Economic ambitions drive Asian data shake-up
Aug24

Economic ambitions drive Asian data shake-up

Data protection has been something of a focus for Asian law-makers recently. Until the last couple of years, there were very few laws or regulations in the region which addressed the issue specifically. This is not to say that there were no laws to protect privacy but, rather, that they tended to come from a number of older statutes or case law, and were in many cases no longer appropriate for countries competing on a global scale in the face of technological advances. That is changing. Driven by economic and commercial ambitions (and not just by protection of consumers), legislators across the region have recognised the need to bring their data protection regimes more in line with international standards. The ASEAN region in particular has become the most active in the world for new data legislation. As a result, organisations based in Asia or that have online platforms targeted at or hosted in Asia are having to wrestle with the new rules. So what does this all mean for businesses? We look here at the three most recent new laws in the region, in the Philippines, Malaysia and Singapore, and the practical steps that businesses will need to take to comply. Some context: economic ambitions as a driver for data policy in Asia Having in place a consolidated data protection law has some clear advantages. There is the obvious benefit to consumers, who will now be subject to a privacy framework that is more in line with that enjoyed by citizens elsewhere, such as in Europe. However, economic ambitions are the key driver. In order to compete on an international scale, countries in the region need to be able to demonstrate that they are “safe” places to do business and that the requirements they impose on organisations are in line with international standards. In order to get themselves on any “white-list” of adequate jurisdictions for data processing, governments have recognised the need to have legislation in place. At a business-to-business level, businesses wanting to source suppliers (e.g. customer call centre providers) or to locate operations in the region (e.g. data centres) need to know that data will be held and processed securely, to the standards that their customers (and their own regulators) expect. The Business Processing Association of the Philippines believes that the legislation will raise the country’s profile as a destination for IT outsourcing projects that involve the handling of sensitive personal data, describing the legislation as “an important step to increasing confidence among foreign investors”. In Singapore, the government’s ambition was to “strengthen and entrench Singapore’s position as a trusted hub for business”. The Philippines: “keystone legislation”...

Read More
Singapore upgrades its cyber-defences
Feb14

Singapore upgrades its cyber-defences

A recent amendment to Singapore’s Computer Misuse Act is designed to enable a “nimble and comprehensive response” to the threat of cyber-attacks. But some argue that the new Government powers are too broad and are open to abuse. We examine the key provisions of the new law and what it might mean for organisations in Singapore and beyond. “Sophisticated and malicious”. “A real and present danger”. “A broad spectrum of attacks and threats”. These are not sensationalist headlines but comments from the Singapore Government’s Second Reading Speech on the Computer Misuse (Amendment) Bill. The language used underlines the level of concern with which the Government views the threat of cyber-attacks. And the Singapore Government is not alone. With the recent high profile hack of the New York Times, and attacks like “Stuxnet” and “Flame” making the news and the World Economic Forum ranking cyber-attacks among the top five global risks, the issue is rapidly moving up the legislative agenda for governments around the world. As such, the new Singapore law could be a glimpse of things to come in other jurisdictions. So what are the key changes to the old legislation and what action might organisations be required to take? New teeth The headline provision of the new law is a broad right for the Singapore Government to compel action in the defence against cyber-attacks. Specifically, the Government can require any person or organisation to “take such measures or comply with such requirements as may be necessary to prevent, detect or counter any threat to a computer or computer service or any class of computers or computer services”. This power to compel a person or organisation to take action is the key change that the new law brings into effect. Under the previous legislation, the Government was only entitled to authorise a person or organisation to take action. The right to authorise was of course dependent on the relevant person or organisation actually electing to take the measures in question at its discretion. In short, the new law has teeth where the old law did not. But exactly what kinds of measures might organisations be required to take? Proactive and reactive The legislation is drafted broadly. The Government can require the taking of “measures” and compliance with “requirements”. The only condition is that the measures are “as may be necessary to prevent, detect or counter any threat to a computer or computer service or any class of computers or computer services”. The scope, therefore, is both proactive (to “prevent”) and reactive (to “detect” and “counter”) and could potentially cover both offensive (whether pre-emptive or retaliatory) and defensive actions. But...

Read More