Data Privacy Laws in APAC: What You Need to Know


The importance of data privacy is growing across the Asia-Pacific region, as people are increasingly immersed in a digital world. From social media to ride-hailing to food delivery and mobile banking, digital is changing the way people live. Smart city initiatives are aiming to improve citizen safety, fuel economic growth and enhance quality of life.

The maturity of data privacy laws varies greatly across the region, and for a multinational organization, compliance means understanding the requirements of different countries and cultures. As countries reform their existing laws or create new data privacy laws, we’re increasingly seeing lawmakers and data protection authorities across APAC look to the European Union General Data Protection Regulation (GDPR).

Let’s take a look at data privacy laws across the region.

Australia
Australia regulates data privacy and protection through a mix of federal, state and territory laws. Most recently, the Notifiable Data Breaches scheme was introduced in February 2018. It aims to strengthen protections for personal information, thereby building trust with consumers. The scheme applies to all Australian government agencies, businesses and nonprofit organizations with annual turnover of $3 million or more, private-sector health service providers, as well as small businesses that trade in personal information.

If a breach is likely to result in “serious harm,” the organization must notify the affected individuals and the Office of the Australian Information Commissioner (OAIC). Serious harm can include psychological, emotional, physical, reputational or other harm. An organization must conduct an assessment within 30 days if a breach is suspected, and the notification must be made as soon as practical.

The OAIC was notified of 812 data breaches in the first year, an average of 67 breaches a month.

Japan
Japan’s Act on the Protection of Personal Information (APPI) is one of the earliest privacy laws in the region, enacted in 2003. In 2017, Japan issued an extensive amendment that reflects the global trend toward increased data privacy.

APPI applies to the processing of personal information for business purposes, and prior to the 2017 amendment, businesses could transfer personal data to third parties without requiring explicit consent from the individuals. The new amendment requires Japanese companies to receive approval from Japan’s Personal Information Protection Committee before using opt-out arrangements, and once approved, the data must be made anonymous before being transferred to a third party.

The Japanese government and the European Commission have been working together on data privacy to create operational efficiency for global business. As of January 2019, they have formalized a framework for the mutual and smooth transfer of personal data between Japan and the EU.

Misusing personal information for unlawful gain is punishable by imprisonment for at least a year and/or a fine of 500,000 yen. Breach notifications are not mandatory, although businesses are expected to notify Japan’s central data protection authority, the Personal Information Protection Commission, if a breach occurs.

China
The China Internet Security Law aims to increase cybersecurity and national security. The law is applicable to network operators and businesses in critical sectors, such as telecom, information services, energy, transport, water, financial services, public services and digital government services.

In practice, the law is applicable to almost all businesses in China that manage their own email or data networks. Network operators are expected to clarify cybersecurity responsibilities in their organization, safeguard network operations, prevent data leaks and theft, and report any cybersecurity incidents to the users as well as the relevant government department for that sector. The law also provides regulations and definitions on legal liability, including punishments.

New provisions added in November 2018 have been controversial. The provisions give state agencies the legal authority to conduct inspections of the network security of companies operating in China—without informing the companies. The Ministry of Public Security can check for prohibited content that’s banned inside China’s borders. It can perform penetration testing on any Internet-related business operating in China. It can copy and share any user information that government officials find on inspected systems.

Under the law, foreign businesses must store their data on Chinese-regulated local servers and cooperate with Chinese national security agencies if asked, which could potentially compromise business secrets and sensitive information and exclude foreign products from the market.

Hong Kong
Hong Kong is a leader in the region for data privacy, with one of the region’s best developed data protection laws. The Personal Data (Privacy) Ordinance was established in 1995, and it protects individuals in relation to their personal data. Personal data is widely defined: it is any data that directly or indirectly relates to a living person. The law applies to any organization that controls, processes or holds personal data in or from Hong Kong. Data breach notification is voluntary.

Singapore
Singapore signed its Cybersecurity Bill into law in February 2018, and it provides a framework for data privacy for information infrastructure providers. Singapore’s Personal Data Protection Commission (PDPC) is also considering adding a mandatory breach notification requirement as well as relaxing the consent requirements on data controllers.

South Korea
South Korea is one of the toughest jurisdictions on data protection and privacy compliance in the world. The Personal Information Protection Act provides the overarching guidance and is supplemented by sector-specific laws.

In 2016, the penalties for data breaches were increased. Telecom and online service providers are liable for punitive damages, forfeiture of profits resulting from a breach, or a fine of up to 3% of revenue if the breach involves a prohibited overseas transfer. Senior officers of a company are also held accountable and could be personally exposed to penalties.

The Philippines
The Philippines National Privacy Commission has also set a high bar for data protection, with rules and regulations that went into effect in September 2016. The law requires consent, accompanied by data subject disclosures, for any private-sector data sharing. Organizations must appoint a data protection officer or another person accountable for data privacy and security. When data processing is outsourced, the third party must use proper safeguards to protect personal data.

As with GDPR, the Philippines has a 72-hour data breach notification requirement, a data subject’s right to be informed of profiling and automated decision making, and a right to data portability.

Thailand
In February 2019, Thailand passed the Personal Data Protection Act, which offers protections similar to GDPR. The bill applies to any company that collects, uses or discloses citizens’ data, specifically if the information will be used for marketing or behavior monitoring. In addition, a new Cybersecurity Act gives the Thai National Cybersecurity Committee the power to summon citizens and enter private property without a court order in cases of actual or potential serious cyber-threats.

Malaysia
In Malaysia, the Personal Data Protection Act (PDPA) 2010, administered by the Department of Personal Data Protection, is meant to be the vanguard of protection for information collected about an individual. Notably, the PDPA 2010 only protects against the inappropriate use of personal data for commercial purposes. It also has severe gaps in data management and protection, as the PDPA has no provisions that specifically address online privacy, which covers data such as geolocation and cookies. The PDPA 2010 is not applicable if the personal data is processed outside of Malaysia.

India
India is moving closer toward having a data privacy law. The Personal Data Protection Bill, which was introduced in 2018, proposes a framework to protect individuals’ personal data and to create trust between people and the entities processing their personal data. The bill is likely to be introduced to Parliament in June 2019.

Compliance in a Global Business
Data protection requirements are growing, but the laws can seem like a patchwork of requirements. Greater consistency in data privacy and breach notification standards will strengthen data privacy around the world and fuel the growth of digital business.

The ability to quickly detect and stop data breaches is critical – not only to comply with 72-hour notification rules but also to protect an organization’s intellectual property, continued operations and customer trust.