
A comparison of laws governing technology and individual rights in Thailand, Japan and the Philippines


This article introduces the regulations of Japan’s Act on the Protection of Personal Information (APPI) to which foreign business entities including controllers and processors (“foreign business entities” or “foreign operators”) should pay particular attention when handling personal information of individuals located in Japan.


If the APPI does not apply extraterritorially, there is no need to consider its regulations. The APPI stipulates that it applies extraterritorially if a business entity located outside Japan:

  1. handles the personal data of individuals located in Japan (“data subjects”); and

  2. handles this personal data in connection with providing goods or services to corporations and/or individuals located in Japan (article 171 of the APPI).

It does not matter whether the “business entity” is domestic or foreign. “Individuals located in Japan” includes data subjects regardless of their nationality and of whether their stay is temporary. The key point is that it is limited to cases related to the provision of goods or services.

For example, if a foreign business entity handles the personal data of employees of its branch in Japan as part of its global employee information management, that activity does not fall within the extraterritorial application of the APPI since it is not related to the provision of goods or services.


Jun Niizawa
Chuo Sogo Law Office

As described, acquiring personal information for services targeted at Japan falls under the APPI. The methods of acquisition can be directly from data subjects or from domestic business entities, with the latter scenario involving complicated regulations. Although the subjects of these regulations are the domestic business entities intending to provide personal information to foreign businesses, understanding these regulations is imperative for foreign operators as well.

The APPI prescribes that when the domestic business entities transfer the personal data of data subjects to third parties in other countries (“cross-border data transfer”), the domestic entities shall obtain the consent of the data subjects in advance after providing them with specific reference information about the other countries (“reference information”, article 28, paragraphs 1 and 2 of APPI).

    1. The information to be provided includes:

      1. The name of the country concerned: If the destination country cannot be specified at the time of obtaining consent, it is necessary to provide the reason for this, along with information alternative to the name of the country (e.g. if the range of potential foreign countries is determined, that range should be provided).

      2. Information about the personal information protection system in the foreign country: This requirement is aimed at making data subjects aware of the differences between domestic and foreign legal systems. Japan’s Personal Information Protection Commission (PPC) publishes summaries of major foreign systems on its website, and domestic entities can comply with the requirement by providing this information. If the foreign country of the recipient is not listed, the domestic entities would likely first ask the foreign operator about the legal system.

      3. The protective measures implemented by the third party for safeguarding personal data: If the foreign operator has taken all measures corresponding to the eight principles of the OECD Privacy Guidelines, simply providing this information suffices. If the measures taken by the foreign operator are unclear, providing that fact and the reasons suffices, but it is desirable to add explanations as they become clear.

    2. Scope of “foreign country”. The EU and the UK are excluded from the definition of “foreign country” in article 28 of the APPI and are treated as equivalent to transferring inside of Japan under the APPI. The APPI requires consent from data subjects before transference of personal data to a domestic third party as well (article 27, paragraph 1), but the regulations for transferring to a domestic third party are not as complex.

    3. Scope of “third party”. Foreign operators that have taken appropriate measures are excluded from the definition of “third party” in article 28 of the APPI. Specifically, if the measures taken by a third party in the foreign country are verified to meet the standards required for domestic business entities under the APPI, or if the third party in the foreign country has obtained certification under the Cross Border Privacy Rules system of the APEC (Asia-Pacific Economic Co-operation), it qualifies as having taken appropriate measures.

      Even when the third party in the foreign country qualifies as having taken adequate measures, where obtaining consent from the data subjects is not necessary, the domestic provider must ensure that the third party in the foreign country maintains adequate measures (article 28, paragraph 3 of the APPI). This involves taking actions such as annual certification to ensure the ongoing implementation of adequate measures, which can significantly burden the domestic provider. Thus, the requirement for adequate measures is not user-friendly.

    4. Penalties for violations. For domestic business entities that violate these regulations, the PPC may recommend corrective actions and, if not complied with, issue orders (article 148 of the APPI). If domestic entities fail to comply with these orders, the representatives of the entities in breach could face imprisonment for up to one year or a fine of up to JPY1 million (USD6,700), and the entities employing those individuals could be fined up to JPY100 million (USD670,000) (articles 178 and 184, paragraph 1, item 1 of the APPI).


Yo Kashibuchi
Chuo Sogo Law Office

In the event of leakage, loss or damage of personal data (“data breach”) because of ransomware attacks or other incidents, the businesses shall report the data breaches to the PPC and to the data subjects (article 26 of the APPI).

  1. PPC reporting and notification to affected data subjects are required in situations where:

    1. Personal data including sensitive personal data about the data subject, including but not limited to race, creed, social status, medical history and criminal record (see article 2, paragraph 3 of the APPI), has resulted in a data breach or is at risk of a data breach;

    2. The breach, or potential breach, of personal data could lead to financial harm, such as with leaked credit card numbers;

    3. Personal data has been breached or is at risk of a breach, because of malicious intent, such as in a third-party attack; and

    4. Where the breach or potential breach of data involves the personal data of more than 1,000 individuals.

  2. The responsibility for PPC reporting and notification to the affected data subjects lies with the business entity that experiences the breach. This is straightforward in a case where the controller (business entity) experiences the data breach. However, if a processor (the subcontractor) experiences a data breach, both the controller and the subcontractor are responsible for reporting and notification. To prevent duplicate reporting, if the subcontractor informs the controller of the data breach, the subcontractor’s obligation to report and notify is considered fulfilled.

  3. Reporting to the PPC involves:

    1. A preliminary report made within three to five days of the discovery of the incident, detailing what is known;

    2. A detailed report to be submitted within 30 days (60 days if the incident involves malicious intent) of discovery of the incident, including an overview of the incident, the types of personal data involved, the number of data subjects affected, the cause of the incident, the presence and nature of secondary harm or the risk thereof, the status of responses to data subjects, the status of public disclosure, protective measures for preventing recurrence and other relevant information; and

    3. Reports typically use the online reporting form of the PPC, which requires Japanese-language proficiency. The time needed for translation should be taken into account, especially for the preliminary report.

  4. In notifying the affected data subjects:

    1. There is an expectation of prompt notification according to the situation. However, the timing should be determined case by case.

    2. The notification should include an overview of the incident, the types of personal data involved, the cause of the incident, the presence and nature of secondary harm or the risk of such, and other relevant information.

    3. Direct notification to data subjects through documentation or email is standard, but if direct contact is not feasible, public disclosure or other methods might be used.

  5. Failure to report to the PPC or to notify affected data subjects as required can result in the same penalties outlined for cross-border data transfer violations in item (4) of the “Cross-border data transfer” section above.

In conclusion, this article outlined the general regulatory framework of the APPI for foreign operators handling personal data of individuals located in Japan and emphasised the importance of compliance with the provisions of the APPI for protecting personal data of data subjects in Japan.

Chuo Sogo Law Office


Hibiya Kokusai Building, 18th floor
2-2-3, Uchisaiwaicho, Chiyoda-ku
Tokyo, 100-0011, Japan
Tel: +852 2926 9300
Tel: +81-3-3539-1877
Fax: +81-3-3539-1878


The Philippine Data Privacy Act of 2012 (DPA, or Republic Act No. 10173) was signed into law on 15 August 2012. It is a comprehensive law that governs personal data privacy protection in the Philippines. The National Privacy Commission (NPC) – the government agency primarily mandated to oversee its administration and implementation – promulgated the last implementing rules and regulations in August 2016.

The Data Privacy Act comes in response to the freer exchange of personal data on the global stage and the setting of international standards for data protection. It is important for the Philippines as a global leader in business outsourcing processing services.

Prior to Republic Act No. 10173, with no centralised regulatory oversight for personal data processing or comprehensive protective measures for data subjects, the wealth of personal data at that time was subject to abuse and misuse – from the unmitigated use and sharing of contact details for purposes beyond those initially contemplated, to identity theft and security breaches – to the detriment of the data subject’s constitutionally guaranteed right to privacy.

John Paul M Gaba
Tel: +632 88308000

As early as 2006, the Philippine Department of Trade and Industry (DTI) issued DTI Administrative Order No. 8 on the Guidelines on the Protection of Personal Data. This was patterned on the EU’s then Data Protection Directive of 1995 – the predecessor of the current EU General Data Protection Regulation (GDPR). Hence, the Philippine DPA is deeply rooted in the standards and principles espoused by the EU.

Republic Act No. 10173 applies to the processing of all types of personal information and to any natural or juridical person involved in personal information processing, both private and government. It covers data controllers and processors not found in the Philippines, but either:

  • Using equipment located in the Philippines; or
  • Maintaining an office, branch or agency in the Philippines.

The law also applies to personal data of a Philippine citizen or resident, regardless of the location of the data subject, and wherever the data is processed. For example, Republic Act No. 10173 will apply in the case of an overseas Filipino worker in the US whose personal data is being processed by a local Philippine bank. Also, our local privacy law will apply if the same worker’s personal data is processed by a foreign bank outside the Philippines. How the law can be enforced is a totally different matter.

Processing is defined under Republic Act No. 10173 as any operation or set of operations performed on personal information (such as, but not limited to, collection, recording, organisation, storage, updating, modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data).

“Personal information controller” refers to any person or organisation that controls the collection, holding, processing or use of personal information (except those who perform such functions as instructed by another person or organisation; and an individual who performs the same functions in connection with an individual’s personal, family or household affairs). Meanwhile, “personal information processor” refers to any natural or juridical person to whom a personal information controller may outsource the processing of personal data.

The following are exempt from Republic Act No. 10173:

  • Information on any current or previous government servant that relates to their position or functions;
  • Information relating to an individual’s services performed under a government contract;
  • Information relating to any discretionary financial benefit given by the government to an individual;
  • Personal information processed for journalistic, artistic, literary or research purposes;
  • Information necessary for the functions of a public authority;
  • Information necessary for banks and financial institutions to comply with the Anti-Money Laundering Act; and
  • Personal information collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions.

Republic Act No. 10173 makes distinctions between personal information and sensitive personal information, prescribing different requirements for their lawful processing.

  • Personal information is any information from which an individual’s identity is apparent or can be reasonably and directly ascertained, or would directly and certainly identify an individual when put with other information.
  • Sensitive personal information refers to personal information about: one’s race; marital status; age; colour; religious, philosophical or political affiliations; health; education; court proceedings issued by government agencies peculiar to an individual (e.g. social security numbers, health records, licences, tax returns, copies of government-issued IDs and/or their numbers); and those specifically declared as classified by law or regulation.

The law generally requires consent from data subjects before one can validly process personal data, unless the processing is covered by any of the conditions expressly outlined in Republic Act No. 10173, its rules or regulations. Please note that this law only recognises express consent and frowns on implied consent (consent being defined under the act as “any freely given, specific, informed indication of will … [and] shall be evidenced by written, electronic or recorded means”).

Republic Act No. 10173 extensively outlines the rights of data subjects to their personal information, which are similar to the rights recognised under the EU GDPR. These include the rights to: be informed; access; object; erasure and blocking; rectify; file a complaint; damages; and data portability.

These rights must be observed and respected by data controllers and data processors, except when the personal information is for scientific and statistical research, and no activities are carried out and no decisions are taken regarding the data subject, or are gathered for investigations into any criminal, administrative or tax liabilities of a data subject.

The law outlines general principles on security of personal information, as well as accountability for transferring personal information. Specific provisions are laid down concerning security of sensitive personal information in the government, as well as provisions on data breach and the basic guidelines for reporting instances of data breach.

Similar to the GDPR, our local privacy law and regulations impose breach notification obligations on personal information controllers in cases of personal data breaches. Such breach notifications must be served on the affected data subjects and reported to the NPC. Breach notifications must be submitted to the NPC within 72 hours “upon knowledge of, or when there is reasonable belief by the personal information controller or personal information processor that a personal data breach requiring notification has occurred”.

Local privacy regulations require the designation/appointment of a data protection officer (DPO). However, not all DPOs are required to register with the NPC. Registration with the NPC is mandatory:

  • If the entity employs 250 or more people;
  • If the entity “processes” records containing sensitive personal information of at least 1,000 individuals; and
  • If the entity’s processing of personal information is either “likely to pose a risk to the rights and freedoms of data subjects” or deemed “not occasional”.

As regards the last criterion, the NPC’s guidelines list the sectors that it considers covered by the mandatory registration requirement regardless of the number/volume of data subjects or personal information being processed. These sectors, considered critical, are the following:

  • Government agencies;
  • Banks and the non-banking financial institutions;
  • Telecoms and internet service providers;
  • BPO companies;
  • Universities, colleges and all other schools and training institutions;
  • Hospitals, clinics and other healthcare facilities;
  • Insurance companies and insurance brokers;
  • Those involved in direct marketing, networking and other companies providing reward cards and loyalty programmes;
  • Pharmaceutical companies engaged in research; and
  • Personal information processors processing personal data for a personal information controller included in any of these critical sectors.

Apart from the DPO, certain forms of data processing systems (DPS) must be registered with the NPC. With the launch by the NPC of its new registration portal, submission of both the DPO and DPS details is required to complete the NPC registration requirements.

Finally, violations of Republic Act No. 10173 are punishable by mandatory imprisonment and fines, making it one of the very few data privacy laws that impose imprisonment as a penalty. A higher range of penalties is imposed if sensitive personal information is involved.

Maximum penalties are imposed when the personal information of at least 100 people is affected. Although there was a move initiated by the NPC and other concerned sectors to propose the amendment of Republic Act No. 10173, which included the removal of the penalty of imprisonment, this was put on hold due to the covid pandemic.


22nd to 26th Floors ACCRALAW Tower, Second Avenue corner
30th Street, Crescent Park West, Bonifacio Global City
Taguig, Metro Manila, Philippines
Tel: (632) 88308000


Thailand’s major data privacy law is the Personal Data Protection Act (PDPA), which was passed as a law in 2019 and became fully effective in June 2022.

It sets out the key principles on personal data processing and the appointment of the Personal Data Protection Committee (PDPC) as the regulatory authority in charge. The PDPC is empowered to: implement and enforce the PDPA; issue its implementation rules and regulations; establish policies and directions for personal data protection; conduct investigations in response to complaints; and issue enforcement orders against data controllers and data processors violating the PDPA.

As of November 2023, the PDPC had issued 21 implementation rules, regulations and guidelines under the PDPA.


  1. Categories of personal data. Under the PDPA, personal data means any information relating to an individual person, which enables the identification of such a person, whether directly or indirectly, but not including the information of a deceased person. The PDPA governs the processing of two categories of personal data: (i) general personal data, and (ii) sensitive personal data (SPD). SPD is personal data “pertaining to racial, ethnic origin, political opinion, cult, religious or philosophical belief, sexual behaviour, criminal records, health data, disability, trade union information, genetic data, biometric data, or any other data which may affect the data subject in the same manner”.

  2. Processing of personal data. The “processing” of personal data under the PDPA refers to the collection, use and disclosure of personal data. The personal data can be collected only if it is necessary, and can be kept only as long as it is needed for such purposes.

    Kowit Somwaiya
    Senior partner

    The data controller must notify data subjects of the purposes of collecting their general personal data before or on collecting it by providing the privacy notice of the data controller to data subjects, containing at least: the purposes of personal data processing; details of the data controller and its data protection officer (DPO); third parties to whom the personal data may be disclosed; the rights of data subjects, and how and when they can exercise such rights.

    Collection, use or disclosure of SPD without the explicit consent from the data subject is prohibited except for a few exceptions, such as preventing or suppressing danger to the life, body or health of the person where the data subject is incapable of giving consent, for whatever reason.

    Processing personal data is lawful only when carried out in compliance with legal requirements under the PDPA. If personal data processing is based on the consent of data subjects, they can withdraw their consent any time by informing the data controller or data processor of their consent withdrawal. When processing personal data, the data controller and data processor must maintain the integrity and confidentiality of the personal data.

    Data controllers or data processors must keep full records of their personal data processing activities, so they are prepared for inspection by or submission to the PDPC.

  3. Cross-border data transfers. Personal data cannot be transferred to a jurisdiction or international organisation that lacks adequate data protection, except only: (i) where the data subject gives explicit consent after being informed of the lack of adequate data protection; and (ii) when the cross-border transfer of personal data is necessary under a contract between the transferor and recipient in the destination country or receiving international organisation.

    The PDPC encourages companies in the same group to implement internal binding corporate rules to govern their intra-group data transfers to ensure that group companies adopt the same high standards of data protection.

  4. DPO. Effective from 13 December 2023, the data controller and data processor are required to appoint a DPO if their core activities involve: (i) large-scale processing of personal data that requires regular monitoring of personal data or systems, such as tracking, monitoring, analysing or predicting behaviours or attitudes, systematic processing of personal data, membership programmes, credit scoring, fraud prevention, data processing by network service providers or telecoms operators and behavioural advertising; or (ii) processing of SPD regardless of the scale of personal data.

    Failure to appoint a DPO can result in an administrative fine not exceeding THB1 million (USD28,300).


Usa Ua-areetham

For the collection of personal data from a minor below the age of 10, consent must be obtained from the holder of parental responsibility.

If the minor is over 10 but not sui juris by marriage, or lacks sui juris capacity, consent must be obtained from both the minor and holder of parental responsibility.


Key compliance programmes for businesses to have in place under the PDPA include:

  1. Establishing and maintaining a data privacy policy that fully complies with data processing requirements under the PDPA;
  2. Signing a data processing agreement or data transfer agreement between a data controller and data processor;
  3. Creating a data protection impact assessment to identify data privacy risks and measures to mitigate such risks;
  4. Obtaining explicit consent from data subjects before or on collecting, using or disclosing their personal data, except only where exceptions apply, and keeping records of such consent;
  5. Establishing mechanisms to protect and facilitate the exercise of rights by data subjects such as: the right to access personal data; right to withdraw consent at any time; right to rectify, delete, restrict or object to the processing of personal data; right to data portability; and the right to lodge a complaint with the PDPC Office; and
  6. Appointing a DPO if so required by the core activities to ensure compliance with the PDPA and act as a contact person for data subjects and the PDPC.


Warit Lertwuthisart

A data breach notice must be submitted to the PDPC within 72 hours of becoming aware of the breach if it is likely to result in a risk to the rights and freedoms of data subjects. The notice must include the nature of the breach, details of the contact person or DPO of the data controller, possible consequences, and measures taken or to be taken to mitigate the potential adverse effects. If the data breach is likely to result in high risk to the rights and freedoms of data subjects, the data breach notice with remedial measures must be given to both the PDPC and data subjects without delay.

If the data breach involves several data subjects, the data controller may notify each of the subjects specifically or generally to the public via public media, social media or electronic means, or any other means accessible to the data subjects or general public.


Data controllers and data processors who fail to comply with the compliance requirements or violate restrictions or prohibitions under the PDPA can be subject to administrative fines, criminal liabilities and civil liabilities.

The maximum administrative fine is THB5 million. Criminal liabilities include maximum imprisonment of one year and/or a maximum fine of THB1 million per violation.

Civil liabilities are compensation for actual damages and punitive damages payable to the injured data subject as the court may order.

Penalties imposed by the PDPC or court can vary depending on the nature, severity and duration of the violation, the number of the affected data subjects, and mitigation measures implemented on and after the occurrence of the violation.

The information provided in this article is not legal advice. It is general in nature and may not apply to any specific situation. Specific advice should be sought before taking any action based on the information provided.

Unit 1401, 14th Fl., Abdulrahim Place
990 Rama IV Road, Bangkok 10500, Thailand
Tel: +662 636 0662 (international)
Tel: 02 636 0662 (local)
