Over the recent years, Asian regulators have put rigorous effort into ramping up their data protection regimes. Several Asian countries such as India, China, South Korea, Vietnam, Malaysia, Thailand and Indonesia have introduced or enhanced their existing cybersecurity or data protection laws. Recently, China gave a final read to its Personal Information Protection Law (“PIPL”) and enacted it as its first comprehensive law on data protection in 2021. India, Indonesia and Vietnam are most likely to follow suit in the short term.
The EU’s General Data Protection Regulation (“GDPR”) in 2018 and other similar regulations elsewhere in the world has increased the awareness of the rights of individuals in protecting their privacy and data protection in general. As opposed to the EU, the Asia-Pacific landscape entails numerous legal systems of diverse characters and historical backgrounds, making it close to impossible to generalise how the data protection laws operate in this region. Corporations in these jurisdictions must bear with the intricacies that each prescribes while developing a privacy compliance programme.
Most of the data protection regimes in Asia are analogous to each other at their core as they are aligned to the globally recognised principles of data privacy; however, a few tweaks have been made to customise them to the specific regional requirements of these States. These countries have drawn inspiration from the EU’s GDPR, but some, on the other hand, have extended the reach of their regional laws beyond that of their European counterparts.
This article is a high-level overview of the commonalities and differences present in the privacy regimes in the Asia-Pacific region.
Regional comparison of Asian Data Protection regimes – Commonalities and Differences
To date, twenty jurisdictions in this region have a comprehensive privacy regulation in place. China, Thailand and Uzbekistan are the newest members to join the party. Laws in Japan, Kazakhstan, South Korea, New Zealand and Singapore have been recently amended. They have been included in this overview to get an up-to-date understanding of the difference in privacy regulations of this region.
- Scope – Extraterritorial application
The GDPR applies to organisations “established” in the EU that personal process data, regardless of whether the processing occurs in the EU. Concerning the extraterritorial scope, it applies to the processing activities of data controllers and data processors that do not have any presence in the EU, where processing activities are related to the offering of goods or services to individuals in the EU or the monitoring of the behaviour of individuals in the EU.
Most of the countries in the Asia-Pacific region have laws that prescribe the processing of data within the jurisdictional boundaries of the country. However, seven countries provide extraterritorial provisions that are similar or sometimes exceed the scope of the extraterritorial requirements of the GDPR. Australia, Japan, China, Indonesia, the Philippines, New Zealand and Thailand.
- Cross-border transfer of data
A majority (sixteen) of the countries in the Asia-Pacific region impose restrictions on cross-border transfers of personal data. However, the laws of Hong Kong, Indonesia, Taiwan and Nepal allow the cross-border transfer of personal data without any restrictions. The legal bases for such transfers vary significantly depending upon the adequacy, consent from data subjects/data regulation authority (or any other legal requirements), treaty obligations or even binding corporate rules or agreements. Thus, although these countries allow cross border transfer of data with restrictions, the similarities are said to end there as the conditions attached to determine whether countries can transfer the data or not.
No country in the Asia-Pacific region has laid out a list of jurisdictions that provides adequate protection to safeguard the data transferred or any model contractual clauses as seen in the EU. For example, Japan, New Zealand and recently South Korea have been approved to provide adequate protection by the EU. Taiwan is currently working its way to obtain a proper decision as well.
- Breach Notification
Mandatory breach notification laws are spreading quickly as they are currently perceived as “best practice” and “politically popular” in the prevailing geopolitical scenario. In the event of a data breach, half (ten) of the countries listed in this region require some form of a mandatory notification to be made to the relevant authorities and the affected individuals. Some laws only require entities to notify the affected individuals and the data protection authority “promptly” or “without any delay”. Some jurisdictions have specified the period as seventy-two hours, such as in the case of the Philippines, Singapore and Thailand, five days in the case of South Korea and fourteen days in the case of Indonesia. Singapore also requires entities to submit a report within fourteen days of the initial notification detailing the causes of the incident, impact and remedial measures taken by the organisation to tackle the data breach incident.
- Legal basis for the processing of data
The GDPR provides seven major fundamentals for processing data: consent, the performance of a contract, legitimate interest, vital interest, legal requirement, and public interest. Most of the countries in the Asia-Pacific region (thirteen) do not allow data processing based on legitimate interests. The range of legal basis for the processing of data varies widely from one jurisdiction to another. For instance, consent of the data subject is considered the most common legal basis for processing in these States.
- Rights of data subjects
The right to provide access to and correct the personal data stored is provided in all jurisdictions. Erasure rights are available in eleven countries, whereas only four countries- China, Philippines, Singapore and Thailand- provide data portability rights. The time frame within which an entity must respond to a data subject’s rights varies in this region. Under the GDPR, one month is provided to an organisation to respond to a request made. Here, four countries provide requests to be attended within 30 days, three within 15-21 days, two within 10 days, and five within 1-7 days. The others do not prescribe a specific period.
- Appointment of Data Protection Officer (DPO)
Data protection officers are independent experts in data protection who are responsible for monitoring and advising on an organisation’s data protection compliance programme, monitoring and assessing DPIAs and acting as a point of contact for data subjects and relevant supervisory authorities. China, Japan, Kazakhstan, Korea, New Zealand, Philippines, Singapore and Thailand are the eight countries that mandate the appointment of a DPO in this region.
- Data Localisation Requirements
Currently, only three jurisdictions mandate data localisation in this region. However, the pressure to uniformly implement the same continues to grow significantly after China adopts the PIPL. Now, organisations in China that have high process volumes of personal data and operators of “critical infrastructure” are required to store such information within the borders of China. When such information is critically needed to be transferred to a third-party operator abroad, such an organisation must clear the security assessment conducted by the CAC except in those cases where they are exempted by law from taking such an assessment. Kazakhstan’s privacy regulation mandates entities to store their data locally. In Uzbekistan, the owners or operators processing their citizens’ data must use technical means located in Uzbekistan itself. Additionally, such technical standards must also be registered in the State Register of Personal Data Databases, even if the processing occurs through information technologies or the internet.
- Registration
Under Article 30 of the GDPR, all companies are now required to maintain an internal electronic registry of all the information of the personal data processing activities carried out to provide for the principle of accountability. The trend prevalent around the world is to minimise the registration requirements. However, Kyrgyzstan, Macao, Malaysia, the Philippines, Uzbekistan, and Tajikistan are the six countries requiring organisations to register their processing activities with a data protection authority.
- Data Protection Impact Assessments (DPIAs)
Under the GDPR, a DPIA is required to be performed every time a new project is taken on by an organisation that poses a “high risk” to people’s personal information. In the Asia-Pacific region, Singapore, South Korea, China and the Philippines are the only four countries that require organisations to carry out DPIAs. In contrast, most other local laws do not require organisations to carry out such assessments.
- Enforcement
The enforcement authorities or the data protection authorities (DPAs) in South Korea, Japan, Hong Kong, Singapore and Australia have responded to the ongoing massive data breaches with the utmost strictness. They have carried out aggressive inspections and have prosecuted organisations that have failed to implement the proper security measures mandated by law, resulting in heavy fines and sometimes corrective orders. These countries are also focussing on enhancing their private sector security practices. Enforcement is expected to increase in the coming years due to new and amended laws that increase the penalties. Other types of privacy violations, the Korean Personal Information Protection Commission (PIPC) imposed a fine of KRW 6.6 billion on an online platform operator for violating lawful processing requirements, consent particulars, and processing of pseudonymised information, are also in play.
Conclusion
The above comparisons show that when it comes to inter-state trade between Europe and the Asian countries, the EU’s adequacy decision plays a vital role in facilitating data transfers between Europe and other countries. As data transfers are essential to most business processes today along with the ECJs judgement in Schremes II, the EU’s role in dictating model contractual clauses and best practices will seep into the data protection practices of the Asia-Pacific countries as well. After several rounds of negotiations, South Korea has recently obtained the EU’s adequacy decision where additional safeguards were agreed upon, such as enhanced notice obligations, onward data transfers, and processing for national security purposes. Importantly, individuals in the EU whose data is transferred to South Korea can now complain with the PIPC. Thus, we can expect similar changes to be made in other privacy regulations in the Asia-Pacific region.
This article was written by Aryashree Kunhambu
Wonderful post however , I was wondering if you could write a litte more on this subject?
I’d be vvery grateful if you could elaboratee a little
bit further. Thanks!
Here is my blog: Gabriela
Zaproxy dolore alias impedit expedita quisquam.
Very well written! The points discussed are highly relevant. For further exploration, I recommend visiting: LEARN MORE. Keen to hear everyone’s opinions!
ed pills cheap: Best Canadian online pharmacy – drug prices
drugs prices http://canadiandrugsgate.com/# cheap pills online
ed men
dapoxetine price: dapoxetine price – cheap priligy
amoxicillin 500mg capsule cost https://prednisoneraypharm.com/# india buy prednisone online
buy prednisone tablets online: raypharm – prednisone 50 mg tablet canada
amoxicillin 875 mg tablet https://prednisoneraypharm.com/# buy prednisone 10mg
prednisone 5 mg tablet without a prescription: cheap prednisone – buy prednisone 10mg online
amoxicillin 500mg capsule buy online: amoxil com pharm – buy amoxicillin 500mg canada
amoxacillian without a percription https://prednisoneraypharm.com/# buy prednisone without prescription paypal
prednisone 10mg price in india: raypharm – over the counter prednisone cream
cheap priligy: cheap priligy – cheap priligy
buying prescription drugs in mexico online http://mexicanpharmgate.com/ mexican pharmaceuticals online
lisinopril 20 mg tablet: buy Lisinopril 1st – lisinopril1st
lisinopril1st: cheapest Lisinopril – buy Lisinopril online
buy plavix: Clopidogrel Best Prices – Plavix 75 mg price
cheapest Lisinopril: ordering lisinopril without a prescription – cheapest Lisinopril
drug lisinopril: lisinopril1st – Lisinopril 1st
Clopidogrel 75 MG price: Clopidogrel Best Prices – plavix best price
Priligy tablets: max pharm – buy dapoxetine online
пин ап кз: pinup – pinup
пинап казино пин ап казино официальный сайт pinup
пин ап казино: пин ап казино – пин ап кз
pin up казино: pinup kazi – пин ап казино
пин ап казино онлайн: pinup kazi – pinup-kazi.kz
http://vavada-kazi.ru/# vavada
пин ап вход: пин ап вход – пин ап зеркало
пин ап казино: pinup kazi – pin up казино
пин ап казино: пин ап казино – пин ап казино
pinup kazi пин ап казино официальный сайт пинап казино
vavada kazi: vavada-kazi.ru – вавада
pinup: пин ап казино – pin up казино
пин ап зеркало: pinup – pinup-kazi.ru
пин ап зеркало: pinup – пин ап зеркало
pinup: пин ап казино онлайн – пин ап казино онлайн
pinup пин ап кз pinup kazi
pin up казино: пин ап кз – pinup-kazi.kz
вавада казино: вавада казино зеркало – vavada kazi
вавада: вавада казино онлайн – vavada
вавада казино зеркало: vavada-kazi.ru – вавада казино зеркало
vavada-kazi.ru: вавада казино онлайн – вавада
пинап казино: пин ап казино онлайн – pin up казино
https://vavada-kazi.ru/# vavada kazi
пинап казино: пин ап казино – pin up казино
otc ed pills https://mexicanpharmeasy.com/# mexican border pharmacies shipping to usa
ed and diabetes: canadian pharm 1st – pumps for ed
legal to buy prescription drugs without prescription: canadianpharm1st.com – the best ed pill
mexican pharmaceuticals online: MexicanPharmEasy – mexican online pharmacies prescription drugs
mail order pharmacy india indian pharmacy cheapest online pharmacy india
mexican drugstore online: Mexican Pharm – best online pharmacies in mexico
male ed: canadianpharm1st – buying pills online
ed meds online pharmacy: canadian pharm – what are ed drugs
medication from mexico pharmacy Pharm Easy mexican drugstore online
best india pharmacy: indian pharm star – online pharmacy india
best online pharmacies in mexico: Pharm Easy – buying prescription drugs in mexico online
drug store online canadian pharm erectile dysfunction
mexican online pharmacies prescription drugs: Pharm Easy – mexican pharmaceuticals online
best india pharmacy: indian pharm – top 10 pharmacies in india
buying from online mexican pharmacy: Mexican Pharm – mexico drug stores pharmacies
п»їbest mexican online pharmacies: Mexican Pharm – buying prescription drugs in mexico online
ed medicine online http://indianpharmstar.com/# indianpharmacy com
mexican rx online MexicanPharmEasy purple pharmacy mexico price list
ed dysfunction: canadian pharmacy – pain meds without written prescription
top 10 pharmacies in india: indian pharmacy – buy medicines online in india
mail order pharmacy india: IndianPharmStar – pharmacy website india
best male enhancement pills https://indianpharmstar.com/# best india pharmacy
mexican border pharmacies shipping to usa MexicanPharmEasy mexican drugstore online
viagra without doctor prescription: canadianpharm1st – erectile dysfunction drug
world pharmacy india: indian pharm star – world pharmacy india
mexican rx online: mexican pharmacy – purple pharmacy mexico price list
drugs and medications http://mexicanpharmeasy.com/# mexican mail order pharmacies
prices of viagra at walmart: canadian pharmacy – erection pills
medicine in mexico pharmacies: mexican pharmacy – buying from online mexican pharmacy
best pharmacy online http://canadianpharm1st.com/# ed prescription drugs
buying prescription drugs in mexico online MexicanPharmEasy mexican border pharmacies shipping to usa
Online medicine order: IndianPharmStar – buy prescription drugs from india
buy ed pills online: canadian pharm – ed causes and cures
impotence treatment http://mexicanpharmeasy.com/# mexican border pharmacies shipping to usa
mexican mail order pharmacies: Mexican Pharm – mexican online pharmacies prescription drugs
is ed reversible: canadian pharm 1st – muse for ed
ed meds online without doctor prescription canadian pharmacy ed drug comparison
Ivermectin Pharm: minocycline 50 mg tablets for humans for sale – Ivermectin Pharm Store
buy semaglutide online: rybelsus – cheap Rybelsus 14 mg
https://paxlovid.ink/# Paxlovid.ink
Amoxil Pharm Store Amoxil Pharm Store amoxicillin cephalexin
Paxlovid.ink: Paxlovid.ink – buy paxlovid online
Amoxil Pharm Store: can you buy amoxicillin uk – where can i get amoxicillin
https://semaglutidepharm.com/# rybelsus price
Paxlovid.ink: п»їpaxlovid – Paxlovid.ink
https://semaglutidepharm.com/# rybelsus price
Amoxil Pharm Store: AmoxilPharm – AmoxilPharm
Rybelsus 7mg: buy rybelsus – Buy compounded semaglutide online
paxlovid covid: paxlovid india – Paxlovid.ink
https://amoxilpharm.store/# generic amoxicillin online
medicine amoxicillin 500: Amoxil Pharm Store – amoxicillin 500mg prescription
buy minocycline 100 mg tablets: Ivermectin Pharm Store – ivermectin 4 mg
https://amoxilpharm.store/# AmoxilPharm
buy semaglutide online: rybelsus generic – Rybelsus 7mg
https://paxlovid.ink/# Paxlovid over the counter
semaglutide pharm: rybelsus – Buy compounded semaglutide online
https://paxlovid.ink/# Paxlovid.ink
Amoxil Pharm Store: generic amoxicillin cost – AmoxilPharm
Ivermectin Pharm: ivermectin over the counter canada – stromectol for sale
https://cytotec.top/# cytotec pills buy online
buy cipro online canada: buy ciprofloxacin over the counter – ciprofloxacin generic price
how can i get clomid for sale: where to get generic clomid pills – order clomid without a prescription
https://ciprofloxacin.cheap/# buy cipro online usa
price of lisinopril 30 mg: zestril pill – lisinopril pill 5 mg
http://ciprofloxacin.cheap/# ciprofloxacin 500 mg tablet price
where can i buy zithromax capsules: where to get zithromax – zithromax prescription in canada
http://ciprofloxacin.cheap/# cipro for sale
buy zithromax without presc: buy zithromax – can you buy zithromax over the counter
http://ciprofloxacin.cheap/# cipro ciprofloxacin
https://clomid.store/# cost clomid tablets
can i order generic clomid for sale: where to buy generic clomid pill – buy cheap clomid without dr prescription
cytotec pills buy online: Misoprostol 200 mg buy online – cytotec abortion pill
http://lisinoprilus.com/# zestril 5 mg price
buy cheap generic zithromax: zithromax over the counter – zithromax 500mg price
https://lisinoprilus.com/# lisinopril 12.5 20 g
lisinopril 5mg: buy lisinopril online – lisinopril 1 mg
http://cytotec.top/# purchase cytotec
buy generic ciprofloxacin: buy ciprofloxacin – buy cipro
where to buy cipro online: ciprofloxacin 500 mg tablet price – ciprofloxacin 500 mg tablet price
https://clomid.store/# clomid buy
buy misoprostol over the counter: buy cytotec online fast delivery – order cytotec online
buy cipro online canada: ciprofloxacin over the counter – cipro 500mg best prices
generic zithromax india: zithromax tablets for sale – zithromax canadian pharmacy
http://lisinoprilus.com/# zestril canada
how can i get clomid no prescription: how to get generic clomid without a prescription – where to buy generic clomid without rx
Abortion pills online buy cytotec pills Cytotec 200mcg price
https://lisinoprilus.com/# lisinopril 20 mg tab price
where to buy clomid without dr prescription: can i buy clomid for sale – order cheap clomid now
cytotec abortion pill buy cytotec online cytotec online
https://cytotec.top/# buy cytotec over the counter