In recent years, Asian regulators have put considerable effort into ramping up their data protection regimes. Several Asian countries, including India, China, South Korea, Vietnam, Malaysia, Thailand and Indonesia, have introduced new cybersecurity or data protection laws or enhanced existing ones. Most recently, China gave a final reading to its Personal Information Protection Law (“PIPL”) and enacted it in 2021 as its first comprehensive law on data protection. India, Indonesia and Vietnam are likely to follow suit in the short term.
The EU’s General Data Protection Regulation (“GDPR”), in force since 2018, and similar regulations elsewhere in the world have increased awareness of individuals’ rights to privacy and data protection in general. Unlike the EU, the Asia-Pacific landscape comprises numerous legal systems of diverse character and historical background, which makes it close to impossible to generalise how data protection laws operate in this region. Corporations in these jurisdictions must contend with the intricacies that each law prescribes when developing a privacy compliance programme.
Most of the data protection regimes in Asia are analogous at their core, as they are aligned with the globally recognised principles of data privacy; however, each has been adjusted to the specific requirements of its State. These countries have drawn inspiration from the EU’s GDPR, but some have extended the reach of their laws beyond that of their European counterpart.
This article is a high-level overview of the commonalities and differences present in the privacy regimes in the Asia-Pacific region.
Regional comparison of Asian Data Protection regimes – Commonalities and Differences
To date, twenty jurisdictions in this region have a comprehensive privacy regulation in place. China, Thailand and Uzbekistan are the newest members to join the party, and the laws in Japan, Kazakhstan, South Korea, New Zealand and Singapore have recently been amended. These have been included in this overview to give an up-to-date understanding of the differences between the privacy regulations of this region.
- Scope – Extraterritorial application
The GDPR applies to organisations “established” in the EU that process personal data, regardless of whether the processing occurs in the EU. As to extraterritorial scope, it also applies to the processing activities of data controllers and data processors that have no presence in the EU, where those activities relate to the offering of goods or services to individuals in the EU or the monitoring of the behaviour of individuals in the EU.
Most of the countries in the Asia-Pacific region have laws that apply only to the processing of data within their own jurisdictional boundaries. However, seven countries provide extraterritorial provisions that are similar to, or in some cases exceed, the extraterritorial scope of the GDPR: Australia, Japan, China, Indonesia, the Philippines, New Zealand and Thailand.
- Cross-border transfer of data
A majority (sixteen) of the countries in the Asia-Pacific region impose restrictions on cross-border transfers of personal data, whereas the laws of Hong Kong, Indonesia, Taiwan and Nepal allow cross-border transfers of personal data without any restrictions. The legal bases for such transfers vary significantly: adequacy of the destination, consent of the data subject or approval of the data protection authority (or other legal requirements), treaty obligations, or binding corporate rules or agreements. Thus, although these sixteen countries all permit cross-border transfers subject to restrictions, the similarities end there, as the conditions attached to a transfer differ from one jurisdiction to the next.
No country in the Asia-Pacific region has laid out a list of jurisdictions deemed to provide adequate protection for transferred data, or any model contractual clauses, as seen in the EU. In the other direction, Japan, New Zealand and, recently, South Korea have been recognised by the EU as providing adequate protection, and Taiwan is currently working towards an adequacy decision as well.
- Breach Notification
Mandatory breach notification laws are spreading quickly, as they are currently perceived as “best practice” and are “politically popular” in the prevailing geopolitical climate. In the event of a data breach, half (ten) of the countries listed in this region require some form of mandatory notification to the relevant authorities and to the affected individuals. Some laws only require entities to notify the affected individuals and the data protection authority “promptly” or “without any delay”. Other jurisdictions specify a period: seventy-two hours in the Philippines, Singapore and Thailand, five days in South Korea and fourteen days in Indonesia. Singapore also requires entities to submit a report within fourteen days of the initial notification detailing the causes of the incident, its impact and the remedial measures the organisation has taken.
- Legal basis for the processing of data
The GDPR provides six legal bases for processing personal data: consent, performance of a contract, legitimate interest, vital interest, legal obligation and public interest. Most of the countries in the Asia-Pacific region (thirteen) do not allow data processing on the basis of legitimate interest, and the range of available legal bases varies widely from one jurisdiction to another. Consent of the data subject is by far the most common legal basis for processing in these States.
- Rights of data subjects
Rights of access to and correction of stored personal data are provided in all jurisdictions. Erasure rights are available in eleven countries, whereas only four countries (China, the Philippines, Singapore and Thailand) provide data portability rights. The time frame within which an entity must respond to a data subject’s request also varies across the region. Under the GDPR, an organisation has one month to respond to a request. Here, four countries require requests to be attended to within 30 days, three within 15 to 21 days, two within 10 days, and five within 1 to 7 days. The others do not prescribe a specific period.
- Appointment of Data Protection Officer (DPO)
Data protection officers are independent experts in data protection who are responsible for monitoring and advising on an organisation’s data protection compliance programme, monitoring and assessing DPIAs, and acting as the point of contact for data subjects and the relevant supervisory authorities. China, Japan, Kazakhstan, South Korea, New Zealand, the Philippines, Singapore and Thailand are the eight countries in this region that mandate the appointment of a DPO.
- Data Localisation Requirements
Currently, only three jurisdictions in this region mandate data localisation. However, the pressure to adopt such requirements more uniformly has grown significantly since China adopted the PIPL. Organisations in China that process large volumes of personal data, and operators of “critical information infrastructure”, are now required to store such information within the borders of China. Where such information genuinely needs to be transferred to a recipient abroad, the organisation must pass a security assessment conducted by the Cyberspace Administration of China (CAC), unless it is exempted by law from that assessment. Kazakhstan’s privacy regulation likewise mandates that entities store their data locally. In Uzbekistan, owners or operators processing citizens’ data must use technical means located in Uzbekistan itself, and the relevant databases must be registered in the State Register of Personal Data Databases, even where the processing is carried out through information technologies or over the internet.
- Registration of processing activities
Under Article 30 of the GDPR, organisations are required to maintain an internal record (in writing, including in electronic form) of their personal data processing activities, in support of the principle of accountability. The trend around the world is to minimise registration requirements with authorities. However, Kyrgyzstan, Macao, Malaysia, the Philippines, Uzbekistan and Tajikistan are the six countries in this region that require organisations to register their processing activities with a data protection authority.
- Data Protection Impact Assessments (DPIAs)
Under the GDPR, a DPIA must be performed whenever an organisation takes on a new project whose processing is likely to pose a “high risk” to individuals’ personal data. In the Asia-Pacific region, Singapore, South Korea, China and the Philippines are the only four countries that require organisations to carry out DPIAs; most other local laws do not require such assessments.
The enforcement authorities, or data protection authorities (DPAs), in South Korea, Japan, Hong Kong, Singapore and Australia have responded to the ongoing wave of large data breaches with the utmost strictness. They have carried out aggressive inspections and have prosecuted organisations that failed to implement the security measures mandated by law, resulting in heavy fines and, in some cases, corrective orders. These countries are also focusing on improving private-sector security practices, and enforcement is expected to increase in the coming years as new and amended laws raise the penalties. Other types of privacy violation are also being pursued: the Korean Personal Information Protection Commission (PIPC), for example, imposed a fine of KRW 6.6 billion on an online platform operator for violating lawful processing requirements, the particulars of consent, and the rules on processing pseudonymised information.
The above comparison shows that, when it comes to trade between Europe and the Asian countries, the EU’s adequacy decisions play a vital role in facilitating data transfers. As data transfers are essential to most business processes today, and in light of the CJEU’s judgment in Schrems II, the EU’s role in dictating model contractual clauses and best practices will seep into the data protection practices of the Asia-Pacific countries as well. After several rounds of negotiations, South Korea recently obtained an EU adequacy decision under which additional safeguards were agreed, including enhanced notice obligations and rules on onward transfers and on processing for national security purposes. Importantly, individuals in the EU whose data is transferred to South Korea can now lodge complaints with the PIPC. We can therefore expect similar changes to be made to other privacy regulations in the Asia-Pacific region.
This article was written by Aryashree Kunhambu