To all my readers, thank you and goodbye. This blog is now an ex-blog.
On 18 February 2016, Singapore’s Infocomm Development Agency (IDA) published its decision on the framework for the allocation of an additional 235 MHz of spectrum. This follows its earlier consultations. Key points are set out below:
Two stage process to encourage market entry by new entrant (4th MNO)
The IDA wants to encourage market entry by a fourth mobile network operator (MNO), so it has split the auction into two stages. The first is a ‘new entrant’ spectrum auction for 60 MHz (comprising 2 x 10 MHz in the 700 band, 2 x 10 MHz in the 900 MHz band and 20 MHz of the 2.3 GHz TDD band) from which the existing MNOs are excluded. It is followed by a second auction of the remainder of the spectrum, open to the incumbent MNOs and the new entrant (if any). The reserve price for the new entrant spectrum has been lowered from SGD 40 million to SGD 30 million. The process has been designed to limit market entry to only one additional MNO.
New entrant needs to pre-qualify
Any new entrant needs to pre-qualify for the auction. To pre-qualify a bidder must:
The last condition means that any consortia will need to be formed prior to qualification for bidding.
In addition, pre-qualification will also require bidders to demonstrate:
No other material regulatory assistance for new entrant
Apart from the spectrum allocation and price, there is no other regulatory assistance for the new entrant. The IDA has decided not to mandate wholesale roaming access for the new entrant, and is not proposing to relax any regulatory obligations.
Auction processes defined
The new entrant auction will be a simple ascending round auction, and the second auction a more complex ‘Clock Plus’ format.
The IDA will make an information package for potential new entrants available on 3 March. The IDA will issue further auction documents setting out more detail.
A key challenge for organisations who want to use cloud services is to do so in a way that is compliant with the organisations’ obligations under data protection laws.
This guest post by Matt Hunter (@matthew1hunter) and Daniel Jung explains how ISO 27018 is relevant and why companies considering cloud solutions should look to cloud providers who meet this standard.
Around the world, companies are coming under increasing pressure to comply with data protection laws. Singapore is no different. In July 2014, Singapore’s Personal Data Protection Act (PDPA) came into force. Will the new international standard, ISO 27018, help customers in Singapore to overcome the data protection challenge when using cloud services? Our conclusion is yes. If a cloud customer engages a cloud service provider (CSP) that complies with ISO 27018, the cloud customer can be confident that the CSP’s cloud solution will help the cloud customer to comply with its key legal obligations under the PDPA relevant to the use of cloud services. Similarly, if a CSP complies with ISO 27018, the CSP can be confident that it can offer a cloud solution that will help its customer comply with its key legal obligations under the PDPA.
The PDPA places obligations on companies when it comes to the collection, use and disclosure of personal data. One of the consequences of the PDPA is that companies in Singapore who want to engage the services of a CSP must consider how the cloud solutions will comply with the relevant obligations under the PDPA. Similarly, CSPs who want to offer cloud solutions to customers in Singapore must consider how their cloud solutions will comply with the relevant obligations under the PDPA.
In August 2014 the International Organization for Standardization (ISO) published a new standard specifically applying to how CSPs protect and manage data on behalf of their customers: “ISO/IEC 27018 – Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors” (widely known as ISO 27018). One of the main intentions of ISO 27018 is to help public CSPs to comply with applicable obligations when holding personal data for their cloud customers.
So, how do the key legal obligations in the PDPA compare to the requirements of ISO 27018? Can ISO 27018 help cloud customers and CSPs alike to ensure compliance with PDPA requirements? In this blog we compare the key legal obligations in the PDPA relevant to the use of cloud services to the requirements in ISO 27018 and look at the practical steps that cloud customers and CSPs can take to ensure compliance.
How do ISO 27018 and the PDPA compare?
PDPA requirement: An organisation must obtain the consent of an individual in order to process personal data about the individual.
Does ISO 27018 help? Yes. ISO 27018 will help the customer to comply with this obligation because it requires the CSP to process personal data in accordance with the customer’s instructions and prohibits processing for any other purposes. This requirement will help the customer because it will provide assurance to the customer that the CSP will not use its personal data for purposes that are inconsistent with the consent the customer has obtained from individuals.
PDPA requirement: An organisation must notify individuals about the purposes for which their data will be processed.
Does ISO 27018 help? Yes. ISO 27018 will help the customer to comply with this obligation because it requires the CSP to process personal data in accordance with the customer’s instructions and it requires the CSP to disclose information about sub-processors and data location to the customer. These requirements will help the customer because they will provide assurance to the customer that the CSP will not use its personal data for purposes that have not been notified to individuals, and the customer can provide extra information in its notice to individuals about sub-processors and locations of processing.
PDPA requirement: An organisation must cease to retain personal data as soon as the purpose for which the personal data was collected is no longer being served by the retention of the personal data.
Does ISO 27018 help? Yes. ISO 27018 will help the customer to comply with this obligation because it requires the CSP to implement a policy under which the CSP ensures that personal data is erased as soon as it is no longer necessary for the specific purposes of the customer.
PDPA requirement: An organisation must, upon the request of an individual, provide the individual with access to the personal data that an organisation holds about the individual and correct the personal data.
Does ISO 27018 help? Yes. ISO 27018 will help the customer to comply with this obligation because it requires the CSP to assist its customer to comply with a data subject’s access requests and correction requests.
PDPA requirement: An organisation must make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
Does ISO 27018 help? Yes. ISO 27018 will help the customer to comply with this obligation because it requires the CSP to take certain types of security measures, to adopt and implement security awareness policies and to subject their services to independent information security reviews at regular intervals.
PDPA requirement: An organisation has the same obligations in respect of personal data processed on its behalf and for its purposes by a third-party, as if the personal data is processed by the organisation itself.
Does ISO 27018 help? Yes. ISO 27018 will help the customer to comply with this obligation because it requires a contract to be executed between the data controller (the customer) and the data processor (the CSP), that contains minimum security arrangements and an obligation to process data in accordance with the data controller’s requirements. Further, it also requires the CSP to seek consent from the customer before engaging any sub-contractors.
PDPA requirement: An organisation must not transfer personal data outside of Singapore unless the transfer is made in accordance with the requirements of the PDPA to ensure that the organisation provides a standard of protection to the personal data so transferred that is comparable to the protection under the PDPA.
Does ISO 27018 help? Yes. ISO 27018 will help the customer to comply with this obligation because it requires the CSP to specify and document the countries in which the personal data may be processed and, no matter where the personal data is located, all of the other requirements in ISO 27018 will apply to the Personal Data, so the customer can be sure that its personal data will be protected to the same standard of protection.
PDPA requirement: An organisation must implement policies and procedures in order to meet their obligations under the PDPA and shall make information about its policies and procedures publicly available.
Does ISO 27018 help? Yes. ISO 27018 will help the customer to comply with this obligation because it requires the CSP to execute a contract with the customer to ensure that data is processed in accordance with the customer’s instructions (including instructions as to policies and procedures that are adopted by the customer).
Put simply, the comparison shows that the key legal obligations are matched by the standard’s requirements.
What about other countries?
The same conclusion appears to us to apply in other countries as well. The PDPA is similar to the data protection laws in many other countries, including Australia, European countries, Hong Kong, Japan, Korea, Malaysia and New Zealand. If a cloud customer in any of these countries engages a CSP who complies with ISO 27018, the cloud customer can be confident that the CSP’s cloud solution will help the cloud customer to comply with its key legal obligations under the data protection laws in its country.
How can a CSP demonstrate compliance with ISO 27018?
There are a few options:
There is no silver bullet to ensure overall compliance with an organisation’s obligations under privacy laws. However, in relation to cloud solutions, ISO 27018 is a welcome step towards ensuring that such cloud solutions are compliant with relevant privacy law obligations, including those in Singapore’s PDPA, and thereby further boosting customer confidence in cloud solutions. Customers should check that their CSPs (existing or potential) comply with ISO 27018. This will help customers to be confident that the cloud solutions (existing or potential) comply with the relevant obligations under the PDPA (or the relevant laws in other countries). CSPs should demonstrate compliance with ISO 27018 in order to be confident that their cloud solutions will help their customers to comply with the relevant obligations under the PDPA (or the relevant laws in other countries).
The Monetary Authority of Singapore (“MAS”) is consulting on a new notice and guidelines on outsourcing. Having already commented on its positive message for cloud services, this post addresses the rest of the consultation. In summary, we think:
Background
MAS first issued its ‘Guidelines on Outsourcing’ in 2004 (and updated them in 2005). Under this consultation:
Interested parties should submit views and comments to MAS by email to email@example.com by 7 October 2014.
What we like
Some important points we would like to see MAS clarify
Some less important points that could helpfully be clarified
Next steps: Customers, suppliers and advisors have until 7 October to submit a reply to the MAS. Let’s see to what extent they address the points noted above.
Financial institutions and cloud service providers alike should be feeling relieved at the moment, following the release of the MAS’s consultation on the proposed new outsourcing notice and updated guidelines, as mentioned in Rob’s previous post.
The MAS doesn’t use the word “cloud” expressly in its consultation. However, the MAS has made important changes to the outsourcing guidelines. The changes are relevant to cloud services and, most importantly, there are positive references to cloud services. Cloud is OK provided you follow MAS’s rules.
In summary, these are positive steps for customers and service providers of cloud services. As the proposed new guidelines currently stand, the MAS has decided not to call out cloud services in much detail. Instead the MAS seems to be moving towards accepting cloud services as just another service delivery model, rather than as something that needs additional regulation or treatment. This is good news.
Apart from cloud, the new notice and updated guidelines should be welcomed. There are some points that the MAS should be asked to clarify and now’s the time to do that – more on these points in our next blog. However, overall, these proposals are good for cloud and good for the financial services industry in Singapore.
On Friday 5 September, the Monetary Authority of Singapore (which regulates financial institutions in Singapore) published a consultation on revising its existing guidelines on outsourcing.
Responses are due by 7 October.
Singapore’s Infocomm Development Authority (IDA) has launched a new cloud security standard: Multi-Tier Cloud Security (MTCS) Standard For Singapore (SS 584). The IDA explains that the objective of the standard is: “to provide businesses with greater clarity on the levels of security offered by different cloud service providers (CSPs).”
The IDA’s fact sheet explains that: [Customer clarity is achieved] “through third-party certification and a self-disclosure requirement for CSPs covering service-oriented information normally captured in Service Level Agreements.”
The disclosure covers areas generally addressed through contractual service levels including:
Tiered Security Levels
The standard defines three tiers of security, with tier 1 being the base level and tier 3 being the most stringent:
The five certification bodies are the British Standard Institute, Certification International Pte Ltd, DNV Business Assurance, SGS International Certification and TUV SUD PSB Certification.
The IDA explains that it will work to cross-certify the MTCS SS with other international standards or certification schemes – such as the International Standard Organization (ISO) 27001 Information Security Management System (ISMS) and Cloud Security Alliance (CSA) Open Certification Framework (OCF).
In the wake of increasing global concern about data security, this initiative by Singapore is in line with its policy to promote Singapore as a data hub and is welcome. However, the small size of the Singapore domestic market and continued suspicion of cloud solutions by other regulatory bodies (notably the Monetary Authority of Singapore) mean that this may have limited market impact without engagement by a wider range of regulators.
Meanwhile across the ASEAN region, current policy winds are increasingly blowing towards requiring data (especially financial data) to either be kept out of the cloud, or in national clouds. To continue the weather metaphor, on the bright side it is possible that, if and when it is concluded, some provisions of the Trans-Pacific Partnership (TPP) may roll back some of the more nationalistic requirements currently in force or being considered.
On September 24, Singapore’s Personal Data Protection Commission published its final advisory guidelines on how the country’s Personal Data Protection Act 2012, which governs the collection, use, and disclosure of personal data, will be interpreted and applied.
As expected, these adopt a business-friendly approach. For more details see my post on ZDNet’s Legal Tech blog here.
I was intrigued to read today’s joint response (from Starhub, M1, MyRepublic, ViewQwest, SuperInternet, Nucleus Connect and the Asia Pacific Carriers’ Coalition) to the Singapore telecoms regulator’s (IDA) public consultation on whether to allow additional ownership consolidation in its national fibre-optic network market.
With the benefit of hindsight, I was pondering how an apparently elegant solution to a regulatory challenge has ended up being so complicated and arguably ineffective. The challenge that Singapore faced was how to regulate the build out of a subsidised national fibre-optic network. The solution they chose was structural separation of the various up-stream and down-stream activities of a national fibre-network.
However, with hindsight I would argue that the chosen solution was over-engineered and was unlikely to work in a market where some of the retail competitors ended up with economic interests in some of the theoretically separate upstream entities. In part, this was because an overly complex solution was imported from another market without sufficient regard to the local market conditions and the practical difficulties of achieving de facto ownership separation in a small and concentrated market such as Singapore. Whilst it is too late for Singapore to rethink its regulatory structure in this space, there are lessons for other jurisdictions considering appropriate regulation of subsidised fibre roll-out.
To explain further, a market failure may occur in situations where, without regulatory intervention, the market will not deliver an optimal outcome for consumers. Broadband networks relying on a common infrastructure but with retail competition (such as Singapore’s national fibre broadband network or NBN) are an example of a potential market failure if the same company both controls the common infrastructure and competes in the down-stream retail market. This failure manifests itself by the company controlling the network favouring its own retail business over its retail competitors (that do not have control of the network). Without equal treatment, competitive intensity decreases and customers get worse service, quality, choice and may pay more. In essence, any vertically integrated company which both controls a network and competes in a retail market which requires use of that network has both the incentive and the ability to discriminate in favour of itself.
Regulatory intervention can take many forms. What was originally intended in Singapore was that the NBN network (OpenNet) would be owned separately from the NBN operating company (Nucleus Connect) and the operators (Singtel, Starhub, myRepublic, etc) would compete at the retail level. In addition (this happened during the tender process), the passive assets of Singtel (ducts, etc) used by OpenNet would be operationally separated from Singtel and placed into a trust – the NetLink Trust, which would be managed separately from Singtel.
This would create a four layer structure:
This structure theoretically fixes the market failure described above provided that the first three layers are regulated (as they are monopoly providers) and that no participant in the retail market has ownership or control of any of the first three layers.
However, this theoretical situation does not exist in Singapore today and the consolidation proposals arguably exacerbate the existing problems by giving Singtel additional economic interest in the network owner layer as well as the passive assets.
If we come back to the issues I identified above, Singapore’s IDA has imposed various regulatory obligations that seek to constrain the ability of Singtel to effectively influence the conduct of NetLink Trust.
However, whilst Singtel retains economic ownership (even through a trust) it retains the incentive to discriminate. To be clear, this isn’t about companies or trustees seeking to do anything wrong – it is more that they have a duty to maximise shareholder value or act in the interest of relevant beneficiaries and as part of that duty any rationally managed company or trust will seek to maximise the value of its vertical integration or vertical relationship unless constrained otherwise. At the moment Singtel has a 100% ownership interest in the assets held by the NetLink Trust, and the trustees must act in the best interests of their beneficiary. Following the proposed consolidation, OpenNet’s assets will also be 100% owned by Singtel (through the trust). Although there are proposals for divestment of Singtel’s interest in the trust down to a minority interest, the timetable for the planned divestiture has been delayed.
The key question is whether the regulatory constraints on Singtel’s actions are sufficient to constrain its ability to discriminate in favour of its own downstream business. Whilst the IDA consultation sets out a list of current controls (including reference offers and non-discrimination requirements), market experience to date would suggest that there are still material deficiencies in the regulatory regime (evidenced in particular by roll-out problems) that need to be addressed, and the consortium response sets out a long list of proposed additional regulatory conditions.
An interesting contrast is the approach taken in the UK (albeit to address a somewhat different problem – bottleneck control over legacy last mile copper access) to require BT to functionally separate its copper access business into Openreach. Openreach was then made subject to a requirement of equivalence which in practice went much further than the existing Singapore requirement to provide reference offers and non-discrimination (and also goes further than the conditions proposed by the consortium).
In a small market like Singapore, it seems unlikely that ownership will ever be really disentangled, so regardless of whether consolidation is approved or not it will be interesting to see what additional regulatory requirements the IDA will consider imposing on the NetLink Trust.
On 1 April the government of Singapore adopted an ‘Intellectual Property (IP) Hub Master Plan: Developing Singapore as a Global IP Hub in Asia’. Despite the date, this is emphatically no joke. The plan helpfully summarises its key aspects in the following diagram:
The initiatives adopted are:
| OUTCOME / ENABLER | KEY STRATEGY | INITIATIVE |
| --- | --- | --- |
| Outcome 1: A hub for IP transactions and management | Develop a vibrant IP marketplace by attracting top IP intermediaries, and supporting promising initiatives to catalyse the development of the marketplace | 1. An Economic Development Board (EDB)-MinLaw Joint Programme Office will be set up to develop the IP and legal sectors. It will seek to promote quality IP marketplace players such as IP owners and service providers to Singapore. |
| | Facilitate IP transactions by increasing access to IP financing, and enhancing transparency and certainty in IP transactions | 2. The Government will introduce an IP financing scheme, where it partially underwrites the value of patents used as collateral in event of default. The intention is to encourage banks to recognise IP as an asset class, build IP financing capabilities among our financial institutions, and allow IP-rich companies to raise capital more easily using their IP assets. 3. Financial institutions undertaking IP financing-related courses (such as IP valuation) may be eligible for support under the Financial Training Scheme administered by the Monetary Authority of Singapore (MAS). 4. The Intellectual Property Office of Singapore (IPOS) will establish a new Centre of Excellence for IP Valuation, which will work with industry stakeholders to undertake a range of activities, including research on IP valuation methodologies, training and certification for IP valuation professionals, and establishing industry-wide best practices. 5. The Singapore Exchange (SGX) will encourage listed companies to disclose their IP rights. A clear and structured disclosure of IP rights of material importance can provide investors with better insights into the company’s strengths and potential growth. |
| Outcome 2: A hub for quality IP filings | Create a strong value proposition to attract IP filings by offering world-class services, and strengthening international collaborations with other IP offices | 6. IPOS will invest $50 million to build up patent search and examination (S&E) capabilities in technology areas of strategic importance to Singapore. This will draw companies to register IP in Singapore. IPOS has started its S&E team in September 2012, and will be expanding this team progressively. The team is expected to be operational in mid-2013, after completing training by the European and Japan Patent Offices. 7. IPOS will forge stronger cooperation with other national IP offices, and establish a comprehensive network of Patent Prosecution Highways (PPHs) building on our existing network with the US, Japan and South Korea. A strong network of PPHs will allow applicants to expedite the patent filing process in other jurisdictions from Singapore. |
| Outcome 3: A hub for IP dispute resolution | Develop Singapore as a choice venue for IP dispute resolution, through a strong IP Court and deep IP alternative dispute resolution capabilities | 8. The Supreme Court is establishing a specialised docket system for all cases. For the IP Court, in addition to the current practice of assigning an assistant registrar to each IP case after it is filed, an IP Judge will also be assigned earlier. This will allow judges of the IP Court to build greater familiarity with IP cases and enhance the efficiency of case disposal. To support the IP Court’s adjudication functions, the Supreme Court will promote the use of assessors (for technical expertise) and amicus curiae (for legal expertise). 9. MinLaw will work with the Singapore International Arbitration Centre (SIAC) to establish a panel of top international IP arbitrators in Singapore. This will enhance the international profile of Singapore’s IP alternative dispute resolution capabilities and attract such cases to Singapore. 10. IPOS will collaborate with the World Intellectual Property Organization’s Arbitration and Mediation Centre (WIPO AMC) to offer parties in patent disputes a new expert determination option. This option allows parties to select a trusted third party expert with the relevant expertise and experience from WIPO AMC’s panel, and will be implemented by Q2 2013. Benefits of this option include cost and time savings, as well as autonomy in the selection of their arbiter. |
| Enabler 1: Skilled manpower resources networked to the region and beyond | Build a globally competitive IP workforce that is equipped with specialised IP skill sets and networked to other markets, and support the continued professional development of IP professionals | 11. IPOS will launch the IP Competency Framework (IPCF) to define the competencies required for key IP job roles in the industry, accredit training providers and their programmes offered under the framework, and to certify the attainment of these competencies into industry-recognised qualifications. 45 competency units under the IPCF will be rolled out in April 2013. 12. IPOS will invest $15 million to strengthen IP Academy to be the central agency to orchestrate the delivery of IP education and training for Singapore. |
| Enabler 2: A conducive and progressive environment for IP activities | Enhance the tax environment to attract and anchor IP portfolios and substantive management activities | 13. The Productivity and Innovation Credit scheme, introduced by the Ministry of Finance (MOF) and administered by the Inland Revenue Authority of Singapore (IRAS), covers activities such as the acquisition and registration of IP. From years of assessment 2013 to 2015, the scheme will be enhanced to include IP in-licensing for innovation or productivity improvements. |
| | Nurture a progressive environment that shapes and promotes IP thought leadership, and builds international perception | 14. We will leverage flagship events to create a nexus for the exchange of views among the international IP community. Examples include the Global Forum on IP and the IP Business Congress Asia Conference which Singapore will host in 2013. |
The plan is certainly ambitious.
Perhaps the biggest challenge (which the plan openly acknowledges on pages 14 and 15) is Singapore’s small domestic IP market, which means that the plan can only be achieved by tapping into international markets and bringing in expertise and capability.
With concerns about importation of foreign talent and expertise very much on Singapore’s domestic political agenda it will be interesting to see how Singapore manages to balance those interests with attracting the international talent required to turn Singapore into Asia’s IP Hub.
In my view, to achieve its objectives Singapore will need to significantly liberalise its market for service providers further – for so long as patent filing and IP litigation is restricted to local firms and some practicing restrictions remain on international law firms in Singapore, Singapore will find it hard to turn aspiration into reality.
For those interested in more detail on the IP dispute proposals, @singarbitration’s views can be found here.