Year in Review and What’s Ahead in Data Privacy in Asia

By Desarack Teso, CIPP-A, CIPP-E | December 17 2020, 10:30 PM SGT
Photo by Clay Banks on Unsplash

 

With year-end approaching for somewhat a chaotic year of 2020, in the world of privacy we have seen the rapid pace of regulatory actions this year and how data protection laws are increasingly being used to restrict cross-border data transfers.

In Europe, we are still awaiting the impact of the Schrems II decision in July where the EU’s Court of Justice applied the General Data Protection Regulation (GDPR) to invalidate a key data transfer mechanism, the EU-US Privacy Shield, for moving personal data from Europe to the United States. The Schrems II decision may also give a nudge to European countries to start looking at jurisdictions with powerful surveillance authorities and restrict transfers to those jurisdictions as well.

In a number of countries in Asia where 2020 saw rapid regulatory movements to align national data protection legislations with GDPR, will we see a similar Schrems II reasonings to restrict data transfers?

Vibrant Actions in Asia in 2020

Take a look at movements in 2020 where these Asian countries have beefed up their data protection legislations or are considering a new legislative bill in line with the GDPR.

  • South Korea (January): Amendments were made to consolidate the legal protection and enforcement provisions for personal information from three different legislations primarily into the Personal Information Protection Act. However, the amendment did not expand on the legal basis for processing and transferring of personal information beyond consent.
  • Thailand (May): The Personal Data Protection Act, which adopts many concepts of the GDPR, was set to come into force in May 2020 but was delayed by a year due to the Covid-19 pandemic. It is expected that the implementation regulations, expected to be issued in early 2021, will address cross-border data transfer mechanisms.
  • Japan (June): The Act on Protection of Personal Information was amended (expected to be implemented by early 2022) to prohibit the data transfer of “personal-related data” (similar concept as GDPR’s pseudonymized data) to a third party except in some specific cases.
  • Singapore (June, November): True to form to its pragmatism identity, the island nation updated its Personal Data Protection Act twice in 2020. In June, the Personal Data Protection Regulations were revised to recognize APEC’s Cross Border Privacy Rules (CBPR) System and the Privacy Recognition for Processors (PRP) System certification as an additional data transfer mechanism outside of Singapore. In November, the Personal Data Protection (Amendment) Bill was passed by Parliament (expected to come into force in early 2021) to align closer to GDPR such as mandatory breach notification, adding legitimate interests exception to consent, and new right to data portability.
  • Indonesia: It is developing a draft Personal Data Protection Bill as the country already put data localization requirements in place through various ministerial and sectoral regulations. The draft bill models after the GDPR on many areas, and prohibits the transfer of personal data outside of Indonesia except in some specific cases.
  • India: The nation continues to consider its comprehensive Personal Data Protection Bill, which requires localization of critical data and copies of sensitive data in India.

 

More Restrictions Likely in 2021  

Organizations in Asia were hoping that the equalizer to the increasing cross-border data transfer restrictions is the Regional Comprehensive Economic Partnership (RCEP) Agreement signed in November 2020 between the 10-ASEAN member states, Australia, China, Japan, Korea and New Zealand. The RCEP Agreement commits member countries to support cross-border data flow and logically eliminate local computing facilities requirements, promote privacy and consumer protection, and enhance cybersecurity protection. These commitments will no doubt build trust and consumer confidence in online services.

However, the commitment on cross-border data flow and prohibition against local computing facilities do not apply to a “financial institution” or a “public entity,” nor does it apply to localization measures implemented for national security or other legitimate public policy reasons.

Against this landscape, we can expect more restrictions will be forthcoming in 2021.

Can Data Sovereignty Be Achieved Without Data Localization?

There is no easy answer to change the discussion that data localization equates security. For policymakers in Asian jurisdictions, the concerns are not only about personal data protection and access restrictions, but more so about preserving timely government access to data for regulatory supervision and law enforcement purposes. For starters, there need to be a shift in discussion that the location of the data is not as important as the owner of the data having the sole control over access to their data, for example, via encryption keys which can only be resided in the customer’s home jurisdiction.

Then again, adopting a pragmatic approach similar to Singapore – that reflects the development of technology while promoting digital trade – might be the way to go!

Posted in

Related Articles

Dethroning the Dollar? Monetary Innovation and International Implications of China’s Digital RMB

By Brandon Chye | April 1, 2021, 11:30AM Photo by Carlos Muza on unsplash Continuing China’s monetary innovation Paper bills were first developed and printed en-masse in China during the 11th century, a major evolution complementing commodity-based payment instruments such as copper coins. This legacy still persists via the sovereign fiat banknotes that are used ubiquitously across different economies. […]

Things to Know Before Entering the Philippine Market

By Juan Carlos Eusebio| March 26, 2021, 12.00PM Photo by Alexes Gerard on unsplash The Philippines’ economy is considered one of the most dynamic economies in East Asia and the Pacific. In 2020, however, GDP contracted by an estimated 8.3% due to the outbreak of COVID-19. Nevertheless, according to the IMF’s October 2020 forecast, GDP […]

South Korea agonizes over the power of online platforms

By Somang Yang | March 18, 2021, 1:30PM Photo by Shawn Ang on unsplash As South Korea heads into an election year, there is no disagreement among the competing parties that the monopoly power of online platforms needs to be curbed. The only real source of debate is who will do the regulating, and how far […]