November 01, 2022
Heading into 2023, Asia’s tech scene is well-positioned for strong growth potential. As with any industry where advancement and innovation are outpacing regulation, the complex landscape can be difficult for businesses to navigate their operations, particularly in the Asia region where a universal approach does not fit. From adapting to new realities in emerging industries such as the metaverse and fintech; to compliance and commitment to environmental, social, and governance (ESG); to a heightened emphasis on national security in deal consideration, including sensitive personal data, global and domestic entities doing business in the region should be aware of key legal trends and regulatory developments in order to remain internationally competitive. In an article based on Morgan Lewis’ inaugural Asia Technology Innovation webinar series, we explore some of these pressing issues and provide some preliminary insights into what can be anticipated for Asia’s tech sector.
- The Metaverse: Opportunities and Challenges in China and Singapore
- ESG Strategies
- IP Enforcement Trends in China
- China’s Data Privacy Regime
- CFIUS and Other National Security Factors
- Disputes Involving Founders and Startup Companies
- Mergers and Acquisitions (M&A) Due Diligence
THE METAVERSE: OPPORTUNITIES AND CHALLENGES IN CHINA AND SINGAPORE
“Metaverse” is generally used to describe any virtual world where users can interact using digital avatars. There are seven layers to any metaverse: infrastructure, human interface, decentralization, spatial computing, creator economy, discovery, and experience (such as games, social interactions, esports, theater, and shopping). Users create an avatar and can then enter existing metaverses through a virtual-reality headset or from a computer, tablet, or phone.
China’s Regulatory Outlook
Like many jurisdictions globally, China recognizes the importance of developing its digital economy amid rapid developments around the world. Although it does not reference the metaverse directly, China’s Plan for Development of the Digital Economy includes terms and covers concepts that would be applicable to the metaverse, such as blockchain and virtual reality.
- There are significant concerns regarding money laundering and the potential impact of the metaverse on China’s financial markets. For these reasons, China has a particularly robust stance on cryptocurrencies, which have been effectively banned in China since September 2021.
- Despite restrictions, certain NFT markets remain strong that operate on permissioned blockchains, with transactions conducted in Chinese Yuan and not any cryptocurrencies. With many new digital collectible platforms launching every month since early 2021, the buoyant trend seems set to continue well into 2022.
Singapore Regulatory Outlook
There has yet to be any targeted legislation addressing the metaverse; however, there are some regulations that would affect offerings made therein. For example, Singapore’s Remote Gambling Act explicitly prohibits online gambling. If online gambling operators set up a casino in the metaverse, they will need to consider steps to disable access by Singapore users to avoid contravening the law.
- With the explosion of cryptocurrency offerings, some casino games in the metaverse may conduct these games with utility tokens for rewards. If these tokens are not considered “monies worth,” then the Singapore law will not treat those games as gambling activities. However, if these tokens are exchangeable for fiat currency or other “monies-worth” items, these activities would be prohibited.
- Operators who offer tokens exchanges on the metaverse may be conducting digital-payment token services, and these activities are regulated under the Payment Services Act and the Financial Services and Markets Act of Singapore. Again, those operators in this space may need to explore restricting access from Singapore users to adhere to the laws.
Looking Ahead in Asia
In five to 10 years, it is very likely that we will see additional legislation from the region relating to the metaverse and a possible convergence of approach as we learn more from what the metaverse has to offer and how it operates. It is also worth noting that “real-world” regulation, particularly in the financial services space, would likely be sought to be replicated in the virtual metaverse space.
With Forbes calling ESG factors the “biggest economic trend of 2021,” many technology companies are at an inflection point as they evaluate adopting a full suite of ESG strategies into their overall business plans. There is no one-size-fits-all approach for tech companies as executives evaluate the many factors related to ESG. With shareholder advisory firms, environmental groups, stakeholders, government regulators, lawmakers, rating agencies, and lenders more closely scrutinizing ESG-related everything, there are some key issues for tech companies to consider when adopting an ESG strategy.
The E: Environmental
- Ten years ago, few companies outside the energy industry were even measuring their greenhouse gas emissions, much less charting a road to net-zero emissions. But today, there appears to be a sea change, with tech companies releasing detailed reports on what they are doing to promote net-zero emissions in their products and supply chains.
- Not many countries in Asia have yet committed to net-zero targets or strategic national plans, while the United States and Europe tend to have more robust climate-related regulations in place. Many tech companies in Asia have not released voluntary disclosures related to environmental plans or emission levels, which tend to draw the attention of enforcement bodies.
- ESG initiatives in Asia are largely led by governments for a wide-ranging, top-down approach, as opposed to a more bottom-up, grassroots approach in the United States.
The S: Social
- The rules around the “S” of ESG are even more amorphous, as there is a general push for more diversity from stakeholders and shareholders but very little in terms of mandates or government regulations in the United States. The same holds true in Asia, where diversity tends to focus on gender and not on racial diversity. Large multinational corporations, including banks, life sciences companies, and tech companies, are driving the demand for more data related to diversity. This creates a challenge around privacy concerns in both the collection and the use of that data, especially from the employees themselves.
- By committing to their workforces’ well-being, many companies have seen a positive impact on their long-term business by reducing turnover and positively engaging with their community. But there are also concerns that increasing employee wages or allocating resources to diversity and inclusion initiatives could take away profits from a company’s bottom line at a time when a number of economies are showing economic uncertainties and less positive economic indicators.
- After the Uyghur Force Labor Prevention Act became effective in June 2022, countries and companies doing business across the Asia Pacific are more closely reviewing where they source their goods to ensure that workers across all supply chains are treated ethically. It has also significantly affected tech companies, as several key components for the world’s tech products are manufactured in scrutinized regions in China.
The G: Governance
- ESG disclosures are driven by a number of factors, including to share positive or socially impactful outcomes, to avoid negative public relations, to appease activist shareholders, and to fulfill contractual requirements. But those disclosures are, in part, what drives an uptick in regulations and standards because there is currently little uniformity in the way individual companies report disclosures.
- In November 2021, the International Financial Reporting Standards Foundation announced a new International Sustainability Standards Board to be charged with developing global ESG disclosure mandates. In July 2021, the Global Reporting Initiative announced that it was working with the European Union on sustainability standards. In June 2022, China published its first ESG disclosure standard, the Guidance for Enterprise ESG Disclosure, which has a strong focus on Chinese laws, regulations, and policies. Other countries in Asia, including Singapore, Hong Kong, Japan, and India, have issued new or more stringent climate-change or sustainability report requirements for public companies in the last two years. And in the United States, both the Securities and Exchange Commission and the Department of Labor are taking the lead on more detailed disclosure mandates.
Tech companies play a unique role in this global transition to embracing ESG. It is not just that tech companies need to consider ESG as part of their own business strategies; the ESG movement needs tech companies to be successful. With a focus on digital transformation and IT innovations in order to meet ESG objectives, new technology will be the lynchpin for nearly all companies to improve their products and processes to meet ESG commitments.
In our recent 2022 Asia Technology Innovation Series presentation, “Why Technology Companies Should Care About ESG Issues,” we discussed how technology companies—both public and private—have addressed ESG issues internally and externally and why it is important to their various stakeholders including stockholders, investors, employees, and customers.
IP ENFORCEMENT TRENDS IN CHINA
Comprising tiers of specialized IP courts within its court system, China has bifurcated judicial and administrative proceedings for those seeking to protect and enforce against a patent infringement. The judicial route is more commonly used first, in which a case would pass through the Intermediate People’s Courts, High People’s Courts, and ultimately the Supreme People’s Court.
The administrative route operates through a local IP office or, if the case is of national significance, the China National Intellectual Property Administration to request administrative enforcement, such as requests to cease infringement and to issue administrative penalties, but notably no damages are awarded through this route. A patentee or an interested party may take the administrative route first and then the judicial route, but they cannot be undertaken concurrently. An administrative proceeding is much shorter and cheaper than a judicial proceeding. Trends drawn from recent cases in China include:
- Pro-patentee shift: In the past, patentholders in China often had trouble proving damages from infringement; however, recent cases have shown an increasing pro-patentee shift.
- High Damage Awards: Chinese courts have entered exceptionally high damage awards in cases in recent years. Awards have been ordered up to 160 million Chinese yuan ($26 million), which is the highest damages award in the Chinese appliances industry.
Key cases have considered whether a licensee can disclose or use trade secrets after the confidentiality period stipulated in a license agreement expires, as well as the use of customer information by ex-employees in divulging business secrets of their former employers.
Some interesting cases have come to light in the copyright space, including the violation of a general public license agreement by abusing open-source code; emphasizing the importance of understanding, monitoring, and tracking an open-source software license; and selecting the one that best suits a business. In addition, in relation to copyright protection sought for gaming maps, it was found by the courts that a game map can be protected as a graphic work, as can its game scene thumbnail, and that the spatial layout structure of a game is the core offering in many cases, especially for shooting games.
In 2021, there were some significant rulings in the trademark sphere, ranging from disputes relating to packaging look and feel to the use of certain terms to describe food and beverages. Each provided important guidance for those seeking to enforce on grounds of trademark infringement.
In our recent 2022 Asia Technology Innovation Series presentation, “IP Year in Review: Important Chinese Cases Decided in 2021,” we discuss which cases will affect your company’s litigation, patent prosecution, or manufacturing strategy.
CHINA’S DATA PRIVACY REGIME
Multinational tech companies handle significant amounts of often potentially sensitive personal data. The three most critical legal frameworks for data protection affecting global tech companies in China are the Cybersecurity Law (CSL), which took effect in 2017, and the Data Security Law (DSL) and Personal Information Protection Law (PIPL), both of which took effect in 2021. These laws demonstrate the Chinese government’s aim in enhancing data protection supervision, specifically with respect to data that will impact data security and national security. Over the last year, a series of guiding regulations and national standards have been rolled out, further clarifying the new regulatory requirements. This includes most recently the Security Assessment Measures for Cross-Border Data Transfers. Effective from September 1, 2022, these apply to corporations transferring data from China to overseas countries/regions, with a six-month grace period for companies to take remedial actions to complete the government security assessment as required.
Issues Affecting Multinational Technology Companies
- The Chinese data protection laws require companies acting as data handlers (a concept under the PIPL, similar to data controllers under the EU General Data Protection Regulation) to obtain informed and separate consents from the data subjects for the collection, processing, and cross-border transfer of personal information (limited exceptions apply).
- For data localization and cross-border transfers, a security assessment by the Cyberspace Administration of China, certification by a qualified institution, or standard contract may be required, depending on the types and volume of the data to be transferred cross-border.
- Global tech companies must also comply with the Multi-Level Protection Scheme (MLPS), developed to identify the nature of systems deployed and data handled in China and whether and to what extent it could raise cybersecurity concerns.
- Specific Regulations on Mobile Applications (Apps): Technology sector–specific regulations follow the general principles of the PIPL, DSL, and CSL but impose additional privacy and cybersecurity obligations.
Proactive Steps to Mitigate Compliance Risks
- Perform data mapping to understand categories and location of data and identify important data, personal information, and sensitive personal information that the company is processing.
- Perform a gap analysis of the current data-related policies, both internal employee notices and external-facing privacy notices and policies, to comply with the informed consent requirements.
- Establish a risk-assessment process for major data processing activities, covering the processing of important data, (sensitive) personal information, and cross-border data transfers, including the internal assessment and government reporting obligations.
- Conduct the MLPS as soon as possible.
- Understand the localization requirements and (if required) implement localized storage within China.
- Understand any app-specific requirements and take actions to be fully compliant.
In our recent Asia Technology Innovation Series presentations, “China’s Privacy Regime: What Tech Companies Need to Know,” and “China’s Data Protection Regime: How to Manage Cross-Border Data Transfer in China – Part II,” we provide an overview of China’s PIPL, DSL, recent regulatory guidance, and their impact on the technology industry, cross-border transfer of data and technology, and relevant data privacy compliance issues.
CFIUS AND OTHER NATIONAL SECURITY FACTORS
There are many international and Asia-based investors looking to invest in companies in the United States for both strategic and commercial reasons, and in return they offer attractive sources of funding. Often, financial investments are coupled with strategic partnerships, including licensing, collaboration, and co-development agreements; and joint ventures, with the aim of growing into a market and acquiring technology, products, and talent abroad. US government examination of such investment has been on a steep rise, which seems unlikely to change in the near future.
Against an increasingly complex US regulatory landscape, it is critically important for foreign investors and their counsel to carefully assess the multiple regulatory regimes that could potentially apply to a transaction. Foreign investors should also consider issues that are likely to be of interest to regulators, including an investment’s source of funding, financial and commercial resources, ownership and control, investment authority, reputation, and regulatory status—for example, whether it is subject to any US sanctions or export restrictions or was a company of concern in prior Committee on Foreign Investment in the United States (CFIUS) filings.
Export Control, Sanctions, and FCPA Compliance
It is key to understand the export-control status of any technology or equipment that might be exported as part of a transaction. Note that exports can be made in the United States by giving a non-US investor or its representatives access to certain technology in the United States. So-called “deemed exports” can occur with hiring non-US citizen or permanent-resident alien employees. Sufficient lead time should be allowed for obtaining any required export licenses. As part of the assessment, a foreign investor should also confirm that it is not subject to US sanctions or export restrictions by reference to various US government lists (e.g., the Consolidated Screening Lists).
Because certain foreign investors are government-owned and controlled, and their representatives are considered foreign government officials, due diligence should also include an assessment of any FCPA risks in any transaction. With transactions that involve strategic partnerships that go beyond a straight investment by a foreign investor in the US company, care must be taken by the US company so that no funds transferred to the foreign investor or its representatives violate the FCPA antibribery provisions or will be used by the foreign investor or its representatives in violation of the FCPA with respect to foreign government officials.
US Government Restrictions
If the US company has any grants, contracts, or other sources of funding from the US government, there may be further compliance obligations. US government rights under the Bayh-Dole Act may also require manufacturing in the United States, although waivers may be granted in certain situations.
The US government is increasingly using federal assistance as a means of ensuring domestic production and supply. One recent example is the CHIPS and Science Act, which requires that any US semiconductor company that receives federal financial assistance under the CHIPS Act must notify the Department of Commerce and seek clearance of any significant transactions involving the material expansion of semiconductor manufacturing capacity in China.
A key focus of FIRRMA, the latest comprehensive amendment to national security reviews adopted in 2018, is Technology, Infrastructure, and Data businesses. It is important for international investors in US companies to determine whether the US companies have “critical technology,” “critical infrastructure,” or “sensitive personal data” for CFIUS purposes. With respect to sensitive personal data in particular, even if it is not a core part of the business, data is an increasingly prevalent part of many businesses, and it should be assessed to determine whether data, even if collected and maintained incidental to a company’s business activities, triggers CFIUS jurisdiction.
Recent statistics released by CFIUS suggest an increased use of the new, streamlined Declaration process for lower-profile, noncontroversial cases, including ones for which a mandatory filing is required but the parties do not anticipate any national security concerns. In 2021, almost three-quarters of Declarations received CFIUS clearance.
Although CFIUS has reportedly been devoting increased resources to “non-notified” transactions, in 2021 CFIUS only reached out to parties in 135 transactions, and, of those, only pulled eight in for review. However, companies still need to carefully consider their potential liability for not filing in a transaction subject to CFIUS jurisdiction and assess both the risk of CFIUS pulling in the transaction and the potential remedies that CFIUS might seek, which could include mitigation or divestment.
Contractual language can be included to address CFIUS issues, and various strategies may be developed to address CFIUS concerns.
Outbound Investment Review
Although the outbound investment review process contained in the America COMPETES Act was not ultimately included in the CHIPS and Science Act, both Congress and the executive branch remain interested in reviewing US outbound investment for national security risk. If Congress does not include outbound investment in other legislation, the White House may unilaterally establish such a regime through an executive order. While such a regime would be carefully scoped, it would still be a significant change and would open up large numbers of transactions to new regulatory review.
In our recent 2022 Asia Technology Innovation Series presentation, “CFIUS Considerations with Foreign Investors,” we discuss how companies can successfully address novel issues when considering noncontrolling investments from foreign investors, which may affect your fundraising options.
DISPUTES INVOLVING FOUNDERS AND STARTUP COMPANIES
Conflict often arises in the venture capital sector when there is a fundamental mismatch between expectations between investors, management, and/or the founder of the company. This could be driven by a number of factors such as an investor’s lack of deep knowledge of a startup company; lack of trust in the broadest sense, not just relating to competence or business acumen, but in the sector; and jurisdictional expertise of a founder or investor. Founders can also sometimes feel there is excessive management oversight, and founders actively try to curtail investor control due to the investors’ lack of understanding of the business and its aims.
Typical disputes tend to occur when investors would like to remove the founder and replace management. There might be an investigation into misconduct if the founder has fraudulent accounts, which is often a reason for conflict. Convertible loan defaults and breaches of contract or fiduciary duties are also common reasons for disputes. Business entities should consider some risk-mitigation tools:
- Create strong contractual documentation at the time of the initial investment. This can be negotiated during subsequent funding rounds, and it can also include terms to curb founder powers, such as a “gross misconduct” clause.
- Have strong corporate governance controls and ensure that they are revisited and amended.
- Appoint independent lawyers. Retain independent lawyers who are not linked to the founder to advise the company and the board. Also, keep lawyers who are involved in contentious reviews and investigations separate from the company’s general corporate counsel.
- Include the provision for an independent audit/review in documentation, which can help to shift factfinding and financial irregularities to a more neutral forum. It can also form the basis of misconduct review in the context of a leadership change.
- Keep the lines of communication open with the board and chairperson, with regular updates to spot any signs of irregularities.
- Ensure that whistleblowing can be safe and, if need be, anonymous, and allow direct access to board members for certain categories of complaints.
We discussed these issues, in addition to taking a deeper dive into case studies, and more, in the presentation “Technology Disputes Involving Founders and Startup Companies in Asia,” which is part of our 2022 Asia Technology Innovation Series.
M&A DUE DILIGENCE
Mergers and acquisitions (M&A) activity in Asia’s technology sector raises unique considerations for both buyers and sellers around deal structure and regulatory nuances that various sectors and jurisdictions present. Those related to the financial sector, e.g., insurtech and fintech businesses, tend to be highly regulated and may come with additional oversight. With governments stepping up deal intervention on the grounds of national security, the likelihood of regulation increases.
Sometimes the end goals of respective parties do not align, making certain deals unviable. It is important to conduct thorough due diligence to ensure both buyer and seller are on the same page.
Below are some specific due diligence considerations:
- Data privacy laws exist in more than 120 countries worldwide with enforcement steadily rising. Inadequate compliance can directly impact revenue and potentially cause severe reputational risk. Always consider the level of risk related to data privacy.
- This is particularly relevant for Big Data, software as a service, and cloud computing services deals, and for tech providers in sectors with heavy privacy regulation, e.g., those involving health, financial services, children, and any industry that collects personally identifiable information.
- For technology companies, intellectual property (IP) is a primary asset. Note that a buyer may inherit liability for infringement and litigation over ownership issues. The breach of representations and warranties in customer and supplier agreements can also result in costly indemnification obligations.
- Seek a thorough and detailed IP due diligence request list covering patents, trademarks, copyrights, trade secrets, and licenses.
- Many companies do not know what is in their open-source software code, nor do they have policies to protect it. This can present challenges in the M&A context where there is an eventual loss of ownership or of exclusive rights, resulting in the inability to assert patent rights against others or defend your claim. Representations and warranties in customer contracts could be breached, resulting in indemnity liability and reputational risk.
- Consider conducting an audit via a third party and act accordingly on the results.
- Employees are particularly valuable to tech companies and an important part of the due diligence process. Acquisitions can be stressful for target employees, and it is important to balance the “deal reward” and the “retention component” to maximize the likelihood they remain with the company.
For those engaged in Asia’s technology scene, there is a great deal of opportunity but much yet to navigate on the regulatory front. It is therefore prudent to fully understand the jurisdiction and sectoral nuances before diving in.