China Customs Recordal System Goes Paperless By Alan Chiu, Partner, Mayer Brown JSM, Beijing
China Customs has had its new online intellectual property protection system (New Recordal System) up and running since 1 March 2014. The New Recordal System, which can be accessed at http://184.108.40.206/, has been developed – based on the existing online recordal system (Old Recordal System) – with a view to achieving better reliability and information accuracy of the trademark, patent and copyright recordal records of the Customs of the People’s Republic of China. Under the New Recordal System, all Customs recordal applications, renewals, cancellations, changes to particulars, changes of agent, etc. can be completed online, making it a true paperless system. In the past, the system was primarily paper-based; for example, for a fresh recordal application, an IPR owner had to complete the recordal application online, print and sign the application form and submit it together with a signed Power of Attorney, the contact person’s ID copy (with his or her signature thereon) and documentary proof of payment of the application fee to the General Administration of Customs (GAC) in Beijing for processing. Paper filings were also required to make changes to the online account details, IPR owner’s particulars or contact information. Hardcopy applications were often piled up on officials’ desks, making it extremely difficult for applicants to check on the status of their applications. Furthermore, it was hardly possible for GAC officials to respond in a timely manner to any telephone or email enquiries due to their heavy workload. With the new system in place, it is expected that the filing logistics will be much simplified and expedited. IPR owners can now easily maintain, modify or update their recordals themselves through the click of a mouse. An automated paperless system should also help reduce risks of human error and delay. The transition from the old to the new system took place between 17 and 28 February 2014, during which time China Customs suspended operation of the Old Recordal System and refused to accept new recordal filings. Existing account holders under the Old Recordal System can continue to use their original login IDs and passwords to access the New Recordal System. If an IPR owner has registered an account through the old system without having completed the paper filing and payment, they will need to register a new account and re-file under the New Recordal System. It is particularly noteworthy that the New Recordal System requires patent owners to submit documentary proof of patent annuities payment to ensure that the relevant patents recorded with Customs remain valid and are duly entitled to Customs protection. For patents recorded prior to 31 January 2013, patent owners are required to submit documentary proof in support of the patents’ validity on or before 31 May 2014; and for patents recorded between 1 February 2013 and 17 February 2014, patent owners must file the necessary proof no later than 31 December 2014. If a patent owner fails to comply with this requirement prior to the prescribed deadline, their existing Customs recordal will be terminated but they will still have a right to restore the said recordal upon provision of the required document(s) within the original recordal validity period. Customs Actions – ChinaI P & T M T Q u a rTe r ly re vIe w 3 mayer brown jsm Trade Marks – China Tips on Protecting Chinese Characters Trade Marks under the New Chinese Trade Mark Law By Benjamin Choi, Partner, Mayer Brown JSM, Hong Kong Valerie Chan, Associate, Mayer Brown JSM, Hong Kong Trade mark squatting has always been a nuisance to brand owners in China. Even when brand owners have adopted rigorous protection and precaution strategies to maintain a seemingly strong registration portfolio, often trade mark squatters may still register or attempt to register Chinese transliterations or Chinese names of foreign brands that are adopted by local consumers or traders in the market. Chinese ChARACteRs tRAde mARks Some Chinese consumers may find brand names in English or other foreign languages such as French or Italian hard to pronounce. Different Chinese transliterations of brand names are then created and used in the market which can become prevalent – to the extent that sometimes they are better recognised than the original foreign names. Before brand owners have even become aware of it, squatters may have already registered the Chinese transliterations of their reputable trade marks. Below are just a few examples of such instances: Brand name Chinese transliteration/translation registered by squatters Burberry 博柏利 Burt’s Bees 伯特小蜜蜂 Gucci 古馳 McQueen 麥昆 Mercedes-Benz 賓士 Nu Skin 如新 Saint Laurent 聖羅蘭 Starbucks 星巴克 Stitch (Disney cartoon character) 史迪仔 Twit ter 推特 Allowing such squatting to occur may prove costly to brand owners. mAndAtoRy tRAnsLAtion oF tRAde mARk APPLiCAnt’s nAme Recently, the Chinese Trade Mark Office has implemented a more stringent approach towards the translation of names of foreign applicants seeking trade mark registrations in China for the first time. A foreign applicant whose name consists of letters or words that cannot be translated or transliterated into Chinese completely (for example, the Korean electronics brand name “LG Electronics Inc.” only translates to “LG 電子株式會社”) cannot be registered. The Chinese Trade Mark Office now insists on a full translation of the name into Chinese, particularly if the applicant does not have any prior trade mark records in China. I P & T M T Q u a rTe r ly re vIe w 4 mayer brown jsm As a foreign applicant needs to record a full translation of its entity’s name in Chinese, brand owners may have to pay more thought at the outset to choosing the right translation or transliteration for their company’s name and their trade marks, and thus pre-empt trade mark squatting. WhAt ABout BRAnds thAt ALReAdy hAve A Chinese nAme? Brands that already have Chinese names registered in China are also facing new challenges as there has been a recent trend for squatters to attempt to snatch their common names or nicknames. For instance, Cheung Kong Holdings Limited (長江實業(集團)有限公司) is often referred to as “長實” by the press and the public. While both the Chinese and the English names for the group have been secured, trade mark squatters have been trying their luck in going for the short form “長實集團”. In these circumstances, brand owners may have insufficient argument to mount successful opposition to such names as they are not the official names appearing in corporate documents, products or advertisements. Under the new Chinese Trade Mark Law, if opposition to a name fails in the first instance, there is no right of review and the mark will proceed to registration. The only recourse available at this point for an aggrieved brand owner would be to pursue a cancellation action. This significantly shortens the window for brand owners to postpone the registration of an undesired mark by way of the opposition and review process, which was available under the old law. So, what should brand owners do? seLeCt And ReGisteR A Chinese ChARACteRs tRAde mARk Adopt and register a fitting Chinese name to: • Help the brand better connect with local consumers directly and instantly; • Promote a uniform brand image for the Greater China region; • Reduce the chance of an unauthorised Chinese transliteration/translation of the brand being created by local consumers – or worse, by infringers; • Avoid inconsistent transliteration/translation in different countries within the Greater China regions; • Better protect the brand name from trade mark squatting. The provisions introduced by the new Chinese Trade Mark Law highlight the urgency of choosing the right Chinese characters trade marks, getting broader registration that would also cover nicknames to pre-empt squatting, and having the Chinese characters mark reviewed and assessed by locals to ensure it does not bear any negative or degrading meaning in Chinese. WAtCh out FoR suBsequent nAme vARiAtions in the mARket Brand owners may adopt different Chinese characters trade marks using different characters to cater for different markets (China, Hong Kong and Taiwan) where different Chinese dialects are used (such as Cantonese and Mandarin). Different pronunciations of names are adopted for different regions to resemble the original brand name in a foreign language. Such variations may potentially dilute the distinctive character of the Chinese characters mark and offer the Trade Marks – ChinaI P & T M T Q u a rTe r ly re vIe w 5 mayer brown jsm opportunity for trade mark squatters to develop other different versions of the Chinese characters mark in China. Below are some examples of how the different transliterations (usually used in Taiwan or Hong Kong) could look dissimilar to the official transliteration in China: original brand name transliteration used in China other Chinese transliteration Burberry 勃貝雷 博柏利 / 巴寶莉 Givenchy 紀梵希 紀旺西 Mercedes-Benz 奔馳 賓士 / 平治 Saint Laurent 聖羅蘭 聖洛朗 To reduce the chances of trade mark squatting, multiple versions of Chinese characters trade marks should be registered. Consistent design and font style amongst the different versions can better preserve the overall distinctiveness of the brand image and show consumers that such multiple versions all belong to the same (and to only one) brand. Conclusion With the new Chinese Trade Mark Law just round the corner, now would be the appropriate time for brand owners to review their existing trade mark protection in China and to seize the opportunity to strengthen their portfolio. Trade Marks – ChinaI P & T M T Q u a rTe r ly re vIe w 6 mayer brown jsm Copyright - Hong Kong Consultation on Treatment of Parody under the Copyright Ordinance – Still Ongoing By Eugene Low, Senior Associate, Mayer Brown JSM, Hong Kong Diana Tsang, Associate, Mayer Brown JSM, Hong Kong The existing Copyright Ordinance of Hong Kong is largely modelled on the Copyright, Designs and Patents Act 1988 of the UK. In order to keep pace with the rapid technological development in the digital environment, the Hong Kong government has been attempting to make various changes to the Copyright Ordinance. In 2006, the Hong Kong government issued a consultation paper, “Copyright Protection in the Digital Environment”. Following extensive consultation, a Bill was introduced in June 2011. Among other proposed changes, the Bill sought to introduce a technology-neutral communication right which would make it an offence for any person to communicate a copyright work to the public without authorisation for the purpose of any trade or business or to such an extent as to affect prejudicially the copyright owner. While parody was not a subject that was expressly addressed during the consultation process or in the Bill, the legislative process was derailed by debates on the treatment of parody when the Bill was tabled before the Legislative Council during the legislative year of 2011-2012. End-user groups voiced their concerns that by criminalising certain acts of communication of copyright works, the Hong Kong government was creating a threat to parody and other user-generated content on the Internet. They claimed that parody is a means to express creativity and usually causes little or no economic harm to the copyright owner. Hence, they proposed a special exemption for parody use of copyright works from the civil and/or criminal liabilities under the Copyright Ordinance. Under the existing Copyright Ordinance, there is no special treatment or exemption for parody. The term “parody” is not defined in the Copyright Ordinance and there has been no case law in Hong Kong which may cast light on the meaning of the term. It is generally considered that “parody” may encompass satire, caricature and pastiche. While the current Copyright Ordinance provides exemptions for certain fair dealing acts that may apply to parody (such as fair dealing with a work for the purpose of criticism or review), there appears to be a misconception that parody does not attract criminal liabilities under the current law – in fact, the unauthorised distribution of infringing copies of a work, regardless of whether such copies amount to parody use, will be an offence so long as the distribution is for the purpose of any trade or business or to such an extent as to affect prejudicially the copyright owner. At the other end of the spectrum, copyright owners are keen on protecting their legitimate interests in the digital environment and are concerned with the potential uncertainties and abuse that any special treatment for parody may bring. ConsuLtAt ion PAPeR on tReAtment oF PARody In light of the concerns about the treatment of parody, the Hong Kong government launched a three-month public consultation on this topic in July 2013. In the Consultation Paper, the government put forward three options to deal with parody in the new Copyright Ordinance:I P & T M T Q u a rTe r ly re vIe w 7 mayer brown jsm Copyright - Hong Kong option 1 Clarifying the existing general provisions on the criminal offences for “prejudicial distribution / communication” This option aims to clarify that parodies commonly disseminated on the Internet would unlikely be caught by the criminal offences. option 2 Introducing a criminal exemption This option would exempt parodies from criminal liabilities unless their distribution causes more than “trivial economic prejudice” to the copyright owner. option 3 Introducing a fair dealing exception This option would exempt parodies from both civil and criminal liabilities so long as they are considered to be “fair dealing”. Despite the fact that the consultation period was extended for one month to November 2013 and over 2,000 submissions were received by the Hong Kong government, none of the three options gained majority support from the public. The only consensus that was apparently achieved was that non-commercial parodies should be afforded some kind of exemption. The Legislative Council Panel on Commerce and Industry (the Panel) further met in December 2013 to discuss the results of the Consultation and the way forward. In particular, the following new proposals were tabled for discussion: i. Introducing a copyright exemption for non-profit-making user-generated content (UGC) or for UGC not used in the course of trade, as put forward by the Copyright and Derivative Works Alliance. ii. Introducing a criminal exemption for parody (without any fair dealing exception), which focuses on whether “the use of the original copyright work is solely for noncommercial purposes and the parody is not a substitute of the original underlying work”, and whether “the use has the potential to cause an unreasonable loss of income to the copyright owner and whether the purpose and character of the unlicensed use is of parody nature”. This proposal was suggested by the Hong Kong Copyright Concern Groups. It is worth bearing in mind though that the Panel would observe the following guiding principles when considering the various proposals: a. A fair balance between protecting the legitimate interests of copyright owners and other public interests, such as reasonable use of copyright works and freedom of expression, should be maintained. b. Any criminal/civil exemption to be introduced must be fully compliant with Hong Kong’s international obligations such as Article 61 of the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS Agreement) and the “three-step test” requirement under Article 13 of TRIPS Agreement. c. Any proposed amendment to the Copyright Ordinance must be sufficiently clear and certain so as to afford a reasonable degree of legal certainty – this means that, for instance, the definitions of key concepts such as “parody” or “UGC” must be sufficiently clear. The Panel recently issued a discussion paper to facilitate a further round of discussion scheduled for March 2014. The discussion paper has set out the principal direction for moving this agenda forward: I P & T M T Q u a rTe r ly re vIe w 8 mayer brown jsm Copyright - Hong Kong i. Through a detailed analysis of the various types of work commonly found on the Internet nowadays, the Panel would seek to particularise a specific scope that warrants special treatment, for example, altered pictures/videos/posters and mash-ups. However, the Panel pointed out that such works, if they are created in response to current events, could have been already covered by the existing fair dealing exception for reporting current events. On the other hand, for altered pictures/videos/posters created for other purposes, the works are generally playful and parodic in tone and would unlikely be a substitute for the original works. The Panel did not conclude on a suitable scope for special treatment in the discussion paper. ii. Subject to identifying a possible scope to be particularised for special treatment, the Panel proposed to invite the court to undertake a fairness assessment to determine whether an act in question may conflict with a normal exploitation of the original copyright work and unreasonably prejudice the legitimate interests of the copyright owner. To this end, the Panel has suggested a non-exhaustive list of relevant factors for the court to consider: a. The purpose and nature of the dealing, including whether the dealing is non-profitmaking or belongs to a commercial nature; b. The nature of the work; c. The amount and substantiality of the portion dealt with in relation to the work as a whole; and d. The effect of the dealing on the potential market for or value of the work. iii. The Panel considered Option 1 (as explained above) to be useful in addressing users’ concerns about criminal liability as it would clarify the threshold for criminal enforcement for all subject matters without confining to a particular type of use. Having considered the public’s concerns regarding Option 1, the Panel proposed to consider possible refinement to Option 1, such as laying emphasis on whether the infringement would amount to a substitution for the original copyright work for the court to assess possible criminal liability. The Panel pointed out that, with a refined Option 1 that would apply to all types of uses or purposes, a narrow criminal exemption for a certain genre would be superfluous. iv. The Panel had reservations in giving special treatment to UGC for two reasons. First, UGC is a wide and vague concept which cannot be clearly defined to satisfy the “threestep test” requirement under TRIPS Agreement. Second, the Panel considered that with a refined Option 1, UGC – which normally does not amount to a substitute for the original copyright work – would unlikely be caught by the criminal net. v. Lastly, the Panel pointed out that the proposed introduction of safe harbour provisions to limit online service providers’ liability for copyright infringement on service platforms caused by subscribers would provide an efficient and effective mechanism for rights owners to deal with trivial infringement cases. With such a mechanism in place, rights owners would be unlikely to initiate civil proceedings in cases of trivial infringement. In the meantime, concerned groups have intensified their lobbying in Hong Kong urging the government to re-introduce the Copyright Bill without delay. I P & T M T Q u a rTe r ly re vIe w 9 mayer brown jsm Data Privacy - Hong Kong Moving from Compliance to Accountability – the Privacy Commissioner of Hong Kong Issues Best Practice Guide on Privacy Management Programme By Gabriela Kennedy, Partner, Mayer Brown JSM, Hong Kong Eugene Low, Senior Associate, Mayer Brown JSM, Hong Kong “Accountability” has been an emerging trend both in data privacy laws around the world and in corporate practices of many global companies. Jurisdictions such as Canada and the European Union have introduced or are actively considering introducing accountability frameworks to encourage data users to implement data privacy protection as part of their corporate governance. Data privacy is no longer merely a matter of legal compliance. It is against this international background that the Privacy Commissioner of Hong Kong published on 18 February 2014 Privacy Management Programme: A Best Practice Guide (the Best Practice Guide). The Best Practice Guide aims to encourage businesses to embrace personal data protection as part of their corporate governance responsibilities, as regulatory experience has shown time and again that data privacy cannot be managed effectively if it is treated merely as a legal compliance issue. A more pro-active approach is needed to meet the challenges of technological expansion and the rising public expectation for privacy protection. This article provides an overview of the “Privacy Management Programme” (PMP) and the context in which it was introduced. By introducing PMP, the Privacy Commissioner is clearly trying to shift the focus from enforcement (which remains important) to self-compliance and respect for data privacy. The Best Practice Guide underscores the point that it is high time for businesses to prepare for this changing culture and review (and overhaul if necessary) their personal data governance framework. BACkGRound to the intRoduCtion oF PmP According to the Privacy Commissioner’s reports to the Legislative Council in January 2013 and January 2014, PMP was considered by the Privacy Commissioner to be an interim substitute for the Data User Returns Scheme (DURS), the implementation of which has been postponed despite the fact that the legislative provisions had been in place since the enactment of the Personal Data (Privacy) Ordinance in 1996. In July 2011, the Privacy Commissioner issued a consultation document setting out the proposed implementation of DURS. DURS aimed to enhance the protection of personal data by requiring corporate data users to submit an annual return detailing the personal data they control and the purposes of collection and processing of such data. DURS would have introduced criminal liabilities for submitting false or misleading information in a data user return and for failure to submit a data user return or for late submission. Under the proposed mechanism, the Privacy Commissioner would have maintained a database of data user returns which would have been open for public inspection. The Privacy Commissioner initially intended to roll out DURS phase by phase, targeting in this order the public service sector, the banking, telecommunications and insurance industries, and organisations with a large database of members. According to the reports to the Legislative Council made by the Privacy Commissioner, DURS was met with much scepticism by data users during the consultation exercise. The Privacy Commissioner also noted that the European Union’s data privacy regime, upon which the Hong Kong legislation was based, was undergoing reforms. In the absence of general support from I P & T M T Q u a rTe r ly re vIe w 10 mayer brown jsm Data Privacy - Hong Kong the relevant data users, the Privacy Commissioner decided to put on hold the implementation of DURS. It is against this background that the Privacy Commissioner introduced PMP in order to meet the increasing public expectation for protection of personal data amongst the data users targeted by DURS. PmP At A GLAnCe PMP is a voluntary programme that helps corporate data users to develop and implement personal data protection frameworks as part of their corporate governance responsibilities. PMP is neither a statutory requirement nor a formal code of practice or guidance note issued under the Personal Data (Privacy) Ordinance. While there will be no specific legal liability or any adverse inference made against a corporate data user solely for the reason that it has not adopted a PMP, the implementation of a PMP and compliance with it would reduce the risk of violating the law and would be viewed favourably by the Privacy Commissioner, and the court in the event of complaints to the Privacy Commissioner or legal proceedings under the Personal Data (Privacy) Ordinance. The spirit of PMP is that personal data protection cannot be simply seen as a matter of legal compliance. Rather, it should be part and parcel of every corporate data user’s corporate governance responsibilities, covering business practices, operational processes, product and service design, physical and technical infrastructure, etc. the Best PRACtiCe Guide The Best Practice Guide is divided into two parts dealing with: (i) the fundamental components of PMP, and (ii) maintenance of PMP. The fundamental components consist of: • Organisational commitment Organisations should develop a governance structure that fosters a privacy-respectful culture. Top management support is a key component. In addition, organisations should appoint designated data protection officer(s) to oversee and manage personal data matters. These data protection officers will play a pivotal role in PMP by structuring and managing matters like developing policies, auditing, training, etc. • Programme controls Organisations should keep an inventory of personal data with details of the kinds of personal data they hold and how they collect or use such data. Documenting these items is important and can help the data user in many areas, e.g. identifying whether or not any data has been transferred to an external data processor. Organisations should also formulate personal data policies and educate employees periodically. Privacy risk assessments should also be carried out to evaluate the potential impact on privacy whenever new projects are rolled out. In addition, corporate data users should develop clear policies on matters like data breach handling and data processor engagement. These principles echo some of the tightened statutory requirements under the Personal Data (Privacy) Ordinance as amended in 2012, for instance, under the Data Protection Principles (2) and (4), data users are obligated to adopt contractual or other means to ensure compliance by external data processors of data retention and security requirements.I P & T M T Q u a rTe r ly re vIe w 11 mayer brown jsm Data Privacy - Hong Kong The second part of the Best Practice Guide offers guidance on how corporate data users should maintain PMP on an ongoing basis. Organisations are advised to develop an “Oversight and Review Plan” that sets out how and when the effectiveness of PMP will be monitored and reviewed. Organisations should also monitor and periodically audit the various programme controls, e.g. by responding to the latest technological threats and risks. For high-risk areas, organisations should consider periodic internal or external audits. Smaller organisations should also at least compile checklists that will be reviewed on a regular basis. oRGAnisAtions PLedGinG to PmP so FAR On 18 February 2014, the Privacy Commissioner announced that the Hong Kong government (including all bureaux and departments), together with 25 companies from the insurance sector, nine companies from the telecommunications sector and five organisations from other sectors, has pledged to implement PMP. The PMP initiative is also supported by several major industry associations, namely, the Hong Kong Federation of Insurers, the Communications Association of Hong Kong, and the Hong Kong Association of Banks. I P & T M T Q u a rTe r ly re vIe w 12 mayer brown jsm Data Privacy - Hong Kong A Recap of Year 2013 by the Privacy Commissioner of Hong Kong and Strategic Focus for Year 2014 By Gabriela Kennedy, Partner, Mayer Brown JSM, Hong Kong Eugene Low, Senior Associate, Mayer Brown JSM, Hong Kong 2013 proved to be a significant milestone year in the development of data privacy in Hong Kong. One of the most important changes was the commencement of new statutory provisions regulating direct marketing on 1 April 2013. 2013 was also significant because of the record high number of enquiries and complaints received by the Privacy Commissioner of Hong Kong. This increase reflects the public’s growing concern for data privacy and underscores the belief held by the Privacy Commissioner that all organisations need to treat this subject seriously. This article provides a summary of the Privacy Commissioner’s Annual Report for 2012/2013 and his report to the Legislative Council on work carried out by his office in 2013, and concludes with the strategic focus of the Privacy Commissioner for 2014. ReCoRd - h iGh numBeR oF enqu iRies And ComPL Aints In 2013, the Privacy Commissioner received a total of 24,161 enquiries and 1,792 complaints, a record high in both categories since the commencement of the Personal Data (Privacy) Ordinance (the Ordinance) in 1996. Interestingly, over half of the enquiries related to the new provisions in the Ordinance which tightened the requirements for use of personal data for direct marketing. A massive spike in enquires occurred in April and May 2013 right after the new direct marketing provisions came into force on 1 April 2013. neW stAtutoRy PRov is ions on d iReCt mARket inG The introduction of the new statutory provisions on direct marketing in April 2013 was one of the most important changes to the data privacy regime in Hong Kong since the enactment of the Ordinance. In essence, the new provisions tighten control over the use of personal data in direct marketing by requiring data users to clearly explain the scope of their intended direct marketing use and obtain explicit consent (as opposed to implicit consent obtained by silence or non-response) from data subjects before they can use or transfer the personal data for direct marketing activities. Under the new regime, data subjects are also entitled to opt out of or withdraw their consent for further direct marketing use of their personal data at any time. Failure to comply with these new requirements constitutes a criminal offence punishable by a maximum fine of HK$500,000 and imprisonment for up to three years; if the data is transferred for gain to a third party for use in direct marketing, non-compliance with the new requirements may result in a maximum fine of HK$1 million and five years’ imprisonment. A transitional “grandfathering” arrangement was introduced to exempt the use of personal data collected prior to 1 April 2013 from these new requirements provided that certain conditions had been met, such as that the data users had collected and used such personal data for the same direct marketing purposes before 1 April 2013. Since the new provisions came into force in April 2013, 14 cases had been referred to the police in 2013 for potential prosecution for suspected contraventions of the new direct marketing requirements. I P & T M T Q u a rTe r ly re vIe w 13 mayer brown jsm Data Privacy - Hong Kong LeGAL AssistAnCe FoR CiviL CLAims Another important amendment to the Ordinance which came into force on 1 April 2013 was the introduction of the “Legal Assistance Scheme”. The Scheme aims to provide legal assistance to aggrieved individuals to lodge civil proceedings against data users who are in breach of the Ordinance so as to seek compensation from the data user for damage, including injury to feelings. The legal assistance may take the form of legal advice, mediation and legal representation in court. The Scheme is administered by the Privacy Commissioner. In 2013, the Privacy Commissioner received 16 applications for legal assistance under the Scheme and granted assistance to one applicant. inCReAs inG enFoRCement eFFoRts 32 warnings and 25 enforcement notices were issued in 2013 – more than double the number of enforcement notices (11) issued in 2012. This increase is a direct result of the enhanced power of the Privacy Commissioner to issue enforcement notices pursuant to the amendments to the Ordinance in 2012. The Privacy Commissioner also conducted more compliance checks and self-initiated investigations in 2013. In particular, the Privacy Commissioner focused its efforts on promoting data privacy compliance in the field of information and communications technologies (ICT). The Privacy Commissioner conducted a survey of smartphone applications developed by Hong Kong entities which revealed that their privacy policies were generally inadequate. The Privacy Commissioner advised smartphone application developers to make improvement on data privacy compliance (an Information Leaflet was issued by the Privacy Commissioner in November 2012 to highlight the privacy implications that mobile applications developers and operators should consider in connection with designing and developing mobile applications). In 2013, the Privacy Commissioner also received reports of over 60 data breach incidents affecting 90,000 individuals. These incidents were either made known to the Privacy Commissioner through voluntary notifications from the data users or through reports from the media and the general public. stRAteGiC FoCus FoR yeAR 2014 The Privacy Commissioner has made clear that his strategic focus for 2014 will be on: a. The privacy issues associated with the increased use of ICTs and mobile applications; b. Promoting the adoption of privacy management programmes for organisations to embrace data privacy protection as part of their corporate governance; and c. Assisting the government in reviewing the regulatory issues concerning cross-border flows of personal data. The Privacy Commissioner has taken active steps to pursue each of these objectives. In August 2013, the Privacy Commissioner published an investigation report on a smartphone application called “Do No Evil” (which compiled individuals’ litigation and bankruptcy data from public sources and allowed users to make searches against targeted individuals), finding that the application seriously invaded data privacy. An enforcement notice was issued against the developer. I P & T M T Q u a rTe r ly re vIe w 14 mayer brown jsm Data Privacy - Hong Kong Recognising the shift from compliance to accountability, the Privacy Commissioner published Privacy Management Programme: A Best Practice Guide on 18 February 2014. The aim of this guide is to encourage businesses to pro-actively embrace personal data protection as part of their corporate governance responsibilities rather than merely look at it as a legal compliance issue. As of 18 February 2014, the Hong Kong government (including all bureaux and departments), together with 25 companies from the insurance sector, nine companies from the telecommunications sector and five organisations from other sectors, has pledged to implement the Best Practice Guide. In relation to the regulation of cross-border flows of personal data, the Privacy Commissioner recognised that Section 33 of the Ordinance provides a very comprehensive framework regulating the transfer of personal data outside Hong Kong. The current framework set out in Section 33 prohibits all transfers of personal data to a place outside Hong Kong except in specified circumstances, namely, the place has been specified by the Privacy Commissioner as one which has in force a data protection law which is substantially similar to, or serves the same purpose as, the Ordinance, and that the data user has taken all reasonable precautions and exercised all due diligence to ensure that the data will not, in that place, be handled in a manner tantamount to a contravention of a requirement under the Ordinance. However, Section 33 has not been brought into force since the enactment of the Ordinance in 1995 and the government has no timetable for its implementation. The Privacy Commissioner completed in 2013 a survey of 50 jurisdictions and provided the government with a white list of places which have in force a data protection law which is substantially similar to, or serves the same purpose as the Ordinance. The Privacy Commissioner commented that global data flows are prevalent and integral to many businesses today, and it is very important for the government to bring into force Section 33 as soon as possible to preserve and enhance Hong Kong’s status as an international financial centre and data hub. Conclusion 2014 looks to be a busy year again for the Privacy Commissioner. Enforcement of the Ordinance is likely to continue apace and while the plan to bring into force the Data User Return has been shelved for now, the Privacy Commissioner is keen to promote the Privacy Management Programme and will likely take steps to bring into force Section 33 of the Ordinance. I P & T M T Q u a rTe r ly re vIe w 15 mayer brown jsm Electronic Payments - Hong Kong The Bitcoins Saga: The View from Hong Kong By Gabriela Kennedy, Partner, Mayer Brown JSM, Hong Kong Karen Lee, Associate, Mayer Brown JSM, Hong Kong The digital currency known as “bitcoins” has been growing more popular with the general public, which has, not surprisingly, raised concerns with legal authorities across the globe. WhAt ARe BitCoins And the Risks Posed By them? Bitcoins are a digital currency that can be used to purchase goods (whether virtually or in the real world). However, they are not backed by any central bank or government and have no fixed exchange rate. Bitcoins were introduced in 2009, but only began to take off as a more mainstream payment alternative in early 2013. Bitcoins have been gathering increased attention and concern from regulators worldwide, especially in respect of the security risks or weaknesses that make the bitcoin vulnerable to hackers or cyber attacks; anti-money laundering issues that arise due to the anonymous nature of bitcoin exchanges (i.e. a KYC check or validation of a user’s identity is not typically required); and the potential for fraud and unscrupulous companies setting up fake bitcoin trading platforms. For example, in October 2013, GBL, the bitcoin trading platform aimed at users in China, shutdown and the owners absconded with the users’ and investors’ money. The China authorities later arrested three individuals in connection with the case. We may start to see a decrease in the growing popularity of bitcoins, in light of such cases as the GBL case, and after the bankruptcy of (and the cybersecurity issues that led to the bankruptcy of) Japan based MtGox, which was one of the largest bitcoin exchange companies. Certain weaknesses in MtGox’s system resulted in hundreds of thousands of bitcoins being stolen. An investigation into the situation has been launched by the Japanese authorities. Flexcoin bank, based in Canada, has also announced that it is closing its operations due to a cybersecurity attack that resulted in the theft of bitcoins. This was a further blow that has shaken users’ trust in bitcoins. The situation of GBL, MtGox and Flexcoin highlights the risks involved with bitcoins, which may put a damper on any growing mainstream acceptance of bitcoins by the public. WhAt is the CuRRent Position oF the honG konG LeGAL AuthoRities? The first bitcoin retail store in Hong Kong recently opened at the end of February 2014. The bitcoin-teller manufacturer, Robocoin, also intends to launch the first bitcoin ATM machine in Hong Kong in 2014. At the moment, bitcoins are still not widely accepted in Hong Kong as an alternative form of payment. As such, bitcoins are not presently regulated in Hong Kong, but this situation could change if bitcoins become more widely used locally. The Hong Kong Monetary Authority has stated that bitcoins are not considered by it as a means of payment or an electronic currency, but more as a virtual commodity. However, the Hong Kong Secretary for Financial Services and the Treasury has warned the public to “exercise extra caution, given the highly speculative nature of bitcoins. Consideration must be given to the risk factors such as the price volatility and the lack of backing by any physical items, issues or the real economy to avoid losses from the use of or investment in bitcoins.” 1 I P & T M T Q u a rTe r ly re vIe w 16 mayer brown jsm Electronic Payments - Hong Kong Most other countries also do not have specific regulations dealing with bitcoins, but are in the process of determining whether any are required. The European Banking Authority, for example, will soon set up a task force to review whether or not bitcoins should be regulated. However, some other countries, such as Russia and China, have already issued restrictions on the use of bitcoins, and Thailand has indicated that bitcoins currency exchange transactions will, for now, be treated as illegal. Either way, one thing is clear, users should be extremely cautious and should make sure that they are aware of all risks before investing in or using bitcoins.