
In this edited extract from a roundtable hosted by India Business Law Journal and Ikigai Law, moderator Sreenidhi Srinivasan and a distinguished panel of global data privacy experts discuss how companies can create globally compliant data privacy policies.

Many countries in the Asia-Pacific region have introduced or are on the verge of introducing data protection laws. For companies doing business outside their borders, a key challenge is knowing how to be compliant with global privacy laws.

The discussion examines various themes around data compliance such as setting a common minimum baseline for global compliance, strategic approaches to different privacy laws, the role played by the EU’s General Data Protection Regulation (GDPR), the importance of data subject rights, and navigating cross-border data transfers.

Accompanying moderator Sreenidhi Srinivasan, partner and lead lawyer on data at Ikigai Law, are Scott Warren, a partner at Squire Patton Boggs in Tokyo specialising in data privacy; Michelle Chan, a TMT of counsel based in Bird & Bird’s London office; and Kritiyanee Buranatrevedhya, an IP and tech partner at Baker McKenzie’s Bangkok office who focuses on data privacy and protection.

Sreenidhi Srinivasan: There are more than 150 data privacy protection laws across the world. For tech businesses that want to go global, how should they think about privacy compliance? What should they start with? Is there a strategic way of thinking about data governance within an organisation?

Scott Warren: In some ways I really feel sad for the in-house counsel of today, because before we just used to be worried about GDPR in Europe, and then we’d worry about the US because of the high penalties. But in the past 10 years or so there’s been an explosion, and within probably the past 20 years, there’s a number of other APAC countries that have their own data privacy laws, which are quite challenging to follow.

So over time, it’s come to me that there’s a concept I’ve called the data privacy continuum. I used to think of it before as you know, digital, a one or a zero, right? It was either Europe or American or something like that. But now I see it as a continuum.

You’ve got Europe that sees data privacy as a fundamental human right. And I actually think the US uses it as a fundamental corporate right. But God forbid you collect it improperly, you lie when you collect it, you abuse it, or lose it, then you’re going to be sued with class action lawsuits, with shareholder derivative lawsuits, and penalised by government regulatory authorities. Facebook, I think, paid USD5 billion not too long ago to resolve a US privacy issue.

But then we have these jurisdictions such as China, the new law, as well as Russia, the old law, that are looking at data privacy much more as a fundamental state right. But at any rate, Europe certainly has a focus on protecting the state secrets, or the state side of that coin. The US is complaining about Huawei, and all the things that might happen with routers that could be used to take data. Frankly, Cisco could do the same thing if they wanted to.

So, this all becomes a matter of who you trust. But the US certainly has a state-located interest. So the thing that’s helpful for me about this continuum is if you look at it, you can see kind of where each country’s laws … fall within it.

And for a lot of APAC countries – Japan, for example, and a lot of other places – I see them trying to straddle the US and Europe side of it. They want to follow Europe so that they can perhaps get an adequacy finding. But they also want to have free transfer of data to trusted sources in the US style.

And then we see some places that we wonder where they fall. Certainly Vietnam is much closer to the China state protection side. And there was some concern with the earlier draft for India, that it was somewhat of a localisation rule. That seems to be relaxed somewhat, but we’re still waiting to see how that actually passes.

But if you can think of it within that continuum, it really helps you figure out – okay, these are the fundamental hot button issues with this country. By reading the law, I know where their focus is, and then it can help you kind of design some common themes through that.

Srinivasan: Michelle, I’ll come to you with sort of a variation of this question. Scott spoke about this continuum – the different triggers or different objectives that different regions might have. How would one be able to glean a common minimum baseline? And are there any differences or similarities that have really stood out to you in the privacy laws of any particular country in South Asia, or the world? Also, how do you then account for those outliers and differences?

Michelle Chan: If you look at the overarching data protection laws in some of the major jurisdictions – the EU, the US, Japan, South Korea and now China – what you see is actually that there will always be some common parts to the data protection law.

So, most of them will define what personal data or personal information is. Most of them will try to distinguish between data controller and data processor. But of course, there are also jurisdictions that don’t draw that sort of distinction. And then you have some data protection principles. Some countries have 10 of them, some only have six. Some don’t call them data protection principles. They’re just embedded somewhere in the law.

And then, I think EU data protection lawyers like to talk about the legal basis. Now, different countries will have different legal bases. I think it’s always a shock to my EU colleagues that there is no legal basis for legitimate interest under China’s PIPL (Personal Information Protection Law). I’m not sure if there is going to be one in India and, if not, what happened to that? And then, of course, you also have rules about notification, data subject rights, transfer rules, governance. So, the framework actually is very similar.

But as Scott has already said, different governments pursue different objectives, and the substance of that sometimes will be slightly different. But are there lots of differences? I actually don’t see lots of differences. But to the extent that there is a difference, there is always a reason for that.

For example, the local data localisation rules in China, yes, there is one. But is it as aggressive as the one in Russia? Not really. And then when you take a step back and look at the reasoning behind why isn’t the rule as aggressive as the one in Russia, it’s because there are Chinese companies that are based everywhere in the world.

So having a very stringent transfer rule is not going to help their own companies. So therefore, the rules are slightly different. And I think that when it comes to India’s upcoming data protection law, I think that sort of framework will be useful. For data protection lawyers that are already familiar with the GDPR, it’s actually a good thing because then you can draw the differences, and then try to understand the law. I don’t think the laws of various jurisdictions are that different because the GDPR almost sets out what we call the golden standard.

I think a lot of countries are also trying to pursue that. And sometimes a country simply wants to have a law just to show that it’s a modern nation, it isn’t lagging behind. So that’s my thought on this particular question.

Srinivasan: I’m also wondering if there are trends to glean from regulatory enforcement actions. For instance, how do you ascertain the common minimum? And what have regulators been most concerned about as well? I was wondering if Kritiyanee could tell us about her experience with the Thai PDPC (Personal Data Protection Committee). I understand that a lot of GDPR fines are often about security breaches or direct marketing. Is that also something that could aid compliance efforts?

Kritiyanee Buranatrevedhya: Yes, that’s correct Sreenidhi. The Thai PDPA (Personal Data Protection Act) has drawn certain concepts from the GDPR, but obviously the devil is always in the details. So even if the concepts are similar, it doesn’t mean that there cannot be deviations in terms of implementation and the details of the Thai law.

You can see from the law itself that even for the age of minors, and even the exception for minors when it comes to personal data processing, there would be differences compared to the GDPR. There are also certain discrepancies in terms of sub-regulations under the PDPA and a lot of details are different from the GDPR itself.

One of the key problems that global business operators face right now is these differences and discrepancies, so that even if they implemented the local compliance programme to be aligned with the Thai PDPA, they will still spot some differences from their branches that are located in the EU region.

That being said, with regards to possible enforcement in the future, some companies, even if they are aware that Thai law has drawn some concepts from GDPR, might not yet be aware that there are differences in the details. When they believe that they already comply with the GDPR, they would think that they don’t need to do anything further to be compliant with Thai law. So that could lead to one of the problems, which might lead to enforcement actions.

Srinivasan: All of you have talked about how there’s this perception that the GDPR is like the gold standard in the world. But I think we’re all in agreement that it is not as though compliance with the GDPR will get you to be compliant with the laws of every country. In fact, there may be some outliers, or several instances, where regional laws are more stringent than what the GDPR requires. Scott, are there any sort of baselines that we can actually draw from the GDPR? Maybe basic principles like data mapping? And would you advise businesses to look to the GDPR even if they have no operations there in the foreseeable future?

Warren: So, is it the gold standard? It isn’t, at least in the sense that there are stricter laws. South Korea has a 24-hour notice rule, not 72. The Philippines and Vietnam say that their law applies to citizens that live in Los Angeles or abroad, even though that data isn’t even collected in the Philippines. Now, how they enforce that is a great question.

And then you’ve got all sorts of different challenges because the data privacy laws are not implemented directly from the GDPR but certain concepts are. The one concept that goes through every law that I’ve looked at so far – the newer law – is the data subject rights, which is the right to access, the right to query, the right to correct. All those concepts are kind of GDPR stated. My friends in South Korea say that the GDPR actually stole this from them because they had it earlier. But at any rate those things are standards, and just thinking about implementing that alone for a company is phenomenally different.

We also rely on getting consent in different ways. Sometimes it is direct and express, like under the GDPR, and sometimes it’s implied. The real-world challenge that I’ve seen was with a client, a European-headquartered company that had an internal investigation they needed to do in one of their India subsidiaries. It involved a bribery allegation or something, which for a regulatory investigation they actually needed to follow up on. They wanted to collect information from employee cell phones and all of them were willing to give consent to do that.

But under the European model, there’s almost an allergic reaction to consent in an employer-employee setting. There’s a belief that it’s impossible for an employee to give free and valid consent to an employer. So, Europe didn’t want to gather that data, when that’s the only way you could do it under Indian law. If you simply apply the GDPR across the globe you’re going to have a number of issues. It’s not the same jurisprudence, it’s not the same laws.

And in some ways, you’re trying to argue with local vendors about a GDPR concept that makes no sense to them. And they’re probably not in any position to comply with. I think you have to take a much more structured, rational approach to which laws you’re going to put out and how, and which of your privacy principles you’re going to implement locally.

Srinivasan: Michelle, does that mean you need to have a different privacy policy for each region or each country that you’re operating in? Does it even mean a different user interface on the app for different regions? And, as external counsel and in-house counsel, how do you really help the business teams mitigate some of this uncertainty?

Chan: It depends, because we have clients that like to have one single global privacy policy, which will apply to their entire global business. And then when you read it, there will be parts that will only apply to certain jurisdictions but, by and large, that’s what they want.

I think that’s primarily driven by how stringent the data protection law is at the headquarters. But, on the other hand, we also have clients that prefer to have different privacy policies. Either due to pressure from the local subsidiary, and if you speak to someone in an Asian country, and say: “you have to comply with GDPR.” And if that business is actually doing fairly well, you’re going to get resistance from that local business. And they will say: “we prefer to have something that our customers and clients understand. So, if you push GDPR on us, it’s not going to work.”

But if you’re talking about a quite localised service where data will actually be collected locally, it is probably not a good idea to have a single policy with very little reference to the requirements under local law. Some countries do have slightly more stringent requirements than the GDPR, and I’m pretty sure that the new Indian data protection law would have specific features that are different from the GDPR.

In which case, I think it is quite foolish to say let’s ignore that and just comply with this single global policy. I think you need to think about, at least at a minimum, [treating] these more stringent requirements as mandatory requirements and trying to comply with them together with your global requirements.

Srinivasan: I completely agree that you can’t simply import GDPR standards. But we often get queries from clients saying: “We have a user base across the world, but we have the same set of people who will be working with Indian, Singaporean and EU user data.” Now, do we tell them to handle that data differently within the organisation? And what might that look like practically? Is it sort of one internal policy with addendums for different uses? And because these questions do emerge when you’re engaging vendors, we’ll have the same vendor analysing data from all of these regions. So, what sort of contractual protections would you bring in?

Buranatrevedhya: So, the draft version of Thailand’s sub-regulation about cross-border transfers has recently been opened for … public consultation. And since we rely on the concepts of the GDPR, we have introduced the concept of SCCs (standard contractual clauses). The details that are put in the draft sub-regulation are different from the GDPR. So this would pose another problem in terms of launching global compliance programmes for multinational companies.

If your company has a certain physical base in the EU, then you need to use the SCCs from the GDPR side without having room for revision. But then if you want to transfer data from your presence in Thailand, then you need to follow SCCs from the Thai data protection point of view. So, this will cause a clash, and I think that most of the local regulations in other APAC countries might be similar as well.

Another thing to consider is how we can lower the liability as much as possible in terms of sending personal data overseas – both inbound and outbound. Some companies used binding corporate rules (BCRs) instead of SCCs for cross-border transfer. But there’s a problem there as well because of certain legislative requirements with the regulator, and it’s not as easy as the SCCs, which don’t need registration.

These are pros and cons to consider as to which agreement, template, or what type of legal document that company would like to launch.

Srinivasan: If there’s a US business that’s engaging an Indian vendor for data analytics, it will be sending the data of those users across regions. They could be based in India, Singapore, Thailand, Brazil and Japan. What kind of contractual safeguards do we bring in?

Warren: You can probably implement 90% of a strong standard law across your organisation in a way that helps you to ensure that you can deal with data subject access requests in a timely fashion. That could be the most aggressive timely fashion, even though you still have some time as long as you have that data structured in a way you can query it, and respond, and you may make a global standard for that unless there’s some unique rule that says you have to respond in a quicker time and so you need some eyes on the local laws.

In terms of the contractual side, what we’re seeing with many clients is that they have a basic agreement that says I’m going to entrust you with this data. Usually, it’s really important for any third-party vendor that’s going to get the data that you have restrictions – you’re only going to use it for what I have entrusted it to you for, and not another purpose, because that leads to a number of data privacy issues.

If you don’t have that, then you’re going to have a requirement for them to co-operate with you in the event of a data breach, or if there’s a data query that you need to respond to. If they’re collecting data, you’re going to say you’re collecting it under local rules. Usually, it’s helpful to state the specific rules that apply to the data that they’re collecting, [and that] they’re going to comply with the data privacy laws. So, I think what’s needed is a strategic and sensible approach to know where your risks are, and make sure that those things are covered.

But you really need to have that third-party contract if you’ve given that data out, because even in countries that don’t specifically state that you have to have it, it’s implicit. Because if you don’t have it, you can’t control it.

Srinivasan: Even in India, while we aren’t yet required by law, you do have certain clauses for this if not a separate data processing addendum. But Michelle, if you could argue from the vendor’s side – if a local vendor gets a request and they have this massive document that says you may be processing data of individuals from various countries, and it’s seeking a blanket representation that you will abide by all applicable data protection laws of the world. How would one approach that from the vendor’s perspective?

Chan: I actually do have a client that has been slapped by the EU SCCs, saying that they have to comply with it. I have some sympathy for that request because the customer is a global player with headquarters in one of the EU countries. However, I think if you work for a vendor, and you strongly believe that actually it doesn’t really apply, then you do need to say, look, I can’t comply with or sign your EU SCCs, or your data processing agreements, in a blanket way.

But I’m happy to comply with these points because these are the local law requirements and I think it’s actually quite legitimate for the vendor to say that. And, in fact, what we are seeing is a lot of our global clients have some sort of generic data processing agreement or arrangement. And then where the EU SCCs have to apply, then they will say “appendix one”, which is the EU SCCs that will apply to you. And then for China, obviously we’re going to have very interesting situations. If the data goes into China, maybe you comply with EU SCCs; when the data comes out from China, you comply with the not yet existing PRC SCCs.

So this is an issue a lot of the Indian companies will also face because how do you go about putting in place a data processing arrangement that will comply with, first of all, India’s own transfer rules, as well as where you have a global Indian business? How you then make it consistent with all these other rules, I think that is going to be a real challenge. The GDPR may have been around for quite some time now but our clients are still struggling with complying with the EU SCCs when they’re combined with all these other rules that are coming out from the US, as well as other countries in Asia, Thailand, Vietnam, the Philippines and China.

So this is going to be a challenge, but hopefully some of the clients have already worked out some solutions. And we may be able to borrow some of those solutions for the benefit of some of our clients, and possibly share those solutions.

Srinivasan: I think data mapping is often seen as a starting point for compliance because you need to know where data is. In the run-up to India’s data privacy law being finalised a lot of businesses now ask us how long will it take for us to achieve compliance once the law is enacted? Scott, what would you advise them to do in order to be better prepared?

Warren: In terms of timing, so much depends on whether there is already an existing legal framework for data privacy, or whether it’s a new law. But don’t be afraid to start – please don’t let us scare you from starting because you’ve got 15 countries to deal with. Start by data mapping, figure out what data you have in your organisation, where it is, where it came from. Oftentimes where it sits now is not where it came from.

Then you have to apply a separate set of rules. If it came from Europe and now sits in India, for example, or California. Figure out whether it’s regular personal information and realise every country defines it differently. Figure out if it’s sensitive personal information or if it’s critical infrastructure. In that fashion, do your data mapping, and you do a gap assessment of where you have things in place to handle, and the laws that apply.

Did you actually collect it correctly in the first place based upon that country’s laws? Did you have the consents in place, or other things that allow you to collect it? Do a risk assessment to figure out where you really need to focus first to solve the issues. So that’s three – data mapping, gap analysis and risk assessment.

On implementation, usually I see clients do it at various levels, and they do the public implementation first. That is, what’s the public facing, what’s on the website, and what documentation do you need to be able to show the data privacy authorities?

And then they start digging a little bit deeper into getting it internally. Do you have the right things in order to respond to a data subject access request? Do you have the right types of privilege forms set up for those people that look at the personal information data? Do you do training for employees? Because that’s oftentimes required. So, you do the implementation and test whether or not that implementation is going well.

My recommendation for in-house counsel is to watch when there’s new transformation of your business. That is, when you go into new business areas, expand and take on new products, or when [employing] new marketing techniques using the latest SMS technologies, and others. And you’re going to think about how that impacts the data that you’ve collected, and where it’s going. And I think then you’re in a position to make that transition successfully.


KEY TAKEAWAYS FROM THE CONVERSATION

  • Strategic approach. Since there are more than 150 privacy laws across the world, global businesses must approach privacy compliance strategically. This means understanding what data you have, identifying key markets, and evaluating their laws to identify a common minimum baseline.
  • Know your data. When thinking about data, it’s important to identify and map your data flows – what data is collected, who accesses data within the organisation and outside, where data are stored, etc.
  • Identify key markets. It’s essential to identify key markets for a business. While the EU GDPR is often held up as a gold standard, you can’t assume that compliance with the GDPR means you’re complying with all laws. Different regions have different requirements – some stricter than the GDPR – and it’s important to understand the objective and context of those requirements.
  • Common minimum baseline. A business could think about global privacy laws as a continuum – the EU sees privacy as a human right; the US sees data use as a corporate right; for China, state security is a key trigger, and so on. This helps understanding the hot button issues in key regions, and then identifying a baseline for a global programme.