In this first issue in our Asia Data Protection Series, we give an overview of the key data protection and privacy laws of some of the important jurisdictions in Asia and set the backdrop for other topics we will cover in later issues.
Diverse Data Protection Regimes in Asia
Over the past two decades, personal data has become an increasingly valuable resource, serving as fuel for the meteoric rise of many of the largest companies and brands across the world. However, with the potential harm that misuse of such data can cause, many countries, including countries in Asia, have started to regulate the processing of personal data.
With countries taking diverse and varied approaches, the global data protection landscape is, unsurprisingly, extremely complex—especially in Asia. Unlike the EU, which has the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) in place to set the foundation and key principles of the data protection landscape in the European Economic Area, the data protection landscape in Asia is far more fragmented. In fact, there are close to 50 countries in the Asia region, each with different laws and legal systems.
Some of the key jurisdictions in the region, and their key laws governing data protection, include:
- The People’s Republic of China (PRC): Personal Information Protection Law (CN PIPL) (the PRC also has other data protection laws, including the Data Security Law and the Cybersecurity Law, which have a different focus from the CN PIPL)
- Hong Kong: Personal Data (Privacy) Ordinance (HK PDPO)
- Japan: Act on the Protection of Personal Information (JP APPI)
- Singapore: Personal Data Protection Act (SG PDPA)
- South Korea: Personal Information Protection Act (SK PIPA)
Although the broad aim of data protection regulations of countries in Asia may be similar to that under the GDPR (i.e., to regulate the processing and use of personal data), each jurisdiction’s data protection regime also possesses distinct characteristics based on that jurisdiction’s cultural, legal and economic circumstances; no consensus or uniform data protection standard exists across the region. For example, a country more focused on promoting innovation may have a more permissive data protection regime than does a country that values the privacy of individuals as a fundamental legal right.
Thus, while many Asian jurisdictions’ laws may borrow from concepts under the GDPR (such as consent, data subject access rights and protection), these concepts may be interpreted and applied differently in each country, leading to significant differences between the GDPR and laws in Asia.
An example of a difference between data protection concepts under the GDPR and laws in Asia
Under the GDPR, “consent” is defined as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
The definition of “consent” may not be as narrow in Asian jurisdictions, allowing for consent to be provided through appropriate actions on the part of the data subject. In certain jurisdictions, such as Singapore, consent may also be deemed to be given if certain conditions are met (e.g., deemed consent by notification).
Key features of data protection laws in Asia
Although each Asian jurisdiction has its own unique laws, they are generally still based on a set of common data protection principles. Some of these are:
- The scope and definition of personal data: Generally, most data protection laws in Asia focus on the protection of “personal data,” “personally identifiable information” or their equivalents. Although each jurisdiction has its own nuances in the definition of these terms, the key principle is that data protection laws by and large apply only to data that identifies, or can be used to identify, an individual. As a general rule, data that has been anonymized such that no individual can be identified falls outside these laws. Pseudonymized data should be treated with more care: where the organization (or anyone else) retains the means to re-link the data to an individual, that individual remains identifiable and the data generally remains personal data.
For example, under the CN PIPL, “personal information” (个人信息) is information that relates to identified or identifiable natural persons, while under the HK PDPO, “personal data” is data that relates directly or indirectly to a living individual and from which it is practicable for the identity of the individual to be directly or indirectly ascertained.
- Data Controllers and Data Processors: Most data protection laws in the region recognize equivalents to “data controllers” and “data processors” under the GDPR. Although each jurisdiction’s laws may use different terminology and have different scopes for these categories, there is nonetheless some consensus across jurisdictions regarding the differences between the categorizations. Data controllers (including their conceptual equivalents under each jurisdiction’s laws) are generally the entities that determine the purposes and means of processing personal data, while data processors (including their conceptual equivalents under each jurisdiction’s laws) are entities that process personal data on behalf of the data controller.
For example, under the CN PIPL, the term “personal information processor” (个人信息处理者) is generally equivalent to a data controller under the GDPR, while the term “entrusted party” (受托人) is generally equivalent to a data processor under the GDPR. Under the SG PDPA, however, the term “organization” includes both data controllers and data processors under the GDPR, while the term “data intermediary” is generally equivalent to a data processor under the GDPR.
- Data Protection Officers: Another common thread across a number of jurisdictions’ laws is the requirement to appoint a data protection officer (DPO) or equivalent. In general, the DPO is responsible for an entity’s compliance with the data protection laws of that country. However, the scope of this position, as well as its obligations and liabilities, differs across jurisdictions. For example, under the SK PIPA, a privacy officer must be designated by personal information controllers and must “comprehensively take[ ] charge of personal information processing.”
Additionally, certain jurisdictions impose personal liability on individuals in charge of data protection. For example, the CN PIPL requires certain personal information processors to designate a person in charge of personal information protection (个人信息保护负责人), and where the obligations under the PIPL are breached, the “directly responsible persons in charge and other directly responsible personnel” (直接负责的主管人员和其他直接责任人员), which can include that person, may be held personally liable. This includes potential financial penalties of between RMB 10,000 and RMB 100,000, or between RMB 100,000 and RMB 1,000,000 in the event that the breach of the obligations under the PIPL is considered “grave.”
- Enforcement options: A key commonality among jurisdictions in Asia is that there are numerous mechanisms that regulators may employ in order to procure and encourage compliance with data protection obligations and to impose penalties when these obligations are breached. Although the specifics may differ across jurisdictions, these include:
- Financial penalties and fines: Regulators may impose financial penalties or fines for noncompliance with obligations set out under data protection laws. The limit of these financial penalties and fines differs, and it is common to see financial penalties that have upper limits pegged to the revenue of an entity (e.g., under the CN PIPL, the maximum fine is RMB 50,000,000 or 5% of annual turnover of the preceding year).
- Ordering remedial actions: Regulators may be empowered to direct data controllers (or their equivalents) to take certain remedial actions to address an ongoing breach. For example, under the HK PDPO, the Privacy Commissioner for Personal Data (PCPD) may serve an enforcement notice specifying the steps that a data user must take to remedy and, if appropriate, prevent any recurrence of a contravention of the HK PDPO.
- Suspension of business: In certain jurisdictions, regulators may also be empowered to issue an order of suspension of business. The key example here is the CN PIPL, under which the regulator may order the suspension of the business or operation for rectification, and notify the other appropriate authorities in charge for the cancellation of any business permits or licenses.
- Undertakings: In select jurisdictions, regulators are also empowered to accept undertakings from data controllers that are allegedly in breach of their obligations under the law. The key example here is the SG PDPA, under which the regulator in Singapore is empowered to accept undertakings from organizations that have potentially contravened the SG PDPA that set out a remediation plan addressing any systemic shortcomings within the organization to ensure compliance with the SG PDPA on a continual basis.
We will be covering some of these key features in greater detail in future installments of the Asia Data Protection Series.
Extraterritorial jurisdiction of laws
One point that bears special note is the extraterritoriality of data protection laws, which contributes significantly to the complexity of the data protection regulatory landscape in Asia.
Although many laws and regulations tend to be scoped to apply only within the national borders of each jurisdiction, given the ease with which data flows internationally, many jurisdictions’ data protection laws and regulations assert some degree of extraterritorial jurisdiction.
Examples of extraterritorial data protection laws
For the EU, the GDPR claims extraterritorial jurisdiction in certain situations (e.g., where a non-EU data controller offers goods or services to individuals in the EU).
For the PRC, the CN PIPL applies to activities outside of the PRC where certain conditions are met, including where there is the processing of personal data for the purpose of analyzing and evaluating the behaviors of natural persons within the PRC’s borders.
For Singapore, although the SG PDPA does not contain an express extraterritoriality provision of the kind found in the GDPR or the CN PIPL, its definition of “organisation” expressly covers entities whether or not they are formed or recognised under Singapore law, or resident or having an office or place of business in Singapore, so the Act is worded in a manner that gives it extraterritorial reach.
Of course, there are compelling reasons for each country to claim extraterritorial jurisdiction over the processing and handling of data—including issues of national security—so it should come as no surprise that many countries enact laws that reach beyond their borders.
This patchwork of laws unfortunately complicates how organizations should handle situations involving the processing of personal data where numerous different laws would potentially apply. We’ll be taking a closer look at this complex topic in a future installment of the Asia Data Protection Series. At this juncture, however, it suffices to say that no one-size-fits-all approach exists, and every organization will have its unique solution, based on its business model as well as the locations in which it has a legal or business presence, among other factors.
In a nutshell, the fragmented nature of the legal landscape in Asia and the extraterritoriality of data protection laws of each country have created a complex web of data protection laws that is neither easy nor convenient to understand and manage. Whether a bug or a feature, this is the backdrop of the Asia data protection landscape that companies and businesses (especially those with a multinational presence) have to work with.
As we dive into select topics in future installments of the Asia Data Protection Series, it will be important to bear in mind these issues that distinguish the data protection landscape in Asia from that in other regions, and how these issues affect the interpretation and understanding of each Asian jurisdiction’s laws and regulations.
For comprehensive insights and assistance on all privacy, data protection and cybersecurity legal issues, feel free to contact our dedicated Privacy, Security & Data Innovations team. At Loeb & Loeb we are highly proficient at assisting our clients through challenging legal issues and are well-placed to support our clients in their global legal and compliance needs.