A review of Data Protection and Cybersecurity Laws for the Asia-Pacific Region.
Singapore
The Personal Data Protection Commission (PDPC) in Singapore is the authority responsible for administering and enforcing the Personal Data Protection Act (PDPA). The regulation was implemented in phases, the last one has come into force on 2 July 2014.
The PDPA is a general umbrella that holds many government laws concerning the collection and use of individual personal data (stored in digital or non-digital forms). PDPA gives the right to individuals to protect their data and govern how businesses can use personal data collected from consumers for legitimate purposes. To comply with the PDPA Act, there are different requirements that each company needs to comply with – according to the industry it belongs to – when collecting and processing personal data.
Japan
Directly after enforcing the implementation of GDPR law in the EU, Japan, and the European Union agreed to recognize each other’s data protection laws as providing sufficient protection for an individual’s personal information. This allows enterprises working in both the EU and Japan to exchange personal information freely without any legal barrier. The framework for mutual and easy transfer of personal data between Japan and the European Union has come into force, on 23 January 2019.
The Personal Information Protection Commission (PPC) (https://www.ppc.go.jp/en) is an independent official authority responsible for protecting the rights and interests of individuals in the privacy and supervise the use and retain of consumer personal data by businesses. PPC is also responsible for international cooperation between Japan and other jurisdictions in the area of data protection laws.
Vietnam
In January 2019, Vietnam cybersecurity law came into force. This law imposes many restrictions on domestic and foreign companies working or wanting to work in the Vietnam market. For instance, all companies offering internet and telecommunications services or any other service related to internet or telecommunication technology (such as cloud storage providers, social networking sites like Facebook and Twitter, Instant Messaging services like WhatsApp, online payment systems, online merchants, domain name and hosting providers, online gaming, email providers) that operate in Vietnam cyberspace and process/retain information about Vitamin users, must have a physical local branch or a representative in Vietnam. The law also requires such companies to store the processed data of the Vietnam users for a period specified by the Vietnamese government. The data localization element of the law is considered the toughest part in the regulation, as it requires storing processed data in certain geographical locations within the country or handling this info to authorities, as a result, virtual companies (operate completely online) cannot offer its services in the Vietnam market.
It is not clear whether the Vietnamese government has the required resources, expertise and tools to enforce such strict regulation. However, we can expect to see more countries in the region move to apply similar rules to the Vietnamese government, which is somehow similar to the Chinese cybersecurity regulations that impose tight control over the internet and on all companies operating in the Chinas cyberspace.
China
In China, there are many regulations – issued by different government bodies or ministries – related to cybersecurity and internet control laws. However, in this article, I will focus on the regulations related to the protection of user personal information.
The China Personal Information Security Specification which went into force in 2017, is the Chinese version of the EU GDPR and the first specifications issued to protect Chinese citizen’s personal data. Published by the Standardization Administration of China, this specification addresses the collection, transfer, and disclosure of Chines citizen personal information. It also defines the terms under which businesses can collect/share personal information about users, how to store and process this info in addition to required procedures to handle security incidents.
An update – or a draft measures – of this specification was issued in June 2019 and mainly addresses the transfer of important personal information across the borders. The draft measures imposed the following terms on companies operating in the Chinese cyberspace and handle Chinese personal information:
- Require network operators in China to conduct a security assessment of their systems that reveal the risks associated with the transfer of personal information outside the borders, and handle these assessments to the local cyberspace administration authority. This requirement raises concerns between foreign companies operating in China. As to meet this regulation, companies may be required to reveal sensitive information and/or critical business secrets such as source code of their programs/applications, critical information about their systems (e.g. encryption mechanism) to the authorities.
- Important data breaches should be reported properly to the authority without any delay. It also requires companies processing Chinese citizen’s information to have an incident response plan, conduct regular cybersecurity training of its employees, and if an incident took place, companies should cooperate with the authorities to investigate the incident and collect related digital evidence.
- Important personal data should be stored locally within China unless the business has passed the required security assessments imposed by official authorities among other terms. For data affecting national security and/or have a negative effect on public interest, it cannot transfer outside borders under any condition. For companies offering online services (e.g. WhatsApp) or other value-added services in the Chinese market, they must store their data locally on Chinese servers, otherwise, they are not allowed to conduct business in the Chinese market.
All companies operating in China or wanting to access the Chinese market should be familiar with the updated draft measures of the China Personal Information Security Specification. When a company cannot adhere to the draft measures requirements (especially the security assessment part), data localization becomes mandatory to remain operational in this market.
Thailand
The Thai government released the Personal Data Protection Act (PDPA) on May 27, 2019, with the law is going to take effect on May 27, 2020. The Thai PDPA has extended the scope of its geographical application to include any company outside Thailand that process or store personal data of the Thai citizens as a part of the services/products offered, regardless of whether there is a payment or not.
After reading the law, I conclude that the Thai government has adopted a similar approach to GDPR when defining the obligations of companies concerning collecting and safeguarding personal data of individuals. The following are the main key points of the Thai PDPA:
- There should be a legal basis for collecting the data from the consumer. In some instances, the legal basis can be a clear consent (see Figure 2) from the consumer itself made in a written statement or via other electronic means. The consumer also should have the right to revoke access or update his/her data at any time and has the right to know the purpose of collecting or disclosure of his/her Personal Data. Organizations should not collect personal data that they do not need it to offer the specified product/service for the consumer.
- The act imposes a notification requirement regarding any data breach that must execute within 72 hours after the organization becomes aware of it. The affected consumer should also notify if the breach constitutes a high risk on his/her data.
- For some type of businesses, the law requires them to have a local representative in Thailand.
- Data Controller cannot send consumer personal data outside the Thailand border without proper consent from the data owner unless the destination country has proper privacy and data protection laws or this transfer is permitted by law.
- Breaching the PDPA law may result in serious, civil, criminal and administrative penalties that reach up to THB5m (more than USD 153000.0).
- The law allows the Data Controller who collects personal data of Thai consumers before enforcing this act (before 27 May 2020) to continue using it under the following two conditions:
- Give consumers a withdraw method to stop using their data, and
- If the consumer grants permission to the Data Controller to continue using his/her data, data should be used for the original purpose it was collected for and not for anything else.
Although the Thai PDPA is modeled on the EU GDPR, there are some key differences between both laws that make GDPR strongest in terms of enforcing strong protection of individual data. For example, PDPA does not explicitly set rules to control the automatic processing of personal data which is used to create a profile for internet users. PDAP also does not strictly detail the obligations of the Data Controller and the Data Processor similar to GDPR.
Conclusion
Entities doing business or looking to invest in the Asia-Pacific region market should be aware of the different data protection and cybersecurity laws are enforced by different countries in the region. Organizations should also update their legal consents -when collecting personal information from consumers- and develop privacy policies to reflect the requirements imposed by these laws. In some countries, data localization is required when your work involves collecting and retaining sensitive personal information about local consumers, please refer to further reading below for a more comprehensive review of the data protection and cyber security law associated with each countries.
Further reading
- APEC (Asia-Pacific Economic Cooperation) Privacy Framework https://www.apec.org/Publications/2017/08/APEC-Privacy-Framework-(2015)
- For more information about Singapore PDPA, please visit The Personal Data Protection Commission (PDPC): https://www.pdpc.gov.sg
- The original copy of Vietnam cybersecurity law can be found here: http://tulieuvankien.dangcongsan.vn/he-thong-van-ban/van-ban-quy-pham-phap-luat/luat-an-ninh-mang-so-242018qh14-ngay-1262018-hieu-luc-thi-hanh-tu-ngay-01012019-4474 | unofficial translation of the law can be found here: https://data.allens.com.au/pubs/pdf/priv/cupriv22jun18.pdf
- The official PDF of the Regulation (EU) https://gdpr-info.eu
Dr. Varin Khera
Dr. Khera is a veteran cybersecurity executive with more than two decades worth of experience working with information security technology, models and processes. He is currently the Chief Strategy of ITSEC Group and the Co-founder and CEO of ITSEC (Thailand). ITSEC is an international information security firm offering a wide range of high-quality information security services and solutions with operation in Indonesia, Malaysia, Philippines, Singapore, Thailand and Dubai.
Previously the head of cyber security Presales for NOKIA, Dr. Khera has worked with every major telecom provider and government in the APAC region to design and deliver security solutions to a constantly evolving cybersecurity threat landscape.
Dr. Khera holds a Doctor of Information Technology (DIT) from Murdoch University, a Postgraduate Certificate in Network Computing from Monash University and a Certificate of Executive Leadership from Cornell University.
Dr. Khera was one of the first professionals to be awarded the prestigious Asia Pacific Information Security Leadership Awards (ISLA) from ISC2 a world-leading information security certification body under the category of distinguished IT Security Practitioner for APAC.