The data privacy landscape in Asia is evolving rapidly, but not always in lock-step with the rollout of Europe’s General Data Protection Regulation. Our region remains unique and the challenges to provide safety and security are never straightforward. Putro Harnowo reports
Recent years have seen positive developments in data protection regimes across Asia. China, for example, unveiled a draft Personal Information Protection Law (PIPL), and Indonesia published a draft Personal Data Protection (PDP) Bill for public comment in 2020, marking each country's first attempt to establish, in a dedicated statute, provisions for the protection and regulation of personal information.
Last year, Japan amended its Act on the Protection of Personal Information (APPI), and South Korea amended its three major data privacy laws: The Personal Information Protection Act (PIPA); the Act on the Promotion of Information and Communications Network Utilisation and Information Protection (network act); and the Act on the Use and Protection of Credit Information (credit information act).
Hong Kong, meanwhile, proposed amendments to its Personal Data (Privacy) Ordinance in January 2020, although no timetable for their implementation has been announced. Earlier, in 2019, India tabled its Personal Data Protection Bill to overhaul the current data protection regime; that bill is still pending. Thailand published its first Personal Data Protection Act (PDPA), which will take effect on 31 May.
Singapore expects the amendment to its PDPA to come into force this year, while on 9 February, Vietnam released a draft decree on personal data protection, which sets out principles of data protection and the regulation of cross-border data transfers. The draft is open for public consultation until 9 April.
This progress is not surprising: many jurisdictions have seen social and economic activity shift online, and the importance of data privacy and protection has risen with it.
However, the efficacy of these laws will be tested in the short term, as data breaches continue to increase and regulators struggle to contain the damage.
In Japan, the APPI is scheduled for review every three years, and the expectation is that protection of personal data will be strengthened step by step rather than all at once, taking into account public opinion and the expected burden on businesses.
Japan received the European Commission's adequacy decision under article 45 of the General Data Protection Regulation (GDPR) in January 2019, which permits personal data to be transferred from the EU to Japan without further authorisation.
“We acknowledge that many Japanese companies implemented the GDPR measures to protect personal information of individuals located within the EU,” says Masatoshi Tanaka, the founding partner of Meilin International Law Firm in Fukuoka. “This experience is used to deal with Japan’s personal information protection rule, which is strengthening in stages.”
However, a high level of security does not by itself free the data privacy environment from breaches. Tanaka says security incidents caused by human error, such as emails or personal information sent unintentionally, and by cyberattacks or unauthorised access, are the notable examples in Japan.
“Japan’s regulatory authorities impose general obligations on information security under the APPI,” says Tanaka. “However, it seems that Japan’s regulatory authorities are struggling to show clear and up-to-date standards for information security to be complied with by companies.”
This leaves companies to apply general rules to improve their security, using information security auditing services from the private sector and referring to standards such as ISO/IEC 15408 (the Common Criteria for IT security evaluation) and other standards for the evaluation of security.
It has been a year since South Korea amended its privacy laws, and John Kim, a senior foreign attorney at Lee & Ko in Seoul, says companies have welcomed the amendments because the existing consent-oriented regulations had been criticised as excessively formalistic and stringent.
“Although [South] Korea has developed a reputation for burdensome regulatory regimes, the recent amendments to the key privacy laws are meant to demonstrate responsiveness in a fast-moving and globally connected commercial landscape,” says Kim.
For example, removing some consent requirements that applied to service providers outsourcing data processing has streamlined the regulatory process.
In South Korea, speed is often a key positive differentiator, and many of the changes were introduced to align with international standards and to secure an EU adequacy decision for transfers of personal data under the GDPR.
However, the country has also experienced serious data breaches, the most recent in February, when an artificial intelligence (AI) chatbot named Lee Luda allegedly disclosed personal information drawn from hundreds of millions of private conversations on KakaoTalk, South Korea's most popular messaging app, and made offensive comments in response to certain prompts.
“This unfortunate incident, like many other leaks around the world, highlighted the need for further discourse and examination regarding who we entrust with our personal information across the many key platforms and providers that we use in our day-to-day lives,” says Kim.
India, too, has modelled its data privacy bill on the GDPR. Sajai Singh, a partner and co-chair of corporate practice at J Sagar Associates in Bengaluru, believes such an approach is significant in bringing regulation into line with international best practice. As the law evolves, India will need to understand the opportunities that the data-driven economy can create, and ensure that the law does not become an impediment to development.
“Controls and checks placed on surveillance, and the government’s reach with respect to data, are other aspects where India can take lessons from jurisdictions such as the EU,” says Singh. “Adequate controls put in place for surveillance will ensure that businesses are not discouraged, and India continues to be seen as a viable option for data transfer. Unchecked powers of the government with respect to data access may create chaos.”
In terms of data breaches, India is not so different from the rest of the world: stolen credentials, malware and technical vulnerabilities in companies' systems remain the primary causes. The bigger issue, however, is a mindset that has yet to evolve with respect to cybersecurity.
“Expenditure in connection with cybersecurity shouldn’t be treated as an avoidable cost, not in these times,” says Singh. “Businesses have to realise that an incident will have an impact on the reputation of the company and business continuity. Clients, vendors and even employees will be quite reluctant to share their data with a company that does not have in place the necessary controls.”
A similar trend of adopting GDPR standards can be seen in Malaysia. The country may revise its PDPA following a proposal paper issued for public consultation in 2020, which contains various proposals that, if implemented, would substantially extend the application of data protection law, with reference to the EU regulation.
“Although Malaysia’s PDPA has been in force since 2014, based on public news reports and general public perception, there does not appear to be substantive or active enforcement by the data protection regulators in respect of data breach incidents,” says Charmayne Ong, a partner and head of the technology, media and telecoms (TMT) practice at Skrine in Kuala Lumpur.
Ong says the most common failure of global companies in implementing appropriate security measures is not having proper security policies in place; and even where such policies exist, their implementation and enforcement may not be treated as a priority.
“This increases the weight of security risk caused by third-party actions such as ransomware and employee fraud, which, on some occasions, are outside the control of the organisation,” says Ong.
The Philippines has one of the strictest privacy laws in the region. Its Data Privacy Act, which was modelled after the EU Data Protection Directive and the GDPR, also established the National Privacy Commission (NPC) in 2016 to administer and implement the provisions of the act, and endowed it with rulemaking power.
Francis Africa, a partner at Gorriceta Africa Cauton & Saavedra in Manila, says the act has helped maintain a robust data protection and privacy regime. However, disadvantages remain in the act's implementation.
“Considering that it is a relatively new law, there is a need to create and influence the conditions that allow for development of a culture of privacy,” says Africa. “Thus, the onus remains on the government, through the NPC, to help stakeholders to open their minds to caring about privacy, at least enough to meet the minimum compliance obligations.”
Palawi Bunnag, a partner at ILCT Thailand in Bangkok, notes the close resemblance between Thailand's PDPA and the GDPR. She says Thai companies and organisations that have already adopted GDPR standards may need only minor adjustments to their usual practice to comply with the PDPA, which is expected to meet GDPR standards and thereby facilitate cross-border data transfers without further approval.
However, Bunnag says most companies or organisations preparing for PDPA implementation are facing the problem of interpretation of the PDPA’s provisions, such as the meaning of “data controller” and “data processor”, the roles of concerned parties, and practical procedures for data management.
China's draft PIPL has also borrowed a number of regulatory approaches from the GDPR, including extraterritorial application, lawful bases for processing personal information other than consent, and substantial fines.
Before that, in July 2020, the Standing Committee of the National People's Congress (SCNPC) had released a draft Data Security Law (DSL), which covers the collection, processing, control and storage of data touching on national security, business secrets and personal data. The DSL will apply to all data activities within China and imposes various security obligations.
Ken Dai, a partner and co-chair of the antitrust practice group of Dentons China in Shanghai, explains that a lack of attention to compliance and unfamiliarity with data security have left many foreign companies short of adopting the required measures, particularly those under the Multi-Level Protection Scheme (MLPS) and the Critical Information Infrastructure Operator (CIIO) regime.
The MLPS is China's own cybersecurity management regime: it classifies information systems into five levels according to their importance and the harm their compromise would cause, and prescribes corresponding technical requirements for each level.
CIIOs are operators of networks or systems whose damage, loss of function or data leakage could endanger national security, the national economy, people's livelihoods or the public interest. CIIOs are expected to adopt security measures including anti-virus technology, network inspection and monitoring, data classification, disaster backup and recovery, and encryption.
“China’s Cybersecurity Law requires that CIIOs should be protected in a particular way, in addition to the MLPS regime,” says Dai.
“Together with other regulations and national standards, the regulator has launched more frequent actions targeting MLPS compliance. Non-compliant companies can be ordered to rectify, and receive warnings and fines.”
In an effort to catch up with its peers in the region, Indonesia is still finalising its own data protection bill. According to Danny Kobrata, a partner at K&K Advocates in Jakarta, the bill broadly reflects the GDPR, with certain modifications to accommodate "local values".
“The Indonesian government has been quite open, with input from business players and foreign governments,” says Kobrata. “I hope we can learn from the experience of other countries, particularly on how personal data protection laws can be balanced with business interests.”
While the GDPR has been hailed elsewhere as the gold standard, many jurisdictions in the region have opted to implement different approaches for protecting their own cyberspace.
Singapore’s PDPA was originally based on a combination of laws within the APEC Privacy Framework, says Sheena Jacob, a partner and co-head of the media and technology practice at CMS in Singapore.
“Like many other Asian laws, it is largely consent-based, unlike the GDPR,” says Jacob.
“The regulator has been very active, especially in issuing a slew of guidelines, which have very clear directions making it easy for businesses to understand the expectations of the regulator and the measures required for compliance.”
Because the privacy compliance culture in Asia is relatively new and not yet as strong as elsewhere, she points out, some global companies have not adequately implemented security measures throughout their organisations. As a result, the local arms of global companies may not adhere in practice to their written compliance processes.
Recently, the growing amount of sensitive data collected via apps has also become a concern, following a sharp increase in cyberattacks during covid-19 and the adoption of remote workplaces and work-from-home practices.
“The amendments to the [Singapore] PDPA provide for higher penalties, and we are likely to see increased penalties when companies collect sensitive personal information without implementing proportionate measures to protect the data,” she says.
In Vietnam, although there is no single comprehensive law addressing privacy rights, relevant provisions are found in the Civil Code, Penal Code, Consumer Protection Law, E-Transaction Law, Information Technology Law and, most recently, the Cybersecurity Law, which came into effect in 2019.
“Vietnam laws protect information pertaining or belonging to individuals that can serve to personally identify an individual,” says Dang Thanh Son, managing partner of DNA Vietnam in Hanoi.
Unfortunately, Dang says, the laws and regulations do not employ a consistent definition of what constitutes personal data, with definitions varying from sector to sector. The law has been interpreted to treat, at a minimum, any information that enables the identification of an individual as subject to protection.
As a general principle, the data subject must grant informed consent to the collection, use and transfer of their personal data, but no specific provisions prescribe the format that such consent must take. If personal data is transferred to a third party, proper consent must also be obtained, and the data subject may revoke the consent.
Although Vietnam’s law is relatively clear as to the responsibilities of those collecting and using the data, Steven Jacob, a foreign associate at Indochine Counsel in Ho Chi Minh City, says the country’s basic governmental model prevents it from keeping pace with the technology.
“For example, the proposed amendment to the cybersecurity law has been circulating for nearly two years now, and there is no sign that it is going to be adopted any time soon,” he says.
“If Vietnam is going to achieve the digital growth it desires, it needs to be more flexible and improve its ability to react in real time.”
Strict law enforcement is also needed, he adds, pointing out that many companies fail to abide by the privacy policies they have posted on their own platforms. These companies create no mechanisms to monitor their employees' use of collected data, and individuals' data are frequently stolen by those same employees, sold to third parties and used for marketing or other abuses.
Unfortunately, the authorities in Vietnam have been unable to prosecute any violations, because no individuals have pursued companies for breaches of the data protection law.
GDPR v Asian laws
Since the GDPR came into force in 2018, many Asian jurisdictions have adopted, or are close to adopting, elements of the EU law into their own data privacy laws. Japan, South Korea, Thailand, the Philippines and China are among those aligning their regimes with the stricter EU model; however, these laws retain fundamental differences from the GDPR.
“The most obvious difference is that, for most of Asia, the laws rely on getting individuals’ consent to collect, use and share their personal data, while the GDPR avoids the need to get consent,” says Carolyn Bigg, a partner and head of privacy, Asia, at DLA Piper in Hong Kong.
In Asia, the usual practice is to issue a privacy notice setting out what a company will do with user data and to obtain the users' approval of it, whereas in Europe businesses must pass strict tests as to whether consent has been freely given.
As an example, in Asia an employee starting a job is typically given a privacy notice and asked to sign it, because that signature is how the employer obtains consent to collect the employee's personal data. Under the GDPR, by contrast, an employee's consent is rarely treated as freely given because of the imbalance of power between employer and employee, so the employer must instead rely on another lawful basis, such as performance of the employment contract or compliance with a legal obligation, and the notice serves to inform the employee rather than to obtain consent.
“Europe has moved away largely from a concept of consent,” says Bigg. “Instead, they have what they call these lawful bases. The GDPR sets out that you have to describe the different lawful bases that are permitted, that allow you to collect and use personal data.”
Another difference is cultural. The GDPR is built on the European concept of privacy as a fundamental human right, and that concept is inherent in how the GDPR has been drafted and enforced. In Asia, many countries have cultures centred on community and family that may carry a weaker sense of an individual right to privacy.
“Data protection laws in Asia are more pragmatic and commercial, but also recognise that consumers in Asia actually want that personalised targeted service or product,” says Bigg. “They understand that data may be shared, and it’s part of a transaction in getting the service they want.”
Businesses in Asia may need to comply with the GDPR, but whether they do depends on the nature of the business, and the GDPR does not necessarily apply to all of their data. On the other hand, many businesses in Asia have not thought about the GDPR at all, exposing themselves to the risk of large fines.
“If you’re an airline based in Asia, and you have EU residents flying on your airline, when you’re handling their personal data, you have to comply with the GDPR,” says Bigg. “That’s probably the first failure I see that’s really common in Asia – that people just don’t know that the GDPR is even relevant.”
The digital age is pushing businesses around the world into cyberspace. Big tech companies top Forbes' list of the most valuable brands, and consumers now prefer digital services for daily transactions, making data security a critical component of customer trust.
"There is no problem with sharing data with another company, especially within a group of companies, as long as it is done in a legal way," says Kobrata, at K&K Advocates.
Although users have the option of declining a policy and ceasing to use a service, such sharing raises concerns about a single large company knowing everything about its users through the personal data it holds and uses.
Bunnag, at ILCT, says as data privacy becomes the new global norm, users are more concerned about what data are being shared, and how data are used. Transparency regarding company data management policies is therefore rising in importance.
“With this in mind, users should be clearly informed upfront as to which data are to be collected and how they are to be used,” she says. “Moreover, companies have the responsibility to adopt an adequate data security protocol, stay up-to-date with the current laws, and employ staff who are well educated on the subject.”
The pandemic has demonstrated the importance of data privacy, as it pushed regulators to seek a balance between public health and privacy, for example in the rollout of mobile applications for contact tracing.
In India, the covid-19 tracking app, Aarogya Setu, became the world’s fastest growing application. The app was developed on the premise that if two persons are close enough for their devices to connect via Bluetooth, they are potentially close enough to spread the coronavirus.
“Within a few weeks of being launched, the hull and structure of the app was subject to wide criticism,” says Singh, at J Sagar. “While the idea itself is righteous, experts have expressed concerns about the app, particularly from a privacy and data security standpoint.”
At the moment, very little is known about the privacy policies of these apps and the manner in which they handle data. In India, a body corporate that collects sensitive personal data or information is required to put in place reasonable security practices and procedures under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
“Data minimisation is another principle that may come in handy,” says Singh. “These apps should collect as much data as is necessary. Creating a data bank without any purpose is not a risk government or organisations should take.”
Many companies partner with third parties to manage their customers' data, and third-party data breaches have correspondingly tarnished global companies across industries. One intrusive case was the leak, in November last year, of more than 10 million guests' personal information from a hotel booking platform, Prestige Software, which hosts the user data of Hotels.com, Booking.com and Expedia.
While outsourcing, or the use of third-party vendors, is common practice, companies must go beyond stipulating privacy compliance in their contracts. Sheena Jacob, at CMS, suggests due diligence on vendors, and periodic audits of third-party practices, to ensure that contractual privacy compliance obligations are actually met.
“Companies remain responsible for data breaches by their vendors, and should not take a hands-off approach when entrusting personal data to third parties,” she says.
“The duty remains with companies who choose to use third-party vendors to ensure that they are maintaining proper standards, or companies will lose customer trust.”
Ong, at Skrine, suggests companies consider obtaining indemnities, particularly in respect of any fines or third-party actions that the companies may be subject to in the event of a data breach.
“Obligations on the vendor or third-party contractor to keep proper audit trails of its data processing and data security procedures, including in the event of a data breach incident, and immediately notify the company in the event of a data breach, should also feature in the contract,” says Ong.
Companies also need to be aware that compliance with data privacy laws does not eliminate the risk of a data breach or cyberattack. Africa, at Gorriceta Africa Cauton & Saavedra, says organisations commonly believe that keeping sensitive data secure from hackers automatically makes them compliant with data privacy regulations, or vice versa.
“This is not the case,” he says. “Data security protects data from compromise by external attackers and malicious insiders. Data privacy governs how data are collected, shared and used. Thus, an organisation needs to be both compliant with data privacy laws while maintaining a robust cybersecurity infrastructure.”