Goodbye from Watching the Connectives: hello from The Digital Watcher

Rob Bratby

To all my readers, thank you and goodbye. This blog is now an ex-blog.

Hong Kong privacy regulator recognises ISO/IEC 27018

This guest post is written by @matthew1hunter and @aisling1odwyer.

Regular readers of this blog will know we have been tracking the impact of ISO/IEC 27018:2014 – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (ISO/IEC 27018). We see this as the go-to standard for customers of public cloud computing services. In a significant move, the Hong Kong Privacy Commissioner for Personal Data (Privacy Commissioner) has recently recognised the value of ISO/IEC 27018 in its revised Cloud Computing Information Leaflet (Information Leaflet).

The Information Leaflet is a helpful piece of guidance which sets out the practical steps cloud customers should take to ensure they comply with the Hong Kong privacy laws when using cloud computing services.  In the leaflet the Privacy Commissioner recognises ISO/IEC 27018 as “a comprehensive reference that has met the need to assist the selection of cloud providers by data users”.

Recap on ISO/IEC 27018

We previously covered the publication of ISO/IEC 27018, and also discussed how ISO/IEC 27018 would be a useful tool for customers looking to ensure compliance with privacy laws in Singapore and other countries.

We predicted regulators would begin to recognise and refer to ISO/IEC 27018 in setting privacy standards for customers of cloud computing services. Hong Kong provides the most recent example of this.  We also predicted the adoption of ISO/IEC 27018 by market-leading cloud service providers (CSPs).

Why Hong Kong and its Privacy Commissioner matter

Hong Kong was one of the early adopters of privacy laws in Asia, and has an established and well-respected privacy regime. Its Personal Data (Privacy) Ordinance (PDPO) has been in force since December 1996 and the independent Privacy Commissioner has played an active role in promoting and maintaining high privacy standards since then.

It is very significant that the Privacy Commissioner in Hong Kong has recognised the benefits of ISO/IEC 27018 in its Information Leaflet. This endorsement sets the stage for wider recognition of ISO/IEC 27018 as the go-to international standard for protecting personal information in the cloud.

When regulators accept ISO/IEC 27018 as the global gold standard for CSPs, this makes the lives of customers, CSPs and regulators easier. It is easier for customers and CSPs to ensure compliance with one international standard that facilitates compliance with most national-level privacy laws, rather than starting with each of the national-level privacy laws.

Does ISO/IEC 27018 help customers in Hong Kong?

Hong Kong’s privacy laws, set out in the PDPO, place obligations on organisations in relation to the collection, processing, use and deletion of data. Organisations that wish to use cloud computing services need to assess how they can implement such services and continue to comply with the PDPO, and in particular, its six data protection principles.

The revised Information Leaflet alerts customers to their obligations under the PDPO and highlights three overarching points cloud customers should have in mind when choosing a CSP. These points are:

  1. Rapid transborder data flow: CSPs may have data centres in multiple jurisdictions and customers need to know their data will have the same level of protection wherever it is stored.
  2. Loose outsourcing arrangements: Customers need to know that any CSP sub-contractors are subject to the same standards as their CSP, and that there are legally enforceable contracts in place between the CSP and its sub-contractors.
  3. Standard services and contracts: Customers need to carefully evaluate whether their specific security and personal data privacy protection needs are met by any standard contract offered.

It is helpful then to note that the controls introduced by ISO/IEC 27018 help customers to address these points.  Taking each in turn:

  1. CSPs are required to disclose and document where personal data will be processed, and the controls in ISO/IEC 27018 are applicable no matter where the personal data is located;
  2. ISO/IEC 27018 requires CSPs to be transparent about their use of sub-contractors and to enter into written agreements with any sub-contractors, preventing weak, informal outsourcing arrangements; and
  3. ISO/IEC 27018 imposes strict security standards that CSPs must adhere to, which are applicable even where the CSP and the customer are contracting on standard terms.

In summary: Hong Kong’s privacy laws impose a range of obligations on customers, some of which apply to the customer’s use of cloud computing services. ISO/IEC 27018 is a helpful tool for customers to rely on to meet those obligations. If a customer’s CSP commits to comply with ISO/IEC 27018, this should reassure the customer that the CSP’s solution will help the customer to comply with the relevant obligations under Hong Kong’s privacy laws.

Conclusion

The recognition of ISO/IEC 27018 by the Hong Kong regulator shows that the standard is a robust tool, capable of addressing important questions customers will have to consider when choosing a CSP.

Hong Kong now joins privacy regulators in Australia, Belgium, Canada, Germany and Slovenia (among others) who have all recognised the benefit ISO/IEC 27018 offers as a global standard for CSPs.  We anticipate that more CSPs will commit to ISO/IEC 27018 and also that more customers will look for CSPs that commit to the standard (e.g. by adding a requirement in their RFPs for CSPs to be compliant with ISO/IEC 27018).

ISO 27018 – the international standard for protecting PII in the public cloud – Where are we now?

Since its release in August 2014, ISO 27018 is becoming well established as the “go to” standard to help cloud customers to comply with their privacy obligations when using public cloud services.  Privacy regulators recognise and refer to the new standard.  Cloud customers are using it in their RFP requirements and in their assessments of CSPs.  And CSPs themselves can and should adopt and commit to the new standard. 

A guest post by Matthew Hunter (@matthew1hunter) and Daniel Jung.

A reminder

We reported last year about the publication of this new standard: “ISO/IEC 27018:2014 – Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors” (“ISO 27018”).

In a subsequent post, we discussed how ISO 27018 helps cloud customers in Singapore to comply with Singapore’s Personal Data Protection Act (PDPA). We concluded that if a cloud customer engages a cloud services provider (CSP) that complies with ISO 27018 (e.g. adopts and contractually commits to ISO 27018), then the cloud customer can be confident that the CSP’s solution will help the cloud customer to comply with its key legal obligations under the PDPA relevant to its use of cloud services. We carried out the same research for other countries and the same conclusion applies: cloud customers who use CSPs that comply with ISO 27018 will be better able to comply with relevant privacy law obligations in Australia, Hong Kong, Japan, Korea, Malaysia, New Zealand and European countries, including France, Germany, Spain and the UK.

In this post we will look at the latest developments in the market in relation to ISO 27018 and at how ISO 27018 is becoming the “go to” standard to help cloud customers to comply with their privacy obligations.  We will also provide pointers for cloud customers, CSPs and regulators on how to benefit from ISO 27018.

The latest ISO 27018 developments

Regulators

Since August 2014, we have seen regulators around the world recognise and refer to ISO 27018 (and this should come as no surprise, as regulators often refer to ISO standards, e.g. ISO 27001).

  • In Australia, the OAIC referred to ISO 27018 in its guide to securing personal information (January, 2015).
  • In Belgium, the privacy commission referred to ISO 27018 in its Guidance on Security & Privacy in the Cloud (December, 2014).
  • In Canada, the OIPC posted on its blog that ISO 27018 allows access to the benefits of the cloud whilst keeping control of data (March, 2015).
  • In Germany, a state regulator’s cloud guidance highlights the use of ISO 27018 for cloud (October, 2014).
  • In Slovenia, the Information Commissioner indicated that ISO 27018 is consistent with its requirements and should help to address the lack of confidence in cloud (January, 2015).

These regulators and others are continuing to consider the use of ISO 27018.  The Belgian authority is also working on an analysis of ISO 27018 to be included in a global recommendation to customers using cloud.  The PDPC in Singapore is also considering the use of ISO 27018.

Cloud customers

Customers in the public and the private sector are looking at including ISO 27018 in their RFP requirements and in their procurement contracts, in the same way they have done with other ISO standards.  These are the kinds of discussions we have been having with, and recommendations we are making to, our clients.

Cloud customers have been, in the past, slow to adopt cloud services. In part, this has been because of regulatory concerns. But ISO 27018 has provided cloud customers with a convenient solution to address privacy regulations when using public cloud services. We have seen that cloud customers who use CSPs that comply with ISO 27018 will be better able to comply with relevant privacy law obligations in many jurisdictions.

Cloud services providers

CSPs can now adopt and commit to ISO 27018.

Earlier this year Microsoft, one of the leading CSPs in the market, became the first CSP to adopt and commit to ISO 27018.  An independent audit confirmed its services incorporate all of the ISO 27018 controls and the ISO 27018 controls will become part of Microsoft’s contractual commitment to its customers.  We expect to see other CSPs follow suit.

No standalone certification is available as yet for ISO 27018. However, compliance with ISO 27018 is demonstrated through an ISO 27001 certification that incorporates all of the controls from ISO 27018. By going through this kind of assessment process, CSPs (and ultimately their customers) can have confidence in their ISO 27018 compliance; customers should still check that the scope statement of the ISO 27001 certificate covers the specific services they are buying, since a certificate only speaks to the services within its scope. To remain compliant, CSPs must undergo yearly independent reviews. This is what the likes of Microsoft will do.

The more regulators recognise and refer to ISO 27018 and the more customers require compliance with ISO 27018, the more CSPs will need to adopt and commit to ISO 27018.  Like other ISO standards before it, ISO 27018 will become the norm.

What next for ISO 27018?

Regulators are adopting ISO 27018, customers are requiring compliance with ISO 27018 and CSPs are committing to ISO 27018 compliance.  ISO 27018 is already becoming the norm (just like other ISO standards).

We expect this to continue.  The adoption of cloud services is increasing across all sectors: financial services, retail, energy, logistics, manufacturers, travel and all kinds of SMEs.  In the public sector governments have pushed “public cloud first” style policies in the US, Europe, Australia and Singapore.  It is in the interest of governments to allow cloud services to be adopted in the public and private sectors.  The benefits of cloud services are clear.  But at the same time the compliance challenge will not disappear.  The regulation of data is on the rise (and rightly so).  Data should be regulated; it is a valuable and sensitive asset.  This is why ISO 27018 is proving helpful; customers can benefit from cloud services but at the same time ensure compliance with privacy regulations.

Will ISO 27018 help cloud customers to comply with Singapore’s data protection laws?

A key challenge for organisations who want to use cloud services is to do so in a way that is compliant with the organisations’ obligations under data protection laws.

This guest post by Matt Hunter (@matthew1hunter) and Daniel Jung explains how ISO 27018 is relevant and why companies considering cloud solutions should look to cloud providers who meet this standard.

Around the world, companies are coming under increasing pressure to comply with data protection laws. Singapore is no different. In July 2014, Singapore’s Personal Data Protection Act (PDPA) came into force. Will the new international standard, ISO 27018, help customers in Singapore to overcome the data protection challenge when using cloud services? Our conclusion is yes. If a cloud customer engages a cloud service provider (CSP) that complies with ISO 27018, the cloud customer can be confident that the CSP’s cloud solution will help the cloud customer to comply with its key legal obligations under the PDPA relevant to the use of cloud services. Similarly, if a CSP complies with ISO 27018, the CSP can be confident that it can offer a cloud solution that will help its customers comply with their key legal obligations under the PDPA.

Background

The PDPA places obligations on companies when it comes to the collection, use and disclosure of personal data.  One of the consequences of the PDPA is that companies in Singapore who want to engage the services of a CSP must consider how the cloud solutions will comply with the relevant obligations under the PDPA.  Similarly, CSPs who want to offer cloud solutions to customers in Singapore must consider how their cloud solutions will comply with the relevant obligations under the PDPA.

In August 2014 the International Organization for Standardization (ISO) published a new standard specifically applying to how CSPs protect and manage data on behalf of their customers: “ISO/IEC 27018 – Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors” (widely known as ISO 27018). One of the main intentions of ISO 27018 is to help public CSPs to comply with applicable obligations when holding personal data for their cloud customers.

So, how do the key legal obligations in the PDPA compare to the requirements of ISO 27018?  Can ISO 27018 help cloud customers and CSPs alike to ensure compliance with PDPA requirements?  In this blog we compare the key legal obligations in the PDPA relevant to the use of cloud services to the requirements in ISO 27018 and look at the practical steps that cloud customers and CSPs can take to ensure compliance.

How do ISO 27018 and the PDPA compare?

  • Consent and Purpose.

PDPA requirement: An organisation must obtain the consent of an individual in order to process personal data about the individual.

Does ISO 27018 help? Yes. ISO 27018 will help the customer to comply with this obligation because it requires the CSP to process personal data in accordance with the customer’s instructions and prohibits processing for any other purposes. This requirement will help the customer because it provides assurance that the CSP will not use its personal data for purposes that are inconsistent with the consent the customer has obtained from individuals.

  • Notification.

PDPA requirement: An organisation must notify individuals about the purposes for which their data will be processed.

Does ISO 27018 help? Yes. ISO 27018 will help the customer to comply with this obligation because it requires the CSP to process personal data in accordance with the customer’s instructions and it requires the CSP to disclose information about sub-processors and data location to the customer. These requirements will help the customer because they provide assurance that the CSP will not use its personal data for purposes that have not been notified to individuals, and the customer can provide extra information in its notice to individuals about sub-processors and locations of processing.

  • Data retention.

PDPA requirement: An organisation must cease to retain personal data as soon as the purpose for which the personal data was collected is no longer being served by the retention of the personal data.

Does ISO 27018 help? Yes. ISO 27018 will help the customer to comply with this obligation because it requires the CSP to implement a policy under which the CSP ensures that personal data is erased as soon as it is no longer necessary for the specific purposes of the customer.

  • Data subjects’ right of access and correction.

PDPA requirement: An organisation must, upon the request of an individual, provide the individual with access to the personal data that an organisation holds about the individual and correct the personal data.

Does ISO 27018 help? Yes. ISO 27018 will help the customer to comply with this obligation because it requires the CSP to assist its customer to comply with a data subject’s access requests and correction requests.

  • Security.

PDPA requirement: An organisation must make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.

Does ISO 27018 help? Yes. ISO 27018 will help the customer to comply with this obligation because it requires the CSP to take certain types of security measures, to adopt and implement security awareness policies and to subject their services to independent information security reviews at regular intervals.

  •  Sub-contracting. 

PDPA requirement: An organisation has the same obligations in respect of personal data processed on its behalf and for its purposes by a third-party, as if the personal data is processed by the organisation itself.

Does ISO 27018 help? Yes. ISO 27018 will help the customer to comply with this obligation because it requires a contract to be executed between the data controller (the customer) and the data processor (the CSP), that contains minimum security arrangements and an obligation to process data in accordance with the data controller’s requirements. Further, it also requires the CSP to seek consent from the customer before engaging any sub-contractors.

  • International transfer restrictions.  

PDPA requirement: An organisation must not transfer personal data outside of Singapore unless the transfer is made in accordance with the requirements of the PDPA to ensure that the organisation provides a standard of protection to the personal data so transferred that is comparable to the protection under the PDPA.

Does ISO 27018 help? Yes. ISO 27018 will help the customer to comply with this obligation because it requires the CSP to specify and document the countries in which the personal data may be processed and, no matter where the personal data is located, all of the other requirements in ISO 27018 will apply to the personal data, so the customer can be sure that its personal data will be protected to the same standard of protection.

  • Policies and procedures. 

PDPA requirement: An organisation must implement policies and procedures in order to meet their obligations under the PDPA and shall make information about its policies and procedures publicly available.

Does ISO 27018 help? Yes. ISO 27018 will help the customer to comply with this obligation because it requires the CSP to execute a contract with the customer to ensure that data is processed in accordance with the customer’s instructions (including instructions as to policies and procedures that are adopted by the customer).

Put simply, the comparison shows that the key legal obligations are matched by the standard’s requirements.

What about other countries?

The same conclusion appears to us to apply in other countries as well. The PDPA is similar to the data protection laws in many other countries, including Australia, European countries, Hong Kong, Japan, Korea, Malaysia and New Zealand. If a cloud customer in any of these countries engages a CSP who complies with ISO 27018, the cloud customer can be confident that the CSP’s cloud solution will help the cloud customer to comply with its key legal obligations under the data protection laws in its country.

How can a CSP demonstrate compliance with ISO 27018?

There are a few options:

  1. A CSP can contractually commit to comply with ISO 27018.  This will show a commitment to comply but it does not demonstrate compliance.
  2. A CSP can consider third party certification against ISO 27018. This can currently only be done through an ISO 27001 certification that incorporates, as part of the controls that the CSP is being certified against, the controls in ISO 27018.
  3. A CSP can do a compliance self-audit against ISO 27018.  There are also good arguments that a self-audit by a provider under ISO 27018 is accepted as proof of compliance with technical and organisational measures (as required, for example, under EU law for data processing agreements).
  4. Certification against a standard that includes ISO 27018.  In November 2013, the Infocomm Development Authority of Singapore (IDA) launched a Multi-Tiered Cloud Security Standard (MTCS) in order to encourage CSPs to implement strong risk management and security practices through certification.  This standard is currently being updated by the IDA.  It would be sensible (and beneficial to customers and CSPs) if the IDA included by reference ISO 27018 or included equivalent requirements in any revised MTCS.  This would mean that a CSP that is MTCS certified, would also be ISO 27018 certified.

Conclusion

There is no silver bullet to ensure overall compliance with an organisation’s obligations under privacy laws. However, in relation to cloud solutions, ISO 27018 is a welcome step towards ensuring that such cloud solutions are compliant with relevant privacy law obligations, including those in Singapore’s PDPA, and thereby further boosting customer confidence in cloud solutions.  Customers should check that their CSPs (existing or potential) comply with ISO 27018.  This will help customers to be confident that the cloud solutions (existing or potential) comply with the relevant obligations under the PDPA (or the relevant laws in other countries).  CSPs should demonstrate compliance with ISO 27018 in order to be confident that their cloud solutions will help their customers to comply with the relevant obligations under the PDPA (or the relevant laws in other countries).


MAS Embraces Cloud: A Silver Lining

Financial institutions and cloud service providers alike should be feeling some relief at the moment, following the release of the MAS’s consultation on the proposed new outsourcing notice and updated guidelines, as mentioned in Rob’s previous post.

The MAS doesn’t use the word “cloud” expressly in its consultation.  However, the MAS has made important changes to the outsourcing guidelines.  The changes are relevant to cloud services and, most importantly, there are positive references to cloud services.  Cloud is OK provided you follow MAS’s rules.

  1. An OK for SaaS, PaaS and IaaS. In Annex 1 of the proposed updated guidelines, the MAS expressly lists “SaaS, PaaS and IaaS” as kinds of services that, when performed by a third party, would be regarded as outsourcing arrangements (and therefore subject to the MAS’s notice and guidelines on outsourcing). Therefore, the MAS is saying that cloud is a type of service that falls within outsourcing. The implication must be that financial institutions can use cloud services as long as the cloud services they adopt comply with the notice and guidelines on outsourcing.
  2. An OK to multi-tenancy arrangements. In sections 5.6.2 and 5.7.2 of the updated guidelines, the MAS makes express reference to “multi-tenancy arrangements”. In a footnote the MAS explains that “Multi-tenancy generally refers to a mode of operation adopted by service providers where a single computing infrastructure (e.g. servers, databases etc.) is used to serve multiple customers (tenants).” The MAS goes on to say that if a financial institution is using a multi-tenancy arrangement then it should pay particular attention to the ability of the arrangement to isolate and clearly identify the financial institution’s documents, data, information etc. Again, therefore, the implication must be that financial institutions can use cloud services as long as the cloud services they adopt comply with the notice and guidelines on outsourcing. In sections 5.6.2 and 5.7.2, the MAS has picked out certain areas where the financial institutions should pay particular attention if they are using cloud services. So this isn’t a “no” to cloud services but rather a “yes, but be careful”.
  3. An OK to transfers of customer information. The definition of a “material outsourcing arrangement” in the updated guidelines now expressly includes an arrangement “which involves customer information”. Most cloud services will involve customer information. The implication is that financial institutions can enter into outsourcing transactions that involve customer information and, therefore, can use cloud services, as long as the cloud services they adopt comply with the notice and guidelines on outsourcing. This means that the MAS will consider most cloud services as a “material outsourcing arrangement” and so the additional requirements will apply to cloud services (e.g. notification to the MAS, prior to committing to the cloud services).
  4. An OK to outsourcing outside of Singapore. In section 5.10 of the updated guidelines the MAS deals with outsourcing outside of Singapore. This section has not really changed but it is noteworthy that the MAS recognises that “the engagement of a service provider in a foreign country… exposes an institution to country risk”. The MAS does not say that a financial institution cannot outsource outside of Singapore. The MAS points out that an outsourcing outside of Singapore carries additional risks that the financial institution must address. Many cloud services will (to varying extents) be provided from locations outside of Singapore. The implication is that a financial institution can carry out outsourcing outside Singapore, and therefore can use cloud services that are provided from locations outside of Singapore, as long as the cloud services they adopt comply with the notice and guidelines on outsourcing. This means that financial institutions must address the additional “country risks”.

In summary, these are positive steps for customers and service providers of cloud services.  As the proposed new guidelines currently stand, the MAS has decided not to call out cloud services in much detail.  Instead the MAS seems to be moving towards accepting cloud services as just another service delivery model, rather than as something that needs additional regulation or treatment.  This is good news.

Apart from cloud, the new notice and updated guidelines should be welcomed. There are some points that the MAS should be asked to clarify and now’s the time to do that – more on these points in our next blog. However, overall, these proposals are good for cloud and good for the financial services industry in Singapore.

Why bring your own device (BYOD) is not just an IT issue

I was fortunate this week to be both a speaker and a panellist at Questex Asia’s ‘BYOD and Mobile Security’ conference held in Singapore. It turned out I was the only lawyer in a room of 200 plus IT people, which was an interesting experience. Having made my presentation (Olswang_Asia_BYOD_presentation), my conversations with delegates brought home to me how hard it can be to effect change within an organisation.

Whilst speakers had run through the organisational benefits from BYOD, and it is clear from my experience that generation X and generation Z are increasingly demanding the ability to bring their smartphones and tablets to work, any change requires the buy-in and collaboration of at least IT, legal, HR and senior management, and many organisations were struggling to actually change in structures where any stakeholder saying ‘no’ could stop implementation.

My message that the legal issues (whilst important and needing to be dealt with) shouldn’t stop BYOD deployment seemed to give comfort to some of the delegates I spoke to.

As is always the case with these things, two days after I had delivered the talk the UK Information Commissioner published their guidelines on BYOD. I was heartened to read that the guidance covers pretty much the same ground as my talk, albeit (unsurprisingly for regulatory guidance) with a somewhat more negative view.

How serious is India about foreign investment as an engine for growth?

I will be spending next week in Mumbai and Delhi (with @singarbitration), and in preparation have been contemplating the impact of the recent budget proposals on foreign investment, and in turn the implications for the Indian economy.

Before going on any trip, I like to remind myself of some basic economic facts, so my trusty EIU ‘World in 2012’ guide tells me that India has:

  • GDP of $5,083 bn (PPP)
  • a population of 1,220 m
  • a per capita GDP of $4,170 (PPP)
  • GDP growth 7.8%
  • inflation 7.7%

Whilst these statistics are impressive, India’s growth rate has persistently been a couple of percentage points lower than that of China. The reasons for this are many, but commentators seem to agree that one factor is the barriers or impediments to foreign investment in many sectors of the Indian economy, which may help to stimulate competition and growth.

Regardless of sector, one key requirement of foreign investors in India is certainty over the rules for investment, and in that context recent attempts by India to levy retrospective tax charges are very (to put it mildly) unhelpful. I’ve blogged before on the Vodafone tax case, but since the helpful Supreme Court judgment, the budget proposals published in March 2012 rather unhelpfully contain proposals that would change significant parts of Indian tax legislation with retrospective effect (back to 1962 in some cases) and reverse decided case law on many provisions.

There are 24 retroactive provisions in the bill designed, in the words of Revenue Secretary R S Gujral, to protect the government of India from returning taxes previously collected which it would otherwise be required to do to comply with Court decisions (in itself an extraordinary statement of disrespect for the Supreme Court of India and its position under the Indian Constitution).

Although presented as mere clarifications, the changes are clearly substantive changes in law, made as a direct reaction and in contradiction to various rulings and judgments of the courts in India. Specifically, the changes are reinforced by a provision (s113) which grants the tax department wide-ranging powers to demand, collect and seize tax from taxpayers notwithstanding contrary judicial decisions. The changes go to the very heart of the constitution of India and the rule of law in India, and are likely to impact many Indian as well as international investors and businesses.

Specific international M&A aspects

The most prominent of the judgments proposed to be reversed is the January 2012 Supreme Court ruling relating to the 2007 Vodafone transaction, where it was held that an overseas share transfer cannot be taxed in India even if there is a consequent change in control of a lower tier company in India. The budget now seeks not only to overturn this ruling, which had been hailed both internationally and in India as a sign of the rule of law in India and a positive sign for investor certainty, but also to do so with retrospective effect. Numerous other companies would be affected, including AT&T, General Electric, Fosters, Sanofi-Aventis, Kraft-Cadbury, Cairns, Unilever, Accenture, Mcleod Russel and E-Trade as well as a reported 400 other transactions being investigated by the Indian tax office. As the legislation is retrospective to 1962 there may well be other transactions that can be targeted by the tax authorities which were completed decades ago.

In many of the cases, the targeted companies are purchasers who made no gain, but are being pursued for the tax on a gain realised by sellers. Doing this retrospectively is extraordinary; it is impossible to withhold retrospectively once the purchase price is paid.

Other aspects

In addition, other provisions included in the budget would expand the definition of ‘royalty’ retrospectively to 1 June 1976, aiming to nullify a number of recent rulings and court decisions, including cases involving Asia Satellite Telecommunications, Ericsson AB, Factset Research Systems, Infosys Technologies, Intelsat, ISRO Satellite Centre, Lucent Technologies, Motorola, TV Today Network, and Velankani Mauritius.

Impact on Investors in India

The extreme nature of the retrospective changes is a significant departure from international norms and raises major concerns among investors and multinational companies in respect of their investments into India. It undermines public confidence in the judiciary and respect for the rule of law, which is one of the fundamental principles of a democratic society. It further creates uncertainty about the law and unpredictability in the cost of doing business in India, and a perception that the revenue authority can act completely unchecked by the judiciary in India. If these proposals are enacted, India would distance itself from other countries which are encouraging and bringing in favourable reforms to attract foreign direct investment.

The Watcher needs to make it clear that he has investors in India as clients, and this post should be read in that light.

Continued growth in Asian technology, media and telecoms sectors in 2012 despite Eurozone troubles

With the launch party of Olswang Asia happening tonight, I have been musing on the economic outlook for Asia in 2012 and beyond. At a very micro-level I have been very pleasantly surprised by the (extraordinarily high) level of interest in our launch and it looks like the party tonight will be standing room only. I wondered if my personal experience was indicative of the wider economy so have been reviewing a number of commentaries on growth prospects for the region.

In particular, I looked at reports from the Economist and Insight Bureau. Both commentators agreed that the outlook for Europe varied from bad to very bad, whilst the outlook for America was mildly positive. Whilst China’s growth rate is expected to drop into single digits, caused by a slowdown in its export markets, the consensus view is that the Indian economy remains driven by domestic demand. Whilst India’s reliance on domestic demand has resulted in lower growth than China, it also means that India is less exposed to the Eurozone slowdown than China.

So aside from India and China, what are the prospects in ASEAN? It is sometimes easy to forget that Indonesia has an economy five times the size of Greece (to pick a random comparator). Whilst it is still less than a third of the size of the German economy, it is expected to grow sustainably at around 5-6% a year for the foreseeable future, whilst Germany will be lucky not to contract. Meanwhile, its ASEAN neighbours such as Malaysia, the Philippines, Thailand and Vietnam, as well as South Korea, continue to grow strongly.

So, the upshot of my limited research is that my personal experience seems to be in line with the market (much as I’d like to convince myself that we are bucking the trend). However, I think there are other factors at play that mean that the technology, media and telecoms markets across Asia are in fact growing more rapidly than the region generally.

First, the rise in average income levels resulting from GDP growth means that the middle class (for these purposes defined as those on an above-subsistence wage) is doubling every few years. Members of that rapidly growing middle class all have mobile telephones, watch TV, own computers and go to the movies.

Second, as consumers become more assertive and the market size increases, they increasingly want local content, services and applications. Markets with revenue growth and consumer demand are increasingly seeing local suppliers competing, complementing or co-operating with the more established global players.

New EU Data Protection Proposals: what you need to know

Today’s blog post is courtesy of my friends and colleagues Clive Gringras and Claire Walker who have published a helpful guide to the new European Data Protection proposals.

“Today, 25 January 2012, the European Commission unveiled its proposals for far reaching changes to EU privacy legislation.

We foresee the Regulation being in force by 2015. Every aspect of an organisation’s compliance obligations will increase – and there will be fines of up to 2% of global turnover for breach. We highlight the top three immediate action points to consider. We also provide seven further action points to address in the months ahead.

Three immediate impacts

  • Non-EU businesses need to select an EU Member State. Scenario: a large Asian company holds personal data on Asian servers about its many EU customers. It has purposely not established a presence in the EU but will now need to decide which of the EU Member States in which it has customers to appoint its DP representative. It will need to balance the attractiveness of the enforcement approach in that state with other factors.
  • Systems design. Scenario: the architecture for a new IT system is under discussion between the CTO and CEO of a large EU business. To future-proof the system, the CTO must take into account the Regulation’s changes such as allowing consumer data to be permanently deleted (R2BF) and should ensure that all processing operations involving personal data are adequately documented.
  • Outsourcing agreements. Scenario: a five-year outsourcing contract involving data processing is under negotiation. The deal will be signed this year, well before the impact day of the Regulation, which will be some time in 2015. Because the processing will continue after impact day, the parties today need to anticipate in the agreement that their data protection obligations will change.

Please see here for our initial analysis of 10 potential practical impacts.”

PS – thanks for the feedback from some of my blog readers who travelled from Paddington station today. You know who you are!

What will the Trans-Pacific Partnership mean for the technology, media and telecoms industries?

Apologies to readers for the long hiatus between recent blog posts. With hindsight (and English understatement), I may have rather underestimated the time that would be taken up in relocating personally from London to Singapore to set up our office there. It is not without irony that I find the time to write this by being ‘snowed in’ in the European Alps.

It is traditional at this time of year to look back at the events of the year just gone and to look forward to the new year. For the press in general, there seems to be a broad consensus that 2011 was the year when social media came of age, playing a very large part in the changes described as the ‘Arab Spring’, whilst the sad demise of Steve Jobs means that the world has lost an innovator whom I suspect history will compare with Watt, Edison and Ford.

Looking ahead, whilst there are lots of topics that I could consider, the rest of this post will consider the implications of the Trans-Pacific Partnership (or TPP) for the technology, telecoms and media industries. The TPP currently includes America, Australia, Brunei, Chile, Malaysia, New Zealand, Peru, Singapore and Vietnam, whilst Canada, Japan and Mexico have expressed an interest in joining. At their latest summit in November 2011, the leaders of the current nine TPP members published the following statement:

“We, the Leaders of Australia, Brunei Darussalam, Chile, Malaysia, New Zealand, Peru, Singapore, United States, and Vietnam, are pleased to announce today the broad outlines of a Trans-Pacific Partnership (TPP) agreement among our nine countries. We are delighted to have achieved this milestone in our common vision to establish a comprehensive, next-generation regional agreement that liberalizes trade and investment and addresses new and traditional trade issues and 21st-century challenges. We are confident that this agreement will be a model for ambition for other free trade agreements in the future, forging close linkages among our economies, enhancing our competitiveness, benefitting our consumers and supporting the creation and retention of jobs, higher living standards, and the reduction of poverty in our countries.

Building on this achievement and on the successful work done so far, we have committed here in Honolulu to dedicate the resources necessary to conclude this landmark agreement as rapidly as possible. At the same time, we recognize that there are sensitive issues that vary for each country yet to be negotiated, and have agreed that together, we must find appropriate ways to address those issues in the context of a comprehensive and balanced package, taking into account the diversity of our levels of development. Therefore, we have instructed our negotiating teams to meet in early December of this year to continue their work and furthermore to schedule additional negotiating rounds for 2012.

We are gratified by the progress that we are now able to announce toward our ultimate goal of forging a pathway that will lead to free trade across the Pacific. We share a strong interest in expanding our current partnership of nine geographically and developmentally diverse countries to others across the region. As we move toward conclusion of an agreement, we have directed our negotiating teams to continue talks with other trans-Pacific partners that have expressed interest in joining the TPP in order to facilitate their future participation.”

In its commentary, the Economist noted that the TPP plus the interested three constitute over 40% of the world’s GDP – more than the EU. However, there remain serious obstacles to Japan’s accession, and the TPP discussions notably omit China, India, Indonesia and Brazil. It is also unclear whether regional trade arrangements complement or hinder the work of the WTO, as countries prefer to deepen trade within the context of regional agreements in preference to opening markets more generally. Commentators have also remarked unfavourably on the implicit export of a US-centric model of intellectual property law, and it appears that there is significant resistance to the TPP in a number of countries including the US, Malaysia and Japan.

So, what might come out of the current negotiations? A background paper published alongside the negotiations summarised the agreement in more detail. Some of the sections that caught my eye were:

  • Investment. The investment text will provide substantive legal protections for investors and investments of each TPP country in the other TPP countries, including ongoing negotiations on provisions to ensure non-discrimination, a minimum standard of treatment, rules on expropriation, and prohibitions on specified performance requirements that distort trade and investment. The investment text will include provisions for expeditious, fair, and transparent investor-State dispute settlement subject to appropriate safeguards, with discussions continuing on scope and coverage. The investment text will protect the rights of the TPP countries to regulate in the public interest.
  • Technical Barriers to Trade (TBT). The TBT text will reinforce and build upon existing rights and obligations under the World Trade Organization Agreement on Technical Barriers, which will facilitate trade among the TPP countries and help our regulators protect health, safety, and the environment and achieve other legitimate policy objectives. The text will include commitments on compliance periods, conformity assessment procedures, international standards, institutional mechanisms, and transparency. The TPP countries also are discussing disciplines on conformity assessment procedures, regulatory cooperation, trade facilitation, transparency, and other issues, as well as proposals that have been tabled covering specific sectors.
  • Cross-Border Services. TPP countries have agreed on most of the core elements of the cross-border services text. This consensus provides the basis for securing fair, open, and transparent markets for services trade, including services supplied electronically and by small- and medium-sized enterprises, while preserving the right of governments to regulate in the public interest.
  • E-Commerce. The e-commerce text will enhance the viability of the digital economy by ensuring that impediments to both consumer and businesses embracing this medium of trade are addressed. Negotiators have made encouraging progress, including on provisions addressing customs duties in the digital environment, authentication of electronic transactions, and consumer protection. Additional proposals on information flows and treatment of digital products are under discussion.
  • Intellectual Property. TPP countries have agreed to reinforce and develop existing World Trade Organization Agreement on Trade-Related Aspects of Intellectual Property (TRIPS) rights and obligations to ensure an effective and balanced approach to intellectual property rights among the TPP countries. Proposals are under discussion on many forms of intellectual property, including trademarks, geographical indications, copyright and related rights, patents, trade secrets, data required for the approval of certain regulated products, as well as intellectual property enforcement and genetic resources and traditional knowledge. TPP countries have agreed to reflect in the text a shared commitment to the Doha Declaration on TRIPS and Public Health.
  • Telecommunications. The telecommunications text will promote competitive access for telecommunications providers in TPP markets, which will benefit consumers and help businesses in TPP markets become more competitive. In addition to broad agreement on the need for reasonable network access for suppliers through interconnection and access to physical facilities, TPP countries are close to consensus on a broad range of provisions enhancing the transparency of the regulatory process, and ensuring rights of appeal of decisions. Additional proposals have been put forward on choice of technology and addressing the high cost of international mobile roaming.

Whilst the barriers to implementation of the TPP (noted above) and the details, particularly around the detail of the IP arrangements (e.g. copyright term and software patentability (or not)), mean that negotiating and implementing the TPP is by no means a foregone conclusion, the increased ability for companies in the TMT sector to invest directly in increasingly liberalised markets and to offer cross-border services, whilst having adequate protection of their intellectual property, will be positive for companies in those sectors.