New Wave of Privacy Laws in the APAC Region
A privacy sea change is taking place in Asia. By the end of 2023, the number of privacy laws in the region is likely to have grown by as much as 25% since 2021. In the past year alone, several key jurisdictions, including China, Thailand, Indonesia, and Sri Lanka, have either adopted or begun implementing comprehensive privacy laws for the very first time. 2023 is likely to usher in two more significant players, India and Vietnam. At the same time, jurisdictions with mature privacy regimes, such as Australia, Japan, Korea, New Zealand, and Singapore, continue to amend their laws to align them more closely with European privacy rules.
Increasingly, jurisdictions in this region are expanding the scope of their laws to include extraterritorial provisions and to require breach notification and the appointment of data privacy officers. In addition, while concerns about growing data localization rules remain, such rules are not expected to expand beyond those already in place in China, Kazakhstan, Uzbekistan, and Vietnam. In particular, the absence of data localization requirements in the Indian government’s most recent legislative proposal is encouraging.
It is important to note that while these laws share core data privacy principles and obligations, the specific rules vary widely, particularly with respect to the permissible legal bases for processing and for transferring personal information cross-border, the timeframes for notifying authorities and/or individuals about data breaches, and the deadlines for responding to individual rights requests. This lack of uniformity makes it difficult to generalize about the laws in this region, particularly as compared to those in Europe, and these differences should be taken into account when developing global or regional privacy compliance programs.
This alert identifies possible new laws and regulations in the coming year and discusses the new laws enacted and the tweaks made to existing laws in 2022.
After years of unsuccessful attempts to enact comprehensive privacy legislation, India finally appears poised to do so this year. In the next session of Parliament, the Indian government is expected to introduce its Digital Personal Data Protection Bill (the “Bill”), a significantly scaled-back and less prescriptive proposal than the bill introduced in 2019. Noteworthy changes include the absence of any data localization requirements and the reduction in obligations imposed on “Significant Data Fiduciaries” (controllers that process large amounts of personal data and have large revenue streams). The Bill’s framework approach, focusing on core privacy requirements found in virtually all privacy laws around the world, should make enactment an easier lift this time around. However, the Bill requires the issuance of implementing rules, so it is possible that the obligations currently set forth in the Bill may eventually become more prescriptive.
If enacted in its current form, the legislation would add to the growing number of privacy laws in the region that apply extraterritorially to processing outside their jurisdiction where such processing is in connection with any profiling of, or offering goods or services to, individuals within the jurisdiction.
The Vietnamese government is currently working to finalize a Decree on Personal Data Protection. The government was reported to have approved the text in early 2022, but the decree, which was expected to be formally issued in May 2022, has not yet been released, so it is unclear whether the text has been modified since the second draft was released in the fall of 2021. The decree is expected to serve as the basis for a comprehensive data protection law, which the Ministry of Public Security (MPS) is responsible for drafting in coordination with the Ministry of Justice. In the interim, basic privacy rules apply under the Cyber Information Security Law enacted in 2015.
Vietnam is one of the four jurisdictions in the region with data localization rules. Last year, the government clarified that the data localization requirements of the Cybersecurity Law, No. 24/2018/QH14, apply to Vietnamese-domiciled entities that (i) are service providers in the telecommunications network or internet, or provide value-added services in cyberspace, and (ii) process personal data of Vietnam users, data about the relationships of users in Vietnam, or data created by users in Vietnam. In contrast, these data localization requirements apply to foreign (offshore) companies only in nine specified sectors and only where (i) they have been notified by MPS that the services they provide have been used to violate the Cybersecurity Law and, as a result, must cooperate with MPS to remedy the situation, and (ii) they fail to take preventive measures or resist, obstruct, or ignore requests from the relevant authorities. Sectors identified in Cybersecurity Decree No. 53/2022/ND-CP (“Decree 53”) include telecommunications, ecommerce, online payment, cloud storage and sharing, and social media.
In 2022, the Indonesian Parliament passed the Personal Data Protection Act (the “Act”), the first comprehensive data protection law in Indonesia. The Act includes provisions setting forth the legal bases for processing personal data and requirements for data protection impact assessments (DPIAs), security breach notification, and the appointment of a data protection officer (DPO), and it establishes criminal and administrative penalties for violations of the Act. The Act became effective on October 17, 2022; organizations have two years from that date to come into compliance with its requirements.
The Ministry of Communication and Informatics (“Kominfo”) is currently preparing 10 implementing regulations that will address issues such as:
In early 2022, Sri Lanka became the first country in South Asia to enact comprehensive data privacy legislation. The Personal Data Protection Act No. 9 of 2022 (the “Act”), which became effective March 19, 2022, applies to processing that takes place within Sri Lanka as well as extraterritorially to controllers or processors that offer goods and services to individuals in Sri Lanka and/or monitor their behavior in Sri Lanka. In keeping with the majority of laws in the region, the Act limits transfers to countries that provide adequate protection unless the recipient in the third country undertakes binding and enforceable commitments to protect the data in accordance with the Act. Consent or another legal basis is required to process personal data, such as where the processing is necessary for the performance of a contract to which the individual is a party, compliance with a legal obligation, or the legitimate interests pursued by the controller or by a third party. It also requires the establishment of a data protection management program, the appointment of a DPO, data breach notification, and data protection impact assessments.
The Act does contain data localization requirements, but such requirements apply only to public authorities. In November 2022, when the Sri Lankan president first announced his 2023 budget, he noted that the creation of an independent data protection authority (DPA) was a top government priority; however, given the country’s current financial crisis, it is unclear the extent to which austerity measures adopted in December 2022 may impact the DPA’s creation and budget.
Since the enactment of the Personal Information Protection Law (PIPL) in 2021, Chinese authorities have been working to develop the necessary measures to implement PIPL’s provisions, such as those pertaining to cross-border transfers and data breach notification.
Cross-Border Transfers. To transfer personal information to a party outside of China, a “personal information handler” (broadly akin to a “controller” under the European General Data Protection Regulation or “GDPR”) is required by PIPL to satisfy one of the following conditions:
Security Assessments. In mid-2022, Chinese authorities finalized the implementing rules for security assessments: the Data Export Security Assessment Measures (the “Measures”) and the related Guide to Applications for Data Export Security Assessment (First Edition) (the “Guide”), which went into effect on September 1, 2022. A security assessment by the Cyberspace Administration of China (CAC) is mandatory for the following transfers:
The Guide provides a list of the application documents and templates, such as an application form for cross-border data transfer security assessment and a self-assessment report for cross-border data transfers. Security assessments are valid for two years; however, a new assessment is required if the terms of the transfer change.
Contractual Clauses. Controllers may rely on standard contractual clauses to transfer personal information cross-border where a CAC security assessment is not required. In June 2022, CAC published draft Provisions on the Standard Contract for the Cross-Border Transfer of Personal Information (the “draft Provisions”), which included a draft form of standard contract. As of this writing, however, CAC has not yet issued its standard contract in final form, although it is expected to do so in early 2023.
According to the draft Provisions, a controller relying on this mechanism would be required to file a copy of the executed standard contract, together with a self-administered personal information protection impact assessment (PIA) report, with the provincial counterpart of CAC within 10 working days after the contract comes into effect. Completing this filing step would not be a pre-condition for the transfer.
Certification. In December 2022, the National Information Security Standardization Technical Committee (“TC260”) published in final form version 2.0 of the Specifications for Security Certification of the Cross-Border Handling of Personal Information (the “Specifications”). The initial version 1.0 of the Specifications had limited certification to intra-group data transfers and to processing of personal information outside of China by a foreign controller subject to PIPL. Version 2.0 of the Specifications no longer states that limitation, but it remains unclear whether certification is a viable mechanism for other export scenarios, such as an export of personal information to an offshore vendor. The Specifications are recommended rather than mandatory.
According to the Specifications, the controller exporting the personal information and the overseas recipient must enter into a legally binding and enforceable contract for cross-border transfers. The contract must specify, among other things, that the overseas recipient commits to accept supervision (i.e., inspections and responding to inquiries) by the certification institution concerning the cross-border processing activities and accepts the application of the relevant Chinese laws and regulations on personal information protection. In addition, the parties must designate one or more legal entities in China to bear legal liability where the overseas recipient harms individuals’ data protection rights and interests.
Security Breach Notification. Under PIPL, controllers must take immediate remedial measures and notify the CAC and affected individuals when a breach, falsification, or loss of personal information occurs. However, where the measures taken by the controller can effectively avoid the harm caused by the breach, falsification, or loss, notice to individuals is not required. That said, the CAC has the right to require a controller to notify affected individuals if it believes that the breach may result in harm to the individuals.
In late December 2021, the CAC concluded a public consultation on its draft Administrative Regulations on the Security of Network Data, the basis for its implementing breach notification rules. The draft Regulations propose that notice to the authorities is required only if the breached data contain “important data” or the breach involves the personal information of more than 100,000 individuals. Where such a breach occurs, a report with basic information on the breach, including the quantity and type of data involved, the possible impact, and the measures taken or planned in response, must be provided to the municipal counterpart of the CAC and the relevant sectoral authorities within eight hours of the breach occurring. In addition, within five working days after the breach has been addressed, an investigation and assessment report must be provided addressing matters such as the cause of the breach, the resulting harm, the handling of liabilities, and the improvement measures taken.
In 2022, the Thai data protection authority (DPA) published a number of measures and standards to implement provisions of the country’s Personal Data Protection Act B.E. 2562 (PDPA), enforcement of which began on June 1, 2022 after a two-year delay. The DPA issued minimum security standards for controllers, internal record-keeping requirements for processors (the record-keeping requirements for controllers are already set forth in the PDPA), the criteria for issuing administrative fines, and the criteria and procedures for handling personal data breaches (the “Breach Criteria”), as well as related guidance containing examples of breaches for which notification is or is not required.
Similar to the EU approach, the DPA’s Breach Criteria group personal data breaches into three categories: confidentiality, integrity, and availability breaches. When informed of an actual or suspected personal data breach, a controller must investigate and conduct a risk assessment to determine whether the breach is likely to result in a risk, or a high risk, to individuals’ rights and freedoms. The DPA must be notified within 72 hours where there is a risk to individuals’ rights and freedoms, and affected individuals must also be notified without delay where there is a high risk to their rights and freedoms. Controllers must take necessary and appropriate action to contain or remedy the breach and prevent further consequences. Controllers must also include in their processing contracts a provision requiring processors to notify them within 72 hours of becoming aware of a personal data breach.
The DPA also issued guidelines on providing privacy notices and obtaining valid consent from individuals. It is currently working on measures that will set forth the requirements for the use of binding corporate rules and other cross-border transfer mechanisms including standard contractual clauses.
After three years, the review of Australia’s Privacy Act is now complete, and a final report has been provided to the country’s Attorney-General. The government is expected to issue its response to the report in the first half of 2023. The Attorney-General has stated publicly that he expects a “large scale reform of the Privacy Act” to occur in 2023.
Contemplated changes include: eliminating the employee records exemption; establishing a right to erasure and a direct right of action for individuals whose privacy rights have been violated; introducing standardized consents through a code that provides standardized layouts, wording, icons, or consent taxonomies; creating a mechanism to designate adequate countries; and issuing standard contractual clauses for international data transfers.
Alongside the review process, some Privacy Act amendments were enacted in late 2022 in response to several large data breaches, including a massive data breach in September 2022 that affected up to 10 million user accounts, or about 40% of Australia’s population. The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (the “Act”) increased the maximum penalty that can be applied under the Privacy Act 1988 for serious or repeated privacy breaches from the previous AUD 2.22 million to whichever is the greater of:
In addition, the Act expanded the regulatory powers of the Office of the Australian Information Commissioner, the data protection authority, with respect to requesting and sharing information and issuing infringement notices for non-compliance with information requests.
Separately, the Act also modified the threshold for “carrying on business in Australia” by removing the requirement that personal information be collected or held in Australia. This change was made to make clear that entities that collect personal information from Australians over digital platforms that do not have servers in Australia are covered.
Breach Notification. Under the PIPA Amendments and amended guidelines, the Personal Information Protection Commission (PIPC) must now be notified if a data breach meets the criteria established by the PIPC. Previously, businesses subject to regulatory oversight by the Financial Services Agency (FSA) were subject to mandatory reporting requirements to their supervising authority, while all other businesses were merely “expected” to notify the PIPC. Notification is required for breaches that involve or are likely to involve:
Where businesses have deployed advanced encryption measures to protect such information, notification to the PIPC will not be required.
Notice to affected individuals is also required promptly, taking the circumstances into account, but no fixed deadline is specified for this notice.
Cross-Border Transfers. For transfers to third countries that are not deemed to provide adequate protection, the PIPA Amendments impose new requirements. Specifically, where such transfers are made on the basis of consent, transferors must provide detailed information about the transfer before obtaining the individual’s consent. In addition, for all cross-border transfers of personal information and non-personal information to non-EEA countries, transferors must periodically confirm the transferee’s data handling measures and the existence and content of any personal data protection laws in the transferee’s country that may affect the implementation of those measures. The transferor must address any concerns it may have about the transferee’s security measures or, if it believes the transferee is not maintaining appropriate personal data handling measures, cease transfers to the transferee.
Cookies/Personal-Related Information. The PIPA Amendments introduce a new definition of “Personal-Related Information,” which refers to data relating to a living individual that, on their own, are not personal information, pseudonymized information, or anonymously processed information, but are likely to become personal information when combined with other data held by a transferee. Personal-Related Information includes browsing history collected by cookies, an email address that does not itself contain personal information, and location data. The PIPA Amendments require prior notice and opt-in consent before transferring Personal-Related Information where the transferor anticipates that the transferee will combine it with personal information sourced from elsewhere to assemble a new set of personal information.
In August 2022, Malaysia announced that it would be introducing amendments to the Malaysian Personal Data Protection Act 2010 (PDPA). Among other things, the amendments were expected to include an obligation for all controllers to appoint a data protection officer and a mandatory data breach notification obligation. These changes were announced after several recent high-profile data breaches in Malaysia and were expected to be presented to Parliament in October 2022. However, the amendments were never submitted to Parliament, and now that a new government is in place following the national elections in November, it is unclear whether the new government will proceed with the proposed PDPA amendments.
On October 1, 2022, enhanced financial penalties under the Singapore Personal Data Protection Act (PDPA), which were first introduced with the amendments to the PDPA in 2020, came into effect. The Personal Data Protection Commission (PDPC) can now impose financial penalties on organizations of up to SGD 1 million or 10% of an organization’s annual turnover in Singapore, whichever is higher, for PDPA violations. Previously, the PDPC could only impose financial penalties of up to SGD 1 million for PDPA violations.