As the somewhat chaotic year of 2020 draws to a close, the world of privacy has seen a rapid pace of regulatory action, with data protection laws increasingly being used to restrict cross-border data transfers.
In Europe, we are still awaiting the impact of the Schrems II decision in July, in which the EU’s Court of Justice applied the General Data Protection Regulation (GDPR) to invalidate a key data transfer mechanism, the EU-US Privacy Shield, for moving personal data from Europe to the United States. The Schrems II decision may also nudge European countries to start looking at jurisdictions with powerful surveillance authorities and to restrict transfers to those jurisdictions as well.
A number of countries in Asia saw rapid regulatory movement in 2020 to align national data protection legislation with the GDPR. Will we see similar Schrems II reasoning used there to restrict data transfers?
Vibrant Actions in Asia in 2020
Here are the 2020 developments in which Asian countries beefed up their data protection legislation or are considering a new bill in line with the GDPR.
- South Korea (January): Amendments were made to consolidate the legal protection and enforcement provisions for personal information from three different laws primarily into the Personal Information Protection Act. However, the amendment did not expand the legal basis for processing and transferring personal information beyond consent.
- Thailand (May): The Personal Data Protection Act, which adopts many concepts of the GDPR, was set to come into force in May 2020 but was delayed by a year due to the Covid-19 pandemic. The implementation regulations, anticipated in early 2021, are expected to address cross-border data transfer mechanisms.
- Japan (June): The Act on Protection of Personal Information was amended (expected to be implemented by early 2022) to prohibit the transfer of “personal-related data” (a concept similar to the GDPR’s pseudonymized data) to a third party except in some specific cases.
- Singapore (June, November): True to its pragmatic identity, the island nation updated its Personal Data Protection Act twice in 2020. In June, the Personal Data Protection Regulations were revised to recognize APEC’s Cross Border Privacy Rules (CBPR) System and Privacy Recognition for Processors (PRP) System certifications as an additional mechanism for transferring data outside of Singapore. In November, the Personal Data Protection (Amendment) Bill was passed by Parliament (expected to come into force in early 2021) to align more closely with the GDPR, with changes such as mandatory breach notification, a legitimate interests exception to consent, and a new right to data portability.
- Indonesia: The country is developing a draft Personal Data Protection Bill, having already put data localization requirements in place through various ministerial and sectoral regulations. The draft bill is modeled on the GDPR in many areas and prohibits the transfer of personal data outside of Indonesia except in some specific cases.
- India: The nation continues to consider its comprehensive Personal Data Protection Bill, which requires localization of critical data and copies of sensitive data in India.
More Restrictions Likely in 2021
Organizations in Asia were hoping that the equalizer to the increasing cross-border data transfer restrictions would be the Regional Comprehensive Economic Partnership (RCEP) Agreement signed in November 2020 between the 10 ASEAN member states, Australia, China, Japan, Korea and New Zealand. The RCEP Agreement commits member countries to support cross-border data flow and, logically, to eliminate local computing facilities requirements, promote privacy and consumer protection, and enhance cybersecurity protection. These commitments will no doubt build trust and consumer confidence in online services.
However, the commitment on cross-border data flow and the prohibition against local computing facilities do not apply to a “financial institution” or a “public entity,” nor do they apply to localization measures implemented for national security or other legitimate public policy reasons.
Against this landscape, we can expect more restrictions in 2021.
Can Data Sovereignty Be Achieved Without Data Localization?
There is no easy way to change the narrative that data localization equates to security. For policymakers in Asian jurisdictions, the concerns are not only about personal data protection and access restrictions, but more so about preserving timely government access to data for regulatory supervision and law enforcement purposes. For starters, the discussion needs to shift: the location of the data is not as important as the owner of the data having sole control over access to their data, for example, via encryption keys that can reside only in the customer’s home jurisdiction.
Then again, adopting a pragmatic approach similar to Singapore’s – one that reflects the development of technology while promoting digital trade – might be the way to go!