
An Update on Data Privacy Laws in the APAC Region in 2021

Beyond the pandemic, we continue to witness major changes in APAC’s data privacy landscape. This year alone, new regulations are expected to be drafted or implemented in APAC countries. With an increasing need for regulation to protect data privacy, what should we expect to change in 2021?

Australia

Review on the Privacy Act 1988

In October 2020, the Australian government released an issue paper that outlined current privacy laws and sought feedback on potential issues relevant to reform of the Privacy Act 1988 [1].

The review covers the following areas [2]:

  • The scope and application of the Privacy Act
  • Efficacy in protecting personal information and providing a practical, and proportionate, framework for promoting good privacy practices
  • Individual direct rights of action to enforce privacy obligations
  • Whether a statutory tort for serious invasions of privacy should be introduced into Australian law
  • The impact and effectiveness of the notifiable data breach scheme
  • The effectiveness of enforcement powers and mechanisms
  • Feasibility of an independent certification scheme

The Australian government is currently reviewing the comments received from the consultation, which ended in late November 2020, and plans to issue a discussion paper in 2021 to seek specific feedback on preliminary outcomes [1].

China

In October 2020, the National People's Congress (NPC) released a draft of the Personal Information Protection Law (PIPL) [3] for public comment. The draft Personal Information Protection Law (“Draft Law”) was open for public consultation until 19 November 2020. Once it comes into force, it will be China’s first comprehensive law on the protection of personal data. The legislation is expected to be enacted in 2021.

 

Scope of Application

  • Activities conducted in Mainland China by organizations and individuals who handle personal information
  • Activities conducted by organizations located outside of Mainland China who handle personal information of persons residing in Mainland China

 

Cross-border Transfer and Responsibilities by Personal Information Handlers (PIH)

  • For Critical Infrastructure Information Operators (CIIO) and PIH that handle personal information outside Mainland China for business needs, the CIIO and PIH must meet the following conditions:
    • Store personal information collected and generated within the territory of the People's Republic of China (PRC)
    • Pass a pre-event security assessment and obtain separate consent

 

Legal Basis of Personal Information Processing

  • Obtain personal consent; however, this obligation is waived in the following cases:
    • When necessary for performing legal obligations, in response to a public health emergency or for protecting a natural person’s life, health, and property safety in an emergency;
    • When processing personal information for public interests such as news coverage;
    • Other circumstances as stipulated by laws or regulations.

Hong Kong

In January 2020, the Hong Kong Constitutional and Mainland Affairs Bureau published a discussion paper regarding the review of the Personal Data (Privacy) Ordinance (“PDPO”). Nothing has been implemented since then. However, in a recent speech given by the Privacy Commissioner in January 2021, she indicated that the Privacy Commissioner for Personal Data (PCPD) is working closely with the Hong Kong Government in proposing legislative amendments to the PDPO [4].

 

The discussion paper focuses on areas that have gained traction globally, such as a mandatory data breach notification obligation, and on Hong Kong-specific data privacy issues, for example an increase in doxxing cases [5]. For details of the discussion paper, please refer to our previous article, Covid-19 Has Not Stopped Regulators Progressing on Data Privacy Laws [6].

India

The Information Technology Act, which came into force in 2000, still governs data protection in India at present [7].

 

In 2019, the Personal Data Protection (“PDP”) Bill was introduced into the Indian legislature; it will overhaul the personal data protection and regulatory regime in India. There are a number of provisions in the bill that raise significant concerns for some industries, particularly with respect to:

  1. Extraterritorial provisions of the proposed law; 
  2. Limited legal bases for processing personal data;
  3. Restrictive rules for cross-border transfers of sensitive and “critical” personal data;
  4. Burdensome breach notification obligations;
  5. Additional obligations imposed on certain types of data controllers and social media companies [9].

 

In addition, the bill outlines severe penalties for law violations, corporate liability, and private rights of action, including class actions. The bill is currently under review by a Joint Parliamentary Committee and may undergo significant changes to its current form. The committee’s report has been delayed twice because of the pandemic. The PDP bill is expected to come into effect towards the end of 2021 [8].

 

In August 2011, a ‘Press Note’ (Clarification on the Privacy Rules) was issued by India’s Ministry of Communications and Information Technology, which stated that any outsourcing service providers/organizations providing services relating to the collection, storage, dealing or handling of sensitive personal information, located within or outside India, are not subject to the collection and disclosure of information requirements to PDP [8].

Japan

The Act on Protection of Personal Information (“APPI”) was amended on 5th June 2020 and will come into force in Spring 2022 [10]. In our previous article, we mentioned some of the key aspects of the Amendment; additional changes are summarized below:

 

Enhancement of Individual Rights

Currently, the APPI provides individuals with the right to request businesses to stop using, or erase, personal data. The Amendment Act expands individual rights to apply when: (i) the business uses personal data in improper ways, (ii) there is no need for the business to use the personal data, (iii) a data breach occurs, and (iv) when legitimate interests of data subjects are interfered with by use of the personal data [11].

 

Expanded Scope Of Personal Data Subject To The APPI

The Amendment removes the exemption on any personal data that is deleted within six months, meaning that the data subject rights now apply to personal data regardless of the length of time [11].

 

Limitation On “Opt-out” Exemption for Third-party Transfer

The Act narrows the scope of personal data that may be transferred pursuant to the Opt-Out exemption by excluding (i) personal data that is illegally obtained, and (ii) personal data that is provided to the business based on an opt-out provision [11].

 

Additional Obligation When Transferring Information of Data Subjects to a Third Party

Under the Amendment Act, companies engaging in data transfers are required to enter agreements that specifically address the consent requirements and also to disclose the record of the third-party transfer [11].

South Korea

There are three primary data privacy laws in Korea:

  1. The Personal Information Protection Act (“PIPA”) enacted in 2011 and further amended in 2020;
  2. The Act on the Promotion of the Use of the Information and Communications Network and Information Protection (the “Network Act”);
  3. The Credit Information Use and Protection Act (the “Credit Information Act”).

The PIPA is the general law that regulates general matters of data protection, whereas the Network Act and the Credit Information Act focus more on sectors [12].

Other than the key changes made to PIPA, which were covered in the previous article, below are the key amendments to the Network Act and the Credit Information Act.

 

Key Aspects of The Amendments To The Network Act and Their Implications

Deletion and Transfer of provisions similar to or overlapping with the PIPA

The amendments to the Network Act remove the provisions which are similar to, or overlapping with, the PIPA so that the general law of PIPA can be prioritised. Among the provisions deleted from the Network Act, those that differ from the PIPA or exist only in the Network Act are transferred to Chapter 6 of the PIPA [13].

 

Key Aspects Of The Amendments To The Credit Information Act And Their Implications

Relationship With PIPA

To secure credit data protection, the amendments adopt certain provisions under the PIPA with changes appropriate to the financial sector. The Credit Information Act is a special act to the PIPA, meaning that the amended Credit Information Act prevails over the amended PIPA in the case of any conflict between them [13].

 

Use of Big Data by Pseudonymisation or Anonymisation

The amendment introduces the conceptual framework of pseudonymisation and anonymisation. If a data expert institution designated by the Financial Services Commission (“FSC”) confirms that certain information has been properly pseudonymised or anonymised, such information is deemed to have been processed such that it cannot be used to identify an individual. In addition, as under the amended PIPA, pseudonymised data can be used or provided without the consent of the credit data subject for statistics preparation, research and record preservation for public interest [13].

 

Changes to Consent Requirement

The amended Credit Information Act allows certain financial service providers to notify the credit data subject solely of a summary of important matters when obtaining the consent of the credit data subject, unless otherwise required by the credit data subject [13].

 

Rights of the Data Subject

The amended Credit Information Act enhances the rights of the credit data subject by introducing the right to data portability, the right to object, and the right to be informed concerning automated decision making and profiling [13].

 

Increased Punitive Damage

The amended Credit Information Act expands the award of punitive damages for intentional or grossly negligent leakage of credit information up to five times the amount of compensatory damages.

 

For our 2020 updates on data privacy laws in China, Hong Kong, Japan, South Korea and Singapore, please refer to our previous article, Covid-19 Has Not Stopped Regulators Progressing on Data Privacy Laws [6].

How can Sia Partners help?

With nearly 100 data privacy projects already delivered, Sia Partners has a strong understanding of both regulations and challenges faced when implementing them. Sia Partners also has an experienced team with complementary profiles and global coverage.

 

The main areas where Sia Partners can support your company are:

Data Maturity Assessment and Implementation

  • Make an inventory of personal data processing activities to be implemented in the record of processing activities
  • Assess the maturity level of the company with data privacy regulations using Sia Partners’ tool
  • Develop an action plan (structuring of the work to be done and list of actions for each theme)
  • Implementation support to close compliance gaps
  • Perform compliance actions on all identified workstreams (information, consent, contracts, etc.)
  • Support Data Privacy projects with strong project management capabilities

 

Data Protection Officer Support

  • Provide data compliance advice on complex issues
  • Represent your company when dealing with third parties
  • Perform BAU work and animate the data privacy network within the company

 

Training Support

  • Define both training and communication plans
  • Carry out training actions (e-learning, in-class, blended learning etc.)

 

For details of our offerings, please visit our Data Privacy page. 
