IP & TMT Quarterly Review
Intellectual Property – China and Hong Kong

Online Platform Liability for IP Infringement – A Tale of Two Platforms

By Amita Haylock, Partner, Mayer Brown, Hong Kong
Grace Wong, Associate, Mayer Brown, Hong Kong

Introduction

With the rise of e-commerce and online trading, online platforms are increasingly exposed to claims of intellectual property (“IP”) infringement. Their visibility and deep pockets often make them a more worthy target as compared to individual users of platforms, whose obscure identities and business scale seldom justify protracted legal proceedings.

This article examines two recent cases where IP infringement claims were brought against online platforms. These two decisions reflect the contrasting views of the Hangzhou Internet Court (“Chinese Court”) and the Hong Kong Court of First Instance (“CFI”) towards an online platform’s level of care and contributory liability for IP infringement.

In the landmark decision of Shenzhen Qice Diechu Cultural Creativity Co., Ltd. v Hangzhou Yuanyuzhou Technology Co., Ltd., the Chinese Court held in April 2022 that Chinese NFT platform operator Bigverse was liable for copyright infringement for allowing a seller to mint a non-fungible token (“NFT”)[1] from artwork stolen from the plaintiff, Shenzhen Qice Diechu Cultural Creativity Co., Ltd. (“Qice”).[2]

In Mary Kay Inc and Others v Zhejiang Tmall Network Co, Ltd and Others, the CFI held that there was no triable issue on whether the Tmall and Taobao entities were jointly liable as online platform operators for alleged trade mark infringement and passing off committed by individual sellers on the platforms.[3] The plaintiffs’ applications for leave to appeal against the CFI’s decision were dismissed by the CFI in July 2021 and recently by the Court of Appeal in March 2022.[4]

[1] In China, the term “digital collectibles” is used instead of “NFT” to minimize association with cryptocurrency trading and mining, which are banned in China.
[2] No.1008 [2022], First, Civil Decision, 0192 Zhejiang, Hangzhou Internet Court
[3] Mary Kay Inc. and Others v. Zhejiang Tmall Network Co., Ltd and Others (20/05/2021, HCA2406/2017) [2021] HKCFI 1403
[4] Mary Kay Inc. and Others v. Zhejiang Tmall Network Co, Ltd and Others (15/07/2021, HCA2406/2017) [2021] HKCFI 2153; Mary Kay Inc. and Others v. Zhejiang Tmall Network Co, Ltd and Others (15/03/2022, CAMP301/2021) [2022] HKCA 360

The Qice decision

This decision is the first public ruling on NFT-related lawsuits in China. The Chinese Court held that, as the operator of a platform focusing on NFT transactions, Bigverse failed to check whether the seller who minted an NFT featuring a chubby tiger was the rightful owner of the underlying artwork; the seller had instead stolen the identical artwork from Qice. The Chinese Court held that Bigverse contributorily infringed Qice’s right of dissemination through information networks.[5] Bigverse was ordered to destroy the infringing NFT by sending it to an inaccessible address. In terms of monetary compensation, Bigverse was ordered to pay RMB 4,000 (approx. USD 600) for Qice’s economic loss and reasonable expenses of evidence collection and legal fees.[6]

[5] Article 10(12), Copyright Law of the People’s Republic of China
[6] Article 54, Copyright Law of the People’s Republic of China

Key takeaways from the Qice decision concerning online platform liability are as follows.

NATURE OF THE PLATFORM

The Chinese Court held that Bigverse specialized in providing NFT trading services while its registered users created the NFTs. Given its trading model and service content, the Chinese Court defined Bigverse as an internet service provider (“ISP”) rather than an internet content provider. The Chinese Court noted that Bigverse was different from an ordinary ISP, which provided automatic access or transmission services, information storage space, searching or linking services.[7] In determining the obligations of Bigverse, it was necessary to take into account all circumstances, such as special features of the NFT trading model, technical characteristics of NFTs, and the degree of control Bigverse exercised over the platform.

[7] Articles 20 to 23, Regulation on the Protection of the Right to Communicate Works to the Public over Information Networks

NOT AN ORDINARY ISP

Generally, an ISP is protected by the safe harbour rule and is not obliged to actively review and take down infringing content unless and until it is put on notice of the potential infringement.[8] However, the Chinese Court noted the following features of Bigverse and held that its obligations exceed those of an ordinary ISP:-

1. An NFT platform should be well aware that only the copyright owner or licensee of the underlying work is allowed to mint an NFT of that work.
2. Given that the use of blockchain and smart contracts in NFT transactions is meant to enhance the safety and certainty of the transactions, any defect in the title of an NFT and its underlying works will undermine the intended safety and certainty and affect the rights of the copyright owner.
3. All data generated in NFT transactions are stored on the Bigverse platform, with Bigverse controlling the entire minting and transaction process.
4. Bigverse was not confronted by a massive amount of content to review, so it had a higher degree of control over the content.
5. Bigverse profited directly from the minting of NFTs on its platform, and received a commission for every transaction.[9]

[8] Article 1195, Civil Code of the People’s Republic of China; Article 23, Regulation on the Protection of the Right to Communicate Works to the Public over Information Networks.

The above factors led the Chinese Court to hold Bigverse to a higher level of care than ordinary ISPs. As a result, in addition to an ISP’s general notice-take-down obligation, the Chinese Court noted that Bigverse should also implement an effective IP review mechanism for the NFTs listed by, for example, examining the manuscript or copyright registration certificate of the underlying works and requiring sellers to guarantee their copyright ownership or licence. The review should rule out any evidence that obviously does not support copyright ownership or licence, and should lead an ordinary reasonable person to believe in a “general possibility” that such rights existed.

CONCLUSION

Under the Civil Code of the People’s Republic of China, an ISP is jointly and severally liable with a user if the ISP knows, or should have known, that the user is infringing on the civil rights or interest of another person through the ISP’s services and the ISP fails to take necessary measures, such as deleting, blocking or disconnecting the infringing content.[10] The Chinese Court found that Bigverse did not conduct any vetting before an NFT was uploaded. After an NFT was uploaded, Bigverse only conducted copyright registration searches for conflicting rights; since copyright registration is not mandatory in China, the scope of vetting was clearly very limited. Further, the Chinese Court considered the underlying artwork in question to be obviously infringing, since it bore the original artist’s Weibo watermark. Regrettably, Bigverse neither queried the seller about the watermark nor contacted the artist about the suspicious work.
The Chinese Court concluded that Bigverse failed to discharge its vetting obligations and to cease the infringement in a timely manner when it ought to have known of the infringement. Bigverse was therefore liable for contributory infringement of Qice’s copyright.

[9] Article 11, Provisions of the Supreme People’s Court on Several Issues concerning the Application of Law in Hearing Civil Dispute Cases Involving Infringement of the Right of Dissemination on Information Networks
[10] Article 1197, Civil Code of the People’s Republic of China

The Mary Kay decision

BACKGROUND

The plaintiffs are a US cosmetics group, Mary Kay Inc. (“Mary Kay”), engaged in the production and marketing of skin care and cosmetic products through the “direct-selling” or “network-marketing” model, whereby authorized direct sales representatives market Mary Kay products to individuals who then enroll themselves as representatives to enjoy a larger discount for the products.

Mary Kay sued two Mainland China companies (“Individual Sellers”) that were found selling genuine but unauthorized Mary Kay products on Tmall outside of the “direct-selling” model for trade mark infringement and passing-off. In addition, Mary Kay also sued three Tmall and Taobao entities (collectively, “Alibaba”) as joint tortfeasors with the Individual Sellers.

NO JOINT TORTFEASANCE

The decision at first instance concerned Alibaba’s applications to set aside an order granting leave to serve the writ out of jurisdiction and to oppose Mary Kay’s default judgment applications against the Individual Sellers.

In the setting-aside application, the CFI found no serious issue to be tried in respect of Mary Kay’s claims against the Individual Sellers for trade mark infringement. The removal of product lot codes on the product packaging did not preclude the Individual Sellers from being entitled to rely on the exhaustion of rights defence.
There was also no serious issue to be tried in respect of passing-off since there was no misrepresentation made by the Individual Sellers. It followed that Alibaba could not be liable as joint tortfeasors.

Nevertheless, the CFI proceeded to rule on Alibaba’s secondary contention that, even if there were serious issues to be tried against the Individual Sellers, Alibaba was not liable because it was only providing the service of neutral online platform operators.

Agreeing with Alibaba that the present case shared many similarities with L’Oreal SA v eBay International AG,[11] the CFI held that the joint tortfeasance claim could not possibly succeed:-

1. A joint tortfeasor must have procured the infringement, whether by inducement, incitement or persuasion. There was no evidence of authorization or procurement by Alibaba of any alleged infringing acts of the Individual Sellers. Mere provision of online platforms to the Individual Sellers was not sufficient.
2. It must also be proved that the joint tortfeasor had acted in a way which furthered the commission of a tort by another person (in this case, IP infringement) in pursuance of a common design. Mary Kay failed to identify the alleged common design between Alibaba and the Individual Sellers, let alone adduce evidence of such design.
3. Alibaba was not under a legal duty or obligation to prevent IP infringement. There was nothing in Alibaba’s platform policy which could be said to favour or encourage infringement. In fact, Alibaba had taken active steps to require sellers to submit documents to show that the products to be sold are genuine. It also had a notice-takedown procedure to deal with complaints from brand owners. The fact that Alibaba may have benefited from the Individual Sellers’ acts did not make it liable.
It is worth noting that, in addition to platform liability, the Mary Kay case also examines at length various issues of the exhaustion of rights defence to trade mark infringement, jurisdiction and the problem of forum shopping, as well as material non-disclosure in Mary Kay’s application for service out of jurisdiction.

[11] L’Oreal SA v eBay International AG [2009] RPC 21

Hong Kong Copyright (Amendment) Bill 2022

The Copyright (Amendment) Bill 2022 (“2022 Bill”) was published on 27 May 2022 and is currently under consideration by the Bills Committee, after which the Legislative Council will debate and vote on it.

The 2022 Bill proposes to introduce safe harbor provisions to limit the liability of online service providers[12] for copyright infringement caused by users on their platforms, on condition that the service provider:[13]

1. Took reasonable steps to limit or stop the infringement as soon as practicable after receiving a notice of alleged infringement, becoming aware that the infringement has occurred, or becoming aware of the facts or circumstances that would lead inevitably to the conclusion that infringement had occurred;
2. Did not receive, and is not receiving, any financial benefit directly attributable to the infringement;[14]
3. Accommodated and did not interfere with the standard technical measures that are used by copyright owners to identify or protect their copyright works; and
4. Designated an agent to receive notices of alleged infringements and supplied the agent’s name and contact details on its service.

To the relief of service providers, the 2022 Bill also confirms that they are not required to monitor their services or actively seek facts that indicate infringing activity, except to the extent consistent with standard technical measures of copyright owners.[15]

[12] A “service provider” is defined as a person who, by means of electronic equipment or a network, or both, provides, or operates facilities for, any online services (Proposed Section 65A(2) under Clause 47 of the 2022 Bill; proposed Section 88A under Clause 56 of the 2022 Bill)
[13] Proposed Section 88B under Clause 56 of the 2022 Bill
[14] In determining whether a service provider is receiving a financial benefit, the court may take into account all circumstances of the case, in particular, the industry practice among other service providers that are providing a similar service to which the infringement relates, and whether the fee for the online service is for, and the value of the online service lies in, providing access to the infringing material. However, such financial benefits exclude one-off set up fees and flat periodic payments that are charged on a non-discriminatory basis. (Proposed Section 88A under Clause 56 of the 2022 Bill)
[15] Proposed Section 88B(5) under Clause 56 of the 2022 Bill

Conclusion

The Qice decision signals the Chinese Court’s desire to cultivate a legal landscape that is favorable to IP rights holders as well as the development of the NFT industry. This aligns with the buzzing NFT market in China, and China’s initiative to become a “powerful IP nation” by enhancing the standards of IP creation, application, protection, management and services.[16]

In contrast, the Mary Kay decision reflects a relatively pro-platform approach and confirms that such platforms are not under a legal duty to prevent infringement.
This approach is codified in the safe harbor provisions in the 2022 Bill, which, given the broad definition of “service providers”, would appear to apply equally to traditional e-commerce platforms, such as eBay and Alibaba, as well as NFT platforms.

Brand owners and NFT platforms should pay attention to the judicial and legislative developments in this space and adjust their infringement monitoring and enforcement policies accordingly.

The authors would like to thank Roslie Liu, Intellectual Property Officer at Mayer Brown, for her assistance with this article.

[16] Guidelines for Building a Powerful Intellectual Property Nation (2021-2035) issued by the State Council of the People’s Republic of China dated 22 September 2021

Combatting Trade Mark Squatting in China: Guidelines for Trade Mark Examination and Review

By Michelle G.W. Yee, Counsel, Mayer Brown, Hong Kong

Introduction

In recent years, the Chinese government has implemented various measures to crack down on bad faith trade mark filings, including amending the Trade Mark Law in 2019 to empower the China National Intellectual Property Administration (“CNIPA”) to reject applications on the basis of bad faith without intent to use during substantive examination.

In light of the 2019 amendment of the Trade Mark Law and other recent developments, the CNIPA has issued updated Guidelines for Trade Mark Examination and Review (“Guidelines”)[17] to clarify the CNIPA’s examination approach under the current law. These updated Guidelines came into effect on 1 January 2022.

[17] Original text can be found here: 《商标审查审理指南》

“Bad faith” under the 2019 amended Trade Mark Law

Prior to the 2019 amendment of the Trade Mark Law, the CNIPA could only consider bad faith arguments during opposition or invalidation proceedings, which placed the onus on brand owners to actively oppose or invalidate bad faith filings.
This was the case even after the CNIPA had established an unofficial blacklist for trade mark squatters with a history of filing large numbers of copycat marks – the CNIPA did not have the power to automatically reject applications filed by blacklisted applicants during substantive examination, and could only do so if the marks were challenged by brand owners through opposition or invalidation proceedings.

Article 4 of the amended Trade Mark Law introduced “filed in bad faith without intent to use” as a basis to reject applications during substantive examination (this ground can also be pleaded in opposition or invalidation proceedings). The framing of a bad faith filing as an application filed “without intent to use” raised concerns amongst practitioners and brand owners, who worried that applications filed by legitimate businesses for defensive purposes might be caught by Article 4. It was also unclear what criteria would be used to determine whether an application should be rejected as being filed in bad faith without intent to use.

In the updated Guidelines, the CNIPA has clarified its interpretation of “without intent to use” and elaborated on the factors to be considered when assessing whether an application should be rejected pursuant to Article 4. The Guidelines set out 10 situations in which applications would be considered to be “filed in bad faith without intent to use” under Article 4 unless the applicant provides evidence to the contrary:

1. the applicant files a large number of trade mark applications that clearly exceeds the applicant’s business needs without a genuine intention to use;
2. the applicant copies, imitates or replicates a large number of trade marks that have attained a certain level of reputation or distinctiveness of multiple brand owners;
3. the applicant repeatedly applies to register a particular brand owner’s well-known or distinctive trade mark;
4. the applicant applies to register a large number of trade marks that are identical or similar to the trade names, abbreviations of trade names, e-commerce names, domain names, product names that are influential to a certain degree, packaging, decorations, advertising slogans that have become well known and distinctive, and designs;
5. the applicant applies to register a large number of trade marks that are identical or similar to the names of famous persons, literary works or characters, well-known and distinctive works of art, or other similar public cultural resources;
6. the applicant applies to register a large number of trade marks that are identical or similar to the names of administrative divisions, mountains or rivers, tourist attractions or buildings;
7. the applicant applies to register a large number of trade marks that are identical or similar to generic terms, industry technical terms, terms that directly refer to the quality, raw materials, function, weight, quantity of the designated goods or services that lack distinctiveness;
8. the applicant applies to register a large number of trade marks and assigns them to multiple entities;
9. with the intention of obtaining improper benefits, the applicant sells a large number of trade marks, imposes collaboration arrangements with earlier users or other parties, or demands the payment of exorbitant transfer fees, licence fees or damages for infringement from other parties; and
10. any other situation that can be regarded as bad faith filing behaviour.

When assessing whether applications are filed in bad faith without intent to use, the CNIPA will consider not only the filing behaviour of the applicant, but also the filing behaviour of the applicant’s related parties.

The Guidelines also specifically set out two types of filing behaviour that would not fall foul of Article 4:

1. applications filed for defensive purposes that are identical or similar to the applicant’s existing trade marks; and
2. applications filed for legitimate future business needs.

How many is too many?

Whilst the Guidelines do clarify certain aspects of the amended Trade Mark Law, such as whether defensive filings would be caught under Article 4, they also leave some important questions unanswered. For example, in the context of the 10 situations listed above, what is meant by “a large number of trade marks”? Would 50 trade marks be sufficient to impute bad faith filing behaviour, or would the number need to be closer to 1000? The Guidelines only state that the threshold will depend on the specific facts of each case, such as the number of classes covered by the filings, the time period during which the filings were made, the business scope of the applicant, among many other factors. This is borne out by the real-life examples cited in the Guidelines – in one example around 20 trade mark applications (for names of famous people) were deemed sufficient to meet the bad faith threshold, whereas in most of the other examples applicants were found to have engaged in bad faith filing behaviour after filing several hundred trade marks within a short period of time.

Conclusion

It is interesting to note that most of the real-life examples cited in the Guidelines involved substantial fact-finding before the CNIPA was able to determine that the behaviour amounted to bad faith under Article 4. In several examples, the CNIPA looked into the applicant’s business scope, the applicant’s common shareholders and relationships with other entities and individuals, post-registration behaviour (such as post-registration transfers to third parties) among other relevant factors before making a decision. Given the large volume of applications processed by the CNIPA, it would be unrealistic to expect examiners to proactively investigate the filing behaviour of each applicant.
In practice, unless the applicant has already been blacklisted, examiners are unlikely to reject applications based on Article 4 during substantive examination. Brand owners should therefore continue to monitor published trade marks and actively oppose bad faith applications. In cases where an applicant has engaged in behaviour that clearly falls within the 10 situations set out in the Guidelines, brand owners can also write to the CNIPA to present the relevant facts and request that the applicant be blacklisted, in order to increase the likelihood that future filings made by the applicant will be rejected outright by examiners during substantive examination.

The author would like to thank Jackie Leung, Trainee Solicitor at Mayer Brown, for her assistance with this article.

The Beginning of a New Chapter: Hong Kong’s Copyright (Amendment) Bill 2022 is Gazetted

By Amita Haylock, Partner, Mayer Brown, Hong Kong
Grace Wong, Associate, Mayer Brown, Hong Kong

Introduction

To bring Hong Kong’s copyright regime closer to technological developments and international norms, the Hong Kong Government launched a 3-month public consultation from November 2021 to February 2022 to update Hong Kong’s Copyright Ordinance (Cap. 528) (“CO”). The Government’s key legislative proposals in its public consultation paper (the “Consultation Paper”) were discussed in a previous article “At Last – Renewed Attempts to Update Hong Kong’s Copyright Ordinance” published in our IP & TMT Quarterly Review (Fourth Quarter 2021).

Following the public consultation, the Government published a summary of the views collected and its plans to update the CO. The majority of respondents agreed with the Government’s proposal to use the Copyright (Amendment) Bill 2014 as the basis for the present amendments and were generally supportive of the key legislative proposals. The Copyright (Amendment) Bill 2022 (the “2022 Bill”) was published on 27 May 2022. The 2022 Bill is currently under consideration by the Bills Committee, after which the Legislative Council will debate and vote on it.

As a follow-up to our last article, we look at the views collected on the key legislative proposals, the Government’s responses, and key provisions of the 2022 Bill.

Technology-Neutral Communication Right and Criminal Liability

The Government proposed a new communication right for copyright owners to communicate their works to the public on any electronic platform, while stipulating that certain acts do not constitute “communication to the public”, such as the mere provision of facilities for enabling or facilitating the communication of a work to the public. Many copyright owners are of the view that the specified acts are too broad and should be deleted. The Government maintains that the specified acts strike a balance between protecting copyright owners’ legitimate interests and public interests and should be retained, subject to appropriate adjustments and clarifications in the drafting.

Accordingly, the 2022 Bill introduces provisions which give copyright owners the exclusive right of communication.[18] The “communication of a work” means the electronic communication of the work to the public, including (a) broadcasting of the work; (b) inclusion of the work in a cable programme service; and (c) making available of the work to the public.[19] A person is to be regarded as having communicated a work to the public if she has “determined” the content of the communication. The 2022 Bill does not define or explain how content of a communication is to be “determined”.
That said, the 2022 Bill clarifies that a person will not be considered as having determined such content only because she has taken steps for the purpose of (a) gaining access to what is made available by someone else in the communication; or (b) receiving the electronic transmission of which the communication consists.[20] For instance, a person does not determine the content of a webpage by merely clicking on a link to access the webpage.

The mere provision of facilities for enabling or facilitating the communication of a work to the public does not constitute an act of communication, but “mere provision” does not include the provision of facilities that are primarily designed, produced, or adapted to enable or facilitate direct access to a copyright work without the copyright owner’s permission.[21]

[18] New section 22(1)(fa) of the CO under Clause 10(3) of the 2022 Bill
[19] New section 28A(2) of the CO under Clause 14 of the 2022 Bill
[20] New sections 28A(4) and (5) of the CO under Clause 14 of the 2022 Bill
[21] New section 28A(6) of the CO under Clause 14 of the 2022 Bill
[22] New sections 118(8B)-(8D) and 119(3) of the CO under Clauses 63(10) and 64 of the 2022 Bill; Cap. 221 Criminal Procedure Ordinance, Schedule 8, Level of Fines for Offences
[23] Section 108(2) of the CO; new sections 108(2)(d) and (e) of the CO under Clause 61(3) of the 2022 Bill

Adding force to this new right, the 2022 Bill seeks to impose criminal liability for unauthorised communications in circumstances where the copyright in the work is infringed: (i) for the purpose of, or in the course of any trade or business that consists of, communicating works to the public for profit or reward; or (ii) otherwise to such an extent as to affect prejudicially the copyright owner. However, it is a defence to prove that the defendant did not know and had no reason to believe that, by communicating the work in question in the said circumstances, she was infringing the copyright.
The maximum penalty is a fine at level 5 (currently at HK$50,000) and 4 years’ imprisonment.[22]

Additional Damages in Civil Cases

The CO currently provides that the Court may have regard to all circumstances in awarding additional damages for copyright infringement, for example, the flagrancy of the infringement and any benefit accrued to the defendant by reason of the infringement. The 2022 Bill proposes to add two factors which the Court may take into account, namely (i) any unreasonable conduct of the defendant after the infringement occurred; and (ii) the likelihood of widespread circulation of infringing copies as a result of the infringement.[23]

Safe Harbour Provisions

Respondents provided diverse views in relation to the proposed new safe harbour provisions for Online Service Providers (“OSPs”) which limit the OSPs’ liability for copyright infringement occurring on their platforms. While some copyright owners believe that OSPs should be subject to more conditions in order to benefit from the safe harbour provisions, some OSPs opine that they will be placed under a significant burden under the proposed provisions. In addition, a few copyright users are concerned about the adverse impact of the proposed takedown mechanism on freedom of expression.

The Government is of the view that the proposed provisions balance the interests of different stakeholders, noting that similar provisions are included in the copyright legislation of jurisdictions such as Australia, Singapore, the UK and the US. Hence, the Government’s position is that the relevant safe harbour mechanism should be first established by statute, and the operational details can be addressed in a voluntary Code of Practice, which may be published to provide practical guidance to OSPs.

In short, the OSPs will not be liable for damages or any other pecuniary remedy for copyright infringement occurring on their platforms if the following conditions are met:[24]

1. The OSP has taken reasonable steps to limit or stop the infringement as soon as practicable after receiving a notice of alleged infringement, becoming aware that the infringement has occurred, or becoming aware of the facts or circumstances that would lead inevitably to the conclusion that infringement had occurred;
2. The OSP has not received, and is not receiving, any financial benefit directly attributable to the infringement;
3. The OSP accommodates and does not interfere with the standard technical measures that are used by copyright owners to identify or protect their copyright works; and
4. The OSP designates an agent to receive notices of alleged infringements and supplies the agent’s name and contact details on its service.

[24] New section 88B of the CO under Clause 56 of the 2022 Bill. A “service provider” is defined as a person who, by means of electronic equipment or a network, or both, provides, or operates facilities for, any online services (new section 65A(2) of the CO under Clause 47 of the 2022 Bill; new section 88A of the CO under Clause 56 of the 2022 Bill).
[25] New section 88B(5) of the CO under Clause 56 of the 2022 Bill
[26] New sections 88B to 88J in Division IIIA in Part II of the CO under Clause 56 of the 2022 Bill
[27] Amended section 39(2) of the CO under Clause 19 of the 2022 Bill
The 2022 Bill also clarifies that OSPs are not required to monitor their services or actively seek facts that indicate infringing activity, except to the extent consistent with standard technical measures of copyright owners.[25] The surrounding provisions include, for example, procedures of giving a notice to OSPs for alleged infringement, the steps that OSPs may take after becoming aware of an infringement, and the counter-notice mechanism for alleged infringers to contest the complaint.[26]

New Fair Dealing Exceptions

The Government proposed new fair dealing exceptions for the use of copyright works for (i) parody, satire, caricature and pastiche; (ii) commenting on current events; and (iii) quotation of copyright works. Some copyright users opine that the Government should introduce a new exception for secondary creations, while copyright owners believe that the proposed exceptions should be tightened.

The Government is of the view that the proposed exceptions have balanced the interests of copyright owners and copyright users, and has hence provided in the 2022 Bill that:

• Use of a quotation from a copyright work is not infringing, provided that (i) the work has been released or communicated to the public; (ii) the use of the quotation is fair dealing with the work; (iii) the extent of the quotation is no more than is required by the specific purpose for which it is used; and (iv) the use of the quotation is accompanied by a sufficient acknowledgement (unless it is not reasonably practicable to do so).[27]
• Fair dealing with a copyright work for the purpose of commenting on current events is not infringing, provided that the use is accompanied by a sufficient acknowledgement (unless it is not reasonably practicable to do so).[28]
• Fair dealing with a copyright work for the purpose of parody, satire, caricature or pastiche is not infringing.[29] These terms are not defined in the 2022 Bill. Rather, the Government relied on the definitions of these terms in the Concise Oxford English Dictionary in the Consultation Paper and considered that the definitions are clear and confined.[30]

For each of the above exceptions, a non-exhaustive list of factors is proposed for determining whether the dealing with a copyright work is fair – this includes (i) the purpose and nature of the dealing; (ii) the nature of the work; (iii) the amount and substantiality of the portion dealt with in relation to the work as a whole; and (iv) the effect of the dealing on the potential market for, or value of, the work.[31]

[28] Amended section 39(3) of the CO under Clause 19 of the 2022 Bill
[29] New section 39A of the CO under Clause 20 of the 2022 Bill
[30] Footnote 11, page 9 of the Consultation Paper
[31] Amended section 39(4) of the CO under Clause 19 of the 2022 Bill; new section 39A(2) of the CO under Clause 20 of the 2022 Bill

Conclusion

The 2022 Bill is long overdue and in line with Hong Kong’s commitment to provide a robust IP regime and the Central People’s Government’s support in its 14th Five-Year Plan for Hong Kong to develop into a regional IP trading centre. Whilst the Hong Kong Government maintains the view that it is unnecessary to introduce specific provisions to tackle illicit streaming devices or to provide for a judicial site blocking mechanism, it does leave the door open for future amendments as the 2022 Bill is hopefully the start of a continuous process to update the copyright regime.

There is no concrete timeline on when the 2022 Bill is expected to be passed. It is hoped that the 2022 Bill will fare better than its predecessor the Copyright (Amendment) Bill 2014, which was shelved in 2016 due to polarizing views, and will be given due consideration by the Legislative Council.

The authors would like to thank Jackie Leung, a Trainee Solicitor at Mayer Brown, for her assistance with this article.
IP & TMT Quarterly Review

DATA PRIVACY – HONG KONG

Is It Time? The PCPD’s 2022 Guidance Note on Model Contractual Clauses for Cross-border Transfers

By Gabriela Kennedy, Partner, Mayer Brown, Hong Kong
Joshua Woo, Registered Foreign Lawyer (Singapore), Mayer Brown, Hong Kong

Introduction

On 12 May 2022, the Hong Kong Privacy Commissioner for Personal Data (“PCPD”) issued a Guidance Note on the Recommended Model Contractual Clauses for Cross-border Transfers of Personal Data (“2022 Guidance”). The 2022 Guidance is split into 3 “parts”:

1. Part 1, which is an introduction of the 2022 Guidance and the rationale underpinning it;
2. Part 2, which is an explanation on the use of the Recommended Model Contractual Clauses; and
3. The Schedule which sets out the recommended model clauses.

The PCPD last issued a guidance note on Personal Data Protection in Cross-border Data Transfer in December 2014 (“2014 Guidance”). The 2014 Guidance also included a set of model data transfer clauses, though the clauses made heavy reference to the Personal Data (Privacy) Ordinance (“PDPO”) and consequently had to be governed by the laws of Hong Kong in order to achieve certainty on the application and enforcement of the PDPO. The 2014 model clauses also did not distinguish between data users³² and data processors.

In contrast, the recommended model clauses appear to be more self-contained, providing for defined terms and making fewer references to the substantive provisions of the PDPO, thus achieving a more user-friendly guidance for personal data recipients outside of Hong Kong. Furthermore, in recognition of the growth in outsourced processing, and much like the Standard Contractual Clauses of the EU GDPR, the 2022 Guidance now contains two sets of recommended model clauses to cater for (i) data user to data user transfers, and (ii) data user to data processor transfers.
Background

Section 33 of the PDPO prohibits the cross-border transfer of personal data unless an exception applies. However, Section 33 has yet to come into effect and no timetable has been announced for its implementation despite the PDPO being in force since 1996. Notwithstanding that Section 33 has yet to come into force, it is important for data users to have the appropriate protection for any cross-border transfers of personal data since data processors are not directly subject to the PDPO requirements and data users are ultimately responsible in the event of any breach of the PDPO by their data processors. The issuance of the 2022 Guidance by the PCPD is reflective of this, and addresses the relevant legal requirements, such as the Data Protection Principles articulated in the PDPO.

The increasing digitalization of personal data and the proliferation of cross-border outsourced data processing operations are the main reasons for the 2022 Guidance. The recommended model clauses are presented as “free-standing clauses” that are meant to be incorporated into commercial agreements in order to help small and medium-sized enterprises adopt best practices as part of their data governance responsibilities.

32 A “data user” is the PDPO equivalent of a “data controller” and is defined under the PDPO as a “person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data.”
33 DPP 1(3), PDPO.
34 DPP 3, PDPO.
35 DPP 4(2), PDPO.
36 Direct marketing requirements are found in Part 6A of the PDPO.
37 Section 65, PDPO.

The 2022 Guidance provides a good reminder in Part 1 of the relevant legal requirements that are engaged when data users carry out cross-border personal data transfers.

PURPOSE LIMITATION

Under the PDPO, data subjects must be explicitly informed of the purpose for which the personal data is to be used and the classes of persons to whom the personal data may be transferred³³.
The PDPO further prohibits the use of personal data for a new purpose without the data subject’s prescribed consent³⁴. The 2022 Guidance highlights the fact that cross-border personal data transfers constitute “use” within the meaning of the DPPs, and would therefore require the prescribed consent of the data subject if the transfer is for a new purpose, save for where an exception under Part 8 of the PDPO applies.

DATA PROCESSORS

Given the prevalence of cross-border outsourced data processing, the 2022 Guidance highlights the relevant provisions of the PDPO when data users engage data processors, and which need to be addressed in the recommended model clauses, including:

1. requiring data users to adopt contractual or other means to prevent personal data transferred to data processors from:
   a. being kept longer than is necessary;
   b. unauthorised or accidental access, processing, erasure, loss or use of the personal data³⁵;
2. adhering to the direct marketing requirements of the PDPO³⁶; and
3. remaining liable for any act done by agents with their authority³⁷.

COMPLIANCE

Lastly, the 2022 Guidance promotes the use of the recommended model clauses to demonstrate compliance with the PDPO when engaging in cross-border transfers.

Part 2

Unlike the GDPR standard contractual clauses, the recommended model clauses do not have to be included in their entirety. While the recommended model clauses are intended to form the base terms and conditions applicable to cross-border transfers, they are ultimately prepared as free-standing clauses which may be adapted by organisations and incorporated into a service agreement. The 2022 Guidance also states that alternative wording may be used so long as such wording mirrors the substantive requirements of the PDPO.
Notably, the recommended model clauses are also intended to be applied in contracts between entities that are both outside Hong Kong where the transfer is controlled by a Hong Kong data user (e.g. where the original independent contractor in turn sub-contracts the processing activities) since the recommended model clauses include provisions to ensure that the onward transfers of personal data are subject to the same or substantially similar data protection obligations.

USER TO USER RECOMMENDED MODEL CLAUSES

The key purpose of the user to user recommended model clauses is to ensure that the transferor takes all reasonable precautions to ensure that the personal data transferred to the transferee data user is not processed in a manner that would otherwise be a violation of the PDPO. The provisions of the user to user recommended model clauses therefore apply requirements that a data user in Hong Kong would need to adhere to, in the form of contractual warranties from the transferee, including:

1. only using personal data for the agreed transfer purposes and consistent with the original purpose of collection;
2. ensuring that the personal data transferred is adequate but not excessive with regard to the purposes of the transfer;
3. adopting security measures as agreed upon with the transferor;
4. retaining the personal data only for as long as necessary or for the agreed retention period;
5. taking all practicable steps to:
   a. erase personal data once personal data ought to no longer be retained;
   b. ensure that personal data is accurate with regard to the transfer purposes;
   c. ensure that inaccurate personal data is not used unless it is rectified or it should be erased;
   d. ensure that data subjects are able to access its policies and practices in relation to the personal data;
6. not making any onward personal data transfers unless agreed;
7. ensuring that any onward transfers are subject to the same or substantially similar data protection obligations provided by the recommended model clauses;
8. not making any onward personal data transfers to any other jurisdictions except as agreed;
9. giving effect to the data subject’s access and correction rights; and
10. complying with obligations to cease direct marketing activities using the personal data upon receipt of written notice.

USER TO PROCESSOR RECOMMENDED MODEL CLAUSES

Similarly, the user to processor recommended model clauses reflect the requirements for the data user transferor to be accountable for the data processor transferee’s compliance with the PDPO. This includes:

1. only processing personal data for the agreed transfer purposes and consistent with the original purpose of collection;
2. ensuring that the personal data transferred is adequate but not excessive with regard to the purposes of the transfer;
3. adopting security measures as agreed upon with the transferor;
4. retaining the personal data only for as long as necessary or for the agreed retention period;
5. taking all practicable steps to:
   a. erase personal data once personal data ought to no longer be retained;
   b. ensure that personal data is accurate with regard to the transfer purposes;
   c. ensure that inaccurate personal data is not used unless it is rectified or it should be erased;
6. not making any onward personal data transfers unless agreed; and
7. ensuring that any onward transfers are subject to the same or substantially similar data protection obligations provided by the user to processor recommended model clauses.

Recommended Model Clauses

DATA TRANSFER SCHEDULE

Both types of recommended model clauses also incorporate a Data Transfer Schedule which sets out the agreements between the transferor and transferee vis-à-vis operational and technical aspects of the data transfer.
ADDITIONAL CONTRACTUAL MEASURES

Helpfully, the 2022 Guidance recognises that the above provisions may, by themselves, be insufficient to ensure compliance with the PDPO, and provides suggestions as to additional assurances that may need to be given. These include:

1. Reporting, Audit and Inspection Rights

These rights are important in helping transferor data users ensure and ascertain that transferees are complying with their obligations under the respective recommended model clauses. This could include regular security reports or even an audit right exercisable by the transferor data user. Drawing from our experience, regulators in other jurisdictions have found that, notwithstanding the inclusion of relevant contractual provisions with their data processors, data users who did not exercise their audit rights had failed to take all practicable steps to protect the personal data in their possession.

2. Data Breach Notification Obligations

There are no mandatory requirements under the PDPO for data users (much less data processors) to notify the PCPD or data subjects about data breaches in Hong Kong, let alone for data users or data processors outside of Hong Kong in respect of transferred data. Transferor data users may wish to impose contractual requirements for transferees to notify them immediately in the event of a data breach that occurs or is likely to have occurred as soon as reasonably possible. This is important to prevent situations where the PCPD may become aware of the data breach before the transferor data user becomes aware of it, which leads to them being caught off guard by an investigation initiated by the regulator in Hong Kong.

3. Compliance Support and Co-operation Obligations

In the course of investigations and regulatory compliance reviews, transferor data users may require the co-operation of their transferees. To ensure that they obtain the necessary co-operation, transferor data users may wish to include a contractual provision to such effect.

Comments

The recommended model clauses impose certain obligations on the transferees that will likely be resisted especially by data processors as they may involve actions outside their control. These include:

1. requiring the transferee to ensure that personal data transferred is adequate but not excessive³⁸;
2. taking all practicable steps to ensure that any inaccurate personal data is not used unless it is rectified or erased even though the transferee may not have direct contact with the data subject, and may be unaware of any inaccuracies if not otherwise informed by the transferor data user clause³⁹; and
3. taking all practicable steps to ensure that data subjects should be able to access their policies and practices in relation to personal data⁴⁰.

Given these requirements, the recommended model clauses are likely to be heavily negotiated by both data users and their processors. Data users will also now likely push for the inclusion of additional contractual measures in their data processing agreements.

Conclusions

This is the second iteration of guidelines that attempt to formulate procedures for cross-border transfers and it is perhaps time for Section 33 to be brought into force at last. For now, data users should comply with the 2022 Guidance lest a negative view is taken of them in the event of an investigation for non-compliance.

38 See Clause 4.2 of the user to user RMCCs, Clause 3.2 of the user to processor RMCCs.
39 See Clause 4.7 of the user to user RMCCs, Clause 3.7 of the user to processor RMCCs.
40 See Clause 4.8 of the user to user RMCCs.
CYBERSECURITY – CHINA

Minor(s) Regulation, Major Consequences? Cyberspace Administration of China’s New Draft Regulations for Online Protection of Minors

By Gabriela Kennedy, Partner, Mayer Brown, Hong Kong
Joshua Woo, Registered Foreign Lawyer (Singapore), Mayer Brown, Hong Kong

New draft Regulations on the Online Protection of Minors (Draft Regulations) were released by the Cyberspace Administration of China (CAC) on 14 March 2022. They update the 2016 Draft Regulations of the same name, which were released for public comment but never adopted. The latest Draft Regulations have been issued pursuant to the PRC Law on Protection of Minors (LPM), PRC Cybersecurity Law and PRC Personal Information Protection Law (PIPL) and reflect the government’s growing concern about the negative impact of the internet on society, particularly its youth – and come hot on the heels of the rules introduced last year that prescribe the amount of time minors are allowed to spend on video games on a weekly basis.

Scope of Application

The LPM defines “minors” as individuals under the age of 18. As the name suggests, the Draft Regulations focus on the protection of minors online, and specifically address and impose obligations on online product and service providers, personal information handlers (Data Controllers) and the manufacturers or sellers of smart terminals⁴¹, with additional requirements for important internet service providers.⁴² However, they also apply in general to other internet users.

High Level Obligations

Broadly worded, value-based requirements are imposed on online product and service providers (Online Providers), Data Controllers, and the manufacturers or sellers of smart terminals to “respect social mores”, “comply with professional ethics”, “be truthful and credible” and “take social responsibility”.
They also require these entities to establish effective and clear complaint channels and policies, and address complaints promptly.⁴³

Important Internet Service Providers

Important internet service providers with a “large base of minor users or with influence on minors as a group” are required to fulfill the following further obligations:

• Periodically carry out impact assessments on the protection of minors online;⁴⁴
• Provide “Youth Modes” and special areas for minor users;⁴⁵
• Establish an independent body to conduct oversight of the online protection for minors;⁴⁶
• Draft special rules and alert minor users in a conspicuous manner of the rights they enjoy for protection online in accordance with the law and of remedies for harms suffered online;⁴⁷
• Stop providing services to providers of products or services on the platform who seriously violate laws and administrative regulations and harm minors’ rights and interests;⁴⁸ and
• Annually publish a special report on their online protection of minor users.⁴⁹

These requirements for important internet service providers are quite onerous, and require the establishment of separate processes (special reports, independent oversight body etc.), although it is unclear whether such companies would need to separately retain a professional entity to conduct audits or exercise oversight of their compliance.

41 Article 6 of the Draft Regulations.
42 Article 20 of the Draft Regulations.
43 Article 7 of the Draft Regulations.
44 Article 20 (1) of the Draft Regulations.
45 Article 20 (2) of the Draft Regulations.
46 Article 20 (3) of the Draft Regulations.
47 Article 20 (4) of the Draft Regulations.
48 Article 20 (5) of the Draft Regulations.
49 Article 20 (6) of the Draft Regulations.
50 Article 22 of the Draft Regulations.
51 ibid.
52 Article 23 of the Draft Regulations.
Content Prohibition

More generally, the Draft Regulations also prohibit the use of networks to:

• Reproduce, publish or transmit content harmful to minors’ physical or psychological health;⁵⁰
• Send minors content harmful to or that might impact minors’ physical or psychological health;⁵¹ and
• Entice or compel minors to produce, reproduce, publish or transmit text, pictures and audiovisual content of pornographic nature.⁵²

Online Providers must also ensure that any information that may lead or entice minors to imitate unsafe conduct, carry out conduct that violates social mores, or impact minors’ physical or psychological health is accompanied by conspicuous content warnings before the content can be displayed (Sensitive Content). The CAC is expected to release more detailed guidance on what constitutes Sensitive Content.⁵³

This is something to pay close attention to as the Draft Regulations also prohibit the production, reproduction, publication or transmission of Sensitive Content in online products or services aimed at minors, and the embedding of Sensitive Content in “eye-catching positions”, or areas of the products or services that are likely to draw users’ attention, such as landing pages, pop-up windows or even suggested searches.⁵⁴ Online Providers are also required to put into place necessary mechanisms enabling them to take down Sensitive Content upon discovery, store relevant records and make a report to relevant departments.⁵⁵

The Sensitive Content provisions do not currently distinguish between content organically created by Online Providers, and advertisements.
Accordingly, since these “eye-catching positions” are often made available to advertisers (and perhaps beyond direct control of Online Providers), Online Providers with an application or website accessible by minors in the PRC may have to review their advertising policies and exercise more control over their online content.⁵⁶

Software Pre-installed Requirement

Smart terminal products intended for use by minors are required to have content-filtering features facilitating prevention of minors’ exposure to Sensitive Content, or employ noticeable methods to inform users about the channels and methods for installing such software.⁵⁷ It is anticipated that the CAC will further clarify the relevant technical standards and requirements for these smart terminal products.

53 Article 24 of the Draft Regulations.
54 Article 26 of the Draft Regulations.
55 Article 30 of the Draft Regulations.
56 Article 26 of the Draft Regulations.
57 Article 19 of the Draft Regulations.
58 Article 33 and 53 of the Draft Regulations.
59 Article 34 of the Draft Regulations.
60 Article 35 of the Draft Regulations.
61 Article 37 of the Draft Regulations.
62 Article 42 of the Draft Regulations.
63 Article 44 of the Draft Regulations.

Real Name Registration Requirement

A real-name registration requirement is also imposed in respect of certain services. Online Providers providing minors with information publishing, instant messaging or gaming services are required to obtain from the minors or their guardians the minors’ real-name information.⁵⁸ Where the minors or their guardians do not provide the minors’ real-name information, the Online Providers are prohibited from providing the relevant services to the minors.

Personal Information Protection Law

Articles 34 to 45 also reiterate the applicability of the PIPL provisions relating to minors.
These include ensuring that principles of lawfulness, propriety, necessity and good faith are observed when handling personal information;⁵⁹ the need to obtain new consent when there are changes to the purpose, method of handling or types of personal information handled;⁶⁰ and obtaining separate consent when handling sensitive personal information of minors.⁶¹

Notably, the Draft Regulations mandate that Data Controllers “strictly set access rights to information and control the scope of access to minors’ personal information (Minors’ PI)”. This requires them to ensure staff accessing Minors’ PI obtain the approval of management, record circumstances of access, and implement technical measures to avoid improper handling of Minors’ PI.⁶² Data Controllers are also required to conduct an annual compliance audit of their handling of Minors’ PI.⁶³

Industry Specific Obligations

Under the Draft Regulations, providers of online education products and services aimed at minors are not allowed to send advertisements, or other information unrelated to education.⁶⁴ Providers of online services such as games, live streams, video and social media, are required to employ measures to reasonably limit the amount that minors can spend as single payments and daily totals for online products or services.⁶⁵ In particular, providers are prohibited from providing payment services to minors that are incongruous with the minors’ “capacity for civil action”.⁶⁶ The Draft Regulations do not elaborate further on how this capacity is to be determined – for example, whether it relates to their ability to bear any financial liability or otherwise.
Furthermore, online live streaming service providers are required to verify the identities of their users, and ensure that minors under 16 do not register for online live streaming accounts.⁶⁷

Stiff Penalties

Penalties under the Draft Regulations mirror those under PIPL and include a fine of up to RMB 50 million or 5 percent of the preceding year’s annual turnover, rectification orders, warnings, confiscation of illegal gains, suspension or cessation of services, cessation of operations or revocation of permits or business licenses. In egregious cases, directly responsible personnel may be held personally liable for up to RMB 1,000,000.⁶⁸

Takeaways

The broad applicability of the Draft Regulations means that online businesses – even those not specifically catering to minors – may be impacted, so long as their services are accessible by minors. This is particularly the case for online businesses that operate in the gaming, live streaming, video, social media and online education sectors. In summary, all companies with websites or mobile applications accessible in the PRC by minors should review their policies, processes and guidelines relating to their handling of Minors’ PI.

The authors would like to thank Roslie Liu, Intellectual Property Officer at Mayer Brown, for her assistance with this article.

64 Article 29 of the Draft Regulations.
65 Article 50 of the Draft Regulations.
66 Article 51 of the Draft Regulations.
67 Article 33 of the Draft Regulations.
68 Article 63 of the Draft Regulations.