The past few months have seen many substantial and interesting developments in data privacy laws and practices across the Asia Pacific region, including significant enforcement activity in Singapore and Hong Kong, important amendments to the Taiwanese data protection law, and further signs of a "right to be forgotten" emerging in Asia. We highlight the major developments across the region. We recommend that organisations handling personal data in Asia Pacific take note of these developments and their potential impact on their existing data privacy practices.
Singapore: PDPA enforcement decisions published for the first time since enactment
For the first time since the data protection obligations in Singapore's Personal Data Protection Act 2012 (PDPA) came into full effect in July 2014, Singapore's Personal Data Protection Commission (PDPC) has published decisions regarding enforcement action. The PDPC has also published advisory guidelines on enforcement of the PDPA. See our overview and analysis of the key points arising from the nine decisions and the guidance here. With the PDPC's active enforcement of the PDPA, organisations are urged to review their data handling practices to ensure compliance with the PDPA.
Hong Kong: New direct marketing case results in community service order
A Hong Kong court has for the first time issued a community service order for contraventions of the direct marketing provisions of the Personal Data (Privacy) Ordinance. This case is significant given the severity of the order, and again places the insurance sector in the spotlight. It also shows the willingness of the court to place a deterrent effect on contraventions of the direct marketing provisions. See our overview and analysis of this decision and its potential impact on direct marketing practices in Hong Kong here. This is another timely reminder to organisations in Hong Kong to review their direct marketing practices.
Taiwan: Significant amendments to data protection law now in effect
A number of amendments to Taiwan's Personal Data Protection Act came into effect on 15 March 2016. This is the first time the legislation has been amended since it came into force in October 2012. The amendments include: changes to the notice/consent rules for collection and use of personal data and sensitive personal data; a broader scope of sensitive personal data; expansion of the grounds for legitimate collection, processing and use of personal data; and new criminal sanctions for intentional breaches of the law. Organisations are encouraged to update their data privacy practices in Taiwan to ensure compliance with the amended law.
Malaysia: New compounding of data privacy offences regulations
The Personal Data Protection (Compounding of Offences) Regulations 2016 have come into force. These provide the option to compound certain offences under the Personal Data Protection Act (PDPA), and establish the relevant procedures for doing so. The Commissioner can offer an organisation that is suspected of certain offences under the PDPA to compound it by paying up to 50% of the maximum fine for that offence by an agreed deadline. as an alternative to prosecution, thus giving an opportunity to reduce potential fines. Organisations should bear this in mind if they become aware of a breach of the PDPA.
South Korea: The path towards recognising the "right to be forgotten"?
South Korea (alongside Japan) has been at the forefront of developments in the region towards a European-style "right to be forgotten". A task force was established by the South Korean communications regulator (the "KCC") in 2014 to consider possible reforms to the South Korean privacy framework to allow individuals in South Korea the right to request online personal information be removed. On 25 March 2016, the KCC published draft guidelines proposing to allow an individual the right to ask for his or her own online postings, photos and videos on social media sites and online forums to be removed, subject to certain conditions. It also proposes equivalent rights for family members or other nominees on behalf of someone who has died. The scheme proposed by the draft guidelines will be trialed before it is formally implemented, but has been widely reported as the first steps towards the introduction of a "right to be forgotten".
Other news in the region
- Australia: Data breaches, information risk and cybersecurity are issues that remain at the forefront of the minds of boards and management. In particular, organisations are maintaining a watching brief on the progress of Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 in the Federal parliament (although upcoming elections in July 2016 are likely to delay further consideration of the bill until late 2016 at the earliest), and the potential penalties for (and reputational damage that may flow from) non-compliance. As presently drafted, the bill will require organisations to notify the Australian Information Commissioner and affected individuals following a ‘serious data breach' (ie, where the loss, unauthorised access or unauthorised disclosure of personal information, credit reporting information, credit eligibility information, or tax file number information puts any of the individuals to whom the information relates at ‘real risk of serious harm’). Read more about the present bill on the Attorney-General's site. Also, the Australian government released in late April a cyber strategy policy which, while a policy document, indicates the Australian government recognises the need for greater investment in cyber security and increased collaboration between public and private sectors.
- The Philippines: despite increased concerns over cybersecurity in the country and worldwide, there has been no update regarding the establishment of the National Privacy Commission, the data privacy regulator tasked with overseeing implementation and enforcement of the Data Privacy Act 2012, nor publication of the long-awaited Implementing Rules and Regulations, leaving a void as to how in practice the law is to be interpreted and enforced. This uncertain situation has provoked criticism, not least from the burgeoning outsourcing industry.
- Impact of recent European developments. Data protection regulators across the region have been watching recent data protection developments in Europe - notably the approval of the new General Data Protection Regulation, the Safeharbour decision and the new Privacy Shield - with interest. While some of the regulators have commented on the possible impact of the European developments on the data privacy laws and practices in the Asia Pacific region, no changes have yet been formally announced.