Data Protection and Cybersecurity Laws in the Asia-Pacific Region
The number of people using the internet is increasing, with over one million users accessing the internet for the first time every day. Cybersecurity Ventures predicts that there will be 6 billion internet users by 2022 (75 percent of the projected global population of 8 billion), and the usage rate will further increase to 90 percent of the world's population by 2030.
Beyond sales and trade, most internet users go online to socialize and interact with peers. There were 3.8 billion social media users in January 2020, a 9 percent increase over the previous year. Advances in internet and communication technologies make information accessible from anywhere on the planet: an online merchant operating in Thailand can serve customers in the European Union and the United States. Because personal information (financial, medical and other categories) now flows across borders over the internet, legal frameworks are needed to protect the personal data of citizens and the digital assets of organizations operating online.
The EU's General Data Protection Regulation (GDPR), in force since May 25, 2018, governs data protection and privacy in EU countries and regulates the transfer of personal data outside the EU and EEA. Since its introduction, a growing number of countries have reviewed and strengthened their own data protection and cybersecurity laws. Although the GDPR is an EU regulation, it applies extraterritorially: a company outside the EU that offers goods or services to, or monitors the behaviour of, individuals located in the EU must comply when processing their personal data, regardless of those individuals' citizenship. This article gives a brief overview of the cybersecurity and personal data protection laws in major Asia-Pacific countries. Note that laws on cybersecurity and internet privacy are updated regularly as technology changes and as trade partners and other jurisdictions develop their own rules, so always check the current text of a law before relying on it.
Classification of Personal Information
Personal information can be divided into two broad types:
Personally Identifiable Information (PII): any information that, on its own or when combined with other information, uniquely or near-uniquely identifies a specific individual. Examples include full name, date of birth, social media usernames, curriculum vitae and work history, government-issued identifiers (passport, driver's licence and social security numbers), email address, telephone number, mailing address, property records, the records and content of communications, personal photos, biometric data, credit card numbers and bank account numbers. Sensitive Personal Information (SPI) is the subset of PII whose exposure causes disproportionate harm, such as biometric templates, health data, financial account numbers and government identifiers; many data protection laws impose stricter consent, storage and breach-notification duties on it.
Non-identifying or quasi-identifying information: attributes that do not single out an individual on their own. Examples include ethnicity, nationality, language, gender, blood type, physical characteristics (height, weight, age, hair and skin colour, tattoos), income bracket, coarse geographic location (country or region), and aggregate browsing statistics. The word "anonymous" should be used with care here. These attributes become personal data as soon as they can be linked to a person, and a combination of a few of them (for example birth date, gender and postal code) is often enough to re-identify someone in a supposedly anonymized dataset. Precise GPS coordinates and an individual's browsing history or clicked links are therefore treated as personal data under the GDPR, and several of the attributes listed (ethnicity, biometric data, health-related characteristics) fall into the "special" or "sensitive" categories that most data protection laws protect more strictly.
The Data Controller is a legal entity (individual, public authority, agency, private company) that independently or in partnership with other entities determines the purpose of collecting and processing consumer personal data (consumer is also known as "Data Subject" in most Data Protection laws). The Controller is the entity that directs the activities of the Data Processor.
Data Processor is a legal entity (individual, public authority, agency, private company) that processes, stores, or transmits personal data on behalf of the Data Controller. The Data Processor may use the data only for the purposes and in the manner specified by the Data Controller, and is typically required to keep records of its processing activities and to submit to audits by the Controller. Two examples illustrate the split. Many websites use third-party services to display advertisements and collect statistics about their visitors: when you visit a news site that uses Google Analytics to analyze visitor behaviour, the news site is the Data Controller and Google, as the operator of Analytics, acts as the Data Processor. Similarly, when a website uses a provider for email marketing campaigns, the website is the Data Controller, while the provider that sends the emails and tracks engagement is the Data Processor. The roles depend on the contract and on who decides the purposes of processing: a provider that also uses the data for its own purposes (for example to improve its own products) becomes a Controller for that use.
Data protection laws impose different obligations on Data Controllers and Data Processors. Under the GDPR (see Figure 1), the Controller is primarily responsible for establishing a lawful basis (such as consent), for regulating access to consumer data, and for upholding the principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality of personal data. The Controller may engage only Processors that provide sufficient guarantees of GDPR compliance, and must bind them by a written contract that fixes the subject matter, duration, purpose and security measures of the processing.
Now that we understand the differences between PII and other types of anonymous information related to individuals, as well as the distinction between Data Controllers and Data Processors, we will begin discussing the main regulations regarding cybersecurity and data protection in key countries within the Asia-Pacific region.
Singapore
The Personal Data Protection Commission (PDPC) in Singapore is the authority responsible for managing and enforcing the Personal Data Protection Act (PDPA). The regulations were implemented gradually, with the final phase coming into effect on July 2, 2014.
The PDPA is a comprehensive framework governing the collection, use and disclosure of individuals' personal data, whether stored in digital or non-digital form. It grants individuals rights over their data and regulates how organizations may use personal data collected from consumers for legitimate purposes. The PDPA is a baseline law that applies across sectors; it sits alongside sector-specific rules (for example for banking or healthcare), so the exact obligations a company must meet when collecting and processing personal data depend on its industry.
Japan
Shortly after the GDPR took effect, Japan and the EU agreed to recognize each other's data protection regimes as providing adequate protection for individuals' personal information. Japan's law is the Act on the Protection of Personal Information (APPI). The mutual adequacy arrangement, which allows companies in the EU and Japan to exchange personal data without additional transfer mechanisms, has been in force since January 23, 2019.
The Personal Information Protection Commission (PPC) (https://www.ppc.go.jp/en) is the independent authority responsible for protecting individuals' rights and interests with respect to privacy and for overseeing how businesses use and store consumer personal data under the APPI. The PPC also handles international cooperation between Japan and other jurisdictions on data protection.
Vietnam
Vietnam's Law on Cybersecurity took effect on January 1, 2019, and imposes numerous obligations on both domestic and foreign companies operating, or intending to operate, in the Vietnamese market. Companies that provide services over telecommunications networks or the internet, or value-added services in cyberspace (cloud storage providers, social networks such as Facebook and Twitter, instant messaging services such as WhatsApp, online payment systems, e-commerce platforms, domain name and hosting providers, online games, email services), and that collect or process data about users in Vietnam, must store that data in Vietnam for a period set by the government; foreign providers must also establish a branch or representative office in Vietnam. The data localization provisions are considered the most stringent part of the law, since they require the data to be kept within the country and made available to the authorities on request. Read literally, these rules mean that a purely virtual company with no local presence cannot lawfully offer its services in the Vietnamese market.
It remains unclear whether the Vietnamese government has the resources, expertise and tooling to enforce such stringent requirements. Even so, it is likely that other countries in the region will adopt similar rules, following the model of China's cybersecurity regulations, which impose strict control over the internet and over all companies operating in China's cyberspace.
China
In China, numerous regulations issued by various government bodies and ministries concern cybersecurity and internet control. This article focuses on those related to the protection of users' personal information. The binding framework is the Cybersecurity Law, in force since June 1, 2017. The Personal Information Security Specification (GB/T 35273-2017), published by the Standardization Administration of China in December 2017 and effective from May 1, 2018, is the closest Chinese counterpart to the GDPR. It is a recommended national standard rather than a statute, but regulators treat it as the practical benchmark for compliance with the Cybersecurity Law. It addresses the collection, transfer and disclosure of personal information of Chinese citizens, defines requirements for businesses that collect or share personal information about users, specifies how that information must be stored and processed, and sets out procedures for handling security incidents. A revised edition, GB/T 35273-2020, took effect on October 1, 2020.
In June 2019 the Cyberspace Administration of China (CAC) published draft Measures on the Security Assessment of Cross-Border Transfer of Personal Information. These are separate draft rules under the Cybersecurity Law rather than a revision of the Specification, but they are commonly read together with it. The draft measures impose the following requirements on companies operating in China's cyberspace and handling the personal information of Chinese citizens:
Network operators in China must conduct security assessments of systems that transfer personal information across borders and submit these assessments to the local cyberspace administration authorities. This requirement has raised concerns among foreign companies operating in China, since compliance may require them to disclose sensitive or critical business information, such as application source code or details of encryption mechanisms, to the authorities.
Significant data breaches must be reported to the authorities without delay. The draft also requires companies processing the information of Chinese citizens to maintain incident response plans, conduct regular cybersecurity training, and, in the event of an incident, cooperate with the authorities in the investigation and in collecting related digital evidence.
Critical personal data must be stored locally in China unless the organization has passed the required security assessments and meets other conditions. Data whose transfer would affect national security or harm the public interest cannot be transferred outside China under any circumstances. Companies offering online services (messaging, cloud and similar value-added services) in the Chinese market must store their data on servers in China; otherwise they are not permitted to do business there. All companies operating in China or seeking access to the Chinese market should follow the latest version of the Specification and of the CAC's cross-border transfer measures. Where a company cannot satisfy the requirements of the draft measures (in particular the security assessment), data localization becomes mandatory to continue operating in the market.
Thailand
Thailand enacted its Personal Data Protection Act (PDPA) on May 27, 2019, with the operative provisions scheduled to take effect on May 27, 2020. (Enforcement of those provisions was subsequently postponed by royal decree, and the law took full effect on June 1, 2022.) The Thai PDPA has an extraterritorial scope: it applies to any organization outside Thailand that processes personal data of data subjects in Thailand in connection with offering them goods or services, whether or not payment is involved, or with monitoring their behaviour. In defining organizations' obligations for the collection and security of personal data, the Thai government has closely followed the GDPR. Key points of the Thai PDPA:
Collection of personal data must rest on a clear legal basis. One such basis is explicit consent (see Figure 2) given by the data subject in writing or by electronic means. Data subjects have the right to withdraw consent at any time, to access, correct or delete their data, and to know the purpose for which their data is collected or disclosed. Organizations must not collect personal data they do not need to provide the intended products or services.
Organizations must notify the regulator of a data breach without undue delay and, where feasible, within 72 hours of becoming aware of it; affected data subjects must also be notified when the breach poses a high risk to their rights and freedoms. Data Controllers outside Thailand must, for certain types of business, appoint a local representative in Thailand.
Data Controllers may not transfer personal data outside Thailand without the data subject's consent unless the destination country provides adequate data protection or the transfer is otherwise permitted by law. Violations can result in civil, criminal and administrative penalties, with administrative fines of up to THB 5 million (over USD 153,000).
Data Controllers that collected personal data before the operative provisions took effect may continue to use it under two conditions: they must give data subjects a way to withdraw their data and stop its use, and, where data subjects permit continued use, the data may be used only for the original purpose of collection and not for other purposes.
Although the Thai PDPA was modelled on the GDPR, there are notable differences, and the GDPR remains the stricter of the two. For example, the PDPA does not explicitly regulate automated processing of personal data used to profile internet users, and it does not spell out the obligations of Data Controllers and Data Processors in the detail that the GDPR does.
Conclusion
Business entities operating or seeking to invest in the Asia-Pacific region should be aware of the differences in data protection and cybersecurity laws across the region's countries. Organizations should update the legal agreements under which they collect personal information from consumers, and publish privacy policies that reflect the requirements these laws impose. In some countries, data localization is mandatory when your work involves collecting and storing sensitive personal information about local consumers.