8 January 2021
The data privacy landscape in Asia (East, Central, and South) and the Pacific has undergone a dramatic transformation in the past decade and all indications are that the region’s privacy rules will continue to change at an equally rapid pace into 2021 and beyond. Prior to 2010, only six jurisdictions had comprehensive data privacy laws and two of these enacted their laws prior to 2000: New Zealand in 1993 and Hong Kong in 1995. Between 2010 and 2020, 13 more jurisdictions enacted new data privacy laws and seven amended their existing laws (four of the seven jurisdictions amended their laws twice during this 10-year period).
In the next couple of years, we may see as many as eight new or updated laws enacted or introduced into national legislatures. China, India, and Indonesia are the most likely to adopt laws in the short term, followed by Australia, Hong Kong, Malaysia, Sri Lanka, and Vietnam in the longer term. This means that one-third of the existing privacy regimes will be undergoing significant changes in the next few years.
While the laws in the region share the same core data protection elements found in virtually every privacy law in the world, they each have their own specific rules that differ from each other and from those in other regions. In contrast to the EU, the region is characterized by varied legal systems and historical differences that make it impossible to generalize about the laws across Asia and the Pacific. It is important to take these differences into account when developing global or regional privacy compliance programs. This alert discusses some of the commonalities and differences among the privacy regimes in the region and identifies the jurisdictions that are likely to enact new or amended laws in the next few years.
Characteristics of the Current Regional Landscape: Commonalities and Differences
Nineteen jurisdictions in the region now have comprehensive privacy laws.[1] The newest laws are in Thailand[2] and Uzbekistan. The laws in Japan, Kazakhstan, Korea, New Zealand, and Singapore were amended recently. While they share the same core data protection elements, all of these laws have specific rules that are different from each other and from those in other regions.
Scope. Most of the laws in this region apply to processing in-country only. However, five have extraterritorial provisions that are similar to or exceed the scope of the EU’s General Data Protection Regulation (GDPR) extraterritorial provisions: Australia, Japan, New Zealand, Philippines, and Thailand.
Cross-border. Similarly, three-quarters (15) impose restrictions on cross-border transfers of personal data. However, the similarities end there, because the legal bases for transfers vary among adequacy, consent (or another legal basis such as a legal requirement), and/or contracts (or binding corporate rules). No jurisdiction in the region has yet issued a list of jurisdictions that provide adequate protection or, with the exception of New Zealand, model contractual clauses. Moreover, New Zealand and Japan are the only countries in the region to have been found adequate by the EU. South Korea and Taiwan are currently seeking to obtain an EU adequacy decision.
The laws in Hong Kong, Indonesia, Nepal, and Taiwan do not restrict cross-border transfers of personal data.
Breach notification. Slightly more than half (10) require notification in the event of a data breach. While a number of laws only require that notice be provided to individuals and/or to the data protection authority “promptly” or “without delay,” others require notification within 72 hours (Philippines, Singapore, and Thailand) or, in one case, within 14 days.
Legal bases for processing. Two-thirds of the laws (12) do not permit processing on the basis of legitimate interests. The range of available legal bases varies widely from one jurisdiction to another.
Individual Rights. Access and correction rights must be provided in all countries except Nepal. Almost half of the laws (9) provide erasure rights but only four countries provide data portability rights: China (under the Privacy Standard), the Philippines, Singapore, and Thailand. The timeframes for responding to Individual Rights requests also vary widely: four countries require responses to rights requests within 30 days or more; two within 20–21 days; two within 10–15 days; and three within 1–7 days. Seven do not specify a specific time period.
Data Protection Officer (DPO). Eight laws require the appointment of a DPO: China (under the Privacy Standard), Japan, Kazakhstan, Korea, New Zealand, Philippines, Singapore, and Thailand.
Localization Requirements. Only two jurisdictions impose data localization requirements: Kazakhstan’s privacy law requires companies to store their data locally and China’s Cybersecurity Law requires operators of critical infrastructure to store within China both personal information and “important data” collected and produced in the course of their business operations.
Registration. While the trend around the world is to minimize registration requirements, five laws in the region require organizations to register processing activities with a data protection authority: Kyrgyzstan; Macao; Malaysia; Philippines; and Uzbekistan.
Data Protection Impact Assessments (DPIAs). Most laws in the region do not require organizations to carry out DPIAs. DPIAs are required only in Singapore, South Korea, and the Philippines.
Enforcement. In the wake of large data breaches in the region over the past few years, data protection authorities (DPAs) in South Korea, Japan, and Australia have focused on enhancing private sector security practices. The DPAs in Korea, Japan, and Australia have been the most aggressive in carrying out inspections and prosecuting organizations that fail to implement proper security measures, often resulting in fines and/or corrective orders.
Enforcement of privacy rules in China, Hong Kong, and Singapore has focused more on other types of privacy violations.
New Laws Expected in 2021 and Beyond
India. Introduced into the Indian legislature in 2019, the Personal Data Protection Bill, 2019 is currently under review by a Joint Parliamentary Committee. The committee’s report has been delayed twice because of the pandemic. The report was initially delayed until the Parliament’s Monsoon session, which occurs during the July–September period, but that session was cut short because of the pandemic. The report was then expected to be issued during the Winter session, which occurs in late November/early December, but that session was canceled entirely because of the pandemic. Now it appears that Parliament may not resume until the Parliament’s Budget session, which is expected to take place in January 2021. In the meantime, there have been conflicting reports about the bill’s prospects. A member of the Indian Parliament, Rajeev Chandrasekhar, was reported in the press as expressing pessimism about its prospects and stating that he does not expect the Joint Parliamentary Committee to pass the legislation in its current form. In contrast, the Minister of Communications and Information Technology, Ravi Shankar Prasad, has expressed optimism that the legislation will be finalized “very soon.”
Given the pandemic and the controversy over some of the bill’s provisions, it is hard to say precisely if or when a data privacy law will be enacted. There are a number of provisions in the bill that raise significant concerns for industry, particularly with respect to the extraterritorial provisions of the proposed law, which exceed those found in the GDPR, the limited legal bases for processing personal data, the restrictive rules for cross-border transfers of sensitive and “critical” personal data, burdensome breach notification obligations, and additional and burdensome obligations imposed on certain types of data controllers and social media companies. In addition, the bill provides for severe penalties for law violations, corporate liability, and private rights of action, including class actions. And perhaps the most controversial and troubling is the provision in the bill that gives the government the right to access business intelligence and intellectual property of companies for its own “planning” and “development” purposes. Some of the key concerns with the legislation were outlined in a submission filed by Morrison & Foerster on behalf of the Global Privacy Alliance.
Indonesia. In January 2020, the Indonesian government introduced a data privacy bill in Parliament and the bill was expected to pass by the end of the year. However, because of the pandemic, the bill now is not expected to be finalized until sometime in early 2021. If enacted in its current form, the proposed law would, among other things, require controllers to process personal data on the basis of consent or on another legal basis, such as legitimate interests or a legal requirement, to notify individuals and the data protection authority within 72 hours after a data breach occurs, and to provide individuals with access, correction, deletion, and data portability rights. In addition, the proposed law imposes limits on cross-border transfers and prohibits the buying and selling of personal data for money.
China. In October 2020, the Chinese government released a draft privacy law, following the end of the 22nd session of the Standing Committee of the Thirteenth National People’s Congress. The draft Personal Information Protection Law (“Draft Law”) was open for public consultation until November 19, 2020. Morrison & Foerster, on behalf of the Global Privacy Alliance, filed comments in this proceeding. To date, China has not enacted a comprehensive data protection law, but rather has issued various sector-specific or issue-specific laws, regulations, and non-binding standards that address data security and privacy.
Among other things, the Draft Law provides for a narrow set of legal bases for processing personal information that include consent, contractual necessity, and legal requirements, but not legitimate interests. The Draft Law also imposes data localization requirements on critical information infrastructure operators and controllers who process personal information up to the amount prescribed by the Cyberspace Administration of China (CAC), requires notices to the government in the event of a data breach, and, for controllers that process personal information in quantities prescribed by the CAC, requires the appointment of a data protection officer. Fines for violations range up to ¥50 million (approx. US$7.6 million) or up to 5% of the previous year’s turnover. In addition, responsible corporate personnel may be subject to fines of up to ¥1 million (approx. US$153,000).
The expectation is that the legislation might be enacted sometime in 2021.
Australia. In October 2020, the Australian government released for public comment the terms of reference and issues paper for a wide-ranging review of the Privacy Act 1988 (the Privacy Act). The government is currently reviewing the comments received from the consultation, which ended in late November, and then plans to issue in early 2021 a discussion paper that will seek more specific feedback on preliminary outcomes, including any possible options for reform. The review covers areas including:
- the scope and application of the Privacy Act;
- whether the Privacy Act effectively protects personal information and provides a practical and proportionate framework for promoting good privacy practices;
- whether individuals should have direct rights of action to enforce privacy obligations under the Privacy Act;
- whether a statutory tort for serious invasions of privacy should be introduced into Australian law;
- the impact of the notifiable data breach scheme and its effectiveness in meeting its objectives;
- the effectiveness of enforcement powers and mechanisms under the Privacy Act and how they interact with other Commonwealth regulatory frameworks; and
- the desirability and feasibility of an independent certification scheme to monitor and demonstrate compliance with Australian privacy laws.
The government is working on a separate track to increase the maximum civil penalties under the Privacy Act, and to develop a binding privacy code for social media platforms and other online platforms that trade in personal information.
Hong Kong. Hong Kong’s government is in the process of reviewing and studying possible amendments to Hong Kong’s Personal Data (Privacy) Ordinance (PDPO), jointly with the Office of the Privacy Commissioner for Personal Data (PCPD). As part of this process, Hong Kong’s Constitutional and Mainland Affairs Bureau released a discussion paper in January 2020 seeking the Legislative Council Panel on Constitutional Affairs’ views on proposed changes to the PDPO. Possible amendments include expanding the scope of the law (to cover processors and expand the definition of personal data), providing the PCPD with criminal investigation and prosecution powers and the ability to issue administrative fines, increasing the maximum level of criminal fines, imposing mandatory data breach notification obligations, and requiring data users to establish retention policies that specify maximum retention periods for different types of personal data collected.
Malaysia. In February 2020, the Malaysian Department of Personal Data Protection (“JPDP”) held a public consultation on proposed changes to the Personal Data Protection Act 2010 (the “Act”). The consultation paper laid out at a high level possible changes to the Act in 22 different areas, including breach notification, privacy by design, data portability, and an expanded scope to cover processors. This consultation followed a year-long review undertaken by the JPDP to compare the Act to other international data protection laws and explore ways to strengthen the Act. Given governmental changes in 2020 and the pandemic, the timing of draft legislation is unclear.
Sri Lanka. The Sri Lankan Ministry of Digital Infrastructure and Information Technology issued a draft text of data protection legislation in September 2019. In September 2020, it was reported that the draft legislation is expected to be presented to the cabinet for approval. According to the ministry, the bill would take effect within three years from its certification date, to provide sufficient time for the public and private sectors to take adequate steps to come into compliance with the law. The data protection authority is required to be established within 18 months.
The bill mirrors the GDPR in many ways, such as the applicability of the law, the legal bases for processing, Individual Rights, comprehensive transparency and accountability obligations on controllers (including the need for privacy impact assessments), and prohibitions on sending unsolicited marketing messages without individuals’ express consent. In addition, there are data localization requirements for public sector processing of personal data.
Vietnam. In October 2020, the Vietnamese government announced that it had tasked the Ministry of Public Security (MPS) to coordinate with relevant ministries, agencies, and localities to develop and submit in the first quarter of 2021 a draft decree on personal data protection (“Decree”). In July 2020, the MPS, in coordination with the Ministry of Justice and the United Nations, held a data protection workshop that focused on disadvantaged and vulnerable groups in Vietnam. The workshop was held in the framework of the project “EU Justice and Legal Empowerment Program in Vietnam” (EU JULE) in 2020 to strengthen the rule of law and access to justice. The outcomes of the workshop are expected to be used to develop the Decree and other relevant legal documents, in order to develop a legal foundation for personal data protection in Vietnam.
[1] These jurisdictions are Australia, China, Hong Kong, India, Indonesia, Japan, Kazakhstan, Kyrgyzstan, Macao, Malaysia, Nepal, New Zealand, Philippines, Singapore, South Korea, Taiwan, Thailand, Turkmenistan, and Uzbekistan. Even though Indonesia and China have sectoral rather than omnibus privacy laws, they are included in this list because their rules have become de facto data privacy laws.
[2] The Thai data protection law was scheduled to take effect May 27, 2020; however, organizations covered by the May 23, 2020 Royal Decree are exempted until May 31, 2021.