Along with the exponential economic development of many APAC countries, a surge of new or updated data protection laws has emerged. This is driven by a need to make it easier to do business internationally and facilitate trade. The patchwork of data protection laws made privacy compliance in the region difficult. Over the past two years, no fewer than 9 countries have completed or started the process of updating their data protection laws. These new laws are often based on common principles, such as those in the OECD guidelines, APEC Privacy Framework, and the GDPR. In this week’s column, ESOMAR’s Professional Standards team provides a short overview of the developments in data privacy laws for the APAC region.
The recent data protection developments in the APAC region can be put into four categories:
- countries which introduced a sectoral privacy law
- countries seeking to expand the scope of a sectoral data protection law
- countries updating their pre-existing, general data protection acts
- countries in the process of introducing a data protection act
In the first category we find Bhutan, whose “Information, Communications and Media Act” came into force in 2018. The Act gives Bhutan a minimal data privacy law, but its coverage regarding privacy remains extremely limited. The law covers almost all uses of electronic information and enables the creation of an Infocomm and Media Authority, a partly-independent body with limited authority. Under the Act, the Authority is able to investigate and resolve complaints. The Act also covers offences and compensation in such cases.
India and Indonesia fall into the second category: they both have previously introduced an Act focusing specifically on protecting data in the information technology and/or communication field and are now aiming to turn this initiative into an industry-wide regulation.
The Indian Personal Data Bill was introduced following a landmark ruling on privacy by the Indian Supreme Court, which declared that privacy is an intrinsic part of Article 21 of the Constitution, which protects life and personal liberty. Among other things, the Indian Bill would allow for the creation of an independent regulatory body and heavy penalties in cases of violation. Furthermore, it would apply to both private and government entities in India. Finally, it introduces a data localization requirement, where data will have to be stored on servers located within the country, and provides clarifications on the topic of data ownership. Considering the size of the Indian market research industry, this is an important bill to look out for.
The Indonesian Personal Data Protection Bill draws a lot of its features from the GDPR. It widens the scope of sensitive information to include location data from phones and political views and introduces obligations for data controllers and processors. The Bill does not provide for a general data protection authority, but rather each ministry would remain in charge of data protection matters for its own sector.
Kazakhstan, Kyrgyzstan, New Zealand and South Korea are part of the third category: they have taken, or are in the process of taking, steps to amend a pre-existing privacy law.
The Kazakh law was updated to add a localization requirement: data operators now have to store personal data on the territory of the Kazakh Republic, although it is not clear to whom this rule applies. Regardless, no further restrictions on cross-border transfer of personal data are introduced.
In New Zealand, a bill amending the 1993 Privacy Act was introduced in March 2018 and, as this is being written, is undergoing a second reading in Parliament. It is predicted to be passed in 2019/2020. One of the main changes is to give the Act an extraterritorial scope. The bill will provide for the Act to apply to overseas agencies doing business in New Zealand, and also to an individual “not ordinarily resident in New Zealand, who is present in New Zealand, in relation to any action they take, and information they collect, while in New Zealand, regardless of where the information is held or where the relevant individual is located”.
As for South Korea, a bill was introduced in 2018 and is currently under review to amend the 2011 Personal Information Protection Act (PIPA), the original goal of which was to expand on other Acts related to the topic. This bill was part of a series of reforms amending not only the PIPA but also the Network Act, the Location Information Act and the Credit Information Act, thus creating a single law covering data protection and privacy. The bill introduces the concept of “pseudonymized data”, expands on the permissible purposes for personal data processing, and permits the combination of data sets. Furthermore, it provides more enforcement powers for the Personal Information Protection Committee.
Finally, Kyrgyzstan’s 2017 amendment to the Law on Personal Information provided well needed and important legislation related to electronic commerce. It was drafted with a view to better protection for data subjects and enhances security measures related to the protection of data stored electronically. Furthermore, data holders will now have to account for third-party transfers and register these transfers with the relevant state authorities. The bill also includes the creation of a supervisory authority, although not much information has been given as to when and how this authority is expected to emerge.
In the fourth category, countries in the process of introducing a data protection act, we find Thailand and Pakistan.
The Thai Personal Data Protection Act was approved earlier this year by the government and was passed into law. It provides one transitional year for companies and organizations processing personal data to take the necessary measures to become compliant. The law has extraterritorial applicability, covers all personal data and allows both for penalties and for lawsuits in case of a personal data breach. It also gives people the right to request access to their personal information and, where the data controller is not complying with the Act, to have their data deleted, destroyed or anonymized.
The Pakistan Data Protection Bill has been drafted to provide individuals with rights similar to those they could have under the GDPR, i.e. giving consent, security requirements, the right of access, correction and erasure of one’s personal data, etc. It provides for the creation of an enforcement body, the National Commission for Personal Data Protection, which will be able to receive and decide complaints from individuals, as well as support data processors and controllers in complying with the Act.
For a more exhaustive description or clarification of any of the aforementioned legislation, our data protection officers will be happy to answer all of your questions through our ESOMAR Plus service, an exclusive consultancy package tailored to help with your compliance needs.