APAC Monthly TMC Update  – November 2020 

Australia

Discussion paper on national in-service safety law for automated vehicles

On 16 October 2020, the Australian National Transport Commission (NTC) published a discussion paper seeking feedback for a national law for in-service safety of automated vehicles equipped with automated driving systems (ADS). The new law will put in place general safety duties and due-diligence obligations for entities responsible for ADS since existing laws that regulate human parties do not cover ADS. The discussion paper covers the functions and powers of an in-service regulator (e.g. monitoring, guiding and enforcing regulations on reporting, investigations and regulatory approvals), how the regulator should interact with other agencies, implementation of the law to complement state and territory laws, practical effects and the operation of in-service safety requirements, etc. The discussion sets out 30 specific consultation questions, for which feedback is due by 11 December 2020.

The NTC discussion paper can be found here.

China

Classification guide for cybersecurity protection takes effect

Under the PRC Cybersecurity Law, each network operator must perform cybersecurity protection obligations suitable for the specific cybersecurity-protection level under which its operation falls. The national standard “GBT/22240-2020 Classification Guide for Classified Protection of Cybersecurity”, which took effect on 1 November 2020, sets out requirements and procedures regarding how the applicable cybersecurity protection level will be assessed and decided.

Depending on the importance of an operation on national security, public interest the legal rights of individuals and organisations, and the damage that these protected interests may suffer, a network operator should first make an internal assessment on the applicable level. For a level 2 operation or higher, the network operator must report to the local public security authority in charge of cybersecurity matters, and cooperate with qualified or white-listed testing institutions to further assess whether the reported level is appropriate. Once the level is decided, the operator will check its current operation against the applicable cybersecurity requirements provided for in the standards (e.g. the Baseline for Classified Protection of Cybersecurity, the Assessment Requirements for Classified Protection of Cybersecurity, and the Design Technical Requirements for Classified Protection of Cybersecurity) and make adjustments if necessary.

During the next few years, implementing the classified cybersecurity protection requirements will likely become the focus of authorities. Compliance actions will be necessary if a company operates public websites, mobile applications, an e-commerce platform, cloud computing services, IoT projects, or any other online services or networks, but has not initiated the classified cybersecurity protection related work.

Please click here for the full version of the standard.

China passes draft law on personal data protection

On 21 October 2020, China's National People’s Congress published the Draft Personal Data Protection Law for public consultation, which will be held until 19 November 2020. Once passed, this legislation will be the first designated personal data protection law in China.

The draft has exterritorial effect and may apply to a foreign company processing the personal data of individuals physically located within China if the company supplies goods or services to individuals located within China, or has processed data to analyse or assess the behaviour of individuals in China. The draft introduces a few additional lawful bases for processing personal data apart from consent; proposes two new channels to handle the cross-border transfer of data and government organised security assessments; and proposes a high administrative fine of up to RMB 50 million or 5% of the total turnover of the previous year in case of a violation.

Please click here for a Law-Now article discussing the highlights in details.

Hong Kong

Prison sentence handed down in first doxing case

Amid the social unrest in Hong Kong over the last year, personal information has been “weaponised” with an explosion of complaints over doxing. While public consultation has taken place over legislative changes to Hong Kong’s Personal Data (Privacy) Ordinance to better tackle this issue, a number of recent court decisions demonstrate how doxing may be addressed under the existing legal framework.

On 3 November 2020, a telecommunications technician was convicted in District Court for doxing and sentenced to 18 months imprisonment. The technician obtained and posted the personal data of a police officer's family member by hacking the officer's work computer. The accused was charged with an offence under section 64(2) of the Personal Data (Privacy) Ordinance (PDPO) for disclosing personal data obtained without the consent of the relevant data users and causing psychological harm to a family member of the police. The personal data obtained included the individual’s Identity Card number, which was disclosed to a group on a social media platform. This is the first doxing case where the defendant was convicted and sentenced to prison since the amendment of section 64(2) PDPO. The maximum penalty for this is a fine of HKD 1 million and five years imprisonment.

Recently, the High Court granted three doxing-related interim injunctions. In one case, Secretary for Justice v Persons Unlawfully and Wilfully Conducting Etc [2019] HKCFI 2773, the court found inter alia that the balance of convenience or prejudices strongly favoured granting the injunction order. Although the injunction order could restrict certain fundamental rights such as the freedom of speech or expression, the court considered it proportionate when balanced against the privacy rights of police officers and their families and the need to maintain public order.

The official PCPD link for the media statement can be found here.

Financial Services and the Treasury Bureau (FSTB) consultation on enhancing regulations for trading virtual assets

The Financial Services and Treasury Bureau (FSTB) issued the “Public Consultation on Legislative Proposals to Enhance Anti-Money Laundering and Counter-Terrorist Financing Regulation in Hong Kong”, a consultation paper proposing inter alia a licensing regime for virtual asset (VA) trading platforms in Hong Kong. The consultation was launched in response to the Financial Action Task Force’s recommendations and the recognition that virtual assets may carry considerable risks in terms of money laundering and terrorist financing. Notable concerns include investor protection, fraud, security breach and market manipulation.

Under the regime, non-security virtual assets trading platforms will require a license from the Securities and Futures Commission (SFC). It was proposed that virtual assets (VA) be defined as “a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes”. Furthermore, the proposed framework requires the VA platform operator to be a Hong Kong-incorporated company with a permanent place of business in Hong Kong. The ultimate owners and responsible officers of the company must pass the fit-and-proper test where the SFC determines experience, qualifications, financial integrity, prior convictions and other relevant considerations.

The SFC will be given the power to impose licensing conditions on VA platforms and the statutory power to intervene in their businesses, under certain circumstances, in order to protect client assets. The proposals cover VA platform operators doing business in Hong Kong and companies that actively market the Hong Kong public. Unlicensed operators face criminal conviction punishable with a fine of HKD 5 million and seven years imprisonment. Additional fines and penalties may be imposed for continuing offences.

The official public consultation can be found here.

Singapore

New Smart Urban Co-Innovation Lab

On 28 October 2020, the Smart Urban Co-Innovation Lab was launched by CapitaLand and the Singapore InfoComm Media Development Authority (IMDA) and Enterprise Singapore (ESG), with a funding of SGD 10 million. It is the first smart cities solutions development lab in Southeast Asia in which industry players will collaborate, test and develop business partnerships in environmental and technology-based enterprises in a live environment with the latest technologies and 5G connectivity. Many prominent international and local industry players have committed to testing and pilot trials, including Amazon Web Services, Cisco Systems, Microsoft, and many other telecoms and data companies. The lab will focus on six industry areas over the next three years: advanced manufacturing, digital wellness, intelligent estates, smart mobility, sustainability and urban agriculture. The lab will focus on close-to-market activities in order to bring problem statements, sandbox ideas and proof-of-concepts to deployment. Participation in the lab includes infrastructure support (e.g. 5G network coverage, cloud service access) and allows industry players access to user-and-solution matching services, financial grants and testbed-lab support.

The official IMDA press release can be found here.

Model AI governance framework Compendium of Use Cases Volume 2 published

On 16 October 2020, the Singapore Personal Data Protection Commission (PDPC) published Volume 2 of its Compendium of Use Cases. The Compendiums complement the Model AI Governance Framework (first published on 23 January 2019, updated as a second edition on 21 January 2020), which provides guidance to companies on using and developing AI, and gives practical advice on responsible AI decision-making. The Compendium features illustrations of how local and international organisations have implemented AI governance practices and aligned them with the AI Model Framework. Volume 1 featured use cases from Callsign, DBS Bank, HSBC, MSD, Ngee Ann Polytechnic, Omada Health, UCARE.AI and Visa Asia Pacific.

The new Volume 2 features more organisations – including: The City of Darwin (Australia) – In using AI that employs anonymised data of people and vehicle movements from CCTV footage to detect and classify video data to capture pedestrian and vehicle details for improving public safety and city planning, the City of Darwin protects personal data by using secure on-site servers, limiting access to staff only, engaging independent consultants for privacy-impact assessments, etc.; Google – For its business solution Celebrity Recognition Application Programming Interface that allows Google’s business customers to identify and search for the professionally produced content of celebrities (instead of relying on manual tagging of video footages) to create documentaries and new movies, Google put controls in place such as a clear restricted list of celebrities, limited access to the tool and placed a prohibition on the expansion or customisation of the tool for private use in tagging non-celebrities; Microsoft – In implementing trustworthy conversational AI, Microsoft established an AI, Ethics, and Effects in Engineering and Research (Aether) Committee and an Office of Responsible AI to oversee cross-company governance and public policy, and put in place specific assessments on sensitivity-of-use cases to determine the human-involvement level required for AI bots (e.g. human-over-the-loop vs human-in-the-loop mechanisms); and Taiger – As a company that develops AI solutions to automate tasks and simplify processes for other entities, Taiger put in place detailed governance processes clearly defining the roles of specific staff and their corresponding review responsibilities.

The official PDPC link for the compendium can be found here.

Cybersecurity Labelling Scheme (CLS) in Singapore

On 7 October 2020, the Cyber Security Agency of Singapore (CSA) launched the Cybersecurity Labelling Scheme (CL”) for consumer smart devices, as part of an effort to improve the security of the Internet of Things (IoT), raise the level of overall cyber hygiene and make Singapore’s cyberspace more secure. The first of its kind in the Asia-Pacific region, the CLS would rate smart devices according to their levels of cybersecurity so that consumers are able to identify products and make informed decisions based on cybersecurity provisions.

The CLS is a voluntary scheme made up of four rating levels, represented by one, two, three or four asterisks. Each additional asterisk indicates an additional tier of testing and assessment that the product has undergone. Manufacturers applying for the first two levels must submit a declaration of compliance with supporting evidence. For Level 3 and 4 applications, an approved lab must submit an assessment report. The CSA will prioritise the introduction of the CLS to Wi-Fi routers and smart home hubs because of their wide usage and the potential impact on users if these products are compromised. The validity of the label would last as long as the device is supported with security updates, up to a maximum of three years. To encourage adoption of this scheme, the CSA will waive CLS application fees for one year until 6 October 2021.

For more details on the CLS from the CSA’s website, please click here.

Ten-year Legal Tech and Innovation Roadmap

On 2 October 2020, the Singapore Ministry of Law (MinLaw) launched the Legal Industry Technology and Innovation Roadmap (TIR). The TIR provides guidance to both law firms and in-house legal teams, and resulted from a survey conducted by the Law Society of Singapore in 2018 and subsequent consultations and industry engagement. The TIR provides practical examples of solutions law firms and legal teams can adopt depending on their desired level of technology solutions, setting out specific benefits for each level of technology. According to the MinLaw press release, the following initiatives will be rolled out over the next two years: the legal industry digital plan, an affordable and secure cloud-based platform for LegalTech, support for professional upgrading, and a legal education for digital skills, in addition to existing funding and training support through initiatives such as Tech Start for Law (2017-2018) and Tech-celerate for Law (2019-15 January 2021).

The official MinLaw press release can be found here.