25 April, 2016
The initial push for comprehensive data protection regulation across the Asia-Pacific region that took hold between 2010 and 2015 has now run its course. During this period, the number of jurisdictions in the region with comprehensive “European-style” data protection regulatory regimes more than doubled from five to eleven, with new regimes coming into force in India, Malaysia, the Philippines, Singapore, South Korea and Taiwan.
Looking back on 2015 and forward to 2016, we see a new phase of regulatory development taking shape in the Asia-Pacific region. Some of the longer established laws are now being stepped up and we see a progression towards stricter, more punitive enforcement in a number of jurisdictions. As regulators settle into their new roles under recently enacted regimes, they are turning to publish more comprehensive and detailed compliance guidance and staffing up to administer enforcement. Critically, we see an important parallel development in cyber security regulation emerging across the region. The policy considerations relating to cyber security regulation often include data protection concerns, but often bring wider geopolitical and national security concerns into play.
Stepped up laws, more exacting compliance standards 2015 saw more onerous regulatory requirements under evaluation or introduced to a number of the more mature data protection regimes in the region:
– amendments to Japan’s Personal Information Protection Act introduced a concept of “sensitive personal data”, added data export controls and, critically, made provision for the appointment of a dedicated regulator;
– South Korea added punitive damages to its already stringent privacy laws;
– Taiwan introduced a concept of “sensitive personal data” to its Personal Data Protection Act; and
– Australia launched consultations towards introducing a mandatory data breach notification obligation to its Privacy Act.
There was also a general trend towards more demanding compliance environments across the region.
Hong Kong saw three convictions under its direct marketing offences. While the fines in these cases
were relatively small (HK$10,000 in two cases and HK$30,000 in the third), all three prosecutions were widely publicized in the Hong Kong press, underscoring the growing reputational risks for failing to comply with Hong Kong’s Personal Data (Privacy) Ordinance. Hong Kong’s official enforcement statistics for 2015 showed a 16% increase in the number of complaints and a record high of 98 data breach notifications, up from 70 in 2014.
The Hong Kong and Singapore privacy regulators continued to be relatively prolific in their publication of detailed compliance guidance across a range of topics.
Looking forward to 2016, we expect to see the push towards comprehensive “European-style” data protection regulation to continue:
– Thailand’s cabinet approved a new data protection and a cyber security law in January 2015, and these are proceeding through the legislative process; and
– Indonesia expects to introduce a new data protection law in early 2016.
At the time of printing, Malaysia had issued its Personal Data Protection Standards dealing with data security, integrity and retention requirements. Detailed direct marketing guidelines are expected later this year.
Singapore has announced that it will be publishing a Cyber Security Bill in the course of 2016.
Is Asia-Pacific harmonisation on the way?
At the moment, we do not yet see any clear trend towards common compliance standards across the region. Moving from a plain reading of the text of the newly enacted data protection laws (which in many respects appear similar across the region) to
the practicalities of enforcement and compliance, we actually see increasing divergence as jurisdictions prescribe more and more detailed requirements, often with local nuance.
The APEC Privacy Framework has provided some rough signposts for a common approach to principles- based regulation, but priorities for policy-making and enforcement vary significantly by jurisdiction. These differences reflect different levels of economic development and political agendas, as well as different cultures and experiences with data protection issues.
While 2015 saw a general tightening of regulatory requirements across the region, there are some outliers. Malaysia and the Philippines still lack regulators responsible for administering their data protection laws, and this can reasonably be expected to be limiting in terms of the effective enforcement of the law. While Taiwan saw reforms to its laws directed at enhancing data protection standards, the removal of a number of offences from the law could be taken as a signal that aggressive enforcement will not be a priority.
With these differences emerging there is as yet no clear pathway towards conformity, through APEC or otherwise. It is clear that there is an increasingly pressing need to resolve differences in areas such as cross-border data transfer controls, which impact both businesses seeking to leverage regional and global operating platforms and regulators requesting or demanding data from other jurisdictions in support of compliance with anti-money laundering regulations and cross-border assistance with criminal investigations. A number of the national laws in the region, for example, provide for “white lists” of data transfer destination jurisdictions which are deemed to provide adequate standards of protection without any additional compliance measures being taken. However, in no case has a national authority issued a completed white list that would give effect to this intended flexibility.
Cyber Security – the emerging challenge
Asia-Pacific headlines reported on significant cyber security incidents throughout 2015, concluding the year with reports that Hong Kong-based toymaker Vtech had experienced a hacking in which the details of 5 million adults and over 6 million children had been compromised.
In addition to broader concerns about criminal activity, there is clearly a geopolitical dimension to cyber security developments in the region, particularly with respect to China. The passage of a new National Security Law and Anti-Terrorism Law and the publication of a draft Cyber Security Law pushed China to the forefront of developments in cyber security regulation. In China as elsewhere, industry sector regulation has been key to the growing compliance burden. China’s banking and insurance regulators have both issued stringent technology risk management guidelines directing institutions to adopt quotas for “secure and controllable” technologies.
Banking regulators in Hong Kong and Singapore, two of the region’s financial services hubs, both issued directions to their authorised institutions highlighting the increasing urgency of the need to address cyber security risks. Institutions in both jurisdictions are already subject to detailed technology risk management and data security requirements. The regulatory notices were essentially calling for institutions to go above and beyond these existing requirements and proactively develop solutions to the shifting nature and source of cyber threats.
South Korea has long been home to challenging technical cyber security regulation and data localisation requirements, but now we see these impulses elsewhere. Indonesia, for example, has already moved to enact a data localisation law that will have significant impact on businesses operating there from 2017.
Biometrics, Big Data and the Internet of Things
As data protection regimes mature across the region, we are increasingly seeing lawmakers and regulators crafting regulation and compliance guidance that specifically address data protection aspects of advancing technologies in areas such as biometrics, big data and the internet of things.
In the Asia-Pacific region, as elsewhere, high tech solutions are promising individuals great benefits in terms of quality of life and productivity, but at the same time are raising important data protection and cyber security issues and often running ahead of existing regulations.
Mobile health initiatives, for example, hold promise for improving the efficiency of healthcare delivery in increasingly costly environments of advanced economies and also offer means of extending the scope of healthcare to developing economies that lack the infrastructure to make consistent delivery of basic medical services. These technologies, however, can involve the processing of extremely sensitive personal data.
Biometric data is also playing an increasingly prominent role in combatting cyber security risks, with increasing use of fingerprints, voice authentication and other technologies that seek to improve security controls but at the same time pose a delicate balancing act with respect to data protection interests.
Asia-Pacific region regulators are reacting to these developments. In 2015 we saw Japan introduce a concept of “sensitive personal data” that includes a data subject’s medical history. Taiwan broadened its definition of sensitive personal data to include medical records. In both cases the effect is to give health information greater protection under the privacy law.
Hong Kong published detailed guidance on the handling of biometric information, requiring that privacy impact assessments be carried out before such data is used, and that efforts be made to minimise its use in proportion to the objectives.
Japan, Korea and Singapore are all positioning themselves to be regional leaders in Big Data innovations.
Japan’s 2015 amendments to its Personal Information Protection Act include specific measures addressing the use of big data and anonymised datasets. South Korea introduced measures addressing many of the same topics in December, 2014.
Singapore’s Smart Nation initiative has put a focus on promoting Singapore as a regional hub for developing data analytics and the internet of things, with the Personal Data Protection Commission calling for balance between compliance concerns and space for technological innovation. This balance is reflected in a number of respects under the Singaporean Personal Data Protection Act, which, for example does not apply to publicly available personal data.
We expect to see continuing tensions between the economic development case for advanced data analytics technologies and the data protection risks that these technologies raise, as regulators increasingly turn to issue detailed guidance and take enforcement action.
Individual country spotlights
China
A rapid sequence of legislative reforms in recent years demonstrates a serious resolve by China to move the country towards a more comprehensive data privacy regime, even as abuses of privacy remain stubbornly widespread in its massive and increasingly wired economy.
2015 saw separate but related advances in the area of cyber security regulation. Taken together, we see a greatly sharpened focus for technology use and data management principles for multi-nationals operating in China, particularly in the financial services sector.
In the absence of a dedicated regulator and a unifying legal framework, China’s approach to data protection and cyber security matters remains piecemeal. Analysing data privacy issues in China requires a very careful assessment of a number of laws, decisions and guidelines against the specific type of personal data involved and the circumstances of their collection and processing.
The most significant recent development on the data protection side has been the 2014 amendments to the Consumer Rights Protection Law which enshrined data protection principles across the full range of consumer activity. While China has in recent years progressively enacted a fairly significant body of law protecting consumers in the online setting, the 2014 consumer law reforms take China, in practical terms, much closer to a comprehensive approach to regulation.
Cyber security regulation dominated international reports of Chinese regulatory developments in 2015. The passage of the National Security Law in July, the publication of a draft Cyber Security Law a few days later and then finally the passage of the Counter-Terrorism Law in December set the stage for an increasingly complex overlay of cyber security regulation. These new laws are directed at a much wider range of issues than data protection, but at the same time introduce elements of data localisation and technology regulation that must be read together with the increasing thicket of data regulation in China in order to properly manage data collection and processing, The banking and insurance sector regulators have at the same time published draft regulations directed at the use of “secure and controllable” technologies that pick up on the same themes found in the new national laws. These reforms may drive multi-nationals to establish separate operating platforms in China making use of local technology.
As electronic and mobile commerce and social media continue their explosive growth in China through 2016, we can only expect data protection and cyber security issues to continue to register in China’s headlines and policy initiatives. We expect the final form of the banking and insurance regulators’ “secure and controllable” regulations to be key to understanding the landscape for China’s data protection and cyber security going forward.
Hong Kong
Data privacy regulation has a relatively long history
in Hong Kong, with the Personal Data (Privacy) Ordinance (the “PDPO”) dating back to 1995. After years of relatively lax enforcement, Hong Kong has stepped to the fore as a policy-making leader on data protection issues in the Asia-Pacific region, with 2015 seeing an increased tendency towards the application of the PDPO’s offence provisions.
The Hong Kong Privacy Commissioner for Personal Data’s most recent enforcement statistics show a continuing escalation of complaints and enforcement action. Complaints increased 16 per cent year on year to a record high of 1,971. 871,000 Hong Kong individuals were affected by data breaches in 2015, up from 47,000 in 2014. Ninety-eight incidents were reported to the Commissioner last year – a 40 per cent increase year on year – even though Hong Kong’s data breach notification regime remains a voluntary one.
Hong Kong saw four convictions under its direct marketing offences. While the fines in these cases were relatively small (HK$5,000 in one case, HK$10,000 in two and HK$30,000 in the fourth), all four prosecutions were widely publicized in the Hong Kong press, underscoring the growing reputational risks for failing to comply with the PDPO.
Hong Kong was caught in the middle of an international data breach incident in November 2015, with the announcement by local toy manufacturer Vtech that customer records of 5 million adults and over 6 million children had been compromised. A well-publicised investigation was also launched into the potential for personal data being taken from contactless credit cards making use of near field communications (“NFC”) technologies.
The new Commissioner taking office in August of 2015 has announced an intention to stay at the front of research and policy-making initiatives, with focus on areas such as big data, mobile apps, the internet of things and other electronic data, continuing the regulator’s leadership regionally.
Cyber security regulation is also becoming a feature of regulatory considerations in Hong Kong. The banking regulator issued a notice to its regulated institutions in 2015 calling for a stepping up of compliance measures in light of the shifting sources and nature of cyber security threats.
Singapore
Singapore implemented its comprehensive “European- style” Personal Data Protection Act (“PDPA”) in two stages in January and July 2014. In the time since, Singapore’s new Personal Data Protection Commission has been very active in publishing a significant volume of explanatory guidance for businesses and consumers alike.
Singapore’s new law has been enacted with some of the stiffest penalties for data protection offences in the region, with fines of up to S$1 million (USD800,000), but we have yet to see an aggressive approach to enforcement in the island state.
There are economic motives informing the new law, and in this sense Singapore’s interpretation of the APEC Privacy
Framework may be truer to the accord’s stated intentions of promoting e-commerce and cross- border business. Singapore has gone so far as to draw an explicit link between the implementation of data protection regulation and its national ambitions to
be a leading high tech hub in the region, including in areas such as data analytics. In January 2016, the government announced an intention to merge the Commission’s office with the Infocommunications Media Development Authority, Singapore’s telecommunications and broadcasting authority. This move may be seen as a subordination of data protection regulation to Singapore’s ambitions to be a Smart City and a haven for technology development.
At the same time, the Singapore government is recognising that cyber security threats pose challenges for these national ambitions. In 2015, the Monetary Authority issued a direction to its authorised institutions to step up their evaluation of and response to cyber security threats. The Ministry of Communications and Industry announced in January 2016 that a new cyber security bill would be put forward as part of a program to manage cyber security risks, drawing a link between the benefits of a smart city and the growing cyber threat.
Japan
Japan’s Personal Information Protection Act (the “PIPA”) dates back to 2003 and stands as one of Asia’s oldest laws in this area. The PIPA is framework legislation that delegates discretion to national administrative agencies and local governments to develop implementing regulations to accomplish the purposes of the law. Following a series of high profile data security breaches and revelations of unlawful sales of personal data in Japan, the Japanese government passed extensive reforms to the PIPA in September 2015. These are the first amendments to the law since its enactment in 2003. The reforms will become fully effective in September 2017.
The main changes include:
– expanding the definition of “personal data” to include biometric information such as fingerprint and face recognition data;
– where personal data has been anonymised, pseudonymised, or otherwise processed so that there is a reduced possibility that the person can be identified, consent of the individual will not be required for the transfer of such data;
– “sensitive” information such as an individual’s race, creed, social status and criminal record is now separately protected;
– the establishment of an independent authority to enforce the laws and regulations with stronger enforcement powers; and
– restrictions on the transfer of personal data outside Japan unless contractual provisions are put in place with the overseas recipient to ensure appropriate compliance and prior data subject consent is obtained.
South Korea
South Korea has firmly established itself as one of the toughest jurisdictions for data protection and privacy compliance in the world. Provisions of the over-arching Personal Information Protection Act and the IT Network Act (which regulates the collection and use of personal information by any commercial enterprise that sells or markets its goods or services online) are supplemented by sector-specific laws, creating a very difficult compliance environment. There are extensive registration and disclosure requirements and a need for separate specific data subject consents in areas such as the processing of sensitive personal data, data transfers and data exports. Businesses are obliged to disclose the identities of third party data processors and must report all data security breaches to data subjects and the authorities. Data subject consent is now also required by any business transmitting advertising information by email.
The legislation is also backed up with extensive enforcement measures, including provision for data subject class action suits against offenders. South Korea also has Asia’s first revenue-based penalties where fines of up to 3% of revenues can be imposed under the IT Network Act on commercial enterprises selling or marketing goods or services online.
In 2015, South Korea’s Ministry of Government Administration and Home Affairs issued an amended version of the Standards of Personal Information Security Measures (the ‘Standards’). These Standards seek to close loopholes and inadequacies in the South Korean data protection law and to counter the growing number of data breaches, especially those arising from the use of mobile devices.
The Standards now require that data handlers (data users in Hong Kong parlance) actively supervise manage and monitor outsourcing providers. In addition, ‘mobile devices’ have been added to the definition of personal information processing systems, and data handlers must ensure that all mobile devices are equipped with appropriate security measures, including the encryption of any personal information stored on them.
Thailand
The Thai government is gearing up for the digital economy and is currently considering nine bills regulating different aspects of that economy. As part of this package of reforms, on 6 January 2015, the Cabinet of Thailand approved a draft data protection bill. Considerable criticism has been raised in public about the draft bill and as a result, the exact date for it to be considered
and voted upon by the National Legislative Assembly is not yet known.
One of the main concerns under the draft bill is that personal data may only be collected by the data controller for a lawful purpose directly related to the activities of the person collecting the data. However, critics argue that the draft bill does not draw a distinction between a data controller and a data processor. Without this separation, any third party collecting, using or disclosing personal data on behalf of a data controller could share the same liability and duties of the controller. This approach to regulation would clearly be discouraging for internet service providers, cloud service providers and other participants in the digital economy who process data on others’ behalf.
Malaysia
At the time of printing, Malaysia had issued its Personal Data Protection Standards dealing with data security, integrity and retention requirements. Detailed direct marketing guidelines are expected later in 2016 and if these are brought forward in their current form it would introduce controls similar to those in Hong Kong, where specific categories of goods and services and cross-marketing partners need to be identified in the direct marketing consents.
These very specific regulations can be challenging for an increasingly diversified mobile economy, and we understand that the draft has raised considerable debate.
Taiwan
In December 2015, the Office of the President announced a proposal to amend Taiwan’s Personal Data Protection Law. It is expected that this proposal will be in force by June 2016. While some of the anticipated changes will enhance data protection in certain aspects, criminal sanctions under the law have been removed and there is broader scope for implied consent to processing “non-sensitive personal data”. The definition of “sensitive personal data” has also been broadened to include all medical records and not just information related to treatment, giving health information greater protection under the law.
Indonesia
Indonesia has yet to adopt a comprehensive data protection law but is expected to introduce a draft bill to this effect in the course of 2016. Indonesia’s Regulation 82 has introduced a measure of data protection regulation to the country, with particular focus by multi-nationals directed at data localisation measures that will come into effect in 2017. Regulation 82 has threatened significant disruption of regional operating platforms that have tended to host Indonesian data processing operations in jurisdictions such as Singapore, where a more advanced data centre and telecommunications sector can be found.
With a population of over a quarter billion and one of the highest economic growth rates globally, Indonesia is an increasingly important target for multi-national businesses. Accessing this potential is being challenged by an increasingly restrictive regulatory environment for data and technology.
For further information, please contact:
Patrick Sherrington, Partner, Hogan Lovells
patrick.sherrington@hoganlovells.com
