Moving towards Europe: recent trends in Asia-Pacific data protection law
Data protection laws in Asia-Pacific are nothing new: Australia’s Privacy Act predated the European Union’s Data Protection Directive by eight years. However, the region now appears to be on the verge of a minor revolution in data protection regulation. In the wake of the European Union’s General Data Protection Regulation (the “GDPR”), which set a new standard for the protection of personal data, several Asia-Pacific countries have strengthened, or have proposed to strengthen, their data protection laws by borrowing various concepts from the GDPR. Nicholas Blackmore, Special Counsel at Kennedys, provides a brief tour of some recent trends and developments in data protection law across Asia-Pacific.
While the Privacy Act has not changed, it has been a busy year for legislative proposals in Australia. In March, the Morrison government proposed to strengthen enforcement of the Privacy Act and impose additional requirements on social media platforms. These proposals were made prior to the federal election in May, in which the Morrison government was returned to office. In August, the Australian Competition and Consumer Commission ("ACCC") recommended extensive reforms to privacy law in its Digital Platforms Inquiry report.
The Morrison government’s pre-election proposals included increasing the maximum civil penalties for serious and repeated breaches of the Privacy Act from their current level of A$2.1 million (US$1.5 million) (already the highest in the Asia-Pacific region) to the greater of:
- A$10 million (US$7 million);
- three times the value of the benefit obtained from the breach; or
- 10% of a corporation’s annual domestic turnover.
The concept of linking civil penalties to an entity’s annual turnover is already a feature of the GDPR.
The ACCC recommendations included several concepts borrowed from the GDPR, including:
- strengthening existing requirements to notify individuals how an organisation will collect, use and disclose their personal information at the time of collection;
- strengthening the requirements for obtaining valid consent from individuals, including requiring “opt-in” rather than “opt-out” consent;
- providing individuals with a right to require that their personal information be deleted (the so-called “right to be forgotten”).
The government has already introduced a law which will introduce a “consumer data right” in the banking, telecommunications and energy industries. If requested by a consumer, retail service providers in these industries will be required to make the consumer’s personal information available to other service providers in an open format. The effect of the law should be somewhat similar to the “data portability” right in the GDPR.
New Zealand is replacing its venerable Privacy Act 1993 with a new Privacy Bill. The new Bill is currently before Parliament and, if passed, is slated to come into effect on 1 March 2020.
The two most significant changes under the new Bill will be the introduction of a mandatory data breach notification scheme and of restrictions on the transfer of personal information outside New Zealand.
The data breach notification scheme will be similar to that adopted by Australia in 2018. Data breaches must be notified to the Office of the Privacy Commissioner and to affected individuals as soon as practicable, if it is reasonable to believe that the breach has caused serious harm, or is likely to cause serious harm, to an individual. This is very similar to the standard for a notifiable data breach under Australian law.
The restrictions on the transfer of personal information outside New Zealand are similar to those in many other data protection laws. Broadly speaking, an entity may only disclose personal information to a recipient outside of New Zealand if:
- the relevant individual has consented after being expressly informed of the transfer and the associated risks;
- the recipient is subject to the laws of a country or a binding scheme which is “white listed” by the Privacy Commissioner;
- the entity reasonably believes that the recipient is subject to comparable privacy laws to the Bill; or
- the entity reasonably believes that the recipient is required to protect the personal information in a way that is comparable to the Bill (e.g. pursuant to an agreement between the entity and the recipient or a binding scheme).
The new law also makes clear that it applies to foreign entities that carry on business in New Zealand, which was not clear under the existing law. The law notes that an entity may still carry on business in New Zealand even if it does not have a local office. As such, it is possible that the law may apply to e-commerce businesses which supply goods and services to New Zealanders from outside the country.
The Bill also strengthens the enforcement powers of the Privacy Commissioner and increases civil penalties for breach from their current maximum of NZ$2,000 (US$1,200) to NZ$10,000 (US$2,400). However, this would still be among the lowest maximum penalties for breach of a data protection law in any Asia-Pacific jurisdiction.
Thailand recently introduced its first data protection law, meaning that the whole of the Malay Peninsula is now subject to data protection regulation. The new Personal Data Protection Act came into effect on 27 May 2019, but will not be enforced until 27 May 2020, giving businesses one year to become compliant. The Office of the Personal Data Protection Commission, which will enforce the new law, is currently being set up.
The new Act applies to both the public and private sectors. It also expressly provides that it applies to any data processing by foreign entities that relates to offering goods or services to individuals located in Thailand or monitoring individuals located in Thailand. If this wording looks familiar, it is because it is borrowed from the GDPR. Over the past year, Asia-Pacific businesses which have suppliers or customers in the European Union have been seeking advice on how the GDPR applies to them. Those who have suppliers or customers in Thailand will now need to undertake a similar exercise.
Like New Zealand’s new law, the Act also restricts the transfer of personal data outside Thailand and requires the mandatory notification of data breaches.
The law requires notification to the Commission and to the affected individuals of any data breach that is likely to result in a risk to the rights and freedoms of individuals. It requires breaches to be notified to the regulator within 72 hours of the entity becoming aware of the breach. This makes Thailand the second country in Asia-Pacific (after the Philippines) to impose a 72-hour notification requirement.
In addition to the rights of access and correction of personal data that are common to most data protection laws, the new Thai law also provides individuals with a right to request deletion of their personal data – a right which has become known in the European Union as the “right to be forgotten”.
The new law also provides for civil penalties up to THB500,000 (US$16,000) and imposes criminal penalties for serious breaches.
Despite its status as the world’s largest provider of information technology services, India has lacked a data protection law. The Information Technology Act 2000 was subject to various legal challenges and never actively enforced. India has been preparing the Personal Data Protection Bill since 2018, and following the re-election of the Modi government, the new Bill is likely to be introduced shortly.
The new law applies to both the public and private sectors. It also expressly provides that it applies to any data processing by foreign entities that relates to offering goods or services to individuals located in India or monitoring individuals located in India. Like Thailand, India has borrowed this formulation from the GDPR. Businesses outside of India which have suppliers or customers in the country will now need to consider how the new Bill will affect them.
A controversial feature of the new Bill is its data localisation requirements. Entities would be required to keep at least one copy of all personal data processed by them in the country. The Government would have the power to exempt some classes of non-sensitive personal data from this restriction. Personal data classed as “critical” by the Government would not be permitted to be transferred outside of India at all. Other data could be transferred outside of India if the transfer is:
- made subject to standard contractual clauses or intra-group schemes approved by the Data Protection Authority;
- to a country that has been “white listed” by the Government; or
- approved by the Data Protection Authority.
Under the draft Bill, obtaining the consent of the individual to the transfer would not be sufficient: the transfer must also fit within one of the above categories.
Industry groups have expressed concern that the requirements will make it difficult to offer e-commerce and cloud-based services to consumers in India. News reports in July indicated that the Government was considering further limiting this requirement.
The Bill requires that an entity must notify the Data Protection Authority of any data breach which is likely to cause harm to any affected individual. The notification must be made as soon as possible, and the Authority also has the power to specify a timeframe for the notification of breaches. Once the breach is notified, the Authority will determine whether the entity is also required to notify affected individuals.
Like the Thai law, the Bill provides individuals with a “right to be forgotten”. The Bill also contains a right to data portability, similar to that in the GDPR. This right allows individuals to request a copy of their personal data in a structured, common, machine-readable format, so that they can easily take that data to another organisation.
The Bill contains a number of governance requirements that are similar to those in the GDPR – to undertake data protection impact assessments, to keep records of data processing activities, to undergo annual audits of their data processing practices, and to appoint a data protection officer – but these requirements will only apply to businesses which are classed as “significant data fiduciaries” by the Data Protection Authority.
Finally, the Bill provides for civil penalties for breach of up to:
- INR 150 million (US$2 million); or
- 4% of the entity’s worldwide annual turnover,
whichever is greater. Again, the concept of linking civil penalties to an entity’s annual turnover is borrowed from the GDPR.
Singapore’s Personal Data Protection Commissioner announced in March that the Government intends to amend the Personal Data Protection Act 2012 to include a mandatory breach notification scheme based on that in the GDPR.
The scheme would apply to private sector organisations only, but to date there are few other details regarding the specifics of the scheme, either in terms of what kinds of data breaches would be notifiable or the required timeframe for notification.
Finally, Japan was granted an adequacy decision by the European Commission earlier this year. The decision means that businesses in the European Economic Area can transfer personal data to recipients in Japan without restriction. The decision follows amendments to Japan’s data privacy laws in 2017. Japan becomes the second country in Asia-Pacific to have been granted an adequacy decision, after New Zealand.
While different jurisdictions in Asia-Pacific have different priorities and directions for the development of their data protection laws, what is clear is a consistent strengthening of data protection laws throughout the region, and in particular, a move towards the standards set in the GDPR. Many of the features of the new laws and amendments to existing law are borrowed from or inspired by similar features in the GDPR, for example:
- mandatory data breach notification schemes in New Zealand, Thailand, India and Singapore;
- restrictions on transferring data across borders in New Zealand, Thailand and India;
- the right to be forgotten in Thailand and India;
- the right to data portability in India, and a similar right in Australia;
- record-keeping and other governance requirements in India;
- civil penalties based on an entity’s annual revenue in Australia and India.
This move towards the European model is explained partly by the fact that the GDPR is the strictest data protection law in the world and has thereby become the gold standard for legislators worldwide to copy. However, Japan’s recent success in obtaining an adequacy decision suggests another reason. India and Singapore, as the European Union’s ninth and fourteenth largest trading partners, could benefit significantly from a European Commission adequacy decision. While we have previously written about the diminishing popularity of adequacy decisions, it is possible that at least some countries in Asia-Pacific may be drafting their data protection laws with that goal in mind.
For businesses in Asia-Pacific, it is becoming increasingly important and increasingly difficult to maintain compliance with the region’s data protection laws. Not only do businesses need to comply with the data protection laws of their home jurisdiction, but as more jurisdictions adopt data protection laws with extraterritorial effect, they will increasingly also need to comply with the laws of other countries in which they deal with consumers or employees. More countries are restricting the transfer of data outside their jurisdiction, and a few are imposing requirements for data localisation. Following a data breach, it can be a complex exercise to determine which countries require notification to regulators and individuals.
Kennedys has extensive expertise in advising its clients on how to comply with the data protection laws of multiple Asia-Pacific jurisdictions and the GDPR.