Privacy by Design

The Chief Personal Data Officer of the PCPD, Dr Henry Chang, highlighted the 'Privacy by Design' approach that businesses should adopt, which brings privacy to the foreground and embeds privacy from the outset into the design specifications and throughout the entire development life cycle of a mobile app. Set out below are key factors that should be considered.

Data minimisation: the collection of personal data should be reduced to the absolute minimum, especially where sensitive personal data is involved. An assessment of what data the business requires from users, in terms of access and collection, should be undertaken at the outset.

Surprise minimisation: businesses should ensure there is transparency to users in terms of what data will be collected or accessed, and provide users with a choice to opt out from such access or use where possible. It is important for businesses to manage the expectations of users and eliminate or minimise any possible adverse effects of data collection and use.

Risk minimisation: businesses must ensure adequate protection of data being transmitted and/or stored, for example through encryption and access control.

Trust and respect: to earn the trust and respect of users, it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects, even if it does not amount to personal data. This is key, as mobile devices contain a vast amount of personal data and other data that may be considered private, and users will be concerned about whether the mobile app accesses or collects any of this data.

In particular, businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users, rather than a compliance hurdle to be cleared to avoid investigation or enforcement action by the Privacy Commissioner. Businesses should ensure the data collection and handling practices in respect of their mobile apps are not only compliant with the law, but that the privacy policies, privacy notifications and consents are sufficiently clear and transparent to gain the trust and respect of users.


Singapore's Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident with the Monetary Authority of Singapore (MAS) concerning a multinational bank. The PDPC has also recently announced the need for organisations to improve their data security and data protection measures, and has issued new guides, primarily focusing on data protection measures, which organisations should consider carefully.

Recent enforcement decisions

Some of the key points to note from the three recent enforcement decisions:

A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.

A document processing company was fined SGD 5,000 for a data breach after 195 individuals received account statements of other account holders held on the Singapore Exchange.

A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (the policy holder's chiropractor) in order to obtain further medical information about the policy holder in September 2015. The PDPC found that the disclosure of the policy holder's bank account details, being of a sensitive financial nature, was not for a reasonable purpose.

It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of 'sensitive personal data' requiring additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.

As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were a result of inadequate data security measures, which led to unauthorised disclosure of personal data.

SINGAPORE'S ENFORCEMENT OF DATA PROTECTION LAW ON THE RISE

By Scott Thiel, Partner, Carolyn Bigg, Of Counsel, and Amy Kong, Associate (Hong Kong)


Investigation into a multinational bank's data disposal incident

The PDPC and the MAS have joined forces in an investigation against a multinational bank (Bank) following a recent report relating to the Bank's disposal of client documents. In June 2016 it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank's headquarters in Singapore.

The MAS is working closely with the PDPC to review the incident and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers' data.

New guides issued by the PDPC

To accompany its recent media release urging organisations to improve their data security measures, and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, securing personal data in electronic medium, and building websites for small to medium enterprises.

The PDPC has also updated its guide on the disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding content on withdrawal of consent and access requests. Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing their data handling practices.

Some interesting issues to note

The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third party contracts. Such data protection clauses should contain specific security measures; a schedule listing the authorised personnel who are permitted to access the personal data on a 'need to know' basis; a requirement for a written undertaking about the return or deletion of personal data; and a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.

The PDPC's guide on the disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).

This article was first published in August 2016. For further updates in relation to Singapore's data protection laws, please contact Scott Thiel (scott.thiel@dlapiper.com) or Carolyn Bigg (carolyn.bigg@dlapiper.com).


AUSTRALIA – TRADE MARKS – CHANGES TO OFFICIAL FEES

The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees, some of which are to align with practices in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.

Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there will no longer be a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptance/registration, the new process will hopefully reduce the administrative burden on applicants somewhat.

In addition, the AU$150 fee for opposing a removal application will be abolished. Renewal fees will also increase slightly.

This is an adjustment to official fees only at this time, and DLA Piper Australia is not increasing its fees for the relevant attendances.

HONG KONG'S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD

Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong's Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees use their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap 486) (the Ordinance) and the Data Protection Principles (DPPs).

The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices depending on whether the organisation's data is stored on the personal devices themselves or within a 'sandbox'. The Commissioner has suggested as best practice that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance.

The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding the use of personal data stored on the BYOD device, and whether adequate security measures are in place to ensure secure transfer and storage of personal data on the BYOD equipment (e.g. sandboxing, password protection and independent encryption).

The Information Leaflet also highlights that respect for personal data should be mutual under a BYOD scheme, and any practices implemented to manage employees' BYOD devices should respect the employees' private information.

For more information, the Information Leaflet is available here.

DLA Piper's Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more, please click here.

JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS

In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.

Where the supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, in order to seek a remedy (for example, damages) the supplier must follow the approach prescribed in the Bill. This is likely to be a two-step process. Firstly, the supplier must attempt to resolve the complaint with the procuring entity. Secondly, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.

The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year.

IPT INSIGHTS


WHAT'S ON

Wrap up: 5th Global Technology Summit

On September 27 and 28, DLA Piper's Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.

This year the Summit was divided into two distinct days of programming. The first day, called 'Garage2Global', was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from 'garage to global'. The second day, entitled 'TechLaw', provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.

Speaker Highlights

At 'Garage2Global', Alec Ross, former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day, Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world's largest networks, which powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates, Inc.

Kicking off 'TechLaw', Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions, and how the legal department is viewed as a business partner. During the afternoon sessions, Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, about the GC's role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world's largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.

Please visit our Summit website and blog for any further information.

DLA Piper is pleased to announce the launch of Telecommunications Laws of the World

Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.

Key features include:

telecommunications laws, regulations and policies

regulatory bodies or authorities

overview of consents, licences and authorisations

regulatory taxes and fees

key sanctions and penalties

Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-based stamping for trading transactions, robust, reliable and resilient networks are critical.

Today, telecommunications operators are increasingly seeking to expand customer-specific and value added services (such as combining connectivity with application services) to retain relevancy and protect against increasing margin erosion. At the same time, the growth of OTT (over-the-top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators' infrastructure to provide services.

Access Telecommunications Laws of the World here.


Intellectual property webinar series

Throughout 2016 DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact events.australia@dlapiper.com.

intellectual property issues in China

confidential information and trade secrets: global insights, global protection

grey market, parallel importation and anti-counterfeiting

content protection and digital piracy

advertising and marketing

Pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide

We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.

Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:

trademark filing and prosecution

oppositions

revocation, invalidation and cancellation

trademark enforcement

trademark exploitation

unregistered trademark rights

domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide, email APACTMGuide@dlapiper.com.

Are you an in-house lawyer? Join WIN today

WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.




GLOBAL PATENT LAWSAROUND THE WORLD

COmING SOON

global patern laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to business operating in the countries featured for example what acts infringe a patent the availability of and approach to granting preliminary injuctions the ability to obtain evidence the approach to assessing validity and the typical time to trial for companies operating in multiple countries managing the risk of and successfully bringing or defending patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions accordingly our guide also allows you to compare the laws and procedures of one country with that in other countries

DLA PIPERrsquoS PATENT GROUP

With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.

For further information, please contact us by email at patents@dlapiper.com.

Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and the procedural matters businesses need to know about. The handbook includes guidance on:

infringing conduct

defences to infringement

before taking action

patent validity

taking action

remedies

procedure & timing

Benefits of Global Patent Laws: patent laws simply put; global reach; easy access 24/7.


legality, propriety and necessity in their data handling and not be excessive; not provide an individual's personal information to others without the individual's consent; nor illegally sell an individual's personal data to others. The rules do not apply to truly anonymised data. There are also general obligations to keep user information confidential and to establish and maintain data protection systems. Data subject rights to correction of their data, as well as a right to request deletion of data in the event of a data breach, are also provided. While an earlier draft specifically provided protection to personal information of "citizens", the final law does not make this distinction and so seemingly offers broader protection to all personal information. These requirements formalise, as binding legal obligations, some data protection safeguards that were previously only perceived as best practice guidance in China.

As regards network security, network operators must fulfil certain tiered security obligations according to the requirements of the classified protection system for cybersecurity, which includes (amongst other things): formulating internal security management systems and operating instructions; appointing dedicated cybersecurity personnel; taking technological measures to prevent computer viruses and other similar threats and attacks; formulating plans to monitor and respond to network security incidents; retaining network logs for at least six months; undertaking prescribed data classification, back up, encryption and similar activities; complying with national and mandatory security standards; reporting incidents to users and the authorities; and establishing complaints systems.

Network operators must also provide technical support and assistance to state security bodies safeguarding national security and investigating crimes, and will be subject to government and public supervision. The form and extent of such cooperation is not currently clear, and international businesses have expressed concerns over the extent to which this may require them to disclose their IP, proprietary and confidential information to the Chinese authorities.

More general conditions on network operators carrying out business and service activities include obeying all laws and regulations, mandatory and industry national standards, social norms and commercial ethics; being honest and credible; and bearing social responsibility. There are also requirements on network operators to block, delete and report to the authorities prohibited information and malicious programs published or installed by users.

Network operators handling "network access and domain registration services" for users, including mobile phone and instant message service providers, are required to comply with "real identity" rules when signing up or providing service confirmation to users, or else may not provide the service.

Additional security safeguards apply to KIIOs, including security background checks on key managers, staff training obligations, disaster recovery back ups, emergency response planning and annual inspections and assessments. Further, strict procurement procedures will apply to KIIOs buying network products and services.

Providers of "network products and services" must comply with national and mandatory standards; their products and services must not contain malicious programs; they must take remedial action against security issues and report them to users and the relevant authorities; and they must provide security maintenance for their products and services, which cannot be terminated within the contract term agreed with customers. These new conditions will require providers of technology products and services to review and update their product and related maintenance offerings and, in particular, the contractual terms on which they are offered to customers.

Critical network equipment and specialised cybersecurity products must obtain government certification or meet prescribed safety inspection requirements before being sold or provided. This potentially catches a wide range of software, hardware and other technologies being sold, or proposed to be sold, by international companies in China, since the definitions used in the law are drafted very broadly. Further guidance, by way of a catalogue of key network products, is expected in due course. There are concerns that this may create barriers to international businesses looking to enter the Chinese market.


Each individual and organisation shall be responsible for its own use of websites and may not set up websites or communication groups for the purpose of committing fraud, imparting criminal methods, producing or selling prohibited items or engaging in other unlawful activities. Again, there is scope for this to be interpreted and applied broadly.

Institutions, organisations and individuals outside China that cause serious consequences by attacking, interfering with or destroying key information infrastructure of China shall be responsible for any damage, and the relevant public security department of the State Council may freeze assets and impose other sanctions against them. While these provisions would appear to have an extra-territorial effect and could be interpreted very broadly, it is unclear what sanctions could in practice be enforced against organisations without a presence in China.

Other new rules relate to network/online protections for minors; the establishment of schemes for network security monitoring, early warning and breach notification to the relevant authorities and the public; rights for individuals and organisations to report conduct endangering network security; the opening of public data resources; and prohibitions on hacking and supporting activities.

While criminal sanctions, administrative penalties and civil liabilities potentially await those (both organisations and, in some circumstances, individual employees and officers) who violate the new law, unfortunately great uncertainties remain as to how the new legislation will be enforced, who exactly is caught by the various new rules and the precise steps that organisations must take to comply with them. It is hoped that the Chinese authorities will publish more detailed practical guidance in the coming months. In the meantime, organisations are strongly advised to review their data privacy and cybersecurity practices in China to ensure compliance with the new law before it comes into force on 1 June 2017, and to keep these under review as further guidance becomes available.


The China State Administration of Industry and Commerce's Online Advertising Regulation (Regulation) came into force on September 1, 2016. The Regulation has been widely regarded as the response to a recent scandal regarding paid search results.

Earlier this year, a promising college student in China, Wei Ze Xi, sought cancer treatment at a hospital which was returned as a paid search result on an internet search engine. The hospital promised that the treatment would be effective and charged Wei US$30,000. The treatment was later found to be ineffective, but Wei could not then afford further

The changes

The newly amended Advertising Law did not expressly address the regulation of 'paid search results', but the new Regulation includes a specific definition of paid search results which sees them classified as an internet advertisement and thus subject to the Advertising Law. As such, the Regulation means, inter alia, that paid search results:

must not be misleading

cannot be used in relation to the advertisement of prescription medication and tobacco products

cannot be used in relation to the advertisement of medical services, medicine, medical formula food, medical devices, pesticides, veterinary medicines and health care products unless the relevant products and services have been previously approved by the relevant authorities; and

must be able to be closed with 'one click' and must not interfere with a user's internet experience.

The Regulation also requires online advertising service providers to establish internal systems for, inter alia, identifying clients who use paid search results and storing their details and advertisements.

Practical implications

The new Regulation affects not only search engine providers but all online advertising businesses and users of paid search results.

Businesses advertising in China using paid search results must check to ensure such paid search results are in compliance with the Advertising Law, and those businesses operating in any of the restricted fields listed above must now ensure prior approval is sought before placing a paid search result advertisement.

Our team of lawyers in China is ready to advise you on the preparations you need to make for the implementation of the Regulation.

STRICTER PRC ONLINE ADVERTISING REGULATION IN RESPONSE TO SEARCH SCANDAL

By Edward Chatterton, Partner (Hong Kong), Horace Lam, Partner (Beijing) and Ian Jebbit, Registered Foreign Lawyer (Hong Kong)


MOBILE APPS UNDER CLOSE WATCH OF THE HONG KONG PRIVACY COMMISSIONER

By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong)

The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps. On 21 April 2016 the Office of the Privacy Commissioner for Personal Data (the PCPD) held the 'Mobile App Development Forum on Privacy and Security' (Forum) for the mobile app industry, which discussed key issues for mobile app developers, businesses and stakeholders to consider when developing and operating mobile apps, in terms of ensuring compliance with the provisions of the Personal Data (Privacy) Ordinance and safeguarding users from cybersecurity risks.

Businesses operating in the mobile app industry and related stakeholders are advised to take note of the key points raised at the Forum, and the related issues that they should consider, set out below.

Lessons to learn from mobile apps in the market

The Privacy Commissioner highlighted the results of a recent survey on popular mobile apps developed by Hong Kong entities, which revealed a lack of transparency in the personal data handling of the apps. The survey results revealed that most of these local apps did not explain clearly what data they would access and the purposes for such access, and that only around half of these mobile apps provided a privacy policy.

A key risk discussed at the Forum was that the drafter of the privacy policies may not have a complete understanding of what data is in fact collected, stored, used and/or shared by the app, for example where third-party code is used in the app development. Businesses using one privacy policy for all of their mobile apps, which differ greatly in the way users' data are handled, also run the risk of having imprecise privacy policies for individual apps.

Security remains a key concern in relation to personal data collected and handled by mobile apps. It was revealed at the Forum that, alarmingly, some extremely popular mobile apps failed to apply adequate security to safeguard users' personal data.

Enforcement risks for mobile apps

At the Forum the Privacy Commissioner referred to enforcement actions that were taken against mobile apps recently, largely due to excessive data collection and inadequate security of personal data.

In recent years the Privacy Commissioner has served enforcement notices on operators of mobile apps as well as related parties to the app operators. As a result, the relevant companies have taken corrective actions and, in some instances, the Privacy Commissioner's enforcement action attracted much media attention, and some of these mobile apps are no longer available in the market.

However, there is a limit to the Privacy Commissioner's enforcement powers, as demonstrated by a high-profile incident in November 2016 regarding call-blocking apps whose activities were suspected by the PCPD to contravene Hong Kong's data privacy law. As the apps' operators were located outside Hong Kong, the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow up action.

It is most likely that the privacy compliance of mobile apps will continue to be under the close watch of the Privacy Commissioner in the coming months.

Privacy by Design

The Chief Personal Data Officer of the PCPD, Dr Henry Chang, highlighted the 'Privacy by Design' approach that businesses should adopt, which brings privacy to the foreground and embeds privacy from the outset into the design specifications and throughout the entire development life cycle of a mobile app. Set out below are key factors that should be considered.

Data minimisation: The collection of personal data should be reduced to the absolute minimum, especially where sensitive personal data is involved. An assessment of what data the business requires from users, in terms of access and collection, should be undertaken at the outset.

Surprise minimisation: Businesses should ensure there is transparency to users in terms of what data will be collected or accessed, and provide users with a choice to opt out from such access or use where possible. It is important for businesses to manage the expectations of users and eliminate or minimise any possible adverse effects of data collection and use.

Risk minimisation: Businesses must ensure adequate protection of data being transmitted and/or stored, for example through encryption and access control.

Trust and respect: To earn the trust and respect of users, it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects, even if it does not amount to personal data. This is key, as mobile devices contain a vast amount of personal data and other data that may be considered private, and users would be concerned about whether the mobile app accesses or collects any of this data.

In particular, businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users, rather than a compliance hurdle to avoid investigation or enforcement action by the Privacy Commissioner. Businesses should ensure that the data collection and handling practices in respect of their mobile apps are not only compliant with the law, but that the privacy policies and privacy notifications and consents are sufficiently clear and transparent to gain the trust and respect of users.


Singapore's Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC has published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident with the Monetary Authority of Singapore (MAS) concerning a multinational bank. The PDPC has also recently announced the need for organisations to improve their data security and data protection measures, and has issued new guides, primarily focusing on data protection measures, which organisations should consider carefully.

Recent enforcement decisions

Some of the key points to note from the three recent enforcement decisions:

A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.

A document processing company was fined SGD 5,000 for a data breach after 195 individuals received account statements of other account holders held on the Singapore Exchange.

A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (being the policy holder's chiropractor) in order to obtain further medical information about the policy holder in September 2015. The PDPC found that the disclosure of the policy holder's bank account details, being of a sensitive financial nature, was not for a reasonable purpose.

It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of 'sensitive personal data' requiring additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.

As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were a result of inadequate data security measures which led to unauthorised disclosure of personal data.

SINGAPORE'S ENFORCEMENT OF DATA PROTECTION LAW ON THE RISE

By Scott Thiel, Partner, Carolyn Bigg, Of Counsel, and Amy Kong, Associate (Hong Kong)


Investigation on a multinational bank's data disposal incident

The PDPC and the MAS have joined forces in an investigation against a multinational bank (Bank) following a recent report relating to the Bank's disposal of client documents. In June 2016 it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank's headquarters in Singapore.

The MAS is working closely with the PDPC to review the incident, and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers' data.

New guides issued by the PDPC

To accompany its recent media release urging organisations to improve their data security measures, and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, securing personal data in electronic medium, and building websites for small to medium enterprises.

The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding content on withdrawal of consent and access requests. Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing their data handling practices.

Some interesting issues to note

The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third party contracts. Such data protection clauses should contain specific security measures; a schedule containing the authorised personnel who are permitted to access the personal data on a 'need to know' basis; a requirement for a written undertaking about return or deletion of personal data; as well as a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.

The PDPC's guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).

This article was first published in August 2016. For further updates in relation to Singapore's data protection laws, please contact Scott Thiel (scott.thiel@dlapiper.com) or Carolyn Bigg (carolyn.bigg@dlapiper.com).


AUSTRALIA – TRADE MARKS – CHANGES TO OFFICIAL FEES

The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees, some of which are to align with practices in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.

Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there will no longer be a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptance/registration, the new process will hopefully reduce the administrative burden on applicants somewhat.

In addition, the AU$150 fee for opposing a removal application will be abolished. Renewal fees will also increase slightly.

This is an adjustment to official fees only at this time, and DLA Piper Australia is not increasing its fees for the relevant attendances.

HONG KONG'S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD

Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong's Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees are using their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap 486) (the Ordinance) and the Data Protection Principles (DPPs).

The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices depending on whether the organisation's data is stored on the personal devices or within a 'sandbox'. The Commissioner has suggested as best practice that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance.

The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding use of personal data stored in the BYOD device, and whether adequate security measures are in place to ensure secure transfer and storage of personal data in the BYOD equipment (e.g. sandboxing, password protection and independent encryption).

The Information Leaflet also highlights that respect for personal data should be mutual under the BYOD scheme, and any practices implemented to manage employees' BYOD devices should respect the employees' private information.

For more information, the Information Leaflet is available here.

DLA Piper's Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more, please click here.

JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS

In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.

Where the supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, in order to seek a remedy (for example, damages) the supplier must follow the approach prescribed in the Bill. This is likely to be a two-step process. Firstly, the supplier must attempt to resolve the complaint with the procuring entity. Secondly, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.

The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year.

IPT INSIGHTS


WHAT'S ON

Wrap up: 5th Global Technology Summit

On September 27 and 28, DLA Piper's Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.

This year the Summit was divided into two distinct days of programming. The first day, called 'Garage2Global', was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from 'garage to global'. The second day, entitled 'TechLaw', provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.

Speaker Highlights

At 'Garage2Global', Alec Ross, Former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day, Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world's largest networks, which powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates, Inc.

Kicking off 'TechLaw', Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions, and how the legal department is viewed as a business partner. During the afternoon sessions, Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, to discuss the GC's role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world's largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.

Please visit our Summit website and blog for any further information.

DLA Piper is pleased to announce the launch of Telecommunications Laws of the World.

Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.

Key features include:

telecommunications laws, regulations and policies

regulatory bodies or authorities

overview of consents, licences and authorisations

regulatory taxes and fees

key sanctions and penalties

Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-based stamping for trading transactions, robust, reliable and resilient networks are critical.

Today, telecommunications operators are increasingly seeking to expand customer-specific and value added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion. At the same time, the growth of OTT (over the top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators' infrastructure to provide services.

Access Telecommunications Laws of the World here.


Intellectual property webinar series

Throughout 2016 DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact eventsaustralia@dlapiper.com.

intellectual property issues in China

confidential information and trade secrets: global insights, global protection

grey market, parallel importation and anti-counterfeiting

content protection and digital piracy

advertising and marketing

Pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide

We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.

Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:

trademark filing and prosecution

oppositions

revocation, invalidation and cancellation

trademark enforcement

trademark exploitation

unregistered trademark rights

domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide, email APACTMGuide@dlapiper.com.

Are you an in-house lawyer? Join WIN today


global patent laws is a comparative reference guide on patent laws providing business insight on critical patent laws around the world and procedural matters businesses need to know about the handbook includes guidance on

Benefits of global patent laws

patent laws simply put global reach easy access 247

infringing Conduct

defences to infringement

Before taking action

patent validity

taking action

remedies

procedure amp timing

  1. Button 19
Page 18: INTELLECTUAL PROPERTY AND TECHNOLOGY NEWS › ~ › media › Files › Insights › ... · Being able to demonstrate a sophisticated and comprehensive approach to cyber security,

Each individual and organisation shall be responsible for its own use of websites, and may not set up websites or communication groups for the purpose of committing fraud, imparting criminal methods, producing or selling prohibited items, or engaging in other unlawful activities. Again, there is scope for this to be interpreted and applied broadly.

Institutions, organisations and individuals outside China that cause serious consequences by attacking, interfering with or destroying key information infrastructure of China shall be responsible for any damage, and the relevant public security department of the State Council may freeze assets and impose other sanctions against them. While these provisions would appear to have an extra-territorial effect and could be interpreted very broadly, it is unclear what sanctions could in practice be enforced against organisations without a presence in China.

Other new rules relate to network/online protections for minors; the establishment of schemes for network security monitoring, early warning and breach notification to relevant authorities and the public; rights for individuals and organisations to report conduct endangering network security; the opening of public data resources; and prohibitions on hacking and supporting activities.

While criminal sanctions, administrative penalties and civil liabilities potentially await those (both organisations and, in some circumstances, individual employees and officers) who violate the new law, unfortunately great uncertainties remain as to how the new legislation will be enforced, who exactly is caught by the various new rules, and the precise steps that organisations must take to comply with them. It is hoped that the Chinese authorities will publish more detailed practical guidance in the coming months. In the meantime, organisations are strongly advised to review their data privacy and cybersecurity practices in China to ensure compliance with the new law before it comes into force on 1 June 2017, and to keep these under review as further guidance becomes available.

STRICTER PRC ONLINE ADVERTISING REGULATION IN RESPONSE TO SEARCH SCANDAL

By Edward Chatterton, Partner (Hong Kong), Horace Lam, Partner (Beijing) and Ian Jebbit, Registered Foreign Lawyer (Hong Kong)

The China State Administration of Industry and Commerce's Online Advertising Regulation (Regulation) came into force on September 1, 2016. The Regulation has been widely regarded as the response to a recent scandal regarding paid search results.

Earlier this year a promising college student in China, Wei Ze Xi, sought cancer treatment at a hospital which was returned as a paid search result on an internet search engine. The hospital promised that the treatment would be effective and charged Wei US$30,000. The treatment was later found to be ineffective, but Wei could not then afford further

The changes

The newly amended Advertising Law did not expressly address the regulation of 'paid search results', but the new Regulation includes a specific definition of paid search results which sees them classified as an internet advertisement and thus subject to the Advertising Law. As such, the Regulation means, inter alia, that paid search results:

must not be misleading;

cannot be used in relation to the advertisement of prescription medication and tobacco products;

cannot be used in relation to the advertisement of medical services, medicine, medical formula food, medical devices, pesticides, veterinary medicines and health care products unless the relevant products and services have been previously approved by the relevant authorities; and

must be able to be closed with 'one click' and must not interfere with a user's internet experience.

The Regulation also requires online advertising service providers to establish internal systems for, inter alia, identifying clients who use paid search results and storing their details and advertisements.

Practical implications

The new Regulation affects not only search engine providers but all online advertising businesses and users of paid search results.

Businesses advertising in China using paid search results must check to ensure such paid search results are in compliance with the Advertising Law, and those businesses operating in any of the restricted fields listed above must now ensure prior approval is sought before placing a paid search result advertisement.

Our team of lawyers in China is ready to advise you on the preparations you need to make for the implementation of the Regulation.

MOBILE APPS UNDER CLOSE WATCH OF THE HONG KONG PRIVACY COMMISSIONER

By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong)

The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps. On 21 April 2016 the Office of the Privacy Commissioner for Personal Data (the PCPD) held the 'Mobile App Development Forum on Privacy and Security' (Forum) for the mobile app industry, which discussed key issues for mobile app developers, businesses and stakeholders to consider when developing and operating mobile apps, in terms of ensuring compliance with the provisions of the Personal Data (Privacy) Ordinance and safeguarding users from cybersecurity risks.

Businesses operating in the mobile app industry and related stakeholders are advised to take note of the key points raised at the Forum, and the related issues they should consider, set out below.

Lessons to learn from mobile apps in the market

The Privacy Commissioner highlighted the results of a recent survey on popular mobile apps developed by Hong Kong entities, which revealed a lack of transparency in the personal data handling of the apps. The survey results revealed that most of these local apps did not explain clearly what data they would access and the purposes for such access, and that only around half of these mobile apps provided a privacy policy.

A key risk discussed at the Forum was that the drafter of the privacy policies may not have a complete understanding of what data is in fact collected, stored, used and/or shared by the app, for example where third party code is used in the app development. Businesses using one privacy policy for all of their mobile apps, which differ greatly in the way users' data are handled, also run the risk of having imprecise privacy policies for individual apps.

Security remains a key concern in relation to personal data collected and handled by mobile apps. It was revealed at the Forum that, alarmingly, some extremely popular mobile apps failed to apply adequate security to safeguard users' personal data.

Enforcement risks for mobile apps

At the Forum the Privacy Commissioner referred to enforcement actions that were taken against mobile apps recently, largely due to excessive data collection and inadequate security of personal data.

In recent years the Privacy Commissioner has served enforcement notices on operators of mobile apps as well as related parties to the app operators. As a result the relevant companies have taken corrective actions and, in some instances, the Privacy Commissioner's enforcement action attracted much media attention, and some of these mobile apps are no longer available in the market.

However, there is a limit to the Privacy Commissioner's enforcement powers, as demonstrated by a high profile incident in November 2016 regarding call-blocking apps whose activities were suspected by the PCPD to contravene Hong Kong's data privacy law. As the apps' operators were located outside Hong Kong, the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow-up action.

It is most likely that the privacy compliance of mobile apps will continue to be under the close watch of the Privacy Commissioner in the coming months.

Privacy by Design

The Chief Personal Data Officer of the PCPD, Dr Henry Chang, highlighted the 'Privacy by Design' approach that businesses should adopt, which brings privacy to the foreground and embeds privacy from the outset into the design specifications and throughout the entire development life cycle of a mobile app. Set out below are key factors that should be considered.

Data minimisation – The collection of personal data should be reduced to the absolute minimum, especially where sensitive personal data is involved. An assessment of what data the business requires from users, in terms of access and collection, should be undertaken at the outset.

Surprise minimisation – Businesses should ensure there is transparency to users in terms of what data will be collected or accessed, and provide users with a choice to opt out from such access or use where possible. It is important for businesses to manage the expectations of users and eliminate or minimise any possible adverse effects of data collection and use.

Risk minimisation – Businesses must ensure adequate protection of data being transmitted and/or stored, for example through encryption and access control.

Trust and respect – To earn the trust and respect of users, it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects, even if it does not amount to personal data. This is key, as mobile devices contain a vast amount of personal data and other data that may be considered private, and users would be concerned about whether the mobile app accesses or collects any of this data.

In particular, businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users, rather than a compliance hurdle to avoid investigation or enforcement action by the Privacy Commissioner. Businesses should ensure the data collection and handling practices in respect of their mobile apps are not only compliant with the law, but that the privacy policies, privacy notifications and consents are sufficiently clear and transparent to gain the trust and respect of users.

SINGAPORE'S ENFORCEMENT OF DATA PROTECTION LAW ON THE RISE

By Scott Thiel, Partner, Carolyn Bigg, Of Counsel, and Amy Kong, Associate (Hong Kong)

Singapore's Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC has published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident with the Monetary Authority of Singapore (MAS) concerning a multinational bank. The PDPC has also recently announced the need for organisations to improve their data security and data protection measures, and has issued new guides, primarily focusing on data protection measures, which organisations should consider carefully.

Recent enforcement decisions

Some of the key points to note from the three recent enforcement decisions:

A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.

A document processing company was fined SGD 5,000 for a data breach after 195 individuals received account statements of other account holders held on the Singapore Exchange.

A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (being the policy holder's chiropractor) to obtain further medical information about the policy holder in September 2015. The PDPC found that the disclosure of the policy holder's bank account details, being of a sensitive financial nature, was not for a reasonable purpose.

It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of 'sensitive personal data' which requires additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.

As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were a result of inadequate data security measures which led to unauthorised disclosure of personal data.

Investigation on a multinational bank's data disposal incident

The PDPC and the MAS have joined forces in an investigation against a multinational bank (Bank) following a recent report relating to the Bank's disposal of client documents. In June 2016 it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank's headquarters in Singapore.

The MAS is working closely with the PDPC to review the incident and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers' data.

New guides issued by the PDPC

To accompany its recent media release urging organisations to improve their data security measures, and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, securing personal data in electronic medium, and building websites for small to medium enterprises.

The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding content on withdrawal of consent and access requests. Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing their data handling practices.

Some interesting issues to note

The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third party contracts. Such data protection clauses should contain specific security measures; a schedule listing the authorised personnel who are permitted to access the personal data on a 'need to know' basis; a requirement for a written undertaking about return or deletion of personal data; as well as a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.

The PDPC's guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).

This article was first published in August 2016. For further updates in relation to Singapore's data protection laws, please contact Scott Thiel (scott.thiel@dlapiper.com) or Carolyn Bigg (carolyn.bigg@dlapiper.com).

IPT INSIGHTS

AUSTRALIA – TRADE MARKS – CHANGES TO OFFICIAL FEES

The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees, some of which are to align with practices in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.

Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there will no longer be a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptance/registration, the new process will hopefully reduce the administrative burden on applicants somewhat.

In addition, the AU$150 fee for opposing a removal application will be abolished. Renewal fees will also increase slightly.

This is an adjustment to official fees only at this time, and DLA Piper Australia is not increasing its fees for the relevant attendances.

HONG KONG'S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD

Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong's Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees are using their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap 486) (the Ordinance) and the Data Protection Principles (DPPs).

The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment, and the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices depending on whether the organisation's data is stored on the personal devices or within a 'sandbox'. The Commissioner has suggested as best practice that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly, to ensure appropriate data privacy and data security compliance.

The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding use of personal data stored in the BYOD device, and whether adequate security measures are in place to ensure secure transfer and storage of personal data in the BYOD equipment (eg sandboxing, password protection and independent encryption).

The Information Leaflet also highlights that respect for personal data should be mutual under the BYOD scheme, and any practices implemented to manage employees' BYOD devices should respect the employees' private information.

For more information, the Information Leaflet is available here.

DLA Piper's Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more, please click here.

JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS

In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.

Where the supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, in order to seek a remedy (for example, damages) the supplier must follow the approach prescribed in the Bill. This is likely to be a two-step process. Firstly, the supplier must attempt to resolve the complaint with the procuring entity. Secondly, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.

The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year.

WHAT'S ON

Wrap-up: 5th Global Technology Summit

On September 27 and 28, DLA Piper's Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.

This year the Summit was divided into two distinct days of programming. The first day, called 'Garage2Global', was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from 'garage to global'. The second day, entitled 'TechLaw', provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.

Speaker Highlights

At 'Garage2Global', Alec Ross, Former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day, Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world's largest networks, which powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates, Inc.

Kicking off 'TechLaw', Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions, and how the legal department is viewed as a business partner. During the afternoon sessions, Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, to discuss the GC's role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world's largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.

Please visit our Summit website and blog for any further information.

DLA Piper is pleased to announce the launch of Telecommunications Laws of the World

Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.

Key features include:

telecommunications laws, regulations and policies

regulatory bodies or authorities

overview of consents, licenses and authorisations

regulatory taxes and fees

key sanctions and penalties

Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-based stamping for trading transactions, robust, reliable and resilient networks are critical.

Today, telecommunications operators are increasingly seeking to expand customer-specific and value added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion. At the same time, the growth of OTT (over the top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators' infrastructure to provide services.

Access Telecommunications Laws of the World here.

Intellectual property webinar series

Throughout 2016 DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact eventsaustralia@dlapiper.com.

intellectual property issues in China

confidential information and trade secrets: global insights, global protection

grey market, parallel importation and anti-counterfeiting

content protection and digital piracy

advertising and marketing

Pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide

We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.

Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:

trademark filing and prosecution

oppositions

revocation, invalidation and cancellation

trademark enforcement

trademark exploitation

unregistered trademark rights

domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide, email APACTMGuide@dlapiper.com.

Are you an in-house lawyer? Join WIN today

WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.

DLA PIPER ASIA PACIFIC TRADEMARK GUIDE 2016

Pre-order your complimentary copy now

We are pleased to bring you the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.

Relevant for the complete brand life cycle, this user-friendly guide looks at such essential issues as:

trademark filing and prosecution

oppositions

revocation, invalidation and cancellation

trademark enforcement

trademark exploitation

unregistered trademark rights

domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piper's Asia Pacific Trademark Guide, please complete this card or email us at APACTMGuide@dlapiper.com.

GLOBAL PATENT LAWS AROUND THE WORLD

COMING SOON

Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to businesses operating in the countries featured: for example, what acts infringe a patent, the availability of and approach to granting preliminary injunctions, the ability to obtain evidence, the approach to assessing validity, and the typical time to trial. For companies operating in multiple countries, managing the risk of, and successfully bringing or defending, patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those in other countries.

Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and procedural matters businesses need to know about. The handbook includes guidance on:

infringing conduct

defences to infringement

before taking action

patent validity

taking action

remedies

procedure & timing

Benefits of Global Patent Laws

Patent laws, simply put. Global reach. Easy access, 24/7.

DLA PIPER'S PATENT GROUP

With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.

For further information, please contact us by email at patents@dlapiper.com.
Page 19: INTELLECTUAL PROPERTY AND TECHNOLOGY NEWS › ~ › media › Files › Insights › ... · Being able to demonstrate a sophisticated and comprehensive approach to cyber security,

STRICTER PRC ONLINE ADVERTISING REGULATION IN RESPONSE TO SEARCH SCANDAL

By Edward Chatterton, Partner (Hong Kong), Horace Lam, Partner (Beijing), and Ian Jebbit, Registered Foreign Lawyer (Hong Kong)

The China State Administration of Industry and Commerce's Online Advertising Regulation (Regulation) came into force on September 1, 2016. The Regulation has been widely regarded as the response to a recent scandal regarding paid search results.

Earlier this year, a promising college student in China, Wei Ze Xi, sought cancer treatment at a hospital which was returned as a paid search result on an internet search engine. The hospital promised that the treatment would be effective and charged Wei US$30,000. The treatment was later found to be ineffective, but Wei could not then afford further

The changes

The newly amended Advertising Law did not expressly address the regulation of 'paid search results', but the new Regulation includes a specific definition of paid search results which sees them classified as an internet advertisement and thus subject to the Advertising Law. As such, the Regulation means, inter alia, that paid search results:

must not be misleading;

cannot be used in relation to the advertisement of prescription medication and tobacco products;

cannot be used in relation to the advertisement of medical services, medicine, medical formula food, medical devices, pesticides, veterinary medicines and health care products unless the relevant products and services have been previously approved by the relevant authorities; and

must be able to be closed with 'one click' and must not interfere with a user's internet experience.

The Regulation also requires online advertising service providers to establish internal systems for, inter alia, identifying clients who use paid search results and storing their details and advertisements.

Practical implications

The new Regulation affects not only search engine providers but all online advertising businesses and users of paid search results.

Businesses advertising in China using paid search results must check to ensure such paid search results are in compliance with the Advertising Law, and those businesses operating in any of the restricted fields listed above must now ensure prior approval is sought before placing a paid search result advertisement.

Our team of lawyers in China is ready to advise you on the preparations you need to make for the implementation of the Regulation.

www.dlapiper.com | 19

MOBILE APPS UNDER CLOSE WATCH OF THE HONG KONG PRIVACY COMMISSIONER

By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong)

The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps. On 21 April 2016 the Office of the Privacy Commissioner for Personal Data (the PCPD) held the 'Mobile App Development Forum on Privacy and Security' (Forum) for the mobile app industry, which discussed key issues for mobile app developers, businesses and stakeholders to consider when developing and operating mobile apps, in terms of ensuring compliance with the provisions of the Personal Data (Privacy) Ordinance and safeguarding users from cybersecurity risks.

Businesses operating in the mobile app industry and related stakeholders are advised to take note of the key points raised at the Forum set out below, and the related issues that they should consider.

Lessons to learn from mobile apps in the market

The Privacy Commissioner highlighted the results of a recent survey on popular mobile apps developed by Hong Kong entities, which revealed a lack of transparency in the handling of personal data by the apps. The survey results showed that most of these local apps did not explain clearly what data they would access and the purposes for such access, and that only around half of these mobile apps provided a privacy policy.

A key risk discussed at the Forum was that the drafter of a privacy policy may not have a complete understanding of what data is in fact collected, stored, used and/or shared by the app, for example where third-party code is used in the app's development. Businesses using one privacy policy for all of their mobile apps, which may differ greatly in the way users' data are handled, also run the risk of having imprecise privacy policies for individual apps.

Security remains a key concern in relation to personal data collected and handled by mobile apps. It was revealed at the Forum that, alarmingly, some extremely popular mobile apps failed to apply adequate security to safeguard users' personal data.

Enforcement risks for mobile apps

At the Forum the Privacy Commissioner referred to enforcement actions taken recently against mobile apps, largely due to excessive data collection and inadequate security of personal data.

In recent years the Privacy Commissioner has served enforcement notices on operators of mobile apps as well as parties related to the app operators. As a result the relevant companies have taken corrective actions, and in some instances the Privacy Commissioner's enforcement action attracted much media attention, and some of these mobile apps are no longer available in the market.

However, there is a limit to the Privacy Commissioner's enforcement powers, as demonstrated by a high-profile incident in November 2016 regarding call-blocking apps whose activities were suspected by the PCPD to contravene Hong Kong's data privacy law. As the apps' operators were located outside Hong Kong, the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow-up action.

It is most likely that the privacy compliance of mobile apps will continue to be under the close watch of the Privacy Commissioner in the coming months.

Privacy by Design

The Chief Personal Data Officer of the PCPD, Dr Henry Chang, highlighted the 'Privacy by Design' approach that businesses should adopt, which brings privacy to the foreground and embeds privacy from the outset into the design specifications and throughout the entire development life cycle of a mobile app. Set out below are key factors that should be considered.

Data minimisation – The collection of personal data should be reduced to the absolute minimum, especially where sensitive personal data is involved. An assessment of what data the business requires from users, in terms of access and collection, should be undertaken at the outset.

Surprise minimisation – Businesses should ensure there is transparency to users in terms of what data will be collected or accessed, and provide users with a choice to opt out from such access or use where possible. It is important for businesses to manage the expectations of users and eliminate or minimise any possible adverse effects of data collection and use.

Risk minimisation – Businesses must ensure adequate protection of data being transmitted and/or stored, for example through encryption and access control.

Trust and respect – To earn the trust and respect of users, it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects, even if it does not amount to personal data. This is key, as mobile devices contain a vast amount of personal data and other data that may be considered private, and users would be concerned about whether the mobile app accesses or collects any of this data.

In particular, businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users, rather than a compliance hurdle to avoid investigation or enforcement action by the Privacy Commissioner. Businesses should ensure the data collection and handling practices in respect of their mobile apps are not only compliant with the law, but also that the privacy policies, privacy notifications and consents are sufficiently clear and transparent to gain the trust and respect of users.

SINGAPORE'S ENFORCEMENT OF DATA PROTECTION LAW ON THE RISE

By Scott Thiel, Partner, Carolyn Bigg, Of Counsel, and Amy Kong, Associate (Hong Kong)

Singapore's Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident with the Monetary Authority of Singapore (MAS) concerning a multinational bank. The PDPC has also recently announced the need for organisations to improve their data security and data protection measures, and has issued new guides, primarily focusing on data protection measures, which organisations should consider carefully.

Recent enforcement decisions

Some of the key points to note from the three recent enforcement decisions:

A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.

A document processing company was fined SGD 5,000 for a data breach after 195 individuals received account statements of other account holders held on the Singapore Exchange.

A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (the policy holder's chiropractor) in order to obtain further medical information about the policy holder in September 2015. The PDPC found that the disclosure of the policy holder's bank account details, being of a sensitive financial nature, was not for a reasonable purpose.

It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of 'sensitive personal data' requiring additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.

As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were a result of inadequate data security measures which led to unauthorised disclosure of personal data.

Investigation on a multinational bank's data disposal incident

The PDPC and the MAS have joined forces in an investigation against a multinational bank (Bank) following a recent report relating to the Bank's disposal of client documents. In June 2016 it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank's headquarters in Singapore.

The MAS is working closely with the PDPC to review the incident and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers' data.

New guides issued by the PDPC

To accompany its recent media release urging organisations to improve their data security measures, and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, securing personal data in electronic medium, and building websites for small to medium enterprises.

The PDPC has also updated its guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding content on withdrawal of consent and access requests. Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing their data handling practices.

Some interesting issues to note

The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third-party contracts. Such data protection clauses should contain specific security measures, a schedule listing the authorised personnel who are permitted to access the personal data on a 'need to know' basis, a requirement for a written undertaking about the return or deletion of personal data, as well as a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.

The PDPC's guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).

This article was first published in August 2016. For further updates in relation to Singapore's data protection laws, please contact Scott Thiel (scott.thiel@dlapiper.com) or Carolyn Bigg (carolyn.bigg@dlapiper.com).

IPT INSIGHTS

AUSTRALIA – TRADE MARKS – CHANGES TO OFFICIAL FEES

The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees, some of which are intended to align with practices in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.

Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there will no longer be a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptance/registration, the new process will hopefully reduce the administrative burden on applicants somewhat.

In addition, the AU$150 fee for opposing a removal application will be abolished. Renewal fees will also increase slightly.

This is an adjustment to official fees only at this time, and DLA Piper Australia is not increasing its fees for the relevant attendances.

HONG KONG'S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD

Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong's Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees use their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap. 486) (the Ordinance) and the Data Protection Principles (DPPs).

The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and to the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices depending on whether the organisation's data is stored on the personal devices or within a 'sandbox'. The Commissioner has suggested as best practice that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance.

The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding use of personal data stored in the BYOD device, and whether adequate security measures are in place to ensure secure transfer and storage of personal data in the BYOD equipment (eg sandboxing, password protection and independent encryption).

The Information Leaflet also highlights that respect for personal data should be mutual under the BYOD scheme, and any practices implemented to manage employees' BYOD devices should respect the employees' private information.

For more information, the Information Leaflet is available here.

DLA Piper's Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more, please click here.

JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS

In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.

Where the supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, in order to seek a remedy (for example, damages) the supplier must follow the approach prescribed in the Bill. This is likely to be a two-step process. Firstly, the supplier must attempt to resolve the complaint with the procuring entity. Secondly, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.

The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year.

WHAT'S ON

Wrap up: 5th Global Technology Summit

On September 27 and 28, DLA Piper's Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.

This year the Summit was divided into two distinct days of programming. The first day, called 'Garage2Global', was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from 'garage to global'. The second day, entitled 'TechLaw', provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.

Speaker Highlights

At 'Garage2Global', Alec Ross, Former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day, Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world's largest networks, which powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates, Inc.

Kicking off 'TechLaw', Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions, and how the legal department is viewed as a business partner. During the afternoon sessions, Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, to discuss the GC's role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world's largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.

Please visit our Summit website and blog for any further information.

DLA Piper is pleased to announce the launch of Telecommunications Laws of the World

Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.

Key features include:

telecommunications laws, regulations and policies

regulatory bodies or authorities

overview of consents, licenses and authorisations

regulatory taxes and fees

key sanctions and penalties

Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-based stamping for trading transactions, robust, reliable and resilient networks are critical.

Today, telecommunications operators are increasingly seeking to expand customer-specific and value-added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion. At the same time, the growth of OTT (over the top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators' infrastructure to provide services.

Access Telecommunications Laws of the World here.

Intellectual property webinar series

Throughout 2016 DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact events.australia@dlapiper.com.

intellectual property issues in China

confidential information and trade secrets: global insights, global protection

grey market, parallel importation and anti-counterfeiting

content protection and digital piracy

advertising and marketing

Pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide

We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.

Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:

trademark filing and prosecution

oppositions

revocation, invalidation and cancellation

trademark enforcement

trademark exploitation

unregistered trademark rights

domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide, email APACTMGuide@dlapiper.com.

Are you an in-house lawyer? Join WIN today

WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.

DLA PIPER ASIA PACIFIC TRADEMARK GUIDE 2016

Pre-order your complimentary copy now

We are pleased to bring you the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.

Relevant for the complete brand life cycle, this user-friendly guide looks at such essential issues as:

trademark filing and prosecution

oppositions

revocation, invalidation and cancellation

trademark enforcement

trademark exploitation

unregistered trademark rights

domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piper's Asia Pacific Trademark Guide, please complete this card or email us at APACTMGuide@dlapiper.com.

GLOBAL PATENT LAWS AROUND THE WORLD

COMING SOON

Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to businesses operating in the countries featured, for example: what acts infringe a patent; the availability of, and approach to granting, preliminary injunctions; the ability to obtain evidence; the approach to assessing validity; and the typical time to trial. For companies operating in multiple countries, managing the risk of, and successfully bringing or defending, patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those of other countries.

DLA PIPER'S PATENT GROUP

With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.

For further information, please contact us by email at patents@dlapiper.com.

Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and procedural matters businesses need to know about. The handbook includes guidance on:

infringing conduct

defences to infringement

before taking action

patent validity

taking action

remedies

procedure & timing

Benefits of Global Patent Laws

Patent laws, simply put. Global reach. Easy access 24/7.
  1. Button 19
Page 20: INTELLECTUAL PROPERTY AND TECHNOLOGY NEWS › ~ › media › Files › Insights › ... · Being able to demonstrate a sophisticated and comprehensive approach to cyber security,

mObILE APPS UNDER CLOSE WATCH Of THE HONG KONG PRIvACY COmmISSIONERBy scott thiel partner and Carolyn Bigg of Counsel (hong Kong)

The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps On 21 April 2016 the Office of the Privacy Commissioner for Personal Data (the PCPD) held the lsquoMobile App Development Forum on Privacy and Securityrsquo (Forum) for the mobile app industry which discussed key issues for mobile app developers businesses and stakeholders to consider when developing and operating mobile apps in terms of ensuring compliance with the provisions of the Personal Data (Privacy) Ordinance and safeguarding users from cybersecurity risks

Businesses operating in the mobile app industry and related stakeholders are advised to take note of the below key points raised at the Forum and related issues that they should consider

Lessons to learn from mobile apps in the market

The Privacy Commissioner highlighted the results of a recent survey on popular mobile apps developed by Hong Kong entities which revealed a lack of transparency of the personal data handling in relation to the apps The survey results revealed that most of these local apps did not explain clearly what data they would access and the purposes for such access and that only around half of these mobile apps provided a privacy policy

A key risk discussed at the Forum was that the drafter of the privacy policies may not have a complete understanding of what data is in fact collected stored used andor shared by the app for example in the case of using third party codes in the app development Businesses using the one privacy policy for all of its mobile apps which differ greatly in the way usersrsquo data are handled also run the risk of having imprecise privacy policies for individual apps

Security remains a key concern in relation to personal data collected and handled by mobile apps It was revealed at the Forum that alarmingly some extremely popular mobile apps failed to apply adequate security to safeguard usersrsquo personal data

Enforcement risks for mobile apps

At the Forum the Privacy Commissioner referred to enforcement actions that were taken against mobile apps recently largely due to excessive data collection and inadequate security of personal data

In recent years the Privacy Commissioner has served enforcement notices on operators of mobile apps as well as related parties to the app operators As a result the relevant companies have taken corrective actions and in

20 | Intellectual Property and Technology News20 | Intellectual Property and Technology News

some instances the Privacy Commissionerrsquos enforcement action attracted much media attention and some of these mobile apps are no longer available in the market

However there is a limit to the Privacy Commissionerrsquos enforcement powers as demonstrated by a high profile incident in November 2016 regarding call-blocking apps whose activities were suspected by the PCPD to contravene Hong Kongrsquos data privacy law As the appsrsquo operators were located outside Hong Kong the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow up action

It is most likely that the privacy compliance of mobile apps will continue to be under the close watch of the Privacy Commissioner in the coming months

Privacy by Design

The Chief Personal Data Officer of the PCPD Dr Henry Chang highlighted the lsquoPrivacy by Designrsquo approach that business should adopt which brings privacy to the foreground and embeds privacy from the outset into the design specifications and throughout the entire development life cycle of a mobile app Set out below are key factors that should be considered

Data minimisation ndash The collection of personal data should be reduced to the absolute minimum especially where sensitive personal data is involved An assessment of what data the business requires from users in terms of access and collection should be undertaken at the outset

Surprise minimisation ndash Businesses should ensure there is transparency to users in terms of what data will be collected or accessed and provide users with a choice to opt-out from such access or use where possible It is important for businesses to manage the expectations of users and eliminate or minimise any possible adverse effects of data collection and use

Risk minimisation ndash Businesses must ensure adequate protection of data being transmitted andor stored for example through encryption and access control

Trust and respect ndash To earn the trust and respect of users it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects even if they do not amount to personal data This is key as mobile devices contain a vast amount of personal data and other data that may be considered private and users would be concerned about whether the mobile app accesses or collects any of this data

In particular, businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users, rather than as a compliance hurdle to be cleared in order to avoid investigation or enforcement action by the Privacy Commissioner. Businesses should ensure that the data collection and handling practices of their mobile apps are not only compliant with the law, but also that their privacy policies, privacy notifications and consents are sufficiently clear and transparent to gain the trust and respect of users.

www.dlapiper.com | 21

SINGAPORE'S ENFORCEMENT OF DATA PROTECTION LAW ON THE RISE

By Scott Thiel, Partner, Carolyn Bigg, Of Counsel, and Amy Kong, Associate (Hong Kong)

Singapore's Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident concerning a multinational bank jointly with the Monetary Authority of Singapore (MAS). The PDPC has also recently announced the need for organisations to improve their data security and data protection measures, and has issued new guides, primarily focusing on data protection measures, which organisations should consider carefully.

Recent enforcement decisions

Some of the key points to note from the three recent enforcement decisions:

A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.

A document processing company was fined SGD 5,000 for a data breach after 195 individuals received the account statements of other account holders held on the Singapore Exchange.

A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (the policy holder's chiropractor) in September 2015 in order to obtain further medical information about the policy holder. The PDPC found that the disclosure of the policy holder's bank account details, being of a sensitive financial nature, was not for a reasonable purpose.

It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of 'sensitive personal data' requiring additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.

As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were the result of inadequate data security measures which led to the unauthorised disclosure of personal data.

Investigation into a multinational bank's data disposal incident

The PDPC and the MAS have joined forces in an investigation into a multinational bank (Bank) following a recent report relating to the Bank's disposal of client documents. In June 2016 it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank's headquarters in Singapore.

The MAS is working closely with the PDPC to review the incident and has indicated its commitment to taking disciplinary action against banks which fail to adequately protect their customers' data.

New guides issued by the PDPC

To accompany its recent media release urging organisations to improve their data security measures, and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, on securing personal data in electronic medium, and on building websites for small to medium enterprises.

The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding withdrawal of consent and access requests. Organisations are encouraged to consider carefully the contents of the guides and updated guidelines when reviewing their data handling practices.

Some interesting issues to note

The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third party contracts. Such data protection clauses should contain: specific security measures; a schedule listing the authorised personnel who are permitted to access the personal data on a 'need to know' basis; a requirement for a written undertaking about the return or deletion of personal data; and a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.

The PDPC's guide on disposal of personal data on physical medium suggests that organisations should ensure the proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example, unauthorised disclosure of healthcare data or financial information is considered to result in a significant impact on individuals).

This article was first published in August 2016. For further updates in relation to Singapore's data protection laws, please contact Scott Thiel (scott.thiel@dlapiper.com) or Carolyn Bigg (carolyn.bigg@dlapiper.com).


IPT INSIGHTS

AUSTRALIA – TRADE MARKS – CHANGES TO OFFICIAL FEES

The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees, some of which are intended to align with practices in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.

Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there will no longer be a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptance/registration, the new process will hopefully reduce the administrative burden on applicants somewhat.

In addition, the AU$150 fee for opposing a removal application will be abolished. Renewal fees will also increase slightly.

This is an adjustment to official fees only at this time, and DLA Piper Australia is not increasing its fees for the relevant attendances.

HONG KONG'S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD

Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong's Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees use their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap. 486) (the Ordinance) and the Data Protection Principles (DPPs).

The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and to the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices depending on whether the organisation's data is stored on the personal devices themselves or within a 'sandbox'. The Commissioner has suggested as best practice that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance.

The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding the use of personal data stored on the BYOD device, and whether adequate security measures are in place to ensure the secure transfer and storage of personal data on the BYOD equipment (e.g. sandboxing, password protection and independent encryption).

The Information Leaflet also highlights that respect for personal data should be mutual under a BYOD scheme, and that any practices implemented to manage employees' BYOD devices should respect the employees' private information.

For more information, the Information Leaflet is available here.

DLA Piper's Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more, please click here.

JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS

In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.

Where a supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, the supplier must follow the approach prescribed in the Bill in order to seek a remedy (for example, damages). This is likely to be a two-step process. First, the supplier must attempt to resolve the complaint with the procuring entity. Second, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.

The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year.



WHAT'S ON

Wrap-up: 5th Global Technology Summit

On September 27 and 28, DLA Piper's Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.

This year the Summit was divided into two distinct days of programming. The first day, called 'Garage2Global', was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from 'garage to global'. The second day, entitled 'TechLaw', provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.

Speaker Highlights

At 'Garage2Global', Alec Ross, former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day, Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world's largest networks, which powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates, Inc.

Kicking off 'TechLaw', Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions, and how the legal department is viewed as a business partner. During the afternoon sessions, Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, about the GC's role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world's largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.

Please visit our Summit website and blog for further information.

DLA Piper is pleased to announce the launch of Telecommunications Laws of the World

Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.

Key features include:

telecommunications laws regulations and policies

regulatory bodies or authorities

overview of consents licenses and authorisations

regulatory taxes and fees

key sanctions and penalties

Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-based stamping for trading transactions, robust, reliable and resilient networks are critical.

Today, telecommunications operators are increasingly seeking to expand customer-specific and value-added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion. At the same time, the growth of OTT (over the top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators' infrastructure to provide services.

Access Telecommunications Laws of the World here.


Intellectual property webinar series

Throughout 2016, DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact events.australia@dlapiper.com.

intellectual property issues in China

confidential information and trade secrets global insights global protection

grey market parallel importation and anti-counterfeiting

content protection and digital piracy

advertising and marketing

Pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide

We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.

Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:

trademark filing and prosecution

oppositions

revocation invalidation and cancellation

trademark enforcement

trademark exploitation

unregistered trademark rights

domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide, email APACTMGuide@dlapiper.com.

Are you an in-house lawyer? Join WIN today

WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.


DLA PIPER ASIA PACIFIC TRADEMARK GUIDE 2016

Pre-order your complimentary copy now

We are pleased to bring you the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.

Relevant for the complete brand life cycle, this user-friendly guide looks at such essential issues as:

trademark filing and prosecution

oppositions

revocation invalidation and cancellation

trademark enforcement

trademark exploitation

unregistered trademark rights

domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piper's Asia Pacific Trademark Guide, please complete this card or email us at APACTMGuide@dlapiper.com.


GLOBAL PATENT LAWS AROUND THE WORLD

COMING SOON

Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to businesses operating in the countries featured: for example, what acts infringe a patent, the availability of and approach to granting preliminary injunctions, the ability to obtain evidence, the approach to assessing validity and the typical time to trial. For companies operating in multiple countries, managing the risk of, and successfully bringing or defending, patent proceedings can often depend on the strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those of other countries.

Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and the procedural matters businesses need to know about. The handbook includes guidance on:

Infringing conduct

Defences to infringement

Before taking action

Patent validity

Taking action

Remedies

Procedure & timing

Benefits of Global Patent Laws: patent laws simply put; global reach; easy access 24/7

DLA PIPER'S PATENT GROUP

With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.

For further information, please contact us by email at patents@dlapiper.com.

  1. Button 19
Page 21: INTELLECTUAL PROPERTY AND TECHNOLOGY NEWS › ~ › media › Files › Insights › ... · Being able to demonstrate a sophisticated and comprehensive approach to cyber security,

some instances the Privacy Commissionerrsquos enforcement action attracted much media attention and some of these mobile apps are no longer available in the market

However there is a limit to the Privacy Commissionerrsquos enforcement powers as demonstrated by a high profile incident in November 2016 regarding call-blocking apps whose activities were suspected by the PCPD to contravene Hong Kongrsquos data privacy law As the appsrsquo operators were located outside Hong Kong the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow up action

It is most likely that the privacy compliance of mobile apps will continue to be under the close watch of the Privacy Commissioner in the coming months

Privacy by Design

The Chief Personal Data Officer of the PCPD Dr Henry Chang highlighted the lsquoPrivacy by Designrsquo approach that business should adopt which brings privacy to the foreground and embeds privacy from the outset into the design specifications and throughout the entire development life cycle of a mobile app Set out below are key factors that should be considered

Data minimisation ndash The collection of personal data should be reduced to the absolute minimum especially where sensitive personal data is involved An assessment of what data the business requires from users in terms of access and collection should be undertaken at the outset

Surprise minimisation ndash Businesses should ensure there is transparency to users in terms of what data will be collected or accessed and provide users with a choice to opt-out from such access or use where possible It is important for businesses to manage the expectations of users and eliminate or minimise any possible adverse effects of data collection and use

Risk minimisation ndash Businesses must ensure adequate protection of data being transmitted andor stored for example through encryption and access control

Trust and respect ndash To earn the trust and respect of users it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects even if they do not amount to personal data This is key as mobile devices contain a vast amount of personal data and other data that may be considered private and users would be concerned about whether the mobile app accesses or collects any of this data

In particular businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users rather than a compliance hurdle to avoid investigation or enforcement action by the Privacy Commissioner Businesses should ensure the data collection and handling practices in respect of their mobile apps are not only compliant with the law but that the privacy policies and privacy notifications and consents are sufficiently clear and transparent to gain the trust and respect of users

wwwdlapipercom | 21

Singaporersquos Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA) Following the release of its first nine enforcement decisions in April this year the PDPC has published a further enforcement decision in June and two decisions in July and is currently investigating a recent data disposal incident with the Monetary Authority of Singapore (MAS) concerning a multinational bank The PDPC has also recently announced the need for organisations to improve their data security and data protection measures and has issued new guides primarily focusing on data protection measures which organisations should consider carefully

Recent enforcement decisions

Some of the key points to note from the three recent enforcement decisions

A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015 The enforcement decision was made even though there was no evidence that any personal data had actually been misused

A document processing company was fined SGD 5000 for a data breach after 195 individuals received account statements of other account holders held on the Singapore Exchange

A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (being the policy holderrsquos chiropractor) to obtain further medical information about the policy holder in September 2015 The PDPC found that the disclosure of the policy holderrsquos bank account details being of a sensitive financial nature was not for a reasonable purpose

It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA Although the PDPA does not have a separate definition of lsquosensitive personal datarsquo which requires additional protection the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions

As noted by Mr Leong Keng Thai Chairman of the PDPC the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were a result of inadequate data security measures which led to unauthorised disclosure of personal data

SINGAPORErsquoS ENfORCEmENT Of DATA PROTECTION LAW ON THE RISE

By scott thiel partner Carolyn Bigg of Counsel amy Kong associate (hong Kong)

22 | Intellectual Property and Technology News

Investigation on a multinational bankrsquos data disposal incident

The PDPC and the MAS have joined forces in an investigation against a multinational bank (Bank) following a recent report relating to the Bankrsquos disposal of client documents In June 2016 it was reported that a garbage bag containing unshredded client documents of the Bank which included confidential client data and personal data such as National Registration Identity Card numbers addresses and phone numbers was found in close proximity to the Bankrsquos headquarters in Singapore

The MAS is working closely with the PDPC to review the incident and has indicated its commitment to take disciplinary action against banks which fail to adequately protect its customersrsquo data

New guides issued by the PDPC

To accompany its recent media release urging organisations to improve their data security measures and in light of recent enforcement decisions the PDPC has published new guides on data protection clauses for agreements relating to data processing securing personal data in electronic medium and building websites for small to medium enterprises

The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing IT outsourcing and security patching and has updated its advisory guidelines on key concepts in the

PDPA regarding content on withdrawal of consent and access requests Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing its data handling practices

Some interesting issues to note

The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in its third party contracts Such data protection clauses should contain specific security measures a schedule containing the authorised personnel who are permitted to access the personal data on a lsquoneed to knowrsquo basis a requirement for a written undertaking about return or deletion of personal as well as a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA

The PDPCrsquos guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration shredding or pulping In relation to shredding different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals)

this article was first published in august 2016 for further updates in relation to singaporersquos data protection laws please contact scott thiel scottthieldlapipercom or Carolyn Bigg carolynbiggdlapipercom

wwwdlapipercom | 23

AUSTRALIA ndash TRADE mARKS ndash CHANGES TO OffICIAL fEES

The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees some of which are to align with practices and other jurisdictions and (hopefully) to cut red tape The changes took effect on 10 October 2016

Significantly the official fees on filing a new application have increased (by around AU$100 per class) but there will no longer be a separate registration fee payable at the acceptanceregistration stage While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptanceregistration the new process will hopefully reduce the administrative burden on applicants somewhat

In addition the AU$150 fee for opposing a removal application will be abolished Renewal fees will also increase slightly

This is an adjustment to official fees only at this time and DLA Piper Australia is not increasing its fees for the relevant attendances

HONG KONGrsquoS PRIvACY COmmISSIONER ADDRESSES PRIvACY COmPLIANCE AND bEST PRACTICE fOR bYOD

Following the publication of industry-specific BYOD guidelines such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines) the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kongrsquos Privacy Commissioner The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees are using their own mobile phones or other personal devices to access work emailssystems and suggests best practices for organisations allowing BYOD Unlike previous industry-specific guidance the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap 486) (the Ordinance) and the Data Protection Principles (DPPs)

The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and the harm and

likelihood of loss or unauthorised disclosure This reflects the approach taken in the HKAB Guidelines which recommend specific and distinct practices which differ depending on whether or not the organisationrsquos data is stored on the personal devices or within a lsquosandboxrsquo The Commissioner has suggested as best practice that organisations should at the outset of any BYOD implementation conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance

The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance For instance organisations should consider whether there is sufficient employee training regarding use of personal data stored in the BYOD device and whether adequate security measures are in place to ensure secure transfer and storage of personal data in the BYOD equipment (eg sandboxing password protection and independent encryption)

The Information Leaflet also highlights that respect for personal data should be mutual under the BYOD scheme and any practices implemented to manage employeesrsquo BYOD devices should respect the employeesrsquo private information

For more information the Information Leaflet is available here

DLA Piperrsquos Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe To learn more please click here

JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS

In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.

Where a supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, in order to seek a remedy (for example, damages) the supplier must follow the approach prescribed in the Bill. This is likely to be a two-step process. Firstly, the supplier must attempt to resolve the complaint with the procuring entity. Secondly, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.

The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year.

IPT INSIGHTS

24 | Intellectual Property and Technology News

WHAT'S ON

Wrap up: 5th Global Technology Summit

On September 27 and 28, DLA Piper's Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.

This year the Summit was divided into two distinct days of programming. The first day, called 'Garage2Global', was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from 'garage to global'. The second day, entitled 'TechLaw', provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.

Speaker Highlights

At 'Garage2Global', Alec Ross, Former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day, Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world's largest networks, one that powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates, Inc.

Kicking off 'TechLaw', Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions, and how the legal department is viewed as a business partner. During the afternoon sessions, Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, to discuss the GC's role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world's largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.

Please visit our Summit website and blog for any further information.

DLA Piper is pleased to announce the launch of Telecommunications Laws of the World.

Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.

Key features include:

telecommunications laws regulations and policies

regulatory bodies or authorities

overview of consents, licences and authorisations

regulatory taxes and fees

key sanctions and penalties

Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-based stamping for trading transactions, robust, reliable and resilient networks are critical.

Today, telecommunications operators are increasingly seeking to expand customer-specific and value added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion. At the same time, the growth of OTT (over the top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators' infrastructure to provide services.

Access Telecommunications Laws of the World here.


Intellectual property webinar series

Throughout 2016, DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact eventsaustralia@dlapiper.com.

intellectual property issues in China

confidential information and trade secrets: global insights, global protection

grey market, parallel importation and anti-counterfeiting

content protection and digital piracy

advertising and marketing

Pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide

We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.

Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:

trademark filing and prosecution

oppositions

revocation, invalidation and cancellation

trademark enforcement

trademark exploitation

unregistered trademark rights

domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide, email APACTMGuide@dlapiper.com.

Are you an in-house lawyer? Join WIN today

WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.


DLA PIPER ASIA PACIFIC TRADEMARK GUIDE 2016

Pre-order your complimentary copy now

We are pleased to bring you the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.

Relevant for the complete brand life cycle, this user-friendly guide looks at such essential issues as:

trademark filing and prosecution

oppositions

revocation, invalidation and cancellation

trademark enforcement

trademark exploitation

unregistered trademark rights

domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piper's Asia Pacific Trademark Guide, please complete this card or email us at APACTMGuide@dlapiper.com.


GLOBAL PATENT LAWS AROUND THE WORLD

COMING SOON

Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to businesses operating in the countries featured: for example, what acts infringe a patent, the availability of and approach to granting preliminary injunctions, the ability to obtain evidence, the approach to assessing validity, and the typical time to trial. For companies operating in multiple countries, managing the risk of, and successfully bringing or defending, patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those of other countries.

DLA PIPER'S PATENT GROUP

With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.

For further information, please contact us by email at patents@dlapiper.com.

Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and the procedural matters businesses need to know about. The handbook includes guidance on:

infringing conduct

defences to infringement

before taking action

patent validity

taking action

remedies

procedure & timing

Benefits of Global Patent Laws: patent laws simply put, global reach, easy access 24/7


SINGAPORE'S ENFORCEMENT OF DATA PROTECTION LAW ON THE RISE

By Scott Thiel, Partner, Carolyn Bigg, Of Counsel, and Amy Kong, Associate (Hong Kong)

Singapore's Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident, together with the Monetary Authority of Singapore (MAS), concerning a multinational bank. The PDPC has also recently announced the need for organisations to improve their data security and data protection measures, and has issued new guides, primarily focusing on data protection measures, which organisations should consider carefully.

Recent enforcement decisions

Some of the key points to note from the three recent enforcement decisions:

A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.

A document processing company was fined SGD 5,000 for a data breach after 195 individuals received account statements of other account holders held on the Singapore Exchange.

A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (the policy holder's chiropractor) in order to obtain further medical information about the policy holder in September 2015. The PDPC found that the disclosure of the policy holder's bank account details, being of a sensitive financial nature, was not for a reasonable purpose.

It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of 'sensitive personal data' requiring additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.

As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were the result of inadequate data security measures which led to unauthorised disclosure of personal data.

Investigation into a multinational bank's data disposal incident

The PDPC and the MAS have joined forces in an investigation into a multinational bank (Bank) following a recent report relating to the Bank's disposal of client documents. In June 2016 it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank's headquarters in Singapore.

The MAS is working closely with the PDPC to review the incident and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers' data.

New guides issued by the PDPC

To accompany its recent media release urging organisations to improve their data security measures, and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, on building websites for small to medium enterprises, and on disposal of personal data on physical medium.

The PDPC has also updated its guide on securing personal data in electronic medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding the withdrawal of consent and access requests. Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing their data handling practices.

Some interesting issues to note

The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third party contracts. Such data protection clauses should contain specific security measures, a schedule listing the authorised personnel who are permitted to access the personal data on a 'need to know' basis, a requirement for a written undertaking about the return or deletion of personal data, as well as a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.

The PDPC's guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).

This article was first published in August 2016. For further updates in relation to Singapore's data protection laws, please contact Scott Thiel (scott.thiel@dlapiper.com) or Carolyn Bigg (carolyn.bigg@dlapiper.com).


AUSTRALIA – TRADE MARKS – CHANGES TO OFFICIAL FEES

The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees, some of which are intended to align with practices in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.

Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there will no longer be a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptance/registration, the new process will hopefully reduce the administrative burden on applicants somewhat.

In addition, the AU$150 fee for opposing a removal application will be abolished. Renewal fees will also increase slightly.

This is an adjustment to official fees only at this time, and DLA Piper Australia is not increasing its fees for the relevant attendances.

HONG KONGrsquoS PRIvACY COmmISSIONER ADDRESSES PRIvACY COmPLIANCE AND bEST PRACTICE fOR bYOD

Following the publication of industry-specific BYOD guidelines such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines) the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kongrsquos Privacy Commissioner The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees are using their own mobile phones or other personal devices to access work emailssystems and suggests best practices for organisations allowing BYOD Unlike previous industry-specific guidance the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap 486) (the Ordinance) and the Data Protection Principles (DPPs)

The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and the harm and

likelihood of loss or unauthorised disclosure This reflects the approach taken in the HKAB Guidelines which recommend specific and distinct practices which differ depending on whether or not the organisationrsquos data is stored on the personal devices or within a lsquosandboxrsquo The Commissioner has suggested as best practice that organisations should at the outset of any BYOD implementation conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance

The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance For instance organisations should consider whether there is sufficient employee training regarding use of personal data stored in the BYOD device and whether adequate security measures are in place to ensure secure transfer and storage of personal data in the BYOD equipment (eg sandboxing password protection and independent encryption)

The Information Leaflet also highlights that respect for personal data should be mutual under the BYOD scheme and any practices implemented to manage employeesrsquo BYOD devices should respect the employeesrsquo private information

For more information the Information Leaflet is available here

DLA Piperrsquos Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe To learn more please click here

JUDICIAL REvIEW Of AUSTRALIAN GOvERNmENT PROCUREmENTS

In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill) which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority

Where the supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules in order to seek a remedy (for example damages) the supplier must follow the approach prescribed in the Bill This is likely to be a two-step process Firstly the supplier must attempt to resolve the complaint with the procuring entity Secondly if the complaint cannot be resolved the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court

The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year

IPT INSIGHTS

24 | Intellectual Property and Technology News

WHATrsquoS ONWrap up 5th Global Technology Summit

On September 27 and 28 DLA Piperrsquos Technology Sector hosted its 5th Global Technology Summit with more than 450 industry leaders attending the standing-room-only event in Menlo Park

This year the Summit was divided into two distinct days of programing The first day which was called lsquoGarage2Globalrsquo was dedicated to providing entrepreneurs emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from lsquogarage to globalrsquo And the second day which was entitled lsquoTechLawrsquo provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments

Speaker Highlights

At lsquoGarage2Globalrsquo Alec Ross Former Senior Advisor for Innovation to the US Secretary of State delivered the morning keynote address and spoke on the themes from his new book The Industries of the Future as well as the impact of Brexit and the coming presidential election on the technology sector and innovation Later in the day Sarah Lacy Editor in Chief at Pandocom sat down with Michelle Zatlyn Co-Founder of CloudFlare a web performance and security company to discuss how she and her co-founders turned an idea into one of the worldrsquos largest networks that powers more than 10 trillion requests per month nearly 10 of all Internet requests for more than 25 billion people worldwide Other speakers included c-level executives founders and investors from a wide variety of leading companies including August Home Cisco Investments Ford Research and Innovation GE Digital KPCB McKesson Ventures Qualcomm Ventures RetailNext Siemens Corporate Research and New Enterprise Associates Inc

Kicking off lsquoTechLawrsquo Stasia Kelly Co-Managing Partner (Americas) of DLA Piper sat down with Mark Chandler Senior Vice President and General Counsel at Cisco to discuss his role as an innovator within the legal industry the challenges in conducting acquisitions and how the legal department is viewed as a business partner During the afternoon sessions Dan Cooperman Of Counsel at DLA Piper chatted with Mike Callahan Senior Vice President and General Counsel at LinkedIn and Hillary Smith General Counsel at Zenefits to discuss the GCrsquos role in such areas as privacy and cybersecurity legal and policy and corporate investigations Other speakers included general counsel and thought leaders from some of the worldrsquos largest and most innovative technology companies including Adobe Systems Intel NetApp Netflix Nike Oracle Pandora PayPal Qualcomm and Samsung Electronics

Please visit our Summit website and blog for any further information

DLA Piper is pleased to announce the launch of Telecommunications Laws of the World

telecommunications laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world

Key features include

telecommunications laws regulations and policies

regulatory bodies or authorities

overview of consents licenses and authorisations

regulatory taxes and fees

key sanctions and penalties

telecommunications infrastructure is at the heart of any global business in the modern age from data security and data resilience requirements through cloud and data centre connectivity requirements to latency minimisation and time-based stamping for trading transactions robust reliable and resilient networks are critical

today telecommunications operators are increasingly seeking to expand customer-specific and value added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion at the same time the growth of ott (over the top) applications raises novel regulatory questions as service providers many of whom have no infrastructure and often no physical presence at all in the country can nevertheless use licensed operatorsrsquo infrastructure to provide services

access telecommunications laws of the World here

wwwdlapipercom | 25

Intellectual property webinar series

Throughout 2016 DLA Piper will be hosting an intellectual property webinar series focusing on the following topics If you are interested in joining these webinars contact eventsaustraliadlapipercom

intellectual property issues in China

confidential information and trade secrets global insights global protection

grey market parallel importation and anti-counterfeiting

content protection and digital piracy

advertising and marketing

Pre-order your copy of the inaugural edition of DLA Piperrsquos Asia-Pacific Trademark Guide

We will soon be releasing the DLA Piper Asia Pacific Trademark Guide a comprehensive review of trademark laws and key tips covering these 18 countries Australia Cambodia China Hong Kong India Indonesia Japan Korea Laos Macau Malaysia Myanmar New Zealand Philippines Singapore Taiwan Thailand and Vietnam

Covering the complete brand life cycle this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific including

trademark filing and prosecution

oppositions

revocation invalidation and cancellation

trademark enforcement

trademark exploitation

unregistered trademark rights

domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piperrsquos Asia-Pacific Trademark Guide email APACTMGuidedlapipercom

Are you an in-house lawyer Join WIN today

Win is our award-winning series of events tools and forums addressing the technical commercial and personal aspects of working in-house our online community provides access to tailored information a personal library best practice guides and toolkits and extensive selection of recorded webinars a range of online tools and much more Click here to register

26 | Intellectual Property and Technology News

DLA PIPER ASIA PACIFIC TRADEmARK GUIDE 2016pre-order your Complimentary Copy noW

We are pleased to bring you the DLA Piper Asia Pacific Trademark Guide a comprehensive review of trademark laws and key tips covering these 18 countries Australia Cambodia China Hong Kong India Indonesia Japan Korea Laos macau malaysia myanmar New Zealand Philippines Singapore Taiwan Thailand and vietnam

Relevant for the complete brand life cycle this user-friendly guide looks at such essential issues as

trademark filing and prosecution

oppositions

revocation invalidation and cancellation

trademark enforcement

trademark exploitation

unregistered trademark rights

domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piperrsquos Asia Pacific Trademark Guide please complete this card or email us at APACTMGuidedlapipercom

wwwdlapipercom | 27

GLOBAL PATENT LAWSAROUND THE WORLD

COmING SOON

global patern laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to business operating in the countries featured for example what acts infringe a patent the availability of and approach to granting preliminary injuctions the ability to obtain evidence the approach to assessing validity and the typical time to trial for companies operating in multiple countries managing the risk of and successfully bringing or defending patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions accordingly our guide also allows you to compare the laws and procedures of one country with that in other countries

DLA PIPERrsquoS PATENT GROUP

With more than 130 patent litigators on the ground in key jurisdictions worldwide dla piper is uniquely positioned to help companies successfully navigate their patent matters around the globe

for further information please contact us by email at patentsdlapipercom

global patent laws is a comparative reference guide on patent laws providing business insight on critical patent laws around the world and procedural matters businesses need to know about the handbook includes guidance on

Benefits of global patent laws

patent laws simply put global reach easy access 247

infringing Conduct

defences to infringement

Before taking action

patent validity

taking action

remedies

procedure amp timing

  1. Button 19
Page 23: INTELLECTUAL PROPERTY AND TECHNOLOGY NEWS › ~ › media › Files › Insights › ... · Being able to demonstrate a sophisticated and comprehensive approach to cyber security,

Investigation on a multinational bankrsquos data disposal incident

The PDPC and the MAS have joined forces in an investigation against a multinational bank (Bank) following a recent report relating to the Bankrsquos disposal of client documents In June 2016 it was reported that a garbage bag containing unshredded client documents of the Bank which included confidential client data and personal data such as National Registration Identity Card numbers addresses and phone numbers was found in close proximity to the Bankrsquos headquarters in Singapore

The MAS is working closely with the PDPC to review the incident and has indicated its commitment to take disciplinary action against banks which fail to adequately protect its customersrsquo data

New guides issued by the PDPC

To accompany its recent media release urging organisations to improve their data security measures and in light of recent enforcement decisions the PDPC has published new guides on data protection clauses for agreements relating to data processing securing personal data in electronic medium and building websites for small to medium enterprises

The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing IT outsourcing and security patching and has updated its advisory guidelines on key concepts in the

PDPA regarding content on withdrawal of consent and access requests Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing its data handling practices

Some interesting issues to note

The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in its third party contracts Such data protection clauses should contain specific security measures a schedule containing the authorised personnel who are permitted to access the personal data on a lsquoneed to knowrsquo basis a requirement for a written undertaking about return or deletion of personal as well as a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA

The PDPCrsquos guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration shredding or pulping In relation to shredding different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals)

this article was first published in august 2016 for further updates in relation to singaporersquos data protection laws please contact scott thiel scottthieldlapipercom or Carolyn Bigg carolynbiggdlapipercom

wwwdlapipercom | 23

AUSTRALIA ndash TRADE mARKS ndash CHANGES TO OffICIAL fEES

The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees, some of which are intended to align with practices in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.

Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there will no longer be a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptance/registration, the new process will hopefully reduce the administrative burden on applicants somewhat.

In addition, the AU$150 fee for opposing a removal application will be abolished. Renewal fees will also increase slightly.

This is an adjustment to official fees only at this time, and DLA Piper Australia is not increasing its fees for the relevant attendances.

HONG KONG'S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD

Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong's Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees are using their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap. 486) (the Ordinance) and the Data Protection Principles (DPPs).

The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices depending on whether or not the organisation's data is stored on the personal devices or within a 'sandbox'. The Commissioner has suggested as best practice that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance.

The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding use of personal data stored in the BYOD device, and whether adequate security measures are in place to ensure secure transfer and storage of personal data in the BYOD equipment (e.g. sandboxing, password protection and independent encryption).

The Information Leaflet also highlights that respect for personal data should be mutual under the BYOD scheme, and any practices implemented to manage employees' BYOD devices should respect the employees' private information.

For more information, the Information Leaflet is available here.

DLA Piper's Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more, please click here.

JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS

In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.

Where the supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, in order to seek a remedy (for example, damages) the supplier must follow the approach prescribed in the Bill. This is likely to be a two-step process. Firstly, the supplier must attempt to resolve the complaint with the procuring entity. Secondly, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.

The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year.

IPT INSIGHTS


WHAT'S ON

Wrap up: 5th Global Technology Summit

On September 27 and 28, DLA Piper's Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.

This year the Summit was divided into two distinct days of programming. The first day, which was called 'Garage2Global', was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from 'garage to global'. The second day, which was entitled 'TechLaw', provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.

Speaker Highlights

At 'Garage2Global', Alec Ross, Former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day, Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world's largest networks, which powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates Inc.

Kicking off 'TechLaw', Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions, and how the legal department is viewed as a business partner. During the afternoon sessions, Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, to discuss the GC's role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world's largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.

Please visit our Summit website and blog for any further information.

DLA Piper is pleased to announce the launch of Telecommunications Laws of the World

Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.

Key features include:

telecommunications laws, regulations and policies

regulatory bodies or authorities

overview of consents, licences and authorisations

regulatory taxes and fees

key sanctions and penalties

Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-based stamping for trading transactions, robust, reliable and resilient networks are critical.

Today, telecommunications operators are increasingly seeking to expand customer-specific and value added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion. At the same time, the growth of OTT (over the top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators' infrastructure to provide services.

Access Telecommunications Laws of the World here.


Intellectual property webinar series

Throughout 2016 DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact eventsaustralia@dlapiper.com.

intellectual property issues in China

confidential information and trade secrets: global insights, global protection

grey market, parallel importation and anti-counterfeiting

content protection and digital piracy

advertising and marketing

Pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide

We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.

Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:

trademark filing and prosecution

oppositions

revocation, invalidation and cancellation

trademark enforcement

trademark exploitation

unregistered trademark rights

domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide, email APACTMGuide@dlapiper.com.

Are you an in-house lawyer? Join WIN today

WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.


DLA PIPER ASIA PACIFIC TRADEMARK GUIDE 2016

Pre-order your complimentary copy now

We are pleased to bring you the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.

Relevant for the complete brand life cycle, this user-friendly guide looks at such essential issues as:

trademark filing and prosecution

oppositions

revocation, invalidation and cancellation

trademark enforcement

trademark exploitation

unregistered trademark rights

domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piper's Asia Pacific Trademark Guide, please complete this card or email us at APACTMGuide@dlapiper.com.


GLOBAL PATENT LAWS AROUND THE WORLD

COMING SOON

Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to businesses operating in the countries featured, for example: what acts infringe a patent, the availability of and approach to granting preliminary injunctions, the ability to obtain evidence, the approach to assessing validity, and the typical time to trial. For companies operating in multiple countries, managing the risk of, and successfully bringing or defending, patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those in other countries.

DLA PIPER'S PATENT GROUP

With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.

For further information, please contact us by email at patents@dlapiper.com.

Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and procedural matters businesses need to know about. The handbook includes guidance on:

infringing conduct

defences to infringement

before taking action

patent validity

taking action

remedies

procedure & timing

Benefits of Global Patent Laws: patent laws simply put; global reach; easy access 24/7.

  1. Button 19
Page 24: INTELLECTUAL PROPERTY AND TECHNOLOGY NEWS › ~ › media › Files › Insights › ... · Being able to demonstrate a sophisticated and comprehensive approach to cyber security,

AUSTRALIA ndash TRADE mARKS ndash CHANGES TO OffICIAL fEES

The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees some of which are to align with practices and other jurisdictions and (hopefully) to cut red tape The changes took effect on 10 October 2016

Significantly the official fees on filing a new application have increased (by around AU$100 per class) but there will no longer be a separate registration fee payable at the acceptanceregistration stage While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptanceregistration the new process will hopefully reduce the administrative burden on applicants somewhat

In addition the AU$150 fee for opposing a removal application will be abolished Renewal fees will also increase slightly

This is an adjustment to official fees only at this time and DLA Piper Australia is not increasing its fees for the relevant attendances

HONG KONGrsquoS PRIvACY COmmISSIONER ADDRESSES PRIvACY COmPLIANCE AND bEST PRACTICE fOR bYOD

Following the publication of industry-specific BYOD guidelines such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines) the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kongrsquos Privacy Commissioner The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees are using their own mobile phones or other personal devices to access work emailssystems and suggests best practices for organisations allowing BYOD Unlike previous industry-specific guidance the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap 486) (the Ordinance) and the Data Protection Principles (DPPs)

The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and the harm and

likelihood of loss or unauthorised disclosure This reflects the approach taken in the HKAB Guidelines which recommend specific and distinct practices which differ depending on whether or not the organisationrsquos data is stored on the personal devices or within a lsquosandboxrsquo The Commissioner has suggested as best practice that organisations should at the outset of any BYOD implementation conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance

The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance For instance organisations should consider whether there is sufficient employee training regarding use of personal data stored in the BYOD device and whether adequate security measures are in place to ensure secure transfer and storage of personal data in the BYOD equipment (eg sandboxing password protection and independent encryption)

The Information Leaflet also highlights that respect for personal data should be mutual under the BYOD scheme and any practices implemented to manage employeesrsquo BYOD devices should respect the employeesrsquo private information

For more information the Information Leaflet is available here

DLA Piperrsquos Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe To learn more please click here

JUDICIAL REvIEW Of AUSTRALIAN GOvERNmENT PROCUREmENTS

In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill) which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority

Where the supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules in order to seek a remedy (for example damages) the supplier must follow the approach prescribed in the Bill This is likely to be a two-step process Firstly the supplier must attempt to resolve the complaint with the procuring entity Secondly if the complaint cannot be resolved the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court

The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year

IPT INSIGHTS

24 | Intellectual Property and Technology News

WHATrsquoS ONWrap up 5th Global Technology Summit

On September 27 and 28 DLA Piperrsquos Technology Sector hosted its 5th Global Technology Summit with more than 450 industry leaders attending the standing-room-only event in Menlo Park

This year the Summit was divided into two distinct days of programing The first day which was called lsquoGarage2Globalrsquo was dedicated to providing entrepreneurs emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from lsquogarage to globalrsquo And the second day which was entitled lsquoTechLawrsquo provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments

Speaker Highlights

At lsquoGarage2Globalrsquo Alec Ross Former Senior Advisor for Innovation to the US Secretary of State delivered the morning keynote address and spoke on the themes from his new book The Industries of the Future as well as the impact of Brexit and the coming presidential election on the technology sector and innovation Later in the day Sarah Lacy Editor in Chief at Pandocom sat down with Michelle Zatlyn Co-Founder of CloudFlare a web performance and security company to discuss how she and her co-founders turned an idea into one of the worldrsquos largest networks that powers more than 10 trillion requests per month nearly 10 of all Internet requests for more than 25 billion people worldwide Other speakers included c-level executives founders and investors from a wide variety of leading companies including August Home Cisco Investments Ford Research and Innovation GE Digital KPCB McKesson Ventures Qualcomm Ventures RetailNext Siemens Corporate Research and New Enterprise Associates Inc

Kicking off lsquoTechLawrsquo Stasia Kelly Co-Managing Partner (Americas) of DLA Piper sat down with Mark Chandler Senior Vice President and General Counsel at Cisco to discuss his role as an innovator within the legal industry the challenges in conducting acquisitions and how the legal department is viewed as a business partner During the afternoon sessions Dan Cooperman Of Counsel at DLA Piper chatted with Mike Callahan Senior Vice President and General Counsel at LinkedIn and Hillary Smith General Counsel at Zenefits to discuss the GCrsquos role in such areas as privacy and cybersecurity legal and policy and corporate investigations Other speakers included general counsel and thought leaders from some of the worldrsquos largest and most innovative technology companies including Adobe Systems Intel NetApp Netflix Nike Oracle Pandora PayPal Qualcomm and Samsung Electronics

Please visit our Summit website and blog for any further information

DLA Piper is pleased to announce the launch of Telecommunications Laws of the World

telecommunications laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world

Key features include

telecommunications laws regulations and policies

regulatory bodies or authorities

overview of consents licenses and authorisations

regulatory taxes and fees

key sanctions and penalties

telecommunications infrastructure is at the heart of any global business in the modern age from data security and data resilience requirements through cloud and data centre connectivity requirements to latency minimisation and time-based stamping for trading transactions robust reliable and resilient networks are critical

today telecommunications operators are increasingly seeking to expand customer-specific and value added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion at the same time the growth of ott (over the top) applications raises novel regulatory questions as service providers many of whom have no infrastructure and often no physical presence at all in the country can nevertheless use licensed operatorsrsquo infrastructure to provide services

access telecommunications laws of the World here

wwwdlapipercom | 25

Intellectual property webinar series

Throughout 2016 DLA Piper will be hosting an intellectual property webinar series focusing on the following topics If you are interested in joining these webinars contact eventsaustraliadlapipercom

intellectual property issues in China

confidential information and trade secrets global insights global protection

grey market parallel importation and anti-counterfeiting

content protection and digital piracy

advertising and marketing

Pre-order your copy of the inaugural edition of DLA Piperrsquos Asia-Pacific Trademark Guide

We will soon be releasing the DLA Piper Asia Pacific Trademark Guide a comprehensive review of trademark laws and key tips covering these 18 countries Australia Cambodia China Hong Kong India Indonesia Japan Korea Laos Macau Malaysia Myanmar New Zealand Philippines Singapore Taiwan Thailand and Vietnam

Covering the complete brand life cycle this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific including

trademark filing and prosecution

oppositions

revocation invalidation and cancellation

trademark enforcement

trademark exploitation

unregistered trademark rights

domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piperrsquos Asia-Pacific Trademark Guide email APACTMGuidedlapipercom

Are you an in-house lawyer Join WIN today

Win is our award-winning series of events tools and forums addressing the technical commercial and personal aspects of working in-house our online community provides access to tailored information a personal library best practice guides and toolkits and extensive selection of recorded webinars a range of online tools and much more Click here to register

26 | Intellectual Property and Technology News

DLA PIPER ASIA PACIFIC TRADEmARK GUIDE 2016pre-order your Complimentary Copy noW

We are pleased to bring you the DLA Piper Asia Pacific Trademark Guide a comprehensive review of trademark laws and key tips covering these 18 countries Australia Cambodia China Hong Kong India Indonesia Japan Korea Laos macau malaysia myanmar New Zealand Philippines Singapore Taiwan Thailand and vietnam

Relevant for the complete brand life cycle this user-friendly guide looks at such essential issues as

trademark filing and prosecution

oppositions

revocation invalidation and cancellation

trademark enforcement

trademark exploitation

unregistered trademark rights

domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piperrsquos Asia Pacific Trademark Guide please complete this card or email us at APACTMGuidedlapipercom

wwwdlapipercom | 27

GLOBAL PATENT LAWSAROUND THE WORLD

COmING SOON

global patern laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to business operating in the countries featured for example what acts infringe a patent the availability of and approach to granting preliminary injuctions the ability to obtain evidence the approach to assessing validity and the typical time to trial for companies operating in multiple countries managing the risk of and successfully bringing or defending patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions accordingly our guide also allows you to compare the laws and procedures of one country with that in other countries

DLA PIPERrsquoS PATENT GROUP

With more than 130 patent litigators on the ground in key jurisdictions worldwide dla piper is uniquely positioned to help companies successfully navigate their patent matters around the globe

for further information please contact us by email at patentsdlapipercom

global patent laws is a comparative reference guide on patent laws providing business insight on critical patent laws around the world and procedural matters businesses need to know about the handbook includes guidance on

Benefits of global patent laws

patent laws simply put global reach easy access 247

infringing Conduct

defences to infringement

Before taking action

patent validity

taking action

remedies

procedure amp timing

  1. Button 19
Page 25: INTELLECTUAL PROPERTY AND TECHNOLOGY NEWS › ~ › media › Files › Insights › ... · Being able to demonstrate a sophisticated and comprehensive approach to cyber security,

WHATrsquoS ONWrap up 5th Global Technology Summit

On September 27 and 28 DLA Piperrsquos Technology Sector hosted its 5th Global Technology Summit with more than 450 industry leaders attending the standing-room-only event in Menlo Park

This year the Summit was divided into two distinct days of programing The first day which was called lsquoGarage2Globalrsquo was dedicated to providing entrepreneurs emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from lsquogarage to globalrsquo And the second day which was entitled lsquoTechLawrsquo provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments

Speaker Highlights

At lsquoGarage2Globalrsquo Alec Ross Former Senior Advisor for Innovation to the US Secretary of State delivered the morning keynote address and spoke on the themes from his new book The Industries of the Future as well as the impact of Brexit and the coming presidential election on the technology sector and innovation Later in the day Sarah Lacy Editor in Chief at Pandocom sat down with Michelle Zatlyn Co-Founder of CloudFlare a web performance and security company to discuss how she and her co-founders turned an idea into one of the worldrsquos largest networks that powers more than 10 trillion requests per month nearly 10 of all Internet requests for more than 25 billion people worldwide Other speakers included c-level executives founders and investors from a wide variety of leading companies including August Home Cisco Investments Ford Research and Innovation GE Digital KPCB McKesson Ventures Qualcomm Ventures RetailNext Siemens Corporate Research and New Enterprise Associates Inc

Kicking off lsquoTechLawrsquo Stasia Kelly Co-Managing Partner (Americas) of DLA Piper sat down with Mark Chandler Senior Vice President and General Counsel at Cisco to discuss his role as an innovator within the legal industry the challenges in conducting acquisitions and how the legal department is viewed as a business partner During the afternoon sessions Dan Cooperman Of Counsel at DLA Piper chatted with Mike Callahan Senior Vice President and General Counsel at LinkedIn and Hillary Smith General Counsel at Zenefits to discuss the GCrsquos role in such areas as privacy and cybersecurity legal and policy and corporate investigations Other speakers included general counsel and thought leaders from some of the worldrsquos largest and most innovative technology companies including Adobe Systems Intel NetApp Netflix Nike Oracle Pandora PayPal Qualcomm and Samsung Electronics

Please visit our Summit website and blog for any further information

DLA Piper is pleased to announce the launch of Telecommunications Laws of the World

telecommunications laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world

Key features include

telecommunications laws regulations and policies

regulatory bodies or authorities

overview of consents licenses and authorisations

regulatory taxes and fees

key sanctions and penalties

telecommunications infrastructure is at the heart of any global business in the modern age from data security and data resilience requirements through cloud and data centre connectivity requirements to latency minimisation and time-based stamping for trading transactions robust reliable and resilient networks are critical

today telecommunications operators are increasingly seeking to expand customer-specific and value added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion at the same time the growth of ott (over the top) applications raises novel regulatory questions as service providers many of whom have no infrastructure and often no physical presence at all in the country can nevertheless use licensed operatorsrsquo infrastructure to provide services

access telecommunications laws of the World here

wwwdlapipercom | 25

Intellectual property webinar series

Throughout 2016 DLA Piper will be hosting an intellectual property webinar series focusing on the following topics If you are interested in joining these webinars contact eventsaustraliadlapipercom

intellectual property issues in China

confidential information and trade secrets global insights global protection

grey market parallel importation and anti-counterfeiting

content protection and digital piracy

advertising and marketing

Pre-order your copy of the inaugural edition of DLA Piperrsquos Asia-Pacific Trademark Guide

We will soon be releasing the DLA Piper Asia Pacific Trademark Guide a comprehensive review of trademark laws and key tips covering these 18 countries Australia Cambodia China Hong Kong India Indonesia Japan Korea Laos Macau Malaysia Myanmar New Zealand Philippines Singapore Taiwan Thailand and Vietnam

Covering the complete brand life cycle this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific including

trademark filing and prosecution

oppositions

revocation invalidation and cancellation

trademark enforcement

trademark exploitation

unregistered trademark rights

domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide, email APACTMGuide@dlapiper.com.

Are you an in-house lawyer? Join WIN today

WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.

26 | Intellectual Property and Technology News

DLA PIPER ASIA PACIFIC TRADEMARK GUIDE 2016: PRE-ORDER YOUR COMPLIMENTARY COPY NOW

We are pleased to bring you the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.

Relevant for the complete brand life cycle, this user-friendly guide looks at such essential issues as:

trademark filing and prosecution

oppositions

revocation, invalidation and cancellation

trademark enforcement

trademark exploitation

unregistered trademark rights

domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piper's Asia Pacific Trademark Guide, please complete this card or email us at APACTMGuide@dlapiper.com.

www.dlapiper.com | 27

GLOBAL PATENT LAWS AROUND THE WORLD

COMING SOON

Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to businesses operating in the countries featured: for example, what acts infringe a patent, the availability of and approach to granting preliminary injunctions, the ability to obtain evidence, the approach to assessing validity, and the typical time to trial. For companies operating in multiple countries, managing the risk of, and successfully bringing or defending, patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those of other countries.

DLA PIPER'S PATENT GROUP

With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.

For further information, please contact us by email at patents@dlapiper.com.

Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and the procedural matters businesses need to know about. The handbook includes guidance on:

Infringing conduct

Defences to infringement

Before taking action

Patent validity

Taking action

Remedies

Procedure & timing

Benefits of Global Patent Laws: patent laws simply put; global reach; easy access 24/7
