NVIDIA x Sia Partners Exclusive Event
This article covers the key latest data privacy regulations for Australia, China, Hong Kong, India, Japan, Singapore and South Korea for the second half of 2021. We continue to witness changes in APAC's data privacy laws with new regulations coming into effect in China and India.
In October 2021, the Australian government released a discussion paper containing proposals for the future reform of the Privacy Act 1998 (“Privacy Act”). They also released an exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2011 (“Online Privacy Bill”) which is aimed at improving the protection of personal information, and expanding the extra-territorial scope of the Privacy Act and improving penalties for non-compliance.
The proposals under the discussion paper on the Privacy Act covers the following areas:
The Online Privacy Bill is applicable to social media services, data brokerage firms and certain large online platforms operating in Australia and covers the following areas [1] [2]:
The Australian government is currently receiving comments and questions with regards to the Discussion paper or any other relevant matter until 10th January 2022.
The Personal Information Protection Law (“PIPL”) passed by the Standing Committee of the National People’s Congress of the People Republic of China on 20th August 2021, came into force on 1st November 2021. In our previous article, some key aspects of the PIPL were mentioned.
In addition, to assist the general public and businesses in Hong Kong to better understand the personal information protection regime in Mainland China, the Office of the Privacy Commissioner for Personal Data (“PCPD'') published a booklet on 18th November 2021, entitled “Introduction to the Personal Information Protection Law of the Mainland'' (''Introduction”). [3] [4]
On 15th November 2021, the Cyberspace Administration of China (“CAC”) released their draft data security laws designed to strengthen the security of its internet data.
The draft covers the following areas:
Not to mention that companies trying to list in Hong Kong maybe also required to undergo a cybersecurity review if the listing may affect national security.
The draft security law is currently opened to the public for comments until 13th December 2021.
On 8th October 2021, the Personal Data (Privacy) (Amendment) Ordinance 2021 (the “Amendment Ordinance”) was published to combat doxxing acts that are intrusive to personal data privacy.
The objectives of the Amendment Ordinance include the criminalisation of doxxing acts, empowering the Privacy Commissioner for Personal Data (“Privacy Commissioner”) to perform any criminal investigations and institute prosecutions for doxxing acts and related offences, granting the Privacy Commissioner statutory powers to order the cessation of disclosure of doxxing messages. PCPD has also published the Implementation Guidelines for the Amendment Ordinance and a hotline has been setup to handle any inquiries or complaints related to doxxing.
After two years since its introduction in 2019, the Joint Parliamentary Committee (“JPC”) has finally adopted the draft report of the JPC on the Personal Data Protection (“PDP”) Bill introduced in 2019. In our previous article, we mentioned some key aspects of the draft report.
In August 2021, Japan’s Personal Information Protection Commission (“PPC”) published Guidelines related to the 2020 Amendments on its Act on the Protection of Personal Information (“APPI”). The Guidelines aim to provide clarity on previously identified unclear aspects in both the existing Act and 2020 amendments.
The Guideline covers the following areas:
The 2020 Amendment Guidelines specify that the APPI’s application will be extended to all entities in a foreign country handling any personal information, Personally Referable Information, Pseudonymously Processed Information or Anonymously Processed Information that relates to data subjects in Japan, in relation to the supply of goods or services to any data subjects in Japan.
Mandatory breach reporting to the PPC or designated authority and data subjects is a new regulation under the 2020 Amendments. As such, the Guidelines try to define as much as possible the conditions that would require reporting and indicate the measures to be taken in the event of the breach.
The Guidelines provide supervision regarding the definition, usage, processing and sharing of Pseudonymously Processed Information and Personally Referable Information, both of which were previously introduced in the 2020 Amendments.
The Guidelines provide more information regarding the new obligations for third party data transfer both domestically and internationally. For example, listing out the relevant verification obligations before the commencement of data transfer and transparency involved when obtaining the consent of the data subject.
The Guidelines also explain the claims process based on the extended individual rights introduced in the 2020 Amendment.
On 19th May 2021, the Japanese government released its 2021 Amendments to its APPI (“2021 Amendments”). The amendments seek to consolidate various individually enacted data protection laws across different governmental and national agencies including independent administrative institutions with the APPI and designate nationwide rules for local governments. The 2021 Amendments have been enacted but its effective date is to be decided.
On 14th September 2021, the Personal Data Protection Commission (“PDPC”) has published its revised guides: (1) Guide on developing a Data Protection Management Programme – so as to incorporate best practices in accountability to support organisations' personal data protection policies and processes (2) Guide on Data Protection Impact Assessments.
On 16th June 2021, the European Commission launched the process towards the adoption of the adequacy decision for the transfer of personal data to the Republic of Korea. This means that additional safeguards would not be required when transferring European Union personal data to South Korea. The draft adequacy decision assumes that there is a certain level of data protection to be provided under the GDPR. Additional safeguards to be enforced by the Personal Information Protection Committee (“PIPC”) were also discussed and they are focused on strengthening the data protection level.
For previous updates on data privacy laws in China, Hong Kong, Japan, South Korea and Singapore, please refer to our previous articles Covid-19 Has Not Stopped Regulators Progressing on Data Privacy Laws and An Update on Data Privacy Laws in the APAC Region in 2021
With nearly 100 data privacy projects already delivered, Sia Partners has a strong understanding of both the regulations and the challenges when implementing them. Sia Partners also has an experienced team with complementary profiles and global coverage.
The main areas where Sia Partners can support your company are:
For details of our offerings, please visit our GDPR page.
https://www.lexology.com/library/detail.aspx?g=4d293c53-4478-4e00-a3d1-…
https://consultations.ag.gov.au/rights-and-protections/online-privacy-b…
https://www.pcpd.org.hk/tc_chi/resources_centre/publications/books/file…
https://www.pcpd.org.hk/english/news_events/media_statements/press_2020…