In our last editorial we covered key challenges for achieving and maintaining GDPR compliance by and beyond 25 May 2018. We recognise, however, that there is a fair amount of GDPR fatigue around and a danger of overlooking key legal and regulatory requirements relating to data in other jurisdictions. Therefore, in this editorial we focus on other important regulatory issues around data, particularly in APAC.
The example of e-payments
Data is a key asset across industries, and data protection laws and regulations come into play across the spectrum. Take the example of e-payment - a hot topic for most jurisdictions in APAC. A growing range of businesses are investigating the e-payment opportunities and risks for their business. Players in the e-payment space come from a large range of industries including financial institutions, payment processors, telecommunications companies, ride share businesses, marketplace operators and consumer product companies. Core to many e-payment offerings is being able to access merchants and customers in multiple jurisdictions. In developing their e-payment offerings, these businesses need to keep a close eye on regulation of data. High priorities to watch are the rules for protecting data and any notification of breach, as well as restrictions on where or how the data must be stored.
Evolving personal data protection laws in APAC
Global and regional businesses are grappling with the evolving nature of personal data protection laws in APAC. Law-makers in several jurisdictions in APAC have been developing new or updating existing laws for handling and protecting data. These laws are mainly targeting personal data and cybersecurity. And, they are all a bit different.
Here is a sample of new and developing issues. In Australia, mandatory data breach notification requirements started in February 2018 (our flowchart guide to reporting is here). The regulator recently reported on notification activity to date (our alert here). In the Philippines, the Personal Data Protection Act has been progressively rolled out, requiring regulated organisations to meet registration and reporting requirements. In Thailand, the Data Protection Bill is under development and has recently undergone a consultation process. Singapore is currently contemplating several changes to its personal data protection laws. It is hard to keep up.
Alongside personal data protection regimes, businesses also need to keep up with the development of cybersecurity laws. Most jurisdictions have laws making hacking or other unauthorized attacks on a computer network illegal. Building on this, there is a new wave of cybersecurity laws imposing obligations on regulated businesses to protect their infrastructure against cybersecurity threats and report cybersecurity incidents. New laws in jurisdictions like Singapore are directed at regulating critical infrastructure supporting the delivery of essential services (see here for further details). Other jurisdictions like China have taken a much broader approach to who is regulated. Thailand and Vietnam have released draft cybersecurity laws for consultation. The ability to make payments securely is obviously critical to e-payment offerings.
Data localisation requirements
A key question is checking which personal data and cybersecurity laws contain a data localisation requirement. This may be a requirement to keep all instances of the data onshore or ensure that an instance of the data and potentially a back-up is kept onshore. A check on current and proposed localisation requirements for China, Vietnam and Indonesia shows a range of regulatory approaches.
Localisation requirements trigger key business decisions such as whether to restructure existing operations, install local servers or make other changes to a business model. For a region like APAC, localisation requirements can be a key deciding factor on whether to expand the business into a jurisdiction. For example, is the business prepared to spend on local infrastructure or restructure its e-payment offering to meet localisation requirements in a single jurisdiction? That may be a very difficult decision given the rapid expansion of internet access to the APAC region expected in the next few years, particularly within ASEAN where there has been much focus on digitisation initiatives.
The challenge for law-makers on data protection regulation
There is much for businesses to think about around data regulation. The same is true for law-makers. Many law-makers acknowledge this challenge. In APAC, we are seeing from law-makers and regulators a strong interest in engaging with industry to better understand technology and seek industry views on what laws regulating data should look like.
Governments are trying to balance protection of data and essential services with facilitating economic development. Governments know that if they are too hard to do business with, then development risks going elsewhere. On the flip side, governments also know that they risk losing investment and facing public criticism if they are perceived as lacking in data protection measures.
Data Protection - an evolving landscape
In summary, in exploring opportunities like the rollout of e-payment offerings to multiple jurisdictions, please beware of the gaps between jurisdictions and the complex and evolving landscape governing where data is stored, in addition to how it must be handled and protected. We invite you to browse the 2018 edition of our Global Privacy Handbook which provides detailed overviews of the data protection standards in over 50 countries. As illustrated by the Handbook, businesses operating across multiple jurisdictions will likely need to accommodate several regulatory approaches to personal data protection. This observation is very true for APAC.