The state of privacy regulations across Asia

While GDPR looms large across the Asia-Pacific region, there are significant differences as jurisdictions develop their own national approaches to privacy. There’s also a growing focus on data security in many countries.

asia fom space night shutterstock 1422245984
Shutterstock

Throughout Asia, it’s clear that the European Union’s GDPR privacy regulations, which apply globally when handling EU residents’ data, has marked out many of the ground rules in how to handle privacy laws. But although there are some common elements, there’s no overarching uniformity. Sovereign countries have their own data-protection frameworks and focal points when it comes to regulating privacy.

And although there is some movement to better align local regulations with GDPR, some countries are actually further ahead of the EU on certain aspects of privacy regulations. “There is a miss misunderstanding that the EU is the highest standard. It definitely is in some areas, but in some areas, definitely not,” says Miriam Wugmeister, a Morrison Foerster partner and cochair of its global privacy and data security group. For example, “countries such as South Korea, Japan, and Singapore are the leaders in terms of data security. On data localization [a.k.a. data sovereignty], China’s way ahead of Europe,” Wugmeister tells CSO Online.

The move to greater consistency at the same time as increased local variation will pose challenges to businesses throughout the world when doing business in Asia, making some efforts easier to scale across the region but still requiring custom implementations around data protection and privacy.

Where GDPR has influenced Asian data-protection laws

Data-protection legislation in Asia has been influenced by the 1980 version of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data,” says Peggy Chow, counsel at Herbert Smith Freehills Singapore. “Most Asian data-protection regimes are principles-based and follow the main principles around choice and notice, consent, data minimization, use limitation, retention and destruction of personal data, and cross-border data transfer restriction,” she says.

Although the major data privacy principles are similar across Asia, the implementation of these principles varies across different jurisdictions. They typically differ on what constitutes valid consent, how you can obtain valid consent and the alternative legal concept of exceptions for processing personal data other than consent. “Some jurisdictions in Asia have amended their laws to introduce mandatory breach notification requirements, and some have not,” Chow says. “The spectrum of data subjects’ rights provided under data privacy laws also varies from jurisdiction to jurisdiction.”

Across the region, it’s nonetheless clear GDPR has inspired Asian countries’ data privacy regulators. Most jurisdictions have taken steps to bring the local law regime closer to the benchmarks under GDPR. For example, most Asian jurisdictions that already had a comprehensive data-protection legislation in place — including Japan, the Philippines, Singapore, and South Korea — have introduced amendments and reforms to their data-protection regimes to incorporate features of GDPR. For example, “the latest amendments to Singapore law took effect in February 2021, and the amendments to Japan law take effect in April 2022,” Chow notes.

The latest Asian jurisdictions to introduce comprehensive data-protection legislation are China (its Personal Information Protection Law came into effect in September 2021) and Thailand (the Personal Data Protection Act will come into force in full in 2022). Chow notes that India and Vietnam don’t have a comprehensive data-protection legislation yet, but both countries have introduced data-protection bills similar to GDPR.

Here are key features of the different regimes:

  • Mandatory breach notification is common in China, Japan, the Philippines, Singapore, South Korea, and Thailand. It’s also in the proposed data-protection bill currently in the Indian Parliament.
  • Enhanced data subjects’ rights, such as the right to data portability, is mandated in China, Singapore, and Thailand, and is in India’s proposed data-protection bill.
  • Extraterritorial scope (where foreign entities must abide by the rules when dealing with local citizens’ data — a key feature of the EU’s GDPR) appears in law in China and Thailand, and is in India’s proposed law.
  • There are provisions on enhancing the restrictions on the handling of sensitive personal data in Japan, and on adding biometric or genetic data to definition of sensitive data in the Philippines.
  • There are provisions clarifying the concepts of pseudonymization in Japan and South Korea.

New data-protection and privacy laws in Asia pose compliance challenges globally

Where Asian countries are introducing new data-protection and privacy laws, they’re putting more focus on rules and requirements that pose challenges in compliance for organizations active in these jurisdictions.

China

China is a challenging jurisdiction, Chow says. “Given that in addition to GDPR-inspired requirements, there are also additional requirements around cross-border data transfer and data localization requirements.”

Singapore

The Singapore Personal Data Protection Act (PDPA) is regarded as more practical and pro-business given that there is an extensive list of consent exceptions that organizations can rely on. However, “this does not mean that Singapore’s regime is weaker,” Chow says. PDPA also complements existing sector-specific laws and regulatory frameworks for banking and insurance.

South Korea

South Korea has been considered as the most challenging jurisdiction, Chow says, given its specific Personal Information Protection Act (PIPA) requirements. There are “mandatory requirements on the presentation of the privacy notice, mandatory information to be included in privacy notice is extensive, and there is extremely limited alternative legal basis for processing personal data other than consent.”

Vietnam and India

Vietnam and India, both with draft data-protection bills under consideration, will be challenging as well. “Both jurisdictions have adopted their own versions of GDPR with their own features, which may be difficult to navigate,” Chow says.

Shift in focus for Asian privacy requirements and data localization

Chow says there’s been a significant shift in focus in the region, from just compliance to the accountability of organizations handling personal data. This include privacy-impact assessments, privacy by default and privacy by design, and mandatory appointment of a data protection officer (once certain thresholds are met). “These are becoming common features in Asian data privacy laws, or have been introduced by Asian privacy regulators via their advisory guidelines,” she says.

“Another difference between Asian data privacy and the EU regime is that there is no distinction between controller and processor in some Asian jurisdictions, and all personal data handlers are subject to the same obligations — this is true for Japan and China,” Chow says.

Within the 10 ASEAN nations, there are now common data-protection principles for each member to incorporate into their data privacy legislations. ASEAN has also introduced the ASEAN Model Contractual Clauses for Cross Border Data Flows (MCCs), which represent regional efforts to facilitate transfer of personal data among ASEAN countries.

 “Unlike the EU Standard Contractual Clauses, the MCCs are a voluntary standard designed to provide guidance on baseline considerations for transferring personal data, and can be adopted or modified by the parties or as required by local laws,” Chow says.

Additionally, there is also a trend in Asia to recognize regional certification as a data transfer mechanism. The Asia-Pacific Economic Cooperation (APEC) forum is also playing a role, with certain countries such as Japan and Singapore recognizing certifications under APEC’s cross-border privacy rules and requirements for data processors and data transfers.

These types of rules and standards move into the data localization territory, which is a requirement to store data locally. Data sovereignty is becoming equally a privacy and national security issue, Chow says. “Indonesia, Vietnam, China, and India have data localization requirements, although in Indonesia it only applies to public electronic systems operators that provide public services.”

In Vietnam, the privacy regulator has the right to physically inspect the contents of the information stated in the application for the cross-border transfer of personal data and domestic, and foreign service providers must store the users’ data in the country for a certain period to be stipulated by the government.

“India’s data localization laws are set out in its draft bill and [if passed] it will join China in stipulating data localization requirements on both personal data and critical data, requiring data to be stored onshore if certain thresholds are met,” Chow says.

Growing focus on data security in Asia

Some countries moving into other data-protection areas, beyond what’s included in GDPR. Morrison Foerster’s Wugmeister sees a key commonality in the region that contrasts with other parts of the world: “the focus on data security.”

Wugmeister notes that GDPR is not the most rigorous standard on data security. “It says you need to have reasonable organizational and technical measures to protect your data. It mentions anonymization and pseudonymization, and encryption, but that’s all it says. By contrast, South Korea has 20 pages of detailed obligations.”

South Korea is not alone. “What we’re seeing now is more and more of the regulators in Asia are adding more detailed security obligations,” Wugmeister says. South Korea is ahead of the others, but Australia, Japan, and Singapore are starting to follow by putting out more guidance with respect to data security. “These countries are leading far ahead of the EU,” she says.

Related articles

Copyright © 2022 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)