IP & TMT Quarterly Review
First Quarter 2015
Mayer Brown JSM

Table of Contents

COPYRIGHT – HONG KONG
The Draft Copyright Tribunal Rules – Not There Yet

TRADE MARKS – HONG KONG
Burberry v Polo Santa: A Recent Case on the Standard of Use Required to Resist Non-Use Revocation

PATENTS – CHINA
The Impact of Improved Administrative Patent Enforcement Rules for Foreign Patentees

DATA PRIVACY – HONG KONG
Crossing Borders – New Guidance on the Transfer of Personal Data Outside Hong Kong
Data Privacy in Hong Kong, the Past, the Present and the Future: An "Appy" and Brave New World?

TECHNOLOGY – HONG KONG
Out With the Old, and In With the New: Amendments to the Payment Regulations in Hong Kong

TECHNOLOGY – CHINA
Made in China or Made for China: CBRC Guidelines Might Bifurcate the Global IT Supply Industry

CONTACT US


Copyright – Hong Kong

The Draft Copyright Tribunal Rules – Not There Yet

By Rosita Li, Partner, Mayer Brown JSM, Hong Kong
Victoria Armstrong, Registered Foreign Lawyer (England and Wales), Mayer Brown JSM, Hong Kong

Background to the Copyright Tribunal

The Copyright Tribunal (the "Tribunal") is an independent quasi-judicial body that was established on 1 December 1997 under section 169 of the Copyright Ordinance (Cap. 528) (the "CO"). Its main function is to decide disputes relating to licences or licensing schemes offered by licensing bodies in respect of the copyright works they administer. Any suspected unreasonable refusal of a licence under a licensing scheme, or suspected unreasonable licence terms, may be referred to the Tribunal. The Tribunal can also decide matters that do not involve collective licensing bodies. For example, it can give consent on behalf of an owner of the right of reproduction concerning a performance, or on behalf of an owner of performers' rental right, if the identity or whereabouts of that right owner cannot be ascertained.

Decisions of the Tribunal (hearings of which are normally conducted in public) are appealable to the Court of First Instance on points of law. However, to date, not a single final decision has been issued by the Tribunal.[1] Limited use of copyright tribunals is not particular to Hong Kong, however. For example, before legislative amendments[2] were made in 2009 to increase its efficiency and effectiveness, the Singapore Copyright Tribunal had heard only three cases since its inception in 1987. This figure can be compared with that of the UK Copyright Tribunal which, following the implementation of the Copyright Tribunal Rules 2010 (No. 791) (the "UK Copyright Tribunal Rules"), rendered four final decisions in 2013-2014 alone. It is little wonder, therefore, that the Hong Kong government is following the UK example in an attempt to promote the Tribunal as an effective dispute resolution forum, by improving its efficiency and cost-effectiveness and encouraging parties to turn to the Tribunal before having recourse to the courts. After all, with technological advancements substantially broadening access to copyright works, the number of related disputes would be expected to increase dramatically year on year. The fact that this has not happened suggests that there is either little awareness of the Tribunal itself, little understanding of its role as an effective dispute resolution forum or, most likely, that its current procedures are over-complicated and render it inaccessible, especially for small businesses and individuals.

[1] There are 11 applications officially "under progress", for example application No. 1/2010 for a grant of licence under section 163 CO (i.e., a reference to the Tribunal in relation to an expiring licence) and application No. 1/2011 for a grant of licence under section 156(3) CO (i.e., a reference to the Tribunal in relation to a licensing scheme), the most recent application to the Tribunal; however, there are currently no scheduled hearings. Of these 11 applications, 7 have in fact been withdrawn or discontinued. In relation to the remaining 4 applications, interlocutory application hearings have taken place and interim relief was ordered by the Tribunal (the latest being on 30 August 2013, in relation to an application for the grant of a licence under section 155(3) CO and/or section 156(3) CO, i.e., a reference to the Tribunal in relation to a proposed or existing licensing scheme).

[2] Amendments were made to the Copyright Act (Cap. 63).

The Rules

The rules regulating the procedure for making references and applications to the Tribunal are set out in the current Copyright Tribunal Rules (Cap. 528C). In August 2009, following the enactment of the Copyright (Amendment) Bill 2007 and the implementation of the Civil Justice Reform in Hong Kong in April 2009, the Hong Kong Government invited views on the direction and shape of a new set of rules (the "Draft Rules"), in order to modernise the practice and procedure of the Tribunal. Having taken into account the views submitted, as well as the latest local and overseas dispute resolution practices and developments (for example the UK Copyright Tribunal Rules 2010 and the enactment of the new Arbitration Ordinance (Cap. 609) in Hong Kong in 2010), the Draft Rules were published for further consultation on 9 December 2014.
In a press release, the Intellectual Property Department (the "IPD") noted that: "The Draft Rules seek to make proceedings before the Tribunal as flexible, convenient and cost-effective as possible in accordance with contemporary dispute resolution practices."[3]

Although this further public consultation period was scheduled to end on 9 February 2015, it appears, at the time of writing, that it has not yet been officially "closed" by the IPD. As such, final submissions have not yet been released. Following the closure of the consultation period, the Chief Justice will examine the submissions received, and the Draft Rules, as appropriately revised, will be tabled before the Legislative Council.

For the purposes of consultation, the Draft Rules have been split into seven sections for review, namely: principles of the Civil Justice Reform, standardised procedures and forms, active case management, alternative dispute resolution, single member adjudication, practice directions and self-contained rules. Although no final submissions have been published in respect of the latest period of consultation, submissions from the 2009 consultation are available and draft submissions have been shared between stakeholders.

[3] http://www.info.gov.hk/gia/general/201412/09/P201412090348.htm

Principles of Civil Justice Reform

The Draft Rules provide that the Tribunal must seek to give effect to the underlying objectives of the Civil Justice Reform. Given that proceedings before the Tribunal are intended to be less formal than court proceedings, the Draft Rules do not follow the practice and procedure of the court in their entirety. They adopt a few areas of the Civil Justice Reform, in particular active case management, the use of statements of truth to verify claims, and the encouragement of alternative dispute resolution. Comments in the 2009 stakeholder submissions suggested that the proposed imposition of costs sanctions, in particular in relation to defective documentation, could discourage use of the Tribunal. The Draft Rules give the Tribunal the ability to issue directions to rectify defective documents. Other suggestions made in 2009 included not imposing costs sanctions against unrepresented parties. This suggestion does not appear to have been taken on board; instead, "special circumstances" are set out under which costs sanctions may be ordered in relation to deliberate misuse of the Tribunal or misconduct in the proceedings.

Standardised Procedures and Forms

Standardised procedures and forms for all types of applications and references under the Draft Rules are intended to streamline procedure, thereby making the Tribunal more accessible to users. This appears to discount the concern raised by some stakeholders in 2009 that the use of a single application form may in fact cause more complexity and confusion, given the range of different matters that come before the Tribunal. The majority of stakeholders supported a standardised procedure, which should be more user-friendly and can be likened to the standardised application form and approach adopted in the UK Copyright Tribunal Rules. However, it is arguable that the forms in the Schedules to the Draft Rules are still too complicated. For example, one draft stakeholder submission suggests that the forms use confusing terminology (especially for unrepresented parties), such as "originator" rather than "applicant", and require the "originator" to select whether the application is "inter partes" or "ex parte". Further, there is no specific provision for a fast-track procedure for simple cases of low financial value in order to improve accessibility (unlike in the UK).
Active Case Management

Under the Draft Rules, the Tribunal is given the power to make orders or directions as to the conduct of proceedings. This power can be exercised at any stage of the proceedings, whether on the Tribunal's own initiative or at the request of one of the parties. No general guidance is provided on case management, though once the rules are adopted it is to be expected that guidance will follow. Practice directions, for example (discussed further below), may help reduce costs and delays. This would, arguably, alleviate the general concern put forward by the Law Society of Hong Kong in its 2009 submission that the Tribunal could in fact add to the up-front costs of parties to disputes.

Alternative Dispute Resolution

Alternative dispute resolution appears to be encouraged and facilitated by the Draft Rules, with no threat of a costs sanction should the parties fail to mediate. It is suggested that the Tribunal should have the flexibility to make "considering settlement and/or mediation" a procedural step.

Single Member Adjudication

Under section 172(1A) of the CO, in order to increase flexibility and efficiency in the disposal of certain proceedings, all interlocutory applications may generally be heard by a single member of the Tribunal. This dispenses with the need to engage a fully constituted Tribunal (at least three members[4]), thereby capturing the spirit of the Civil Justice Reform. Previous views submitted by stakeholders have been taken into account in the latest version of the Draft Rules, which require that the single member of the Tribunal be legally qualified (in fact, the Draft Rules state that the single member must be qualified for appointment as a District Judge under section 5 of the District Court Ordinance (Cap. 336)). However, at this point there is still no requirement in the Draft Rules that key members of the Tribunal be experienced in copyright matters. This is likely to be requested in the latest stakeholder submissions, given the complex nature of copyright licensing arrangements.

[4] Section 172(1) CO.

Practice Directions

The Draft Rules provide that the Tribunal may issue non-mandatory administrative guidelines setting out practice and procedure, to complement the Draft Rules. The original consultation revealed stark differences of opinion on these guidelines: some practitioners favoured a comprehensive set of rules, so as to avoid the need for additional practice directions, whereas others felt that reference could simply be made to existing court procedure. Others favoured a flexible approach. Given that the legislative intent is to provide efficiency and flexibility and to avoid excessive cost, while having regard to the Civil Justice Reform, it seems that the Tribunal should not be obliged to follow existing court procedure. However, a set of guidelines would facilitate accessibility and would be a helpful supplement to the current Draft Rules.

Self-Contained Rules

The Draft Rules will no longer feature cross-references to the Arbitration Ordinance. Under the current rules, users are required to refer to a separate piece of legislation (which, it should be considered, is likely to be amended from time to time). Given that this has the potential to cause confusion, a self-contained approach for the Draft Rules seems sensible, especially in view of the objective of ensuring that the Draft Rules are user-friendly and aid efficiency. Further, doing away with cross-referencing allows the Tribunal to take a less formal approach than the Court, thereby increasing accessibility and flexibility.

Conclusion

Although the submissions to the latest period of consultation are yet to be published, when considering the Draft Rules in light of the original 2009 submissions, it seems likely that a little more fine-tuning is still required.
The 2009 submissions highlighted the importance of monitoring the UK experience closely. Given the encouraging level of uptake of the UK Copyright Tribunal as a forum for dispute resolution in the years following the implementation of the UK Copyright Tribunal Rules, it is hoped that the changes proposed in the Draft Rules will have a similar effect in Hong Kong.


Trade Marks – Hong Kong

Burberry v Polo Santa: A Recent Case on the Standard of Use Required to Resist Non-Use Revocation

By Benjamin Choi, Partner, Mayer Brown JSM, Hong Kong
Nicola Kung, Associate, Mayer Brown JSM, Hong Kong

The recent case Burberry Limited and Burberry Asia Limited v Polo Santa Roberta Holding Hong Kong Limited (HCMP 965/2014) is a salutary reminder of the genuine and actual use required of a registered mark to keep it safe from non-use revocation. In these proceedings before the Court of First Instance, the trade mark owner was unable to show any genuine use of its trade mark after registration, so the court revoked the trade mark on the third anniversary of its actual date of registration.

Background

Burberry has its famous check pattern registered as a trade mark in Hong Kong in various classes, including class 18 for leather goods (the "Burberry Check"). The Defendant ("Polo Santa") also owned a Hong Kong trade mark consisting of a check pattern (the "Polo Check Mark"). Burberry sought to revoke the Polo Check Mark.

Polo Santa acquired the Polo Check Mark in January 2012 by assignment (the "Assignment") from its affiliate Polo Santa Roberta Limited ("PSR Ltd"). Prior to the Assignment, Burberry had instigated proceedings against PSR Ltd in the High Court (HCA 1617/2010) for selling products that infringed the Burberry Check. Burberry obtained summary judgment in that action on 17 January 2012. The Assignment occurred on 2 January 2012, just a few weeks before the summary judgment.

On 16 April 2014, Burberry applied by originating summons to the Court of First Instance for an order that the Polo Check Mark be revoked for 3 years of non-use, or alternatively for a declaration of invalidity of the trade mark registration. Under the Hong Kong Trade Marks Ordinance (Cap. 559) (the "TMO"), if it is established that there has been no genuine use of a registered trade mark in relation to the goods or services for which it is registered for a continuous period of at least 3 years, the Registrar of Trade Marks or the court can make an order revoking that mark (TMO s. 52(2)(a)). The 3-year period may begin at any time from the date on which the trade mark in question was registered (TMO s. 52(8)). In non-use revocation proceedings, the owner of the mark in question bears the burden of proving that the mark has been genuinely used, by the owner or with its consent, in the Hong Kong market during the relevant period.

In this case, Polo Santa was unable to satisfy the court that it had made any genuine use of the Polo Check Mark after its registration. The CFI held that the evidence of use produced by Polo Santa was insufficient to discharge its burden of proof, and therefore concluded that the registration of the Polo Check Mark was to be revoked.

[Figures: the Burberry Check and the Polo Check Mark]

What was not satisfactory about Polo Santa's evidence of use

The court was not satisfied with the evidence of use submitted by Polo Santa. In defending the proceedings, Polo Santa relied on two main pieces of evidence:

1. Licences: It had licensed two other entities to use the Polo Check Mark. One was another Hong Kong company run by Polo Santa's director ("Far East"). The other was a PRC company which sold handbags in Mainland China. Polo Santa asserted that these entities had been using the Polo Check Mark with its consent.

2. Catalogue: Its licensees had sold large quantities of bags bearing the Polo Check Mark. Polo Santa exhibited a 4-page handbag catalogue as evidence. The handbags shown in the catalogue had a small metallic badge bearing the Polo Check Mark. Polo Santa sought to rely on the EU General Court case Engelhorn KGaA v Office for Harmonisation in the Internal Market (Trade Marks and Designs) (T-30/09, 8 July 2010), in which a catalogue was found to be appropriate evidence of genuine commercial activity involving the goods in question.

The court made the following rulings:

Licences

Polo Santa did not dispute that, to resist revocation on the ground of non-use, the genuine use must have occurred in Hong Kong. The court concluded that its licence to the PRC company for use of the mark in Mainland China was irrelevant.

Catalogue

While the judge opined that catalogues are generally accepted as useful evidence of genuine commercial activity, the catalogue provided by Polo Santa was not enough to prove genuine use. The judgment clearly describes the differences between the Engelhorn catalogue and the Polo Santa catalogue. The Engelhorn catalogue contained specific information on a large number of shops offering the goods, including telephone numbers, fax numbers, postal addresses and internet addresses. This information would enable end customers to make purchases. Of the Polo Santa catalogue, the judge stated: "The catalogue is surprisingly sparse in content. The words 'Polo Santa Barbara' appear but it contains no name, address, telephone number, email address or any other contact details of the defendant or any other identity". In other words, there was nothing in the Polo Santa catalogue to suggest that the goods were being offered for sale to end customers. It is notable that the judge specifically pointed out that there was no contact information for the defendant in the Polo Santa catalogue.
When assessing whether a catalogue or brochure can constitute satisfactory evidence of use in non-use revocation proceedings, the court will actively look for signs that link the evidence presented to the party relying on it. The defendant's contact information may constitute evidence that the goods are truly intended to be offered for sale to consumers by that party.

The absence of documents

The judge also noted Polo Santa's failure to provide certain types of supporting evidence and took the view that the absence of these documents was "highly significant". Polo Santa had never submitted any:

• Documents relating to the manufacture of the goods;
• Documents evidencing the actual manufacture, marketing or sale of the goods, e.g., manufacturing records, commercial invoices, advertisements, retail invoices and receipts;
• Internal documents, e.g., sales records, vouchers and ledgers; or
• Statements from shop assistants confirming that the products had been offered for sale under the Polo Santa mark.

The judge concluded that, given the scale and regularity of the sales Polo Santa alleged, it was remarkable that the catalogue was the only evidence Polo Santa was able to produce.

Trade mark owners can't get away with token use

This case sheds light on the kind of evidence of use the court will expect in non-use revocation cases and, in doing so, clarifies the standard of use required of a registered trade mark. The judgment helpfully lists the types of documents that would assist a trade mark owner in resisting non-use revocation proceedings, e.g., documents evidencing manufacture and sale, internal records, catalogues containing the owner's contact information, and statements from employees that products had been offered for sale under the mark. Brand owners are therefore well reminded to make and preserve these documents and records in order to safeguard their marks from non-use revocation.


Patents – China

The Impact of Improved Administrative Patent Enforcement Rules for Foreign Patentees

By Xiaoyan Zhang, Counsel (New York, USA), Mayer Brown JSM, Hong Kong

On January 27, 2015, the State Intellectual Property Office ("SIPO") released a Draft on Patent Administrative Enforcement Rules (the "Draft") for public comment. The Draft aims to improve the current patent administrative enforcement rules, which took effect on February 1, 2011, by adopting several new measures, including the enhancement of patent enforcement in the e-commerce context and the acceleration of patent administrative proceedings. Given the nature of administrative patent enforcement in both theory and practice, these proposed improvements will affect only a small number of foreign patentees at most.

1. The Limitations of Administrative Patent Enforcement in China

China is one of the few jurisdictions in which a patentee has the option of asserting a patent infringement claim through an administrative action, as a quicker and more cost-effective alternative to court proceedings. Administrative agencies, however, are authorised to grant only injunctive relief (not monetary damages) and may refuse to accept cases on discretionary grounds such as complexity. Since most foreign patentees own high-stakes, complex invention patents, they may not benefit adequately from this remedy. Not surprisingly, of the 24,000 administrative patent cases filed in 2014, only 15% involved invention patents and only 6% were brought by foreign patent owners. Whether the improvements in the Draft are significant enough to lure more foreign patentees into seeking administrative enforcement, while forgoing monetary damages, remains to be seen.

2. Enhanced Administrative Patent Enforcement in E-Commerce: A Paradise in Theory or Reality?

Several provisions of the Draft offer an improved legal framework for stopping patent counterfeits on e-commerce platforms. Specifically, an administrative authority may order e-commerce website operators to take down or block webpages, and remove links, relating to patent counterfeit products. As part of an effort to increase transparency, administrative authorities are further required to publish their decisions online. Since online shopping has been gaining popularity in China, one of the world's largest consumer economies, this improvement will, at least in theory, offer speedy relief to foreign patentees who own simple utility model and design patents that are vulnerable to infringement online.

Some commentators, however, argue that the Draft's lack of specificity concerning e-commerce enforcement may ultimately hinder its implementation, particularly since the application of the procedure and the quality of decisions are inconsistent from city to city. How each local agency will respond to this improvement remains to be seen. Generally speaking, administrative enforcement agencies in first-tier cities such as Shanghai, Beijing and Guangzhou have a reputation for being more effective and professional than those in smaller cities. Nonetheless, foreign patentees should consider adopting a programme to systematically monitor the major e-commerce websites in China for potentially infringing activity, while building relationships with local counsel experienced in administrative patent enforcement.

3. Quicker Administrative Proceedings Demand Better Preparation

The Draft shortens the duration of administrative patent proceedings from the current four-month limit to three months (for invention and utility model patent proceedings) and two months (for design patent proceedings), with the possibility of a one-month extension upon approval of the department chief. The Draft also shortens the deadline for a party to submit a defence statement and statement of opinion, and the deadline for the administrative agency to enter a case on file after receiving a complaint, from 15 days to 10 days. Notably, local administrative agencies rarely follow the timelines set by SIPO, and many agencies in local provinces operate under their own timelines. Even if the revised two- and three-month timelines were to be strictly enforced, foreign patentees would face new challenges from the shorter deadlines in an inconvenient forum. Foreign patentees should therefore be thoroughly prepared, gathering as much evidence as possible before formally initiating an administrative action.

Conclusion

Foreign patentees who are aware of online distribution channels for infringing products should reassess the relevance and utility of administrative patent enforcement in light of the Draft, consider adopting a monitoring programme that targets the major e-commerce websites, and be well prepared before filing a complaint, preferably before an administrative agency in one of the first-tier cities.


Data Privacy – Hong Kong

Crossing Borders – New Guidance on the Transfer of Personal Data Outside Hong Kong

By Gabriela Kennedy, Partner, Mayer Brown JSM, Hong Kong
Karen Lee, Associate, Mayer Brown JSM, Hong Kong

Section 33 of the Hong Kong Personal Data (Privacy) Ordinance ("PDPO"), which restricts the cross-border transfer of personal data, has been on the statute book since the PDPO came into effect in 1996. It has never been brought into operation.
The Privacy Commissioner ("PC") indicated a few years ago that Section 33 would be brought into operation in the future and, to this end, his office commissioned research on the treatment of cross-border transfers in other jurisdictions. On 29 December 2014 the PC issued new guidance on the transfer of personal data out of Hong Kong, to help data users prepare for the implementation of Section 33 (the "Guidance Note").[5]

Section 33 of the PDPO

Once Section 33 is in force, it will only be possible to transfer personal data outside Hong Kong if one of the following exceptions applies:

a. The place to which the personal data will be transferred is on a "white list" of jurisdictions which the Privacy Commissioner considers to have laws that protect personal data to a level commensurate with the PDPO;
b. The data user has reasonable grounds to believe that the place to which the data is to be transferred has in force a law which is substantially similar to, or serves the same purposes as, the PDPO;
c. The data subject has consented in writing to the transfer;
d. The data user has reasonable grounds to believe that the transfer is for the avoidance or mitigation of adverse action against the data subject, it is not practicable to obtain the data subject's consent, and such consent would be given if it were practicable to obtain it;
e. The personal data is exempt from data protection principle ("DPP") 3 of the PDPO by virtue of an exemption under the PDPO; or
f. The data user has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not be collected, held, processed or used in a manner that would contravene the PDPO.

The PC's prior consent is not required for a data user to transfer personal data out of Hong Kong. However, if a data user's cross-border transfer is challenged by a data subject or by the PC, it will be for the data user to prove that at least one of the above exceptions applies.

A transfer of personal data in breach of Section 33, once it comes into force, may result in a fine of up to HK$10,000 and the issuance of an enforcement notice by the PC requiring steps to be taken to rectify the breach or prevent its recurrence. Breach of an enforcement notice is a further offence, attracting a fine of up to HK$50,000 and 2 years' imprisonment on a first conviction.

[5] http://www.pcpd.org.hk/english/resources_centre/publications/guidance/files/GN_crossborder_e.pdf

What transfers will be covered by Section 33?

Section 33 will cover not only the transfer of personal data from Hong Kong to a place outside Hong Kong, but also any onward transfer between 2 different places outside Hong Kong if the transfer is controlled by a data user in Hong Kong. Examples of when Section 33 will apply include:

a. The transmission of personal data to offshore third-party service providers who provide outsourced services;
b. The storage of personal data in the cloud, if the cloud server is located overseas or can be accessed by anyone outside Hong Kong;
c. The sharing of personal data with affiliated companies around the world; and
d. The remote access to, and downloading of, personal data stored on servers located in Hong Kong by employees outside Hong Kong.

Of the examples above, the last is probably the most difficult to accept, given the mobility of the modern workforce and the fact that access to data from home or when travelling overseas is normally made on devices that couple access with downloading. This example may need to be refined by including volume or intention triggers. Further guidance from the PC on this will no doubt become available once Section 33 comes into force.

Personal data merely being transferred between 2 recipients in Hong Kong, but routed via a place outside Hong Kong because of the way Internet traffic is routed, will not fall within the scope of Section 33, provided no personal data is actually accessed or stored outside Hong Kong.

Who will be subject to Section 33?

The PDPO distinguishes between a "data user" and a "data processor". A data user is a legal entity which, either alone or jointly or in common with another, controls the collection, holding, processing or use of personal data. By contrast, a data processor is a legal entity which merely holds, processes or uses personal data solely on behalf of another (i.e., the data user), and not for its own purposes. Data processors are not directly regulated under the PDPO; data users are ultimately responsible for compliance with the PDPO and remain liable for any breach of the PDPO caused by their data processors. Data users must therefore ensure that any cross-border transfer to or by a data processor complies with Section 33.

This is nothing new or revolutionary. The pitfalls of the data user / data processor agency relationship described above have been highlighted in the last couple of years by notorious cases which made headlines. Guidance notes issued by the PC on the amendments to the PDPO have also stressed that data users must ensure, by contractual or other means, that their data processors are required to comply with the rest of the PDPO (including the DPPs) in their use, processing and storage of personal data, to reduce the data users' risk of being in breach of the PDPO through the actions of their data processors.

What guidance is provided by the Guidance Note?
The new Guidance Note supersedes the previous guidance issued by the PC on cross-border transfers in April 1997, which included a recommended model contract based on a precedent prepared by the Council of Europe, the Commission of the European Communities and the International Chamber of Commerce in the 1990s[6] (the “Former Guidance”). The new Guidance Note retains some of the points made in the Former Guidance, but expands on each exception under Section 33 and provides recommended model clauses, some mandatory (core) and others optional (additional). Unlike the model contract in the Former Guidance, the Guidance Note recommends Hong Kong governing law and resolution in Hong Kong of disputes stemming from the transfer agreement. The Former Guidance allowed foreign governing law and envisaged settlement of disputes through arbitration in Hong Kong.

We have summarised below the comments and advice provided under the Guidance Note in relation to each of the above exceptions.

(a) “White List” exemption

In 2013, the PC carried out a survey of 50 jurisdictions and provided the government with a proposed list of countries to be included in the white list for Section 33[7]. However, the survey has not yet been made public and no final version of the white list has been Gazetted. When finalised, the white list is intended to be a “live” document, constantly re-evaluated and updated to take into account the changing laws of different jurisdictions. In reality, it may take the PC and the government a long time to finalise the white list and to add or remove jurisdictions in the future. The time and effort an assessment of a jurisdiction takes is clearly demonstrated by the comparable cross-border data privacy rules of the European Union.
Under the EU Data Protection Directive, personal data may be transferred out of the European Economic Area, without needing to satisfy the other exceptions under the Directive, if the transfer is to a country that the European Commission has found to provide adequate protection (the equivalent of Hong Kong's white list). So far, only 12 countries have been recognised by the European Commission as providing adequate protection and included in the EU's white list. New Zealand was only added to the EU's white list in December 2012. Australia is a notable absentee, and other Asian countries have yet to be added.

In light of the above, data users should not simply assume that the jurisdictions to which they may transfer personal data in the future will be included in the PC's white list. Instead, we would recommend that data users build into their current practice a requirement that: (i) the data subject's prescribed consent to any transfer be obtained at the time their personal data is collected; (ii) a data transfer agreement consistent with the PDPO be in place with the recipient of the data; and/or (iii) an audit of each potential recipient of the personal data be conducted before the transfer occurs. These are discussed further below.

[6] Fact Sheet – Transfer of Personal Data Outside Hong Kong: Some Common Questions (April 1997): http://www.pcpd.org.hk/english/resources_centre/publications/guidance/fact1_intro_1.html
[7] http://www.legco.gov.hk/yr13-14/english/panels/ca/papers/cacb2-790-1-e.pdf

(b) Laws substantially similar to, or which serve the same purposes as, the PDPO

To rely on this exception, the data user must have reasonable grounds, based on a professional assessment and evaluation, to believe that the destination country has in place laws that are substantially similar to, or serve the same purposes as, the PDPO.
Subjective belief would be insufficient; a detailed assessment of the data privacy laws would need to be carried out. Relying on this exception could therefore be quite costly, as professional advice would need to be obtained. It is also not clear who will be qualified or willing to provide data users with such advice: overseas and local lawyers may not be comfortable signing off a statement confirming that the laws of the country to which the personal data will be transferred are equivalent to the PDPO.

This exception is also intended to apply only to countries which have not yet been assessed by the PC for the purposes of the “white list”. If the PC has already assessed the laws of a jurisdiction but rejected them as inadequate, and has therefore not included that country in the “white list”, it is highly unlikely that a data user can rely on this exception in respect of that jurisdiction. Considering the costs, difficulties and risks of relying on this exception, we believe it should be one of the last resorts where the other exceptions to Section 33 cannot be relied upon.

(c) Consent in writing

Data users can carry out cross-border transfers of personal data if the data subject's prior consent is obtained in writing and is not subsequently withdrawn. On or before obtaining the data subject's consent, the data user must inform them of: (i) the purpose of the transfer; (ii) the classes of persons to whom the personal data will be transferred; and (iii) any consequences of giving consent, e.g., a lower level of protection in the country to which their personal data will be transferred. This information must be provided in a clear and easily understandable manner, along with a separate tick box so that the data subject can separately indicate their consent.
It is recommended that this information be incorporated in the personal information collection statement provided to data subjects at the time their personal data is collected, and that the data subject be required to tick a box and sign the personal information collection statement (or the form to which it is attached) to indicate their consent. If personal data is collected online, a requirement to click a box or an “I accept” button relating specifically to the transfer should be incorporated.

(d) Necessary to avoid or mitigate any adverse action

To rely on this exception, the data user must be able to establish that the transfer is necessary to protect the data subject's interests and that it is not feasible to obtain their prior consent; for example, the transfer is required in order to perform a contract to which the data subject is a party, and failing to transfer the data would cause the data subject to suffer substantial financial loss. The PC anticipates that this exception will apply only in very limited circumstances. We would recommend that it be relied upon only in extremely clear-cut cases that very obviously fall within its scope.

(e) Exemptions to DPP 3

DPP 3 prohibits data users from using personal data for a new purpose that is different from the original purpose of collection (or a directly related purpose) unless the data subject's voluntary and explicit consent to the new purpose is obtained. Part VIII of the PDPO sets out a number of exemptions from the restriction under DPP 3. These same exemptions can also be relied on by a data user for the transfer of personal data out of Hong Kong.
These include the following:
• where the transfer is required for preventing or detecting crime;
• where the transfer is required to prevent, preclude or remedy any unlawful or seriously improper conduct, dishonesty or malpractice;
• where the identity, location and health-related personal data of an individual must be disclosed to prevent serious harm to an individual's physical or mental health; and
• where the transfer is to a data user who is in the business of reporting news, and there are reasonable grounds for believing that publication or broadcasting of the personal data is in the public interest.

(f) Reasonable precautions and exercise of due diligence – data transfer agreements and due diligence

Having an enforceable contract in place between the data user and the recipient of the personal data is one of the best ways of demonstrating that all reasonable precautions have been taken in order to satisfy this exception. Even while Section 33 is not yet in force, or where another exception under Section 33 can be relied on, having such a contract is generally recommended as a matter of good practice. Any contract between the data user and a recipient of the personal data should include provisions requiring the recipient to comply with the PDPO, particularly DPP 2 (accuracy and retention of personal data), DPP 3 (use of personal data), DPP 4 (security of personal data), DPP 5 (public availability of policies) and DPP 6 (right to data access and correction). This will reduce both the risk exposure of the data user and the chances of the personal data being mishandled by the recipient. The Guidance Note sets out new model clauses that can be included in data transfer agreements between data users and recipients to ensure compliance with the PDPO. These are discussed further below.
As an alternative to entering into a data transfer agreement with the recipient, a data user may instead audit and inspect the recipient's policies and practices to ensure that they comply with the PDPO. As part of the due diligence and audit, the data user should ensure that:
• the recipient has in place sufficient organisational and technical measures and policies, including adequate training for staff and effective security measures, to properly safeguard the personal data and to prevent it from being kept longer than necessary or used for any purpose that is not permitted;
• the recipient has not been involved in any data breaches in the past;
• the data subjects' rights of access and correction under the PDPO will not be affected by the transfer; and
• it has the right to audit and inspect how the recipient uses and processes personal data (and conducts such audits and inspections regularly) to determine whether the recipient complies with the PDPO.

If the overseas transfer is to an affiliated entity, the data user must still be satisfied that the relevant affiliate, and the group as a whole, has sufficient internal safeguards and policies in place that are consistent with the PDPO.

Carrying out the above due diligence and audit may be most appropriate where the recipient will be processing, using or storing personal data on behalf of the data user on a long-term basis, e.g., where the data user has outsourced its payroll management to an overseas company. In such circumstances, where the long-term processing and the nature of the personal data mean that the risk of a breach or mishandling is high and the consequences could be severe, it is advisable for the data user to conduct due diligence and audits of the recipient even if a data transfer agreement is entered into with the recipient.
Changes to the services provided by the recipient, or to the law or to the guidance issued under the PDPO, may eventually render a data transfer agreement outdated. It is therefore important that data users also conduct due diligence and audits, both before the transfer of personal data and on an ongoing, regular basis, to ensure compliance. Where the transfer of personal data is a one-off event, or is made under a short-term or limited contract (e.g., where a recruitment agency collects and processes personal data of job applicants on behalf of a data user), it may not be cost-effective for the data user to conduct a due diligence exercise or audit. Instead, entering into a contract with the recipient that is consistent with the model clauses may be more appropriate.

Model Clauses

The new model clauses expand the restrictions and obligations of the recipient in respect of the personal data, reflecting the data user's obligations under the DPPs. For example, the requirement to obtain a data subject's prescribed consent to any new purpose has always been an obligation under DPP 3 of the PDPO. However, whilst this was only implied in the 1997 model contract (i.e., recipients had to undertake to use the personal data only for the purposes listed in the cross-border agreement), the new model clauses make it explicit: the Transferee is required to obtain the prescribed consent of the data subject for any new purpose of use.

While the core clauses are mandatory, the exact wording in the Guidance Note is not. This means the clauses can be modified as required to meet the circumstances of a particular cross-border transfer. It is the “essence” of the core model clauses that needs to be incorporated in any data transfer agreement, rather than their exact wording. The Guidance Note also proposes additional clauses, beyond the core model clauses, which parties may consider including in their data transfer agreements.
These additional clauses include the conferring of rights on data subjects by virtue of the Contracts (Rights of Third Parties) Ordinance[8]. Under the new Contracts (Rights of Third Parties) Ordinance, data transfer agreements can be expressed to be for the benefit of the data subjects, who will therefore have a right to bring a legal action directly against the recipient of their personal data if the recipient breaches the data transfer agreement between it and the data user, notwithstanding that the data subject was not a party to that agreement.

[8] Enacted on 5 December 2014. It will come into operation on a date to be prescribed by the Hong Kong government.

Once the Contracts (Rights of Third Parties) Ordinance comes into effect, the exclusion or inclusion of the data subjects' right to enforce the provisions of the outsourcing/data transfer agreement against the data processor will become a bargaining chip in contractual negotiations between data users and data processors. Data users may want such a provision, but they should note the requirement to provide data subjects with a copy of the agreement with the data processor. The Guidance Note already contains a core clause that stipulates the apportionment of liability between data users and data processors vis-à-vis data subjects (clause 3.1). This may indeed be the preferred option in a data transfer agreement, though presumably the apportionment of liability would be triggered only where there is fault on both sides, while an indemnity clause in favour of the data user would be needed for situations where the fault lies entirely with the data processor.

What are the current legal requirements in force in relation to the transfer of personal data?
Even though Section 33 has not yet come into operation, existing statutory requirements under the PDPO already impose obligations on data users which may affect their cross-border transfers of personal data. In brief, these other requirements under the PDPO are as follows:

a. General notification requirements (DPP 1(3))
On or before collecting an individual's personal data, data users must ensure that the data subject is informed (amongst other things) of the classes of persons to whom the data may be transferred and the purpose of such transfer. As such, if the data user will be transferring any personal data to a third-party service provider or affiliate located inside or outside Hong Kong, this should be notified to the data subject at the time his/her personal data is collected.

b. Prescribed consent for any new purpose (DPP 3)
If the data user intends to transfer any personal data to a third-party service provider or affiliate (whether located inside or outside Hong Kong), and such transfer was not within the original purpose (or a directly related purpose) of collection, the data subject's express and voluntary consent must be obtained beforehand.

c. Direct marketing requirements (Part VIA)
If a data user intends to transfer personal data to a third party for the purposes of direct marketing (e.g., the third party will make direct marketing calls on behalf of the data user), the data user must obtain the data subject's prior written consent. The data user must explicitly notify the data subject in writing beforehand of its intention to transfer the personal data to a third party for direct marketing purposes and whether the transfer is made in return for gain, e.g., money or other property. The data subject must have explicitly indicated in writing that he/she does not object to the use and transfer for the purposes of direct marketing.

d. Data processors (DPP 2(3) and DPP 4(2))
If a data user engages a data processor (including any other entity within the same group) to use, store or process personal data on the data user's behalf, the data user must adopt contractual or other means to prevent any personal data transferred to the data processor from being kept longer than is necessary, and to prevent any unauthorised or accidental access, processing, erasure, loss or use of the personal data by the data processor.

Note that even after Section 33 comes into operation, data users will still be obliged to comply with the above requirements under the PDPO. Breach of these obligations may result in an enforcement notice being issued by the PC against the data user requiring it to take steps or measures to rectify the breach or prevent its recurrence. Failing to comply with an enforcement notice is an offence which attracts a maximum fine of HK$50,000 and 2 years' imprisonment, plus a daily penalty of HK$1,000 for a continuing offence. Further penalties apply for any subsequent repeat contravention on the same facts or for multiple breaches of enforcement notices. Breach of the direct marketing requirements is an offence attracting a higher maximum fine of HK$500,000 and 3 years' imprisonment. Where the breach involves the sale or transfer for gain of personal data to a third party for direct marketing purposes, the maximum fine is HK$1,000,000 and 5 years' imprisonment.

Conclusion and Recommendations

No official announcement has been made by the PC as to when Section 33 will come into force. However, in anticipation of Section 33 eventually coming into force, data users are advised to review their current cross-border transfer practices to ensure consistency with the Guidance Note and Section 33.
We would recommend that the best way for a data user to ensure compliance with Section 33 is to:

a. obtain each data subject's consent to the transfer of their personal data overseas pursuant to the exception under Section 33 discussed above, at the time the data subject's personal data is collected. The required information can be incorporated in the personal information collection statement provided to data subjects at the time of collection, and should include a tick box enabling the data subject to indicate their specific consent to the cross-border transfer. Note that this will need to be in addition to, and separate from, any consent (and therefore any tick box) relating to the transfer of personal data for direct marketing purposes;
b. enter into data transfer agreements with the intended recipients of the personal data which incorporate the PC's recommended model clauses (amended as necessary to suit the circumstances); and/or
c. conduct an audit of the intended recipients of the personal data to ensure that they have in place policies and practices consistent with the PDPO.

Even though Section 33 is not yet in operation, existing obligations under the PDPO apply to all transfers of personal data. Data users should therefore review their internal policies and practices, as well as their existing and future contracts with data processors, to ensure compliance with both the existing requirements under the PDPO and Section 33. Taking a proactive approach is the best way for data users to mitigate any potential liability.

Data Privacy in Hong Kong, the Past, the Present and the Future: An “Appy” and Brave New World?
By Gabriela Kennedy, Partner, Mayer Brown JSM, Hong Kong
Karen Lee, Associate, Mayer Brown JSM, Hong Kong

2014 saw the Hong Kong Privacy Commissioner (“PC”) take a proactive approach to the protection of personal data, as well as an increase in public awareness of data privacy, as evidenced by the number of complaints received by the Office of the PC. This article reviews the data privacy landscape in 2014 and surveys the outlook for 2015.

Complaints and enquiries

On 28 January 2015, the PC issued his annual report for April 2013 to March 2014 (the “Report”), summarising developments concerning the Personal Data (Privacy) Ordinance (“PDPO”) throughout the year as well as activities undertaken by the Office of the PC. A total of 1,888 complaints were received by the PC in 2013-2014, a 53% increase on the previous year. Of these 1,888 complaints, 78% were made against private organisations, the vast majority of which are in the banking and finance industry. Most of the complaints concerned the use of personal data without the requisite consent. This increase in the number of complaints not only demonstrates a heightened awareness of privacy rights among the public, but also underscores the need for companies to heed the PC's call to move from mere “compliance” to “accountability” for the personal data they hold. The growth in public awareness, coupled with the PC's enforcement actions (discussed below), is likely to result in companies taking a proactive approach, implementing more sophisticated compliance methods and moving towards accountability for their data.

Increased enforcement action

Not only has the number of complaints risen compared with previous years, but the number of enforcement notices issued by the PC has also continued to rise. In 2014, the PC issued 90 enforcement notices to stop or prevent further contraventions, whereas only 25 had been issued in the previous year[9].
In addition, 2014 marked the very first time a prison sentence was imposed for a breach of the PDPO since it came into force in 1996. An insurance agent was found guilty in December 2014 of knowingly making a false statement to the PC and was sentenced to 4 weeks' imprisonment. The PC is likely to refer more cases for prosecution in the year ahead and, given the constant barrage of headlines concerning breaches of privacy, it is likely that the Hong Kong courts will take a firmer approach against offenders in the future. We anticipate that breaches of Section 35E (i.e., using an individual's personal data for direct marketing without their consent), Section 50A (i.e., breaching an enforcement notice issued by the PC) and possibly Section 64 (i.e., disclosing personal data obtained from a data user without that data user's consent, such as a rogue employee stealing personal data from their employer in order to sell it to a competitor) may come before the courts and may result in prison sentences in the future.

[9] http://www.pcpd.org.hk/english/news_events/media_statements/press_20150127.html

The PC has also continued to initiate his own investigations. In fact, the number of self-initiated investigations rose from 19 in the previous year to 102 in 2014, and 217 compliance checks were conducted, up from 208 in the previous year[10]. The emphasis has clearly been on creating a privacy-safe environment in Hong Kong. The PC has also focused on offering legal assistance to complainants under new provisions that were introduced in 2012 and came into force in 2013. Legal assistance can now be provided by the PC in the form of legal advice, mediation or legal representation for an aggrieved person.
Of the 17 requests made in 2013-2014, only one was granted legal assistance and 7 were refused (either for lack of prima facie evidence that the PDPO had been breached or for failure to substantiate any alleged damage suffered). The rest were either withdrawn or are still being considered.

Cross-border transfers

The speed with which technology enables data to move across borders, and the increasing uptake of cloud-based services at both consumer and enterprise level, focused attention on cross-border transfers in 2014. Section 33 of the PDPO prohibits the transfer of personal data out of Hong Kong except in specific circumstances, including a transfer to a country on the “white list” of jurisdictions which the PC considers to have laws that protect personal data to a level commensurate with the PDPO. However, Section 33 is still the only provision of Hong Kong's data privacy law that has not come into force, 19 years after its enactment. In 2013, the PC completed a survey of 50 jurisdictions and provided the Government with a recommended “white list” of countries that have data protection laws substantially similar to the PDPO[11]. As an interim step, on 29 December 2014 the PC issued a Guidance Note on the transfer of personal data out of Hong Kong to help data users prepare for the eventual implementation of Section 33[12]. Even though the Guidance Note is not mandatory, any failure to comply will most likely be taken into account by the PC when assessing whether the PDPO has been breached (either in respect of Section 33, when it eventually comes into operation, or any other relevant provision of the PDPO, e.g., data protection principle 1). The Guidance Note, as an interim measure, offers some indication of where the law on Section 33 will eventually stand.
Apps and technology

In a connected city like Hong Kong, where the mobile penetration rate is 241.7%[13], it comes as no surprise that in 2014 the PC received 1,702 complaints, 12% of which related to the use of information and communications technology[14]. This marked an increase of 122% in the number of complaints relating to information and communications technology compared with the previous year.

[10] Ibid 5.
[11] http://www.legco.gov.hk/yr13-14/english/panels/ca/papers/cacb2-790-1-e.pdf
[12] For further details, please see our article entitled Crossing Borders – New Guidance on the Transfer of Personal Data Outside Hong Kong: http://www.mayerbrown.com/files/Publication/bfde8936-6f8c-4c52-b01d-a772d5cc9ee4/Presentation/PublicationAttachment/a9e7433e-a887-4222-bcd8-b1102fff30f6/150120-HKG-PrivacySecurity-CrossBorder.pdf
[13] Mobile subscriber penetration rate in November 2014, according to the Key Communications Statistics provided by the Hong Kong Office of the Communications Authority: http://www.ofca.gov.hk/en/media_focus/data_statistics/key_stat/
[14] Ibid 5.

The PC's focus on mobile apps and technology is nothing new, but it is definitely an area that warrants continued oversight. In November 2012 the PC issued an Information Leaflet on Personal Data Privacy Protection: What Mobile App Developers and their Clients should Know[15], which was followed by a Best Practice Guide on Mobile App Development issued in November 2014[16]. The PC has also carried out investigations into mobile apps, most famously an investigation of the mobile app “Do No Evil”, which was found to infringe the PDPO[17]. The Report makes it clear that the PC will continue to focus his attention in 2015 on the protection of personal data in respect of mobile apps.
Since a guidance note and an information leaflet have already been issued, the PC's activities in this area will likely focus on educating app developers and on conducting self-initiated investigations and compliance checks to ensure that mobile app developers comply with the PDPO and the PC's recommendations. A new privacy awareness campaign targeted at mobile app developers was launched in January 2015[18].

Privacy Management Programme

2014 debuted with the launch of the Privacy Management Programme, an initiative through which the PC has encouraged organisations to proactively embrace personal data protection as part of their corporate governance responsibilities rather than merely treating it as a legal compliance issue[19]. In February 2014, the Government and 25 companies pledged to implement and comply with the Privacy Management Programme, which involves adopting an all-encompassing privacy management programme that applies to all business and operational areas within an organisation, to ensure that privacy policies and procedures are properly implemented.

The Privacy Management Programme was considered by the PC to be an interim substitute for the Data User Returns Scheme (“DURS”)[20]. The DURS provisions under the PDPO have been in force since the enactment of the PDPO in 1996. These provisions enable the PC to specify certain categories of data users that must periodically provide returns to the PC setting out prescribed information, e.g., the type of personal data held, the purposes of collection, etc. The DURS has never been activated, as no such categories of data users have ever been specified by the PC. In July 2011, the PC issued a consultation document setting out the proposed implementation of the DURS. Due to lack of support, notably from the financial sector, the introduction of the DURS was put on hold and the Privacy Management Programme was introduced instead. It is unlikely that the DURS will be reconsidered in 2015.
Instead, the PC has indicated that he will continue to focus on encouraging data users to adopt the Privacy Management Programme.

[15] http://www.pcpd.org.hk/english/resources_centre/publications/information_leaflet/files/apps_developers_e.pdf
[16] http://www.pcpd.org.hk/english/resources_centre/publications/guidance/files/Mobileapp_guide_e.pdf
[17] For further details, please see our article entitled When is public data private data?, published by the Computer Law and Security Review: http://www.mayerbrown.com/files/News/cfea8e31-f586-4f72-92c8-19313b5598a8/Presentation/NewsAttachment/f40d4764-f4a5-4f1a-9fa7-1a959f489a0c/CLSR%20(GABK)%20Bylined%20-%20What%20is%20public%20data%20private%20data%20-%201213.PDF
[18] http://www.pcpd.org.hk/english/news_events/media_statements/press_20150108.html
[19] For further details, please see our article entitled Moving from Compliance to Accountability – the Privacy Commissioner of Hong Kong Issues Best Practice Guide on Privacy Management Programme: http://www.mayerbrown.com/files/Publication/e8e17e07-4f6d-4862-a8a6-ba15cc7b2d4c/Presentation/PublicationAttachment/c6d1f518-adbe-407e-b3cd-de70f34d367c/IP_TMT_QuarterlyReview_2014Q1.pdf
[20] Ibid 15.

Focus on the financial sector

It comes as no surprise that a sector very much in the spotlight these days should also be a focus for privacy regulators. The majority of private-sector complaints in 2014 were made against organisations in the banking and finance industry.
The sensitive nature of the information handled by banks and the heightened risk of cyber attacks merited a Guidance Note from the PC, published in the last quarter of 2014 (the Guidance Note on the Proper Handling of Customers' Personal Data for the Banking Industry)[21]. This Guidance Note was accompanied by circulars issued by the Hong Kong Monetary Authority (“HKMA”) and the Securities and Futures Commission (“SFC”). The SFC issued a Circular to all Licensed Corporations on Internet Trading, Reducing Internet Hacking Risks[22] in January 2014, followed by a Circular to all Licensed Corporations on Internet Trading Information Security Management and System Adequacy[23] in November 2014 (together, the “SFC Circulars”). The SFC Circulars reconfirm that licensed corporations must comply with Chapter 18 and Schedule 7 of the SFC Code of Conduct (which set out the obligations for ensuring the integrity and security of a firm's electronic trading system), and also make specific suggestions on security control techniques and procedures (e.g., secure coding, login controls, firewalls). The SFC Circulars also highlight the major design and control deficiencies discovered by the SFC in its review of selected licensed corporations, which posed security and integrity risks. The major deficiencies identified include the absence of formal IT management policies or procedures (for disaster recovery, monitoring of suspicious websites, and so on) and the absence of independent or qualified IT and security risk management functions.

On 14 October 2014 it was the turn of the HKMA to issue a Circular on Customer Data Protection (the “HKMA Circular”)[24]. The HKMA Circular focused on the controls needed to help banks prevent and detect loss or leakage of customer data and the procedures needed to address and report such incidents.
In addition to their obligations under the PDPO, financial institutions need to account to the HKMA for the adequacy and effectiveness of their existing controls and procedures by completing a critical review by the first quarter of 2015. The increased scrutiny of financial institutions by the data privacy regulator and the financial regulators is likely to continue throughout 2015. The emergence of mobile payments in Hong Kong will most likely draw further attention from the PC to the security of data and to data handling practices.

The year ahead

The PC has stated that for 2015 the areas on which he will specifically focus include25:
a. The use of mobile Apps and their implications for personal data privacy protection (discussed above);
b. Continuing to assist organisations in administering Privacy Management Programmes (discussed above);
c. The protection of personal data contained in public registers maintained by the Government;
d. A survey on the public's perception of the PC and various topical privacy issues; and
e. Assisting the Bills Committee in its deliberations on the Electronic Health Record Sharing System Bill.

21 For further details, please see our article entitled "Banking on Your Personal Data: Recent Guidance Issued to Banks": http://www.mayerbrown.com/files/Publication/7697fa24-69e7-4839-9c5e-7f4e746400a4/Presentation/PublicationAttachment/54705832-9382-44e4-9022-8c1b6592e829/141223-HKG-BF-FSRE.pdf
22 http://www.sfc.hk/edistributionWeb/gateway/EN/circular/doc?refNo=14EC3
23 http://www.sfc.hk/edistributionWeb/gateway/EN/circular/doc?refNo=14EC48
24 Ibid 17.
25 Ibid 5.
The statements made by the PC so far indicate that his action points will be to: (i) educate App developers and conduct self-initiated investigations and compliance checks on mobile Apps; (ii) continue to encourage and assist data users to adopt and implement the Privacy Management Programme; and (iii) conduct self-initiated investigations and compliance checks, and host further seminars and workshops, to educate organisations on the use of personal data contained in public registers. Despite the issuance of the Guidance Note on Personal Data Protection in Cross-border Data Transfer at the end of 2014, the PC has not identified the introduction of Section 33 in his list of areas of specific focus for 2015. This is unlikely to mean that the PC is abandoning his attempts to bring Section 33 into force, or that he will not pay attention to cross-border data flows, especially given the increasing adoption of cloud services in Hong Kong. The Guidance Note on Personal Data Protection in Cross-border Data Transfer26 indicates the exact opposite. Its timing suggests that Section 33 may take a while to come into force, and that in the interim a foreshadowing of its rephrasing is to be accepted and tested through the model clauses (core and additional) proposed in the cross-border Guidance Note. Another notable omission is any reference to the possible introduction of a binding corporate rules ("BCR") regime. The European BCR regime, under which an organisation that implements a legally binding group policy on the transfer of personal data, approved by the relevant data protection authority, can transfer personal data outside the European Economic Area to its affiliates globally, may be a lobbying item on the agenda in 2015, especially for multinational corporations, for which the model clauses in the Guidance Note will present a challenge.
This is largely because the model clauses cannot accommodate the addition of new entities to a group of companies or changes in group functions, each of which would require a new suite of documents every time a change occurs.

A Crystal Ball for Data Privacy in Hong Kong in 2015?

2015 will continue to be a busy year for the PC, with continued active enforcement and oversight, particularly in areas such as Apps, new mobile payment technology, cloud services and security of data. Data users should not sit back and wait for the PC to come knocking; they should instead take a page from the PC's book and be proactive in ensuring that their systems are in place and that they are accountable for the data they hold.

26 Ibid 8.

Technology – Hong Kong

Out With the Old, and In With the New: Amendments to the Payment Regulations in Hong Kong
By Gabriela Kennedy, Partner, Mayer Brown JSM, Hong Kong
Karen Lee, Associate, Mayer Brown JSM, Hong Kong

Technological innovation and the public's demand for quick and efficient payment methods have led to the proposal that the existing regulatory regime be extended to cover a broader range of stored value facilities ("SVF") and retail payment systems ("RPS"), to protect consumers as new types of retail payments emerge at a fast pace. Almost two years after a consultation paper was first issued proposing changes to the current payment regulatory regime, the Legislative Council published the Clearing and Settlement Systems (Amendment) Bill on 23 January 2015 (the "Bill"). The Bill received its first reading at the Legislative Council on 4 February 2015. The Bill is largely in line with what was proposed in the consultation paper and with the comments of the Financial Services and Treasury Bureau ("FSTB") and the Hong Kong Monetary Authority ("HKMA") following the feedback received from the public.
Background

An RPS is a payment system that handles the transfer, clearing or settlement of low-value payments for retail purchases (e.g., mobile payments and credit cards). An SVF, by contrast, is a payment facility on which a pre-paid amount is stored as value, which is then used to pay for goods or services. An SVF can be categorised as either single-purpose (usable only to purchase goods or services from a single merchant, e.g., a gift card) or multi-purpose (usable to obtain goods or services from multiple merchants, e.g., the Octopus card), and as either device based (value is stored on a physical device) or non-device based (value is stored on, say, a computer or mobile network). Concerns that the current regulatory regime is inadequate to protect consumers given the rising trend of innovative payment methods led the FSTB and the HKMA to propose a new regulatory regime, outlined in their public consultation paper issued on 22 May 2013 (the "Consultation Paper"). The public's overall response to the Consultation Paper was positive and supportive of the changes proposed. On 31 October 2014, the FSTB and HKMA issued the Consultation Conclusions, which summarised the key comments received from market players and government bodies and the small number of revisions that the FSTB and HKMA agreed to make in light of those comments. For more information on the Consultation Paper and the Consultation Conclusions, please see our previous articles "Aligning the law with innovative payments in Hong Kong"27 and "Hong Kong's proposed new payments regulatory regime"28, published in E-Finance & Payments Law & Policy in October 2013 and November 2014 respectively.
27 http://www.mayerbrown.com/files/News/e8cbc456-f7ba-493b-a008-09de3e7b7c64/Presentation/NewsAttachment/45a24d44-8391-4052-996a-0be600c70801/Aligning%20the%20law%20with%20innovative%20payments%20in%20Hong%20Kong.PDF
28 http://www.mayerbrown.com/files/News/dc594ac3-8938-42b9-9d12-2c48c5fa4eba/Presentation/NewsAttachment/68fce6e6-687b-4ad7-8a7a-2c8e8c07dcf0/EFPLP%20November%202014%20pg%2013-14.pdf

Current regulations

Only multi-purpose device based SVFs are currently regulated, under the Banking Ordinance (Cap. 155) ("BO"); non-device based SVFs and single-purpose SVFs are not subject to regulatory control. RPSs are not currently regulated. The Clearing and Settlement Systems Ordinance (Cap. 584) ("CSSO") provides a framework for the HKMA to designate and oversee large-value clearing and settlement systems, but this does not apply to small transactions such as those made via RPSs.

Changes introduced by the Bill

As far as SVFs are concerned, the government is particularly keen to protect the float (i.e., the total amount paid by users to the SVF issuer to be stored on the SVF). For RPSs, the government is concerned with maintaining their efficiency whilst still making them safe for consumers to use. These goals are clearly reflected in the proposed changes outlined in the Bill. The Bill itself is consistent with the Consultation Paper and with the small number of amendments to the proposal that the FSTB and HKMA decided to make based on the comments received during the consultation period, as set out in the Consultation Conclusions29. The Bill will amend the current CSSO to introduce the new regulatory regime for SVFs and RPSs. The CSSO will also be renamed the Payment Systems and Stored Value Facilities Ordinance.

SVF licence

Under the Bill, issuers of both device based and non-device based multi-purpose SVFs are required to obtain a licence from the HKMA.
Single-purpose SVFs will not be subject to the new licensing requirements, as the risk to consumers in using them is limited and the government is keen not to stifle business innovation. This is also consistent with the existing multi-purpose SVF licensing regime under the BO. The Bill also excludes from the licensing requirements loyalty and bonus point schemes, single online store platforms, and multi-purpose SVFs that have limited usage (e.g., usable only at shops on a university campus) with a float of HK$1 million or less. These exclusions result from some of the responses received during the consultation period, which raised concerns that the broad definition of an SVF would encompass such facilities. The FSTB and HKMA agreed in the Consultation Conclusions to clarify this in the Bill and to expressly exclude such facilities.

SVF licensing requirements

In order to obtain and maintain an SVF licence, the Bill prescribes a number of requirements that must be met, including the following:
a. The licensee must be a company incorporated under the laws of Hong Kong and have a registered office in Hong Kong. This ensures that the HKMA will have supervisory control over SVF issuers even if their services are provided over the Internet, or their operations or systems are located outside Hong Kong.
b. The licensee's principal business must be the issuance of SVFs. The rationale is to ensure that the licensee's resources are primarily directed at its SVF business, which in turn better protects consumers and the float.
c. The licensee must meet a minimum on-going paid-up capital requirement of at least HK$25 million.
d. The licensee must implement safeguarding measures to adequately protect the float and to keep it separate from the licensee's other funds.
e. Controllers, directors and chief executives must be fit and proper persons, and those in charge of managing the SVF business must have appropriate knowledge of and experience in providing SVFs and related services.

29 Ibid 24.

The above criteria are consistent with those outlined in the Consultation Paper. Some respondents during the consultation period felt that the local presence requirement did not take into account that some overseas SVF issuers are already subject to sufficient supervision in their home jurisdiction, and that the minimum HK$25 million on-going capital requirement was too high. However, as the government noted in the Consultation Conclusions, the intention behind the new regime is to ensure that the HKMA has the power to exercise day-to-day supervision over issuers, and the HK$25 million threshold is in line with current practice under the BO in respect of multi-purpose device based SVFs. As such, the Bill remains consistent with the Consultation Paper.

Licensed banks

Licensed banks will be deemed to have the necessary licence to carry on an SVF business and will not be required to obtain a separate SVF licence. During the consultation period, some respondents were of the view that this would unfairly give banks a competitive advantage, and that banks should be required to obtain an SVF licence in order to maintain consistency and a level playing field. This was rejected in the Consultation Conclusions, and the original proposal under the Consultation Paper (reflected in the Bill) has been maintained: licensed banks will be deemed to be licensed to issue SVFs. However, the government agreed that both banks and other SVF licensees should be required to observe the same float safeguarding principles, including having in place float safeguarding measures to be assessed on a case-by-case basis.

RPS designation

If enacted, the Bill will give the HKMA the power to designate certain RPSs that will be subject to its oversight.
An RPS may be designated by the HKMA if it is operated in Hong Kong or processes Hong Kong dollars or any other currency prescribed by the HKMA, and disruption of the business of such an RPS would:
a. Have an adverse impact on Hong Kong's financial stability or on the functioning of Hong Kong as an international financial centre;
b. Have an adverse and material impact on day-to-day commercial activities in Hong Kong; or
c. Adversely affect public confidence in Hong Kong's payment or financial systems.
It is expected that the HKMA will issue supervisory guidelines outlining the designation process after the Bill is enacted.

Offences and HKMA powers

Carrying on a multi-purpose SVF business without a licence will constitute an offence under the Bill, punishable on conviction on indictment by a maximum fine of HK$1,000,000 and 5 years' imprisonment. A summary conviction attracts a maximum fine of HK$100,000 and 6 months' imprisonment. The HKMA will have the power to conduct investigations if it reasonably believes that an offence has been committed under the proposed new regime, and can impose sanctions such as issuing a warning, revoking or suspending a licence, or imposing a penalty of no more than HK$10,000,000 or three times the amount of profit gained or loss avoided by the breach, whichever is higher. The HKMA will also be empowered to gather information, give directions and issue regulations and guidelines to assist in its on-going supervision of SVF licensees and designated RPSs.

Implementation

If passed, the Bill will be implemented in two phases with a 12-month transitional period. Phase 1 will see the provisions concerning the application for and processing of SVF licences, and the designation of RPSs, come into operation.
The provisions that create offences under the Bill will only come into force in Phase 2, one year after the commencement of Phase 1. Existing SVF issuers will be able to continue their SVF business during the initial 12-month period before Phase 2 comes into play. However, SVF issuers should use the transitional period to apply for an SVF licence, as once Phase 2 comes into operation an SVF issuer will commit an offence if it carries on its SVF business without the required licence.

Conclusion

There is currently no indication of when the Bill will be passed. Whilst some respondents to the Consultation Paper raised concerns that the proposed new regime will adversely affect Hong Kong's status as an international financial centre, we believe the new regulations will help foster public confidence. With the growth of public confidence comes the expansion of new, technologically advanced payment methods that can keep Hong Kong apace with other jurisdictions. The regime will also give organisations clarity as to their exact obligations and liability in respect of SVFs and RPSs, and hopefully result in an increased uptake of mobile payments in the city.

Technology – China

Made in China or Made for China: CBRC Guidelines Might Bifurcate the Global IT Supply Industry
By Xiaoyan Zhang, Counsel (New York, USA), Mayer Brown JSM, Hong Kong

The China Banking Regulatory Commission issued far-reaching guidelines (the "CBRC Guidelines") on 26 December 2014, requiring that 75 percent of technology products owned or used by Chinese banks be classified as "secure and controllable" by 2019. The CBRC Guidelines will have a significant impact on the global IT industry, making it more difficult for foreign IT suppliers to conduct business in China.
The CBRC Guidelines broadly cover 68 categories of information technology products, from personal computers to wireless routers, automated teller machines and air conditioners, and impose the following substantive requirements, among others: (1) bank software source code must be recorded with the Technology and Information Department of the CBRC; (2) database software, operating systems and middleware must be registered with the CBRC, and encryption technology must obtain a certification; (3) bank IT suppliers must establish R&D centers in China and build "ports" into their hardware that would allow government officials to manage and monitor data; and (4) the IT supply chain must be "controllable", which could potentially mean that the entire process of IT equipment manufacturing must be restricted to China. It is unclear to what extent the CBRC Guidelines result from national security concerns in response to Edward J. Snowden's disclosure 18 months ago that US spy agencies had planted code in US technology exports to snoop on overseas targets, and to what extent the Guidelines are cover for China's effort to protect its domestic IT industry and maintain its political control. China's web filter has created a world of two internets: a Chinese one and another for the rest of the globe. Similarly, the CBRC Guidelines might bifurcate the global IT supply industry, forcing IT suppliers to create different products exclusively for China: made for China. The decision for foreign suppliers on whether to continue to manufacture for China will be a difficult one. On the one hand, to continue means complying with the CBRC Guidelines, which would require a redesign of software and hardware, potential erosion of intellectual property rights and rights to privacy, and forced partnerships with local suppliers.
On the other hand, China accounts for 43 percent of worldwide tech sector growth, with $465 billion of expected spending in 2015 (according to the research firm IDC), a market too big to ignore. Even though the long-term picture appears clear, Chinese banks cannot immediately replace the foreign suppliers that produce 90 percent of their high-end servers and mainframes. For enterprise hardware, local brands represented only 21.3 percent of revenue share in 2010, although that percentage had doubled by 2014. In addition to this technical constraint, the ambiguity of the CBRC Guidelines is another factor that makes their immediate enforcement appear illusory. For example, the Guidelines do not prescribe the specific procedures to be followed for source code registration and encryption certification. Chinese banks are required by the CBRC Guidelines to submit their plans for change by 15 March 2015. However, most banks are currently submitting statements to the CBRC explaining the costs and burdens associated with implementing the required changes, as well as the difficulty of finding local suppliers capable of meeting their technology, security and global compatibility standards. It is not yet known how the CBRC will respond to these practical challenges.

An even greater concern is whether the "protectionist" kind of policy embodied in the CBRC Guidelines will be rolled out to other sectors such as e-commerce, insurance and automotive. Just over a month before the issuance of the CBRC Guidelines, China's National People's Congress released the Draft Anti-Terrorism Law30 for public comment. Among the 104 proposed articles, Article 15 requires that telecom operators and internet service providers: (1) build "ports" into their designs and submit their encryption schemes for examination (similar to the CBRC porting requirement); and (2) retain all Chinese user data and "relevant equipment" in China.
If this is a trend, foreign companies should perhaps begin to embrace the idea that products that may trigger national security concerns will be either made in China or made for China in the not too distant future.

30 http://www.npc.gov.cn/npc/sjb/2014-11/03/content_1892759.htm (Chinese); and http://chinalawtranslate.com/en/ctldraft/ (English).

Contact Us

Mayer Brown JSM is part of Mayer Brown, a global legal services organisation, advising many of the world's largest companies, including a significant portion of the Fortune 100, FTSE 100, DAX and Hang Seng Index companies and more than half of the world's largest banks. Our legal services include banking and finance; corporate and securities; litigation and dispute resolution; antitrust and competition; employment and benefits; environmental; financial services regulatory and enforcement; government and global trade; intellectual property; real estate; tax; restructuring, bankruptcy and insolvency; and wealth management. Please visit www.mayerbrownjsm.com for comprehensive contact information for all our offices. This publication provides information and comments on legal issues and developments of interest to our clients and friends. The foregoing is intended to provide a general guide to the subject matter and is not intended to provide legal advice or be a substitute for specific advice concerning individual situations. Readers should seek legal advice before taking any action with respect to the matters discussed herein. Please also read the Mayer Brown JSM legal publications Disclaimer. Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices").
The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe-Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated legal practices in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. Mayer Brown Consulting (Singapore) Pte. Ltd and its subsidiary, which are affiliated with Mayer Brown, provide customs and trade advisory and consultancy services, not legal services. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions. © 2015 The Mayer Brown Practices. All rights reserved.

Gabriela Kennedy, Partner, +852 2843 2380, [email protected]
Rosita Li, Partner, +852 2843 4287, [email protected]
Benjamin Choi, Partner, +852 2843 2555, [email protected]
Karen Lee, Associate, +852 2843 4452, [email protected]
Victoria Armstrong, Registered Foreign Lawyer (England and Wales), +852 2843 2579, [email protected]
Xiaoyan Zhang, Counsel (New York, USA), +852 2843 2209, [email protected]
Nicola Kung, Associate, +852 2843 2261, [email protected]