Introduction

Bad faith trademark applications are a problem in any first to file jurisdiction, including China. A bad faith trademark application is one where the objective is to improperly acquire the brand recognition and benefit of another party, or to prevent another party from registering their trademark, and so to gain a commercial advantage.

The problem is particularly acute in “first to file jurisdictions” like China because there is usually no enquiry into actual or intended usage in the trademark registration process.

China is a jurisdiction where registering a known trademark has been very profitable and there are many reported instances involving high profile brands.

Trademark registration policies in China have traditionally required such a high level of proof of bad faith that it was extremely difficult to establish. Not impossible, we have had many successes where our client has had the level of proof needed, but very difficult.

China’s bad faith regulatory changes

China has clarified the need for trademark applications to be bona fide for commercial purposes. In 2019 new provision were added to the Trademark Law, among them: “A trademark application that is malicious and not filed for the purpose of use shall be rejected.” Later that year this was amplified by Regulations. In 2021, the China National Intellectual Property Administration (“CNIPA”) announced that it was cracking down on bad faith registrations.

Taken together it is clear that there is an official intention to regulate trademark registration and bring a commercial requirement into China’s first to file regime.

The official message is clear, but opportunists will still try to get their profits. The real message for foreign applicants and registrants is to take action in China.

Recent practical examples of bad faith

Derek’s* case

Derek told a home country friend about his China problems. As it happens, she was a professional colleague and referred him to us.

Derek’s China problem was not uncommon. He found that an OEM he had dealings with had applied to register “his” trademarks in China. He had engaged a China trademark agent to object during the gazettal period, but that had failed, and the trademarks proceeded to registration.

We asked him to send all the documents that he had, reviewed them when received, and came back to him with our recommendations and our fee. His initial reaction? “The other agent was cheaper!”

We explained what needed to be done for a successful case and he agreed to proceed with an action at the CNIPA to invalidate the trademarks.

We examined Derek’s materials in detail and found that the failed objection application lacked focus and that crucial evidence to support his case had not been fully translated into Chinese.

Our invalidation case was built around the relationship between Derek and the OEM and prior use of his trademarks in China:

  • Evidence of the dealings between Derek and the OEM including their signed MOU; Derek’s purchase orders; OEM’s commercial invoices to Derek; and related email correspondence.
  • Secondary evidence showing Derek’s prior use of his trademarks before the OEM trademark application; documents showing Derek’s participation in exhibitions in China; purchase orders placed by Derek with other suppliers; bills of lading; and related commercial documents.

The CNIPA accepted our submission that the evidence proved that Derek and OEM were business contacts; OEM was aware of Derek’s trademarks at the time they applied to register identical trademarks to Derek’s on the same and similar goods; and there had been genuine prior use of the relevant trademarks by Derek within China.

We have received the formal notice of invalidation from the CNIPA.

Maria’s* case

Maria’s company is a global supplier of goods to the fitness and martial arts community. They have valid China trademarks for certain goods in Classes 28 and 25.

Maria changed to a new China distributor for her goods. She later found that a company associated with her former distributor (“Applicant”) had applied to register her trademarks in Classes 9 and 35, which were not similar goods or services to the Classes 28 and 25 covered by Maria’s registration.

Maria was referred to us near the beginning of the gazettal period for the Applicant’s trademarks. Maria had ample evidence and we assisted her to raise an objection with the CNIPA.

Our submission included evidence of:

  • The previous distribution relationship, including Maria’s documents authorising the previous distributor
  • The relationship between the previous distributor and the Applicant. This included company searches which revealed that the same individuals were the senior management of the previous distributor and the Applicant.
  • The Applicant had also applied to register many other famous brands in addition to Maria’s, showing that their intention was to benefit from the branding and reputation of others.

The CNIPA accepted our submissions and we have received the official notice that the objection was successful.

Commentary

The changes to China’s trademark regime are very welcome and recent experience suggests that they are being implemented.

Derek’s case is conventional and the successful submissions showing bad faith reflect that.

Derek’s experience confirms that price is not everything in trademark work – value is the key. It also confirms, yet again, the importance of translation for China work. Good Chinese translation is important in China. Putting untranslated material before a Chinese court or tribunal is an exercise in futility. In China, as a general rule, if it is not in Chinese it is not there.

Maria’s case was more challenging to show bad faith and the evidentiary burden was higher. Without being able to show the close management link between the previous distributor and the Applicant it would have been much more difficult to succeed. The expense of searches was warranted. Similarly, being able to show that Maria’s experience was not isolated but part of an apparent scheme to register foreign trademarks as their own was important.

As anywhere, successful cases are founded on understanding the law, attention to detail, and admissible, relevant evidence.

Take-aways

  • China has clearly signalled that it is cracking down on bad faith trademark applications.
  • Foreign applicants and trademark owners should take action in China to protect their interests.
  • Contested matters in China are run on documentary evidence. It may take time and effort to gather it, but it is essential for success.
  • Good translation is important in the presentation of a case.
  • Cheap is not always confined to price and is a poor indicator of value.

*Names changed to maintain confidentiality

WEI Xin & ZHAO Wei

# If you would prefer to have articles in printable PDF format, please let us know by email. #

Introduction

Personal data is getting increased attention globally. China has enacted a new law to regulate the collection, storage, and use of personal data. It comes as China has turned its attention to technology, Internet and other areas of business where personal data is collected. China is not alone in this: there is increased attention being paid to personal data in many jurisdictions, including, most recently, the US where reports indicate that the FTC is considering strengthening privacy rules. (Alternative link)

Internet related business has probably made greater strides in China than just about anywhere. On-line purchases are the first choice for the aspiring middle class and young people. Almost anything can be delivered to your door. Any city is alive with delivery vehicles of one sort or another. This activity has brought with it many different forms of payment, primarily by phone Apps.

Concurrently, of course, this unification of personal, commercial, and financial data has fuelled a huge trade in and based on personal data collected by whatever available means.

This is the context for the new law. China has decided that this trade based on personal data, Internet based or not, must be regulated.

The Personal Data Protection Law

The Standing Committee of China’s National People’s Congress adopted the Personal Information Protection Law (“Law”) on August 20, 2021, with effect from November 1, 2021. It is a substantial piece of legislation with 74 Articles set out in 8 Chapters. Previously there were only guidelines and regulations governing collected personal data. The Law formalises and unifies the approach to these issues. The Law lacks detail in some of its provisions and the implementing regulations are expected to be put in place to provide this.

Application of the Law

The Law applies to:

  1. any activities in China processing the personal data of an individual; and
  2. any activities outside China processing the personal data of an individual in China where the activities are for:
  • providing products or services to an individual;
  • analysis or evaluation of the behaviour of an individual; or
  • meeting other circumstances provided by law.

Processing” includes activities to collect, store, use, process, transmit, provide, disclose, or delete personal data.

Personal data as defined in the Law only refers to data that can be used to identify a person. Anonymized personal data is expressly excluded from the scope of the Law.

Processing Requirements

Personal data must be processed:

  • lawfully and in good faith, securely to prevent any unauthorized access to, leakage of, or tampering with, or loss;
  • for a specific and reasonable purpose and only to the necessary extent;
  • according to publicized rules in an open and transparent way; and
  • properly to ensure that the personal data is accurate and complete for the purpose.

Consent

Except for specific circumstances provided by law – necessary for the conclusion or performance of contract where the individual is a party; fulfilling a statutory responsibility; responding to a public health emergency; etc; personal consent is required for processing an individual’s personal data.

Consent should be voluntary, explicit, and on a fully informed basis. The individual may withdraw consent at any time, but only with prospective effect.

Consent from parents or legal guardian is necessary for individuals under the age of 14 for any of their personal data.

Major Obligations of the Data Processor (“Processor”)

Except as provided by law, or in an emergency, the Processor is required to inform an individual, truthfully, accurately and completely using clear and easily understandable language of the:

  • name and contact details of the Processor;
  • purpose and methods of processing personal data, type of personal data to be processed and how long the data will be kept;
  • rights of the individual whose data is collected and how to exercise them; and
  • other matters to be informed as required by law.

Personal Data Protection Officer

The Processor must designate a personal data protection officer (“Protection Officer”) once the personal data it collects has reached a threshold amount. This is not defined by the Law and is likely to be clarified by the implementing regulations or by the National Cyberspace Authority (“NCA”).

The Protection Officer is responsible for supervising the processing of personal data and the actions taken by the Processor to safely protect it.

If a Processor is located outside China, it should either establish a specific body in China or designate a representative there. It is required to submit the name of the body or the name of the representative and their contact details to the NCA.

The Law is silent on appointing an individual to this role. Directly employing a Chinese individual from offshore can be risky for the offshore employer.

Evaluate the Impact on Personal Data Protection

Before proceeding with the following activities, the Processor is required to evaluate their impact on personal data protection:

  • processing sensitive personal data such as biometric recognition, religious belief, specific identity, medical and health, financial account, personal location tracking and other data of an individual;
  • use of personal data in automated decision making;
  • engaging a third party to process the personal data on its behalf or providing personal data to other Processors, or disclosing personal data;
  • transmitting personal data to offshore; or
  • other activities provided by law.

Additional Obligations for Major Processors

Processors that provide important Internet platform services, have a huge user base or operate a complex type of business (none defined yet), have the following obligations to:

  • establish a sound personal data protection and compliance system;
  • formulate and set out the policies to be followed;
  • set up an independent body composed mainly of external members to supervise their protection of personal data;
  • develop platform rules in accordance with the principles of transparency, fairness and impartiality;
  • these rules should specify the standards for processing personal data and the obligations to protect personal data to be met by the product or service providers operating on their platform;
  • stop providing service to product or service providers operating on their platforms which seriously breach the laws or regulations for the processing of personal data; and
  • publish social responsibility reports on protection of personal data regularly and accept public scrutiny.

Processors’ Shared Responsibility

If two or more Processors share the processing of personal data, they are jointly and severally liable to the individual. Using a subcontract Processor does not relieve the primary contractor of liability.

The Processor is required to regularly audit its operations to ensure compliance with its legal obligations.

Sensitive Personal Data

If the personal data to be processed includes sensitive data such as biometrics, religion, specific identity, medical and health, financial accounts, personal location tracking and the like, the Processor will be subject to stricter rules. Specific consent is required, and very strict protective measures should be in place to protect this data.

Transfer of Personal Data Offshore

A Processor may only transmit personal data offshore as required and necessary, with specific and informed consent from the relevant individual. Data to be provided when obtaining consent includes the name and contacts of the offshore recipient; the purpose and method of processing; the type of data to be processed and transferred; and how an individual can exercise their rights against the offshore recipient, including the procedure for this.

Offshore transfer requires that the Processor meets one or more of the following:

  • pass the cyber security evaluation organised by the NCA;
  • be certified by a professional institution designated by the NCA;
  • have a contract with the offshore recipient to specify their rights and obligations using the standard contract provided by the NCA; and
  • meet other requirements set out by law.

The China Processor sending personal data offshore is responsible for the offshore Processor complying with China’s legal requirements. These include the Chinese security assessments set out in the Law. If these are not met, the personal data must remain on servers located in China.

Individual Rights

As detailed in the Law and subject to its limitations, an individual has a right to:

  • know about and control the use and processing of of their personal data;
  • access and take copies of personal data held;
  • transfer data held to another Processor;
  • correct and complete personal data; and
  • have their personal data deleted once the purpose for which it was provided has been completed. 

Consequences of Breach

The Processor may face both administrative penalties and civil liabilities for breach of their obligations. Administrative penalties could be up to RMB 1 million (Approx USD 155,000); or for serious cases, RMB 50 million (USD 7,752,000) or 5% of the total revenue of the previous year. Further, the individuals whose rights and interests were damaged can seek remedies against the Processor.

The Protection Officer or any other individual directly liable for the breach could face personal liability. Personal liabilities include penalties between RMB 10,000 (Approx USD 1,550) to RMB 100,000 (Approx USD 15,500). Penalties in serious cases go up to RMB 1 million (Approx USD 155,000) or being banned from taking the position as director, supervisor or other senior management or Protection Officer for a period.

Who can take action?

A wide range of aggrieved persons and entities are empowered to take action for misuse of personal data and other breaches of the Law.

Commentary

This article attempts to summarize the key provisions of a substantial piece of legislation. As such it cannot be a substitute for reading and understanding the Law in its complete form.

The Law, as is common with many Chinese laws, is short on the detail required to actually comply with it. Implementing regulations usually provide the essential details and guide administrative bodies on applying the law. In the absence of this supplementary guidance it is difficult for any business to know exactly what they must do to comply with it.

For example, personal data necessary for the conclusion or performance of a contract is an exception for consent, but personal financial data is sensitive personal data, requiring special handling. Which applies to credit card details supplied for a purchase? Is the test necessity?

The Law requires substantial changes in how personal data is collected and processed, imposing obligations that did not really exist before. Businesses will have to develop wholly new methods to comply. Many of the requirements will need software changes, or new software to be effectively implemented. Software takes time to be written and tested, but it is the only practical means to monitor the processing of personal data held in digital form.

The Law imposes very onerous burdens for personal data acquired by businesses located outside China or sent offshore from China for “processing”.

Foreign companies whose business is large enough will need to consider carefully the obligations imposed by the Law. Among them the need to appoint a Protection Officer and ensure their systems are audited. If the data collected meets the threshold, they must also pass the security assessments set out in the Law or store it on servers within China.

Smaller businesses too cannot ignore the provisions of the Law.

Take-aways

  • The Law is comprehensive, but in its present form lacks detail in some key areas. Despite this, prudence suggests that planning for the obligations imposed by it should commence immediately.
  • The obligations imposed upon cross-border transactions are particularly onerous. Dealing with these and the associated costs will have to be managed carefully.
  • Many of the obligations imposed by the Law will require a technical response via software that may not yet exist. The personal data governed by the Law exists in a digital form and can only be monitored and dealt with digitally.
  • Despite any difficulties, there is an obligation to comply. Those that gather and process personal data in or from China need to be preemptive rather than reactionary.

Graham BROWN & PENG Wei

# If you would prefer to have articles in printable PDF format, please let us know by email. #