Across Asia, and APAC more generally, there is a growing body of law and regulation on cross-border personal data transfers which is not necessarily captured by GDPR 'baselines'.
Taking the approaches of six major Asian economies by way of example, it's easy (if not surprising) to see there are major differences in legal approach, implementation and enforcement across Asia. Having said that, despite the differences, the concepts used in most Asian jurisdictions will be familiar to privacy specialists in Europe. Definitions of data and the principles that govern it are analogous to those of the GDPR and the trend is clearly in the direction of closer alignment.
The review below is a snapshot and not intended to be comprehensive. Differences in the definition of personal data and categories of sensitive personal data exist in every jurisdiction. Similarly, exemptions to all or part of the transfer restrictions and requirements exist in many jurisdictions in emergency situations or to facilitate legal proceedings or journalism.
India's current privacy regime is set out in the Information Technology Act, 2000 (IT Act) and the rules made under it, but the Personal Data Protection Bill (PDP) currently under scrutiny will, if passed, introduce comprehensive changes to the way personal data is protected in India. Given that the PDP is expected to pass, we look both at current Indian transfer requirements and at what will happen if the PDP becomes law.
Under the PDP, certain types of personal data can be designated as 'critical personal data' by the central government and will be precluded from export beyond India in most cases. A stronger emphasis on obtaining data subject consent to a transfer of sensitive data (in addition to other requirements) marks the PDP out as even stricter in some respects than the GDPR.
At present the ability to transfer to a jurisdiction deemed 'adequate' is unclear. The IT Act allows transfer to any jurisdiction which "ensures the same level of data protection that is adhered to by the body corporate as provided for under [the IT Act]" but there is no mechanism for anybody to make an adequacy decision. This leaves data exporters to take the decision, and the risk of it, themselves.
Under the PDP the Data Protection Authority of India (DPAI) will be able to assess adequacy of a country, entity, or international organisation. The central government will be empowered to make a similar decision in respect of exports of critical personal data.
At present Indian law does not require data subject consent for the transfer of personal data (including sensitive personal data). Consent may be used as a basis for such a transfer but it will not be sufficient if the importing country does not offer standards of protection at least equivalent to those in India.
The PDP will offer a broader definition of sensitive personal data, adding financial data and data about caste, tribe, and religious or political belief or affiliation. Under the new regime consent to transfer will become essential (but, as now, not sufficient) to permit a transfer in most circumstances.
Current law seems to permit self-assessment for intra-company transfers but does not provide any criteria for the assessment.
Under the PDP only the DPAI or, in the case of exports of critical personal data, the central government, will be permitted to assess adequacy.
No certification schemes are in current operation or proposed in the PDP.
Neither contractual arrangements nor Binding Corporate Rules (BCRs) are expressly provided for under the IT Act. Under the PDP, however, a contract in a form approved by the DPAI will be sufficient to permit a transfer of sensitive personal data (where consent has been obtained), and transfers made "pursuant to an intra-group scheme approved by the [DPAI]" will also be permitted.
Following the mutual finding of adequacy between Japan and the EU in early 2019, data transfers became more straightforward. While the two regimes remain distinct, recent amendments to the Act on the Protection of Personal Information (the APPI), together with supplementary rules that apply only to data received under the EU adequacy decision, will bring them closer together when the changes come into force (expected in 2022). The changes include an expansion of the extraterritorial effect of the APPI and a new mechanism to allow EU residents to file complaints with Japan's data protection authority if public authorities in Japan unlawfully access their data.
Japan has a mutual finding of adequacy with the EU, which means that personal data can be transferred between Japan and EU Member States, subject to processing conditions being satisfied, without the need for an additional legal mechanism.
The Personal Information Protection Commission of Japan (the PPC) can whitelist foreign countries it has assessed as having privacy standards equivalent to those of Japan.
Data subject consent to international transfers is usually required, though exceptions may apply. For consent to be valid, the data subject must be clearly informed that the personal information will be transferred to a third party in a foreign country, and be provided with all the information necessary to make an informed decision to consent.
Organisations cannot self-assess the acceptability of an international transfer; such powers are reserved to the PPC.
Transfers may take place on the basis of contractual terms or BCRs if they "ensure, in relation to the handling of personal data by the person who receives the provision, the implementation of measures in line with the purpose of the provisions under APPI by an appropriate and reasonable method".
The South Korean privacy regime places a heavy focus on the responsibilities of public bodies as well as those of private entities. A number of legislative provisions cover data privacy requirements. The Personal Information Protection Act (PIPA) is the most significant of these, with the Network Act (the Act on Promotion of Information and Communications Network Utilisation and Information Protection) also containing important provisions, largely focused on information and communications service providers.
The focus of the South Korean privacy regime is on consent to processing, and particularly to data transfers, with only limited exceptions.
There is no provision for an adequacy finding or whitelisting of countries or organisations to be made under PIPA.
Although data subject consent is generally required for exports of personal data from South Korea, it is not required for some types of outsourcing work (a distinction not common in other jurisdictions).
There is no option under PIPA for an organisation to self-certify a transfer of personal data as being secure or permitted.
Although the legislation does not expressly require any specific transfer mechanism to be used to export personal data from South Korea, there are requirements in respect of technical measures to be adopted to ensure the security of the data, and in practice these cannot be guaranteed outside of a contractual arrangement between exporter and importer. No form of model clauses is in use in South Korea and BCRs are not formally recognised.
Data privacy in the People's Republic of China is largely governed by the Cyber Security Law of 2016 which restricts transfers of personal data both within and beyond national borders and requires informed consent to a transfer in most cases. Numerous sector-specific regulations apply in addition to the Cyber Security Law and generally override it in case of conflict.
Separate privacy regimes operate in Hong Kong and Macau, each of which is closer in nature to EU privacy law.
There are no adequacy arrangements in place with any other country. The regulator, the Cyberspace Administration of China (CAC), has no authority to make adequacy assessments.
Data subject consent is essential for most data transfers originating in China and, although consent can be implied in a few scenarios, it must usually be explicit, proactive consent. Consent alone will not be sufficient to permit a transfer; compliance with security standards for both the transfer itself and the destination country will also be required.
The Cyber Security Law does not permit self-assessment of transfer risks by organisations, instead requiring the relevant government agencies (depending on the sector) to conduct transfer security assessments.
Sector-specific regulations apply to ensure the legality of data transfers and take precedence over the general law; areas that are specifically regulated include banking and healthcare. New Cross-Border Transfer Assessment measures (still in draft) will require a contract to be in place between data exporters and importers, with required terms comparable to those of the EU standard contractual clauses.
In Thailand the relatively new Personal Data Protection Act 2019 (the PDPA) replaced a largely sector-specific approach to privacy regulation. The PDPA takes a more liberal approach than that adopted by most Asian countries, permitting exports to any country with adequate levels of protection, with a number of exemptions potentially applying to negate the adequacy requirements. Although approved, the PDPA will not come into force until 31 May 2021.
Thailand's newly created Personal Data Protection Committee will be empowered under the PDPA to "announce and establish criteria for providing protection of personal data which is sent or transferred to a foreign country or international organisation". It is expected that the Committee (yet to be formed at time of writing) will clarify its own interpretation of its powers and practice in respect of adequacy.
Data subject consent is not required to permit personal data exports to countries with adequate privacy protections. However, in the absence of adequate privacy protections in the export destination, informed consent can provide a lawful basis for a transfer.
The PDPA as drafted does not exclude the possibility of self-assessment of transfers by exporting organisations, but it is expected that the Personal Data Protection Committee will rule on this once the PDPA is in force in 2021 and the Committee has clarified its own powers.
Unusually for Asia, BCRs are expressly provided for in the new PDPA. To be effective as a transfer basis, they need to be reviewed and approved by the Personal Data Protection Committee.
Contractual transfer mechanisms are not expressly provided for in the PDPA but it is likely that contractual terms will be accepted as a basis for ensuring adequate security and other measures under which a transfer would be allowed.
Singapore's Personal Data Protection Act of 2012 and its accompanying 2014 Regulations set out the standards that must be met before an international transfer of personal data from Singapore can be made.
A data exporter must take steps to ensure that the recipient of the personal data is bound by legally enforceable obligations to ensure the data is protected by standards that are comparable to the protection available in Singapore.
An exporting organisation has to show it has taken appropriate steps to ascertain the security of data transferred and to put legally enforceable safeguards in place.
Singapore's Personal Data Protection Commission (PDPC) can issue guidance on how to make an assessment, but there is no formal adequacy-granting or whitelisting process.
Data subject consent is not a requirement in Singapore, although if informed consent is obtained, it can be used as a basis to permit transfers of personal data to countries that would not otherwise be deemed to offer adequate privacy protections.
The PDPA permits data exporters to make their own assessment of the level of protection for personal data in the country of import and of whether those protections can be deemed adequate; absent such a finding, data subject consent will potentially be required.
Singapore offers a number of options to data exporters looking for a transfer mechanism. Like Thailand, Singapore expressly provides for the option to use BCRs in the PDPA. Contractual arrangements are also acceptable as a transfer mechanism providing certain safeguards are built in.
Since 2020, the PDPA Regulations also permit a data exporter to rely on a data importer holding a "specified certification", namely certification under the APEC Cross-Border Privacy Rules (CBPR) System or the APEC Privacy Recognition for Processors (PRP) System.
It is clear from the snapshot above that harmonisation is still very much on the 'wish list'. Should we be surprised by that? Well, no. In the first place, there is no supranational body equivalent to the EU in Asia. In the second, even the GDPR has not achieved the level of harmonisation it promised.
The GDPR has, however, established a more common baseline which exerts a degree of influence that can be seen in Asia, and there lies the 'bear-trap': influences and similarities are just that. Prematurely treating them as indicators of greater harmonisation and overlap can lead to local compliance risk.
We can, though, see meaningful developments at an ASEAN level with the launch of ASEAN Model Contractual Clauses (MCCs) which are similar to the EU SCCs.
The MCCs are voluntary template contractual terms intended to provide for a form of contractual adequacy between parties transferring personal data across borders. Using them and complying with their underlying obligations should help the parties ensure that the transfer of personal data is conducted in a manner that complies with the ASEAN Member States’ (AMS) legal and regulatory requirements and protects the data of data subjects based on the principles of the ASEAN Framework on Personal Data Protection (2016). This is an important move from ASEAN to promote trust among its citizens in the ASEAN digital ecosystem although individual country law still needs to be respected.
While the MCCs are primarily designed for intra-ASEAN flows of personal data, parties may adapt them to make them work for transfers between businesses intra-country, or importantly for transfers to non-AMS jurisdictions, particularly those with legal regimes based on the principles of the APEC Privacy Framework or OECD Privacy Guidelines.
With South Korea recently joining Japan in the fold of EU adequacy, the words 'watch this space' have never been more relevant as far as data privacy laws around transfers across Asia are concerned.