A good understanding of data privacy frameworks is crucial in Asia. While the laws in the region share similar elements, gaps remain, as privacy compliance culture is relatively new and jurisdictions vary in their approaches. Here, experts spell out how the Philippines, Thailand and Indonesia have built their legal frameworks governing personal data.
The development of information technology and increased user engagement in digital media have increased people’s awareness of entitlement to a fundamental human right: personal privacy. Personal data protection has become urgent, given the vast use and exploitation of personal data, which places a growing premium on privacy.
In Indonesia, personal data protection regulations are scattered, and can be found in the Law on Electronic Information and Transactions (EIT Law), health and medical records regulations, and demographic administrative law. Currently, the EIT Law and its implementation regulations have become the main reference for personal data protection in electronic systems, applicable to various sectors. However, there is now an urgent need for a consistent regulatory and legal umbrella to address the matter.
The Indonesian government is addressing the growing importance of personal data protection in the digital age by drafting a bill (the PDP Bill), which is currently being finalised. The PDP Bill has been designed to become the overarching privacy law in Indonesia. Based on the EU’s General Data Protection Regulation (GDPR), the PDP Bill has made some significant and much-needed changes to data privacy protection, and will bring it more in line with standards currently applied by other countries, especially the GDPR. Significant adjustments made to the PDP Bill are outlined below.
Classification of personal data
The EIT Law, Government Regulation No. 71 of 2019 on the Provision of Electronic Systems and Transactions (GR 71), and the Minister of Communications and Information Technology (MCIT) Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems (MR 20/2016) do not definitively describe personal data. It is broadly defined as “any data related to a person, whether identified or capable of being identified using that data, or in combination with other information, whether directly or indirectly, through the use of an electronic system and/or non-electronic means.”
In the upcoming PDP Bill, personal data is classified into general personal data, which includes name, gender, nationality, religion, and other data combined to identify an individual; and specific personal data, which includes health, biometric, genetic, political views, criminal record, personal financial data, sexual orientation, child data, and other data in accordance with the laws and regulations.
However, regardless of the classification, the PDP Bill does not differentiate between requirements for processing general personal and specific personal data. Thus, the implementing regulations of the PDP Bill and sectoral regulations that follow may need to set out detailed provisions on this matter.
Data controller v data processor
Currently, Indonesian law and regulations do not differentiate between a data controller and processor. Consequently, parties that handle personal data are exposed to the same liability and obligations, regardless of their actual role in the data processing.
This issue is addressed in the PDP Bill, which separates the data controller and processor roles, as in the GDPR. The PDP Bill defines a data controller as a party that determines the purpose and controls personal data processing, while a data processor is defined as one that processes personal data on behalf of a data controller.
The PDP Bill further distinguishes liability, as that for personal data processing is borne by the data controller, instead of a processor. However, a data processor would be liable for processing that deviates from an instruction, order, or purpose pre-determined by the data controller, which means the role of the former would be tantamount to that of a data controller.
Pursuant to GR 71, express consent will be mandatory from anyone whose personal data is processed. Currently, Indonesian law and regulations do not operate on this basis, except for law enforcement matters. This requirement is deemed burdensome by businesses, as they would be required to obtain express consent from data subjects, which might sometimes be reasonably deemed as already implied or not feasible to obtain.
The PDP Bill has adopted principles akin to those of the GDPR, where consent is only one of several requirements for the lawful processing of personal data. The PDP Bill has introduced exceptions for personal data processing without consent similar to GDPR provisions:
(1) For the performance of a contract to which the data subject is a party, or in order to fulfil a request of the data subject prior to entering into the contract;
(2) To comply with an obligation that is imposed on a data controller by law;
(3) To fulfil the vital interests of the data subject;
(4) For the exercise of authority vested in the data controller by law;
(5) For the fulfilment of a public service obligation to which the data controller is subject in the public interest; and/or
(6) For the pursuit of a legitimate interest of the data controller or the data subject.
The exceptions to the mandatory consent requirement under the PDP Bill contradict the provisions of GR 71. However, as the PDP law will occupy a higher position in the regulatory hierarchy than GR 71, it is likely that its provisions will supersede those of GR 71, including those on the lawful basis for personal data processing.
Cross-border data transfer
Pursuant to MR 20/2016, cross-border transfer of personal data is not restricted, as long as the transfer has been consented to by the data subject, and is subject to co-ordination with the MCIT or other relevant authorities. Based on the current policy at the MCIT, mandatory co-ordination will be implemented via the submission of an annual report.
The PDP Bill introduces new requirements on controller-to-controller, cross-border personal data transfer, which will be subject to the following conditions:
(1) The partner country has a personal data protection level that is equal to or higher than the provisions in the PDP Bill;
(2) An international agreement exists between the countries;
(3) A contract between data controllers that covers personal data protection matters; and/or
(4) Consent from the data subject.
However, the above provisions do not apply to controller-to-processor, cross-border personal data transfer.
Upon the occurrence of a data breach, GR 71 and MR 20/2016 require electronic systems operators to report the breach to the MCIT and law enforcement agencies immediately at the first opportunity, and to notify the data subject within 14 days of the discovery of the breach.
The PDP Bill also specifies detailed requirements on reporting obligations, which also apply to electronic and conventional personal data processing. Under the PDP Bill, a data controller must, within 72 hours, notify in writing the data subject and the MCIT of a failure to protect personal data. The notification must detail:
(i) the compromised data;
(ii) when and how the data was compromised; and
(iii) management and recovery efforts.
Data protection officer
The PDP Bill also introduces an obligation to appoint a data protection officer, for data controllers and processors that meet the following criteria:
(1) Data processing is for the purpose of providing public services;
(2) The data controller’s main activity requires large-scale, frequent, and systematic monitoring of personal data; and/or
(3) The data controller’s core activity involves large-scale processing of specific personal data and/or personal data related to criminal activity.
Data protection officers must be appointed on the basis of professional qualification, legal knowledge, and practice experience in data privacy. However, the PDP Bill does not stipulate specific mandatory qualifications, skills, or educational background. Generally, their role is to protect and ensure the security of personal data processed by a data controller or processor.
Although the PDP Bill is on the priority list for legislation, it is unclear when it will be issued and promulgated as law. Its finalisation may be delayed as the government is still focused on handling the coronavirus pandemic in Indonesia.
The bill is highly anticipated by businesses in Indonesia, as comprehensive and consistent personal data regulation is a crucial aspect of their activities. As business has already become fundamentally more cross-border in nature, the PDP Bill is viewed as more compatible with international standards, an unavoidable consequence of doing business in this era of ever-increasing, globalised digitisation.
Ali Budiardjo Nugroho Reksodiputro Counsellors at Law (ABNR)
Graha CIMB Niaga, 24/F
Jl. Jend. Sudirman, Kav. 58
Jakarta – 12190, Indonesia
Tel: +62 21 250 5125/5136
The Philippine Data Privacy Act of 2012 was signed into law on 15 August 2012. This is a comprehensive law that governs data privacy protection in the country. The National Privacy Commission (NPC) – the government agency primarily mandated under the law to oversee the administration and implementation of the act – promulgated on 24 August 2016 the Implementing Rules and Regulations (IRR) of the act. The act was promulgated in response to the freer exchange of personal data at the global stage, and the setting of international standards for data protection, with the Philippines being the global leader in business process outsourcing (BPO) services.
Prior to the enactment of the act, without centralised regulatory oversight for personal data processing, or comprehensive protective measures, the wealth of personal data at that time was subject to abuse and misuse – from the unmitigated use and sharing of contact details for purposes beyond those initially contemplated, to identity theft or security breaches – to the detriment of the data subject’s constitutionally guaranteed right to privacy.
The data privacy regime had its origins as early as 2006, when the Department of Trade and Industry (DTI) issued DTI Administrative Order No. 8-2006, the Guidelines on the Protection of Personal Data. This issuance was patterned after the EU’s then Data Protection Directive of 1995, the predecessor of the current General Data Protection Regulation (GDPR). Hence, the act is deeply rooted in the standards and principles espoused by the GDPR.
The privacy law applies to the processing of all types of personal information, and to any natural or juridical person involved in personal information processing in the private and government sectors. It covers data controllers and processors not found in the Philippines, but who either: (1) use equipment that is located in the Philippines; or (2) maintain an office, branch or agency in the Philippines. It also applies to personal information processing in the event that the personal data being processed pertains to either a Philippine citizen or resident, regardless of the location, and wherever such processing takes place. For example, the act will apply in a case where personal data of an overseas Filipino worker (OFW) currently working in the US is being processed by a local Philippine bank. Also, the privacy law will apply in a case where personal data of the same OFW is being processed by a foreign bank located outside of the Philippines.
“Processing of personal data” is defined under the act as any operation or set of operations performed on personal information (such as collection, recording, organisation, storage, updating, modification, retrieval, consultation, use, consolidation, blocking, erasure, and destruction). “Personal information controller” refers to any person or organisation that controls the collection, holding, processing or use of personal information (except for those who perform such functions as instructed by another person or organisation, or an individual who performs the same functions in connection with the individual’s personal, family or household affairs). “Personal information processor” refers to any natural or juridical person to whom a personal information controller may outsource the processing of personal data.
The following types of information are exempt from the coverage of the act:
(1) Information on any current or previous government servant that relates to the position or functions of said individual;
(2) Information relating to the services performed by an individual under a government contract;
(3) Information relating to any discretionary financial benefit given by the government to an individual;
(4) Personal information processed for journalistic, artistic, literary or research purposes;
(5) Information necessary in order to carry out the functions of public authority;
(6) Information necessary for banks and financial institutions to comply with the Anti-Money Laundering Act; and
(7) Personal information collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions.
The act distinguishes “personal information” from “sensitive personal information”, as different requirements for lawful processing are prescribed. Personal information refers to any information from which the identity of an individual is apparent, or can be reasonably and directly ascertained, or when put together with other information would directly and certainly identify the individual. Sensitive personal information refers to personal information about one’s race, marital status, age, and religious, philosophical or political affiliations. It includes health and education, any court proceedings, information issued by government agencies peculiar to an individual (e.g., social security numbers, health records, licences and tax returns), and those specifically declared as classified by law or regulation.
The law and its IRR generally require consent from the data subjects before one can validly process personal data, unless the processing is covered by any of the conditions expressly outlined in the act and its IRR. Note that the act only recognises a valid express consent – and frowns on implied consent – which is defined under the act as “any freely given, specific, informed indication of will … [and] shall be evidenced by written, electronic or recorded means”.
The act extensively outlines the rights of the data subject with respect to his/her personal information, which are similar to the rights recognised under the GDPR. These rights include:
(1) the right to be informed;
(2) the right to access;
(3) the right to object;
(4) the right to erasure and blocking;
(5) the right to rectify;
(6) the right to file a complaint;
(7) the right to damages; and
(8) the right to data portability.
These rights of the data subject must be observed and respected by data controllers and data processors, except when the personal information shall be used for scientific and statistical research, and no activities are carried out and no decisions are taken regarding the data subject, or are gathered for the purpose of investigations in relation to any criminal, administrative or tax liabilities of a data subject.
The law outlines the general principles on security of personal information, as well as accountability with respect to the transfer of personal information. Specific provisions are laid down concerning the security of sensitive personal information in the government, as well as provisions on a data breach and the basic guidelines for reporting instances of data breaches.
Similar to the regime implemented under the GDPR, Philippine privacy law and regulations impose breach notification obligations on the personal information controller in cases of a personal data breach. Such a notification must be served on the affected data subjects and reported to the NPC within 72 hours upon knowledge of, or when there is reasonable belief by the personal information controller or personal information processor, that a personal data breach requiring notification has occurred.
Philippine privacy regulations require the designation or appointment of a data privacy officer (DPO). Not all DPOs are required to register with the NPC, but it is mandatory for the following: (1) if the entity employs 250 people or more; (2) if the entity processes records containing sensitive personal information of at least 1,000 individuals; or (3) if processing personal information of the entity is either likely to pose a risk to the rights and freedoms of data subjects, or is deemed not occasional. The NPC issued guidelines enumerating the sectors that it considers covered by the mandatory registration requirement, regardless of the number or volume of data subjects, or personal information being processed.
These sectors, considered as critical, are the following:
(1) government agencies;
(2) banks and non-bank financial institutions;
(3) telecommunications and internet service providers;
(4) BPO companies;
(5) universities, colleges and all other schools and training institutions;
(6) hospitals, clinics and other healthcare facilities;
(7) insurance companies and brokers;
(8) those involved in direct marketing, networking, and other companies providing reward cards and loyalty programmes;
(9) pharmaceutical companies engaged in research; and
(10) personal information processors processing personal data for a personal information controller included in any of these critical sectors.
Apart from the DPO, the IRR specifically provides that certain forms of data processing systems must be registered with the NPC.
Finally, violations of the act are punished with mandatory imprisonment and fines. A higher range of penalties is imposed in cases where sensitive personal information is involved. Maximum penalties are imposed when the personal information of at least 100 persons is affected, and considered as large scale. Although there have been moves initiated by the NPC and other concerned sectors to propose amendments to the act that include removal of the penalty of imprisonment, such initiatives have been put on hold due to the current pandemic.
22nd Floor, ACCRALAW Tower
2nd Avenue corner, 30th Street
Crescent Park West Bonifacio Global City,
1635 Taguig, Metro Manila, Philippines
Tel: +63 2 8830 8000
Thailand’s Personal Data Protection Act 2019 (PDPA) was promulgated to protect natural persons from the unauthorised or unlawful collection, use or disclosure of their personal data. The PDPA came into force on 27 May 2019, but the spread of covid-19 led the Thai government to postpone enforcement to 31 May 2021. However, minimum security standards already apply: data controllers must inform their staff and relevant parties of the importance of personal data protection, and certain safeguards must be implemented.
The PDPA established the Personal Data Protection Committee (PDPC), with an expert committee and a sub-committee under the PDPC. Pursuant to section 16 of the act, the committee’s duties include:
(1) Determining measures or procedures for the protection of personal data;
(2) Issuing notifications or regulations;
(3) Announcing criteria for protection procedures and the protection of data that are transferred out of the country; and
(4) Preparing the masterplan to support and protect personal data.
The PDPA also established the Office of the PDPC, a state agency that acts as the centre for academic services for the protection of personal data, together with a supervisory board. Many requirements of the PDPA will be covered by sub-regulations, which remain to be announced and implemented by the PDPC. In February 2021, the regulator conducted a public hearing on the draft sub-regulations with plans to launch the following sub-regulations by June 2021:
. Criteria and methods for obtaining consent;
. Notifications regarding the processing of personal data;
. Proper data protection methods for the processing of sensitive personal data;
. Criteria and protections for the transfer of data overseas;
. Personal data activity records, methods for data subject requests, and reports on any personal data breach;
. Safety measures for data processing;
. Data protection officers; and
. Procedures regarding complaints and administrative enforcement.
Scope of regulation in Thailand
The PDPA regulates the collection, use and disclosure of personal data (collectively, the act of processing data) by a data controller, or a data processor, in Thailand. However, the PDPA does not apply to:
. Data collected by a person who collects such data for the personal benefit or household activity of such person only;
. Operations of public authorities;
. Data that are collected only for the activities of mass media, fine arts, or literature;
. Data under the duties and power of the parliament or parliamentary committees;
. Trials and adjudications of courts, and work operations of officers in legal proceedings; and
. Data collected by a credit bureau company and its members.
Pursuant to section 6 of the PDPA, personal data means any information related to an identifiable person, directly or indirectly, but excluding deceased persons.
There are two types of personal data: general personal data (section 24), and sensitive data (section 26). General personal data is any personal data that is not sensitive data. Sensitive data includes personal data pertaining to racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, biometric data, or of any data which may affect the data subject in the same manner, as prescribed by the PDPC.
Unless there is a lawful basis to do so, the processing of general personal data and sensitive data requires the consent of the data subject, which must be given explicitly as per section 19.
Lawful basis for processing
Pursuant to section 24, the lawful bases for processing general personal data without the consent of the data subject include: research, vital interests, contract, public task or official authority, legitimate interest of the data controller (balanced against the rights of the data subject), and legal obligation.
Pursuant to section 26, the lawful bases for processing sensitive personal data without the explicit consent of the data subject include: vital interests, non-profit activities, public data, legal claims, and compliance with a legal obligation serving various public interests.
Data controller and processor
The PDPA provides a distinction between those who make decisions on the processing of personal data and those who provide personal data processing services. Pursuant to section 6 of the PDPA:
(1) A data controller is a natural or juristic person with the authority to make decisions on the collection, use or disclosure of personal data; and
(2) A data processor is a natural or juristic person who operates in relation to the collection, use or disclosure of the personal data pursuant to orders given by, or on behalf of, a data controller.
Section 37 sets out the duties of the data controller, which include arranging security measures and verification procedures, as well as providing notification of any violations to the Office of the PDPC. It also provides that the data controller must provide and maintain appropriate measures to prevent the unauthorised or unlawful loss, access, use, alteration, correction or disclosure of personal data.
Section 40 sets out the duties of a data processor, which include arranging security measures, notifying the data controller of any violations in connection with personal data, and preparing and maintaining logs. Most companies that collect personal data will be regarded as controllers or processors and will have to comply with the PDPA.
If a data controller or a data processor is outside of Thailand, the PDPA applies to the collection, use or disclosure of personal data of subjects who are in Thailand, where the activities of the data controller or data processor are: (1) the offering of goods or services to data subjects who are in Thailand, regardless of whether the payment is made by the data subject; and (2) the monitoring of the data subject’s behaviour taking place in Thailand.
Under section 21, the collection, use or disclosure of personal data must not be conducted in a manner different from the purpose previously notified to the data subject, unless the data subject has been informed of the new purpose, and consent has been obtained prior to the time of collection, use or disclosure.
Pursuant to section 23, the data controller must inform the data subject, prior to or at the time of the collection of personal data, of the following:
. Purpose of the collection;
. Period of storage of personal data;
. Identity of the data controller (contact details);
. Reasons for the data subjects to disclose their personal data;
. Identification of the recipients to whom the personal data may be disclosed;
. Information that needs to be collected;
. Rights of data subjects; and
. Impact of not providing information.
Section 39 states that the data controller must maintain the following records:
. Collected personal data;
. Purpose of the collection;
. Details of the data controller;
. Retention period of the personal data;
. Rights and methods to access the personal data;
. Use or disclosure of personal data exempted from the consent requirement;
. Rejection of requests or objections; and
. Explanations of the appropriate security measures to prevent breaches.
Pursuant to section 30 of the PDPA, the data subject is entitled to request access to, and obtain a copy of the personal data related to him or her, which is under the responsibility of the data controller.
Breaches of personal data
Section 37(4) requires the data controller to notify the Office of the PDPC of any personal data breach within 72 hours of having become aware of it. The penalties set out for non-compliance include criminal and civil penalties.
Criminal penalties include imprisonment for up to one year and/or fines of up to THB1 million (US$32,500). If the violation is caused by the instruction or omission of a person who is responsible for a company, he/she could also be subject to the same penalties. Civil liabilities include punitive damages of up to twice the amount of any actual damages. Civil damages may also be claimed under a class action lawsuit.
Additionally, the expert committee of the PDPC is authorised to order administrative fines of up to THB5 million (US$163,417) against any violator.
WEERAWONG CHINNAVAT & PARTNERS
22nd Floor, Mercury Tower
540 Ploenchit Road, Lumpini, Pathumwan
Tel: +662 264 8000
Fax: +662 657 2222