Joyce A. Tan & Partners LLC

 Introduction  The National Electronic Health Record (“NEHR”) system was set up with the goal of serving as a repository to collect different types of data of the patients’ summary health conditions and records based on their encounters with healthcare professions and clinicians throughout their life. The primary purpose has always been salutary - i.e. to enable greater coordination and informed decision-making as well as to support more accurate diagnosis, better treatment and patient-centric integrated care[1]. Indeed, the Singapore Health Information Bill (“SG HIB”) appears to focus on this mission as it is stated as intended to “ensure that health information is kept updated, accurate and accessible by healthcare providers”[2]. One key way in which the SG HIB will do this is by enacting rules which require the mandatory contribution of health information into platforms such as NEHR[3], by all organisations which are licensed to provide healthcare services, under the omnibus healthcare licensing law, the Healthcare Services Act 2020 (also known as “HCSA”). Does the SG HIB present an opportunity to do more? Such data can have great potential value. The types of data collected include patient demographics, admission and visit history, discharge summaries, laboratory results, radiology results, medication history, history of surgeries or procedures and allergies and adverse drug reactions1. Imagine the utility of such information, if the legal and technical conditions were ripe for use of this data. If used responsibly, such information could help pioneer medical treatments, establish disease insights, and execute fundamental improvements in healthcare. Indeed, such additional purposes can include research and innovation which can contribute towards what the Ministry of Health of Singapore targets as one of its key pillar of developing precision medicines pursuant to the MOH’s national medicines policy[4]. But what would the regulatory framework in supporting such purposes look like? Does Singapore’s current existing infrastructure have features or a framework which can be built on to free up responsible and accountable use of such data? The above 2 points will be addressed in part II to this article. For the purpose of part I, we explore the relevant parts of an European equivalent legislation in greater detail. Lessons from the EU? To begin with, it would be good to first look at a comparable jurisdiction and here, there are some important parallels to consider with respect to the EU’s Health Data space as embodied in the European Health Data Space (“EHDSA”). Are there key differences with the EHDSA? And if so, anything further can be done to close any gaps?[5] First, for context, a brief summary of the position in the European Union. In May 2022, the European Commission put forward an initiative that will place citizens at the centre of their healthcare, granting them full control over their data, with the goal of achieving better healthcare access across the EU. The initiative eventually gives rise to the proposal for the EHDSA which was adopted by the European Parliament on 24 April 2024 and expected to be published in the Official Journal in autumn of 20243. The key aspect of the EHDS that regulates the secondary usage of data can be found mainly in Chapter IV of the EHDS which we will review in further details[6]. This much mirrors the stated aims of the SG HIB. However, the EHDSA also aims to allow the use of health data for research and public health purposes, under strict conditions. This use, which is defined as a “secondary purpose”, is a key step forward. Chapter IV of the proposed EHDSA[7] can be largely split into the following sections: (a) types of secondary uses of data; (b) distinction between a data access request and simply a data request as well as the corresponding steps for each processes; (c) issuance of the data permit and the conditions for such withdrawal; (d) the duties of the data holders; (e) the establishment of the health data access bodies; and (f) the penalties that may be imposed for breaches committed. Types of uses for data and the types of data The EHDSA lists, at Chapter IV, Article 33, the “minimum” categories of data that a data holder must make available for secondary use[8], and this notably includes electronic health records[9], data impacting on health, including social, environmental behavioural determinants of health, health-related administrative data (including claims and reimbursement data), pathogen genomic impacting on human health, human genetic, genomic and proteomic data, population wide health data, electronic health data from clinical trials, data from research cohorts, questionnaires and surveys related to health, and many more. Each of these categories of data hold potential for innovation and hope for medical treatment – e.g. disease prediction and prevention, identifying key trends in population health, and so on. This is followed by Article 34 of the EHDSA, which sets out corresponding approved secondary purpose[10] and these include scientific research related to health or care sectors, development and innovation activities for products or services contributing to public health or social security, or ensuring high levels of quality and safety of health care, of medicinal products or of medical devices and training, testing and evaluating of algorithms, including in medical devices, AI systems and digital health applications, contributing to the public health or social security, or ensuring high levels of quality and safety of health care, of medicinal products or of medical devices. The EHDSA would therefore play a vital role in dealing with data scarcity – the difficulties in accessing health data to help transform health care[11]. Indeed, if it is remembered that there were arguments by some that the protective, yet restrictive, nature of legislation such as the EU GDPR inadvertently created data scarcity[12], the value of the EHDSA is apparent – i.e. it provides a structured framework for the accountable and responsible sharing of health data and innovation, against the backdrop of other protective legislation. In the Singapore context, making health data available in a similar manner to the EDHSA will allow pharmaceutical companies or life science companies under trusted and legal conditions could help develop more precision medicines, promote diseases prediction and understanding, and ensure the most appropriate medicines to manage a certain disease or illness, and strengthen or reinforce the judgment of healthcare professionals, who would benefit from the availability of studies derived from the data readily available. It should also be noted that a framework such as the EHDSA would act to prevent uses which are not connected with innovation or healthcare as it also sets out prohibited uses of the data such as advertising or marketing activities towards heath professionals, organisations in health or natural persons. This strengthens the legitimacy of how the data is intended to be used and providing further safeguards to the patients whose data are being collected and used. Other features of the EDHSA Other key features of the EDHSA provide an array of checks and balances for the responsible and accountable operation of any health data exchanges that would arise from the EDHSA: Data permits are a key piece of licensing for the use of any data exchanges[13] and they would require disclosure of information, in applications for permits, about safeguards in place to protect the data and the rights and interests of the data holder and the names of the natural persons concerned. The permits issued can also prescribe the manner in which the data will be provided and conditions. A health data access body[14] would be responsible for the administration of Chapter 4 of the EHDSA. Such a body would issue or revoke data permits, impose penalties[15], examine proposed uses, supervise data users’ compliance with the conditions set out in the data permits, and maintain a management system to keep track of the data permits used during their lifecycle. They would help translate principles into practice. The EHDSA balances interests in requests for access and use of the data. Data requests can either result in direct access to the health data or they may only result in the provisions of answers to requests with anonymized statistics, without having to grant access to the actual data per se[16]. Data holders, the organisations contributing to the exchanges would be responsible for ensuring the quality of the data being processed and remain accountable for the maintenance of the data. Data quality would also be a key focus point for compliance. Article 41 sets out in details the duties of the data holders which include ensuring the data quality and utility label accompanies the dataset including sufficient documentation to the health data access body for that body to confirm the accuracy of the label. There would be commitments to put the data at the disposal of the health data access body within 2 months from receiving request for access as well as undertakings to ensure that enriched datasets are made available unless the data holder considers such data enrichment as unsuitable in which case the data holders will have to inform the health data access body. The EHDSA[17] also sets out the need for datasets made available through health data access bodies to have a EU data quality and utility label provided by the data holders which will have to comply with the following key elements: technical quality showing the completeness, uniqueness, accuracy, validity, timeliness and consistency of the data; information on data enrichments: merging and adding data to an existing dataset, including links with other datasets; and for data quality management process, level of maturity of the data quality management processes, including review and audit processes, biases examination. As envisaged, secondary purposes do not appear flagged in proposals for the SG HIB Singapore is a uniquely positioned territory within Asia. She has diverse multi-ethnic make up in her population, according to the views of local media, its world-class healthcare is somewhat under-utilised[18] but there is recognition of the excellence of the sector[19]. It is a first world city with a racially diverse and technologically advanced society that brings with it a culture of compliance and rigorous standards of governance. Its government-led approach has also allowed it to move forward with the development of a robust technological ecosystem, now ripe for further innovation. It would seem to present a clear and compelling case for an EHDSA style or EHDSA inspired approach. Whilst no doubt key differences apply in the Singapore and EU context, Singapore is well-positioned to take, if not entrench, a regional, if not global, leadership role in healthtech. To do this, its legislation would need to help propel such leadership. The SG HIB presents an opportunity to enact legislation in this regard. And whilst the SG HIB’s focus on use of health data for primary purposes is absolutely critical and right-focused, one would be hard pressed to identify any substantive discussion on health data exchanges or the controlled sharing of health data for innovation. Without taking anything away from the importance of its current mandate to promote healthcare, might this be a missed opportunity? Conclusion A fuller comparison of the SG HIB and the EDHSA is beyond the scope of this article, but the premise of whether the existing frameworks in Singapore can allow for a possible expanded use of the data in our NEHR the same way that the secondary purpose is envisaged under the EHDSA is a key one to explore We will do this further In Part II of this series, where we will discuss further whether Singapore is able to emulate and allow for similar secondary uses of the data under its NEHR. Part 1 of 2 part article on Healthcare Information Innovation in Singapore Authors: Jeffrey Lim and Frederick Tay Footnotes [1] NEHR FAQ (synapxe.sg) [2] https://www.healthinfo.gov.sg/overview/introduction/ [3] As at this time, the intended date by which such contribution is to be made is stated as “end-2025” �� See Q12 FAQs - “Should the HIB be passed, MOH intends to implement mandatory contribution in phases, starting from end-2025, depending on the readiness of each category of healthcare provider. This is to allow sufficient time for HCSA licensees and approved contributors to meet the requirements stipulated in the Bill.” [4] Refer to objective 4 of the national-medicines-policy.pdf (moh.gov.sg) that was last updated on 22 November 2022. [5] https://ec.europa.eu/commission/presscorner/detail/en/IP_24_2250 [6] Proposal for a regulation of the European Parliament and of the Council on the European Health Data Space 2022/0140 (COD) [7] Chapter IV of Proposal for a regulation of the European Parliament and of the Council on the European Health Data Space 2022/0140 (COD) [8] Article 33(1) of Proposal for a regulation of the European Parliament and of the Council on the European Health Data Space 2022/0140 (COD) [9] Defined as “collection of electronic health data related to a natural person and collected in the health system, processed for healthcare purposes”. [10] Article 34 of Proposal for a regulation of the European Parliament and of the Council on the European Health Data Space 2022/0140 (COD) [11] For an article that further argues that this data scarcity could lead to inequality in societies, see “Health data poverty: an assailable barrier to equitable digital health care”, The Lancet, Volume 3, Issue 4, E260-265, April 2021, Ibrahim, Liu, Zariffa, Morris and Kenniston - https://www.thelancet.com/journals/landig/article/PIIS2589-7500(20)30317-4/fulltext [12] For instance, see “Enablers and barriers to the secondary use of health data in Europe: general data protection regulation perspective”, accessible at NIH National Library of Medicine, National Center for Biotechnology Information https://www.ncbi.nlm.nih.gov/pmc/articles/PMC8994086/, 9 April 2022, by Vukovic, Ivankovic, Habl and Dimnjakovic. And this echoes earlier arguments made when the EU GDPR was still relatively new, certain authors had argued that its rules would have a negative impact on the development and use of A.I. – see “The Impact of the EU’s new Data Protection Regulation on AI”, Center for Data Innovation, 27 March 2018, Wallace and Castro  - at https://www2.datainnovation.org/2018-impact-gdpr-ai.pdf [13] Article 45 of Proposal for a regulation of the European Parliament and of the Council on the European Health Data Space 2022/0140 (COD) [14] Articles 36-39 of Proposal for a regulation of the European Parliament and of the Council on the European Health Data Space 2022/0140 (COD) [15] Article 43 of Proposal for a regulation of the European Parliament and of the Council on the European Health Data Space 2022/0140 (COD) [16] Article 47 of Proposal for a regulation of the European Parliament and of the Council on the European Health Data Space 2022/0140 (COD) [17] Article 56 of Proposal for a regulation of the European Parliament and of the Council on the European Health Data Space 2022/0140 (COD) [18] See “Commentary: Healthcare in Singapore is world-class – and under-utilised”, Channel News Asia, 13 July 2023, Richard Hartung, at https://www.channelnewsasia.com/commentary/singapore-healthcare-system-healthier-sg-healthy-living-3623296 [19] See – Brookings Institute “The Singapore Healthcare System: an Overview” at https://www.brookings.edu/wp-content/uploads/2016/07/affordableexcellence_chapter.pdf or “The Remarkable Healthcare Performance in Singapore” September 2019, Ramesh and Bali at https://academic.oup.com/book/42635/chapter/358101444.

Following our first article “Goliath taking over David”[1], we will now look at ways in which David should get itself ready for such a transaction. In particular, we will start exploring some of the main concerns that the smaller start-ups should start to consider. This is especially important for smaller start-ups who are going into their first foray into the world of mergers and acquisitions. As the smaller start-ups try to make sense of the transaction, they are likely faced with concerns around whether they are even ready for such a takeover. “WINDOW-DRESSING” OR GETTING YOUR HOUSE IN ORDER? “Window-dressing” is sometimes used as a term to describe a short term strategy to make financial reports and portfolios look more appealing to investors[2]. This might unfortunately imply a certain degree of puffery at best, or at worst, a certain amount of deception. But is that a fair characterisation of “window dressing”? If Target Company, engages in window-dressing, is it trying to mislead investors, i.e. taking the opportunity before the investment transaction to hide its weakness and misrepresent its state of affairs to the Acquiring Company[3]? Or it is in fact, a fundamental step of getting its house in order for investment?[4] In wiser hands, window-dressing can actually refer to a process of emphasising the strengths of a Target Company which are essentially the key points that an Acquiring Company should be focussing on. Undertaking it requires the Target Company to be honest about its weaknesses but at the same time, showing how despite its weaknesses, the Target Company’s strengths make it a worthwhile investment for the Acquiring Company. In achieving a successful window-dressing, it should be remembered that the Target Company should not wait to do this only when an investor is interested. Window-dressing is a process that should start the moment the Target Company is set up. Let’s look at some key areas where this process should be focused on. DAVID HAS THE APPEAL BUT DOES DAVID KNOW WHAT IS APPEALING? It is not always intuitive for the Target Company to fully appreciate its true appeal or the drivers of value to an investor. This can make window-dressing a challenge as the Target Company second guesses or possible fails to capitulate its value. It may even emphasise the wrong value, and adjusting its arrangement in ways that turn out to be unappealing to a potential Acquiring Company. Consider what gives the American operations of MacDonald’s its capital value. You may at first instance believe that the true value of MacDonald’s is in the fast food chain business or the franchise. In reality, its real value is in the real estate that their restaurants are situated on as MacDonald’s buy land and lease back to franchisees who operate their franchise on those leaded back land[5]. This holds an important lesson: what the Target Company perceives as its true value may not always be consistent with what the Acquiring Company has in mind. The failure to align such perception may not only result in missed opportunities for the Target Company, but in certain situations, may even cause the Target Company to give up true value drivers for a lower financing amount or transaction value[6]. We can discuss where such mis-alignment might arise in another article, but for this article, it is worth noting that proper appreciation of where value lies is a crucial step David must make in the assessment of the value he presents an acquiring Goliath. DAVID’S CROWN JEWELS – ITS INTELLECTUAL PROPERTY RIGHTS Let’s address the key elephant in the room – in today’s world, competitive edges are increasingly driven by technological levers. It is not uncommon to see a Target Company attract the attention of an Acquiring Company because it has an innovation or possesses certain intellectual property rights (“IPR”) that is of value. IPRs can create lawful and effective barriers to entry for would-be competitors, enhancing the Target Company’s asset ledger and market position if, and that’s an important “if”, such rights are properly secured, cultivated and maintained. This point is not limited to any industry per se. However, in certain industries Acquiring Companies will pay more attention / more value with intellectual property rights than others, and, conversely, substantially reduce valuations where there is inadequate IPRs. Such industries can include the pharmaceutical sector, biotechnology sector, information technology sector, advanced manufacturing for different products and any competitive consumer business (where branding is the difference between market pole position and being a product that everyone ignores). A key issue that often arises in relation to IPRs or any innovation is that an Acquiring Company may not appreciate or be able to see the extent of value in the innovation or IPR the same way as a Target Company. As business consultants, dealmakers and business owners become more sophisticated, this problem should diminish but it begins with the fundamentals – i.e. where do you think IPRs exist and do you know when you see it? It can come as a surprise to some Target Companies or Acquiring Companies that IPRs are more than registered trade marks or patents. There are registrable IPRs, and non-registered IPRs. Consider the famous case of Coca Cola Inc. – without a doubt, the trademark is well known and has near global reach. But the company has never patented the formula for producing the original drink and there are good reasons for this[7] - including not giving away their trade secret monopoly over the recipe by subjecting it to the limited statutory monopoly of the lifespan on a patent. The recipe is said to have originated from Pemberton’s creation in 1888 – if it had been patented, the legal monopoly granted would have lapsed years ago. And though it’s arguable whether the formula is truly a reason why people buy the drink[8], the mystique and mystery of the trade secret certainly has become a market share enhancing pillar of their marketing strategy. The point is that Target Companies must understand the IPRs that it has and is developing and the different ways in which those IPRs are protected, come into existence and how they add value to the business. Not only that, they must be able to present this in an informative manner that resonates with an Acquiring Company. This does involve understanding the different types of IPRs that the Target Company can seek to enforce, and upon understanding the IPRs and how to use them. An IPR due diligence and road map is essential – even before the Target Company begins the search for investors. It should not be seen as an afterthought or a by-product of value in the Target Company. It can indeed represent the most important value driver of the Target Company. In terms of “window-dressing”, the Target Company must be able to show that it has valuable IPRs– e.g. over the innovation – which demonstrate where its competitive edge is based. Companies which emphasise IPRs are “10 times more successful in securing funding”[9] as per information from the European Patent Office. Investing in IPR due diligence and filings, implementing IPR management programs is investment that goes towards lifting overall valuation. There can be a fixation with filings. But this would be a mistake. Copyright, trade secrets, rights in goodwill, mask work rights, etc – the expenditure to procure and protect these rights can be low, provided that they are properly identified through legal analysis and appropriate operational steps (as legally advised) are undertaken to protect and enhance their value. Consider also where the IPR resides. Take the Target Company’s employees, for example. Over time, their know-how and experience becomes valuable. And yet, the Target Company may have operated mainly on trust and not having sufficient controls or covenants put in place with its employees resulting in employees taking critical information away to start something on their own. When the Target Company tries to make a case of non-compete against its former employees, it may come to realise that non-compete may not always be enforceable in all instances. All of these can cumulate into a potential issue that is waiting to rear its ugly head just when the Target Company thought it is ready to file a patent or a trade mark application as the Target Company may soon realise that due to the lack of controls in place, what the Target Company has may no longer be of much value after all. HOW WELL POSITIONED ARE DAVID’S REGULATORY LICENCES? Industries as diverse as casinos, telecommunications, travel, healthcare, tobacco, banking licences and more are regulated. If a Target Company operates in an industry where regulatory licensing is important, the Target Company needs to ensure that it has taken steps to increase its chances of obtaining and maintaining such licences. Getting your regulatory licensing in order can be an existential matter. If you are the Acquiring Company, do not assume that the licence is good simply because it has been issued or appears in force. Are there ongoing investigations and violations? Is the track record with the regulator healthy or not? Where licensing is activity-based – are the licences issued even the right ones needed by the product and service mix? Regulatory licensing can also present value as a barrier to entry – the loss of which means the Target Company is back on the “outside looking in” at economy opportunities. Acquiring a regulatory licence may not just be a matter of filling in a form and paying a fee. It can take months to get approvals. Is the Target Company taking active steps to manage regulatory stakeholders? For instance, does the Target Company have a team that has regular engagements with government officials and regulatory authorities, and are they practising appropriate methods to approach such engagements? Most licensing regime are jurisdiction specific. For example, a casino regulatory licence may be relatively easier to attain in United States of America than say in Singapore as Singapore has traditionally attempted to discourage gambling for being a societal norm[10]. Every Acquiring Company should approach acquisitions with a degree of familiarity with local licensing regimes, and this will include tapping on legal and industry experts for that territory. In a world where regulatory intervention can be driven by geopolitical influences, would the transaction engage any triggers[11]? One cautionary example is the acquisition by tobacco giant Altria of shareholding interests in Juuls Labs in which Altria paid almost US$13 billion for 13% of Juuls at the end of 2018[12] but with the increasing lawsuits and regulatory restrictions faced by Juuls, the value eventually dropped to US$250 million in less than 4 years[13] which prompted Altria to exit from Juuls. Given that there are multiple engagements with regulatory authorities, Acquiring Companies should ask if the Target Company has put in place compliance measures. DATA – DAVID’S MEAT CAN BE GOLIATH’S POISON! Data has been touted as the most precious commodity after the discovery of oil. Target Companies that have this in abundance (and meaningful abundance – i.e. with good data governance, proper controls, quality data, etc) are potentially sitting on a “goldmine” – and its value can apply across industries. Certain industries naturally prize rich data sets as the most valuable asset of a Target Company. For example, companies operating in the pharmaceutical industry have clinical trial data, e-commerce companies sit on consumer preference and transactional data, and retail companies have customers’ data with their purchasing behaviour, and so on. Here, compliance with data protection and privacy laws is fundamental. To put it simply: is the Target Company sitting on a data goldmine or a regulatory time bomb? Acquiring Companies will be most concerned with whether the data is of any value even if it is data the Acquiring Company requires as the Acquiring Company may have doubts around the manner in which the Target Company has acquired the data. One such example is the notable acquisition by Facebook of WhatsApp where the Federal Trade Commission issued a strong letter reminding Facebook to honour the promises that WhatsApp made to its users via its privacy notices[14]. As part of the window-dressing process, the Target Company must be able to, at the basic level, maintain data inventory and some form of governance processes that facilitates the oversight of the types of data, the purposes of which the data can be used and the scope of the consents or legal basis in using such data. Further considerations can be found in our last article titled “Mergers and Acquisitions – how to avoid privacy minefields”[15]. This article will provide the Target Company greater insights into areas that the Acquiring Company will usually look at when conducting a privacy due diligence. SOME PARTING NOTES The opinions shared in this article is not necessarily limited to any specific industries or companies.  Certain considerations may be pertinent to companies in certain industries. It is also important to bear in mind that as you go through this article, that a single start-up may potentially have to consider one or more of the points above and in most cases, it is not possible to only think of your industry as needing to only consider one of the points only. Finally, please note that the assumptions we have made in our first article1 continue to remain applicable in this article. IS DAVID FINALLY READY? The Target Company can never be truly ready for an acquisition but it can take steps to ensure that when an Acquiring Company starts reviewing the different potential acquisition targets, the Target Company is not far from consideration having taken active steps to present its best foot forward. Hopefully, with the Target Company being able to focus on its key aspects, the Target Company can also best allocate resources towards taking steps early in its journey to dressed up itself for the day to come. Authors: Frederick Tay and Jeffrey Lim Footnotes [1] See link to the first article here: https://www.linkedin.com/posts/joyce-a-tan-%26-partners_goliath-takes-over-david-mergers-and-acquisitions-activity-7223515301580091392-QPRL?utm_source=share&utm_medium=member_desktop [2] See https://corporatefinanceinstitute.com/resources/accounting/window-dressing/. [3] See for example article on the Wall Street Oasis: https://www.wallstreetoasis.com/resources/skills/accounting/window-dressing [4] See for example the article released by the Corporate Finance Institute: https://corporatefinanceinstitute.com/resources/accounting/window-dressing/ [5] See for example article: https://qz.com/965779/mcdonalds-isnt-really-a-fast-food-chain-its-a-brilliant-30-billion-real-estate-company [6] See for example the article: https://www.comparables.ai/articles/unlocking-value-navigating-mergers-and-acquisitions-through-valuation which gave a quick analysis of two successful M&A deals due to the recognition of the right values: Walt Disney Company's Acquisition of Marvel Entertainment and Facebook's Acquisition of Instagram [7] See https://en.wikipedia.org/wiki/Coca-Cola_formula - “Company founder Asa Chandler initiated the veil of secrecy that surrounds the formula in 1891 as a publicity, marketing, and intellectual property protection strategy While several recipes, each purporting to be the authentic formula, have been published, the company maintains that the actual formula remains a secret, known only to a very few select (and anonymous) employees.” [8] Coca Cola itself makes the claim that this is the case – https://www.coca-cola.com/ke/en/about-us/faq/is-the-coca-cola-formula-kept-secret-because-the-company-has-som [9] https://www.epo.org/en/news-events/press-centre/press-release/2023/945253 [10] Refer to Ministerial Statement then by Prime Minister Lee Hsien Loong, 18 Apr 2005 where he quoted his own letter to Mr Wee Ee-chao (who led the Tourism Working Group) in 2002 citing that “There may be economic merits to setting up a casino in Singapore. But the social impact is not negligible.” [11] Whether the deal proceeds or not, it is significant that national identity and security considerations can be operative. For a example, see how certain industries such as semiconductors are particularly sensitive – e.g. https://investmentpolicy.unctad.org/investment-policy-monitor/measures/3149/united-states-of-america-u-s-blocks-a-1-3-bn-deal-on-national-security-grounds [12] Refer to New York Times article: https://www.nytimes.com/2018/12/20/health/juul-reaches-deal-with-tobacco-giant-altria.html [13] Refer to article by the Associated Press: https://apnews.com/article/juul-altria-vaping-cigarette-njoy-b376515ea25e08ddc4372ace214c86a3 [14] Refer to https://www.ftc.gov/business-guidance/blog/2014/04/ftc-staff-facebook-and-whatsapp-privacy-promises-prevail [15] Refer to https://www.linkedin.com/posts/joyce-a-tan-%26-partners_ma-avoid-data-privacy-minefields-activity-7219146845627801600-pzgG?utm_source=share&utm_medium=member_desktop