A regional comparison of data privacy laws

INDIA

THE PHILIPPINES

In 2012, the Philippines passed the Data Privacy Act (DPA), protecting individual personal data in information and communications systems in both the government and the private sector (Republic Act No. 10173). This comprehensive privacy law also established the National Privacy Commission (NPC) with enforcement, rule-making, advisory and quasi-judicial powers, and tasked it to implement the provisions of the act.

On 9 September 2016, the implementing rules and regulations (IRRs) came into force. The law is intended to bring the Philippines to the next level and ensure compliance with international standards of data protection.

Application. The Philippine DPA applies to the processing of all types of personal information, with certain exceptions including those that are considered “matters of public concern”. It covers any natural and juridical person involved in personal information processing within (or, in some instances, outside) the Philippines. Based on the DPA’s extraterritorial reach, the NPC launched its own investigation in April 2018 on the Cambridge Analytica scandal, involving the unauthorized sharing of personal information including that of about 1.2 million Filipinos.

The common notion is that if the personal information is publicly available, then the DPA is not applicable. The NPC has correctly opined that this is a misconception, and said that, “even if the data subject has provided his or her personal data in a publicly accessible platform, this does not mean he or she has given blanket consent for the use of his/her personal data for whatever purposes”. The NPC’s opinion is significant as it recognizes with caution the collapsing boundaries of private and public space in the social media age.

Governing principles. The DPA adopts some of the principles under much earlier international privacy frameworks, particularly transparency, legitimate purpose and proportionality. In line with the law’s objective, processing of personal information is generally allowed provided there is at least one lawful basis for processing, for instance, the legitimate interest of the personal information controller (PIC).

In this regard, the NPC has already clarified that legitimate interest of the PIC, as a basis for processing, must consider the following three-part test: (1) the purpose test – the existence of a legitimate interest must be clearly established, including a determination of what the particular processing operation seeks to achieve; (2) the necessity test – the processing of personal information must be necessary for the purpose of the legitimate interest pursued by the PIC or third party to whom personal information is disclosed, where such purpose could not be reasonably fulfilled by other means; and (3) the balancing test – the fundamental rights and freedoms of data subjects must not be overridden by the legitimate interests of the PIC or third party, considering the likely impact of the processing on the data subjects. In contrast, processing of sensitive personal information is generally prohibited except if a lawful basis for processing exists (e.g., consent, law or physical necessity).

Rights of data subjects.The DPA provided data subjects certain rights: (1) the right to be informed (among others, on the existence of automated decision-making and profiling); (2) the right to access; (3) the right to object (to the processing of personal data, including for direct marketing, automated processing or profiling); (4) the right to erasure or blocking (of personal data from the PIC’s filing system) on specified grounds; (5) the right to damages; (6) the right to file a complaint, subject to the requirement of exhaustion and timeliness; (7) the right to rectify; and (8) the right to data portability.

Obligations. Under the IRR, the PICs and the PIPs (personal information processors) are mandated to register their data processing systems with the NPC under the following conditions: (1) if sensitive personal information of at least 1,000 individuals is processed; (2) if the personal information controller or processor employs at least 250 people; (3) if less than 250 people are employed but the processing is not occasional; or (4) if less than 250 people are employed but the processing of the information might pose a risk to the rights and freedoms of the data subject.

The IRR sets out the following required security measures for the protection of personal data:

• Assign someone to function as data protection officer, compliance officer or any other officer accountable for ensuring compliance with applicable laws and regulations on data privacy and security;
• Implement appropriate data protection policies that provide for organization, physical and technical security measures;
• Maintain records that sufficiently describe the data processing system and identify the duties and responsibilities of those individuals who will have access to personal data;
• Select, train and supervise employees, agents or representatives who will have access to personal data;
• Develop, implement and review policies and procedures for the collection and processing of personal data, for data subjects to exercise their rights under the DPA, access management, system monitoring, protocols for security incidents or technical problems, and data retention;
• Ensure through appropriate contractual agreements that PIPs shall also implement the security measures required by the law and the IRR;
• Comply, where appropriate, with physical security guidelines set out in the IRR; and
• Adopt and establish technical security measures such as, but not limited to: security policy for the processing of personal data; safeguards to protect the computer network; periodic evaluation of security measures’ effectiveness; and personal data encryption.

To monitor the compliance of PICs and PIPs with the law, summaries of documented security incidents and personal data breaches have to be reported by the PICs and PIPs to the NPC. In case of any data breach, the NPC and the affected data subject should be notified by the concerned PIC or PIP within 72 hours from the discovery of the personal data breach.

Compliance requirements

To help those engaged in personal data processing achieve DPA compliance, the NPC developed a five-step guide called “Five Pillars of Compliance”. The guide serves as a checklist and outlines the major data privacy responsibilities under the DPA and pertinent issuances of the NPC.

Appointment of a data protection officer (DPO). The appointment of a DPO is mandated by law and is considered as proof of the organization’s compliance efforts. The DPO is accountable for the organization’s compliance with the law’s requirements. His or her main role is to oversee the organization’s data protection programme and its implementation, including formulation of data protection policies, conduct of risk assessments, and management of personal data breach. He or she also serves as the contact person of the organization on data subjects and the NPC. The DPO must be independent, knowledgeable in data protection and have a good grasp of the processing systems being carried out by the organization.

Conduct of a privacy impact assessment (PIA). A PIA is a process of identifying and evaluating potential privacy risks posed by the processing of personal information. Ideally, the PIA should be conducted for all projects, programmes and activities involving personal information. The PIA should include, among others things: (1) a systematic description of the personal data flow and processing activities of the organization; (2) assessment of the organization’s adherence to the data privacy principles and implementation of security measures; (3) identification and evaluation of the attendant risks; and (4) proposal of measures that address them.

Create a privacy management programme (PMP). The PMP is a holistic approach to ensure that privacy and data protection are embedded in all programmes, activities, services and initiatives of the organization. It sets out the organization’s commitment to protect the personal information of its data subjects, and details the organization’s practices and procedures in processing and handling of such information. Implementing a PMP includes having privacy policies, procedures and protocols in place that help the organization comply with the requirements of the law.

Implement your privacy and data protection measures. The policies and measures set out in the PMP should be implemented. Apart from having a firm organizational commitment, to ensure execution of the PMP programme controls should be integrated into the organization’s day-to-day operations. Programme controls should include the following: (1) records of processing activities; (2) risk assessment tools; (3) registration; (4) policies and procedures; (5) data security; (6) capacity building; (7) breach management; (8) notification; (9) third-party management; and (10) communication. The organization should also periodically assess the effectiveness of programme controls.

Personal data breach management. In the event of a personal data breach, the organization should be prepared to respond promptly and effectively. The organization should have a policy setting out the procedures for breach management in place. The policy should cover prevention, incident response, investigation, mitigation of breach impact, compliance with notification requirements, and prevention of recurrence. It is essential that responsibilities for managing a breach be clearly defined and assigned, and that lessons learned are integrated into the organization’s procedures and practices.

TAIWAN

The main statute in Taiwan governing data privacy is the Personal Data Protection Act (PDPA), which was last amended in December 2015 and took effect on 15 March 2016. The collection, processing and use of personal data in Taiwan is subject to the PDPA, the enforcement rules on the PDPA and related regulations and rulings issued by relevant authorities.

The PDPA differentiates between government and non-government agencies, and adopts different rules for them acting as data controller for the collection, processing and use of personal data (although the term “controller” is not used in the PDPA). Non-government agencies include any person or entity that is not a Taiwanese government agency. Collection, processing and use of personal data of Taiwanese nationals by a foreign person or entity is also subject to the PDPA.

There is no independent supervisory authority under the framework of the PDPA. Before 25 July 2018, the Ministry of Justice was the major authority responsible for interpreting the PDPA, and currently such authority lies with the National Development Council (NDC). The competent authorities of different industries may also issue rulings and regulations applicable to the data controllers in the relevant industry.

Personal and sensitive data

Under the PDPA, personal data refers to a natural person’s name, date of birth, ID Card number, passport number, features, fingerprints, marital status, family information, education background, occupation, medical records, healthcare data, genetic data, data concerning a person’s sex life, records of physical examination, criminal records, contact information, financial conditions, data concerning a person’s social activities and any other information that may be used to directly or indirectly identify a natural person.

The collection, processing or use of data pertaining to a natural person’s medical records, healthcare, genetics, sex life, physical examination and criminal records (sensitive data) is subject to higher standards (see below). However, the PDPA does not specifically provide for a separate set of rules for the sensitive data.

Requirements for collection, processing or use of personal data. For the purpose of this article, the authors will focus on the requirements for non-government agencies below. For a non-government agency to collect, process or use personal data, the following requirements must be met:

(1) There shall be a notification to the data subject containing all of the following information: (i) name of the collector/processor/ user; (ii) purpose of collection/ processing /use; (iii) type of the personal data being collected/processed/used; (iv) time period, area, target and way of the use of personal data; and (v) the rights of the data subject under article 3 of the PDPA (see below), how to exercise such rights, and the influence on the data subject’s rights and interests if the data subject chooses not to provide his/her personal data.

(2) For collection/processing of personal data, there shall be at least one of the following statutory grounds: (i) the collection/processing is specifically permitted by laws; (ii) the consent of the data subject has been obtained; (iii) the personal data of the data subject have become public due to disclosure by the data subject, or in a legitimate manner; (iv) a contractual or quasi-contractual relationship with the data subject, and appropriate security measures have been adopted for; (v) the collection/processing of the personal data is necessary for statistics gathering or academic research by an academic research institution for the public interest, provided that any information sufficient to identify the data subject has been removed; (vi) the collection/processing is necessary for furthering public interests; (vii) the personal data has been collected from a source that is generally accessible; or (viii) the collection/ processing is not harmful to the data subject.

(3) For use of personal data, it must be conducted within the scope of the specific purpose for which it was collected, unless any of the following conditions are met: (i) such additional use is pursuant to a specific provision set out under the law; (ii) it is necessary for promoting public interests; (iii) it is for preventing risk to life, body, freedom or property of the data subject; (iv) it is to prevent material harm to the rights or benefits of third parties; (v) it is necessary for statistics gathering or academic research by an academic research institution for the public interest, provided that any information sufficient to identify the data subject has been removed; (vi) the consent of the data subject has been obtained; or (vii) such additional use would benefit the data subject.

Requirements for collection, processing or use of sensitive data. Sensitive data may not be collected, processed or used, unless in any of the following situations:

• Where it is specifically permitted by law;
• When it is necessary for a government agency to perform its legal duties, or for a non-government agency to fulfil its legal obligation, and proper security measures are adopted prior or subsequent to such collection, processing or use;
• When the personal data of the data subject have become public due to disclosure by the data subject, or in a legitimate manner;
• Where it is necessary to perform statistics or other academic research, a government agency or an academic research institution may collect, process or use personal data for the purpose of medical treatment, public health or crime prevention, provided that any information sufficient to identify the data subject has been removed;
• Where it is necessary to assist a government agency in performing its legal duties, or a non-government agency in fulfilling its legal obligations, and proper security measures are adopted prior or subsequent to such collection, processing or use; or
• Where the data subject has consented in writing, provided that the use of such data may not exceed the necessary scope of the specific purpose, or there is no other restriction under any other statute. Moreover, such consent must not be obtained against the data subject’s free will.

Rights of data subject

Pursuant to article 3 of the PDPA, the data subject has the following rights, which may not be waived or restricted contractually in advance: (1) the right to make an inquiry about and review his/her personal data; (2) the right to have a copy of his/her personal data; (3) the right to supplement or correct his/her personal data; (4) the right to stop the collection, processing or using of his/her personal data; and (5) the right to delete his/her personal data.

International transfer of personal data

Under article 21 of the PDPA, the competent authority has the right to prohibit or restrict international transfer of personal data in any of the following circumstances: (1) where major national interests are involved; (2) where an international treaty or agreement prohibits or restricts such transfer; (3) where the country to which the personal data are transferred does not provide sound legal protection of personal data, thereby affecting/jeopardizing the interests of the data subjects; or (4) where the transfer of personal data to a third country (territory) is to circumvent the restrictions under the PDPA.

In other words, the international transfer of personal data is generally permitted, but the competent authority may prohibit or restrict the same on a case by case basis. Also, the competent authorities of different industries may issue rulings and regulations applicable to international transfer of personal data by the data controllers in the relevant industry. For instance, Taiwan’s banking regulator has required that any outsourcing of operation by financial institutions that involves international transfer of personal data should meet certain requirements, and will be subject to its prior approval.

Recent developments

The government of Taiwan is aiming to amend the PDPA, possibly this year, to meet the standards of the EU’s General Data Protection Regulation (GDPR) and obtain an adequacy decision from the European Commission. The NDC had several rounds of discussion with the authority of the European Commission about necessary amendments to the PDPA. According to the NDC, the proposed amendments would mainly include: (i) setting up an independent regulatory agency so regulations on data protection across different industry sectors can be more consistent and comprehensive; and (ii) adding more requirements or restrictions on the international transfer of personal data.

THAILAND

Thailand promulgated its Personal Data Protection Act (2019) (PDPA) on 28 May 2019. The most significant provisions of the PDPA will become effective on 27 May 2020, in order to allow for preparation time for compliance with this act. These provisions include regulations on personal data protection, rights of data subjects, complaints, civil liabilities, and penalties.

Subordinated laws under the act are currently under preparation, including personal data protection criteria, and complaints and administrative liability. The issuance of all regulations and notifications under the PDPA must be completed within one year of the date this act enters into force, on 26 May 2021.

Data protection authority. The PDPA establishes a Personal Data Protection Committee, with an expert committee and sub-committee under it. Pursuant to section 16 of the PDPA, the duties of the Personal Data Protection Committee include: determining measures or procedures for the protection of personal data; issuing notifications or regulations; announcing criteria for protection procedures as well as the protection of data that are transferred out of the country; and preparing a master plan to support and protect personal data.

Beyond the above-mentioned committee, the PDPA also establishes the Office of the Personal Data Protection Committee, a state agency that acts as the centre for academic services and protection of personal data with a supervisory board.

Breaches of data protection. The PDPA provides for civil, criminal and administrative penalties for violations. Civil liability under the PDPA includes compensation for damages and punitive damages in an amount not exceeding twice the amount of actual damages. Criminal liability includes imprisonment of up to six months, or a fine of up to THB500,000 (US$16,000) or both, depending on the nature of the violation. Administrative liability includes an administrative fine of up to THB5 million depending on the nature of the violation. The Thai Civil Procedure Code also allows for class action lawsuits.

Exempt sectors and institutions. The PDPA regulates the collection, usage and disclosure of personal data by a data controller or a data processor in Thailand. However, the PDPA does not apply to: Personal benefit or households; operations of public authorities; data that are collected only for the activities of mass media, fine arts or literature; data under the duties and power of the house of representatives, the parliament or parliamentary committees; trials and adjudications of courts, and work operations of officers in legal proceedings and legal execution; data collected by a credit bureau company and its members; and data of the deceased.

Personal data formats. Pursuant to section 6 of the PDPA, personal data means any information related to an identifiable person, directly or indirectly, but not inclusive of deceased persons.

There are two types of personal data in the PDPA: General personal data (section 24) and sensitive data (section 26). General data must be collected from the data subject with its consent. Examples include addresses, telephone numbers, credit card information, etc.

Extraterritoriality. In the event that a data controller or a data processor is outside of Thailand, the PDPA covers the offering of goods or services to data subjects in Thailand, irrespective of whether the payment is made by the data subject and the monitoring of the data subject’s behaviour is done in Thailand.

Transfer of personal data to outside of Thailand. Pursuant to section 28 of the PDPA, in the event that the data controller sends or transfers the personal data to a foreign country, the data controller must comply with the rules on transfers as prescribed by the Personal Data Protection Committee (currently unspecified) and ensure that the destination country or international organization that receives such data has adequate data protection standards as determined by the committee (currently unspecified).

Covered uses of personal data. The PDPA provides a distinction between those who control personal data and those who provide personal data processing services to owners. Controllers’ and processors’ duties differ.

Section 37 of the PDPA provides the duties of the data controller, which include arranging security measures, arranging verification procedures, and providing notification of any violations of personal data to the Office of the Personal Data Protection Committee.

Section 40 of the PDPA provides the duties of a data processor, which include arranging security measures, notifying the data controller of any violations of personal data, and preparing and maintaining logs.

Legitimate grounds for processing. Pursuant to sections 24 and 27 of the PDPA, the data controller must not process personal data without the consent of the data subject, unless there is a lawful basis to do so on the following grounds: Research; vital interests; contract; public task/office authority; legitimate interest of the data controller (balanced with the rights of the data subject); and legal obligation.

Legitimate processing – types of personal data. The PDPA imposes more stringent rules for sensitive personal data. Pursuant to sections 26 and 27 of the PDPA, any processing of sensitive personal data is prohibited without the explicit consent (affirmed in a clear statement; not consent that is inferred from action) of the data subject. Exceptions include a lawful basis on the following grounds: Vital interests; legitimate activities; public data; legal claims; and legal obligations.

Minors. Pursuant to section 20 of the PDPA, the consent of those with parental responsibility over a minor is required if the minor’s act of giving consent is not an act in which the minor may be entitled to act alone, as prescribed by sections 22-24 of the Civil and Commercial Code. Such consent is also required in the case that the minor is below the age of 10.

Notification. Pursuant to section 23 of the PDPA, the controller shall inform the data subjects, prior to or at the time of the collection of personal data, of the following:

• The purpose of the collection of personal data (i.e., utilization or disclosure);
• Period of storage of personal data;
• The identity of the data controller (contact details);
• Reasons for the data subjects to disclose their personal data;
• Identification of the recipients to whom the personal data may be disclosed;
• Information that needs to be collected;
• Rights of data subjects; and
• Impact of not providing information.

Data accuracy. Pursuant to section 35 of the PDPA, the data controller must ensure that the personal data remains accurate, up to date, complete, and not misleading.

Amount and duration of data holding. There is no specific end date for retention, although the data controller has to put in place an examination system for erasure or destruction of personal data when the personal data is irrelevant or beyond the scope of the purpose for which it has been collected, pursuant to section 37(3) of the PDPA.

Finality principle. Under section 21 of the PDPA, the collection, use or disclosure of personal data shall not be conducted in a manner that is different from the purpose previously notified to the data subject unless the data subject has been informed of the new purpose, and consent has been obtained prior to the time of collection, use or disclosure.

Security obligations. Section 37 of the PDPA provides that the data controller shall provide and maintain appropriate security measures for preventing the unauthorized or unlawful loss, access to, use, alteration, correction or disclosure of personal data.

Notification of data breach. Section 37(4) of the PDPA requires the data controller to notify the Office of the Personal Data Protection Committee of any personal data breach within 72 hours of having become aware of it.

Data protection officer. The data controller or processor must also appoint a data protection officer (currently undefined in the act) if the activities of the data controller or processor require dealing with a large amount (currently unspecified) of personal data.

According to section 42 of the PDPA, the duties of a data protection officer include advising and verifying both the data controller’s and data processor’s compliance with the PDPA, as well as co-ordinating with the Office of the Personal Data Protection Committee where there are problems with respect to the collection, use or disclosure of personal data.

Record keeping. Section 39 states that the data controller shall maintain the following records: (1) the collected personal data; (2) the purpose of the collection of the personal data; (3) details of the data controller; (4) the retention period of the personal data; (5) rights and methods to access the personal data; (6) the use or disclosure of personal data exempted from the consent requirement; (7) the rejection of requests or objections; and (8) explanations of the appropriate security measures to prevent breaches of personal data.

Access. Pursuant to section 30 of the PDPA, the data subject is entitled to request access to and obtain copy of the personal data related to him or her, which is under the responsibility of the data controller. The request can be rejected only where it is permitted by law or pursuant to a court order.