Covid-19 Has Not Stopped Regulators Progressing on Data Privacy Laws

Although government agendas have been heavily modified over the course of 2020 due to the COVID pandemic, a few APAC countries have made significant progress and updated their local data privacy laws.

The APAC region remains a challenge for organisations, to keep up with the different updates from many locations but also to create a regional framework and monitor the data privacy implementation. This patchwork of different regulations also brings out stakes to standardize the operations, in particular for sharing personal information across borders.

The latest trends in regulations define a tendency to strengthen the regulatory framework but also to align them with GDPR concepts. Numerous local regulations on personal data have recently been updated to be more aligned with the current risks, ensuring better protection of data subjects or a mandatory data breach notification.

On July 3, 2020, the National People’s Congress released the first draft of the Data Security Law. The Draft Law will then proceed through at least two additional drafting rounds before going to a vote. Although the timing of these next steps is difficult to pinpoint, many analysts predict that the law could be passed by the end of 2020.

CRITICAL DATA CLASSIFICATION

The Draft Law stipulates that data should be categorized according to potential harms to national security or the public interest. Authorities are expected to create catalogs of critical data, and entities that process those data are expected to designate data security managers to implement additional measures for critical data.

EXTRATERRITORIAL SCOPE

The Draft Law introduces extraterritorial jurisdiction over foreign entities that engage in data activities inside and outside of China that harm national security or the public interest, and empowers the state to adopt countermeasures against countries that impose restrictive or discriminatory trade and investment safeguards against China.

A REVIEW SYSTEM FOR DATA ACTIVITIES

A data security review system will be established to examine any data activities that may be deemed to pose risks to national security. The Draft Law does not specify the criteria on which the review will be based.

INCREASED SANCTION THRESHOLD 

Individuals and entities involved in data activities that violate the Law can be fined up to 1 million RMB  for failing to correct their behavior.

On January 2020 the Office of the Privacy Commissioner for Personal Data (PCPD) published a Review Paper with proposed amendments of the Personal Data (Privacy) Ordinance (PDPO).

THE BREACH NOTIFICATION REQUIREMENT

Proposing a mandatory data breach notification mechanism, which would require data users to notify the PCPD and relevant data subjects of data breach incidents.

DATA RETENTION POLICY

Considering to expressly require the personal data policy of data users to include a data retention policy, so that data users must ensure that the persons concerned are clearly informed of the details of the retention policy.

SANCTIONING POWERS 

Exploring the feasibility of introducing an administrative fine linked to the annual turnover of the data user.

REGULATION OF DATA PROCESSORS

Imposing legal obligations on them or sub-contractors. For instance, data processors may be required to be directly accountable for personal data retention and security.

DEFINITION OF PERSONAL DATA

Expanding the definition of “personal data” under the PDPO to cover information relating to an “identifiable”

DISCLOSURE OF PERSONAL DATA OF OTHER DATA SUBJECTS

Conferring on the Commissioner statutory powers to request the removal of doxxing content from social media platforms or websites, as well as the powers to carry out criminal investigation and prosecution. 

Japan has recently started to revise its data privacy law, the Act on the Protection of Personal Information (APPI). The new guidelines are expected for public comment by 2021 and the amendments should become fully enforceable in 2022.

BREACH NOTIFICATION REQUIREMENT

Companies are required to notify the individual and Personal Information Protection Commission (PPC) as soon as possible through a preliminary report, especially if the breach potentially impacts the violation of individual rights and interests. A second report should follow with more detailed information on the breach and the remediation plan.

INCREASED SANCTION THRESHOLD 

The limits on fines for violations of the Act on the Protection of Personal Information will be increased. For companies, the new threshold has been set at 100 million yen. 

EXTRATERRITORIAL SCOPE

This new amendment clearly defines the scope of the regulation by indicating that the obligations and penalties apply to entities outside of Japan and include entities that process an individual's personal data in Japan.

PSEUDONYMIZATION WITHOUT CONSENT

Other improvements of this amendment are about expanding the pseudonymization concept to allow transfer to third parties without consent if the data is pseudonymized when handled by the third party.

In January 2020, the national legislature of South Korea passed a set of amendments on various laws related to the protection of personal data. The Personal Information Protection Act (PIPA), the Network Act and the Credit Information Act have been modified and changes are expected to be implemented by companies in the coming months.

PSEUDONYMIZATION WITHOUT CONSENT

It allows the processing of pseudonymized information without the consent of the data subject for purposes including statistical compiling, scientific research, and record preservation in the public’s interest.

CENTRAL ROLE OF PIPA AND PIPC

Transfer of the personal information-related provisions in the Network Act to the PIPA. The Personal Information Protection Commission’s (PIPC) becomes the sole supervisory authority responsible for the enforcement of the PIPA.

MEASURES FOR PERSONAL CREDIT INFORMATION

Amendments to the Credit Information Act include similar provisions as of the PIPA (e.g. pseudonymization). In addition, it introduces the concept of MyData services (to allow individuals to conduct integrated searches of their own credit information) and specific rights to credit information subjects (e.g. right to transmit their personal credit information to other financial companies). 

The Personal Data Protection Bill was recently introduced in early October with amendments of the Personal Data Protection Act. The enforcement of the Bill is expected in the next few months.

BREACH NOTIFICATION REQUIREMENT

A mandatory data breach notification must be sent to the authority within 72 hours after detecting the breach. The organization has 30 days to complete an investigation.

INCREASED SANCTION THRESHOLD 

The bill enhances the financial penalties for breaches to up to 10% of the offending organization’s annual turnover or SGD 1 million (whichever is higher).

CONSENT

The bill expands the scope of deemed consent under two specific circumstances (“contractual necessity” and “notification and opt-out”). Two new exceptions for consent collection are also introduced (“legitimate interests” and “business improvement”).

DATA PORTABILITY

The bill introduces a new data portability right for the individual, giving the ability to request the transmission of data to other third parties. 

ANTI-SPAM

The bill is tightening anti-spam laws to cover unsolicited messages over instant messaging accounts. The DNC (Do Not Call) provisions will prohibit the sending of messages to telephone numbers obtained through dictionary attacks and address harvesting software.

With nearly 100 data privacy projects already delivered, Sia Partners has a strong understanding of both the regulations and the challenges when implementing them. Sia Partners also has an experienced team with complementary profiles and a global coverage.

The main area where Sia Partners can support your company are:

Maturity Assessment 

• Make an inventory of personal data processing activities to be implemented in the record of processing activities
   
• Assess the maturity level of the company with data privacy regulations using Sia Partners’ tool
   
• Develop an action plan (structuring of the work to be done and list of actions for each theme)

Implementation Support

• Support Data Privacy projects with strong project management capabilities

• Perform compliance actions on all identified workstreams (information, consent, contracts, etc.)

• Perform project switches from project mode to BAU mode

Data Protection Officer Support

• Provide recommendations on complex issues

• Represent your company in dealings with third parties

• Perform the BAU work and animate the data privacy network inside the company

Training Support

• Define both training and communication plans

• Carry out training actions (e-learning, in-class, blended learning, microlearning, etc.)

For more information please contact vincent.kasbi@sia-partners.com