2014 saw a large number of significant developments in data privacy laws across Asia-Pacific. However, unsurprisingly there has not been a consistent approach across Asia-Pacific towards the development of data privacy legislation, and some countries have made little visible progress. This article summarises some of the key changes in data privacy regulations and legislation in various jurisdictions across Asia-Pacific in 2014.
Australia’s data privacy regulatory landscape changed significantly in 2014. On 12 March 2014, the Privacy Amendment (Enhancing Privacy Protection) Act 2012 came into force and introduced strong protections in relation to data privacy. This legislation replaced existing data privacy laws with a single set of privacy principles, referred to as the Australian Privacy Principles (APPs). Among other things, the APPs prescribe that entities can only use information for the purposes for which it was collected and also require entities to take appropriate steps to protect information before it is disclosed overseas. If an entity breaches the APPs, that entity could be fined up to AUD$1.7 million for each breach.
There is no single law that deals with protection of personal data across the whole of China. Instead, there are a number of different laws, including the Chinese Constitution, which protect personal information, as well as established industry-specific rules relating to the collection by electronic means of people’s personal information. For example, businesses providing Internet information services are required to comply with data privacy laws issued by the Ministry of Industry and Information Technology.
China issued a number of new regulations in 2014 with respect to data protection, and we have summarized some of these below.
In March 2014, a new regulation came into effect requiring all companies providing goods and services within China to collect, use and disclose consumers’ personal data in accordance with a specific set of rules. These rules include only collecting personal information with the consumers’ consent and making clear to the consumers the purpose of the collection of personal data and what it will be used for. Penalties for breach of these rules include fines of up to RMB 500,000 and revocation of a company’s business license.
New rules were also issued in March 2014 which set out a regulatory framework for the protection of personal data in relation to the postal and delivery services in China. The aim of the rules is to prevent the loss and unauthorised disclosure of personal data and to ensure that the employees of postal and delivery services are properly trained in understanding their data protection obligations.
Hong Kong’s Personal Data Protection Ordinance (PDPO) came into force in 1996, making it one of the most established privacy regimes in Asia-Pacific (an English language translation is available here). Hong Kong implemented a significant reform of the PDPO in 2012, and in 2013 Hong Kong implemented a direct marketing regime widely considered to be amongst the most stringent in the world.
2014 was not a year of big changes for data protection legislation in Hong Kong. However, Hong Kong’s privacy commissioner (the Commissioner) is actively enforcing the legislation, naming and shaming companies found to be in breach and issuing guidelines on various matters. Some notable examples of enforcement and guidance which may impact businesses operating in Hong Kong are:
- In October 2014, the Commissioner introduced comprehensive guidance for financial institutions on how to handle customers’ personal data. This guidance covers collection, processing, storage and use of personal data and direct marketing and contains a number of helpful practical examples. The full guidance can be downloaded here.
- The Commissioner handed down the first prison sentence ever imposed in Hong Kong for breach of the PDPO. The sentence was given in December 2014 to an insurance agent for making false statements during a data privacy investigation in 2012. We expect that this will mark the start of stricter enforcement of privacy legislation in Hong Kong.
- Section 33 of the PDPO contains provisions which restrict the transfer of personal data outside Hong Kong. To date, these provisions have not been brought into force. However, on 29 December 2014, the Commissioner released guidance on cross-border transfers. This guidance recommends the use of model clauses for cross-border transfers, but states that the clauses would not need to be used verbatim (unlike the European model clauses) and can be amended to fit the relevant business situation. Although this guidance suggests that the cross-border restrictions in Section 33 of the PDPO will come into force soon, the Commissioner makes it clear that no date for implementation has been fixed. The full guidance can be found here.
- In November 2014, the Commissioner released a best practice guide for the development of mobile applications to ensure that applications collect and process personal data in compliance with the PDPO. The guidance focuses on “privacy by design” and includes a checklist to consider how best to develop an app that protects personal data of users. The full guidance can be found here.
Indonesia has no consolidated privacy law and, despite discussions in 2013 to consider implementation of consolidated legislation, none was released in 2014.
In April 2014, the Asia Pacific Economic Co-operation (APEC) approved Japan as the third APEC nation to have met the conditions for participation in the APEC Cross-Border Privacy Rules System. This system is designed to develop global interoperability of organisations’ consumer data protection measures.
In June 2014, Japan announced a number of proposed changes to Japan’s Personal Information Protection Act 2003 (the Act). An English language translation of the full policy outline setting out the proposed changes can be found here. The aim of the proposed amendments is to facilitate the use of personal data while still protecting the privacy of individuals. The amendments include:
- Mechanisms that allow transfers of personal data without consent
- An expansion of the definition of “personal information”
- Introduction of a new category of “sensitive information” requiring special protection
- The establishment of an independent third party organisation to enforce and monitor the Act
A bill to amend the Act is expected to pass in 2015.
The data privacy regime in Macau is closely linked to the European data protection regime, as it is modelled on the European regime as implemented in Portugal (please click here for a link to an English language translation of the Macau Personal Data Protection Act 8/2005). There have been no significant developments in 2014, but given the close links to the European regime, it will be interesting to see whether the Macanese regime is updated to reflect the proposed European changes when they are implemented in Europe.
2014 is the first year in which the Malaysian Personal Data Protection Act (the PDPA), an English language translation of which can be found here, has been in force since its enactment on 15 November 2013. Although there have not been any significant developments during 2014, companies are still adjusting to the new legislation and taking steps to ensure compliance.
Myanmar does not have a comprehensive data privacy law. There is existing legislation (e.g. e-commerce rules) which affords some protection to personal data, but there is no single piece of legislation protecting personal information.
New Zealand has established legislation that follows the EU approach to data protection. In 2012, the European Commission formally recognised the adequacy of personal data protection law in New Zealand, making the country’s Privacy Act the first and currently the only law in Asia to be recognized as adequate by the EU.
In 2014, the government of New Zealand announced its proposal to improve upon the existing data privacy legislation to enhance existing protections for personal data. Among other suggestions, the proposals would (i) create new offences and increase fines, (ii) increase the powers of New Zealand’s Privacy Commissioner to enforce the data privacy legislation, and (iii) clarify the law surrounding cross-border data transfers. However, although this will represent a significant development, a specific time frame for the reforms has not yet been announced.
The Philippines has specific data protection legislation which came into effect in 2012. This legislation provides for the establishment of the National Privacy Commission to oversee and enforce data privacy. However, this commission has not yet been set up.
2014 has been a particularly significant year for data privacy in Singapore. On 2 July 2014, Singapore fully implemented the provisions of the Singapore Personal Data Protection Act 2012 (the PDPA). The PDPA applies to all companies in Singapore but does not apply to government organisations.
The PDPA sets out the obligations which organisations must comply with concerning the collection, use and disclosure of personal information. At a high level, among other obligations, organisations must (i) notify individuals before they collect their data of the purposes for which they intend to collect, use or disclose personal data about an individual, (ii) only collect, use or disclose personal data for reasonable purposes given the circumstances or those that have been notified to the individual, and (iii) only collect, use or disclose the personal data of an individual if that individual has given his or her consent.
The Do Not Call provisions in the PDPA place strict limits on direct marketing by phone, including a prohibition on marketing by telephone (including calls, SMS messages and any other message to any Singapore telephone number) where the telephone number is listed on a do not call register.
The PDPA provides the Personal Data Protection Commission (the Commission) with a range of tools that the Commission can use to investigate alleged breaches of the PDPA and enforce the PDPA. Sanctions for breaching obligations under the PDPA include fines of up to S$1 million and imprisonment for up to three years. Despite the fact that the PDPA was only recently fully implemented, the Commission has already flexed its powers against a tuition agency which was held to be in breach of the Do Not Call provisions. The tuition agency and its director were each fined S$39,000 for sending marketing SMS messages to individuals registered on the Do Not Call Registry.
For more details of the PDPA and how it has been enforced in Singapore please see our post “Enforcement of the Personal Data Protection Act in Singapore”.
South Korea’s data privacy regime, already widely considered to be the strictest in Asia-Pacific, became even tighter with the amended Personal Information Protection Act (“PIPA”), which came into force on 7 August 2014.
Under PIPA, companies will need to obtain data subject consent in order to transmit advertising information by email. In addition, companies must disclose the identities of any third party data processors and must report all data breaches to data subjects. Where over 10,000 data subjects are affected, companies must also notify the Ministry of Security and Public Administration. Stricter notification provisions apply to online providers of information and online communications services under the “Promotion of Information and Communications Network Utilization and Information Protection (IT Network Act)”.
The South Korean regime is subject to extensive enforcement mechanisms, including the right for data subjects to bring class action suits against offenders. PIPA implements strict penalties for failure to protect customer data, including fines of KRW 100 million (approximately US$90,000) and imprisonment of up to 10 years.
PIPA also introduces tax incentives for companies to invest in fighting cyber-attacks.
Taiwan’s Personal Information Protection Act has been in force since 2012 and regulates the collection, processing and use of personal data by both the public and private sectors. The legislation provides strong protection of personal data; however, because these rules have not been in force for long, the extent to which this legislation will be enforced is still not clear.
Taiwanese regulators recently investigated major smartphone companies, including Chinese company Xiaomi, for breach of data protection laws (please click here for a link to our article regarding the investigation of this data breach in Singapore). Media outlets reported that Xiaomi phones had a default feature which collected address book data without users’ consent and Xiaomi said it would change this. In December 2014, regulators cleared these companies of any breach of data protection laws; however, regulators requested that mobile phone makers improve security surrounding the transmission of information.
Thailand does not have a comprehensive law relating to data protection. There is some existing legislation which sets out what specific industries can and cannot do with personal data. For example, laws applicable to the telecommunications industry prohibit a telecommunications operator from collecting sensitive personal information.
A draft Personal Information Protection Act is with the Office of the Public Sector Development Commission. There have been no further updates on the current status of this draft act, and, in light of the military taking over power in 2014, it is uncertain whether this draft will progress in the near future.
Vietnam does not have a comprehensive data privacy protection law. However, there are a number of laws dealing with data protection. For example, electronic personal data is regulated by the Law on Information Technology and the Law on Electronic Transactions.
A draft law on information safety, which covers cybersecurity and use of personal data, is under review by the government of Vietnam. The current status of this draft is not clear.
In 2014, the government of Vietnam issued new laws which replace and consolidate existing laws relating to the information communication technology sector. These new laws set out fines for breaches by companies and individuals of telecommunications and internet regulations, including fines for failing to protect electronic personal data. For example, a company will be fined if it collects, processes or uses an individual's personal information without his or her consent, or if it discloses personal information collected from a social network site without prior consent of the relevant individual.