Longstanding privacy regimes in Asia (East, Central, and South) and the Pacific that once eschewed the European notion of adequacy for cross-border transfers of personal information are now fully embracing this concept, with the expectation of securing an EU seal of approval. Japan, New Zealand, and South Korea are recognized by the EU as providing adequate protection. EU adequacy negotiations with Taiwan are currently ongoing, so Taiwan may be next.
In the past couple of years, more than one-quarter of the 20 jurisdictions with privacy laws[1] in this region have amended or are in the process of amending their laws to incorporate prescriptive, EU-like rules such as mandatory data protection impact assessments, the appointment of data privacy officers, and rapid notification to individuals and regulators in the event of a data security breach. These jurisdictions are also moving towards more stringent cross-border rules. At the same time, newcomers to the privacy arena, such as China and Thailand, and anticipated new jurisdictions such as India, Indonesia, and Vietnam, are eager to join their ranks.
Furthermore, data localization pressures continue to grow, particularly after China’s adoption of the Personal Information Protection Law (PIPL), which requires certain types of companies to store personal data in country. Kazakhstan and, most recently, Uzbekistan, are the only other jurisdictions in the region with data localization requirements. However, other jurisdictions such as India and Vietnam may impose similar data localization rules soon.
These changes to the region’s privacy landscape present new challenges for companies with established regional or global compliance approaches or those seeking to develop one. More changes are expected in 2022 in almost half of the jurisdictions in the region, as Australia, China, Japan, South Korea, and Thailand implement and/or amend their existing rules, and India, Indonesia, Sri Lanka, and Vietnam enact new laws.
This alert discusses some of the significant changes that took place in 2021, reviews the current commonalities and differences among the privacy regimes in the region, and then identifies possible new laws and regulations in 2022 and beyond.
Privacy Laws Enacted and Other Developments in 2021
The following provides a snapshot of new laws enacted and related developments in 2021:
China. China’s first comprehensive data privacy law, the Personal Information Protection Law (PIPL), was enacted in August 2021 and took effect on November 1, 2021. In addition to applying to processing within China, the PIPL applies to processing outside of China if undertaken for the purpose of providing products or services to or monitoring the behavior of individuals in China. Significantly, the PIPL imposes restrictions on cross-border transfers, as well as data localization requirements on operators of critical infrastructure and companies that process high volumes of personal data (the threshold amount has yet to be specified). In order to transfer personal data outside China, organizations must pass a security assessment conducted by the Cyberspace Administration of China (CAC), undergo a personal information protection certification by a specialized agency, or conclude a contract with the overseas recipient in the standard form promulgated by the CAC. There are also requirements on some organizations to appoint a data protection officer (DPO) and carry out a data impact assessment (DPIA) before engaging in certain activities such as processing sensitive personal data, using personal data for automated decision-making, or transferring personal data outside China. Various key implementing regulations have not yet been issued.
South Korea. Korea is now recognized by the European Commission as providing adequate protection for personal information. The Commission’s adequacy decision, issued on December 17, 2021, allows for personal information flows between Korea and the EU Member States without the need for an additional transfer mechanism (such as the EU’s Standard Contractual Clauses or Binding Corporate Rules). The strengthening of the investigatory and enforcement powers of the Korean central regulator, the Personal Information Protection Commission (PIPC), as a result of the 2020 amendments to the Personal Information Protection Act (PIPA) played an important role the adoption of the adequacy finding. During the EU-Korean negotiations on adequacy, several additional safeguards were agreed upon to increase the protection of personal information processed in Korea, such as enhanced notice obligations (by requiring Korean data importers to inform Europeans about the processing of their data), onward data transfers (by ensuring that data continues to benefit from the same level of protection when further transferred to third countries), and processing for national security purposes. Importantly, the ability for the PIPC to facilitate EU individuals’ access to redress was included to address the concerns raised in the ECJ’s Schrems II decision. This means that EU individuals whose personal information is transferred to Korea will be able to lodge complaints with the PIPC.
Singapore. Singapore’s amended Personal Data Protection Act (PDPA) entered into force on February 1, 2021. The amendments introduced important changes to the law, including mandatory breach notification, an expanded concept of “deemed consent,” new consent exceptions, a new accountability principle, strengthened regulations on unsolicited commercial messages, and increased financial penalties and enforcement powers for the DPA. Since that time, Singapore’s Personal Data Protection Commission has been active in carrying out its enforcement authority under the PDPA, and, in particular, imposing financial penalties on organizations that fail to implement reasonable security practices.
Uzbekistan. In January 2021, Uzbekistan’s Law No. ZRU-547 on Personal Data was amended to require data localization. The data localization requirement, which became operative on April 16, 2021, requires database owners and operators that process Uzbek citizens’ personal data using information technologies, including via global information networks (e.g., the internet), to:
- Ensure that the data is collected and stored using technical means physically located in the territory of Uzbekistan; and
- Register such databases in the State Register of Personal Databases.
Uzbekistan’s State Personalization Centre (the “Centre”) issued a clarification in February 2021 that the rule applies only to information such as names, phone numbers, and passport information that Uzbek citizens use to register on such networks, and that it does not apply to databases containing users’ posts, comments, and/or uploaded multimedia. The data localization requirement became operative in April 2021 and the Centre moved quickly to establish a registry of violators and the procedures by which access to infringing online resources is restricted and, if applicable, how access is subsequently restored. The Centre also took immediate enforcement action by restricting access to several social networking and telecommunications sites.
Characteristics of the Current Regional Landscape: Commonalities and Differences
While the laws in the region share the same core data protection elements found in virtually every privacy law in the world, they each have their own specific rules that differ from each other and from those in other regions. In contrast to the EU, the region is characterized by varied legal systems and historical differences that make it impossible to generalize about the laws across Asia and the Pacific. It is important to take these differences into account when developing global or regional privacy compliance programs.
The following provides a high-level overview of the commonalities and differences among the 20 jurisdictions in the region that now have comprehensive privacy laws. The newest laws are in Thailand[2] and Uzbekistan. The laws in Japan, Kazakhstan, New Zealand, Singapore, and South Korea were amended recently.
Scope. Most of the laws in this region apply to processing in-country only. However, seven have extraterritorial provisions that are similar to or exceed the scope of the EU’s General Data Protection Regulation (GDPR) extraterritorial provisions: Australia, China, Indonesia, Japan, New Zealand, Philippines, and Thailand.
Cross-border Transfers. Similarly, more than three-quarters (16) impose restrictions on cross-border transfers of personal data. However, the similarities end there, because the legal bases for transfers vary from adequacy, consent (or another legal basis like legal requirements), and/or contracts (or binding corporate rules). No jurisdiction in the region yet has issued a list of jurisdictions that provide adequate protection or, with the exception of New Zealand, model contractual clauses. Moreover, New Zealand, Japan, and most recently South Korea are the only countries in region to be found adequate by the EU. Taiwan is currently seeking to obtain an EU adequacy decision.
The laws in Hong Kong, Indonesia, Nepal, and Taiwan do not restrict cross-border transfers of personal data.
Breach Notification. Half (10) require notification in the event of a data breach. While a number of laws only require that notice be provided to individuals and/or to the data protection authority “promptly” or “without delay,” others require notification within 72 hours (New Zealand, Philippines, Singapore, and Thailand), five days (South Korea), or, in one case, within 14 days (Indonesia).
Legal Bases for Processing. Two-thirds of the laws (13) do not permit processing on the basis of legitimate interests. The range of available legal bases varies widely from one jurisdiction to another.
Individual Rights. All of the laws provide access and correction rights. Slightly more than half of the laws (11) provide erasure rights but only the laws in four jurisdictions provide data portability rights: China, the Philippines, Singapore, and Thailand. The timeframes for responding to Individual Rights requests also vary widely: four laws require responses to rights requests within 30 days or more; three within 15–21 days; two within 10 days; and five within 1–7 days. Six do not specify a specific time period.
Data Protection Officer (DPO). Eight laws require the appointment of a DPO: China, Japan, Kazakhstan, Korea, New Zealand, Philippines, Singapore, and Thailand.
Data Localization Requirements. Three jurisdictions impose data localization requirements. Kazakhstan’s privacy law requires companies to store their data locally. China’s Personal Information Protection Law requires organizations that process high volumes of personal data and operators of critical infrastructure to store personal data within China. Where it is truly necessary to provide such information to a party abroad, these organizations must pass a security assessment conducted by CAC, except in cases where the assessment requirement is exempted by law. The Uzbek law requires owners and/or operators to process personal data of Uzbek citizens only with technical means physically located in Uzbekistan. Such technical means must be registered in the State Register of Personal Data Databases. In addition, this requirement also applies to the processing of personal data using information technologies, including through the internet.
Registration. While the trend around the world is to minimize registration requirements, six laws in the region require organizations to register processing activities with a data protection authority: Kyrgyzstan, Macao, Malaysia, Philippines, Tajikistan, and Uzbekistan. Three of these jurisdictions require controllers and processors to register.
Data Protection Impact Assessments (DPIAs). Most laws in the region do not require organizations to carry out DPIAs. DPIAs are required only in China, Singapore, South Korea, and the Philippines.
Enforcement. To-date, enforcement of data privacy laws in this region has been the most active in Australia, Hong Kong, Japan, Singapore, and South Korea but, with the enactment of new and amended laws with increased penalties, enforcement is expected to increase in the coming year. With the increasing frequency of data breaches, many authorities are focused on going after organizations that fail to implement proper security measures. However, 2021 saw some large fines for other types of privacy violations. For example, the Korean PIPC imposed fines of KRW 6.6 billion on overseas online platform operators for failing to inform individuals about the disclosure of personal data to third parties, including transfers to third countries and a fine of KRW133 million on an AI technology company for violating, among other provisions, the rules on lawfulness of processing, in particular consent, and the processing of pseudonymized information.
What to Expect in 2022 and Beyond
Australia. Reform legislation that includes higher penalties (up to A$10 million or 10% of an entity’s annual Australian turnover) is expected to move forward for legislative approval this year.
Late last year, the government released its proposed Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (“Bill”) for public comment. The Bill, which seeks to address specific privacy challenges posed by social media and online platforms in complying with the Australian Privacy Principles (APPs) in the online space, introduces an Online Privacy Code (“OP Code”) as well as enhanced penalties and enforcement measures under the Privacy Act. The OP Code would apply specifically to organizations that provide social media services, data brokerage services, and large online platforms.
In addition, the government’s review of the Privacy Act will continue this year. The government solicited public feedback on its discussion paper, which covered such topics as the scope and application of the Privacy Act; the protections contained in the APPs; and how the Privacy Act is regulated and enforced. The consultation period ended on January 10, 2022.
China. The government is working on implementing regulations for PIPL that will establish, among other things, the threshold for data localization and the appointment of a DPO, as well as the rules for handling sensitive personal data, breach notification, and cross-border transfers. Consultative draft regulations on cross-border transfers and security of network data were issued in late 2021 and are expected to be finalized in 2022.
India. Two years after the Personal Data Protection Bill, 2019 (“Bill”) was introduced into the legislature in 2019, India’s Joint Parliamentary Committee (JPC) on the Personal Data Protection Bill tabled its report in Parliament on December 16, 2021. The 542-page report contains 81 recommendations and 150 corrections and improvements to various provisions of the Bill. The two houses of Parliament, the Lok Sabha and Rajya Sabha, must now consider and act on the Bill. The legislature failed to act on the Bill during the Winter Session, which ended on December 23, 2021, so the next opportunity for action will be during the Budget Session, which will be held in two parts: January 31–February 11 and March 14–April 8, 2022.
Some of the proposed JPC recommendations include expanding the scope to cover both personal and non-personal data; imposing more extensive breach notification obligations, including a 72-hour reporting timeframe and liability for harm resulting from delayed breach reporting; implementing data localization requirements for all local and foreign entities; and requiring DPOs to hold key management positions and have adequate technical knowledge in the field. In addition, the JPC recommends that new provisions be added to enable the Data Protection Authority to regulate hardware manufacturers and related entities, and, in particular, establish a mechanism for the formal certification process for all digital and IoT devices in order to ensure the integrity of such devices with respect to data security.
Indonesia. In January 2020, the Indonesian government introduced a data privacy bill in Parliament and the bill was expected to pass by the end of the year. However, because of the pandemic, the government is now expecting the legislation to be finalized in 2022. According to a statement in late December 2021 by the Communication and Informatics Minister, the bill is currently in the discussion stage between the ministry and the Indonesian House of Representatives. If enacted in its current form, the proposed law would, among other things, require controllers to process personal data on the basis of consent or on another legal basis, such as legitimate interests or a legal requirement, to notify individuals and the data protection authority within 72 hours after a data breach occurs, and to provide individuals with access, correction, deletion, and data portability rights. In addition, the proposed law imposes limits on cross-border transfers and prohibits the buying and selling of personal data for money.
Japan. On April 1, 2022, amendments to Japan’s privacy law, the Protection of Personal Information Act (PIPA), enacted in 2020, will take effect. The amendments impose new obligations on businesses that handle personal information with respect to, among other things, mandatory breach notification to the privacy regulator and affected individuals, cross-border transfers, and the use of cookies. They also require overseas companies that process personal information as part of providing goods or services to a person in Japan, non-personal information (such as cookies), anonymized information, or pseudonymized information to comply with all of the obligations and restrictions under the law. Currently, foreign companies are subject to a more limited set of obligations under the PIPA. In addition, the amendments enhance individual rights, strengthen PIPA’s criminal penalties, and empower the regulator to investigate non-compliance by companies located overseas and issue orders to and/or impose penalties on them. These types of investigations and orders are currently limited to businesses located in Japan.
South Korea. Additional amendments to the PIPA are under legislative consideration in 2022. Last September, the government submitted its proposed amendments to the National Assembly that would, among other things, expand the legal bases available for processing and cross-border transfers, increase financial penalties, and enhance individual rights with respect to data portability and automated decision-making. Alternative amendment bills have also been proposed by some members of the legislature. Depending on the outcome of the debate, we may see further changes made to the PIPA in 2022.
Sri Lanka. The government’s Personal Data Protection Bill (“Bill”) is currently under consideration in the legislature. On January 20, 2022, the Bill was presented for its first parliamentary reading. The Bill contains GDPR-like extraterritorial provisions that apply to processing by entities outside of Sri Lanka that offer goods or services to or monitor the behavior of individuals in Sri Lanka. In addition, the Bill restricts cross-border transfers to countries that do not provide adequate protection, imposes breach notification obligations, requires the appointment of a DPO and the carrying out of DPIAs, imposes direct marketing obligations, and provides for the creation of a data protection authority. If the Bill is approved, the provisions will come into operation on a date determined by the Minister, which will not be earlier than two years from the date of enactment.
Thailand. Enforcement of Thailand’s Personal Data Protection Act B.E. 2562, enacted in 2019, is finally expected to begin June 1, 2022 after a two-year delay. The delay was intended to reduce the impact on both government agencies and businesses during the COVID-19 epidemic. At a high level, the Thai law is similar to the GDPR with respect to the law’s extraterritorial scope, legal bases for processing personal data, cross-border transfer restrictions, and 72-hour breach notification obligations. However, the DPA has yet to issue guidance to address many unanswered questions about how certain provisions will be implemented.
Vietnam. In February 2021, the government held a public consultation on a Draft Decree on Personal Data Protection (“Draft Decree”) and then issued a second draft (“Revised Draft Decree”) for public consideration. The Revised Draft Decree, which largely mirrored the original draft, specified an effective date of December 1, 2021. However, the draft decree was heavily criticized for being overly burdensome and challenging to implement, and not in the best interest of stakeholders, including individuals and the Vietnamese government. As a result, the draft decree is not expected to be enacted in its current form.
As currently drafted, the Draft Decree applies to public- and private-sector organizations that process personal data, and, among other things, provides for very limited bases for processing Personal Data, establishes onerous conditions for cross-border transfers, including data localization, and imposes large penalties for repeated law violations.
For further information, please contact:
Cynthia J. Rich, Partner, Morrison Foerster
crich@mofo.com
[1] These jurisdictions are Australia, China, Hong Kong Special Administrative Region, India, Indonesia, Japan, Kazakhstan, Kyrgyzstan, Macao, Malaysia, Nepal, New Zealand, Philippines, Singapore, South Korea, Taiwan, Tajikistan, Thailand, Turkmenistan, and Uzbekistan. Even though Indonesia has a sectoral rather than omnibus privacy law, it is included in this list because these rules have become a de facto data privacy law.
[2] The Thai data protection law was scheduled to take effect May 27, 2020; however, organizations covered by the May 23, 2020 Royal Decree were exempted until May 31, 2021.