As cross-border data flows become a vital part of business practices, countries look to amend or enact privacy laws that reflect the demands of a surging digitalized global economy. The Asia-Pacific region in particular has seen a tightening of its data protection regulatory environment that has led to major developments in the implementation and enforcement of privacy and data security laws. For example, in February 2017, Australia amended the Australia Privacy Act 1988 to include mandatory breach notification requirements that will require organizations to report an “eligible data breach” to the Office of the Australian Information Commissioner and notify affected customers immediately. Enforcement of these new amendments will occur in February 2018.
In May of 2017, Japan also amended its privacy law, the Personal Information Protection Act (PIPA), to change how companies handle personal information with respect to disclosures to third parties, international transfers, anonymously processed information and the collection and use of sensitive personal information. The amendments also created the Personal Information Protection Commission (PIPC), an independent authority charged with overseeing data protection compliance.
Although it has yet to enact a comprehensive data privacy law, in 2017 the Chinese government took steps to enforce privacy and data security provisions through its Cyber Security Law. China’s Cyber Security Law mandates that the collection and use of personal information must be expressly disclosed and based on the individual’s consent. Additionally, the law requires foreign companies conducting business in China to store data pertaining to Chinese citizens on servers within the country’s mainland. Companies that fail to comply with the law will face severe financial penalties, possibly including the loss of their ability to conduct business in mainland China.
Along with the enactment of new privacy laws and amendments, Asia-Pacific countries like the Philippines are taking major steps toward ensuring compliance with their privacy laws. For example, following the massive data breach by the Commission on Elections (COMELEC), the Philippines National Privacy Commission found that the COMELEC violated the Data Privacy Act and recommended the criminal prosecution of COMELEC Chairman J. Andres D. Bautista. The Data Privacy Act penalizes accessing sensitive personal information due to negligence, imposes imprisonment from three to six years as well as a fine of up to $80,000 and exposes public officers to disqualification from public office for double the term of imprisonment.
As Asia-Pacific countries increase implementation and enforcement of rigorous privacy laws, it is more important than ever that companies develop comprehensive privacy programs. Failure to create a comprehensive privacy program within the region can potentially result in harsh financial penalties, criminal prosecution, imprisonment and inability to do business within the country.
However, creating a comprehensive privacy program within the Asia-Pacific region can be very difficult because there is no singular and “united” Asia. Each country within the region has its own culture, political agenda and level of economic development. As such, the privacy laws within each of these countries are very different and often inconsistent with one another.
Nevertheless, companies can create a privacy compliance strategy for the Asia-Pacific region’s data protection requirements by taking a regional approach. Although each country within the region has different specific requirements, the privacy laws all rely on the same six core principles: notice, choice, security, access and correction, data integrity and data retention.
First, all laws in Asia require some type of notice obligation that allows individuals to know what personal information is being collected. Second, all laws have a type of consent requirement, although the level of consent varies from country to country. Third, security is a major concern for all Asian countries, and all laws within the region require that companies take reasonable precautions to protect collected personal information. Some countries, such as South Korea, have more detailed rules than others regarding data security standards. Fourth, every privacy law within the region has some element of access and correction that allows individuals to access and correct collected information. However, many Asian countries do not have specific timeframes by which they must respond to access and correction requests. Fifth, all privacy laws emphasize the importance of data integrity and require that organizations that collect personal information ensure their records are accurate, complete and kept up to date for the purposes for which the information will be used. Sixth, all laws in Asia generally have data retention requirements that require personal information be stored only for the time period required to achieve the purpose of the processing.
Additionally, it is important that companies be aware of developing political agendas and economic policies affecting privacy laws within the different Asia-Pacific countries. Some companies are keeping abreast of the changing landscape of Asia-Pacific privacy laws by hiring local experts. For example, many technology companies have expanded into the Asia-Pacific region by investing in lobbyists, consultants, lawyers and policy experts to help them better understand and serve the region. Finally, since privacy laws are changing at such a rapid pace within the region, it is important that a company’s data privacy policies be regularly reviewed by management and stakeholders in order to ensure continued compliance.
In the past several years, there have been major developments in the Asia-Pacific region with regard to privacy and security laws. As the flow of cross-border information continues to grow, we can expect to see many more changes to privacy laws in the Asia-Pacific region.
About the Author
Nida Hasan is a privacy consultant at Aleada Consulting, where she advises clients on privacy, data protection and information security issues. Nida believes in the importance of utilizing the power of law and technology to manage privacy and data protection risk while creating business value.
Nida holds a J.D. from Chapman University, Dale E. Fowler School of Law, and a B.A. in psychology from the University of California Los Angeles.