Concepts of ownership and control in Asia-Pacific
07 December 2017
There is nothing akin to the Europe-wide data protection regime across the various jurisdictions in South East Asia. Nonetheless, the huge growth of online commerce as seen in the recent "Singles Day" promotion (reportedly worth in excess of US$100 billion in online retail sales), has brought to the fore questions of ownership and control of data across these burgeoning markets.
Similar to those in the EU, legal rights concerning data in Hong Kong can include (i) intellectual property rights such as copyright, database rights (as well as concepts such as confidentiality); (ii) rights set out in contracts; and (iii) data regulations.
IP rights are territorial in nature and vary by country depending on the particular right involved. Data businesses are global, however, with data flowing instantaneously around the world. Hence, most businesses currently harnessing big data rely on contractual rights to offer protection. When properly structured these can provide a high degree of reassurance that rights are protected. From a regulation perspective, whilst competition and antitrust concerns regarding data are in their infancy in the region, it is notable that the first major legal action taken by Hong Kong's relatively new Competition Commission is in the field of information technology.
Whilst the legal framework for big data is far less developed in Hong Kong than it is for the UK and EU, some aspects of Hong Kong law do regulate the control, use and flow of data. However, the focus to date, in terms of regulations, has only been on personal data (rather than business data in general). The Privacy Commissioner has hinted that the provisions of the Personal Data (Privacy) Ordinance (PDPO) should not necessarily hold back moves towards open data given the exemptions for statistics and research activities. Personal data is exempt from restrictions on use, provided that the data is used for preparing statistics or carrying out research, the data is used for no other purpose and the resulting statistics are not made available in a form which identifies the data subjects.
Free-flow of data
In Hong Kong, questions about the free-flow of data are seen through the prism of data privacy. There is nothing similar to the proposed draft EC Regulation on the free flow of non-personal data, which aims to prohibit Member States from implementing or maintaining data localisation requirements.
The transfer of personal data to places outside Hong Kong is, in theory, at least, restricted by section 33 of the PDPO. The section, however, is not in force, giving rise to uncertainty, since the Commissioner has indicated in a guidance note that data users should behave as if the section is in force.
Section 33 prohibits the free flow of data under a number of conditions. The destination must have been approved by the Commissioner in writing (the so called "white list") and the data user must have reasonable grounds for believing that the location has privacy laws which are substantially similar to the PDPO. Data subjects must be notified that such data may be transferred outside of Hong Kong and must consent if the data is later used for a new purpose or given to new classes of people.
Section 33 mirrors to some extent the data transfer provisions of the General Data Protection Regulation (GDPR), according to which transfers of personal data to countries outside the European Economic Area are permitted if the countries provide an adequate level of data protection. Although the section has been on the statute books for more than twenty years, there is no sign of it coming into force anytime soon, meaning that there are no restrictions on the transfer of personal data to jurisdictions outside Hong Kong. Parties wishing to transfer data to other countries have to rely on contractual terms to restrict the use, security and destruction of data once the purpose for which the data has been collected, has been accomplished.
In its guidance note on cloud computing, the Privacy Commissioner recognises the challenges brought about by the rapid flow of data across borders. The note advises cloud providers to disclose to data users the locations and jurisdictions where the data will be stored. It also suggests that data users should consider their personal data privacy responsibility arrangements with regard to such storage. The note warns that access by law enforcement agencies to the data held in that jurisdiction may not have the same safeguards as in Hong Kong, and that contractual restrictions on data access between data users and cloud providers cannot override the law of that jurisdiction. The note also advises data users to choose cloud providers that allow them to choose locations and jurisdictions where there is adequate legal protection given to personal data.
In China, the new Cyber Security law imposes strict requirements on the free flow of data outside the PRC, with stringent registration and network security requirements. Pending the publication of more detailed rules (especially those on data export), the full impact of the Cyber Security law on multinational corporations and financial institutions is presently uncertain.
As in many other jurisdictions, there is no overarching framework for data ownership in Hong Kong. Databases are protected through copyright under the provisions of the Copyright Ordinance as literary works, defined as "a compilation of data or other material, in any form, which by the reason of the selection or arrangement of its contents constitutes an intellectual creation."
In order to afford copyright protection, the database must be original and the author must have used sufficient skill, judgement and labour in its making. It must have been reduced to a material form, either in writing or otherwise recorded.
Copyright protection is unlikely to cover databases in which there has been little human creative input and where the process of creation has been automated. Once afforded copyright protection, the owner has the exclusive right to copy the database, display the database in public and make adaptations of it.
In neighbouring China, similarly, there is no specific legal framework on data ownership. However, databases can also be protected in China through copyright (for both disclosed and undisclosed data). In order to be protected by copyright, there needs to be a minimum level of innovation or originality in the arrangement and combination of data in the database, and the data must be capable of being reproduced in a tangible form.
In terms of data regulations, whilst there is nothing like the extensive regulatory investigations under way in Europe into competition concerns, the first major case to be brought by the Competition Commission in Hong Kong concerns alleged bid rigging undertaken by five information technology companies in the supply of server equipment to the Young Women's Christian Association. With the Competition Ordinance relatively new in Hong Kong, it will be interesting to see whether the Commission eventually turns its attention to the less tangible data aspects currently under the spotlight in Europe.
Moves towards encouraging investment in big data have taken place in Hong Kong, with the accompanying legal framework lagging behind that in Europe. Through the passage of new legislation, such as the Cyber Security law, China arguably seems more prepared to join the race towards first recognising, then regulating, global movements of data, with all that implies for competition and privacy concerns.