Across Asia, and indeed APAC more generally, there is a growing body of law and regulation on cross-border personal data transfers that is not necessarily covered simply by GDPR ‘baselines’.
India’s current privacy regime is set out in the Information Technology Act, 2000 (IT Act), but the Personal Data Protection Bill (PDP) currently under scrutiny will, if passed, introduce comprehensive changes to the way personal data is protected in India. Given the likely success of the PDP, we look at current Indian transfer requirements and at what will happen if the PDP becomes law.
Following the mutual finding of adequacy between Japan and the EU in early 2019, data transfers became more straightforward. While the two regimes remain distinct, recent amendments to the Act on Protection of Personal Information (the APPI) that apply only to data transferred under the EU adequacy decision will bring them closer together when the changes come into force (likely to be in 2022). The changes include an expansion of the extraterritorial effect of the APPI and a new mechanism to allow EU residents to file complaints with Japan’s data protection authority if public authorities in Japan unlawfully access their data.
The South Korean privacy regime places a heavy focus on the responsibilities of public bodies as well as those of private entities. A number of legislative provisions cover data privacy requirements. The Personal Information Protection Act (PIPA) is the most significant of these, with the Network Act also containing important provisions largely focused on Internet Service Providers. The focus of the South Korean privacy regime is on consent to processing and particularly data transfers, with few, limited exceptions.
Data privacy in the People’s Republic of China is largely governed by the Cyber Security Law of 2016, which restricts transfers of personal data both within and beyond national borders and requires informed consent to a transfer in most cases. Numerous sector-specific regulations apply in addition to the Cyber Security Law and generally override it in case of conflict. Separate privacy regimes operate in Hong Kong and Macau, each of which is closer in nature to EU privacy law.
In Thailand the relatively new Personal Data Protection Act 2019 (the PDPA) replaced a largely sector-specific approach to privacy regulation. The PDPA takes a more liberal approach than that adopted by most Asian countries, permitting exports to any country with adequate levels of protection, with a number of exemptions potentially applying to negate the adequacy requirements. Although approved, the PDPA will not come into force until 31 May 2021.
Singapore’s Personal Data Protection Act of 2012 and its accompanying 2014 Regulations set out the standards that must be met before an international transfer of personal data from Singapore can be made. A data exporter must take steps to ensure that the recipient of the personal data is bound by legally enforceable obligations to ensure the data is protected by standards that are comparable to the protection available in Singapore.
Source: Global Data Hub news