Data Privacy Newsletter: Data Privacy Landscape In Asia – April 2023
Introduction
Data privacy laws are becoming increasingly important in today’s digital age, especially in the Asian region, where the rapid growth of technology and the internet has raised concerns about the protection of personal data. Businesses operating in the Asian region and processing personal data need to comply with the data privacy laws and regulations of the countries in which they operate. Any non-compliance with the requirements of the applicable data privacy laws can result in legal and financial consequences, including fines, penalties, loss of customer trust and reputational damage. In this newsletter, we discuss a few data privacy laws in Asia and how they are evolving to keep pace with the changing technological landscape.
The European Union’s GDPR is the most popular privacy law in the world; however, it is not the first. The Asian countries of Singapore, Japan and Malaysia passed privacy laws several years before the GDPR was passed.
Singapore
Singapore was one of the first countries in Asia to introduce data privacy legislation. The government of Singapore enacted the Personal Data Protection Act (the “PDPA”) in 2012, which became effective in 2014. The PDPA was the first comprehensive data privacy law in Singapore and regulates the collection, use and disclosure of personal data by organizations in Singapore. Singapore already had sector-specific legislative and regulatory frameworks such as the Banking Act and the Insurance Act.
The PDPA’s objectives are twofold: first, it recognizes the need to protect individuals’ personal data and, second, it requires organizations and businesses to collect, use or disclose personal data for legitimate and reasonable purposes.
The PDPA regulates the flow of data among businesses and protects personal data from misuse, which has helped build trust in businesses that handle personal data.
Scope of the PDPA
The PDPA is applicable to all personal data stored in electronic and non-electronic formats, with a few exceptions. The PDPA applies to all organisations that process personal data. (An ‘organisation’, for the purposes of the PDPA, is defined as any individual, company, association, or body of persons, corporate or unincorporated.)
Obligations and Extra-territorial Applicability
The PDPA has extraterritorial applicability and applies to businesses that collect, use and disclose the personal data of residents in Singapore, whether or not the business has a physical presence in Singapore. Businesses are required to implement reasonable security measures and safeguards, such as minimizing the personal data collected, encrypting personal data or deleting it after use, functional separation, access controls, and technical and organizational measures (organization-level policies, processes and security controls), to lower the risk of any adverse use of personal data. In the event of a data breach, businesses are required to respond to the breach and also to notify the PDPC and the affected individuals.
Personal Data Protection Commission
The PDPA has established the Personal Data Protection Commission (the “PDPC”) as the regulatory authority governing data protection in Singapore. The PDPC is responsible for investigation and enforcement of the provisions of the PDPA. The PDPC also publishes advisory guidelines on the interpretation of the PDPA.
Do Not Call (DNC) Registry
The Do Not Call (“DNC”) registry is a notable feature of the PDPA which expressly prohibits organizations from sending unsolicited telemarketing messages to individuals who have registered their telephone numbers with the DNC registry. The DNC registry allows individuals to opt-out of receiving marketing messages and calls from all or selected categories of organizations, such as banking, insurance, property, and education.
The DNC registry has helped to reduce the number of unsolicited telemarketing messages and calls received by individuals in Singapore. It has also encouraged organizations to adopt better practices in their telemarketing activities and respect individuals’ preferences for not receiving unsolicited marketing messages and calls.
Penalties
The PDPC levies penalties and fines on businesses for non-compliance with the provisions of the PDPA. Administrative penalties may include warnings, directions to cease or rectify the contravention, and orders to comply with the PDPA. The PDPC also levies financial penalties on businesses that are found to have breached the PDPA: financial penalties of up to S$1 million (approx. USD 750,000) or 10% of their annual turnover for each breach, whichever is higher, may be levied by the PDPC.
Japan
In 2003, Japan enacted the Act on the Protection of Personal Information (“APPI”), which became one of the first data protection laws in Asia. The APPI aims to protect the personal information of individuals in Japan and sets out the requirements for businesses that collect, handle and process personal information. The APPI has been amended from time to time to align it with international privacy standards, particularly the EU’s GDPR. In 2019, Japan became the first Asian country to be granted adequacy status by the European Commission, indicating that the data protection laws in Japan provide the necessary protection for personal information.
Scope
All businesses handling the personal information of individuals are subject to the APPI. The APPI has extraterritorial applicability and applies to all such businesses, whether based in Japan or outside Japan.
Personal Information Protection Commission
The APPI is administered and enforced by the Personal Information Protection Commission (“PPC”), a central agency that acts as the supervisory governmental organization on issues of privacy protection. The PPC is responsible for ensuring the appropriate handling of personal information, receiving reports of data breaches and initiating investigations into them, issuing advisories, and coordinating with foreign data regulators.
Obligations and Data breach notifications
Businesses that collect, use, handle or disclose personal information are required to publish a privacy policy that clearly states the purpose of the collection and use of personal information. Businesses are required to implement technical and organization-level security measures and safeguards to protect the personal information that they process. Businesses are also required to set up organization-level processes and procedures to respond promptly to data subject requests. The APPI previously only recommended that the PPC and data subjects be notified in case of a data breach; the APPI was amended in 2020 to make data breach notification a legal requirement. When a business operator becomes aware of a data breach, it is obligated to notify the PPC as soon as possible and also to submit a report stating the causes of the breach and the corrective actions taken. (For clarity, a business operator is any business handling personal information, similar to the role of a data processor or data controller under the GDPR.)
Penalty
The maximum fines have increased significantly over time. In 2017, the maximum fine was limited to ¥500,000 (approx. USD 4,000); it has since been increased to ¥100 million (approx. USD 815,000). There is also a fine for submitting false reports to the PPC, of up to ¥500,000 (approx. USD 4,000).
Malaysia
Malaysia enacted the Personal Data Protection Act, 2010 (the “PDPA”) in 2010, and it came into force in 2013. The PDPA came into force more than five years before the EU GDPR, and it is notable that the GDPR bears some resemblance to the PDPA. The PDPA regulates the processing of personal data in commercial transactions and provides individuals with certain rights, such as the right to access and correct their personal data. The PDPA defines “processing” very broadly to cover a wide range of activities, including using, disseminating, collecting, recording and/or storing personal data.
Scope
The PDPA applies to persons, businesses, organizations and websites in Malaysia that process, or have control over the processing of, personal data. The applicability of the PDPA is restricted to the private sector and does not extend to the public sector or to federal or state governments. The PDPA does not apply to data processed outside Malaysia unless it will be further processed in Malaysia.
Obligations on businesses
Businesses need to take reasonable and practical steps to protect personal data from loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction. Businesses are required to implement the necessary technical and organizational security measures governing the processing activity and to take reasonable steps to ensure compliance with those measures. Businesses also need to ensure that personal data collected for any purpose is retained only for as long as is necessary to fulfil that purpose.
Personal Data Protection Commissioner
The PDPA has established the Personal Data Protection Commissioner (the “Commissioner”) as the regulator and enforcer of the PDPA. The Commissioner has the power to investigate complaints and breaches of the Act, issue orders to businesses to comply with the Act, and impose penalties for non-compliance.
Penalties and fines
The penalties for non-compliance with the PDPA can include fines of up to RM500,000 (approx. USD 113,600) and/or imprisonment of up to three years. In addition, businesses may be liable to pay compensation to individuals who have suffered harm as a result of a breach of obligations under the PDPA.
Conclusion
To conclude, privacy laws in Asia are evolving to keep pace with the changing technological landscape. While some countries, such as Singapore, Japan and Malaysia, have been at the forefront of privacy protection, others, such as India, Indonesia and Vietnam, are beginning to establish their privacy regimes. The upcoming Indian privacy law is a significant step towards protecting the privacy and data of Indian citizens. With the increasing digitization of India and the rise of data-driven technologies, such a law is necessary to safeguard personal information from potential misuse and abuse. The law is expected to regulate the collection, storage and use of personal data by companies and government agencies, giving individuals more control over their data. While the implementation of the law may face some challenges, its overall impact is expected to be positive for Indian society and the Indian economy in the long run.
Non-compliance with privacy laws can have a significant impact on businesses. With the increasing awareness of privacy and data protection, customers are becoming more concerned about how their personal data is used and protected. It is high time that businesses in India which provide services to clients in the Asian region ensure that their current organization-level data privacy practices are aligned with the compliance requirements of the data protection laws of the countries discussed above. Investment in privacy compliance is no longer regarded merely as a compliance cost but also as a business enabler and a return on investment.