Asia-Pacific news

computer law & security review 25 (2009) 596–602

available at www.sciencedirect.com

www.compseconline.com/publications/prodclaw.htm

Asia-Pacific news Gabriela Kennedy, Sarah Doyle Lovells, Hong Kong

abstract Keywords:

This column provides a country by country analysis of the latest legal developments, cases

Asia-Pacific

and issues relevant to the IT, media and telecommunications’ industries in key jurisdic-

IT/Information technology

tions across the Asia-Pacific region. The articles appearing in this column are intended to

Communications

serve as ‘alerts’ and are not submitted as detailed analyses of cases or legal developments.

Internet

ª 2009 Lovells. Published by Elsevier Ltd. All rights reserved.

Media Law

1.

Hong Kong

1.1. Hong Kong Government invites public views on the proposals to amend the Personal Data (Privacy) Ordinance The Personal Data Privacy Ordinance (‘‘PDPO’’) which came into force in 1996 is set for a review. On 28 August 2009, the Government published the Consultation Document on Review of the Personal Data (Privacy) Ordinance (‘‘Consultation Document’’) and invited comments on the proposed amendments. The consultation period closes on 30 November 2009. The Consultation Document contains major proposals concerning, amongst others, the regulation of sensitive personal data and of data processors, the introduction of a personal data breach notification system and of new offences and sanctions, enhanced enforcement powers for the Privacy Commissioner. Surprisingly, Section 33 of the PDPO, the only section yet to come into force which relates to cross-border transfers of data (a hot topic at the international level) has not been included in the review. Other proposals include amendments to simplify the operation of the PDPO while addressing technical and operational problems encountered in the implementation of the ordinance so far. Some of the major proposals are highlighted below.

1.1.1.

Sensitive personal data

Unlike data protection legislation in the EU, the UK and Australia, the PDPO does not contain specific provisions

regulating the handling of sensitive personal data (that is, data such as racial or ethnic origin; political, religious or philosophical beliefs, health related information, sexual orientation). To restrict the scope of collection and use of such data, the Government has proposed a possible regulatory model. While a contravention of a Data Protection Principle (‘‘DPP’’) is currently not an offence in itself, the Government may consider making non-compliance with DPPs relating to the handling of sensitive personal data an offence. If the proposal is implemented, data users, may encounter serious practical difficulties in response to the new requirements as retrospective consents may be required from data subjects in respect of the collection and holding of sensitive personal data unless such data: (i) was obtained with the data subject’s explicit consent; (ii) was required by law; or (iii) was necessary to prevent or lessen a threat to the life or health of an individual. Possible options are to have such requirements apply to sensitive personal data collected after the proposed amendments come into force, or to specify a transitional period during which sensitive personal data will be exempted from the additional requirements for a defined period subsequent to the enactment of the new regime.

1.1.2. Regulation of data processors and sub-contracting activities Unlike the data protection regimes in other countries, the PDPO does not regulate data processors (i.e., entities which process personal data on behalf of data users). The

0267-3649/$ – see front matter ª 2009 Lovells. Published by Elsevier Ltd. All rights reserved. doi:10.1016/j.clsr.2009.09.011

computer law & security review 25 (2009) 596–602

Government is proposing to regulate data processors either directly or indirectly. Views are being sought on whether different categories of data processors should be treated differently (for example, Internet Service Providers who may have no knowledge of the type of data they handle vs. providers of outsourced services, who will be aware of the kind of data they handle). The proposed regulation will also have a significant impact on data users who outsource the processing of their data (e.g. financial institutions which in the future will have to comply with the statutory requirements in PDPO in addition to existing regulatory requirements such as the Guidance Note of the Supervisory Policy Manual on Outsourcing issued by the Hong Kong Monetary Authority).

1.1.3.

Personal data security breach notification

The Government has proposed the introduction of a voluntary breach notification system followed by a mandatory system in the long term. This proposal has been prompted by a series of highly publicised leakages of personal data in Hong Kong in the last couple of years. The aim of the breach notification system would be to gauge the impact of breach notifications more precisely and minimise the possible damage to data subjects. Views on a possible notification mechanism are being sought taking into consideration the burden this would place on data users and the risks involved if notification is not given in a timely manner. Views on sanctions for failure to give notification are also being sought.

1.1.4.

Making contravention of a DPP an offence

The Privacy Commissioner currently has the power to remedy a contravention of a DPP by issuing an enforcement notice which requires a data user to take certain remedial steps within a specified period. A contravention of an enforcement notice constitutes an offence unlike a contravention of a DPP in the first instance, which does not. Effectively this allows data users to avoid sanction for all firsttime contraventions of DPPs. Making a contravention of a DPP an offence would certainly give the data protection regime more teeth but this will have to be balanced against the impact on civil liberties in cases where an unintentional act or omission may amount to a breach of a DPP thereby attracting criminal liability.

1.1.5. Unauthorized obtaining, disclosure and sale of personal data In response to a series of data leaks which occurred over the Internet in recent years, the Government is proposing to make it an offence to obtain personal data unlawfully and to disclose or sell such data. The proposal is largely modelled on Section 55 of the UK Data Protection Act. In order to avoid the provision catching inoffensive web-browsing that results in downloading of personal data already leaked on the Internet, it is proposed that the offence will occur only ‘‘if a person knowingly or recklessly obtained the personal data without the consent of the data user and discloses the personal data so obtained for profits or malicious purposes’’. Views on possible defence provisions and the level of penalty for breach are being sought.

597

1.1.6. Raising penalty for misuse of personal data in direct marketing Direct marketing activities are ubiquitous in Hong Kong and data subjects often complain about the nuisance caused by unwanted direct marketing calls. Currently, the penalty for misuse of personal data in direct marketing is a fine of up to HK$10,000. This may not be sufficient to act as an effective deterrent and a proposal has been put forward to raise the penalty level. This will likely impact a range of companies including direct marketing companies, telecommunications companies and other businesses which rely heavily on direct marketing to promote their products and services. ªGabriela Kennedy (Partner), [email protected] and Emmy Choi (Trainee Solicitor), [email protected]; Intellectual Property, Media and Technology Group, Lovells, Hong Kong.

2.

People’s Republic of China (PRC)

[No submissions for this edition].

3.

Taiwan

3.1. Implementing regulations for ISP Safe Harbor Amendments announced Taiwan Intellectual Property Office (‘‘TIPO’’) announced the Regulations Governing Implementation of Limitations on the Liability of Internet Service Providers (the ‘‘Regulations’’) on 7 September. The Regulations address amendments to the Copyright Act establishing safe harbor provisions for Internet Service Providers (‘‘ISP’’) that came into force earlier in 2009. The Regulations have been based on the outcome of discussions with interested parties during the drafting of the amendments to the Copyright Act and public hearings this past summer. Interested parties had until 17 September to submit comments on the Regulations. Absent significant opposition, the TIPO anticipates that the Regulations will come into force by early November 2009.

3.1.1.

Notifications and counter-notifications

Article 3 of the Regulations sets out the requirements for notifications sent to ISP by rights holders under the Copyright Act. Notification may be made in writing sent by mail or fax or via electronic signature document sent by e-mail. The rights holder or its authorized representative must sign or chop the notification. ISP may provide alternate means of receiving notification from rights holders. The notification must include: i. Identity of the rights holder’s name along with their address, phone number, fax number, or e-mail; ii. Identity of the infringed copyright; iii. Request to the ISP to remove or deny user access to the infringing content;

598

computer law & security review 25 (2009) 596–602

iv. Adequate information and access routing information on the infringing content; v. A statement that the rights holder has a good faith belief that the content cited is unauthorized or violates the Copyright Act; and vi. A statement that the rights holder will assume liability if third parties incur damages as a result of false notification. If multiple infringements will be alleged then these may be cited in a single notification. Article 4 requires that an ISP notify a rights holder of any required amendments to a notification within five working days of the day following the receipt of the notification. A rights holder then has five working days to submit an amended notification. A notification shall be void if the rights holder fails to comply within the five-day period. Notification that does not meet the requirements and that has not been amended within the prescribed time to comply with the requirements shall not constitute evidence that an ISP has knowledge or awareness of the alleged infringement. That is to say, improper notice shall be deemed no notice. The Copyright Act provides users of information storage service providers with a mechanism to challenge an infringement notification. Users of other types of ISP do not enjoy this right. A user of an information storage service provider who believes he or she has been wrongly accused of infringement by a rights holder may submit counter-notification to the information storage service provider requesting restoration of the alleged infringing content. Article 5 of the Regulations provides that a counter-notification must be signed or chopped by the user (or representative) and include: i. ii. iii. iv.

Identity of the user and contact information; Request to restore deleted content or access to the same; Adequate information on the content; A statement that the user has a good faith belief that he or she has legal authorization to use the content in question and that the deletion or denial of access to content is a result of a false claim by the rights holder; v. Consent to the information storage service provider to forward the counter-notification to rights holder; and vi A statement that the user will assume liability if third parties incur damages as a result of false counternotification.

A representative making counter-notification must simultaneously state that he/she is doing so on behalf of the user. Article 6 requires that an ISP notify a user of any required amendments to the counter-notification within five working days of the day following the receipt of the notification. A user then has five working days to submit the amended counternotification. A counter-notification shall be void if the rights holder fails to comply within the five-day period and an ISP will not be required to restore access to the content.

3.1.2.

Three-strikes rule

The Copyright Act provides that an ISP must avail itself of the safe harbor protections and inform its users that their service shall be terminated in whole or in part if a user has been

involved with three incidents of infringement. The Copyright Act does not, however, expressly require that the ISP terminate the service. Furthermore the Regulations do not address the ‘three-strikes’ provision of the amendments at all although its absence from the Regulations had been expected as users of connection ISP had not been provided with a means within the Copyright Act to challenge a notification. The amendments to the Copyright Act and the Regulations appear to have been carefully thought through to appease those parties lobbying for the inclusion of a ‘three-strikes’ mechanism while ensuring that the ISP and individual users of connection services have a degree of protection.

3.1.3.

Observations on the ‘‘Safe Harbor’’ regime

There has, first, been no actual obligation imposed by the Copyright Act or the Regulations on an ISP to terminate service, throttle, or restrict a user’s connection after the occurrence of ‘three-strikes’. For example, where a user of a connection ISP has not been provided with any means within the notification system to challenge a notification then making it in fact a contractual issue between the ISP and user limits the likelihood of the law being challenged. A rights holder has no right to know what action an ISP has taken against a connection service user, and additional laws and regulations that prevent the disclosure of such information in the absence of a court order. There would be little current incentive for ISP frequently trying to upsell consumers to more expensive and faster connections to actually enforce the ‘three-strikes’ rule as a notification only contains an allegation of infringement. Given some of the cases reported in other jurisdictions and the use of automated notification systems that troll for infringement is based on keywords rather than the actual content, an ISP would be wary. An ISP could face liability but this would require that a rights holder litigate first against a connection user, which would in turn require sufficient evidence to support a court order to disclose the identity of the user. The amendments also impose civil liability on any party who files a false notification of infringement. The Regulations further require that a notification include both a statement by the rights holder that:  it has a good faith belief that the content cited is unauthorized or violates the Copyright Act; and  the rights holder will assume liability if third parties incur damages as a result of fraudulent notification. Where, for example, a user of a connection ISP has received a false notification then the only redress to avoid ‘the strike’ would be to bring legal action against the rights holder, and that user would have statements by the rights holder contained in the notification on which to base the action. The prospect of civil liability should serve to somewhat check the over enthusiastic use of automated infringement notification systems sometimes seen in other jurisdictions as a rights holder should have sufficient and actual evidence of infringement at the time that the notification had been issued. ªMarcus Clinch (Associate) [email protected]; Winkler Partners, Taiwan.

computer law & security review 25 (2009) 596–602

4.

New Zealand

4.1. The new interception guidelines of Telecommunications Carriers’ Forum The Telecommunications Carriers’ Forum (‘‘TCF‘‘) has developed a new interception code (‘‘Interception Guidelines’’) to direct telcos and ISPs in their responses to requests for interceptions made by law enforcement agencies. The TCF is an organization that develops industry standards and codes of practice for approval by the Commerce Commission, in accordance with the Telecommunications Act 2001. It does so in order to promote competition in telecommunications markets for the long-term benefit of end-users of telecommunications services in New Zealand. The TCF’s members are (for the most part) the major telecommunications service providers in New Zealand. Under the Telecommunications (Interception Capability) Act 2004 (‘‘Act’’), ‘‘network operators’’ must ensure their telecommunications and data networks have interception capability. However, the Act does not outline how network operators satisfy this requirement. The TCF believes this creates a significant risk as network operators could have differing interpretations of the requirements of the Act, and thus provide different levels of service to Government agencies. The resulting lack of standardised responses would then create uncertainty and inefficiency and may force Government departments to liaise differently with each network operator. In 2008, the TCF created an Interception Working Party to address these risks. This leads to the development of the Interception Guidelines, which were originally endorsed by the TCF in June 2009. A subsequent update was endorsed in August 2009. The Interception Guidelines are to be read in conjunction with the Act, which will take precedence in the event of inconsistency. The Interception Guidelines:  strongly recommend the adoption of international standards for lawful interception developed by the European Telecommunications Standards Institute which are used in the European and Asia-Pacific regions;  require, where feasible, that all intercepted data be encrypted when communicated to law enforcement agencies;  require, where possible, that internal communications concerning interception also be secured and encrypted; and  define two forms of interception: o internal interceptions which are software-based and sit on routers or gateways in telecommunication providers’ networks; and o external interceptions which involve the use of probes that are physically separate from, but co-located with, network elements, and pass captured data to law enforcement agencies. The guidelines issued by the TCF do not have the force of law as they are only binding on members of the TCF. However, most of the large telecommunications network operators and

599

telecommunication service providers in New Zealand are members of the TCF. In addition, when contracting with TCF members, non-members will often be required to enter into contracts which are consistent with, or require active adherence to, TCF guidelines. In August 2009 the scope of the Interception Working Party’s functions was extended to include the following deliverables:  The establishment of a forum that will facilitate quarterly meetings between the Interception Working Party, relevant Government agencies, and the Ministry of Justice. Other meetings may also be scheduled for matters requiring immediate attention.  The establishment of a technical subgroup consisting of representatives from Government agencies, the TCF, and third parties, meeting ‘‘as required’’ to discuss technical issues.

ªKaren Ngan (Partner), [email protected], from Auckland Office, Simpson Grierson (tel: þ64 9 9775080).

5.

Australia

5.1. Strengthening computer network protection laws – proposed amendments to the Telecommunications (Interception and Access) Act 1979 (Cth) The Australian Government has released proposals to amend the Telecommunications (Interception and Access) Act 1979 (Cth) (‘‘Interception and Access Act’’) to assist Australians to protect their computer networks from malicious attack and other inappropriate activities. Currently, interception legislation in Australia only allows national security and law enforcement agencies to protect their networks appropriately – these provisions are due to expire on 13 December 2009. For other members of the community, the legislation does not currently provide sufficiently clear guidance on when network activity can be lawfully undertaken. Furthermore, there is little guidance on the legitimate use and disclosure of information accessed by network owners and operators for network protection purposes. Such arrangements, as they currently stand, may expose network owners and operators to inadvertent breaches of the law when monitoring their networks for potentially harmful attack and inappropriate use of computer systems by employees and other users. This could also have the effect of rendering such information inadmissible as evidence in disciplinary processes or criminal prosecutions. Consequently, the Australian Government is seeking to amend the Interception and Access Act to clarify the circumstances in which intercepting, accessing and using communications over a computer network is permissible. The Government is currently considering public submissions on the proposed amendments. Legislation is expected to be introduced into the parliament and passed by December 2009, prior to expiry of the current laws.

600

5.1.1.

computer law & security review 25 (2009) 596–602

Network protection

Under the proposed approach, a new s 7(2)(aa) of the Interception and Access Act will provide that accessing communications passing over a computer network without the knowledge of the sender will not constitute unlawful interception if:

digitize approximately 920,000 titles (about one-fourth of its collection) by the end of the next fiscal year 2010. It was reported that the digitized data will be available online for several hundred yen per title.

7.1.1.  the interception is carried out by a person appointed in writing to carry out duties relating to the protection, operation or maintenance of the network or ensuring its appropriate use; and  the interception is reasonable necessary for the performance of those duties. A person will also be permitted under new ss 63(C) and 63(D) of the Interception and Access Act to use and disclose lawfully intercepted communications if it is reasonably necessary to do so for the purpose of protecting the network, or to respond to an inappropriate use of the network. The person responsible for the computer network must ensure that intercepted communications and other such records are destroyed if no longer required for any of the above legitimate purposes contemplated by the Interception and Access Act. Note that the proposed amendments will not authorise interception of speech for network protection purposes.

5.1.2.

Appropriate use of a computer network

The proposed amendments in s 6AAA of the Interception and Access Act will also enable network owners and operators to ensure that their networks are used appropriately by obtaining written undertakings from their employees to use the network in accordance with any reasonable conditions specified by the owner or operator. Where such an undertaking has been given, the network owner or operator will be entitled to use or disclose information collected about inappropriate use by employees for disciplinary purposes. However, such information can only be disclosed for disciplinary purposes where no other Commonwealth, State or Territory law would prohibit such use or disclosure. This ensures that employers cannot circumvent existing workplace relations requirements by accessing information under the Interception and Access Act. If a written undertaking has not been given, then intercepted communications cannot be used or disclosed to relevant authorities for disciplinary or other related purposes. ªJeremy Storer (Senior Associate), jeremy.storer@blakedawson. com; Blake Dawson, Sydney.

6.

Revision of the Copyright Law

One of the newly-amended articles under the Copyright Law enables the NDL to digitize its collections without the authorization of the copyright holder(s) to the extent necessary to avoid loss, damage, or tarnishing of the original material in the course of making them available to the public (article 31(2)). The revised copyright law will come into effect on 1 January 2010.

7.1.2.

Target books for digitization

The NDL has already digitized approximately 148,000 titles whose copyrights have already expired and the digitized materials are currently being made available to the public. The NDL is said to have spent approximately 200 million yen examining the authenticity of copyright holders in order to make the digitized documents available to the public. The new article 31(2) makes it possible for the NDL to digitize materials without such a complex and costly examination. The NDL will digitize approximately 920,000 titles including books, magazines, doctoral theses, and official gazettes under the new article by the end of the fiscal year 2010. The Japanese Government allocated 12.6 billion yen to the NDL from the supplementary budget for the digitization project.

7.1.3.

Distribution center for electronic publications

The scheme to make the digitized materials available for the public is presently under discussion between the NDL, the Japan Writers’ Association and the Japan Book Publishers Association. The parties are planning to establish a private entity named the ‘Distribution Center for Electronic Publications’ (‘‘DCEP’’, Denshi Syuppanbutsu Ryutsu Sentah). Further legislation will be needed to execute this scheme. Nevertheless, according to the parties’ proposals, the NDL will lend the digitized data to the DCEP for free and the DCEP will make the data available to the public. The users will pay several hundred yen for each title and the DCEP pays a copyright fee to copyright control organizations. Finally, writers or publishers receive a copyright fee from the copyright control organizations in compensation for their authorization. ªKenji Okura (Associate), [email protected]; Intellectual Property, Media and Technology Group, Lovells, Tokyo.

India

[No submissions for this edition].

7.

Japan

7.1.

National Diet Library digitizing 920,000 titles

Under the Copyright Law, revised on 12 June 2009, the National Diet Library (the ‘‘NDL’’) has commenced a project to

8.

Singapore

8.1.

Pitfalls in the discovery of electronic documents

In Fermin Aldabe v Standard Chartered Bank [2009] SGHC 194, the Singapore High Court had to consider the authenticity of computer output, and also practical issues arising in the course of discovery of computer documents, particularly e-mail correspondence.

computer law & security review 25 (2009) 596–602

The Plaintiff had commenced proceedings against the defendant bank for wrongful termination of employment. The defendants identified 153 emails in its list of documents (‘‘LOD’’) tendered in the course of discovery, and the Plaintiff sought access to the email boxes of the Defendant to verify the integrity of the emails. The defendants applied to court for an order to allow it to give inspection of only the e-mails listed in its own List of Documents either by providing printed copies of the e-mails or by providing them in electronic form, and objected to inspection of the entire mailboxes principally on account of the number of relevant e-mails relative to the contents of the entire mailbox of each employee being small, and there being other e-mails in the mailboxes of these employees which were subject to banking secrecy and/or confidentiality obligations. The court accepted that as each mailbox contained a collection of individual e-mail messages arranged in either the default or user-defined folders, each mailbox may be treated as a database of individual e-mail messages. However, as inspection of an entire database would be far more intrusive than discovery and inspection of specified information contained therein, as held in Alliance Management, the judicial inquiry had to involve the balancing of competing interests among parties; i.e., the requesting party’s right to reasonable access to documents that are necessary to conduct his case without unduly burdening the other party in terms of time and expense and to prevent unauthorized ‘‘trawling’’ through the database. The court further observed that a request for discovery and inspection of a database had to be clearly spelt out. In the present case, the court held that taken together, the Plaintiff’s earlier correspondence on discovery amounted to a request for the direct inspection of individual e-mail messages listed in the Defendant’s LOD from the mailboxes of the relevant employees of the Defendant. The Plaintiff had not identified which of the 153 e-mail messages he wanted to inspect, but the court held that this lack of specificity could not have converted his request to one for inspection of the entire mailboxes of all 14 employees. In the course of submissions, the Plaintiff clarified that he wished only to inspect the e-mail headers, which contained metadata relating to parties to the e-mail, and information tracking the various e-mail servers through which the email had been routed. Consequently, the court directed that the Plaintiff to identify these e-mails for such inspection. The second issue before the court was how inspection of individual e-mail messages was to be given, which raised subsidiary issues relating to how the common practice of giving inspection by providing copies of the discoverable documents first, and deferring the physical inspection of specified documents had to be adapted for electronically stored documents. The court observed that where documents are stored in an electronic form, it is preferable that copies be provided in that form. The provision of copies of electronic documents in their native format also had the benefit of facilitating transfer in portable media, and depending on the format, the preservation of metadata information and searchability of the information.

601

As to the issue of the electronic format for these e-mail messages, the Defendant proposed to use the Microsoft Outlook PST format used by its e-mail client software to deposit the discoverable e-mail messages from the mailboxes of the employees concerned. The Plaintiff was unable to accept this as he did not have the software to read such PST files, and requested that copies be exchanged in PDF format instead. The court recognized that this was a practical concern, and it was desirable that the e-mail messages be provided in a manner which the Defendant was able to access with reasonable ease. On the issue of the manner of giving inspection of e-mail messages, the Defendant was concerned that allowing the Plaintiff access to the e-mail mailboxes of its employees would breach confidentiality and banking secrecy. The Defendant relied on Vinelott J’s observations in Derby & Co Ltd v Weldon (No 9) [1991] 1 WLR 652 to highlight difficulties in providing inspection in this manner, including that the inspecting party may gain access to privileged material; and whether access can be arranged and if so, whether the granting of access may unduly interrupt the necessary daily use of the computer. On this basis, the Defendant’s solicitors sought for inspection to be given by providing electronic copies of the discoverable e-mail messages in PST format, in lieu of physical inspection. This was not acceptable to the Plaintiff as he was not able to access PST files. Additionally, he wanted to be able to view the e-mail header information which will show the routing history of the e-mail messages. The court held that a party’s obligation to give inspection could be fulfilled by the provision of copies, but the Plaintiff could not be disentitled to physical inspection of the relevant e-mails, even if he had been provided with copies. Further, given the limited number of e-mail messages to be inspected, the court did not think that giving inspection of these e-mail messages would present any major difficulties or incur unnecessary costs. As to how inspection should be provided, the court accepted that it was well established that inspection is not limited to ocular examination and equipment may be used to inspect documents: UMCI Ltd v Tokio Marine & Fire Insurance Co (Singapore) Pte Ltd and Others [2006] 4 SLR 95; [2006] SGHC 142. Furthermore, the principle of law articulated in Grant and Another v Southwestern and County Properties Ltd and Another [1975] 1 Ch 185 was that where a document cannot be meaningfully examined by ocular examination, the party giving discovery has an obligation to provide the technical means necessary in order to give effect to the inspecting party’s right of inspection. In the present case, as the e-mail messages were stored electronically on the Defendant’s e-mail servers, the Defendant had to provide the technical means necessary in order to give effect to the Plaintiff’s right to inspect the e-mail messages which he had identified. At a minimum, the Defendant had to provide a computer system from which the relevant e-mail mailboxes may be accessed and the 14 e-mail messages displayed on screen for the Plaintiff to view. However, this was not to say that the Plaintiff would be given full access to the e-mail mailboxes of the Defendant’s employees. A sensible approach would thus be for the Defendant to assist by providing an operator who would

602

computer law & security review 25 (2009) 596–602

retrieve each of the identified e-mail messages and display them on screen for the Plaintiff’s inspection, and call up the metadata information which the Plaintiff intended to inspect. Following an adjournment to allow for the inspection, further technical issues arose and were brought before the court. The Plaintiff highlighted that not all the e-mail messages to be inspected were stored on e-mail servers, as emails were periodically archived from the e-mail servers into PST files stored on the hard disk of the employee’s personal computer or notebook. In order to provide inspection, arrangements had to be made for the e-mail servers, personal computers or notebooks to be available, but this posed difficulties as some of these were in London. For the purposes of discovery, the Defendant’s Singapore office had been provided with hard copy printouts as well as a PST file containing electronic copies of these e-mail messages by its London offices. The court held that since the copies which the Defendant had given discovery of were either hard copy printouts or the electronic copies residing in the PST file in their possession in Singapore, the inspection should be carried out on these, and the Plaintiff could inspect email headers off the PST file which was in the possession of the Defendants. The Plaintiff also challenged the authenticity of e-mail messages which had been transferred from e-mail server to PST files, asserting that once e-mail messages had been transferred to the hard disk of an employee’s personal computer or notebook, it was possible for the employee to alter the contents of the messages. The Plaintiff thus requested that copies of these e-mail messages stored in the Defendant’s backup storage be produced to prove authenticity. A further application by the Defendant was for an order that copies of e-mail messages given in discovery be duly authenticated by certification of a person responsible for the operation or management of the Defendant’s relevant computer system. The court held that this was too premature, being an evidential issue to be addressed at trial. As parties headed towards trial, many evidential issues could be addressed through agreement, such as an agreed bundle of documents where both authenticity and accuracy are not disputed, or under production of certifications in accordance with Section 35 of the Evidence Act, Singapore (dealing with computer output). As such, it was not appropriate to make any order relating to the manner in which the Defendant may comply with the Evidence Act at this early stage. A further issue which arose was also whether inspection was to be given for 14 e-mail messages identified by the Plaintiff, or 14 items listed in the Defendant’s LOD where each item consisted of one or more e-mail messages. For example, certain entries in the Defendant’s LOD were described as ‘‘email exchanges’’ between identified parties over a specified

range of dates. The Plaintiff stated that he had requested for inspection of the 14 e-mail messages under the impression that if an e-mail message contained within it the contents of several prior e-mail messages, he would be able to inspect the metadata information of these e-mail messages separately. The court held that each item in a list of documents should refer only to a single e-mail message. Where there was a chain of prior e-mails appended to an e-mail, inspection would be offered on the same basis as where annexures to a document may be inspected, i.e., for just that document including the annexures. If the inspecting party wished to inspect the original documents used as the annexures, a request for specific discovery had to be made. As such, the Plaintiff had to specifically request inspection of an e-mail message appended in a chain, and an order for discovery and inspection could only be made if the Defendant has a copy of the requested e-mail message in its possession, custody or power. Even so, it may still not be necessary to order discovery and inspection on grounds of relevance, or the cost of recovery of a copy of the requested e-mail message being disproportionate to the significance of the e-mail message to the issues in dispute. In the end, good sense prevailed and parties agreed to adopt the common practice of giving inspection whereby copies of documents referred to in their respective lists of documents would be exchanged first and deferring inspection by agreement. The court observed that this case was an object lesson in the pitfalls in electronic discovery which could have been avoided had parties heeded the admonition in Digicel (St. Lucia) Ltd & Ors v Cable & Wireless Plc & Ors [2008] EWHC 2522 (Ch). ªLam Chung Nian (Partner), chungnian.lam@wongpartnership. com; WongPartnership LLP, Singapore.

9.

Thailand

[No submissions for this edition].

10.

Vietnam

[No submissions for this edition].

11.

Philippines

[No submissions for this edition].