Cloud Computing Contracts and Data Protection Challenges
Sponsorship Agreements: Nine Steps to Maximising Return on Investment
The Contradictory World of Spanish Law Against Late Payment
INTELLECTUAL PROPERTY AND TECHNOLOGY NEWS
perspectives • analysis • visionary ideas
www.dlapiper.com
ASIA PACIFIC
NOVEMBER 2016
Cyber Risk: Securing Your Success
Unfair Contract Terms in the IT Space: What You Need to Know
Insurtech
Proposed Australian Mandatory Data Breach Notification Regime
Significant Changes to Data and Cybersecurity Practices in China
Stricter PRC Online Advertising Regulation in Response to Search Scandal
Mobile Apps Under Close Watch of the Hong Kong Privacy Commissioner
Singapore's Enforcement of Data Protection Law on the Rise
Welcome to the latest Asia Pacific edition of Intellectual Property and Technology News, our biannual publication designed to report on worldwide developments in intellectual property and technology law, offering perspective, analysis and visionary ideas.
This month we have turned our focus to technology. Words such as 'cyber', 'breach' and 'data' are being used more than ever before. In this issue we delve into cybersecurity and the respective laws in Asia-Pacific (page 4). We go further and explore Australia's proposed mandatory breach notification bill (page 14), Singapore's enforcement of data protection (page 22) and significant changes to cybersecurity laws in China (page 16).
Another word that we are hearing more frequently is 'insurtech': we look at the steps insurers are taking to innovate in the technology space (page 12). We also look at unfair contract terms in IT (page 10), privacy and mobile apps in Hong Kong (page 20) and stricter advertising regulations in the PRC (page 19).
Moving into December, we wish you all the best for the season and look forward to working with you in 2017.
Kind regards
EDITOR'S COLUMN
IN THIS ISSUE…
Editor's column
Meet Greg Bodulovic
Cyber risk: Securing your success
Unfair contract terms in the IT space: What you need to know
Insurtech
Proposed Australian mandatory data breach notification regime
Significant changes to data and cybersecurity practices in China
Stricter PRC online advertising regulation in response to search scandal
Mobile apps under close watch of the Hong Kong Privacy Commissioner
Singapore's enforcement of data protection law on the rise
IPT insights
What's on: The award-winning Intellectual Property and Technology News is now published in the United States, Asia Pacific and EMEA regions. Find all current and past editions of the IPT News here: www.dlapiper.com/ipt_news
DLA Piper is a global law firm operating through various separate and distinct legal entities. Further details of these entities can be found at www.dlapiper.com.
This publication is intended as a general overview and discussion of the subjects dealt with, and does not create a lawyer-client relationship. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper will accept no responsibility for any actions taken or not taken on the basis of this publication. This may qualify as "Lawyer Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.
Copyright © 2016 DLA Piper. All rights reserved. | NOV16 | 3154851
Horace Lam, Head of Intellectual Property and Technology – China, horace.lam@dlapiper.com
Melinda Upton, Head of Intellectual Property and Technology – Australia, melinda.upton@dlapiper.com
Edward Chatterton, Head of Intellectual Property and Technology – Hong Kong, edward.chatterton@dlapiper.com
MEET GREG BODULOVIC
How long have you been at DLA Piper, and what brought you to this position?
I joined DLA Piper in September 2016. I came to this position having worked in intellectual property for 10 years, most recently in the Sydney office of a large US firm.
Having qualifications in biotechnology and experience in patent litigation and advising on the regulation of therapeutic goods, I was particularly drawn to DLA Piper's life sciences sector, as well as the breadth and scope of the IPT practice in Australia more generally. The people at DLA Piper, the firm culture and the opportunities to work on high-profile matters and in cutting-edge areas of technology were all key to my decision to join.
I have really enjoyed my time at the firm – the IPT team in Sydney is fantastic, and I have also had the opportunity to meet and work with colleagues in Melbourne, which has been an equally positive experience.
What do you love about your job?
I love the breadth and variety of work within the area of intellectual property law and the exposure to various technologies and brands. Over my career I have been fortunate to have worked on various contentious and non-contentious patent, design, trade mark and copyright matters in fields as diverse as pharmaceuticals and medical devices, food and beverages, software and hardware, clothing and fashion, and consumer goods. I also advise on transactional intellectual property matters, which has enabled me to work on the intellectual property and technology aspects of large multi-jurisdictional corporate transactions. I have also had the opportunity to be seconded to a medical devices company as an in-house counsel, which gave me an insight into the practical application of legal advice from the client perspective.
Also, it goes without saying that I enjoy overcoming the challenges encountered on a daily basis in the course of my job, and obtain satisfaction from achieving a successful outcome.
Do you have any hobbies and interests outside of work?
I try to keep fit by running, cycling and playing tennis. I have a keen interest in modern art (and am involved with the Museum of Contemporary Art in Sydney), as well as in technology and innovation. Recently, most of my time outside of work has been spent with my 10-month-old daughter.
Greg Bodulovic, Senior Associate, Sydney. T +61 2 9286 8218, greg.bodulovic@dlapiper.com
www.dlapiper.com | 03
CYBER RISK: SECURING YOUR SUCCESS
Recently Aon, DLA Piper and Symantec hosted a cyber risk symposium across Australia. The guest speakers on the day delivered important clarity regarding the global threat environment. This article is a summary of the legal influences on the cyber risk landscape and the technology solutions and strategies available that were discussed throughout the event. It also explores the growing role played by cyber insurance in underpinning safe and sustainable business models.
04 | Intellectual Property and Technology News
Cyber security is becoming part of the national conversation. It is a conversation initiated by a rash of attacks on public and private computing infrastructure, propelled by the Federal Government's cyber security strategy released in early 2016, and amplified by the high-profile Census debacle.
But cyber security requires more than talk: it demands action. Organisations that effectively identify and plot their risk profile, take steps to manage, mitigate and, where appropriate, transfer that risk, secure their future and are better poised to reap competitive rewards.
By being able to demonstrate a sophisticated and comprehensive approach to cyber security, a company positions itself as a favoured and trusted business partner. But this is not a set-and-forget strategy: the threat landscape is in a state of constant flux, and organisations need to regularly review and refresh their approach.
The global threat environment
There are no longer any doubts that cyber risk is an immediate and significant issue for enterprises of all scales and in every sector. Left unchecked, it can bring corporations and countries to their knees.
According to Professor Greg Austin, director of the Australian Centre for Cyber Security, one of the major challenges is that the full dimensions of the problem are still being assessed globally. But he notes that US President Barack Obama has for the second year declared a national emergency in cyberspace, which indicates the scale and seriousness of the global problem.
China also has stepped up its efforts in the area, according to Prof Austin, under the direct control of the President, and has introduced a draft bill on cyber security.
In Australia, the Prime Minister has assessed that cyber-crime has an economic impact ranging somewhere between $1 billion and $17 billion. Prof Austin said that extraordinary range indicates the continued lack of clarity about the true extent of the problem.
Where there is no lack of clarity is in the acknowledgement that there is a problem, and senior managers and boards are increasingly concerned.
A PricewaterhouseCoopers report into global economic crime has for the first time identified cyber-crime as the number one threat, edging out asset misappropriation.
Prof Austin says that eight vectors of attack are currently in evidence – software, hardware, networks, payload, people, power supply, policy and ecosystem. In addition, nine major sources of threats have been identified, and Symantec data suggests there are as many as 30 different threat types.
These variables in combination make it difficult, if not impossible, to prevent any and all attacks. Prof Austin's warnings are stark: "The criminals are always ahead of you or I … the bad news is that governments are well behind criminals and corporates."
While he acknowledges that the chances of a serious cyber-attack on any one corporation or entity are quite low, the probability that the consequences will be severe in a handful of cases is extremely high. And that, he says, is what organisations need to prepare for.
Legal influences on the cyber risk landscape
Legislation and regulation often lag behind technology, and this is particularly evident in the cyber security area, where nations continually play catch-up.
Enterprises operating internationally must navigate a global legal landscape in constant flux and establish strategies for managing security and data that comply with regulations locally and regionally.
This is particularly challenging for companies migrating information systems to the cloud. While there may be scale, cost and flexibility benefits associated with cloud computing services, it is essential to review contracts regarding how data will be treated and to identify any potential security gaps.
Blue Edge Lab, a wholly owned subsidiary of DLA Piper, delivers a solution to track legislative changes regionally called CyberTrak. (Blue Edge Lab is not a law firm and does not provide legal services.) Organisations which operate in multiple jurisdictions must navigate complex rules surrounding privacy, data and security. Scott Thiel, DLA Piper partner specialising in technology and privacy, says that organisations operating in multiple jurisdictions need to decide whether to take a "high watermark approach" and establish security and privacy settings that meet the most stringent conditions in the countries in which they operate, or tackle the issue country by country.
Neither is ideal – the costs associated with meeting high watermark regulation across the region could be high, while a piecemeal approach could be difficult to maintain, especially given the rapid pace of change. However, failing to address the issue properly is a mistake with potentially serious financial implications: witness the company sued for HK$15 million over a consumer's "hurt feelings" regarding unauthorised exposure of their data.
Beyond compliance, there is the opportunity to leverage investment in cyber security and data protection to deliver competitive advantage, especially following the Panama Papers leak, which threw the issue into sharp relief.
Organisations pitching for work, responding to tenders or planning an IPO may find it an advantage to be able to reference a comprehensive, even audited, data collection, storage and use strategy, along with a well-constructed and rehearsed cyber security plan. That plan should leverage technology solutions and services such as encryption, penetration testing and employee education, along with an appropriate insurance framework to mitigate and transfer the risk of financial consequences associated with a breach.
In the event of a breach, this also streamlines discussions with regulators. An enterprise able to identify where its data is stored (whether on premises or in the cloud), and also reference the technologies, policies and procedures in place to protect that data, should also then be able to identify where the plan proved lacking in the event of a breach and provide a voluntary undertaking to the regulator to fix that issue.
Says Thiel: "Institutional awareness of how systems hang together will speed root problem analysis and rectification."
Cyber rules around the region
Australia: the arrival of a new privacy amendment Bill and mandatory data breach notification for serious breaches is expected to be a game changer.
China: racing ahead in terms of regulations, and has a security draft law which will have significant implications for international companies operating in the PRC.
Hong Kong: specific and stringent security requirements. While there are no data breach notification rules, these are expected in 12–18 months. The first person to be jailed for a privacy breach was a Hong Kong based insurance broker.
Singapore: legislation in place for over two years, and more meaningful enforcement is anticipated, while regulations are expected to evolve, particularly for foreign enterprises.
Japan: a mix of regulations impacting various industries, but a strong culture of compliance, meaning the level of enforcement is low because of fear of reputational damage.
South Korea: a long tradition of privacy and security law and robust enforcement, with serious enterprise consequences.
Thailand: some constitutional requirements, but no breach notification.
In the event of a breach…
1. Refer to the data breach response plan.
2. Call lawyers to preserve privilege.
3. Involve communications and PR team.
4. Alert insurers to the breach.
5. Seek advice from lawyers and insurers regarding extortion (ransomware) attempts before any payments.
6. Engage incident response team to analyse breach and remediate.
Access DLA Piper's cyber incident/data breach response: Your emergency checklist here: https://www.dlapiper.com/en/australia/insights/publications/2015/04/cyber-data-breach-checklist
Assessing the technology/insurance inflexion point
Technology and education are the first frontier of data protection and cyber security. Investing in a spread of security technologies such as firewalls, encryption, system monitoring, vulnerability assessments and penetration testing, along with effective employee education programmes to ensure staff understand how to avoid spear phishing or ransomware attacks, is essential for any organisation.
There is, however, a point at which additional investment in security offers diminishing value. At this inflexion point, an organisation needs to refocus its investment attention toward cyber risk insurance.
Tim Fitzgerald, Chief Security Officer and VP at Symantec, explains that exactly when an organisation reaches that inflexion point will vary, and will also be impacted by the scale of an organisation's data collection, its reliance on cloud computing services, deployment of internet of things devices, and the mobility of its workforce and user base.
He recommends that organisations conduct a cyber risk assessment, analyse the data stores held and assess by whom and why they may be targeted, and then develop a security strategy based on that insight. The board and senior managers need to be apprised of the security risk and strategy, and through gap analysis determine the need for cyber insurance, understanding that conventional corporate insurance policies are unlikely to properly protect an organisation in the event of a cyber-attack.
A data breach response plan, which can be informed by the Office of the Australian Information Commissioner's guidelines (https://www.oaic.gov.au/resources/agencies-and-organisations/guides/data-breach-notification-guide-august-2014.pdf), ensures that should a cyber-attack occur, the organisation and staff understand their responsibilities. A comprehensive response plan also demonstrates good governance to business partners, investors and regulators.
However, any cyber response plan must remain a living document and needs regular review, ensuring that current regulatory requirements are acknowledged.
In addition, any personnel with responsibilities under that plan must be properly trained to act swiftly in the event of a breach. The plan should also identify any third party support services required should an attack occur, allowing engagement contracts to be negotiated well in advance.
Organisations attacked once are three times more likely to be attacked again – Symantec
45x more cyber ransom events year on year – Symantec
Digital transformation and the impact of insurance
Once an organisation has deployed robust technology defences, educated staff about the risks of cyber-attack and promulgated policies about how to react and respond to cyber events, it has laid important foundations for its protection.
Those people, process and technology foundations provide a platform from which the organisation is able to negotiate appropriate and cost-effective cyber insurance.
By analysing the potential impact of an attack on the financial statement, the organisation can determine what coverage it requires.
Kevin Kalinich, Aon's global cyber practice leader, advises organisations to look at the industry in which they operate and benchmark the range of losses that could arise, knowing the value of data assets held and the impact of a cyber-attack in terms of business interruption, the impact on supply chains, on SCADA industrial control systems, and on reputation and brand.
The anticipated introduction of mandated data breach notification should spur action, and organisations with international operations need to ensure that they are properly protected in all the geographies in which they operate. Based on international experience, mandated breach notification leads to significant costs associated with legal services, regulator notification, customer notification, forensics, remediation and potentially compensation claims.
"Take steps to mitigate, to allocate liability or minimise your own liability. This is not all about prevention – it is about your response. If you have prepared a response, there is data that shows you can reduce the total cost of an incident," says Kalinich.
He also warns that organisations should not assume that their existing insurance policies provide any coverage in the event of a cyber-attack, nor that a third party information systems provider, such as a cloud computing vendor, would have them covered. Similarly, existing directors and officers policies and professional indemnity coverage might prove inadequate should a cyber-attack take place.
In order to properly analyse the risk profile, Kalinich advocates risk quantification modelling in combination with Monte Carlo evaluation techniques. The resulting macro-level understanding of the challenge allows an organisation to then work with an insurance broker to craft appropriate risk coverage.
Off-the-shelf policies have limited value. Base cyber insurance policies can cover external hacks, malicious code and internal mistakes – but may not cover the impact of a bug in the system. Consequential – punitive, incidental – costs are excluded from all base insurance policies, as is tangible property damage, but these can be negotiated in a customised policy.
Effective cyber insurance policies also cover costs associated with legal support, communications costs, forensic analysis, notification and remediation services.
Kalinich warns, however, that given the changes in the legal landscape and the technology terrain, this is not a set-and-forget requirement, noting that risk assessment needs to be both thorough and regular.
Armed with that insight, the organisation can work with an insurance broker to find, tailor and stress test a cyber insurance policy to ensure the effective reduction of enterprise risk.
Cyber risk: are you properly prepared?
There are four key questions that every organisation needs to address regarding cyber risk and protection:
What can go wrong?
How bad can it be?
How am I protected?
Will my insurance work?
Assessing the organisational risk profile requires input from multiple stakeholders, including the chief financial officer, chief information security officer, risk management head and legal counsel. External consultants can also provide a fresh lens through which to explore exposure.
Knowing the risk is one thing – dealing with it effectively also demands the support of the most senior management and board. Effective security requires a whole-organisation commitment from the top down.
The anticipated mandatory breach notification legislation will require organisations to alert authorities not only when they are aware of a breach but when those organisations "ought reasonably to have been aware", which suggests regulators may penalise companies found to have inadequate security systems. It is also not yet clear whether there will be any extra-territorial implications of the legislation for organisations operating overseas branches or subsidiaries.
Cyber security is a critical issue for organisations of every scale and in every sector. Robust and comprehensive security frameworks, a well-crafted response plan and effective cyber insurance, developed in concert and reviewed regularly, deliver the maximum protection and an important competitive edge.
UNFAIR CONTRACT TERMS IN THE IT SPACE
WHAT YOU NEED TO KNOW
Sarah Dolan, Senior Associate (Melbourne), and Stephanie Tran, Graduate (Melbourne)
The 'one size fits all' approach to contracting is a common feature within the IT industry. Standard form contracts are an efficient and cost-effective method of doing business, and are often used for online terms of use and projects which are of low risk, value and/or complexity.
From 12 November 2016, the unfair contract terms regime in the Australian Consumer Law, which until then only applied to individual consumers, was extended to contracts where at least one party is a "small business" and the upfront price payable is $300,000 (or $1 million if the contract is for a term longer than 12 months). A "small business" is a business that employs fewer than 20 people. It will also apply to contracts which are varied after 12 November 2016.
What is an "unfair" contract term?
Whether a term is "unfair" is decided by a court or tribunal. A term is "unfair" if the following three criteria are satisfied:
• it causes a significant imbalance in the parties' rights and obligations under the contract;
• it is not reasonably necessary to protect the legitimate interest of the party who would be advantaged by the term; and
• it would cause detriment (whether financial or otherwise) to a party if the term were relied upon.
A court or tribunal, in determining whether a term is unfair, must assess the transparency of the term. This includes an assessment of how the term is expressed: is it in plain language, and is it presented clearly? The court or tribunal must also consider the term in light of the contract as a whole, and not in isolation.
Unfair terms in standard form contracts
Examples of standard form contract terms that may be challenged in court or at a tribunal for "unfairness" include:
• terms requiring the customer to indemnify the supplier for any damage caused, even if it is caused by the supplier's own negligence;
• terms that allow a supplier to cancel a contract at will for an inconsequential breach of contract by the customer;
• terms that restrict a customer from obtaining a refund or exercising a termination right where the supplier has failed to meet its obligations under the contract; and
• terms that provide for automatic renewal without the customer's consent.
What does this mean for your business?
Where a supplier's business model is directed at providing services to small to medium enterprises (SMEs), and the supplier has not had to address this issue in the past for "consumer" customers, it is likely to be impacted by this extension of the unfair contract terms regime. Standard form contracts (eg online terms of use, confidentiality agreements, software licences, support agreements, supply and/or services contracts) for SME customers should be reviewed to determine whether any of the terms may be considered "unfair".
If a court determines that a term is "unfair", it can make a range of orders, including declaring part or all of the contract void and/or varying the contract. If a court orders a contract to be varied, this may result in the supplier being unable to enforce other rights it may otherwise have, either under the contract itself or at law.
Additionally, customers which are small businesses may challenge contract terms that they consider are unfair to prevent a supplier from enforcing express rights under the contract. Such challenges will cost a supplier both time and money to address, even if it is able to successfully defend the claim. In addition, in this day of instant and free customer feedback on social media sites, there is also the risk of reputational damage in the market.
Suppliers should ensure their standard terms are appropriate for the type, size and nature of both the target customer and the goods and services being provided, with an appropriate balance of risk and responsibility between the parties.
INSURTECH
Carolyn Bigg, Of Counsel (Hong Kong), and Sarah Fountain, Senior Associate (Melbourne)
The customer experience of insurance has largely remained the same for many years. A customer completes a proposal form (normally in hard copy) and submits it to the broker; the broker requests quotes from insurers; insurers provide quotes; the broker places a policy; the policy is issued (normally on an annual basis); and then the customer probably gives no further thought to it unless he or she needs to make a claim. This process does not fit well with the digital era we now live in, and has not adapted quickly enough to meet changing consumer expectations, largely driven by millennials.
Insurers widely recognise the need to innovate. Despite this, most insurers have been slow to change their ways, with less than a quarter giving customers the option to submit claims online. This signals huge opportunities for those in the insurance sector, which explains the huge growth we are seeing in 'insurtech' (a word that was barely known a few years ago but now seems to be everywhere). Globally, investment in insurtech increased from US$800 million in 2014 to US$26 billion in 2015, and was US$1 billion in the first half of 2016.
Across Asia Pacific there are numerous examples of insurers embracing insurtech. Some insurers have opened innovation labs or incubators, such as Metlife's LumenLabs in Singapore. Others have established corporate VC funds to invest in insurtech startups that will drive value for the business. For example, Suncorp recently invested in Trov, an app that allows customers to turn insurance on and off by swiping right or left on their phones. We have also seen collaboration between insurers and car manufacturers to make available one-click, single-use motor vehicle policies in connected cars, as well as collaboration between insurers and technology companies. Another indicator of the opportunities in insurtech is the level of interest shown in the insurance market by leading players in other markets. For example, earlier this year China Mobile announced it is planning to enter the insurance market by making significant investments in two insurance companies.
These initiatives are already starting to have an impact on the insurance experience. The use of drones by insurance companies to assess property damage is reducing claims costs and the time taken to assess claims. The implementation of wearable technology in the workplace, such as smart glasses and smart hats, is increasing workplace safety and thereby reducing the risk of injuries. The use of wearable devices has also been adopted by health insurers and life insurers, enabling them to capture data and potentially pass on lower premiums to policy holders. In the future, we predict the most significant areas of growth and change in insurtech will be data analytics, wearables and IoT, blockchain and artificial intelligence.
Whilst regulators understandably adopt a cautious approach, they are taking steps to encourage fintech and insurtech initiatives. The Monetary Authority of Singapore very recently published guidelines for a 'regulatory sandbox' to encourage growth in fintech within a relaxed regulatory environment. This follows the announcement by the Australian Securities & Investments Commission of a sandbox for fintech businesses.
As the insurance sector becomes increasingly digitised, cybersecurity risks also increase. Regulators around the region have published new and updated guidance that is relevant to the increasingly sophisticated cybersecurity threats. It is important that insurers' compliance and risk teams focus not only on the immediate cybersecurity compliance obligations arising from the latest regulations, but also ensure that cybersecurity compliance programmes are developed to take into account increasing reliance on technology and data at the core of their operations.
As technology continues to evolve and improve, insurtech opportunities will increase. Although the rise of insurtech has been rapid in recent years, it is still in its infancy. This presents significant opportunities for insurers who adapt to changing consumer expectations and invest in insurtech, especially in Asia, where many people are uninsured but are well connected and spend a lot of time online via their mobile devices. Adapting quickly to this dynamic landscape will enable insurers to remain competitive.
In October 2016, the Federal Government introduced the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill) to the House of Representatives to amend the Privacy Act to establish a regime for mandatory notification of eligible data breaches. There is bipartisan support for the Bill, and it is likely to become law in late 2016 or early 2017.
What are the mandatory data breach notification requirements under the Bill?
The Bill requires that an entity must, as soon as practicable, comply with the notification steps outlined below if:
• the entity becomes aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity; or
• the Information Commissioner directs the entity to do so.
If an 'eligible data breach' occurs in relation to information which has been disclosed to (and is held by) an overseas recipient by an entity, the entity that disclosed the information must comply.
Step 1: Prepare a statement setting out the prescribed details
The affected entity must prepare a statement that sets out:
• the identity and contact details of the entity. If the eligible data breach relates to more than one entity, the statement may set out the identity and contact details of those other entities;
• a description of the eligible data breach;
• the kind or kinds of information affected by the eligible data breach; and
• recommendations about the steps that individuals who are or may be affected by the eligible data breach should take in response to it.
If a statement is prepared at the direction of the Information Commissioner, the statement must also include any information specified in that direction.
Step 2: Give a copy of the prepared statement to the Information Commissioner
Step 3: Notify the contents of the statement to individuals whose information is affected by the eligible data breach
Where practicable, the affected entity must take reasonable steps to notify the contents of the statement to those individuals who are or may be affected by the eligible data breach. The entity may use the channels it ordinarily uses to communicate with individuals (eg email, text message, mail) to provide those notifications, but that does not limit the obligation to take reasonable steps or the methods of communication that the entity can use.
If it is not practicable for the affected entity to notify individuals, the affected entity must publish a copy of the statement on its website (if any) and take reasonable steps to publicise the contents of the statement.
PROPOSED AUSTRALIAN mANDATORY DATA bREACH NOTIfICATION REGImEBy nicholas Boyle senior associate (sydney)
14 | Intellectual Property and Technology News
What are lsquoeligible data breachesrsquo
An lsquoeligible data breachrsquo occurs when
there is unauthorised access to or unauthorised disclosure of personal credit reporting or credit eligibility information or a tax file number a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates or
personal credit reporting or credit eligibility information or a tax file number is lost where it is likely that (a) unauthorised access to or unauthorised disclosure of the information will occur and (b) such unauthorised access or disclosure will result in serious harm to an individual to whom the information relates
Remedial action exception to the definition of eligible data breaches
An eligible data breach is deemed never to have occurred where the affected entity
in the case of lost information takes action before there is unauthorised access to or unauthorised disclosure of information which is lost and no unauthorised access or disclosure actually occurs or
in the case of information which is the subject of unauthorised access or disclosure takes action before there is serious harm to any individual to whom the information relates and because of that action a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals
What is lsquoserious harmrsquo
lsquoSerious harmrsquo is to be interpreted broadly The explanatory memorandum to the Bill states that lsquoserious harmrsquo could include serious physical psychological emotional economic and financial harm and serious harm to reputation
The Bill contains a non-exhaustive list of matters to be considered in determining whether or not access to or disclosure of information is likely to result in ldquoserious harmrdquo These matters include
the kind(s) and sensitivity of the information
whether the information is protected by one or more security measures and the likelihood of any of these measures being overcome
the persons or the kinds of persons who have obtained or who could obtain the information
the nature of the harm
Exceptions
There are a small number of circumstances in which entities are exempted from complying with the notification obligations
multiple affected entities Where the eligible data breach affects more than one entity and another entity has complied with the notification obligations those other affected entities do not need to separately comply
Enforcement related activities Where the affected entity is an enforcement body and the bodyrsquos CEO reasonably believes that complying with the notification obligations are likely to prejudice any of its enforcement related activities
Inconsistency with a secrecy provision Where complying with the notification obligations is to any extent inconsistent with a provision of a law of the Commonwealth that prohibits or regulates the use or disclosure of information
Declaration by the Commissioner Where the Information Commissioner declares that the notification obligations do not apply or specifies a particular time by which the affected entity must comply with the notification obligations
Assessment of suspected eligible data breaches
If an entity has reasonable grounds to suspect an eligible data breach may have occurred but is not aware of reasonable grounds to believe that an eligible data breach has in fact occurred the entity must carry out a reasonable and prompt assessment to determine whether an eligible data breach has in fact occurred This could occur where an entity is notified of a breach by a third party
The entity must take reasonable steps to complete the assessment within 30 days after forming the suspicion
If the eligible data breach applies to more than one entity only one entity needs to undertake an assessment for all entities to comply with this requirement
wwwdlapipercom | 15
SIGNIFICANT CHANGES TO DATA AND CYBERSECURITY PRACTICES IN CHINA
By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong), and Paula Cao, Associate (Beijing)

After a third deliberation, the Chinese government passed the new PRC cybersecurity law on 7 November 2016. The new law will come into force on 1 June 2017 and has significant implications for the data privacy and cybersecurity practices of both Chinese companies and international organisations doing business in China.

The new PRC cybersecurity law intends to combat online fraud and protect China against internet security risks. In short, it imposes new security and data protection obligations on "network operators", puts restrictions on transfers of data outside China by "key information infrastructure operators" and introduces new restrictions on critical network and cybersecurity products.

The new law has been widely reported in both the local and international press. While Chinese officials maintain that China is not closing the door on foreign companies with the introduction of this new law, there has been widespread international unease since the first reading. Commentators have expressed concerns that competition will be stifled, about the handover of intellectual property, source code and security keys to the Chinese government, about perceived increased surveillance and controls over the internet in China, and about the data localisation requirements. Other new obligations, including increased personal data protections, have been less controversial, but are a clear indicator of the increased focus within the Chinese authorities on data protection and could signal a change to the data protection enforcement environment in China.

Some of the key provisions of the final law (which contains some changes to earlier drafts of the law) include (inter alia):

Chinese citizens' personal information and "important data" gathered and produced by "key information infrastructure operators" (KIIOs) during operations in China must be kept within the borders of the PRC. If it is "necessary" for the KIIO to transfer such data outside of China, a security assessment must be conducted pursuant to the measures jointly formulated by the National Cyberspace Administration and State Council, unless other PRC laws permit the overseas transfer. While the final version of the law provides some guidance as to the industry fields that will be ascribed greater protection, such as public communications and information services, energy, transportation, water conservancy, finance, public services and e-government, the definition of KIIO remains vague and could potentially be interpreted to cover a broader range of companies and industry sectors. "Personal information" is defined as including all kinds of information recorded electronically or through other means that, taken alone or together with other information, is sufficient to identify a natural person's identity, including but not limited to natural persons' full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers and so forth. However, the types of information that might constitute "important data" are currently unclear. In any case, these data localisation rules are likely to create practical issues for international businesses operating in China.

A range of new obligations apply to organisations that are "network operators" (ie network owners, network administrators and network service providers). A "network" means any system comprising computers or other information terminals and related equipment for the collection, storage, transmission, exchange and processing of information. Some commentators are suggesting that these broad definitions could catch any business that owns and operates IT networks/infrastructure, or even just websites, in China.

In terms of data protection, network operators must make publicly available data privacy notices (explicitly stating the purposes, means and scope of personal information to be collected and used) and obtain individuals' consent when collecting, using and disclosing their personal information. Network operators must adopt technical measures to ensure the security of personal information against loss, destruction or leaks and, in the event of a data security breach, must take immediate remedial action and promptly notify users and the relevant authorities. They must also comply with principles of legality, propriety and necessity in their data handling and not be excessive, not provide an individual's personal information to others without the individual's consent, nor illegally sell an individual's personal data to others. The rules do not apply to truly anonymised data. There are also general obligations to keep user information confidential and to establish and maintain data protection systems. Data subject rights to correction of their data, as well as a right to request deletion of data in the event of a data breach, are also provided. While an earlier draft specifically provided protection to the personal information of "citizens", the final law does not make this distinction and so seemingly offers broader protection to all personal information. These requirements formalise as binding legal obligations some data protection safeguards that were previously only perceived as best practice guidance in China.

As regards network security, network operators must fulfil certain tiered security obligations according to the requirements of the classified protection system for cybersecurity, which includes (amongst other things): formulating internal security management systems and operating instructions; appointing dedicated cybersecurity personnel; taking technological measures to prevent computer viruses and other similar threats and attacks; formulating plans to monitor and respond to network security incidents; retaining network logs for at least six months; undertaking prescribed data classification, back up, encryption and similar activities; complying with national and mandatory security standards; reporting incidents to users and the authorities; and establishing complaints systems. The six-month log retention period is one of the few quantified technical controls in the law, and retention settings on China-hosted network and security logs are an obvious first item to check against it.

Network operators must also provide technical support and assistance to state security bodies safeguarding national security and investigating crimes, and will be subject to government and public supervision. The form and extent of such cooperation is not currently clear, and international businesses have expressed concerns over the extent to which this may require them to disclose their IP and proprietary and confidential information to the Chinese authorities.

More general conditions on network operators carrying out business and service activities include obeying all laws and regulations, mandatory and industry national standards, social norms and commercial ethics, being honest and credible, and bearing social responsibility. There are also requirements on network operators to block, delete and report to the authorities prohibited information and malicious programs published or installed by users.

Network operators handling "network access and domain registration services" for users, including mobile phone and instant message service providers, are required to comply with "real identity" rules when signing up or providing service confirmation to users, or else may not provide the service.

Additional security safeguards apply to KIIOs, including security background checks on key managers, staff training obligations, disaster recovery back ups, emergency response planning and annual inspections and assessments. Further, strict procurement procedures will apply to KIIOs buying network products and services.

Providers of "network products and services" must comply with national and mandatory standards; their products and services must not contain malicious programs; they must take remedial action against security issues and report them to users and the relevant authorities; and they must provide security maintenance for their products and services, which cannot be terminated within the contract term agreed with customers. These new conditions will require providers of technology products and services to review and update their product and related maintenance offerings and, in particular, the contractual terms on which they are offered to customers.

Critical network equipment and specialised cybersecurity products must obtain government certification or meet prescribed safety inspection requirements before being sold or provided. This potentially catches a wide range of software, hardware and other technologies being sold, or proposed to be sold, by international companies in China, since the definitions used in the law are drafted very broadly. Further guidance, by way of a catalogue of key network products, is expected in due course. There are concerns that this may create barriers to international businesses looking to enter the Chinese market.

Each individual and organisation shall be responsible for its own use of websites and may not set up websites or communication groups for the purpose of committing fraud, imparting criminal methods, producing or selling prohibited items or engaging in other unlawful activities. Again, there is scope for this to be interpreted and applied broadly.

Institutions, organisations and individuals outside China that cause serious consequences by attacking, interfering with or destroying key information infrastructure of China shall be responsible for any damage, and the relevant public security department of the State Council may freeze assets and impose other sanctions against them. While these provisions would appear to have an extra-territorial effect and could be interpreted very broadly, it is unclear what sanctions could in practice be enforced against organisations without a presence in China.

Other new rules relate to network/online protections for minors, the establishment of schemes for network security monitoring, early warning and breach notification to the relevant authorities and the public, rights for individuals and organisations to report conduct endangering network security, the opening of public data resources, and prohibitions on hacking and supporting activities.

While criminal sanctions, administrative penalties and civil liabilities potentially await those (both organisations and, in some circumstances, individual employees and officers) who violate the new law, unfortunately great uncertainties remain as to how the new legislation will be enforced, who exactly is caught by the various new rules and the precise steps that organisations must take to comply with them. It is hoped that the Chinese authorities will publish more detailed practical guidance in the coming months. In the meantime, organisations are strongly advised to review their data privacy and cybersecurity practices in China to ensure compliance with the new law before it comes into force on 1 June 2017, and to keep these under review as further guidance becomes available.
STRICTER PRC ONLINE ADVERTISING REGULATION IN RESPONSE TO SEARCH SCANDAL
By Edward Chatterton, Partner (Hong Kong), Horace Lam, Partner (Beijing), and Ian Jebbit, Registered Foreign Lawyer (Hong Kong)

The China State Administration of Industry and Commerce's Online Advertising Regulation (Regulation) came into force on 1 September 2016. The Regulation has been widely regarded as the response to a recent scandal regarding paid search results.

Earlier this year a promising college student in China, Wei Ze Xi, sought cancer treatment at a hospital which was returned as a paid search result on an internet search engine. The hospital promised that the treatment would be effective and charged Wei US$30,000. The treatment was later found to be ineffective, but Wei could not then afford further

The changes

The newly amended Advertising Law did not expressly address the regulation of 'paid search results', but the new Regulation includes a specific definition of paid search results which sees them classified as an internet advertisement and thus subject to the Advertising Law. As such, the Regulation means, inter alia, that paid search results:
must not be misleading;
cannot be used in relation to the advertisement of prescription medication and tobacco products;
cannot be used in relation to the advertisement of medical services, medicine, medical formula food, medical devices, pesticides, veterinary medicines and health care products unless the relevant products and services have been previously approved by the relevant authorities; and
must be able to be closed with 'one click' and must not interfere with a user's internet experience.

The Regulation also requires online advertising service providers to establish internal systems for, inter alia, identifying clients who use paid search results and storing their details and advertisements.

Practical implications

The new Regulation affects not only search engine providers but all online advertising businesses and users of paid search results.

Businesses advertising in China using paid search results must check to ensure such paid search results are in compliance with the Advertising Law, and those businesses operating in any of the restricted fields listed above must now ensure prior approval is sought before placing a paid search result advertisement.

Our team of lawyers in China is ready to advise you on the preparations you need to make for the implementation of the Regulation.
MOBILE APPS UNDER CLOSE WATCH OF THE HONG KONG PRIVACY COMMISSIONER
By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong)

The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps. On 21 April 2016 the Office of the Privacy Commissioner for Personal Data (the PCPD) held the 'Mobile App Development Forum on Privacy and Security' (Forum) for the mobile app industry, which discussed key issues for mobile app developers, businesses and stakeholders to consider when developing and operating mobile apps, in terms of ensuring compliance with the provisions of the Personal Data (Privacy) Ordinance and safeguarding users from cybersecurity risks.

Businesses operating in the mobile app industry and related stakeholders are advised to take note of the key points raised at the Forum set out below, and of the related issues that they should consider.

Lessons to learn from mobile apps in the market

The Privacy Commissioner highlighted the results of a recent survey on popular mobile apps developed by Hong Kong entities, which revealed a lack of transparency in the personal data handling of the apps. The survey results revealed that most of these local apps did not explain clearly what data they would access and the purposes for such access, and that only around half of these mobile apps provided a privacy policy.

A key risk discussed at the Forum was that the drafter of the privacy policy may not have a complete understanding of what data is in fact collected, stored, used and/or shared by the app, for example where third party code is used in the app's development. A bundled analytics or advertising library can collect device identifiers, location or contact data that the app's own code never touches, so the policy should be checked against what the built app actually requests and transmits (its permissions and the endpoints it contacts), not only against what the in-house developers believe it collects. Businesses using one privacy policy for all of their mobile apps, which differ greatly in the way users' data are handled, also run the risk of having imprecise privacy policies for individual apps.

Security remains a key concern in relation to personal data collected and handled by mobile apps. It was revealed at the Forum that, alarmingly, some extremely popular mobile apps failed to apply adequate security to safeguard users' personal data.

Enforcement risks for mobile apps

At the Forum the Privacy Commissioner referred to enforcement actions that were taken against mobile apps recently, largely due to excessive data collection and inadequate security of personal data.

In recent years the Privacy Commissioner has served enforcement notices on operators of mobile apps as well as on related parties to the app operators. As a result, the relevant companies have taken corrective actions and, in some instances, the Privacy Commissioner's enforcement action attracted much media attention and some of these mobile apps are no longer available in the market.

However, there is a limit to the Privacy Commissioner's enforcement powers, as demonstrated by a high profile incident in November 2016 regarding call-blocking apps whose activities were suspected by the PCPD to contravene Hong Kong's data privacy law. As the apps' operators were located outside Hong Kong, the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow up action.

It is most likely that the privacy compliance of mobile apps will continue to be under the close watch of the Privacy Commissioner in the coming months.

Privacy by Design

The Chief Personal Data Officer of the PCPD, Dr Henry Chang, highlighted the 'Privacy by Design' approach that businesses should adopt, which brings privacy to the foreground and embeds privacy from the outset into the design specifications and throughout the entire development life cycle of a mobile app. Set out below are key factors that should be considered.

Data minimisation – The collection of personal data should be reduced to the absolute minimum, especially where sensitive personal data is involved. An assessment of what data the business requires from users, in terms of access and collection, should be undertaken at the outset.

Surprise minimisation – Businesses should ensure there is transparency to users in terms of what data will be collected or accessed, and provide users with a choice to opt out from such access or use where possible. It is important for businesses to manage the expectations of users and eliminate or minimise any possible adverse effects of data collection and use.

Risk minimisation – Businesses must ensure adequate protection of data being transmitted and/or stored, for example through encryption and access control.

Trust and respect – To earn the trust and respect of users, it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects, even if it does not amount to personal data. This is key, as mobile devices contain a vast amount of personal data and other data that may be considered private, and users would be concerned about whether the mobile app accesses or collects any of this data.

In particular, businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users, rather than as a compliance hurdle to avoid investigation or enforcement action by the Privacy Commissioner. Businesses should ensure that the data collection and handling practices in respect of their mobile apps are not only compliant with the law, but that the privacy policies and privacy notifications and consents are sufficiently clear and transparent to gain the trust and respect of users.
SINGAPORE'S ENFORCEMENT OF DATA PROTECTION LAW ON THE RISE
By Scott Thiel, Partner, Carolyn Bigg, Of Counsel, and Amy Kong, Associate (Hong Kong)

Singapore's Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC has published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident with the Monetary Authority of Singapore (MAS) concerning a multinational bank. The PDPC has also recently announced the need for organisations to improve their data security and data protection measures, and has issued new guides, primarily focusing on data protection measures, which organisations should consider carefully.

Recent enforcement decisions

Some of the key points to note from the three recent enforcement decisions:

A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.

A document processing company was fined SGD 5,000 for a data breach after 195 individuals received account statements of other account holders held on the Singapore Exchange.

A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (being the policy holder's chiropractor) in September 2015 in order to obtain further medical information about the policy holder. The PDPC found that the disclosure of the policy holder's bank account details, being of a sensitive financial nature, was not for a reasonable purpose.

It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of 'sensitive personal data' requiring additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.

As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were a result of inadequate data security measures which led to unauthorised disclosure of personal data.

Investigation into a multinational bank's data disposal incident

The PDPC and the MAS have joined forces in an investigation against a multinational bank (Bank) following a recent report relating to the Bank's disposal of client documents. In June 2016 it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank's headquarters in Singapore.

The MAS is working closely with the PDPC to review the incident and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers' data.

New guides issued by the PDPC

To accompany its recent media release urging organisations to improve their data security measures, and in light of the recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, securing personal data in electronic medium, and building websites for small to medium enterprises.

The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding content on withdrawal of consent and access requests. Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing their data handling practices.

Some interesting issues to note

The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third party contracts. Such data protection clauses should contain specific security measures, a schedule listing the authorised personnel who are permitted to access the personal data on a 'need to know' basis, a requirement for a written undertaking about the return or deletion of personal data, as well as a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.

The PDPC's guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).

This article was first published in August 2016. For further updates in relation to Singapore's data protection laws, please contact Scott Thiel (scott.thiel@dlapiper.com) or Carolyn Bigg (carolyn.bigg@dlapiper.com).
AUSTRALIA – TRADE MARKS – CHANGES TO OFFICIAL FEES

The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees, some of which are to align with practices in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.

Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there will no longer be a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptance/registration, the new process will hopefully reduce the administrative burden on applicants somewhat.

In addition, the AU$150 fee for opposing a removal application will be abolished. Renewal fees will also increase slightly.

This is an adjustment to official fees only at this time, and DLA Piper Australia is not increasing its fees for the relevant attendances.
HONG KONG'S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD

Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong's Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees are using their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap 486) (the Ordinance) and the Data Protection Principles (DPPs).

The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and to the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices depending on whether or not the organisation's data is stored on the personal devices or within a 'sandbox'. The Commissioner has suggested as best practice that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly, to ensure appropriate data privacy and data security compliance.

The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding the use of personal data stored in the BYOD device, and whether adequate security measures are in place to ensure the secure transfer and storage of personal data in the BYOD equipment (eg sandboxing, password protection and independent encryption). In practice, 'independent encryption' is best read as encrypting the work data container with keys the organisation controls, rather than relying solely on the device's own lock-screen passcode or built-in storage encryption, which the employee, not the organisation, configures and can weaken.

The Information Leaflet also highlights that respect for personal data should be mutual under the BYOD scheme, and any practices implemented to manage employees' BYOD devices should respect the employees' private information.
For more information the Information Leaflet is available here
DLA Piperrsquos Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe To learn more please click here
JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS
In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.
Where a supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, in order to seek a remedy (for example, damages) the supplier must follow the approach prescribed in the Bill. This is likely to be a two-step process. First, the supplier must attempt to resolve the complaint with the procuring entity. Second, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.
The Bill is likely to be introduced into the Australian Parliament by the end of this year.
IPT INSIGHTS
24 | Intellectual Property and Technology News
WHAT'S ON
Wrap up: 5th Global Technology Summit
On September 27 and 28, DLA Piper's Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.
This year the Summit was divided into two distinct days of programming. The first day, called 'Garage2Global', was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from 'garage to global'. The second day, entitled 'TechLaw', provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.
Speaker Highlights
At 'Garage2Global', Alec Ross, former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes of his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day, Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world's largest networks, one that powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates, Inc.
Kicking off 'TechLaw', Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions and how the legal department is viewed as a business partner. During the afternoon sessions, Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, to discuss the GC's role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world's largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.
Please visit our Summit website and blog for further information.
DLA Piper is pleased to announce the launch of Telecommunications Laws of the World.
Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.
Key features include:
telecommunications laws regulations and policies
regulatory bodies or authorities
overview of consents licenses and authorisations
regulatory taxes and fees
key sanctions and penalties
Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-based stamping for trading transactions, robust, reliable and resilient networks are critical.
Today, telecommunications operators are increasingly seeking to expand customer-specific and value added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion. At the same time, the growth of OTT (over the top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators' infrastructure to provide services.
Access Telecommunications Laws of the World here.
Intellectual property webinar series
Throughout 2016, DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact eventsaustraliadlapipercom.
intellectual property issues in China
confidential information and trade secrets global insights global protection
grey market parallel importation and anti-counterfeiting
content protection and digital piracy
advertising and marketing
Pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide
We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.
Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:
trademark filing and prosecution
oppositions
revocation invalidation and cancellation
trademark enforcement
trademark exploitation
unregistered trademark rights
domain and company name disputes
To pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide, email APACTMGuidedlapipercom.
Are you an in-house lawyer? Join WIN today
WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.
GLOBAL PATENT LAWS AROUND THE WORLD
COMING SOON
Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to businesses operating in the countries featured: for example, what acts infringe a patent, the availability of and approach to granting preliminary injunctions, the ability to obtain evidence, the approach to assessing validity and the typical time to trial. For companies operating in multiple countries, managing the risk of, and successfully bringing or defending, patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those of other countries.
DLA PIPER'S PATENT GROUP
With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.
For further information, please contact us by email at patentsdlapipercom.
Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and the procedural matters businesses need to know about. The handbook includes guidance on:
Infringing conduct
Defences to infringement
Before taking action
Patent validity
Taking action
Remedies
Procedure & timing
Benefits of Global Patent Laws: patent laws simply put; global reach; easy access 24/7.
IN THIS ISSUE…
Editor's column
Meet Greg Bodulovic
Cyber risk: Securing your success
Unfair contract terms in the IT space: What you need to know
Insurtech
Proposed Australian mandatory data breach notification regime
Significant changes to data and cybersecurity practices in China
Stricter PRC online advertising regulation in response to search scandal
Mobile apps under close watch of the Hong Kong Privacy Commissioner
Singapore's enforcement of data protection law on the rise
IPT insights
What's on
The award-winning Intellectual Property and Technology News is now published in the United States, Asia Pacific and EMEA regions. Find all current and past editions of the IPT News here: www.dlapiper.com/ipt_news
DLA Piper is a global law firm operating through various separate and distinct legal entities. Further details of these entities can be found at www.dlapiper.com.
This publication is intended as a general overview and discussion of the subjects dealt with and does not create a lawyer-client relationship. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper will accept no responsibility for any actions taken or not taken on the basis of this publication. This may qualify as "Lawyer Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.
Copyright © 2016 DLA Piper. All rights reserved. | NOV16 | 3154851
Horace Lam, Head of Intellectual Property and Technology, China: horacelamdlapipercom
Melinda Upton, Head of Intellectual Property and Technology, Australia: melindauptondlapipercom
Edward Chatterton, Head of Intellectual Property and Technology, Hong Kong: edwardchattertondlapipercom
MEET GREG BODULOVIC
How long have you been at DLA Piper and what brought you to this position?
I joined DLA Piper in September 2016. I came to this position having worked in intellectual property for 10 years, most recently in the Sydney office of a large US firm.
Having qualifications in biotechnology and experience in patent litigation and advising on the regulation of therapeutic goods, I was particularly drawn to DLA Piper's life sciences sector, as well as the breadth and scope of the IPT practice in Australia more generally. The people at DLA Piper, the firm culture and the opportunities to work on high-profile matters and in cutting edge areas of technology were all key to my decision to join.
I have really enjoyed my time at the firm; the IPT team in Sydney is fantastic, and I have also had the opportunity to meet and work with colleagues in Melbourne, which has been an equally positive experience.
What do you love about your job?
I love the breadth and variety of work within the area of intellectual property law and the exposure to various technologies and brands. Over my career I have been fortunate to have worked on various contentious and non-contentious patent, design, trade mark and copyright matters in fields as diverse as pharmaceuticals and medical devices, food and beverages, software and hardware, clothing and fashion, and consumer goods. I also advise on transactional intellectual property matters, which has enabled me to work on the intellectual property and technology aspects of large multi-jurisdictional corporate transactions. I have also had the opportunity to be seconded to a medical devices company as an in-house counsel, which gave me an insight into the practical application of legal advice from the client perspective.
Also, it goes without saying that I enjoy overcoming the challenges encountered on a daily basis in the course of my job and obtain satisfaction from achieving a successful outcome.
Do you have any hobbies and interests outside of work?
I try to keep fit by running, cycling and playing tennis. I have a keen interest in modern art (and am involved with the Museum of Contemporary Art in Sydney) as well as in technology and innovation. Recently, most of my time outside of work has been spent with my 10-month-old daughter.
Greg Bodulovic, Senior Associate, Sydney. T +61 2 9286 8218, gregbodulovicdlapipercom
CYBER RISK: SECURING YOUR SUCCESS
Recently Aon, DLA Piper and Symantec hosted a cyber risk symposium across Australia. The guest speakers on the day delivered important clarity regarding the global threat environment. This article is a summary of the legal influences on the cyber risk landscape and of the technology solutions and strategies discussed throughout the event. It also explores the growing role played by cyber insurance in underpinning safe and sustainable business models.
Cyber security is becoming part of the national conversation. It is a conversation initiated by a rash of attacks on public and private computing infrastructure, propelled by the Federal Government's cyber security strategy released in early 2016, and amplified by the high-profile Census debacle.
But cyber security requires more than talk; it demands action. Organisations that effectively identify and plot their risk profile, and take steps to manage, mitigate and, where appropriate, transfer that risk, secure their future and are better poised to reap competitive rewards.
By being able to demonstrate a sophisticated and comprehensive approach to cyber security, a company positions itself as a favoured and trusted business partner. But this is not a set-and-forget strategy: the threat landscape is in a state of constant flux, and organisations need to regularly review and refresh their approach.
The global threat environment
There are no longer any doubts that cyber risk is an immediate and significant issue for enterprises of all scales and in every sector. Left unchecked, it can bring corporations and countries to their knees.
According to Professor Greg Austin, director of the Australian Centre for Cyber Security, one of the major challenges is that the full dimensions of the problem are still being assessed globally. But he notes that US President Barack Obama has for the second year declared a national emergency in cyberspace, which indicates the scale and seriousness of the global problem.
China has also stepped up its efforts in the area, according to Prof Austin, under the direct control of the President, and has introduced a draft bill on cyber security.
In Australia, the Prime Minister has assessed that cyber-crime has an economic impact ranging somewhere between $1 billion and $17 billion. Prof Austin said that extraordinary range indicates the continued lack of clarity about the true extent of the problem.
Where there is no lack of clarity is in the acknowledgement that there is a problem, and senior managers and boards are increasingly concerned.
A PricewaterhouseCoopers report into global economic crime has for the first time identified cyber-crime as the number one threat, edging out asset misappropriation.
Prof Austin says that eight vectors of attack are currently in evidence: software, hardware, networks, payload, people, power supply, policy and ecosystem. In addition, nine major sources of threats have been identified, and Symantec data suggests there are as many as 30 different threat types.
These variables in combination make it difficult, if not impossible, to prevent any and all attacks. Prof Austin's warnings are stark: "The criminals are always ahead of you or I… the bad news is that governments are well behind criminals and corporates."
While he acknowledges that the chances of a serious cyber-attack on any one corporation or entity are quite low, the probability of the consequences being severe in a handful of cases is extremely high. And that, he says, is what organisations need to prepare for.
Legal influences on the cyber risk landscape
Legislation and regulation often lag technology, and this is particularly evident in the cyber security area, where nations continually play catch-up.
Enterprises operating internationally must navigate a global legal landscape in constant flux and establish strategies for managing security and data that comply with regulations locally and regionally.
This is particularly challenging for companies migrating information systems to the cloud. While there may be scale, cost and flexibility benefits associated with cloud computing services, it is essential to review contracts regarding how data will be treated and to identify any potential security gaps.
Blue Edge Lab, a wholly owned subsidiary of DLA Piper, delivers a solution called CyberTrak to track legislative changes regionally. (Blue Edge Lab is not a law firm and does not provide legal services.) Organisations which operate in multiple jurisdictions must navigate complex rules surrounding privacy, data and security. Scott Thiel, DLA Piper partner specialising in technology and privacy, says that organisations operating in multiple jurisdictions need to decide whether to take a "high watermark approach" and establish security and privacy settings that meet the most stringent conditions in the countries in which they operate, or to tackle the issue country by country.
Neither is ideal: the costs associated with meeting high watermark regulation across the region could be high, while a piecemeal approach could be difficult to maintain, especially given the rapid pace of change. However, failing to address the issue properly is a mistake with potentially serious financial implications; witness the company sued for HK$15 million over a consumer's "hurt feelings" regarding unauthorised exposure of their data.
Beyond compliance, there is the opportunity to leverage investment in cyber security and data protection to deliver competitive advantage, especially following the Panama Papers leak, which threw the issue into sharp relief.
Organisations pitching for work, responding to tenders or planning an IPO may find it an advantage to be able to reference a comprehensive, even audited, data collection, storage and use strategy, along with a well-constructed and rehearsed cyber security plan. That plan should leverage technology solutions and services such as encryption, penetration testing and employee education, along with an appropriate insurance framework to mitigate and transfer the risk of financial consequences associated with a breach.
In the event of a breach, this also streamlines discussions with regulators. An enterprise able to identify where its data is stored (whether on premises or in the cloud), and to reference the technologies, policies and procedures in place to protect that data, should then be able to identify where the plan proved lacking and provide a voluntary undertaking to the regulator to fix that issue.
Says Thiel: "Institutional awareness of how systems hang together will speed root problem analysis and rectification."
Cyber rules around the region
Australia: the arrival of a new privacy amendment Bill and mandatory data breach notification for serious breaches is expected to be a game changer.
China: racing ahead in terms of regulations, with a draft security law which will have significant implications for international companies operating in the PRC.
Hong Kong: specific and stringent security requirements. While there are no data breach notification rules, these are expected in 12 to 18 months. The first person to be jailed for a privacy breach was a Hong Kong-based insurance broker.
Singapore: legislation in place for over two years, and more meaningful enforcement is anticipated, while regulations are expected to evolve, particularly for foreign enterprises.
Japan: a mix of regulations impacting various industries, but a strong culture of compliance, driven by fear of reputational damage, means the level of enforcement is low.
South Korea: a long tradition of privacy and security law and robust enforcement, with serious consequences for enterprises.
Thailand: some constitutional requirements, but no breach notification.
In the event of a breach…
1 Refer to the data breach response plan
2 Call lawyers to preserve privilege
3 Involve communications and PR team
4 Alert insurers to the breach
5 Seek advice from lawyers and insurers regarding extortion (ransomware) attempts before any payments
6 Engage incident response team to analyse breach and remediate
Access DLA Piper's cyber incident/data breach response, Your emergency checklist, here: httpswwwdlapipercomenaustraliainsightspublications201504cyber-data-breach-checklist
Assessing the technology/insurance inflexion point
Technology and education are the first frontier of data protection and cyber security. Investing in a spread of security technologies such as firewalls, encryption, system monitoring, vulnerability assessments and penetration testing, along with effective employee education programmes to ensure staff understand how to avoid spear phishing or ransomware attacks, is essential for any organisation.
There is, however, a point at which additional investment in security offers diminishing value. At this inflexion point an organisation needs to refocus its investment attention toward cyber risk insurance.
Tim Fitzgerald, chief security officer and VP at Symantec, explains that exactly when an organisation reaches that inflexion point will vary, and will also be affected by the scale of the organisation's data collection, its reliance on cloud computing services, its deployment of internet of things devices and the mobility of its workforce and user base.
He recommends that organisations conduct a cyber risk assessment: analyse the data stores held, assess by whom and why they may be targeted, and then develop a security strategy based on that insight. The board and senior managers need to be apprised of the security risk and strategy and, through gap analysis, determine the need for cyber insurance, understanding that conventional corporate insurance policies are unlikely to properly protect an organisation in the event of a cyber-attack.
A data breach response plan, which can be informed by the Office of the Australian Information Commissioner's guidelines (httpswwwoaicgovauresourcesagencies-and-organisationsguidesdata-breach-notification-guide-august-2014pdf), ensures that, should a cyber-attack occur, the organisation and its staff understand their responsibilities. A comprehensive response plan also demonstrates good governance to business partners, investors and regulators.
However, any cyber response plan must remain a living document and needs regular review to ensure that current regulatory requirements are acknowledged.
In addition, any personnel with responsibilities under that plan must be properly trained to act swiftly in the event of a breach. The plan should also identify any third party support services required should an attack occur, allowing engagement contracts to be negotiated well in advance.
Organisations attacked once are three times more likely to be attacked again (Symantec).
45x more cyber ransom events year on year (Symantec).
Digital transformation and the impact of insurance
Once an organisation has deployed robust technology defences, educated staff about the risks of cyber-attack and promulgated policies about how to react and respond to cyber events, it has laid important foundations for its protection.
Those people, process and technology foundations provide a platform from which the organisation is able to negotiate appropriate and cost-effective cyber insurance.
By analysing the potential impact of an attack on the financial statement, the organisation can determine what coverage it requires.
Kevin Kalinich, Aon's global cyber practice leader, advises organisations to look at the industry in which they operate and benchmark the range of losses that could arise, knowing the value of the data assets held and the impact of a cyber-attack in terms of business interruption, the impact on supply chains, on SCADA industrial control systems, and on reputation and brand.
The anticipated introduction of mandated data breach notification should spur action, and organisations with international operations need to ensure that they are properly protected in all the geographies in which they operate. Based on international experience, mandated breach notification leads to significant costs associated with legal services, regulator notification, customer notification, forensics, remediation and, potentially, compensation claims.
"Take steps to mitigate, to allocate liability or minimise your own liability. This is not all about prevention; it is about your response. If you have prepared a response, there is data that shows you can reduce the total cost of an incident," says Kalinich.
He also warns that organisations should not assume that their existing insurance policies provide any coverage in the event of a cyber-attack, nor that a third party information systems provider, such as a cloud computing vendor, would have them covered. Similarly, existing directors' and officers' policies and professional indemnity coverage might prove inadequate should a cyber-attack take place.
In order to properly analyse the risk profile, Kalinich advocates risk quantification modelling in combination with Monte Carlo evaluation techniques. The resulting macro-level understanding of the challenge allows an organisation to then work with an insurance broker to craft appropriate risk coverage.
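As an added example, not code from the symposium or from Aon, DLA Piper or Symantec, the following Python sketches the kind of Monte Carlo loss quantification Kalinich describes. Everything in it is an assumption for illustration: incident counts per year are drawn from a Poisson distribution, each incident's cost from a lognormal distribution (its heavy right tail is what produces the rare but severe cases Prof Austin warns about), and the parameter values and the candidate policy's retention (deductible) and limit are constructed figures. The output is the simulated expected annual loss, the 95th and 99th percentile years, the chance of a year blowing through the retention or exhausting the limit, and how the expected loss splits between insurer and insured, which is the information the "how bad can it be" and "will my insurance work" questions turn on.

```python
"""Monte Carlo cyber-loss quantification used to size a candidate cyber policy.

Constructed example: the frequency/severity model and all parameter values
are illustrative assumptions, not figures from Aon, DLA Piper or Symantec.
"""
import math
import random
from typing import Dict, List


def draw_poisson(rng: random.Random, rate: float) -> int:
    """Number of loss events in one simulated year, ~ Poisson(rate).

    Knuth's multiplication method: adequate for the small annual rates
    assumed here (exp(-rate) underflows for very large rates).
    """
    threshold = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        count += 1
        product *= rng.random()
        if product <= threshold:
            return count - 1


def simulate_annual_losses(years: int, event_rate: float, median_loss: float,
                           sigma: float, seed: int = 2016) -> List[float]:
    """Total loss for each of `years` simulated years.

    Frequency assumption: Poisson(event_rate) incidents per year.
    Severity assumption: each incident costs LogNormal(ln(median_loss), sigma).
    """
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    mu = math.log(median_loss)
    totals = []
    for _ in range(years):
        incidents = draw_poisson(rng, event_rate)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(incidents)))
    return totals


def percentile(values: List[float], q: float) -> float:
    """Empirical q-quantile (0 <= q <= 1), nearest-rank method."""
    ordered = sorted(values)
    rank = math.ceil(q * len(ordered)) - 1
    return ordered[min(len(ordered) - 1, max(0, rank))]


def exceedance_probability(values: List[float], threshold: float) -> float:
    """Fraction of simulated years whose total loss is at least `threshold`."""
    return sum(1 for v in values if v >= threshold) / len(values)


def insured_share(loss: float, retention: float, limit: float) -> float:
    """What a policy pays on one year's loss: the part above the retention
    (deductible), capped at the policy limit."""
    return max(0.0, min(loss - retention, limit))


def coverage_report(losses: List[float], retention: float,
                    limit: float) -> Dict[str, float]:
    """Summarise the simulated loss distribution against a candidate policy."""
    n = len(losses)
    expected = sum(losses) / n
    expected_insured = sum(insured_share(l, retention, limit) for l in losses) / n
    return {
        "expected_annual_loss": expected,
        "p95_annual_loss": percentile(losses, 0.95),
        "p99_annual_loss": percentile(losses, 0.99),
        "prob_loss_exceeds_retention": exceedance_probability(losses, retention),
        "prob_loss_exhausts_limit": exceedance_probability(losses, retention + limit),
        "expected_insured_loss": expected_insured,
        "expected_retained_loss": expected - expected_insured,
    }


if __name__ == "__main__":
    # Illustrative assumptions: 0.8 incidents per year, median incident cost
    # 250,000, sigma 1.2 (so a 99th-percentile incident is roughly 16x the median),
    # against a policy with a 100,000 retention and a 2,000,000 limit.
    annual = simulate_annual_losses(years=20_000, event_rate=0.8,
                                    median_loss=250_000, sigma=1.2)
    for key, value in coverage_report(annual, retention=100_000,
                                      limit=2_000_000).items():
        print(f"{key:30s} {value:>16,.2f}")
```

Rerunning the report with different retention and limit values is the "stress test" step: the point at which `prob_loss_exhausts_limit` stops falling materially is where a higher limit buys little, and `expected_retained_loss` shows what the organisation is still carrying itself, which is what the gap analysis against existing cover needs to expose.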
Off-the-shelf policies have limited value. Base cyber insurance policies can cover external hacks, malicious code and internal mistakes, but may not cover the impact of a bug in the system. Consequential (punitive, incidental) costs are excluded from all base insurance policies, as is tangible property damage, but these can be negotiated into a customised policy.
Effective cyber insurance policies also cover costs associated with legal support, communications, forensic analysis, notification and remediation services.
Kalinich warns, however, that given the changes in the legal landscape and the technology terrain this is not a set-and-forget requirement, noting that risk assessment needs to be both thorough and regular.
Armed with that insight, the organisation can work with an insurance broker to find, tailor and stress test a cyber insurance policy to ensure the effective reduction of enterprise risk.
Cyber risk: are you properly prepared?
There are four key questions that every organisation needs to address regarding cyber risk and protection:
What can go wrong?
How bad can it be?
How am I protected?
Will my insurance work?
Assessing the organisational risk profile requires input from multiple stakeholders, including the chief financial officer, the chief information security officer, the head of risk management and legal counsel. External consultants can also provide a fresh lens through which to explore exposure.
Knowing the risk is one thing; dealing with it effectively also demands the support of the most senior management and the board. Effective security requires a whole-organisation commitment from the top down.
The anticipated mandatory breach notification legislation will require organisations to alert authorities not only when they are aware of a breach but also when they "ought reasonably to have been aware", which suggests regulators may penalise companies found to have inadequate security systems. It is also not yet clear whether there will be any extra-territorial implications of the legislation for organisations operating overseas branches or subsidiaries.
Cyber security is a critical issue for organisations of every scale and in every sector. Robust and comprehensive security frameworks, a well-crafted response plan and effective cyber insurance, developed in concert and reviewed regularly, deliver the maximum protection and an important competitive edge.
wwwdlapipercom | 09
UNFAIR CONTRACT TERMS IN THE IT SPACE: WHAT YOU NEED TO KNOW
By Sarah Dolan, Senior Associate (Melbourne) and Stephanie Tran, Graduate (Melbourne)
10 | Intellectual Property and Technology News
The 'one size fits all' approach to contracting is a common feature within the IT industry. Standard form contracts are an efficient and cost-effective method of doing business and are often used for online terms of use and projects which are of low risk, value and/or complexity.
From 12 November 2016, the unfair contract terms regime in the Australian Consumer Law, which until then only applied to individual consumers, was extended to contracts where at least one party is a "small business" and the upfront price payable is $300,000 (or $1 million if the contract is for a term longer than 12 months). A "small business" is a business that employs fewer than 20 people. It will also apply to contracts which are varied after 12 November 2016.
What is an "unfair" contract term?
Whether a term is "unfair" is decided by a court or tribunal. A term is "unfair" if the following three criteria are satisfied:
it causes a significant imbalance in the parties' rights and obligations under the contract;
it is not reasonably necessary to protect the legitimate interest of the party who would be advantaged by the term; and
it would cause detriment (whether financial or otherwise) to a party if the term were relied upon.
A court or tribunal, in determining whether a term is unfair, must assess the transparency of the term. This includes an assessment of how the term is expressed: is it in plain language, and is it presented clearly? The court or tribunal must also consider the term in light of the contract as a whole and not in isolation.
Unfair terms in standard form contracts
Examples of standard form contract terms that may be challenged in court or at a tribunal for "unfairness" include:
terms requiring the customer to indemnify the supplier for any damage caused, even if it is caused by the supplier's own negligence;
terms that allow a supplier to cancel a contract at will for an inconsequential breach of contract by the customer;
terms that restrict a customer from obtaining a refund or exercising a termination right where the supplier has failed to meet its obligations under the contract; and
terms that provide for automatic renewal without the customer's consent.
What does this mean for your business?
Where a supplier's business model is directed at providing services to small to medium enterprises (SMEs), and the supplier has not had to address this issue in the past for "consumer" customers, it is likely to be impacted by this extension of the unfair contract terms regime. Standard form contracts (eg online terms of use, confidentiality agreements, software licences, support agreements, supply and/or services contracts) for SME customers should be reviewed to determine whether any of the terms may be considered "unfair".
If a court determines that a term is "unfair", it can make a range of orders, including declaring part or all of the contract void and/or varying the contract. If a court orders a contract to be varied, this may result in the supplier being unable to enforce other rights it may otherwise have, either under the contract itself or at law.
Additionally, customers which are small businesses may challenge contract terms that they consider are unfair to prevent a supplier from enforcing express rights under the contract. Such challenges will cost a supplier both time and money to address, even if it is able to successfully defend the claim. In addition, in this day of instant and free customer feedback on social media sites, there is also the risk of reputational damage in the market.
Suppliers should ensure their standard terms are appropriate for the type, size and nature of both the target customer and the goods and services being provided, with an appropriate balance of risk and responsibility between the parties.
INSURTECH
By Carolyn Bigg, Of Counsel (Hong Kong) and Sarah Fountain, Senior Associate (Melbourne)
The customer experience of insurance has largely remained the same for many years. A customer completes a proposal form (normally in hard copy) and submits it to the broker; the broker requests quotes from insurers; insurers provide quotes; the broker places a policy; the policy is issued (normally on an annual basis); and then the customer probably gives no further thought to it unless he or she needs to make a claim. This process does not fit well with the digital era we now live in and has not adapted quickly enough to meet changing consumer expectations, largely driven by millennials.
Insurers widely recognise the need to innovate. Despite this, most insurers have been slow to change their ways, with less than a quarter giving customers the option to submit claims online. This signals huge opportunities for those in the insurance sector, which explains the huge growth we are seeing in 'insurtech' (a word that was barely known a few years ago but now seems to be everywhere). Globally, investment in insurtech increased from US$800 million in 2014 to US$2.6 billion in 2015, and was US$1 billion in the first half of 2016.
Across Asia Pacific there are numerous examples of insurers embracing insurtech. Some insurers have opened innovation labs or incubators, such as Metlife's LumenLabs in Singapore. Others have established corporate VC funds to invest in insurtech startups that will drive value for the business. For example, Suncorp recently invested in Trov, an app that allows customers to turn insurance on and off by swiping right or left on their phones. We have also seen collaboration between insurers and car manufacturers to make available one-click, single-use motor vehicle policies in connected cars, as well as collaboration between insurers and technology companies. Another indicator of the opportunities in insurtech is the level of interest shown in the insurance market by leading players in other markets. For example, earlier this year China Mobile announced it is planning to enter the insurance market by making significant investments in two insurance companies.
These initiatives are already starting to have an impact on the insurance experience. The use of drones by insurance companies to assess property damage is reducing claims costs and the time taken to assess claims. The implementation of wearable technology in the workplace, such as smart glasses and smart hats, is increasing workplace safety and thereby reducing the risk of injuries. The use of wearable devices has also been adopted by health insurers and life insurers, enabling them to capture data and potentially pass on lower premiums to policy holders. In the future, we predict the most significant areas of growth and change in insurtech will be data analytics, wearables and IoT, blockchain and artificial intelligence.
Whilst regulators understandably adopt a cautious approach, they are taking steps to encourage fintech and insurtech initiatives. The Monetary Authority of Singapore very recently published guidelines for a 'regulatory sandbox' to encourage growth in fintech within a relaxed regulatory environment. This follows the announcement by the Australian Securities & Investments Commission of a sandbox for fintech businesses.
As the insurance sector becomes increasingly digitised, cybersecurity risks also increase. Regulators around the region have published new and updated guidance that is relevant to the increasingly sophisticated cybersecurity threats. It is important that insurers' compliance and risk teams focus not only on the immediate cybersecurity compliance obligations arising from the latest regulations, but also ensure that cybersecurity compliance programmes are developed to take into account increasing reliance on technology and data at the core of their operations.
As technology continues to evolve and improve, insurtech opportunities will increase. Although the rise of insurtech has been rapid in recent years, it is still in its infancy. This presents significant opportunities for insurers who adapt to changing consumer expectations and invest in insurtech, especially in Asia, where many people are uninsured but are well connected and spend a lot of time online via their mobile devices. Adapting quickly to this dynamic landscape will enable insurers to remain competitive.
PROPOSED AUSTRALIAN MANDATORY DATA BREACH NOTIFICATION REGIME
By Nicholas Boyle, Senior Associate (Sydney)
In October 2016, the federal Government introduced the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill) to the House of Representatives to amend the Privacy Act to establish a regime for mandatory notification of eligible data breaches. There is bipartisan support for the Bill and it is likely to become law in late 2016 or early 2017.
What are the mandatory data breach notification requirements under the Bill?
The Bill requires that an entity must, as soon as practicable, comply with the notification steps outlined below if:
the entity becomes aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity; or
the Information Commissioner directs the entity to do so.
If an 'eligible data breach' occurs in relation to information which has been disclosed to (and is held by) an overseas recipient by an entity, the entity that disclosed the information must comply.
Step 1: Prepare a statement setting out the prescribed details
The affected entity must prepare a statement that sets out:
the identity and contact details of the entity. If the eligible data breach relates to more than one entity, the statement may set out the identity and contact details of those other entities;
a description of the eligible data breach;
the kind or kinds of information affected by the eligible data breach; and
recommendations about the steps that individuals who are or may be affected by the eligible data breach should take in response to it.
If a statement is prepared at the direction of the Information Commissioner, the statement must also include any information specified in that direction.
Step 2: Give a copy of the prepared statement to the Information Commissioner
Step 3: Notify the contents of the statement to individuals whose information is affected by the eligible data breach
Where practicable, the affected entity must take reasonable steps to notify the contents of the statement to those individuals who are or may be affected by the eligible data breach. The entity may use the channels it ordinarily uses to communicate with individuals (eg email, text message, mail) to provide those notifications, but that does not limit the obligation to take reasonable steps or the methods of communication that the entity can use.
If it is not practicable for the affected entity to notify individuals, the affected entity must publish a copy of the statement on its website (if any) and take reasonable steps to publicise the contents of the statement.
What are 'eligible data breaches'?
An 'eligible data breach' occurs when:
there is unauthorised access to, or unauthorised disclosure of, personal, credit reporting or credit eligibility information or a tax file number, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates; or
personal, credit reporting or credit eligibility information or a tax file number is lost, where it is likely that (a) unauthorised access to, or unauthorised disclosure of, the information will occur and (b) such unauthorised access or disclosure will result in serious harm to an individual to whom the information relates.
Remedial action exception to the definition of eligible data breaches
An eligible data breach is deemed never to have occurred where the affected entity:
in the case of lost information, takes action before there is unauthorised access to or unauthorised disclosure of the information which is lost, and no unauthorised access or disclosure actually occurs; or
in the case of information which is the subject of unauthorised access or disclosure, takes action before there is serious harm to any individual to whom the information relates and, because of that action, a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals.
What is 'serious harm'?
'Serious harm' is to be interpreted broadly. The explanatory memorandum to the Bill states that 'serious harm' could include serious physical, psychological, emotional, economic and financial harm, and serious harm to reputation.
The Bill contains a non-exhaustive list of matters to be considered in determining whether or not access to or disclosure of information is likely to result in "serious harm". These matters include:
the kind(s) and sensitivity of the information;
whether the information is protected by one or more security measures, and the likelihood of any of these measures being overcome;
the persons, or the kinds of persons, who have obtained or who could obtain the information; and
the nature of the harm.
Exceptions
There are a small number of circumstances in which entities are exempted from complying with the notification obligations:
Multiple affected entities: where the eligible data breach affects more than one entity and another entity has complied with the notification obligations, those other affected entities do not need to separately comply.
Enforcement related activities: where the affected entity is an enforcement body and the body's CEO reasonably believes that complying with the notification obligations is likely to prejudice any of its enforcement related activities.
Inconsistency with a secrecy provision: where complying with the notification obligations is to any extent inconsistent with a provision of a law of the Commonwealth that prohibits or regulates the use or disclosure of information.
Declaration by the Commissioner: where the Information Commissioner declares that the notification obligations do not apply, or specifies a particular time by which the affected entity must comply with the notification obligations.
Assessment of suspected eligible data breaches
If an entity has reasonable grounds to suspect an eligible data breach may have occurred, but is not aware of reasonable grounds to believe that an eligible data breach has in fact occurred, the entity must carry out a reasonable and prompt assessment to determine whether an eligible data breach has in fact occurred. This could occur where an entity is notified of a breach by a third party.
The entity must take reasonable steps to complete the assessment within 30 days after forming the suspicion.
If the eligible data breach applies to more than one entity, only one entity needs to undertake an assessment for all entities to comply with this requirement.
SIGNIFICANT CHANGES TO DATA AND CYBERSECURITY PRACTICES IN CHINA
By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong), and Paula Cao, Associate (Beijing)
After a third deliberation, the Chinese government passed the new PRC cybersecurity law on 7 November 2016. The new law will come into force on 1 June 2017 and has significant implications for the data privacy and cybersecurity practices of both Chinese companies and international organisations doing business in China.
The new PRC cybersecurity law intends to combat online fraud and protect China against internet security risks. In short, it imposes new security and data protection obligations on "network operators", puts restrictions on transfers of data outside China by "key information infrastructure operators" and introduces new restrictions on critical network and cybersecurity products.
The new law has been widely reported in both the local and international press. While Chinese officials maintain that China is not closing the door on foreign companies with the introduction of this new law, there has been widespread international unease since the first reading. Commentators have expressed concern that competition will be stifled, regarding the handover of intellectual property, source codes and security keys to the Chinese government, as to perceived increased surveillance and controls over the internet in China, and in relation to the data localisation requirements. Other new obligations, including increased personal data protections, have been less controversial but are a clear indicator of the increased focus within the Chinese authorities on data protection, and could signal a change to the data protection enforcement environment in China.
Some of the key provisions of the final law (which contains some changes to earlier drafts of the law) include (inter alia):
Chinese citizens' personal information and "important data" gathered and produced by "key information infrastructure operators" (KIIO) during operations in China must be kept within the borders of the PRC. If it is "necessary" for the KIIO to transfer such data outside of China, a security assessment must be conducted pursuant to the measures jointly formulated by the National Cyberspace Administration and State Council, unless other PRC laws permit the overseas transfer. While the final version of the law provides some guidance as to the industry fields that will be ascribed greater protection, such as public communications and information service, energy, transportation, water conservancy, finance, public service and e-government, the definition of KIIO remains vague and could potentially be interpreted to cover a broader range of companies and industry sectors. "Personal information" is defined as including all kinds of information recorded electronically or through other means that, taken alone or together with other information, is sufficient to identify a natural person's identity, including but not limited to natural persons' full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers and so forth. However, the types of information that might constitute "important data" are currently unclear. In any case, these data localisation rules are likely to create practical issues for international businesses operating in China.
A range of new obligations apply to organisations that are "network operators" (ie network owners, network administrators and network service providers). A "network" means any system comprising computers or other information terminals and related equipment for collection, storage, transmission, exchange and processing of information. Some commentators are suggesting that these broad definitions could catch any business that owns and operates IT networks/infrastructure, or even just websites, in China.
In terms of data protection, network operators must make publicly available data privacy notices (explicitly stating the purposes, means and scope of personal information to be collected and used) and obtain individuals' consent when collecting, using and disclosing their personal information. Network operators must adopt technical measures to ensure the security of personal information against loss, destruction or leaks and, in the event of a data security breach, must take immediate remedial action and promptly notify users and the relevant authorities. They must also comply with principles of legality, propriety and necessity in their data handling and not be excessive, not provide an individual's personal information to others without the individual's consent, nor illegally sell an individual's personal data to others. The rules do not apply to truly anonymised data. There are also general obligations to keep user information confidential and to establish and maintain data protection systems. Data subject rights to correction of their data, as well as a right to request deletion of data in the event of a data breach, are also provided. While an earlier draft specifically provided protection to personal information of "citizens", the final law does not make this distinction and so seemingly offers a broader protection to all personal information. These requirements formalise as binding legal obligations some data protection safeguards that were previously only perceived as best practice guidance in China.
As regards network security, network operators must fulfil certain tiered security obligations according to the requirements of the classified protection system for cybersecurity, which includes (amongst other things): formulating internal security management systems and operating instructions; appointing dedicated cybersecurity personnel; taking technological measures to prevent computer viruses and other similar threats and attacks, and formulating plans to monitor and respond to network security incidents; retaining network logs for at least six months; undertaking prescribed data classification, back up, encryption and similar activities; complying with national and mandatory security standards; reporting incidents to users and the authorities; and establishing complaints systems.
Network operators must also provide technical support and assistance to state security bodies safeguarding national security and investigating crimes, and will be subject to government and public supervision. The form and extent of such cooperation is not currently clear, and international businesses have expressed concerns over the extent to which this may require them to disclose their IP, proprietary and confidential information to the Chinese authorities.
More general conditions on network operators carrying out business and service activities include obeying all laws and regulations, mandatory and industry national standards, social norms and commercial ethics, being honest and credible and bearing social responsibility. There are also requirements on network operators to block, delete and report to the authorities prohibited information and malicious programs published or installed by users.
Network operators handling "network access and domain registration services" for users, including mobile phone and instant message service providers, are required to comply with "real identity" rules when signing up or providing service confirmation to users, or else may not provide the service.
Additional security safeguards apply to KIIOs, including security background checks on key managers, staff training obligations, disaster recovery back ups, emergency response planning and annual inspections and assessments. Further, strict procurement procedures will apply to KIIOs buying network products and services.
Providers of "network products and services" must comply with national and mandatory standards; their products and services must not contain malicious programs; they must take remedial action against security issues and report them to users and relevant authorities; and they must provide security maintenance for their products and services, which cannot be terminated within the contract term agreed with customers. These new conditions will require providers of technology products and services to review and update their product and related maintenance offerings and, in particular, the contractual terms on which they are offered to customers.
Critical network equipment and specialised cybersecurity products must obtain government certification or meet prescribed safety inspection requirements before being sold or provided. This potentially catches a wide range of software, hardware and other technologies being sold – or proposed to be sold – by international companies in China, since the definitions used in the law are drafted very broadly. Further guidance by way of a catalogue of key network products is expected in due course. There are concerns that this may create barriers to international businesses looking to enter the Chinese market.
Each individual and organisation shall be responsible for its own use of websites, and may not set up websites or communication groups for the purpose of committing fraud, imparting criminal methods, producing or selling prohibited items or engaging in other unlawful activities. Again, there is scope for this to be interpreted and applied broadly.
Institutions, organisations and individuals outside China that cause serious consequences by attacking, interfering with or destroying key information infrastructure of China shall be responsible for any damage, and the relevant public security department of the State Council may freeze assets and impose other sanctions against them. While these provisions would appear to have an extra-territorial effect and could be interpreted very broadly, it is unclear what sanctions could in practice be enforced against organisations without a presence in China.
Other new rules relate to network/online protections for minors, the establishment of schemes for network security monitoring, early warning and breach notification to relevant authorities and the public, as well as rights for individuals and organisations to report conduct endangering network security, the opening of public data resources, and prohibitions on hacking and supporting activities.
While criminal sanctions, administrative penalties and civil liabilities potentially await those (both organisations and, in some circumstances, individual employees and officers) who violate the new law, unfortunately great uncertainties remain as to how the new legislation will be enforced, who exactly is caught by the various new rules and the precise steps that organisations must take to comply with them. It is hoped that the Chinese authorities will publish more detailed practical guidance in the coming months. In the meantime, organisations are strongly advised to review their data privacy and cybersecurity practices in China to ensure compliance with the new law before it comes into force on 1 June 2017, and to keep these under review as further guidance becomes available.
STRICTER PRC ONLINE ADVERTISING REGULATION IN RESPONSE TO SEARCH SCANDAL
By Edward Chatterton, Partner (Hong Kong), Horace Lam, Partner (Beijing) and Ian Jebbit, Registered Foreign Lawyer (Hong Kong)
The China State Administration of Industry and Commerce's Online Advertising Regulation (Regulation) came into force on September 1, 2016. The Regulation has been widely regarded as the response to a recent scandal regarding paid search results.
Earlier this year, a promising college student in China, Wei Ze Xi, sought cancer treatment at a hospital which was returned as a paid search result on an internet search engine. The hospital promised that the treatment would be effective and charged Wei US$30,000. The treatment was later found to be ineffective, but Wei could not then afford further
The changes
The newly amended Advertising Law did not expressly address the regulation of 'paid search results', but the new Regulation includes a specific definition of paid search results which sees them classified as an internet advertisement and thus subject to the Advertising Law. As such, the Regulation means, inter alia, that paid search results:
must not be misleading;
cannot be used in relation to the advertisement of prescription medication and tobacco products;
cannot be used in relation to the advertisement of medical services, medicine, medical formula food, medical devices, pesticides, veterinary medicines and health care products unless the relevant products and services have been previously approved by the relevant authorities; and
must be able to be closed with 'one click' and must not interfere with a user's internet experience.
The Regulation also requires online advertising service providers to establish internal systems for, inter alia, identifying clients who use paid search results and storing their details and advertisements.
Practical implications
The new Regulation affects not only search engine providers but all online advertising businesses and users of paid search results.
Businesses advertising in China using paid search results must check to ensure such paid search results are in compliance with the Advertising Law, and those businesses operating in any of the restricted fields listed above must now ensure prior approval is sought before placing a paid search result advertisement.
Our team of lawyers in China is ready to advise you on the preparations you need to make for the implementation of the Regulation.
mObILE APPS UNDER CLOSE WATCH Of THE HONG KONG PRIvACY COmmISSIONERBy scott thiel partner and Carolyn Bigg of Counsel (hong Kong)
The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps On 21 April 2016 the Office of the Privacy Commissioner for Personal Data (the PCPD) held the lsquoMobile App Development Forum on Privacy and Securityrsquo (Forum) for the mobile app industry which discussed key issues for mobile app developers businesses and stakeholders to consider when developing and operating mobile apps in terms of ensuring compliance with the provisions of the Personal Data (Privacy) Ordinance and safeguarding users from cybersecurity risks
Businesses operating in the mobile app industry and related stakeholders are advised to take note of the below key points raised at the Forum and related issues that they should consider
Lessons to learn from mobile apps in the market
The Privacy Commissioner highlighted the results of a recent survey on popular mobile apps developed by Hong Kong entities which revealed a lack of transparency of the personal data handling in relation to the apps The survey results revealed that most of these local apps did not explain clearly what data they would access and the purposes for such access and that only around half of these mobile apps provided a privacy policy
A key risk discussed at the Forum was that the drafter of the privacy policies may not have a complete understanding of what data is in fact collected stored used andor shared by the app for example in the case of using third party codes in the app development Businesses using the one privacy policy for all of its mobile apps which differ greatly in the way usersrsquo data are handled also run the risk of having imprecise privacy policies for individual apps
Security remains a key concern in relation to personal data collected and handled by mobile apps It was revealed at the Forum that alarmingly some extremely popular mobile apps failed to apply adequate security to safeguard usersrsquo personal data
Enforcement risks for mobile apps
At the Forum the Privacy Commissioner referred to enforcement actions that were taken against mobile apps recently largely due to excessive data collection and inadequate security of personal data
In recent years the Privacy Commissioner has served enforcement notices on operators of mobile apps as well as related parties to the app operators As a result the relevant companies have taken corrective actions and in
20 | Intellectual Property and Technology News20 | Intellectual Property and Technology News
some instances the Privacy Commissionerrsquos enforcement action attracted much media attention and some of these mobile apps are no longer available in the market
However there is a limit to the Privacy Commissionerrsquos enforcement powers as demonstrated by a high profile incident in November 2016 regarding call-blocking apps whose activities were suspected by the PCPD to contravene Hong Kongrsquos data privacy law As the appsrsquo operators were located outside Hong Kong the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow up action
It is most likely that the privacy compliance of mobile apps will remain under the close watch of the Privacy Commissioner in the coming months.
Privacy by Design
The Chief Personal Data Officer of the PCPD, Dr Henry Chang, highlighted the 'Privacy by Design' approach that businesses should adopt, which brings privacy to the foreground and embeds it from the outset into the design specifications and throughout the entire development life cycle of a mobile app. Set out below are the key factors that should be considered.
Data minimisation – The collection of personal data should be reduced to the absolute minimum, especially where sensitive personal data is involved. An assessment of what data the business actually requires from users, in terms of both access and collection, should be undertaken at the outset.
Surprise minimisation – Businesses should be transparent with users about what data will be collected or accessed, and should give users a choice to opt out of such access or use where possible. It is important for businesses to manage the expectations of users and to eliminate or minimise any possible adverse effects of data collection and use.
Risk minimisation – Businesses must ensure adequate protection of data being transmitted and/or stored, for example through encryption and access control.
Trust and respect – To earn the trust and respect of users, it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects, even if it does not amount to personal data. This is key because mobile devices contain a vast amount of personal data and other data that may be considered private, and users will be concerned about whether the mobile app accesses or collects any of it.
In particular, businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users, rather than as a compliance hurdle to be cleared in order to avoid investigation or enforcement action by the Privacy Commissioner. Businesses should ensure that the data collection and handling practices of their mobile apps are not only compliant with the law, but also that the privacy policies, privacy notifications and consents are sufficiently clear and transparent to gain the trust and respect of users.
SINGAPORE'S ENFORCEMENT OF DATA PROTECTION LAW ON THE RISE
By Scott Thiel, Partner, Carolyn Bigg, Of Counsel, and Amy Kong, Associate (Hong Kong)
Singapore's Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident concerning a multinational bank together with the Monetary Authority of Singapore (MAS). The PDPC has also recently announced the need for organisations to improve their data security and data protection measures, and has issued new guides, primarily focusing on data protection measures, which organisations should consider carefully.
Recent enforcement decisions
Some of the key points to note from the three recent enforcement decisions:
A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.
A document processing company was fined SGD 5,000 for a data breach after 195 individuals received account statements belonging to other account holders on the Singapore Exchange.
A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (the policy holder's chiropractor) in September 2015 in order to obtain further medical information about the policy holder. The PDPC found that the disclosure of the policy holder's bank account details, being of a sensitive financial nature, was not for a reasonable purpose.
It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of 'sensitive personal data' requiring additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.
As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were the result of inadequate data security measures which led to unauthorised disclosure of personal data.
Investigation into a multinational bank's data disposal incident
The PDPC and the MAS have joined forces in an investigation into a multinational bank (Bank) following a recent report relating to the Bank's disposal of client documents. In June 2016 it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank's headquarters in Singapore.
The MAS is working closely with the PDPC to review the incident and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers' data.
New guides issued by the PDPC
To accompany its recent media release urging organisations to improve their data security measures, and in light of the recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, on securing personal data in electronic medium, and on building websites for small to medium enterprises.
The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding withdrawal of consent and access requests. Organisations are encouraged to consider carefully the contents of the guides and updated guidelines when reviewing their data handling practices.
Some interesting issues to note
The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third-party contracts. Such data protection clauses should contain specific security measures, a schedule listing the authorised personnel who are permitted to access the personal data on a 'need to know' basis, a requirement for a written undertaking about the return or deletion of personal data, and a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.
The PDPC's guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).
This article was first published in August 2016. For further updates in relation to Singapore's data protection laws, please contact Scott Thiel (scott.thiel@dlapiper.com) or Carolyn Bigg (carolyn.bigg@dlapiper.com).
AUSTRALIA – TRADE MARKS – CHANGES TO OFFICIAL FEES
The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce fees or shift their timing, some of which are intended to align with practices in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.
Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there will no longer be a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptance/registration, the new process will hopefully reduce the administrative burden on applicants somewhat.
In addition, the AU$150 fee for opposing a removal application will be abolished. Renewal fees will also increase slightly.
This is an adjustment to official fees only; at this time DLA Piper Australia is not increasing its fees for the relevant attendances.
HONG KONG'S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD
Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong's Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees use their own mobile phones or other personal devices to access work emails and systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap 486) (the Ordinance) and its Data Protection Principles (DPPs).
The Information Leaflet suggests that organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and to the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices depending on whether the organisation's data is stored on the personal devices themselves or within a 'sandbox'. The Commissioner has suggested as best practice that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance.
The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding the use of personal data stored on a BYOD device, and whether adequate security measures are in place to ensure the secure transfer and storage of personal data on BYOD equipment (e.g. sandboxing, password protection and independent encryption).
The Information Leaflet also highlights that respect for personal data should be mutual under a BYOD scheme: any practices implemented to manage employees' BYOD devices should respect the employees' own private information.
For more information, the Information Leaflet is available here.
DLA Piper's Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more, please click here.
JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS
In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.
Where a supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, in order to seek a remedy (for example, damages) the supplier must follow the approach prescribed in the Bill. This is likely to be a two-step process. Firstly, the supplier must attempt to resolve the complaint with the procuring entity. Secondly, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.
The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year.
IPT INSIGHTS
WHAT'S ON
Wrap up: 5th Global Technology Summit
On September 27 and 28, DLA Piper's Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.
This year the Summit was divided into two distinct days of programming. The first day, called 'Garage2Global', was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from 'garage to global'. The second day, entitled 'TechLaw', provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.
Speaker Highlights
At 'Garage2Global', Alec Ross, former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day, Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world's largest networks, one that powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates Inc.
Kicking off 'TechLaw', Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions and how the legal department is viewed as a business partner. During the afternoon sessions, Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, about the GC's role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world's largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.
Please visit our Summit website and blog for further information.
DLA Piper is pleased to announce the launch of Telecommunications Laws of the World
Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.
Key features include:
telecommunications laws, regulations and policies
regulatory bodies or authorities
overview of consents, licences and authorisations
regulatory taxes and fees
key sanctions and penalties
Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-based stamping for trading transactions, robust, reliable and resilient networks are critical.
Today, telecommunications operators are increasingly seeking to expand customer-specific and value-added services (such as combining connectivity with application services) to retain relevancy and protect against increasing margin erosion. At the same time, the growth of OTT (over-the-top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators' infrastructure to provide services.
Access Telecommunications Laws of the World here.
Intellectual property webinar series
Throughout 2016 DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact events.australia@dlapiper.com.
intellectual property issues in China
confidential information and trade secrets: global insights, global protection
grey market, parallel importation and anti-counterfeiting
content protection and digital piracy
advertising and marketing
Pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide
We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.
Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:
trademark filing and prosecution
oppositions
revocation, invalidation and cancellation
trademark enforcement
trademark exploitation
unregistered trademark rights
domain and company name disputes
To pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide, email APACTMGuide@dlapiper.com.
Are you an in-house lawyer? Join WIN today
WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.
GLOBAL PATENT LAWS AROUND THE WORLD
COMING SOON
Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to businesses operating in the countries featured: for example, what acts infringe a patent, the availability of and approach to granting preliminary injunctions, the ability to obtain evidence, the approach to assessing validity and the typical time to trial. For companies operating in multiple countries, managing the risk of, and successfully bringing or defending, patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those of other countries.
DLA PIPER'S PATENT GROUP
With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.
For further information, please contact us by email at patents@dlapiper.com.
Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and the procedural matters businesses need to know about. The handbook includes guidance on:
infringing conduct
defences to infringement
before taking action
patent validity
taking action
remedies
procedure and timing
Benefits of Global Patent Laws: patent laws simply put, global reach, easy access 24/7.
MEET GREG BODULOVIC
How long have you been at DLA Piper and what brought you to this position?
I joined DLA Piper in September 2016. I came to this position having worked in intellectual property for 10 years, most recently in the Sydney office of a large US firm.
Having qualifications in biotechnology and experience in patent litigation and advising on the regulation of therapeutic goods, I was particularly drawn to DLA Piper's life sciences sector, as well as the breadth and scope of the IPT practice in Australia more generally. The people at DLA Piper, the firm culture and the opportunities to work on high-profile matters and in cutting-edge areas of technology were all key to my decision to join.
I have really enjoyed my time at the firm – the IPT team in Sydney is fantastic and I have also had the opportunity to meet and work with colleagues in Melbourne, which has been an equally positive experience.
What do you love about your job?
I love the breadth and variety of work within the area of intellectual property law and the exposure to various technologies and brands. Over my career I have been fortunate to have worked on various contentious and non-contentious patent, design, trade mark and copyright matters in fields as diverse as pharmaceuticals and medical devices, food and beverages, software and hardware, clothing and fashion, and consumer goods. I also advise on transactional intellectual property matters, which has enabled me to work on the intellectual property and technology aspects of large multi-jurisdictional corporate transactions. I have also had the opportunity to be seconded to a medical devices company as in-house counsel, which gave me an insight into the practical application of legal advice from the client perspective.
Also, it goes without saying that I enjoy overcoming the challenges encountered on a daily basis in the course of my job and obtain satisfaction from achieving a successful outcome.
Do you have any hobbies and interests outside of work?
I try to keep fit by running, cycling and playing tennis. I have a keen interest in modern art (and am involved with the Museum of Contemporary Art in Sydney) as well as in technology and innovation. Recently most of my time outside of work has been spent with my 10-month-old daughter.
Greg Bodulovic, Senior Associate, Sydney. T +61 2 9286 8218, greg.bodulovic@dlapiper.com
CYBER RISK: SECURING YOUR SUCCESS
Recently Aon, DLA Piper and Symantec hosted a cyber risk symposium across Australia. The guest speakers on the day delivered important clarity regarding the global threat environment. This article is a summary of the legal influences on the cyber risk landscape and of the technology solutions and strategies discussed throughout the event. It also explores the growing role played by cyber insurance in underpinning safe and sustainable business models.
Cyber security is becoming part of the national conversation. It is a conversation initiated by a rash of attacks on public and private computing infrastructure, propelled by the Federal Government's cyber security strategy released in early 2016 and amplified by the high-profile Census debacle.
But cyber security requires more than talk; it demands action. Organisations that effectively identify and plot their risk profile, and take steps to manage, mitigate and, where appropriate, transfer that risk, secure their future and are better poised to reap competitive rewards.
By being able to demonstrate a sophisticated and comprehensive approach to cyber security, a company positions itself as a favoured and trusted business partner. But this is not a set-and-forget strategy: the threat landscape is in a state of constant flux, and organisations need to regularly review and refresh their approach.
The global threat environment
There are no longer any doubts that cyber risk is an immediate and significant issue for enterprises of all scales and in every sector. Left unchecked, it can bring corporations and countries to their knees.
According to Professor Greg Austin, director of the Australian Centre for Cyber Security, one of the major challenges is that the full dimensions of the problem are still being assessed globally. But he notes that US President Barack Obama has for the second year declared a national emergency in cyberspace, which indicates the scale and seriousness of the global problem.
China has also stepped up its efforts in the area, according to Prof Austin, under the direct control of the President, and has introduced a draft bill on cyber security.
In Australia, the Prime Minister has assessed that cyber-crime has an economic impact ranging somewhere between $1 billion and $17 billion. Prof Austin said that extraordinary range indicates the continued lack of clarity about the true extent of the problem.
Where there is no lack of clarity is in the acknowledgement that there is a problem, and senior managers and boards are increasingly concerned.
A PricewaterhouseCoopers report into global economic crime has for the first time identified cyber-crime as the number one threat, edging out asset misappropriation.
Prof Austin says that eight vectors of attack are currently in evidence: software, hardware, networks, payload, people, power supply, policy and ecosystem. In addition, nine major sources of threat have been identified, and Symantec data suggests there are as many as 30 different threat types.
These variables in combination make it difficult, if not impossible, to prevent any and all attacks. Prof Austin's warnings are stark: "The criminals are always ahead of you or I... the bad news is that governments are well behind criminals and corporates."
While he acknowledges that the chances of a serious cyber-attack on any one corporation or entity are quite low, the probability that the consequences will be severe in a handful of cases is extremely high. And that, he says, is what organisations need to prepare for.
Legal influences on the cyber risk landscape
Legislation and regulation often lag technology, and this is particularly evident in the cyber security area, where nations continually play catch-up.
Enterprises operating internationally must navigate a global legal landscape in constant flux and establish strategies for managing security and data that comply with regulations locally and regionally.
This is particularly challenging for companies migrating information systems to the cloud. While there may be scale, cost and flexibility benefits associated with cloud computing services, it is essential to review contracts regarding how data will be treated and to identify any potential security gaps.
Blue Edge Lab, a wholly owned subsidiary of DLA Piper, delivers a solution to track legislative changes regionally called CyberTrak. (Blue Edge Lab is not a law firm and does not provide legal services.) Organisations which operate in multiple jurisdictions must navigate complex rules surrounding privacy, data and security. Scott Thiel, DLA Piper partner specialising in technology and privacy, says that organisations operating in multiple jurisdictions need to decide whether to take a "high watermark approach" and establish security and privacy settings that meet the most stringent conditions in the countries in which they operate, or to tackle the issue country by country.
Neither is ideal – the costs associated with meeting high watermark regulation across the region could be high, while a piecemeal approach could be difficult to maintain, especially given the rapid pace of change. However, failing to address the issue properly is a mistake with potentially serious financial implications: witness the company sued for HK$15 million over a consumer's "hurt feelings" regarding unauthorised exposure of their data.
Beyond compliance, there is the opportunity to leverage investment in cyber security and data protection to deliver competitive advantage, especially following the Panama Papers leak, which threw the issue into sharp relief.
Organisations pitching for work, responding to tenders or planning an IPO may find it an advantage to be able to reference a comprehensive, even audited, data collection, storage and use strategy, along with a well-constructed and rehearsed cyber security plan. That plan should leverage technology solutions and services such as encryption, penetration testing and employee education, along with an appropriate insurance framework to mitigate and transfer the risk of financial consequences associated with a breach.
In the event of a breach, this also streamlines discussions with regulators. An enterprise able to identify where its data is stored (whether on premises or in the cloud) and to reference the technologies, policies and procedures in place to protect that data should then also be able to identify where the plan proved lacking, and provide a voluntary undertaking to the regulator to fix that issue.
Says Thiel: "Institutional awareness of how systems hang together will speed root problem analysis and rectification."
Cyber rules around the region
Australia – the arrival of a new privacy amendment Bill and mandatory data breach notification for serious breaches is expected to be a game changer.
China – racing ahead in terms of regulations, and has a draft security law which will have significant implications for international companies operating in the PRC.
Hong Kong – specific and stringent security requirements; while there are no data breach notification rules, these are expected in 12–18 months. The first person to be jailed for a privacy breach was a Hong Kong-based insurance broker.
Singapore – legislation in place for over two years, and more meaningful enforcement is anticipated, while regulations are expected to evolve, particularly for foreign enterprises.
Japan – a mix of regulations impacting various industries, but a strong culture of compliance, meaning the level of enforcement is low because of fear of reputational damage.
South Korea – a long tradition of privacy and security law and robust enforcement, with serious consequences for enterprises.
Thailand – some constitutional requirements but no breach notification.
In the event of a breach...
1. Refer to the data breach response plan.
2. Call lawyers to preserve privilege.
3. Involve the communications and PR team.
4. Alert insurers to the breach.
5. Seek advice from lawyers and insurers regarding extortion (ransomware) attempts before making any payments.
6. Engage the incident response team to analyse the breach and remediate.
Access DLA Piper's cyber incident/data breach response emergency checklist here: https://www.dlapiper.com/en/australia/insights/publications/2015/04/cyber-data-breach-checklist
Assessing the technology/insurance inflexion point
Technology and education are the first frontier of data protection and cyber security. Investing in a spread of security technologies such as firewalls, encryption, system monitoring, vulnerability assessments and penetration testing, along with effective employee education programmes to ensure staff understand how to avoid spear phishing or ransomware attacks, is essential for any organisation.
There is, however, a point at which additional investment in security offers diminishing value. At this inflexion point an organisation needs to refocus its investment attention toward cyber risk insurance.
Tim Fitzgerald, Chief Security Officer and VP at Symantec, explains that exactly when an organisation reaches that inflexion point will vary, and will be affected by the scale of the organisation's data collection, its reliance on cloud computing services, its deployment of Internet of Things devices and the mobility of its workforce and user base.
He recommends that organisations conduct a cyber risk assessment, analyse the data stores held, assess by whom and why they may be targeted, and then develop a security strategy based on that insight. The board and senior managers need to be apprised of the security risk and strategy and, through gap analysis, determine the need for cyber insurance, understanding that conventional corporate insurance policies are unlikely to properly protect an organisation in the event of a cyber-attack.
A data breach response plan, which can be informed by the Office of the Australian Information Commissioner's guidelines (https://www.oaic.gov.au/resources/agencies-and-organisations/guides/data-breach-notification-guide-august-2014.pdf), ensures that, should a cyber-attack occur, the organisation and its staff understand their responsibilities. A comprehensive response plan also demonstrates good governance to business partners, investors and regulators.
However, any cyber response plan must remain a living document and needs regular review to ensure that current regulatory requirements are acknowledged.
In addition, any personnel with responsibilities under that plan must be properly trained to act swiftly in the event of a breach. The plan should also identify any third-party support services required should an attack occur, allowing engagement contracts to be negotiated well in advance.
wwwdlapipercom | 07
Organisations attacked once are three times more likely to be attacked again – Symantec
45x more cyber ransom events year on year – Symantec
Digital transformation and the impact of insurance
Once an organisation has deployed robust technology defences, educated staff about the risks of cyber-attack and promulgated policies about how to react and respond to cyber events, it has laid important foundations for its protection.
Those people, process and technology foundations provide a platform from which the organisation is able to negotiate appropriate and cost effective cyber insurance.
By analysing the potential impact of an attack on the financial statement, the organisation can determine what coverage it requires.
Kevin Kalinich, Aon's Global Cyber Practice Leader, advises organisations to look at the industry in which they operate and benchmark the range of losses that could arise, knowing the value of data assets held and the impact of a cyber-attack in terms of business interruption, the impact on supply chains, on SCADA industrial control systems, and on reputation and brand.
The anticipated introduction of mandated data breach notification should spur action, and organisations with international operations need to ensure that they are properly protected in all the geographies in which they operate. Based on international experience, mandated breach notification leads to significant costs associated with legal services, regulator notification, customer notification, forensics, remediation and potentially compensation claims.
"Take steps to mitigate, to allocate liability or minimise your own liability. This is not all about prevention – it is about your response. If you have prepared a response, there is data that shows you can reduce the total cost of an incident," says Kalinich.
He also warns that organisations should not assume that their existing insurance policies provide any coverage in the event of a cyber-attack, nor that a third party information systems provider, such as a cloud computing vendor, would have them covered. Similarly, existing directors and officers policies and professional indemnity coverage might prove inadequate should a cyber-attack take place.
In order to properly analyse the risk profile, Kalinich advocates risk quantification modelling in combination with Monte Carlo evaluation techniques. The resulting macro level understanding of the challenge allows an organisation to then work with an insurance broker to craft appropriate risk coverage.
Off the shelf policies have limited value. Base cyber insurance policies can cover external hacks, malicious code and internal mistakes – but may not cover the impact of a bug in the system. Consequential – punitive, incidental – costs are excluded from all base insurance policies, as is tangible property damage, but these can be negotiated in a customised policy.
Effective cyber insurance policies also cover costs associated with legal support, communications costs, forensic analysis, notification and remediation services.
Kalinich warns, however, that given the changes in the legal landscape and the technology terrain, this is not a set-and-forget requirement, noting that risk assessment needs to be both thorough and regular.
Armed with that insight, the organisation can work with an insurance broker to find, tailor and stress test a cyber insurance policy to ensure the effective reduction of enterprise risk.
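The risk quantification and Monte Carlo modelling that Kalinich refers to can be sketched in a few lines. The following is an added illustration written for this article; it is not code from the article, from Aon or from Symantec. It assumes a Poisson distribution for the number of incidents per year and a lognormal distribution for the loss per incident, and every parameter value (frequency, median loss, spread, retention and policy limit) is a constructed placeholder that a real exercise would replace with the benchmarked figures described above.

```python
import math
import random

# Constructed, illustrative assumptions (not figures from the article):
# - incidents per year follow a Poisson distribution with mean FREQ_LAMBDA
# - loss per incident follows a lognormal distribution with median SEV_MEDIAN
#   and log-scale spread SEV_SIGMA (a heavy right tail, as cyber losses have)
FREQ_LAMBDA = 0.8          # expected cyber incidents per year (assumed)
SEV_MEDIAN = 200_000.0     # median loss per incident, dollars (assumed)
SEV_SIGMA = 1.0            # lognormal sigma (assumed)


def poisson_draw(rng, lam):
    """Sample a Poisson(lam) count with Knuth's multiplication method."""
    threshold = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product < threshold:
            return count
        count += 1


def simulate_annual_losses(freq_lambda=FREQ_LAMBDA, sev_median=SEV_MEDIAN,
                           sev_sigma=SEV_SIGMA, n_years=10_000, seed=2016):
    """Monte Carlo: total loss in each of n_years simulated years."""
    rng = random.Random(seed)  # fixed seed so a rerun reproduces the figures
    losses = []
    for _ in range(n_years):
        total = 0.0
        for _ in range(poisson_draw(rng, freq_lambda)):
            total += rng.lognormvariate(math.log(sev_median), sev_sigma)
        losses.append(total)
    return losses


def percentile(values, pct):
    """Nearest-rank percentile of an unsorted list (0 <= pct <= 100)."""
    ordered = sorted(values)
    rank = math.ceil(pct / 100.0 * len(ordered)) - 1
    return ordered[max(0, min(rank, len(ordered) - 1))]


def layer_payout(loss, retention, limit):
    """Insurer pays the part of a loss above the retention, capped at the limit."""
    return min(max(loss - retention, 0.0), limit)


def summarise(losses, retention, limit):
    """Figures a board or broker would ask for: expected annual loss, tail
    losses, and how much loss the organisation keeps under a given layer."""
    retained = [loss - layer_payout(loss, retention, limit) for loss in losses]
    return {
        "mean_annual_loss": sum(losses) / len(losses),
        "p50": percentile(losses, 50),
        "p95": percentile(losses, 95),
        "p99": percentile(losses, 99),
        "p_exceeds_limit": sum(1 for l in losses if l > retention + limit) / len(losses),
        "mean_retained": sum(retained) / len(retained),
    }


if __name__ == "__main__":
    # Assumed policy layer: $50k retention, $1m limit (placeholders)
    annual = simulate_annual_losses()
    for name, value in summarise(annual, retention=50_000, limit=1_000_000).items():
        print(f"{name:>18}: {value:,.2f}")
```

The tail percentiles (p95, p99) rather than the mean are what drive the choice of limit, and `mean_retained` shows how much of the expected loss a given retention and limit leave with the organisation; varying those two inputs is the stress test of a candidate policy that the paragraph above describes.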
Cyber risk: are you properly prepared?
There are four key questions that every organisation needs to address regarding cyber risk and protection:
What can go wrong?
How bad can it be?
How am I protected?
Will my insurance work?
Assessing the organisational risk profile requires input from multiple stakeholders, including the chief financial officer, chief information security officer, risk management head and legal counsel. External consultants can also provide a fresh lens through which to explore exposure.
Knowing the risk is one thing – dealing with it effectively also demands the support of the most senior management and board. Effective security requires a whole-organisation commitment from the top down.
The anticipated mandatory breach notification legislation will require organisations to alert authorities not only when they are aware of a breach, but when those organisations "ought reasonably to have been aware", which suggests regulators may penalise companies found to have inadequate security systems. It is also not yet clear whether there will be any extra-territorial implications of the legislation for organisations operating overseas branches or subsidiaries.
Cyber security is a critical issue for organisations of every scale and in every sector. Robust and comprehensive security frameworks, a well-crafted response plan and effective cyber insurance, developed in concert and reviewed regularly, deliver the maximum protection and an important competitive edge.
UNFAIR CONTRACT TERMS IN THE IT SPACE: WHAT YOU NEED TO KNOW
By Sarah Dolan, Senior Associate (Melbourne), and Stephanie Tran, Graduate (Melbourne)
The 'one size fits all' approach to contracting is a common feature within the IT industry. Standard form contracts are an efficient and cost-effective method of doing business, and are often used for online terms of use and projects which are of low risk, value and/or complexity.
From 12 November 2016, the unfair contract terms regime in the Australian Consumer Law, which until then only applied to individual consumers, was extended to contracts where at least one party is a "small business" and the upfront price payable is $300,000 (or $1 million if the contract is for a term longer than 12 months). A "small business" is a business that employs fewer than 20 people. It will also apply to contracts which are varied after 12 November 2016.
What is an "unfair" contract term?
Whether a term is "unfair" is decided by a court or tribunal. A term is "unfair" if the following three criteria are satisfied:
it causes a significant imbalance in the parties' rights and obligations under the contract;
it is not reasonably necessary to protect the legitimate interest of the party who would be advantaged by the term; and
it would cause detriment (whether financial or otherwise) to a party if the term were relied upon.
A court or tribunal, in determining whether a term is unfair, must assess the transparency of the term. This includes an assessment of how the term is expressed: is it in plain language, and is it presented clearly? The court or tribunal must also consider the term in light of the contract as a whole and not in isolation.
Unfair terms in standard form contracts
Examples of standard form contract terms that may be challenged in court or at a tribunal for "unfairness" include:
terms requiring the customer to indemnify the supplier for any damage caused, even if it is caused by the supplier's own negligence;
terms that allow a supplier to cancel a contract at will for an inconsequential breach of contract by the customer;
terms that restrict a customer from obtaining a refund or exercising a termination right where the supplier has failed to meet its obligations under the contract; and
terms that provide for automatic renewal without the customer's consent.
What does this mean for your business?
Where a supplier's business model is directed at providing services to small to medium enterprises (SMEs), and the supplier has not had to address this issue in the past for "consumer" customers, it is likely to be impacted by this extension of the unfair contract terms regime. Standard form contracts (eg online terms of use, confidentiality agreements, software licences, support agreements, supply and/or services contracts) for SME customers should be reviewed to determine whether any of the terms may be considered "unfair".
If a court determines that a term is "unfair", it can make a range of orders, including declaring part or all of the contract void and/or varying the contract. If a court orders a contract to be varied, this may result in the supplier being unable to enforce other rights it may otherwise have, either under the contract itself or at law.
Additionally, customers which are small businesses may challenge contract terms that they consider are unfair to prevent a supplier from enforcing express rights under the contract. Such challenges will cost a supplier both time and money to address, even if it is able to successfully defend the claim. In addition, in this day of instant and free customer feedback on social media sites, there is also the risk of reputational damage in the market.
Suppliers should ensure their standard terms are appropriate for the type, size and nature of both the target customer and the goods and services being provided, with an appropriate balance of risk and responsibility between the parties.
INSURTECH
By Carolyn Bigg, Of Counsel (Hong Kong), and Sarah Fountain, Senior Associate (Melbourne)
The customer experience of insurance has largely remained the same for many years. A customer completes a proposal form (normally in hard copy) and submits it to the broker; the broker requests quotes from insurers; insurers provide quotes; the broker places a policy; the policy is issued (normally on an annual basis); and then the customer probably gives no further thought to it unless he or she needs to make a claim. This process does not fit well with the digital era we now live in, and has not adapted quickly enough to meet changing consumer expectations, largely driven by millennials.
Insurers widely recognise the need to innovate. Despite this, most insurers have been slow to change their ways, with less than a quarter giving customers the option to submit claims online. This signals huge opportunities for those in the insurance sector, which explains the huge growth we are seeing in 'insurtech' (a word that was barely known a few years ago but now seems to be everywhere). Globally, investment in insurtech increased from US$800 million in 2014 to US$2.6 billion in 2015, and was US$1 billion in the first half of 2016.
Across Asia Pacific there are numerous examples of insurers embracing insurtech. Some insurers have opened innovation labs or incubators, such as MetLife's LumenLabs in Singapore. Others have established corporate VC funds to invest in insurtech startups that will drive value for the business. For example, Suncorp recently invested in Trov, an app that allows customers to turn insurance on and off by swiping right or left on their phones. We have also seen collaboration between insurers and car manufacturers to make available one-click, single use motor vehicle policies in connected cars, as well as collaboration between insurers and technology companies. Another indicator of the opportunities in insurtech is the level of interest shown in the insurance market by leading players in other markets. For example, earlier this year China Mobile announced it is planning to enter the insurance market by making significant investments in two insurance companies.
These initiatives are already starting to have an impact on the insurance experience. The use of drones by insurance companies to assess property damage is reducing claims costs and the time taken to assess claims. The implementation of wearable technology in the workplace, such as smart glasses and smart hats, is increasing workplace safety and thereby reducing the risk of injuries. The use of wearable devices has also been adopted by health insurers and life insurers, enabling them to capture data and potentially pass on lower premiums to policy holders. In the future we predict the most significant areas of growth and change in insurtech will be data analytics, wearables and IoT, blockchain and artificial intelligence.
Whilst regulators understandably adopt a cautious approach, they are taking steps to encourage fintech and insurtech initiatives. The Monetary Authority of Singapore very recently published guidelines for a 'regulatory sandbox' to encourage growth in fintech within a relaxed regulatory environment. This follows the announcement by the Australian Securities & Investments Commission of a sandbox for fintech businesses.
As the insurance sector becomes increasingly digitised, cybersecurity risks also increase. Regulators around the region have published new and updated guidance that is relevant to the increasingly sophisticated cybersecurity threats. It is important that insurers' compliance and risk teams focus not only on the immediate cybersecurity compliance obligations arising from the latest regulations, but also ensure that cybersecurity compliance programmes are developed to take into account the increasing reliance on technology and data at the core of their operations.
As technology continues to evolve and improve, insurtech opportunities will increase. Although the rise of insurtech has been rapid in recent years, it is still in its infancy. This presents significant opportunities for insurers who adapt to changing consumer expectations and invest in insurtech, especially in Asia, where many people are uninsured but are well connected and spend a lot of time online via their mobile devices. Adapting quickly to this dynamic landscape will enable insurers to remain competitive.
PROPOSED AUSTRALIAN MANDATORY DATA BREACH NOTIFICATION REGIME
By Nicholas Boyle, Senior Associate (Sydney)
In October 2016 the Federal Government introduced the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill) to the House of Representatives, to amend the Privacy Act to establish a regime for mandatory notification of eligible data breaches. There is bipartisan support for the Bill, and it is likely to become law in late 2016 or early 2017.
What are the mandatory data breach notification requirements under the Bill?
The Bill requires that an entity must, as soon as practicable, comply with the notification steps outlined below if:
the entity becomes aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity; or
the Information Commissioner directs the entity to do so.
If an 'eligible data breach' occurs in relation to information which has been disclosed to (and is held by) an overseas recipient by an entity, the entity that disclosed the information must comply.
Step 1: Prepare a statement setting out the prescribed details
The affected entity must prepare a statement that sets out:
the identity and contact details of the entity. If the eligible data breach relates to more than one entity, the statement may set out the identity and contact details of those other entities;
a description of the eligible data breach;
the kind or kinds of information affected by the eligible data breach; and
recommendations about the steps that individuals who are or may be affected by the eligible data breach should take in response to it.
If a statement is prepared at the direction of the Information Commissioner, the statement must also include any information specified in that direction.
Step 2: Give a copy of the prepared statement to the Information Commissioner
Step 3: Notify the contents of the statement to individuals whose information is affected by the eligible data breach
Where practicable, the affected entity must take reasonable steps to notify the contents of the statement to those individuals who are or may be affected by the eligible data breach. The entity may use the channels it ordinarily uses to communicate with individuals (eg email, text message, mail) to provide those notifications, but that does not limit the obligation to take reasonable steps or the methods of communication that the entity can use.
If it is not practicable for the affected entity to notify individuals, the affected entity must publish a copy of the statement on its website (if any) and take reasonable steps to publicise the contents of the statement.
What are 'eligible data breaches'?
An 'eligible data breach' occurs when:
there is unauthorised access to, or unauthorised disclosure of, personal, credit reporting or credit eligibility information or a tax file number, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates; or
personal, credit reporting or credit eligibility information or a tax file number is lost, where it is likely that (a) unauthorised access to or unauthorised disclosure of the information will occur and (b) such unauthorised access or disclosure will result in serious harm to an individual to whom the information relates.
Remedial action exception to the definition of eligible data breaches
An eligible data breach is deemed never to have occurred where the affected entity:
in the case of lost information, takes action before there is unauthorised access to or unauthorised disclosure of the information which is lost, and no unauthorised access or disclosure actually occurs; or
in the case of information which is the subject of unauthorised access or disclosure, takes action before there is serious harm to any individual to whom the information relates, and because of that action a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals.
What is 'serious harm'?
'Serious harm' is to be interpreted broadly. The explanatory memorandum to the Bill states that 'serious harm' could include serious physical, psychological, emotional, economic and financial harm, and serious harm to reputation.
The Bill contains a non-exhaustive list of matters to be considered in determining whether or not access to or disclosure of information is likely to result in "serious harm". These matters include:
the kind(s) and sensitivity of the information;
whether the information is protected by one or more security measures, and the likelihood of any of these measures being overcome;
the persons, or the kinds of persons, who have obtained or who could obtain the information;
the nature of the harm.
Exceptions
There are a small number of circumstances in which entities are exempted from complying with the notification obligations:
Multiple affected entities: where the eligible data breach affects more than one entity and another entity has complied with the notification obligations, those other affected entities do not need to separately comply.
Enforcement related activities: where the affected entity is an enforcement body and the body's CEO reasonably believes that complying with the notification obligations is likely to prejudice any of its enforcement related activities.
Inconsistency with a secrecy provision: where complying with the notification obligations is to any extent inconsistent with a provision of a law of the Commonwealth that prohibits or regulates the use or disclosure of information.
Declaration by the Commissioner: where the Information Commissioner declares that the notification obligations do not apply, or specifies a particular time by which the affected entity must comply with the notification obligations.
Assessment of suspected eligible data breaches
If an entity has reasonable grounds to suspect an eligible data breach may have occurred, but is not aware of reasonable grounds to believe that an eligible data breach has in fact occurred, the entity must carry out a reasonable and prompt assessment to determine whether an eligible data breach has in fact occurred. This could occur where an entity is notified of a breach by a third party.
The entity must take reasonable steps to complete the assessment within 30 days after forming the suspicion.
If the eligible data breach applies to more than one entity, only one entity needs to undertake an assessment for all entities to comply with this requirement.
SIGNIFICANT CHANGES TO DATA AND CYBERSECURITY PRACTICES IN CHINA
By Scott Thiel, Partner, Carolyn Bigg, Of Counsel (Hong Kong), and Paula Cao, Associate (Beijing)
After a third deliberation, the Chinese government passed the new PRC Cybersecurity Law on 7 November 2016. The new law will come into force on 1 June 2017 and has significant implications for the data privacy and cybersecurity practices of both Chinese companies and international organisations doing business in China.
The new PRC Cybersecurity Law intends to combat online fraud and protect China against internet security risks. In short, it imposes new security and data protection obligations on "network operators", puts restrictions on transfers of data outside China by "key information infrastructure operators", and introduces new restrictions on critical network and cybersecurity products.
The new law has been widely reported in both the local and international press. While Chinese officials maintain that China is not closing the door on foreign companies with the introduction of this new law, there has been widespread international unease since the first reading. Commentators have expressed concern that competition will be stifled, about the handover of intellectual property, source code and security keys to the Chinese government, about the perceived increase in surveillance and controls over the internet in China, and in relation to the data localisation requirements. Other new obligations, including increased personal data protections, have been less controversial, but are a clear indicator of the increased focus within the Chinese authorities on data protection and could signal a change to the data protection enforcement environment in China.
Some of the key provisions of the final law (which contains some changes to earlier drafts of the law) include (inter alia):
Chinese citizens' personal information and "important data" gathered and produced by "key information infrastructure operators" (KIIOs) during operations in China must be kept within the borders of the PRC. If it is "necessary" for the KIIO to transfer such data outside of China, a security assessment must be conducted pursuant to the measures jointly formulated by the National Cyberspace Administration and State Council, unless other PRC laws permit the overseas transfer. While the final version of the law provides some guidance as to the industry fields that will be ascribed greater protection, such as public communications and information service, energy, transportation, water conservancy, finance, public service and e-government, the definition of KIIO remains vague and could potentially be interpreted to cover a broader range of companies and industry sectors. "Personal information" is defined as including all kinds of information, recorded electronically or through other means, that taken alone or together with other information is sufficient to identify a natural person's identity, including but not limited to natural persons' full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers and so forth. However, the types of information that might constitute "important data" are currently unclear. In any case, these data localisation rules are likely to create practical issues for international businesses operating in China.
A range of new obligations apply to organisations that are "network operators" (ie network owners, network administrators and network service providers). A "network" means any system comprising computers or other information terminals and related equipment for collection, storage, transmission, exchange and processing of information. Some commentators are suggesting that these broad definitions could catch any business that owns and operates IT networks/infrastructure, or even just websites, in China.
In terms of data protection, network operators must make publicly available data privacy notices (explicitly stating the purposes, means and scope of personal information to be collected and used) and obtain individuals' consent when collecting, using and disclosing their personal information. Network operators must adopt technical measures to ensure the security of personal information against loss, destruction or leaks, and in the event of a data security breach must take immediate remedial action and promptly notify users and the relevant authorities. They must also comply with principles of legality, propriety and necessity in their data handling and not be excessive; not provide an individual's personal information to others without the individual's consent; nor illegally sell an individual's personal data to others. The rules do not apply to truly anonymised data. There are also general obligations to keep user information confidential and to establish and maintain data protection systems. Data subject rights to correction of their data, as well as a right to request deletion of data in the event of a data breach, are also provided. While an earlier draft specifically provided protection to personal information of "citizens", the final law does not make this distinction and so seemingly offers broader protection to all personal information. These requirements formalise as binding legal obligations some data protection safeguards that were previously only perceived as best practice guidance in China.
As regards network security, network operators must fulfil certain tiered security obligations according to the requirements of the classified protection system for cybersecurity, which includes (amongst other things): formulating internal security management systems and operating instructions; appointing dedicated cybersecurity personnel; taking technological measures to prevent computer viruses and other similar threats and attacks, and formulating plans to monitor and respond to network security incidents; retaining network logs for at least six months; undertaking prescribed data classification, back up, encryption and similar activities; complying with national and mandatory security standards; reporting incidents to users and the authorities; and establishing complaints systems.
Network operators must also provide technical support and assistance to state security bodies safeguarding national security and investigating crimes, and will be subject to government and public supervision. The form and extent of such cooperation is not currently clear, and international businesses have expressed concerns over the extent to which this may require them to disclose their IP, proprietary and confidential information to the Chinese authorities.
More general conditions on network operators carrying out business and service activities include obeying all laws and regulations, mandatory and industry national standards, social norms and commercial ethics, being honest and credible, and bearing social responsibility. There are also requirements on network operators to block, delete and report to the authorities prohibited information and malicious programs published or installed by users.
Network operators handling "network access and domain registration services" for users, including mobile phone and instant message service providers, are required to comply with "real identity" rules when signing up or providing service confirmation to users, or else may not provide the service.
Additional security safeguards apply to KIIOs, including security background checks on key managers, staff training obligations, disaster recovery back ups, emergency response planning, and annual inspections and assessments. Further, strict procurement procedures will apply to KIIOs buying network products and services.
Providers of "network products and services" must comply with national and mandatory standards; their products and services must not contain malicious programs; they must take remedial action against security issues and report them to users and relevant authorities; and they must provide security maintenance for their products and services, which cannot be terminated within the contract term agreed with customers. These new conditions will require providers of technology products and services to review and update their product and related maintenance offerings, and in particular the contractual terms on which they are offered to customers.
Critical network equipment and specialised cybersecurity products must obtain government certification or meet prescribed safety inspection requirements before being sold or provided. This potentially catches a wide range of software, hardware and other technologies being sold – or proposed to be sold – by international companies in China, since the definitions used in the law are drafted very broadly. Further guidance, by way of a catalogue of key network products, is expected in due course. There are concerns that this may create barriers to international businesses looking to enter the Chinese market.
Each individual and organisation shall be responsible for its own use of websites and may not set up websites or communication groups for the purpose of committing fraud imparting criminal methods producing or selling prohibited items or engaging in other unlawful activities Again there is scope for this to be interpreted and applied broadly
Institutions organisations and individuals outside China that cause serious consequences by attacking interfering or destructing key information infrastructure of China shall be responsible for any damage and the relevant public security department of the State Council may freeze assets and impose other sanctions against them While these provisions would appear to have an extra-territorial effect and could be interpreted very broadly it is unclear what sanctions could in practice be enforced against organisations without a presence in China
Other new rules relate to networkonline protections for minors the establishment of schemes for network security monitoring early warning and breach notification to relevant authorities and the public as well as rights for individuals and organisations to report conduct endangering network security opening of public data resources and prohibitions on hacking and supporting activities
While criminal sanctions, administrative penalties and civil liabilities potentially await those (both organisations and, in some circumstances, individual employees and officers) who violate the new law, unfortunately great uncertainties remain as to how the new legislation will be enforced, who exactly is caught by the various new rules, and the precise steps that organisations must take to comply with them. It is hoped that the Chinese authorities will publish more detailed practical guidance in the coming months. In the meantime, organisations are strongly advised to review their data privacy and cybersecurity practices in China to ensure compliance with the new law before it comes into force on 1 June 2017, and to keep these under review as further guidance becomes available.
The China State Administration of Industry and Commerce's Online Advertising Regulation (Regulation) came into force on September 1, 2016. The Regulation has been widely regarded as the response to a recent scandal regarding paid search results.
Earlier this year, a promising college student in China, Wei Ze Xi, sought cancer treatment at a hospital which was returned as a paid search result on an internet search engine. The hospital promised that the treatment would be effective and charged Wei US$30,000. The treatment was later found to be ineffective, but Wei could not then afford further
The changes
The newly amended Advertising Law did not expressly address the regulation of 'paid search results', but the new Regulation includes a specific definition of paid search results which sees them classified as an internet advertisement and thus subject to the Advertising Law. As such, the Regulation means, inter alia, that paid search results:
must not be misleading;
cannot be used in relation to the advertisement of prescription medication and tobacco products;
cannot be used in relation to the advertisement of medical services, medicine, medical formula food, medical devices, pesticides, veterinary medicines and health care products, unless the relevant products and services have been previously approved by the relevant authorities; and
must be able to be closed with 'one click' and must not interfere with a user's internet experience.
The Regulation also requires online advertising service providers to establish internal systems for, inter alia, identifying clients who use paid search results and storing their details and advertisements.
Practical implications
The new Regulation affects not only search engine providers but all online advertising businesses and users of paid search results
Businesses advertising in China using paid search results must check to ensure that such paid search results are in compliance with the Advertising Law, and those businesses operating in any of the restricted fields listed above must now ensure prior approval is sought before placing a paid search result advertisement.
Our team of lawyers in China is ready to advise you on the preparations you need to make for the implementation of the Regulation
STRICTER PRC ONLINE ADVERTISING REGULATION IN RESPONSE TO SEARCH SCANDAL
By Edward Chatterton, Partner (Hong Kong), Horace Lam, Partner (Beijing), and Ian Jebbit, Registered Foreign Lawyer (Hong Kong)
MOBILE APPS UNDER CLOSE WATCH OF THE HONG KONG PRIVACY COMMISSIONER
By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong)
The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps. On 21 April 2016, the Office of the Privacy Commissioner for Personal Data (the PCPD) held the 'Mobile App Development Forum on Privacy and Security' (Forum) for the mobile app industry, which discussed key issues for mobile app developers, businesses and stakeholders to consider when developing and operating mobile apps, in terms of ensuring compliance with the provisions of the Personal Data (Privacy) Ordinance and safeguarding users from cybersecurity risks.
Businesses operating in the mobile app industry and related stakeholders are advised to take note of the key points raised at the Forum set out below, and of the related issues that they should consider.
Lessons to learn from mobile apps in the market
The Privacy Commissioner highlighted the results of a recent survey on popular mobile apps developed by Hong Kong entities, which revealed a lack of transparency in how those apps handle personal data. The survey results showed that most of these local apps did not explain clearly what data they would access and the purposes of such access, and that only around half of these mobile apps provided a privacy policy.
A key risk discussed at the Forum was that the drafter of a privacy policy may not have a complete understanding of what data is in fact collected, stored, used and/or shared by the app, for example where third party code is used in the app development. Businesses using the one privacy policy for all of their mobile apps, which may differ greatly in the way users' data are handled, also run the risk of having imprecise privacy policies for individual apps.
Security remains a key concern in relation to personal data collected and handled by mobile apps. It was revealed at the Forum that, alarmingly, some extremely popular mobile apps failed to apply adequate security to safeguard users' personal data.
Enforcement risks for mobile apps
At the Forum, the Privacy Commissioner referred to enforcement actions taken recently against mobile apps, largely due to excessive data collection and inadequate security of personal data.
In recent years, the Privacy Commissioner has served enforcement notices on operators of mobile apps as well as on related parties to the app operators. As a result, the relevant companies have taken corrective actions; in some instances the Privacy Commissioner's enforcement action attracted much media attention, and some of these mobile apps are no longer available in the market.
However, there is a limit to the Privacy Commissioner's enforcement powers, as demonstrated by a high profile incident in November 2016 regarding call-blocking apps whose activities were suspected by the PCPD to contravene Hong Kong's data privacy law. As the apps' operators were located outside Hong Kong, the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow up action.
It is most likely that the privacy compliance of mobile apps will continue to be under the close watch of the Privacy Commissioner in the coming months
Privacy by Design
The Chief Personal Data Officer of the PCPD, Dr Henry Chang, highlighted the 'Privacy by Design' approach that businesses should adopt, which brings privacy to the foreground and embeds privacy from the outset into the design specifications and throughout the entire development life cycle of a mobile app. Set out below are key factors that should be considered.
Data minimisation – The collection of personal data should be reduced to the absolute minimum, especially where sensitive personal data is involved. An assessment of what data the business requires from users, in terms of access and collection, should be undertaken at the outset.
Surprise minimisation – Businesses should ensure there is transparency to users in terms of what data will be collected or accessed, and provide users with a choice to opt out from such access or use where possible. It is important for businesses to manage the expectations of users and to eliminate or minimise any possible adverse effects of data collection and use.
Risk minimisation – Businesses must ensure adequate protection of data being transmitted and/or stored, for example through encryption and access control.
Trust and respect – To earn the trust and respect of users, it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects, even if it does not amount to personal data. This is key, as mobile devices contain a vast amount of personal data and other data that may be considered private, and users would be concerned about whether the mobile app accesses or collects any of this data.
In particular, businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users, rather than a compliance hurdle to avoid investigation or enforcement action by the Privacy Commissioner. Businesses should ensure that the data collection and handling practices in respect of their mobile apps are not only compliant with the law, but that the privacy policies, privacy notifications and consents are sufficiently clear and transparent to gain the trust and respect of users.
Singapore's Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC has published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident with the Monetary Authority of Singapore (MAS) concerning a multinational bank. The PDPC has also recently announced the need for organisations to improve their data security and data protection measures, and has issued new guides, primarily focusing on data protection measures, which organisations should consider carefully.
Recent enforcement decisions
Some of the key points to note from the three recent enforcement decisions are:
A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.
A document processing company was fined SGD 5,000 for a data breach after 195 individuals received account statements of other account holders held on the Singapore Exchange.
A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (being the policy holder's chiropractor) in order to obtain further medical information about the policy holder in September 2015. The PDPC found that the disclosure of the policy holder's bank account details, being of a sensitive financial nature, was not for a reasonable purpose.
It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of 'sensitive personal data' which requires additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.
As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were a result of inadequate data security measures, which led to the unauthorised disclosure of personal data.
SINGAPORE'S ENFORCEMENT OF DATA PROTECTION LAW ON THE RISE
By Scott Thiel, Partner, Carolyn Bigg, Of Counsel, and Amy Kong, Associate (Hong Kong)
Investigation into a multinational bank's data disposal incident
The PDPC and the MAS have joined forces in an investigation into a multinational bank (Bank) following a recent report relating to the Bank's disposal of client documents. In June 2016, it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank's headquarters in Singapore.
The MAS is working closely with the PDPC to review the incident, and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers' data.
New guides issued by the PDPC
To accompany its recent media release urging organisations to improve their data security measures, and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, securing personal data in electronic medium, and building websites for small to medium enterprises.
The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding content on withdrawal of consent and access requests. Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing their data handling practices.
Some interesting issues to note
The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third party contracts. Such data protection clauses should contain specific security measures; a schedule listing the authorised personnel who are permitted to access the personal data on a 'need to know' basis; a requirement for a written undertaking about the return or deletion of personal data; as well as a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.
The PDPC's guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper, depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).
This article was first published in August 2016. For further updates in relation to Singapore's data protection laws, please contact Scott Thiel (scott.thiel@dlapiper.com) or Carolyn Bigg (carolyn.bigg@dlapiper.com).
AUSTRALIA – TRADE MARKS – CHANGES TO OFFICIAL FEES
The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees, some of which are intended to align with practices in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.
Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there will no longer be a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptance/registration, the new process will hopefully reduce the administrative burden on applicants somewhat.
In addition, the AU$150 fee for opposing a removal application will be abolished. Renewal fees will also increase slightly.
This is an adjustment to official fees only at this time, and DLA Piper Australia is not increasing its fees for the relevant attendances.
HONG KONG'S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD
Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong's Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees are using their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap 486) (the Ordinance) and the Data Protection Principles (DPPs).
The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and to the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices depending on whether or not the organisation's data is stored on the personal devices or within a 'sandbox'. The Commissioner has suggested as best practice that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance.
The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding the use of personal data stored on the BYOD device, and whether adequate security measures are in place to ensure secure transfer and storage of personal data on the BYOD equipment (e.g. sandboxing, password protection and independent encryption).
The Information Leaflet also highlights that respect for personal data should be mutual under the BYOD scheme, and any practices implemented to manage employees' BYOD devices should respect the employees' private information.
For more information, the Information Leaflet is available here.
DLA Piper's Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more, please click here.
JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS
In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.
Where the supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, in order to seek a remedy (for example, damages) the supplier must follow the approach prescribed in the Bill. This is likely to be a two-step process. Firstly, the supplier must attempt to resolve the complaint with the procuring entity. Secondly, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.
The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year.
IPT INSIGHTS
WHAT'S ON
Wrap up: 5th Global Technology Summit
On September 27 and 28, DLA Piper's Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.
This year the Summit was divided into two distinct days of programming. The first day, called 'Garage2Global', was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from 'garage to global'. The second day, entitled 'TechLaw', provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.
Speaker Highlights
At 'Garage2Global', Alec Ross, Former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day, Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world's largest networks, which powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates Inc.
Kicking off 'TechLaw', Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions, and how the legal department is viewed as a business partner. During the afternoon sessions, Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, to discuss the GC's role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world's largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.
Please visit our Summit website and blog for any further information.
DLA Piper is pleased to announce the launch of Telecommunications Laws of the World
Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.
Key features include:
telecommunications laws, regulations and policies
regulatory bodies or authorities
overview of consents, licenses and authorisations
regulatory taxes and fees
key sanctions and penalties
Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-based stamping for trading transactions, robust, reliable and resilient networks are critical.
Today, telecommunications operators are increasingly seeking to expand customer-specific and value added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion. At the same time, the growth of OTT (over the top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators' infrastructure to provide services.
Access Telecommunications Laws of the World here.
Intellectual property webinar series
Throughout 2016, DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact eventsaustralia@dlapiper.com.
intellectual property issues in China
confidential information and trade secrets: global insights, global protection
grey market, parallel importation and anti-counterfeiting
content protection and digital piracy
advertising and marketing
Pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide
We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.
Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:
trademark filing and prosecution
oppositions
revocation, invalidation and cancellation
trademark enforcement
trademark exploitation
unregistered trademark rights
domain and company name disputes
To pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide, email APACTMGuide@dlapiper.com.
Are you an in-house lawyer? Join WIN today
WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.
DLA PIPER ASIA PACIFIC TRADEMARK GUIDE 2016
Pre-order your complimentary copy now
We are pleased to bring you the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.
Relevant for the complete brand life cycle, this user-friendly guide looks at such essential issues as trademark filing and prosecution; oppositions; revocation, invalidation and cancellation; trademark enforcement; trademark exploitation; unregistered trademark rights; and domain and company name disputes.
To pre-order your copy of the inaugural edition of DLA Piper's Asia Pacific Trademark Guide, please complete this card or email us at APACTMGuide@dlapiper.com.
GLOBAL PATENT LAWS AROUND THE WORLD
COMING SOON
Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to businesses operating in the countries featured: for example, what acts infringe a patent, the availability of and approach to granting preliminary injunctions, the ability to obtain evidence, the approach to assessing validity, and the typical time to trial. For companies operating in multiple countries, managing the risk of, and successfully bringing or defending, patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those in other countries.
Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and the procedural matters businesses need to know about. The handbook includes guidance on:
infringing conduct
defences to infringement
before taking action
patent validity
taking action
remedies
procedure & timing
Benefits of Global Patent Laws: patent laws simply put; global reach; easy access 24/7.
DLA PIPER'S PATENT GROUP
With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.
For further information, please contact us by email at patents@dlapiper.com.
CYBER RISK: SECURING YOUR SUCCESS
Recently, Aon, DLA Piper and Symantec hosted a cyber risk symposium across Australia. The guest speakers on the day delivered important clarity regarding the global threat environment. This article is a summary of the legal influences on the cyber risk landscape and the technology solutions and strategies available that were discussed throughout the event. It also explores the growing role played by cyber insurance in underpinning safe and sustainable business models.
Cyber security is becoming part of the national conversation. It is a conversation initiated by a rash of attacks on public and private computing infrastructure, propelled by the Federal Government's cyber security strategy released in early 2016, and amplified by the high profile Census debacle.
But cyber security requires more than talk; it demands action. Organisations that effectively identify and plot their risk profile, and take steps to manage, mitigate and, where appropriate, transfer that risk, secure their future and are better poised to reap competitive rewards.
By being able to demonstrate a sophisticated and comprehensive approach to cyber security, a company positions itself as a favoured and trusted business partner. But this is not a set-and-forget strategy: the threat landscape is in a state of constant flux, and organisations need to regularly review and refresh their approach.
The global threat environment
There are no longer any doubts that cyber risk is an immediate and significant issue for enterprises of all scales and in every sector. Left unchecked, it can bring corporations and countries to their knees.
According to Professor Greg Austin, director of the Australian Centre for Cyber Security, one of the major challenges is that the full dimensions of the problem are still being assessed globally. But he notes that US President Barack Obama has, for the second year, declared a national emergency in cyberspace, which indicates the scale and seriousness of the global problem.
China also has stepped up its efforts in the area, according to Prof Austin, under the direct control of the President, and has introduced a draft bill on cyber security.
In Australia, the Prime Minister has assessed that cyber-crime has an economic impact ranging somewhere between $1 billion and $17 billion. Prof Austin said that extraordinary range indicates the continued lack of clarity about the true extent of the problem.
Where there is no lack of clarity is in the acknowledgement that there is a problem, and senior managers and boards are increasingly concerned.
A PricewaterhouseCoopers report into global economic crime has for the first time identified cyber-crime as the number one threat, edging out asset misappropriation.
Prof Austin says that eight vectors of attack are currently in evidence: software, hardware, networks, payload, people, power supply, policy and ecosystem. In addition, nine major sources of threats have been identified, and Symantec data suggests there are as many as 30 different threat types.
These variables in combination make it difficult, if not impossible, to prevent any and all attacks. Prof Austin's warnings are stark: "The criminals are always ahead of you or I … the bad news is that governments are well behind criminals and corporates."
While he acknowledges that the chances of a serious cyber-attack on any one corporation or entity are quite low, the probability of the consequences being high in a handful of cases is extremely high. And that, he says, is what organisations need to prepare for.
Legal influences on the cyber risk landscape
Legislation and regulation often lag technology, and this is particularly evident in the cyber security area, where nations continually play catch up.
Enterprises operating internationally must navigate a global legal landscape in constant flux and establish strategies for managing security and data that comply with regulations locally and regionally.
This is particularly challenging for companies migrating information systems to the cloud. While there may be scale, cost and flexibility benefits associated with cloud computing services, it is essential to review contracts regarding how data will be treated and to identify any potential security gaps.
Blue Edge Lab, a wholly owned subsidiary of DLA Piper, delivers a solution to track legislative changes regionally called CyberTrak. Blue Edge Lab is not a law firm and does not provide legal services. Organisations which operate in multiple jurisdictions must navigate complex rules surrounding privacy, data and security. Scott Thiel, DLA Piper partner specialising in technology and privacy, says that organisations operating in multiple jurisdictions need to decide whether to take a "high watermark approach" and establish security and privacy settings that meet the most stringent conditions in the countries in which they operate, or to tackle the issue country by country.
Neither is ideal: the costs associated with meeting high watermark regulation across the region could be high, while a piecemeal approach could be difficult to maintain, especially given the rapid pace of change. However, failing to address the issue properly is a mistake with potentially serious financial implications; witness the company sued for HK$15 million over a consumer's "hurt feelings" regarding the unauthorised exposure of their data.
Beyond compliance, there is the opportunity to leverage investment in cyber security and data protection to deliver competitive advantage, especially following the Panama Papers leak, which threw the issue into sharp relief.
Organisations pitching for work, responding to tenders or planning an IPO may find it an advantage to be able to reference a comprehensive, even audited, data collection, storage and use strategy, along with a well-constructed and rehearsed cyber security plan. That plan should leverage technology solutions and services such as encryption, penetration testing and employee education, along with an appropriate insurance framework to mitigate and transfer the risk of financial consequences associated with a breach.
In the event of a breach, this also streamlines discussions with regulators. An enterprise able to identify where its data is stored (whether on premises or in the cloud), and also reference the technologies, policies and procedures in place to protect that data, should then be able to identify where the plan proved lacking in the event of a breach and provide a voluntary undertaking to the regulator to fix that issue.
Says Thiel: "Institutional awareness of how systems hang together will speed root problem analysis and rectification."
Cyber rules around the region
Australia: the arrival of a new privacy amendment Bill and mandatory data breach notification for serious breaches is expected to be a game changer.
China: racing ahead in terms of regulations, and has a security draft law which will have significant implications for international companies operating in the PRC.
Hong Kong: specific and stringent security requirements. While there are no data breach notification rules, these are expected in 12–18 months. The first person to be jailed for a privacy breach was a Hong Kong based insurance broker.
Singapore: legislation in place for over two years, and more meaningful enforcement is anticipated, while regulations are expected to evolve, particularly for foreign enterprises.
Japan: a mix of regulations impacting various industries, but a strong culture of compliance, meaning the level of enforcement is low because of fear of reputational damage.
South Korea: a long tradition of privacy and security law and robust enforcement, with serious enterprise consequences.
Thailand: some constitutional requirements but no breach notification.
In the event of a breach…
1. Refer to the data breach response plan
2. Call lawyers to preserve privilege
3. Involve communications and PR team
4. Alert insurers to the breach
5. Seek advice from lawyers and insurers regarding extortion (ransomware) attempts before any payments
6. Engage incident response team to analyse breach and remediate
Access DLA Piper's cyber incident/data breach response checklist, "Your emergency checklist", here: https://www.dlapiper.com/en/australia/insights/publications/2015/04/cyber-data-breach-checklist
Assessing the technology/insurance inflexion point
Technology and education are the first frontier of data protection and cyber security. Investing in a spread of security technologies such as firewalls, encryption, system monitoring, vulnerability assessments and penetration testing, along with effective employee education programmes to ensure staff understand how to avoid spear phishing or ransomware attacks, is essential for any organisation.
There is, however, a point at which additional investment in security offers diminishing value. At this inflexion point an organisation needs to refocus its investment attention toward cyber risk insurance.
Tim Fitzgerald, Chief Security Officer and VP at Symantec, explains that exactly when an organisation reaches that inflexion point will vary, and will also be impacted by the scale of an organisation's data collection, its reliance on cloud computing services, deployment of Internet of Things devices and also the mobility of its workforce and user base.
He recommends that organisations conduct a cyber risk assessment, analyse the data stores held and assess by whom and why they may be targeted, and then develop a security strategy based on that insight. The board and senior managers need to be apprised of the security risk and strategy and, through gap analysis, determine the need for cyber insurance, understanding that conventional corporate insurance policies are unlikely to properly protect an organisation in the event of a cyber-attack.
A data breach response plan, which can be informed by the Office of the Australian Information Commissioner's guidelines (https://www.oaic.gov.au/resources/agencies-and-organisations/guides/data-breach-notification-guide-august-2014.pdf), ensures that should a cyber-attack occur, the organisation and staff understand their responsibilities. A comprehensive response plan also demonstrates good governance to business partners, investors and regulators.
However, any cyber response plan must remain a living document and needs regular review, ensuring that current regulatory requirements are acknowledged.
In addition, any personnel with responsibilities under that plan must be properly trained to act swiftly in the event of a breach. The plan should also identify any third party support services required should an attack occur, allowing engagement contracts to be negotiated well in advance.
Organisations attacked once are three times more likely to be attacked again – Symantec
45x more cyber ransom events year on year – Symantec
Digital transformation and the impact of insurance
Once an organisation has deployed robust technology defences, educated staff about the risks of cyber-attack and promulgated policies about how to react and respond to cyber events, it has laid important foundations for its protection.
Those people, process and technology foundations provide a platform from which the organisation is able to negotiate appropriate and cost effective cyber insurance.
By analysing the potential impact of an attack on the financial statement, the organisation can determine what coverage it requires.
Kevin Kalinich, Aon's global cyber practice leader, advises organisations to look at the industry in which they operate and benchmark the range of losses that could arise, knowing the value of data assets held and the impact of a cyber-attack in terms of business interruption, the impact on supply chains, on SCADA industrial control systems, and on reputation and brand.
The anticipated introduction of mandated data breach notification should spur action, and organisations with international operations need to ensure that they are properly protected in all the geographies in which they operate. Based on international experience, mandated breach notification leads to significant costs associated with legal services, regulator notification, customer notification, forensics, remediation and potentially compensation claims.
"Take steps to mitigate, to allocate liability or minimise your own liability. This is not all about prevention – it is about your response. If you have prepared a response, there is data that shows you can reduce the total cost of an incident," says Kalinich.
He also warns that organisations should not assume that their existing insurance policies provide any coverage in the event of a cyber-attack, nor that a third party information systems provider such as a cloud computing vendor would have them covered. Similarly, existing directors and officers policies and professional indemnity coverage might prove inadequate should a cyber-attack take place.
In order to properly analyse the risk profile, Kalinich advocates risk quantification modelling in combination with Monte Carlo evaluation techniques. The resulting macro level understanding of the challenge allows an organisation to then work with an insurance broker to craft appropriate risk coverage.
Off the shelf policies have limited value. Base cyber insurance policies can cover external hacks, malicious code and internal mistakes – but may not cover the impact of a bug in the system. Consequential – punitive, incidental – costs are excluded from all base insurance policies, as is tangible property damage, but can be negotiated in a customised policy.
Effective cyber insurance policies also cover costs associated with legal support, communications costs, forensic analysis, notification and remediation services.
Kalinich warns, however, that given the changes in the legal landscape and the technology terrain, this is not a set-and-forget requirement, noting that risk assessment needs to be both thorough and regular.
Armed with that insight, the organisation can work with an insurance broker to find, tailor and stress test a cyber insurance policy to ensure the effective reduction of enterprise risk.
Cyber risk: are you properly prepared?
There are four key questions that every organisation needs to address regarding cyber risk and protection:
• What can go wrong?
• How bad can it be?
• How am I protected?
• Will my insurance work?
Assessing the organisational risk profile requires input from multiple stakeholders, including the chief financial officer, chief information security officer, risk management head and legal counsel. External consultants can also provide a fresh lens through which to explore exposure.
Knowing the risk is one thing – dealing with it effectively also demands the support of the most senior management and board. Effective security requires a whole-organisation commitment from the top down.
The anticipated mandatory breach notification legislation will require organisations to alert authorities not only when they are aware of a breach but when those organisations "ought reasonably to have been aware", which suggests regulators may penalise companies found to have inadequate security systems. It is also not yet clear whether there will be any extra-territorial implications of the legislation for organisations operating overseas branches or subsidiaries.
Cyber security is a critical issue for organisations of every scale and in every sector. Robust and comprehensive security frameworks, a well-crafted response plan and effective cyber insurance, developed in concert and reviewed regularly, deliver the maximum protection and an important competitive edge.
UNFAIR CONTRACT TERMS IN THE IT SPACE: WHAT YOU NEED TO KNOW
By Sarah Dolan, Senior Associate (Melbourne) and Stephanie Tran, Graduate (Melbourne)
The 'one size fits all' approach to contracting is a common feature within the IT industry. Standard form contracts are an efficient and cost-effective method of doing business, and are often used for online terms of use and projects which are of low risk, value and/or complexity.
From 12 November 2016, the unfair contract terms regime in the Australian Consumer Law, which until then only applied to individual consumers, was extended to contracts where at least one party is a "small business" and the upfront price payable is $300,000 (or $1 million if the contract is for a term longer than 12 months). A "small business" is a business that employs fewer than 20 people. It will also apply to contracts which are varied after 12 November 2016.
What is an "unfair" contract term?
Whether a term is "unfair" is decided by a court or tribunal. A term is "unfair" if the following three criteria are satisfied:
• it causes a significant imbalance in the parties' rights and obligations under the contract;
• it is not reasonably necessary to protect the legitimate interest of the party who would be advantaged by the term; and
• it would cause detriment (whether financial or otherwise) to a party if the term were relied upon.
A court or tribunal, in determining whether a term is unfair, must assess the transparency of the term. This includes an assessment of how the term is expressed: is it in plain language, and is it presented clearly? The court or tribunal must also consider the term in light of the contract as a whole and not in isolation.
Unfair terms in standard form contracts
Examples of standard form contract terms that may be challenged in court or at a tribunal for "unfairness" include:
• terms requiring the customer to indemnify the supplier for any damage caused, even if it is caused by the supplier's own negligence;
• terms that allow a supplier to cancel a contract at will for an inconsequential breach of contract by the customer;
• terms that restrict a customer from obtaining a refund or exercising a termination right where the supplier has failed to meet its obligations under the contract; and
• terms that provide for automatic renewal without the customer's consent.
What does this mean for your business?
Where a supplier's business model is directed at providing services to small to medium enterprises (SMEs), and the supplier has not had to address this issue in the past for "consumer" customers, it is likely to be impacted by this extension of the unfair contract terms regime. Standard form contracts (eg online terms of use, confidentiality agreements, software licences, support agreements, supply and/or services contracts) for SME customers should be reviewed to determine whether any of the terms may be considered "unfair".
If a court determines that a term is "unfair", it can make a range of orders, including declaring part or all of the contract void and/or varying the contract. If a court orders a contract to be varied, this may result in the supplier being unable to enforce other rights it may otherwise have, either under the contract itself or at law.
Additionally, customers which are small businesses may challenge contract terms that they consider are unfair, to prevent a supplier from enforcing express rights under the contract. Such challenges will cost a supplier both time and money to address, even if it is able to successfully defend the claim. In addition, in this day of instant and free customer feedback on social media sites, there is also the risk of reputational damage in the market.
Suppliers should ensure their standard terms are appropriate for the type, size and nature of both the target customer and the goods and services being provided, with an appropriate balance of risk and responsibility between the parties.
INSURTECH
By Carolyn Bigg, Of Counsel (Hong Kong) and Sarah Fountain, Senior Associate (Melbourne)
The customer experience of insurance has largely remained the same for many years. A customer completes a proposal form (normally in hard copy) and submits it to the broker; the broker requests quotes from insurers; insurers provide quotes; the broker places a policy; the policy is issued (normally on an annual basis); and then the customer probably gives no further thought to it unless he or she needs to make a claim. This process does not fit well with the digital era we now live in, and has not adapted quickly enough to meet changing consumer expectations, largely driven by millennials.
Insurers widely recognise the need to innovate. Despite this, most insurers have been slow to change their ways, with less than a quarter giving customers the option to submit claims online. This signals huge opportunities for those in the insurance sector, which explains the huge growth we are seeing in 'insurtech' (a word that was barely known a few years ago but now seems to be everywhere). Globally, investment in insurtech increased from US$800 million in 2014 to US$26 billion in 2015, and was US$1 billion in the first half of 2016.
Across Asia Pacific there are numerous examples of insurers embracing insurtech. Some insurers have opened innovation labs or incubators, such as MetLife's LumenLabs in Singapore. Others have established corporate VC funds to invest in insurtech startups that will drive value for the business. For example, Suncorp recently invested in Trov, an app that allows customers to turn insurance on and off by swiping right or left on their phones. We have also seen collaboration between insurers and car manufacturers to make available one-click, single use motor vehicle policies in connected cars, as well as collaboration between insurers and technology companies. Another indicator of the opportunities in insurtech is the level of interest shown in the insurance market by leading players in other markets. For example, earlier this year China Mobile announced it is planning to enter the insurance market by making significant investments in two insurance companies.
These initiatives are already starting to have an impact on the insurance experience. The use of drones by insurance companies to assess property damage is reducing claims costs and the time taken to assess claims. The implementation of wearable technology in the workplace, such as smart glasses and smart hats, is increasing workplace safety and thereby reducing the risk of injuries. The use of wearable devices has also been adopted by health insurers and life insurers, enabling them to capture data and potentially pass on lower premiums to policy holders. In the future, we predict the most significant areas of growth and change in insurtech will be data analytics, wearables and IoT, blockchain and artificial intelligence.
Whilst regulators understandably adopt a cautious approach, they are taking steps to encourage fintech and insurtech initiatives. The Monetary Authority of Singapore very recently published guidelines for a 'regulatory sandbox' to encourage growth in fintech within a relaxed regulatory environment. This follows the announcement by the Australian Securities & Investments Commission of a sandbox for fintech businesses.
As the insurance sector becomes increasingly digitised, cybersecurity risks also increase. Regulators around the region have published new and updated guidance that is relevant to the increasingly sophisticated cybersecurity threats. It is important that insurers' compliance and risk teams focus not only on the immediate cybersecurity compliance obligations arising from the latest regulations, but also ensure that cybersecurity compliance programmes are developed to take into account increasing reliance on technology and data at the core of their operations.
As technology continues to evolve and improve, insurtech opportunities will increase. Although the rise of insurtech has been rapid in recent years, it is still in its infancy. This presents significant opportunities for insurers who adapt to changing consumer expectations and invest in insurtech, especially in Asia, where many people are uninsured but are well connected and spend a lot of time online via their mobile devices. Adapting quickly to this dynamic landscape will enable insurers to remain competitive.
PROPOSED AUSTRALIAN MANDATORY DATA BREACH NOTIFICATION REGIME
By Nicholas Boyle, Senior Associate (Sydney)
In October 2016 the federal Government introduced the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill) to the House of Representatives, to amend the Privacy Act to establish a regime for mandatory notification of eligible data breaches. There is bipartisan support for the Bill and it is likely to become law in late 2016 or early 2017.
What are the mandatory data breach notification requirements under the Bill?
The Bill requires that an entity must, as soon as practicable, comply with the notification steps outlined below if:
• the entity becomes aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity; or
• the Information Commissioner directs the entity to do so.
If an 'eligible data breach' occurs in relation to information which has been disclosed to (and is held by) an overseas recipient by an entity, the entity that disclosed the information must comply.
Step 1: Prepare a statement setting out the prescribed details
The affected entity must prepare a statement that sets out:
• the identity and contact details of the entity. If the eligible data breach relates to more than one entity, the statement may set out the identity and contact details of those other entities;
• a description of the eligible data breach;
• the kind or kinds of information affected by the eligible data breach; and
• recommendations about the steps that individuals who are or may be affected by the eligible data breach should take in response to it.
If a statement is prepared at the direction of the Information Commissioner, the statement must also include any information specified in that direction.
Step 2: Give a copy of the prepared statement to the Information Commissioner
Step 3: Notify the contents of the statement to individuals whose information is affected by the eligible data breach
Where practicable, the affected entity must take reasonable steps to notify the contents of the statement to those individuals who are or may be affected by the eligible data breach. The entity may use the channels it ordinarily uses to communicate with individuals (eg email, text message, mail) to provide those notifications, but that does not limit the obligation to take reasonable steps or the methods of communication that the entity can use.
If it is not practicable for the affected entity to notify individuals, the affected entity must publish a copy of the statement on its website (if any) and take reasonable steps to publicise the contents of the statement.
What are 'eligible data breaches'?
An 'eligible data breach' occurs when:
• there is unauthorised access to, or unauthorised disclosure of, personal, credit reporting or credit eligibility information or a tax file number, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates; or
• personal, credit reporting or credit eligibility information or a tax file number is lost, where it is likely that (a) unauthorised access to, or unauthorised disclosure of, the information will occur and (b) such unauthorised access or disclosure will result in serious harm to an individual to whom the information relates.
Remedial action exception to the definition of eligible data breaches
An eligible data breach is deemed never to have occurred where the affected entity:
• in the case of lost information, takes action before there is unauthorised access to or unauthorised disclosure of information which is lost, and no unauthorised access or disclosure actually occurs; or
• in the case of information which is the subject of unauthorised access or disclosure, takes action before there is serious harm to any individual to whom the information relates and, because of that action, a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals.
What is 'serious harm'?
'Serious harm' is to be interpreted broadly. The explanatory memorandum to the Bill states that 'serious harm' could include serious physical, psychological, emotional, economic and financial harm, and serious harm to reputation.
The Bill contains a non-exhaustive list of matters to be considered in determining whether or not access to or disclosure of information is likely to result in "serious harm". These matters include:
• the kind(s) and sensitivity of the information;
• whether the information is protected by one or more security measures, and the likelihood of any of these measures being overcome;
• the persons, or the kinds of persons, who have obtained or who could obtain the information;
• the nature of the harm.
Exceptions
There are a small number of circumstances in which entities are exempted from complying with the notification obligations:
Multiple affected entities: Where the eligible data breach affects more than one entity and another entity has complied with the notification obligations, those other affected entities do not need to separately comply.
Enforcement related activities: Where the affected entity is an enforcement body and the body's CEO reasonably believes that complying with the notification obligations is likely to prejudice any of its enforcement related activities.
Inconsistency with a secrecy provision: Where complying with the notification obligations is, to any extent, inconsistent with a provision of a law of the Commonwealth that prohibits or regulates the use or disclosure of information.
Declaration by the Commissioner: Where the Information Commissioner declares that the notification obligations do not apply, or specifies a particular time by which the affected entity must comply with the notification obligations.
Assessment of suspected eligible data breaches
If an entity has reasonable grounds to suspect an eligible data breach may have occurred, but is not aware of reasonable grounds to believe that an eligible data breach has in fact occurred, the entity must carry out a reasonable and prompt assessment to determine whether an eligible data breach has in fact occurred. This could occur where an entity is notified of a breach by a third party.
The entity must take reasonable steps to complete the assessment within 30 days after forming the suspicion.
If the eligible data breach applies to more than one entity, only one entity needs to undertake an assessment for all entities to comply with this requirement.
After a third deliberation the Chinese government passed the new PRC cybersecurity law on 7 November 2016 The new law will come into force on 1 June 2017 and has significant implications for the data privacy and cybersecurity practices of both Chinese companies and international organisations doing business in China
The new PRC cybersecurity law intends to combat online fraud and protect China against internet security risks In short it imposes new security and data protection obligations on ldquonetwork operatorsrdquo puts restrictions on transfers of data outside China by ldquokey information infrastructure operatorsrdquo and introduces new restrictions on critical network and cybersecurity products
The new law has been widely reported in both the local and international press While Chinese officials maintain that China is not closing the door on foreign companies with the introduction of this new law there has been widespread international unease since the first reading Commentators have expressed concern that competition will be stifled regarding the handover of intellectual property source codes and security keys to the Chinese government as to perceived increased surveillance and controls over the internet in China and in relation to the data localisation requirements Other new obligations including increased personal data protections have been less controversial but are a clear indicator of the increased focus within the Chinese authorities on data protection and could signal a change to the data protection enforcement environment in China
Some of the key provisions of the final law (which contains some changes to earlier drafts of the law) include (inter alia)
Chinese citizenrsquos personal information and ldquoimportant datardquo gathered and produced by ldquokey information infrastructure operatorsrdquo (KIIO) during operations in China must be kept within the borders of the PRC If it is ldquonecessaryrdquo for the KIIO to transfer such data outside of China a security assessment must be conducted pursuant to the measures jointly formulated by the National Cyberspace Administration and State Council unless other PRC laws
permit the overseas transfer While the final version of the law provides some guidance as to the industry fields that will be ascribed greater protection such as public communications and information service energy transportation water conservancy finance public service and e-government the definition of KIIO remains vague and could potentially be interpreted to cover a broader range of companies and industry sectors ldquoPersonal informationrdquo is defined as including all kinds of information recorded electronically or through other means that taken alone or together with other information is sufficient to identify a natural personrsquos identity including but not limited to natural personsrsquo full names birth dates identification numbers personal biometric information addresses telephone numbers and so forth However the types of information that might constitute ldquoimportant datardquo is currently unclear In any case these data localisation rules are likely to create practical issues for international businesses operating in China
A range of new obligations apply to organisations that are ldquonetwork operatorsrdquo (ie network owners network administrators and network service providers) A ldquonetworkrdquo means any system comprising computers or other information terminals and related equipment for collection storage transmission exchange and processing of information Some commentators are suggesting that these broad definitions could catch any business that owns and operates IT networksinfrastructure or even just websites in China
In terms of data protection network operators must make publicly available data privacy notices (explicitly stating purposes means and scope of personal information to be collected and used) and obtain individualsrsquo consent when collecting using and disclosing their personal information Network operators must adopt technical measures to ensure the security of personal information against loss destruction or leaks and in the event of a data security breach must take immediate remedial action and promptly notify users and the relevant authorities They must also comply with principles of
16 | Intellectual Property and Technology News
SIGNIfICANT CHANGES TO DATA AND CYbERSECURITY PRACTICES IN CHINABy scott thiel partner and Carolyn Bigg of Counsel (hong Kong) and paula Cao associate (Beijing)
legality propriety and necessity in their data handling and not be excessive not provide an individualrsquos personal information to others without the individualrsquos consent nor illegally sell an individualrsquos personal data to others The rules do not apply to truly anonymised data There are also general obligations to keep user information confidential and to establish and maintain data protection systems Data subject rights to correction of their data as well as a right to request deletion of data in the event of a data breach are also provided While an earlier draft specifically provided protection to personal information of ldquocitizensrdquo the final law does not make this distinction and so seemingly offers a broader protection to all personal information These requirements formalise as binding legal obligations some data protection safeguards that were previously only perceived as best practice guidance in China
As regards network security, network operators must fulfil certain tiered security obligations according to the requirements of the classified protection system for cybersecurity. These include (amongst other things): formulating internal security management systems and operating instructions; appointing dedicated cybersecurity personnel; taking technological measures to prevent computer viruses and other similar threats and attacks, and formulating plans to monitor and respond to network security incidents; retaining network logs for at least six months; undertaking prescribed data classification, back-up, encryption and similar activities; complying with national and mandatory security standards; reporting incidents to users and the authorities; and establishing complaints systems.

Network operators must also provide technical support and assistance to state security bodies safeguarding national security and investigating crimes, and will be subject to government and public supervision. The form and extent of such cooperation is not currently clear, and international businesses have expressed concerns over the extent to which this may require them to disclose their IP, proprietary and confidential information to the Chinese authorities.

More general conditions on network operators carrying out business and service activities include obeying all laws and regulations, mandatory and industry national standards, social norms and commercial ethics, being honest and credible, and bearing social responsibility. There are also requirements on network operators to block, delete and report to the authorities prohibited information and malicious programs published or installed by users.

Network operators handling "network access and domain registration services" for users, including mobile phone and instant message service providers, are required to comply with "real identity" rules when signing up or providing service confirmation to users, or else may not provide the service.

Additional security safeguards apply to KIIOs, including security background checks on key managers, staff training obligations, disaster recovery back-ups, emergency response planning, and annual inspections and assessments. Further, strict procurement procedures will apply to KIIOs buying network products and services.

Providers of "network products and services" must comply with national and mandatory standards; their products and services must not contain malicious programs; they must take remedial action against security issues and report them to users and the relevant authorities; and they must provide security maintenance for their products and services, which cannot be terminated within the contract term agreed with customers. These new conditions will require providers of technology products and services to review and update their product and related maintenance offerings and, in particular, the contractual terms on which they are offered to customers.

Critical network equipment and specialised cybersecurity products must obtain government certification or meet prescribed safety inspection requirements before being sold or provided. This potentially catches a wide range of software, hardware and other technologies being sold, or proposed to be sold, by international companies in China, since the definitions used in the law are drafted very broadly. Further guidance, by way of a catalogue of key network products, is expected in due course. There are concerns that this may create barriers to international businesses looking to enter the Chinese market.
Each individual and organisation shall be responsible for its own use of websites and may not set up websites or communication groups for the purpose of committing fraud, imparting criminal methods, producing or selling prohibited items, or engaging in other unlawful activities. Again, there is scope for this to be interpreted and applied broadly.

Institutions, organisations and individuals outside China that cause serious consequences by attacking, interfering with or destroying key information infrastructure of China shall be responsible for any damage, and the relevant public security department of the State Council may freeze assets and impose other sanctions against them. While these provisions would appear to have an extra-territorial effect and could be interpreted very broadly, it is unclear what sanctions could in practice be enforced against organisations without a presence in China.

Other new rules relate to network/online protections for minors; the establishment of schemes for network security monitoring, early warning and breach notification to the relevant authorities and the public; rights for individuals and organisations to report conduct endangering network security; the opening of public data resources; and prohibitions on hacking and supporting activities.

While criminal sanctions, administrative penalties and civil liabilities potentially await those (both organisations and, in some circumstances, individual employees and officers) who violate the new law, unfortunately great uncertainties remain as to how the new legislation will be enforced, who exactly is caught by the various new rules, and the precise steps that organisations must take to comply with them. It is hoped that the Chinese authorities will publish more detailed practical guidance in the coming months. In the meantime, organisations are strongly advised to review their data privacy and cybersecurity practices in China to ensure compliance with the new law before it comes into force on 1 June 2017, and to keep these under review as further guidance becomes available.
STRICTER PRC ONLINE ADVERTISING REGULATION IN RESPONSE TO SEARCH SCANDAL
By Edward Chatterton, Partner (Hong Kong), Horace Lam, Partner (Beijing), and Ian Jebbit, Registered Foreign Lawyer (Hong Kong)

The China State Administration of Industry and Commerce's Online Advertising Regulation (Regulation) came into force on September 1, 2016. The Regulation has been widely regarded as the response to a recent scandal regarding paid search results.

Earlier this year a promising college student in China, Wei Ze Xi, sought cancer treatment at a hospital which was returned as a paid search result on an internet search engine. The hospital promised that the treatment would be effective and charged Wei US$30,000. The treatment was later found to be ineffective, but Wei could not then afford further

The changes

The newly amended Advertising Law did not expressly address the regulation of 'paid search results', but the new Regulation includes a specific definition of paid search results which sees them classified as an internet advertisement and thus subject to the Advertising Law. As such, the Regulation means, inter alia, that paid search results:

must not be misleading;

cannot be used in relation to the advertisement of prescription medication and tobacco products;

cannot be used in relation to the advertisement of medical services, medicine, medical formula food, medical devices, pesticides, veterinary medicines and health care products unless the relevant products and services have been previously approved by the relevant authorities; and

must be able to be closed with 'one click' and must not interfere with a user's internet experience.

The Regulation also requires online advertising service providers to establish internal systems for, inter alia, identifying clients who use paid search results and storing their details and advertisements.

Practical implications

The new Regulation affects not only search engine providers but all online advertising businesses and users of paid search results.

Businesses advertising in China using paid search results must check to ensure such paid search results are in compliance with the Advertising Law, and those businesses operating in any of the restricted fields listed above must now ensure prior approval is sought before placing a paid search result advertisement.

Our team of lawyers in China is ready to advise you on the preparations you need to make for the implementation of the Regulation.
MOBILE APPS UNDER CLOSE WATCH OF THE HONG KONG PRIVACY COMMISSIONER
By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong)

The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps. On 21 April 2016 the Office of the Privacy Commissioner for Personal Data (the PCPD) held the 'Mobile App Development Forum on Privacy and Security' (Forum) for the mobile app industry, which discussed key issues for mobile app developers, businesses and stakeholders to consider when developing and operating mobile apps, in terms of ensuring compliance with the provisions of the Personal Data (Privacy) Ordinance and safeguarding users from cybersecurity risks.

Businesses operating in the mobile app industry and related stakeholders are advised to take note of the key points raised at the Forum, and the related issues that they should consider, set out below.

Lessons to learn from mobile apps in the market

The Privacy Commissioner highlighted the results of a recent survey on popular mobile apps developed by Hong Kong entities, which revealed a lack of transparency in the personal data handling of the apps. The survey results revealed that most of these local apps did not explain clearly what data they would access and the purposes for such access, and that only around half of these mobile apps provided a privacy policy.

A key risk discussed at the Forum was that the drafter of a privacy policy may not have a complete understanding of what data is in fact collected, stored, used and/or shared by the app, for example where third-party code is used in the app's development. Businesses using a single privacy policy for all of their mobile apps, where those apps differ greatly in the way users' data are handled, also run the risk of having imprecise privacy policies for individual apps.

Security remains a key concern in relation to personal data collected and handled by mobile apps. It was revealed at the Forum that, alarmingly, some extremely popular mobile apps failed to apply adequate security to safeguard users' personal data.

Enforcement risks for mobile apps

At the Forum the Privacy Commissioner referred to enforcement actions that were taken against mobile apps recently, largely due to excessive data collection and inadequate security of personal data.

In recent years the Privacy Commissioner has served enforcement notices on operators of mobile apps, as well as on parties related to the app operators. As a result, the relevant companies have taken corrective actions; in some instances the Privacy Commissioner's enforcement action attracted much media attention, and some of these mobile apps are no longer available in the market.

However, there is a limit to the Privacy Commissioner's enforcement powers, as demonstrated by a high profile incident in November 2016 regarding call-blocking apps whose activities were suspected by the PCPD to contravene Hong Kong's data privacy law. As the apps' operators were located outside Hong Kong, the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow-up action.

It is most likely that the privacy compliance of mobile apps will continue to be under the close watch of the Privacy Commissioner in the coming months.

Privacy by Design

The Chief Personal Data Officer of the PCPD, Dr Henry Chang, highlighted the 'Privacy by Design' approach that businesses should adopt, which brings privacy to the foreground and embeds privacy from the outset into the design specifications and throughout the entire development life cycle of a mobile app. Set out below are key factors that should be considered.

Data minimisation: the collection of personal data should be reduced to the absolute minimum, especially where sensitive personal data is involved. An assessment of what data the business requires from users, in terms of access and collection, should be undertaken at the outset.

Surprise minimisation: businesses should ensure there is transparency to users in terms of what data will be collected or accessed, and provide users with a choice to opt out of such access or use where possible. It is important for businesses to manage the expectations of users and to eliminate or minimise any possible adverse effects of data collection and use.

Risk minimisation: businesses must ensure adequate protection of data being transmitted and/or stored, for example through encryption and access control.

Trust and respect: to earn the trust and respect of users, it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects, even if it does not amount to personal data. This is key, as mobile devices contain a vast amount of personal data and other data that may be considered private, and users would be concerned about whether the mobile app accesses or collects any of this data.

In particular, businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users, rather than as a compliance hurdle to avoid investigation or enforcement action by the Privacy Commissioner. Businesses should ensure the data collection and handling practices in respect of their mobile apps are not only compliant with the law, but that the privacy policies, privacy notifications and consents are sufficiently clear and transparent to gain the trust and respect of users.
SINGAPORE'S ENFORCEMENT OF DATA PROTECTION LAW ON THE RISE
By Scott Thiel, Partner, Carolyn Bigg, Of Counsel, and Amy Kong, Associate (Hong Kong)

Singapore's Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident, together with the Monetary Authority of Singapore (MAS), concerning a multinational bank. The PDPC has also recently announced the need for organisations to improve their data security and data protection measures, and has issued new guides, primarily focusing on data protection measures, which organisations should consider carefully.

Recent enforcement decisions

Some of the key points to note from the three recent enforcement decisions:

A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.

A document processing company was fined SGD 5,000 for a data breach after 195 individuals received the account statements of other account holders held on the Singapore Exchange.

A multinational insurance company was issued a warning on 22 June 2016 for disclosing the personal data of an insurance policy holder to a third party (the policy holder's chiropractor) in order to obtain further medical information about the policy holder in September 2015. The PDPC found that the disclosure of the policy holder's bank account details, being of a sensitive financial nature, was not for a reasonable purpose.

It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of 'sensitive personal data' requiring additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.

As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were a result of inadequate data security measures which led to unauthorised disclosure of personal data.
Investigation into a multinational bank's data disposal incident

The PDPC and the MAS have joined forces in an investigation into a multinational bank (Bank) following a recent report relating to the Bank's disposal of client documents. In June 2016 it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank's headquarters in Singapore.

The MAS is working closely with the PDPC to review the incident and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers' data.

New guides issued by the PDPC

To accompany its recent media release urging organisations to improve their data security measures, and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, on securing personal data in electronic medium, and on building websites for small to medium enterprises.

The PDPC has also updated its guide on the disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding withdrawal of consent and access requests. Organisations are encouraged to consider carefully the contents of the guides and updated guidelines when reviewing their data handling practices.

Some interesting issues to note

The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third party contracts. Such data protection clauses should contain specific security measures; a schedule listing the authorised personnel who are permitted to access the personal data on a 'need to know' basis; a requirement for a written undertaking about the return or deletion of personal data; and a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.

The PDPC's guide on the disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).

This article was first published in August 2016. For further updates in relation to Singapore's data protection laws, please contact Scott Thiel (scottthieldlapipercom) or Carolyn Bigg (carolynbiggdlapipercom).
IPT INSIGHTS

AUSTRALIA - TRADE MARKS - CHANGES TO OFFICIAL FEES

The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees, some of which are intended to align with practices in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.

Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there will no longer be a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptance/registration, the new process will hopefully reduce the administrative burden on applicants somewhat.

In addition, the AU$150 fee for opposing a removal application will be abolished. Renewal fees will also increase slightly.

This is an adjustment to official fees only at this time, and DLA Piper Australia is not increasing its fees for the relevant attendances.

HONG KONG'S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD

Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong's Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees use their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap 486) (the Ordinance) and the Data Protection Principles (DPPs).

The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and to the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices depending on whether or not the organisation's data is stored on the personal devices or within a 'sandbox'. The Commissioner has suggested, as best practice, that organisations should at the outset of any BYOD implementation conduct risk assessments and implement internal BYOD policies accordingly, to ensure appropriate data privacy and data security compliance.

The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding the use of personal data stored on the BYOD device, and whether adequate security measures are in place to ensure secure transfer and storage of personal data on the BYOD equipment (eg sandboxing, password protection and independent encryption).

The Information Leaflet also highlights that respect for personal data should be mutual under a BYOD scheme, and any practices implemented to manage employees' BYOD devices should respect the employees' private information.

For more information, the Information Leaflet is available here.

DLA Piper's Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more, please click here.

JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS

In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.

Where a supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, in order to seek a remedy (for example, damages) the supplier must follow the approach prescribed in the Bill. This is likely to be a two-step process. Firstly, the supplier must attempt to resolve the complaint with the procuring entity. Secondly, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.

The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year.
WHAT'S ON
Wrap up: 5th Global Technology Summit

On September 27 and 28 DLA Piper's Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.

This year the Summit was divided into two distinct days of programming. The first day, called 'Garage2Global', was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from 'garage to global'. The second day, entitled 'TechLaw', provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.

Speaker Highlights

At 'Garage2Global', Alec Ross, Former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day Sarah Lacy, Editor in Chief at Pandocom, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world's largest networks, which powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates Inc.

Kicking off 'TechLaw', Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions, and how the legal department is viewed as a business partner. During the afternoon sessions Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, to discuss the GC's role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world's largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.

Please visit our Summit website and blog for any further information.
DLA Piper is pleased to announce the launch of Telecommunications Laws of the World

Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.

Key features include:

telecommunications laws, regulations and policies

regulatory bodies or authorities

overview of consents, licenses and authorisations

regulatory taxes and fees

key sanctions and penalties

Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-based stamping for trading transactions, robust, reliable and resilient networks are critical.

Today telecommunications operators are increasingly seeking to expand customer-specific and value added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion. At the same time, the growth of OTT (over the top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators' infrastructure to provide services.

Access Telecommunications Laws of the World here.
Intellectual property webinar series

Throughout 2016 DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact eventsaustraliadlapipercom.

intellectual property issues in China

confidential information and trade secrets: global insights, global protection

grey market, parallel importation and anti-counterfeiting

content protection and digital piracy

advertising and marketing
Pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide

We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.

Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:

trademark filing and prosecution

oppositions

revocation, invalidation and cancellation

trademark enforcement

trademark exploitation

unregistered trademark rights

domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide, email APACTMGuidedlapipercom.
Are you an in-house lawyer? Join WIN today

WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.
GLOBAL PATENT LAWS AROUND THE WORLD

COMING SOON

Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to businesses operating in the countries featured: for example, what acts infringe a patent, the availability of and approach to granting preliminary injunctions, the ability to obtain evidence, the approach to assessing validity, and the typical time to trial. For companies operating in multiple countries, managing the risk of, and successfully bringing or defending, patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those of other countries.

Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and the procedural matters businesses need to know about. The handbook includes guidance on:

infringing conduct

defences to infringement

before taking action

patent validity

taking action

remedies

procedure and timing

Benefits of Global Patent Laws: patent laws simply put, global reach, easy access 24/7.

DLA PIPER'S PATENT GROUP

With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.

For further information, please contact us by email at patentsdlapipercom.
Cyber security is becoming part of the national conversation. It is a conversation initiated by a rash of attacks on public and private computing infrastructure, propelled by the Federal Government's cyber security strategy released in early 2016, and amplified by the high profile Census debacle.
But cyber security requires more than talk; it demands action. Organisations that effectively identify and plot their risk profile, take steps to manage, mitigate and, where appropriate, transfer that risk, secure their future and are better poised to reap competitive rewards.
By being able to demonstrate a sophisticated and comprehensive approach to cyber security, a company positions itself as a favoured and trusted business partner. But this is not a set and forget strategy: the threat landscape is in a state of constant flux, and organisations need to regularly review and refresh their approach.
The global threat environment
There are no longer any doubts that cyber risk is an immediate and significant issue for enterprises of all scales and in every sector. Left unchecked, it can bring corporations and countries to their knees.
According to Professor Greg Austin, director of the Australian Centre for Cyber Security, one of the major challenges is that the full dimensions of the problem are still being assessed globally. But he notes that US President Barack Obama has for the second year declared a national emergency in cyberspace, which indicates the scale and seriousness of the global problem.
China has also stepped up its efforts in the area, according to Prof Austin, under the direct control of the President, and has introduced a draft bill on cyber security.
In Australia, the Prime Minister has assessed that cyber-crime has an economic impact ranging somewhere between $1 billion and $17 billion. Prof Austin said that extraordinary range indicates the continued lack of clarity about the true extent of the problem.
Where there is no lack of clarity is in the acknowledgement that there is a problem, and senior managers and boards are increasingly concerned.
A PricewaterhouseCoopers report into global economic crime has for the first time identified cyber-crime as the number one threat, edging out asset misappropriation.
Prof Austin says that eight vectors of attack are currently in evidence: software, hardware, networks, payload, people, power supply, policy and ecosystem. In addition, nine major sources of threat have been identified, and Symantec data suggests there are as many as 30 different threat types.
These variables in combination make it difficult, if not impossible, to prevent any and all attacks. Prof Austin's warnings are stark: "The criminals are always ahead of you or I ... the bad news is that governments are well behind criminals and corporates."
While he acknowledges that the chances of a serious cyber-attack on any one corporation or entity are quite low, the probability of the consequences being high in a handful of cases is extremely high. And that, he says, is what organisations need to prepare for.
Legal influences on the cyber risk landscape
Legislation and regulation often lag behind technology, and this is particularly evident in the cyber security area, where nations continually play catch up.
Enterprises operating internationally must navigate a global legal landscape in constant flux and establish strategies for managing security and data that comply with regulations locally and regionally.
This is particularly challenging for companies migrating information systems to the cloud. While there may be scale, cost and flexibility benefits associated with cloud computing services, it is essential to review contracts regarding how data will be treated and to identify any potential security gaps.
Blue Edge Lab, a wholly owned subsidiary of DLA Piper, delivers a solution called CyberTrak to track legislative changes regionally. Blue Edge Lab is not a law firm and does not provide legal services.
Organisations which operate in multiple jurisdictions must navigate complex rules surrounding privacy, data and security. Scott Thiel, DLA Piper partner specialising in technology and privacy, says that organisations operating in multiple jurisdictions need to decide whether to take a "high watermark approach" and establish security and privacy settings that meet the most stringent conditions in the countries they operate in, or to tackle the issue country by country.
Neither is ideal: the costs associated with meeting high watermark regulation across the region could be high, while a piecemeal approach could be difficult to maintain, especially given the rapid pace of change. However, failing to address the issue properly is a mistake with potentially serious financial implications: witness the company sued for HK$15 million over a consumer's "hurt feelings" regarding unauthorised exposure of their data.
Beyond compliance, there is the opportunity to leverage investment in cyber security and data protection to deliver competitive advantage, especially following the Panama Papers leak, which threw the issue into sharp relief.
Organisations pitching for work, responding to tenders or planning an IPO may find it an advantage to be able to reference a comprehensive, even audited, data collection, storage and use strategy, along with a well-constructed and rehearsed cyber security plan. That plan should leverage technology solutions and services such as encryption, penetration testing and employee education, along with an appropriate insurance framework to mitigate and transfer the risk of financial consequences associated with a breach.
In the event of a breach, this also streamlines discussions with regulators. An enterprise able to identify where its data is stored (whether on premises or in the cloud), and also to reference the technologies, policies and procedures in place to protect that data, should then be able to identify where the plan proved lacking and provide a voluntary undertaking to the regulator to fix that issue.
Says Thiel: "Institutional awareness of how systems hang together will speed root problem analysis and rectification."
Cyber rules around the region
Australia: the arrival of a new privacy amendment Bill and mandatory data breach notification for serious breaches is expected to be a game changer.
China: racing ahead in terms of regulations, and has a security draft law which will have significant implications for international companies operating in the PRC.
Hong Kong: specific and stringent security requirements. While there are no data breach notification rules, these are expected in 12 to 18 months. The first person to be jailed for a privacy breach was a Hong Kong based insurance broker.
Singapore: legislation in place for over two years, and more meaningful enforcement is anticipated, while regulations are expected to evolve, particularly for foreign enterprises.
Japan: a mix of regulations impacting various industries, but a strong culture of compliance, meaning the level of enforcement is low because of fear of reputational damage.
South Korea: a long tradition of privacy and security law and robust enforcement, with serious enterprise consequences.
Thailand: some constitutional requirements, but no breach notification.
In the event of a breach...
1 Refer to the data breach response plan
2 Call lawyers to preserve privilege
3 Involve communications and PR team
4 Alert insurers to the breach
5 Seek advice from lawyers and insurers regarding extortion (ransomware) attempts before any payments
6 Engage incident response team to analyse breach and remediate
Access DLA Piper's cyber incident/data breach response: Your emergency checklist here: httpswwwdlapipercomenaustraliainsightspublications201504cyber-data-breach-checklist
Assessing the technology/insurance inflexion point
Technology and education are the first frontier of data protection and cyber security. Investing in a spread of security technologies, such as firewalls, encryption, system monitoring, vulnerability assessments and penetration testing, along with effective employee education programmes to ensure staff understand how to avoid spear phishing or ransomware attacks, is essential for any organisation.
There is, however, a point at which additional investment in security offers diminishing value. At this inflexion point an organisation needs to refocus its investment attention toward cyber risk insurance.
Tim Fitzgerald, chief security officer and VP at Symantec, explains that exactly when an organisation reaches that inflexion point will vary, and will also be impacted by the scale of an organisation's data collection, its reliance on cloud computing services, its deployment of internet of things devices, and the mobility of its workforce and user base.
He recommends that organisations conduct a cyber risk assessment, analyse the data stores held and assess by whom and why they may be targeted, and then develop a security strategy based on that insight. The board and senior managers need to be apprised of the security risk and strategy and, through gap analysis, determine the need for cyber insurance, understanding that conventional corporate insurance policies are unlikely to properly protect an organisation in the event of a cyber-attack.
A data breach response plan, which can be informed by the Office of the Australian Information Commissioner's guidelines (httpswwwoaicgovauresourcesagencies-and-organisationsguidesdata-breach-notification-guide-august-2014pdf), ensures that, should a cyber-attack occur, the organisation and staff understand their responsibilities. A comprehensive response plan also demonstrates good governance to business partners, investors and regulators.
However, any cyber response plan must remain a living document and needs regular review to ensure that current regulatory requirements are acknowledged.
In addition, any personnel with responsibilities under that plan must be properly trained to act swiftly in the event of a breach. The plan should also identify any third party support services required should an attack occur, allowing engagement contracts to be negotiated well in advance.
Organisations attacked once are three times more likely to be attacked again (Symantec)
45x more cyber ransom events year on year (Symantec)
Digital transformation and the impact of insurance
Once an organisation has deployed robust technology defences, educated staff about the risks of cyber-attack and promulgated policies about how to react and respond to cyber events, it has laid important foundations for its protection.
Those people, process and technology foundations provide a platform from which the organisation is able to negotiate appropriate and cost effective cyber insurance.
By analysing the potential impact of an attack on the financial statement, the organisation can determine what coverage it requires.
Kevin Kalinich, Aon's global cyber practice leader, advises organisations to look at the industry in which they operate and benchmark the range of losses that could arise, knowing the value of data assets held and the impact of a cyber-attack in terms of business interruption, the impact on supply chains, on SCADA industrial control systems, and on reputation and brand.
The anticipated introduction of mandated data breach notification should spur action, and organisations with international operations need to ensure that they are properly protected in all the geographies in which they operate. Based on international experience, mandated breach notification leads to significant costs associated with legal services, regulator notification, customer notification, forensics, remediation and potentially compensation claims.
"Take steps to mitigate, to allocate liability or minimise your own liability. This is not all about prevention; it is about your response. If you have prepared a response, there is data that shows you can reduce the total cost of an incident," says Kalinich.
He also warns that organisations should not assume that their existing insurance policies provide any coverage in the event of a cyber-attack, nor that a third party information systems provider, such as a cloud computing vendor, would have them covered. Similarly, existing directors and officers policies and professional indemnity coverage might prove inadequate should a cyber-attack take place.
In order to properly analyse the risk profile, Kalinich advocates risk quantification modelling in combination with Monte Carlo evaluation techniques. The resulting macro level understanding of the challenge allows an organisation to then work with an insurance broker to craft appropriate risk coverage.
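The article describes the Monte Carlo approach only in outline. What follows is an added, self-contained illustration written for this page; it is not Aon's model or anything from the original article. It assumes that the number of incidents in a year follows a Poisson distribution and that the loss from each incident is lognormal (a common pairing in quantitative cyber risk models), simulates many years, and reports the expected annual loss, the 95th and 99th percentile "bad year", and how much of the loss a hypothetical policy with a given retention (deductible) and limit would absorb. Every parameter value (0.8 incidents a year, a median incident cost of AU$250,000, the retention and the limit) is a constructed input, not a figure from the article.

```python
"""Monte Carlo cyber loss simulation: an illustrative model, not Aon's.

Assumptions (all for illustration): incidents per year ~ Poisson(lam);
loss per incident ~ lognormal with the given median and sigma.
"""
import math
import random


def poisson_sample(rng, lam):
    """Draw one Poisson(lam) variate using Knuth's multiplication method
    (adequate for the small incident rates used here)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(lam, median_loss, sigma, n_years=20000, seed=2016):
    """Return a list of simulated total losses, one entry per simulated year.
    The seed makes the run reproducible so results can be compared."""
    rng = random.Random(seed)
    mu = math.log(median_loss)  # lognormal median = exp(mu)
    annual = []
    for _ in range(n_years):
        incidents = poisson_sample(rng, lam)
        annual.append(sum(rng.lognormvariate(mu, sigma) for _ in range(incidents)))
    return annual


def percentile(values, p):
    """Nearest-rank percentile of values for p in [0, 1]."""
    ordered = sorted(values)
    return ordered[int(round(p * (len(ordered) - 1)))]


def coverage_summary(annual_losses, retention, limit):
    """Split each simulated year's loss into the part a policy with this
    retention and limit would pay and the part the organisation keeps
    (everything below the retention plus everything above the limit)."""
    n = len(annual_losses)
    transferred = [min(max(loss - retention, 0.0), limit) for loss in annual_losses]
    retained = [loss - t for loss, t in zip(annual_losses, transferred)]
    return {
        "expected_loss": sum(annual_losses) / n,
        "var_95": percentile(annual_losses, 0.95),
        "var_99": percentile(annual_losses, 0.99),
        "expected_transferred": sum(transferred) / n,
        "expected_retained": sum(retained) / n,
        "prob_exceeds_limit": sum(1 for loss in annual_losses if loss - retention > limit) / n,
    }


if __name__ == "__main__":
    # Constructed inputs: 0.8 incidents/year, median AU$250k per incident,
    # a heavy right tail (sigma 1.2); policy with AU$100k retention, AU$2m limit.
    losses = simulate_annual_losses(lam=0.8, median_loss=250_000, sigma=1.2)
    summary = coverage_summary(losses, retention=100_000, limit=2_000_000)
    for key, value in summary.items():
        if key == "prob_exceeds_limit":
            print(f"{key:>22}: {value:.3f}")
        else:
            print(f"{key:>22}: {value:,.0f}")
```

Run as a script, it prints the summary for the constructed inputs. The useful numbers are the tail percentiles: they show how far a plausible bad year sits above the expected loss, which is what the retention and limit of a policy should be set against, and `prob_exceeds_limit` tells you how often the chosen limit would be exhausted.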
Off the shelf policies have limited value. Base cyber insurance policies can cover external hacks, malicious code and internal mistakes, but may not cover the impact of a bug in the system. Consequential costs (punitive, incidental) are excluded from all base insurance policies, as is tangible property damage, but these can be negotiated in a customised policy.
Effective cyber insurance policies also cover costs associated with legal support, communications costs, forensic analysis, notification and remediation services.
Kalinich warns, however, that given the changes in the legal landscape and the technology terrain, this is not a set-and-forget requirement, noting that risk assessment needs to be both thorough and regular.
Armed with that insight, the organisation can work with an insurance broker to find, tailor and stress test a cyber insurance policy to ensure the effective reduction of enterprise risk.
Cyber risk: are you properly prepared?
There are four key questions that every organisation needs to address regarding cyber risk and protection:
What can go wrong?
How bad can it be?
How am I protected?
Will my insurance work?
Assessing the organisational risk profile requires input from multiple stakeholders, including the chief financial officer, chief information security officer, head of risk management and legal counsel. External consultants can also provide a fresh lens through which to explore exposure.
Knowing the risk is one thing; dealing with it effectively also demands the support of the most senior management and board. Effective security requires a whole-organisation commitment from the top down.
The anticipated mandatory breach notification legislation will require organisations to alert authorities not only when they are aware of a breach but when those organisations "ought reasonably to have been aware", which suggests regulators may penalise companies found to have inadequate security systems. It is also not yet clear whether there will be any extra-territorial implications of the legislation for organisations operating overseas branches or subsidiaries.
Cyber security is a critical issue for organisations of every scale and in every sector. Robust and comprehensive security frameworks, a well-crafted response plan and effective cyber insurance, developed in concert and reviewed regularly, deliver the maximum protection and an important competitive edge.
UNFAIR CONTRACT TERMS IN THE IT SPACE: WHAT YOU NEED TO KNOW
By Sarah Dolan, Senior Associate (Melbourne) and Stephanie Tran, Graduate (Melbourne)
The 'one size fits all' approach to contracting is a common feature within the IT industry. Standard form contracts are an efficient and cost-effective method of doing business and are often used for online terms of use and for projects which are of low risk, value and/or complexity.
From 12 November 2016, the unfair contract terms regime in the Australian Consumer Law, which until then only applied to individual consumers, was extended to contracts where at least one party is a "small business" and the upfront price payable is $300,000 or less (or $1 million if the contract is for a term longer than 12 months). A "small business" is a business that employs fewer than 20 people. The regime will also apply to contracts which are varied after 12 November 2016.
What is an ldquounfairrdquo contract term
Whether a term is "unfair" is decided by a court or tribunal. A term is "unfair" if the following three criteria are satisfied:
it causes a significant imbalance in the partiesrsquo rights and obligations under the contract
it is not reasonably necessary to protect the legitimate interest of the party who would be advantaged by the term and
it would cause detriment (whether financial or otherwise) to a party if the term were relied upon
A court or tribunal, in determining whether a term is unfair, must assess the transparency of the term. This includes an assessment of how the term is expressed: is it in plain language and is it presented clearly? The court or tribunal must also consider the term in light of the contract as a whole and not in isolation.
Unfair terms in standard form contracts
Examples of standard form contract terms that may be challenged in court or at a tribunal for "unfairness" include:
terms requiring the customer to indemnify the supplier for any damage caused even if it is caused by the supplierrsquos own negligence
terms that allow a supplier to cancel a contract at will for an inconsequential breach of contract by the customer
terms that restrict a customer from obtaining a refund or exercising a termination right where the supplier has failed to meet its obligations under the contract and
terms that provide for automatic renewal without the customerrsquos consent
What does this mean for your business
Where a supplier's business model is directed at providing services to small to medium enterprises (SMEs), and the supplier has not had to address this issue in the past for "consumer" customers, it is likely to be impacted by this extension of the unfair contract terms regime. Standard form contracts (e.g. online terms of use, confidentiality agreements, software licences, support agreements, supply and/or services contracts) for SME customers should be reviewed to determine whether any of the terms may be considered "unfair".
If a court determines that a term is "unfair", it can make a range of orders, including declaring part or all of the contract void and/or varying the contract. If a court orders a contract to be varied, this may result in the supplier being unable to enforce other rights it may otherwise have, either under the contract itself or at law.
Additionally, customers which are small businesses may challenge contract terms that they consider are unfair to prevent a supplier from enforcing express rights under the contract. Such challenges will cost a supplier both time and money to address, even if it is able to successfully defend the claim. In addition, in this day of instant and free customer feedback on social media sites, there is also the risk of reputational damage in the market.
Suppliers should ensure their standard terms are appropriate for the type, size and nature of both the target customer and the goods and services being provided, with an appropriate balance of risk and responsibility between the parties.
INSURTECH
By Carolyn Bigg, Of Counsel (Hong Kong) and Sarah Fountain, Senior Associate (Melbourne)
The customer experience of insurance has largely remained the same for many years. A customer completes a proposal form (normally in hard copy) and submits it to the broker; the broker requests quotes from insurers; insurers provide quotes; the broker places a policy; the policy is issued (normally on an annual basis); and then the customer probably gives no further thought to it unless he or she needs to make a claim. This process does not fit well with the digital era we now live in and has not adapted quickly enough to meet changing consumer expectations, largely driven by millennials.
Insurers widely recognise the need to innovate. Despite this, most insurers have been slow to change their ways, with less than a quarter giving customers the option to submit claims online. This signals huge opportunities for those in the insurance sector, which explains the huge growth we are seeing in 'insurtech' (a word that was barely known a few years ago but now seems to be everywhere). Globally, investment in insurtech increased from US$800 million in 2014 to US$2.6 billion in 2015, and was US$1 billion in the first half of 2016.
Across Asia Pacific there are numerous examples of insurers embracing insurtech. Some insurers have opened innovation labs or incubators, such as Metlife's LumenLab in Singapore. Others have established corporate VC funds to invest in insurtech startups that will drive value for the business. For example, Suncorp recently invested in Trov, an app that allows customers to turn insurance on and off by swiping right or left on their phones. We have also seen collaboration between insurers and car manufacturers to make available one-click, single use motor vehicle policies in connected cars, as well as collaboration between insurers and technology companies. Another indicator of the opportunities in insurtech is the level of interest shown in the insurance market by leading players in other markets. For example, earlier this year China Mobile announced it is planning to enter the insurance market by making significant investments in two insurance companies.
These initiatives are already starting to have an impact on the insurance experience. The use of drones by insurance companies to assess property damage is reducing claims costs and the time taken to assess claims. The implementation of wearable technology in the workplace, such as smart glasses and smart hats, is increasing workplace safety and thereby reducing the risk of injuries. The use of wearable devices has also been adopted by health insurers and life insurers, enabling them to capture data and potentially pass on lower premiums to policy holders. In the future, we predict the most significant areas of growth and change in insurtech will be data analytics, wearables and IoT, blockchain and artificial intelligence.
Whilst regulators understandably adopt a cautious approach, they are taking steps to encourage fintech and insurtech initiatives. The Monetary Authority of Singapore very recently published guidelines for a 'regulatory sandbox' to encourage growth in fintech within a relaxed regulatory environment. This follows the announcement by the Australian Securities & Investments Commission of a sandbox for fintech businesses.
As the insurance sector becomes increasingly digitised, cybersecurity risks also increase. Regulators around the region have published new and updated guidance that is relevant to the increasingly sophisticated cybersecurity threats. It is important that insurers' compliance and risk teams focus not only on the immediate cybersecurity compliance obligations arising from the latest regulations, but also ensure that cybersecurity compliance programmes are developed to take into account the increasing reliance on technology and data at the core of their operations.
As technology continues to evolve and improve insurtech opportunities will increase Although the rise of insurtech has been rapid in recent years it is still in its infancy This presents significant opportunities for insurers who adapt to changing consumer expectations and invest in insurtech especially in Asia where many people are uninsured but are well connected and spend a lot of time online via their mobile devices Adapting quickly to this dynamic landscape will enable insurers to remain competitive
In October 2016, the Federal Government introduced the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill) to the House of Representatives to amend the Privacy Act to establish a regime for mandatory notification of eligible data breaches. There is bipartisan support for the Bill and it is likely to become law in late 2016 or early 2017.
What are the mandatory data breach notification requirements under the Bill?
The Bill requires that an entity must, as soon as practicable, comply with the notification steps outlined below if:
the entity becomes aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity; or
the Information Commissioner directs the entity to do so.
If an 'eligible data breach' occurs in relation to information which has been disclosed to (and is held by) an overseas recipient by an entity, the entity that disclosed the information must comply.
Step 1 Prepare a statement setting out the prescribed details
The affected entity must prepare a statement that sets out:
the identity and contact details of the entity If the eligible data breach relates to more than one entity the statement may set out the identity and contact details of those other entities
a description of the eligible data breach
the kind or kinds of information affected by the eligible data breach and
recommendations about the steps that individuals who are or may be affected by the eligible data breach should take in response to it
If a statement is prepared at the direction of the Information Commissioner the statement must also include any information specified in that direction
Step 2 Give a copy of the prepared statement to the Information Commissioner
Step 3 Notify the contents of the statement to individuals whose information is affected by the eligible data breach
Where practicable, the affected entity must take reasonable steps to notify the contents of the statement to the individuals who are or may be affected by the eligible data breach. The entity may use the channels it ordinarily uses to communicate with individuals (e.g. email, text message, mail) to provide those notifications, but that does not limit the obligation to take reasonable steps or the methods of communication that the entity can use.
If it is not practicable for the affected entity to notify individuals, the affected entity must publish a copy of the statement on its website (if any) and take reasonable steps to publicise the contents of the statement.
PROPOSED AUSTRALIAN MANDATORY DATA BREACH NOTIFICATION REGIME
By Nicholas Boyle, Senior Associate (Sydney)
What are 'eligible data breaches'?
An 'eligible data breach' occurs when:
there is unauthorised access to, or unauthorised disclosure of, personal, credit reporting or credit eligibility information or a tax file number, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates; or
personal, credit reporting or credit eligibility information or a tax file number is lost, where it is likely that (a) unauthorised access to or unauthorised disclosure of the information will occur and (b) such unauthorised access or disclosure will result in serious harm to an individual to whom the information relates.
Remedial action exception to the definition of eligible data breaches
An eligible data breach is deemed never to have occurred where the affected entity:
in the case of lost information takes action before there is unauthorised access to or unauthorised disclosure of information which is lost and no unauthorised access or disclosure actually occurs or
in the case of information which is the subject of unauthorised access or disclosure takes action before there is serious harm to any individual to whom the information relates and because of that action a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals
What is 'serious harm'?
'Serious harm' is to be interpreted broadly. The explanatory memorandum to the Bill states that 'serious harm' could include serious physical, psychological, emotional, economic and financial harm, and serious harm to reputation.
The Bill contains a non-exhaustive list of matters to be considered in determining whether or not access to or disclosure of information is likely to result in "serious harm". These matters include:
the kind(s) and sensitivity of the information
whether the information is protected by one or more security measures and the likelihood of any of these measures being overcome
the persons or the kinds of persons who have obtained or who could obtain the information
the nature of the harm
Exceptions
There are a small number of circumstances in which entities are exempted from complying with the notification obligations:
Multiple affected entities: where the eligible data breach affects more than one entity and another entity has complied with the notification obligations, those other affected entities do not need to separately comply.
Enforcement related activities: where the affected entity is an enforcement body and the body's CEO reasonably believes that complying with the notification obligations is likely to prejudice any of its enforcement related activities.
Inconsistency with a secrecy provision: where complying with the notification obligations is to any extent inconsistent with a provision of a law of the Commonwealth that prohibits or regulates the use or disclosure of information.
Declaration by the Commissioner: where the Information Commissioner declares that the notification obligations do not apply, or specifies a particular time by which the affected entity must comply with the notification obligations.
Assessment of suspected eligible data breaches
If an entity has reasonable grounds to suspect an eligible data breach may have occurred, but is not aware of reasonable grounds to believe that an eligible data breach has in fact occurred, the entity must carry out a reasonable and prompt assessment to determine whether an eligible data breach has in fact occurred. This could arise, for example, where an entity is notified of a breach by a third party.
The entity must take reasonable steps to complete the assessment within 30 days after forming the suspicion
If the eligible data breach applies to more than one entity only one entity needs to undertake an assessment for all entities to comply with this requirement
After a third deliberation, the Chinese government passed the new PRC Cybersecurity Law on 7 November 2016. The new law will come into force on 1 June 2017 and has significant implications for the data privacy and cybersecurity practices of both Chinese companies and international organisations doing business in China.
The new PRC Cybersecurity Law is intended to combat online fraud and protect China against internet security risks. In short, it imposes new security and data protection obligations on "network operators", puts restrictions on transfers of data outside China by "key information infrastructure operators", and introduces new restrictions on critical network and cybersecurity products.
The new law has been widely reported in both the local and international press. While Chinese officials maintain that China is not closing the door on foreign companies with the introduction of this new law, there has been widespread international unease since the first reading. Commentators have expressed concern that competition will be stifled, concern regarding the handover of intellectual property, source code and security keys to the Chinese government, concern about perceived increased surveillance and controls over the internet in China, and concern in relation to the data localisation requirements. Other new obligations, including increased personal data protections, have been less controversial, but are a clear indicator of the increased focus within the Chinese authorities on data protection and could signal a change to the data protection enforcement environment in China.
Some of the key provisions of the final law (which contains some changes to earlier drafts of the law) include, inter alia:
Chinese citizens' personal information and "important data" gathered and produced by "key information infrastructure operators" (KIIOs) during operations in China must be kept within the borders of the PRC. If it is "necessary" for the KIIO to transfer such data outside of China, a security assessment must be conducted pursuant to the measures jointly formulated by the National Cyberspace Administration and State Council, unless other PRC laws permit the overseas transfer. While the final version of the law provides some guidance as to the industry fields that will be ascribed greater protection, such as public communications and information services, energy, transportation, water conservancy, finance, public services and e-government, the definition of KIIO remains vague and could potentially be interpreted to cover a broader range of companies and industry sectors. "Personal information" is defined as including all kinds of information, recorded electronically or through other means, that taken alone or together with other information is sufficient to identify a natural person's identity, including but not limited to natural persons' full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers and so forth. However, the types of information that might constitute "important data" are currently unclear. In any case, these data localisation rules are likely to create practical issues for international businesses operating in China.
A range of new obligations apply to organisations that are "network operators" (i.e. network owners, network administrators and network service providers). A "network" means any system comprising computers or other information terminals and related equipment for the collection, storage, transmission, exchange and processing of information. Some commentators are suggesting that these broad definitions could catch any business that owns and operates IT networks or infrastructure, or even just websites, in China.
In terms of data protection, network operators must make publicly available data privacy notices (explicitly stating the purposes, means and scope of personal information to be collected and used) and obtain individuals' consent when collecting, using and disclosing their personal information. Network operators must adopt technical measures to ensure the security of personal information against loss, destruction or leaks and, in the event of a data security breach, must take immediate remedial action and promptly notify users and the relevant authorities. They must also comply with principles of
16 | Intellectual Property and Technology News
SIGNIfICANT CHANGES TO DATA AND CYbERSECURITY PRACTICES IN CHINABy scott thiel partner and Carolyn Bigg of Counsel (hong Kong) and paula Cao associate (Beijing)
legality propriety and necessity in their data handling and not be excessive not provide an individualrsquos personal information to others without the individualrsquos consent nor illegally sell an individualrsquos personal data to others The rules do not apply to truly anonymised data There are also general obligations to keep user information confidential and to establish and maintain data protection systems Data subject rights to correction of their data as well as a right to request deletion of data in the event of a data breach are also provided While an earlier draft specifically provided protection to personal information of ldquocitizensrdquo the final law does not make this distinction and so seemingly offers a broader protection to all personal information These requirements formalise as binding legal obligations some data protection safeguards that were previously only perceived as best practice guidance in China
As regards network security, network operators must fulfil certain tiered security obligations according to the requirements of the classified protection system for cybersecurity, which includes (amongst other things): formulating internal security management systems and operating instructions; appointing dedicated cybersecurity personnel; taking technological measures to prevent computer viruses and other similar threats and attacks, and formulating plans to monitor and respond to network security incidents; retaining network logs for at least six months; undertaking prescribed data classification, back up, encryption and similar activities; complying with national and mandatory security standards; reporting incidents to users and the authorities; and establishing complaints systems.

Network operators must also provide technical support and assistance to state security bodies safeguarding national security and investigating crimes, and will be subject to government and public supervision. The form and extent of such cooperation is not currently clear, and international businesses have expressed concerns over the extent to which this may require them to disclose their IP, proprietary and confidential information to the Chinese authorities.

More general conditions on network operators carrying out business and service activities include obeying all laws and regulations, mandatory and industry national standards, social norms and commercial ethics, being honest and credible, and bearing social responsibility. There are also requirements on network operators to block, delete and report to the authorities prohibited information and malicious programs published or installed by users.

Network operators handling "network access and domain registration services" for users, including mobile phone and instant message service providers, are required to comply with "real identity" rules when signing up or providing service confirmation to users, or else may not provide the service.

Additional security safeguards apply to KIIOs, including security background checks on key managers, staff training obligations, disaster recovery back ups, emergency response planning, and annual inspections and assessments. Further, strict procurement procedures will apply to KIIOs buying network products and services.

Providers of "network products and services" must comply with national and mandatory standards; their products and services must not contain malicious programs; they must take remedial action against security issues and report them to users and relevant authorities; and they must provide security maintenance for their products and services, which cannot be terminated within the contract term agreed with customers. These new conditions will require providers of technology products and services to review and update their product and related maintenance offerings, and in particular the contractual terms on which they are offered to customers.

Critical network equipment and specialised cybersecurity products must obtain government certification or meet prescribed safety inspection requirements before being sold or provided. This potentially catches a wide range of software, hardware and other technologies being sold – or proposed to be sold – by international companies in China, since the definitions used in the law are drafted very broadly. Further guidance by way of a catalogue of key network products is expected in due course. There are concerns that this may create barriers to international businesses looking to enter the Chinese market.
Each individual and organisation shall be responsible for its own use of websites, and may not set up websites or communication groups for the purpose of committing fraud, imparting criminal methods, producing or selling prohibited items, or engaging in other unlawful activities. Again, there is scope for this to be interpreted and applied broadly.

Institutions, organisations and individuals outside China that cause serious consequences by attacking, interfering with or destroying key information infrastructure of China shall be responsible for any damage, and the relevant public security department of the State Council may freeze assets and impose other sanctions against them. While these provisions would appear to have an extra-territorial effect and could be interpreted very broadly, it is unclear what sanctions could in practice be enforced against organisations without a presence in China.

Other new rules relate to network/online protections for minors; the establishment of schemes for network security monitoring, early warning and breach notification to relevant authorities and the public, as well as rights for individuals and organisations to report conduct endangering network security; opening of public data resources; and prohibitions on hacking and supporting activities.

While criminal sanctions, administrative penalties and civil liabilities potentially await those (both organisations and, in some circumstances, individual employees and officers) who violate the new law, unfortunately great uncertainties remain as to how the new legislation will be enforced, who exactly is caught by the various new rules, and the precise steps that organisations must take to comply with them. It is hoped that the Chinese authorities will publish more detailed practical guidance in the coming months. In the meantime, organisations are strongly advised to review their data privacy and cybersecurity practices in China to ensure compliance with the new law before it comes into force on 1 June 2017, and to keep these under review as further guidance becomes available.
STRICTER PRC ONLINE ADVERTISING REGULATION IN RESPONSE TO SEARCH SCANDAL
By Edward Chatterton, Partner (Hong Kong), Horace Lam, Partner (Beijing), and Ian Jebbit, Registered Foreign Lawyer (Hong Kong)

The China State Administration of Industry and Commerce's Online Advertising Regulation (Regulation) came into force on September 1, 2016. The Regulation has been widely regarded as the response to a recent scandal regarding paid search results.

Earlier this year, a promising college student in China, Wei Ze Xi, sought cancer treatment at a hospital which was returned as a paid search result on an internet search engine. The hospital promised that the treatment would be effective and charged Wei US$30,000. The treatment was later found to be ineffective, but Wei could not then afford further

The changes

The newly amended Advertising Law did not expressly address the regulation of 'paid search results', but the new Regulation includes a specific definition of paid search results, which sees them classified as an internet advertisement and thus subject to the Advertising Law. As such, the Regulation means, inter alia, that paid search results:

must not be misleading;
cannot be used in relation to the advertisement of prescription medication and tobacco products;
cannot be used in relation to the advertisement of medical services, medicine, medical formula food, medical devices, pesticides, veterinary medicines and health care products, unless the relevant products and services have been previously approved by the relevant authorities; and
must be able to be closed with 'one click' and must not interfere with a user's internet experience.

The Regulation also requires online advertising service providers to establish internal systems for, inter alia, identifying clients who use paid search results and storing their details and advertisements.

Practical implications

The new Regulation affects not only search engine providers, but all online advertising businesses and users of paid search results.

Businesses advertising in China using paid search results must check to ensure such paid search results are in compliance with the Advertising Law, and those businesses operating in any of the restricted fields listed above must now ensure prior approval is sought before placing a paid search result advertisement.

Our team of lawyers in China is ready to advise you on the preparations you need to make for the implementation of the Regulation.
MOBILE APPS UNDER CLOSE WATCH OF THE HONG KONG PRIVACY COMMISSIONER
By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong)

The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps. On 21 April 2016, the Office of the Privacy Commissioner for Personal Data (the PCPD) held the 'Mobile App Development Forum on Privacy and Security' (Forum) for the mobile app industry, which discussed key issues for mobile app developers, businesses and stakeholders to consider when developing and operating mobile apps, in terms of ensuring compliance with the provisions of the Personal Data (Privacy) Ordinance and safeguarding users from cybersecurity risks.

Businesses operating in the mobile app industry and related stakeholders are advised to take note of the below key points raised at the Forum and related issues that they should consider.

Lessons to learn from mobile apps in the market

The Privacy Commissioner highlighted the results of a recent survey on popular mobile apps developed by Hong Kong entities, which revealed a lack of transparency of the personal data handling in relation to the apps. The survey results revealed that most of these local apps did not explain clearly what data they would access and the purposes for such access, and that only around half of these mobile apps provided a privacy policy.

A key risk discussed at the Forum was that the drafter of the privacy policies may not have a complete understanding of what data is in fact collected, stored, used and/or shared by the app, for example in the case of using third party code in the app development. Businesses using the one privacy policy for all of their mobile apps, which differ greatly in the way users' data are handled, also run the risk of having imprecise privacy policies for individual apps.

Security remains a key concern in relation to personal data collected and handled by mobile apps. It was revealed at the Forum that, alarmingly, some extremely popular mobile apps failed to apply adequate security to safeguard users' personal data.

Enforcement risks for mobile apps

At the Forum, the Privacy Commissioner referred to enforcement actions that were taken against mobile apps recently, largely due to excessive data collection and inadequate security of personal data.

In recent years, the Privacy Commissioner has served enforcement notices on operators of mobile apps as well as related parties to the app operators. As a result, the relevant companies have taken corrective actions, and in some instances the Privacy Commissioner's enforcement action attracted much media attention, and some of these mobile apps are no longer available in the market.

However, there is a limit to the Privacy Commissioner's enforcement powers, as demonstrated by a high profile incident in November 2016 regarding call-blocking apps whose activities were suspected by the PCPD to contravene Hong Kong's data privacy law. As the apps' operators were located outside Hong Kong, the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow up action.

It is most likely that the privacy compliance of mobile apps will continue to be under the close watch of the Privacy Commissioner in the coming months.

Privacy by Design

The Chief Personal Data Officer of the PCPD, Dr Henry Chang, highlighted the 'Privacy by Design' approach that businesses should adopt, which brings privacy to the foreground and embeds privacy from the outset into the design specifications and throughout the entire development life cycle of a mobile app. Set out below are key factors that should be considered.

Data minimisation – The collection of personal data should be reduced to the absolute minimum, especially where sensitive personal data is involved. An assessment of what data the business requires from users, in terms of access and collection, should be undertaken at the outset.

Surprise minimisation – Businesses should ensure there is transparency to users in terms of what data will be collected or accessed, and provide users with a choice to opt out from such access or use where possible. It is important for businesses to manage the expectations of users and eliminate or minimise any possible adverse effects of data collection and use.

Risk minimisation – Businesses must ensure adequate protection of data being transmitted and/or stored, for example through encryption and access control.

Trust and respect – To earn the trust and respect of users, it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects, even if they do not amount to personal data. This is key as mobile devices contain a vast amount of personal data and other data that may be considered private, and users would be concerned about whether the mobile app accesses or collects any of this data.

In particular, businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users, rather than a compliance hurdle to avoid investigation or enforcement action by the Privacy Commissioner. Businesses should ensure the data collection and handling practices in respect of their mobile apps are not only compliant with the law, but that the privacy policies and privacy notifications and consents are sufficiently clear and transparent to gain the trust and respect of users.
SINGAPORE'S ENFORCEMENT OF DATA PROTECTION LAW ON THE RISE
By Scott Thiel, Partner, Carolyn Bigg, Of Counsel, and Amy Kong, Associate (Hong Kong)

Singapore's Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC has published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident with the Monetary Authority of Singapore (MAS) concerning a multinational bank. The PDPC has also recently announced the need for organisations to improve their data security and data protection measures, and has issued new guides, primarily focusing on data protection measures, which organisations should consider carefully.

Recent enforcement decisions

Some of the key points to note from the three recent enforcement decisions:

A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.

A document processing company was fined SGD 5,000 for a data breach after 195 individuals received account statements of other account holders held on the Singapore Exchange.

A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (being the policy holder's chiropractor) to obtain further medical information about the policy holder in September 2015. The PDPC found that the disclosure of the policy holder's bank account details, being of a sensitive financial nature, was not for a reasonable purpose.

It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of 'sensitive personal data' which requires additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.

As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were a result of inadequate data security measures which led to unauthorised disclosure of personal data.

Investigation on a multinational bank's data disposal incident

The PDPC and the MAS have joined forces in an investigation against a multinational bank (Bank) following a recent report relating to the Bank's disposal of client documents. In June 2016, it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank's headquarters in Singapore.

The MAS is working closely with the PDPC to review the incident and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers' data.

New guides issued by the PDPC

To accompany its recent media release urging organisations to improve their data security measures, and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, securing personal data in electronic medium, and building websites for small to medium enterprises.

The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding content on withdrawal of consent and access requests. Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing their data handling practices.

Some interesting issues to note

The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third party contracts. Such data protection clauses should contain specific security measures, a schedule containing the authorised personnel who are permitted to access the personal data on a 'need to know' basis, a requirement for a written undertaking about return or deletion of personal data, as well as a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.

The PDPC's guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).

This article was first published in August 2016. For further updates in relation to Singapore's data protection laws, please contact Scott Thiel (scott.thiel@dlapiper.com) or Carolyn Bigg (carolyn.bigg@dlapiper.com).
AUSTRALIA – TRADE MARKS – CHANGES TO OFFICIAL FEES

The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees, some of which are to align with practices in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.

Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there will no longer be a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptance/registration, the new process will hopefully reduce the administrative burden on applicants somewhat.

In addition, the AU$150 fee for opposing a removal application will be abolished. Renewal fees will also increase slightly.

This is an adjustment to official fees only at this time, and DLA Piper Australia is not increasing its fees for the relevant attendances.
HONG KONG'S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD

Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong's Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees are using their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap 486) (the Ordinance) and the Data Protection Principles (DPPs).

The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices which differ depending on whether or not the organisation's data is stored on the personal devices or within a 'sandbox'. The Commissioner has suggested as best practice that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance.

The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding use of personal data stored in the BYOD device, and whether adequate security measures are in place to ensure secure transfer and storage of personal data in the BYOD equipment (eg sandboxing, password protection and independent encryption).

The Information Leaflet also highlights that respect for personal data should be mutual under the BYOD scheme, and any practices implemented to manage employees' BYOD devices should respect the employees' private information.

For more information, the Information Leaflet is available here.

DLA Piper's Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more, please click here.
JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS

In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.

Where the supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, in order to seek a remedy (for example, damages) the supplier must follow the approach prescribed in the Bill. This is likely to be a two-step process. Firstly, the supplier must attempt to resolve the complaint with the procuring entity. Secondly, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.

The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year.
IPT INSIGHTS
WHAT'S ON
Wrap up: 5th Global Technology Summit

On September 27 and 28, DLA Piper's Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.

This year, the Summit was divided into two distinct days of programming. The first day, which was called 'Garage2Global', was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from 'garage to global'. The second day, which was entitled 'TechLaw', provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.

Speaker Highlights

At 'Garage2Global', Alec Ross, Former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day, Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world's largest networks, which powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates, Inc.

Kicking off 'TechLaw', Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions, and how the legal department is viewed as a business partner. During the afternoon sessions, Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, to discuss the GC's role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world's largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.

Please visit our Summit website and blog for any further information.
DLA Piper is pleased to announce the launch of Telecommunications Laws of the World

Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.

Key features include:

telecommunications laws, regulations and policies
regulatory bodies or authorities
overview of consents, licenses and authorisations
regulatory taxes and fees
key sanctions and penalties

Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-based stamping for trading transactions, robust, reliable and resilient networks are critical.

Today, telecommunications operators are increasingly seeking to expand customer-specific and value added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion. At the same time, the growth of OTT (over the top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators' infrastructure to provide services.

Access Telecommunications Laws of the World here.
Intellectual property webinar series
Throughout 2016, DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact eventsaustralia@dlapiper.com.
intellectual property issues in China
confidential information and trade secrets: global insights, global protection
grey market, parallel importation and anti-counterfeiting
content protection and digital piracy
advertising and marketing
Pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide
We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.
Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:
trademark filing and prosecution
oppositions
revocation, invalidation and cancellation
trademark enforcement
trademark exploitation
unregistered trademark rights
domain and company name disputes
To pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide, email APACTMGuide@dlapiper.com.
Are you an in-house lawyer? Join WIN today
WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.
26 | Intellectual Property and Technology News
DLA PIPER ASIA PACIFIC TRADEMARK GUIDE 2016
Pre-order your complimentary copy now
We are pleased to bring you the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.
Relevant for the complete brand life cycle, this user-friendly guide looks at such essential issues as:
trademark filing and prosecution
oppositions
revocation, invalidation and cancellation
trademark enforcement
trademark exploitation
unregistered trademark rights
domain and company name disputes
To pre-order your copy of the inaugural edition of DLA Piper's Asia Pacific Trademark Guide, please complete this card or email us at APACTMGuide@dlapiper.com.
GLOBAL PATENT LAWS AROUND THE WORLD
COMING SOON
Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to businesses operating in the countries featured: for example, what acts infringe a patent, the availability of and approach to granting preliminary injunctions, the ability to obtain evidence, the approach to assessing validity and the typical time to trial. For companies operating in multiple countries, managing the risk of, and successfully bringing or defending, patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those in other countries.
DLA PIPER'S PATENT GROUP
With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.
For further information, please contact us by email at patents@dlapiper.com.
Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and the procedural matters businesses need to know about. The handbook includes guidance on:
infringing conduct
defences to infringement
before taking action
patent validity
taking action
remedies
procedure & timing
Benefits of Global Patent Laws: patent laws simply put; global reach; easy access 24/7.
Beyond compliance, there is the opportunity to leverage investment in cyber security and data protection to deliver competitive advantage, especially following the Panama Papers leak, which threw the issue into sharp relief.
Organisations pitching for work, responding to tenders or planning an IPO may find it an advantage to be able to reference a comprehensive, even audited, data collection, storage and use strategy, along with a well-constructed and rehearsed cyber security plan. That plan should leverage technology solutions and services such as encryption, penetration testing and employee education, along with an appropriate insurance framework to mitigate and transfer the risk of financial consequences associated with a breach.
In the event of a breach, this also streamlines discussions with regulators. An enterprise able to identify where its data is stored (whether on premises or in the cloud), and also to reference the technologies, policies and procedures in place to protect that data, should then be able to identify where the plan proved lacking in the event of a breach and provide a voluntary undertaking to the regulator to fix that issue.
"Institutional awareness of how systems hang together will speed root problem analysis and rectification," says Thiel.
Cyber rules around the region
Australia: the arrival of a new Privacy Amendment Bill and mandatory data breach notification for serious breaches is expected to be a game changer.
China: racing ahead in terms of regulations, and has a security draft law which will have significant implications for international companies operating in the PRC.
Hong Kong: specific and stringent security requirements. While there are no data breach notification rules, these are expected in 12–18 months. The first person to be jailed for a privacy breach was a Hong Kong based insurance broker.
Singapore: legislation in place for over two years, and more meaningful enforcement is anticipated, while regulations are expected to evolve, particularly for foreign enterprises.
Japan: a mix of regulations impacting various industries, but a strong culture of compliance, meaning the level of enforcement is low because of fear of reputational damage.
South Korea: a long tradition of privacy and security law and robust enforcement with serious enterprise consequences.
Thailand: some constitutional requirements but no breach notification.
In the event of a breach…
1. Refer to the data breach response plan
2. Call lawyers to preserve privilege
3. Involve communications and PR team
4. Alert insurers to the breach
5. Seek advice from lawyers and insurers regarding extortion (ransomware) attempts before any payments
6. Engage incident response team to analyse breach and remediate
Access DLA Piper's Cyber incident/data breach response: Your emergency checklist here: https://www.dlapiper.com/en/australia/insights/publications/2015/04/cyber-data-breach-checklist
Assessing the technology/insurance inflexion point
Technology and education are the first frontier of data protection and cyber security. Investing in a spread of security technologies such as firewalls, encryption, system monitoring, vulnerability assessments and penetration testing, along with effective employee education programmes to ensure staff understand how to avoid spear phishing or ransomware attacks, is essential for any organisation.
There is, however, a point at which additional investment in security offers diminishing value. At this inflexion point, an organisation needs to refocus its investment attention toward cyber risk insurance.
Tim Fitzgerald, Chief Security Officer and VP at Symantec, explains that exactly when an organisation reaches that inflexion point will vary, and will also be impacted by the scale of an organisation's data collection, its reliance on cloud computing services, its deployment of Internet of Things devices, and the mobility of its workforce and user base.
He recommends that organisations conduct a cyber risk assessment, analyse the data stores held, assess by whom and why they may be targeted, and then develop a security strategy based on that insight. The board and senior managers need to be apprised of the security risk and strategy and, through gap analysis, determine the need for cyber insurance, understanding that conventional corporate insurance policies are unlikely to properly protect an organisation in the event of a cyber-attack.
A data breach response plan, which can be informed by the Office of the Australian Information Commissioner's guidelines (https://www.oaic.gov.au/resources/agencies-and-organisations/guides/data-breach-notification-guide-august-2014.pdf), ensures that, should a cyber-attack occur, the organisation and staff understand their responsibilities. A comprehensive response plan also demonstrates good governance to business partners, investors and regulators.
However, any cyber response plan must remain a living document and needs regular review, ensuring that current regulatory requirements are acknowledged.
In addition, any personnel with responsibilities under that plan must be properly trained to act swiftly in the event of a breach. The plan should also identify any third party support services required should an attack occur, allowing engagement contracts to be negotiated well in advance.
Organisations attacked once are three times more likely to be attacked again – Symantec
45x more cyber ransom events year on year – Symantec
Digital transformation and the impact of insurance
Once an organisation has deployed robust technology defences, educated staff about the risks of cyber-attack and promulgated policies about how to react and respond to cyber events, it has laid important foundations for its protection.
Those people, process and technology foundations provide a platform from which the organisation is able to negotiate appropriate and cost-effective cyber insurance.
By analysing the potential impact of an attack on the financial statement, the organisation can determine what coverage it requires.
Kevin Kalinich, Aon's global cyber practice leader, advises organisations to look at the industry in which they operate and benchmark the range of losses that could arise, knowing the value of data assets held and the impact of a cyber-attack in terms of business interruption, the impact on supply chains, on SCADA industrial control systems, and on reputation and brand.
The anticipated introduction of mandated data breach notification should spur action, and organisations with international operations need to ensure that they are properly protected in all the geographies in which they operate. Based on international experience, mandated breach notification leads to significant costs associated with legal services, regulator notification, customer notification, forensics, remediation and potentially compensation claims.
"Take steps to mitigate, to allocate liability or minimise your own liability. This is not all about prevention – it is about your response. If you have prepared a response, there is data that shows you can reduce the total cost of an incident," says Kalinich.
He also warns that organisations should not assume that their existing insurance policies provide any coverage in the event of a cyber-attack, nor that a third party information systems provider, such as a cloud computing vendor, would have them covered. Similarly, existing directors and officers policies and professional indemnity coverage might prove inadequate should a cyber-attack take place.
In order to properly analyse the risk profile, Kalinich advocates risk quantification modelling in combination with Monte Carlo evaluation techniques. The resulting macro-level understanding of the challenge allows an organisation to then work with an insurance broker to craft appropriate risk coverage.
Off-the-shelf policies have limited value. Base cyber insurance policies can cover external hacks, malicious code and internal mistakes – but may not cover the impact of a bug in the system. Consequential – punitive, incidental – costs are excluded from all base insurance policies, as is tangible property damage, but these can be negotiated in a customised policy.
Effective cyber insurance policies also cover costs associated with legal support, communications costs, forensic analysis, notification and remediation services.
Kalinich warns, however, that given the changes in the legal landscape and the technology terrain, this is not a set-and-forget requirement, noting that risk assessment needs to be both thorough and regular.
Armed with that insight, the organisation can work with an insurance broker to find, tailor and stress test a cyber insurance policy to ensure the effective reduction of enterprise risk.
Cyber risk: are you properly prepared?
There are four key questions that every organisation needs to address regarding cyber risk and protection:
What can go wrong?
How bad can it be?
How am I protected?
Will my insurance work?
Assessing the organisational risk profile requires input from multiple stakeholders, including the chief financial officer, chief information security officer, risk management head and legal counsel. External consultants can also provide a fresh lens through which to explore exposure.
Knowing the risk is one thing – dealing with it effectively also demands the support of the most senior management and board. Effective security requires a whole-organisation commitment from the top down.
The anticipated mandatory breach notification legislation will require organisations to alert authorities not only when they are aware of a breach but when those organisations "ought reasonably to have been aware", which suggests regulators may penalise companies found to have inadequate security systems. It is also not yet clear whether there will be any extra-territorial implications of the legislation for organisations operating overseas branches or subsidiaries.
Cyber security is a critical issue for organisations of every scale and in every sector. Robust and comprehensive security frameworks, a well-crafted response plan and effective cyber insurance, developed in concert and reviewed regularly, deliver the maximum protection and an important competitive edge.
UNFAIR CONTRACT TERMS IN THE IT SPACE
WHAT YOU NEED TO KNOW
Sarah Dolan, Senior Associate (Melbourne); Stephanie Tran, Graduate (Melbourne)
The 'one size fits all' approach to contracting is a common feature within the IT industry. Standard form contracts are an efficient and cost-effective method of doing business and are often used for online terms of use and projects which are of low risk, value and/or complexity.
From 12 November 2016, the unfair contract terms regime in the Australian Consumer Law, which until then only applied to individual consumers, was extended to contracts where at least one party is a "small business" and the upfront price payable is $300,000 (or $1 million if the contract is for a term longer than 12 months). A "small business" is a business that employs less than 20 people. It will also apply to contracts which are varied after 12 November 2016.
What is an "unfair" contract term?
Whether a term is "unfair" is decided by a court or tribunal. A term is "unfair" if the following three criteria are satisfied:
it causes a significant imbalance in the parties' rights and obligations under the contract;
it is not reasonably necessary to protect the legitimate interest of the party who would be advantaged by the term; and
it would cause detriment (whether financial or otherwise) to a party if the term were relied upon.
A court or tribunal, in determining whether a term is unfair, must assess the transparency of the term. This includes an assessment of how the term is expressed: is it in plain language, and is it presented clearly? The court or tribunal must also consider the term in light of the contract as a whole and not in isolation.
Unfair terms in standard form contracts
Examples of standard form contract terms that may be challenged in court or at a tribunal for "unfairness" include:
terms requiring the customer to indemnify the supplier for any damage caused, even if it is caused by the supplier's own negligence;
terms that allow a supplier to cancel a contract at will for an inconsequential breach of contract by the customer;
terms that restrict a customer from obtaining a refund or exercising a termination right where the supplier has failed to meet its obligations under the contract; and
terms that provide for automatic renewal without the customer's consent.
What does this mean for your business?
Where a supplier's business model is directed at providing services to small to medium enterprises (SMEs), and the supplier has not had to address this issue in the past for "consumer" customers, it is likely to be impacted by this extension of the unfair contract terms regime. Standard form contracts (e.g. online terms of use, confidentiality agreements, software licences, support agreements, supply and/or services contracts) for SME customers should be reviewed to determine whether any of the terms may be considered "unfair".
If a court determines that a term is "unfair", it can make a range of orders, including declaring part or all of the contract void and/or varying the contract. If a court orders a contract to be varied, this may result in the supplier being unable to enforce other rights it may otherwise have, either under the contract itself or at law.
Additionally, customers which are small businesses may challenge contract terms that they consider are unfair to prevent a supplier from enforcing express rights under the contract. Such challenges will cost a supplier both time and money to address, even if it is able to successfully defend the claim. In addition, in this day of instant and free customer feedback on social media sites, there is also the risk of reputational damage in the market.
Suppliers should ensure their standard terms are appropriate for the type, size and nature of both the target customer and the goods and services being provided, with an appropriate balance of risk and responsibility between the parties.
INSURTECH
Carolyn Bigg, Of Counsel (Hong Kong)
Sarah Fountain, Senior Associate (Melbourne)
The customer experience of insurance has largely remained the same for many years. A customer completes a proposal form (normally in hard copy) and submits it to the broker; the broker requests quotes from insurers; insurers provide quotes; the broker places a policy; the policy is issued (normally on an annual basis); and then the customer probably gives no further thought to it unless he or she needs to make a claim. This process does not fit well with the digital era we now live in and has not adapted quickly enough to meet changing consumer expectations, largely driven by millennials.
Insurers widely recognise the need to innovate. Despite this, most insurers have been slow to change their ways, with less than a quarter giving customers the option to submit claims online. This signals huge opportunities for those in the insurance sector, which explains the huge growth we are seeing in 'insurtech' (a word that was barely known a few years ago but now seems to be everywhere). Globally, investment in insurtech increased from US$800 million in 2014 to US$2.6 billion in 2015, and was US$1 billion in the first half of 2016.
Across Asia Pacific there are numerous examples of insurers embracing insurtech. Some insurers have opened innovation labs or incubators, such as MetLife's LumenLabs in Singapore. Others have established corporate VC funds to invest in insurtech startups that will drive value for the business. For example, Suncorp recently invested in Trov, an app that allows customers to turn insurance on and off by swiping right or left on their phones. We have also seen collaboration between insurers and car manufacturers to make available one-click, single-use motor vehicle policies in connected cars, as well as collaboration between insurers and technology companies. Another indicator of the opportunities in insurtech is the level of interest shown in the insurance market by leading players in other markets. For example, earlier this year China Mobile announced it is planning to enter the insurance market by making significant investments in two insurance companies.
These initiatives are already starting to have an impact on the insurance experience. The use of drones by insurance companies to assess property damage is reducing claims costs and the time taken to assess claims. The implementation of wearable technology in the workplace, such as smart glasses and smart hats, is increasing workplace safety and thereby reducing the risk of injuries. The use of wearable devices has also been adopted by health insurers and life insurers, enabling them to capture data and potentially pass on lower premiums to policy holders. In the future, we predict the most significant areas of growth and change in insurtech will be data analytics, wearables and IoT, blockchain and artificial intelligence.
Whilst regulators understandably adopt a cautious approach, they are taking steps to encourage fintech and insurtech initiatives. The Monetary Authority of Singapore very recently published guidelines for a 'regulatory sandbox' to encourage growth in fintech within a relaxed regulatory environment. This follows the announcement by the Australian Securities & Investments Commission of a sandbox for fintech businesses.
As the insurance sector becomes increasingly digitised, cybersecurity risks also increase. Regulators around the region have published new and updated guidance that is relevant to the increasingly sophisticated cybersecurity threats. It is important that insurers' compliance and risk teams focus not only on the immediate cybersecurity compliance obligations arising from the latest regulations, but also ensure that cybersecurity compliance programmes are developed to take into account increasing reliance on technology and data at the core of their operations.
As technology continues to evolve and improve, insurtech opportunities will increase. Although the rise of insurtech has been rapid in recent years, it is still in its infancy. This presents significant opportunities for insurers who adapt to changing consumer expectations and invest in insurtech, especially in Asia, where many people are uninsured but are well connected and spend a lot of time online via their mobile devices. Adapting quickly to this dynamic landscape will enable insurers to remain competitive.
In October 2016, the Federal Government introduced the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill) to the House of Representatives to amend the Privacy Act to establish a regime for mandatory notification of eligible data breaches. There is bipartisan support for the Bill, and it is likely to become law in late 2016 or early 2017.
What are the mandatory data breach notification requirements under the Bill?
The Bill requires that an entity must, as soon as practicable, comply with the notification steps outlined below if:
the entity becomes aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity; or
the Information Commissioner directs the entity to do so.
If an 'eligible data breach' occurs in relation to information which has been disclosed to (and is held by) an overseas recipient by an entity, the entity that disclosed the information must comply.
Step 1: Prepare a statement setting out the prescribed details
The affected entity must prepare a statement that sets out:
the identity and contact details of the entity. If the eligible data breach relates to more than one entity, the statement may set out the identity and contact details of those other entities;
a description of the eligible data breach;
the kind or kinds of information affected by the eligible data breach; and
recommendations about the steps that individuals who are or may be affected by the eligible data breach should take in response to it.
If a statement is prepared at the direction of the Information Commissioner, the statement must also include any information specified in that direction.
Step 2: Give a copy of the prepared statement to the Information Commissioner
Step 3: Notify the contents of the statement to individuals whose information is affected by the eligible data breach
Where practicable, the affected entity must take reasonable steps to notify the contents of the statement to those individuals who are or may be affected by the eligible data breach. The entity may use the channels it ordinarily uses to communicate with individuals (e.g. email, text message, mail) to provide those notifications, but that does not limit the obligation to take reasonable steps or the methods of communication that the entity can use.
If it is not practicable for the affected entity to notify individuals, the affected entity must publish a copy of the statement on its website (if any) and take reasonable steps to publicise the contents of the statement.
PROPOSED AUSTRALIAN MANDATORY DATA BREACH NOTIFICATION REGIME
By Nicholas Boyle, Senior Associate (Sydney)
What are 'eligible data breaches'?
An 'eligible data breach' occurs when:
there is unauthorised access to, or unauthorised disclosure of, personal, credit reporting or credit eligibility information or a tax file number, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates; or
personal, credit reporting or credit eligibility information or a tax file number is lost, where it is likely that (a) unauthorised access to or unauthorised disclosure of the information will occur and (b) such unauthorised access or disclosure will result in serious harm to an individual to whom the information relates.
Remedial action exception to the definition of eligible data breaches
An eligible data breach is deemed never to have occurred where the affected entity:
in the case of lost information, takes action before there is unauthorised access to or unauthorised disclosure of the information which is lost, and no unauthorised access or disclosure actually occurs; or
in the case of information which is the subject of unauthorised access or disclosure, takes action before there is serious harm to any individual to whom the information relates and, because of that action, a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals.
What is 'serious harm'?
'Serious harm' is to be interpreted broadly. The explanatory memorandum to the Bill states that 'serious harm' could include serious physical, psychological, emotional, economic and financial harm, and serious harm to reputation.
The Bill contains a non-exhaustive list of matters to be considered in determining whether or not access to or disclosure of information is likely to result in "serious harm". These matters include:
the kind(s) and sensitivity of the information;
whether the information is protected by one or more security measures, and the likelihood of any of these measures being overcome;
the persons, or the kinds of persons, who have obtained or who could obtain the information;
the nature of the harm.
Exceptions
There are a small number of circumstances in which entities are exempted from complying with the notification obligations:
Multiple affected entities: where the eligible data breach affects more than one entity and another entity has complied with the notification obligations, those other affected entities do not need to separately comply.
Enforcement related activities: where the affected entity is an enforcement body and the body's CEO reasonably believes that complying with the notification obligations is likely to prejudice any of its enforcement related activities.
Inconsistency with a secrecy provision: where complying with the notification obligations is to any extent inconsistent with a provision of a law of the Commonwealth that prohibits or regulates the use or disclosure of information.
Declaration by the Commissioner: where the Information Commissioner declares that the notification obligations do not apply, or specifies a particular time by which the affected entity must comply with the notification obligations.
Assessment of suspected eligible data breaches
If an entity has reasonable grounds to suspect an eligible data breach may have occurred, but is not aware of reasonable grounds to believe that an eligible data breach has in fact occurred, the entity must carry out a reasonable and prompt assessment to determine whether an eligible data breach has in fact occurred. This could occur where an entity is notified of a breach by a third party.
The entity must take reasonable steps to complete the assessment within 30 days after forming the suspicion.
If the eligible data breach applies to more than one entity, only one entity needs to undertake an assessment for all entities to comply with this requirement.
After a third deliberation the Chinese government passed the new PRC cybersecurity law on 7 November 2016 The new law will come into force on 1 June 2017 and has significant implications for the data privacy and cybersecurity practices of both Chinese companies and international organisations doing business in China
The new PRC cybersecurity law intends to combat online fraud and protect China against internet security risks In short it imposes new security and data protection obligations on ldquonetwork operatorsrdquo puts restrictions on transfers of data outside China by ldquokey information infrastructure operatorsrdquo and introduces new restrictions on critical network and cybersecurity products
The new law has been widely reported in both the local and international press While Chinese officials maintain that China is not closing the door on foreign companies with the introduction of this new law there has been widespread international unease since the first reading Commentators have expressed concern that competition will be stifled regarding the handover of intellectual property source codes and security keys to the Chinese government as to perceived increased surveillance and controls over the internet in China and in relation to the data localisation requirements Other new obligations including increased personal data protections have been less controversial but are a clear indicator of the increased focus within the Chinese authorities on data protection and could signal a change to the data protection enforcement environment in China
Some of the key provisions of the final law (which contains some changes to earlier drafts of the law) include (inter alia)
Chinese citizenrsquos personal information and ldquoimportant datardquo gathered and produced by ldquokey information infrastructure operatorsrdquo (KIIO) during operations in China must be kept within the borders of the PRC If it is ldquonecessaryrdquo for the KIIO to transfer such data outside of China a security assessment must be conducted pursuant to the measures jointly formulated by the National Cyberspace Administration and State Council unless other PRC laws
permit the overseas transfer While the final version of the law provides some guidance as to the industry fields that will be ascribed greater protection such as public communications and information service energy transportation water conservancy finance public service and e-government the definition of KIIO remains vague and could potentially be interpreted to cover a broader range of companies and industry sectors ldquoPersonal informationrdquo is defined as including all kinds of information recorded electronically or through other means that taken alone or together with other information is sufficient to identify a natural personrsquos identity including but not limited to natural personsrsquo full names birth dates identification numbers personal biometric information addresses telephone numbers and so forth However the types of information that might constitute ldquoimportant datardquo is currently unclear In any case these data localisation rules are likely to create practical issues for international businesses operating in China
A range of new obligations apply to organisations that are "network operators" (ie network owners, network administrators and network service providers). A "network" means any system comprising computers or other information terminals and related equipment for the collection, storage, transmission, exchange and processing of information. Some commentators are suggesting that these broad definitions could catch any business that owns and operates IT networks/infrastructure, or even just websites, in China.
In terms of data protection, network operators must make publicly available data privacy notices (explicitly stating the purposes, means and scope of personal information to be collected and used) and obtain individuals' consent when collecting, using and disclosing their personal information. Network operators must adopt technical measures to ensure the security of personal information against loss, destruction or leaks and, in the event of a data security breach, must take immediate remedial action and promptly notify users and the relevant authorities. They must also comply with principles of legality, propriety and necessity in their data handling and not be excessive, not provide an individual's personal information to others without the individual's consent, nor illegally sell an individual's personal data to others. The rules do not apply to truly anonymised data. There are also general obligations to keep user information confidential and to establish and maintain data protection systems. Data subject rights to correction of their data, as well as a right to request deletion of data in the event of a data breach, are also provided. While an earlier draft specifically provided protection to personal information of "citizens", the final law does not make this distinction and so seemingly offers a broader protection to all personal information. These requirements formalise as binding legal obligations some data protection safeguards that were previously only perceived as best practice guidance in China.
16 | Intellectual Property and Technology News
SIGNIFICANT CHANGES TO DATA AND CYBERSECURITY PRACTICES IN CHINA
By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong), and Paula Cao, Associate (Beijing)
As regards network security, network operators must fulfil certain tiered security obligations according to the requirements of the classified protection system for cybersecurity, which includes (amongst other things): formulating internal security management systems and operating instructions; appointing dedicated cybersecurity personnel; taking technological measures to prevent computer viruses and other similar threats and attacks, and formulating plans to monitor and respond to network security incidents; retaining network logs for at least six months; undertaking prescribed data classification, back up, encryption and similar activities; complying with national and mandatory security standards; reporting incidents to users and the authorities; and establishing complaints systems.
Network operators must also provide technical support and assistance to state security bodies safeguarding national security and investigating crimes, and will be subject to government and public supervision. The form and extent of such cooperation is not currently clear, and international businesses have expressed concerns over the extent to which this may require them to disclose their IP, proprietary and confidential information to the Chinese authorities.
More general conditions on network operators carrying out business and service activities include obeying all laws and regulations, mandatory and industry national standards, social norms and commercial ethics, being honest and credible, and bearing social responsibility. There are also requirements on network operators to block, delete and report to the authorities prohibited information and malicious programs published or installed by users.
Network operators handling "network access and domain registration services" for users, including mobile phone and instant message service providers, are required to comply with "real identity" rules when signing up or providing service confirmation to users, or else may not provide the service.
Additional security safeguards apply to KIIOs, including security background checks on key managers, staff training obligations, disaster recovery back ups, emergency response planning, and annual inspections and assessments. Further, strict procurement procedures will apply to KIIOs buying network products and services.
Providers of "network products and services" must comply with national and mandatory standards; their products and services must not contain malicious programs; they must take remedial action against security issues and report them to users and relevant authorities; and they must provide security maintenance for their products and services, which cannot be terminated within the contract term agreed with customers. These new conditions will require providers of technology products and services to review and update their product and related maintenance offerings and, in particular, the contractual terms on which they are offered to customers.
Critical network equipment and specialised cybersecurity products must obtain government certification or meet prescribed safety inspection requirements before being sold or provided. This potentially catches a wide range of software, hardware and other technologies being sold, or proposed to be sold, by international companies in China, since the definitions used in the law are drafted very broadly. Further guidance by way of a catalogue of key network products is expected in due course. There are concerns that this may create barriers to international businesses looking to enter the Chinese market.
www.dlapiper.com | 17
Each individual and organisation shall be responsible for its own use of websites and may not set up websites or communication groups for the purpose of committing fraud, imparting criminal methods, producing or selling prohibited items, or engaging in other unlawful activities. Again, there is scope for this to be interpreted and applied broadly.
Institutions, organisations and individuals outside China that cause serious consequences by attacking, interfering with or destroying key information infrastructure of China shall be responsible for any damage, and the relevant public security department of the State Council may freeze assets and impose other sanctions against them. While these provisions would appear to have an extra-territorial effect and could be interpreted very broadly, it is unclear what sanctions could in practice be enforced against organisations without a presence in China.
Other new rules relate to network/online protections for minors; the establishment of schemes for network security monitoring, early warning and breach notification to relevant authorities and the public; rights for individuals and organisations to report conduct endangering network security; the opening of public data resources; and prohibitions on hacking and supporting activities.
While criminal sanctions, administrative penalties and civil liabilities potentially await those (both organisations and, in some circumstances, individual employees and officers) who violate the new law, unfortunately great uncertainties remain as to how the new legislation will be enforced, who exactly is caught by the various new rules, and the precise steps that organisations must take to comply with them. It is hoped that the Chinese authorities will publish more detailed practical guidance in the coming months. In the meantime, organisations are strongly advised to review their data privacy and cybersecurity practices in China to ensure compliance with the new law before it comes into force on 1 June 2017, and to keep these under review as further guidance becomes available.
The China State Administration of Industry and Commerce's Online Advertising Regulation (Regulation) came into force on September 1, 2016. The Regulation has been widely regarded as the response to a recent scandal regarding paid search results.
Earlier this year a promising college student in China, Wei Ze Xi, sought cancer treatment at a hospital which was returned as a paid search result on an internet search engine. The hospital promised that the treatment would be effective and charged Wei US$30,000. The treatment was later found to be ineffective, but Wei could not then afford further
The changes
The newly amended Advertising Law did not expressly address the regulation of 'paid search results', but the new Regulation includes a specific definition of paid search results which sees them classified as an internet advertisement and thus subject to the Advertising Law. As such, the Regulation means, inter alia, that paid search results:
must not be misleading;
cannot be used in relation to the advertisement of prescription medication and tobacco products;
cannot be used in relation to the advertisement of medical services, medicine, medical formula food, medical devices, pesticides, veterinary medicines and health care products unless the relevant products and services have been previously approved by the relevant authorities; and
must be able to be closed with 'one click' and must not interfere with a user's internet experience.
The Regulation also requires online advertising service providers to establish internal systems for, inter alia, identifying clients who use paid search results and storing their details and advertisements.
Practical implications
The new Regulation affects not only search engine providers but all online advertising businesses and users of paid search results.
Businesses advertising in China using paid search results must check to ensure such paid search results are in compliance with the Advertising Law, and those businesses operating in any of the restricted fields listed above must now ensure prior approval is sought before placing a paid search result advertisement.
Our team of lawyers in China is ready to advise you on the preparations you need to make for the implementation of the Regulation.
STRICTER PRC ONLINE ADVERTISING REGULATION IN RESPONSE TO SEARCH SCANDAL
By Edward Chatterton, Partner (Hong Kong), Horace Lam, Partner (Beijing), Ian Jebbit, Registered Foreign Lawyer (Hong Kong)
MOBILE APPS UNDER CLOSE WATCH OF THE HONG KONG PRIVACY COMMISSIONER
By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong)
The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps. On 21 April 2016, the Office of the Privacy Commissioner for Personal Data (the PCPD) held the 'Mobile App Development Forum on Privacy and Security' (Forum) for the mobile app industry, which discussed key issues for mobile app developers, businesses and stakeholders to consider when developing and operating mobile apps, in terms of ensuring compliance with the provisions of the Personal Data (Privacy) Ordinance and safeguarding users from cybersecurity risks.
Businesses operating in the mobile app industry and related stakeholders are advised to take note of the below key points raised at the Forum and related issues that they should consider.
Lessons to learn from mobile apps in the market
The Privacy Commissioner highlighted the results of a recent survey on popular mobile apps developed by Hong Kong entities, which revealed a lack of transparency of the personal data handling in relation to the apps. The survey results revealed that most of these local apps did not explain clearly what data they would access and the purposes for such access, and that only around half of these mobile apps provided a privacy policy.
A key risk discussed at the Forum was that the drafter of the privacy policies may not have a complete understanding of what data is in fact collected, stored, used and/or shared by the app, for example in the case of using third party code in the app development. Businesses using one privacy policy for all of their mobile apps, which differ greatly in the way users' data are handled, also run the risk of having imprecise privacy policies for individual apps.
Security remains a key concern in relation to personal data collected and handled by mobile apps. It was revealed at the Forum that, alarmingly, some extremely popular mobile apps failed to apply adequate security to safeguard users' personal data.
Enforcement risks for mobile apps
At the Forum, the Privacy Commissioner referred to enforcement actions that were taken against mobile apps recently, largely due to excessive data collection and inadequate security of personal data.
In recent years the Privacy Commissioner has served enforcement notices on operators of mobile apps as well as related parties to the app operators. As a result, the relevant companies have taken corrective actions and, in some instances, the Privacy Commissioner's enforcement action attracted much media attention, and some of these mobile apps are no longer available in the market.
However, there is a limit to the Privacy Commissioner's enforcement powers, as demonstrated by a high profile incident in November 2016 regarding call-blocking apps whose activities were suspected by the PCPD to contravene Hong Kong's data privacy law. As the apps' operators were located outside Hong Kong, the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow up action.
It is most likely that the privacy compliance of mobile apps will continue to be under the close watch of the Privacy Commissioner in the coming months.
Privacy by Design
The Chief Personal Data Officer of the PCPD, Dr Henry Chang, highlighted the 'Privacy by Design' approach that businesses should adopt, which brings privacy to the foreground and embeds privacy from the outset into the design specifications and throughout the entire development life cycle of a mobile app. Set out below are key factors that should be considered.
Data minimisation – The collection of personal data should be reduced to the absolute minimum, especially where sensitive personal data is involved. An assessment of what data the business requires from users, in terms of access and collection, should be undertaken at the outset.
Surprise minimisation – Businesses should ensure there is transparency to users in terms of what data will be collected or accessed, and provide users with a choice to opt out from such access or use where possible. It is important for businesses to manage the expectations of users and eliminate or minimise any possible adverse effects of data collection and use.
Risk minimisation – Businesses must ensure adequate protection of data being transmitted and/or stored, for example through encryption and access control.
Trust and respect – To earn the trust and respect of users, it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects, even if it does not amount to personal data. This is key, as mobile devices contain a vast amount of personal data and other data that may be considered private, and users would be concerned about whether the mobile app accesses or collects any of this data.
In particular, businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users, rather than a compliance hurdle to avoid investigation or enforcement action by the Privacy Commissioner. Businesses should ensure the data collection and handling practices in respect of their mobile apps are not only compliant with the law, but that the privacy policies, privacy notifications and consents are sufficiently clear and transparent to gain the trust and respect of users.
Singapore's Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC has published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident with the Monetary Authority of Singapore (MAS) concerning a multinational bank. The PDPC has also recently announced the need for organisations to improve their data security and data protection measures, and has issued new guides primarily focusing on data protection measures, which organisations should consider carefully.
Recent enforcement decisions
Some of the key points to note from the three recent enforcement decisions:
A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.
A document processing company was fined SGD 5,000 for a data breach after 195 individuals received account statements of other account holders held on the Singapore Exchange.
A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (being the policy holder's chiropractor) to obtain further medical information about the policy holder in September 2015. The PDPC found that the disclosure of the policy holder's bank account details, being of a sensitive financial nature, was not for a reasonable purpose.
It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of 'sensitive personal data' which requires additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.
As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were a result of inadequate data security measures which led to unauthorised disclosure of personal data.
SINGAPORE'S ENFORCEMENT OF DATA PROTECTION LAW ON THE RISE
By Scott Thiel, Partner, Carolyn Bigg, Of Counsel, Amy Kong, Associate (Hong Kong)
Investigation into a multinational bank's data disposal incident
The PDPC and the MAS have joined forces in an investigation against a multinational bank (Bank) following a recent report relating to the Bank's disposal of client documents. In June 2016 it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank's headquarters in Singapore.
The MAS is working closely with the PDPC to review the incident and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers' data.
New guides issued by the PDPC
To accompany its recent media release urging organisations to improve their data security measures, and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, securing personal data in electronic medium, and building websites for small to medium enterprises.
The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding content on withdrawal of consent and access requests. Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing their data handling practices.
Some interesting issues to note
The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third party contracts. Such data protection clauses should contain specific security measures; a schedule containing the authorised personnel who are permitted to access the personal data on a 'need to know' basis; a requirement for a written undertaking about the return or deletion of personal data; as well as a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.
The PDPC's guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).
This article was first published in August 2016. For further updates in relation to Singapore's data protection laws please contact Scott Thiel (scott.thiel@dlapiper.com) or Carolyn Bigg (carolyn.bigg@dlapiper.com).
AUSTRALIA – TRADE MARKS – CHANGES TO OFFICIAL FEES
The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees, some of which are to align with practices in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.
Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there will no longer be a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptance/registration, the new process will hopefully reduce the administrative burden on applicants somewhat.
In addition, the AU$150 fee for opposing a removal application will be abolished. Renewal fees will also increase slightly.
This is an adjustment to official fees only at this time, and DLA Piper Australia is not increasing its fees for the relevant attendances.
HONG KONG'S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD
Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong's Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees are using their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap 486) (the Ordinance) and the Data Protection Principles (DPPs).
The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices which differ depending on whether or not the organisation's data is stored on the personal devices or within a 'sandbox'. The Commissioner has suggested as best practice that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance.
The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding use of personal data stored in the BYOD device, and whether adequate security measures are in place to ensure secure transfer and storage of personal data in the BYOD equipment (eg sandboxing, password protection and independent encryption).
The Information Leaflet also highlights that respect for personal data should be mutual under the BYOD scheme, and any practices implemented to manage employees' BYOD devices should respect the employees' private information.
For more information, the Information Leaflet is available here.
DLA Piper's Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more, please click here.
JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS
In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.
Where the supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, in order to seek a remedy (for example, damages) the supplier must follow the approach prescribed in the Bill. This is likely to be a two-step process. Firstly, the supplier must attempt to resolve the complaint with the procuring entity. Secondly, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.
The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year.
IPT INSIGHTS
WHAT'S ON
Wrap up: 5th Global Technology Summit
On September 27 and 28, DLA Piper's Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.
This year the Summit was divided into two distinct days of programming. The first day, which was called 'Garage2Global', was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from 'garage to global'. The second day, which was entitled 'TechLaw', provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.
Speaker Highlights
At 'Garage2Global', Alec Ross, Former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day, Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world's largest networks, one that powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates, Inc.
Kicking off 'TechLaw', Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions, and how the legal department is viewed as a business partner. During the afternoon sessions, Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, to discuss the GC's role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world's largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.
Please visit our Summit website and blog for any further information.
DLA Piper is pleased to announce the launch of Telecommunications Laws of the World.
Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.
Key features include:
telecommunications laws regulations and policies
regulatory bodies or authorities
overview of consents licenses and authorisations
regulatory taxes and fees
key sanctions and penalties
Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-based stamping for trading transactions, robust, reliable and resilient networks are critical.
Today, telecommunications operators are increasingly seeking to expand customer-specific and value added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion. At the same time, the growth of OTT (over the top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators' infrastructure to provide services.
Access Telecommunications Laws of the World here.
Intellectual property webinar series
Throughout 2016, DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact events.australia@dlapiper.com.
intellectual property issues in China
confidential information and trade secrets global insights global protection
grey market parallel importation and anti-counterfeiting
content protection and digital piracy
advertising and marketing
Pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide
We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.
Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:
trademark filing and prosecution
oppositions
revocation invalidation and cancellation
trademark enforcement
trademark exploitation
unregistered trademark rights
domain and company name disputes
To pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide, email APACTMGuide@dlapiper.com.
Are you an in-house lawyer? Join WIN today
WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.
26 | Intellectual Property and Technology News
GLOBAL PATENT LAWS AROUND THE WORLD
COMING SOON
Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to businesses operating in the countries featured: for example, what acts infringe a patent, the availability of and approach to granting preliminary injunctions, the ability to obtain evidence, the approach to assessing validity, and the typical time to trial. For companies operating in multiple countries, managing the risk of, and successfully bringing or defending, patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those of other countries.
DLA PIPER'S PATENT GROUP
With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.
For further information please contact us by email at patents@dlapiper.com
Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and the procedural matters businesses need to know about. The handbook includes guidance on:
Infringing conduct
Defences to infringement
Before taking action
Patent validity
Taking action
Remedies
Procedure & timing
Benefits of Global Patent Laws: patent laws simply put, global reach, easy access 24/7.
In the event of a breach…
1 Refer to the data breach response plan
2 Call lawyers to preserve privilege
3 Involve communications and PR team
4 Alert insurers to the breach
5 Seek advice from lawyers and insurers regarding extortion (ransomware) attempts before any payments
6 Engage incident response team to analyse breach and remediate
Access DLA Piper's cyber incident/data breach response: Your emergency checklist here: https://www.dlapiper.com/en/australia/insights/publications/2015/04/cyber-data-breach-checklist
Assessing the technology/insurance inflexion point
Technology and education are the first frontier of data protection and cyber security. Investing in a spread of security technologies, such as firewalls, encryption, system monitoring, vulnerability assessments and penetration testing, along with effective employee education programmes to ensure staff understand how to avoid spear phishing or ransomware attacks, is essential for any organisation.
There is, however, a point at which additional investment in security offers diminishing value. At this inflexion point an organisation needs to refocus its investment attention toward cyber risk insurance.
Tim Fitzgerald, Chief Security Officer and VP at Symantec, explains that exactly when an organisation reaches that inflexion point will vary, and will also be affected by the scale of an organisation's data collection, its reliance on cloud computing services, its deployment of Internet of Things devices and the mobility of its workforce and user base.
He recommends that organisations conduct a cyber risk assessment: analyse the data stores held, assess by whom and why they may be targeted, and then develop a security strategy based on that insight. The board and senior managers need to be apprised of the security risk and strategy and, through gap analysis, determine the need for cyber insurance, understanding that conventional corporate insurance policies are unlikely to properly protect an organisation in the event of a cyber-attack.
A data breach response plan, which can be informed by the Office of the Australian Information Commissioner's guidelines (https://www.oaic.gov.au/resources/agencies-and-organisations/guides/data-breach-notification-guide-august-2014.pdf), ensures that, should a cyber-attack occur, the organisation and its staff understand their responsibilities. A comprehensive response plan also demonstrates good governance to business partners, investors and regulators.
However, any cyber response plan must remain a living document and needs regular review to ensure that current regulatory requirements are acknowledged.
In addition, any personnel with responsibilities under that plan must be properly trained to act swiftly in the event of a breach. The plan should also identify any third party support services required should an attack occur, allowing engagement contracts to be negotiated well in advance rather than under the time pressure of a live incident.
Organisations attacked once are three times more likely to be attacked again – Symantec
45x more cyber ransom events year on year – Symantec
Digital transformation and the impact of insurance
Once an organisation has deployed robust technology defences, educated staff about the risks of cyber-attack and promulgated policies about how to react and respond to cyber events, it has laid important foundations for its protection.
Those people, process and technology foundations provide a platform from which the organisation is able to negotiate appropriate and cost-effective cyber insurance.
By analysing the potential impact of an attack on the financial statements, the organisation can determine what coverage it requires.
Kevin Kalinich, Aon's Global Cyber Practice Leader, advises organisations to look at the industry in which they operate and benchmark the range of losses that could arise, knowing the value of the data assets held and the impact of a cyber-attack in terms of business interruption and the impact on supply chains, on SCADA industrial control systems, and on reputation and brand.
The anticipated introduction of mandated data breach notification should spur action, and organisations with international operations need to ensure that they are properly protected in all the geographies in which they operate. Based on international experience, mandated breach notification leads to significant costs associated with legal services, regulator notification, customer notification, forensics, remediation and potentially compensation claims.
"Take steps to mitigate, to allocate liability or minimise your own liability. This is not all about prevention – it is about your response. If you have prepared a response, there is data that shows you can reduce the total cost of an incident," says Kalinich.
He also warns that organisations should not assume that their existing insurance policies provide any coverage in the event of a cyber-attack, nor that a third party information systems provider, such as a cloud computing vendor, would have them covered. Similarly, existing directors' and officers' policies and professional indemnity coverage might prove inadequate should a cyber-attack take place.
In order to properly analyse the risk profile, Kalinich advocates risk quantification modelling in combination with Monte Carlo evaluation techniques. The resulting macro-level understanding of the challenge allows an organisation to then work with an insurance broker to craft appropriate risk coverage.
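The Monte Carlo risk quantification Kalinich refers to, and the loss benchmarking described a few paragraphs earlier, can be illustrated with the following added example. It is written for this edit and is not code from Aon, Symantec or DLA Piper. It assumes two inputs a practitioner would estimate from incident history or industry benchmarks: an annual event frequency (modelled as Poisson) and a per-event loss (modelled as lognormal), and derives from them the figures a broker conversation turns on: expected annual loss, tail losses at the 95th and 99th percentiles, the probability of exceeding a self-insured retention, and the expected loss that would fall into an insured layer. Every parameter value in the block (two incidents a year, a A$200,000 median loss, a A$250,000 retention, a A$5,000,000 limit) is an illustrative assumption, not a benchmark from the article.

```python
"""Monte Carlo cyber-loss quantification (added example; not from the article).

Frequency of loss events per year is assumed Poisson; loss size per event is
assumed lognormal. Both model choices and every number below are illustrative.
"""
import math
import random
from dataclasses import dataclass


@dataclass
class LossSummary:
    expected_annual_loss: float      # mean of the simulated annual totals
    loss_at_95: float                # 95th percentile annual loss
    loss_at_99: float                # 99th percentile annual loss
    prob_any_loss: float             # share of years with at least one event
    prob_exceeds_retention: float    # share of years where loss exceeds the retention
    expected_insured_loss: float     # mean loss in the layer [retention, retention + limit]


def poisson(rng: random.Random, lam: float) -> int:
    """Draw an event count with mean `lam` (Knuth's multiplication method)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(events_per_year: float, median_loss: float,
                           sigma: float, years: int, seed: int = 0) -> list:
    """Return one simulated total loss per year (compound Poisson-lognormal)."""
    rng = random.Random(seed)            # fixed seed -> reproducible run
    mu = math.log(median_loss)           # lognormal mu is the log of the median
    totals = []
    for _ in range(years):
        n = poisson(rng, events_per_year)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return totals


def percentile(sorted_vals: list, q: float) -> float:
    """Nearest-rank percentile on an already sorted list."""
    idx = math.ceil(q * len(sorted_vals)) - 1
    return sorted_vals[min(max(idx, 0), len(sorted_vals) - 1)]


def summarise(totals: list, retention: float, limit: float) -> LossSummary:
    """Condense simulated years into the figures used to size a policy."""
    s = sorted(totals)
    n = len(s)
    # Loss the insurer would bear: the part above the retention, capped at the limit.
    insured = [min(max(x - retention, 0.0), limit) for x in s]
    return LossSummary(
        expected_annual_loss=sum(s) / n,
        loss_at_95=percentile(s, 0.95),
        loss_at_99=percentile(s, 0.99),
        prob_any_loss=sum(1 for x in s if x > 0) / n,
        prob_exceeds_retention=sum(1 for x in s if x > retention) / n,
        expected_insured_loss=sum(insured) / n,
    )


def analytic_expected_loss(events_per_year: float, median_loss: float, sigma: float) -> float:
    """Closed-form mean of the compound model, used to sanity-check the simulation."""
    return events_per_year * median_loss * math.exp(sigma ** 2 / 2)


if __name__ == "__main__":
    # Illustrative assumptions only: two incidents a year on average, median cost
    # A$200,000 per incident, a A$250,000 self-insured retention, a A$5,000,000 limit.
    totals = simulate_annual_losses(2.0, 200_000, 1.0, years=20_000, seed=7)
    summary = summarise(totals, retention=250_000, limit=5_000_000)
    print(f"expected annual loss  : {summary.expected_annual_loss:,.0f} "
          f"(analytic {analytic_expected_loss(2.0, 200_000, 1.0):,.0f})")
    print(f"95th / 99th percentile: {summary.loss_at_95:,.0f} / {summary.loss_at_99:,.0f}")
    print(f"P(any loss)           : {summary.prob_any_loss:.3f}")
    print(f"P(loss > retention)   : {summary.prob_exceeds_retention:.3f}")
    print(f"expected insured loss : {summary.expected_insured_loss:,.0f}")
```

The closed-form mean is there deliberately: if the simulated expected loss drifts far from it, the model inputs or the sampling are wrong, and a figure handed to a broker on that basis would mis-size the retention and the limit. The tail percentiles, not the mean, are what drive the limit; the retention is chosen against the probability of exceeding it.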
Off-the-shelf policies have limited value. Base cyber insurance policies can cover external hacks, malicious code and internal mistakes, but may not cover the impact of a bug in the system. Consequential (punitive, incidental) costs are excluded from all base insurance policies, as is tangible property damage, but these can be negotiated into a customised policy.
Effective cyber insurance policies also cover costs associated with legal support, communications, forensic analysis, notification and remediation services.
Kalinich warns, however, that given the changes in the legal landscape and the technology terrain, this is not a set-and-forget requirement, noting that risk assessment needs to be both thorough and regular.
Armed with that insight, the organisation can work with an insurance broker to find, tailor and stress test a cyber insurance policy to ensure the effective reduction of enterprise risk.
Cyber risk: are you properly prepared?
There are four key questions that every organisation needs to address regarding cyber risk and protection:
What can go wrong?
How bad can it be?
How am I protected?
Will my insurance work?
Assessing the organisational risk profile requires input from multiple stakeholders, including the chief financial officer, the chief information security officer, the head of risk management and legal counsel. External consultants can also provide a fresh lens through which to explore exposure.
Knowing the risk is one thing; dealing with it effectively also demands the support of the most senior management and the board. Effective security requires a whole-organisation commitment from the top down.
The anticipated mandatory breach notification legislation will require organisations to alert authorities not only when they are aware of a breach but when they "ought reasonably to have been aware" of it, which suggests regulators may penalise companies found to have inadequate security systems. It is also not yet clear whether the legislation will have any extra-territorial implications for organisations operating overseas branches or subsidiaries.
Cyber security is a critical issue for organisations of every scale and in every sector. Robust and comprehensive security frameworks, a well-crafted response plan and effective cyber insurance, developed in concert and reviewed regularly, deliver the maximum protection and an important competitive edge.
UNFAIR CONTRACT TERMS IN THE IT SPACE: WHAT YOU NEED TO KNOW
By Sarah Dolan, Senior Associate (Melbourne) and Stephanie Tran, Graduate (Melbourne)
The 'one size fits all' approach to contracting is a common feature within the IT industry. Standard form contracts are an efficient and cost-effective method of doing business and are often used for online terms of use and for projects which are of low risk, value and/or complexity.
From 12 November 2016 the unfair contract terms regime in the Australian Consumer Law, which until then only applied to individual consumers, was extended to contracts where at least one party is a "small business" and the upfront price payable does not exceed $300,000 (or $1 million if the contract is for a term longer than 12 months). A "small business" is a business that employs fewer than 20 people. The regime will also apply to existing contracts which are varied after 12 November 2016.
What is an "unfair" contract term?
Whether a term is "unfair" is decided by a court or tribunal. A term is "unfair" if the following three criteria are satisfied:
it causes a significant imbalance in the parties' rights and obligations under the contract;
it is not reasonably necessary to protect the legitimate interests of the party who would be advantaged by the term; and
it would cause detriment (whether financial or otherwise) to a party if the term were relied upon.
A court or tribunal, in determining whether a term is unfair, must assess the transparency of the term. This includes an assessment of how the term is expressed: is it in plain language, and is it presented clearly? The court or tribunal must also consider the term in light of the contract as a whole and not in isolation.
Unfair terms in standard form contracts
Examples of standard form contract terms that may be challenged in court or at a tribunal for "unfairness" include:
terms requiring the customer to indemnify the supplier for any damage caused, even if it is caused by the supplier's own negligence;
terms that allow a supplier to cancel a contract at will for an inconsequential breach of contract by the customer;
terms that restrict a customer from obtaining a refund or exercising a termination right where the supplier has failed to meet its obligations under the contract; and
terms that provide for automatic renewal without the customer's consent.
What does this mean for your business?
Where a supplier's business model is directed at providing services to small to medium enterprises (SMEs), and the supplier has not had to address this issue in the past for "consumer" customers, it is likely to be affected by this extension of the unfair contract terms regime. Standard form contracts (eg online terms of use, confidentiality agreements, software licences, support agreements, supply and/or services contracts) for SME customers should be reviewed to determine whether any of the terms may be considered "unfair".
If a court determines that a term is "unfair" it can make a range of orders, including declaring part or all of the contract void and/or varying the contract. If a court orders a contract to be varied, this may result in the supplier being unable to enforce other rights it may otherwise have, either under the contract itself or at law.
Additionally, customers which are small businesses may challenge contract terms that they consider unfair in order to prevent a supplier from enforcing express rights under the contract. Such challenges will cost a supplier both time and money to address, even if it is able to successfully defend the claim. In this day of instant and free customer feedback on social media sites, there is also the risk of reputational damage in the market.
Suppliers should ensure their standard terms are appropriate for the type, size and nature of both the target customer and the goods and services being provided, with an appropriate balance of risk and responsibility between the parties.
INSURTECH
By Carolyn Bigg, Of Counsel (Hong Kong) and Sarah Fountain, Senior Associate (Melbourne)
The customer experience of insurance has largely remained the same for many years. A customer completes a proposal form (normally in hard copy) and submits it to the broker; the broker requests quotes from insurers; insurers provide quotes; the broker places a policy; the policy is issued (normally on an annual basis); and then the customer probably gives no further thought to it unless he or she needs to make a claim. This process does not fit well with the digital era we now live in and has not adapted quickly enough to meet changing consumer expectations, largely driven by millennials.
Insurers widely recognise the need to innovate. Despite this, most insurers have been slow to change their ways, with less than a quarter giving customers the option to submit claims online. This signals huge opportunities for those in the insurance sector, which explains the huge growth we are seeing in 'insurtech' (a word that was barely known a few years ago but now seems to be everywhere). Globally, investment in insurtech increased from US$800 million in 2014 to US$2.6 billion in 2015, and was US$1 billion in the first half of 2016.
Across Asia Pacific there are numerous examples of insurers embracing insurtech. Some insurers have opened innovation labs or incubators, such as MetLife's LumenLabs in Singapore. Others have established corporate VC funds to invest in insurtech startups that will drive value for the business. For example, Suncorp recently invested in Trov, an app that allows customers to turn insurance on and off by swiping right or left on their phones. We have also seen collaboration between insurers and car manufacturers to make available one-click, single-use motor vehicle policies in connected cars, as well as collaboration between insurers and technology companies. Another indicator of the opportunities in insurtech is the level of interest shown in the insurance market by leading players in other markets. For example, earlier this year China Mobile announced that it is planning to enter the insurance market by making significant investments in two insurance companies.
These initiatives are already starting to have an impact on the insurance experience. The use of drones by insurance companies to assess property damage is reducing claims costs and the time taken to assess claims. The implementation of wearable technology in the workplace, such as smart glasses and smart hats, is increasing workplace safety and thereby reducing the risk of injuries. The use of wearable devices has also been adopted by health insurers and life insurers, enabling them to capture data and potentially pass on lower premiums to policy holders. In the future we predict the most significant areas of growth and change in insurtech will be data analytics, wearables and IoT, blockchain and artificial intelligence.
Whilst regulators understandably adopt a cautious approach, they are taking steps to encourage fintech and insurtech initiatives. The Monetary Authority of Singapore very recently published guidelines for a 'regulatory sandbox' to encourage growth in fintech within a relaxed regulatory environment. This follows the announcement by the Australian Securities & Investments Commission of a sandbox for fintech businesses.
As the insurance sector becomes increasingly digitised, cybersecurity risks also increase. Regulators around the region have published new and updated guidance that is relevant to the increasingly sophisticated cybersecurity threats. It is important that insurers' compliance and risk teams focus not only on the immediate cybersecurity compliance obligations arising from the latest regulations, but also ensure that cybersecurity compliance programmes are developed to take into account the increasing reliance on technology and data at the core of their operations.
As technology continues to evolve and improve, insurtech opportunities will increase. Although the rise of insurtech has been rapid in recent years, it is still in its infancy. This presents significant opportunities for insurers who adapt to changing consumer expectations and invest in insurtech, especially in Asia, where many people are uninsured but are well connected and spend a lot of time online via their mobile devices. Adapting quickly to this dynamic landscape will enable insurers to remain competitive.
PROPOSED AUSTRALIAN MANDATORY DATA BREACH NOTIFICATION REGIME
By Nicholas Boyle, Senior Associate (Sydney)
In October 2016 the Federal Government introduced the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill) to the House of Representatives to amend the Privacy Act to establish a regime for mandatory notification of eligible data breaches. There is bipartisan support for the Bill and it is likely to become law in late 2016 or early 2017.
What are the mandatory data breach notification requirements under the Bill?
The Bill requires that an entity must, as soon as practicable, comply with the notification steps outlined below if:
the entity becomes aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity; or
the Information Commissioner directs the entity to do so.
If an 'eligible data breach' occurs in relation to information which has been disclosed to (and is held by) an overseas recipient by an entity, the entity that disclosed the information must comply.
Step 1: Prepare a statement setting out the prescribed details
The affected entity must prepare a statement that sets out:
the identity and contact details of the entity (if the eligible data breach relates to more than one entity, the statement may also set out the identity and contact details of those other entities);
a description of the eligible data breach;
the kind or kinds of information affected by the eligible data breach; and
recommendations about the steps that individuals who are or may be affected by the eligible data breach should take in response to it.
If a statement is prepared at the direction of the Information Commissioner, the statement must also include any information specified in that direction.
Step 2: Give a copy of the prepared statement to the Information Commissioner
Step 3: Notify the contents of the statement to individuals whose information is affected by the eligible data breach
Where practicable, the affected entity must take reasonable steps to notify the contents of the statement to those individuals who are or may be affected by the eligible data breach. The entity may use the channels it ordinarily uses to communicate with individuals (eg email, text message, mail) to provide those notifications, but that does not limit the obligation to take reasonable steps or the methods of communication that the entity can use.
If it is not practicable for the affected entity to notify individuals, the affected entity must publish a copy of the statement on its website (if any) and take reasonable steps to publicise the contents of the statement.
What are 'eligible data breaches'?
An 'eligible data breach' occurs when:
there is unauthorised access to, or unauthorised disclosure of, personal, credit reporting or credit eligibility information or a tax file number, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates; or
personal, credit reporting or credit eligibility information or a tax file number is lost, where it is likely that (a) unauthorised access to or unauthorised disclosure of the information will occur and (b) such unauthorised access or disclosure will result in serious harm to an individual to whom the information relates.
Remedial action exception to the definition of eligible data breaches
An eligible data breach is deemed never to have occurred where the affected entity:
in the case of lost information, takes action before there is unauthorised access to or unauthorised disclosure of the lost information, and no unauthorised access or disclosure actually occurs; or
in the case of information which is the subject of unauthorised access or disclosure, takes action before there is serious harm to any individual to whom the information relates and, because of that action, a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals.
What is 'serious harm'?
'Serious harm' is to be interpreted broadly. The explanatory memorandum to the Bill states that 'serious harm' could include serious physical, psychological, emotional, economic and financial harm, and serious harm to reputation.
The Bill contains a non-exhaustive list of matters to be considered in determining whether or not access to or disclosure of information is likely to result in "serious harm". These matters include:
the kind(s) and sensitivity of the information;
whether the information is protected by one or more security measures, and the likelihood of any of those measures being overcome (in practice, for example, whether lost data was encrypted and whether the key was exposed along with it);
the persons, or the kinds of persons, who have obtained or who could obtain the information; and
the nature of the harm.
Exceptions
There are a small number of circumstances in which entities are exempted from complying with the notification obligations:
Multiple affected entities: where the eligible data breach affects more than one entity and another entity has complied with the notification obligations, the other affected entities do not need to separately comply.
Enforcement related activities: where the affected entity is an enforcement body and the body's CEO reasonably believes that complying with the notification obligations is likely to prejudice any of its enforcement related activities.
Inconsistency with a secrecy provision: where complying with the notification obligations is to any extent inconsistent with a provision of a law of the Commonwealth that prohibits or regulates the use or disclosure of information.
Declaration by the Commissioner: where the Information Commissioner declares that the notification obligations do not apply, or specifies a particular time by which the affected entity must comply with the notification obligations.
Assessment of suspected eligible data breaches
If an entity has reasonable grounds to suspect that an eligible data breach may have occurred, but is not aware of reasonable grounds to believe that an eligible data breach has in fact occurred, the entity must carry out a reasonable and prompt assessment to determine whether an eligible data breach has in fact occurred. This could arise where an entity is notified of a breach by a third party.
The entity must take reasonable steps to complete the assessment within 30 days after forming the suspicion.
If the eligible data breach applies to more than one entity, only one entity needs to undertake an assessment for all entities to comply with this requirement.
SIGNIFICANT CHANGES TO DATA AND CYBERSECURITY PRACTICES IN CHINA
By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong), and Paula Cao, Associate (Beijing)
After a third deliberation, the Chinese government passed the new PRC Cybersecurity Law on 7 November 2016. The new law will come into force on 1 June 2017 and has significant implications for the data privacy and cybersecurity practices of both Chinese companies and international organisations doing business in China.
The new PRC Cybersecurity Law is intended to combat online fraud and protect China against internet security risks. In short, it imposes new security and data protection obligations on "network operators", puts restrictions on transfers of data outside China by "key information infrastructure operators", and introduces new restrictions on critical network and cybersecurity products.
The new law has been widely reported in both the local and international press. While Chinese officials maintain that China is not closing the door on foreign companies with the introduction of this new law, there has been widespread international unease since the first reading. Commentators have expressed concern that competition will be stifled, about the handover of intellectual property, source code and security keys to the Chinese government, about perceived increased surveillance and controls over the internet in China, and about the data localisation requirements. Other new obligations, including increased personal data protections, have been less controversial, but are a clear indicator of the increased focus within the Chinese authorities on data protection and could signal a change to the data protection enforcement environment in China.
Some of the key provisions of the final law (which contains some changes to earlier drafts) include (inter alia):
Chinese citizens' personal information and "important data" gathered and produced by "key information infrastructure operators" (KIIOs) during operations in China must be kept within the borders of the PRC. If it is "necessary" for the KIIO to transfer such data outside of China, a security assessment must be conducted pursuant to the measures jointly formulated by the National Cyberspace Administration and the State Council, unless other PRC laws permit the overseas transfer. While the final version of the law provides some guidance as to the industry fields that will be ascribed greater protection, such as public communications and information services, energy, transportation, water conservancy, finance, public services and e-government, the definition of KIIO remains vague and could potentially be interpreted to cover a broader range of companies and industry sectors. "Personal information" is defined as including all kinds of information, recorded electronically or through other means, that taken alone or together with other information is sufficient to identify a natural person's identity, including but not limited to natural persons' full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers and so forth. However, the types of information that might constitute "important data" are currently unclear. In any case, these data localisation rules are likely to create practical issues for international businesses operating in China.
A range of new obligations apply to organisations that are "network operators" (ie network owners, network administrators and network service providers). A "network" means any system comprising computers or other information terminals and related equipment for the collection, storage, transmission, exchange and processing of information. Some commentators are suggesting that these broad definitions could catch any business that owns and operates IT networks or infrastructure, or even just websites, in China.
In terms of data protection, network operators must make data privacy notices publicly available (explicitly stating the purposes, means and scope of personal information to be collected and used) and obtain individuals' consent when collecting, using and disclosing their personal information. Network operators must adopt technical measures to ensure the security of personal information against loss, destruction or leaks and, in the event of a data security breach, must take immediate remedial action and promptly notify users and the relevant authorities. They must also comply with principles of legality, propriety and necessity in their data handling and not be excessive, must not provide an individual's personal information to others without the individual's consent, and must not illegally sell an individual's personal data to others. The rules do not apply to truly anonymised data. There are also general obligations to keep user information confidential and to establish and maintain data protection systems. Data subject rights to correction of their data, as well as a right to request deletion of data in the event of a data breach, are also provided. While an earlier draft specifically provided protection to personal information of "citizens", the final law does not make this distinction and so seemingly offers broader protection to all personal information. These requirements formalise as binding legal obligations some data protection safeguards that were previously only perceived as best practice guidance in China.
As regards network security, network operators must fulfil certain tiered security obligations according to the requirements of the classified protection system for cybersecurity. These include (amongst other things): formulating internal security management systems and operating instructions; appointing dedicated cybersecurity personnel; taking technological measures to prevent computer viruses and other similar threats and attacks; formulating plans to monitor and respond to network security incidents; retaining network logs for at least six months; undertaking prescribed data classification, backup, encryption and similar activities; complying with national and mandatory security standards; reporting incidents to users and the authorities; and establishing complaints systems.
Network operators must also provide technical support and assistance to state security bodies safeguarding national security and investigating crimes, and will be subject to government and public supervision. The form and extent of such cooperation is not currently clear, and international businesses have expressed concerns over the extent to which this may require them to disclose their IP, proprietary and confidential information to the Chinese authorities.
More general conditions on network operators carrying out business and service activities include obeying all laws and regulations mandatory and industry national standards social
norms and commercial ethics being honest and credible and bearing social responsibility There are also requirements on network operators to block delete and report to the authorities prohibited information and malicious programs published or installed by users
Network operators handling ldquonetwork access and domain registration servicesrdquo for users including mobile phone and instant message service providers are required to comply with ldquoreal identityrdquo rules when signing up or providing service confirmation to users or else may not provide the service
Additional security safeguards apply to KIIOs including security background checks on key managers staff training obligations disaster recovery back ups emergency response planning and annual inspections and assessments Further strict procurement procedures will apply to KIIOs buying network products and services
Providers of ldquonetwork products and servicesrdquo must comply with national and mandatory standards their products and services must not contain malicious programs must take remedial action against security issues and report them to users and relevant authorities and must provide security maintenance for their products and services which cannot be terminated within the contract term agreed with customers These new conditions will require providers of technology products and services to review and update their product and related maintenance offerings and in particular the contractual terms on which they are offered to customers
Critical network equipment and specialised cybersecurity products must obtain government certification or meet prescribed safety inspection requirements before being sold or provided This potentially catches a wide range of software hardware and other technologies being sold ndash or proposed to be sold ndash by international companies in the China since the definitions used in the law are drafted very broadly Further guidance by way of a catalogue of key network products is expected in due course There are concerns that this may create barriers to international businesses looking to enter the Chinese market
www.dlapiper.com | 17
Each individual and organisation shall be responsible for its own use of websites, and may not set up websites or communication groups for the purpose of committing fraud, imparting criminal methods, producing or selling prohibited items, or engaging in other unlawful activities. Again, there is scope for this to be interpreted and applied broadly.

Institutions, organisations and individuals outside China that cause serious consequences by attacking, interfering with or destroying key information infrastructure of China shall be responsible for any damage, and the relevant public security department of the State Council may freeze assets and impose other sanctions against them. While these provisions would appear to have an extra-territorial effect and could be interpreted very broadly, it is unclear what sanctions could in practice be enforced against organisations without a presence in China.

Other new rules relate to network/online protections for minors; the establishment of schemes for network security monitoring, early warning and breach notification to relevant authorities and the public; rights for individuals and organisations to report conduct endangering network security; the opening of public data resources; and prohibitions on hacking and supporting activities.

While criminal sanctions, administrative penalties and civil liabilities potentially await those (both organisations and, in some circumstances, individual employees and officers) who violate the new law, unfortunately great uncertainties remain as to how the new legislation will be enforced, who exactly is caught by the various new rules, and the precise steps that organisations must take to comply with them. It is hoped that the Chinese authorities will publish more detailed practical guidance in the coming months. In the meantime, organisations are strongly advised to review their data privacy and cybersecurity practices in China to ensure compliance with the new law before it comes into force on 1 June 2017, and to keep these under review as further guidance becomes available.
STRICTER PRC ONLINE ADVERTISING REGULATION IN RESPONSE TO SEARCH SCANDAL
By Edward Chatterton, Partner (Hong Kong), Horace Lam, Partner (Beijing), and Ian Jebbit, Registered Foreign Lawyer (Hong Kong)

The China State Administration of Industry and Commerce's Online Advertising Regulation (Regulation) came into force on September 1, 2016. The Regulation has been widely regarded as the response to a recent scandal regarding paid search results.

Earlier this year a promising college student in China, Wei Ze Xi, sought cancer treatment at a hospital which was returned as a paid search result on an internet search engine. The hospital promised that the treatment would be effective and charged Wei US$30,000. The treatment was later found to be ineffective, but Wei could not then afford further

The changes

The newly amended Advertising Law did not expressly address the regulation of 'paid search results', but the new Regulation includes a specific definition of paid search results which sees them classified as an internet advertisement and thus subject to the Advertising Law. As such, the Regulation means, inter alia, that paid search results:

• must not be misleading;
• cannot be used in relation to the advertisement of prescription medication and tobacco products;
• cannot be used in relation to the advertisement of medical services, medicine, medical formula food, medical devices, pesticides, veterinary medicines and health care products unless the relevant products and services have been previously approved by the relevant authorities; and
• must be able to be closed with 'one click' and must not interfere with a user's internet experience.

The Regulation also requires online advertising service providers to establish internal systems for, inter alia, identifying clients who use paid search results and storing their details and advertisements.

Practical implications

The new Regulation affects not only search engine providers, but all online advertising businesses and users of paid search results.

Businesses advertising in China using paid search results must check to ensure such paid search results are in compliance with the Advertising Law, and those businesses operating in any of the restricted fields listed above must now ensure prior approval is sought before placing a paid search result advertisement.

Our team of lawyers in China is ready to advise you on the preparations you need to make for the implementation of the Regulation.
MOBILE APPS UNDER CLOSE WATCH OF THE HONG KONG PRIVACY COMMISSIONER
By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong)

The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps. On 21 April 2016 the Office of the Privacy Commissioner for Personal Data (the PCPD) held the 'Mobile App Development Forum on Privacy and Security' (Forum) for the mobile app industry, which discussed key issues for mobile app developers, businesses and stakeholders to consider when developing and operating mobile apps, in terms of ensuring compliance with the provisions of the Personal Data (Privacy) Ordinance and safeguarding users from cybersecurity risks.

Businesses operating in the mobile app industry and related stakeholders are advised to take note of the below key points raised at the Forum and related issues that they should consider.

Lessons to learn from mobile apps in the market

The Privacy Commissioner highlighted the results of a recent survey on popular mobile apps developed by Hong Kong entities, which revealed a lack of transparency of the personal data handling in relation to the apps. The survey results revealed that most of these local apps did not explain clearly what data they would access and the purposes for such access, and that only around half of these mobile apps provided a privacy policy.

A key risk discussed at the Forum was that the drafter of the privacy policies may not have a complete understanding of what data is in fact collected, stored, used and/or shared by the app, for example in the case of using third party code in the app development. Businesses using one privacy policy for all of their mobile apps, which differ greatly in the way users' data are handled, also run the risk of having imprecise privacy policies for individual apps.

Security remains a key concern in relation to personal data collected and handled by mobile apps. It was revealed at the Forum that, alarmingly, some extremely popular mobile apps failed to apply adequate security to safeguard users' personal data.

Enforcement risks for mobile apps

At the Forum the Privacy Commissioner referred to enforcement actions that were taken against mobile apps recently, largely due to excessive data collection and inadequate security of personal data.
In recent years the Privacy Commissioner has served enforcement notices on operators of mobile apps as well as related parties to the app operators. As a result, the relevant companies have taken corrective actions and, in some instances, the Privacy Commissioner's enforcement action attracted much media attention, and some of these mobile apps are no longer available in the market.
However, there is a limit to the Privacy Commissioner's enforcement powers, as demonstrated by a high profile incident in November 2016 regarding call-blocking apps whose activities were suspected by the PCPD to contravene Hong Kong's data privacy law. As the apps' operators were located outside Hong Kong, the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow-up action.

It is most likely that the privacy compliance of mobile apps will continue to be under the close watch of the Privacy Commissioner in the coming months.

Privacy by Design

The Chief Personal Data Officer of the PCPD, Dr Henry Chang, highlighted the 'Privacy by Design' approach that businesses should adopt, which brings privacy to the foreground and embeds privacy from the outset into the design specifications and throughout the entire development life cycle of a mobile app. Set out below are key factors that should be considered:

• Data minimisation: the collection of personal data should be reduced to the absolute minimum, especially where sensitive personal data is involved. An assessment of what data the business requires from users, in terms of access and collection, should be undertaken at the outset.
• Surprise minimisation: businesses should ensure there is transparency to users in terms of what data will be collected or accessed, and provide users with a choice to opt out from such access or use where possible. It is important for businesses to manage the expectations of users and eliminate or minimise any possible adverse effects of data collection and use.
• Risk minimisation: businesses must ensure adequate protection of data being transmitted and/or stored, for example through encryption and access control.
• Trust and respect: to earn the trust and respect of users, it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects, even if it does not amount to personal data. This is key, as mobile devices contain a vast amount of personal data and other data that may be considered private, and users would be concerned about whether the mobile app accesses or collects any of this data.

In particular, businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users, rather than a compliance hurdle to avoid investigation or enforcement action by the Privacy Commissioner. Businesses should ensure the data collection and handling practices in respect of their mobile apps are not only compliant with the law, but that the privacy policies and privacy notifications and consents are sufficiently clear and transparent to gain the trust and respect of users.
SINGAPORE'S ENFORCEMENT OF DATA PROTECTION LAW ON THE RISE
By Scott Thiel, Partner, Carolyn Bigg, Of Counsel, and Amy Kong, Associate (Hong Kong)

Singapore's Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC has published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident with the Monetary Authority of Singapore (MAS) concerning a multinational bank. The PDPC has also recently announced the need for organisations to improve their data security and data protection measures, and has issued new guides, primarily focusing on data protection measures, which organisations should consider carefully.

Recent enforcement decisions

Some of the key points to note from the three recent enforcement decisions:

• A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.
• A document processing company was fined SGD 5,000 for a data breach after 195 individuals received account statements of other account holders held on the Singapore Exchange.
• A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (being the policy holder's chiropractor) to obtain further medical information about the policy holder in September 2015. The PDPC found that the disclosure of the policy holder's bank account details, being of a sensitive financial nature, was not for a reasonable purpose.

It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of 'sensitive personal data' which requires additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.

As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were a result of inadequate data security measures which led to unauthorised disclosure of personal data.
Investigation on a multinational bank's data disposal incident

The PDPC and the MAS have joined forces in an investigation against a multinational bank (Bank) following a recent report relating to the Bank's disposal of client documents. In June 2016 it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank's headquarters in Singapore.

The MAS is working closely with the PDPC to review the incident, and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers' data.

New guides issued by the PDPC

To accompany its recent media release urging organisations to improve their data security measures, and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, securing personal data in electronic medium, and building websites for small to medium enterprises.

The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding content on withdrawal of consent and access requests. Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing their data handling practices.

Some interesting issues to note

The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third party contracts. Such data protection clauses should contain: specific security measures; a schedule containing the authorised personnel who are permitted to access the personal data on a 'need to know' basis; a requirement for a written undertaking about return or deletion of personal data; as well as a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.

The PDPC's guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).

This article was first published in August 2016. For further updates in relation to Singapore's data protection laws, please contact Scott Thiel (scott.thiel@dlapiper.com) or Carolyn Bigg (carolyn.bigg@dlapiper.com).
IPT INSIGHTS

AUSTRALIA – TRADE MARKS – CHANGES TO OFFICIAL FEES

The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees, some of which are to align with practices in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.

Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there will no longer be a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptance/registration, the new process will hopefully reduce the administrative burden on applicants somewhat.

In addition, the AU$150 fee for opposing a removal application will be abolished. Renewal fees will also increase slightly.

This is an adjustment to official fees only at this time, and DLA Piper Australia is not increasing its fees for the relevant attendances.

HONG KONG'S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD

Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong's Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees are using their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap. 486) (the Ordinance) and the Data Protection Principles (DPPs).

The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices depending on whether or not the organisation's data is stored on the personal devices or within a 'sandbox'. The Commissioner has suggested as best practice that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly, to ensure appropriate data privacy and data security compliance.

The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding use of personal data stored in the BYOD device, and whether adequate security measures are in place to ensure secure transfer and storage of personal data in the BYOD equipment (eg sandboxing, password protection and independent encryption).

The Information Leaflet also highlights that respect for personal data should be mutual under the BYOD scheme, and any practices implemented to manage employees' BYOD devices should respect the employees' private information.

For more information, the Information Leaflet is available here.

DLA Piper's Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more, please click here.

JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS

In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.

Where the supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, in order to seek a remedy (for example, damages) the supplier must follow the approach prescribed in the Bill. This is likely to be a two-step process. Firstly, the supplier must attempt to resolve the complaint with the procuring entity. Secondly, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.

The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year.
WHAT'S ON

Wrap up: 5th Global Technology Summit

On September 27 and 28, DLA Piper's Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.

This year the Summit was divided into two distinct days of programming. The first day, which was called 'Garage2Global', was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from 'garage to global'. The second day, which was entitled 'TechLaw', provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.

Speaker Highlights

At 'Garage2Global', Alec Ross, Former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day, Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world's largest networks, which powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates, Inc.

Kicking off 'TechLaw', Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions, and how the legal department is viewed as a business partner. During the afternoon sessions, Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, to discuss the GC's role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world's largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.

Please visit our Summit website and blog for any further information.
DLA Piper is pleased to announce the launch of Telecommunications Laws of the World

Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.

Key features include:

• telecommunications laws, regulations and policies
• regulatory bodies or authorities
• overview of consents, licenses and authorisations
• regulatory taxes and fees
• key sanctions and penalties

Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-based stamping for trading transactions, robust, reliable and resilient networks are critical.

Today, telecommunications operators are increasingly seeking to expand customer-specific and value added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion. At the same time, the growth of OTT (over the top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators' infrastructure to provide services.

Access Telecommunications Laws of the World here.
Intellectual property webinar series

Throughout 2016 DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact eventsaustralia@dlapiper.com.

• intellectual property issues in China
• confidential information and trade secrets: global insights, global protection
• grey market, parallel importation and anti-counterfeiting
• content protection and digital piracy
• advertising and marketing

Pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide

We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.

Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:

• trademark filing and prosecution
• oppositions
• revocation, invalidation and cancellation
• trademark enforcement
• trademark exploitation
• unregistered trademark rights
• domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide, email APACTMGuide@dlapiper.com.

Are you an in-house lawyer? Join WIN today

WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.
GLOBAL PATENT LAWS AROUND THE WORLD

COMING SOON

Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to businesses operating in the countries featured: for example, what acts infringe a patent, the availability of and approach to granting preliminary injunctions, the ability to obtain evidence, the approach to assessing validity, and the typical time to trial. For companies operating in multiple countries, managing the risk of, and successfully bringing or defending, patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those in other countries.

Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and the procedural matters businesses need to know about. The handbook includes guidance on:

• infringing conduct
• defences to infringement
• before taking action
• patent validity
• taking action
• remedies
• procedure & timing

Benefits of Global Patent Laws: patent laws simply put; global reach; easy access 24/7.

DLA PIPER'S PATENT GROUP

With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.

For further information, please contact us by email at patents@dlapiper.com.
Organisations attacked once are three times more likely to be attacked again – Symantec

45x more cyber ransom events year on year – Symantec
Digital transformation and the impact of insurance
Once an organisation has deployed robust technology defences, educated staff about the risks of cyber-attack and promulgated policies about how to react and respond to cyber events, it has laid important foundations for its protection.
Those people, process and technology foundations provide a platform from which the organisation is able to negotiate appropriate and cost-effective cyber insurance.
By analysing the potential impact of an attack on the financial statements, the organisation can determine what coverage it requires.
Kevin Kalinich, Aon's global cyber practice leader, advises organisations to look at the industry in which they operate and benchmark the range of losses that could arise, knowing the value of the data assets held and the impact of a cyber-attack in terms of business interruption, the impact on supply chains, on SCADA industrial control systems, and on reputation and brand.
The anticipated introduction of mandated data breach notification should spur action, and organisations with international operations need to ensure that they are properly protected in all the geographies in which they operate. Based on international experience, mandated breach notification leads to significant costs associated with legal services, regulator notification, customer notification, forensics, remediation and potentially compensation claims.
"Take steps to mitigate, to allocate liability or minimise your own liability. This is not all about prevention – it is about your response. If you have prepared a response, there is data that shows you can reduce the total cost of an incident," says Kalinich.
He also warns that organisations should not assume that their existing insurance policies provide any coverage in the event of a cyber-attack, nor that a third-party information systems provider, such as a cloud computing vendor, would have them covered. Similarly, existing directors and officers policies and professional indemnity coverage might prove inadequate should a cyber-attack take place.
In order to properly analyse the risk profile, Kalinich advocates risk quantification modelling in combination with Monte Carlo evaluation techniques. The resulting macro-level understanding of the challenge allows an organisation to then work with an insurance broker to craft appropriate risk coverage.
Off-the-shelf policies have limited value. Base cyber insurance policies can cover external hacks, malicious code and internal mistakes, but may not cover the impact of a bug in the system. Consequential costs (punitive and incidental) are excluded from all base insurance policies, as is tangible property damage, but these can be negotiated in a customised policy.
Effective cyber insurance policies also cover costs associated with legal support, communications, forensic analysis, notification and remediation services.
Kalinich warns, however, that given the changes in the legal landscape and the technology terrain this is not a set-and-forget requirement, noting that risk assessment needs to be both thorough and regular.
Armed with that insight, the organisation can work with an insurance broker to find, tailor and stress-test a cyber insurance policy to ensure the effective reduction of enterprise risk.
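The risk quantification and Monte Carlo approach described above, and the stress-testing of deductibles and limits against it, can be illustrated with a small simulation. The following is an added example written for this page; it is not code from Aon or DLA Piper, and the incident frequency, loss severity and policy terms in it are illustrative assumptions rather than figures from the article. It models incidents per year as Poisson, the cost of each incident as lognormal (most incidents modest, a few very large), and applies an assumed policy with a per-event deductible, a per-event limit and an annual aggregate limit to see what stays on the balance sheet.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """Illustrative cyber policy terms (assumed for this example, not from the article)."""
    deductible: float        # retained by the insured on each event
    per_event_limit: float   # maximum the insurer pays for a single event
    aggregate_limit: float   # maximum the insurer pays in total per policy year


def poisson(rng: random.Random, rate: float) -> int:
    """Number of incidents in one year (Knuth's algorithm); rate is the expected count."""
    threshold = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def severity(rng: random.Random, median: float, sigma: float) -> float:
    """Cost of one incident: lognormal with the given median and log-scale spread sigma."""
    return rng.lognormvariate(math.log(median), sigma)


def recovery(loss: float, policy: Policy, aggregate_remaining: float) -> float:
    """Amount the insurer pays for one event after deductible, per-event and aggregate limits."""
    above_deductible = max(0.0, loss - policy.deductible)
    capped = min(above_deductible, policy.per_event_limit)
    return min(capped, aggregate_remaining)


def simulate_years(years, rate, median, sigma, policy, seed=2016):
    """Return (gross, retained) annual losses over many simulated years.

    retained is what remains with the organisation after insurance recoveries.
    """
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    gross, retained = [], []
    for _ in range(years):
        remaining = policy.aggregate_limit
        year_gross = year_retained = 0.0
        for _ in range(poisson(rng, rate)):
            loss = severity(rng, median, sigma)
            paid = recovery(loss, policy, remaining)
            remaining -= paid
            year_gross += loss
            year_retained += loss - paid
        gross.append(year_gross)
        retained.append(year_retained)
    return gross, retained


def percentile(values, q: float) -> float:
    """Nearest-rank percentile; q=0.99 gives the 1-in-100-year loss."""
    ordered = sorted(values)
    rank = max(1, math.ceil(q * len(ordered)))
    return ordered[rank - 1]


def summarise(gross, retained):
    """The figures a broker conversation would start from (currency units of the inputs)."""
    return {
        "expected_gross": sum(gross) / len(gross),
        "gross_p99": percentile(gross, 0.99),
        "expected_retained": sum(retained) / len(retained),
        "retained_p99": percentile(retained, 0.99),
    }


if __name__ == "__main__":
    # Assumed inputs: two incidents a year on average, median incident cost 250,000,
    # a heavy tail (sigma 1.2), and an assumed policy of 100,000 deductible,
    # 2,000,000 per event and 5,000,000 aggregate.
    policy = Policy(deductible=100_000, per_event_limit=2_000_000, aggregate_limit=5_000_000)
    g, r = simulate_years(10_000, rate=2.0, median=250_000, sigma=1.2, policy=policy)
    for name, value in summarise(g, r).items():
        print(f"{name:>18}: {value:,.0f}")
```

Changing the deductible or limits and re-running shows directly how much of the 1-in-100-year loss a given policy actually removes, which is the stress test the article recommends; the frequency and severity parameters are the part that needs to be benchmarked against the organisation's own industry rather than taken from this example.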
Cyber risk: are you properly prepared?
There are four key questions that every organisation needs to address regarding cyber risk and protection:
What can go wrong?
How bad can it be?
How am I protected?
Will my insurance work?
Assessing the organisational risk profile requires input from multiple stakeholders including the chief financial officer chief information security officers risk management head and legal counsel External consultants can also provide a fresh lens through which to explore exposure
Knowing the risk is one thing ndash dealing with it effectively also demands the support of the most senior management and board Effective security requires a whole-organisation commitment from the top down
The anticipated mandatory breach notification legislation will require organisations to alert authorities not only when they are aware of a breach but when those organisations "ought reasonably to have been aware", which suggests regulators may penalise companies found to have inadequate security systems. It is also not yet clear whether there will be any extra-territorial implications of the legislation for organisations operating overseas branches or subsidiaries.
Cyber security is a critical issue for organisations of every scale and in every sector. Robust and comprehensive security frameworks, a well-crafted response plan and effective cyber insurance, developed in concert and reviewed regularly, deliver the maximum protection and an important competitive edge.
UNFAIR CONTRACT TERMS IN THE IT SPACE: WHAT YOU NEED TO KNOW
By Sarah Dolan, Senior Associate (Melbourne) and Stephanie Tran, Graduate (Melbourne)
The 'one size fits all' approach to contracting is a common feature within the IT industry. Standard form contracts are an efficient and cost-effective method of doing business and are often used for online terms of use and for projects which are of low risk, value and/or complexity.
From 12 November 2016 the unfair contract terms regime in the Australian Consumer Law, which until then only applied to individual consumers, was extended to contracts where at least one party is a "small business" and the upfront price payable is no more than $300,000 (or $1 million if the contract is for a term longer than 12 months). A "small business" is a business that employs fewer than 20 people. The regime also applies to contracts which are varied after 12 November 2016.
What is an "unfair" contract term?
Whether a term is "unfair" is decided by a court or tribunal. A term is "unfair" if the following three criteria are satisfied:
it causes a significant imbalance in the parties' rights and obligations under the contract;
it is not reasonably necessary to protect the legitimate interest of the party who would be advantaged by the term; and
it would cause detriment (whether financial or otherwise) to a party if the term were relied upon.
A court or tribunal, in determining whether a term is unfair, must assess the transparency of the term. This includes an assessment of how the term is expressed: is it in plain language and is it presented clearly? The court or tribunal must also consider the term in light of the contract as a whole and not in isolation.
Unfair terms in standard form contracts
Examples of standard form contract terms that may be challenged in court or at a tribunal for "unfairness" include:
terms requiring the customer to indemnify the supplier for any damage caused, even if it is caused by the supplier's own negligence;
terms that allow a supplier to cancel a contract at will for an inconsequential breach of contract by the customer;
terms that restrict a customer from obtaining a refund or exercising a termination right where the supplier has failed to meet its obligations under the contract; and
terms that provide for automatic renewal without the customer's consent.
What does this mean for your business
Where a supplier's business model is directed at providing services to small to medium enterprises (SMEs) and the supplier has not had to address this issue in the past for "consumer" customers, it is likely to be impacted by this extension of the unfair contract terms regime. Standard form contracts (eg online terms of use, confidentiality agreements, software licences, support agreements, supply and/or services contracts) for SME customers should be reviewed to determine whether any of the terms may be considered "unfair".
If a court determines that a term is "unfair" it can make a range of orders, including declaring part or all of the contract void and/or varying the contract. If a court orders a contract to be varied, this may result in the supplier being unable to enforce other rights it may otherwise have, either under the contract itself or at law.
Additionally, customers which are small businesses may challenge contract terms that they consider are unfair in order to prevent a supplier from enforcing express rights under the contract. Such challenges will cost a supplier both time and money to address, even if it is able to successfully defend the claim. In addition, in this day of instant and free customer feedback on social media sites, there is also the risk of reputational damage in the market.
Suppliers should ensure their standard terms are appropriate for the type size and nature of both the target customer and the goods and services being provided with an appropriate balance of risk and responsibility between the parties
INSURTECH
By Carolyn Bigg, Of Counsel (Hong Kong) and Sarah Fountain, Senior Associate (Melbourne)
The customer experience of insurance has largely remained the same for many years. A customer completes a proposal form (normally in hard copy) and submits it to the broker; the broker requests quotes from insurers; insurers provide quotes; the broker places a policy; the policy is issued (normally on an annual basis); and then the customer probably gives no further thought to it unless he or she needs to make a claim. This process does not fit well with the digital era we now live in and has not adapted quickly enough to meet changing consumer expectations, largely driven by millennials.
Insurers widely recognise the need to innovate. Despite this, most insurers have been slow to change their ways, with less than a quarter giving customers the option to submit claims online. This signals huge opportunities for those in the insurance sector, which explains the huge growth we are seeing in 'insurtech' (a word that was barely known a few years ago but now seems to be everywhere). Globally, investment in insurtech increased from US$800 million in 2014 to US$2.6 billion in 2015, and was US$1 billion in the first half of 2016.
Across Asia Pacific there are numerous examples of insurers embracing insurtech. Some insurers have opened innovation labs or incubators, such as MetLife's LumenLabs in Singapore. Others have established corporate VC funds to invest in insurtech startups that will drive value for the business. For example, Suncorp recently invested in Trov, an app that allows customers to turn insurance on and off by swiping right or left on their phones. We have also seen collaboration between insurers and car manufacturers to make available one-click, single-use motor vehicle policies in connected cars, as well as collaboration between insurers and technology companies. Another indicator of the opportunities in insurtech is the level of interest shown in the insurance market by leading players in other markets. For example, earlier this year China Mobile announced it is planning to enter the insurance market by making significant investments in two insurance companies.
These initiatives are already starting to have an impact on the insurance experience. The use of drones by insurance companies to assess property damage is reducing claims costs and the time taken to assess claims. The implementation of wearable technology in the workplace, such as smart glasses and smart hats, is increasing workplace safety and thereby reducing the risk of injuries. The use of wearable devices has also been adopted by health insurers and life insurers, enabling them to capture data and potentially pass on lower premiums to policy holders. In the future we predict the most significant areas of growth and change in insurtech will be data analytics, wearables and IoT, blockchain and artificial intelligence.
Whilst regulators understandably adopt a cautious approach, they are taking steps to encourage fintech and insurtech initiatives. The Monetary Authority of Singapore very recently published guidelines for a 'regulatory sandbox' to encourage growth in fintech within a relaxed regulatory environment. This follows the announcement by the Australian Securities & Investments Commission of a sandbox for fintech businesses.
As the insurance sector becomes increasingly digitised, cybersecurity risks also increase. Regulators around the region have published new and updated guidance that is relevant to the increasingly sophisticated cybersecurity threats. It is important that insurers' compliance and risk teams focus not only on the immediate cybersecurity compliance obligations arising from the latest regulations, but also ensure that cybersecurity compliance programmes are developed to take into account increasing reliance on technology and data at the core of their operations.
As technology continues to evolve and improve, insurtech opportunities will increase. Although the rise of insurtech has been rapid in recent years, it is still in its infancy. This presents significant opportunities for insurers who adapt to changing consumer expectations and invest in insurtech, especially in Asia, where many people are uninsured but are well connected and spend a lot of time online via their mobile devices. Adapting quickly to this dynamic landscape will enable insurers to remain competitive.
In October 2016 the federal Government introduced the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill) to the House of Representatives to amend the Privacy Act to establish a regime for mandatory notification of eligible data breaches There is bipartisan support for the bill and it is likely to become law in late 2016 or early 2017
What are the mandatory data breach notification requirements under the bill
The Bill requires that an entity must as soon as practicable comply with the notification steps outlined below if
the entity becomes aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity or
the Information Commissioner directs the entity to do so
If an 'eligible data breach' occurs in relation to information which has been disclosed to (and is held by) an overseas recipient by an entity, the entity that disclosed the information must comply.
Step 1 Prepare a statement setting out the prescribed details
The affected entity must prepare a statement that sets out
the identity and contact details of the entity If the eligible data breach relates to more than one entity the statement may set out the identity and contact details of those other entities
a description of the eligible data breach
the kind or kinds of information affected by the eligible data breach and
recommendations about the steps that individuals who are or may be affected by the eligible data breach should take in response to it
If a statement is prepared at the direction of the Information Commissioner the statement must also include any information specified in that direction
Step 2 Give a copy of the prepared statement to the Information Commissioner
Step 3 Notify the contents of the statement to individuals whose information is affected by the eligible data breach
Where practicable, the affected entity must take reasonable steps to notify the contents of the statement to those individuals who are or may be affected by the eligible data breach. The entity may use the channels it ordinarily uses to communicate with individuals (eg email, text message, mail) to provide those notifications, but that does not limit the obligation to take reasonable steps or the methods of communication that the entity can use.
If it is not practicable for the affected entity to notify individuals the affected entity must publish a copy of the statement on its website (if any) and take reasonable steps to publicise the contents of the statement
PROPOSED AUSTRALIAN MANDATORY DATA BREACH NOTIFICATION REGIME
By Nicholas Boyle, Senior Associate (Sydney)
What are 'eligible data breaches'?
An 'eligible data breach' occurs when:
there is unauthorised access to, or unauthorised disclosure of, personal, credit reporting or credit eligibility information or a tax file number, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates; or
personal, credit reporting or credit eligibility information or a tax file number is lost, where it is likely that (a) unauthorised access to or unauthorised disclosure of the information will occur and (b) such unauthorised access or disclosure will result in serious harm to an individual to whom the information relates.
Remedial action exception to the definition of eligible data breaches
An eligible data breach is deemed never to have occurred where the affected entity
in the case of lost information takes action before there is unauthorised access to or unauthorised disclosure of information which is lost and no unauthorised access or disclosure actually occurs or
in the case of information which is the subject of unauthorised access or disclosure takes action before there is serious harm to any individual to whom the information relates and because of that action a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals
What is 'serious harm'?
'Serious harm' is to be interpreted broadly. The explanatory memorandum to the Bill states that 'serious harm' could include serious physical, psychological, emotional, economic and financial harm and serious harm to reputation.
The Bill contains a non-exhaustive list of matters to be considered in determining whether or not access to or disclosure of information is likely to result in "serious harm". These matters include:
the kind(s) and sensitivity of the information
whether the information is protected by one or more security measures and the likelihood of any of these measures being overcome
the persons or the kinds of persons who have obtained or who could obtain the information
the nature of the harm
Exceptions
There are a small number of circumstances in which entities are exempted from complying with the notification obligations
multiple affected entities Where the eligible data breach affects more than one entity and another entity has complied with the notification obligations those other affected entities do not need to separately comply
Enforcement related activities: Where the affected entity is an enforcement body and the body's CEO reasonably believes that complying with the notification obligations is likely to prejudice any of its enforcement related activities.
Inconsistency with a secrecy provision Where complying with the notification obligations is to any extent inconsistent with a provision of a law of the Commonwealth that prohibits or regulates the use or disclosure of information
Declaration by the Commissioner Where the Information Commissioner declares that the notification obligations do not apply or specifies a particular time by which the affected entity must comply with the notification obligations
Assessment of suspected eligible data breaches
If an entity has reasonable grounds to suspect an eligible data breach may have occurred but is not aware of reasonable grounds to believe that an eligible data breach has in fact occurred the entity must carry out a reasonable and prompt assessment to determine whether an eligible data breach has in fact occurred This could occur where an entity is notified of a breach by a third party
The entity must take reasonable steps to complete the assessment within 30 days after forming the suspicion
If the eligible data breach applies to more than one entity only one entity needs to undertake an assessment for all entities to comply with this requirement
After a third deliberation the Chinese government passed the new PRC cybersecurity law on 7 November 2016 The new law will come into force on 1 June 2017 and has significant implications for the data privacy and cybersecurity practices of both Chinese companies and international organisations doing business in China
The new PRC cybersecurity law intends to combat online fraud and protect China against internet security risks. In short, it imposes new security and data protection obligations on "network operators", puts restrictions on transfers of data outside China by "key information infrastructure operators", and introduces new restrictions on critical network and cybersecurity products.
The new law has been widely reported in both the local and international press. While Chinese officials maintain that China is not closing the door on foreign companies with the introduction of this new law, there has been widespread international unease since the first reading. Commentators have expressed concern that competition will be stifled, about the handover of intellectual property, source code and security keys to the Chinese government, about perceived increased surveillance and controls over the internet in China, and about the data localisation requirements. Other new obligations, including increased personal data protections, have been less controversial but are a clear indicator of the increased focus within the Chinese authorities on data protection and could signal a change to the data protection enforcement environment in China.
Some of the key provisions of the final law (which contains some changes to earlier drafts of the law) include (inter alia):
Chinese citizens' personal information and "important data" gathered and produced by "key information infrastructure operators" (KIIO) during operations in China must be kept within the borders of the PRC. If it is "necessary" for the KIIO to transfer such data outside of China, a security assessment must be conducted pursuant to the measures jointly formulated by the National Cyberspace Administration and State Council, unless other PRC laws permit the overseas transfer. While the final version of the law provides some guidance as to the industry fields that will be ascribed greater protection, such as public communications and information service, energy, transportation, water conservancy, finance, public service and e-government, the definition of KIIO remains vague and could potentially be interpreted to cover a broader range of companies and industry sectors. "Personal information" is defined as including all kinds of information recorded electronically or through other means that, taken alone or together with other information, is sufficient to identify a natural person's identity, including but not limited to natural persons' full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers and so forth. However, the types of information that might constitute "important data" are currently unclear. In any case, these data localisation rules are likely to create practical issues for international businesses operating in China.
A range of new obligations apply to organisations that are "network operators" (ie network owners, network administrators and network service providers). A "network" means any system comprising computers or other information terminals and related equipment for collection, storage, transmission, exchange and processing of information. Some commentators are suggesting that these broad definitions could catch any business that owns and operates IT networks or infrastructure, or even just websites, in China.
SIGNIFICANT CHANGES TO DATA AND CYBERSECURITY PRACTICES IN CHINA
By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong), and Paula Cao, Associate (Beijing)
In terms of data protection, network operators must make publicly available data privacy notices (explicitly stating the purposes, means and scope of personal information to be collected and used) and obtain individuals' consent when collecting, using and disclosing their personal information. Network operators must adopt technical measures to ensure the security of personal information against loss, destruction or leaks and, in the event of a data security breach, must take immediate remedial action and promptly notify users and the relevant authorities. They must also comply with principles of legality, propriety and necessity in their data handling and not be excessive, not provide an individual's personal information to others without the individual's consent, nor illegally sell an individual's personal data to others. The rules do not apply to truly anonymised data. There are also general obligations to keep user information confidential and to establish and maintain data protection systems. Data subject rights to correction of their data, as well as a right to request deletion of data in the event of a data breach, are also provided. While an earlier draft specifically provided protection to personal information of "citizens", the final law does not make this distinction and so seemingly offers broader protection to all personal information. These requirements formalise as binding legal obligations some data protection safeguards that were previously only perceived as best practice guidance in China.
As regards network security network operators must fulfil certain tiered security obligations according to the requirements of the classified protection system for cybersecurity which includes (amongst other things) formulating internal security management systems and operating instructions appointing dedicated cybersecurity personnel taking technological measures to prevent computer viruses and other similar threats and attacks and formulating plans to monitor and respond to network security incidents retaining network logs for at least six months undertaking prescribed data classification back up encryption and similar activities complying with national and mandatory security standards reporting incidents to users and the authorities and establishing complaints systems
Network operators must also provide technical support and assistance to state security bodies safeguarding national security and investigating crimes and will be subject to government and public supervision The form and extent of such cooperation is not currently clear and international businesses have expressed concerns over the extent to which this may require them to disclose their IP proprietary and confidential information to the Chinese authorities
More general conditions on network operators carrying out business and service activities include obeying all laws and regulations, mandatory and industry national standards, social norms and commercial ethics, being honest and credible, and bearing social responsibility. There are also requirements on network operators to block, delete and report to the authorities prohibited information and malicious programs published or installed by users.
Network operators handling "network access and domain registration services" for users, including mobile phone and instant message service providers, are required to comply with "real identity" rules when signing up or providing service confirmation to users, or else may not provide the service.
Additional security safeguards apply to KIIOs including security background checks on key managers staff training obligations disaster recovery back ups emergency response planning and annual inspections and assessments Further strict procurement procedures will apply to KIIOs buying network products and services
Providers of ldquonetwork products and servicesrdquo must comply with national and mandatory standards their products and services must not contain malicious programs must take remedial action against security issues and report them to users and relevant authorities and must provide security maintenance for their products and services which cannot be terminated within the contract term agreed with customers These new conditions will require providers of technology products and services to review and update their product and related maintenance offerings and in particular the contractual terms on which they are offered to customers
Critical network equipment and specialised cybersecurity products must obtain government certification or meet prescribed safety inspection requirements before being sold or provided. This potentially catches a wide range of software, hardware and other technologies being sold, or proposed to be sold, by international companies in China, since the definitions used in the law are drafted very broadly. Further guidance by way of a catalogue of key network products is expected in due course. There are concerns that this may create barriers to international businesses looking to enter the Chinese market.
Each individual and organisation shall be responsible for its own use of websites and may not set up websites or communication groups for the purpose of committing fraud imparting criminal methods producing or selling prohibited items or engaging in other unlawful activities Again there is scope for this to be interpreted and applied broadly
Institutions, organisations and individuals outside China that cause serious consequences by attacking, interfering with or destroying key information infrastructure of China shall be responsible for any damage, and the relevant public security department of the State Council may freeze assets and impose other sanctions against them. While these provisions would appear to have an extra-territorial effect and could be interpreted very broadly, it is unclear what sanctions could in practice be enforced against organisations without a presence in China.
Other new rules relate to networkonline protections for minors the establishment of schemes for network security monitoring early warning and breach notification to relevant authorities and the public as well as rights for individuals and organisations to report conduct endangering network security opening of public data resources and prohibitions on hacking and supporting activities
While criminal sanctions administrative penalties and civil liabilities potentially await those (both organisations and in some circumstances individual employees and officers) who violate the new law unfortunately great uncertainties remain as to how the new legislation will be enforced who exactly is caught by the various new rules and the precise steps that organisations must take to comply with them It is hoped that the Chinese authorities will publish more detailed practical guidance in the coming months In the meantime organisations are strongly advised to review their data privacy and cybersecurity practices in China to ensure compliance with the new law before it comes into force on 1 June 2017 and to keep these under review as further guidance becomes available
The China State Administration of Industry and Commerce's Online Advertising Regulation (Regulation) came into force on September 1, 2016. The Regulation has been widely regarded as the response to a recent scandal regarding paid search results.
Earlier this year a promising college student in China, Wei Ze Xi, sought cancer treatment at a hospital which was returned as a paid search result on an internet search engine. The hospital promised that the treatment would be effective and charged Wei US$30,000. The treatment was later found to be ineffective, but Wei could not then afford further
The changes
The newly amended Advertising Law did not expressly address the regulation of 'paid search results', but the new Regulation includes a specific definition of paid search results which sees them classified as an internet advertisement and thus subject to the Advertising Law. As such, the Regulation means, inter alia, that paid search results:
must not be misleading;
cannot be used in relation to the advertisement of prescription medication and tobacco products;
cannot be used in relation to the advertisement of medical services, medicine, medical formula food, medical devices, pesticides, veterinary medicines and health care products unless the relevant products and services have been previously approved by the relevant authorities; and
must be able to be closed with 'one click' and must not interfere with a user's internet experience.
The Regulation also requires online advertising service providers to establish internal systems for inter alia identifying clients who use paid search results and storing their details and advertisements
Practical implications
The new Regulation affects not only search engine providers but all online advertising businesses and users of paid search results
Businesses advertising in China using paid search results must check to ensure such paid search results are in compliance with the Advertising Law and those businesses operating in any of the restricted fields listed above must now ensure prior approval is sought before placing a paid search result advertisement
Our team of lawyers in China is ready to advise you on the preparations you need to make for the implementation of the Regulation
STRICTER PRC ONLINE ADvERTISING REGULATION IN RESPONSE TO SEARCH SCANDALBy edward Chatterton partner (hong Kong) horace lam partner (Beijing) ian Jebbit registered foreign lawyer (hong Kong)
wwwdlapipercom | 19
MOBILE APPS UNDER CLOSE WATCH OF THE HONG KONG PRIVACY COMMISSIONER
By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong)
The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps. On 21 April 2016 the Office of the Privacy Commissioner for Personal Data (the PCPD) held the 'Mobile App Development Forum on Privacy and Security' (Forum) for the mobile app industry, which discussed key issues for mobile app developers, businesses and stakeholders to consider when developing and operating mobile apps, in terms of ensuring compliance with the provisions of the Personal Data (Privacy) Ordinance and safeguarding users from cybersecurity risks.

Businesses operating in the mobile app industry and related stakeholders are advised to take note of the key points raised at the Forum, set out below, and the related issues that they should consider.
Lessons to learn from mobile apps in the market
The Privacy Commissioner highlighted the results of a recent survey on popular mobile apps developed by Hong Kong entities, which revealed a lack of transparency in the handling of personal data by the apps. The survey results revealed that most of these local apps did not explain clearly what data they would access and the purposes for such access, and that only around half of these mobile apps provided a privacy policy.

A key risk discussed at the Forum was that the drafter of a privacy policy may not have a complete understanding of what data is in fact collected, stored, used and/or shared by the app, for example where third party code is used in the app's development. Businesses using one privacy policy for all of their mobile apps, which may differ greatly in the way users' data are handled, also run the risk of having imprecise privacy policies for individual apps.

Security remains a key concern in relation to personal data collected and handled by mobile apps. It was revealed at the Forum that, alarmingly, some extremely popular mobile apps failed to apply adequate security to safeguard users' personal data.
Enforcement risks for mobile apps
At the Forum the Privacy Commissioner referred to enforcement actions that were taken against mobile apps recently, largely due to excessive data collection and inadequate security of personal data.

In recent years the Privacy Commissioner has served enforcement notices on operators of mobile apps as well as parties related to the app operators. As a result, the relevant companies have taken corrective actions, and in some instances the Privacy Commissioner's enforcement action attracted much media attention and some of these mobile apps are no longer available in the market.

However, there is a limit to the Privacy Commissioner's enforcement powers, as demonstrated by a high profile incident in November 2016 regarding call-blocking apps whose activities were suspected by the PCPD to contravene Hong Kong's data privacy law. As the apps' operators were located outside Hong Kong, the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow-up action.

It is most likely that the privacy compliance of mobile apps will continue to be under the close watch of the Privacy Commissioner in the coming months.
Privacy by Design
The Chief Personal Data Officer of the PCPD, Dr Henry Chang, highlighted the 'Privacy by Design' approach that businesses should adopt, which brings privacy to the foreground and embeds privacy from the outset into the design specifications and throughout the entire development life cycle of a mobile app. Set out below are key factors that should be considered.

Data minimisation – The collection of personal data should be reduced to the absolute minimum, especially where sensitive personal data is involved. An assessment of what data the business requires from users, in terms of access and collection, should be undertaken at the outset.

Surprise minimisation – Businesses should ensure there is transparency to users in terms of what data will be collected or accessed, and provide users with a choice to opt out from such access or use where possible. It is important for businesses to manage the expectations of users and eliminate or minimise any possible adverse effects of data collection and use.

Risk minimisation – Businesses must ensure adequate protection of data being transmitted and/or stored, for example through encryption and access control.

Trust and respect – To earn the trust and respect of users, it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects, even if it does not amount to personal data. This is key, as mobile devices contain a vast amount of personal data and other data that may be considered private, and users would be concerned about whether the mobile app accesses or collects any of this data.

In particular, businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users, rather than a compliance hurdle to avoid investigation or enforcement action by the Privacy Commissioner. Businesses should ensure the data collection and handling practices in respect of their mobile apps are not only compliant with the law, but that the privacy policies, privacy notifications and consents are sufficiently clear and transparent to gain the trust and respect of users.
SINGAPORE'S ENFORCEMENT OF DATA PROTECTION LAW ON THE RISE
By Scott Thiel, Partner, Carolyn Bigg, Of Counsel, and Amy Kong, Associate (Hong Kong)

Singapore's Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC has published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident, together with the Monetary Authority of Singapore (MAS), concerning a multinational bank. The PDPC has also recently announced the need for organisations to improve their data security and data protection measures, and has issued new guides, primarily focusing on data protection measures, which organisations should consider carefully.

Recent enforcement decisions

Some of the key points to note from the three recent enforcement decisions:

- A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.

- A document processing company was fined SGD 5,000 for a data breach after 195 individuals received account statements of other account holders held on the Singapore Exchange.

- A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (being the policy holder's chiropractor) in September 2015, in order to obtain further medical information about the policy holder. The PDPC found that the disclosure of the policy holder's bank account details, being of a sensitive financial nature, was not for a reasonable purpose.

It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of 'sensitive personal data' which requires additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.

As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were a result of inadequate data security measures which led to unauthorised disclosure of personal data.
Investigation on a multinational bank's data disposal incident

The PDPC and the MAS have joined forces in an investigation against a multinational bank (Bank) following a recent report relating to the Bank's disposal of client documents. In June 2016 it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank's headquarters in Singapore.

The MAS is working closely with the PDPC to review the incident and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers' data.

New guides issued by the PDPC

To accompany its recent media release urging organisations to improve their data security measures, and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, securing personal data in electronic medium, and building websites for small to medium enterprises.

The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding content on withdrawal of consent and access requests. Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing their data handling practices.

Some interesting issues to note

The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third party contracts. Such data protection clauses should contain specific security measures, a schedule containing the authorised personnel who are permitted to access the personal data on a 'need to know' basis, a requirement for a written undertaking about return or deletion of personal data, as well as a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.

The PDPC's guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper, depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).

This article was first published in August 2016. For further updates in relation to Singapore's data protection laws, please contact Scott Thiel (scott.thiel@dlapiper.com) or Carolyn Bigg (carolyn.bigg@dlapiper.com).
IPT INSIGHTS

AUSTRALIA – TRADE MARKS – CHANGES TO OFFICIAL FEES

The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees, some of which are to align with practices in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.

Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there will no longer be a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptance/registration, the new process will hopefully reduce the administrative burden on applicants somewhat.

In addition, the AU$150 fee for opposing a removal application will be abolished. Renewal fees will also increase slightly.

This is an adjustment to official fees only at this time, and DLA Piper Australia is not increasing its fees for the relevant attendances.

HONG KONG'S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD

Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong's Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees are using their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap. 486) (the Ordinance) and the Data Protection Principles (DPPs).

The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices depending on whether the organisation's data is stored on the personal devices themselves or within a 'sandbox'. The Commissioner has suggested as best practice that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance.

The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding use of personal data stored on the BYOD device, and whether adequate security measures are in place to ensure secure transfer and storage of personal data on the BYOD equipment (eg sandboxing, password protection and independent encryption).

The Information Leaflet also highlights that respect for personal data should be mutual under the BYOD scheme, and any practices implemented to manage employees' BYOD devices should respect the employees' private information.

For more information, the Information Leaflet is available here.

DLA Piper's Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more, please click here.

JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS

In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.

Where the supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, in order to seek a remedy (for example, damages) the supplier must follow the approach prescribed in the Bill. This is likely to be a two-step process. Firstly, the supplier must attempt to resolve the complaint with the procuring entity. Secondly, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.

The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year.
WHAT'S ON
Wrap-up: 5th Global Technology Summit

On September 27 and 28, DLA Piper's Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.

This year the Summit was divided into two distinct days of programming. The first day, 'Garage2Global', was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from 'garage to global'. The second day, 'TechLaw', provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.

Speaker Highlights

At 'Garage2Global', Alec Ross, Former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes from his new book The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world's largest networks, which powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates Inc.

Kicking off 'TechLaw', Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions, and how the legal department is viewed as a business partner. During the afternoon sessions, Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, to discuss the GC's role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world's largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.

Please visit our Summit website and blog for any further information.

DLA Piper is pleased to announce the launch of Telecommunications Laws of the World

Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.

Key features include:
- telecommunications laws, regulations and policies
- regulatory bodies or authorities
- overview of consents, licenses and authorisations
- regulatory taxes and fees
- key sanctions and penalties

Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-based stamping for trading transactions, robust, reliable and resilient networks are critical.

Today, telecommunications operators are increasingly seeking to expand customer-specific and value added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion. At the same time, the growth of OTT (over the top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators' infrastructure to provide services.

Access Telecommunications Laws of the World here.
Intellectual property webinar series

Throughout 2016 DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact eventsaustralia@dlapiper.com.
- intellectual property issues in China
- confidential information and trade secrets: global insights, global protection
- grey market, parallel importation and anti-counterfeiting
- content protection and digital piracy
- advertising and marketing

Pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide

We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.

Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:
- trademark filing and prosecution
- oppositions
- revocation, invalidation and cancellation
- trademark enforcement
- trademark exploitation
- unregistered trademark rights
- domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide, email APACTMGuide@dlapiper.com.

Are you an in-house lawyer? Join WIN today

WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.
DLA PIPER ASIA PACIFIC TRADEMARK GUIDE 2016
Pre-order your complimentary copy now

We are pleased to bring you the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.

Relevant for the complete brand life cycle, this user-friendly guide looks at such essential issues as:
- trademark filing and prosecution
- oppositions
- revocation, invalidation and cancellation
- trademark enforcement
- trademark exploitation
- unregistered trademark rights
- domain and company name disputes

To pre-order your copy of the inaugural edition of DLA Piper's Asia Pacific Trademark Guide, please complete this card or email us at APACTMGuide@dlapiper.com.
GLOBAL PATENT LAWS AROUND THE WORLD
COMING SOON

Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to businesses operating in the countries featured, for example what acts infringe a patent, the availability of and approach to granting preliminary injunctions, the ability to obtain evidence, the approach to assessing validity and the typical time to trial. For companies operating in multiple countries, managing the risk of, and successfully bringing or defending, patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those in other countries.

Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and procedural matters businesses need to know about. The handbook includes guidance on:
- infringing conduct
- defences to infringement
- before taking action
- patent validity
- taking action
- remedies
- procedure & timing

Benefits of Global Patent Laws: patent laws simply put, global reach, easy access 24/7.

DLA PIPER'S PATENT GROUP

With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.

For further information, please contact us by email at patents@dlapiper.com.
Digital transformation and the impact of insurance

Once an organisation has deployed robust technology defences, educated staff about the risks of cyber-attack and promulgated policies about how to react and respond to cyber events, it has laid important foundations for its protection.

Those people, process and technology foundations provide a platform from which the organisation is able to negotiate appropriate and cost effective cyber insurance.

By analysing the potential impact of an attack on the financial statement, the organisation can determine what coverage it requires.

Kevin Kalinich, Aon's global cyber practice leader, advises organisations to look at the industry in which they operate and benchmark the range of losses that could arise, knowing the value of data assets held and the impact of a cyber-attack in terms of business interruption, the impact on supply chains, on SCADA industrial control systems, and on reputation and brand.

The anticipated introduction of mandated data breach notification should spur action, and organisations with international operations need to ensure that they are properly protected in all the geographies in which they operate. Based on international experience, mandated breach notification leads to significant costs associated with legal services, regulator notification, customer notification, forensics, remediation and potentially compensation claims.

"Take steps to mitigate, to allocate liability or minimise your own liability. This is not all about prevention – it is about your response. If you have prepared a response, there is data that shows you can reduce the total cost of an incident," says Kalinich.

He also warns that organisations should not assume that their existing insurance policies provide any coverage in the event of a cyber-attack, nor that a third party information systems provider, such as a cloud computing vendor, would have them covered. Similarly, existing directors and officers policies and professional indemnity coverage might prove inadequate should a cyber-attack take place.

In order to properly analyse the risk profile, Kalinich advocates risk quantification modelling in combination with Monte Carlo evaluation techniques. The resulting macro level understanding of the challenge allows an organisation to then work with an insurance broker to craft appropriate risk coverage.

Off the shelf policies have limited value. Base cyber insurance policies can cover external hacks, malicious code and internal mistakes – but may not cover the impact of a bug in the system. Consequential – punitive, incidental – costs are excluded from all base insurance policies, as is tangible property damage, but can be negotiated in a customised policy.

Effective cyber insurance policies also cover costs associated with legal support, communications costs, forensic analysis, notification and remediation services.

Kalinich warns, however, that given the changes in the legal landscape and the technology terrain, this is not a set-and-forget requirement, noting that risk assessment needs to be both thorough and regular.

Armed with that insight, the organisation can work with an insurance broker to find, tailor and stress test a cyber insurance policy to ensure the effective reduction of enterprise risk.

Cyber risk: are you properly prepared?

There are four key questions that every organisation needs to address regarding cyber risk and protection:
- What can go wrong?
- How bad can it be?
- How am I protected?
- Will my insurance work?

Assessing the organisational risk profile requires input from multiple stakeholders, including the chief financial officer, chief information security officer, risk management head and legal counsel. External consultants can also provide a fresh lens through which to explore exposure.

Knowing the risk is one thing – dealing with it effectively also demands the support of the most senior management and board. Effective security requires a whole-organisation commitment from the top down.

The anticipated mandatory breach notification legislation will require organisations to alert authorities not only when they are aware of a breach but when those organisations "ought reasonably to have been aware", which suggests regulators may penalise companies found to have inadequate security systems. It is also not yet clear whether there will be any extra-territorial implications of the legislation for organisations operating overseas branches or subsidiaries.

Cyber security is a critical issue for organisations of every scale and in every sector. Robust and comprehensive security frameworks, a well-crafted response plan and effective cyber insurance, developed in concert and reviewed regularly, deliver the maximum protection and an important competitive edge.
UNFAIR CONTRACT TERMS IN THE IT SPACE
WHAT YOU NEED TO KNOWsarah dolan senior associate (melbourne) stephanie tran graduate (melbourne)
10 | Intellectual Property and Technology News
The lsquoone size fits allrsquo approach to contracting is a common feature within the IT industry Standard form contracts are an efficient and cost-effective method of doing business and are often used for online terms of use and projects which are of low risk value andor complexity
From 12 November 2016 the unfair contract terms regime in the Australian Consumer Law which until then only applied to individual consumers was extended to contracts where at least one party is a ldquosmall businessrdquo and the upfront price payable is $300000 (or $1 million if the contract is for a term longer than 12 months) A ldquosmall businessrdquo is a business that employs less than 20 people It will also apply to contracts which are varied after 12 November 2016
What is an "unfair" contract term?
Whether a term is "unfair" is decided by a court or tribunal. A term is "unfair" if the following three criteria are satisfied:
it causes a significant imbalance in the parties' rights and obligations under the contract;
it is not reasonably necessary to protect the legitimate interest of the party who would be advantaged by the term; and
it would cause detriment (whether financial or otherwise) to a party if the term were relied upon.
A court or tribunal, in determining whether a term is unfair, must assess the transparency of the term. This includes an assessment of how the term is expressed: is it in plain language, and is it presented clearly? The court or tribunal must also consider the term in light of the contract as a whole and not in isolation.
Unfair terms in standard form contracts
Examples of standard form contract terms that may be challenged in court or at a tribunal for "unfairness" include:
terms requiring the customer to indemnify the supplier for any damage caused, even if it is caused by the supplier's own negligence;
terms that allow a supplier to cancel a contract at will for an inconsequential breach of contract by the customer;
terms that restrict a customer from obtaining a refund or exercising a termination right where the supplier has failed to meet its obligations under the contract; and
terms that provide for automatic renewal without the customer's consent.
What does this mean for your business?
Where a supplier's business model is directed at providing services to small to medium enterprises (SMEs), and the supplier has not had to address this issue in the past for "consumer" customers, it is likely to be impacted by this extension of the unfair contract terms regime. Standard form contracts (eg online terms of use, confidentiality agreements, software licences, support agreements, supply and/or services contracts) for SME customers should be reviewed to determine whether any of the terms may be considered "unfair".
If a court determines that a term is "unfair", it can make a range of orders, including declaring part or all of the contract void and/or varying the contract. If a court orders a contract to be varied, this may result in the supplier being unable to enforce other rights it may otherwise have, either under the contract itself or at law.
Additionally, customers which are small businesses may challenge contract terms that they consider are unfair in order to prevent a supplier from enforcing express rights under the contract. Such challenges will cost a supplier both time and money to address, even if it is able to successfully defend the claim. In addition, in this day of instant and free customer feedback on social media sites, there is also the risk of reputational damage in the market.
Suppliers should ensure their standard terms are appropriate for the type, size and nature of both the target customer and the goods and services being provided, with an appropriate balance of risk and responsibility between the parties.
INSURTECH
By Carolyn Bigg, Of Counsel (Hong Kong) and Sarah Fountain, Senior Associate (Melbourne)
The customer experience of insurance has largely remained the same for many years. A customer completes a proposal form (normally in hard copy) and submits it to the broker; the broker requests quotes from insurers; insurers provide quotes; the broker places a policy; the policy is issued (normally on an annual basis); and then the customer probably gives no further thought to it unless he or she needs to make a claim. This process does not fit well with the digital era we now live in and has not adapted quickly enough to meet changing consumer expectations, largely driven by millennials.
Insurers widely recognise the need to innovate. Despite this, most insurers have been slow to change their ways, with less than a quarter giving customers the option to submit claims online. This signals huge opportunities for those in the insurance sector, which explains the huge growth we are seeing in 'insurtech' (a word that was barely known a few years ago but now seems to be everywhere). Globally, investment in insurtech increased from US$800 million in 2014 to US$2.6 billion in 2015, and was US$1 billion in the first half of 2016.
Across Asia Pacific there are numerous examples of insurers embracing insurtech. Some insurers have opened innovation labs or incubators, such as Metlife's LumenLabs in Singapore. Others have established corporate VC funds to invest in insurtech startups that will drive value for the business. For example, Suncorp recently invested in Trov, an app that allows customers to turn insurance on and off by swiping right or left on their phones. We have also seen collaboration between insurers and car manufacturers to make available one-click, single-use motor vehicle policies in connected cars, as well as collaboration between insurers and technology companies. Another indicator of the opportunities in insurtech is the level of interest shown in the insurance market by leading players in other markets. For example, earlier this year China Mobile announced it is planning to enter the insurance market by making significant investments in two insurance companies.
These initiatives are already starting to have an impact on the insurance experience. The use of drones by insurance companies to assess property damage is reducing claims costs and the time taken to assess claims. The implementation of wearable technology in the workplace, such as smart glasses and smart hats, is increasing workplace safety and thereby reducing the risk of injuries. The use of wearable devices has also been adopted by health insurers and life insurers, enabling them to capture data and potentially pass on lower premiums to policy holders. In the future, we predict the most significant areas of growth and change in insurtech will be data analytics, wearables and IoT, blockchain and artificial intelligence.
Whilst regulators understandably adopt a cautious approach, they are taking steps to encourage fintech and insurtech initiatives. The Monetary Authority of Singapore very recently published guidelines for a 'regulatory sandbox' to encourage growth in fintech within a relaxed regulatory environment. This follows the announcement by the Australian Securities & Investments Commission of a sandbox for fintech businesses.
As the insurance sector becomes increasingly digitised, cybersecurity risks also increase. Regulators around the region have published new and updated guidance that is relevant to the increasingly sophisticated cybersecurity threats. It is important that insurers' compliance and risk teams focus not only on the immediate cybersecurity compliance obligations arising from the latest regulations, but also ensure that cybersecurity compliance programmes are developed to take into account the increasing reliance on technology and data at the core of their operations.
As technology continues to evolve and improve, insurtech opportunities will increase. Although the rise of insurtech has been rapid in recent years, it is still in its infancy. This presents significant opportunities for insurers who adapt to changing consumer expectations and invest in insurtech, especially in Asia, where many people are uninsured but are well connected and spend a lot of time online via their mobile devices. Adapting quickly to this dynamic landscape will enable insurers to remain competitive.
PROPOSED AUSTRALIAN MANDATORY DATA BREACH NOTIFICATION REGIME
By Nicholas Boyle, Senior Associate (Sydney)
In October 2016, the federal Government introduced the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill) to the House of Representatives to amend the Privacy Act to establish a regime for mandatory notification of eligible data breaches. There is bipartisan support for the Bill and it is likely to become law in late 2016 or early 2017.
What are the mandatory data breach notification requirements under the Bill?
The Bill requires that an entity must, as soon as practicable, comply with the notification steps outlined below if:
the entity becomes aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity; or
the Information Commissioner directs the entity to do so.
If an 'eligible data breach' occurs in relation to information which has been disclosed to (and is held by) an overseas recipient by an entity, the entity that disclosed the information must comply.
Step 1: Prepare a statement setting out the prescribed details
The affected entity must prepare a statement that sets out:
the identity and contact details of the entity (if the eligible data breach relates to more than one entity, the statement may set out the identity and contact details of those other entities);
a description of the eligible data breach;
the kind or kinds of information affected by the eligible data breach; and
recommendations about the steps that individuals who are or may be affected by the eligible data breach should take in response to it.
If a statement is prepared at the direction of the Information Commissioner, the statement must also include any information specified in that direction.
Step 2: Give a copy of the prepared statement to the Information Commissioner
Step 3: Notify the contents of the statement to individuals whose information is affected by the eligible data breach
Where practicable, the affected entity must take reasonable steps to notify the contents of the statement to those individuals who are or may be affected by the eligible data breach. The entity may use the channels it ordinarily uses to communicate with individuals (eg email, text message, mail) to provide those notifications, but that does not limit the obligation to take reasonable steps or the methods of communication that the entity can use.
If it is not practicable for the affected entity to notify individuals, the affected entity must publish a copy of the statement on its website (if any) and take reasonable steps to publicise the contents of the statement.
What are 'eligible data breaches'?
An 'eligible data breach' occurs when:
there is unauthorised access to, or unauthorised disclosure of, personal, credit reporting or credit eligibility information or a tax file number, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates; or
personal, credit reporting or credit eligibility information or a tax file number is lost, where it is likely that (a) unauthorised access to or unauthorised disclosure of the information will occur, and (b) such unauthorised access or disclosure will result in serious harm to an individual to whom the information relates.
Remedial action exception to the definition of eligible data breaches
An eligible data breach is deemed never to have occurred where the affected entity:
in the case of lost information, takes action before there is unauthorised access to or unauthorised disclosure of the information which is lost, and no unauthorised access or disclosure actually occurs; or
in the case of information which is the subject of unauthorised access or disclosure, takes action before there is serious harm to any individual to whom the information relates, and because of that action a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals.
What is 'serious harm'?
'Serious harm' is to be interpreted broadly. The explanatory memorandum to the Bill states that 'serious harm' could include serious physical, psychological, emotional, economic and financial harm, and serious harm to reputation.
The Bill contains a non-exhaustive list of matters to be considered in determining whether or not access to or disclosure of information is likely to result in "serious harm". These matters include:
the kind(s) and sensitivity of the information;
whether the information is protected by one or more security measures, and the likelihood of any of these measures being overcome;
the persons, or the kinds of persons, who have obtained or who could obtain the information; and
the nature of the harm.
Exceptions
There are a small number of circumstances in which entities are exempted from complying with the notification obligations:
Multiple affected entities: where the eligible data breach affects more than one entity and another entity has complied with the notification obligations, those other affected entities do not need to separately comply.
Enforcement related activities: where the affected entity is an enforcement body and the body's CEO reasonably believes that complying with the notification obligations is likely to prejudice any of its enforcement related activities.
Inconsistency with a secrecy provision: where complying with the notification obligations is to any extent inconsistent with a provision of a law of the Commonwealth that prohibits or regulates the use or disclosure of information.
Declaration by the Commissioner: where the Information Commissioner declares that the notification obligations do not apply, or specifies a particular time by which the affected entity must comply with the notification obligations.
Assessment of suspected eligible data breaches
If an entity has reasonable grounds to suspect that an eligible data breach may have occurred, but is not aware of reasonable grounds to believe that an eligible data breach has in fact occurred, the entity must carry out a reasonable and prompt assessment to determine whether an eligible data breach has in fact occurred. This could occur where an entity is notified of a breach by a third party.
The entity must take reasonable steps to complete the assessment within 30 days after forming the suspicion.
If the eligible data breach applies to more than one entity, only one entity needs to undertake an assessment for all entities to comply with this requirement.
SIGNIFICANT CHANGES TO DATA AND CYBERSECURITY PRACTICES IN CHINA
By Scott Thiel, Partner and Carolyn Bigg, Of Counsel (Hong Kong) and Paula Cao, Associate (Beijing)
After a third deliberation, the Chinese government passed the new PRC cybersecurity law on 7 November 2016. The new law will come into force on 1 June 2017 and has significant implications for the data privacy and cybersecurity practices of both Chinese companies and international organisations doing business in China.
The new PRC cybersecurity law intends to combat online fraud and protect China against internet security risks. In short, it imposes new security and data protection obligations on "network operators", puts restrictions on transfers of data outside China by "key information infrastructure operators", and introduces new restrictions on critical network and cybersecurity products.
The new law has been widely reported in both the local and international press. While Chinese officials maintain that China is not closing the door on foreign companies with the introduction of this new law, there has been widespread international unease since the first reading. Commentators have expressed concern that competition will be stifled, regarding the handover of intellectual property, source codes and security keys to the Chinese government, as to perceived increased surveillance and controls over the internet in China, and in relation to the data localisation requirements. Other new obligations, including increased personal data protections, have been less controversial, but are a clear indicator of the increased focus within the Chinese authorities on data protection and could signal a change to the data protection enforcement environment in China.
Some of the key provisions of the final law (which contains some changes to earlier drafts of the law) include (inter alia):
Chinese citizens' personal information and "important data" gathered and produced by "key information infrastructure operators" (KIIOs) during operations in China must be kept within the borders of the PRC. If it is "necessary" for the KIIO to transfer such data outside of China, a security assessment must be conducted pursuant to the measures jointly formulated by the National Cyberspace Administration and State Council, unless other PRC laws permit the overseas transfer. While the final version of the law provides some guidance as to the industry fields that will be ascribed greater protection, such as public communications and information service, energy, transportation, water conservancy, finance, public service and e-government, the definition of KIIO remains vague and could potentially be interpreted to cover a broader range of companies and industry sectors. "Personal information" is defined as including all kinds of information, recorded electronically or through other means, that taken alone or together with other information is sufficient to identify a natural person's identity, including but not limited to natural persons' full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers and so forth. However, the types of information that might constitute "important data" are currently unclear. In any case, these data localisation rules are likely to create practical issues for international businesses operating in China.
A range of new obligations apply to organisations that are "network operators" (ie network owners, network administrators and network service providers). A "network" means any system comprising computers or other information terminals and related equipment for the collection, storage, transmission, exchange and processing of information. Some commentators are suggesting that these broad definitions could catch any business that owns and operates IT networks/infrastructure, or even just websites, in China.
In terms of data protection, network operators must make publicly available data privacy notices (explicitly stating the purposes, means and scope of personal information to be collected and used) and obtain individuals' consent when collecting, using and disclosing their personal information. Network operators must adopt technical measures to ensure the security of personal information against loss, destruction or leaks, and in the event of a data security breach must take immediate remedial action and promptly notify users and the relevant authorities. They must also comply with principles of legality, propriety and necessity in their data handling and not be excessive, must not provide an individual's personal information to others without the individual's consent, and must not illegally sell an individual's personal data to others. The rules do not apply to truly anonymised data. There are also general obligations to keep user information confidential and to establish and maintain data protection systems. Data subject rights to correction of their data, as well as a right to request deletion of data in the event of a data breach, are also provided. While an earlier draft specifically provided protection to personal information of "citizens", the final law does not make this distinction and so seemingly offers a broader protection to all personal information. These requirements formalise as binding legal obligations some data protection safeguards that were previously only perceived as best practice guidance in China.
As regards network security, network operators must fulfil certain tiered security obligations according to the requirements of the classified protection system for cybersecurity, which includes (amongst other things): formulating internal security management systems and operating instructions; appointing dedicated cybersecurity personnel; taking technological measures to prevent computer viruses and other similar threats and attacks, and formulating plans to monitor and respond to network security incidents; retaining network logs for at least six months; undertaking prescribed data classification, back up, encryption and similar activities; complying with national and mandatory security standards; reporting incidents to users and the authorities; and establishing complaints systems.
Network operators must also provide technical support and assistance to state security bodies safeguarding national security and investigating crimes, and will be subject to government and public supervision. The form and extent of such cooperation is not currently clear, and international businesses have expressed concerns over the extent to which this may require them to disclose their IP, proprietary and confidential information to the Chinese authorities.
More general conditions on network operators carrying out business and service activities include obeying all laws and regulations, mandatory and industry national standards, social norms and commercial ethics, being honest and credible, and bearing social responsibility. There are also requirements on network operators to block, delete and report to the authorities prohibited information and malicious programs published or installed by users.
Network operators handling "network access and domain registration services" for users, including mobile phone and instant message service providers, are required to comply with "real identity" rules when signing up or providing service confirmation to users, or else may not provide the service.
Additional security safeguards apply to KIIOs, including security background checks on key managers, staff training obligations, disaster recovery back ups, emergency response planning, and annual inspections and assessments. Further, strict procurement procedures will apply to KIIOs buying network products and services.
Providers of "network products and services" must comply with national and mandatory standards; their products and services must not contain malicious programs; they must take remedial action against security issues and report them to users and relevant authorities; and they must provide security maintenance for their products and services, which cannot be terminated within the contract term agreed with customers. These new conditions will require providers of technology products and services to review and update their product and related maintenance offerings, and in particular the contractual terms on which they are offered to customers.
Critical network equipment and specialised cybersecurity products must obtain government certification or meet prescribed safety inspection requirements before being sold or provided. This potentially catches a wide range of software, hardware and other technologies being sold – or proposed to be sold – by international companies in China, since the definitions used in the law are drafted very broadly. Further guidance, by way of a catalogue of key network products, is expected in due course. There are concerns that this may create barriers to international businesses looking to enter the Chinese market.
Each individual and organisation shall be responsible for its own use of websites and may not set up websites or communication groups for the purpose of committing fraud, imparting criminal methods, producing or selling prohibited items, or engaging in other unlawful activities. Again, there is scope for this to be interpreted and applied broadly.
Institutions, organisations and individuals outside China that cause serious consequences by attacking, interfering with or destroying key information infrastructure of China shall be responsible for any damage, and the relevant public security department of the State Council may freeze assets and impose other sanctions against them. While these provisions would appear to have an extra-territorial effect and could be interpreted very broadly, it is unclear what sanctions could in practice be enforced against organisations without a presence in China.
Other new rules relate to network/online protections for minors; the establishment of schemes for network security monitoring, early warning and breach notification to relevant authorities and the public; rights for individuals and organisations to report conduct endangering network security; the opening of public data resources; and prohibitions on hacking and supporting activities.
While criminal sanctions, administrative penalties and civil liabilities potentially await those (both organisations and, in some circumstances, individual employees and officers) who violate the new law, unfortunately great uncertainties remain as to how the new legislation will be enforced, who exactly is caught by the various new rules, and the precise steps that organisations must take to comply with them. It is hoped that the Chinese authorities will publish more detailed practical guidance in the coming months. In the meantime, organisations are strongly advised to review their data privacy and cybersecurity practices in China to ensure compliance with the new law before it comes into force on 1 June 2017, and to keep these under review as further guidance becomes available.
STRICTER PRC ONLINE ADVERTISING REGULATION IN RESPONSE TO SEARCH SCANDAL
By Edward Chatterton, Partner (Hong Kong), Horace Lam, Partner (Beijing) and Ian Jebbit, Registered Foreign Lawyer (Hong Kong)
The China State Administration of Industry and Commerce's Online Advertising Regulation (Regulation) came into force on September 1, 2016. The Regulation has been widely regarded as the response to a recent scandal regarding paid search results.
Earlier this year, a promising college student in China, Wei Ze Xi, sought cancer treatment at a hospital which was returned as a paid search result on an internet search engine. The hospital promised that the treatment would be effective and charged Wei US$30,000. The treatment was later found to be ineffective, but Wei could not then afford further
The changes
The newly amended Advertising Law did not expressly address the regulation of 'paid search results', but the new Regulation includes a specific definition of paid search results which sees them classified as an internet advertisement and thus subject to the Advertising Law. As such, the Regulation means, inter alia, that paid search results:
must not be misleading;
cannot be used in relation to the advertisement of prescription medication and tobacco products;
cannot be used in relation to the advertisement of medical services, medicine, medical formula food, medical devices, pesticides, veterinary medicines and health care products unless the relevant products and services have been previously approved by the relevant authorities; and
must be able to be closed with 'one click' and must not interfere with a user's internet experience.
The Regulation also requires online advertising service providers to establish internal systems for, inter alia, identifying clients who use paid search results and storing their details and advertisements.
Practical implications
The new Regulation affects not only search engine providers but all online advertising businesses and users of paid search results.
Businesses advertising in China using paid search results must check to ensure such paid search results are in compliance with the Advertising Law, and those businesses operating in any of the restricted fields listed above must now ensure prior approval is sought before placing a paid search result advertisement.
Our team of lawyers in China is ready to advise you on the preparations you need to make for the implementation of the Regulation.
MOBILE APPS UNDER CLOSE WATCH OF THE HONG KONG PRIVACY COMMISSIONER
By Scott Thiel, Partner and Carolyn Bigg, Of Counsel (Hong Kong)
The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps. On 21 April 2016, the Office of the Privacy Commissioner for Personal Data (the PCPD) held the 'Mobile App Development Forum on Privacy and Security' (Forum) for the mobile app industry, which discussed key issues for mobile app developers, businesses and stakeholders to consider when developing and operating mobile apps, in terms of ensuring compliance with the provisions of the Personal Data (Privacy) Ordinance and safeguarding users from cybersecurity risks.
Businesses operating in the mobile app industry and related stakeholders are advised to take note of the below key points raised at the Forum and the related issues that they should consider.
Lessons to learn from mobile apps in the market
The Privacy Commissioner highlighted the results of a recent survey on popular mobile apps developed by Hong Kong entities, which revealed a lack of transparency in the personal data handling of the apps. The survey results revealed that most of these local apps did not explain clearly what data they would access and the purposes for such access, and that only around half of these mobile apps provided a privacy policy.
A key risk discussed at the Forum was that the drafter of the privacy policies may not have a complete understanding of what data is in fact collected, stored, used and/or shared by the app, for example where third party code is used in the app development. Businesses using one privacy policy for all of their mobile apps, where those apps differ greatly in the way users' data are handled, also run the risk of having imprecise privacy policies for individual apps.
Security remains a key concern in relation to personal data collected and handled by mobile apps. It was revealed at the Forum that, alarmingly, some extremely popular mobile apps failed to apply adequate security to safeguard users' personal data.
Enforcement risks for mobile apps
At the Forum, the Privacy Commissioner referred to enforcement actions that were taken against mobile apps recently, largely due to excessive data collection and inadequate security of personal data.
In recent years, the Privacy Commissioner has served enforcement notices on operators of mobile apps as well as related parties to the app operators. As a result, the relevant companies have taken corrective actions, and in some instances the Privacy Commissioner's enforcement action attracted much media attention, and some of these mobile apps are no longer available in the market.
However, there is a limit to the Privacy Commissioner's enforcement powers, as demonstrated by a high profile incident in November 2016 regarding call-blocking apps whose activities were suspected by the PCPD to contravene Hong Kong's data privacy law. As the apps' operators were located outside Hong Kong, the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow up action.
It is most likely that the privacy compliance of mobile apps will continue to be under the close watch of the Privacy Commissioner in the coming months.
Privacy by Design
The Chief Personal Data Officer of the PCPD Dr Henry Chang highlighted the lsquoPrivacy by Designrsquo approach that business should adopt which brings privacy to the foreground and embeds privacy from the outset into the design specifications and throughout the entire development life cycle of a mobile app Set out below are key factors that should be considered
Data minimisation ndash The collection of personal data should be reduced to the absolute minimum especially where sensitive personal data is involved An assessment of what data the business requires from users in terms of access and collection should be undertaken at the outset
Surprise minimisation ndash Businesses should ensure there is transparency to users in terms of what data will be collected or accessed and provide users with a choice to opt-out from such access or use where possible It is important for businesses to manage the expectations of users and eliminate or minimise any possible adverse effects of data collection and use
Risk minimisation ndash Businesses must ensure adequate protection of data being transmitted andor stored for example through encryption and access control
Trust and respect ndash To earn the trust and respect of users it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects even if they do not amount to personal data This is key as mobile devices contain a vast amount of personal data and other data that may be considered private and users would be concerned about whether the mobile app accesses or collects any of this data
In particular businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users rather than a compliance hurdle to avoid investigation or enforcement action by the Privacy Commissioner Businesses should ensure the data collection and handling practices in respect of their mobile apps are not only compliant with the law but that the privacy policies and privacy notifications and consents are sufficiently clear and transparent to gain the trust and respect of users
www.dlapiper.com | 21
SINGAPORE'S ENFORCEMENT OF DATA PROTECTION LAW ON THE RISE
By Scott Thiel, Partner, Carolyn Bigg, Of Counsel, and Amy Kong, Associate (Hong Kong)
Singapore's Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident with the Monetary Authority of Singapore (MAS) concerning a multinational bank. The PDPC has also recently announced the need for organisations to improve their data security and data protection measures, and has issued new guides, primarily focusing on data protection measures, which organisations should consider carefully.
Recent enforcement decisions
Some of the key points to note from the three recent enforcement decisions:
A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.
A document processing company was fined SGD 5,000 for a data breach after 195 individuals received account statements of other account holders held on the Singapore Exchange.
A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (the policy holder's chiropractor) in September 2015, in order to obtain further medical information about the policy holder. The PDPC found that the disclosure of the policy holder's bank account details, being of a sensitive financial nature, was not for a reasonable purpose.
It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of 'sensitive personal data' requiring additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.
As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were a result of inadequate data security measures which led to unauthorised disclosure of personal data.
22 | Intellectual Property and Technology News
Investigation on a multinational bank's data disposal incident
The PDPC and the MAS have joined forces in an investigation against a multinational bank (Bank) following a recent report relating to the Bank's disposal of client documents. In June 2016 it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank's headquarters in Singapore.
The MAS is working closely with the PDPC to review the incident, and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers' data.
New guides issued by the PDPC
To accompany its recent media release urging organisations to improve their data security measures, and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, securing personal data in electronic medium, and building websites for small to medium enterprises.
The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding content on withdrawal of consent and access requests. Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing their data handling practices.
Some interesting issues to note
The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third party contracts. Such data protection clauses should contain specific security measures; a schedule listing the authorised personnel who are permitted to access the personal data on a 'need to know' basis; a requirement for a written undertaking about return or deletion of personal data; and a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.
The PDPC's guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).
This article was first published in August 2016. For further updates in relation to Singapore's data protection laws, please contact Scott Thiel (scott.thiel@dlapiper.com) or Carolyn Bigg (carolyn.bigg@dlapiper.com).
AUSTRALIA – TRADE MARKS – CHANGES TO OFFICIAL FEES
The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees, some of which are to align with practices in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.
Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there will no longer be a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptance/registration, the new process will hopefully reduce the administrative burden on applicants somewhat.
In addition, the AU$150 fee for opposing a removal application will be abolished. Renewal fees will also increase slightly.
This is an adjustment to official fees only at this time, and DLA Piper Australia is not increasing its fees for the relevant attendances.
HONG KONG'S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD
Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong's Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees use their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap 486) (the Ordinance) and the Data Protection Principles (DPPs).
The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices depending on whether the organisation's data is stored on the personal devices themselves or within a 'sandbox'. The Commissioner has suggested as best practice that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance.
The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding use of personal data stored in the BYOD device, and whether adequate security measures are in place to ensure secure transfer and storage of personal data in the BYOD equipment (eg sandboxing, password protection and independent encryption).
The Information Leaflet also highlights that respect for personal data should be mutual under the BYOD scheme, and any practices implemented to manage employees' BYOD devices should respect the employees' private information.
For more information, the Information Leaflet is available here.
DLA Piper's Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more, please click here.
JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS
In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.
Where the supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, in order to seek a remedy (for example, damages) the supplier must follow the approach prescribed in the Bill. This is likely to be a two-step process. Firstly, the supplier must attempt to resolve the complaint with the procuring entity. Secondly, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.
The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year.
IPT INSIGHTS
WHAT'S ON
Wrap-up: 5th Global Technology Summit
On September 27 and 28, DLA Piper's Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.
This year the Summit was divided into two distinct days of programming. The first day, called 'Garage2Global', was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from 'garage to global'. The second day, entitled 'TechLaw', provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.
Speaker Highlights
At 'Garage2Global', Alec Ross, former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day, Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world's largest networks, which powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates Inc.
Kicking off 'TechLaw', Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions, and how the legal department is viewed as a business partner. During the afternoon sessions, Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, to discuss the GC's role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world's largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.
Please visit our Summit website and blog for any further information.
DLA Piper is pleased to announce the launch of Telecommunications Laws of the World
Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.
Key features include:
telecommunications laws, regulations and policies
regulatory bodies or authorities
overview of consents, licenses and authorisations
regulatory taxes and fees
key sanctions and penalties
Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-based stamping for trading transactions, robust, reliable and resilient networks are critical.
Today, telecommunications operators are increasingly seeking to expand customer-specific and value-added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion. At the same time, the growth of OTT (over the top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators' infrastructure to provide services.
Access Telecommunications Laws of the World here.
Intellectual property webinar series
Throughout 2016 DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact events.australia@dlapiper.com.
intellectual property issues in China
confidential information and trade secrets: global insights, global protection
grey market, parallel importation and anti-counterfeiting
content protection and digital piracy
advertising and marketing
Pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide
We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.
Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:
trademark filing and prosecution
oppositions
revocation, invalidation and cancellation
trademark enforcement
trademark exploitation
unregistered trademark rights
domain and company name disputes
To pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide, email APACTMGuide@dlapiper.com.
Are you an in-house lawyer? Join WIN today
WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.
GLOBAL PATENT LAWS AROUND THE WORLD
COMING SOON
Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to businesses operating in the countries featured: for example, what acts infringe a patent, the availability of and approach to granting preliminary injunctions, the ability to obtain evidence, the approach to assessing validity, and the typical time to trial. For companies operating in multiple countries, managing the risk of, and successfully bringing or defending, patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those in other countries.
Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and the procedural matters businesses need to know about. The handbook includes guidance on:
infringing conduct
defences to infringement
before taking action
patent validity
taking action
remedies
procedure & timing
Benefits of Global Patent Laws
Patent laws simply put. Global reach. Easy access 24/7.
DLA PIPER'S PATENT GROUP
With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.
For further information, please contact us by email at patents@dlapiper.com.
UNFAIR CONTRACT TERMS IN THE IT SPACE
WHAT YOU NEED TO KNOW
Sarah Dolan, Senior Associate (Melbourne), and Stephanie Tran, Graduate (Melbourne)
The 'one size fits all' approach to contracting is a common feature within the IT industry. Standard form contracts are an efficient and cost-effective method of doing business, and are often used for online terms of use and projects which are of low risk, value and/or complexity.
From 12 November 2016, the unfair contract terms regime in the Australian Consumer Law, which until then only applied to individual consumers, was extended to contracts where at least one party is a "small business" and the upfront price payable is $300,000 (or $1 million if the contract is for a term longer than 12 months). A "small business" is a business that employs fewer than 20 people. The regime will also apply to contracts which are varied after 12 November 2016.
What is an "unfair" contract term?
Whether a term is "unfair" is decided by a court or tribunal. A term is "unfair" if the following three criteria are satisfied:
it causes a significant imbalance in the parties' rights and obligations under the contract;
it is not reasonably necessary to protect the legitimate interest of the party who would be advantaged by the term; and
it would cause detriment (whether financial or otherwise) to a party if the term were relied upon.
A court or tribunal, in determining whether a term is unfair, must assess the transparency of the term. This includes an assessment of how the term is expressed: is it in plain language, and is it presented clearly? The court or tribunal must also consider the term in light of the contract as a whole, and not in isolation.
Unfair terms in standard form contracts
Examples of standard form contract terms that may be challenged in court or at a tribunal for "unfairness" include:
terms requiring the customer to indemnify the supplier for any damage caused, even if it is caused by the supplier's own negligence;
terms that allow a supplier to cancel a contract at will for an inconsequential breach of contract by the customer;
terms that restrict a customer from obtaining a refund or exercising a termination right where the supplier has failed to meet its obligations under the contract; and
terms that provide for automatic renewal without the customer's consent.
What does this mean for your business?
Where a supplier's business model is directed at providing services to small to medium enterprises (SMEs), and the supplier has not had to address this issue in the past for "consumer" customers, it is likely to be impacted by this extension of the unfair contract terms regime. Standard form contracts (eg online terms of use, confidentiality agreements, software licences, support agreements, supply and/or services contracts) for SME customers should be reviewed to determine whether any of the terms may be considered "unfair".
If a court determines that a term is "unfair", it can make a range of orders, including declaring part or all of the contract void and/or varying the contract. If a court orders a contract to be varied, this may result in the supplier being unable to enforce other rights it may otherwise have, either under the contract itself or at law.
Additionally, customers which are small businesses may challenge contract terms that they consider are unfair, to prevent a supplier from enforcing express rights under the contract. Such challenges will cost a supplier both time and money to address, even if it is able to successfully defend the claim. In addition, in this day of instant and free customer feedback on social media sites, there is also the risk of reputational damage in the market.
Suppliers should ensure their standard terms are appropriate for the type, size and nature of both the target customer and the goods and services being provided, with an appropriate balance of risk and responsibility between the parties.
INSURTECH
Carolyn Bigg, Of Counsel (Hong Kong), and Sarah Fountain, Senior Associate (Melbourne)
The customer experience of insurance has largely remained the same for many years. A customer completes a proposal form (normally in hard copy) and submits it to the broker; the broker requests quotes from insurers; insurers provide quotes; the broker places a policy; the policy is issued (normally on an annual basis); and then the customer probably gives no further thought to it unless he or she needs to make a claim. This process does not fit well with the digital era we now live in, and has not adapted quickly enough to meet changing consumer expectations, largely driven by millennials.
Insurers widely recognise the need to innovate. Despite this, most insurers have been slow to change their ways, with less than a quarter giving customers the option to submit claims online. This signals huge opportunities for those in the insurance sector, which explains the huge growth we are seeing in 'insurtech' (a word that was barely known a few years ago but now seems to be everywhere). Globally, investment in insurtech increased from US$800 million in 2014 to US$2.6 billion in 2015, and was US$1 billion in the first half of 2016.
Across Asia Pacific there are numerous examples of insurers embracing insurtech. Some insurers have opened innovation labs or incubators, such as MetLife's LumenLab in Singapore. Others have established corporate VC funds to invest in insurtech startups that will drive value for the business. For example, Suncorp recently invested in Trov, an app that allows customers to turn insurance on and off by swiping right or left on their phones. We have also seen collaboration between insurers and car manufacturers to make available one-click, single-use motor vehicle policies in connected cars, as well as collaboration between insurers and technology companies. Another indicator of the opportunities in insurtech is the level of interest shown in the insurance market by leading players in other markets. For example, earlier this year China Mobile announced it is planning to enter the insurance market by making significant investments in two insurance companies.
These initiatives are already starting to have an impact on the insurance experience. The use of drones by insurance companies to assess property damage is reducing claims costs and the time taken to assess claims. The implementation of wearable technology in the workplace, such as smart glasses and smart hats, is increasing workplace safety and thereby reducing the risk of injuries. The use of wearable devices has also been adopted by health insurers and life insurers, enabling them to capture data and potentially pass on lower premiums to policy holders. In the future, we predict the most significant areas of growth and change in insurtech will be data analytics, wearables and IoT, blockchain and artificial intelligence.
Whilst regulators understandably adopt a cautious approach, they are taking steps to encourage fintech and insurtech initiatives. The Monetary Authority of Singapore very recently published guidelines for a 'regulatory sandbox' to encourage growth in fintech within a relaxed regulatory environment. This follows the announcement by the Australian Securities & Investments Commission of a sandbox for fintech businesses.
As the insurance sector becomes increasingly digitised, cybersecurity risks also increase. Regulators around the region have published new and updated guidance that is relevant to the increasingly sophisticated cybersecurity threats. It is important that insurers' compliance and risk teams focus not only on the immediate cybersecurity compliance obligations arising from the latest regulations, but also ensure that cybersecurity compliance programmes are developed to take into account the increasing reliance on technology and data at the core of their operations.
As technology continues to evolve and improve, insurtech opportunities will increase. Although the rise of insurtech has been rapid in recent years, it is still in its infancy. This presents significant opportunities for insurers who adapt to changing consumer expectations and invest in insurtech, especially in Asia, where many people are uninsured but are well connected and spend a lot of time online via their mobile devices. Adapting quickly to this dynamic landscape will enable insurers to remain competitive.
PROPOSED AUSTRALIAN MANDATORY DATA BREACH NOTIFICATION REGIME
By Nicholas Boyle, Senior Associate (Sydney)
In October 2016 the federal Government introduced the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill) to the House of Representatives, to amend the Privacy Act to establish a regime for mandatory notification of eligible data breaches. There is bipartisan support for the Bill, and it is likely to become law in late 2016 or early 2017.
What are the mandatory data breach notification requirements under the Bill?
The Bill requires that an entity must, as soon as practicable, comply with the notification steps outlined below if:
the entity becomes aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity; or
the Information Commissioner directs the entity to do so.
If an 'eligible data breach' occurs in relation to information which has been disclosed to (and is held by) an overseas recipient by an entity, the entity that disclosed the information must comply.
Step 1: Prepare a statement setting out the prescribed details
The affected entity must prepare a statement that sets out:
the identity and contact details of the entity (if the eligible data breach relates to more than one entity, the statement may set out the identity and contact details of those other entities);
a description of the eligible data breach;
the kind or kinds of information affected by the eligible data breach; and
recommendations about the steps that individuals who are or may be affected by the eligible data breach should take in response to it.
If a statement is prepared at the direction of the Information Commissioner, the statement must also include any information specified in that direction.
Step 2: Give a copy of the prepared statement to the Information Commissioner
Step 3: Notify the contents of the statement to individuals whose information is affected by the eligible data breach
Where practicable, the affected entity must take reasonable steps to notify the contents of the statement to those individuals who are or may be affected by the eligible data breach. The entity may use the channels it ordinarily uses to communicate with individuals (eg email, text message, mail) to provide those notifications, but that does not limit the obligation to take reasonable steps or the methods of communication that the entity can use.
If it is not practicable for the affected entity to notify individuals, the affected entity must publish a copy of the statement on its website (if any) and take reasonable steps to publicise the contents of the statement.
What are 'eligible data breaches'?
An 'eligible data breach' occurs when:
there is unauthorised access to, or unauthorised disclosure of, personal, credit reporting or credit eligibility information or a tax file number, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates; or
personal, credit reporting or credit eligibility information or a tax file number is lost where it is likely that (a) unauthorised access to, or unauthorised disclosure of, the information will occur and (b) such unauthorised access or disclosure will result in serious harm to an individual to whom the information relates.
Remedial action exception to the definition of eligible data breaches
An eligible data breach is deemed never to have occurred where the affected entity:
in the case of lost information, takes action before there is unauthorised access to, or unauthorised disclosure of, the information which is lost, and no unauthorised access or disclosure actually occurs; or
in the case of information which is the subject of unauthorised access or disclosure, takes action before there is serious harm to any individual to whom the information relates and, because of that action, a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals.
What is 'serious harm'?
'Serious harm' is to be interpreted broadly. The explanatory memorandum to the Bill states that 'serious harm' could include serious physical, psychological, emotional, economic and financial harm, and serious harm to reputation.
The Bill contains a non-exhaustive list of matters to be considered in determining whether or not access to or disclosure of information is likely to result in "serious harm". These matters include:
the kind(s) and sensitivity of the information;
whether the information is protected by one or more security measures, and the likelihood of any of these measures being overcome;
the persons, or the kinds of persons, who have obtained or who could obtain the information; and
the nature of the harm.
Exceptions
There are a small number of circumstances in which entities are exempted from complying with the notification obligations:
Multiple affected entities: where the eligible data breach affects more than one entity and another entity has complied with the notification obligations, those other affected entities do not need to separately comply.
Enforcement related activities: where the affected entity is an enforcement body and the body's CEO reasonably believes that complying with the notification obligations is likely to prejudice any of its enforcement related activities.
Inconsistency with a secrecy provision: where complying with the notification obligations is, to any extent, inconsistent with a provision of a law of the Commonwealth that prohibits or regulates the use or disclosure of information.
Declaration by the Commissioner: where the Information Commissioner declares that the notification obligations do not apply, or specifies a particular time by which the affected entity must comply with the notification obligations.
Assessment of suspected eligible data breaches
If an entity has reasonable grounds to suspect that an eligible data breach may have occurred, but is not aware of reasonable grounds to believe that an eligible data breach has in fact occurred, the entity must carry out a reasonable and prompt assessment to determine whether an eligible data breach has in fact occurred. This could occur where an entity is notified of a breach by a third party.
The entity must take reasonable steps to complete the assessment within 30 days after forming the suspicion.
If the eligible data breach applies to more than one entity, only one entity needs to undertake an assessment for all entities to comply with this requirement.
SIGNIFICANT CHANGES TO DATA AND CYBERSECURITY PRACTICES IN CHINA
By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong), and Paula Cao, Associate (Beijing)
After a third deliberation, the Chinese government passed the new PRC cybersecurity law on 7 November 2016. The new law will come into force on 1 June 2017 and has significant implications for the data privacy and cybersecurity practices of both Chinese companies and international organisations doing business in China.
The new PRC cybersecurity law is intended to combat online fraud and protect China against internet security risks. In short, it imposes new security and data protection obligations on "network operators", puts restrictions on transfers of data outside China by "key information infrastructure operators", and introduces new restrictions on critical network and cybersecurity products.
The new law has been widely reported in both the local and international press. While Chinese officials maintain that China is not closing the door on foreign companies with the introduction of this new law, there has been widespread international unease since the first reading. Commentators have expressed concern that competition will be stifled, regarding the handover of intellectual property, source codes and security keys to the Chinese government, as to perceived increased surveillance and controls over the internet in China, and in relation to the data localisation requirements. Other new obligations, including increased personal data protections, have been less controversial, but are a clear indicator of the increased focus within the Chinese authorities on data protection and could signal a change to the data protection enforcement environment in China.
Some of the key provisions of the final law (which contains some changes to earlier drafts of the law) include (inter alia):
Chinese citizens' personal information and "important data" gathered and produced by "key information infrastructure operators" (KIIOs) during operations in China must be kept within the borders of the PRC. If it is "necessary" for the KIIO to transfer such data outside of China, a security assessment must be conducted pursuant to the measures jointly formulated by the National Cyberspace Administration and State Council, unless other PRC laws permit the overseas transfer. While the final version of the law provides some guidance as to the industry fields that will be ascribed greater protection, such as public communications and information service, energy, transportation, water conservancy, finance, public service and e-government, the definition of KIIO remains vague and could potentially be interpreted to cover a broader range of companies and industry sectors. "Personal information" is defined as including all kinds of information recorded electronically or through other means that, taken alone or together with other information, is sufficient to identify a natural person's identity, including but not limited to natural persons' full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers and so forth. However, the types of information that might constitute "important data" are currently unclear. In any case, these data localisation rules are likely to create practical issues for international businesses operating in China.
A range of new obligations apply to organisations that are "network operators" (ie network owners, network administrators and network service providers). A "network" means any system comprising computers or other information terminals and related equipment for collection, storage, transmission, exchange and processing of information. Some commentators are suggesting that these broad definitions could catch any business that owns and operates IT networks/infrastructure, or even just websites, in China.
In terms of data protection, network operators must make publicly available data privacy notices (explicitly stating the purposes, means and scope of personal information to be collected and used) and obtain individuals' consent when collecting, using and disclosing their personal information. Network operators must adopt technical measures to ensure the security of personal information against loss, destruction or leaks and, in the event of a data security breach, must take immediate remedial action and promptly notify users and the relevant authorities. They must also comply with principles of legality, propriety and necessity in their data handling and not be excessive, not provide an individual's personal information to others without the individual's consent, nor illegally sell an individual's personal data to others. The rules do not apply to truly anonymised data. There are also general obligations to keep user information confidential and to establish and maintain data protection systems. Data subject rights to correction of their data, as well as a right to request deletion of data in the event of a data breach, are also provided. While an earlier draft specifically provided protection to personal information of "citizens", the final law does not make this distinction and so seemingly offers broader protection to all personal information. These requirements formalise as binding legal obligations some data protection safeguards that were previously only perceived as best practice guidance in China.
As regards network security, network operators must fulfil certain tiered security obligations according to the requirements of the classified protection system for cybersecurity, which include (amongst other things): formulating internal security management systems and operating instructions; appointing dedicated cybersecurity personnel; taking technological measures to prevent computer viruses and other similar threats and attacks; formulating plans to monitor and respond to network security incidents; retaining network logs for at least six months; undertaking prescribed data classification, back up, encryption and similar activities; complying with national and mandatory security standards; reporting incidents to users and the authorities; and establishing complaints systems.
Network operators must also provide technical support and assistance to state security bodies safeguarding national security and investigating crimes, and will be subject to government and public supervision. The form and extent of such cooperation is not currently clear, and international businesses have expressed concerns over the extent to which this may require them to disclose their IP, proprietary and confidential information to the Chinese authorities.
More general conditions on network operators carrying out business and service activities include obeying all laws and regulations, mandatory and industry national standards, social norms and commercial ethics, being honest and credible, and bearing social responsibility. There are also requirements on network operators to block, delete and report to the authorities prohibited information and malicious programs published or installed by users.
Network operators handling "network access and domain registration services" for users, including mobile phone and instant message service providers, are required to comply with "real identity" rules when signing up or providing service confirmation to users, or else may not provide the service.
Additional security safeguards apply to KIIOs, including security background checks on key managers, staff training obligations, disaster recovery back ups, emergency response planning, and annual inspections and assessments. Further, strict procurement procedures will apply to KIIOs buying network products and services.
Providers of "network products and services" must comply with national and mandatory standards; their products and services must not contain malicious programs; they must take remedial action against security issues and report them to users and relevant authorities; and they must provide security maintenance for their products and services, which cannot be terminated within the contract term agreed with customers. These new conditions will require providers of technology products and services to review and update their product and related maintenance offerings and, in particular, the contractual terms on which they are offered to customers.
Critical network equipment and specialised cybersecurity products must obtain government certification or meet prescribed safety inspection requirements before being sold or provided. This potentially catches a wide range of software, hardware and other technologies being sold, or proposed to be sold, by international companies in China, since the definitions used in the law are drafted very broadly. Further guidance by way of a catalogue of key network products is expected in due course. There are concerns that this may create barriers to international businesses looking to enter the Chinese market.
Each individual and organisation shall be responsible for its own use of websites and may not set up websites or communication groups for the purpose of committing fraud, imparting criminal methods, producing or selling prohibited items, or engaging in other unlawful activities. Again, there is scope for this to be interpreted and applied broadly.
Institutions, organisations and individuals outside China that cause serious consequences by attacking, interfering with or destroying key information infrastructure of China shall be responsible for any damage, and the relevant public security department of the State Council may freeze assets and impose other sanctions against them. While these provisions would appear to have an extra-territorial effect and could be interpreted very broadly, it is unclear what sanctions could in practice be enforced against organisations without a presence in China.
Other new rules relate to network/online protections for minors; the establishment of schemes for network security monitoring, early warning and breach notification to relevant authorities and the public; rights for individuals and organisations to report conduct endangering network security; the opening of public data resources; and prohibitions on hacking and supporting activities.
While criminal sanctions, administrative penalties and civil liabilities potentially await those (both organisations and, in some circumstances, individual employees and officers) who violate the new law, unfortunately great uncertainties remain as to how the new legislation will be enforced, who exactly is caught by the various new rules, and the precise steps that organisations must take to comply with them. It is hoped that the Chinese authorities will publish more detailed practical guidance in the coming months. In the meantime, organisations are strongly advised to review their data privacy and cybersecurity practices in China to ensure compliance with the new law before it comes into force on 1 June 2017, and to keep these under review as further guidance becomes available.
STRICTER PRC ONLINE ADVERTISING REGULATION IN RESPONSE TO SEARCH SCANDAL
By Edward Chatterton, Partner (Hong Kong), Horace Lam, Partner (Beijing), and Ian Jebbit, Registered Foreign Lawyer (Hong Kong)
The China State Administration of Industry and Commerce's Online Advertising Regulation (Regulation) came into force on September 1, 2016. The Regulation has been widely regarded as the response to a recent scandal regarding paid search results.
Earlier this year, a promising college student in China, Wei Ze Xi, sought cancer treatment at a hospital which was returned as a paid search result on an internet search engine. The hospital promised that the treatment would be effective and charged Wei US$30,000. The treatment was later found to be ineffective, but Wei could not then afford further
The changes
The newly amended Advertising Law did not expressly address the regulation of 'paid search results', but the new Regulation includes a specific definition of paid search results, which sees them classified as an internet advertisement and thus subject to the Advertising Law. As such, the Regulation means, inter alia, that paid search results:
must not be misleading;
cannot be used in relation to the advertisement of prescription medication and tobacco products;
cannot be used in relation to the advertisement of medical services, medicine, medical formula food, medical devices, pesticides, veterinary medicines and health care products, unless the relevant products and services have been previously approved by the relevant authorities; and
must be able to be closed with 'one click' and must not interfere with a user's internet experience.
The Regulation also requires online advertising service providers to establish internal systems for, inter alia, identifying clients who use paid search results and storing their details and advertisements.
Practical implications
The new Regulation affects not only search engine providers, but all online advertising businesses and users of paid search results.
Businesses advertising in China using paid search results must check to ensure such paid search results are in compliance with the Advertising Law, and those businesses operating in any of the restricted fields listed above must now ensure prior approval is sought before placing a paid search result advertisement.
Our team of lawyers in China is ready to advise you on the preparations you need to make for the implementation of the Regulation.
MOBILE APPS UNDER CLOSE WATCH OF THE HONG KONG PRIVACY COMMISSIONER
By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong)
The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps. On 21 April 2016, the Office of the Privacy Commissioner for Personal Data (the PCPD) held the 'Mobile App Development Forum on Privacy and Security' (Forum) for the mobile app industry, which discussed key issues for mobile app developers, businesses and stakeholders to consider when developing and operating mobile apps, in terms of ensuring compliance with the provisions of the Personal Data (Privacy) Ordinance and safeguarding users from cybersecurity risks.
Businesses operating in the mobile app industry and related stakeholders are advised to take note of the key points raised at the Forum, and the related issues they should consider, set out below.
Lessons to learn from mobile apps in the market
The Privacy Commissioner highlighted the results of a recent survey on popular mobile apps developed by Hong Kong entities, which revealed a lack of transparency in the handling of personal data by the apps. The survey results revealed that most of these local apps did not explain clearly what data they would access and the purposes for such access, and that only around half of these mobile apps provided a privacy policy.
A key risk discussed at the Forum was that the drafter of a privacy policy may not have a complete understanding of what data is in fact collected, stored, used and/or shared by the app, for example where third party code is used in the app development. Businesses using one privacy policy for all of their mobile apps, which differ greatly in the way users' data are handled, also run the risk of having imprecise privacy policies for individual apps.
Security remains a key concern in relation to personal data collected and handled by mobile apps. It was revealed at the Forum that, alarmingly, some extremely popular mobile apps failed to apply adequate security to safeguard users' personal data.
Enforcement risks for mobile apps
At the Forum, the Privacy Commissioner referred to enforcement actions that were taken against mobile apps recently, largely due to excessive data collection and inadequate security of personal data.
In recent years, the Privacy Commissioner has served enforcement notices on operators of mobile apps as well as parties related to the app operators. As a result, the relevant companies have taken corrective actions and, in some instances, the Privacy Commissioner's enforcement action attracted much media attention and some of these mobile apps are no longer available in the market.
However, there is a limit to the Privacy Commissioner's enforcement powers, as demonstrated by a high profile incident in November 2016 regarding call-blocking apps whose activities were suspected by the PCPD to contravene Hong Kong's data privacy law. As the apps' operators were located outside Hong Kong, the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow up action.
It is most likely that the privacy compliance of mobile apps will continue to be under the close watch of the Privacy Commissioner in the coming months.
Privacy by Design
The Chief Personal Data Officer of the PCPD, Dr Henry Chang, highlighted the 'Privacy by Design' approach that businesses should adopt, which brings privacy to the foreground and embeds privacy from the outset into the design specifications and throughout the entire development life cycle of a mobile app. Set out below are key factors that should be considered:
Data minimisation – The collection of personal data should be reduced to the absolute minimum, especially where sensitive personal data is involved. An assessment of what data the business requires from users, in terms of access and collection, should be undertaken at the outset.
Surprise minimisation – Businesses should ensure there is transparency to users in terms of what data will be collected or accessed, and provide users with a choice to opt out from such access or use where possible. It is important for businesses to manage the expectations of users and eliminate or minimise any possible adverse effects of data collection and use.
Risk minimisation – Businesses must ensure adequate protection of data being transmitted and/or stored, for example through encryption and access control.
Trust and respect – To earn the trust and respect of users, it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects, even if they do not amount to personal data. This is key, as mobile devices contain a vast amount of personal data and other data that may be considered private, and users would be concerned about whether the mobile app accesses or collects any of this data.
In particular, businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users, rather than a compliance hurdle to avoid investigation or enforcement action by the Privacy Commissioner. Businesses should ensure the data collection and handling practices in respect of their mobile apps are not only compliant with the law, but that the privacy policies, privacy notifications and consents are sufficiently clear and transparent to gain the trust and respect of users.
SINGAPORE'S ENFORCEMENT OF DATA PROTECTION LAW ON THE RISE
By Scott Thiel, Partner, Carolyn Bigg, Of Counsel, and Amy Kong, Associate (Hong Kong)
Singapore's Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC has published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident with the Monetary Authority of Singapore (MAS) concerning a multinational bank. The PDPC has also recently announced the need for organisations to improve their data security and data protection measures, and has issued new guides, primarily focusing on data protection measures, which organisations should consider carefully.
Recent enforcement decisions
Some of the key points to note from the three recent enforcement decisions:
A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.
A document processing company was fined SGD 5,000 for a data breach after 195 individuals received account statements of other account holders held on the Singapore Exchange.
A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (being the policy holder's chiropractor), to obtain further medical information about the policy holder, in September 2015. The PDPC found that the disclosure of the policy holder's bank account details, being of a sensitive financial nature, was not for a reasonable purpose.
It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of 'sensitive personal data' which requires additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.
As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were a result of inadequate data security measures, which led to unauthorised disclosure of personal data.
Investigation into a multinational bank's data disposal incident
The PDPC and the MAS have joined forces in an investigation against a multinational bank (Bank) following a recent report relating to the Bank's disposal of client documents. In June 2016, it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank's headquarters in Singapore.
The MAS is working closely with the PDPC to review the incident and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers' data.
New guides issued by the PDPC
To accompany its recent media release urging organisations to improve their data security measures, and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, securing personal data in electronic medium, and building websites for small to medium enterprises.
The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding content on withdrawal of consent and access requests. Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing their data handling practices.
Some interesting issues to note
The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third party contracts. Such data protection clauses should contain: specific security measures; a schedule containing the authorised personnel who are permitted to access the personal data on a 'need to know' basis; a requirement for a written undertaking about return or deletion of personal data; as well as a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.
The PDPC's guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper, depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).
This article was first published in August 2016. For further updates in relation to Singapore's data protection laws, please contact Scott Thiel (scott.thiel@dlapiper.com) or Carolyn Bigg (carolyn.bigg@dlapiper.com).
IPT INSIGHTS
AUSTRALIA – TRADE MARKS – CHANGES TO OFFICIAL FEES
The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees, some of which are to align with practices in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.
Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there will no longer be a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptance/registration, the new process will hopefully reduce the administrative burden on applicants somewhat.
In addition, the AU$150 fee for opposing a removal application will be abolished. Renewal fees will also increase slightly.
This is an adjustment to official fees only at this time, and DLA Piper Australia is not increasing its fees for the relevant attendances.
HONG KONG'S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD
Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong's Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees are using their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap 486) (the Ordinance) and the Data Protection Principles (DPPs).
The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices depending on whether or not the organisation's data is stored on the personal devices or within a 'sandbox'. The Commissioner has suggested, as best practice, that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly, to ensure appropriate data privacy and data security compliance.
The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding use of personal data stored in the BYOD device, and whether adequate security measures are in place to ensure secure transfer and storage of personal data in the BYOD equipment (eg sandboxing, password protection and independent encryption).
The Information Leaflet also highlights that respect for personal data should be mutual under the BYOD scheme, and any practices implemented to manage employees' BYOD devices should respect the employees' private information.
For more information, the Information Leaflet is available here.
DLA Piper's Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more, please click here.
JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS
In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.
Where the supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, in order to seek a remedy (for example, damages) the supplier must follow the approach prescribed in the Bill. This is likely to be a two-step process. Firstly, the supplier must attempt to resolve the complaint with the procuring entity. Secondly, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.
The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year.
WHAT'S ON
Wrap-up: 5th Global Technology Summit
On September 27 and 28, DLA Piper's Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.
This year the Summit was divided into two distinct days of programming. The first day, called 'Garage2Global', was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from 'garage to global'. The second day, entitled 'TechLaw', provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.
Speaker Highlights
At 'Garage2Global', Alec Ross, Former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day, Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world's largest networks, which powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates, Inc.
Kicking off 'TechLaw', Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions, and how the legal department is viewed as a business partner. During the afternoon sessions, Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, to discuss the GC's role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world's largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.
Please visit our Summit website and blog for any further information.
DLA Piper is pleased to announce the launch of Telecommunications Laws of the World
Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.
Key features include:
telecommunications laws, regulations and policies;
regulatory bodies or authorities;
overview of consents, licenses and authorisations;
regulatory taxes and fees; and
key sanctions and penalties.
Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-based stamping for trading transactions, robust, reliable and resilient networks are critical.
Today, telecommunications operators are increasingly seeking to expand customer-specific and value-added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion. At the same time, the growth of OTT (over-the-top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators' infrastructure to provide services.
Access Telecommunications Laws of the World here.
Intellectual property webinar series
Throughout 2016, DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact eventsaustralia@dlapiper.com:
intellectual property issues in China;
confidential information and trade secrets: global insights, global protection;
grey market, parallel importation and anti-counterfeiting;
content protection and digital piracy; and
advertising and marketing.
Pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide
We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.
Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:
trademark filing and prosecution;
oppositions;
revocation, invalidation and cancellation;
trademark enforcement;
trademark exploitation;
unregistered trademark rights; and
domain and company name disputes.
To pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide, email APACTMGuide@dlapiper.com.
Are you an in-house lawyer? Join WIN today
WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.
GLOBAL PATENT LAWS AROUND THE WORLD
COMING SOON
Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to businesses operating in the countries featured, for example: what acts infringe a patent, the availability of and approach to granting preliminary injunctions, the ability to obtain evidence, the approach to assessing validity, and the typical time to trial. For companies operating in multiple countries, managing the risk of, and successfully bringing or defending, patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those in other countries.
Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and procedural matters businesses need to know about. The handbook includes guidance on:
infringing conduct;
defences to infringement;
before taking action;
patent validity;
taking action;
remedies; and
procedure & timing.
Benefits of Global Patent Laws: patent laws simply put; global reach; easy access 24/7.
DLA PIPER'S PATENT GROUP
With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.
For further information, please contact us by email at patents@dlapiper.com.
The 'one size fits all' approach to contracting is a common feature within the IT industry. Standard form contracts are an efficient and cost-effective method of doing business and are often used for online terms of use and projects which are of low risk, value and/or complexity.
From 12 November 2016, the unfair contract terms regime in the Australian Consumer Law, which until then only applied to individual consumers, was extended to contracts where at least one party is a "small business" and the upfront price payable is $300,000 (or $1 million if the contract is for a term longer than 12 months). A "small business" is a business that employs fewer than 20 people. It will also apply to contracts which are varied after 12 November 2016.
What is an "unfair" contract term?
Whether a term is "unfair" is decided by a court or tribunal. A term is "unfair" if the following three criteria are satisfied:
it causes a significant imbalance in the parties' rights and obligations under the contract;
it is not reasonably necessary to protect the legitimate interest of the party who would be advantaged by the term; and
it would cause detriment (whether financial or otherwise) to a party if the term were relied upon.
A court or tribunal, in determining whether a term is unfair, must assess the transparency of the term. This includes an assessment of how the term is expressed: is it in plain language, and is it presented clearly? The court or tribunal must also consider the term in light of the contract as a whole and not in isolation.
Unfair terms in standard form contracts
Examples of standard form contract terms that may be challenged in court or at a tribunal for "unfairness" include:
terms requiring the customer to indemnify the supplier for any damage caused, even if it is caused by the supplier's own negligence;
terms that allow a supplier to cancel a contract at will for an inconsequential breach of contract by the customer;
terms that restrict a customer from obtaining a refund or exercising a termination right where the supplier has failed to meet its obligations under the contract; and
terms that provide for automatic renewal without the customer's consent.
What does this mean for your business?
Where a supplier's business model is directed at providing services to small to medium enterprises (SMEs), and the supplier has not had to address this issue in the past for "consumer" customers, it is likely to be impacted by this extension of the unfair contract terms regime. Standard form contracts (e.g. online terms of use, confidentiality agreements, software licences, support agreements, supply and/or services contracts) for SME customers should be reviewed to determine whether any of the terms may be considered "unfair".
If a court determines that a term is "unfair", it can make a range of orders, including declaring part or all of the contract void and/or varying the contract. If a court orders a contract to be varied, this may result in the supplier being unable to enforce other rights it may otherwise have, either under the contract itself or at law.
Additionally, customers which are small businesses may challenge contract terms that they consider are unfair, to prevent a supplier from enforcing express rights under the contract. Such challenges will cost a supplier both time and money to address, even if it is able to successfully defend the claim. In addition, in this day of instant and free customer feedback on social media sites, there is also the risk of reputational damage in the market.
Suppliers should ensure their standard terms are appropriate for the type, size and nature of both the target customer and the goods and services being provided, with an appropriate balance of risk and responsibility between the parties.
INSURTECH
By Carolyn Bigg, Of Counsel (Hong Kong), and Sarah Fountain, Senior Associate (Melbourne)
The customer experience of insurance has largely remained the same for many years. A customer completes a proposal form (normally in hard copy) and submits it to the broker; the broker requests quotes from insurers; insurers provide quotes; the broker places a policy; the policy is issued (normally on an annual basis); and then the customer probably gives no further thought to it unless he or she needs to make a claim. This process does not fit well with the digital era we now live in and has not adapted quickly enough to meet changing consumer expectations, largely driven by millennials.
Insurers widely recognise the need to innovate. Despite this, most insurers have been slow to change their ways, with less than a quarter giving customers the option to submit claims online. This signals huge opportunities for those in the insurance sector, which explains the huge growth we are seeing in 'insurtech' (a word that was barely known a few years ago but now seems to be everywhere). Globally, investment in insurtech increased from US$800 million in 2014 to US$2.6 billion in 2015, and was US$1 billion in the first half of 2016.
Across Asia Pacific there are numerous examples of insurers embracing insurtech. Some insurers have opened innovation labs or incubators, such as MetLife's LumenLabs in Singapore. Others have established corporate VC funds to invest in insurtech startups that will drive value for the business. For example, Suncorp recently invested in Trov, an app that allows customers to turn insurance on and off by swiping right or left on their phones. We have also seen collaboration between insurers and car manufacturers to make available one-click, single-use motor vehicle policies in connected cars, as well as collaboration between insurers and technology companies. Another indicator of the opportunities in insurtech is the level of interest shown in the insurance market by leading players in other markets. For example, earlier this year China Mobile announced it is planning to enter the insurance market by making significant investments in two insurance companies.
These initiatives are already starting to have an impact on the insurance experience. The use of drones by insurance companies to assess property damage is reducing claims costs and the time taken to assess claims. The implementation of wearable technology in the workplace, such as smart glasses and smart hats, is increasing workplace safety and thereby reducing the risk of injuries. The use of wearable devices has also been adopted by health insurers and life insurers, enabling them to capture data and potentially pass on lower premiums to policy holders. In the future, we predict the most significant areas of growth and change in insurtech will be data analytics, wearables and IoT, blockchain and artificial intelligence.
Whilst regulators understandably adopt a cautious approach, they are taking steps to encourage fintech and insurtech initiatives. The Monetary Authority of Singapore very recently published guidelines for a 'regulatory sandbox' to encourage growth in fintech within a relaxed regulatory environment. This follows the announcement by the Australian Securities & Investments Commission of a sandbox for fintech businesses.
As the insurance sector becomes increasingly digitised, cybersecurity risks also increase. Regulators around the region have published new and updated guidance that is relevant to the increasingly sophisticated cybersecurity threats. It is important that insurers' compliance and risk teams focus not only on the immediate cybersecurity compliance obligations arising from the latest regulations, but also ensure that cybersecurity compliance programmes are developed to take into account increasing reliance on technology and data at the core of their operations.
As technology continues to evolve and improve, insurtech opportunities will increase. Although the rise of insurtech has been rapid in recent years, it is still in its infancy. This presents significant opportunities for insurers who adapt to changing consumer expectations and invest in insurtech, especially in Asia, where many people are uninsured but are well connected and spend a lot of time online via their mobile devices. Adapting quickly to this dynamic landscape will enable insurers to remain competitive.
PROPOSED AUSTRALIAN MANDATORY DATA BREACH NOTIFICATION REGIME
By Nicholas Boyle, Senior Associate (Sydney)
In October 2016, the Federal Government introduced the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill) to the House of Representatives, to amend the Privacy Act to establish a regime for mandatory notification of eligible data breaches. There is bipartisan support for the Bill, and it is likely to become law in late 2016 or early 2017.
What are the mandatory data breach notification requirements under the Bill?
The Bill requires that an entity must, as soon as practicable, comply with the notification steps outlined below if:
the entity becomes aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity; or
the Information Commissioner directs the entity to do so.
If an 'eligible data breach' occurs in relation to information which has been disclosed to (and is held by) an overseas recipient by an entity, the entity that disclosed the information must comply.
Step 1: Prepare a statement setting out the prescribed details
The affected entity must prepare a statement that sets out:
the identity and contact details of the entity (if the eligible data breach relates to more than one entity, the statement may set out the identity and contact details of those other entities);
a description of the eligible data breach;
the kind or kinds of information affected by the eligible data breach; and
recommendations about the steps that individuals who are or may be affected by the eligible data breach should take in response to it.
If a statement is prepared at the direction of the Information Commissioner, the statement must also include any information specified in that direction.
Step 2: Give a copy of the prepared statement to the Information Commissioner
Step 3: Notify the contents of the statement to individuals whose information is affected by the eligible data breach
Where practicable, the affected entity must take reasonable steps to notify the contents of the statement to those individuals who are or may be affected by the eligible data breach. The entity may use the channels it ordinarily uses to communicate with individuals (e.g. email, text message, mail) to provide those notifications, but that does not limit the obligation to take reasonable steps or the methods of communication that the entity can use.
If it is not practicable for the affected entity to notify individuals, the affected entity must publish a copy of the statement on its website (if any) and take reasonable steps to publicise the contents of the statement.
What are 'eligible data breaches'?
An 'eligible data breach' occurs when:
there is unauthorised access to, or unauthorised disclosure of, personal, credit reporting or credit eligibility information or a tax file number, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates; or
personal, credit reporting or credit eligibility information or a tax file number is lost, where it is likely that (a) unauthorised access to or unauthorised disclosure of the information will occur, and (b) such unauthorised access or disclosure will result in serious harm to an individual to whom the information relates.
Remedial action exception to the definition of eligible data breaches
An eligible data breach is deemed never to have occurred where the affected entity:
in the case of lost information, takes action before there is unauthorised access to or unauthorised disclosure of the information which is lost, and no unauthorised access or disclosure actually occurs; or
in the case of information which is the subject of unauthorised access or disclosure, takes action before there is serious harm to any individual to whom the information relates, and because of that action a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals.
What is 'serious harm'?
'Serious harm' is to be interpreted broadly. The explanatory memorandum to the Bill states that 'serious harm' could include serious physical, psychological, emotional, economic and financial harm, and serious harm to reputation.
The Bill contains a non-exhaustive list of matters to be considered in determining whether or not access to or disclosure of information is likely to result in "serious harm". These matters include:
the kind(s) and sensitivity of the information;
whether the information is protected by one or more security measures, and the likelihood of any of these measures being overcome;
the persons, or the kinds of persons, who have obtained or who could obtain the information; and
the nature of the harm.
Exceptions
There are a small number of circumstances in which entities are exempted from complying with the notification obligations:
Multiple affected entities: where the eligible data breach affects more than one entity and another entity has complied with the notification obligations, those other affected entities do not need to separately comply.
Enforcement related activities: where the affected entity is an enforcement body and the body's CEO reasonably believes that complying with the notification obligations is likely to prejudice any of its enforcement related activities.
Inconsistency with a secrecy provision: where complying with the notification obligations is to any extent inconsistent with a provision of a law of the Commonwealth that prohibits or regulates the use or disclosure of information.
Declaration by the Commissioner: where the Information Commissioner declares that the notification obligations do not apply, or specifies a particular time by which the affected entity must comply with the notification obligations.
Assessment of suspected eligible data breaches
If an entity has reasonable grounds to suspect an eligible data breach may have occurred, but is not aware of reasonable grounds to believe that an eligible data breach has in fact occurred, the entity must carry out a reasonable and prompt assessment to determine whether an eligible data breach has in fact occurred. This could occur where an entity is notified of a breach by a third party.
The entity must take reasonable steps to complete the assessment within 30 days after forming the suspicion.
If the eligible data breach applies to more than one entity, only one entity needs to undertake an assessment for all entities to comply with this requirement.
SIGNIFICANT CHANGES TO DATA AND CYBERSECURITY PRACTICES IN CHINA
By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong), and Paula Cao, Associate (Beijing)
After a third deliberation, the Chinese government passed the new PRC cybersecurity law on 7 November 2016. The new law will come into force on 1 June 2017 and has significant implications for the data privacy and cybersecurity practices of both Chinese companies and international organisations doing business in China.
The new PRC cybersecurity law intends to combat online fraud and protect China against internet security risks. In short, it imposes new security and data protection obligations on "network operators", puts restrictions on transfers of data outside China by "key information infrastructure operators", and introduces new restrictions on critical network and cybersecurity products.
The new law has been widely reported in both the local and international press. While Chinese officials maintain that China is not closing the door on foreign companies with the introduction of this new law, there has been widespread international unease since the first reading. Commentators have expressed concern that competition will be stifled, regarding the handover of intellectual property, source codes and security keys to the Chinese government, as to perceived increased surveillance and controls over the internet in China, and in relation to the data localisation requirements. Other new obligations, including increased personal data protections, have been less controversial, but are a clear indicator of the increased focus within the Chinese authorities on data protection and could signal a change to the data protection enforcement environment in China.
Some of the key provisions of the final law (which contains some changes to earlier drafts of the law) include (inter alia):
Chinese citizens' personal information and "important data" gathered and produced by "key information infrastructure operators" (KIIOs) during operations in China must be kept within the borders of the PRC. If it is "necessary" for the KIIO to transfer such data outside of China, a security assessment must be conducted pursuant to the measures jointly formulated by the National Cyberspace Administration and State Council, unless other PRC laws permit the overseas transfer. While the final version of the law provides some guidance as to the industry fields that will be ascribed greater protection, such as public communications and information service, energy, transportation, water conservancy, finance, public service and e-government, the definition of KIIO remains vague and could potentially be interpreted to cover a broader range of companies and industry sectors. "Personal information" is defined as including all kinds of information, recorded electronically or through other means, that taken alone or together with other information is sufficient to identify a natural person's identity, including but not limited to natural persons' full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers and so forth. However, the types of information that might constitute "important data" are currently unclear. In any case, these data localisation rules are likely to create practical issues for international businesses operating in China.
A range of new obligations apply to organisations that are "network operators" (i.e. network owners, network administrators and network service providers). A "network" means any system comprising computers or other information terminals and related equipment for collection, storage, transmission, exchange and processing of information. Some commentators are suggesting that these broad definitions could catch any business that owns and operates IT networks/infrastructure, or even just websites, in China.
In terms of data protection, network operators must make publicly available data privacy notices (explicitly stating the purposes, means and scope of personal information to be collected and used) and obtain individuals' consent when collecting, using and disclosing their personal information. Network operators must adopt technical measures to ensure the security of personal information against loss, destruction or leaks, and in the event of a data security breach must take immediate remedial action and promptly notify users and the relevant authorities. They must also comply with principles of legality, propriety and necessity in their data handling and not be excessive, not provide an individual's personal information to others without the individual's consent, nor illegally sell an individual's personal data to others. The rules do not apply to truly anonymised data. There are also general obligations to keep user information confidential and to establish and maintain data protection systems. Data subject rights to correction of their data, as well as a right to request deletion of data in the event of a data breach, are also provided. While an earlier draft specifically provided protection to personal information of "citizens", the final law does not make this distinction and so seemingly offers a broader protection to all personal information. These requirements formalise as binding legal obligations some data protection safeguards that were previously only perceived as best practice guidance in China.
As regards network security, network operators must fulfil certain tiered security obligations according to the requirements of the classified protection system for cybersecurity, which includes (amongst other things): formulating internal security management systems and operating instructions; appointing dedicated cybersecurity personnel; taking technological measures to prevent computer viruses and other similar threats and attacks, and formulating plans to monitor and respond to network security incidents; retaining network logs for at least six months; undertaking prescribed data classification, back up, encryption and similar activities; complying with national and mandatory security standards; reporting incidents to users and the authorities; and establishing complaints systems.
Network operators must also provide technical support and assistance to state security bodies safeguarding national security and investigating crimes, and will be subject to government and public supervision. The form and extent of such cooperation is not currently clear, and international businesses have expressed concerns over the extent to which this may require them to disclose their IP, proprietary and confidential information to the Chinese authorities.
More general conditions on network operators carrying out business and service activities include obeying all laws and regulations, mandatory and industry national standards, social norms and commercial ethics, being honest and credible, and bearing social responsibility. There are also requirements on network operators to block, delete and report to the authorities prohibited information and malicious programs published or installed by users.
Network operators handling "network access and domain registration services" for users, including mobile phone and instant message service providers, are required to comply with "real identity" rules when signing up or providing service confirmation to users, or else may not provide the service.
Additional security safeguards apply to KIIOs, including security background checks on key managers, staff training obligations, disaster recovery back ups, emergency response planning, and annual inspections and assessments. Further, strict procurement procedures will apply to KIIOs buying network products and services.
Providers of "network products and services" must comply with national and mandatory standards; their products and services must not contain malicious programs; they must take remedial action against security issues and report them to users and relevant authorities; and they must provide security maintenance for their products and services, which cannot be terminated within the contract term agreed with customers. These new conditions will require providers of technology products and services to review and update their product and related maintenance offerings, and in particular the contractual terms on which they are offered to customers.
Critical network equipment and specialised cybersecurity products must obtain government certification or meet prescribed safety inspection requirements before being sold or provided. This potentially catches a wide range of software, hardware and other technologies being sold, or proposed to be sold, by international companies in China, since the definitions used in the law are drafted very broadly. Further guidance, by way of a catalogue of key network products, is expected in due course. There are concerns that this may create barriers to international businesses looking to enter the Chinese market.
wwwdlapipercom | 17
Each individual and organisation shall be responsible for its own use of websites and may not set up websites or communication groups for the purpose of committing fraud, imparting criminal methods, producing or selling prohibited items or engaging in other unlawful activities. Again, there is scope for this to be interpreted and applied broadly.
Institutions, organisations and individuals outside China that cause serious consequences by attacking, interfering with or destroying key information infrastructure of China shall be responsible for any damage, and the relevant public security department of the State Council may freeze assets and impose other sanctions against them. While these provisions would appear to have an extra-territorial effect and could be interpreted very broadly, it is unclear what sanctions could in practice be enforced against organisations without a presence in China.
Other new rules relate to network/online protections for minors; the establishment of schemes for network security monitoring, early warning and breach notification to the relevant authorities and the public; rights for individuals and organisations to report conduct endangering network security; the opening of public data resources; and prohibitions on hacking and supporting activities.
While criminal sanctions, administrative penalties and civil liabilities potentially await those (both organisations and, in some circumstances, individual employees and officers) who violate the new law, unfortunately great uncertainties remain as to how the new legislation will be enforced, who exactly is caught by the various new rules and the precise steps that organisations must take to comply with them. It is hoped that the Chinese authorities will publish more detailed practical guidance in the coming months. In the meantime, organisations are strongly advised to review their data privacy and cybersecurity practices in China to ensure compliance with the new law before it comes into force on 1 June 2017, and to keep these under review as further guidance becomes available.
18 | Intellectual Property and Technology News
The China State Administration of Industry and Commerce's Online Advertising Regulation (Regulation) came into force on September 1, 2016. The Regulation has been widely regarded as the response to a recent scandal regarding paid search results.
Earlier this year a promising college student in China, Wei Ze Xi, sought cancer treatment at a hospital which was returned as a paid search result on an internet search engine. The hospital promised that the treatment would be effective and charged Wei US$30,000. The treatment was later found to be ineffective, but Wei could not then afford further
The changes
The newly amended Advertising Law did not expressly address the regulation of 'paid search results', but the new Regulation includes a specific definition of paid search results which sees them classified as an internet advertisement and thus subject to the Advertising Law. As such, the Regulation means, inter alia, that paid search results:
must not be misleading;
cannot be used in relation to the advertisement of prescription medication and tobacco products;
cannot be used in relation to the advertisement of medical services, medicine, medical formula food, medical devices, pesticides, veterinary medicines and health care products unless the relevant products and services have been previously approved by the relevant authorities; and
must be able to be closed with 'one click' and must not interfere with a user's internet experience.
The Regulation also requires online advertising service providers to establish internal systems for, inter alia, identifying clients who use paid search results and storing their details and advertisements.
Practical implications
The new Regulation affects not only search engine providers but all online advertising businesses and users of paid search results
Businesses advertising in China using paid search results must check to ensure such paid search results are in compliance with the Advertising Law, and those businesses operating in any of the restricted fields listed above must now ensure prior approval is sought before placing a paid search result advertisement.
Our team of lawyers in China is ready to advise you on the preparations you need to make for the implementation of the Regulation
STRICTER PRC ONLINE ADVERTISING REGULATION IN RESPONSE TO SEARCH SCANDAL
By Edward Chatterton, Partner (Hong Kong), Horace Lam, Partner (Beijing), and Ian Jebbit, Registered Foreign Lawyer (Hong Kong)
MOBILE APPS UNDER CLOSE WATCH OF THE HONG KONG PRIVACY COMMISSIONER
By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong)
The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps. On 21 April 2016 the Office of the Privacy Commissioner for Personal Data (the PCPD) held the 'Mobile App Development Forum on Privacy and Security' (Forum) for the mobile app industry, which discussed key issues for mobile app developers, businesses and stakeholders to consider when developing and operating mobile apps, in terms of ensuring compliance with the provisions of the Personal Data (Privacy) Ordinance and safeguarding users from cybersecurity risks.
Businesses operating in the mobile app industry and related stakeholders are advised to take note of the key points raised at the Forum, set out below, and the related issues that they should consider.
Lessons to learn from mobile apps in the market
The Privacy Commissioner highlighted the results of a recent survey of popular mobile apps developed by Hong Kong entities, which revealed a lack of transparency in the handling of personal data by those apps. The survey results revealed that most of these local apps did not explain clearly what data they would access and the purposes of such access, and that only around half of these mobile apps provided a privacy policy.
A key risk discussed at the Forum was that the drafter of a privacy policy may not have a complete understanding of what data is in fact collected, stored, used and/or shared by the app, for example where third-party code is used in the app's development. Businesses using a single privacy policy for all of their mobile apps, where those apps differ greatly in the way users' data is handled, also run the risk of having imprecise privacy policies for individual apps.
Security remains a key concern in relation to personal data collected and handled by mobile apps. It was revealed at the Forum that, alarmingly, some extremely popular mobile apps failed to apply adequate security to safeguard users' personal data.
Enforcement risks for mobile apps
At the Forum, the Privacy Commissioner referred to enforcement actions taken recently against mobile apps, largely due to excessive data collection and inadequate security of personal data.
In recent years the Privacy Commissioner has served enforcement notices on operators of mobile apps as well as on parties related to the app operators. As a result, the relevant companies have taken corrective actions; in some instances the Privacy Commissioner's enforcement action attracted much media attention, and some of these mobile apps are no longer available in the market.
However, there is a limit to the Privacy Commissioner's enforcement powers, as demonstrated by a high-profile incident in November 2016 regarding call-blocking apps whose activities were suspected by the PCPD to contravene Hong Kong's data privacy law. As the apps' operators were located outside Hong Kong, the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow-up action.
It is most likely that the privacy compliance of mobile apps will continue to be under the close watch of the Privacy Commissioner in the coming months
Privacy by Design
The Chief Personal Data Officer of the PCPD, Dr Henry Chang, highlighted the 'Privacy by Design' approach that businesses should adopt, which brings privacy to the foreground and embeds privacy from the outset into the design specifications and throughout the entire development life cycle of a mobile app. Set out below are the key factors that should be considered.
Data minimisation – The collection of personal data should be reduced to the absolute minimum, especially where sensitive personal data is involved. An assessment of what data the business requires from users, in terms of access and collection, should be undertaken at the outset.
Surprise minimisation – Businesses should ensure there is transparency to users in terms of what data will be collected or accessed, and provide users with a choice to opt out of such access or use where possible. It is important for businesses to manage the expectations of users and eliminate or minimise any possible adverse effects of data collection and use.
Risk minimisation – Businesses must ensure adequate protection of data being transmitted and/or stored, for example through encryption and access control.
Trust and respect – To earn the trust and respect of users, it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects, even if it does not amount to personal data. This is key, as mobile devices contain a vast amount of personal data and other data that may be considered private, and users will be concerned about whether the mobile app accesses or collects any of this data.
In particular, businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users, rather than as a compliance hurdle to avoid investigation or enforcement action by the Privacy Commissioner. Businesses should ensure that the data collection and handling practices in respect of their mobile apps are not only compliant with the law, but also that the privacy policies, privacy notifications and consents are sufficiently clear and transparent to gain the trust and respect of users.
Singapore's Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident together with the Monetary Authority of Singapore (MAS) concerning a multinational bank. The PDPC has also recently announced the need for organisations to improve their data security and data protection measures, and has issued new guides, primarily focusing on data protection measures, which organisations should consider carefully.
Recent enforcement decisions
Some of the key points to note from the three recent enforcement decisions:
A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.
A document processing company was fined SGD 5,000 for a data breach after 195 individuals received the account statements of other account holders held on the Singapore Exchange.
A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (the policy holder's chiropractor), in order to obtain further medical information about the policy holder, in September 2015. The PDPC found that the disclosure of the policy holder's bank account details, being of a sensitive financial nature, was not for a reasonable purpose.
It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of 'sensitive personal data' requiring additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.
As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were the result of inadequate data security measures which led to unauthorised disclosure of personal data.
SINGAPORE'S ENFORCEMENT OF DATA PROTECTION LAW ON THE RISE
By Scott Thiel, Partner, Carolyn Bigg, Of Counsel, and Amy Kong, Associate (Hong Kong)
Investigation into a multinational bank's data disposal incident
The PDPC and the MAS have joined forces in an investigation into a multinational bank (Bank) following a recent report relating to the Bank's disposal of client documents. In June 2016 it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank's headquarters in Singapore.
The MAS is working closely with the PDPC to review the incident and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers' data.
New guides issued by the PDPC
To accompany its recent media release urging organisations to improve their data security measures, and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, securing personal data in electronic medium, and building websites for small to medium enterprises.
The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding the withdrawal of consent and access requests. Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing their data handling practices.
Some interesting issues to note
The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third-party contracts. Such data protection clauses should contain specific security measures; a schedule listing the authorised personnel who are permitted to access the personal data on a 'need to know' basis; a requirement for a written undertaking about the return or deletion of personal data; and a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.
The PDPC's guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).
This article was first published in August 2016. For further updates in relation to Singapore's data protection laws please contact Scott Thiel (scottthieldlapipercom) or Carolyn Bigg (carolynbiggdlapipercom).
AUSTRALIA – TRADE MARKS – CHANGES TO OFFICIAL FEES
The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees, some of which are intended to align with practices in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.
Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there will no longer be a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptance/registration, the new process will hopefully reduce the administrative burden on applicants somewhat.
In addition, the AU$150 fee for opposing a removal application will be abolished. Renewal fees will also increase slightly.
This is an adjustment to official fees only at this time, and DLA Piper Australia is not increasing its fees for the relevant attendances.
HONG KONG'S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD
Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong's Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees are using their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap 486) (the Ordinance) and the Data Protection Principles (DPPs).
The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and to the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices depending on whether or not the organisation's data is stored on the personal devices or within a 'sandbox'. The Commissioner has suggested as best practice that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance.
The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding the use of personal data stored on the BYOD device, and whether adequate security measures are in place to ensure secure transfer and storage of personal data on the BYOD equipment (e.g. sandboxing, password protection and independent encryption).
The Information Leaflet also highlights that respect for personal data should be mutual under a BYOD scheme, and that any practices implemented to manage employees' BYOD devices should respect the employees' private information.
For more information the Information Leaflet is available here
DLA Piperrsquos Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe To learn more please click here
JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS
In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.
Where a supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, in order to seek a remedy (for example, damages) the supplier must follow the approach prescribed in the Bill. This is likely to be a two-step process. Firstly, the supplier must attempt to resolve the complaint with the procuring entity. Secondly, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.
The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year
IPT INSIGHTS
WHAT'S ON
Wrap up: 5th Global Technology Summit
On September 27 and 28, DLA Piper's Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.
This year the Summit was divided into two distinct days of programming. The first day, called 'Garage2Global', was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from 'garage to global'. The second day, entitled 'TechLaw', provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.
Speaker Highlights
At 'Garage2Global', Alec Ross, former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world's largest networks, which powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates Inc.
Kicking off 'TechLaw', Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions and how the legal department is viewed as a business partner. During the afternoon sessions Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, about the GC's role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world's largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.
Please visit our Summit website and blog for any further information
DLA Piper is pleased to announce the launch of Telecommunications Laws of the World
Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.
Key features include:
telecommunications laws regulations and policies
regulatory bodies or authorities
overview of consents licenses and authorisations
regulatory taxes and fees
key sanctions and penalties
Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-based stamping for trading transactions, robust, reliable and resilient networks are critical.
Today, telecommunications operators are increasingly seeking to expand customer-specific and value-added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion. At the same time, the growth of OTT (over the top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators' infrastructure to provide services.
Access Telecommunications Laws of the World here
Intellectual property webinar series
Throughout 2016 DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact eventsaustraliadlapipercom
intellectual property issues in China
confidential information and trade secrets global insights global protection
grey market parallel importation and anti-counterfeiting
content protection and digital piracy
advertising and marketing
Pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide
We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.
Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:
trademark filing and prosecution
oppositions
revocation invalidation and cancellation
trademark enforcement
trademark exploitation
unregistered trademark rights
domain and company name disputes
To pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide, email APACTMGuidedlapipercom
Are you an in-house lawyer? Join WIN today
WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register
GLOBAL PATENT LAWS AROUND THE WORLD
COMING SOON
Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to businesses operating in the countries featured: for example, what acts infringe a patent, the availability of and approach to granting preliminary injunctions, the ability to obtain evidence, the approach to assessing validity and the typical time to trial. For companies operating in multiple countries, managing the risk of, and successfully bringing or defending, patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those in other countries.
DLA PIPER'S PATENT GROUP
With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.
For further information please contact us by email at patentsdlapipercom
Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and the procedural matters businesses need to know about. The handbook includes guidance on:
Infringing conduct
Defences to infringement
Before taking action
Patent validity
Taking action
Remedies
Procedure & timing
Benefits of Global Patent Laws: patent laws simply put; global reach; easy access 24/7
INSURTECH
By Carolyn Bigg, Of Counsel (Hong Kong), and Sarah Fountain, Senior Associate (Melbourne)
The customer experience of insurance has largely remained the same for many years. A customer completes a proposal form (normally in hard copy) and submits it to the broker; the broker requests quotes from insurers; insurers provide quotes; the broker places a policy; the policy is issued (normally on an annual basis); and then the customer probably gives no further thought to it unless he or she needs to make a claim. This process does not fit well with the digital era we now live in, and has not adapted quickly enough to meet changing consumer expectations, largely driven by millennials.
Insurers widely recognise the need to innovate. Despite this, most insurers have been slow to change their ways, with less than a quarter giving customers the option to submit claims online. This signals huge opportunities for those in the insurance sector, which explains the huge growth we are seeing in 'insurtech' (a word that was barely known a few years ago but now seems to be everywhere). Globally, investment in insurtech increased from US$800 million in 2014 to US$2.6 billion in 2015, and was US$1 billion in the first half of 2016.
Across Asia Pacific there are numerous examples of insurers embracing insurtech. Some insurers have opened innovation labs or incubators, such as Metlife's LumenLab in Singapore. Others have established corporate VC funds to invest in insurtech startups that will drive value for the business. For example, Suncorp recently invested in Trov, an app that allows customers to turn insurance on and off by swiping right or left on their phones. We have also seen collaboration between insurers and car manufacturers to make available one-click, single-use motor vehicle policies in connected cars, as well as collaboration between insurers and technology companies. Another indicator of the opportunities in insurtech is the level of interest shown in the insurance market by leading players in other markets. For example, earlier this year China Mobile announced that it is planning to enter the insurance market by making significant investments in two insurance companies.
These initiatives are already starting to have an impact on the insurance experience. The use of drones by insurance companies to assess property damage is reducing claims costs and the time taken to assess claims. The implementation of wearable technology in the workplace, such as smart glasses and smart hats, is increasing workplace safety and thereby reducing the risk of injuries. Wearable devices have also been adopted by health insurers and life insurers, enabling them to capture data and potentially pass on lower premiums to policy holders. In the future, we predict the most significant areas of growth and change in insurtech will be data analytics, wearables and IoT, blockchain and artificial intelligence.
Whilst regulators understandably adopt a cautious approach, they are taking steps to encourage fintech and insurtech initiatives. The Monetary Authority of Singapore very recently published guidelines for a 'regulatory sandbox' to encourage growth in fintech within a relaxed regulatory environment. This follows the announcement by the Australian Securities & Investments Commission of a sandbox for fintech businesses.
As the insurance sector becomes increasingly digitised cybersecurity risks also increase Regulators around the region have published new and updated guidance that is relevant to the increasingly sophisticated cybersecurity threats It is important that insurersrsquo compliance and risk teams focus not only on the immediate cybersecurity compliance obligations arising from the latest regulations but also ensure that cybersecurity compliance programmes are developed to take into account increasing reliance on technology and data at the core of their operations
As technology continues to evolve and improve insurtech opportunities will increase Although the rise of insurtech has been rapid in recent years it is still in its infancy This presents significant opportunities for insurers who adapt to changing consumer expectations and invest in insurtech especially in Asia where many people are uninsured but are well connected and spend a lot of time online via their mobile devices Adapting quickly to this dynamic landscape will enable insurers to remain competitive
wwwdlapipercom | 13
PROPOSED AUSTRALIAN MANDATORY DATA BREACH NOTIFICATION REGIME
By Nicholas Boyle, Senior Associate (Sydney)
In October 2016, the federal Government introduced the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill) to the House of Representatives to amend the Privacy Act to establish a regime for mandatory notification of eligible data breaches. There is bipartisan support for the Bill and it is likely to become law in late 2016 or early 2017.
What are the mandatory data breach notification requirements under the Bill?
The Bill requires that an entity must, as soon as practicable, comply with the notification steps outlined below if:
- the entity becomes aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity; or
- the Information Commissioner directs the entity to do so.
If an 'eligible data breach' occurs in relation to information which has been disclosed to (and is held by) an overseas recipient by an entity, the entity that disclosed the information must comply.
Step 1: Prepare a statement setting out the prescribed details
The affected entity must prepare a statement that sets out:
- the identity and contact details of the entity. If the eligible data breach relates to more than one entity, the statement may set out the identity and contact details of those other entities;
- a description of the eligible data breach;
- the kind or kinds of information affected by the eligible data breach; and
- recommendations about the steps that individuals who are or may be affected by the eligible data breach should take in response to it.
If a statement is prepared at the direction of the Information Commissioner, the statement must also include any information specified in that direction.
Step 2: Give a copy of the prepared statement to the Information Commissioner
Step 3: Notify the contents of the statement to individuals whose information is affected by the eligible data breach
Where practicable, the affected entity must take reasonable steps to notify the contents of the statement to those individuals who are or may be affected by the eligible data breach. The entity may use the channels it ordinarily uses to communicate with individuals (eg email, text message, mail) to provide those notifications, but that does not limit the obligation to take reasonable steps or the methods of communication that the entity can use.
If it is not practicable for the affected entity to notify individuals, the affected entity must publish a copy of the statement on its website (if any) and take reasonable steps to publicise the contents of the statement.
What are 'eligible data breaches'?
An 'eligible data breach' occurs when:
- there is unauthorised access to, or unauthorised disclosure of, personal, credit reporting or credit eligibility information or a tax file number, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates; or
- personal, credit reporting or credit eligibility information or a tax file number is lost where it is likely that (a) unauthorised access to, or unauthorised disclosure of, the information will occur and (b) such unauthorised access or disclosure will result in serious harm to an individual to whom the information relates.
Remedial action exception to the definition of eligible data breaches
An eligible data breach is deemed never to have occurred where the affected entity:
- in the case of lost information, takes action before there is unauthorised access to or unauthorised disclosure of the information which is lost, and no unauthorised access or disclosure actually occurs; or
- in the case of information which is the subject of unauthorised access or disclosure, takes action before there is serious harm to any individual to whom the information relates and, because of that action, a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals.
What is 'serious harm'?
'Serious harm' is to be interpreted broadly. The explanatory memorandum to the Bill states that 'serious harm' could include serious physical, psychological, emotional, economic and financial harm, and serious harm to reputation.
The Bill contains a non-exhaustive list of matters to be considered in determining whether or not access to or disclosure of information is likely to result in 'serious harm'. These matters include:
- the kind(s) and sensitivity of the information;
- whether the information is protected by one or more security measures and the likelihood of any of these measures being overcome;
- the persons, or the kinds of persons, who have obtained or who could obtain the information; and
- the nature of the harm.
Exceptions
There are a small number of circumstances in which entities are exempted from complying with the notification obligations:
- Multiple affected entities: where the eligible data breach affects more than one entity and another entity has complied with the notification obligations, those other affected entities do not need to separately comply.
- Enforcement related activities: where the affected entity is an enforcement body and the body's CEO reasonably believes that complying with the notification obligations is likely to prejudice any of its enforcement related activities.
- Inconsistency with a secrecy provision: where complying with the notification obligations is, to any extent, inconsistent with a provision of a law of the Commonwealth that prohibits or regulates the use or disclosure of information.
- Declaration by the Commissioner: where the Information Commissioner declares that the notification obligations do not apply, or specifies a particular time by which the affected entity must comply with the notification obligations.
Assessment of suspected eligible data breaches
If an entity has reasonable grounds to suspect that an eligible data breach may have occurred, but is not aware of reasonable grounds to believe that an eligible data breach has in fact occurred, the entity must carry out a reasonable and prompt assessment to determine whether an eligible data breach has in fact occurred. This could occur where an entity is notified of a breach by a third party.
The entity must take reasonable steps to complete the assessment within 30 days after forming the suspicion.
If the eligible data breach applies to more than one entity, only one entity needs to undertake an assessment for all entities to comply with this requirement.
SIGNIFICANT CHANGES TO DATA AND CYBERSECURITY PRACTICES IN CHINA
By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong), and Paula Cao, Associate (Beijing)
After a third deliberation, the Chinese government passed the new PRC cybersecurity law on 7 November 2016. The new law will come into force on 1 June 2017 and has significant implications for the data privacy and cybersecurity practices of both Chinese companies and international organisations doing business in China.
The new PRC cybersecurity law intends to combat online fraud and protect China against internet security risks. In short, it imposes new security and data protection obligations on "network operators", puts restrictions on transfers of data outside China by "key information infrastructure operators" and introduces new restrictions on critical network and cybersecurity products.
The new law has been widely reported in both the local and international press. While Chinese officials maintain that China is not closing the door on foreign companies with the introduction of this new law, there has been widespread international unease since the first reading. Commentators have expressed concern that competition will be stifled, regarding the handover of intellectual property, source codes and security keys to the Chinese government, as to perceived increased surveillance and controls over the internet in China, and in relation to the data localisation requirements. Other new obligations, including increased personal data protections, have been less controversial but are a clear indicator of the increased focus within the Chinese authorities on data protection and could signal a change to the data protection enforcement environment in China.
Some of the key provisions of the final law (which contains some changes to earlier drafts of the law) include (inter alia):
Chinese citizens' personal information and "important data" gathered and produced by "key information infrastructure operators" (KIIO) during operations in China must be kept within the borders of the PRC. If it is "necessary" for the KIIO to transfer such data outside of China, a security assessment must be conducted pursuant to the measures jointly formulated by the National Cyberspace Administration and State Council, unless other PRC laws permit the overseas transfer. While the final version of the law provides some guidance as to the industry fields that will be ascribed greater protection, such as public communications and information service, energy, transportation, water conservancy, finance, public service and e-government, the definition of KIIO remains vague and could potentially be interpreted to cover a broader range of companies and industry sectors. "Personal information" is defined as including all kinds of information recorded electronically or through other means that, taken alone or together with other information, is sufficient to identify a natural person's identity, including but not limited to natural persons' full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers and so forth. However, the types of information that might constitute "important data" are currently unclear. In any case, these data localisation rules are likely to create practical issues for international businesses operating in China.
A range of new obligations apply to organisations that are "network operators" (ie network owners, network administrators and network service providers). A "network" means any system comprising computers or other information terminals and related equipment for the collection, storage, transmission, exchange and processing of information. Some commentators are suggesting that these broad definitions could catch any business that owns and operates IT networks/infrastructure, or even just websites, in China.
In terms of data protection, network operators must make publicly available data privacy notices (explicitly stating the purposes, means and scope of personal information to be collected and used) and obtain individuals' consent when collecting, using and disclosing their personal information. Network operators must adopt technical measures to ensure the security of personal information against loss, destruction or leaks and, in the event of a data security breach, must take immediate remedial action and promptly notify users and the relevant authorities. They must also comply with principles of legality, propriety and necessity in their data handling and not be excessive, not provide an individual's personal information to others without the individual's consent, nor illegally sell an individual's personal data to others. The rules do not apply to truly anonymised data. There are also general obligations to keep user information confidential and to establish and maintain data protection systems. Data subject rights to correction of their data, as well as a right to request deletion of data in the event of a data breach, are also provided. While an earlier draft specifically provided protection to personal information of "citizens", the final law does not make this distinction and so seemingly offers broader protection to all personal information. These requirements formalise as binding legal obligations some data protection safeguards that were previously only perceived as best practice guidance in China.
As regards network security, network operators must fulfil certain tiered security obligations according to the requirements of the classified protection system for cybersecurity, which includes (amongst other things): formulating internal security management systems and operating instructions; appointing dedicated cybersecurity personnel; taking technological measures to prevent computer viruses and other similar threats and attacks; formulating plans to monitor and respond to network security incidents; retaining network logs for at least six months; undertaking prescribed data classification, back-up, encryption and similar activities; complying with national and mandatory security standards; reporting incidents to users and the authorities; and establishing complaints systems.
Network operators must also provide technical support and assistance to state security bodies safeguarding national security and investigating crimes, and will be subject to government and public supervision. The form and extent of such cooperation is not currently clear, and international businesses have expressed concerns over the extent to which this may require them to disclose their IP, proprietary and confidential information to the Chinese authorities.
More general conditions on network operators carrying out business and service activities include obeying all laws and regulations, mandatory and industry national standards, social norms and commercial ethics, being honest and credible, and bearing social responsibility. There are also requirements on network operators to block, delete and report to the authorities prohibited information and malicious programs published or installed by users.
Network operators handling "network access and domain registration services" for users, including mobile phone and instant message service providers, are required to comply with "real identity" rules when signing up or providing service confirmation to users, or else may not provide the service.
Additional security safeguards apply to KIIOs, including security background checks on key managers, staff training obligations, disaster recovery back-ups, emergency response planning and annual inspections and assessments. Further, strict procurement procedures will apply to KIIOs buying network products and services.
Providers of "network products and services" must comply with national and mandatory standards; their products and services must not contain malicious programs; they must take remedial action against security issues and report them to users and relevant authorities; and they must provide security maintenance for their products and services, which cannot be terminated within the contract term agreed with customers. These new conditions will require providers of technology products and services to review and update their product and related maintenance offerings and, in particular, the contractual terms on which they are offered to customers.
Critical network equipment and specialised cybersecurity products must obtain government certification or meet prescribed safety inspection requirements before being sold or provided. This potentially catches a wide range of software, hardware and other technologies being sold, or proposed to be sold, by international companies in China, since the definitions used in the law are drafted very broadly. Further guidance by way of a catalogue of key network products is expected in due course. There are concerns that this may create barriers to international businesses looking to enter the Chinese market.
Each individual and organisation shall be responsible for its own use of websites and may not set up websites or communication groups for the purpose of committing fraud, imparting criminal methods, producing or selling prohibited items or engaging in other unlawful activities. Again, there is scope for this to be interpreted and applied broadly.
Institutions, organisations and individuals outside China that cause serious consequences by attacking, interfering with or destroying key information infrastructure of China shall be responsible for any damage, and the relevant public security department of the State Council may freeze assets and impose other sanctions against them. While these provisions would appear to have an extra-territorial effect and could be interpreted very broadly, it is unclear what sanctions could in practice be enforced against organisations without a presence in China.
Other new rules relate to network/online protections for minors, the establishment of schemes for network security monitoring, early warning and breach notification to relevant authorities and the public, as well as rights for individuals and organisations to report conduct endangering network security, the opening of public data resources, and prohibitions on hacking and supporting activities.
While criminal sanctions, administrative penalties and civil liabilities potentially await those (both organisations and, in some circumstances, individual employees and officers) who violate the new law, unfortunately great uncertainties remain as to how the new legislation will be enforced, who exactly is caught by the various new rules and the precise steps that organisations must take to comply with them. It is hoped that the Chinese authorities will publish more detailed practical guidance in the coming months. In the meantime, organisations are strongly advised to review their data privacy and cybersecurity practices in China to ensure compliance with the new law before it comes into force on 1 June 2017, and to keep these under review as further guidance becomes available.
STRICTER PRC ONLINE ADVERTISING REGULATION IN RESPONSE TO SEARCH SCANDAL
By Edward Chatterton, Partner (Hong Kong), Horace Lam, Partner (Beijing), and Ian Jebbit, Registered Foreign Lawyer (Hong Kong)
The China State Administration of Industry and Commerce's Online Advertising Regulation (Regulation) came into force on September 1, 2016. The Regulation has been widely regarded as the response to a recent scandal regarding paid search results.
Earlier this year, a promising college student in China, Wei Ze Xi, sought cancer treatment at a hospital which was returned as a paid search result on an internet search engine. The hospital promised that the treatment would be effective and charged Wei US$30,000. The treatment was later found to be ineffective, but Wei could not then afford further
The changes
The newly amended Advertising Law did not expressly address the regulation of 'paid search results', but the new Regulation includes a specific definition of paid search results, which sees them classified as an internet advertisement and thus subject to the Advertising Law. As such, the Regulation means, inter alia, that paid search results:
- must not be misleading;
- cannot be used in relation to the advertisement of prescription medication and tobacco products;
- cannot be used in relation to the advertisement of medical services, medicine, medical formula food, medical devices, pesticides, veterinary medicines and health care products, unless the relevant products and services have been previously approved by the relevant authorities; and
- must be able to be closed with 'one click' and must not interfere with a user's internet experience.
The Regulation also requires online advertising service providers to establish internal systems for, inter alia, identifying clients who use paid search results and storing their details and advertisements.
Practical implications
The new Regulation affects not only search engine providers but all online advertising businesses and users of paid search results.
Businesses advertising in China using paid search results must check to ensure such paid search results are in compliance with the Advertising Law, and those businesses operating in any of the restricted fields listed above must now ensure prior approval is sought before placing a paid search result advertisement.
Our team of lawyers in China is ready to advise you on the preparations you need to make for the implementation of the Regulation.
MOBILE APPS UNDER CLOSE WATCH OF THE HONG KONG PRIVACY COMMISSIONER
By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong)
The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps. On 21 April 2016, the Office of the Privacy Commissioner for Personal Data (the PCPD) held the 'Mobile App Development Forum on Privacy and Security' (Forum) for the mobile app industry, which discussed key issues for mobile app developers, businesses and stakeholders to consider when developing and operating mobile apps, in terms of ensuring compliance with the provisions of the Personal Data (Privacy) Ordinance and safeguarding users from cybersecurity risks.
Businesses operating in the mobile app industry and related stakeholders are advised to take note of the below key points raised at the Forum and related issues that they should consider.
Lessons to learn from mobile apps in the market
The Privacy Commissioner highlighted the results of a recent survey on popular mobile apps developed by Hong Kong entities, which revealed a lack of transparency of the personal data handling in relation to the apps. The survey results revealed that most of these local apps did not explain clearly what data they would access and the purposes for such access, and that only around half of these mobile apps provided a privacy policy.
A key risk discussed at the Forum was that the drafter of the privacy policies may not have a complete understanding of what data is in fact collected, stored, used and/or shared by the app, for example in the case of using third party code in the app development. Businesses using the one privacy policy for all of their mobile apps, which differ greatly in the way users' data are handled, also run the risk of having imprecise privacy policies for individual apps.
Security remains a key concern in relation to personal data collected and handled by mobile apps. It was revealed at the Forum that, alarmingly, some extremely popular mobile apps failed to apply adequate security to safeguard users' personal data.
Enforcement risks for mobile apps
At the Forum, the Privacy Commissioner referred to enforcement actions that were taken against mobile apps recently, largely due to excessive data collection and inadequate security of personal data.
In recent years, the Privacy Commissioner has served enforcement notices on operators of mobile apps as well as related parties to the app operators. As a result, the relevant companies have taken corrective actions and, in some instances, the Privacy Commissioner's enforcement action attracted much media attention, and some of these mobile apps are no longer available in the market.
However, there is a limit to the Privacy Commissioner's enforcement powers, as demonstrated by a high profile incident in November 2016 regarding call-blocking apps whose activities were suspected by the PCPD to contravene Hong Kong's data privacy law. As the apps' operators were located outside Hong Kong, the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow up action.
It is most likely that the privacy compliance of mobile apps will continue to be under the close watch of the Privacy Commissioner in the coming months.
Privacy by Design
The Chief Personal Data Officer of the PCPD, Dr Henry Chang, highlighted the 'Privacy by Design' approach that businesses should adopt, which brings privacy to the foreground and embeds privacy from the outset into the design specifications and throughout the entire development life cycle of a mobile app. Set out below are key factors that should be considered:
- Data minimisation: the collection of personal data should be reduced to the absolute minimum, especially where sensitive personal data is involved. An assessment of what data the business requires from users, in terms of access and collection, should be undertaken at the outset.
- Surprise minimisation: businesses should ensure there is transparency to users in terms of what data will be collected or accessed, and provide users with a choice to opt out from such access or use where possible. It is important for businesses to manage the expectations of users and eliminate or minimise any possible adverse effects of data collection and use.
- Risk minimisation: businesses must ensure adequate protection of data being transmitted and/or stored, for example through encryption and access control.
- Trust and respect: to earn the trust and respect of users, it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects, even if it does not amount to personal data. This is key, as mobile devices contain a vast amount of personal data and other data that may be considered private, and users would be concerned about whether the mobile app accesses or collects any of this data.
In particular, businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users, rather than as a compliance hurdle to avoid investigation or enforcement action by the Privacy Commissioner. Businesses should ensure the data collection and handling practices in respect of their mobile apps are not only compliant with the law, but that the privacy policies, privacy notifications and consents are sufficiently clear and transparent to gain the trust and respect of users.
SINGAPORE'S ENFORCEMENT OF DATA PROTECTION LAW ON THE RISE
By Scott Thiel, Partner, Carolyn Bigg, Of Counsel, and Amy Kong, Associate (Hong Kong)
Singapore's Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC has published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident with the Monetary Authority of Singapore (MAS) concerning a multinational bank. The PDPC has also recently announced the need for organisations to improve their data security and data protection measures, and has issued new guides, primarily focusing on data protection measures, which organisations should consider carefully.
Recent enforcement decisions
Some of the key points to note from the three recent enforcement decisions:
- A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.
- A document processing company was fined SGD 5,000 for a data breach after 195 individuals received account statements of other account holders held on the Singapore Exchange.
- A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (being the policy holder's chiropractor) to obtain further medical information about the policy holder in September 2015. The PDPC found that the disclosure of the policy holder's bank account details, being of a sensitive financial nature, was not for a reasonable purpose.
It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of 'sensitive personal data' which requires additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.
As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were a result of inadequate data security measures which led to unauthorised disclosure of personal data.
Investigation into a multinational bank's data disposal incident
The PDPC and the MAS have joined forces in an investigation against a multinational bank (Bank) following a recent report relating to the Bank's disposal of client documents. In June 2016, it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank's headquarters in Singapore.
The MAS is working closely with the PDPC to review the incident and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers' data.
New guides issued by the PDPC
To accompany its recent media release urging organisations to improve their data security measures, and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, securing personal data in electronic medium, and building websites for small to medium enterprises.
The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding content on withdrawal of consent and access requests. Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing their data handling practices.
Some interesting issues to note
The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third party contracts. Such data protection clauses should contain specific security measures, a schedule containing the authorised personnel who are permitted to access the personal data on a 'need to know' basis, a requirement for a written undertaking about return or deletion of personal data, as well as a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.
The PDPC's guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).
This article was first published in August 2016. For further updates in relation to Singapore's data protection laws, please contact Scott Thiel (scott.thiel@dlapiper.com) or Carolyn Bigg (carolyn.bigg@dlapiper.com).
AUSTRALIA – TRADE MARKS – CHANGES TO OFFICIAL FEES
The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees, some of which are to align with practices in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.
Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there will no longer be a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptance/registration, the new process will hopefully reduce the administrative burden on applicants somewhat.
In addition, the AU$150 fee for opposing a removal application will be abolished. Renewal fees will also increase slightly.
This is an adjustment to official fees only at this time, and DLA Piper Australia is not increasing its fees for the relevant attendances.
HONG KONG'S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD
Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong's Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees are using their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap 486) (the Ordinance) and the Data Protection Principles (DPPs).
The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices depending on whether or not the organisation's data is stored on the personal devices or within a 'sandbox'. The Commissioner has suggested as best practice that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance.
The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding use of personal data stored in the BYOD device, and whether adequate security measures are in place to ensure secure transfer and storage of personal data in the BYOD equipment (e.g. sandboxing, password protection and independent encryption).
The Information Leaflet also highlights that respect for personal data should be mutual under the BYOD scheme, and any practices implemented to manage employees' BYOD devices should respect the employees' private information.
For more information, the Information Leaflet is available here.
DLA Piper's Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more, please click here.
JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS
In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.
Where the supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, in order to seek a remedy (for example, damages) the supplier must follow the approach prescribed in the Bill. This is likely to be a two-step process. Firstly, the supplier must attempt to resolve the complaint with the procuring entity. Secondly, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.
The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year.
IPT INSIGHTS
24 | Intellectual Property and Technology News
WHAT'S ON
Wrap up: 5th Global Technology Summit
On September 27 and 28, DLA Piper's Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.
This year the Summit was divided into two distinct days of programming. The first day, called 'Garage2Global', was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from 'garage to global'. The second day, entitled 'TechLaw', provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.
Speaker Highlights
At 'Garage2Global', Alec Ross, former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day, Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world's largest networks, one that powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates Inc.
Kicking off 'TechLaw', Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions, and how the legal department is viewed as a business partner. During the afternoon sessions, Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, to discuss the GC's role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world's largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.
Please visit our Summit website and blog for any further information.
DLA Piper is pleased to announce the launch of Telecommunications Laws of the World
Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.
Key features include:
Telecommunications laws, regulations and policies
Regulatory bodies or authorities
Overview of consents, licenses and authorisations
Regulatory taxes and fees
Key sanctions and penalties
Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-based stamping for trading transactions, robust, reliable and resilient networks are critical.
Today, telecommunications operators are increasingly seeking to expand customer-specific and value added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion. At the same time, the growth of OTT (over the top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators' infrastructure to provide services.
Access Telecommunications Laws of the World here.
Intellectual property webinar series
Throughout 2016, DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact eventsaustraliadlapipercom.
Intellectual property issues in China
Confidential information and trade secrets: global insights, global protection
Grey market, parallel importation and anti-counterfeiting
Content protection and digital piracy
Advertising and marketing
Pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide
We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.
Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:
Trademark filing and prosecution
Oppositions
Revocation, invalidation and cancellation
Trademark enforcement
Trademark exploitation
Unregistered trademark rights
Domain and company name disputes
To pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide, email APACTMGuidedlapipercom.
Are you an in-house lawyer? Join WIN today
WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.
GLOBAL PATENT LAWS AROUND THE WORLD
COMING SOON
Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to businesses operating in the countries featured: for example, what acts infringe a patent, the availability of and approach to granting preliminary injunctions, the ability to obtain evidence, the approach to assessing validity, and the typical time to trial. For companies operating in multiple countries, managing the risk of, and successfully bringing or defending, patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those in other countries.
DLA PIPER'S PATENT GROUP
With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.
For further information, please contact us by email at patentsdlapipercom.
Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and procedural matters businesses need to know about. The handbook includes guidance on:
Infringing conduct
Defences to infringement
Before taking action
Patent validity
Taking action
Remedies
Procedure & timing
Benefits of Global Patent Laws
Patent laws simply put; global reach; easy access 24/7
The customer experience of insurance has largely remained the same for many years. A customer completes a proposal form (normally in hard copy) and submits it to the broker; the broker requests quotes from insurers; insurers provide quotes; the broker places a policy; the policy is issued (normally on an annual basis); and then the customer probably gives no further thought to it unless he or she needs to make a claim. This process does not fit well with the digital era we now live in and has not adapted quickly enough to meet changing consumer expectations, largely driven by millennials.
Insurers widely recognise the need to innovate. Despite this, most insurers have been slow to change their ways, with less than a quarter giving customers the option to submit claims online. This signals huge opportunities for those in the insurance sector, which explains the huge growth we are seeing in 'insurtech' (a word that was barely known a few years ago but now seems to be everywhere). Globally, investment in insurtech increased from US$800 million in 2014 to US$2.6 billion in 2015, and was US$1 billion in the first half of 2016.
Across Asia Pacific there are numerous examples of insurers embracing insurtech. Some insurers have opened innovation labs or incubators, such as MetLife's LumenLab in Singapore. Others have established corporate VC funds to invest in insurtech startups that will drive value for the business. For example, Suncorp recently invested in Trov, an app that allows customers to turn insurance on and off by swiping right or left on their phones. We have also seen collaboration between insurers and car manufacturers to make available one-click, single use motor vehicle policies in connected cars, as well as collaboration between insurers and technology companies. Another indicator of the opportunities in insurtech is the level of interest shown in the insurance market by leading players in other markets. For example, earlier this year China Mobile announced it is planning to enter the insurance market by making significant investments in two insurance companies.
These initiatives are already starting to have an impact on the insurance experience. The use of drones by insurance companies to assess property damage is reducing claims costs and the time taken to assess claims. The implementation of wearable technology in the workplace, such as smart glasses and smart hats, is increasing workplace safety and thereby reducing the risk of injuries. The use of wearable devices has also been adopted by health insurers and life insurers, enabling them to capture data and potentially pass on lower premiums to policy holders. In the future, we predict the most significant areas of growth and change in insurtech will be data analytics, wearables and IoT, blockchain and artificial intelligence.
Whilst regulators understandably adopt a cautious approach, they are taking steps to encourage fintech and insurtech initiatives. The Monetary Authority of Singapore very recently published guidelines for a 'regulatory sandbox' to encourage growth in fintech within a relaxed regulatory environment. This follows the announcement by the Australian Securities & Investments Commission of a sandbox for fintech businesses.
As the insurance sector becomes increasingly digitised, cybersecurity risks also increase. Regulators around the region have published new and updated guidance that is relevant to the increasingly sophisticated cybersecurity threats. It is important that insurers' compliance and risk teams focus not only on the immediate cybersecurity compliance obligations arising from the latest regulations, but also ensure that cybersecurity compliance programmes are developed to take into account increasing reliance on technology and data at the core of their operations.
As technology continues to evolve and improve, insurtech opportunities will increase. Although the rise of insurtech has been rapid in recent years, it is still in its infancy. This presents significant opportunities for insurers who adapt to changing consumer expectations and invest in insurtech, especially in Asia, where many people are uninsured but are well connected and spend a lot of time online via their mobile devices. Adapting quickly to this dynamic landscape will enable insurers to remain competitive.
PROPOSED AUSTRALIAN MANDATORY DATA BREACH NOTIFICATION REGIME
By Nicholas Boyle, Senior Associate (Sydney)
In October 2016, the federal Government introduced the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill) to the House of Representatives to amend the Privacy Act to establish a regime for mandatory notification of eligible data breaches. There is bipartisan support for the Bill and it is likely to become law in late 2016 or early 2017.
What are the mandatory data breach notification requirements under the Bill?
The Bill requires that an entity must, as soon as practicable, comply with the notification steps outlined below if:
the entity becomes aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity; or
the Information Commissioner directs the entity to do so.
If an 'eligible data breach' occurs in relation to information which has been disclosed to (and is held by) an overseas recipient by an entity, the entity that disclosed the information must comply.
Step 1: Prepare a statement setting out the prescribed details
The affected entity must prepare a statement that sets out:
the identity and contact details of the entity (if the eligible data breach relates to more than one entity, the statement may set out the identity and contact details of those other entities);
a description of the eligible data breach;
the kind or kinds of information affected by the eligible data breach; and
recommendations about the steps that individuals who are or may be affected by the eligible data breach should take in response to it.
If a statement is prepared at the direction of the Information Commissioner, the statement must also include any information specified in that direction.
Step 2: Give a copy of the prepared statement to the Information Commissioner
Step 3: Notify the contents of the statement to individuals whose information is affected by the eligible data breach
Where practicable, the affected entity must take reasonable steps to notify the contents of the statement to those individuals who are or may be affected by the eligible data breach. The entity may use the channels it ordinarily uses to communicate with individuals (e.g. email, text message, mail) to provide those notifications, but that does not limit the obligation to take reasonable steps or the methods of communication that the entity can use.
If it is not practicable for the affected entity to notify individuals, the affected entity must publish a copy of the statement on its website (if any) and take reasonable steps to publicise the contents of the statement.
What are 'eligible data breaches'?
An 'eligible data breach' occurs when:
there is unauthorised access to, or unauthorised disclosure of, personal, credit reporting or credit eligibility information or a tax file number, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates; or
personal, credit reporting or credit eligibility information or a tax file number is lost, where it is likely that (a) unauthorised access to or unauthorised disclosure of the information will occur and (b) such unauthorised access or disclosure will result in serious harm to an individual to whom the information relates.
Remedial action exception to the definition of eligible data breaches
An eligible data breach is deemed never to have occurred where the affected entity:
in the case of lost information, takes action before there is unauthorised access to or unauthorised disclosure of the information which is lost, and no unauthorised access or disclosure actually occurs; or
in the case of information which is the subject of unauthorised access or disclosure, takes action before there is serious harm to any individual to whom the information relates, and because of that action a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals.
What is 'serious harm'?
'Serious harm' is to be interpreted broadly. The explanatory memorandum to the Bill states that 'serious harm' could include serious physical, psychological, emotional, economic and financial harm, and serious harm to reputation.
The Bill contains a non-exhaustive list of matters to be considered in determining whether or not access to or disclosure of information is likely to result in 'serious harm'. These matters include:
the kind(s) and sensitivity of the information;
whether the information is protected by one or more security measures, and the likelihood of any of these measures being overcome;
the persons, or the kinds of persons, who have obtained or who could obtain the information;
the nature of the harm.
Exceptions
There are a small number of circumstances in which entities are exempted from complying with the notification obligations:
Multiple affected entities: where the eligible data breach affects more than one entity and another entity has complied with the notification obligations, those other affected entities do not need to separately comply.
Enforcement related activities: where the affected entity is an enforcement body and the body's CEO reasonably believes that complying with the notification obligations is likely to prejudice any of its enforcement related activities.
Inconsistency with a secrecy provision: where complying with the notification obligations is to any extent inconsistent with a provision of a law of the Commonwealth that prohibits or regulates the use or disclosure of information.
Declaration by the Commissioner: where the Information Commissioner declares that the notification obligations do not apply, or specifies a particular time by which the affected entity must comply with the notification obligations.
Assessment of suspected eligible data breaches
If an entity has reasonable grounds to suspect an eligible data breach may have occurred, but is not aware of reasonable grounds to believe that an eligible data breach has in fact occurred, the entity must carry out a reasonable and prompt assessment to determine whether an eligible data breach has in fact occurred. This could occur where an entity is notified of a breach by a third party.
The entity must take reasonable steps to complete the assessment within 30 days after forming the suspicion.
If the eligible data breach applies to more than one entity, only one entity needs to undertake an assessment for all entities to comply with this requirement.
SIGNIFICANT CHANGES TO DATA AND CYBERSECURITY PRACTICES IN CHINA
By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong), and Paula Cao, Associate (Beijing)
After a third deliberation, the Chinese government passed the new PRC cybersecurity law on 7 November 2016. The new law will come into force on 1 June 2017 and has significant implications for the data privacy and cybersecurity practices of both Chinese companies and international organisations doing business in China.
The new PRC cybersecurity law intends to combat online fraud and protect China against internet security risks. In short, it imposes new security and data protection obligations on "network operators", puts restrictions on transfers of data outside China by "key information infrastructure operators", and introduces new restrictions on critical network and cybersecurity products.
The new law has been widely reported in both the local and international press. While Chinese officials maintain that China is not closing the door on foreign companies with the introduction of this new law, there has been widespread international unease since the first reading. Commentators have expressed concern that competition will be stifled, regarding the handover of intellectual property, source codes and security keys to the Chinese government, as to perceived increased surveillance and controls over the internet in China, and in relation to the data localisation requirements. Other new obligations, including increased personal data protections, have been less controversial, but are a clear indicator of the increased focus within the Chinese authorities on data protection and could signal a change to the data protection enforcement environment in China.
Some of the key provisions of the final law (which contains some changes to earlier drafts of the law) include (inter alia):
Chinese citizens' personal information and "important data" gathered and produced by "key information infrastructure operators" (KIIO) during operations in China must be kept within the borders of the PRC. If it is "necessary" for the KIIO to transfer such data outside of China, a security assessment must be conducted pursuant to the measures jointly formulated by the National Cyberspace Administration and State Council, unless other PRC laws permit the overseas transfer. While the final version of the law provides some guidance as to the industry fields that will be ascribed greater protection, such as public communications and information service, energy, transportation, water conservancy, finance, public service and e-government, the definition of KIIO remains vague and could potentially be interpreted to cover a broader range of companies and industry sectors. "Personal information" is defined as including all kinds of information, recorded electronically or through other means, that taken alone or together with other information is sufficient to identify a natural person's identity, including but not limited to natural persons' full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers and so forth. However, the types of information that might constitute "important data" are currently unclear. In any case, these data localisation rules are likely to create practical issues for international businesses operating in China.
A range of new obligations apply to organisations that are "network operators" (i.e. network owners, network administrators and network service providers). A "network" means any system comprising computers or other information terminals and related equipment for collection, storage, transmission, exchange and processing of information. Some commentators are suggesting that these broad definitions could catch any business that owns and operates IT networks/infrastructure, or even just websites, in China.
In terms of data protection, network operators must make publicly available data privacy notices (explicitly stating purposes, means and scope of personal information to be collected and used) and obtain individuals' consent when collecting, using and disclosing their personal information. Network operators must adopt technical measures to ensure the security of personal information against loss, destruction or leaks, and in the event of a data security breach must take immediate remedial action and promptly notify users and the relevant authorities. They must also comply with principles of legality, propriety and necessity in their data handling and not be excessive, not provide an individual's personal information to others without the individual's consent, nor illegally sell an individual's personal data to others. The rules do not apply to truly anonymised data. There are also general obligations to keep user information confidential and to establish and maintain data protection systems. Data subject rights to correction of their data, as well as a right to request deletion of data in the event of a data breach, are also provided. While an earlier draft specifically provided protection to personal information of "citizens", the final law does not make this distinction and so seemingly offers a broader protection to all personal information. These requirements formalise as binding legal obligations some data protection safeguards that were previously only perceived as best practice guidance in China.
As regards network security, network operators must fulfil certain tiered security obligations according to the requirements of the classified protection system for cybersecurity, which includes (amongst other things) formulating internal security management systems and operating instructions, appointing dedicated cybersecurity personnel, taking technological measures to prevent computer viruses and other similar threats and attacks, formulating plans to monitor and respond to network security incidents, retaining network logs for at least six months, undertaking prescribed data classification, back up, encryption and similar activities, complying with national and mandatory security standards, reporting incidents to users and the authorities, and establishing complaints systems.
Network operators must also provide technical support and assistance to state security bodies safeguarding national security and investigating crimes, and will be subject to government and public supervision. The form and extent of such cooperation is not currently clear, and international businesses have expressed concerns over the extent to which this may require them to disclose their IP, proprietary and confidential information to the Chinese authorities.
More general conditions on network operators carrying out business and service activities include obeying all laws and regulations, mandatory and industry national standards, social norms and commercial ethics, being honest and credible, and bearing social responsibility. There are also requirements on network operators to block, delete and report to the authorities prohibited information and malicious programs published or installed by users.
Network operators handling "network access and domain registration services" for users, including mobile phone and instant message service providers, are required to comply with "real identity" rules when signing up or providing service confirmation to users, or else may not provide the service.
Additional security safeguards apply to KIIOs, including security background checks on key managers, staff training obligations, disaster recovery backups, emergency response planning, and annual inspections and assessments. Further, strict procurement procedures will apply to KIIOs buying network products and services.
Providers of "network products and services" must comply with national and mandatory standards; their products and services must not contain malicious programs; they must take remedial action against security issues and report them to users and relevant authorities; and they must provide security maintenance for their products and services, which cannot be terminated within the contract term agreed with customers. These new conditions will require providers of technology products and services to review and update their product and related maintenance offerings, and in particular the contractual terms on which they are offered to customers.
Critical network equipment and specialised cybersecurity products must obtain government certification or meet prescribed safety inspection requirements before being sold or provided. This potentially catches a wide range of software, hardware and other technologies being sold – or proposed to be sold – by international companies in China, since the definitions used in the law are drafted very broadly. Further guidance, by way of a catalogue of key network products, is expected in due course. There are concerns that this may create barriers to international businesses looking to enter the Chinese market.
www.dlapiper.com | 17
Each individual and organisation shall be responsible for its own use of websites, and may not set up websites or communication groups for the purpose of committing fraud, imparting criminal methods, producing or selling prohibited items or engaging in other unlawful activities. Again, there is scope for this to be interpreted and applied broadly.
Institutions, organisations and individuals outside China that cause serious consequences by attacking, interfering with or destroying key information infrastructure of China shall be responsible for any damage, and the relevant public security department of the State Council may freeze assets and impose other sanctions against them. While these provisions would appear to have an extra-territorial effect and could be interpreted very broadly, it is unclear what sanctions could in practice be enforced against organisations without a presence in China.
Other new rules relate to network/online protections for minors; the establishment of schemes for network security monitoring, early warning and breach notification to relevant authorities and the public; rights for individuals and organisations to report conduct endangering network security; opening of public data resources; and prohibitions on hacking and supporting activities.
While criminal sanctions, administrative penalties and civil liabilities potentially await those (both organisations and, in some circumstances, individual employees and officers) who violate the new law, unfortunately great uncertainties remain as to how the new legislation will be enforced, who exactly is caught by the various new rules and the precise steps that organisations must take to comply with them. It is hoped that the Chinese authorities will publish more detailed practical guidance in the coming months. In the meantime, organisations are strongly advised to review their data privacy and cybersecurity practices in China to ensure compliance with the new law before it comes into force on 1 June 2017, and to keep these under review as further guidance becomes available.
18 | Intellectual Property and Technology News
The China State Administration of Industry and Commerce’s Online Advertising Regulation (Regulation) came into force on September 1, 2016. The Regulation has been widely regarded as the response to a recent scandal regarding paid search results.
Earlier this year a promising college student in China, Wei Ze Xi, sought cancer treatment at a hospital which was returned as a paid search result on an internet search engine. The hospital promised that the treatment would be effective and charged Wei US$30,000. The treatment was later found to be ineffective, but Wei could not then afford further
The changes
The newly amended Advertising Law did not expressly address the regulation of ‘paid search results’, but the new Regulation includes a specific definition of paid search results which sees them classified as an internet advertisement and thus subject to the Advertising Law. As such, the Regulation means, inter alia, that paid search results:
must not be misleading;
cannot be used in relation to the advertisement of prescription medication and tobacco products;
cannot be used in relation to the advertisement of medical services, medicine, medical formula food, medical devices, pesticides, veterinary medicines and health care products unless the relevant products and services have been previously approved by the relevant authorities; and
must be able to be closed with ‘one click’ and must not interfere with a user’s internet experience.
The Regulation also requires online advertising service providers to establish internal systems for, inter alia, identifying clients who use paid search results and storing their details and advertisements.
Practical implications
The new Regulation affects not only search engine providers but all online advertising businesses and users of paid search results.
Businesses advertising in China using paid search results must check to ensure such paid search results are in compliance with the Advertising Law, and those businesses operating in any of the restricted fields listed above must now ensure prior approval is sought before placing a paid search result advertisement.
Our team of lawyers in China is ready to advise you on the preparations you need to make for the implementation of the Regulation.
STRICTER PRC ONLINE ADVERTISING REGULATION IN RESPONSE TO SEARCH SCANDAL
By Edward Chatterton, Partner (Hong Kong), Horace Lam, Partner (Beijing), and Ian Jebbit, Registered Foreign Lawyer (Hong Kong)
MOBILE APPS UNDER CLOSE WATCH OF THE HONG KONG PRIVACY COMMISSIONER
By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong)
The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps. On 21 April 2016 the Office of the Privacy Commissioner for Personal Data (the PCPD) held the ‘Mobile App Development Forum on Privacy and Security’ (Forum) for the mobile app industry, which discussed key issues for mobile app developers, businesses and stakeholders to consider when developing and operating mobile apps, in terms of ensuring compliance with the provisions of the Personal Data (Privacy) Ordinance and safeguarding users from cybersecurity risks.
Businesses operating in the mobile app industry and related stakeholders are advised to take note of the key points raised at the Forum set out below, and the related issues that they should consider.
Lessons to learn from mobile apps in the market
The Privacy Commissioner highlighted the results of a recent survey on popular mobile apps developed by Hong Kong entities, which revealed a lack of transparency in the personal data handling of the apps. The survey results revealed that most of these local apps did not explain clearly what data they would access and the purposes for such access, and that only around half of these mobile apps provided a privacy policy.
A key risk discussed at the Forum was that the drafter of the privacy policies may not have a complete understanding of what data is in fact collected, stored, used and/or shared by the app, for example where third party code is used in the app development. Businesses using one privacy policy for all of their mobile apps, which may differ greatly in the way users’ data are handled, also run the risk of having imprecise privacy policies for individual apps.
Security remains a key concern in relation to personal data collected and handled by mobile apps. It was revealed at the Forum that, alarmingly, some extremely popular mobile apps failed to apply adequate security to safeguard users’ personal data.
Enforcement risks for mobile apps
At the Forum the Privacy Commissioner referred to enforcement actions that were taken against mobile apps recently, largely due to excessive data collection and inadequate security of personal data.
In recent years the Privacy Commissioner has served enforcement notices on operators of mobile apps as well as related parties to the app operators. As a result, the relevant companies have taken corrective actions and, in some instances, the Privacy Commissioner’s enforcement action attracted much media attention, and some of these mobile apps are no longer available in the market.
However, there is a limit to the Privacy Commissioner’s enforcement powers, as demonstrated by a high profile incident in November 2016 regarding call-blocking apps whose activities were suspected by the PCPD to contravene Hong Kong’s data privacy law. As the apps’ operators were located outside Hong Kong, the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow up action.
It is most likely that the privacy compliance of mobile apps will continue to be under the close watch of the Privacy Commissioner in the coming months.
Privacy by Design
The Chief Personal Data Officer of the PCPD, Dr Henry Chang, highlighted the ‘Privacy by Design’ approach that businesses should adopt, which brings privacy to the foreground and embeds privacy from the outset into the design specifications and throughout the entire development life cycle of a mobile app. Set out below are key factors that should be considered.
Data minimisation – The collection of personal data should be reduced to the absolute minimum, especially where sensitive personal data is involved. An assessment of what data the business requires from users, in terms of access and collection, should be undertaken at the outset.
Surprise minimisation – Businesses should ensure there is transparency to users in terms of what data will be collected or accessed, and provide users with a choice to opt out from such access or use where possible. It is important for businesses to manage the expectations of users and eliminate or minimise any possible adverse effects of data collection and use.
Risk minimisation – Businesses must ensure adequate protection of data being transmitted and/or stored, for example through encryption and access control.
Trust and respect – To earn the trust and respect of users, it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects, even if it does not amount to personal data. This is key, as mobile devices contain a vast amount of personal data and other data that may be considered private, and users will be concerned about whether the mobile app accesses or collects any of this data.
In particular, businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users, rather than a compliance hurdle to avoid investigation or enforcement action by the Privacy Commissioner. Businesses should ensure the data collection and handling practices in respect of their mobile apps are not only compliant with the law, but that the privacy policies, privacy notifications and consents are sufficiently clear and transparent to gain the trust and respect of users.
Singapore’s Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC has published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident with the Monetary Authority of Singapore (MAS) concerning a multinational bank. The PDPC has also recently announced the need for organisations to improve their data security and data protection measures, and has issued new guides, primarily focusing on data protection measures, which organisations should consider carefully.
Recent enforcement decisions
Some of the key points to note from the three recent enforcement decisions:
A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.
A document processing company was fined SGD 5,000 for a data breach after 195 individuals received account statements of other account holders held on the Singapore Exchange.
A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (being the policy holder’s chiropractor) to obtain further medical information about the policy holder in September 2015. The PDPC found that the disclosure of the policy holder’s bank account details, being of a sensitive financial nature, was not for a reasonable purpose.
It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of ‘sensitive personal data’ which requires additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.
As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were a result of inadequate data security measures which led to unauthorised disclosure of personal data.
SINGAPORE’S ENFORCEMENT OF DATA PROTECTION LAW ON THE RISE
By Scott Thiel, Partner, Carolyn Bigg, Of Counsel, and Amy Kong, Associate (Hong Kong)
Investigation into a multinational bank’s data disposal incident
The PDPC and the MAS have joined forces in an investigation against a multinational bank (Bank) following a recent report relating to the Bank’s disposal of client documents. In June 2016 it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank’s headquarters in Singapore.
The MAS is working closely with the PDPC to review the incident, and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers’ data.
New guides issued by the PDPC
To accompany its recent media release urging organisations to improve their data security measures, and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, securing personal data in electronic medium, and building websites for small to medium enterprises.
The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding content on withdrawal of consent and access requests. Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing their data handling practices.
Some interesting issues to note
The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third party contracts. Such data protection clauses should contain: specific security measures; a schedule containing the authorised personnel who are permitted to access the personal data on a ‘need to know’ basis; a requirement for a written undertaking about return or deletion of personal data; as well as a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.
The PDPC’s guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).
This article was first published in August 2016. For further updates in relation to Singapore’s data protection laws, please contact Scott Thiel (scott.thiel@dlapiper.com) or Carolyn Bigg (carolyn.bigg@dlapiper.com).
AUSTRALIA – TRADE MARKS – CHANGES TO OFFICIAL FEES
The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees, some of which are to align with practices in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.
Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there will no longer be a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptance/registration, the new process will hopefully reduce the administrative burden on applicants somewhat.
In addition, the AU$150 fee for opposing a removal application will be abolished. Renewal fees will also increase slightly.
This is an adjustment to official fees only at this time, and DLA Piper Australia is not increasing its fees for the relevant attendances.
HONG KONG’S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD
Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong’s Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees are using their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap 486) (the Ordinance) and the Data Protection Principles (DPPs).
The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices depending on whether or not the organisation’s data is stored on the personal devices or within a ‘sandbox’. The Commissioner has suggested as best practice that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance.
The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding use of personal data stored in the BYOD device, and whether adequate security measures are in place to ensure secure transfer and storage of personal data in the BYOD equipment (eg sandboxing, password protection and independent encryption).
The Information Leaflet also highlights that respect for personal data should be mutual under the BYOD scheme, and any practices implemented to manage employees’ BYOD devices should respect the employees’ private information.
For more information, the Information Leaflet is available here.
DLA Piper’s Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more, please click here.
JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS
In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.
Where the supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, in order to seek a remedy (for example, damages) the supplier must follow the approach prescribed in the Bill. This is likely to be a two-step process. Firstly, the supplier must attempt to resolve the complaint with the procuring entity. Secondly, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.
The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year.
IPT INSIGHTS
WHAT’S ON
Wrap up: 5th Global Technology Summit
On September 27 and 28, DLA Piper’s Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.
This year the Summit was divided into two distinct days of programming. The first day, which was called ‘Garage2Global’, was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from ‘garage to global’. The second day, which was entitled ‘TechLaw’, provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.
Speaker Highlights
At ‘Garage2Global’, Alec Ross, Former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day, Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world’s largest networks, which powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates, Inc.
Kicking off ‘TechLaw’, Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions, and how the legal department is viewed as a business partner. During the afternoon sessions, Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, to discuss the GC’s role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world’s largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.
Please visit our Summit website and blog for any further information.
DLA Piper is pleased to announce the launch of Telecommunications Laws of the World.
Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.
Key features include:
telecommunications laws regulations and policies
regulatory bodies or authorities
overview of consents licenses and authorisations
regulatory taxes and fees
key sanctions and penalties
Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-based stamping for trading transactions, robust, reliable and resilient networks are critical.
Today, telecommunications operators are increasingly seeking to expand customer-specific and value added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion. At the same time, the growth of OTT (over the top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators’ infrastructure to provide services.
Access Telecommunications Laws of the World here.
Intellectual property webinar series
Throughout 2016 DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact events.australia@dlapiper.com.
intellectual property issues in China
confidential information and trade secrets: global insights, global protection
grey market, parallel importation and anti-counterfeiting
content protection and digital piracy
advertising and marketing
Pre-order your copy of the inaugural edition of DLA Piperrsquos Asia-Pacific Trademark Guide
We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.
Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:
trademark filing and prosecution
oppositions
revocation, invalidation and cancellation
trademark enforcement
trademark exploitation
unregistered trademark rights
domain and company name disputes
To pre-order your copy of the inaugural edition of DLA Piper’s Asia-Pacific Trademark Guide, email APACTMGuide@dlapiper.com.
Are you an in-house lawyer? Join WIN today.
WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.
DLA PIPER ASIA PACIFIC TRADEMARK GUIDE 2016
Pre-order your complimentary copy now
We are pleased to bring you the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.
Relevant for the complete brand life cycle, this user-friendly guide looks at such essential issues as:
trademark filing and prosecution
oppositions
revocation, invalidation and cancellation
trademark enforcement
trademark exploitation
unregistered trademark rights
domain and company name disputes
To pre-order your copy of the inaugural edition of DLA Piper’s Asia Pacific Trademark Guide, please complete this card or email us at APACTMGuide@dlapiper.com.
GLOBAL PATENT LAWS AROUND THE WORLD
COMING SOON
Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to businesses operating in the countries featured, for example what acts infringe a patent, the availability of and approach to granting preliminary injunctions, the ability to obtain evidence, the approach to assessing validity and the typical time to trial. For companies operating in multiple countries, managing the risk of and successfully bringing or defending patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those in other countries.
DLA PIPER’S PATENT GROUP
With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.
For further information, please contact us by email at patents@dlapiper.com.
Benefits of Global Patent Laws: patent laws simply put; global reach; easy access 24/7.
Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and procedural matters businesses need to know about. The handbook includes guidance on:
infringing conduct
defences to infringement
before taking action
patent validity
taking action
remedies
procedure & timing
In October 2016 the Federal Government introduced the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill) to the House of Representatives, to amend the Privacy Act to establish a regime for mandatory notification of eligible data breaches. There is bipartisan support for the Bill and it is likely to become law in late 2016 or early 2017.
What are the mandatory data breach notification requirements under the Bill?
The Bill requires that an entity must, as soon as practicable, comply with the notification steps outlined below if:
the entity becomes aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity; or
the Information Commissioner directs the entity to do so.
If an ‘eligible data breach’ occurs in relation to information which has been disclosed to (and is held by) an overseas recipient by an entity, the entity that disclosed the information must comply.
Step 1: Prepare a statement setting out the prescribed details
The affected entity must prepare a statement that sets out:
the identity and contact details of the entity. If the eligible data breach relates to more than one entity, the statement may set out the identity and contact details of those other entities;
a description of the eligible data breach;
the kind or kinds of information affected by the eligible data breach; and
recommendations about the steps that individuals who are or may be affected by the eligible data breach should take in response to it.
If a statement is prepared at the direction of the Information Commissioner, the statement must also include any information specified in that direction.
Step 2: Give a copy of the prepared statement to the Information Commissioner
Step 3: Notify the contents of the statement to individuals whose information is affected by the eligible data breach
Where practicable the affected entity must take reasonable steps to notify the contents of the statement to those individuals to who are or may be affected by the eligible data breach The entity may use the channels it ordinarily uses to communicate with individuals (eg email text message mail) to provide those notifications but that does not limit the obligation to take reasonable steps or the methods of communication that the entity can use
If it is not practicable for the affected entity to notify individuals the affected entity must publish a copy of the statement on its website (if any) and take reasonable steps to publicise the contents of the statement
PROPOSED AUSTRALIAN mANDATORY DATA bREACH NOTIfICATION REGImEBy nicholas Boyle senior associate (sydney)
14 | Intellectual Property and Technology News
What are ‘eligible data breaches’?
An ‘eligible data breach’ occurs when:
there is unauthorised access to, or unauthorised disclosure of, personal, credit reporting or credit eligibility information or a tax file number, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates; or
personal, credit reporting or credit eligibility information or a tax file number is lost, where it is likely that (a) unauthorised access to or unauthorised disclosure of the information will occur and (b) such unauthorised access or disclosure will result in serious harm to an individual to whom the information relates.
Remedial action: exception to the definition of eligible data breaches
An eligible data breach is deemed never to have occurred where the affected entity:
in the case of lost information, takes action before there is unauthorised access to or unauthorised disclosure of the information which is lost, and no unauthorised access or disclosure actually occurs; or
in the case of information which is the subject of unauthorised access or disclosure, takes action before there is serious harm to any individual to whom the information relates and, because of that action, a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals.
What is ‘serious harm’?
‘Serious harm’ is to be interpreted broadly. The explanatory memorandum to the Bill states that ‘serious harm’ could include serious physical, psychological, emotional, economic and financial harm, and serious harm to reputation.
The Bill contains a non-exhaustive list of matters to be considered in determining whether or not access to or disclosure of information is likely to result in “serious harm”. These matters include:
the kind(s) and sensitivity of the information;
whether the information is protected by one or more security measures, and the likelihood of any of these measures being overcome;
the persons, or the kinds of persons, who have obtained or who could obtain the information; and
the nature of the harm.
Exceptions
There are a small number of circumstances in which entities are exempted from complying with the notification obligations:
Multiple affected entities: where the eligible data breach affects more than one entity and another entity has complied with the notification obligations, those other affected entities do not need to separately comply.
Enforcement related activities: where the affected entity is an enforcement body and the body’s CEO reasonably believes that complying with the notification obligations is likely to prejudice any of its enforcement related activities.
Inconsistency with a secrecy provision: where complying with the notification obligations is, to any extent, inconsistent with a provision of a law of the Commonwealth that prohibits or regulates the use or disclosure of information.
Declaration by the Commissioner: where the Information Commissioner declares that the notification obligations do not apply, or specifies a particular time by which the affected entity must comply with the notification obligations.
Assessment of suspected eligible data breaches
If an entity has reasonable grounds to suspect that an eligible data breach may have occurred, but is not aware of reasonable grounds to believe that an eligible data breach has in fact occurred, the entity must carry out a reasonable and prompt assessment to determine whether an eligible data breach has in fact occurred. This could occur where an entity is notified of a breach by a third party.
The entity must take reasonable steps to complete the assessment within 30 days after forming the suspicion.
If the eligible data breach applies to more than one entity, only one entity needs to undertake an assessment for all entities to comply with this requirement.
www.dlapiper.com | 15
SIGNIFICANT CHANGES TO DATA AND CYBERSECURITY PRACTICES IN CHINA
By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong), and Paula Cao, Associate (Beijing)
After a third deliberation, the Chinese government passed the new PRC cybersecurity law on 7 November 2016. The new law will come into force on 1 June 2017 and has significant implications for the data privacy and cybersecurity practices of both Chinese companies and international organisations doing business in China.
The new PRC cybersecurity law intends to combat online fraud and protect China against internet security risks. In short, it imposes new security and data protection obligations on “network operators”, puts restrictions on transfers of data outside China by “key information infrastructure operators”, and introduces new restrictions on critical network and cybersecurity products.
The new law has been widely reported in both the local and international press. While Chinese officials maintain that China is not closing the door on foreign companies with the introduction of this new law, there has been widespread international unease since the first reading. Commentators have expressed concern that competition will be stifled, regarding the handover of intellectual property, source codes and security keys to the Chinese government, as to perceived increased surveillance and controls over the internet in China, and in relation to the data localisation requirements. Other new obligations, including increased personal data protections, have been less controversial, but are a clear indicator of the increased focus within the Chinese authorities on data protection and could signal a change to the data protection enforcement environment in China.
Some of the key provisions of the final law (which contains some changes to earlier drafts of the law) include (inter alia):
Chinese citizens’ personal information and “important data” gathered and produced by “key information infrastructure operators” (KIIOs) during operations in China must be kept within the borders of the PRC. If it is “necessary” for the KIIO to transfer such data outside of China, a security assessment must be conducted pursuant to the measures jointly formulated by the National Cyberspace Administration and State Council, unless other PRC laws permit the overseas transfer. While the final version of the law provides some guidance as to the industry fields that will be ascribed greater protection, such as public communications and information service, energy, transportation, water conservancy, finance, public service and e-government, the definition of KIIO remains vague and could potentially be interpreted to cover a broader range of companies and industry sectors. “Personal information” is defined as including all kinds of information, recorded electronically or through other means, that taken alone or together with other information is sufficient to identify a natural person’s identity, including but not limited to natural persons’ full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers and so forth. However, the types of information that might constitute “important data” are currently unclear. In any case, these data localisation rules are likely to create practical issues for international businesses operating in China.
A range of new obligations apply to organisations that are “network operators” (i.e. network owners, network administrators and network service providers). A “network” means any system comprising computers or other information terminals and related equipment for collection, storage, transmission, exchange and processing of information. Some commentators are suggesting that these broad definitions could catch any business that owns and operates IT networks/infrastructure, or even just websites, in China.
In terms of data protection, network operators must make publicly available data privacy notices (explicitly stating the purposes, means and scope of personal information to be collected and used) and obtain individuals’ consent when collecting, using and disclosing their personal information. Network operators must adopt technical measures to ensure the security of personal information against loss, destruction or leaks and, in the event of a data security breach, must take immediate remedial action and promptly notify users and the relevant authorities. They must also comply with principles of legality, propriety and necessity in their data handling and not be excessive, not provide an individual’s personal information to others without the individual’s consent, nor illegally sell an individual’s personal data to others. The rules do not apply to truly anonymised data. There are also general obligations to keep user information confidential and to establish and maintain data protection systems. Data subject rights to correction of their data, as well as a right to request deletion of data in the event of a data breach, are also provided. While an earlier draft specifically provided protection to personal information of “citizens”, the final law does not make this distinction and so seemingly offers broader protection to all personal information. These requirements formalise as binding legal obligations some data protection safeguards that were previously only perceived as best practice guidance in China.
As regards network security, network operators must fulfil certain tiered security obligations according to the requirements of the classified protection system for cybersecurity, which includes (amongst other things): formulating internal security management systems and operating instructions; appointing dedicated cybersecurity personnel; taking technological measures to prevent computer viruses and other similar threats and attacks, and formulating plans to monitor and respond to network security incidents; retaining network logs for at least six months; undertaking prescribed data classification, back-up, encryption and similar activities; complying with national and mandatory security standards; reporting incidents to users and the authorities; and establishing complaints systems.
Network operators must also provide technical support and assistance to state security bodies safeguarding national security and investigating crimes, and will be subject to government and public supervision. The form and extent of such cooperation is not currently clear, and international businesses have expressed concerns over the extent to which this may require them to disclose their IP, proprietary and confidential information to the Chinese authorities.
More general conditions on network operators carrying out business and service activities include obeying all laws and regulations, mandatory and industry national standards, social norms and commercial ethics, being honest and credible, and bearing social responsibility. There are also requirements on network operators to block, delete and report to the authorities prohibited information and malicious programs published or installed by users.
Network operators handling “network access and domain registration services” for users, including mobile phone and instant message service providers, are required to comply with “real identity” rules when signing up or providing service confirmation to users, or else may not provide the service.
Additional security safeguards apply to KIIOs, including security background checks on key managers, staff training obligations, disaster recovery back-ups, emergency response planning, and annual inspections and assessments. Further, strict procurement procedures will apply to KIIOs buying network products and services.
Providers of “network products and services” must comply with national and mandatory standards; their products and services must not contain malicious programs; they must take remedial action against security issues and report them to users and relevant authorities; and they must provide security maintenance for their products and services, which cannot be terminated within the contract term agreed with customers. These new conditions will require providers of technology products and services to review and update their product and related maintenance offerings and, in particular, the contractual terms on which they are offered to customers.
Critical network equipment and specialised cybersecurity products must obtain government certification or meet prescribed safety inspection requirements before being sold or provided. This potentially catches a wide range of software, hardware and other technologies being sold – or proposed to be sold – by international companies in China, since the definitions used in the law are drafted very broadly. Further guidance by way of a catalogue of key network products is expected in due course. There are concerns that this may create barriers to international businesses looking to enter the Chinese market.
Each individual and organisation shall be responsible for its own use of websites and may not set up websites or communication groups for the purpose of committing fraud, imparting criminal methods, producing or selling prohibited items, or engaging in other unlawful activities. Again, there is scope for this to be interpreted and applied broadly.
Institutions, organisations and individuals outside China that cause serious consequences by attacking, interfering with or destroying key information infrastructure of China shall be responsible for any damage, and the relevant public security department of the State Council may freeze assets and impose other sanctions against them. While these provisions would appear to have an extra-territorial effect and could be interpreted very broadly, it is unclear what sanctions could in practice be enforced against organisations without a presence in China.
Other new rules relate to network/online protections for minors; the establishment of schemes for network security monitoring, early warning and breach notification to relevant authorities and the public; rights for individuals and organisations to report conduct endangering network security; opening of public data resources; and prohibitions on hacking and supporting activities.
While criminal sanctions, administrative penalties and civil liabilities potentially await those (both organisations and, in some circumstances, individual employees and officers) who violate the new law, unfortunately great uncertainties remain as to how the new legislation will be enforced, who exactly is caught by the various new rules, and the precise steps that organisations must take to comply with them. It is hoped that the Chinese authorities will publish more detailed practical guidance in the coming months. In the meantime, organisations are strongly advised to review their data privacy and cybersecurity practices in China to ensure compliance with the new law before it comes into force on 1 June 2017, and to keep these under review as further guidance becomes available.
STRICTER PRC ONLINE ADVERTISING REGULATION IN RESPONSE TO SEARCH SCANDAL
By Edward Chatterton, Partner (Hong Kong), Horace Lam, Partner (Beijing), and Ian Jebbit, Registered Foreign Lawyer (Hong Kong)
The China State Administration of Industry and Commerce’s Online Advertising Regulation (Regulation) came into force on September 1, 2016. The Regulation has been widely regarded as the response to a recent scandal regarding paid search results.
Earlier this year, a promising college student in China, Wei Ze Xi, sought cancer treatment at a hospital which was returned as a paid search result on an internet search engine. The hospital promised that the treatment would be effective and charged Wei US$30,000. The treatment was later found to be ineffective, but Wei could not then afford further
The changes
The newly amended Advertising Law did not expressly address the regulation of ‘paid search results’, but the new Regulation includes a specific definition of paid search results which sees them classified as an internet advertisement and thus subject to the Advertising Law. As such, the Regulation means, inter alia, that paid search results:
must not be misleading;
cannot be used in relation to the advertisement of prescription medication and tobacco products;
cannot be used in relation to the advertisement of medical services, medicine, medical formula food, medical devices, pesticides, veterinary medicines and health care products, unless the relevant products and services have been previously approved by the relevant authorities; and
must be able to be closed with ‘one click’ and must not interfere with a user’s internet experience.
The Regulation also requires online advertising service providers to establish internal systems for, inter alia, identifying clients who use paid search results and storing their details and advertisements.
Practical implications
The new Regulation affects not only search engine providers but all online advertising businesses and users of paid search results.
Businesses advertising in China using paid search results must check to ensure such paid search results are in compliance with the Advertising Law, and those businesses operating in any of the restricted fields listed above must now ensure prior approval is sought before placing a paid search result advertisement.
Our team of lawyers in China is ready to advise you on the preparations you need to make for the implementation of the Regulation.
MOBILE APPS UNDER CLOSE WATCH OF THE HONG KONG PRIVACY COMMISSIONER
By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong)
The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps. On 21 April 2016, the Office of the Privacy Commissioner for Personal Data (the PCPD) held the ‘Mobile App Development Forum on Privacy and Security’ (Forum) for the mobile app industry, which discussed key issues for mobile app developers, businesses and stakeholders to consider when developing and operating mobile apps, in terms of ensuring compliance with the provisions of the Personal Data (Privacy) Ordinance and safeguarding users from cybersecurity risks.
Businesses operating in the mobile app industry and related stakeholders are advised to take note of the below key points raised at the Forum and related issues that they should consider.
Lessons to learn from mobile apps in the market
The Privacy Commissioner highlighted the results of a recent survey on popular mobile apps developed by Hong Kong entities, which revealed a lack of transparency in the personal data handling in relation to the apps. The survey results revealed that most of these local apps did not explain clearly what data they would access and the purposes for such access, and that only around half of these mobile apps provided a privacy policy.
A key risk discussed at the Forum was that the drafter of the privacy policies may not have a complete understanding of what data is in fact collected, stored, used and/or shared by the app, for example in the case of using third party code in the app development. Businesses using the one privacy policy for all of their mobile apps, which differ greatly in the way users’ data are handled, also run the risk of having imprecise privacy policies for individual apps.
Security remains a key concern in relation to personal data collected and handled by mobile apps. It was revealed at the Forum that, alarmingly, some extremely popular mobile apps failed to apply adequate security to safeguard users’ personal data.
Enforcement risks for mobile apps
At the Forum, the Privacy Commissioner referred to enforcement actions that were taken against mobile apps recently, largely due to excessive data collection and inadequate security of personal data.
In recent years, the Privacy Commissioner has served enforcement notices on operators of mobile apps, as well as related parties to the app operators. As a result, the relevant companies have taken corrective actions and, in some instances, the Privacy Commissioner’s enforcement action attracted much media attention, and some of these mobile apps are no longer available in the market.
However, there is a limit to the Privacy Commissioner’s enforcement powers, as demonstrated by a high profile incident in November 2016 regarding call-blocking apps whose activities were suspected by the PCPD to contravene Hong Kong’s data privacy law. As the apps’ operators were located outside Hong Kong, the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow-up action.
It is most likely that the privacy compliance of mobile apps will continue to be under the close watch of the Privacy Commissioner in the coming months.
Privacy by Design
The Chief Personal Data Officer of the PCPD, Dr Henry Chang, highlighted the ‘Privacy by Design’ approach that businesses should adopt, which brings privacy to the foreground and embeds privacy from the outset into the design specifications and throughout the entire development life cycle of a mobile app. Set out below are key factors that should be considered:
Data minimisation – The collection of personal data should be reduced to the absolute minimum, especially where sensitive personal data is involved. An assessment of what data the business requires from users, in terms of access and collection, should be undertaken at the outset.
Surprise minimisation – Businesses should ensure there is transparency to users in terms of what data will be collected or accessed, and provide users with a choice to opt out from such access or use where possible. It is important for businesses to manage the expectations of users and eliminate or minimise any possible adverse effects of data collection and use.
Risk minimisation – Businesses must ensure adequate protection of data being transmitted and/or stored, for example through encryption and access control.
Trust and respect – To earn the trust and respect of users, it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects, even if it does not amount to personal data. This is key, as mobile devices contain a vast amount of personal data and other data that may be considered private, and users would be concerned about whether the mobile app accesses or collects any of this data.
In particular, businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users, rather than a compliance hurdle to avoid investigation or enforcement action by the Privacy Commissioner. Businesses should ensure the data collection and handling practices in respect of their mobile apps are not only compliant with the law, but that the privacy policies and privacy notifications and consents are sufficiently clear and transparent to gain the trust and respect of users.
SINGAPORE’S ENFORCEMENT OF DATA PROTECTION LAW ON THE RISE
By Scott Thiel, Partner, Carolyn Bigg, Of Counsel, and Amy Kong, Associate (Hong Kong)
Singapore’s Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC has published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident with the Monetary Authority of Singapore (MAS) concerning a multinational bank. The PDPC has also recently announced the need for organisations to improve their data security and data protection measures, and has issued new guides, primarily focusing on data protection measures, which organisations should consider carefully.
Recent enforcement decisions
Some of the key points to note from the three recent enforcement decisions:
A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.
A document processing company was fined SGD 5,000 for a data breach after 195 individuals received account statements of other account holders held on the Singapore Exchange.
A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (being the policy holder’s chiropractor) to obtain further medical information about the policy holder in September 2015. The PDPC found that the disclosure of the policy holder’s bank account details, being of a sensitive financial nature, was not for a reasonable purpose.
It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of ‘sensitive personal data’ which requires additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.
As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were a result of inadequate data security measures which led to unauthorised disclosure of personal data.
Investigation into a multinational bank’s data disposal incident
The PDPC and the MAS have joined forces in an investigation against a multinational bank (Bank) following a recent report relating to the Bank’s disposal of client documents. In June 2016, it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank’s headquarters in Singapore.
The MAS is working closely with the PDPC to review the incident and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers’ data.
New guides issued by the PDPC
To accompany its recent media release urging organisations to improve their data security measures, and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, securing personal data in electronic medium, and building websites for small to medium enterprises.
The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding content on withdrawal of consent and access requests. Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing their data handling practices.
Some interesting issues to note
The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third party contracts. Such data protection clauses should contain specific security measures, a schedule containing the authorised personnel who are permitted to access the personal data on a ‘need to know’ basis, a requirement for a written undertaking about return or deletion of personal data, as well as a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.
The PDPC’s guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).
This article was first published in August 2016. For further updates in relation to Singapore’s data protection laws, please contact Scott Thiel (scott.thiel@dlapiper.com) or Carolyn Bigg (carolyn.bigg@dlapiper.com).
AUSTRALIA ndash TRADE mARKS ndash CHANGES TO OffICIAL fEES
The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees some of which are to align with practices and other jurisdictions and (hopefully) to cut red tape The changes took effect on 10 October 2016
Significantly the official fees on filing a new application have increased (by around AU$100 per class) but there will no longer be a separate registration fee payable at the acceptanceregistration stage While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptanceregistration the new process will hopefully reduce the administrative burden on applicants somewhat
In addition the AU$150 fee for opposing a removal application will be abolished Renewal fees will also increase slightly
This is an adjustment to official fees only at this time and DLA Piper Australia is not increasing its fees for the relevant attendances
HONG KONG'S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD
Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong's Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees are using their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap 486) (the Ordinance) and the Data Protection Principles (DPPs).
The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices depending on whether the organisation's data is stored on the personal devices or within a 'sandbox'. The Commissioner has suggested as best practice that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance.
The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding use of personal data stored on the BYOD device, and whether adequate security measures are in place to ensure secure transfer and storage of personal data on the BYOD equipment (eg sandboxing, password protection and independent encryption).
The Information Leaflet also highlights that respect for personal data should be mutual under the BYOD scheme, and any practices implemented to manage employees' BYOD devices should respect the employees' private information.
For more information, the Information Leaflet is available here.
DLA Piper's Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more, please click here.
JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS
In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.
Where the supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, in order to seek a remedy (for example, damages) the supplier must follow the approach prescribed in the Bill. This is likely to be a two-step process. Firstly, the supplier must attempt to resolve the complaint with the procuring entity. Secondly, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.
The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year.
IPT INSIGHTS
WHAT'S ON
Wrap up: 5th Global Technology Summit
On September 27 and 28, DLA Piper's Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.
This year the Summit was divided into two distinct days of programming. The first day, called 'Garage2Global', was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from 'garage to global'. The second day, entitled 'TechLaw', provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.
Speaker Highlights
At 'Garage2Global', Alec Ross, Former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes from his new book The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day, Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world's largest networks, which powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates Inc.
Kicking off 'TechLaw', Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions, and how the legal department is viewed as a business partner. During the afternoon sessions, Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, to discuss the GC's role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world's largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.
Please visit our Summit website and blog for any further information.
DLA Piper is pleased to announce the launch of Telecommunications Laws of the World.
Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.
Key features include:
telecommunications laws regulations and policies
regulatory bodies or authorities
overview of consents licenses and authorisations
regulatory taxes and fees
key sanctions and penalties
Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-based stamping for trading transactions, robust, reliable and resilient networks are critical.
Today, telecommunications operators are increasingly seeking to expand customer-specific and value added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion. At the same time, the growth of OTT (over the top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators' infrastructure to provide services.
Access Telecommunications Laws of the World here.
Intellectual property webinar series
Throughout 2016, DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact eventsaustralia@dlapiper.com:
intellectual property issues in China
confidential information and trade secrets: global insights, global protection
grey market, parallel importation and anti-counterfeiting
content protection and digital piracy
advertising and marketing
Pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide
We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.
Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:
trademark filing and prosecution
oppositions
revocation, invalidation and cancellation
trademark enforcement
trademark exploitation
unregistered trademark rights
domain and company name disputes
To pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide, email APACTMGuide@dlapiper.com.
Are you an in-house lawyer? Join WIN today
WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.
DLA PIPER ASIA PACIFIC TRADEMARK GUIDE 2016
Pre-order your complimentary copy now
We are pleased to bring you the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.
Relevant for the complete brand life cycle, this user-friendly guide looks at such essential issues as:
trademark filing and prosecution
oppositions
revocation, invalidation and cancellation
trademark enforcement
trademark exploitation
unregistered trademark rights
domain and company name disputes
To pre-order your copy of the inaugural edition of DLA Piper's Asia Pacific Trademark Guide, please complete this card or email us at APACTMGuide@dlapiper.com.
GLOBAL PATENT LAWS AROUND THE WORLD
COMING SOON
Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to businesses operating in the countries featured, for example: what acts infringe a patent, the availability of and approach to granting preliminary injunctions, the ability to obtain evidence, the approach to assessing validity, and the typical time to trial. For companies operating in multiple countries, managing the risk of, and successfully bringing or defending, patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those in other countries.
DLA PIPER'S PATENT GROUP
With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.
For further information, please contact us by email at patents@dlapiper.com.
Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and procedural matters businesses need to know about. The handbook includes guidance on:
infringing conduct
defences to infringement
before taking action
patent validity
taking action
remedies
procedure & timing
Benefits of Global Patent Laws
Patent laws, simply put. Global reach. Easy access 24/7.
What are 'eligible data breaches'?
An 'eligible data breach' occurs when:
there is unauthorised access to, or unauthorised disclosure of, personal, credit reporting or credit eligibility information or a tax file number, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates; or
personal, credit reporting or credit eligibility information or a tax file number is lost, where it is likely that (a) unauthorised access to or unauthorised disclosure of the information will occur, and (b) such unauthorised access or disclosure will result in serious harm to an individual to whom the information relates.
Remedial action exception to the definition of eligible data breaches
An eligible data breach is deemed never to have occurred where the affected entity:
in the case of lost information, takes action before there is unauthorised access to or unauthorised disclosure of the information which is lost, and no unauthorised access or disclosure actually occurs; or
in the case of information which is the subject of unauthorised access or disclosure, takes action before there is serious harm to any individual to whom the information relates, and because of that action a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals.
What is 'serious harm'?
'Serious harm' is to be interpreted broadly. The explanatory memorandum to the Bill states that 'serious harm' could include serious physical, psychological, emotional, economic and financial harm, and serious harm to reputation.
The Bill contains a non-exhaustive list of matters to be considered in determining whether or not access to or disclosure of information is likely to result in "serious harm". These matters include:
the kind(s) and sensitivity of the information
whether the information is protected by one or more security measures, and the likelihood of any of these measures being overcome
the persons or the kinds of persons who have obtained or who could obtain the information
the nature of the harm
Exceptions
There are a small number of circumstances in which entities are exempted from complying with the notification obligations:
Multiple affected entities: Where the eligible data breach affects more than one entity and another entity has complied with the notification obligations, those other affected entities do not need to separately comply.
Enforcement related activities: Where the affected entity is an enforcement body and the body's CEO reasonably believes that complying with the notification obligations is likely to prejudice any of its enforcement related activities.
Inconsistency with a secrecy provision: Where complying with the notification obligations is to any extent inconsistent with a provision of a law of the Commonwealth that prohibits or regulates the use or disclosure of information.
Declaration by the Commissioner: Where the Information Commissioner declares that the notification obligations do not apply, or specifies a particular time by which the affected entity must comply with the notification obligations.
Assessment of suspected eligible data breaches
If an entity has reasonable grounds to suspect an eligible data breach may have occurred, but is not aware of reasonable grounds to believe that an eligible data breach has in fact occurred, the entity must carry out a reasonable and prompt assessment to determine whether an eligible data breach has in fact occurred. This could occur where an entity is notified of a breach by a third party.
The entity must take reasonable steps to complete the assessment within 30 days after forming the suspicion.
If the eligible data breach applies to more than one entity, only one entity needs to undertake an assessment for all entities to comply with this requirement.
SIGNIFICANT CHANGES TO DATA AND CYBERSECURITY PRACTICES IN CHINA
By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong), and Paula Cao, Associate (Beijing)
After a third deliberation, the Chinese government passed the new PRC cybersecurity law on 7 November 2016. The new law will come into force on 1 June 2017 and has significant implications for the data privacy and cybersecurity practices of both Chinese companies and international organisations doing business in China.
The new PRC cybersecurity law intends to combat online fraud and protect China against internet security risks. In short, it imposes new security and data protection obligations on "network operators", puts restrictions on transfers of data outside China by "key information infrastructure operators", and introduces new restrictions on critical network and cybersecurity products.
The new law has been widely reported in both the local and international press. While Chinese officials maintain that China is not closing the door on foreign companies with the introduction of this new law, there has been widespread international unease since the first reading. Commentators have expressed concern that competition will be stifled, regarding the handover of intellectual property, source codes and security keys to the Chinese government, as to perceived increased surveillance and controls over the internet in China, and in relation to the data localisation requirements. Other new obligations, including increased personal data protections, have been less controversial but are a clear indicator of the increased focus within the Chinese authorities on data protection, and could signal a change to the data protection enforcement environment in China.
Some of the key provisions of the final law (which contains some changes to earlier drafts of the law) include (inter alia):
Chinese citizens' personal information and "important data" gathered and produced by "key information infrastructure operators" (KIIO) during operations in China must be kept within the borders of the PRC. If it is "necessary" for the KIIO to transfer such data outside of China, a security assessment must be conducted pursuant to the measures jointly formulated by the National Cyberspace Administration and State Council, unless other PRC laws permit the overseas transfer. While the final version of the law provides some guidance as to the industry fields that will be ascribed greater protection, such as public communications and information service, energy, transportation, water conservancy, finance, public service and e-government, the definition of KIIO remains vague and could potentially be interpreted to cover a broader range of companies and industry sectors. "Personal information" is defined as including all kinds of information, recorded electronically or through other means, that taken alone or together with other information is sufficient to identify a natural person's identity, including but not limited to natural persons' full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers and so forth. However, the types of information that might constitute "important data" are currently unclear. In any case, these data localisation rules are likely to create practical issues for international businesses operating in China.
A range of new obligations apply to organisations that are "network operators" (ie network owners, network administrators and network service providers). A "network" means any system comprising computers or other information terminals and related equipment for collection, storage, transmission, exchange and processing of information. Some commentators are suggesting that these broad definitions could catch any business that owns and operates IT networks/infrastructure, or even just websites, in China.
In terms of data protection, network operators must make publicly available data privacy notices (explicitly stating purposes, means and scope of personal information to be collected and used) and obtain individuals' consent when collecting, using and disclosing their personal information. Network operators must adopt technical measures to ensure the security of personal information against loss, destruction or leaks, and in the event of a data security breach must take immediate remedial action and promptly notify users and the relevant authorities. They must also comply with principles of legality, propriety and necessity in their data handling and not be excessive, not provide an individual's personal information to others without the individual's consent, nor illegally sell an individual's personal data to others. The rules do not apply to truly anonymised data. There are also general obligations to keep user information confidential and to establish and maintain data protection systems. Data subject rights to correction of their data, as well as a right to request deletion of data in the event of a data breach, are also provided. While an earlier draft specifically provided protection to personal information of "citizens", the final law does not make this distinction and so seemingly offers a broader protection to all personal information. These requirements formalise as binding legal obligations some data protection safeguards that were previously only perceived as best practice guidance in China.
As regards network security, network operators must fulfil certain tiered security obligations according to the requirements of the classified protection system for cybersecurity, which includes (amongst other things): formulating internal security management systems and operating instructions; appointing dedicated cybersecurity personnel; taking technological measures to prevent computer viruses and other similar threats and attacks; formulating plans to monitor and respond to network security incidents; retaining network logs for at least six months; undertaking prescribed data classification, back up, encryption and similar activities; complying with national and mandatory security standards; reporting incidents to users and the authorities; and establishing complaints systems.
Network operators must also provide technical support and assistance to state security bodies safeguarding national security and investigating crimes, and will be subject to government and public supervision. The form and extent of such cooperation is not currently clear, and international businesses have expressed concerns over the extent to which this may require them to disclose their IP, proprietary and confidential information to the Chinese authorities.
More general conditions on network operators carrying out business and service activities include obeying all laws and regulations, mandatory and industry national standards, social norms and commercial ethics, being honest and credible, and bearing social responsibility. There are also requirements on network operators to block, delete and report to the authorities prohibited information and malicious programs published or installed by users.
Network operators handling "network access and domain registration services" for users, including mobile phone and instant message service providers, are required to comply with "real identity" rules when signing up or providing service confirmation to users, or else may not provide the service.
Additional security safeguards apply to KIIOs, including security background checks on key managers, staff training obligations, disaster recovery back ups, emergency response planning, and annual inspections and assessments. Further, strict procurement procedures will apply to KIIOs buying network products and services.
Providers of "network products and services" must comply with national and mandatory standards; their products and services must not contain malicious programs; they must take remedial action against security issues and report them to users and relevant authorities; and they must provide security maintenance for their products and services, which cannot be terminated within the contract term agreed with customers. These new conditions will require providers of technology products and services to review and update their product and related maintenance offerings, and in particular the contractual terms on which they are offered to customers.
Critical network equipment and specialised cybersecurity products must obtain government certification or meet prescribed safety inspection requirements before being sold or provided. This potentially catches a wide range of software, hardware and other technologies being sold, or proposed to be sold, by international companies in China, since the definitions used in the law are drafted very broadly. Further guidance by way of a catalogue of key network products is expected in due course. There are concerns that this may create barriers to international businesses looking to enter the Chinese market.
Each individual and organisation shall be responsible for its own use of websites, and may not set up websites or communication groups for the purpose of committing fraud, imparting criminal methods, producing or selling prohibited items, or engaging in other unlawful activities. Again, there is scope for this to be interpreted and applied broadly.
Institutions, organisations and individuals outside China that cause serious consequences by attacking, interfering with or destroying key information infrastructure of China shall be responsible for any damage, and the relevant public security department of the State Council may freeze assets and impose other sanctions against them. While these provisions would appear to have an extra-territorial effect and could be interpreted very broadly, it is unclear what sanctions could in practice be enforced against organisations without a presence in China.
Other new rules relate to network/online protections for minors; the establishment of schemes for network security monitoring, early warning and breach notification to relevant authorities and the public; rights for individuals and organisations to report conduct endangering network security; opening of public data resources; and prohibitions on hacking and supporting activities.
While criminal sanctions, administrative penalties and civil liabilities potentially await those (both organisations and, in some circumstances, individual employees and officers) who violate the new law, unfortunately great uncertainties remain as to how the new legislation will be enforced, who exactly is caught by the various new rules, and the precise steps that organisations must take to comply with them. It is hoped that the Chinese authorities will publish more detailed practical guidance in the coming months. In the meantime, organisations are strongly advised to review their data privacy and cybersecurity practices in China to ensure compliance with the new law before it comes into force on 1 June 2017, and to keep these under review as further guidance becomes available.
STRICTER PRC ONLINE ADVERTISING REGULATION IN RESPONSE TO SEARCH SCANDAL
By Edward Chatterton, Partner (Hong Kong), Horace Lam, Partner (Beijing), and Ian Jebbit, Registered Foreign Lawyer (Hong Kong)
The China State Administration of Industry and Commerce's Online Advertising Regulation (Regulation) came into force on September 1, 2016. The Regulation has been widely regarded as the response to a recent scandal regarding paid search results.
Earlier this year, a promising college student in China, Wei Ze Xi, sought cancer treatment at a hospital which was returned as a paid search result on an internet search engine. The hospital promised that the treatment would be effective and charged Wei US$30,000. The treatment was later found to be ineffective, but Wei could not then afford further
The changes
The newly amended Advertising Law did not expressly address the regulation of 'paid search results', but the new Regulation includes a specific definition of paid search results, which sees them classified as an internet advertisement and thus subject to the Advertising Law. As such, the Regulation means, inter alia, paid search results:
must not be misleading;
cannot be used in relation to the advertisement of prescription medication and tobacco products;
cannot be used in relation to the advertisement of medical services, medicine, medical formula food, medical devices, pesticides, veterinary medicines and health care products unless the relevant products and services have been previously approved by the relevant authorities; and
must be able to be closed with 'one click' and must not interfere with a user's internet experience.
The Regulation also requires online advertising service providers to establish internal systems for, inter alia, identifying clients who use paid search results and storing their details and advertisements.
Practical implications
The new Regulation affects not only search engine providers but all online advertising businesses and users of paid search results.
Businesses advertising in China using paid search results must check to ensure such paid search results are in compliance with the Advertising Law, and those businesses operating in any of the restricted fields listed above must now ensure prior approval is sought before placing a paid search result advertisement.
Our team of lawyers in China is ready to advise you on the preparations you need to make for the implementation of the Regulation.
MOBILE APPS UNDER CLOSE WATCH OF THE HONG KONG PRIVACY COMMISSIONER
By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong)
The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps. On 21 April 2016, the Office of the Privacy Commissioner for Personal Data (the PCPD) held the 'Mobile App Development Forum on Privacy and Security' (Forum) for the mobile app industry, which discussed key issues for mobile app developers, businesses and stakeholders to consider when developing and operating mobile apps, in terms of ensuring compliance with the provisions of the Personal Data (Privacy) Ordinance and safeguarding users from cybersecurity risks.
Businesses operating in the mobile app industry and related stakeholders are advised to take note of the key points below, raised at the Forum, and the related issues that they should consider.
Lessons to learn from mobile apps in the market
The Privacy Commissioner highlighted the results of a recent survey on popular mobile apps developed by Hong Kong entities, which revealed a lack of transparency in the handling of personal data by the apps. The survey results revealed that most of these local apps did not explain clearly what data they would access and the purposes for such access, and that only around half of these mobile apps provided a privacy policy.
A key risk discussed at the Forum was that the drafter of the privacy policies may not have a complete understanding of what data is in fact collected, stored, used and/or shared by the app, for example in the case of using third party code in the app development. Businesses using the one privacy policy for all of their mobile apps, which differ greatly in the way users' data are handled, also run the risk of having imprecise privacy policies for individual apps.
Security remains a key concern in relation to personal data collected and handled by mobile apps. It was revealed at the Forum that, alarmingly, some extremely popular mobile apps failed to apply adequate security to safeguard users' personal data.
Enforcement risks for mobile apps
At the Forum, the Privacy Commissioner referred to enforcement actions that were taken against mobile apps recently, largely due to excessive data collection and inadequate security of personal data.
In recent years, the Privacy Commissioner has served enforcement notices on operators of mobile apps as well as related parties to the app operators. As a result, the relevant companies have taken corrective actions, and in some instances the Privacy Commissioner's enforcement action attracted much media attention, and some of these mobile apps are no longer available in the market.
However, there is a limit to the Privacy Commissioner's enforcement powers, as demonstrated by a high profile incident in November 2016 regarding call-blocking apps whose activities were suspected by the PCPD to contravene Hong Kong's data privacy law. As the apps' operators were located outside Hong Kong, the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow up action.
It is most likely that the privacy compliance of mobile apps will continue to be under the close watch of the Privacy Commissioner in the coming months.
Privacy by Design
The Chief Personal Data Officer of the PCPD, Dr Henry Chang, highlighted the ‘Privacy by Design’ approach that businesses should adopt, which brings privacy to the foreground and embeds privacy from the outset into the design specifications and throughout the entire development life cycle of a mobile app. Set out below are key factors that should be considered.
Data minimisation – The collection of personal data should be reduced to the absolute minimum, especially where sensitive personal data is involved. An assessment of what data the business requires from users, in terms of access and collection, should be undertaken at the outset.
Surprise minimisation – Businesses should ensure there is transparency to users in terms of what data will be collected or accessed, and provide users with a choice to opt out from such access or use where possible. It is important for businesses to manage the expectations of users and eliminate or minimise any possible adverse effects of data collection and use.
Risk minimisation – Businesses must ensure adequate protection of data being transmitted and/or stored, for example through encryption and access control.
Trust and respect – To earn the trust and respect of users, it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects, even if it does not amount to personal data. This is key, as mobile devices contain a vast amount of personal data and other data that may be considered private, and users would be concerned about whether the mobile app accesses or collects any of this data.
In particular, businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users, rather than a compliance hurdle to avoid investigation or enforcement action by the Privacy Commissioner. Businesses should ensure the data collection and handling practices in respect of their mobile apps are not only compliant with the law, but that the privacy policies, privacy notifications and consents are sufficiently clear and transparent to gain the trust and respect of users.
www.dlapiper.com | 21
SINGAPORE’S ENFORCEMENT OF DATA PROTECTION LAW ON THE RISE
By Scott Thiel, Partner, Carolyn Bigg, Of Counsel, and Amy Kong, Associate (Hong Kong)
Singapore’s Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC has published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident with the Monetary Authority of Singapore (MAS) concerning a multinational bank. The PDPC has also recently announced the need for organisations to improve their data security and data protection measures, and has issued new guides primarily focusing on data protection measures, which organisations should consider carefully.
Recent enforcement decisions
Some of the key points to note from the three recent enforcement decisions:
A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.
A document processing company was fined SGD 5,000 for a data breach after 195 individuals received account statements of other account holders held on the Singapore Exchange.
A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (being the policy holder’s chiropractor) to obtain further medical information about the policy holder in September 2015. The PDPC found that the disclosure of the policy holder’s bank account details, being of a sensitive financial nature, was not for a reasonable purpose.
It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of ‘sensitive personal data’ which requires additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.
As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were a result of inadequate data security measures, which led to unauthorised disclosure of personal data.
Investigation into a multinational bank’s data disposal incident
The PDPC and the MAS have joined forces in an investigation against a multinational bank (Bank) following a recent report relating to the Bank’s disposal of client documents. In June 2016, it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank’s headquarters in Singapore.
The MAS is working closely with the PDPC to review the incident, and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers’ data.
New guides issued by the PDPC
To accompany its recent media release urging organisations to improve their data security measures, and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, securing personal data in electronic medium, and building websites for small to medium enterprises.
The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding content on withdrawal of consent and access requests. Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing their data handling practices.
Some interesting issues to note
The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third-party contracts. Such data protection clauses should contain specific security measures; a schedule containing the authorised personnel who are permitted to access the personal data on a ‘need to know’ basis; a requirement for a written undertaking about return or deletion of personal data; as well as a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.
The PDPC’s guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).
This article was first published in August 2016. For further updates in relation to Singapore’s data protection laws, please contact Scott Thiel (scott.thiel@dlapiper.com) or Carolyn Bigg (carolyn.bigg@dlapiper.com).
AUSTRALIA – TRADE MARKS – CHANGES TO OFFICIAL FEES
The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees, some of which are to align with practices in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.
Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there will no longer be a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptance/registration, the new process will hopefully reduce the administrative burden on applicants somewhat.
In addition, the AU$150 fee for opposing a removal application will be abolished. Renewal fees will also increase slightly.
This is an adjustment to official fees only at this time, and DLA Piper Australia is not increasing its fees for the relevant attendances.
HONG KONG’S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD
Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong’s Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees are using their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap 486) (the Ordinance) and the Data Protection Principles (DPPs).
The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices that differ depending on whether or not the organisation’s data is stored on the personal devices or within a ‘sandbox’. The Commissioner has suggested as best practice that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance.
The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding use of personal data stored on the BYOD device, and whether adequate security measures are in place to ensure secure transfer and storage of personal data on the BYOD equipment (e.g. sandboxing, password protection and independent encryption).
The Information Leaflet also highlights that respect for personal data should be mutual under the BYOD scheme, and any practices implemented to manage employees’ BYOD devices should respect the employees’ private information.
For more information, the Information Leaflet is available here.
DLA Piper’s Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe.
JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS
In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.
Where the supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, in order to seek a remedy (for example, damages) the supplier must follow the approach prescribed in the Bill. This is likely to be a two-step process. Firstly, the supplier must attempt to resolve the complaint with the procuring entity. Secondly, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.
The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year.
IPT INSIGHTS
WHAT’S ON
Wrap-up: 5th Global Technology Summit
On September 27 and 28, DLA Piper’s Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.
This year the Summit was divided into two distinct days of programming. The first day, which was called ‘Garage2Global’, was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from ‘garage to global’. The second day, which was entitled ‘TechLaw’, provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.
Speaker Highlights
At ‘Garage2Global’, Alec Ross, Former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day, Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world’s largest networks, which powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates, Inc.
Kicking off ‘TechLaw’, Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions, and how the legal department is viewed as a business partner. During the afternoon sessions, Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, to discuss the GC’s role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world’s largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.
Please visit our Summit website and blog for any further information.
DLA Piper is pleased to announce the launch of Telecommunications Laws of the World
Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.
Key features include:
telecommunications laws, regulations and policies
regulatory bodies or authorities
overview of consents, licences and authorisations
regulatory taxes and fees
key sanctions and penalties
Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-based stamping for trading transactions, robust, reliable and resilient networks are critical.
Today, telecommunications operators are increasingly seeking to expand customer-specific and value-added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion. At the same time, the growth of OTT (over the top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators’ infrastructure to provide services.
Access Telecommunications Laws of the World here.
Intellectual property webinar series
Throughout 2016, DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact eventsaustralia@dlapiper.com.
intellectual property issues in China
confidential information and trade secrets: global insights, global protection
grey market, parallel importation and anti-counterfeiting
content protection and digital piracy
advertising and marketing
Pre-order your copy of the inaugural edition of DLA Piper’s Asia-Pacific Trademark Guide
We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.
Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:
trademark filing and prosecution
oppositions
revocation, invalidation and cancellation
trademark enforcement
trademark exploitation
unregistered trademark rights
domain and company name disputes
To pre-order your copy of the inaugural edition of DLA Piper’s Asia-Pacific Trademark Guide, email APACTMGuide@dlapiper.com.
Are you an in-house lawyer? Join WIN today
WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.
GLOBAL PATENT LAWS AROUND THE WORLD
COMING SOON
Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to businesses operating in the countries featured, for example: what acts infringe a patent, the availability of and approach to granting preliminary injunctions, the ability to obtain evidence, the approach to assessing validity and the typical time to trial. For companies operating in multiple countries, managing the risk of, and successfully bringing or defending, patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those in other countries.
Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and procedural matters businesses need to know about. The handbook includes guidance on:
infringing conduct
defences to infringement
before taking action
patent validity
taking action
remedies
procedure & timing
Benefits of Global Patent Laws
Patent laws simply put. Global reach. Easy access 24/7.
DLA PIPER’S PATENT GROUP
With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.
For further information, please contact us by email at patents@dlapiper.com.
SIGNIFICANT CHANGES TO DATA AND CYBERSECURITY PRACTICES IN CHINA
By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong), and Paula Cao, Associate (Beijing)
After a third deliberation, the Chinese government passed the new PRC cybersecurity law on 7 November 2016. The new law will come into force on 1 June 2017 and has significant implications for the data privacy and cybersecurity practices of both Chinese companies and international organisations doing business in China.
The new PRC cybersecurity law intends to combat online fraud and protect China against internet security risks. In short, it imposes new security and data protection obligations on “network operators”, puts restrictions on transfers of data outside China by “key information infrastructure operators”, and introduces new restrictions on critical network and cybersecurity products.
The new law has been widely reported in both the local and international press. While Chinese officials maintain that China is not closing the door on foreign companies with the introduction of this new law, there has been widespread international unease since the first reading. Commentators have expressed concern that competition will be stifled, regarding the handover of intellectual property, source codes and security keys to the Chinese government, as to perceived increased surveillance and controls over the internet in China, and in relation to the data localisation requirements. Other new obligations, including increased personal data protections, have been less controversial, but are a clear indicator of the increased focus within the Chinese authorities on data protection and could signal a change to the data protection enforcement environment in China.
Some of the key provisions of the final law (which contains some changes to earlier drafts of the law) include (inter alia):
Chinese citizens’ personal information and “important data” gathered and produced by “key information infrastructure operators” (KIIO) during operations in China must be kept within the borders of the PRC. If it is “necessary” for the KIIO to transfer such data outside of China, a security assessment must be conducted pursuant to the measures jointly formulated by the National Cyberspace Administration and State Council, unless other PRC laws permit the overseas transfer. While the final version of the law provides some guidance as to the industry fields that will be ascribed greater protection, such as public communications and information service, energy, transportation, water conservancy, finance, public service and e-government, the definition of KIIO remains vague and could potentially be interpreted to cover a broader range of companies and industry sectors. “Personal information” is defined as including all kinds of information, recorded electronically or through other means, that taken alone or together with other information is sufficient to identify a natural person’s identity, including but not limited to natural persons’ full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers and so forth. However, the types of information that might constitute “important data” are currently unclear. In any case, these data localisation rules are likely to create practical issues for international businesses operating in China.
A range of new obligations apply to organisations that are “network operators” (i.e. network owners, network administrators and network service providers). A “network” means any system comprising computers or other information terminals and related equipment for collection, storage, transmission, exchange and processing of information. Some commentators are suggesting that these broad definitions could catch any business that owns and operates IT networks/infrastructure, or even just websites, in China.
In terms of data protection, network operators must make publicly available data privacy notices (explicitly stating purposes, means and scope of personal information to be collected and used) and obtain individuals’ consent when collecting, using and disclosing their personal information. Network operators must adopt technical measures to ensure the security of personal information against loss, destruction or leaks, and in the event of a data security breach must take immediate remedial action and promptly notify users and the relevant authorities. They must also comply with principles of legality, propriety and necessity in their data handling and not be excessive; not provide an individual’s personal information to others without the individual’s consent; nor illegally sell an individual’s personal data to others. The rules do not apply to truly anonymised data. There are also general obligations to keep user information confidential and to establish and maintain data protection systems. Data subject rights to correction of their data, as well as a right to request deletion of data in the event of a data breach, are also provided. While an earlier draft specifically provided protection to personal information of “citizens”, the final law does not make this distinction and so seemingly offers broader protection to all personal information. These requirements formalise as binding legal obligations some data protection safeguards that were previously only perceived as best practice guidance in China.
As regards network security, network operators must fulfil certain tiered security obligations according to the requirements of the classified protection system for cybersecurity, which includes (amongst other things): formulating internal security management systems and operating instructions; appointing dedicated cybersecurity personnel; taking technological measures to prevent computer viruses and other similar threats and attacks, and formulating plans to monitor and respond to network security incidents; retaining network logs for at least six months; undertaking prescribed data classification, back-up, encryption and similar activities; complying with national and mandatory security standards; reporting incidents to users and the authorities; and establishing complaints systems.
Network operators must also provide technical support and assistance to state security bodies safeguarding national security and investigating crimes, and will be subject to government and public supervision. The form and extent of such cooperation is not currently clear, and international businesses have expressed concerns over the extent to which this may require them to disclose their IP, proprietary and confidential information to the Chinese authorities.
More general conditions on network operators carrying out business and service activities include obeying all laws and regulations, mandatory and industry national standards, social norms and commercial ethics, being honest and credible, and bearing social responsibility. There are also requirements on network operators to block, delete and report to the authorities prohibited information and malicious programs published or installed by users.
Network operators handling “network access and domain registration services” for users, including mobile phone and instant message service providers, are required to comply with “real identity” rules when signing up or providing service confirmation to users, or else may not provide the service.
Additional security safeguards apply to KIIOs, including security background checks on key managers, staff training obligations, disaster recovery back-ups, emergency response planning, and annual inspections and assessments. Further, strict procurement procedures will apply to KIIOs buying network products and services.
Providers of “network products and services” must comply with national and mandatory standards; their products and services must not contain malicious programs; they must take remedial action against security issues and report them to users and relevant authorities; and they must provide security maintenance for their products and services, which cannot be terminated within the contract term agreed with customers. These new conditions will require providers of technology products and services to review and update their product and related maintenance offerings, and in particular the contractual terms on which they are offered to customers.
Critical network equipment and specialised cybersecurity products must obtain government certification or meet prescribed safety inspection requirements before being sold or provided. This potentially catches a wide range of software, hardware and other technologies being sold – or proposed to be sold – by international companies in China, since the definitions used in the law are drafted very broadly. Further guidance, by way of a catalogue of key network products, is expected in due course. There are concerns that this may create barriers to international businesses looking to enter the Chinese market.
Each individual and organisation shall be responsible for its own use of websites, and may not set up websites or communication groups for the purpose of committing fraud, imparting criminal methods, producing or selling prohibited items, or engaging in other unlawful activities. Again, there is scope for this to be interpreted and applied broadly.
Institutions, organisations and individuals outside China that cause serious consequences by attacking, interfering with or destroying key information infrastructure of China shall be responsible for any damage, and the relevant public security department of the State Council may freeze assets and impose other sanctions against them. While these provisions would appear to have an extra-territorial effect and could be interpreted very broadly, it is unclear what sanctions could in practice be enforced against organisations without a presence in China.
Other new rules relate to network/online protections for minors; the establishment of schemes for network security monitoring, early warning and breach notification to relevant authorities and the public; rights for individuals and organisations to report conduct endangering network security; opening of public data resources; and prohibitions on hacking and supporting activities.
While criminal sanctions, administrative penalties and civil liabilities potentially await those (both organisations and, in some circumstances, individual employees and officers) who violate the new law, unfortunately great uncertainties remain as to how the new legislation will be enforced, who exactly is caught by the various new rules, and the precise steps that organisations must take to comply with them. It is hoped that the Chinese authorities will publish more detailed practical guidance in the coming months. In the meantime, organisations are strongly advised to review their data privacy and cybersecurity practices in China to ensure compliance with the new law before it comes into force on 1 June 2017, and to keep these under review as further guidance becomes available.
STRICTER PRC ONLINE ADVERTISING REGULATION IN RESPONSE TO SEARCH SCANDAL
By Edward Chatterton, Partner (Hong Kong), Horace Lam, Partner (Beijing), and Ian Jebbit, Registered Foreign Lawyer (Hong Kong)
The China State Administration of Industry and Commerce's Online Advertising Regulation (Regulation) came into force on September 1, 2016. The Regulation has been widely regarded as the response to a recent scandal regarding paid search results.
Earlier this year, a promising college student in China, Wei Ze Xi, sought cancer treatment at a hospital which was returned as a paid search result on an internet search engine. The hospital promised that the treatment would be effective and charged Wei US$30,000. The treatment was later found to be ineffective, but Wei could not then afford further
The changes
The newly amended Advertising Law did not expressly address the regulation of 'paid search results', but the new Regulation includes a specific definition of paid search results which sees them classified as an internet advertisement and thus subject to the Advertising Law. As such, the Regulation means, inter alia, that paid search results:
must not be misleading;
cannot be used in relation to the advertisement of prescription medication and tobacco products;
cannot be used in relation to the advertisement of medical services, medicine, medical formula food, medical devices, pesticides, veterinary medicines and health care products unless the relevant products and services have been previously approved by the relevant authorities; and
must be able to be closed with 'one click' and must not interfere with a user's internet experience.
The Regulation also requires online advertising service providers to establish internal systems for, inter alia, identifying clients who use paid search results and storing their details and advertisements.
Practical implications
The new Regulation affects not only search engine providers but all online advertising businesses and users of paid search results.
Businesses advertising in China using paid search results must check to ensure such paid search results are in compliance with the Advertising Law, and those businesses operating in any of the restricted fields listed above must now ensure prior approval is sought before placing a paid search result advertisement.
Our team of lawyers in China is ready to advise you on the preparations you need to make for the implementation of the Regulation.
MOBILE APPS UNDER CLOSE WATCH OF THE HONG KONG PRIVACY COMMISSIONER
By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong)
The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps. On 21 April 2016, the Office of the Privacy Commissioner for Personal Data (the PCPD) held the 'Mobile App Development Forum on Privacy and Security' (Forum) for the mobile app industry, which discussed key issues for mobile app developers, businesses and stakeholders to consider when developing and operating mobile apps in terms of ensuring compliance with the provisions of the Personal Data (Privacy) Ordinance and safeguarding users from cybersecurity risks.
Businesses operating in the mobile app industry and related stakeholders are advised to take note of the key points raised at the Forum, and the related issues that they should consider, set out below.
Lessons to learn from mobile apps in the market
The Privacy Commissioner highlighted the results of a recent survey on popular mobile apps developed by Hong Kong entities, which revealed a lack of transparency in the handling of personal data by the apps. The survey results revealed that most of these local apps did not explain clearly what data they would access and the purposes for such access, and that only around half of these mobile apps provided a privacy policy.
A key risk discussed at the Forum was that the drafter of the privacy policies may not have a complete understanding of what data is in fact collected, stored, used and/or shared by the app, for example where third party code is used in the app development. Businesses using one privacy policy for all of their mobile apps, which differ greatly in the way users' data are handled, also run the risk of having imprecise privacy policies for individual apps.
Security remains a key concern in relation to personal data collected and handled by mobile apps. It was revealed at the Forum that, alarmingly, some extremely popular mobile apps failed to apply adequate security to safeguard users' personal data.
Enforcement risks for mobile apps
At the Forum, the Privacy Commissioner referred to enforcement actions that were taken against mobile apps recently, largely due to excessive data collection and inadequate security of personal data.
In recent years, the Privacy Commissioner has served enforcement notices on operators of mobile apps as well as related parties to the app operators. As a result, the relevant companies have taken corrective actions and, in some instances, the Privacy Commissioner's enforcement action attracted much media attention, and some of these mobile apps are no longer available in the market.
However, there is a limit to the Privacy Commissioner's enforcement powers, as demonstrated by a high profile incident in November 2016 regarding call-blocking apps whose activities were suspected by the PCPD to contravene Hong Kong's data privacy law. As the apps' operators were located outside Hong Kong, the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow up action.
It is most likely that the privacy compliance of mobile apps will continue to be under the close watch of the Privacy Commissioner in the coming months.
Privacy by Design
The Chief Personal Data Officer of the PCPD, Dr Henry Chang, highlighted the 'Privacy by Design' approach that businesses should adopt, which brings privacy to the foreground and embeds privacy from the outset into the design specifications and throughout the entire development life cycle of a mobile app. Set out below are key factors that should be considered.
Data minimisation – The collection of personal data should be reduced to the absolute minimum, especially where sensitive personal data is involved. An assessment of what data the business requires from users, in terms of access and collection, should be undertaken at the outset.
Surprise minimisation – Businesses should ensure there is transparency to users in terms of what data will be collected or accessed, and provide users with a choice to opt out from such access or use where possible. It is important for businesses to manage the expectations of users and eliminate or minimise any possible adverse effects of data collection and use.
Risk minimisation – Businesses must ensure adequate protection of data being transmitted and/or stored, for example through encryption and access control.
Trust and respect – To earn the trust and respect of users, it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects, even if it does not amount to personal data. This is key, as mobile devices contain a vast amount of personal data and other data that may be considered private, and users would be concerned about whether the mobile app accesses or collects any of this data.
In particular, businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users, rather than a compliance hurdle to avoid investigation or enforcement action by the Privacy Commissioner. Businesses should ensure the data collection and handling practices in respect of their mobile apps are not only compliant with the law, but that the privacy policies, privacy notifications and consents are sufficiently clear and transparent to gain the trust and respect of users.
SINGAPORE'S ENFORCEMENT OF DATA PROTECTION LAW ON THE RISE
By Scott Thiel, Partner, Carolyn Bigg, Of Counsel, and Amy Kong, Associate (Hong Kong)
Singapore's Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC has published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident with the Monetary Authority of Singapore (MAS) concerning a multinational bank. The PDPC has also recently announced the need for organisations to improve their data security and data protection measures, and has issued new guides, primarily focusing on data protection measures, which organisations should consider carefully.
Recent enforcement decisions
Some of the key points to note from the three recent enforcement decisions:
A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.
A document processing company was fined SGD 5,000 for a data breach after 195 individuals received account statements of other account holders held on the Singapore Exchange.
A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (being the policy holder's chiropractor) to obtain further medical information about the policy holder in September 2015. The PDPC found that the disclosure of the policy holder's bank account details, being of a sensitive financial nature, was not for a reasonable purpose.
It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of 'sensitive personal data' which requires additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.
As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were a result of inadequate data security measures which led to unauthorised disclosure of personal data.
Investigation on a multinational bank's data disposal incident
The PDPC and the MAS have joined forces in an investigation against a multinational bank (Bank) following a recent report relating to the Bank's disposal of client documents. In June 2016, it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank's headquarters in Singapore.
The MAS is working closely with the PDPC to review the incident and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers' data.
New guides issued by the PDPC
To accompany its recent media release urging organisations to improve their data security measures, and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, securing personal data in electronic medium, and building websites for small to medium enterprises.
The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding content on withdrawal of consent and access requests. Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing their data handling practices.
Some interesting issues to note
The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third party contracts. Such data protection clauses should contain specific security measures; a schedule containing the authorised personnel who are permitted to access the personal data on a 'need to know' basis; a requirement for a written undertaking about the return or deletion of personal data; as well as a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.
The PDPC's guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).
This article was first published in August 2016. For further updates in relation to Singapore's data protection laws, please contact Scott Thiel (scott.thiel@dlapiper.com) or Carolyn Bigg (carolyn.bigg@dlapiper.com).
IPT INSIGHTS
AUSTRALIA – TRADE MARKS – CHANGES TO OFFICIAL FEES
The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees, some of which are to align with practices in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.
Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there will no longer be a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptance/registration, the new process will hopefully reduce the administrative burden on applicants somewhat.
In addition, the AU$150 fee for opposing a removal application will be abolished. Renewal fees will also increase slightly.
This is an adjustment to official fees only at this time, and DLA Piper Australia is not increasing its fees for the relevant attendances.
HONG KONG'S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD
Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong's Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees are using their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap 486) (the Ordinance) and the Data Protection Principles (DPPs).
The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and to the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices depending on whether or not the organisation's data is stored on the personal devices or within a 'sandbox'. The Commissioner has suggested as best practice that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance.
The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding use of personal data stored on the BYOD device, and whether adequate security measures are in place to ensure secure transfer and storage of personal data on the BYOD equipment (eg sandboxing, password protection and independent encryption).
The Information Leaflet also highlights that respect for personal data should be mutual under the BYOD scheme, and any practices implemented to manage employees' BYOD devices should respect the employees' private information.
For more information, the Information Leaflet is available here.
DLA Piper's Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more, please click here.
JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS
In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.
Where the supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, in order to seek a remedy (for example, damages) the supplier must follow the approach prescribed in the Bill. This is likely to be a two-step process. Firstly, the supplier must attempt to resolve the complaint with the procuring entity. Secondly, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.
The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year.
WHAT'S ON
Wrap up: 5th Global Technology Summit
On September 27 and 28, DLA Piper's Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.
This year, the Summit was divided into two distinct days of programming. The first day, which was called 'Garage2Global', was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from 'garage to global'. The second day, which was entitled 'TechLaw', provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.
Speaker Highlights
At 'Garage2Global', Alec Ross, Former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day, Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world's largest networks, which powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates, Inc.
Kicking off 'TechLaw', Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions, and how the legal department is viewed as a business partner. During the afternoon sessions, Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, to discuss the GC's role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world's largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.
Please visit our Summit website and blog for any further information.
DLA Piper is pleased to announce the launch of Telecommunications Laws of the World
Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.
Key features include:
telecommunications laws, regulations and policies
regulatory bodies or authorities
overview of consents, licenses and authorisations
regulatory taxes and fees
key sanctions and penalties
Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-based stamping for trading transactions, robust, reliable and resilient networks are critical.
Today, telecommunications operators are increasingly seeking to expand customer-specific and value added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion. At the same time, the growth of OTT (over the top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators' infrastructure to provide services.
Access Telecommunications Laws of the World here.
Intellectual property webinar series
Throughout 2016, DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact eventsaustralia@dlapiper.com.
intellectual property issues in China
confidential information and trade secrets: global insights, global protection
grey market, parallel importation and anti-counterfeiting
content protection and digital piracy
advertising and marketing
Pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide
We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.
Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:
trademark filing and prosecution
oppositions
revocation, invalidation and cancellation
trademark enforcement
trademark exploitation
unregistered trademark rights
domain and company name disputes
To pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide, email APACTMGuide@dlapiper.com.
Are you an in-house lawyer? Join WIN today
WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.
DLA PIPER ASIA PACIFIC TRADEMARK GUIDE 2016
Pre-order your complimentary copy now
We are pleased to bring you the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.
Relevant for the complete brand life cycle, this user-friendly guide looks at such essential issues as:
trademark filing and prosecution
oppositions
revocation, invalidation and cancellation
trademark enforcement
trademark exploitation
unregistered trademark rights
domain and company name disputes
To pre-order your copy of the inaugural edition of DLA Piper's Asia Pacific Trademark Guide, please complete this card or email us at APACTMGuide@dlapiper.com.
GLOBAL PATENT LAWS AROUND THE WORLD
COMING SOON
Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to businesses operating in the countries featured, for example what acts infringe a patent, the availability of and approach to granting preliminary injunctions, the ability to obtain evidence, the approach to assessing validity, and the typical time to trial. For companies operating in multiple countries, managing the risk of, and successfully bringing or defending, patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those in other countries.
Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and procedural matters businesses need to know about. The handbook includes guidance on:
infringing conduct
defences to infringement
before taking action
patent validity
taking action
remedies
procedure & timing
Benefits of Global Patent Laws
Patent laws, simply put. Global reach. Easy access, 24/7.
DLA PIPER'S PATENT GROUP
With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.
For further information, please contact us by email at patents@dlapiper.com.
legality, propriety and necessity in their data handling, and not be excessive, not provide an individual's personal information to others without the individual's consent, nor illegally sell an individual's personal data to others. The rules do not apply to truly anonymised data. There are also general obligations to keep user information confidential and to establish and maintain data protection systems. Data subject rights to correction of their data, as well as a right to request deletion of data in the event of a data breach, are also provided. While an earlier draft specifically provided protection to personal information of "citizens", the final law does not make this distinction and so seemingly offers a broader protection to all personal information. These requirements formalise as binding legal obligations some data protection safeguards that were previously only perceived as best practice guidance in China.
As regards network security, network operators must fulfil certain tiered security obligations according to the requirements of the classified protection system for cybersecurity, which includes (amongst other things): formulating internal security management systems and operating instructions; appointing dedicated cybersecurity personnel; taking technological measures to prevent computer viruses and other similar threats and attacks, and formulating plans to monitor and respond to network security incidents; retaining network logs for at least six months; undertaking prescribed data classification, back up, encryption and similar activities; complying with national and mandatory security standards; reporting incidents to users and the authorities; and establishing complaints systems.
Network operators must also provide technical support and assistance to state security bodies safeguarding national security and investigating crimes, and will be subject to government and public supervision. The form and extent of such cooperation is not currently clear, and international businesses have expressed concerns over the extent to which this may require them to disclose their IP, proprietary and confidential information to the Chinese authorities.
More general conditions on network operators carrying out business and service activities include obeying all laws and regulations, mandatory and industry national standards, social norms and commercial ethics, being honest and credible, and bearing social responsibility. There are also requirements on network operators to block, delete and report to the authorities prohibited information and malicious programs published or installed by users.
Network operators handling "network access and domain registration services" for users, including mobile phone and instant message service providers, are required to comply with "real identity" rules when signing up or providing service confirmation to users, or else may not provide the service.
Additional security safeguards apply to KIIOs, including security background checks on key managers, staff training obligations, disaster recovery back ups, emergency response planning, and annual inspections and assessments. Further, strict procurement procedures will apply to KIIOs buying network products and services.
Providers of "network products and services" must comply with national and mandatory standards; their products and services must not contain malicious programs; they must take remedial action against security issues and report them to users and relevant authorities; and they must provide security maintenance for their products and services, which cannot be terminated within the contract term agreed with customers. These new conditions will require providers of technology products and services to review and update their product and related maintenance offerings, and in particular the contractual terms on which they are offered to customers.
Critical network equipment and specialised cybersecurity products must obtain government certification or meet prescribed safety inspection requirements before being sold or provided. This potentially catches a wide range of software, hardware and other technologies being sold – or proposed to be sold – by international companies in China, since the definitions used in the law are drafted very broadly. Further guidance, by way of a catalogue of key network products, is expected in due course. There are concerns that this may create barriers to international businesses looking to enter the Chinese market.
Each individual and organisation shall be responsible for its own use of websites and may not set up websites or communication groups for the purpose of committing fraud, imparting criminal methods, producing or selling prohibited items, or engaging in other unlawful activities. Again, there is scope for this to be interpreted and applied broadly.
Institutions, organisations and individuals outside China that cause serious consequences by attacking, interfering with or destroying key information infrastructure of China shall be responsible for any damage, and the relevant public security department of the State Council may freeze assets and impose other sanctions against them. While these provisions would appear to have an extra-territorial effect and could be interpreted very broadly, it is unclear what sanctions could in practice be enforced against organisations without a presence in China.
Other new rules relate to networkonline protections for minors the establishment of schemes for network security monitoring early warning and breach notification to relevant authorities and the public as well as rights for individuals and organisations to report conduct endangering network security opening of public data resources and prohibitions on hacking and supporting activities
While criminal sanctions administrative penalties and civil liabilities potentially await those (both organisations and in some circumstances individual employees and officers) who violate the new law unfortunately great uncertainties remain as to how the new legislation will be enforced who exactly is caught by the various new rules and the precise steps that organisations must take to comply with them It is hoped that the Chinese authorities will publish more detailed practical guidance in the coming months In the meantime organisations are strongly advised to review their data privacy and cybersecurity practices in China to ensure compliance with the new law before it comes into force on 1 June 2017 and to keep these under review as further guidance becomes available
18 | Intellectual Property and Technology News
STRICTER PRC ONLINE ADVERTISING REGULATION IN RESPONSE TO SEARCH SCANDAL
By Edward Chatterton, Partner (Hong Kong), Horace Lam, Partner (Beijing) and Ian Jebbit, Registered Foreign Lawyer (Hong Kong)
The China State Administration of Industry and Commerce's Online Advertising Regulation (Regulation) came into force on September 1, 2016. The Regulation has been widely regarded as the response to a recent scandal regarding paid search results.
Earlier this year a promising college student in China, Wei Ze Xi, sought cancer treatment at a hospital which was returned as a paid search result on an internet search engine. The hospital promised that the treatment would be effective and charged Wei US$30,000. The treatment was later found to be ineffective, but Wei could not then afford further
The changes
The newly amended Advertising Law did not expressly address the regulation of 'paid search results', but the new Regulation includes a specific definition of paid search results which sees them classified as an internet advertisement and thus subject to the Advertising Law. As such, the Regulation means, inter alia, that paid search results:
must not be misleading;
cannot be used in relation to the advertisement of prescription medication and tobacco products;
cannot be used in relation to the advertisement of medical services, medicine, medical formula food, medical devices, pesticides, veterinary medicines and health care products unless the relevant products and services have been previously approved by the relevant authorities; and
must be able to be closed with 'one click' and must not interfere with a user's internet experience.
The Regulation also requires online advertising service providers to establish internal systems for, inter alia, identifying clients who use paid search results and storing their details and advertisements.
Practical implications
The new Regulation affects not only search engine providers but all online advertising businesses and users of paid search results.
Businesses advertising in China using paid search results must check that such paid search results comply with the Advertising Law, and those businesses operating in any of the restricted fields listed above must now ensure prior approval is sought before placing a paid search result advertisement.
Our team of lawyers in China is ready to advise you on the preparations you need to make for the implementation of the Regulation.
www.dlapiper.com | 19
MOBILE APPS UNDER CLOSE WATCH OF THE HONG KONG PRIVACY COMMISSIONER
By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong)
The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps. On 21 April 2016 the Office of the Privacy Commissioner for Personal Data (the PCPD) held the 'Mobile App Development Forum on Privacy and Security' (Forum) for the mobile app industry, which discussed key issues for mobile app developers, businesses and stakeholders to consider when developing and operating mobile apps, in terms of ensuring compliance with the provisions of the Personal Data (Privacy) Ordinance and safeguarding users from cybersecurity risks.
Businesses operating in the mobile app industry and related stakeholders are advised to take note of the key points raised at the Forum, set out below, and the related issues that they should consider.
Lessons to learn from mobile apps in the market
The Privacy Commissioner highlighted the results of a recent survey on popular mobile apps developed by Hong Kong entities, which revealed a lack of transparency in the personal data handling of the apps. The survey results revealed that most of these local apps did not explain clearly what data they would access and the purposes for such access, and that only around half of these mobile apps provided a privacy policy.
A key risk discussed at the Forum was that the drafter of the privacy policy may not have a complete understanding of what data is in fact collected, stored, used and/or shared by the app, for example where third party code is used in the app development. Businesses using a single privacy policy for all of their mobile apps, where those apps differ greatly in the way users' data are handled, also run the risk of having imprecise privacy policies for individual apps.
Security remains a key concern in relation to personal data collected and handled by mobile apps. It was revealed at the Forum that, alarmingly, some extremely popular mobile apps failed to apply adequate security to safeguard users' personal data.
Enforcement risks for mobile apps
At the Forum the Privacy Commissioner referred to enforcement actions that were taken against mobile apps recently, largely due to excessive data collection and inadequate security of personal data.
In recent years the Privacy Commissioner has served enforcement notices on operators of mobile apps as well as on parties related to the app operators. As a result, the relevant companies have taken corrective actions and, in some instances, the Privacy Commissioner's enforcement action attracted much media attention; some of these mobile apps are no longer available in the market.
However, there is a limit to the Privacy Commissioner's enforcement powers, as demonstrated by a high profile incident in November 2016 regarding call-blocking apps whose activities were suspected by the PCPD to contravene Hong Kong's data privacy law. As the apps' operators were located outside Hong Kong, the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow-up action.
It is most likely that the privacy compliance of mobile apps will continue to be under the close watch of the Privacy Commissioner in the coming months.
Privacy by Design
The Chief Personal Data Officer of the PCPD, Dr Henry Chang, highlighted the 'Privacy by Design' approach that businesses should adopt, which brings privacy to the foreground and embeds privacy from the outset into the design specifications and throughout the entire development life cycle of a mobile app. Set out below are key factors that should be considered.
Data minimisation: The collection of personal data should be reduced to the absolute minimum, especially where sensitive personal data is involved. An assessment of what data the business requires from users, in terms of both access and collection, should be undertaken at the outset.
Surprise minimisation: Businesses should ensure there is transparency to users in terms of what data will be collected or accessed, and provide users with a choice to opt out of such access or use where possible. It is important for businesses to manage the expectations of users and to eliminate or minimise any possible adverse effects of data collection and use.
Risk minimisation: Businesses must ensure adequate protection of data being transmitted and/or stored, for example through encryption and access control.
Trust and respect: To earn the trust and respect of users, it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects, even if it does not amount to personal data. This is key, as mobile devices contain a vast amount of personal data and other data that may be considered private, and users will be concerned about whether the mobile app accesses or collects any of this data.
In particular, businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users, rather than as a compliance hurdle to avoid investigation or enforcement action by the Privacy Commissioner. Businesses should ensure that the data collection and handling practices in respect of their mobile apps are not only compliant with the law, but that the privacy policies, privacy notifications and consents are sufficiently clear and transparent to gain the trust and respect of users.
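The data minimisation and transparency points above, together with the third party code risk noted earlier in this article, reduce to a concrete check a development team can run before the privacy policy is drafted: enumerate every permission the built app will actually request, including those merged in from library manifests, and compare them against the data uses the policy discloses. The Python script below is an added example written for this page, not code from the PCPD or from the original article; the two manifests, the analytics SDK and the policy allow-list are constructed for illustration, and the mapping from Android permissions to data categories is deliberately abbreviated.

```python
"""Compare the permissions an Android app effectively requests (its own
manifest plus library manifests merged at build time) with the data uses
its privacy policy discloses.  Added example; all inputs are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: the app's own manifest.
APP_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

# Constructed sample: a manifest contributed by a hypothetical third party
# analytics SDK, which the build tooling merges into the final APK manifest.
SDK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.analytics">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

# Data categories the (constructed) privacy policy says the app accesses.
POLICY_DISCLOSED = {"camera", "network"}

# Abbreviated mapping from permission name to the data category it exposes.
PERMISSION_TO_DATA = {
    "android.permission.INTERNET": "network",
    "android.permission.CAMERA": "camera",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_PHONE_STATE": "device identifiers",
    "android.permission.RECORD_AUDIO": "microphone",
}


def declared_permissions(manifest_xml):
    """Return the set of permission names a single manifest requests."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {el.get(name_attr) for el in root.iter("uses-permission")}


def effective_permissions(*manifests):
    """Union of permissions across the app manifest and every merged library manifest."""
    perms = set()
    for manifest in manifests:
        perms |= declared_permissions(manifest)
    return perms


def undisclosed_access(perms, disclosed):
    """Group permissions whose data category the policy never mentions, by category.
    A permission missing from the mapping is reported under its own name so it
    cannot silently pass the check."""
    gaps = {}
    for perm in sorted(perms):
        category = PERMISSION_TO_DATA.get(perm, "unknown: " + perm)
        if category not in disclosed:
            gaps.setdefault(category, []).append(perm)
    return gaps


def audit(app_manifest, sdk_manifests, disclosed):
    """Run the full check and return {category: [permissions]} the policy must add."""
    perms = effective_permissions(app_manifest, *sdk_manifests)
    return undisclosed_access(perms, disclosed)


if __name__ == "__main__":
    report = audit(APP_MANIFEST, [SDK_MANIFEST], POLICY_DISCLOSED)
    for category, perms in report.items():
        print("policy does not disclose %s (requested via %s)"
              % (category, ", ".join(perms)))
```

Run against the constructed inputs, the app's own manifest passes, and both gaps come from the SDK: the policy drafter who only read the app's manifest would have missed location and contacts access entirely. In a real build, feed the merged manifest that the build tooling emits rather than hand-merging library manifests, and treat every permission the check reports as a decision point: either remove it (data minimisation) or disclose it (surprise minimisation).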
SINGAPORE'S ENFORCEMENT OF DATA PROTECTION LAW ON THE RISE
By Scott Thiel, Partner, Carolyn Bigg, Of Counsel, and Amy Kong, Associate (Hong Kong)
Singapore's Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC has published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident with the Monetary Authority of Singapore (MAS) concerning a multinational bank. The PDPC has also recently announced the need for organisations to improve their data security and data protection measures, and has issued new guides, primarily focusing on data protection measures, which organisations should consider carefully.
Recent enforcement decisions
Some of the key points to note from the three recent enforcement decisions:
A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.
A document processing company was fined SGD 5,000 for a data breach after 195 individuals received account statements of other account holders held on the Singapore Exchange.
A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (the policy holder's chiropractor) in September 2015, in order to obtain further medical information about the policy holder. The PDPC found that the disclosure of the policy holder's bank account details, being of a sensitive financial nature, was not for a reasonable purpose.
It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of 'sensitive personal data' requiring additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.
As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were the result of inadequate data security measures which led to unauthorised disclosure of personal data.
Investigation into a multinational bank's data disposal incident
The PDPC and the MAS have joined forces in an investigation against a multinational bank (Bank) following a recent report relating to the Bank's disposal of client documents. In June 2016 it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank's headquarters in Singapore.
The MAS is working closely with the PDPC to review the incident and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers' data.
New guides issued by the PDPC
To accompany its recent media release urging organisations to improve their data security measures, and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, on securing personal data in electronic medium and on building websites for small to medium enterprises.
The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding withdrawal of consent and access requests. Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing their data handling practices.
Some interesting issues to note
The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third party contracts. Such data protection clauses should contain specific security measures; a schedule listing the authorised personnel who are permitted to access the personal data on a 'need to know' basis; a requirement for a written undertaking about return or deletion of personal data; and a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.
The PDPC's guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).
This article was first published in August 2016. For further updates in relation to Singapore's data protection laws, please contact Scott Thiel (scott.thiel@dlapiper.com) or Carolyn Bigg (carolyn.bigg@dlapiper.com).
AUSTRALIA: TRADE MARKS: CHANGES TO OFFICIAL FEES
The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees, some of which are intended to align with practices in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.
Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there will no longer be a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptance/registration, the new process will hopefully reduce the administrative burden on applicants somewhat.
In addition, the AU$150 fee for opposing a removal application will be abolished. Renewal fees will also increase slightly.
This is an adjustment to official fees only at this time, and DLA Piper Australia is not increasing its fees for the relevant attendances.
HONG KONG'S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD
Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong's Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees use their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap. 486) (the Ordinance) and the Data Protection Principles (DPPs).
The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and to the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices depending on whether the organisation's data is stored on the personal devices themselves or within a 'sandbox'. The Commissioner has suggested, as best practice, that organisations should at the outset of any BYOD implementation conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance.
The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding use of personal data stored on the BYOD device, and whether adequate security measures are in place to ensure secure transfer and storage of personal data on the BYOD equipment (eg sandboxing, password protection and independent encryption).
The Information Leaflet also highlights that respect for personal data should be mutual under the BYOD scheme, and that any practices implemented to manage employees' BYOD devices should respect the employees' private information.
For more information, the Information Leaflet is available here.
DLA Piperrsquos Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe To learn more please click here
JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS
In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.
Where a supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, in order to seek a remedy (for example, damages) the supplier must follow the approach prescribed in the Bill. This is likely to be a two-step process. Firstly, the supplier must attempt to resolve the complaint with the procuring entity. Secondly, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.
The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year.
IPT INSIGHTS
WHAT'S ON
Wrap up: 5th Global Technology Summit
On September 27 and 28, DLA Piper's Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.
This year the Summit was divided into two distinct days of programming. The first day, called 'Garage2Global', was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from 'garage to global'. The second day, entitled 'TechLaw', provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.
Speaker Highlights
At 'Garage2Global', Alec Ross, Former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day, Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world's largest networks, which powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates Inc.
Kicking off 'TechLaw', Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions and how the legal department is viewed as a business partner. During the afternoon sessions, Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, to discuss the GC's role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world's largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.
Please visit our Summit website and blog for any further information.
DLA Piper is pleased to announce the launch of Telecommunications Laws of the World
Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.
Key features include:
telecommunications laws, regulations and policies
regulatory bodies or authorities
overview of consents, licenses and authorisations
regulatory taxes and fees
key sanctions and penalties
Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-based stamping for trading transactions, robust, reliable and resilient networks are critical.
Today, telecommunications operators are increasingly seeking to expand customer-specific and value added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion. At the same time, the growth of OTT (over the top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators' infrastructure to provide services.
Access Telecommunications Laws of the World here.
Intellectual property webinar series
Throughout 2016 DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact eventsaustralia@dlapiper.com.
intellectual property issues in China
confidential information and trade secrets: global insights, global protection
grey market, parallel importation and anti-counterfeiting
content protection and digital piracy
advertising and marketing
Pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide
We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.
Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:
trademark filing and prosecution
oppositions
revocation, invalidation and cancellation
trademark enforcement
trademark exploitation
unregistered trademark rights
domain and company name disputes
To pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide, email APACTMGuide@dlapiper.com.
Are you an in-house lawyer? Join WIN today
WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.
DLA PIPER ASIA PACIFIC TRADEMARK GUIDE 2016
Pre-order your complimentary copy now
We are pleased to bring you the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.
Relevant for the complete brand life cycle, this user-friendly guide looks at such essential issues as:
trademark filing and prosecution
oppositions
revocation, invalidation and cancellation
trademark enforcement
trademark exploitation
unregistered trademark rights
domain and company name disputes
To pre-order your copy of the inaugural edition of DLA Piper's Asia Pacific Trademark Guide, please complete this card or email us at APACTMGuide@dlapiper.com.
GLOBAL PATENT LAWS AROUND THE WORLD
COMING SOON
Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to businesses operating in the countries featured: for example, what acts infringe a patent, the availability of and approach to granting preliminary injunctions, the ability to obtain evidence, the approach to assessing validity and the typical time to trial. For companies operating in multiple countries, managing the risk of, and successfully bringing or defending, patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those of other countries.
Benefits of Global Patent Laws: patent laws simply put; global reach; easy access 24/7.
Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and the procedural matters businesses need to know about. The handbook includes guidance on:
infringing conduct
defences to infringement
before taking action
patent validity
taking action
remedies
procedure & timing
DLA PIPER'S PATENT GROUP
With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.
For further information, please contact us by email at patents@dlapiper.com.
- Button 19
Each individual and organisation shall be responsible for its own use of websites and may not set up websites or communication groups for the purpose of committing fraud imparting criminal methods producing or selling prohibited items or engaging in other unlawful activities Again there is scope for this to be interpreted and applied broadly
Institutions organisations and individuals outside China that cause serious consequences by attacking interfering or destructing key information infrastructure of China shall be responsible for any damage and the relevant public security department of the State Council may freeze assets and impose other sanctions against them While these provisions would appear to have an extra-territorial effect and could be interpreted very broadly it is unclear what sanctions could in practice be enforced against organisations without a presence in China
Other new rules relate to networkonline protections for minors the establishment of schemes for network security monitoring early warning and breach notification to relevant authorities and the public as well as rights for individuals and organisations to report conduct endangering network security opening of public data resources and prohibitions on hacking and supporting activities
While criminal sanctions administrative penalties and civil liabilities potentially await those (both organisations and in some circumstances individual employees and officers) who violate the new law unfortunately great uncertainties remain as to how the new legislation will be enforced who exactly is caught by the various new rules and the precise steps that organisations must take to comply with them It is hoped that the Chinese authorities will publish more detailed practical guidance in the coming months In the meantime organisations are strongly advised to review their data privacy and cybersecurity practices in China to ensure compliance with the new law before it comes into force on 1 June 2017 and to keep these under review as further guidance becomes available
18 | Intellectual Property and Technology News
The China State Administration of Industry and Commercersquos Online Advertising Regulation (Regulation) came into force on September 1 2016 The Regulation has been widely regarded as the response to a recent scandal regarding paid search results
Earlier this year a promising college student in China Wei Ze Xi sought cancer treatment at a hospital which was returned as a paid search result on an internet search engine The hospital promised that the treatment would be effective and charged Wei US$30000 The treatment was later found to be ineffective but Wei could not then afford further
The changes
The newly amended Advertising Law did not expressly address the regulation of lsquopaid search resultsrsquo but the new Regulation includes a specific definition of paid search results which sees them classified as an internet advertisement and thus subject to the Advertising Law As such the Regulation means inter alia paid search results
must not be misleading
cannot be used in relation to the advertisement of prescription medication and tobacco products
cannot be used in relation to the advertisement of medical services medicine medical formula food medical devices pesticides veterinary medicines and health care products unless the relevant products and services have been previously approved by the relevant authorities and
must be able to be closed with lsquoone clickrsquo and must not interfere with a usersrsquo internet experience
The Regulation also requires online advertising service providers to establish internal systems for inter alia identifying clients who use paid search results and storing their details and advertisements
Practical implications
The new Regulation affects not only search engine providers but all online advertising businesses and users of paid search results
Businesses advertising in China using paid search results must check to ensure such paid search results are in compliance with the Advertising Law and those businesses operating in any of the restricted fields listed above must now ensure prior approval is sought before placing a paid search result advertisement
Our team of lawyers in China is ready to advise you on the preparations you need to make for the implementation of the Regulation
STRICTER PRC ONLINE ADvERTISING REGULATION IN RESPONSE TO SEARCH SCANDALBy edward Chatterton partner (hong Kong) horace lam partner (Beijing) ian Jebbit registered foreign lawyer (hong Kong)
wwwdlapipercom | 19
MOBILE APPS UNDER CLOSE WATCH OF THE HONG KONG PRIVACY COMMISSIONER
By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong)
The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps. On 21 April 2016, the Office of the Privacy Commissioner for Personal Data (the PCPD) held the 'Mobile App Development Forum on Privacy and Security' (Forum) for the mobile app industry, which discussed key issues for mobile app developers, businesses and stakeholders to consider when developing and operating mobile apps, in terms of ensuring compliance with the provisions of the Personal Data (Privacy) Ordinance and safeguarding users from cybersecurity risks.
Businesses operating in the mobile app industry and related stakeholders are advised to take note of the key points raised at the Forum, set out below, and the related issues that they should consider.
Lessons to learn from mobile apps in the market
The Privacy Commissioner highlighted the results of a recent survey on popular mobile apps developed by Hong Kong entities, which revealed a lack of transparency in the handling of personal data by the apps. The survey results revealed that most of these local apps did not explain clearly what data they would access and the purposes for such access, and that only around half of these mobile apps provided a privacy policy.
A key risk discussed at the Forum was that the drafter of the privacy policies may not have a complete understanding of what data is in fact collected, stored, used and/or shared by the app, for example where third party code is used in the app's development. Businesses using a single privacy policy for all of their mobile apps, which may differ greatly in the way users' data are handled, also run the risk of having imprecise privacy policies for individual apps.
Security remains a key concern in relation to personal data collected and handled by mobile apps. It was revealed at the Forum that, alarmingly, some extremely popular mobile apps failed to apply adequate security to safeguard users' personal data.
Enforcement risks for mobile apps
At the Forum, the Privacy Commissioner referred to enforcement actions that were taken against mobile apps recently, largely due to excessive data collection and inadequate security of personal data.
In recent years, the Privacy Commissioner has served enforcement notices on operators of mobile apps as well as parties related to the app operators. As a result, the relevant companies have taken corrective actions and, in some instances, the Privacy Commissioner's enforcement action attracted much media attention, and some of these mobile apps are no longer available in the market.
20 | Intellectual Property and Technology News
However, there is a limit to the Privacy Commissioner's enforcement powers, as demonstrated by a high profile incident in November 2016 regarding call-blocking apps whose activities were suspected by the PCPD to contravene Hong Kong's data privacy law. As the apps' operators were located outside Hong Kong, the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow-up action.
It is most likely that the privacy compliance of mobile apps will continue to be under the close watch of the Privacy Commissioner in the coming months.
Privacy by Design
The Chief Personal Data Officer of the PCPD, Dr Henry Chang, highlighted the 'Privacy by Design' approach that businesses should adopt, which brings privacy to the foreground and embeds privacy from the outset into the design specifications and throughout the entire development life cycle of a mobile app. Set out below are key factors that should be considered:
Data minimisation – The collection of personal data should be reduced to the absolute minimum, especially where sensitive personal data is involved. An assessment of what data the business requires from users, in terms of access and collection, should be undertaken at the outset.
Surprise minimisation – Businesses should ensure there is transparency to users in terms of what data will be collected or accessed, and provide users with a choice to opt out from such access or use where possible. It is important for businesses to manage the expectations of users and eliminate or minimise any possible adverse effects of data collection and use.
Risk minimisation – Businesses must ensure adequate protection of data being transmitted and/or stored, for example through encryption and access control.
Trust and respect – To earn the trust and respect of users, it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects, even if it does not amount to personal data. This is key, as mobile devices contain a vast amount of personal data and other data that may be considered private, and users would be concerned about whether the mobile app accesses or collects any of this data.
In particular, businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users, rather than a compliance hurdle to avoid investigation or enforcement action by the Privacy Commissioner. Businesses should ensure the data collection and handling practices in respect of their mobile apps are not only compliant with the law, but that the privacy policies, privacy notifications and consents are sufficiently clear and transparent to gain the trust and respect of users.
SINGAPORE'S ENFORCEMENT OF DATA PROTECTION LAW ON THE RISE
By Scott Thiel, Partner, Carolyn Bigg, Of Counsel, and Amy Kong, Associate (Hong Kong)
Singapore's Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC has published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident with the Monetary Authority of Singapore (MAS) concerning a multinational bank. The PDPC has also recently announced the need for organisations to improve their data security and data protection measures, and has issued new guides, primarily focusing on data protection measures, which organisations should consider carefully.
Recent enforcement decisions
Some of the key points to note from the three recent enforcement decisions:
A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.
A document processing company was fined SGD 5000 for a data breach after 195 individuals received account statements of other account holders held on the Singapore Exchange.
A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (being the policy holder's chiropractor) in order to obtain further medical information about the policy holder in September 2015. The PDPC found that the disclosure of the policy holder's bank account details, being of a sensitive financial nature, was not for a reasonable purpose.
It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of 'sensitive personal data' requiring additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.
As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were a result of inadequate data security measures which led to unauthorised disclosure of personal data.
Investigation on a multinational bank's data disposal incident
The PDPC and the MAS have joined forces in an investigation against a multinational bank (Bank) following a recent report relating to the Bank's disposal of client documents. In June 2016 it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank's headquarters in Singapore.
The MAS is working closely with the PDPC to review the incident and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers' data.
New guides issued by the PDPC
To accompany its recent media release urging organisations to improve their data security measures, and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, securing personal data in electronic medium, and building websites for small to medium enterprises.
The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding content on withdrawal of consent and access requests. Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing their data handling practices.
Some interesting issues to note
The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third party contracts. Such data protection clauses should contain specific security measures; a schedule listing the authorised personnel who are permitted to access the personal data on a 'need to know' basis; a requirement for a written undertaking about return or deletion of personal data; as well as a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.
The PDPC's guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).
This article was first published in August 2016. For further updates in relation to Singapore's data protection laws, please contact Scott Thiel (scott.thiel@dlapiper.com) or Carolyn Bigg (carolyn.bigg@dlapiper.com).
AUSTRALIA – TRADE MARKS – CHANGES TO OFFICIAL FEES
The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees, some of which are intended to align with practices in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.
Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there will no longer be a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptance/registration, the new process will hopefully reduce the administrative burden on applicants somewhat.
In addition, the AU$150 fee for opposing a removal application will be abolished. Renewal fees will also increase slightly.
This is an adjustment to official fees only at this time, and DLA Piper Australia is not increasing its fees for the relevant attendances.
HONG KONG'S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD
Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong's Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees are using their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap 486) (the Ordinance) and the Data Protection Principles (DPPs).
The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices depending on whether or not the organisation's data is stored on the personal devices or within a 'sandbox'. The Commissioner has suggested as best practice that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance.
The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding use of personal data stored in the BYOD device, and whether adequate security measures are in place to ensure secure transfer and storage of personal data in the BYOD equipment (eg sandboxing, password protection and independent encryption).
The Information Leaflet also highlights that respect for personal data should be mutual under the BYOD scheme, and any practices implemented to manage employees' BYOD devices should respect the employees' private information.
For more information, the Information Leaflet is available here.
DLA Piper's Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more, please click here.
JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS
In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.
Where the supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, in order to seek a remedy (for example, damages) the supplier must follow the approach prescribed in the Bill. This is likely to be a two-step process. Firstly, the supplier must attempt to resolve the complaint with the procuring entity. Secondly, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.
The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year.
IPT INSIGHTS
WHAT'S ON
Wrap up: 5th Global Technology Summit
On September 27 and 28, DLA Piper's Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.
This year the Summit was divided into two distinct days of programming. The first day, called 'Garage2Global', was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from 'garage to global'. The second day, entitled 'TechLaw', provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.
Speaker Highlights
At 'Garage2Global', Alec Ross, Former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day, Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world's largest networks, which powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates, Inc.
Kicking off 'TechLaw', Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions, and how the legal department is viewed as a business partner. During the afternoon sessions, Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, to discuss the GC's role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world's largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.
Please visit our Summit website and blog for any further information.
DLA Piper is pleased to announce the launch of Telecommunications Laws of the World.
Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.
Key features include:
telecommunications laws regulations and policies
regulatory bodies or authorities
overview of consents licenses and authorisations
regulatory taxes and fees
key sanctions and penalties
Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-based stamping for trading transactions, robust, reliable and resilient networks are critical.
Today, telecommunications operators are increasingly seeking to expand customer-specific and value added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion. At the same time, the growth of OTT (over the top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators' infrastructure to provide services.
Access Telecommunications Laws of the World here.
Intellectual property webinar series
Throughout 2016, DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact eventsaustralia@dlapiper.com.
intellectual property issues in China
confidential information and trade secrets: global insights, global protection
grey market, parallel importation and anti-counterfeiting
content protection and digital piracy
advertising and marketing
Pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide
We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.
Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:
trademark filing and prosecution
oppositions
revocation, invalidation and cancellation
trademark enforcement
trademark exploitation
unregistered trademark rights
domain and company name disputes
To pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide, email APACTMGuide@dlapiper.com.
Are you an in-house lawyer? Join WIN today
WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.
DLA PIPER ASIA PACIFIC TRADEMARK GUIDE 2016
Pre-order your complimentary copy now
We are pleased to bring you the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.
Relevant for the complete brand life cycle, this user-friendly guide looks at such essential issues as:
trademark filing and prosecution
oppositions
revocation, invalidation and cancellation
trademark enforcement
trademark exploitation
unregistered trademark rights
domain and company name disputes
To pre-order your copy of the inaugural edition of DLA Piper's Asia Pacific Trademark Guide, please complete this card or email us at APACTMGuide@dlapiper.com.
GLOBAL PATENT LAWS AROUND THE WORLD
COMING SOON
Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to businesses operating in the countries featured, for example: what acts infringe a patent, the availability of and approach to granting preliminary injunctions, the ability to obtain evidence, the approach to assessing validity, and the typical time to trial. For companies operating in multiple countries, managing the risk of, and successfully bringing or defending, patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those in other countries.
DLA PIPER'S PATENT GROUP
With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.
For further information, please contact us by email at patents@dlapiper.com.
Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and procedural matters businesses need to know about. The handbook includes guidance on:
Benefits of Global Patent Laws
Patent laws simply put. Global reach. Easy access 24/7.
infringing conduct
defences to infringement
Before taking action
patent validity
taking action
remedies
procedure & timing
The China State Administration of Industry and Commerce's Online Advertising Regulation (Regulation) came into force on September 1, 2016. The Regulation has been widely regarded as the response to a recent scandal regarding paid search results.
Earlier this year, a promising college student in China, Wei Ze Xi, sought cancer treatment at a hospital which was returned as a paid search result on an internet search engine. The hospital promised that the treatment would be effective and charged Wei US$30000. The treatment was later found to be ineffective, but Wei could not then afford further
The changes
The newly amended Advertising Law did not expressly address the regulation of 'paid search results', but the new Regulation includes a specific definition of paid search results which sees them classified as an internet advertisement and thus subject to the Advertising Law. As such, the Regulation means, inter alia, that paid search results:
must not be misleading;
cannot be used in relation to the advertisement of prescription medication and tobacco products;
cannot be used in relation to the advertisement of medical services medicine medical formula food medical devices pesticides veterinary medicines and health care products unless the relevant products and services have been previously approved by the relevant authorities and
must be able to be closed with lsquoone clickrsquo and must not interfere with a usersrsquo internet experience
The Regulation also requires online advertising service providers to establish internal systems for inter alia identifying clients who use paid search results and storing their details and advertisements
Practical implications
The new Regulation affects not only search engine providers but all online advertising businesses and users of paid search results
Businesses advertising in China using paid search results must check to ensure such paid search results are in compliance with the Advertising Law and those businesses operating in any of the restricted fields listed above must now ensure prior approval is sought before placing a paid search result advertisement
Our team of lawyers in China is ready to advise you on the preparations you need to make for the implementation of the Regulation
STRICTER PRC ONLINE ADvERTISING REGULATION IN RESPONSE TO SEARCH SCANDALBy edward Chatterton partner (hong Kong) horace lam partner (Beijing) ian Jebbit registered foreign lawyer (hong Kong)
wwwdlapipercom | 19
mObILE APPS UNDER CLOSE WATCH Of THE HONG KONG PRIvACY COmmISSIONERBy scott thiel partner and Carolyn Bigg of Counsel (hong Kong)
The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps On 21 April 2016 the Office of the Privacy Commissioner for Personal Data (the PCPD) held the lsquoMobile App Development Forum on Privacy and Securityrsquo (Forum) for the mobile app industry which discussed key issues for mobile app developers businesses and stakeholders to consider when developing and operating mobile apps in terms of ensuring compliance with the provisions of the Personal Data (Privacy) Ordinance and safeguarding users from cybersecurity risks
Businesses operating in the mobile app industry and related stakeholders are advised to take note of the below key points raised at the Forum and related issues that they should consider
Lessons to learn from mobile apps in the market
The Privacy Commissioner highlighted the results of a recent survey on popular mobile apps developed by Hong Kong entities which revealed a lack of transparency of the personal data handling in relation to the apps The survey results revealed that most of these local apps did not explain clearly what data they would access and the purposes for such access and that only around half of these mobile apps provided a privacy policy
A key risk discussed at the Forum was that the drafter of the privacy policies may not have a complete understanding of what data is in fact collected stored used andor shared by the app for example in the case of using third party codes in the app development Businesses using the one privacy policy for all of its mobile apps which differ greatly in the way usersrsquo data are handled also run the risk of having imprecise privacy policies for individual apps
Security remains a key concern in relation to personal data collected and handled by mobile apps It was revealed at the Forum that alarmingly some extremely popular mobile apps failed to apply adequate security to safeguard usersrsquo personal data
Enforcement risks for mobile apps
At the Forum the Privacy Commissioner referred to enforcement actions that were taken against mobile apps recently largely due to excessive data collection and inadequate security of personal data
In recent years the Privacy Commissioner has served enforcement notices on operators of mobile apps as well as related parties to the app operators As a result the relevant companies have taken corrective actions and in
20 | Intellectual Property and Technology News20 | Intellectual Property and Technology News
some instances the Privacy Commissionerrsquos enforcement action attracted much media attention and some of these mobile apps are no longer available in the market
However there is a limit to the Privacy Commissionerrsquos enforcement powers as demonstrated by a high profile incident in November 2016 regarding call-blocking apps whose activities were suspected by the PCPD to contravene Hong Kongrsquos data privacy law As the appsrsquo operators were located outside Hong Kong the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow up action
It is most likely that the privacy compliance of mobile apps will continue to be under the close watch of the Privacy Commissioner in the coming months
Privacy by Design
The Chief Personal Data Officer of the PCPD Dr Henry Chang highlighted the lsquoPrivacy by Designrsquo approach that business should adopt which brings privacy to the foreground and embeds privacy from the outset into the design specifications and throughout the entire development life cycle of a mobile app Set out below are key factors that should be considered
Data minimisation ndash The collection of personal data should be reduced to the absolute minimum especially where sensitive personal data is involved An assessment of what data the business requires from users in terms of access and collection should be undertaken at the outset
Surprise minimisation ndash Businesses should ensure there is transparency to users in terms of what data will be collected or accessed and provide users with a choice to opt-out from such access or use where possible It is important for businesses to manage the expectations of users and eliminate or minimise any possible adverse effects of data collection and use
Risk minimisation ndash Businesses must ensure adequate protection of data being transmitted andor stored for example through encryption and access control
Trust and respect ndash To earn the trust and respect of users it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects even if they do not amount to personal data This is key as mobile devices contain a vast amount of personal data and other data that may be considered private and users would be concerned about whether the mobile app accesses or collects any of this data
In particular businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users rather than a compliance hurdle to avoid investigation or enforcement action by the Privacy Commissioner Businesses should ensure the data collection and handling practices in respect of their mobile apps are not only compliant with the law but that the privacy policies and privacy notifications and consents are sufficiently clear and transparent to gain the trust and respect of users
wwwdlapipercom | 21
SINGAPORE'S ENFORCEMENT OF DATA PROTECTION LAW ON THE RISE
By Scott Thiel, Partner, Carolyn Bigg, Of Counsel, and Amy Kong, Associate (Hong Kong)
Singapore's Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident with the Monetary Authority of Singapore (MAS) concerning a multinational bank. The PDPC has also recently announced the need for organisations to improve their data security and data protection measures, and has issued new guides, primarily focusing on data protection measures, which organisations should consider carefully.
Recent enforcement decisions
Some of the key points to note from the three recent enforcement decisions:
A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.
A document processing company was fined SGD 5,000 for a data breach after 195 individuals received account statements of other account holders held on the Singapore Exchange.
A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (being the policy holder's chiropractor) in order to obtain further medical information about the policy holder in September 2015. The PDPC found that the disclosure of the policy holder's bank account details, being of a sensitive financial nature, was not for a reasonable purpose.
It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of 'sensitive personal data' requiring additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.
As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were the result of inadequate data security measures which led to unauthorised disclosure of personal data.
22 | Intellectual Property and Technology News
Investigation into a multinational bank's data disposal incident
The PDPC and the MAS have joined forces in an investigation into a multinational bank (Bank) following a recent report relating to the Bank's disposal of client documents. In June 2016 it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank's headquarters in Singapore.
The MAS is working closely with the PDPC to review the incident and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers' data.
New guides issued by the PDPC
To accompany its recent media release urging organisations to improve their data security measures, and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, securing personal data in electronic medium, and building websites for small to medium enterprises.
The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding withdrawal of consent and access requests. Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing their data handling practices.
Some interesting issues to note
The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third party contracts. Such data protection clauses should contain specific security measures, a schedule listing the authorised personnel who are permitted to access the personal data on a 'need to know' basis, a requirement for a written undertaking about the return or deletion of personal data, as well as a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.
The PDPC's guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).
This article was first published in August 2016. For further updates in relation to Singapore's data protection laws, please contact Scott Thiel (scott.thiel@dlapiper.com) or Carolyn Bigg (carolyn.bigg@dlapiper.com).
AUSTRALIA – TRADE MARKS – CHANGES TO OFFICIAL FEES
The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees, some of which are intended to align with practices in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.
Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there will no longer be a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptance/registration, the new process will hopefully reduce the administrative burden on applicants somewhat.
In addition, the AU$150 fee for opposing a removal application will be abolished. Renewal fees will also increase slightly.
This is an adjustment to official fees only at this time, and DLA Piper Australia is not increasing its fees for the relevant attendances.
HONG KONG'S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD
Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong's Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees use their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap 486) (the Ordinance) and the Data Protection Principles (DPPs).
The Information Leaflet suggests that organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment, and to the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices depending on whether the organisation's data is stored on the personal devices themselves or within a 'sandbox'. The Commissioner has suggested as best practice that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance.
The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding the use of personal data stored on the BYOD device, and whether adequate security measures are in place to ensure secure transfer and storage of personal data on the BYOD equipment (e.g. sandboxing, password protection and independent encryption).
The Information Leaflet also highlights that respect for personal data should be mutual under a BYOD scheme, and that any practices implemented to manage employees' BYOD devices should respect the employees' private information.
For more information, the Information Leaflet is available here.
DLA Piper's Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more, please click here.
JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS
In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.
Where a supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, in order to seek a remedy (for example, damages) the supplier must follow the approach prescribed in the Bill. This is likely to be a two-step process. Firstly, the supplier must attempt to resolve the complaint with the procuring entity. Secondly, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.
The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year.
IPT INSIGHTS
WHAT'S ON: Wrap-up of the 5th Global Technology Summit
On September 27 and 28, DLA Piper's Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.
This year the Summit was divided into two distinct days of programming. The first day, called 'Garage2Global', was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from 'garage to global'. The second day, entitled 'TechLaw', provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.
Speaker Highlights
At 'Garage2Global', Alec Ross, Former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day, Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world's largest networks, one that powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates Inc.
Kicking off 'TechLaw', Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions, and how the legal department is viewed as a business partner. During the afternoon sessions, Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, to discuss the GC's role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world's largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.
Please visit our Summit website and blog for any further information.
DLA Piper is pleased to announce the launch of Telecommunications Laws of the World
Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.
Key features include:
Telecommunications laws, regulations and policies
Regulatory bodies or authorities
Overview of consents, licenses and authorisations
Regulatory taxes and fees
Key sanctions and penalties
Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-based stamping for trading transactions, robust, reliable and resilient networks are critical.
Today, telecommunications operators are increasingly seeking to expand customer-specific and value-added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion. At the same time, the growth of OTT (over-the-top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators' infrastructure to provide services.
Access Telecommunications Laws of the World here.
Intellectual property webinar series
Throughout 2016, DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact events.australia@dlapiper.com.
Intellectual property issues in China
Confidential information and trade secrets: global insights, global protection
Grey market, parallel importation and anti-counterfeiting
Content protection and digital piracy
Advertising and marketing
Pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide
We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.
Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:
Trademark filing and prosecution
Oppositions
Revocation, invalidation and cancellation
Trademark enforcement
Trademark exploitation
Unregistered trademark rights
Domain and company name disputes
To pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide, email APACTMGuide@dlapiper.com.
Are you an in-house lawyer? Join WIN today
WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.
DLA PIPER ASIA PACIFIC TRADEMARK GUIDE 2016: PRE-ORDER YOUR COMPLIMENTARY COPY NOW
We are pleased to bring you the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.
Relevant for the complete brand life cycle, this user-friendly guide looks at such essential issues as:
Trademark filing and prosecution
Oppositions
Revocation, invalidation and cancellation
Trademark enforcement
Trademark exploitation
Unregistered trademark rights
Domain and company name disputes
To pre-order your copy of the inaugural edition of DLA Piper's Asia Pacific Trademark Guide, please complete this card or email us at APACTMGuide@dlapiper.com.
GLOBAL PATENT LAWS AROUND THE WORLD
COMING SOON
Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to businesses operating in the countries featured, for example what acts infringe a patent, the availability of and approach to granting preliminary injunctions, the ability to obtain evidence, the approach to assessing validity and the typical time to trial. For companies operating in multiple countries, managing the risk of, and successfully bringing or defending, patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those in other countries.
DLA PIPER'S PATENT GROUP
With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.
For further information, please contact us by email at patents@dlapiper.com.
Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and the procedural matters businesses need to know about. The handbook includes guidance on:
Infringing conduct
Defences to infringement
Before taking action
Patent validity
Taking action
Remedies
Procedure & timing
Benefits of Global Patent Laws: patent laws simply put, global reach, easy access 24/7
MOBILE APPS UNDER CLOSE WATCH OF THE HONG KONG PRIVACY COMMISSIONER
By Scott Thiel, Partner, and Carolyn Bigg, Of Counsel (Hong Kong)
The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps. On 21 April 2016, the Office of the Privacy Commissioner for Personal Data (the PCPD) held the 'Mobile App Development Forum on Privacy and Security' (Forum) for the mobile app industry, which discussed key issues for mobile app developers, businesses and stakeholders to consider when developing and operating mobile apps, in terms of ensuring compliance with the provisions of the Personal Data (Privacy) Ordinance and safeguarding users from cybersecurity risks.
Businesses operating in the mobile app industry, and related stakeholders, are advised to take note of the key points raised at the Forum and the related issues they should consider, set out below.
Lessons to learn from mobile apps in the market
The Privacy Commissioner highlighted the results of a recent survey of popular mobile apps developed by Hong Kong entities, which revealed a lack of transparency in the handling of personal data by the apps. The survey results revealed that most of these local apps did not explain clearly what data they would access and the purposes of such access, and that only around half of these mobile apps provided a privacy policy.
A key risk discussed at the Forum was that the drafter of a privacy policy may not have a complete understanding of what data is in fact collected, stored, used and/or shared by the app, for example where third party code is used in the app's development. Businesses using a single privacy policy for all of their mobile apps, which may differ greatly in the way users' data are handled, also run the risk of having imprecise privacy policies for individual apps.
Security remains a key concern in relation to personal data collected and handled by mobile apps. It was revealed at the Forum that, alarmingly, some extremely popular mobile apps failed to apply adequate security to safeguard users' personal data.
Enforcement risks for mobile apps
At the Forum, the Privacy Commissioner referred to enforcement actions taken recently against mobile apps, largely due to excessive data collection and inadequate security of personal data.
In recent years, the Privacy Commissioner has served enforcement notices on operators of mobile apps as well as on parties related to the app operators. As a result, the relevant companies have taken corrective actions and, in some instances, the Privacy Commissioner's enforcement action attracted much media attention; some of these mobile apps are no longer available in the market.
However, there is a limit to the Privacy Commissioner's enforcement powers, as demonstrated by a high profile incident in November 2016 regarding call-blocking apps whose activities were suspected by the PCPD to contravene Hong Kong's data privacy law. As the apps' operators were located outside Hong Kong, the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow-up action.
It is most likely that the privacy compliance of mobile apps will continue to be under the close watch of the Privacy Commissioner in the coming months.
Privacy by Design
The Chief Personal Data Officer of the PCPD, Dr Henry Chang, highlighted the 'Privacy by Design' approach that businesses should adopt, which brings privacy to the foreground and embeds privacy from the outset into the design specifications and throughout the entire development life cycle of a mobile app. Set out below are key factors that should be considered:
Data minimisation – The collection of personal data should be reduced to the absolute minimum, especially where sensitive personal data is involved. An assessment of what data the business requires from users, in terms of access and collection, should be undertaken at the outset.
Surprise minimisation – Businesses should ensure there is transparency to users in terms of what data will be collected or accessed, and provide users with a choice to opt out from such access or use where possible. It is important for businesses to manage the expectations of users and to eliminate or minimise any possible adverse effects of data collection and use.
Risk minimisation – Businesses must ensure adequate protection of data being transmitted and/or stored, for example through encryption and access control.
Trust and respect – To earn the trust and respect of users, it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects, even if it does not amount to personal data. This is key, as mobile devices contain a vast amount of personal data and other data that may be considered private, and users would be concerned about whether the mobile app accesses or collects any of this data.
In particular, businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users, rather than as a compliance hurdle to avoid investigation or enforcement action by the Privacy Commissioner. Businesses should ensure that the data collection and handling practices in respect of their mobile apps are not only compliant with the law, but also that the privacy policies, privacy notifications and consents are sufficiently clear and transparent to gain the trust and respect of users.
wwwdlapipercom | 21
Singaporersquos Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA) Following the release of its first nine enforcement decisions in April this year the PDPC has published a further enforcement decision in June and two decisions in July and is currently investigating a recent data disposal incident with the Monetary Authority of Singapore (MAS) concerning a multinational bank The PDPC has also recently announced the need for organisations to improve their data security and data protection measures and has issued new guides primarily focusing on data protection measures which organisations should consider carefully
Recent enforcement decisions
Some of the key points to note from the three recent enforcement decisions
A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015 The enforcement decision was made even though there was no evidence that any personal data had actually been misused
A document processing company was fined SGD 5000 for a data breach after 195 individuals received account statements of other account holders held on the Singapore Exchange
A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (being the policy holderrsquos chiropractor) to obtain further medical information about the policy holder in September 2015 The PDPC found that the disclosure of the policy holderrsquos bank account details being of a sensitive financial nature was not for a reasonable purpose
It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA Although the PDPA does not have a separate definition of lsquosensitive personal datarsquo which requires additional protection the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions
As noted by Mr Leong Keng Thai Chairman of the PDPC the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were a result of inadequate data security measures which led to unauthorised disclosure of personal data
SINGAPORErsquoS ENfORCEmENT Of DATA PROTECTION LAW ON THE RISE
By scott thiel partner Carolyn Bigg of Counsel amy Kong associate (hong Kong)
22 | Intellectual Property and Technology News
Investigation on a multinational bankrsquos data disposal incident
The PDPC and the MAS have joined forces in an investigation against a multinational bank (Bank) following a recent report relating to the Bankrsquos disposal of client documents In June 2016 it was reported that a garbage bag containing unshredded client documents of the Bank which included confidential client data and personal data such as National Registration Identity Card numbers addresses and phone numbers was found in close proximity to the Bankrsquos headquarters in Singapore
The MAS is working closely with the PDPC to review the incident and has indicated its commitment to take disciplinary action against banks which fail to adequately protect its customersrsquo data
New guides issued by the PDPC
To accompany its recent media release urging organisations to improve their data security measures and in light of recent enforcement decisions the PDPC has published new guides on data protection clauses for agreements relating to data processing securing personal data in electronic medium and building websites for small to medium enterprises
The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing IT outsourcing and security patching and has updated its advisory guidelines on key concepts in the
PDPA regarding content on withdrawal of consent and access requests Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing its data handling practices
Some interesting issues to note
The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in its third party contracts Such data protection clauses should contain specific security measures a schedule containing the authorised personnel who are permitted to access the personal data on a lsquoneed to knowrsquo basis a requirement for a written undertaking about return or deletion of personal as well as a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA
The PDPCrsquos guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration shredding or pulping In relation to shredding different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals)
this article was first published in august 2016 for further updates in relation to singaporersquos data protection laws please contact scott thiel scottthieldlapipercom or Carolyn Bigg carolynbiggdlapipercom
wwwdlapipercom | 23
AUSTRALIA ndash TRADE mARKS ndash CHANGES TO OffICIAL fEES
The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees some of which are to align with practices and other jurisdictions and (hopefully) to cut red tape The changes took effect on 10 October 2016
Significantly the official fees on filing a new application have increased (by around AU$100 per class) but there will no longer be a separate registration fee payable at the acceptanceregistration stage While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptanceregistration the new process will hopefully reduce the administrative burden on applicants somewhat
In addition the AU$150 fee for opposing a removal application will be abolished Renewal fees will also increase slightly
This is an adjustment to official fees only at this time and DLA Piper Australia is not increasing its fees for the relevant attendances
HONG KONGrsquoS PRIvACY COmmISSIONER ADDRESSES PRIvACY COmPLIANCE AND bEST PRACTICE fOR bYOD
Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong's Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees are using their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap 486) (the Ordinance) and the Data Protection Principles (DPPs).
The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices depending on whether the organisation's data is stored on the personal devices or within a 'sandbox'. The Commissioner has suggested as best practice that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance.
The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding use of personal data stored in the BYOD device, and whether adequate security measures are in place to ensure secure transfer and storage of personal data in the BYOD equipment (e.g. sandboxing, password protection and independent encryption).
The Information Leaflet also highlights that respect for personal data should be mutual under the BYOD scheme, and any practices implemented to manage employees' BYOD devices should respect the employees' private information.
For more information, the Information Leaflet is available here.
DLA Piper's Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more, please click here.
JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS
In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.
Where the supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, in order to seek a remedy (for example, damages) the supplier must follow the approach prescribed in the Bill. This is likely to be a two-step process. Firstly, the supplier must attempt to resolve the complaint with the procuring entity. Secondly, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.
The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year.
IPT INSIGHTS
24 | Intellectual Property and Technology News
WHAT'S ON
Wrap-up: 5th Global Technology Summit
On September 27 and 28, DLA Piper's Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.
This year the Summit was divided into two distinct days of programming. The first day, called 'Garage2Global', was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from 'garage to global'. The second day, entitled 'TechLaw', provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.
Speaker Highlights
At 'Garage2Global', Alec Ross, Former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day, Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world's largest networks, which powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates, Inc.
Kicking off 'TechLaw', Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions, and how the legal department is viewed as a business partner. During the afternoon sessions, Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, to discuss the GC's role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world's largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.
Please visit our Summit website and blog for any further information.
DLA Piper is pleased to announce the launch of Telecommunications Laws of the World
Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.
Key features include:
telecommunications laws, regulations and policies
regulatory bodies or authorities
overview of consents, licenses and authorisations
regulatory taxes and fees
key sanctions and penalties
Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-based stamping for trading transactions, robust, reliable and resilient networks are critical.
Today, telecommunications operators are increasingly seeking to expand customer-specific and value-added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion. At the same time, the growth of OTT (over-the-top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators' infrastructure to provide services.
Access Telecommunications Laws of the World here.
www.dlapiper.com | 25
Intellectual property webinar series
Throughout 2016, DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact eventsaustralia@dlapiper.com.
intellectual property issues in China
confidential information and trade secrets: global insights, global protection
grey market, parallel importation and anti-counterfeiting
content protection and digital piracy
advertising and marketing
Pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide
We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.
Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:
trademark filing and prosecution
oppositions
revocation, invalidation and cancellation
trademark enforcement
trademark exploitation
unregistered trademark rights
domain and company name disputes
To pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide, email APACTMGuide@dlapiper.com.
Are you an in-house lawyer? Join WIN today
WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.
26 | Intellectual Property and Technology News
DLA PIPER ASIA PACIFIC TRADEMARK GUIDE 2016
Pre-order your complimentary copy now
We are pleased to bring you the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.
Relevant for the complete brand life cycle, this user-friendly guide looks at such essential issues as:
trademark filing and prosecution
oppositions
revocation, invalidation and cancellation
trademark enforcement
trademark exploitation
unregistered trademark rights
domain and company name disputes
To pre-order your copy of the inaugural edition of DLA Piper's Asia Pacific Trademark Guide, please complete this card or email us at APACTMGuide@dlapiper.com.
www.dlapiper.com | 27
GLOBAL PATENT LAWS AROUND THE WORLD
COMING SOON
Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to businesses operating in the countries featured, for example: what acts infringe a patent, the availability of and approach to granting preliminary injunctions, the ability to obtain evidence, the approach to assessing validity, and the typical time to trial. For companies operating in multiple countries, managing the risk of and successfully bringing or defending patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those in other countries.
DLA PIPER'S PATENT GROUP
With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.
For further information, please contact us by email at patents@dlapiper.com.
Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and procedural matters businesses need to know about. The handbook includes guidance on:
infringing conduct
defences to infringement
before taking action
patent validity
taking action
remedies
procedure & timing
Benefits of Global Patent Laws: patent laws simply put; global reach; easy access 24/7.
some instances, the Privacy Commissioner's enforcement action attracted much media attention, and some of these mobile apps are no longer available in the market.
However, there is a limit to the Privacy Commissioner's enforcement powers, as demonstrated by a high profile incident in November 2016 regarding call-blocking apps whose activities were suspected by the PCPD to contravene Hong Kong's data privacy law. As the apps' operators were located outside Hong Kong, the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow-up action.
It is most likely that the privacy compliance of mobile apps will continue to be under the close watch of the Privacy Commissioner in the coming months.
Privacy by Design
The Chief Personal Data Officer of the PCPD, Dr Henry Chang, highlighted the 'Privacy by Design' approach that businesses should adopt, which brings privacy to the foreground and embeds privacy from the outset into the design specifications and throughout the entire development life cycle of a mobile app. Set out below are key factors that should be considered.
Data minimisation – The collection of personal data should be reduced to the absolute minimum, especially where sensitive personal data is involved. An assessment of what data the business requires from users, in terms of access and collection, should be undertaken at the outset.
Surprise minimisation – Businesses should ensure there is transparency to users in terms of what data will be collected or accessed, and provide users with a choice to opt out from such access or use where possible. It is important for businesses to manage the expectations of users and eliminate or minimise any possible adverse effects of data collection and use.
Risk minimisation – Businesses must ensure adequate protection of data being transmitted and/or stored, for example through encryption and access control.
Trust and respect – To earn the trust and respect of users, it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects, even if it does not amount to personal data. This is key, as mobile devices contain a vast amount of personal data and other data that may be considered private, and users would be concerned about whether the mobile app accesses or collects any of this data.
In particular, businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users, rather than a compliance hurdle to avoid investigation or enforcement action by the Privacy Commissioner. Businesses should ensure the data collection and handling practices in respect of their mobile apps are not only compliant with the law, but that the privacy policies, privacy notifications and consents are sufficiently clear and transparent to gain the trust and respect of users.
www.dlapiper.com | 21
SINGAPORE'S ENFORCEMENT OF DATA PROTECTION LAW ON THE RISE
By Scott Thiel, Partner, Carolyn Bigg, Of Counsel, and Amy Kong, Associate (Hong Kong)
Singapore's Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC has published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident with the Monetary Authority of Singapore (MAS) concerning a multinational bank. The PDPC has also recently announced the need for organisations to improve their data security and data protection measures, and has issued new guides primarily focusing on data protection measures which organisations should consider carefully.
Recent enforcement decisions
Some of the key points to note from the three recent enforcement decisions:
A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.
A document processing company was fined SGD 5,000 for a data breach after 195 individuals received account statements of other account holders held on the Singapore Exchange.
A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (being the policy holder's chiropractor) to obtain further medical information about the policy holder in September 2015. The PDPC found that the disclosure of the policy holder's bank account details, being of a sensitive financial nature, was not for a reasonable purpose.
It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of 'sensitive personal data' which requires additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.
As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were a result of inadequate data security measures which led to unauthorised disclosure of personal data.
22 | Intellectual Property and Technology News
Investigation on a multinational bank's data disposal incident
The PDPC and the MAS have joined forces in an investigation against a multinational bank (Bank) following a recent report relating to the Bank's disposal of client documents. In June 2016 it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank's headquarters in Singapore.
The MAS is working closely with the PDPC to review the incident and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers' data.
New guides issued by the PDPC
To accompany its recent media release urging organisations to improve their data security measures, and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, securing personal data in electronic medium, and building websites for small to medium enterprises.
The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding content on withdrawal of consent and access requests. Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing their data handling practices.
Some interesting issues to note
The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third party contracts. Such data protection clauses should contain specific security measures, a schedule containing the authorised personnel who are permitted to access the personal data on a 'need to know' basis, a requirement for a written undertaking about return or deletion of personal data, as well as a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.
The PDPC's guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).
This article was first published in August 2016. For further updates in relation to Singapore's data protection laws, please contact Scott Thiel (scott.thiel@dlapiper.com) or Carolyn Bigg (carolyn.bigg@dlapiper.com).
www.dlapiper.com | 23
AUSTRALIA ndash TRADE mARKS ndash CHANGES TO OffICIAL fEES
The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees some of which are to align with practices and other jurisdictions and (hopefully) to cut red tape The changes took effect on 10 October 2016
Significantly the official fees on filing a new application have increased (by around AU$100 per class) but there will no longer be a separate registration fee payable at the acceptanceregistration stage While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptanceregistration the new process will hopefully reduce the administrative burden on applicants somewhat
In addition the AU$150 fee for opposing a removal application will be abolished Renewal fees will also increase slightly
This is an adjustment to official fees only at this time and DLA Piper Australia is not increasing its fees for the relevant attendances
HONG KONGrsquoS PRIvACY COmmISSIONER ADDRESSES PRIvACY COmPLIANCE AND bEST PRACTICE fOR bYOD
Following the publication of industry-specific BYOD guidelines such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines) the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kongrsquos Privacy Commissioner The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees are using their own mobile phones or other personal devices to access work emailssystems and suggests best practices for organisations allowing BYOD Unlike previous industry-specific guidance the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap 486) (the Ordinance) and the Data Protection Principles (DPPs)
The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and the harm and
likelihood of loss or unauthorised disclosure This reflects the approach taken in the HKAB Guidelines which recommend specific and distinct practices which differ depending on whether or not the organisationrsquos data is stored on the personal devices or within a lsquosandboxrsquo The Commissioner has suggested as best practice that organisations should at the outset of any BYOD implementation conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance
The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance For instance organisations should consider whether there is sufficient employee training regarding use of personal data stored in the BYOD device and whether adequate security measures are in place to ensure secure transfer and storage of personal data in the BYOD equipment (eg sandboxing password protection and independent encryption)
The Information Leaflet also highlights that respect for personal data should be mutual under the BYOD scheme and any practices implemented to manage employeesrsquo BYOD devices should respect the employeesrsquo private information
For more information the Information Leaflet is available here
DLA Piperrsquos Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe To learn more please click here
JUDICIAL REvIEW Of AUSTRALIAN GOvERNmENT PROCUREmENTS
In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill) which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority
Where the supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules in order to seek a remedy (for example damages) the supplier must follow the approach prescribed in the Bill This is likely to be a two-step process Firstly the supplier must attempt to resolve the complaint with the procuring entity Secondly if the complaint cannot be resolved the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court
The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year
IPT INSIGHTS
24 | Intellectual Property and Technology News
WHATrsquoS ONWrap up 5th Global Technology Summit
On September 27 and 28 DLA Piperrsquos Technology Sector hosted its 5th Global Technology Summit with more than 450 industry leaders attending the standing-room-only event in Menlo Park
This year the Summit was divided into two distinct days of programing The first day which was called lsquoGarage2Globalrsquo was dedicated to providing entrepreneurs emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from lsquogarage to globalrsquo And the second day which was entitled lsquoTechLawrsquo provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments
Speaker Highlights
At lsquoGarage2Globalrsquo Alec Ross Former Senior Advisor for Innovation to the US Secretary of State delivered the morning keynote address and spoke on the themes from his new book The Industries of the Future as well as the impact of Brexit and the coming presidential election on the technology sector and innovation Later in the day Sarah Lacy Editor in Chief at Pandocom sat down with Michelle Zatlyn Co-Founder of CloudFlare a web performance and security company to discuss how she and her co-founders turned an idea into one of the worldrsquos largest networks that powers more than 10 trillion requests per month nearly 10 of all Internet requests for more than 25 billion people worldwide Other speakers included c-level executives founders and investors from a wide variety of leading companies including August Home Cisco Investments Ford Research and Innovation GE Digital KPCB McKesson Ventures Qualcomm Ventures RetailNext Siemens Corporate Research and New Enterprise Associates Inc
Kicking off lsquoTechLawrsquo Stasia Kelly Co-Managing Partner (Americas) of DLA Piper sat down with Mark Chandler Senior Vice President and General Counsel at Cisco to discuss his role as an innovator within the legal industry the challenges in conducting acquisitions and how the legal department is viewed as a business partner During the afternoon sessions Dan Cooperman Of Counsel at DLA Piper chatted with Mike Callahan Senior Vice President and General Counsel at LinkedIn and Hillary Smith General Counsel at Zenefits to discuss the GCrsquos role in such areas as privacy and cybersecurity legal and policy and corporate investigations Other speakers included general counsel and thought leaders from some of the worldrsquos largest and most innovative technology companies including Adobe Systems Intel NetApp Netflix Nike Oracle Pandora PayPal Qualcomm and Samsung Electronics
Please visit our Summit website and blog for any further information
DLA Piper is pleased to announce the launch of Telecommunications Laws of the World
telecommunications laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world
Key features include
telecommunications laws regulations and policies
regulatory bodies or authorities
overview of consents licenses and authorisations
regulatory taxes and fees
key sanctions and penalties
telecommunications infrastructure is at the heart of any global business in the modern age from data security and data resilience requirements through cloud and data centre connectivity requirements to latency minimisation and time-based stamping for trading transactions robust reliable and resilient networks are critical
today telecommunications operators are increasingly seeking to expand customer-specific and value added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion at the same time the growth of ott (over the top) applications raises novel regulatory questions as service providers many of whom have no infrastructure and often no physical presence at all in the country can nevertheless use licensed operatorsrsquo infrastructure to provide services
access telecommunications laws of the World here
wwwdlapipercom | 25
Intellectual property webinar series
Throughout 2016 DLA Piper will be hosting an intellectual property webinar series focusing on the following topics If you are interested in joining these webinars contact eventsaustraliadlapipercom
intellectual property issues in China
confidential information and trade secrets global insights global protection
grey market parallel importation and anti-counterfeiting
content protection and digital piracy
advertising and marketing
Pre-order your copy of the inaugural edition of DLA Piperrsquos Asia-Pacific Trademark Guide
We will soon be releasing the DLA Piper Asia Pacific Trademark Guide a comprehensive review of trademark laws and key tips covering these 18 countries Australia Cambodia China Hong Kong India Indonesia Japan Korea Laos Macau Malaysia Myanmar New Zealand Philippines Singapore Taiwan Thailand and Vietnam
Covering the complete brand life cycle this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific including
trademark filing and prosecution
oppositions
revocation invalidation and cancellation
trademark enforcement
trademark exploitation
unregistered trademark rights
domain and company name disputes
To pre-order your copy of the inaugural edition of DLA Piperrsquos Asia-Pacific Trademark Guide email APACTMGuidedlapipercom
Are you an in-house lawyer Join WIN today
Win is our award-winning series of events tools and forums addressing the technical commercial and personal aspects of working in-house our online community provides access to tailored information a personal library best practice guides and toolkits and extensive selection of recorded webinars a range of online tools and much more Click here to register
26 | Intellectual Property and Technology News
DLA PIPER ASIA PACIFIC TRADEmARK GUIDE 2016pre-order your Complimentary Copy noW
We are pleased to bring you the DLA Piper Asia Pacific Trademark Guide a comprehensive review of trademark laws and key tips covering these 18 countries Australia Cambodia China Hong Kong India Indonesia Japan Korea Laos macau malaysia myanmar New Zealand Philippines Singapore Taiwan Thailand and vietnam
Relevant for the complete brand life cycle this user-friendly guide looks at such essential issues as
trademark filing and prosecution
oppositions
revocation invalidation and cancellation
trademark enforcement
trademark exploitation
unregistered trademark rights
domain and company name disputes
To pre-order your copy of the inaugural edition of DLA Piperrsquos Asia Pacific Trademark Guide please complete this card or email us at APACTMGuidedlapipercom
wwwdlapipercom | 27
GLOBAL PATENT LAWS AROUND THE WORLD
COMING SOON
Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to business operating in the countries featured: for example, what acts infringe a patent, the availability of and approach to granting preliminary injunctions, the ability to obtain evidence, the approach to assessing validity and the typical time to trial. For companies operating in multiple countries, managing the risk of, and successfully bringing or defending, patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those in other countries.
DLA PIPER’S PATENT GROUP
With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.
For further information, please contact us by email at patents@dlapiper.com.
Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and procedural matters businesses need to know about. The handbook includes guidance on:
infringing conduct
defences to infringement
before taking action
patent validity
taking action
remedies
procedure & timing
Benefits of Global Patent Laws: patent laws simply put; global reach; easy access 24/7.
SINGAPORE’S ENFORCEMENT OF DATA PROTECTION LAW ON THE RISE
By Scott Thiel, Partner, Carolyn Bigg, Of Counsel, and Amy Kong, Associate (Hong Kong)
Singapore’s Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC has published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident with the Monetary Authority of Singapore (MAS) concerning a multinational bank. The PDPC has also recently announced the need for organisations to improve their data security and data protection measures, and has issued new guides, primarily focusing on data protection measures, which organisations should consider carefully.
Recent enforcement decisions
Some of the key points to note from the three recent enforcement decisions:
A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.
A document processing company was fined SGD 5,000 for a data breach after 195 individuals received account statements of other account holders held on the Singapore Exchange.
A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (being the policy holder’s chiropractor) to obtain further medical information about the policy holder in September 2015. The PDPC found that the disclosure of the policy holder’s bank account details, being of a sensitive financial nature, was not for a reasonable purpose.
It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of ‘sensitive personal data’ which requires additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.
As noted by Mr Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were a result of inadequate data security measures which led to unauthorised disclosure of personal data.
22 | Intellectual Property and Technology News
Investigation on a multinational bank’s data disposal incident
The PDPC and the MAS have joined forces in an investigation against a multinational bank (Bank) following a recent report relating to the Bank’s disposal of client documents. In June 2016 it was reported that a garbage bag containing unshredded client documents of the Bank, which included confidential client data and personal data such as National Registration Identity Card numbers, addresses and phone numbers, was found in close proximity to the Bank’s headquarters in Singapore.
The MAS is working closely with the PDPC to review the incident and has indicated its commitment to take disciplinary action against banks which fail to adequately protect their customers’ data.
New guides issued by the PDPC
To accompany its recent media release urging organisations to improve their data security measures, and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, securing personal data in electronic medium, and building websites for small to medium enterprises.
The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching, and has updated its advisory guidelines on key concepts in the PDPA regarding content on withdrawal of consent and access requests. Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing their data handling practices.
Some interesting issues to note
The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in their third party contracts. Such data protection clauses should contain specific security measures, a schedule containing the authorised personnel who are permitted to access the personal data on a ‘need to know’ basis, a requirement for a written undertaking about return or deletion of personal data, as well as a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.
The PDPC’s guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).
This article was first published in August 2016. For further updates in relation to Singapore’s data protection laws, please contact Scott Thiel (scott.thiel@dlapiper.com) or Carolyn Bigg (carolyn.bigg@dlapiper.com).
www.dlapiper.com | 23
AUSTRALIA – TRADE MARKS – CHANGES TO OFFICIAL FEES
The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees, some of which are to align with practices in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.
Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there will no longer be a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptance/registration, the new process will hopefully reduce the administrative burden on applicants somewhat.
In addition, the AU$150 fee for opposing a removal application will be abolished. Renewal fees will also increase slightly.
This is an adjustment to official fees only at this time, and DLA Piper Australia is not increasing its fees for the relevant attendances.
HONG KONG’S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD
Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong’s Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees are using their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap. 486) (the Ordinance) and the Data Protection Principles (DPPs).
The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices which differ depending on whether or not the organisation’s data is stored on the personal devices or within a ‘sandbox’. The Commissioner has suggested as best practice that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance.
The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding use of personal data stored in the BYOD device, and whether adequate security measures are in place to ensure secure transfer and storage of personal data in the BYOD equipment (eg sandboxing, password protection and independent encryption).
The Information Leaflet also highlights that respect for personal data should be mutual under the BYOD scheme, and any practices implemented to manage employees’ BYOD devices should respect the employees’ private information.
For more information, the Information Leaflet is available here.
DLA Piper’s Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more, please click here.
JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS
In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.
Where the supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, in order to seek a remedy (for example, damages) the supplier must follow the approach prescribed in the Bill. This is likely to be a two-step process. Firstly, the supplier must attempt to resolve the complaint with the procuring entity. Secondly, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.
The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year.
IPT INSIGHTS
24 | Intellectual Property and Technology News
WHAT’S ON: Wrap up, 5th Global Technology Summit
On September 27 and 28, DLA Piper’s Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.
This year the Summit was divided into two distinct days of programming. The first day, which was called ‘Garage2Global’, was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from ‘garage to global’. And the second day, which was entitled ‘TechLaw’, provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.
Speaker Highlights
At ‘Garage2Global’, Alec Ross, Former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day, Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world’s largest networks, one that powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates Inc.
Kicking off ‘TechLaw’, Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions and how the legal department is viewed as a business partner. During the afternoon sessions, Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, to discuss the GC’s role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world’s largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.
Please visit our Summit website and blog for any further information.
DLA Piper is pleased to announce the launch of Telecommunications Laws of the World
Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.
Key features include:
telecommunications laws, regulations and policies
regulatory bodies or authorities
overview of consents, licenses and authorisations
regulatory taxes and fees
key sanctions and penalties
Telecommunications infrastructure is at the heart of any global business in the modern age. From data security and data resilience requirements, through cloud and data centre connectivity requirements, to latency minimisation and time-based stamping for trading transactions, robust, reliable and resilient networks are critical.
Today, telecommunications operators are increasingly seeking to expand customer-specific and value added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion. At the same time, the growth of OTT (over the top) applications raises novel regulatory questions, as service providers, many of whom have no infrastructure and often no physical presence at all in the country, can nevertheless use licensed operators’ infrastructure to provide services.
Access Telecommunications Laws of the World here.
www.dlapiper.com | 25
Intellectual property webinar series
Throughout 2016, DLA Piper will be hosting an intellectual property webinar series focusing on the following topics. If you are interested in joining these webinars, contact events.australia@dlapiper.com.
intellectual property issues in China
confidential information and trade secrets: global insights, global protection
grey market, parallel importation and anti-counterfeiting
content protection and digital piracy
advertising and marketing
Pre-order your copy of the inaugural edition of DLA Piper’s Asia-Pacific Trademark Guide
We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.
Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:
trademark filing and prosecution
oppositions
revocation, invalidation and cancellation
trademark enforcement
trademark exploitation
unregistered trademark rights
domain and company name disputes
To pre-order your copy of the inaugural edition of DLA Piper’s Asia-Pacific Trademark Guide, email APACTMGuide@dlapiper.com.
Are you an in-house lawyer? Join WIN today
WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.
26 | Intellectual Property and Technology News
DLA PIPER ASIA PACIFIC TRADEmARK GUIDE 2016pre-order your Complimentary Copy noW
We are pleased to bring you the DLA Piper Asia Pacific Trademark Guide a comprehensive review of trademark laws and key tips covering these 18 countries Australia Cambodia China Hong Kong India Indonesia Japan Korea Laos macau malaysia myanmar New Zealand Philippines Singapore Taiwan Thailand and vietnam
Relevant for the complete brand life cycle this user-friendly guide looks at such essential issues as
trademark filing and prosecution
oppositions
revocation invalidation and cancellation
trademark enforcement
trademark exploitation
unregistered trademark rights
domain and company name disputes
To pre-order your copy of the inaugural edition of DLA Piperrsquos Asia Pacific Trademark Guide please complete this card or email us at APACTMGuidedlapipercom
wwwdlapipercom | 27
GLOBAL PATENT LAWSAROUND THE WORLD
COmING SOON
global patern laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to business operating in the countries featured for example what acts infringe a patent the availability of and approach to granting preliminary injuctions the ability to obtain evidence the approach to assessing validity and the typical time to trial for companies operating in multiple countries managing the risk of and successfully bringing or defending patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions accordingly our guide also allows you to compare the laws and procedures of one country with that in other countries
DLA PIPERrsquoS PATENT GROUP
With more than 130 patent litigators on the ground in key jurisdictions worldwide dla piper is uniquely positioned to help companies successfully navigate their patent matters around the globe
for further information please contact us by email at patentsdlapipercom
global patent laws is a comparative reference guide on patent laws providing business insight on critical patent laws around the world and procedural matters businesses need to know about the handbook includes guidance on
Benefits of global patent laws
patent laws simply put global reach easy access 247
infringing Conduct
defences to infringement
Before taking action
patent validity
taking action
remedies
procedure amp timing
- Button 19
Investigation on a multinational bankrsquos data disposal incident
The PDPC and the MAS have joined forces in an investigation against a multinational bank (Bank) following a recent report relating to the Bankrsquos disposal of client documents In June 2016 it was reported that a garbage bag containing unshredded client documents of the Bank which included confidential client data and personal data such as National Registration Identity Card numbers addresses and phone numbers was found in close proximity to the Bankrsquos headquarters in Singapore
The MAS is working closely with the PDPC to review the incident and has indicated its commitment to take disciplinary action against banks which fail to adequately protect its customersrsquo data
New guides issued by the PDPC
To accompany its recent media release urging organisations to improve their data security measures and in light of recent enforcement decisions the PDPC has published new guides on data protection clauses for agreements relating to data processing securing personal data in electronic medium and building websites for small to medium enterprises
The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing IT outsourcing and security patching and has updated its advisory guidelines on key concepts in the
PDPA regarding content on withdrawal of consent and access requests Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing its data handling practices
Some interesting issues to note
The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in its third party contracts Such data protection clauses should contain specific security measures a schedule containing the authorised personnel who are permitted to access the personal data on a lsquoneed to knowrsquo basis a requirement for a written undertaking about return or deletion of personal as well as a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA
The PDPCrsquos guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration shredding or pulping In relation to shredding different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals)
this article was first published in august 2016 for further updates in relation to singaporersquos data protection laws please contact scott thiel scottthieldlapipercom or Carolyn Bigg carolynbiggdlapipercom
wwwdlapipercom | 23
AUSTRALIA ndash TRADE mARKS ndash CHANGES TO OffICIAL fEES
The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce or shift the timing of fees some of which are to align with practices and other jurisdictions and (hopefully) to cut red tape The changes took effect on 10 October 2016
Significantly the official fees on filing a new application have increased (by around AU$100 per class) but there will no longer be a separate registration fee payable at the acceptanceregistration stage While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptanceregistration the new process will hopefully reduce the administrative burden on applicants somewhat
In addition the AU$150 fee for opposing a removal application will be abolished Renewal fees will also increase slightly
This is an adjustment to official fees only at this time and DLA Piper Australia is not increasing its fees for the relevant attendances
HONG KONGrsquoS PRIvACY COmmISSIONER ADDRESSES PRIvACY COmPLIANCE AND bEST PRACTICE fOR bYOD
Following the publication of industry-specific BYOD guidelines such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines) the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kongrsquos Privacy Commissioner The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees are using their own mobile phones or other personal devices to access work emailssystems and suggests best practices for organisations allowing BYOD Unlike previous industry-specific guidance the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap 486) (the Ordinance) and the Data Protection Principles (DPPs)
The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and the harm and
likelihood of loss or unauthorised disclosure This reflects the approach taken in the HKAB Guidelines which recommend specific and distinct practices which differ depending on whether or not the organisationrsquos data is stored on the personal devices or within a lsquosandboxrsquo The Commissioner has suggested as best practice that organisations should at the outset of any BYOD implementation conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance
The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance For instance organisations should consider whether there is sufficient employee training regarding use of personal data stored in the BYOD device and whether adequate security measures are in place to ensure secure transfer and storage of personal data in the BYOD equipment (eg sandboxing password protection and independent encryption)
The Information Leaflet also highlights that respect for personal data should be mutual under the BYOD scheme and any practices implemented to manage employeesrsquo BYOD devices should respect the employeesrsquo private information
For more information the Information Leaflet is available here
DLA Piperrsquos Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe To learn more please click here
JUDICIAL REvIEW Of AUSTRALIAN GOvERNmENT PROCUREmENTS
In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill) which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority
Where the supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules in order to seek a remedy (for example damages) the supplier must follow the approach prescribed in the Bill This is likely to be a two-step process Firstly the supplier must attempt to resolve the complaint with the procuring entity Secondly if the complaint cannot be resolved the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court
The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year
IPT INSIGHTS
24 | Intellectual Property and Technology News
WHATrsquoS ONWrap up 5th Global Technology Summit
On September 27 and 28 DLA Piperrsquos Technology Sector hosted its 5th Global Technology Summit with more than 450 industry leaders attending the standing-room-only event in Menlo Park
This year the Summit was divided into two distinct days of programing The first day which was called lsquoGarage2Globalrsquo was dedicated to providing entrepreneurs emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from lsquogarage to globalrsquo And the second day which was entitled lsquoTechLawrsquo provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments
Speaker Highlights
At lsquoGarage2Globalrsquo Alec Ross Former Senior Advisor for Innovation to the US Secretary of State delivered the morning keynote address and spoke on the themes from his new book The Industries of the Future as well as the impact of Brexit and the coming presidential election on the technology sector and innovation Later in the day Sarah Lacy Editor in Chief at Pandocom sat down with Michelle Zatlyn Co-Founder of CloudFlare a web performance and security company to discuss how she and her co-founders turned an idea into one of the worldrsquos largest networks that powers more than 10 trillion requests per month nearly 10 of all Internet requests for more than 25 billion people worldwide Other speakers included c-level executives founders and investors from a wide variety of leading companies including August Home Cisco Investments Ford Research and Innovation GE Digital KPCB McKesson Ventures Qualcomm Ventures RetailNext Siemens Corporate Research and New Enterprise Associates Inc
Kicking off lsquoTechLawrsquo Stasia Kelly Co-Managing Partner (Americas) of DLA Piper sat down with Mark Chandler Senior Vice President and General Counsel at Cisco to discuss his role as an innovator within the legal industry the challenges in conducting acquisitions and how the legal department is viewed as a business partner During the afternoon sessions Dan Cooperman Of Counsel at DLA Piper chatted with Mike Callahan Senior Vice President and General Counsel at LinkedIn and Hillary Smith General Counsel at Zenefits to discuss the GCrsquos role in such areas as privacy and cybersecurity legal and policy and corporate investigations Other speakers included general counsel and thought leaders from some of the worldrsquos largest and most innovative technology companies including Adobe Systems Intel NetApp Netflix Nike Oracle Pandora PayPal Qualcomm and Samsung Electronics
Please visit our Summit website and blog for any further information
DLA Piper is pleased to announce the launch of Telecommunications Laws of the World
telecommunications laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world
Key features include
telecommunications laws regulations and policies
regulatory bodies or authorities
overview of consents licenses and authorisations
regulatory taxes and fees
key sanctions and penalties
telecommunications infrastructure is at the heart of any global business in the modern age from data security and data resilience requirements through cloud and data centre connectivity requirements to latency minimisation and time-based stamping for trading transactions robust reliable and resilient networks are critical
today telecommunications operators are increasingly seeking to expand customer-specific and value added services (such as combining connectivity with application services) to retain relevancy and protect against increased margin erosion at the same time the growth of ott (over the top) applications raises novel regulatory questions as service providers many of whom have no infrastructure and often no physical presence at all in the country can nevertheless use licensed operatorsrsquo infrastructure to provide services
access telecommunications laws of the World here
wwwdlapipercom | 25
Intellectual property webinar series
Throughout 2016 DLA Piper will be hosting an intellectual property webinar series focusing on the following topics If you are interested in joining these webinars contact eventsaustraliadlapipercom
intellectual property issues in China
confidential information and trade secrets global insights global protection
grey market parallel importation and anti-counterfeiting
content protection and digital piracy
advertising and marketing
Pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide
We will soon be releasing the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.
Covering the complete brand life cycle, this user-friendly guide provides practical insight into key aspects of trademark law and practice in Asia-Pacific, including:
Trademark filing and prosecution
Oppositions
Revocation, invalidation and cancellation
Trademark enforcement
Trademark exploitation
Unregistered trademark rights
Domain and company name disputes
To pre-order your copy of the inaugural edition of DLA Piper's Asia-Pacific Trademark Guide, email APACTMGuide@dlapiper.com
Are you an in-house lawyer? Join WIN today
WIN is our award-winning series of events, tools and forums addressing the technical, commercial and personal aspects of working in-house. Our online community provides access to tailored information, a personal library, best practice guides and toolkits, an extensive selection of recorded webinars, a range of online tools and much more. Click here to register.
26 | Intellectual Property and Technology News
DLA PIPER ASIA PACIFIC TRADEMARK GUIDE 2016
Pre-order your complimentary copy now
We are pleased to bring you the DLA Piper Asia Pacific Trademark Guide, a comprehensive review of trademark laws and key tips covering these 18 countries: Australia, Cambodia, China, Hong Kong, India, Indonesia, Japan, Korea, Laos, Macau, Malaysia, Myanmar, New Zealand, Philippines, Singapore, Taiwan, Thailand and Vietnam.
Relevant for the complete brand life cycle, this user-friendly guide looks at such essential issues as:
Trademark filing and prosecution
Oppositions
Revocation, invalidation and cancellation
Trademark enforcement
Trademark exploitation
Unregistered trademark rights
Domain and company name disputes
To pre-order your copy of the inaugural edition of DLA Piper's Asia Pacific Trademark Guide, please complete this card or email us at APACTMGuide@dlapiper.com
www.dlapiper.com | 27
GLOBAL PATENT LAWS AROUND THE WORLD
COMING SOON
Global Patent Laws is designed to provide you with an overview of the key patent laws and dispute resolution procedures that are relevant to businesses operating in the countries featured: for example, what acts infringe a patent, the availability of and approach to granting preliminary injunctions, the ability to obtain evidence, the approach to assessing validity and the typical time to trial. For companies operating in multiple countries, managing the risk of, and successfully bringing or defending, patent proceedings can often depend on strategic exploitation of the differences in approach between jurisdictions. Accordingly, our guide also allows you to compare the laws and procedures of one country with those of other countries.
Global Patent Laws is a comparative reference guide on patent laws, providing business insight on critical patent laws around the world and the procedural matters businesses need to know about. The handbook includes guidance on:
Infringing conduct
Defences to infringement
Before taking action
Patent validity
Taking action
Remedies
Procedure & timing
Benefits of Global Patent Laws: patent laws simply put, global reach, easy access 24/7.
DLA PIPER'S PATENT GROUP
With more than 130 patent litigators on the ground in key jurisdictions worldwide, DLA Piper is uniquely positioned to help companies successfully navigate their patent matters around the globe.
For further information, please contact us by email at patents@dlapiper.com
AUSTRALIA – TRADE MARKS – CHANGES TO OFFICIAL FEES
The Australian Trade Marks Office has made a number of changes to its official fee structure to reduce fees or shift their timing, some of which are intended to align with practices in other jurisdictions and (hopefully) to cut red tape. The changes took effect on 10 October 2016.
Significantly, the official fees on filing a new application have increased (by around AU$100 per class), but there will no longer be a separate registration fee payable at the acceptance/registration stage. While this might result in more deadwood on the Register in cases where an applicant loses interest in its application after filing but before acceptance/registration, the new process will hopefully reduce the administrative burden on applicants somewhat.
In addition, the AU$150 fee for opposing a removal application will be abolished. Renewal fees will also increase slightly.
This is an adjustment to official fees only at this time, and DLA Piper Australia is not increasing its fees for the relevant attendances.
HONG KONG'S PRIVACY COMMISSIONER ADDRESSES PRIVACY COMPLIANCE AND BEST PRACTICE FOR BYOD
Following the publication of industry-specific BYOD guidelines, such as those issued by the Hong Kong Association of Banks (the HKAB Guidelines), the trend towards Bring Your Own Device (BYOD) has come to the attention of Hong Kong's Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the Information Leaflet) which highlights the risks of data breaches where employees use their own mobile phones or other personal devices to access work emails and systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap. 486) (the Ordinance) and its Data Protection Principles (DPPs).
The Information Leaflet suggests that organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and to the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices depending on whether the organisation's data is stored directly on the personal device or within a 'sandbox'. The Commissioner has suggested, as best practice, that organisations should conduct risk assessments at the outset of any BYOD implementation and put internal BYOD policies in place accordingly, to ensure appropriate data privacy and data security compliance.
The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding the use of personal data stored on the BYOD device, and whether adequate security measures are in place to ensure the secure transfer and storage of personal data on the BYOD equipment (e.g. sandboxing, password protection and independent encryption).
The Information Leaflet also highlights that respect for personal data should be mutual under a BYOD scheme: any practices implemented to manage employees' BYOD devices should respect the employees' own private information.
For more information, the Information Leaflet is available here.
DLA Piper's Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more, please click here.
JUDICIAL REVIEW OF AUSTRALIAN GOVERNMENT PROCUREMENTS
In order to comply with its free trade obligations under the Trans-Pacific Partnership Agreement, the Australian Government is planning to introduce the Government Procurement (Judicial Review) Bill (Bill), which will allow suppliers to raise complaints about government procurement processes for review by an independent judicial authority.
Where a supplier believes the procuring Government entity has breached the Commonwealth Procurement Rules, the supplier must follow the approach prescribed in the Bill in order to seek a remedy (for example, damages). This is likely to be a two-step process. Firstly, the supplier must attempt to resolve the complaint with the procuring entity. Secondly, if the complaint cannot be resolved, the supplier may choose to have the complaint judicially reviewed by the Federal Circuit Court.
The proposed Bill is likely to be introduced into the Australian Parliament by the end of this year.
IPT INSIGHTS
24 | Intellectual Property and Technology News
WHAT'S ON
Wrap-up: 5th Global Technology Summit
On September 27 and 28, DLA Piper's Technology Sector hosted its 5th Global Technology Summit, with more than 450 industry leaders attending the standing-room-only event in Menlo Park.
This year the Summit was divided into two distinct days of programming. The first day, called 'Garage2Global', was dedicated to providing entrepreneurs, emerging-technology professionals and investors from all stages of the investment community with insights into the legal and business foundations needed to drive sustainable growth and take companies from 'garage to global'. The second day, entitled 'TechLaw', provided in-house counsel and leaders from mature technology companies with updates on the latest trends impacting legal departments.
Speaker highlights
At 'Garage2Global', Alec Ross, Former Senior Advisor for Innovation to the US Secretary of State, delivered the morning keynote address and spoke on the themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Later in the day, Sarah Lacy, Editor in Chief at Pando.com, sat down with Michelle Zatlyn, Co-Founder of CloudFlare, a web performance and security company, to discuss how she and her co-founders turned an idea into one of the world's largest networks, which powers more than 10 trillion requests per month, nearly 10% of all Internet requests, for more than 2.5 billion people worldwide. Other speakers included C-level executives, founders and investors from a wide variety of leading companies, including August Home, Cisco Investments, Ford Research and Innovation, GE Digital, KPCB, McKesson Ventures, Qualcomm Ventures, RetailNext, Siemens Corporate Research and New Enterprise Associates Inc.
Kicking off 'TechLaw', Stasia Kelly, Co-Managing Partner (Americas) of DLA Piper, sat down with Mark Chandler, Senior Vice President and General Counsel at Cisco, to discuss his role as an innovator within the legal industry, the challenges in conducting acquisitions and how the legal department is viewed as a business partner. During the afternoon sessions, Dan Cooperman, Of Counsel at DLA Piper, chatted with Mike Callahan, Senior Vice President and General Counsel at LinkedIn, and Hillary Smith, General Counsel at Zenefits, to discuss the GC's role in such areas as privacy and cybersecurity, legal and policy, and corporate investigations. Other speakers included general counsel and thought leaders from some of the world's largest and most innovative technology companies, including Adobe Systems, Intel, NetApp, Netflix, Nike, Oracle, Pandora, PayPal, Qualcomm and Samsung Electronics.
Please visit our Summit website and blog for any further information
DLA Piper is pleased to announce the launch of Telecommunications Laws of the World
Telecommunications Laws of the World is an online handbook providing global businesses with an overview and comparison of key telecommunications laws and policies across the world.
Key features include:
Telecommunications laws, regulations and policies
Regulatory bodies or authorities
Overview of consents, licences and authorisations
Regulatory taxes and fees
Key sanctions and penalties