Between new legislation and high-profile breach cases, data privacy has stayed steadily in the headlines worldwide. Across Asia too, the impact of a greater emphasis on data privacy is clearly visible.

In Malaysia, a significant data leak in September that exposed medical patients’ personal data triggered an outcry for political action to plug digital security holes, with many calling for legal ramifications. At the same time, India’s government requested Facebook to decrypt private messages on its network, during a court hearing on social media and privacy rights.

Asian jurisdictions are getting increasingly serious about data privacy, both in enacting legislation and in enforcing those laws. This year, Thailand published its Personal Data Protection Act (PDPA), which will place far more stringent requirements around personal data and breach notification, to be enforced as of May 2020. Over in South Korea, the government revised its data collection laws targeting children, requiring consent by legal guardians on behalf of children under 14. According to Korea’s national regulator for broadcasting and communication services, this will come into effect next year.

Going into the new year, lawyers across APAC are guiding firms through the latest compliance measures to ensure they don’t become a high-profile breach case themselves, but many of the new rules are complex, they say.

CHINA

With a population of 1.4 billion and 803 million online citizens, according to the China Internet Network Information Center, data privacy has become a critical focus for the Beijing government. In recent years China has overhauled and strengthened its personal data regulations, but the prioritisation of data privacy started even before GDPR came into force. In 2017 China’s Cybersecurity Law took effect, banning the online collection and sale of personal information unless user consent was explicitly given. More recent provisions have added further muscle to the requirements, outlining onsite procedures in the case of inspection and further details about compliance measures. Even more updates are expected in the future.

Yao Rao, of HHP Attorneys-At-Law, a Meritas member firm, tells Asian Legal Business that the civil right to protection of personal information being written into law and the introduction of significant laws and regulations – including the Cybersecurity Law – have been among China’s recent significant developments in this arena. Additionally, “a large number of national standards on information security technology have been issued,” says Rao.

Conglomerates operating in the market have also taken notice of the latest developments, with many clients asking about cross-border data restrictions and the latest legal developments.

“How has the Cybersecurity Law impacted the labour management of a company? How should the privacy policy be amended to adapt to the latest data privacy legislation? Does EU GDPR apply to Chinese subsidiaries of multinational corporations? What is the difference between the Cybersecurity Law and the EU GDPR?” are also common concerns, Rao adds.

But while there may be some uncertainty around the various updates, especially as many are still very fresh, firms in the market have sought legal support.

“Companies have become active in seeking advice and support from external legal counsel specialised in personal information protection laws, as well as conducting information security compliance self-assessment and improvement internally and externally,” Rao says.

Firms have already undertaken work to ensure they “comply with the personal information protection laws, including building servers in China for their multinational business or OA systems in order to prepare for the coming restriction or even prohibition on cross-border transfer of personal information,” says Rao.

THE PHILIPPINES

In the Philippines, the National Privacy Commission (NPC) has strongly pushed for change in the way data is processed, giving it something of an “aggressive” reputation in the market. Last month the NPC banned 26 online lenders due to improper use and processing of personal data. The same month the commission summoned 67 online lenders after data privacy complaints.

“The NPC is very pro-active and aggressive in disseminating to the public information on the importance of data privacy – from ramped up awareness campaigns on the rights of data subjects to holding industry-specific symposiums and focused group discussions on the obligations of data controllers and processors and consequences of violations of data privacy rights,” say John Paul M Gaba and Leland R. Villadolid of ACCRALAW, also a Meritas member firm.

“Moreover, the NPC has been aggressive in asserting its primary jurisdiction, sometimes even going against the primary regulator of the targeted specific industry. For instance, in data security breaches involving banks and non-bank financial institutions, sometimes there are differences in opinion on how to handle data breaches between the Bangko Sentral ng Pilipinas (the country’s central monetary authority) and the NPC. Through its pro-active awareness campaigns, the NPC has even investigated government and independent constitutional bodies such as the Commission on Elections for an incident that involved massive voter information leakage,” they add.

But it’s not all just about chasing those who fall short. The primary focus of the NPC over the past couple of years, Gaba and Villadolid say, has been to establish “a more stable and responsive system in terms of handling the registration requirements (registration of Data Protection Officer and data processing systems registration) and complaints being filed with the NPC for alleged data privacy violations”.

While clients are still seeking to understand how to assess data breaches that require 72-hour notice to the NPC and the affected data subjects, and how to navigate the rules of procedure in administrative cases filed before the commission, ACCRALAW says there has been “an earnest effort” by public and private stakeholders to meet the standards and be fully compliant with the Philippine Data Privacy Act.

But at the same time, for lawyers there are also many complex considerations to take into account. “Integration and/or coordination within the company’s in-house legal team, IT team, and Data Protection Officer (DPO) in monitoring compliance with data privacy and security as well as reaction to and procedures to be implemented in the event of a data breach event,” are among these challenges, they say.

SINGAPORE

The city-state, perhaps the most vocal in the region about preparing for the impact of a digitised economy, has pushed forward with measures designed to encourage legal technology innovation, while at the same time updating its data privacy requirements.

In September, the Singapore Personal Data Protection Commission issued guidance on privacy disclosures, clarifying notification requirements among other details. In the following month, 500 data protection officers will be trained to monitor their organisations’ personal data policies and practices and to spot potential storage risks, The Straits Times reports.

In Singapore, awareness is clearly growing – in part thanks to the doom and gloom media stories that highlight the impact of falling foul of regulators. Such stories have served to bring “greater attention to data protection as a source of corporate liability and risk and has encouraged more organisations to add to and formalise their data protection practices,” says Jeffrey Lim of Joyce A Tan & Partners, a member firm of Meritas.

“The impact is hard to measure empirically without a survey, but requesting data protection advice and guidance is a very commonplace discussion now among many organisations in Singapore,” he adds. Over the past few years, Lim has noticed an uptick in enforcement action and penalties, the issuance of enforcement guidelines, and privacy by design.

Today, top questions from clients include how Singapore’s law compares against GDPR requirements, how active authorities are on enforcement, legal requirement overlaps, and compliance. Clients are also curious to know “what critical steps are needed to modify global/regional compliance programs to meet Singapore law criteria,” says Lim.

And clients aren’t just asking for curiosity’s sake: responsible organisations are ensuring they meet these new requirements. “Conducting data protection impact assessments, establishing processes and mechanisms to operationalise and refresh compliance efforts, and establishing and empowering a data protection officer for the organisation” are the top three steps that firms typically undertake to ensure they are compliant, Lim notes.

But while firms grapple to get up to speed and seek legal advice, further changes are expected in the future. “In the long term, there may be reforms concerning how Singapore’s open economy might deal with cross border data flows and differing data protection/privacy standards. Additionally, Singapore is leading the way in developing a practical approach to the data protection work in artificial intelligence through its published model framework,” says Lim.



The U.S. Perspective: Data-Privacy Compliance Timeline Is 'Yesterday'

By Todd Ehret, Senior Regulatory Intelligence Expert, Thomson Reuters Regulatory Intelligence

The regulatory and legal landscape surrounding the use of data, and data privacy, is rapidly becoming more complex. As state and even city regulations and laws are retooled, proposed or enacted, a proverbial patchwork of regulations is becoming at best a headache and at worst a legal and regulatory minefield for compliance and legal departments.

Cynthia Cole, special counsel in the Palo Alto technology practice at law firm Baker Botts, warned in an interview with Regulatory Intelligence that the timeline for compliance with the new data privacy laws is “yesterday” and there are basic principles firms must be undertaking to be prepared for the onslaught of new regulations.

U.S. companies trying to manage regulations and guidance on data protection and cybersecurity from multiple jurisdictions met an enormous challenge last year when strict new EU rules governing the use of personal information took effect. The European Union's General Data Protection Regulation laid the groundwork for others to follow in passing their own versions of stricter data privacy laws.

“GDPR was pretty well written, and mapping, segregation, and planning efforts in preparation by firms was largely successful and beneficial,” Cole told Regulatory Intelligence. However, she said, “even now a year later, most companies are still nowhere near compliant.”

GDPR is designed to protect the privacy rights of EU individuals but applies to all companies processing or controlling the personal information of EU residents, regardless of where those firms are located. The regulation took effect May 25, 2018.

The regulation was created with a deliberate global reach and set a new level of obligations and expectations regarding data protection, security, and management. It was also more restrictive than its predecessor — the EU’s 1995 Data Protection Directive — and any U.S. or state laws.

GDPR applies to all online interactions with EU citizens no matter where in the world the business is taking place. It includes enhanced requirements regarding consent to use, and a “right to be forgotten” — or removed from the record — which is one of the more problematic challenges from a U.S. perspective.

Preparing for GDPR came with myriad implications for U.S. firms. A key principle of the regulation is that the ownership of personal data is deemed to remain with the individual and not with the data controllers or processors. This is a distinctly different legal view and approach from the United States, where there are countless businesses whose commercial models are based on the use and sale of data. This presents unique challenges for U.S. companies and U.S. regulators or lawmakers.

ENFORCEMENT AND PENALTIES

The enforcement powers associated with GDPR are significant. Fines for violations can reach up to 20 million euro or 4 percent of a firm’s global annual revenue, per violation, whichever is larger.

With the potential for such stiff penalties, there was great concern about heavy-handed enforcement from data protection authorities in the EU. However, the penalties imposed so far under GDPR have been low, totaling approximately 56 million euro for the first nine months.

The biggest penalty — 50 million euro — was issued by the French Data Protection Authority (CNIL) in January against Google. The fine was related to a “lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.”

A new risk emerging from GDPR is private litigation. Under GDPR, individuals are able to claim for “material or non-material damage” suffered as a result of a breach of the regulation.

Cole noted that all of the preparation efforts by companies, service providers and technology departments, particularly those related to mapping and inventory of data leading up to the implementation of GDPR and other laws, could be open to legal review. It is likely that “none of it will be privileged, therefore all of that is discoverable and will be an enormous cost in future litigation,” she said.

A LIST OF ‘TO DO ITEMS’

  • As with any significant regulatory change, planning and preparation are essential. Firms should start by evaluating their current data protection systems, identifying what personal data they hold, and taking a cross-functional approach by bringing together their legal, compliance, and IT teams to develop a detailed implementation plan.
  • Firms should consider how much data is high risk and is subject to the GDPR or other applicable law or regulation. This includes data managed by third parties. They need to determine which data is deemed to be controlled or processed.
  • Firms should also create a process to verify and determine access rights internally, and a process to address access requests.
  • Firms should review data mapping performed thus far in preparation for GDPR and check it against other laws.
  • A review of all vendor agreements and contracts, from both the vendor and the customer side, must be undertaken by legal counsel to determine whether they fall under the service provider exceptions.
  • Firms should devise a plan or process for responding to deletion or opt out requests.
  • All online privacy notices and customer consents must be reviewed and revised by counsel.
  • Businesses should be prepared to invest more in their data security capabilities, either by hiring additional staff or upgrading existing technology. In many cases, financial firms may need to appoint a data protection officer to liaise directly with regulators.
  • A good data protection program will include a framework where compliance and legal departments manage or oversee workflow with a strong accountability component, as there will be a need to evidence the privacy program to regulators.
  • A consideration of GDPR or other laws is now essential in developing a regulatory compliance framework for dealing with the vast amounts of personal data created and shared every day within a firm.
  • Firms should create a unified compliance regime that accommodates all regulatory obligations. Identifying gaps and overlap between regulations is critical.
  • Companies must be cognizant of the rapidly changing landscape when it comes to data privacy. Many do not understand the complexities of data and the potential for its misuse. Therefore, training and education on these new and evolving risks are critical.

This article was provided by Thomson Reuters Regulatory Intelligence. To read more, please visit http://bit.ly/TR-RegIntel.

To contact the editorial team, please email ALBEditor@thomsonreuters.com.