Asia privacy developments – What do multinationals need to know?

The privacy laws in Asia are being transformed. In the past 12 months, several key jurisdictions, including Australia, the PRC, India, Indonesia, Japan, Thailand, and Vietnam have either introduced their jurisdiction’s first-ever comprehensive data protection laws or are updating and reforming their existing privacy laws. This includes:

  • Australia: Which has amended its Privacy Act 1988 and introduced the Telecommunications Regulations 2021 and the Security of Critical Infrastructure Act 2018
  • The PRC: Which has enacted the Personal Information Protection Law (“PIPL”)
  • Indonesia: Which has passed its long awaited Data Protection Law
  • Japan: Which has updated the Act on Protection of Personal Information
  • Thailand: Which has introduced the Personal Data Protection Act B.E. 2562 (2019)
  • Vietnam: Which has very recently passed Decree No. 13/2023/ND-CP

We explore some of the key themes from these developments and consider what impact these new regulations may have on businesses operating within this region.

Similar to the GDPR but not the same

Many jurisdictions in Asia are borrowing concepts from GDPR in their data privacy regimes but with local differences and concepts which, in some cases, go beyond the equivalent position under GDPR.

For example, in the PRC, the PIPL mirrors a majority of the principles under the GDPR. It grants data subjects a variety of rights, defines specific legal bases for the processing of personal data, uses the concepts of data controller and data processor, and requires the designation of a data protection officer and a local representative. However, there are a number of key differences. These include the PRC’s cross-border transfer restrictions (see more on this below) as well as additional requirements on privacy notices which go above and beyond those of the GDPR.

Other jurisdictions such as Indonesia, Thailand and Vietnam also borrow heavily from the GDPR, but again with local variations. For example, the Vietnamese law imports the GDPR concepts of “data controller” and “data processor” but introduces a new concept of “data controller and processor” – a party that both decides the purposes and means of processing and directly processes the personal data itself.

This means that organisations in Asia which already have embedded GDPR processes will still need to carefully assess these new incoming laws and understand which areas require additional compliance work.

For organisations in Asia which don’t have embedded GDPR processes, the compliance lift is much greater. You will need to undertake a new compliance program in order to ensure your organisation is on track to comply with these brand new data privacy laws.

Cross-border transfer rules and data flows

Governments and regulators are also turning their focus on cross-border transfer of personal data.

Taking Japan as an example, organisations must obtain prior consent from the relevant data subject for any transfer of personal data to a third party in a foreign jurisdiction, unless:

  1. that jurisdiction’s data protection system is considered by the Personal Information Protection Commission (“PIPC”) as having a level of protection equivalent to that of Japan, or
  2. the third party has established a sufficient data protection system that meets the standards established by the PIPC.

In practical terms, an organisation seeking to obtain consent must provide the data subject with information that the data subject can use to assess the proposed transfer. This includes:

  • the name of the jurisdiction to which the personal data will be transferred,
  • an outline of the data protection system of the jurisdiction to which the personal data will be transferred, and
  • the data protection measures established in the third party.

Indonesia’s new law also includes restrictions on cross-border transfer and mandates that organisations ensure that the country to which the personal data is being exported has a level of data protection equal to or higher than that under Indonesia’s new law. This final position is actually watered down compared to the data localisation obligations in a previous draft of Indonesia’s Personal Data Protection Bill.

For cross-border transfer of personal data out of Vietnam, the organisation transferring data abroad must undertake a transfer impact assessment and also enter into a legally binding document that sets out the data exporter’s and data importer’s responsibilities with respect to the transfer of data from Vietnam.

Furthermore, the party transferring data abroad must submit the impact assessment to the Department of Cyber Security and High-Tech Crime Prevention. Note however that the Law on Cyber Information Security contains mandatory data localisation requirements on local and foreign providers of telecommunications services, internet services and value-added services. These are not amended by the new developments in Vietnam.

Finally, we have explored China’s new data export regime and new SCCs in detail in our separate posts on those topics.

These developments mean that organisations will need to carefully assess their cross-border data flows in Asia to determine the restrictions that they will need to comply with.

Any organisations which also have operations in the EU – and have group wide EU SCCs in place – will still need to assess how those SCCs can be incorporated into the organisation’s compliance process on cross-border transfers in Asia.

Extra-territorial effect

Another common theme (such as in the PRC and Thailand) is to apply extra-territorial provisions similar to those in GDPR. Those laws apply not only to the processing of personal data within those jurisdictions, but also on an extra-territorial basis if data processing activities: (i) relate to the offering of products or services to individuals located within such jurisdiction; or (ii) relate to the monitoring of the behaviour of such individuals within such jurisdiction.

Furthermore, in Australia, the Full Federal Court of Australia held that there was a prima facie case that activities undertaken by offshore social media providers can amount to carrying on business and collecting personal information in Australia. While this decision is under appeal, it is expected that the outcome of this case will significantly impact the extra-territorial application of Australia’s amended Privacy Act 1988.

The increase in extra-territorial effect means that organisations based in Asia will need to carefully assess which laws will apply to that organisation and whether a risk-based approach might be possible. If, for example, the organisation has no subsidiary or on-the-ground operations in that jurisdiction, any enforcement by a regulator in that market might be legally and practically challenging.

All backed up by significant new sanctions

These obligations are supported by significant new sanctions, with some countries adopting the GDPR approach of turnover-based fines. For example:

  • Australia: The maximum penalty for breaching data privacy laws increased from AUD2.2 million (approximately US$1.47 million) to the greater of: (i) AUD50 million (approximately US$33.45 million); (ii) three times the value of the benefit obtained from such breach; or (iii) if such value cannot be determined, 30% of turnover during the turnover period in which the breach occurred.
  • Singapore: Singapore’s penalty cap was increased to SGD1 million (approximately US$0.75 million) or 10% of an organisation’s annual turnover for organisations with an annual local turnover exceeding SGD10 million (approximately US$7.5 million), whichever is higher.
  • The PRC: Similarly in the PRC, a fine of up to RMB50 million (approximately US$7.2 million) or 5% of turnover for the preceding year could be imposed.
  • Japan: While Japan did not adopt such a percentage-based cap, the maximum fine for violation of data privacy laws increased significantly from JPY300,000 (approximately US$2,200) to JPY100 million (approximately US$0.74 million).

In addition, in some jurisdictions responsible officers could face personal liability. For example, a fine of up to RMB1 million (approximately US$0.14 million) could be imposed on responsible officers in the PRC.

The magnitude of potential enforcement means that data privacy issues will soon become (if they are not already) a board-level issue for many organisations in Asia, and will require organisations to invest significantly in their compliance with such laws.

Please reach out to us if you have any questions. Stay tuned for further updates as we see them.