Computer Law & Security Review 27 (2011) 563–570
available at www.sciencedirect.com
www.compseconline.com/publications/prodclaw.htm
Asia-Pacific news
Gabriela Kennedy
Hogan Lovells, Hong Kong
Abstract
This column provides a country-by-country analysis of the latest legal developments, cases and issues relevant to the IT, media and telecommunications industries in key jurisdictions across the Asia-Pacific region. The articles appearing in this column are intended to serve as ‘alerts’ and are not submitted as detailed analyses of cases or legal developments.
© 2011 Hogan Lovells. Published by Elsevier Ltd. All rights reserved.
Keywords: Asia-Pacific; IT/Information technology; Communications; Internet Media Law
1. Hong Kong
1.1. New accredited registrars for “.hk” and “.香港” domain name extensions
As of 18 July 2011, three new companies have been accredited by HKIRC to become registrars of “.hk” and “.香港” domain names. Together with HKDNR, these registrars will continue to provide registration service for “.hk” and “.香港” domain names, for the following extensions: “.com.hk”, “.org.hk”, “.net.hk”, “.idv.hk”, “.hk”, “.公司.香港”, “.組織.香港”, “.網絡.香港”, “.個人.香港” and “.香港”:
(i) Speedy Group Corporation Limited,
(ii) Todaynic.com International Limited,
(iii) UDomain Web Hosting Company Limited, and
(iv) Hong Kong Domain Name Registration Company Limited (HKDNR)
Hong Kong Domain Name Registration Company Limited (HKDNR) remains the only registrar for the following extensions: “.edu.hk”, “.gov.hk”, “.教育.香港” and “.政府.香港”. Current registrations made through HKDNR will not be impacted by the change. Customers are however free to transfer existing registrations to one of the three new registrars or stay with HKDNR.
It is expected that other registrars may be accredited in the future. More information may be obtained from this website: https://www.hkirc.hk/content.jsp?id=2.
Gabriela Kennedy (Partner), Hogan Lovells, Hong Kong, gabriela.[email protected], and Zuzana Hecko (Intern), Hogan Lovells, Hong Kong, [email protected].
0267-3649/$ – see front matter © 2011 Hogan Lovells. Published by Elsevier Ltd. All rights reserved. doi:10.1016/j.clsr.2011.08.001
1.2. The need to boost innovation and technology development in Hong Kong
Despite the fact that Hong Kong is ranked among the cities with the highest competition potential in China, in terms of innovation and technology it clearly lags behind and is now ranked only 26th in China. To boost innovation and technology development in Hong Kong, the SAR government has set up an HK$5 billion fund to stimulate the development of technology and research in Hong Kong. Despite the fact that to date more than half of the budget has been used, the aims of the fund have not been achieved. The studies and research funded so far have not yielded any successful commercial products or resulted in successful commercial ventures. A proposal has been made recently by a number of legislators, including Samson Tam Wai Ho, the legislator representing the IT community, for the Government to set up a special Innovation and Technology Bureau (“Bureau”). Councillor Tam considers that the establishment of such a Bureau would send a clear signal to Hong Kong and the rest of the world that Hong Kong is moving towards the “Knowledge-based Economy” and is more than just a financial hub. Hence the aim of the Bureau would be to make Hong Kong not only a trading hot-spot, but also a centre for knowledge, research & development and technology transfer. Current discussions regarding setting up such a Bureau centre on issues such as whether the Bureau should be based on the existing structures within the Commerce and Economic Development Bureau or as a new entity, as well as the ideal background of the Secretary of such Bureau.
Felix Tham (Trainee solicitor), Hogan Lovells, Hong Kong, felix.[email protected] and Zuzana Hecko (Intern), Hogan Lovells, Hong Kong, [email protected].
1.3. Hong Kong set to implement Data User Return Scheme by 2013
The Hong Kong Privacy Commissioner for Personal Data (“the Commissioner”) has issued a consultation document setting out the mechanism for a Data User Return Scheme (“the Scheme”). Provisions allowing the Commissioner to request returns from specific data users are already present in Part IV of the Personal Data (Privacy) Ordinance (“the Ordinance”). So far, the Commissioner has not exercised the right to request data user returns from data users (including entities collecting personal data) but following a survey of practices in other jurisdictions and taking into account the heightened awareness of privacy rights and corporate sensitivity about personal data, the Commissioner is now of the view that it is time to introduce the Scheme in Hong Kong. The Consultation document seeks views on the implementation and operational framework for the Scheme in Hong Kong.
1.3.1. Benefits of the Scheme
The Scheme aims to provide better protection of personal data among corporate data users. Once the Scheme is implemented, data users will be required to submit an annual return detailing the personal data they control and the purposes of collection or processing of such data. Data users may provide more information than prescribed by the Commissioner if they so wish, in order to show their commitment to the protection of personal data of their customers. It is hoped that the Scheme will lead to greater accountability and transparency of data protection practices of corporations as well as an enhancement of their data privacy protection standards. Companies required to submit Data User Returns will need to take care when filling them in and provide correct information as the intentional provision of false or misleading information constitutes an offence under the Ordinance (attracting a fine of HK$10,000 and imprisonment for up to 6 months). It is also an offence not to submit a return or to submit it late (although a penalty will be applied for the late submission of a return this will not rule out a prosecution for late submission). The Commissioner will keep a Register of Data Users, in effect a database of data users, which would contain all the information submitted annually by data users. The register will be available to the public for inspection, thus giving data subjects an opportunity to understand data users’ privacy practices and compare them with the practices of other data users. Data subjects will have a single point of access to information about how Data Users handle their personal data.
1.3.2. Who will be covered by the new scheme?
It is proposed that the Scheme will be rolled out in several consecutive phases, covering: a) first the public sector; b) second, three large regulated industries (banking, telecommunications and insurance) and c) third, organizations with a large database of members (such as customer loyalty schemes). These initial sectors have been selected by the Commissioner, because of the large amount of personal data under their control, the sensitivity of the personal data they control, the frequent and diverse use of the personal data they hold, the relatively high number of complaints in these sectors and because it is the common practice in these sectors to transfer personal data to third parties for marketing or other purposes.
1.3.3. When will the new scheme come into operation?
The Commissioner expects to finalise the implementation framework for the Scheme by the end of 2011 and publish a Notice in the Government Gazette regarding the introduction of the Scheme by mid 2012 in the hope that it will come into force by the end of 2012. This means that by the second half of 2013 the first phase of the Scheme may be rolled out and the first data user returns expected. More information can be found on the website of the Commissioner available at http://www.pcpd.org.hk/english/publications/files/durs_eng.pdf.
Gabriela Kennedy (Partner), Hogan Lovells, Hong Kong, gabriela.[email protected] and Zuzana Hecko (Intern), Hogan Lovells, Hong Kong, [email protected].
2. Australia
2.1. Privacy Commissioner releases findings of Vodafone investigation
2.1.1. Introduction
An investigation by the Privacy Commissioner, Timothy Pilgrim, has found that Vodafone failed to meet its obligations under National Privacy Principle 4.1 by not taking reasonable steps to protect the personal information of its customers.
2.1.2. Background
The Privacy Commissioner launched his investigation following media reports in early January 2011 that the personal information of up to 4 million Vodafone customers was available on a publicly accessible website. The investigation looked at whether Vodafone’s practices were inconsistent with National Privacy Principles (NPPs) 2.1 and 4.1:
- NPP 2.1 requires an organisation to use and disclose personal information only for the primary purpose it is collected, unless an exception applies.
- NPP 4.1 requires an organisation to take reasonable steps to protect personal information from misuse and loss and from unauthorised access, modification or disclosure.
Vodafone’s own investigation found that no login ID, password or customer information was ever available on the Internet or the Vodafone website. However, a small number of staff members may have breached Vodafone’s internal policies regarding login IDs and passwords.
At the time the Privacy Commissioner’s investigation was launched, Vodafone’s data security measures included access controls, network protection, system monitoring and internal policies and procedures about privacy and confidentiality. Access to Vodafone’s customer management system was via a secure web portal using a secure login ID and password, with:
- authorised employees given an individual login ID and password; and
- retail stores and dealerships given a store login ID and store password.
2.1.3. Privacy Commissioner’s findings
The Privacy Commissioner viewed the allegation that Vodafone had disclosed personal information contrary to NPP 2.1 to be unsubstantiated, finding no evidence in support of the claims that Vodafone customer information had been publicly available on the internet or on Vodafone’s website. While the investigation determined that a retail store login ID had been used to disclose the personal information of an individual, this had been done with the consent of the individual and was not contrary to NPP 2.1. The report noted that an organisation would not breach NPP 2 “where they are giving an individual access to information the organisation holds about them”. In respect of NPP 4.1, it was the Privacy Commissioner’s view that Vodafone failed to meet its obligations because Vodafone did not take reasonable steps to protect the personal information it held about its customers at the time of the incident. According to the Privacy Commissioner, the use of licensed dealerships by Vodafone resulted in “underlying data security risks” which required Vodafone to implement “additional security safeguards”. The use of store login IDs added to these underlying data security risks despite the use of contracts containing customer confidentiality obligations. The Privacy Commissioner noted that shared login IDs reduce the effectiveness of audit trails and reduce the likelihood of anomalies being detected. Further, if an anomaly is detected, the use of shared login IDs may prevent the anomaly from being effectively investigated.
2.1.4. Vodafone’s response
Vodafone initiated a number of responses to the incident, including to:
- commence an internal IT security review and customer protection controls;
- establish a “Privacy Hotline”; and
- require all retail stores and dealers to reset passwords every day until individual login IDs were implemented.
Going forward, Vodafone has undertaken to implement changes to its security system, including to reassess the levels of access granted to certain users, whether identity information can be masked and to issue individual login IDs and passwords, rather than rely on store login IDs and passwords.
2.1.5. Lessons
In order to comply with NPP 4.1 an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure. Despite having a range of security measures in place, the Privacy Commissioner still found Vodafone had failed to take reasonable steps to protect the personal information it held about its customers. Whether the steps taken by your organisation to protect personal information are reasonable is a subjective test based on the particular security risks within your organisation. In determining appropriate security measures, you should:
- identify the security risks to the personal information that is being held;
- develop policies and procedures to reduce those identified risks;
- implement appropriate IT security settings governing system access; and
- monitor and measure performance against relevant Australian and International standards.
Sophie Hollier (Lawyer), Blake Dawson, Brisbane, sophie.hollier@blakedawson.com, and Amanda Ludlow (Special Counsel), Blake Dawson, Brisbane, [email protected].
3. Malaysia
3.1. Impact of recent amendments to the Consumer Protection Act 1999 on technology contracts
There has been a recent amendment to the Consumer Protection Act 1999 (CPA) under the Consumer Protection (Amendment) Act 2010 (“CPA Amendment”) which was passed in Parliament and gazetted in September 2010. The CPA Amendment came into force on 1 February 2011. The CPA covers goods and services that are offered or supplied to consumers and seeks to protect the interests of consumers. The CPA contains various provisions on consumer rights, inter alia, provisions on implied warranties, product liability and rights of recourse for the consumer via the Consumer Tribunal. It is important to note that the CPA only applies to persons who acquire the goods or services for personal, domestic or household purpose, use or consumption and do not acquire or use the goods or services for trade or part of a manufacturing process. As such it would appear that the CPA does not intend to cover supply of goods and services where such goods or services are used in a commercial or trading context. However, technological products such as software or hardware supplied to end-users and consumers would come within the ambit of the CPA.
The CPA Amendment will invariably affect contracts for supply of technological products to consumers and technological product suppliers may be required to re-examine their standard terms and conditions in light of the recent amendments.
3.1.1. Introduction of unfair contract terms in the CPA
The CPA Amendment introduces new provisions in relation to unfair contract terms. The CPA Amendment permits the Consumer Claims Tribunal (“Tribunal”) or a Court to declare a contract or a provision of a contract to be unenforceable or void if the Tribunal or Court is satisfied that the contract is procedurally or substantively unfair or both.
3.1.1.1. Procedurally unfair. Under the CPA Amendment, a contract or a term of a contract is procedurally unfair if it has resulted in an unjust advantage to the supplier or unjust disadvantage to the consumer on account of the conduct of the supplier or the manner in which or circumstances under which the contract or the term of the contract has been entered into or has been arrived at by the consumer and supplier. In deciding whether or not a term of the contract is procedurally unfair the Tribunal may take into account factors such as, the knowledge and understanding of the consumer in relation to the meaning of the terms of the contract or their effect, the bargaining strength of the parties to the contract relative to each other, whether or not, prior to or at the time of entering into the contract, the terms of the contract were subject to negotiation or were part of a standard form contract, whether or not it was reasonably practicable for the consumer to negotiate for the alteration of the contract or a term of the contract or to reject the contract or a term of the contract as well as various other factors as listed in the CPA Amendment.
3.1.1.2. Substantially unfair. The CPA Amendment stipulates that the contract or a term of a contract is substantively unfair if the contract or the term of the contract:
(a) is in itself harsh;
(b) is oppressive;
(c) is unconscionable;
(d) excludes or restricts liability for negligence; or
(e) excludes or restricts liability for breach of express or implied terms of the contract without adequate justification.
In determining whether a contract or a term of a contract is substantively unfair, there is a list of factors which the Tribunal may take into account, such as whether the contract imposes conditions which are unreasonably difficult to comply with or which are not reasonably necessary for the protection of the legitimate interests of the supplier as well as whether the contract is in standard form, amongst other things.
3.1.2. Impact on technology contracts
Generally, supply of technology products such as software, applications, hardware products such as computers, mobile phones, external storage devices etc. come attached with standard terms and conditions which are on a “take it or leave it” basis. Taking into consideration the determining factors for procedural unfairness (discussed above), such standard terms and conditions could run a risk of being found to be procedurally unfair as the bargaining power of the parties may be argued to be tipped in favour of the supplier. Furthermore, the terms and conditions are non-negotiable as the supply of the products is premised on a standard form contract. Provisions which limit or totally exclude implied warranties are commonly seen in contracts for the supply of technological products. Further, some technological product suppliers attempt to disclaim or restrict liability for negligence. Others impose financial caps in respect of any liability that may arise. In view of the provisions in the CPA Amendment, there is a likelihood that exclusions and limitations of implied warranties as well as any exclusions or limitations of liability for negligence may fall foul of the provisions of the CPA Amendment on the basis that such exclusions and/or limitations are ‘substantively unfair’ within the meaning of the CPA Amendment. However, if the party inserting the exclusion or limitation clauses is able to show that such exclusion or limitation is adequately justified, such clauses may not fall foul of the CPA Amendment. According to the CPA Amendment, the burden of proof will lie on the party relying on such exclusion or restriction to prove that such a term is not without adequate justification. Nonetheless, it may be difficult for the product providers to prove that such provisions were “reasonably necessary for the protection of the legitimate interests” of the provider and that the provisions were adequately justified. It also remains to be seen what would be “adequate justification” in the eyes of the Tribunal and the Courts. As the CPA Amendment is still new in its implementation, it remains to be seen as to how strictly the Tribunal or Courts will view such disclaimers, exclusions or limitations.
Nevertheless the CPA Amendment should be impetus for technology product suppliers to reconsider the following matters:
(i) Review of existing terms and conditions in Malaysia to take into account the latest amendments, by removing or amending clauses which exclude or restrict liability for negligence or for breach of express or implied terms. Inclusion of the words “to the furthest extent permitted by law” (which is also a common insertion) may be acceptable; however, this has yet to be decided by the Tribunal or the Courts in any case;
(ii) Reassess approach adopted when interacting and dealing with the consumers;
(iii) Collection of evidence to show the negotiation process as well as justification for inserting certain terms into the terms and conditions.
Jillian Chia, Senior Associate, Skrine, Malaysia, [email protected].
4. Singapore
4.1. Monetary Authority of Singapore releases Circular on cloud computing
On 14 July 2011, the Monetary Authority of Singapore (“MAS”) (which has primary oversight of the financial sector in
Singapore) issued Circular No. SRD TR 01/2011 on Information Technology Outsourcing (the “Circular”), which addresses cloud-computing issues. The Circular re-emphasised that the responsibilities for effective due diligence, oversight and management of outsourcing and accountability for all outsourcing decisions continue to rest with the financial institution, its board and senior management. The financial institution should put in place a proper framework, policies and procedures to evaluate, approve, review, control and monitor the risks and materiality of all its outsourcing activities, including cloud computing services. Financial institutions were reminded that outsourcing in any configuration or at any location should not result in any weakening or degradation of a financial institution’s internal controls. A financial institution should ensure that a service provider employs a high standard of care and diligence in its security policies, procedures and controls to protect the confidentiality and security of its sensitive information, such as customer data, computer files, records, object programs and source codes. In the context of cloud computing, the “unique attributes and risks especially in the areas of data integrity, recoverability and confidentiality as well as legal issues such as regulatory compliance and auditing” were highlighted. As cloud computing service providers typically process data for multiple customers, financial institutions have been asked to pay attention to the service providers’ ability to isolate and clearly identify their customer data and other information system assets for protection. In the event of contract termination with a service provider, either on expiry or prematurely, the financial institution should have the contractual power and means to have all such IT information and assets promptly removed or destroyed. 
Financial institutions should also consider the resiliency and safety of the service provider’s infrastructure to ensure that their business continuity preparedness is not compromised by outsourcing. Financial institutions were also reminded of their obligations under the existing regulatory framework such as the MAS Guidelines on Outsourcing, Internet Banking & Technology Risk Management Guidelines, Notice 634 and Circular on Endpoint Security and Data Protection and for the need to consult and submit the MAS’ Technology Questionnaire for Outsourcing before making any significant IT outsourcing commitment, which MAS defines to generally extend to outsourcing involving customer personal or account data, transactions, deposits, loans, payment card data, trading details and investment portfolios.
4.2. New e-government masterplan
On 20 June 2011, the Singapore Government launched its new e-government masterplan, eGov2015, detailing its information and communications (ICT) initiatives for the next five years and building upon the last e-government masterplan, iGov2010. Under the iGov2010 Masterplan, government agencies rolled out new services and deployed new channels to improve both reach and service delivery, such as unifying business identification numbers using a new Unique Entity Number (UEN) system, streamlining government processes through the use of more than 50 shared systems and services like the Alliance for Corporate Excellence, a shared human resource, finance and procurement system for 11 government agencies, and various applications.
The vision of the new eGov2015 masterplan is to focus on “Collaborative Government” that “co-creates and connects” with Singaporeans, and building an interactive environment where the Government, the private sector and the people work together seamlessly through the enabling power of infocomm technologies. The approach will shift from a “government-to-you” approach to a “government-with-you” approach. The vision of a Collaborative Government will be achieved through three strategic thrusts, namely:
- “Co-creating For Greater Value”, where customers are empowered to co-create new e-services with the Government.
- “Connecting For Active Participation”, where citizens are informed and involved to engage government on national policies. The Government’s existing REACH (or Reaching Everyone for Active Citizenry@Home) portal will be further enhanced, recognizing the trend towards greater adoption of social media tools and crowdsourcing.
- “Catalysing Whole-of-Government Transformation”, where whole-of-government collaboration is enhanced through innovative and sustainable technologies. The Government will invest in a government private cloud (or G-Cloud) to provide a resilient and secure ICT environment, where government agencies may purchase computing resources on demand and pay based on actual usage, allowing them to flexibly scale up or downsize operations based on changing needs. A central Singapore Government Enterprise Architecture repository will also be established to aggregate government data, applications and technologies and facilitate shared services and cross-agency integration.
In conjunction with the launch of eGov2015, two new platforms were also launched: mGov@SG, which is a one-stop, mobile-device-friendly government platform for access to government resources and services, and data.gov.sg, which collates government datasets for research and analysis and development of new products and services by the private sector. The data.gov.sg initiative has brought together more than 5000 datasets from various public agencies and permits users to build applications around these datasets. Some examples of the data that has been made available include:
- weather data, such as the National Environment Agency’s weather updates;
- geospatial data on the location of amenities; and
- real-time traffic data, such as Land Transport Authority’s traffic camera updates.
Datasets made available on data.gov.sg are generally subject to a common licensing agreement, where users are granted a worldwide, royalty-free, non-exclusive use of the datasets for the following purposes:
i) copying, distribution or transmission of the datasets;
ii) modification or adaptation of the datasets to suit developer needs;
iii) use of the datasets for developer applications; or
iv) sharing or commercialisation of developer applications.
Developers must also be registered and agree to certain other conditions set out at the website.
Lam Chung Nian (Partner), Wong Partnership LLP, Singapore, [email protected].
5. Taiwan
5.1. Cybercrime continues to decline
Statistics released by Taiwan’s National Police Agency indicate that efforts of the authorities to educate the public and to identify and pursue cyber criminals have been meeting with great success. Cyber-related offences reported to the police fell considerably for 2010, though the clearance rate also dropped.
| Year | Offences Known to Police | Offences Cleared | Offenders | Clearance Rate (%) |
|------|--------------------------|------------------|-----------|--------------------|
| 2001 | 390 | 265 | 317 | 67.9 |
| 2002 | 2567 | 1340 | 1518 | 52.2 |
| 2003 | 6824 | 3081 | 3294 | 45.1 |
| 2004 | 15,312 | 5462 | 5105 | 35.7 |
| 2005 | 24,479 | 5768 | 5350 | 23.6 |
| 2006 | 22,711 | 10,900 | 10,430 | 48.0 |
| 2007 | 29,285 | 21,260 | 18,917 | 72.6 |
| 2008 | 26,523 | 20,840 | 18,952 | 78.6 |
| 2009 | 26,479 | 22,289 | 18,757 | 84.2 |
| 2010 | 17,748 | 13,172 | 11,875 | 74.2 |
The offences included in the figures are: larceny, rape, offences against sexual morality, intimidation and extortion, fraud, violations of the Children and Youth Sexual Transaction Protection Act, infringement of Intellectual Property Rights, offences against reputation and credit, violation of the Computer Processed Personal Data Protection Act; offences of interference with use of computer systems, and others. Authorities attributed the considerable drop in reported offences to their efforts over the previous few years to both educate the public and vigorously pursue cyber criminals. The drop in the clearance rate resulted from more cyber crimes originating from or being tracked back to suspects overseas – again the likely result of efforts to actively pursue and prosecute offenders in Taiwan in recent years. Below we discuss two recent cyber crime cases:
5.1.1. Office romance leads to convictions under Articles 358 and 359 of Criminal Code
The Defendant served as technical counsellor and chief creative officer of a technology company. He had been engaged in a romance with a female colleague. The company president knew of the relationship and had written e-mails to the Defendant criticizing and discouraging the relationship. The Defendant obtained the administrator account password during a change of staff and accessed the company servers. The Defendant then deleted the relevant e-mails from the president’s account, changed the settings on his own account, and then interrupted the company’s e-mail service. The company alerted the police when it became aware of the problems with its mail server. Prosecutors indicted the Defendant for violating Article 358 and Article 359 of the Criminal Code.
Article 358 of the Criminal Code prohibits access to a third-party’s computer system or associated equipment without cause. The scope of the prohibition includes the use of another’s account number or password, the disabling of security features, or taking advantage of security holes to gain access. Offenders face up to three years’ imprisonment, detention, and/or a fine of up to NT$100,000. Article 363 also provides that the offence is only actionable by complaint.
Article 359 of the Criminal Code prohibits the acquisition, deletion, or alteration without cause of the electronic records on the computer or associated equipment of another whereby such actions result in injury to an individual or the public. Offenders face up to five years’ imprisonment, detention, and/or a fine of up to NT$200,000.
The Taipei District Court (99 Jian-Shang-Zi No.470) found the Defendant guilty of violating Article 358 and Article 359 and sentenced the individual to fifty days’ imprisonment – which could be commuted to a fine of NT$1000 per day of the sentence. The Court noted in passing sentence that the defendant continued to deny the crime, tried to shift responsibility to another staff member, and had been unwilling to settle the case.
5.1.2. Unhappy ex-lover convicted for Facebook hack
The Defendant accessed his ex-girlfriend’s Facebook account. He then changed her password and personal information before using her account to make defamatory statements on her profile page. Prosecutors indicted the Defendant for violating Articles 310, 358, and 359 of the Criminal Code.
Article 310 of the Criminal Code provides that the offence of defamation occurs when an individual raises or circulates a fact that will harm the reputation of another and does so with the intent that the fact be communicated to the public. The offence is punishable by up to one year imprisonment, detention, or a fine of up to NT$15,000. The offence is punishable by two years’ imprisonment, detention, or a fine of up to NT$30,000 when the information has been circulated by way of written word or a drawing. It will be a valid defense to establish the truth of the information as fact unless that fact relates to the personal life of the victim and is not of public concern.
Article 358 of the Criminal Code prohibits access to a third-party’s computer system or associated equipment without cause. The scope of the prohibition includes the use of another’s account number or password, the disabling of security features, or taking advantage of security holes to gain access. Offenders face up to three years’ imprisonment, detention, and/or a fine of up to NT$100,000. Article 363 also provides that the offence is only actionable by complaint.
Article 359 of the Criminal Code prohibits the acquisition, deletion, or alteration without cause of the electronic records on the computer or associated equipment of another whereby such actions result in injury to an individual or the public. Offenders face up to five years’ imprisonment, detention, and/or a fine of up to NT$200,000.
The Kaohsiung District Court (99 Jian-Zi No.2642) found the Defendant guilty of violating Articles 310, 358, and 359 of the Criminal Code and sentenced him to three months’ imprisonment – which could be commuted to a fine of NT$1000 per day of the sentence.
Marcus Clinch (Of Counsel), [email protected], and Indy Liu (Attorney-at-Law), [email protected], Eiger Law, Taipei.
6. Thailand
6.1. Updated trends in data security – data protection laws in Thailand
Following recent hacking scandals and international publicity respecting the security of consumers, there has been renewed interest in Thailand at both the grassroots level and at the Ministry of Information and Communications Technology to take action. Thailand still does not have a data protection law. While a draft has been discussed for more than 10 years now, it has yet to reach final form for enactment. In the interim, there have been laws enacted to further establish the IT infrastructure. First of these was the Electronic Transactions Act in 2001 which recognized electronic data messages (such as e-mail) as legally binding for purposes ranging from contractual validity to courtroom evidence. The Royal Decree on E-Government Transactions became effective in 2007, and principally provided that all government agencies must have security and privacy policies in place to cover all aspects of their electronic services. This was shortly followed by the Computer Crimes Act (2007), which addresses penalties for various offences committed through the use of computers, as well as crimes targeted at computer systems and data. Data protection rules were incorporated into both the Financial Institutions Act of 2008 and the Royal Decree on E-Payment Services (2008) to protect consumers’ financial information and related data from being released or sold without prior consent. By the end of 2010, a new Royal Decree on Security in Electronic Transactions was also enacted. This new law establishes three levels of security (High, Intermediate, and Basic) with varying security protocols that must be met by operators according to each level. The new Royal Decree also identifies different business categories and addresses the security level applicable to each group for purposes of compliance with sufficient security protocols in electronic transactions. In the past few months, a revised Computer Crimes Act was proposed for consideration by the Thai Cabinet. This new law sought to extend enforcement to social networks, incorporate new criminal penalties for unlawful copying of data, and to establish a formal investigating committee. Owing to the overbroad language and public concerns over its enforcement, the Prime Minister declined to address the proposed law and has left it to the next administration to reconsider. Most recently, a new incarnation of the data protection law has been discussed to address cloud computing and the protection of consumer data held in cloud-based servers. In the face of this growing legal infrastructure and amidst the enactment of data protection laws throughout South East Asia, it seems likely that data protection will be expanded in Thailand and the Data Protection Act which has been on hold for more than a decade will likely be dusted off and reconsidered in the near future.
John Fotiadis, Senior Member Atherton Co Ltd, Bangkok, Thailand,
[email protected].
7. New Zealand
7.1. Telecommunications (TSO, Broadband, and Other Matters) Amendment Act 2001
7.1.1. Introduction
On 30 June 2011 the Telecommunications (TSO, Broadband, and Other Matters) Amendment Act 2011 (Act) was passed. A principal part of the Act relates to the implementation of the New Zealand Government’s telecommunications policy by, among other things, implementing the Government’s “Ultrafast Broadband Initiative” (UBI) under which several companies were chosen to partner with the Government to develop a national New Zealand fibre network for residential and business use. This update focuses on the recent changes to key aspects of the Act relating to the UBI.
7.1.2. Telecom structure
Telecom Corporation of New Zealand Limited (Telecom) was chosen as the partner that would build the bulk of the national fibre optic cable network. A condition of Telecom’s appointment is that Telecom must separate its network business unit, Chorus, into a new, arm’s length company. The Act amends the Telecommunications Act 2001 by providing a formal structure to separate Telecom into two companies – one a retail company supplying telecommunications services and the other a national fibre and copper line infrastructure company that will provide wholesale access services to retailers (referred to in the Act as ChorusCo). The Act imposes arm’s length rules on the separation between Telecom and ChorusCo; for example, the two companies will be required to maintain separate directorships. Telecom must also develop a separation plan, including directors’ undertakings to maintain an operational division in accordance with the Act. A timeline for the development of the separation plan is yet to be determined.
7.1.3. Other changes
Two substantial changes were made to the Act during its third reading. The first change was the removal of the regulatory “forbearance period”. Previously, this restricted the Telecommunications Commissioner (Commissioner) from recommending regulation of access to ChorusCo’s fibre infrastructure until 2019. Now the Commissioner must consider the incentives to innovate and the risks faced by future investors (a key reason for the previous inclusion of the forbearance period) when considering whether to recommend further regulation for ChorusCo. However, the Act retains the restriction on the Commissioner from recommending or investigating unbundling of point-to-multipoint layer 1 services provided by a UBI service provider where the service provider is subject to a binding undertaking (discussed below) until December 2019.
The second change was to require UBI service providers to enter into binding “open access” undertakings, such as agreeing to provide equal supply and access to the distribution network for third parties. These undertakings were introduced in the Bill as being voluntary, but were made mandatory following the removal of the forbearance period. The majority of the Act came into force on 1 July 2011, with the remaining provisions coming into force on the day that the separation of Telecom becomes effective, which will be determined in accordance with the separation plan. Sam Abbott (Solicitor), Simpson Grierson, New Zealand, Sam.
[email protected].