Recently I completed a research project on Asia-Pacific privacy law, which satisfied my long-time craving for exploring in details the privacy law and enforcement regime of this region beyond mainland China. After reading the statutes, government reports, and articles relating to South Korea, Japan, Singapore, India, Australia, Hong Kong, Taiwan, Malaysia, Philippines, Thailand, and Vietnam, I had some observations that I would like to share. This is an intro piece to give a privacy law panorama of this region.
Before getting into the weeds, a quick comment to warm up – Asia-Pacific is a highly dynamic region in terms of privacy law with rapid evolvement and rich diversity, which means, in the sense of law compliance, this is a complicated and risky area requiring constant monitoring.
There is no “unified” Asia-Pacific privacy law regime. Although the APEC (Asia-Pacific Economic Cooperation) Privacy Framework aims to develop a uniform privacy protection system across the region to facilitate data flows, the system is based on a set of voluntary, non-binding principles, not designed to replace domestic laws. As such, the landscape of Asia-Pacific privacy law is a patchwork of separate and varying domestic laws drafted and enforced under different cultural, economic, and political environments of different countries and special regions like Hong Kong.
Overall, due to the sweeping impact of the GDPR and the growing concerns about data abuse and breaches, Asia-Pacific has seen a tightening regulatory environment. But the maturity is still uneven when focusing on specific locations, which I have roughly divided into three tiers. The first tier, representing a high level of maturity of privacy protections, is led by South Korea, Japan, Singapore, Hong Kong, Australia and maybe also Taiwan, each with their own well-established privacy laws and active enforcement. This group generally has enforced a comprehensive privacy law for more than a decade. To name a few, Hong Kong started to enforce its privacy law, the Personal Data (Privacy) Ordinance (PDPO), since 1996, and Japan’s privacy law, the Act on the Protection of Personal Information (APPI), came into force in 2005. The second-tier are countries that already have a number of relevant laws, regulations, or soft-laws like national standards to limit data collection and processing to some extent. However, this tier still lacks a robust and comprehensive mechanism to protect privacy. The representative countries are mainland China and India, both of which are now in the process of drafting their own comprehensive privacy laws. India released a first draft of the Personal Data Protection Bill in the middle of last year, now in the review process, and China has placed the legislation of Personal Information Protection Law into its national legislative priority agenda, indicating a targeted deadline of the year of 2023. The third tier includes countries like Myanmar which have very few privacy-relevant regulations.
Their approaches to privacy protection are diversified as well, reflecting varied legislative motivations, government priorities, and historical backgrounds. Some are closer to the European model to protect privacy as a fundamental human right, while others like mainland China and Vietnam place more emphasis on national interests and national security. Some regulate government entities the same way as regulating private companies, while others only restrict data practices by private companies or have a separate privacy law applying to government. Compared to its peers with similarly robust privacy protections, Singapore is slightly more business-friendly. For example, its privacy law, the Personal Data Protection Act, exempts business contact information that refers to a person’s name, position title, business address and telephone number, etc.
Despite numerous differences on specific requirements, I found wide-spread recognition of some privacy law principles across this region.
1. Transparency and Lawful Basis for Data Processing
Almost all the privacy laws I’ve checked in this region require certain levels of disclosures to inform individuals of some information, including what data is collected and the purposes for the collection and processing. A lawful basis is normally required to legitimize data practices, and the data processing must adhere to or be compatible with the originally disclosed purposes. While only one of several lawful bases under the GDPR, “consent” plays a more central role in Asia-Pacific. For example, Singapore requires that organizations collect, use, or disclose personal data only with the individual’s knowledge and consent, subject to a few exceptions. Japan explicitly requires consent for data repurposing, providing data to a third party, or processing sensitive data. And as discussed in an earlier post, currently China also hinges the legality of data practices almost entirely on consent.
2. Individual Rights
Almost all laws recognize the rights of individuals to control their data, though of varying scale degrees. The rights to access and correction are universally granted. Additional rights such as the right of deletion are given by South Korea, Japan and Taiwan. It is noteworthy to mention that Taiwan expressly forbids the data subject rights to be abandoned or contractually restricted. As mentioned above, Singapore is relatively more pro-business, which is also reflected in the individual rights protections that, according to Singapore law, must be balanced against the organizational needs to collect and use data for legitimate and reasonable purposes. The rights of data portability and restricting data profiling are largely missing in this region, but regulatory awareness is emerging. For example, in February, Singapore regulator initiated an official research to explore the benefits and implications of introducing a data portability requirement.
Regardless, many laws still fall short of an effective mechanism for individuals to meaningfully exercise their rights, such as requiring a deadline for the data holders to respond to individual requests, and any redress the requesting individuals may be able to seek if that deadline has passed.
3. Data Security
All privacy laws impose data security obligations, requiring reasonable or appropriate efforts to safeguard data system. Some countries have more detailed requirements, like Japan, which requires that when the data processing is entrusted to a third party, the entruster – similar to data controller under the GDPR – must engage in necessary and appropriate supervision of the entrusted third party handling the data. The guideline accompanying Japan’s privacy law provides further detailed guidance on documentation, organizational structure, employee training, physical security systems, and a few other aspects relevant to data security.
Nevertheless, at present, data breach notification is not universally mandatory in Asia-Pacific, though that may get changed soon. Some actors, such as Hong Kong, do not have breach notification requirement at all despite having a robust privacy law system. Some only have a basic requirement but no concrete details to support an effective implementation. And some others limit the notification obligation by setting up different triggering thresholds. India currently mandates in its Information Technology Act the breach reporting to the government when certain types of incidents occur, such as identity theft or the compromise of critical information systems. Japan is a little bit more knotted. Its general privacy law APPI does not mandate breach notification, but breach reporting to the government is specified in its privacy regulator’s guideline (PPC Notification No.1 of 2017), as well as in some sectoral regulations targeting industries like healthcare and finance, but no penalties for non-compliance. South Korea is further ahead on this issue, requiring data controllers to report data breach to government if it involves personal data of 1,000 or more data subjects. In addition, data controllers must notify the impacted data subjects, regardless of how many people are involved, of detailed information including the types of leaked data, when and how the breach happened, countermeasures that have been taken in response, and what data subjects could do to minimize damages. The Philippines set up a complicated threshold to trigger the notification obligation, requiring the notification to government and the affected individuals if it is reasonably believed that sensitive data is involved or the leaked data may be used to commit identity fraud, and the controller or the regulator believes that it is likely to cause a real risk of serious harm to any affected data subject.
A recent trend shows that mandatory breach notification is spreading in Asia-Pacific. In March, the government of Singapore released an official statement about the plan to introduce a mandatory breach notification regime. Malaysia is on the same page. And according to the latest released draft of an important Chinese national standard regarding the personal information security, China is also seeking to upgrade its breach notification system with more detailed requirements.
4. Criminal Liabilities
Almost all privacy laws I’ve explored in this region impose criminal liabilities for a variety of misconduct relating to personal information, from illegal data disclosure or disposal, to misleading government in its investigation or contravening a government enforcement notice, to negligence in maintaining a security mechanism. Some countries look to intentions, like the intention to seek profits. A riskier country is the Philippines, which imposes criminal liabilities to a wide range of data mishandling, which even extend to responsible officers of companies and entities, as long as they participated in the process or grossly negligent in allowing the violations to happen.
This post is already too long, so I’d better stop here. I will try to write more posts about Asia-Pacific in the near future since there are really a lot of interesting stuff. In short, when examining the privacy legislation of this region, it is important to bear in mind that this is a fast changing landscape. The past three years alone have already witnessed many significant events and shifts in policy, including new national privacy laws or amendments bringing in substantial changes, in addition to the increasingly active role of law enforcement. This adds to the complexity and risks for law compliance in this area, not to mention the additional difficulty due to the inconsistent cross-border data transfer requirements among different countries. But still, as Asia-Pacific’s economy and technology industry keeps booming, and the privacy law environment keeps shifting, new challenges should be expected and more attention should be given.
