The fourth industrial revolution is transforming business in South-Asia faster and more dramatically than in almost any other region. Across South-East Asia, from emerging powerhouse economies such as Indonesia and Vietnam, to Singapore, already an established global economy, there is one issue that our clients consistently tell us is their boardroom priority: digital transformation.
With the explosion in smartphone adoption, rapidly-improving broadband infrastructure and a generally young, tech-savvy population, the opportunity for organisations and governments to leverage new technologies to improve services and drive growth is clear – whether it is using digital wallet technologies to transform payments in Myanmar, or leveraging tele-health platforms to bring healthcare services to patients in remote locations in Indonesia and the Philippines.
Many of these technologies are being built on cloud services, often provided by third party service providers. The cloud offers the ability to expand to new markets or new businesses faster than ever before. However, these new opportunities can come with new challenges and, like every transaction with a supplier, customers need to assess any associated risks . We have covered the region’s increasingly-supportive regulatory environment for cloud adoption in previous posts. This post focuses, instead, on an often-overlooked legal consideration in moving to the cloud – intellectual property (IP). What are the IP considerations associated with a move to the cloud for organisations in South-East Asia, and how can they be addressed?
The IP landscape for companies in South-East Asia
Let’s start by looking at the IP landscape in the region. There is a tendency to generalise about IP in South-East Asia. This is a mistake. While every country in South-East Asia has an IP regime designed to protect rights holders through patents, copyright, trade marks, and so on, it is still incorrect to assume that there is any real consistency across jurisdictions.
Despite efforts to harmonise at an international level, the landscape still differs significantly from one country to the next – both in terms of the underlying legal framework and, even more so, in terms of the approach to enforcement. There is little value in comparing Vietnam, which has substantial room for improvement in terms of its patent system and approach to enforcement against infringers, with Singapore, which has a more-established system and is investing in becoming an IP hub for the region.
What this all means for companies who do business across South-East Asia is that the picture is one of fragmentation, uncertainty and risk. Although the commercial team may regard South-East Asia as a single trading area, the legal and compliance team needs to navigate the myriad different legal systems and advise their board accordingly.
The key challenges include vaguely-drafted IP laws and regulations (such as ill-defined requirements for technology transfers), a lack of specialist IP courts and judges leading to unpredictable litigation outcomes, a growing number of patent assertion entities (also known as “patent trolls”) and a lack of enforcement by the authorities in many countries.
Why the growing focus on IP in South-East Asia?
The digital economies of the fourth industrial revolution will have a far greater emphasis on intangible assets. While traditional businesses leveraging physical assets will continue to play a role, the fourth industrial revolution will see every business become a digital business.
The intangible assets of digital businesses can only be protected through legal mechanisms such as confidentiality and intellectual property rights, including patents, copyright and trade marks. Every digital business needs to have an IP strategy, both in terms of protecting its own assets and in terms of defending itself against potential infringement claims.
This is no different for companies who use the cloud than those using on-premises servers. However, the cloud gives rise to a number of new IP considerations.
How can IP be infringed in the cloud?
Unfortunately, IP risks do not disappear when information is stored in the cloud. Let’s say Company A is one of the growing number of digital, technology-powered businesses in South-East Asia. If the cloud services it uses, or the applications and services it runs on those cloud services, incorporate code that is owned by Company B, then Company A may have infringed Company B’s intellectual property rights – including copyright and/or patents.
If Company B decides to bring an infringement claim, it could be very costly for Company A – not least since Company B might be one of a growing number of patent assertion entities, companies that exist to acquire and enforce patents through litigation. Whilst Company B may be discouraged from bringing a claim in the first place because of the uncertain intellectual property landscape in much of South-East Asia, it might also decide to take advantage of that uncertainty by bringing a claim against Company A, for whom the uncertainty (and risk of many years of litigation with an uncertain outcome) might be enough to drive it to settle.
What are the key IP risks in the cloud, and how can they be addressed?
There are at least three key risk areas – but, fortunately, each of them can be managed through practical measures.
The jurisdiction risk – where are my data and services and what rules apply?
As outlined above, one of the key challenges in South-East Asia is the lack of consistency across jurisdictions. IP rights are territorial in nature – but digital businesses are increasingly international. Storing data and services in the cloud across multiple jurisdictions can generate some new challenges when it comes to establishing what laws apply and assessing the company’s exposure under those laws. This is because IP infringement claims are typically linked to the location(s) in which the infringing act occurs. In the case of the cloud, without knowing where data and services are located, it can be almost impossible to establish how laws will apply – or even what laws apply.
The solution, here, is simply to understand where the data and services will be located. Not only is this important for data protection reasons, it is also essential from an IP strategy perspective, since until the cloud customer knows where data and services will be hosted, it cannot quantify the IP risk.
With that in mind, cloud customers should ask themselves, as part of their due diligence on a cloud services provider, whether it is transparent as to where data will be stored. If it cannot confirm the geographies or locations in which data and services will be stored, that increases the uncertainty as to where an IP infringement claim could potentially be made, and therefore the risk to the cloud customer.
The confidentiality and security risk – is my proprietary information kept confidential and secure?
Much has been written about the need for confidentiality and security in the cloud – however, this is usually looked at from a data protection perspective. These issues also matter from an IP perspective.
Organisations are increasingly using the cloud for all categories of data – including commercially-sensitive data and proprietary information. If that information were to leak into the public domain through a data breach incident, the organisation could be exposed to IP risk. Not only could the organisation lose the first-mover advantage, which could be relevant (amongst other things) to future patent applications, it could also find itself having to bring an IP claim against an unscrupulous competitor in an unfamiliar jurisdiction who leverages the stolen technology without its consent.
Of course, this does not mean that organisations should view the cloud as intrinsically less secure and therefore limit themselves to on-premises solutions. In fact, with billions of dollars of investments in cloud security by the biggest players, cloud actually has the potential to enhance security versus on-premises solutions. The answer, instead, is to carry out thorough due diligence on the service provider and its security and confidentiality practices. This should happen both at an operational level (e.g. is the service provider certified against international security standards?) and at a contractual level (e.g. does the service provider make contractual commitments as to data security and confidentiality?)
The service provider risk – what happens if their technology infringes third party IP and I get sued?
What about a situation in which an IP infringement claim is caused not by the cloud customer’s own materials and code but because of the service provider’s code? This is certainly a risk area that cloud customers will want to ensure is addressed, particularly at a time when patent assertion entities are becoming more active.
On the one hand, the cloud customer may take the view that, in all likelihood, the infringement claim will be brought against the cloud services provider – not least if the cloud services provider is a large international company with deep pockets. This is true, to an extent, but the large cloud services providers also have very large and sophisticated legal teams, not to mention a vast catalogue of many thousands of patents, which it can use to defend or counter-sue. A cloud customer may not have all of these protections – and, in the uncertain IP landscape of South-East Asia, may be more inclined to settle than face years of expensive litigation with a patent assertion entity.
The practical solution lies, as always, in a fair and commercial allocation of risk between service provider and customer in the services contract. There is no magic in this issue – just as they would in any services contract, customers can ask their services provider for appropriate protection in relation to third party claims. The problem is that the standard contracts of some cloud services providers don’t always contain this type of protection.
Fortunately, the position is starting to change. Given the growing focus on legal and regulatory considerations with cloud adoption, cloud services providers are starting to compete not just based on technical specifications and service offerings but also based on their contractual offerings. Microsoft, for example, recently announced that it would offer uncapped IP indemnification coverage against third party claims through a program it calls “Azure IP Advantage”. It remains to be seen whether indemnification will become an industry standard but undoubtedly IP indemnification is an “ask” that service providers should be prepared for customers to raise in negotiations.
Conclusions – managing IP risk in a digital South-East Asia
Digital transformation is already a boardroom priority for organisations in South-East Asia and that is not going to change. It is becoming a matter of when, rather than if, organisations will take advantage of new technologies, including cloud computing.
A key part of this journey will be managing the associated legal and regulatory considerations that arise through the use of these technologies. Just as organisations have found ways to manage regulatory compliance risks, such as privacy and data security considerations, even in the most highly-regulated sectors, so too will they need to find solutions to manage the IP risk. The measures above are the bare minimum they should expect their services provider to support.
The position will no doubt continue to evolve – but as South-East Asia transforms through cloud technologies, and as economies place more emphasis and value on intangible assets, management of IP risk will be a key measure of success.