September 22, 2017

Intellectual Property & Technology Partner Jack Ow was featured in Asia Business Law Journal on the increasingly stringent legal frameworks concerning data protection and cybersecurity in the APAC region

Intellectual Property & Technology Partner Jack Ow was featured in the article ‘Space Invaders,’ published in Asia Business Law Journal on data protection and cybersecurity of technology in the legal sector. The article was first published on 19 September 2017. With the recent increase in cyber attacks, Asia Business Law Journal explores how the once abstract concepts of data protection and cybersecurity are quickly gaining traction. There is a clear trend that legal frameworks are becoming more stringent in Asia Pacific (APAC) countries. One such example is Singapore’s recent draft Cybersecurity Bill, in which Jack commented, “The Cybersecurity Bill gives the Cyber Security Agency (CSA) powers to require any person to assist and co-operate in investigations, and also to take steps to prevent and respond to cybersecurity threats and cybersecurity incidents.” Regulations concerning the transfer of personal data across jurisdictions are likewise becoming more stringent. “Where international transfers of personal data are concerned, then it is an express requirement under the Personal Data Protection Act (PDPA) that the transferring party must ensure, before transferring personal data overseas, that the receiving foreign party is bound by legally enforceable obligations to provide a standard of protection that is at least comparable to the standard of protection prescribed in Singapore,” Jack advised. While many believe APAC countries could consider adopting standards to facilitate cross-border data transfer through a harmonisation of the various regimes, Jack rationalised that with differing levels of economic development, harmonisation is likely to face a stumbling block. However, he shared a reason for optimism. “The cross-border exchange of digital goods, services and even ideas between Asian economies could very well be a key driver toward harmonisation in order to facilitate and regulate intra-Asia trade.” Please click here to view the full article, as published in the Asia Business Law Journal.
September 22, 2017

RHTLaw Taylor Wessing proud to host a UK delegation comprising more than 20 Innovative Companies

RHTLaw Taylor Wessing was proud to host a UK delegation comprising more than 20 Innovative Companies at the office on 22 September 2017. Head of Regulatory Practice Nizam Ismail gave the introductory speech, showcasing the Firm’s strengths in technology and in assisting companies to expand to the region. Other presenters comprised Jayaprakash Jagateesan, CEO of RHT Holdings; Kok-Chin Tay, Chairman of SG100 Foundation; Emma Greenfield, Head of Events and Promotion at Enterprise Nation and Ashish Kothari, Director of Tech Singapore Advocates. The delegation was in Singapore to understand about the creative technology landscape as well as connect with agencies, government representatives and accelerators. This exclusive event was organised in conjunction with Enterprise Nation, UK Department of International Trade and SG100 Foundation. The team was part of Enterprise Network’s larger network of 70,000 start-up entrepreneurs, small business owners and enterprise experts who were in Singapore for a three day exploratory trade mission focusing on technology, digital and creative industries.
September 21, 2017

Head of Intellectual Property & Technology Jonathan Kok comments that the original creator of content usually owns the copyright to it, in The Straits Times article titled “Property listings portal sues rival for copyright infringement”

RHTLaw Taylor Wessing's Head of Intellectual Property & Technology Jonathan Kok commented that the original creator of content usually owns the copyright to it, in The Straits Times article titled “Property listings portal sues rival for copyright infringement”. The article was first published on 21 September 2017. Property listings portal sues rival for copyright infringement Source: The Straits Times © Singapore Press Holdings Ltd. Date: 21 September 2017 Author: Rachel Au-Yong Singapore's biggest property listings portal PropertyGuru has sued its rival 99.co over alleged copyright infringement, accusing the latter of reproducing content from its website without permission. Yesterday marked the start of the six-day trial, which is being watched for its implications on who owns the copyright of content uploaded onto online platforms. At issue in the ongoing case is the use of a third-party digital app called Xpressor, which lets property agents post listings across multiple portals - resulting in several listings on 99.co bearing PropertyGuru's watermark. PropertyGuru, which was founded here in 2007 by Finn Jani Rautiainen and Briton Steve Melhuish, has said it has the business of half the 28,000 licensed agents in Singapore. 99.co, a relative newcomer, was set up in 2014 by entrepreneur Darius Cheung and counts Facebook co-founder Eduardo Saverin among its backers. PropertyGuru filed three claims against 99.co. It alleges that 99.co had breached a previous settlement agreement made in September 2015. 99.co "substantially reproduced and continues to reproduce" content from its website, said PropertyGuru.   Implications beyond property sector Intellectual property lawyers are watching the court case involving PropertyGuru and 99.co closely. The case raises questions about who owns the copyright on images of properties taken by housing agents, and could have implications beyond the property industry. PropertyGuru is alleging that 99.co infringed its copyright by posting content from its website on the latter's, among other things. But 99.co has countered that property agents were exercising their rights to their own content. Robinson LLC lawyer Cyril Chua said for a site, or any other party, to claim copyright on the content, there must have been sufficient skill, effort, labour and judgment to change it. "If I draw a version of the Mona Lisa with different hair, I own the copyright to that parody. The question is whether resizing it and signing my name can warrant me calling it a new piece of art," he said. RHTLaw Taylor Wessing intellectual property lawyer Jonathan Kok said the scope of rights acquired by a site depends on whether the terms of use state that it is full or partial transfer of ownership. The general rule has been that whoever created the work owns the copyright in it unless he signs a written agreement and transfers ownership. A quick check showed that popular sites like Facebook and Pinterest do not own the copyright on images hosted on their sites. Others, such as sales listing site Carousell, state that users infringe copyright if they post images of items taken by other users or off their original websites. Amica Law's Jason Chan said there could be other issues such as ownership of copyright to a listing and their images when agents co-broke a deal. It is also accusing 99.co of infringing its copyright by reproducing photos bearing the PropertyGuru watermark on 99.co's website. The final claim is that 99.co had caused property agents to breach PropertyGuru's rules about content on its website by encouraging them to sign up with Xpressor to copy their listings from PropertyGuru onto 99.co's website. According to PropertyGuru's Acceptable Use Policy, agents cannot reproduce, display or provide access to its website on another site. 99.co has denied the claims, and has filed a counterclaim against PropertyGuru for "groundless threats" of copyright infringement. It argues that agents were "exercising their own copyright" in using Xpressor to post listings across multiple websites. It is also saying that it has not reproduced PropertyGuru's photos; rather, agents themselves have done so by using Xpressor. Yesterday, Mr Rautiainen, PropertyGuru's managing director, was cross-examined by 99.co's lawyer Koh Chia Ling. Mr Koh sought to establish that the act of resizing or putting a watermark on an agent's photo does not give PropertyGuru copyright over the new image. But Mr Rautiainen disagreed, citing a "high-level technical process" that allows agents' original photos to be adjusted, pixelated and resized, then have a watermark imprinted on them. He also said that the only available alternative site for Xpressor to cross-post listings to was 99.co. According to Xpressor's Facebook page, it allows cross-post listings across nine property portals, including PropertyGuru and 99.co. But when questioned by Mr Koh, Mr Rautiainen said there was never any infringement of copyright by Xpressor's parent company, Media Publishing Group. The trial continues today.
September 21, 2017

“Failure to comply can have serious consequences,” shares Head of Intellectual Property & Technology Jonathan Kok in his opinion piece on the European Union General Data Protection Regulation as featured in The Business Times

RHTLaw Taylor Wessing Head of Intellectual Propoerty & Technology Jonathan Kok authored an opinion piece titled "How Singapore SMEs should prepare for EU general data protection regulation" published in The Business Times. The article was first published in The Business Times on 19 September 2017. How Singapore SMEs should prepare for EU general data protection regulation Source: The Business Times © Singapore Press Holdings Ltd. Date: 19 September 2017 Author: Jonathan Kok SINGAPORE'S small and medium enterprises (SMEs) that have business dealings with clients based in the European Union (EU) will need to keep an important date in mind - May 25, 2018. That is the day the new legal framework, the European Union (EU) General Data Protection Regulation (GDPR), will come into force across the EU to protect all EU citizens and residents from privacy and data breaches by giving them greater control over the organisations that can use their personal data. This means that, in about 10 months, all organisations - whether in the EU or anywhere else - must adhere to the GDPR regulation as long as they collect and process personal data of EU citizens and residents. Given that the EU accounts for 10 per cent of Singapore's total trade and with bilateral trade standing at about S$91 billion in 2015, the importance of being GDPR-ready cannot be discounted. A global study by Veritas Technologies reported that 92 per cent of organisations in Singapore were concerned about not complying with the GDPR when it comes into effect next year; 56 per cent of businesses were afraid of being unable to meet the regulatory deadlines. Failure to comply can have serious consequences, especially for SMEs. The GDPR introduces a tiered approach to fines. For example, a company which does not have its records in order can be fined 10 million euros (S$16.07 million) or 2 per cent of its total global turnover of the preceding financial year, whichever is higher. Fines are also imposed if the firm fails to notify the supervising authority and the data subject about a breach, or if it fails to conduct a Privacy Impact Assessment (PIA). Organisations in breach of the GDPR can be fined up to a maximum of 4 per cent of their annual global turnover or 20 million euros of the preceding financial year, whichever is higher. GDPR requirements With the GDPR introducing some fairly stringent requirements in relation to the protection of personal data, SMEs need to be familiar with what the new regulations are. Firstly, organisations covered by the GDPR must employ a Data Protection Officer (DPO), who is responsible for ensuring that the organisation collects and secures personal data responsibly. Secondly, individuals have more rights over how organisations use their personal data. They have the "right to be forgotten" if they either withdraw their consent for the use of their personal data or if keeping their personal data is no longer required. Organisations must immediately report breaches in data security to the relevant data protection authority in the EU. Ideally, the report should be made within 24 hours of the discovery of the breach; if that is not possible, within 72 hours. Keep in mind that consent for a particular use of the personal data must now be explicitly given before this data can be used for that purpose. The previous practice of taking silence or a failure to opt out to be "deemed consent" is no longer considered as valid consent. This new requirement will be applied retroactively; personal data previously collected without meeting this new requirement cannot be used unless express consent is obtained. An organisation with fewer than 250 employees is not required to comply with the GDPR. However, the GDPR still applies to SMEs with fewer than 250 employees that either routinely process personal data that is likely to result in a risk to the rights and freedoms of EU data subjects or process special categories of data relating to criminal convictions and offences. The special categories of data include health data, information on individuals' racial or ethnic origin, political affiliations, religious beliefs, genetic and biometric data and sexual orientation. The GDPR will apply to both controllers and processors of data. A data controller determines the purposes, conditions and means of processing the personal data; a data processor processes personal data on behalf of the controller. The GDPR places more legal obligations and liabilities on controllers than on processors. Controllers will need to ensure that their contracts with processors require the processors to comply with the obligations under the GDPR. Under the GDPR, personal data is any information that relates to a natural person or data subject that can be used to directly or indirectly identify that person. Such information can include a name, a photo, an e-mail address, bank details, posts on social media websites, medical information, or a computer IP address. Preparing to be GDPR-ready With personal data being used widely from marketing to customer relationship management, SMEs will need to rethink the way they manage and protect personal data in order to comply with the GDPR. For a start, they need to appoint a DPO, who need not be a full-time employee, and whose function can be outsourced depending on the organisation's needs. Ensure that all personal data is stored responsibly and securely, and all data-security arrangements are regularly reviewed and updated. Measures such as PIAs, which assess where privacy risks exist and how to minimise them, are essential, especially for controllers. Review the consent that was given when the personal data was collected. If the data was collected under "opt out" or other mechanisms which are no longer valid under the GDPR, the organisation must cease using the personal data unless further express consent is obtained. The organisation must update its privacy policies as the GDPR requires them to inform individuals of their new rights under the GDPR. Last but not least, the organisation should put in place plans to deal with a data breach. This will mean knowing what personal data the organisation is holding, where it is stored, who has access to it, and how to spot breaches when they occur, as well as to whom the breach must be reported. The organisation should also consider installing new technology that can provide a comprehensive approach to data identification and security. Understanding what personal data is held and where this is stored will help in monitoring compliance and the processes involved in dealing with the personal data. Given the heavy fines for non-compliance, Singapore SMEs must ensure that they have implemented privacy by design internally and externally, and put in place policies that ensure internal and external compliance with the obligations of the GDPR.