Data protection has been something of a focus for Asian law-makers recently.
Until the last couple of years, there were very few laws or regulations in the region which addressed the issue specifically. This is not to say that there were no laws to protect privacy but, rather, that they tended to come from a number of older statutes or case law, and were in many cases no longer appropriate for countries competing on a global scale in the face of technological advances.
That is changing. Driven by economic and commercial ambitions (and not just by protection of consumers), legislators across the region have recognised the need to bring their data protection regimes more in line with international standards. The ASEAN region in particular has become the most active in the world for new data legislation. As a result, organisations based in Asia or that have online platforms targeted at or hosted in Asia are having to wrestle with the new rules.
So what does this all mean for businesses? We look here at the three most recent new laws in the region, in the Philippines, Malaysia and Singapore, and the practical steps that businesses will need to take to comply.
Some context: economic ambitions as a driver for data policy in Asia
Having in place a consolidated data protection law has some clear advantages.
There is the obvious benefit to consumers, who will now be subject to a privacy framework that is more in line with that enjoyed by citizens elsewhere, such as in Europe.
However, economic ambitions are the key driver. In order to compete on an international scale, countries in the region need to be able to demonstrate that they are “safe” places to do business and that the requirements they impose on organisations are in line with international standards. In order to get themselves on any “white-list” of adequate jurisdictions for data processing, governments have recognised the need to have legislation in place.
At a business-to-business level, businesses wanting to source suppliers (e.g. customer call centre providers) or to locate operations in the region (e.g. data centres) need to know that data will be held and processed securely, to the standards that their customers (and their own regulators) expect.
The Business Processing Association of the Philippines believes that the legislation will raise the country’s profile as a destination for IT outsourcing projects that involve the handling of sensitive personal data, describing the legislation as “an important step to increasing confidence among foreign investors”. In Singapore, the government’s ambition was to “strengthen and entrench Singapore’s position as a trusted hub for business”.
The Philippines: “keystone legislation” for IT services
The Philippines law came into effect in September 2012.
It was clearly influenced by the Data Protection Directive in Europe and the Asia-Pacific Economic Cooperation (APEC) Information Privacy Framework and many of the definitions follow those used elsewhere. It applies to personal data relating to customers or employees, such as name, age, address and occupation.
As with the European legislation, it has a separate concept of “sensitive” personal information (which includes race, religious belief, political affiliation and health), and this is subject to more stringent requirements. Outsourcing (and, in particular, outsourcing that involves the handling of sensitive personal data) is the clear motivation behind this. The Philippines Information and Communications Technology Office confirmed that, “This measure will enable us to replicate our success in call centers into other BPO segments such as healthcare outsourcing and HR outsourcing, where sensitive data is involved”. It is, however, still too early to say whether IT-dependent businesses in Europe or elsewhere will be convinced.
There are, however, a few aspects of the Philippines law that are more surprising and specific to the Philippines.
First, it applies not just to organisations based in the Philippines but also to organisations that process information about the citizens or residents of the Philippines and have links to the country (including organisations that enter into contracts in the Philippines, have branches there or collect or hold information there). Technically speaking, therefore, it could apply to an e-commerce platform taking orders from Philippines customers. However, as with most extra-territorial legislation, it is not clear how this could be enforced.
Second, it is a lot more stringent in some respects than many other data laws. It is very specific as to the security measures that organisations should have in place, including safeguards to protect systems, a written security policy, a risk assessment and mitigation process and regular monitoring for breaches. Any breaches that do occur and which either involve sensitive personal data or could be used for identity fraud must be notified to the regulator. And failure to comply with the provisions of the Act gives rise to some very significant financial and criminal liabilities (up to 6 years in prison and fines of around USD 25,000 to USD 120,000). There are no “enforcement notices” prior to these sanctions coming into effect, so no real “remedy period” to rely upon.
Finally, the requirements of the Act do not apply to personal information originally collected from non-Philippines residents in accordance with the applicable foreign law (even if that information is subsequently processed in the Philippines). In other words, if the data is collected in, for example, the UK and transferred to the Philippines as part of an outsourcing arrangement, it will not be subject to the Act. Again, the outsourcing industry, and call centre-type operations in particular, are a clear motivation here.
Singapore: building a “trusted hub for business”
Motivated by a desire to establish Singapore as a global data and cloud services hub, the legislature passed the Singapore legislation in September 2012.
The operative provisions will come into effect in two parts. The “Do Not Call” direct marketing obligations come into effect on 2 January 2014 and the remaining provisions come into effect on 2 July 2014.
The key definitions largely mirror those seen elsewhere. There is no separate category of “sensitive personal data”, unlike in the Philippines, Malaysia or Europe.
The obligations are generally in line with those in Europe and will come as no great surprise. “Standard” requirements regarding notice and consent all apply. There have been mixed interpretations as to the territorial scope but it is certainly not as openly extra-territorial as the Philippines and any kind of extra-territorial enforcement would be a challenge for the authorities. One key difference is that there are broad carve-outs under the Singapore Act for publicly-available data about individuals and business contact details.
Unlike the Philippines, the Singapore law does have specific obligations for transferring data outside of the country. Organisations cannot do so other than to a place that has an equivalent standard of protection. It is not yet known whether the Singapore government will go down the path of providing for approved contractual principles between transferor and transferee and/or whether it will draw up a list of approved countries/companies. Our view is that we will see increasing convergence with the approach in Europe, given the aim of Singapore becoming a “white-list” jurisdiction for data processing.
One practical obligation to note is that each organisation will need to appoint a data protection officer. This individual will be the main point of contact for the regulator and their details must be made publicly-available, although they will not have any personal liability.
The “Do Not Call” requirements will be of particular interest to organisations that engage in direct marketing, whether by telephone or SMS. The Act establishes a “Do Not Call” register, allowing subscribers to register their phone number, after which organisations may not send a marketing message to that number. In practice, each organisation must submit a list of telephone numbers it plans to contact. The registry will then indicate which of those numbers may be contacted, and the organisation can rely on this information for a period of 30 days. Marketing teams operating in Singapore will need to build this into their processes to ensure compliance.
There are also some fairly heavy sanctions for breach. Officers of an organisation can be held personally liable. There are fines of up to SGD 10,000 for offences in relation to the “Do Not Call” register and up to SGD 1 million for failure to meet the other obligations. Certain breaches can lead to imprisonment of up to three years.
Malaysia: finally in effect
There was considerable delay in the implementation of the Malaysian Personal Data Protection Act but the operative provisions finally came into effect on 16 August 2013. A three month sunrise period will run until 14 November 2013 to allow companies and organisations to get ready for compliance.
A key reason for the delay was that no regulator had been appointed (which was itself because of the Malaysian election). However, we now know that the rules will be enforced by the Personal Data Protection Department, to be re-branded in 2014 as the Personal Data Protection Commission. Questions have been asked about the independence that the Commission will have from the government, not least because the regulator is, under the Act, directly responsible to the minister.
Again, there is some potential for extra-territorial effect. The law applies to a person established in Malaysia or a person who uses equipment in Malaysia, which could therefore apply to companies with servers in Malaysia. Again, it is not clear how enforcement would work against offshore operators.
There are also some direct marketing obligations. A customer can, at any time, require an organisation to cease using (or not to begin using) personal data for direct marketing. This effectively amounts to an “unsubscribe” right. There are also potential obligations on organisations to register as “data users”, although this only applies to those types of data user that are specified by the regulator, and no such specification has yet been provided.
In most other respects, the obligations mirror those in Europe and elsewhere and will contain few big surprises for international organisations.
The sanctions for breach are, like those in the Philippines and Singapore, potentially very serious, with fines of around USD 165,000 and/or two years imprisonment, and the possibility of officers of the company being personally liable.
Other “ones to watch”
Singapore, Malaysia and the Philippines are not alone in recognising the potential economic and commercial benefits of data protection legislation.
Hong Kong has had laws in place for much longer but recently updated them, specifically in relation to direct marketing. The latest rules in South Korea, now seen as one of the strictest data protection regimes in the world, have been in effect since September 2011. China has issued Decisions over the last year with new rules requiring consent, transparency and security. Taiwan implemented new laws in October 2012. And Thailand has had a new law under development for some time.
Plenty of new laws – but what do organisations need to be doing now?
We know what the new rules are and we know when they are going to come into effect. What do organisations need to be doing now to make sure they are compliant? Two categories of organisation will need to be on top of the new rules.
The first will be those organisations that only have a presence in one or more of these jurisdictions and who have not, until now, been directly subject to legislation of this kind. These organisations will need to establish exactly what data they use in their business, how they use it, who they share it with and where it is stored, with a view to putting in place processes to ensure compliance. In other words, they will need to complete the kinds of corporate compliance exercises that companies in Europe went through when the laws there came into effect.
The second category of organisations is those that are already based in jurisdictions that have comprehensive legal frameworks in place, such as Europe, but whose corporate group has a presence in Asia, works with suppliers in Asia or targets Asian consumers. Many of these organisations will already be very familiar with navigating data protection regimes, and this change will simply mean that their Asian operations will need to be brought into line with their approach elsewhere (if they are not already). It is important in this context to remember that although there are strong similarities between the new laws in Asia and those in Europe, there are also some important differences in policy, approach and, potentially, enforcement to bear in mind.
With these new laws in mind, many organisations will be taking the decision that now is a good time to consider their approach to compliance, whether as part of a global data protection audit or a purely regional, Asia-specific, exercise.
This article was originally published in E-Commerce Law & Policy.