Transferring Personal Data in Asia:
A path to legal certainty and regional convergence
This Comparative Review sets out proposals for how Asian public stakeholders may promote legal certainty and greater consistency between their respective laws and regulations on cross-border transfers of personal data in the region. Despite differences between the philosophies and the regulatory structures of each regime, there exist enough connecting points between national frameworks which lawmakers, governments, and data protection regulators can capitalize on, so as to promote and ensure responsible data flows between jurisdictions. Interoperability would be further enhanced by a common movement to align the standards by which legal grounds, mechanisms, and schemes for data transfers should be assessed. Alignment should be with a similarly high level of data protection so as to improve the situation of individuals and facilitate multi- jurisdictional compliance, as well as regulatory cooperation. Alignment not just to a regional standard but to global standards is a worthwhile goal, especially given the integration of Asian economies in global trade and the increased privacy expectations of the Asian public. This Review is supported by a comprehensive comparative Table of the rules relating to the transfer of personal data in 14 Asian jurisdictions.
May 2020
Index
Why this Review? ______3 Key Findings ______5 Collective Benefits of Legal Certainty & Convergence ______9 Serializing the Causes of Legal Uncertainty & Fragmentation ______10 Paths of Convergence in a Period of Intensive Law Reform ______12 Analysis of Asia’s Frameworks & Recommendations for Convergence ______13 Overview of Main Rules & Principles ______14 Consent ______22 Status in Asia______24 ‘Adequacy’ & ‘White Lists’______27 Status in Asia______29 Self-Assessment by the Exporting Organisation______33 Status in Asia______33 Contractual Safeguards ______37 Status in Asia______40 Binding Corporate Rules ______44 Status in Asia______45 Certification ______48 Status in Asia______50 APEC Cross Border Privacy Rules______53 Status in Asia______55 Codes of Conduct ______58 Status in Asia______60 Exemptions & Additional Legal Grounds for Transfers ______63 Status in Asia______65 Data Transfer Mechanisms & Localisation Laws ______71 Status in Asia______73 Overarching Policy Considerations ______76 Acknowledgments ______78
2
All the stakeholders which face the challenge of Why this implementing these regulations, primarily industry and data protection regulators, acknowledge this necessity. Legal uncertainty and Review? inconsistency between data protection frameworks have important repercussions on their respective actions—and, directly or Published in May 2018, ABLI’s Compendium of indirectly, on the situation of the individuals reports on the Regulation of Cross-border Data whose personal data is transferred across the Flows in Asia showed how, in this region as Asian borders. elsewhere, national data strategies generally ABLI wrote this Comparative Analytical Review recognise the need for rules regarding cross- and its supporting document—a Comparative 1 border personal data transfers. Table on Laws, Bills, and Regulations on Personal In May 2020, just two years after this first Data Transfers in Asia, on which the Review is publication, law reform or law review has been based—with the ambition to contribute to announced, or is under way in virtually all of the removing such uncertainty and unclarity in the fourteen legal regimes covered in our project. laws of the region. Nearly all Asian Data Protection Laws contain 1. ABLI’s Comparative Analytical Review: specific provisions applicable to cross-border data Promoting Convergence and Interoperability flows, and some jurisdictions are currently This Review was suggested to ABLI by Asian data modifying their data protection frameworks to protection regulators and governments, who clarify their application to such transfers. have expressed an interest in receiving This trend is fuelled by the increasing relevance, comparative information to fuel their efforts to in Asia, of regional or international data increase the compatibility or ‘interoperability’ of protection frameworks with a strong focus on their legal and regulatory frameworks on personal international flows of personal data, including the data flows. Privacy Guidelines of the Organisation for Law practitioners and industry have further Economic Co-operation and Development expressed support to ABLI’s efforts, which (OECD), the European Union’s General Data ‘introduce an additional analytical layer to the Protection Regulation (EU GDPR), Asia-Pacific conversation’ to which Asian Governments are Economic Cooperation (APEC) Privacy currently taking part to identify common Framework, Association of Southeast Asian approaches to data protection between different Nations (ASEAN) Framework for Data Protection, regions.2 and data-related clauses in trade agreements and economic partnerships, among others. ABLI’s Data Privacy Project thus features among the reasons ‘why multinational organisations Yet, the regulation of cross-border data flows have good reason to hope for some measure of remains a key area which requires greater clarity harmonisation of compliance standards, including and consistency between data privacy laws and practical solutions for cross-border data transfers’ regulations in Asia. in the APAC region.3
2 Derek Ho, ‘Mastercard: Dealing with the 1 Clarisse Girot (ed), Regulation of Cross-Border complexity of data protection’, Asia Outlook, Transfers of Personal Data in Asia (Asian October 2019 Business Law Institute, 2018).
3
The primary objective of this Review is therefore Primary authority of non-English speaking to provide lawmakers, governments, and countries might be simply lacking or be outdated regulators in Asia who are currently drafting, as laws change rapidly and translations in other reviewing, or implementing data transfer languages do not keep up. Commercial sources provisions in their respective jurisdictions with a are expensive, and translations by government comparative overview and analysis of the transfer entities, when they exist, are still for principles, legal grounds, mechanisms, and informational purposes only. Only the most schemes that operate in the laws of their regional organised business organisations have the partners and neighbours. organisational and financial capacities to follow up on law and rulemaking and make translations In particular, it is hoped that the Review will be to the benefit of their members. useful to those public stakeholders who are seeking constructive ways to enhance the This asymmetric level of information makes it compatibility of their respective frameworks by: particularly difficult for new entrants, in particular for SMEs, whether local or foreign, to assess their • including in Data Protection Laws or compliance risk. It also creates the risk that regulatory guidance the full range of available governments, lawmakers and regulators miss on cross-border transfer mechanisms to enable feedback from lines of business that cannot afford accountable global data flows; the costs of familiarisation through local • permitting existing and widely accepted specialists. It makes it significantly harder for civil exceptions and derogations to such society actors like academics and NGOs to voice restrictions. specific views. As well, it is hoped that it will help to promote the This is why, in addition to this Review, ABLI has need to improve legal certainty in the application decided to publish the entire Comparative Table of personal data transfer restrictions, including on Asian Laws and Regulations on Personal Data data localisation requirements. Transfers which it has drawn up to inform its analysis, for the benefit of all. 2. ABLI’s Comparative Table on Laws, Bills, and Regulations on Data Transfers in Asia: Improving The information extracted from the Table to write Availability and Accessibility of Asian Laws and this Review is current as at 28 May 2020. Regulations The Table is published in the form of a Working A recurring difficulty for stakeholders in Asia is Document and will be updated on ABLI’s website simply gaining access to laws, regulations, and when new laws or regulations are passed. regulatory guidance on data privacy and data transfers in the region.
4
4. Convergence is achievable at multiple levels: Key Findings Legal uncertainty, differences and inconsistencies could be removed (or at least significantly alleviated) through ongoing law reform, implementation of regulations, or issuance of ad 1. Collective benefits of legal certainty and hoc regulatory guidance, depending on the convergence: Enhancing legal certainty and the circumstances. Specifically, some gaps could be compatibility of data transfer frameworks both filled by confirmation by the regulators that within and between jurisdictions has a direct, specific data transfer mechanisms (e.g. collective positive impact on the respective certification or codes of conduct) can be read into positions of organisations, individuals, and general provisions of some laws (e.g. ‘taking regulators in relation to cross-border data flows. reasonable steps’, ‘comparable safeguards’, or It is an indispensable complement to any regional ‘reasonable precautions’). Bridging such gaps or international initiative intended to facilitate would enhance the compatibility of Asian legal responsible data flows in the Asian region. systems not only with each other, but also with 2. Major areas of differences: The mapping other regional systems, primarily in Europe and reveals several major areas of difference between the Americas. jurisdictions: 5. Alignment on common standards: Comparisons also show that the most jurisdictions’ laws remain • the rules relating to cross-border data flows silent on the standards by which legal grounds, can be underpinned by fundamentally mechanisms, and schemes for data transfers different logics, which preclude looking for should be assessed (e.g. conditions for obtaining ambitious convergence options with some valid consent, assessment criteria for white lists, legal regimes; content of contracts, internal rules, operation of • while there is overlap between legal regimes, certification schemes, codes of conduct, etc.). there are differences in their regulatory While the alignment of mechanisms is ‘good structures which impact the compliance enough’ from the perspective of doing business, process; such standards should be defined consistently • the coverage of legal grounds and across jurisdictions for convergence to be truly mechanisms (i.e. the number available in each effective. jurisdiction) varies; and 6. Global standards: Interoperability would be • implementation approaches also vary even further enhanced by a common movement to where data transfer provisions appear align these standards with a similarly high level of consistent. data protection to improve the situation of individuals and facilitate multi-jurisdictional Any of these variations have great practical compliance, as well as regulatory cooperation. implications for organisations that operate in Alignment not just to a regional standard but to multiple jurisdictions and export data across global standards is a worthwhile goal, especially borders. given the integration of Asian economies in global Compliance would be greatly facilitated by trade and the increased privacy expectations of ensuring maximum overlap between Asian legal the Asian public. systems regarding acceptable data transfer Ensuring consistency between global, regional mechanisms and schemes. and sub-regional frameworks is necessary to 3. Potential for convergence: The Review shows avoid adding more layers of complexity. the potential for convergence in many transfer 7. Guiding principles for data transfer provisions of the Data Protection Laws, in mechanisms: Comparative analysis of Asian laws, particular for interoperability of contracts, combined with international data protection binding corporate rules, and certification (in standards, leads to the conclusion that: multiple forms) – and statutory exemptions which are recognised or could be recognised as valid in • any data transfer mechanism must consist in a all or a large majority of Asian jurisdictions. legally binding arrangement;
5
• any data transfer mechanism must maintain There would be traction in seeking to make the and build upon the existing privacy same set of contractual safeguards compatible protections set out in the national legislation between Asian jurisdictions, and beyond. and be consistent with principles enshrined in Convergence would be advanced if regulators international frameworks and best practices; would agree to a set of contractual data privacy • data subjects’ rights must remain enforceable and security controls, while allowing for flexibility overseas; and in implementation. Those clauses should be detailed enough to be useful (e.g. description of • adequate supervisory mechanisms must apply envisaged transfers; applicable data protection to the scheme or instrument to ensure principles; warranties, rights and obligations of effective compliance. the parties; complaints and compliance 8. Consent: Consent appears to be an adequate mechanisms; liability and enforceability by third legal basis for personal data transfers only in parties; recourse of individuals; applicable law; residual circumstances, and in any case not for and dispute resolution). recurrent or systematic transfers. Lawmakers There is a common expectation that transfer should refrain from making consent compulsory agreements should make special provisions for in all circumstances, and provide that other the recourse of individuals whose data are solutions offering substantive protection may transferred, although there is no uniformity on constitute an alternative legal basis for transfers. how such rights should be protected in practice. All solutions should be put on equal footing. 11. Binding corporate rules: ‘Binding Corporate Greater coherence between the conditions in Rules’ (BCRs) are recognised as a valid data which consent-based transfers can take place in transfer mechanism in a majority of the Asian legal systems should be sought. The level of jurisdictions covered in this Review. Until now the details and the methods of providing consent strengths and limitations of BCRs have been should be addressed not in the law itself, but assessed only in the European context where they preferably in guidance issued of a dialogue have originally developed, and which are partly between relevant stakeholders, which would irrelevant in an Asian context. factor in the risk of conflict between different consent requirements in the region. Leaving procedural and administrative aspects (i.e. prior authorisation by the authority) aside, 9. Assessment of the level of protection in the expansion of the experience on BCRs into destination country: There could be some multiple Asian jurisdictions could be explored, traction in developing the interoperability of data starting with determining whether there is a protection frameworks in the region through demand for this mechanism from companies positive assessment findings (‘adequacy’), or the operating in Asia. recognition of the same set of substantive ‘adequacy’ principles adopted under multiple 12. Certification: There is a significant potential Asian laws. But this option requires careful for convergence in the establishment of national consideration of the respective strengths and certification mechanisms which would enable limitations of the ‘adequacy’ and ‘white list’ overseas organisations to demonstrate that they approach in Asia. adduce acceptable safeguards to transfer data under different Asian personal data protection Self-assessment by the exporting organisation of frameworks. This option is interesting to explore the destination country’s level of protection in Asia as leading personal information appears to be unrealistic in practice and not management certification schemes already particularly useful to ensure the compatibility of operate in key jurisdictions like Japan or South data protection frameworks, particularly in the Korea, and more recently in Singapore. absence of clear criteria by which such an assessment should be made in most countries. In legal regimes where certification schemes are recognised or contemplated for data transfers the 10. Contractual safeguards: Contracts are the laws are broad enough to allow for certification most promising avenue of cooperation for by leading international standards or schemes increasing the compatibility of Asian data transfer such as ISO/IEC 27701, or regional standards like regimes. APEC CBPRs or under EU GDPR (Art 42).
6
Asian governments and regulators need to work occurring overseas; criteria for accreditation of together on the certification criteria to be the monitoring body that will ensure compliance approved by the regulatory authority; the criteria with the Code, to ensure equality in for accreditation of certification bodies to ensure independence, competence, adequate equality in independence, competence, adequate resourcing, and accountability; the identification resourcing, and accountability; the identification of sufficient and clear benefits of signing up to a of sufficient and clear benefits of certification to Code to ensure that organisations obtain a return ensure organisations obtain a return on the on the investment to joining that Code. investment to obtain certification. Regulatory 15. Exemptions: Specific legal grounds that allow focus should be on the implementation of the personal data to flow in circumstances strictly only schemes likely to create such motivation. provided by law or regulation exist in virtually all 13. Cross Border Privacy Rules: The APEC Cross jurisdictions of this Review. Most of them take the Border Privacy Rules (CBPRs) and the APEC form of statutory exemptions or derogations from Privacy Recognition for Processors (PRP) systems the main rule applicable to data transfers (e.g., might benefit from a ‘network effect’ in Asia if consent, adequacy). more jurisdictions would join and activate either Prima facie the different lists of national or both systems, but also if more organisations exemptions look very similar but, in effect, vary would identify benefits to certify to them. significantly so that seemingly related provisions Refining the business case of joining CBPRs would are, in fact, difficult to compare. Ensuring greater entail clarifying the interrelationship between harmonisation among exemptions will allow the CBPRs and the applicable local privacy laws, same approach to be used in the same set of considering the sectors in which organisations circumstances across several or all jurisdictions. operate, and their geographical footprint. Other Whilst exceptions related to matters of factors include how the certification would help sovereignty might not lend themselves to organisations earn the trust of their customers harmonisation, at least the harmonisation of and business partners; and support the more ‘neutral’ exceptions should be considered. implementation of internal privacy management Convergence efforts is to be guided by commonly programmes. agreed rules of interpretation, such as that 14. Codes: Several Asia Pacific jurisdictions could exemptions must be interpreted ‘narrowly’ so recognise that an exporting organisation may that that the exception does not become the rule. discharge its data transfer obligations where an 16. Administrative exemptions: In some overseas organisation adheres to a locally jurisdictions organisations may solicit individual approved Code of conduct or Privacy Code. This exemptions from compliance with the data option is interesting to explore in Asia as Privacy transfer principles. Such exemptions are usually Codes already play an important role to granted upon request, by notification, and subject supplement the data protection frameworks of to specified terms and conditions (e.g. sunset several jurisdictions in the region. clause). Convergence could be advanced if Asian Such recognition would be subject to the legally regulators would consider transposing the binding nature of the Code and the conclusion of rationale behind such exemptions into their own a contract between both the exporting and frameworks, subject to similar conditions and importing organisations to ensure that the with particular attention to the interests of safeguards of the Code (in particular, those individuals. concerning the rights of data subjects) are applied 17. Data transfer mechanisms and localisation and enforced in the receiving jurisdiction. laws: Several jurisdictions currently implement, or To build coherent policies on such Codes, Asian are considering the implementation of so-called governments and regulators need to work localisation measures in the Asian region. This together on several building blocks: the criteria by area of the law is marked by uncertainty, which such Codes may be approved; the particularly in jurisdictions where sweeping conditions under which Codes may be found localisation obligations apply and where the state legally binding in multiple jurisdictions; of the law is in constant flux. determination of appropriate recourse mechanisms for individuals in case of breach
7
There would be great added value in clarifying the interplay between transfer provisions in general
Data Protection Laws and localisation obligations mandated in specific sectoral laws or regulations. This would include clarifying the extent of parity between ‘traditional’ data transfer mechanisms recognised in most jurisdictions and the conditions for approval of data transfers by the public authorities. The scope of such localisation measures, the circumstances in which exemptions are permitted, and the regulatory expectations as to the practical consequences of mandating the localisation of some categories of data (i.e. server mirroring or other measures) should be clarified. Entry into force periods must be of significant duration to allow organisations to take the necessary compliance measures, and extensions and adaptations should be possible on request. Similar and consistent standards should be applied to localisation requirements in regulations applying to different sectors.
8
In contrast, compliance with laws prescribing Collective different conditions for collecting, storing or transferring data can force companies to adopt sub-optimal, hence increasingly vulnerable IT Benefits of Legal infrastructures, with significant cybersecurity risks attached. Certainty & Yet, it is not necessarily the case that data subjects’ interests are demonstrably advanced by such measures through, for example, enhanced Convergence control over the use of their personal data, improved data security or regulatory oversight. Despite differences in cultural norms and 2. Removing legal uncertainty, gaps between variations in regulatory models, Asian laws, and complexity in cross-border compliance jurisdictions share a mutual interest in bridging with Data Protection Laws is in the interests of gaps, enhancing legal certainty and the individuals. Variations in scope, differences compatibility of personal data transfer between substantive data protection rights and frameworks, both within and between obligations, and between regulatory policies on jurisdictions. data flows impede the effective cross-border implementation of individuals’ data protection Efforts of convergence will have a collective rights, or limit capacities for effective regulatory positive impact on the respective positions of oversight as their data goes across borders. organisations, individuals, and regulators in relation to cross-border data flows. As well, multiplication of compliance efforts across jurisdictions constrains organisations’ 1. A unified set of data transfer mechanisms internal privacy resources, which could otherwise and schemes across multiple Asian jurisdictions be used to improve substantive data protection would facilitate compliance with data transfer practices to benefit individuals. This includes the obligations by organisations to which multiple operational costs of planning in the face of legal frameworks apply. regulatory uncertainty, adapting business, This would enable such organisations to choose compliance functions and transactional the legal grounds, mechanisms, and schemes that structures to conflicting data protection or are the best suited to their needs and also to rely localisation requirements across different on the same solution for each category of data jurisdictions. transfer in each jurisdiction, avoiding unnecessary Variations in the level of protection of duplication of compliance efforts from one individuals—be they in their capacity as citizens jurisdiction to the next. or consumers—per country reduces public Legal certainty on data transfer mechanisms confidence and consumer trust, in both local and would further allow organisations to streamline overseas dealings. Public stakeholders must their accountability measures internally, but also expect that citizens will increasingly question why greatly improve the time and efforts required to their national level of personal data protection negotiate and enable data transfers with other might be ‘lagging behind’ and falling short of organisations. implementing international standards, particularly in relation to the regulation of cross- This is significantly important to SMEs and start- border data flows. ups who do not have the resources and experience of dealing with complex regulation as 3. Compatible legal frameworks also help the large MNCs do. In this sense, legal certainty and community of Authorities to rely on other convergence level the playing field. jurisdictions’ learnings and approaches to implementation. Harmonisation or greater coherence between national legal frameworks, in particular in relation to the regulation of cross- border data flows, helps reduce gaps between them and thus facilitates regulatory cooperation and consistent regulatory action.
9
However, contact points exist even between the Serializing the two types of regimes, which could anchor some actions of convergence—for instance, by clarifying the extent of parity between data Causes of Legal transfer mechanisms in ‘traditional’ data protection regimes and the conditions for Uncertainty & approval of specific personal data transfers by the public authorities (see Data Transfer Fragmentation Mechanisms & Localisation Laws➺). Such clarification would be particularly useful with regard to data transfer regimes which combine both regulatory purposes, like the Data Seeking convergence and strengthening the Protection Bill of India. consistency of legal regimes relating to cross- border data flows requires to go back to the root 2. Factors of divergence also operate between of their differences. similar regimes that do not purport to significantly restrict cross-border data flows. Both this Comparative Review and the Comparative Table are helpful in that they reveal Most Data Protection Laws in operation in the the different causes of fragmentation between region frame data transfers provisions as a data transfer rules in the region. They therefore general prohibition subject to a list of exceptions, make it possible to identify the different types of primarily obtaining the individual’s consent to the policy and legal responses that can eliminate, or transfer (‘consent-first’ regimes, e.g. Japan, and at least attenuate legal fragmentation and South Korea) or sending data to jurisdictions with uncertainty, and consequently the different an adequate level of protection (‘adequacy-first’ stakeholders (mainly Parliaments, governments, regimes, e.g. Macau SAR, Malaysia, and Thailand). data protection regulators) which have the Others take the general approach that transfers capacity to provide corresponding solutions, at should be permitted in principle but impose a their respective levels. requirement of ‘accountability’ according to which entities which transfer personal 1. The most important factor of divergence is information to overseas recipients must ensure certainly the fact that the rules relating to cross- that they handle that personal information border data flows can be underpinned by consistently with the requirements of local laws fundamentally different logics. (‘accountability principle’) (e.g. Australia and Whilst most jurisdictions have adopted, or are Philippines). contemplating the adoption of such rules 3. Different default positions in the general Data to promote responsible data flows and avoid the Protection Law do not preclude looking for circumvention or undermining of local legislative convergence options, especially when obligations protections by transferring personal data relating to personal data transfers may be overseas, in some jurisdictions data transfer discharged in similar conditions. restrictions are primarily motivated by the principle of digital sovereignty and/or by the However, the mapping done in this Review intention to enable access by the law reveals three major areas of difference between enforcement authorities to specific categories of jurisdictions: personal data. In the second case, personal data First, while there is overlap between legal regimes must generally be kept on shore subject to (for example, in that the majority of regimes governmental review, over and above obtaining recognise the role of consent and contracts as the data subject’s consent or implementing data permitted transfer mechanisms), differences transfer mechanisms like contracts, for instance. between the structures of data transfer regimes Removing such a fundamental difference impact the compliance process (e.g. whether the between regulations underlaid by the intention to regime is ‘consent-first’, ‘adequacy-first’ or ‘equal promote free data flows on the one hand, and basis’ versus ‘accountability-based’). concerns of national security and sovereignty on the other hand, is unrealistic.
10
Second, the coverage of legal grounds and 4. Any of these variations have great practical mechanisms may also differ, i.e. the number of implications for organisations that operate in mechanisms available in each jurisdiction is multiple jurisdictions and export data across different, or it is not certain to what extent they borders—as multiple legal frameworks would are in overlap. consequently apply in cumulation, and the variance and inconsistency between jurisdictions In some jurisdictions such coverage seems to be makes the ability to apply a consistent set of limited by intention, but it could be extended in compliance processes highly challenging. jurisdictions that follow the same regulatory pattern depending on the decision of the This diversity in implementation is amplified by regulator to take a more or less liberal the fact that Asian legal systems have been interpretation of concepts such as ‘transfers developed at different times, under the influence subject to reasonable safeguards’, for instance. of fluctuating priorities, and by reference to different regional frameworks (or to successive In jurisdictions that implement the ‘accountability versions of the same frameworks). principle’ and endorse a liberal approach to data flows, ambiguity may lie in the absence of an The absence of permanent, effective pan-Asian explicit admission that some mechanisms or coordination mechanisms to monitor regional schemes are effective (or not) to discharge this developments and ensure legal consistency principle. between different legal frameworks is another important missing element to remove Third, implementation approaches also vary, even fragmentation in the area of data protection and where data transfer provisions appear consistent privacy. (e.g. subsequent guidance or subsidiary legislation may be more prescriptive on the It is hoped that this Review can contribute to approach to obtaining consent in one jurisdiction advancing this regional discussion, by providing versus another). comparative information and suggestions which public stakeholders may use in their respective As a result, it is often impossible to provide clear- jurisdictions. cut solutions to many of the compliance issues that organisations ask themselves when navigating this area of the law in a cross-border context.
11
Law reform is underway in Australia, Hong Kong Paths of SAR, Japan, Malaysia, New Zealand, Philippines, Singapore, and was just concluded in South Korea, where implementing regulations are in a Convergence in a phase of public consultation. Plans to adopt new baseline data protection Period of regimes are made in China and Vietnam. Localisation rules and sectoral data transfer Intensive Law regimes are in flux in several countries. Delays and unpredictability in law-making, the Reform time needed for dust to settle following such data protection reforms are further causes of legal uncertainty. Over the past years, a majority of Asian However, this time also offers a rare window of governments, lawmakers and regulators have opportunity to dry up some sources of worked to implement into their national legal uncertainty and enhance the compatibility of systems high-level principles issued from Asian Data Protection Laws. frameworks such as the APEC Privacy Framework and the ASEAN Framework for Data Protection, This Comparative Review shows how uncertainty, but also principles, concepts and mechanisms differences and inconsistencies can be removed found in the EU GDPR. (or at least significantly alleviated) through ongoing law reform, implementation of A complementary way of achieving the desired regulations, or the issuance of ad hoc regulatory objective of regional consistency is to complete guidance. this high-level approach with a ‘bottom-up’ approach to legal convergence, by doing ‘the hard Specifically, some gaps could be filled by and prosaic work (…) of sifting through the thicket confirmation by regulators that specific data of national laws and regulations to identify points transfer mechanisms (e.g. certification and codes of commonality and areas where reform is of conduct) can be read into general provisions of required’.4 some laws (e.g. ‘taking reasonable steps’, ‘comparable safeguards’ or ‘reasonable This Review and the Comparative Table contain precautions’). useful information, recommendations and analyses to take this last step. This Comparative Review further shows that there is great potential for interoperability of Major data protection reforms are currently some mechanisms in current laws. In particular, happening in the region. Data Protection Bills contracts, binding corporate rules, and were introduced in the Parliaments of India and certification (in multiple forms). Indonesia in December 2019 and January 2020, just a few months after the adoption of the new Data Protection Law of Thailand.
4 The Honourable The Chief Justice Sundaresh
12
Analysis of Asia’s Frameworks & Recommendations for Convergence
Index Specific instruments that do not fall into these categories have therefore not been considered (e.g. Overview of Main Rules international agreements). & Principles …………………………………….14 Exclusion of sectoral laws. Sector-specific Consent …………………………………….22 requirements (e.g. in telecom, banking, credit ‘Adequacy’ and ‘White reporting, or health sectors) have not been Lists’ …………………………………….27 considered as part of this Review so as to avoid too Self-Assessment by the wide a field of comparison. Exporting Organisation Data localisation. Specific data transfer restrictions …………………………………….33 have been considered in jurisdictions that otherwise Contractual Safeguards have, or would still have, cross-sectoral data …………………………………….37 localisation requirements (China, India, Indonesia Binding Corporate Rules and Vietnam), including in the two jurisdictions in …………………………………….44 this Review without a baseline Data Protection Law or Bill yet (China and Vietnam). Localisation laws are Certification …………………………………….48 understood as measures which broadly mandate APEC Cross Border that organisations must store and/or process Privacy Rules …………………………………….53 personal data generated within their territory, even Codes of Conduct …………………………………….58 where adequate data transfer mechanisms (e.g. contracts) have been implemented and/or the Exemptions & consent of the individual has been obtained. Additional Legal Grounds for Transfers …………………………………….63 Legislative proposals considered. Given the Data Transfer substantial legislative activity currently taking Mechanisms & place in the area of personal data protection and Localisation Laws …………………………………….71 privacy in Asia, this Review includes legislative proposals that should soon be passed into law in
select key jurisdictions. Preliminary notes: Jurisdictions covered. The jurisdictions assessed in this Review are those covered in ABLI’s Data Privacy Project (see https://abli.asia/projects/data-privacy- project): Australia, China, Hong Kong SAR, India, Indonesia, Japan, Macau SAR, Malaysia, New Zealand, Philippines, Singapore, South Korea, Thailand, and Vietnam. Legal grounds, mechanisms, schemes considered. The legal grounds, mechanisms, and schemes for transfers considered in this Review are: • Firstly, those most commonly found in data protection regimes globally, including recently promulgated Data Protection Laws that have taken inspiration from EU GDPR; and • Secondly, those considered for inclusion in Asian regional frameworks—including the ASEAN Digital Data Governance Framework.
13
Privacy Act 1988, s 16C: If an entity discloses Overview of Main personal information about an individual to an overseas recipient and APP 8.1 applies to the disclosure of the information, the entity is Rules & Principles accountable for any acts or practices of the overseas recipient that would breach the APPs in relation to the information. This section presents an overview of the baseline provisions which are applicable to personal data Chapter 8 of the Australian Privacy Principles transfers in fourteen jurisdictions. Guidelines (APP Guidelines) (Cross-border disclosure of personal information) published by It shows how virtually all Asian Data Protection the Office of the Australian Privacy Information Laws contain specific provisions applicable to Commissioner (OAIC) outlines how the OAIC will cross-border flows of personal data. interpret APP 8. Most of them frame such provisions as a general The focus of APP 8 is on the ‘disclosure’ of prohibition subject to a list of exceptions, personal information to overseas recipients, as primarily obtaining the individual’s consent to the opposed to the ‘use’ of the information. While transfer (‘consent-first’ regimes, e.g. Japan, South neither ‘use’ or ‘disclosure’ is defined in the Korea) or sending data to jurisdictions with an Privacy Act, an entity ‘discloses personal ‘adequate’ or ‘comparable’ level of protection information when it makes it accessible or visible (‘adequacy-first’ regimes, e.g. Macau SAR, to others outside the entity and releases the Malaysia, and Thailand). subsequent handling of the personal information Others take the general approach that transfers from its effective control’ (APP Guidelines, para should be permitted in principle but impose a B.64). requirement of ‘accountability’ according to China which entities which transfer personal information to overseas recipients must ensure Cybersecurity Law (CSL) 2016, NPC 12, Art 42 that they handle that personal information Informed consent of the individual is necessary consistently with the requirements of local laws to transfer or disclose any persona data to a (‘accountability principle’) (e.g. Australia, third party (inside or outside China). Philippines). CSL, Art 37 (in force) Below we consider how these main principles and rules may be discharged in each jurisdiction. ‘Critical Information Infrastructure Operators’ (CIIOs) must store personal information and We also consider specific data transfer restrictions ‘important data’ collected and generated in China that take the form of cross-sectoral data localisation and may transfer such information and data requirements in select jurisdictions. overseas only for business needs and upon Australia security assessment by the relevant authorities. Privacy Act (1988), Australian Privacy Principle Art 37 of the CSL to be combined with: (APP) 8.1 (‘Accountability Principle’) Personal Information Security Specification Before an entity discloses personal information to issued by the National Information Security an overseas recipient, the entity must ‘take such Standardisation Technical Committee (TC260) steps as are reasonable in the circumstances to (GB/T 35273/2020), Art 9(8) (entry into force ensure that the overseas recipient does not breach October 1, 2020) the APPs (other than APP 1) in relation to that With regard to the cross-border transfer of information.’ personal information collected and generated in China, the personal information controller shall comply with the requirements of relevant national regulations and standards.
14
Draft Cross-Border Transfer Assessment The International Transfer Guidance adopted by measures of the Cyberspace Administration of the Hong Kong Privacy Commissioner serves as a China (pending, latest draft version 13 June 2019) practical guide for data users to implement s 33. The draft Measures are applicable to all ‘Network Note: Operators’ (not only CIIOs) and ‘personal Whilst s 33 PDPO is not yet in force, the Privacy information’. ‘Network operators’ are ‘owners Commissioner has all along been working closely and administrators of networks and network with all stakeholders including the Government service providers’ (CSL Art 76). on its implementation. The prior draft Measures (April 2017, revised in Further to the Government’s findings in its May and August 2017) provided for a self- Business Impact Assessment consultancy assessment of the contemplated transfers and conducted in 2016-2018, the Privacy that the authorities would make such Commissioner engaged a consultant in November assessments only in specific cases. The latest draft 2018 to provide specialist views addressing and (June 2019) comes back on this position and ameliorating the potential impact on businesses requires that all network operators must apply for in future implementation of s 33 of the PDPO. a security assessment of the contemplated transfers to the provincial branch of the CAC for Amongst various recommendations, the Privacy review (i.e. no differentiation depending on Commissioner has announced that it will publish sensitivity levels). an updated data transfer guidance in mid-2020 with enhanced user-friendliness and additional Sectoral localisation obligations prevail over guidance towards organisational data users, Art 37 of the CSL, e.g. in banking, insurance, credit especially the SMEs, by introducing two sets of reporting, health and genetics, online taxi new recommended model clauses (including data booking and location apps. (see Data Transfer transfers between ‘data user and data user’ as Mechanisms & Localisation Laws➺) well as ‘data user and data processor’) for their Hong Kong SAR adoption in formulating transfer agreements. Personal Data (Privacy) Ordinance (Cap. 486) India (Act in force) 1995 (amended), s 33 (not yet in force) Information Technology Act, 2000 (IT Act), s 43A Guidance on Personal Data Protection in Cross- Information Technology Rules of the IT Act, 2011 border Data Transfer (‘International Transfer (IT Rules), IT Rule on s 43A (IT Rule 7) Guidance’) (December 2014) Section 43A and IT Rule 7 apply exclusively to Transfers of personal data to overseas ‘sensitive personal data’. jurisdictions are forbidden unless one of a number of conditions is met (equal basis). Sensitive personal data may flow out of India when: These conditions include: • the information provider has consented to the • transfer to a white list jurisdiction; transfer; or • the data subject has consented to the • the transfer is necessary for the performance transfer; of a contract. • transfer is for avoidance or mitigation of In any circumstances, the same level of data adverse action against the data subject; and protection must apply to the data in the country • the data user has taken all reasonable of destination (IT Rule 7). precautions and exercised all due diligence to Sensitive personal data or information consists of: ensure that the personal data concerned are ‘information relating to; given equivalent protection to that provided for by the Ordinance. (i) password; Other statutory exemptions can apply. (ii) financial information such as bank account or credit card or debit card or other payment instrument details;
15
(iii) physical, physiological and mental health (viii) genetic data; condition; (ix) transgender status; (iv) sexual orientation; (x) intersex status; (v) medical records and history; (xi) caste or tribe; (vi) Biometric information; (xii) religious or political belief or affiliation; or (vii) any detail relating to the above clauses as (xiii) any other category of data specified by the provided to body corporate for providing service; Authority under section 22. and Critical personal data may be processed only in (viii) any of the information received under above India, with exceptions (s 34(2)). clauses by body corporate for processing, stored or processed under lawful contract or otherwise’ Critical personal data is undefined and may be (IT Rule 3). notified as such by Government regulation. Data localisation provisions may prevail over the Personal data that is neither sensitive nor critical data transfer rules in s 43A and IT Rule 7 in specific under the Data Protection Bill would be free to sectors including banking, telecom, and health transfer (on the assumption that there is legal (see Data Transfer Mechanisms & Localisation basis for the processing in the first place). Laws➺) Other requirements to store and/or process in India (Bill) India would apply in case of the cumulative application of localisation requirements for Data Protection Bill, ss 33 and 34 (introduced in sectors including banking, telecom, and health Lok Sabha on December 10, 2019) (same as above). More sectoral obligations to As in the framework currently in force, ss 33 and localise data are currently in draft, e.g. in the draft 34 would not apply to all transfers of personal e-pharmacy rules. Localisation obligations were data but only to transfers of ‘sensitive’ and removed from the draft e-commerce policy in ‘critical’ personal data for the purpose of June 2019 (in anticipation of their displacement processing. to the Data Protection Bill). Sensitive personal data ‘may be transferred Indonesia (in force) outside India for the purpose of processing but Law No. 11 of 2008 on Electronic Information and shall continue to be stored in India’ (s 33(1)), and Transactions (EIT Law), Art 26 additional conditions apply (s 34(1), see below). Regulation No.20 of 2016 of the Ministry of Sensitive personal data means personal data Communication and Information (MCI 20/2016), revealing, related to, or constituting, as may be Arts 21 and 22 applicable— (s 3(35)): Electronic System Providers (ESPs) may transfer (i) passwords; data only: (ii) financial data; • with the individual’s consent; and (iii) health data; • following ‘coordination’ with the Ministry. (iv) official identifier; The coordination requirement seems closer to a (v) sex life; notification requirement than to a prior approval, but sometimes regulatory scrutiny is applied.5 (vi) sexual orientation; (vii) biometric data;
5 See Danny Kobrata, ‘Jurisdictional Report: Indonesia’ in Regulation of Cross-Border Transfers of Personal Data in Asia (Asian Business Law Institute, 2018) at 151.
16
Government Regulation No.71 of October 2019 • the recipient acts in conformity with a system (GR71), Arts 20 and 21 (replacing Government established by standards prescribed by the Regulation No. 82 of 2012 (GR82)) Personal Information Protection Commission of Japan (Art 24); Specific localisation rules apply to ESPs for Public Purposes or ESPs for Private Purposes, • one of a series of statutory exceptions apply respectively (see Data Transfer Mechanisms & (Art 23(1)). Localisation Laws➺) Transfers to other than ‘third parties’ are not Indonesia (Bill) covered by Art 24 and consent requirements do not apply. Data Protection Bill, Art 49 (introduced in Parliament on 28 January 2020) Under the APPI, the following entities are deemed not to be third parties: Data transfers outside the territory of Indonesia may take place only in four series of • a company that enters into a merger, a circumstances presented as alternatives: company split or a business transfer with the data controller; • the level of protection in the country if destination is equal to, or higher than in the • data processors; or Act; • a company designated to jointly use the • international agreements apply; personal information with the controller. • a contract offering appropriate safeguards is Macau SAR in place between the parties; and Personal Data Protection Act, 2005 (PDPA), Arts • the data subject has consented to the 19 and 20 transfer. The transfer of personal data to a destination These provisions will be later specified in a outside the Macau SAR may only take place Government Regulation. subject to compliance with the PDPA and provided the legal system in the destination to Notes: which they are transferred ensures an adequate The Data Protection Bill will overwrite Art 26 of level of protection (Art 19(1)). the EIT Law but will not affect pre-existing data Transfers to other destinations may take place protection provisions in so far as they are not only if specific conditions are complied with, and contradictory with the Bill and are not specifically must be either notified to, or authorised by the regulated by it (Art 79). Office of Personal Data Protection (Art 20): The localisation provisions in GR71 (above) and • the data subject has given his consent the requirement of coordination with the unambiguously to the proposed transfer; Ministry (MCI 20/2016, Art 22(1)) would therefore not be impacted by the Bill. • the controller adduces adequate safeguards with respect to the protection of the privacy The current version of the Bill does not institute a and fundamental rights and freedoms of Data Protection Authority. It is not clear to which individuals and with respect to their exercise, entity in the Government (beyond MCI) the particularly by means of appropriate implementation of the provisions of the future contractual clauses; Law would be left. • Japan that transfer is necessary in varied contexts relating to the conclusion or performance of Act on the Protection of Personal Information, contracts, or the implementation of pre- 2016 (APPI), Art 24 contractual measures; Transfers of personal information are subject to • necessary or legally required on varied obtaining the individual’s consent, unless: statutory grounds (e.g. important public • the country of destination has an equivalent interest grounds, or for the establishment, level of protection (Art 24); exercise of defence of legal claims);
17
• necessary in order to protect the vital New Zealand (Act in force) interests of the data subject; and Privacy Act 1993, Part 11A (Transfer of Personal • is made from a public register. Information outside New Zealand), s 114B The analysis carried out in the context of such international transfers of personal information procedures6 appears in decisions published on are permitted, as long as the legal requirements the OPDP’s website.7 in the Information Privacy Principles (IPPs) in Part 2 of the Privacy Act and appropriate Malaysia conditions for privacy protection are observed. Personal Data Protection Act 2010 (PDPA), s 129 However, in exceptional circumstances the Data transfers outside Malaysia may in principle Privacy Commissioner may prohibit a transfer to take place only to places specified by the Minister another State when: where there is in force any law which is • the personal information has been received substantially similar to, or that serves the same from another State and will be transferred to purposes as the PDPA or which ensures an a third State where it will not be subject to a adequate level of protection which is at least law providing comparable safeguards to the equivalent to the level of protection afforded by Privacy Act; and the PDPA. • the transfer would be likely to breach the basic Transfers to other destinations may take place principles of national application set out in the only if: OECD Guidelines. • the data subject has consented to the The Fact sheet on Part 11A of the Privacy Act transfer; published by the Commissioner sets out certain • reasonable precautions were taken by the matters that the Commissioner must consider in data user; and exercising the discretion to prohibit a transfer, including by showing ‘legal regimes that might be • statutory or regulatory exemptions apply. thought likely to offer comparable safeguards to ‘The Minister’ refers to the Minister ‘charged with the Privacy Act’. the responsibility for the protection of personal Privacy Act, s 3(4) (applicable to e.g. cloud storage data’, currently the Communications and overseas). Where an agency holds information— Multimedia Minister (PDPA s 4). (a) solely as agent; or (b) for the sole purpose of On 14 February 2020, the Malaysian Personal safe custody; or (c) for the sole purpose of Data Protection Commissioner (‘Commissioner’) processing the information on behalf of another has issued a Public Consultation Paper on the agency—and does not use or disclose the review of the PDPA. information for its own purposes, the information shall be deemed to be held by the agency on As part of the ongoing review exercise, the whose behalf that information is so held or, as the Commissioner is considering issuing a guideline to case may be, is so processed. address the mechanism and implementation of cross-border transfers. If implemented, it is New Zealand (Bill) unclear whether transfers which comply with the Privacy Bill, Information Privacy Principle 12 (IPP transfer mechanisms set out in the said guidelines 12) will be recognised as permissible under the PDPA. IPP 12 is to be combined with IPP 11 (‘Limits of disclosure of personal information’).
6 On the operation of these procedures, see 7 For instance, Opinion No.0016/P/2018/GPDP Graça Saraiva, ‘Jurisdictional Report: Macau on the establishment of the CTM (Macau SAR’ in Regulation of Cross-Border Transfers of Telecommunications Company) (HK) Data Personal Data in Asia (Asian Business Law Centre and the transfer of data from Macao to Institute, 2018) at 202. Hong Kong and the respective notification and authorisation procedures.
18
If data that may be legally transferred based on Proposed amendments to s 21 in House Bill IPP 11 is transferred to an overseas recipient, the No. 5612 introduced in the House of ‘exporting agency’ would need to satisfy one of Representatives on 25 November 2019 do not the criteria set out in IPP 12(1): modify the legal regime applicable to international transfers (but for additional • the individual concerned authorises the transparency requirements on transfers). disclosure; IRRs rule IV: A specific provision applies to data • the foreign person or entity is carrying on sharing (s 20, General Principles for Data Sharing). business in New Zealand, and the agency The provision applies to data sharing in the believes, on reasonable grounds, that the private sector and between government foreign person or entity is subject to the Bill; agencies. • the agency believes on reasonable grounds IRRs rule X: Specific provisions apply to that: outsourcing and subcontracts (ss 43 and 44). o the foreign person or entity is subject to Singapore privacy laws that, overall, provide comparable safeguards to those in the Bill; Personal Data Protection Act 2012 (PDPA) s 26 (‘Transfer Limitation Obligation’ or ‘TLO’) o the foreign person or entity is a participant in a prescribed binding scheme, or is An organisation shall not transfer any personal subject to privacy laws of a prescribed data to a country or territory outside Singapore country; and except in accordance with requirements prescribed under the PDPA to ensure that o the foreign person or entity must protect organisations provide a standard of protection to the information in a way that, overall, personal data so transferred that is comparable provides comparable safeguards to those to the protection under the PDPA. in the Bill. Personal Data Protection Regulations 2014, Part Privacy Bill, Part 8 (‘Prohibiting onward transfer of III, Regs 8-10, to be read with: personal information received in New Zealand from overseas’) replicates the provisions of PDPC Advisory Guidelines (AG) on Key Concepts s 114B relating to transfer prohibition notices in in the Personal Data Protection Act, Chapter 19 the current Privacy Act (see above). For the purposes of s 26 of the PDPA, a Philippines transferring organisation must take appropriate steps to ascertain whether, and to ensure that, Data Privacy Act of 2012 (DPA) s 21 the recipient of the personal data in that country There are no specific provisions on international or territory outside Singapore (if any) is bound by transfers in the DPA or its Implementing Rules and legally enforceable obligations (in accordance Regulations (IRRs). with PDPA reg 10) to provide to the transferred personal data a standard of protection that is at The general rule in s 21 (‘Accountability Principle’) least comparable to the protection under the Act. is that ‘any controller is responsible for personal information under its control and custody, On 28 May 2020 PDPC has amended the PDPA including information that has been transferred to Regulations to recognise that a recipient third parties for processing, whether domestically organisation holding a ‘specified certification’, i.e. or internationally, subject to cross-border the APEC CBPR System, and the APEC PRP System arrangement and cooperation’. would be taken to have met such legally enforceable requirements. (see APEC Cross Moreover, regarding data transfer for processing Border Privacy Rules➺). s 21(a) requires the controller to use ‘contractual or other reasonable means to provide a PDPC Advisory Guidelines on Key Concepts in the comparable level of protection while information Personal Data Protection Act, Chapter 6, paras is being processed by a third party’. 6.22–6.23 (‘Cloud Services’, revised 9 October 2019).
19
An organisation that engages a Cloud Service Art 17 of the PIPA will remain applicable to all data Provider (CSP) as a data intermediary controllers with the exception of ICSPs to which (‘processor’) to provide cloud services is the specific provisions of Art 39(12) will apply. responsible for complying with the TLO in respect Art 17 of the PIPA has been amended to include a of any overseas transfer of personal data in using new para 4. Under this new provision, a controller the CSP’s cloud services. This is regardless of will be allowed to provide personal data to whether the CSP is located in Singapore or another controller without the data subject’s overseas. consent in conditions to be prescribed by South Korea Presidential Decree, ‘within a scope that is reasonably related to the original purpose of Personal Information Protection Act (PIPA) Art 17 collection’ and ‘after considering whether the is the baseline provision on data transfers. The data subject’s rights would be infringed upon PIPA is complemented by Enforcement Decree of and/or measures to secure the integrity of the PIPA. personal information have been properly taken.’ Network Act Art 63 is the specific provision However, it is too early to tell if the Enforcement relating to data transfers by Internet Content Decree would remove consent requirements for Service Providers and recipients of data collected overseas transfers in specific circumstances. by ICSPs (Extended ICSPs).8 The Network Act is complemented by Enforcement Decree of 2. The PIPA and the Network Act are currently Network Act (especially Art 67). enforced by the Ministry of the Interior and Safety and the Korean Communications Commission An overarching principle in South Korea’s data (KCC), respectively. protection statutes is that express user consent is required to transfer personal data to third parties The Personal Information Protection Commission whether located locally or overseas. (PIPC) will take over these roles on 4 August 2020. The PIPC will be responsible for the adoption of Limited exceptions to consent requirements the implementing regulations of both Acts. apply in specific circumstances provided by statute, specifically in relation to overseas 3. Other statutes (e.g. Credit Information Act, controller-processor transfers for delegation of Location Information Act) may also apply. processing (outsourcing). Thailand Notes: Personal Data Protection Act (27 May 2019) 1. On 4 February 2020, major amendments to (PDPA) s 28 (entry into force postponed until 31 PIPA, Network Act, and Credit Information Act May 2020) were promulgated (entry into force: 5 August Under the new PDPA data transfers may freely 2020). take place to a foreign country or international The amended PIPA will include a new Chapter 6 organisation that have adequate data protection (Special Provisions for the Processing of Personal standards, and in accordance with the data Information by ‘ICSPs’ and ‘extended ICSPs’) protection rules prescribed by the Data importing the data protection provisions of the Protection Committee. Network Act which are not harmonised with Exceptions to the ‘adequacy’ requirement apply those set forth in the PIPA, including Art 63 in four series of circumstances (equal basis): relating to international data transfers. • the data subject’s consent has been obtained; Art 63 of the Network Act will remain into force until it is displaced and renumbered Art 39(12) in • specific statutory exemptions apply; PIPA on 4 August 2020.
8 On the respective scopes of PIPA and Network Regulation of Cross-Border Transfers of Act, in addition to the concepts of ICSPs and Personal Data in Asia (Asian Business Law Extended ICSP, see Park Kwang Bae, Institute, 2018) at 343. ‘Jurisdictional Report: Republic of Korea’ in
20
• the receiving organisation provides ‘suitable As at 20 May 2020, the proposal still contains an protection measures which enable the outline of the Draft Data Protection Decree; the enforcement of the data subject’s rights’; drafter (i.e., the Ministry of Public Security) is tasked with working on detailed content for each • the receiving organisation has put in place a provision as outlined and is expected to release a ‘Personal Data Protection Policy’ applicable to draft ‘in 2020’.11 overseas data transfers. Cybersecurity Law (CSL) 2018, Art 26(3) Note: The entry into force of the PDPA was scheduled 27 May 2020. However, the entry into Concurrently, Art 26(3) of the CSL impose force of several parts of the law, including s 28, localisation obligations on certain categories of has been postponed to 31 May 2021. online service providers (see Data Transfer Mechanisms & Localisation Laws➺). Until then, sectoral laws may apply. Going beyond the general case, data privacy provisions exist in several other areas of law, such as sector-specific regulations or license conditions, in provisions setting out protections for certain categories of information, or in requirements specific to certain professions (e.g., as relevant to personal health information, credit bureaus, telecommunications licensees, securities companies, and financial institutions).9 Vietnam Consent as a common principle Currently, Vietnam does not have a baseline legislation relating to personal data flows, but various texts apply.10 A common principle in the different texts that contain data protection provisions (in the absence of baseline data protection legislation) is that consent by the data subject is necessary to transfer data, irrespective of the implementation of data transfer mechanisms by the data exporter. Draft Data Protection Decree A proposal for a Draft Data Protection Decree was released on 27 December 2019 which would contain provisions on overseas data transfers.
9 David Duncan, ‘Jurisdictional Report: Thailand’ 11 in Regulation of Cross-Border Transfers of ‘Proposal to develop a Decree on personal data Personal Data in Asia (Asian Business Law protection’, released by the MPS on the e- Institute, 2018) at 388. Government portal on 27 December 2019:
21
In addition, in some systems (e.g. China and the Consent Data Protection Bill of India), consent alone is not a sufficient ground for data transfers—at least for transfers of specific categories of data, and other Obtaining an individual’s consent to transfer their conditions (e.g. approval by the public authority, data is a central building block of the vast majority implementation of additional data protection of data transfer regimes considered in this measures) apply. Review. Secondly, standards relating to consent also differ Consent requirements effectively play a role in from country to country. relation to overseas data transfers in Australia, Certainly, the general conditions for valid consent China, Hong Kong SAR, India, Indonesia, Japan, overlap across jurisdictions—i.e. by and large all Macau SAR, Malaysia, Philippines, Singapore, jurisdictions now require that consent must be South Korea, Thailand and Vietnam. The ‘free’, ‘specific’ (or ‘unbundled’), ‘informed’, and importance of consent requirements will be ‘unambiguous’. confirmed when the Data Protection Bills of India and Indonesia, and the Bill amending the Privacy These qualifications interoperate with the provisions relating to the definition of consent Act of New Zealand are passed. that applies throughout the Data Protection Law, Structural differences behind apparent for instance for the list of situations (or legal basis) commonalities in which personal data may be legally collected However, many differences emerge behind an and used, the circumstances in which personal image of apparent unity. In fact, there are such information may be used or disclosed for a important differences in the way ‘consent’ purpose other than the purpose it was collected requirements work in these different settings that for, the collection of so-called ‘sensitive data’ (in they effectively cancel out its potential jurisdictions where this category is recognised), advantages in terms of convergence actions - in children’s data, etc. any case for ongoing and systematic transfers However, these general requirements may vary at which underlie most fundamental business implementation level. To provide only two processes. examples: Firstly, a distinction must be made according to • A common acceptation of the term the legal force accorded to the individual’s ‘unambiguous consent’ is that consent should consent and its positioning in the structure of be express, possibly given in writing. However, each legal system. in some jurisdictions (e.g. Australia and Depending on the system, the individual’s prior Singapore), consent can occasionally be consent is: ‘deemed to be given’ or ‘implied’ from the facts of the case, which may include failure to • a systematic requisite for transferring data opt-out in some, but not all, circumstances. It (irrespective of, e.g., the implementation of a is possible that a similar interpretation could transfer mechanism like a contract, or the be retained in relation to data transfers in existence of a comparable level of protection other jurisdictions, but most jurisdictions have in the overseas destination); not provided such clarification. • a requirement in principle subject to a series • The concept of ‘informed consent’, which of exceptions (which may be more or less requires to provide different elements of limited); information to individuals before they express • one alternative among many different legal their consent in relation to data transfers, also grounds for transfers; or gives rise to variations in implementation. • irrelevant for an organisation to discharge its For example, in Australia and Thailand the data transfer obligations properly. exporting organisation should expressly ‘inform’ the individual that the same level of protection provided for under their respective domestic regimes will no longer apply after the data has been transferred overseas.
22
A comparable provision is to be soon adopted in Looking for ad hoc convergence actions New Zealand. In this context, it is certain that any form of legal Singapore, on the other hand, requires that the harmonisation of Asian data transfer laws around exporting organisation must give the individual a consent requirements is illusory. ‘reasonable summary in writing of the extent to This does not however preclude considering ad which the personal data to be transferred to that hoc, targeted convergence actions, which may country or territory will be protected to a standard allow organisations to resort to the consent comparable to the protection’ under Singapore solution in circumstances where consent can be law. In practice, save for specifically identified given lawfully and personal data can be transfers to a particular organisation, it is difficult transferred responsibly. to provide such information in sufficient detail, given that each recipient will likely have The following considerations should be weighed implemented different ways of protecting the in the balance: personal data. • lawmakers should refrain from making Thirdly, law reform processes tend to provide that consent compulsory in all circumstances and for consent to be valid, it must be freely-given, provide that other solutions may constitute an specific, informed but also ‘revocable’. alternative legal basis (in particular, specific This trend emphasises the need for individuals to commitments made by organisations). For the have real choice and control over their personal reasons mentioned above, consent will be an data and how it is used, and consequently adequate legal basis for data transfers only in companies must have mechanisms and residual circumstances, and in any case not for procedures in place to remove personal data recurrent or systematic transfers; from their database upon an individual’s request. • there would be real added value in seeking Whilst there may be a willingness to accept greater coherence between the conditions in consent as (literally) a tick box exercise in which consent-based transfers can take place formality in some jurisdictions, the trend towards in Asian legal systems. ‘revocable consent’ yet makes consent There is a shared concern across systems that unworkable as a legal ground for recurring consent requirements should not be turned into transfers in practice, unless organisations have a meaningless ‘tick the box’ exercise with no value twin servers, one onshore and one offshore, to for individuals, in terms, for instance, of enhanced allow data subjects to ‘toggle’ between where control and oversight, or facilitating the exercise they want their data - which is not how companies of their rights, and at the same time to avoid are currently setting themselves up. erecting huge operational barriers for In such cases, obligations requiring consent for organisations. overseas data transfers may effectively require In this respect, it is suggested that mandating in ‘localisation by default’ because where an the law itself how consent is to be provided is not individual refuses or withdraws his consent, the a viable option. question naturally arises—even where such an interpretation is far removed from the The level of details and the methods of providing consent would be better addressed in the context lawmaker’s original intention—whether the law requires servers on the ground. of a dialogue between industry and regulators which could lead to, e.g. the adoption of common Thus, it is common that practitioners advise findings by different national regulators on the organisations that rely on ongoing and systematic same case studies, or in the adoption of ‘Privacy transfers of data for their operations to use Codes’. The risk of conflict between different another method of data transfer (in practice, the consent requirements in the region could be alternative written data transfer agreement factored in such a dialogue. route)—to the extent that other mechanisms are available.
23
Status in Asia Hong Kong SAR YES (optional) For each jurisdiction, the applicability of consent under the Data Protection Law or Bill is expressed A ‘data user’ may transfer personal data to a place as YES (required) or YES (optional), where the outside Hong Kong when the data subject has individual’s consent is a systematic requirement consented in writing to the international transfer that may be waived only exceptionally or is one (PDPO, s 33(2)(b)). among several legal bases for transfers. It is Consent should be voluntarily given and not been expressed as NO, where obtaining the individual’s withdrawn by the data subject in writing consent is irrelevant in the structure of the (International Transfer Guidance, p.5). applicable legal regime. India (Act in force) Australia YES (optional) YES (optional) Sensitive personal data covered by the IT Rules Accountability principle in APP 8.1 does not apply may be transferred when the person has where the individual consents to the cross-border consented to the transfer, including third-party disclosure after the entity informs the individual data processors. This rule applies to both that APP 8.1 will no longer apply (APP Guidelines domestic and international data transfers at para. 8.27 ff). (IT Rule 7). The four key elements of consent are (APP In any circumstances the data subject’s consent is Guidelines, Chapter B ‘Key Concepts’, para. B.35): not in itself a sufficient legal ground to transfer • the individual is adequately informed before personal data to an overseas country, and the giving consent; level of protection that will apply to that data in the country of destination must be the same as • the individual gives consent voluntarily; the level of protection provided for under the IT • the consent is current and specific; and Rules (IT Rule 7). • the individual has the capacity to understand India (Data Protection Bill) and communicate their consent. YES (required) Each of these key elements are explained in detail Personal data qualified as ‘sensitive’ under the Bill in the APP Guidelines (B.36-58). may only be transferred outside India when China explicit consent is given by the data principal for such transfer (s 34(1)). YES (required) As in the framework currently in force consent is Informed consent of the individual is necessary to necessary but not sufficient for international transfer or disclose any persona data to a third transfers and additional measures apply (Bill, party (inside or outside China) (CSL Art 41). s 34(1)(a) or (b)). Consent may be obtained through ‘proactive’ (i.e. There are no legal consequences attached to the voluntary) personal actions but may occasionally collection of the individual’s consent with regard be implied from the data subject’s actions to the transfer of either critical personal data (Guidelines for Cross-Border Data Transfer (which must in principle stay on shore) or of Security of the National Information Security personal data which is neither sensitive nor Standardisation Technical Committee (TC260), critical (which is free to transfer, here again on the August 2017). assumption that there is legal basis for the Limited exceptions to consent for international processing in the first place). transfers may apply, but ‘security assessment’ requirements will in any case remain applicable.
24
Indonesia (in force) • The third exception is in relation to the YES (required) interconnection or so-called combination of data (PDPA, Art 4-1(10)), which is also subject The written consent of the ‘data owner’ is to the prior authorisation of OPDP. required to send his/her personal data outside Malaysia the territory of Indonesia, unless specific regulations apply (MCI 20/2016, Art 21(1)). YES (optional) Express opt-in is not explicitly required by Consent may operate as an exception to the Art 21(1) but is derived from MCI 20/2016 requirement that transfers may take place only to Art 1(4). places specified by the Minister (PDPA s Indonesia (Bill) 129(2)(a)). New Zealand (Act in force) YES (optional) NO (neither optional nor required) Transfers may take place if there is written approval from the owner of the personal data (Bill Consent would not currently appear to waive the Art 49(d)). Consent can also be verbal, provided requirements of existing privacy safeguards in the that it is recorded. country of destination. Japan The Privacy Act does not mention it, nor the YES (optional) Privacy Commissioner’s Fact Sheet on Part 11A. New Zealand (Bill) Consent is required, unless exceptions apply (APPI Art 24). YES (optional) For consent to be valid, the data subject must be An agency A may disclose personal information to clearly informed that the personal information a foreign person or entity B if the individual will be transferred to a third party in a foreign concerned ‘authorises the disclosure to after country, and be provided with all the information being expressly informed by A that B may not be necessary to decide whether to consent (e.g. the required to protect the information in a way that, foreign jurisdiction is identified or identifiable, or overall, provides comparable safeguards to those the circumstances in which such data transfer will in this Act’ (Bill IPP12(1)(a)). take place have been clarified). Philippines Macau SAR YES (optional) YES (optional) Data subject’s consent is neither required nor Unambiguous consent to data transfer may mentioned as a method for the data controller to derogate to the absence of adequate protection discharge its responsibility ‘for personal in destination country (PDPA Art 20(1)). information under its control and custody’ in the meaning of s 21 of the DPA. Such transfer must be notified to OPDP. However, the lawful criteria under ss 12 and 13 There are, however, three cases in which the data apply with equal force to data sharing, whether subject’s consent is not sufficient to transfer the data outside Macau:12 within or outside the Philippines. Consent is an example of such lawful criteria. Hence, it may be • The first two exceptions refer to sensitive considered as an option to transfer data overseas. data and to credit data (PDPA, Art 22(1)), Also, ‘data sharing shall be allowed in the private whose processing is subject to the prior sector if the data subject consents to data authorisation of the OPDP. Processing sharing’, and other conditions apply (data sharing (including transfer) of these two categories of shall be covered in a data sharing agreement) data is subject to prior authorisation by the (IRRs Rule 20(b), Principles for Data Sharing). OPDP, unless authorised by law;
12 Graça Saraiva, ibid at 206.
25
Consent for data sharing shall be required even • delegating processing; and when the data is to be shared with an affiliate or • onward transfer of data already transferred mother company, or similar relationships outside Korea to a third country. (s 20(b)(1)). Where personal information is sent abroad with Singapore consent, the provider shall also take ‘protective YES (optional) measures prescribed by Presidential Decree’ The requirements of PDPA s 26 may be satisfied if (Enforcement Decree of Network Act, Art 67). The the transferring organisation obtains the Presidential Decree has yet to be adopted. individual’s consent to the effect of transferring Currently user consent is required for transferring the data (Reg 9(3)(a)). data for outsourcing under the Network Act, but Consent cannot be used to waive the consent is not required for outsourcing under requirement of existing privacy safeguards in the PIPA. This distinction will be abolished when the country of destination. new framework kicks in on 5 August 2020. Consent will generally not be required for An individual is not taken to have consented to outsourcing purposes under either PIPA or the transfer of the individual’s personal data to a Network Act. country or territory outside Singapore (PDPA Reg 9(4)) if — Art 63 of the Network Act will be displaced and renumbered to PIPA (new Art 39(12)) on 5 August (a) The individual was not, before giving his 2020. consent, given a reasonable summary in writing of the extent to which the personal Thailand data to be transferred to that country or YES (optional) territory will be protected to a standard Under the recently adopted PDPA, obtaining the comparable to the protection under the data subject’s consent is one of the circumstances Act; in which the data controller may derogate to the (b) the transferring organisation required the rule that transfers may take place only to a individual to consent to the transfer as a destination country or international organisation condition of providing a product or service, that has adequate data protection standards unless the transfer is reasonably necessary (PDPA, s 28(2)). to provide the product or service to the Where consent is obtained, data subject must be individual; or informed of the inadequate data protection (c) The transferring organisation obtained or standards of the destination country or attempted to obtain the individual’s international organisation. consent for the transfer by providing false The conditions for obtaining valid consent are or misleading information about the defined in PDPA s 19 (‘General provisions’). transfer, or by using other deceptive or misleading practices. Vietnam South Korea YES (required) YES (required) A common principle in the different texts that contain data protection provisions (in the Consent is required to transfer personal data to absence of baseline data protection legislation) is any third party, whether locally or overseas (PIPA, that consent by the data subject is necessary to Art 17(1). Specific consent must be sought for transfer data, irrespective of the implementation transferring data overseas (PIPA, Art 17(3)). of data transfer mechanisms by the data Conditions for obtaining valid consent are exporter. prescribed in PIPA (Arts 17(2), 22).
‘ICSPs’ must obtain data subject’s consent (Network Act, Art 63), for: • providing data to third parties;
26
These jurisdictions generally permit transfers of ‘Adequacy’ & personal data to countries or organisations that ensure a roughly equivalent (‘comparable’, ‘adequate’, ‘substantially similar’ or ‘equal or ‘White Lists’ higher’) level of protection. This assessment would take the form of the Today, many data protection laws subject data adoption of ‘white lists’ by the public authorities transfers to the principle that ‘someone’ (most in the laws of four jurisdictions (Hong Kong SAR, often a public authority, sometimes the Japan, Macau SAR, and Malaysia) and two Bills transferring organisation) assesses the level of (India and New Zealand). protection in the country of destination with The Acts of Singapore and Thailand provide that regard to the processing of the imported data and the public authorities could set out the criteria for finds this level of protection satisfactory for assessing the level of protection in foreign compliance with the data transfer rules applicable jurisdictions in guidelines or ad hoc regulations to the data exporter. but do not literally provide for the adoption of When a public authority issues a positive finding white lists (such would be the intention in with regard to the level of protection of an Thailand, but in any case, not in Singapore). overseas jurisdiction, the latter may be The possibility of adopting a white list seems considered as providing an ‘adequate’, uncertain in the current wording of the Bill of ‘comparable, or ‘similar’ level of protection and Indonesia but should be clarified in a future put on a so-called ‘white list’, on the model of EU regulation. GDPR (Art 45). Malaysia’s PDPA currently allows for putting The geographical factor also plays a role in countries on white lists but to date has not legislations that do not follow the ‘adequacy- adopted such lists. An announcement was made model’ but are based on the OECD Privacy after a Consultation Paper sought feedback from Guidelines which allow data transfer restrictions the public on a draft white list of countries to where a country does not ‘substantially observe which personal data originating in Malaysia may the Guidelines’ or where the re-export of such be freely transferred.13 To-date the while list has data would circumvent its domestic privacy not been issued. and Malaysia is considering legislation, or for certain categories of personal removing this possibility in future amendments to data for which the destination country provides the PDPA. no ‘equivalent protection’. Recent developments in Asia The geographical factor in data transfer laws and regulations in Asia Recent developments indicate that there could be some traction in developing the The assessment of the level of protection offered interoperability of data protection frameworks in to an individual’s data at its destination is a the region through positive assessment findings, building block of the current data transfer or at least through the recognition of the same set regimes of eight jurisdictions (Australia, Hong of (substantive) principles adopted under Kong SAR, Japan, Macau SAR, Malaysia, New multiple Asian laws. For instance: Zealand, Singapore, and Thailand) and of the contemplated data transfer regimes of three jurisdictions (India, Indonesia and New Zealand).
Data to Places outside Malaysia) Order 2017’. 13 Public Consultation Paper No. 1/2017, ‘Personal Data Protection (Transfer of Personal
27
• On January 23, 2019, the Personal Information There would further be a great degree of Protection Commission of Japan14 and the geopolitical and economic interest from both European Commission15 announced the EU and India in granting the latter an adequacy adoption of mutual adequacy decisions, status ‘that would benefit investment, trade thereby creating the first mutual system for and security cooperation’.18 data flows that allows businesses to send Challenges of the ‘adequacy-model’ in Asia personal data back and forth between the EEA and Japan without the need to implement This option requires careful consideration of the additional data transfer mechanisms. respective strengths and limitations of the ‘adequacy’ and ‘white list’ approach in Asia.19 • Similar negotiations have been held between the EU and the Republic of Korea since 2015. In particular, accommodating jurisdictions with different approaches to data protection and data • Following the adoption of the EU-Japan flows in the region can be challenging. adequacy decision, the Dubai International Financial Centre (DIFC) has placed Japan on its Moreover, the capacities to commit a certain own white list (although the ‘supplementary level of resource to monitor such assessments rules’ negotiated to apply to EU data over time can be limited in some jurisdictions. transferred in Japan do not extend to Dubai As well, the criteria by which such an assessment 16 residents). is to take place are only rarely specified by either • New Zealand (which obtained EU adequacy the Data Protection Laws (whether passed or in status in December 2012) is updating its draft), their implementing regulations, or Privacy Act in order to ensure that it continues guidelines issued by the data protection to meet that adequacy standard. The law regulators. reform process includes the reinforcement of To promote interoperability, convergence should the Privacy Commissioner’s powers with not be done on the lowest common denominator regard to data transfers and contemplates (‘any data protection law’) but take account of the ‘prescribing countries and/or binding schemes’ most developed data protection frameworks of as providing comparable safeguards to those the region. in the Act (IPP 12).17 At the same time, the most advanced adequacy • In India, the White Paper released by the criteria mentioned in EU GDPR Art 45, as Justice BN Srikrishna Committee on 27 interpreted by the European Court of Justice and November 2017 generally opined that the the European Data Protection Board, are not fully adequacy test is ‘particularly beneficial’, and transposable to an Asian context. the proposed Data Protection Authority of India should therefore be able to determine it to ensure ‘a smooth two-way flow of information critical to a digital economy’.
14 ‘85th Personal Information Protection 16 “Adequate Data Protection Regimes’ Dubai Commission’, Personal Information Protection International Financial Centre, 2020 Commission, 18 January 2019
28
In the absence of a regional body to coordinate They require that all network operators must this creates a risk that different jurisdictions will apply for a security assessment of the draw contradictory conclusions regarding the contemplated transfers to the provincial branch same destination, which would be neither useful of the CAC for review (i.e. no differentiation nor desirable with regard cross-border depending on sensitivity levels). compliance and implementation of individuals’ It does not appear that the security assessment rights. will explicitly include an assessment of the level of Such practical concerns must be factored in the personal data protection in third countries assessment of the workability of such geography- (contrary to what was contemplated in a previous based solutions in some jurisdictions. version of the draft Measures). Hong Kong SAR Status in Asia YES For each jurisdiction, the applicability of White Data may freely flow to a place designated by the Lists or Adequacy Findings for data transfers is Privacy Commissioner for Personal Data (PCPD) as expressed as: having a ‘law substantially similar to or serving the • YES or NO where the legal regime either same purpose as’ the PDPO (i.e., a ‘White List confirms or excludes their applicability; Jurisdiction’) (PDPO s 33(2)(a)). • UNCERTAIN where the legal regime fails to Such place is specified by notice in the Gazette address the point straightforwardly; and (s 33(3)). • CONCEIVABLE where clarification could be India (Act in force) provided in implementing regulations or UNCERTAIN guidance, but the regulator (when there is one) has not provided such clarification. Sensitive personal data or information covered by the IT Rules may be transferred outside India only Australia to a foreign country that ‘ensures the same level NO of data protection that is adhered to by the body corporate as provided for under’ the IT Rules (IT The OAIC does not endorse ‘white lists’ or Rules, Rule 7). ‘adequacy findings’ so a subjective assessment by the APP entity exporting the data is required However, Rule 7 does not clarify by whom this under APP 8.1. assessment shall be made, nor the criteria by which the level of protection shall be assessed. China India (Bill) NO YES Where due to business requirements it is ‘truly necessary’ to provide personal information Different requirements apply depending on the outside PRC, CIIOs shall follow the measures nature of the personal data to be transferred. jointly formulated by the State cybersecurity and With regard to sensitive personal data, the informatization departments and the relevant Central Government, after consultation with the departments of the State Council (unless laws or Data Protection Authority of India (DPAI), may regulations provide otherwise) to conduct a allow the transfer to a country or, such entity or cross-border transfer security assessment (CSL class of entity in a country or, an international Art 37). organisation that provides an adequate level of The Cyberspace Administration of China (CAC) is protection (Bill, s 34(1)(b)): due to issue implementing regulations for the • having regard to the applicable laws and requirements in Art 37 of the CSL. The latest draft international agreements; and Cross-Border Transfer Assessment measures released by CAC (draft version 13 June 2019) are • when such transfer shall not prejudicially applicable to all ‘Network Operators’ (not only affect the enforcement of relevant laws by CIIOs) and ‘personal information’. authorities with appropriate jurisdictions.
29
With regard to critical personal data, the Central In considering whether to put specific countries Government may deem a transfer of critical on a ‘white list’, the PPC makes a judgment relying personal data to be permissible to a country or, on a series of ‘judgmental standards’ for the any entity or class of entity in a country or to an assessment of this level of protection: international organisation, when (Bill, s 34(2)(b)): • there are statutory provisions or codes • it has previously found that the country, equivalent to those relating to the obligations organisation, entity provides adequate of personal information handling business protection; and operators defined under the APPI, and the policies, procedures and systems to enforce • the transfer does not prejudicially affect the compliance with these rules can be security and strategic interest of the State. recognised; However, the Bill does not clarify by whom this • there is an independent personal data assessment shall be made, nor the criteria by protection authority, and the authority has which the level of protection shall be assessed. ensured necessary enforcement policies, Indonesia (Law in force) procedures and systems; UNCERTAIN • the necessity for a foreign country designation can be recognised as in Japan’s national It is not known if the Ministry of Communication interest; and Information (MCI) would assess the level of protection in certain countries (e.g. countries • mutual understanding, collaboration and co- with data protection laws) in the context of the operation are possible; and, coordination provided in MCI 20/2016 (Arts 21 • establishing a framework to pursue mutual and 22). smooth transfer of personal information, Indonesia (Bill) while seeking the protection thereof, is 20 CONCEIVABLE possible. Transfers may take place to a country or These standards were applied by the PPC in its international organisation that ‘has a personal decision of 18 January 2019, recognising that the data protection level that is equal to or higher European Union has established a ‘personal than this law ‘(Bill, Art 49(a)). information protection system’ based on standards equivalent to the standards of APPI in However, the Bill does not mention which entity regard to the protection of an individual’s rights in the government should make that assessment, and interests in Japan. and by which criteria. Such details would be provided in future regulations. Macau SAR Japan YES YES The Office of Personal Data Protection (OPDP) may decide that the legal system in the The Personal Information Protection Commission destination to which they are transferred ensures (PPC) of Japan can whitelist a foreign country an adequate level of protection (PDPA, Art 19(2) establishing a ‘personal information protection and (3)). system’ recognised to have equivalent standards to the standards in regard to the protection of an The adequacy of the level of protection shall be individual’s rights and interests in Japan (APPI Art assessed in the light of all the circumstances 24). surrounding a data transfer operation or set of data transfer operations.
20 Kaori Ishii and Fumio Shimpo, ‘Jurisdictional Report: Japan’ in Regulation of Cross-Border Transfers of Personal Data in Asia (Asian Business Law Institute, 2018) at 182.
30
Particular consideration shall be given to: However, the Privacy Commissioner may prohibit a transfer ‘if the information has been, or will be, • the nature of the data; received in New Zealand from another State and • the purpose and duration of the proposed is likely to be transferred to a third State where it processing operation or operations; will not be subject to a law providing comparable safeguards to this Act’ and ‘the transfer would be • the place of origin and place of final likely to lead to a contravention of the basic destination; principles of national application’ set out in Part 2 of the OECD Guidelines Governing the Protection • the rules of law, both general and sectoral, in of Privacy and Transborder Flows of Personal Data force in the destination in question; and (Privacy Act s 114B(1)(b), and Schedule 5). • the professional rules and security measures There is no formal process for recognising if the which are complied with in that destination receiving jurisdiction meets standards of (Art 19(2)). comparability at present. Such transfer need not be authorised by, or New Zealand (Privacy Bill) notified to the OPDP. YES Malaysia An agency may disclose personal information to a YES foreign person or entity if it believes on The ‘Minister’ (see below), upon the reasonable grounds that the recipient is ‘subject recommendation of the Commissioner, may to privacy laws of a prescribed country’ (IPP specify any place outside Malaysia to where data 12(1)(e)). may freely flow, where: ‘Prescribed country’ means a country specified in • there is in that place in force any ‘law which is regulations made under s 212B of the Bill. The substantially similar to this Act, or that serves responsible Minister may recommend to the the same purposes as PDPA’; or Governor-General the making of such regulations only if he/she is ‘satisfied that the countries have • that place ensures an adequate level of privacy laws that, overall, provide comparable protection in relation to the processing of safeguards to those in this Act’. personal data which is ‘at least equivalent to Philippines the level of protection afforded by PDPA’ (PDPA s 129(1)). NO ‘The Minister’ refers to the Minister ‘charged with Neither DPA nor IRRs refer to ‘white lists’ or the responsibility for the protection of personal ‘adequacy findings’, etc… . data’, currently the Communications and Proposed amendments to s 21 in House Bill No. Multimedia Minister (PDPA s 4). 5612 introduced in the House of Representatives The Commissioner is considering removal of the on 25 November 2019 do not modify the legal whitelist provisions above as part of the ongoing regime applicable to international transfers. PDPA review exercise. New Zealand (Act in force) NO The Privacy Act does not provide for the possibility to adopt white lists.
31
Singapore The provisions of ss 15(6) and 28, combined, seem to imply that the Committee may put some CONCEIVABLE jurisdictions or organisations which match the The general rule is that the exporting organisation standards defined by the Committee on a ‘white has taken ‘appropriate steps to ascertain list’, also by inference from Art 45(1) of EU GDPR whether, and to ensure that, the recipient of the after which the Act is modelled. personal data in that country or territory outside However, this possibility would have to be Singapore (if any) is bound by legally enforceable clarified by the Committee when it is obligations to provide to the transferred personal established. data a standard of protection that is at least comparable to the protection under the Act’ Vietnam (PDPA s 26). NO The Minister for Communications and None of the different texts that contain data Information could make regulations and PDPC protection provisions (in the absence of baseline could issue Advisory Guidelines setting out the data protection legislation) mention this criteria for assessment, but the PDPA does not possibility, nor is it known if the proposal for a literally provide for the adoption of white lists and Draft Data Protection Decree which would such would not be the intention. contain provisions on overseas data transfers South Korea would mention it. NO Neither the current framework on data transfers (in PIPA or Network Act), nor the amended Acts refer to ‘white lists’, ‘adequacy findings’, etc. However, it is anticipated that the newly amended PIPA could be further amended to cater for this possibility in the future. Thailand CONCEIVABLE In the event that the data controller sends or transfers the personal data to a foreign country, unless an exemption applies, the destination country or international organisation that receives such personal data must have an ‘adequate data protection standard’, and the transfer must be carried out in accordance with the rules for the protection of personal data as prescribed by the Committee (PDPA s 28). The Personal Data Protection Committee has the power ‘to announce and establish criteria for providing protection of personal data which is sent or transferred to a foreign country or international organisation’ (PDPA s 16(5)). It is also competent to decide on ‘problems with regard to the adequacy of data protection standards’ of a destination country or international organisation (PDPA s 28, last para).
32
For the purpose of achieving legal convergence in Self-Assessment Asia, self-assessment by the exporting organisation itself is not particularly useful as it does not ensure the compatibility of data by the Exporting protection frameworks—or then only Organisation superficially. Even where self-assessment is recognised as a valid option for cross-border data transfers, clear guidance is required on how the assessment is to Self-assessment by the exporting organisation of be done and who is qualified to do it. the destination country’s level of protection is currently possible in Australia, Hong Kong SAR, Singapore and (under its Privacy Bill) New Status in Asia Zealand. For each jurisdiction, the possibility for an In contrast, self-assessment is excluded in Japan, organisation to do a self-assessment of the level Macau SAR, Malaysia and (under its Data of data protection in a destination country is Protection Bill) India. expressed as: Whether self-assessment is available in Thailand • YES or NO where the legal regime either is not clear and still remains uncertain under confirms or excludes their applicability; Indonesia’s Data Protection Bill. The uncertainty in these two jurisdictions could be clarified by • UNCERTAIN where the legal regime fails to implementing further regulations or regulatory address the point straightforwardly; and guidance. • CONCEIVABLE where clarification could be Law practitioners have expressed the view that provided in implementing regulations or individually assessing the ‘adequacy’ of every guidance, but the regulator (when there is other country’s privacy regime creates a one) has not issued such clarification. substantial practical burden, especially when the Australia law does not list substantive standards to establish that the law of another jurisdiction YES offers a substantially similar level of data APP 8.1 does not apply where the entity protection.21 reasonably believes that the recipient is subject to Industry groups have also argued that such ‘a law, or binding scheme’ that is overall assessment is unrealistic and risks becoming ‘substantially similar to the way in which the APPs immediately obsolete due to changing protect the information’, and there are circumstances on the ground and that, if such a mechanisms available to the individual to enforce task were achievable and the necessary expertise that protection (APP 8.2(a)). and language skills available, the theoretical legal ‘adequacy’ of a particular regime does not address issues such as actual compliance, enforcement or enforceability in the evaluated jurisdictions.22
21 Peter Leonard, ‘Jurisdictional Report: Australia’ 22 Essential Legislative Approaches for Enabling in Regulation of Cross-Border Transfers of Cross-Border Data Transfers in a Global Personal Data in Asia (Asian Business Law Economy: Centre for Information Policy Institute, 2018) at 52. Leadership White Paper, 25 September 2017 at
33
China the data transfer restrictions. Mere subjective belief will not suffice. A data user must be able to NO demonstrate its grounds of belief are reasonable Where due to business requirements it is ‘truly if challenged. Reference may be made to the necessary’ to provide personal information methodology adopted by the Commissioner in outside China, CIIOs shall follow the measures compiling the White List (International Transfer jointly formulated by the State cybersecurity and Guidance at 4). informatization departments and the relevant India (Act in force) departments of the State Council (unless laws or regulations provide otherwise) to conduct a UNCERTAIN cross-border transfer security assessment Sensitive personal data or information covered by (Cybersecurity Law Art 37). the IT Rules may be transferred outside India only The CAC is due to issue implementing regulations to a foreign country that ‘ensures the same level for the requirements in Art 37 CSL. The latest of data protection that is adhered to by the body draft Cross-Border Transfer Assessment corporate as provided for under’ the IT Rules (IT measures released by CAC (draft version June 13, Rules, Rule 7). 2019) are applicable to all Network Operators However, Rule 7 does not clarify whether this (not only CIIOs) and personal information. assessment shall be made by the exporting The prior draft Measures (April 2017, revised in organisation, nor the criteria by which the level of May and August 2017) provided for a self- protection shall be assessed. assessment of the contemplated transfers and India (Data Protection Bill) that the authorities would make such assessments only in specific cases. It is possible NO that such ‘self-assessment’ could have included Only the Central Government can make positive an assessment of the level of protection of the assessments based on either ss 4(1)(b) or 34(2)(b) country of destination. of the Bill. However, the last draft of June 13, 2019 comes Indonesia (Law in force) back on this position and requires that all Network Operators must apply for a security UNCERTAIN assessment of the contemplated transfers to the It is not known if the assessment by an ESP that provincial branch of the CAC for review (i.e. no the data transfers take place to countries with a differentiation depending on sensitivity levels). certain level of protection (e.g. countries with Hong Kong SAR data protection laws) would be a positive factor if regulatory scrutiny were applied in the context of YES the coordination provided in Regulation 20/2016, A data user may transfer data to jurisdictions Arts 21 and 22. which have not been white listed by PCPD where Indonesia (Bill) it has ‘reasonable grounds for believing that there is in force in the place of transfer a law which is CONCEIVABLE substantially similar to or serves the same purpose The country or international organisation has ‘a as’ the PDPO (PDPO s 33(2)(b)). personal data protection level that is equal to or To satisfy such requirement, a data user is higher than this law’ (Bill, Art 49(a)). expected to undertake professional assessment Since the Bill does not mention which entity and evaluation on its own of the data protection should make that assessment, it is conceivable regime where the intended recipient is located. that the data exporter can make his own Such assessment should take into consideration assessment. However, it is doubtful if such were various factors including the scope of application the intention of the Government. The Bill also of the data privacy regime, the existence of does not mention by which criteria this equivalent provisions of the Data Protection assessment should be made. Principles in the Ordinance, the data subjects’ Such specifications would be provided in future rights and redress, the level of compliance and regulations.
34
Japan Philippines NO NO Only the PPC can make positive assessments (i.e. Neither the DPA nor the IRRs mention the level of put a foreign country on a white list) (APPI Art 24). data protection in an overseas destination as a relevant factor for a controller to assess its Macau SAR responsibility for transferring personal NO information under its control and custody, in the It is for the public authority to decide whether ‘a meaning of DPA s 21. legal system ensures an adequate level of Singapore protection’ (PDPA Art 19(2) and (3)). YES The adequacy of the level of protection shall be Assessment of the standard of protection in the assessed in the light of all the circumstances country or territory of destination may be done surrounding a data transfer operation or set of by the exporting organisation itself (PDPA, s 26). data transfer operations. Regarding Cloud Services, for instance, the PDPC Particular consideration shall be given to: Guidelines have clarified that an organisation • the nature of the data, ‘should ensure that any overseas transfer of personal data as a result of engaging a CSP will be • the purpose and duration of the proposed done in accordance with the requirements under processing operation or operations, the PDPA’, namely, the organisation could ensure • the place of origin and place of final that the CSP it uses ‘only transfers data to destination, locations with comparable data protection regimes’, or has legally enforceable obligations to • the rules of law, both general and sectoral, in ensure a comparable standard of protection for force in the destination in question, and the transferred personal data (PDPC Guidelines, • the professional rules and security measures Chapter 8, para. 8.4). which are complied with in that destination South Korea (Art19(2)). NO Such transfer need not be authorised by, or notified to OPDP. Neither the current nor the amended framework currently cater for this possibility. Malaysia Thailand NO CONCEIVABLE Only the Minister can make related specifications (PDPA s 129(1)). In the event that the data controller sends or transfers the personal data to a foreign country, New Zealand (Law in force) unless an exemption applies, the destination NO country or international organisation that receives such personal data must have an The Privacy Act does not cater for this possibility. ‘adequate data protection standard’, and the New Zealand (Privacy Bill) transfer must be carried out in accordance with YES the rules for the protection of Personal Data as prescribed by the Committee (PDPA, s 28). An agency may disclose personal information to a foreign person or entity if ‘it believes on The Personal Data Protection Committee has the reasonable grounds that the recipient is subject to power ‘to announce and establish criteria for privacy laws that, overall, provide comparable providing protection of personal data which is safeguards to those in’ the Privacy Act (IPP sent or transferred to a foreign country or 12(1)(c)). international organisation’ (PDPA, s 16(5)).
35
The wording of ss 16(5) and 28, combined, do not appear to rule out the possibility that the exporting organisation may self-assess the level of protection in the country of destination, provided it follows the criteria and rules prescribed by the Committee. However, this possibility would have to be clarified by the Committee when it is established. Vietnam NO None of the different texts that contain data protection provisions (in the absence of baseline data protection legislation) mention this possibility. It is not known if the proposed Draft Data Protection Decree would contain provisions on data transfers that would mention it.
36
Although there is no hard information on this Contractual point, in effect, contracts would be the most widely used transfer mechanism, in Asia and globally (even when data transfer obligations Safeguards could be discharged otherwise). There would thus be great traction in seeking to ‘Contracts’ and ‘data transfer agreements’ which make contractual safeguards compatible provide that the personal data will be subject to between Asian jurisdictions, and beyond. appropriate safeguards after their transfer to Regulatory guidance and model clauses overseas jurisdictions are widely recognised as a valid means for an organisation to discharge their Substantive guidance has been issued by Asian obligations under data transfer provisions regulators on contractual measures for cross- globally. border data transfers, which is often a mix of recommendations for transfer for processing Back in 2000, the OECD already noted that ‘the purposes or for other purposes. idea of using contracts for Trans-Border Data Flows has been around for some time’, citing the In practice, it would appear that the different sets Council of Europe Model Contract (1992) later of EU Standard Contractual Clauses (SCCs) are revised by the International Chamber of often used as a reference, with adaptations. Commerce (ICC).23 However, EU SCCs are sometimes considered excessive, relative to the situations in jurisdictions This recognition builds on the admission that with no data protection legislation. Such clauses contractual provisions that address compliance generally would then impose additional with a data controller’s privacy policies and obligations and liability on data exporters in practices belong to the standard safeguards that comparison to what is applicable to the data are often necessary in relationships with other exporter by virtue of statute.24 data controllers, including where their responsibility is shared in a cross-border context. This appreciation could evolve, however, as more Data Protection Laws are passed in the region. Wide recognition of the validity of contracts on Model clauses and detailed guidance on the personal data transfer in Asia content of contracts are generally recognised by Ten jurisdictions (Australia, Hong Kong SAR, practitioners as useful to alleviate the significant Japan, Macau SAR, Malaysia, New Zealand, burden involved with writing contracts (or Philippines, Singapore, South Korea, and deciding whether to accept contracts prepared by Thailand) explicitly or implicitly recognise that others), especially if the parties are willing to appropriate safeguards may be provided by adopt model contractual clauses verbatim (where ‘transfer contracts’ or ad hoc contractual they are available). provisions where processing is the purpose of For this reason, several regulators in the region data transfer. have issued model contractual clauses (e.g. Hong Four other jurisdictions (China, India, Indonesia Kong SAR) or guidelines (e.g. Australia and and New Zealand) are contemplating explicit legal Singapore), which are fairly prescriptive on the recognition of contractual provisions for this protections which such contracts should contain. purpose, although in different configurations. Recently, the Hong Kong Privacy Commissioner has announced that it will publish an updated data transfer guidance in mid-2020 with enhanced user-friendliness and additional
23 OECD (2000), ‘Trans-border Data Flow 24 David Duncan, ibid at 121. Contracts in the Wider Framework of Mechanisms for Privacy Protection on Global Networks’, DSTI/ICCP/REG(99)15/FINAL, OECD Digital Economy Papers, No. 66, OECD Publishing, Paris at 14.
37
guidance towards data users, especially SMEs, by By contrast, a right for an individual to enforce a introducing two sets of new recommended model contractual right through an ability to institute clauses (including data transfers between ‘data legal proceedings is unlikely to be regarded as an user and data user’ as well as ‘data user and data effective enforcement mechanism in Australia.25 processor’) for their adoption in formulating data The issues affecting the recourse of the individual transfer agreements. under B to B contracts have been considered in On 11 May 2020, the Office of the Privacy detail by the OECD,26 building in particular (but Commissioner of New Zealand has announced not only) on the experience of the negotiations that it is working on developing a model set of between the EU and the International Chamber of contract clauses for New Zealand agencies, on Commerce on the EU SCCs eventually adopted in which it will publicly consult in August 2020. 2001, 2004 and 2010. It is also worth underlining that ASEAN Members Transfers to ‘processors’ are contemplating the development of ad hoc In practice, all Asian laws require contracts for model clauses for data transfers as one of the framing data transfers to (sub)processors (or components of the ASEAN Cross-border Data ‘intermediaries’ or ‘contractors’, depending on Flow Mechanism. applicable terminology), particularly for the Recourse of the individual purpose of overseas processing, outsourcing and storage (e.g. a Service Agreement or other Our comparative Review shows that there is a instrument meeting the same requirements). common expectation that transfer agreements should make special provisions for the recourse of The relationship between the parties must be individuals whose data are transferred. governed by a ‘contract’ or ‘legal act’ that stipulates in particular that the processor shall act However, there is no uniformity on how such only on instructions from the controller and that rights should be protected in practice. Depending the obligations referred shall also be incumbent on the legal systems under consideration, the on the processor. Sub-processing is possible only interests of individuals may be protected in varied with the prior agreement of the data controller. ways, such as: Occasionally, there are provisions for a set of • an explicit requirement that data protection requirements that should be included in guarantees should be enforceable by data outsourcing or subcontracting agreements, subjects through a third-party beneficiary including those involving data transfers, e.g. in clause (e.g. Hong Kong SAR, Macau SAR, Philippines, a global hub for the Business Thailand and China’s draft cross border Processing Outsourcing (BPO) industry. transfer assessment measures); Cloud Service Providers (CSPs) • a right to obtain compensation for breach of the contract (e.g. Hong Kong SAR, China’s Guidance on transfer contracts concluded with draft cross border transfer assessment overseas parties for processing must usually be measures); read in complement to guidance on Outsourcing or Cloud Computing dealing in particular with • a general provision that the protection of the issues related to the responsibility of the data data subject’s rights should be ‘effective’, exporter (for instance, issues relating to liability including in relation to onward transfers (data and indemnity, or provisions that set out how protection bill of India); and personal data is to be erased or returned to data users upon data user requests, contract • a requirement that data sharing agreements completion or contract termination). shall ‘uphold rights of data subjects’ (Philippines).
26 OECD (2000), ‘Trans-border Data Flow 25 ‘Australian Privacy Principles Guidelines’, Office Contracts in the Wider Framework of of the Australian Information Commissioner, Mechanisms for Privacy Protection on Global July 2019 at paras 8.25–8.26. Networks’, ibid at 17.
38
Several jurisdictions (e.g. Singapore, South Korea • warranties, rights and obligations of the and Hong Kong SAR) have thus published parties (including with regard to management guidance (general or sectoral) in relation to of data breach notification procedures); contractual arrangements with CSPs and, in particular, the parties’ respective responsibilities • measures to ensure that the data protection regarding data privacy and personal data transfer rights of individuals are implemented regulations. overseas; A common rule is that any organisation that • recourse of individuals, complaints and engages a CSP is responsible for complying with compliance mechanisms; obligations in respect of any overseas data • transfers in using the CSP’s cloud services. liability and enforceability by third parties; Paths of convergence • applicable law; and Contracts certainly are the most promising • dispute resolution. avenue of cooperation for increasing the At the same time, model contracts or standard compatibility of Asian data transfer regimes. clauses should allow for flexibility in They are recognised as a valid transfer implementation (e.g. allowing for data protection mechanism in all jurisdictions and in contrast with clauses to be inserted into master or multi-party more complex, innovative schemes, their agreements; allowing variation of model clauses enforceability as a binding legal instrument is to accommodate different industries and sectors certain under any national framework, including or specific data, etc). in a cross-border context. Moreover, their To strike this balance, regulators may build on geographical reach is not limited. various work that has been undertaken in this Convergence would therefore be advanced if area including: regulators would agree to a set of contractual • the long history of contractual solutions for data privacy and security controls that data transfers;27 organisations may implement to establish sufficient levels of protection for data leaving • the substantive experience developed in their jurisdictions. This could be useful in creating other regions, namely in Europe (i.e., either a greater variety of options for the transfer of EU SCCs approved by the European data internationally—provided global, regional Commission, or clauses adopted by the and sub-regional frameworks are consistent to national authorities under EU GDPR Art 46) avoid adding more layers of complexity. and recommendations made by cross-border Based on a comparative analysis of applicable businesses on their implementation; requirements in the region, such contractual • the existing guidance issued by Asian controls should contain at least the following regulators on such matters, for instance in information: Australia, Hong Kong SAR, and Singapore;
• description of envisaged transfers; • lessons to be learnt from work ongoing • applicable data protection principles; on model contractual clauses at ASEAN in the context of the implementation of the ASEAN cross border data transfer mechanism;28 and
27 OECD (2000), ‘Transborder Data Flow 28 Key Approaches for ASEAN Cross-border Data Contracts in the Wider Framework of Flows Mechanism adopted at the 19th ASEAN Mechanisms for Privacy Protection on Global Telecommunications and Information Networks’, ibid at 14 Technology Ministers’ Meeting (TELMIN), Vientiane, October 2019.
39
• data protection clauses used in specific The draft Measures set out the terms and industries (e.g. Cloud computing, health, conditions required to be in contracts between banking and finance, and BPO). data transferors and offshore data recipients (Arts 13–16). The combination of contracts with other data transfer mechanisms considered in this study, The detailed obligations are broadly similar to the such as BCRs, codes of conduct, or certification, EU SCCs, with differences relating to could also be explored. compensation to data subjects and onward transfers. Data subjects should be beneficiaries under the contract but could also obtain Status in Asia compensation in case of breach by any of the For each jurisdiction, the applicability of parties or both (unless the parties can prove that Contractual Safeguards for data transfers under they are not liable, thus reverting the burden of the Data Protection Law or Bill is expressed as: proof). • YES where the legal regime explicitly confirms Hong Kong SAR their applicability; YES • NO where the legal regime is silent on their ‘Enforceable contract clauses’ may constitute applicability; ‘reasonable precautions’ and ‘due diligence’ to • UNCERTAIN where the legal regime fails to ensure that the data will not be transferred in address the point straightforwardly; and contradiction with s 33 PDPO (s 33(2)(f); International Transfer Guidance, incl. • CONCEIVABLE where clarification could be Recommended Model Clauses, p.7). Since the provided in implementing regulations or contractual provision has been twinned with the guidance, but the regulator (when there is due diligence requirement, a contract alone is one) has not provided such clarification. usually not sufficient in practice. Australia In 2014 the PCPD published a set of YES Recommended Model Clauses for transfers outside Hong Kong which distinguish between To discharge the Accountability Principle in APP ‘core clauses’ (parties’ obligations, liability and 8.1 it is generally expected that an APP entity will indemnity, settlement of disputes, termination) enter into an enforceable contractual and ‘additional clauses’ (on third party rights and arrangement with the overseas recipient that additional obligations of the transferee). requires the recipient to handle personal information in accordance with the APPs (APP However, the Privacy Commissioner has Guidelines, para. 8.16). announced that it will publish an updated data transfer guidance in mid-2020 with enhanced Contractual measures under s 95B will generally user-friendliness and additional guidance satisfy the requirement in APP 8.1. (APP towards organisational data users, especially the Guidelines at para. 8.18). SMEs, by introducing two sets of new China recommended model clauses (including data transfers between ‘data user and data user’ as YES well as ‘data user and data processor’) for their The draft Cross-Border Transfer Assessment adoption in formulating transfer agreements. measures provide that the elements to be The current clauses may be adapted and/or notified to the provincial CAC for assessing the included in a data transfer agreement. Parties are security of the transfer must provide, among advised to make adaptations or additions others, ‘the contract entered into between the according to their own commercial needs. These network operator and the recipient’ (Art 4). clauses can be incorporated into a wider The contract will be part of the elements assessed agreement such as an outsourcing agreement. by CAC, with a focus on whether the terms of the The clauses may be adapted into a multi-party contract can fully safeguard the legitimate rights agreement. and interests of the data subject.
40
India (Act in force) Japan UNCERTAIN YES It is unclear whether contractual protections Transfers may take place on the basis of a between the exporting and importing contract if such a contract ‘ensures, in relation to organisations would be considered as a valid the handling of personal data by the person who means for a data exporter to demonstrate that receives the provision, the implementation of the ‘same level of data protection’ applies in the measures in line with the purpose of the provisions country of destination as in India in the meaning under APPI by an appropriate and reasonable of IT Rule 7. method’ (APPI Art 24). India (Data Protection Bill) Macau SAR YES YES (For sensitive personal data only, s 34(1)(a)) The OPDP may authorise transfers where the controller adduces ‘adequate safeguards’, Sensitive data may be transferred for the purpose ‘particularly by means of appropriate contractual of processing where the transfer is made clauses’ (Art 20(2)). ‘pursuant to a contract approved by the Authority’ which makes the provisions for: Such transfer must be authorised by OPDP. (i) effective protection of data principal’s Malaysia rights, including in relation to onward YES (implicit) transfers; and The data user should ‘take all reasonable (ii) liability of the data fiduciary for harm precautions and exercise all due diligence’ to caused due to non-compliance. ensure that the data will be adequately protected Consent requirements would still apply (Bill, overseas, which implicitly refers to the conclusion s 34(1)). of contracts (PDPA s 129(2)(f)). Indonesia (Law in force) Contracts are further mentioned as such safeguards in sectoral Codes of conduct approved UNCERTAIN by the Commissioner. It is not known if the existence of ad hoc New Zealand (Act in force) contractual provisions relating to the level of data protection applied by the importing organisation YES in the country of destination would be a positive Contractual provisions governing handling of factor in the context of ensuring ‘coordination personal data are common although they are not with the Ministry’ under Art 22 of MCI 20/2016. mentioned in the Privacy Act itself. Indonesia (Bill pending) The EU model clauses are referred to in the Fact YES Sheet on Part 11A of the Privacy Act 1993 as ‘associated schemes established under the The transfer may take place when there is ‘an international instruments which, although not agreement’ between the Personal Data Controller being privacy laws of a State, may nonetheless and a third party outside the territory of the provide comparable safeguards.’ Unitary State of the Republic of Indonesia (Bill, Art 49(c)).
41
New Zealand (Bill pending) Singapore YES YES An agency may disclose personal information to a ‘Legally enforceable obligations’ that provide a foreign person or entity if it believes on level of protection comparable to PDPA include reasonable grounds that the recipient is ‘required obligations that can be imposed on the recipient to protect the information in a way that, overall, by ‘a contract’ (PDPC Reg.10(1)(b)). provides comparable safeguards to those in this Any contract must (PDPC Reg.10(2); PDPC AG, Act (for example, pursuant to an agreement Chapter 19.2): entered into’ between agency and recipient) (IPP 12(1)(f)). (i) require the recipient to ‘provide to the personal data transferred to the recipient a Philippines standard of protection that is at least YES (implicit) comparable to the protection under the PDPA’; and Neither DPA nor IRRs explicitly provide that the implementation of contractual safeguards can (ii) specify ‘the countries and territories to discharge the responsibility of an organisation for which the personal data may be exporting ‘personal information originally under transferred under the contract’. its custody or its control’. In setting out contractual clauses that require the However, this is subsumed in s 21 DPA and s 44 recipient to comply with a standard of protection IRRs that specify data protection requirements for ‘at least comparable to the protection under the Outsourcing Agreements and contemplate both PDPA,’ a transferring organisation should local and international data sharing. minimally set out protections with regard to ‘areas of protection’ listed in a table provided in IRRs s 20(b)(2) prescribes that data sharing ‘for PDPC AG (Chapter 19.5 of PDPC AG). commercial purposes, including direct marketing, shall be covered by a data sharing agreement.’ Regarding the Cloud Services industry, an organisation may be considered to have taken The data sharing agreement shall establish appropriate measures to comply with the TLO by adequate safeguards for data privacy and security ensuring that ‘the recipients (e.g. data centres or and uphold rights of data subjects. It shall be sub-processors) in these locations are legally subject to review by the Commission, on its own bound by similar contractual standards’29 initiative or upon complaint of data subject. (Chapter 8 of PDPC AG (‘Cloud Services’)). Regarding data transfer for processing s 21(a) DPA requires the controller to use ‘contractual or other reasonable means to provide a comparable level of protection while information is being processed by a third party’.
29 See In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 and Spize Concepts Pte Ltd [2019] SGPDPC 22 (4 July 2019) at paras. 25 and ff.
42
South Korea Contracts could offer ‘suitable protection measures which enable the enforcement of the YES data subject’s rights, including effective legal Neither the current nor the amended PIPA or remedial measures’ if the rules and methods to be Network Act explicitly refer to contracts for data prescribed and announced by the Committee so transfers. However, the interpretation is that allow. contracts are necessary. Vietnam The PIPA does not require the data exporter to NO enter into a contract, nor does it specifically mention the use of contracts for overseas data The conclusion of contracts for transfers (locally transfers, but it prohibits the importer from or to overseas) is standard practice but currently ‘entering into a contract which would not be not required by law. compliant with applicable laws.’ It is not known if the proposal for a Draft Data The Network Act requires certain items to be Protection Decree would contain provisions on included in a contract for the transfer of personal overseas data transfers which would mention information, irrespective of the status of the contracts. recipient (local or foreign). The Enforcement Decree also provides that ICSPs must, in advance, reach an agreement on the ‘protective measures’ which will be applied by the overseas recipient and reflect such agreement ‘in the relevant contract’ (Art 67(3)). Such measures include: • technical and administrative measures for protecting personal information; • measures for settling grievances and resolving disputes on the infringement of personal information; and • other measures necessary for protecting users’ personal information. Referring to these provisions, it is generally interpreted that a data exporter shall conclude a contract with the importer, as well as obtain the user’s consent. Thailand YES (implicit) When PDPA Chapter 3 comes into force data may be transferred to a foreign country or international organisation in the absence of an adequacy decision where the receiving controller or processor provides ‘suitable protection measures which enable the enforcement of the data subject’s rights, including effective legal remedial measures according to the rules and methods as prescribed and announced by the Committee’ (PDPA s 29(3)).
43
• ‘BCR-Processors’ (BCR-P) apply to data Binding Corporate received from a Controller subject to data transfer restrictions which is not a member of the group and then processed by the Rules concerned group members as Processors and/or Sub-processors. ‘BCRs’, ‘internal rules’, ‘intra-group schemes, Transfers may take place on the basis of BCRs policy or safeguards for intra-group transfers’ (or within a group of undertakings, or ‘group of equivalent terminologies, hereinafter ‘BCRs’) are enterprises engaged in a joint economic activity’ now also recognised (or could be recognised) as a (EU GDPR Art 4(20)). valid data transfer mechanism in several Asian BCRs are required to be approved by the data Data Protection Laws. There could thus be protection authority (DPA) in each EU Member traction in seeking to make BCRs compatible State in which the organisation will rely on the between multiple Asian jurisdictions, and beyond, BCRs, in accordance with the so-called subject to an expression of business interest. consistency mechanism if the approval process BCRs have been developed in the EU as a cross- involves DPAs from more than one Member State border transfer mechanism consistent with the (Art 63). To that extent, they are a form of transfer requirements in Directive 95/46/EC (Art certification 25), now in EU GDPR (Art 47). Given the cost of implementing BCRs (both in They are data protection policies adhered to by terms of finance and resourcing) in comparison companies for transfers of personal data within a with using e.g. model contracts, BCRs are group of undertakings or enterprises. Their key beneficial for companies that do so many elements are fairly standardised under EU law. complex transfers globally that they become cost- Similar to a code of conduct, they ensure effective. For the same reason, they are usually compliance with local law, as well as adequate considered maladapted to SMEs. In the long run, protection for data transferred across borders. experience would show that—at least in an EU They establish uniform internal rules for context—compliance costs will generally be less transferring personal data across the corporate than the cost of other ways of handling complex group and are binding on all relevant entities and intra-group transfers.30 personnel in the group. BCRs and internal rules in Asian laws They also require a comprehensive privacy Several Asian Data Protection Laws allow cross- program and compliance infrastructure, including border transfers based on ‘internal rules’ or governance mechanisms, data protection officers ‘binding corporate rules’ that provide for uniform (DPOs), policies and procedures, training and and high-level protection and privacy compliance communication, audits and assessments and, in by all local entities of a multinational group, general, follow the essential elements of among other data transfer mechanisms and accountability and corporate compliance schemes. programs. Such rules are explicitly recognised as a valid data Under EU law there exist two types of BCRs: transfer mechanism in the laws of, or regulatory • ‘BCR-Controllers’ (BCR-C) are suitable for guidance issued in six jurisdictions (Australia, framing transfers of personal data from Hong Kong SAR, Japan, New Zealand, Singapore, Controllers subject to transfer restrictions to and Thailand) and in India’s Data Protection Bill. other Controllers or to Processors (established BCRs could further be read in the laws of Macau overseas) within the same group; and SAR, Malaysia and Philippines, as well as the Data Protection Bills of Indonesia and New Zealand.
30 Data Protection and Privacy 2019 (Allen & porate_and_m_and_a/data_protection/data_p Overy, 2019) rotection_and_privacy_november_2019.pdf> 44 Unique among our Review (but somehow consistent with the European experience), Status in Asia Thailand’s PDPA and India’s Data Protection Bill For each jurisdiction, the applicability of Binding require that any such rules are approved by the Corporate Rules for data transfers under the Data public authority prior to implementation. Protection Law or Bill is expressed as: However, no particular clarification has been • YES where the legal regime explicitly confirms provided in any of these jurisdictions on whether their applicability; different types of BCRs (i.e., BCR-C or BCR-P) would be acceptable, or if transfers may take • NO where the legal regime is silent their place on the basis of BCRs only within a group of applicability; undertakings, or within a larger group of • UNCERTAIN where the legal regime fails to enterprises engaged in a joint economic activity address the point straightforwardly; and on the model of EU GDPR Art 4(20). • CONCEIVABLE where clarification could be Exploring the potential of BCRs in Asian laws provided in implementing regulations or Up until now, Asian regulators have tended to guidance, but the regulator (when there is steer away from promoting the use of binding one) has not provided such clarification. corporate rules. In fact, the strengths and Australia limitations of BCRs have been assessed only in the European context where they have originally YES developed, and which are often irrelevant in an APP 8.1 does not apply where the entity 31 Asian context. Rather than an opposition to reasonably believes that the recipient is subject to such a solution in principle, however, it would a ‘binding scheme that is overall substantially seem that the lack of interest can be attributed to similar to the APPs’, and there are mechanisms the perception that BCRS are an ‘EU solution’ that available to the individual to enforce that cannot be readily transposed into Asia, in protection (APP 8.2(a)). particular because of the administrative requirements applicable under the EU An overseas recipient may be subject to a binding cooperation procedure. scheme where, for example, it is ‘subject to Binding Corporate Rules (BCRs)’ (APP Guidelines, Leaving the administrative aspects aside, the para 8.21) expansion of BCRs into Asia could be explored, starting with determining whether there is a China demand for this mechanism from companies UNCERTAIN operating in Asia (irrespective of whether they have already put such rules in place for personal The draft Cross-Border Transfer Assessment data transfers from their EU entities). measures provide that the elements to be notified to the provincial CAC for assessing the security of the transfer must provide, among others, ‘the contract entered into between the network operator and the recipient’ (Art 4). In contrast, Art 13 of the draft measures refers to ‘the contracts or other legally binding measures (‘the Contracts’)’. One could argue that BCRs, if they are effectively ‘binding’ under Chinese law and contain the required elements in the draft measures, could be a positive factor for the purpose of the security assessment by CAC. 31 Because BCRs have to be approved by EU Data process of coordinating several, if not all EU Protection Authorities, the process can take a DPAs within the same procedure. long time (one year in average), due to the 45 Hong Kong SAR Indonesia (Bill pending) YES CONCEIVABLE ‘Adopting internal safeguards, policy and It is not certain that BCRs would be covered by Art procedures for intra-group transfers’ can 49(b) providing that transfers can take place constitute ‘reasonable precautions’ and ‘due when there is ‘an agreement’ between the diligence’ to satisfy the conditions for transfers controller and an overseas third party, for under s 33 of the PDPO (cf. PDPO s 33(2)(f) and instance when an intra-group agreement would PCPD’s International Transfer Guidance at 7). support the BCRs. Such clarification would need to be made by further implementing regulations India (Act in force) or guidance. UNCERTAIN Japan It is unclear whether the existence of binding YES corporate rules within a company group or a group of companies involved in joint economic Transfers may take place on the basis of internal activity would be considered as a valid means for rules if such internal rules ‘ensure, in relation to a data exporter to demonstrate that the ‘same the handling of personal data by the person who level of data protection’ applies in the country of receives the provision, the implementation of destination as in India in the meaning of IT Rule 7. measures in line with the purpose of the provisions under APPI by an appropriate and reasonable India (Data Protection Bill) method’ (APPI Art 24). YES Macau SAR Sensitive personal data may be transferred for the CONCEIVABLE purpose of processing where the transfer is made ‘pursuant to an intra-group scheme approved by It is uncertain, but conceivable that the OPDP the Authority’ which makes the provision for: could take the decision to authorize a transfer based on the consideration that BCRs or internal • effective protection of data principal’s rights, rules would constitute ‘adequate safeguards’ in including in relation to onward transfers; and the meaning of Art 20 PDPA. • liability of the data fiduciary for harm caused Such transfer would have to be authorised by due to non-compliance. OPDP. Consent requirements still apply (s 34(1)). Malaysia This provision applies to ‘sensitive personal data’ CONCEIVABLE (Bill s 34(1)(a)) but does not apply to ‘critical personal data’, nor to data that is neither It is uncertain, but conceivable that the sensitive nor critical under the Bill. Commissioner would recognise BCRs and internal rules as ‘reasonable precautions’ and measures of Indonesia (Law in force) ‘due diligence’ in the meaning of s 129(2)(f) of the UNCERTAIN PDPA. It is not known if the existence of BCRs or New Zealand (Act in force) corporate rules that bind the importing YES organisation to ensure a certain level of data protection in the country of destination would be BCRs are not mentioned in the Privacy Act itself a positive factor in the context of ensuring but they are referred to in the Fact Sheet on Part ‘coordination with the Ministry’ (MCI 20/2016, Art 11A of the Privacy Act 1993 as ‘associated 22). schemes established under the international instruments which, although not being privacy laws of a State, may nonetheless provide comparable safeguards.’ 46 New Zealand (Privacy Bill) BCRs may only be used for recipients that are related to the transferring organisation (Reg YES 13(3)(c)). An agency may disclose personal information to a ‘Recipients’ are related to the transferring foreign person or entity if it believes on organisation if (Reg 13(3)(d)): reasonable grounds that the recipient is ‘required to protect the information in a way that, overall, • the recipient, directly or indirectly, controls provides comparable safeguards to those in this the transferring organisation; Act’ (Bill, IPP12(1)(f)). • the recipient is, directly or indirectly, BCRs would likely qualify as such ‘comparable controlled by the transferring organisation; or safeguards’ as an extension of current regulatory • guidance (see above). the recipient and the transferring organisation are, directly or indirectly, under the control of Philippines a common person. CONCEIVABLE South Korea It is conceivable that the implementation of BCRs NO can discharge the responsibility of an organisation under s 21 of DPA for exporting ‘personal Neither the currently applicable nor the amended information originally under its custody or its framework refer to BCRs. control’, including for processing. Thailand It is also conceivable that BCRs for processors YES (explicit) could qualify as ‘reasonable means’ under s 21(a) When PDPA Chapter 3 comes into force, personal of DPA which provides that controller should use data may be transferred to an overseas ‘contractual or other reasonable means to provide destination in the absence of an adequacy a comparable level of protection while decision where a ‘Personal Data Protection Policy information is being processed by a third party’. regarding the sending or transferring of personal Singapore data to another data controller or data processor YES who is a foreign country,’ and in ‘the same affiliated business, or in the same group of ‘Legally enforceable obligations’ that provide a undertakings, in order to jointly operate the level of protection comparable to PDPA in the business or group of undertakings’ (PDPA, S29(1) meaning of S26 include obligations that can be and (2)). imposed on the recipient by ‘binding corporate rules’, which may be adopted in ‘instances where Such policies must be ‘reviewed and certified’ by a recipient is an organisation related to the the Office of the Personal Data Protection transferring organisation and is not already Committee. subject to other legally enforceable obligations in Vietnam relation to the transfer’ (PDPC Reg 9). NO BCRs must (PDPC Reg10(3); PDPC AG, Chapter None of the different texts that contain data 19.2): protection provisions (in the absence of baseline (i) require every recipient of the transferred data protection legislation) mention this personal data to provide to the personal possibility, nor is it known if the proposal for a data transferred to the recipient a Draft Data Protection Decree which would standard of protection that is at least contain provisions on overseas data transfers comparable to the protection under the would mention it. PDPA; and (ii) specify the recipients of the transferred personal data to which the BCRs apply; the countries and territories to which the data may be transferred; and the rights and obligations provided by the BCRs. 47 Certification for data transfers in Asian laws Certification In fact, today few jurisdictions have effectively taken the necessary steps to bring about this second advantage, in Asia or globally. Voluntary data protection certification mechanisms, data protection seals and privacy However, this Review reveals a significant trust marks are set to play an important role in potential for convergence in the establishment of modern accountability frameworks for data national certification mechanisms for overseas protection and they offer promising perspectives organisations to demonstrate that they adduce for interoperability, in Asia and globally. ‘reasonable precautions’, ‘appropriate’, ‘adequate’, or ‘comparable safeguards’, to In recent years an increasing number of transfer personal data under different Asian data jurisdictions (Japan and South Korea among protection frameworks. pioneers) have worked towards establishing certification schemes, to help organisations In other words, it is possible for convergence of demonstrate compliance with local data certification regimes to occur, so that a single protection regulations. organisation can be certified under multiple Asian frameworks—and potentially more—in the not In practice, the concepts of certification, seals and too distant future. trust-marks are equivalent (although different elements of the certification process can be Non-binding, self-regulatory certification separated and performed by different actors). mechanisms cannot de facto operate under the They are all party attestation of conformity to a relevant data transfer provisions in several defined set of norms by third-party certification jurisdictions (e.g., Australia, Singapore, and bodies that are held accountable by independent Thailand), since it is generally necessary that authorities to assure competence and certification schemes must be ‘enforceable’ to be impartiality. used in such circumstances. Broadly speaking there are three potential But the admission of binding certification advantages to organisations who obtain privacy schemes to discharge data transfer obligations is certifications: explicit in Australia, Japan, Singapore, and in the Data Protection Bill of New Zealand. It is further • it is a way of demonstrating compliance with implicit in Philippines and Thailand. the national Data Protection Law to businesses, individuals and regulators, in a For now, such an admission is unclear but practical way (‘accountability’); conceivable in the laws of Hong Kong SAR, Macau SAR, New Zealand and the Data Protection Bill of • it would be a competitive business advantage Indonesia. It is also conceivable, although more and ‘buying factor’ when it comes to choosing remotely, in the Data Protection Bill of India. vendors in their supply chain;32 and It was expected that reference to certification • eventually, under circumstances to be defined would be inserted into the data transfer per legal regime, certification by an provisions of the Network Act of Korea, but such organisation to a national scheme in an reference was eventually removed from the overseas jurisdiction would enable that version of the Act promulgated in January 2020. organisation to discharge the data transfer In Asian jurisdictions where certification schemes obligations to which it is subject when it seeks are recognised or contemplated for data transfers to transfer personal data from that the laws are broad enough to allow for jurisdiction. certification by leading international standards or schemes such as the new standard ISO/IEC 27701:2019 on Privacy Information Management 32 ‘From Privacy to Profit: Achieving Positive 48 System (PIMS), which can potentially facilitate assessment of certification criteria in the data data flows not just from one-country-to-many- protection field; country, but data flows from most-country-to- • determination of appropriate recourse most-country. mechanisms for individuals in case of breach They could also interlace with other regional occurring overseas; certification schemes (namely under Art 42 EU • the criteria for accreditation of certification GDPR, or APEC CBPRs—see APEC Cross Border bodies to ensure equality in independence, Privacy Rules➺), provided the level of protection competence, adequate resourcing, and provided by these schemes is aligned with accountability; and national data protection requirements. • the identification of sufficient and clear It is worth underlining that ASEAN Members are benefits of certification to ensure also contemplating the development of an ad hoc organisations obtain a return on the certification scheme as one of the components of investment to obtain certification, and focus the ASEAN Cross-border Data Flow Mechanism. on the implementation of the only schemes Current plans are to articulate the ASEAN likely to create such motivation. mechanism with the APEC CBPR system. Motivation for certifying to one specific scheme Conditions for interoperability of privacy would be greater if that certification scheme can certification schemes demonstrate accountability for many, if not all, For the public authorities, privacy certification privacy regulations, and audit once and certify for mechanisms present many challenges at both accountability in many countries simultaneously. conception and implementation level, starting From a regional policy perspective, it is therefore with defining who/what can be certified (e.g. important: organisations, individuals, products, processes or services, or parts of those), who will deliver the • to avoid overlap and proliferation of certification, for how long, what certification certifications so as to not create confusion in scheme criteria must contain, and who will the minds of consumers and stakeholders, or supervise the scheme. make it less attractive for organisations seeking certification;34 and At the same time, they must ensure that the schemes are relevant to the target audience, • to enable the alignment of such schemes not interoperable with other standards, and scalable just to a sub-regional or regional standard but for application to different size or type of to global standards, in acknowledgement of organisations.33 the fact that relevant stakeholders (industry To build coherent certification programs that may associations, SMEs and large enterprises) ultimately underpin legal mechanisms regulating seem to favour international standards over 35 cross-border flows in the region, it is suggested national ones. that Asian governments and regulators need to Work is needed on all the above points to ensure work together on three building blocks, namely: that Asian certification schemes will become interoperable among one another and with other • the certification criteria to be approved by the global or regional schemes. regulatory authority, building on the guidance and knowledge from other fields and especially technical standards to carry out the 35 Irene Kamara, Ronald Leenes, Eric Lachaud, 33 Guidance of the UK Information Kees Stuurman (TILT), Marc van Lieshout, Commissioner’s Office (ICO) on GDPR Gabriela Bodea (TNO), Report to the European Certification 49 Status in Asia Hong Kong SAR CONCEIVABLE For each jurisdiction, the applicability of certification for data transfers under the Data It is conceivable that the PCPD could consider if Protection Law or Bill is expressed as: certification mechanisms, privacy seals and trust marks can constitute ‘reasonable precautions’ • YES where the legal regime explicitly confirms and ‘due diligence’ to satisfy the conditions for their applicability; transfers under s 33 PDPO (s 33(2)(f)). • NO where the legal regime is silent on their The International Transfer Guidance (p.7) applicability; provides that ‘non-contractual oversight and • UNCERTAIN where the legal regime fails to auditing mechanisms may be adopted to monitor address the point straightforwardly; and the transferees’ compliance with the data protection requirements under the Ordinance’. • CONCEIVABLE where clarification could be provided in implementing regulations or India (Act in force) guidance, but the regulator (when there is UNCERTAIN one) has not provided such clarification. It is unclear whether national certifications Australia delivered to overseas organisations would be CONCEIVABLE considered as a valid means for a data exporter to demonstrate that the ‘same level of data APP 8.1 does not apply where the entity protection’ applies in the country of destination as reasonably believes that the recipient is subject to in India in the meaning of IT Rule 7. a ‘binding scheme that is overall substantially similar to the APPs’, and there are mechanisms India (Bill) available to the individual to enforce that NO protection (APP 8.2(a)). The Bill does not mention the possibility for an An overseas recipient may be subject to a binding exporting organisation to discharge the data scheme where, for example, it is ‘subject to an transfer requirements in s 34 of the Bill by industry scheme’ that is enforceable once entered providing safeguards through an approved into, irrespective of whether the recipient was certification mechanism, nor does it envisage the obliged or volunteered to participate or subscribe set-up of a privacy certification scheme in India. to the scheme (APP Guidelines para 8.21). Certification could belong to such binding The closest reference to a certification scheme is in s 29(5) which envisions the assigning of a ‘data schemes, subject to the existence of adequate trust score’ to ‘Significant Data Fiduciaries’ (to be enforcement mechanisms, among other notified as such by the Government based on conditions. s 26(1)) to indicate the level of protection they An overseas recipient may not be subject to a provide. Though these could be given to overseas binding scheme where the recipient can opt out organisations operating in India it does not of the binding scheme without notice and without appear that they will be used in the context of returning or destroying the personal information cross border data transfers. (APP Guidelines at para 8.22). The ‘demonstrable verification mark’ envisioned China in s 28(4)) (‘Social Media Intermediaries’ must NO provide an option to users registering from India or using their services in India for voluntary The draft Cross-Border Transfer Assessment certification of their accounts, which will be Measures do not include overseas certification marked with such a demonstrable certification schemes in the relevant assessment factors. marks) is unrelated to the implementation of data An information security certification scheme run transfer provisions in the Bill. by the Information Security Certification Centre of China is operating but is not a strict equivalent of existing data protection trust marks or other privacy seals in the region. 50 Although it does not appear to be the intention, it It has been confirmed that personal information is yet possible (at least conceptually) that transfers may take place under APPI Art 24 if a certification of an organisation located in a third personal information handling business operator country to a privacy certification scheme in India, is certified under the CBPRs (see APEC Cross coupled with ad hoc contractual engagements Border Privacy Rules➺). between the parties, would be an admissible Macau SAR ‘agreement’ for the purpose of s 34(1)(a). CONCEIVABLE Likewise, an international or ad hoc bilateral agreement for certification could be concluded, It is conceivable, but not confirmed that the OPDP which would later operate within s 34(1)(b)(i) (for would take the decision to authorise a transfer sensitive personal data) or s 34(2)(b) (for critical based on the consideration that Certification personal data) of the Bill. Schemes would constitute ‘adequate safeguards’ in the meaning of Art 20(2) of the PDPA. Indonesia (Law in force) Malaysia UNCERTAIN CONCEIVABLE It is not certain if the existence of a certification scheme that would bind the importing It is conceivable, but not confirmed that organisation to ensure a certain level of data certification to a privacy scheme or the obtaining protection in the country of destination would be of a privacy mark by an overseas organisation may a positive factor in the context of ensuring constitute ‘reasonable precautions’ and measures ‘coordination with the Ministry’ (MCI 20/2016, of ‘due diligence’ in the meaning of s 129(2)(f) of Art 22). the PDPA. Such clarification could be provided by the Commissioner. Indonesia (Bill) New Zealand (Act in force) CONCEIVABLE UNCERTAIN Currently the Data Protection Bill does not envisage the set-up of a certification scheme in Regulatory guidance issued by the Privacy Indonesia, and it is uncertain if certification in Commissioner does not explicitly refer to trust Indonesia by an organisation located in a third marks and privacy seals as ‘associated schemes country, coupled with ad hoc contractual established under the international instruments engagements between the parties, would be an which, although not being privacy laws of a State, admissible ‘agreement’ for the purpose of may nonetheless provide comparable safeguards’ Art 49(b). under Part 11A of the Privacy Act 1993. However, this does not rule out the possibility The Privacy Trustmark in New Zealand further has that an international or ad hoc bilateral no legal standing and is not articulated with Part agreement for certification could be concluded 11A of the Privacy Act, although it might be used under Art 49(b) and would later operate within by a foreign agency as a means to provide Art 49(c). evidence about its good privacy practices. Japan New Zealand (Privacy Bill) YES YES (implicit) Transfers may take place on the basis of a Adherence of the overseas recipient to a certification if a person who receives the recognised certification scheme could be provision of personal data has obtained ‘a considered as a part of considering whether the recognition based on an international framework foreign person or entity is ‘required to protect the concerning the handling of personal information’, information in a way that, overall, provides which includes (but is not limited to) CBPRs (APPI comparable safeguards to those in the Privacy Art 24). Act’ (Bill, IPP12(1)(f)). 51 Philippines South Korea CONCEIVABLE NO It is conceivable, but not confirmed under either Neither the current data transfer provisions in DPA or IRRs that the obtaining of (either local or PIPA, nor Art 63 in the Network Act (to be soon overseas) certification can help an organisation transferred to PIPA and renumbered Art 39(12)) discharge its responsibility for exporting ‘personal expressly refer to certification mechanisms for information originally under its custody or its data transfers. control’, and so ‘including information that has The amendment Bill to the Network Act originally been transferred to third parties for processing’ provided that consent requirements would be under s 21(a) of the DPA. waived ‘where the overseas recipient of the Likewise, it is conceivable, but not confirmed that transfer has been certified under the Personal it could qualify as ‘reasonable means to provide a Information Management System (‘PIMS’) comparable level of protection while information certification scheme [now ‘ISMS-P’] or other is being processed by a third party’ under s 21(a). certification designated by KCC’ but this reference was eventually rejected by the National Singapore Assembly. YES Thailand ‘Legally enforceable obligations’ that provide a CONCEIVABLE level of protection comparable to PDPA in the meaning of s 26 of the PDPA include obligations When PDPA Chapter 3 comes into force, in the that can be imposed on the recipient by the local absence of adequacy, ‘personal data protection law of the country of destination, a contract, policy’, or other applicable exemptions, transfers binding corporate rules or ‘any other legally are allowed where the controller or processor binding instrument’. provides ‘suitable protection measures which enable the enforcement of the data subject’s On 28 May 2020 PDPC has amended the PDPA rights, including effective legal remedial measures Regulations to recognise certification, including according to the rules and methods as prescribed to the APEC CBPR and PRP Systems, as valid data and announced by the Committee’ (DPA s 29). transfer mechanisms under s 26 of the PDPA. Certification could be among alternative solutions Regarding Cloud Services, the PDPC Guidelines for data transfers which constitute such ‘suitable (Chapter 8, para 8.7) provide that where the protection measures’ if the rules and methods contract between an organisation and its CSP prescribed by the Committee so allow. does not specify the locations to which a CSP may transfer the personal data processed and leaves it Vietnam to the discretion of the CSP, the organisation may NO be considered to have taken appropriate steps to comply with the Transfer Limitation Obligation by None of the different texts that contain data ensuring that: protection provisions (in the absence of baseline data protection legislation) mention the • The CSP based in Singapore is certified or possibility of privacy certification for data accredited as meeting relevant industry transfers, nor is it known if the proposal for a standards; and Draft Data Protection Decree which would • The CSP provides assurances that all the data contain provisions on overseas data transfers centres or sub-processors in overseas would mention it. locations that the personal data is transferred to comply with these standards. 52 Such flows are subject to oversight by the AA APEC Cross (which would have recourse by law or contract) and home Privacy Enforcement Authority (PEA) of the exporting organisation or the PEA in another Border Privacy participating jurisdiction (directly or through co- Rules operation with the home jurisdiction authority). Details on the operation of both systems are available on the dedicated CBPRs website.37 The APEC Cross Border Privacy Rules system An important point for organisations is that CBPRs (CBPRs) and its sister system, the APEC Privacy does not displace the domestic law of a Recognition for Processors (PRP) system, are participating economy. In the context of this voluntary, principles-based privacy certification Review, whose purpose is to promote the mechanisms for data controllers (and in the case compatibility of national legal frameworks on of the PRP, for data processors) in participating personal data transfers, the key consideration is APEC member economies, based on the nine thus whether CBPR certification, whilst it cannot APEC Privacy Principles developed in the APEC represent compliance with applicable local Privacy Framework.36 privacy laws, can still be useful to discharge at least data transfer requirements under multiple Since APEC CBPRs is a form of certification, this Asian Data Protection Laws. section articulates with the previous section on ‘Certification’. This factor is important for businesses to assess whether the benefits of the certification outweigh Operation of the CBPR system its costs (human and financial costs, as well as Organisations within APEC economies seeking liabilities incurred). Cf. the return on the certification under these mechanisms must have investment to obtain certification (see their data protection practices and procedures ‘Conditions for interoperability of privacy assessed as compliant with the program certification schemes’ in ↩). requirements by an APEC- recognised ‘Accountability Agent’ (AA) in the CBPR member countries—state of play jurisdiction in which they have their principal At governmental level, different situations co- place of business. exist. Where an APEC member economy’s legislative To date, certification under the CBPRs for the framework either: purpose of compliance with data transfer rules has been recognised in Japan, and the scheme is • does not place broad restrictions on the flow also operational in Singapore following the of the personal data; or appointment of their respective AAs. Japan • explicitly recognises the APEC CBPR as a Institute for Promotion of Digital Economy and mechanism to transfer personal data to a Community (JIPDEC)—a non-profit foundation for recipient organisation, development of key IT technologies and policies—is Japan’s AA. The Infocomm Media then personal data from across the participating Development Authority (IMDA)—a statutory APEC membership may flow to the organisation board of the Singapore government—acts as under the certification. Singapore’s AA.38 36 For ease of reference the term ‘CBPRs’ will 37 Cross Border Privacy Rules System, 2020 generally be used to cover both systems. 53 Certification under CBPRs has not yet been However, APEC economies participating in the formally recognised as a means of complying with CBPR would be exploring options for expanding South Korea’s data transfer requirements, but the the reach of the CBPR given the interest among scheme is now operational following the industry and other stakeholders to have a global appointment of Korea Internet & Security Agency solution for cross-border data transfers. (KISA)—a suborganisation of the Ministry of Options under consideration include: Science and ICT—as South Korea’s AA. The same situation exists in Australia and the • that non-APEC economies adopt similar Philippines, each of whom have become certifications that are interoperable with the members of the CBPR system in 2018 and CBPR; and 2019 respectively, but who are yet to appoint • that the CBPR be globalised and opened up for their respective AAs. participation by all qualifying countries. New Zealand is not part of the CBPR Refining the business case of joining CBPRs for system today. However, the possibility that organisations certification under CBPRs can satisfy impending data transfer provisions may be read into the CBPRs (and PRP) might benefit from a ‘network Privacy Bill of New Zealand. effect’ in Asia if more jurisdictions would join and activate either or both systems, and As APEC members Hong Kong SAR, Malaysia and more organisations would identify such benefits Thailand could join the system, although to-date to certify to them, whether in terms of legal they have not officially expressed an interest to compliance, enhancement of privacy do so. CBPR certification for the purpose of management programmes (PMP), and gaining compliance with data transfer rules is not shares in market competition. expressly referred to (but not expressly excluded) in the current laws of Hong Kong SAR, Malaysia As seen above, recently more Asian jurisdictions and Thailand. have joined the system and the system still has room for expansion. The offices of the Privacy Commissioners of New Zealand and Hong Kong SAR (both of which are However, until now take up of the CBPR system APEC members) are members of the APEC Cross- has been comparatively low at company level in Border Privacy Enforcement Arrangement the region. Refining the business case of joining (CPEA)39 (a pre-condition for membership in the the system would thus be worthwhile for system) and could, in principle, submit an organisations operating from this particular application to join the CBPRs. region. At the moment CBPR certification seems to be Namely, this would entail clarifying the excluded under the laws of China and Vietnam interrelationship between CBPRs and the and the Data Privacy Bill of Indonesia (all three applicable local privacy laws (including data APEC economies which could in principle join the transfer restrictions where they apply), CBPR system but have not indicated an interest in considering the sectors in which of organisations joining). operate, and their geographical footprint (and consequently the multiple laws to which those India and Macau SAR are not APEC economies and organisations are subject). therefore cannot currently join the system. 39 The APEC CPEA aims, among other things, to provide mechanisms to promote effective cross-border cooperation between authorities in the enforcement of privacy law, including through referrals of matters and through parallel or joint investigations or enforcement actions. 54 This point would be all the more useful that more Hong Kong SAR data protection laws are being passed in the NO region, which include data transfer restrictions. Hong Kong SAR is an APEC economy and the Other factors unrelated to data transfers include Office of the Privacy Commissioner for Personal how the certification will help organisations: Data is a participant to the CPEA. • earn the trust of their customers and business However, Hong Kong SAR has not yet expressed partners; and an intention to join the CBPR or PRP systems, • implement internal privacy management hence the CBPR or PRP cannot be used to programmes, among others. demonstrate compliance with the requirements of s 33 of PDPO. Status in Asia India (Act in force and Bill) NO In the list below, jurisdictions are marked as: India is an observer to the CPEA but is currently • YES, if they have joined the system as CBPR not an APEC economy, hence the CBPRs or PRP member countries and either have an existing cannot be used to demonstrate compliance with legislative framework in place to recognise the the requirements of Rule 7 under current law, or CBPR; or have recognised CBPR as a transfer s 34 of the Bill. mechanism, where applicable restrictions exist; and Indonesia (Law in force and Bill) • NO, if: NO o they are not a member of APEC economy Indonesia is an APEC economy but as at April 2020 and thus cannot join the CBPR system; or has not expressed an intention to join APEC CBPRs, hence certification to the CBPRs or PRP o in respect of those jurisdictions that are cannot be used to demonstrate compliance with members of APEC, they have expressed no the requirements under Art 21 MCI 20/2016 or interest in joining the system, and hence a Art 49 of the Bill. unilateral recognition of CBPR as a sufficient mechanism for transfer is Japan remote or unlikely. YES Australia Japan's application to participate in CBPRs was YES endorsed by APEC and effective April 25, 2014. Australia was endorsed as a participating JIPDEC was appointed as Japan’s Accountability economy in the CBPR system on 23 November Agent in January 2016. 2018. PPC has recognized that CBPRs are a ‘certification The system has not yet been implemented in on the basis of an international framework Australia, and no Accountability Agent has been regarding personal information handling’ that appointed to operate in Australia. provide a level of protection equivalent to the APPI under Art 24. Additional requirements apply The Office of the Australian Information to onward transfers of data originating from the Commissioner (OAIC) will be responsible for EU under CBPRs. regulating the CBPR system in Australia, once implemented. Macau SAR China NO NO Macau SAR is not an APEC economy, hence cannot join CBPRs or PRP. China is an APEC Member Economy but as at April 2020 has not indicated an intention to join CPEA or the CBPR system or PRP. 55 Malaysia Singapore NO YES Malaysia is an APEC economy but as at April 2020 On 20 February 2018 Singapore has joined the has not expressed an intention to join the CBPR APEC CBPR and PRP systems, and on 17 July 2019 system. the Infocomm Media Development Authority (IMDA) was appointed as Singapore’s New Zealand Accountability Agent and three Assessment NO Bodies (AB) have been selected as independent New Zealand is an APEC economy but as at April bodies to assess that an organisation’s data 2020 has not expressed an intention to join APEC protection practices conform to the CBPR CBPRs. requirements. However, IPP 12 provides for the New Zealand On 28 May 2020 PDPC has amended the PDPA Government to prescribe binding cross-border Regulations to recognise certification under privacy schemes such as CBPRs as a ‘prescribed CBPRs or PRP as compliant with s 26 of the PDPA. binding scheme’ under the Privacy Act. South Korea If New Zealand prescribes a binding scheme YES under the Privacy Bill this will be done through IPP The participation of South Korea in the CBPR 12(1)(d) which provides that an agency may system was approved on 12 June 2017. disclose personal information to a foreign person or entity if it believes on reasonable grounds that The Korea Internet & Security Agency (KISA) was the recipient is a participant in a ‘binding scheme’, appointed CBPR Accountability Agent in January i.e. ‘an internationally recognised scheme in which 2020 but certification is not yet open pending the the participants agree to be bound by a) specified publication of KISA’s CPBR checklist. measures for protecting personal information Plans to articulate Korea’s renowned Privacy that is collected, held, used, and disclosed; and b) Information Management System certification mechanisms for enforcing compliance with those scheme (aka ‘PIMs’), now ‘Information Security measures’. Management System-Personal’ (aka ‘ISMS-P’) and ‘Prescribed binding scheme’ means a binding CBPRs were announced. However, these plans scheme specified in regulations made under s have become unclear since reference to the 212A by Order of the Governor-General (New ISMS-P scheme (and certification generally) in Zealand’s Head of State). relation to cross border data transfers was eventually removed from the Bill. Philippines Thailand YES NO On 20 September 2019 the Philippines National Privacy Commission announced it has filed its Thailand is an APEC economy but as at April 2020 notice of intent to join the APEC CBPR system. The has not expressed an intention to join APEC Joint Oversight Panel approved the Philippines’ CBPRs. application to join the system on 9 March 2020. CBPRs or PRP could eventually be among The system will be implemented when an alternative solutions for data transfers in the Accountability Agent is appointed to operate in absence of adequacy, BCRs, or another Philippines. exemption, if the rules and methods as prescribed and announced by the Committee for ‘suitable NPC would later recognise that CBPRs are part of protection measures which enable the the mechanisms by which the controller use enforcement of the data subject’s rights, including ‘reasonable means to provide a comparable level effective legal remedial measures’ under s 39(3) of protection while information is being processed PDPA so allow. by a third party’ under s 21(a) of the DPA. 56 Vietnam NO Vietnam is an APEC economy and at some point, it had expressed an interest in joining the APEC CPEA, as well as CBPRs, but to-date it has not formalised any decision to that effect. 57 Such recognition now exists in EU GDPR, which Codes of Conduct provide that adherence to codes, together with binding and enforceable commitments, can demonstrate that data importers located outside ‘Codes of Conduct’, ‘Codes of Practice’ or ‘Privacy the EU have implemented adequate safeguards in Codes’ (hereinafter, Codes) drawn up by industry order to permit transfers under Art 46(e) of EU associations and other representative bodies are GDPR. very useful instruments to help organisations It is therefore worth exploring if codes could ‘tailor-make’ general data protection provisions effectively offer an alternative mechanism for to their specific sectors and needs. managing international transfers to and from Asian Voluntary adherence to such codes can create jurisdictions. market efficiencies. The association or industry Codes for personal data transfers in Asia body creating them conducts extensive reviews of any applicant seeking membership or otherwise To date, none of the jurisdictions considered in this desiring to claim compliance with the code. This Review explicitly provide that an exporting saves an organisation, for example, from having to organisation may discharge its data transfer conduct its own assessment of a potential obligations where an overseas organisation provider’s systems, since the organisation can (‘controller’ or ‘processor’) adheres to a locally simply identify providers or processors who are approved, non-binding, code. already deemed to satisfy the requirements of the However, some legal systems are considering code and rely on the association to ensure recognising codes—at least on paper—as valid for compliance.40 such purposes, subject to: Broadly speaking there are two potential • the legally binding nature of the code; and advantages to the organisations that sign up to a code and the profession, industry or sector to • the conclusion of a contract between both which the code applies (which are broadly similar the exporting and importing organisations to to those of obtaining certification): ensure that the safeguards of the code (in particular, those concerning the rights of data • it is a way of demonstrating compliance with subjects) are applied and enforced in the the national Data Protection Law to receiving jurisdiction. businesses, individuals and regulators, in a practical way (‘accountability’); and In effect, subject to conditions of enforceability, it is conceivable that compliance with a highly • it would be a competitive business advantage regulated code of practice would constitute and ‘buying factor’ when it comes to choosing ‘reasonable precautions’, ‘comparable safeguards’, vendors in their supply chain; and a ‘binding scheme’ or equivalent test in Australia, • eventually, under circumstances to be defined Hong Kong SAR, Japan, Macau SAR, Malaysia, per legal regime, signing up to a code Philippines, Singapore, and Thailand), in addition to registered or approved and monitored in an the Data Protection Bills of New Zealand, India and overseas jurisdiction would enable that Indonesia. organisation to discharge the data transfer Convergence would be advanced if regulators obligations to which it is subject when it seeks would agree to a set of conditions that such codes to transfer personal data from that should implement to establish sufficient levels of jurisdiction. protection for data leaving their jurisdictions. 40 Rita Heimes, ‘Part 9: Codes of conduct and Professionals, 2016) certifications’ in The Top 10 Operational 58 ‘Privacy codes’ in Asia • In Malaysia, the Commissioner may either This option is all the more interesting to explore in issue, or approve and issue Codes of Practice, and publish them in a Register (PDPA Art 23). Asia as privacy codes already play an important Several codes have been published, for role to supplement the data protection instance in the Banking and Financial Sector,43 frameworks of several jurisdictions in the region, for instance: or in the Insurance and Takaful Industry in Malaysia.44 The Commissioner may form and • In Australia, the Information Commissioner designate ‘data user forums’ to the effect of can approve and register enforceable codes preparing such codes, ‘in recognition of the which are developed by entities on their own fact that separate sectors or industries may initiative or on request from the Information have specific industry practices in relation to Commissioner, or developed by the the manner in which personal data is handled, Information Commissioner directly. The codes and/or may have deployed unique are ‘disallowable legislative instruments’ technologies which require specific data which do not replace the relevant provisions protection rules.’ (Introduction, Para. 1.3 of of the Privacy Act, but operate in addition to Codes of practice adopted by the the requirements of the Privacy Act (Privacy Commissioner). Act, Part IIIB); Regulators may thus build on the substantive • In Hong Kong SAR, the Commissioner may experience developed on such Codes in specific issue and approve Codes of Practice ‘for the countries, as well as on: purpose of providing practical guidance in • The guidance issued by regional regulators on respect of any requirements’ imposed under such matters, such as the Guidelines for PDPO on ‘data users’ (PDPO, Part III). The developing codes developed by the Office of Commissioner has issued several Codes of the Australian Information Commissioner Practice, especially on Consumer Credit (OAIC) (September 2013);45 Data;41 • Lessons to be learnt from work ongoing on • The Privacy Commissioner of New Zealand has Codes of Conduct under EU GDPR;46 issued several Codes of Practice under the Privacy Act, which have become part of the • Lessons to be learnt from specific law and which modify the privacy principles in industries (e.g. cloud computing) on the relation to specific industries.42 The Codes will conditions for uptake and the development of have to be updated to reflect changes under sectoral codes of conduct, at the national, the Privacy Bill (including consideration of regional, or global level.47 changes for the new IPP12 relating to the disclosure of information to overseas agencies under the Privacy Bill); 41 Code of Practice on Consumer Credit Data 1988 (September 2013). (2013). 46 E.g., Guidelines of the European Data 42 Health Information Privacy Code (1994), Credit Protection Board 1/2019 on Codes of Conduct Reporting Privacy Code (2004), and Monitoring Bodies under Regulation Telecommunications Information Privacy Code 2016/679. (2003). 47 For instance, the code of practice developed by 43 Personal Data Protection Code of Practice for the cloud computing industry in New Zealand the Banking and Financial Sector (January with assistance and input from the Cloud 2017). Security Alliance (CSA) and Office of the New Zealand Privacy Commissioner; or the 44 Code of Practice on Personal Data Protection experience of the Cloud Security Alliance on for the Insurance and Takaful Industries in developing a Code of conduct for GDPR Malaysia (February 2017). compliance (November 2017). 45 Guidelines of the Office of the Australian Information Commissioner for developing codes issued under Part IIIB of the Privacy Act 59 Conditions for interoperability of Codes of • to avoid overlap and proliferation of Codes so Conduct as data transfer mechanisms as to not create confusion among consumers and stakeholders or make it less attractive for Codes of conduct and certification are regulatory organisations contemplating signing up;49 mechanisms that borrow heavily from each other, and in fact the procedural aspects of both • to enable the alignment of such Codes not just mechanisms are also similar.48 to a sub-regional or regional standard but to The suggestions relative to the key factors that global standards (although they must remain can promote the interoperability of Certification scalable). Schemes in Asia are thus partly transposable to this Section. Status in Asia To build coherent policies on such codes that may For each jurisdiction, the applicability of Codes of ultimately underpin legal mechanisms regulating conduct under the Data Protection Law or Bill is cross-border flows in several jurisdictions, it is expressed as:50 suggested that Asian governments and regulators • NO where the legal regime is silent on the need to work together on several building blocks: applicability of Codes; • the criteria by which such Codes may be • UNCERTAIN where the legal regime fails to approved; address Codes straightforwardly; and • the conditions under which Codes may be • CONCEIVABLE where clarification could be found legally binding in multiple jurisdictions provided in implementing regulations or (since voluntary Codes are not eligible for data guidance, but the regulator (when there is transfers in any jurisdiction)—e.g. through one) has not provided such clarification. contracts; Australia • determination of appropriate recourse mechanisms for individuals in case of breach CONCEIVABLE occurring overseas; (Provided the Code is effectively binding on the • the criteria for accreditation of the monitoring overseas organisation) body that will ensure compliance with the While APP 8.1 does not apply where the entity Code, to ensure equality in independence, reasonably believes that the recipient is subject to competence, adequate resourcing, and a ‘binding scheme that is overall substantially accountability; similar to the APPs’, and ‘there are mechanisms • the identification of sufficient and clear available to the individual to enforce that benefits of signing up to a Code to ensure that protection’ (APP 8.2(a)), the Privacy Act does not organisations obtain a return on the mention the possibility for an organisation to investment to joining that Code. discharge the requirements of APP 8.1 by providing safeguards through a non-binding code Flowing from the last point, from a regional policy of conduct or practice. perspective it is important: 48 CIPL Discussion Paper, ‘Codes of Conduct and 50 As noted above (see Codes for personal data Monitoring Bodies in GDPR’, 29 March April transfers in Asia), none of the jurisdictions 2019, p. 3. considered in this Review explicitly provide that an exporting organisation may discharge its data 49 CIPL Discussion Paper, ‘Certifications, Seals and transfer obligations where an overseas Marks under the GDPR and Their Roles as organisation (‘controller’ or ‘processor’) Accountability Tools and Cross-Border Data adheres to a locally approved, non-binding, Transfer Mechanisms’, April 2017, p. 4. Code. Hence, no jurisdiction is marked with YES. 60 An overseas recipient may be subject to a binding 50(1)) and that codes of practice may include scheme where, for example, it is ‘subject to a ‘transfer of personal data outside India pursuant privacy code’ that is enforceable once entered to section 34’ (s 50(6)(q)). into, irrespective of whether the recipient was However, the Bill does not envision the possibility obliged or volunteered to participate or subscribe for an exporting organisation to discharge the to the scheme (APP Guidelines, para 8.21). requirements in s 34(1) by providing safeguards However, such a code does not replace APPs, but through an approved code of practice. operates in addition to the requirements of the APPs. It is also uncertain (but not unconceivable) that compliance with a code registered in India by an An overseas recipient may not be subject to a law organisation located in a third country, coupled or binding scheme where the recipient can opt with ad hoc contractual engagements between out of the binding scheme without notice and the parties, would be an admissible ‘agreement’ without returning or destroying the personal for the purpose of s 34(1)(a). information (APP Guidelines at para 8.22). Indonesia (Law in force) China UNCERTAIN NO It is not certain if adherence of the importing The draft Cross-Border Transfer Assessment organisation to a local code that would ensure the Measures do not consider adherence to a code of application of a certain level of data protection in conduct as a relevant factor in the security the country of destination would be a positive assessment to be carried out by CAC or its local factor in the context of ensuring ‘coordination branches. with the Ministry’ of Information and Hong Kong SAR Communication under Art 22 of MCI 20/2016. CONCEIVABLE Indonesia (Bill) It is conceivable that the PCPD could consider if CONCEIVABLE compliance with a highly regulated industry’s It is uncertain, yet conceivable that compliance code of practice would constitute ‘reasonable with a code of conduct in Indonesia by an precautions’ and ‘due diligence’ to satisfy the organisation located in a third country, coupled conditions for transfers under s 33 PDPO. with ad hoc contractual engagements between The International Transfer Guidance provides that the parties, would be an admissible ‘agreement’ ‘non-contractual oversight and auditing for the purpose of Art 49(c) of the Bill. mechanisms may be adopted to monitor the Japan transferees’ compliance with the data protection requirements under the Ordinance’ (at 7). NO India (Act in force) Adherence to a code of conduct is not included in the examples of action which the recipient might UNCERTAIN take to be in conformity with a system established It is unclear whether adherence by an overseas by reference to standards set by the PPC under organisation to a locally approved code of APPI Art 24. conduct could be considered as a valid means for Macau SAR a data exporter to demonstrate that the ‘same level of data protection’ applies in the country of CONCEIVABLE destination as in India in the meaning of IT Rule 7. It is uncertain, but conceivable that the OPDP India (Data Protection Bill) could authorise a transfer based on the consideration that a code of conduct would UNCERTAIN constitute ‘adequate safeguards’ in the meaning The Bill provides that the Authority shall, by of PDPA Art 20(2). regulations, specify codes of practice ‘to promote Such transfer would have to be authorised by good practice of data protection and facilitate OPDP. compliance with the obligations of this Act’ (s 61 Malaysia Singapore CONCEIVABLE CONCEIVABLE It is conceivable, but not confirmed by the ‘Legally enforceable obligations’ that provide a Commissioner that adherence of the overseas level of protection comparable to PDPA in the recipient to a code of conduct may be considered meaning of s 26 include obligations that can be as ‘reasonable precautions’ and measures of ‘due imposed on the recipient by the local law of the diligence’ in the meaning of s 129(2)(f) of the country of destination, a contract, binding PDPA. corporate rules or ‘any other legally binding instrument’. It is conceivable that codes of Section 23 of the PDPA describes the conditions conduct could constitute such ‘legally binding under which codes of conduct may be drafted and instruments’ under s 26 of the PDPA. registered with the Commissioner but these provisions are unrelated to those relating to data South Korea transfers. NO New Zealand (Act in force) Neither the current nor the amended framework UNCERTAIN (PIPA or Network Act) refer to codes to discharge obligations in relation to overseas data transfers Neither the Privacy Act nor the Regulatory at this stage. Guidance issued by the Privacy Commissioner explicitly refer to codes of conduct as ‘associated Thailand schemes established under the international CONCEIVABLE instruments which, although not being privacy laws of a State, may nonetheless provide When PDPA Chapter 3 comes into force, in the comparable safeguards’ in the meaning of absence of adequacy, personal data protection Part 11A of the Privacy Act. policy, or other applicable exemptions, transfers are allowed where the controller or processor New Zealand (Privacy Bill) provides ‘suitable protection measures which CONCEIVABLE enable the enforcement of the data subject’s rights, including effective legal remedial measures It is possible that voluntary adherence of the according to the rules and methods as prescribed recipient to a code could contribute to an agency and announced by the Committee’ (PDPA s 29). believing on reasonable grounds that the foreign person or entity is subject to ‘comparable Codes could be among alternative solutions for safeguards’ in the meaning of IPP12(1)(f) of the data transfers which constitute such ‘suitable Bill. protection measures’ if the rules and methods prescribed by the Committee so allow. Philippines Vietnam CONCEIVABLE NO It is conceivable, but not confirmed under the DPA or the IRRs if adherence of a data recipient to None of the different texts that contain data a code can discharge the responsibility of the protection provisions (in the absence of baseline exporting organisation for ‘personal information data protection legislation) mention Codes, nor is originally under its custody or its control’, and so it known if the proposal for a Draft Data ‘including information that has been transferred Protection Decree which would contain to third parties for processing’ under s 21 of the provisions on overseas data transfers would DPA. mention them. Section 7(j) of the DPA provides that the NPC has the function to ‘review, approve, reject or require modification of privacy codes voluntarily adhered to by personal information controllers.’ Section 7(j) does not make a reference to the role which such codes can play in relation to data transfers to third parties. 62 • necessary to comply with national laws and Exemptions & regulations (e.g. Australia, Japan and New Zealand’s Data Privacy Bill); Additional Legal • required or authorised under international agreements relating to information sharing Grounds for (e.g. Australia, New Zealand and Indonesia’s Data Protection Bill); Transfers • necessary for law enforcement by the national authorities (e.g. Australia, Hong Kong SAR, Japan, India’s Data Protection Bill, and New Specific legal grounds that allow data to flow in Zealand’s Privacy Bill); circumstances strictly provided by law or regulation exist in virtually all jurisdictions of our • for the purposes of judicial activities and Review. enforcement (e.g. Australia, Hong Kong SAR, Macau SAR, Malaysia, India’s Data Protection Many of them take the form of statutory Bill, and New Zealand’s Privacy Bill); and exemptions or derogations from the main rule applicable to data transfers (e.g., consent and • national security or defence (e.g. Australia), or adequacy). The term of exemption can however in the national or public interest (e.g. Macau be inappropriate in systems where data transfers SAR, Malaysia, Singapore, Thailand, and New are permissible by default subject to satisfying Zealand’s Privacy Bill). their respective accountability principles, since Transfers may also be free in specific there is in place no transfer restriction to be circumstances where they are necessary for the exempted from, or to make exception to, in those performance of a contract at the request and/or jurisdictions. in the interest of the individual (e.g. Hong Kong Even then, the same concepts operate. For SAR, Macau SAR, Malaysia, Singapore, and instance, data sharing shall be allowed ‘when it is Thailand). expressly authorised by law’ in Philippines (DPA Other exemptions pertain e.g. to the transfer of s 21(a)), while transfers ‘authorised by law or an de-identified data for statistics and research international agreement’ cannot be prohibited by (Hong Kong SAR) or to the necessity of child the New Zealand Privacy Commissioner protection (Japan), etc. (Privacy Act, s 114B(3)). Differences behind apparent commonalities Commonalities in concepts Prima facie the different lists of national Transfers of personal data to overseas exemptions look very similar but, in effect, vary jurisdictions are always possible when they are significantly so that seemingly related provisions necessary: are, in fact, difficult to compare. • to protect the vital interests of individuals; or As mentioned earlier, exemptions may apply to • to prevent or fight a serious threat to public different rules and principles for transfers in each health or safety. jurisdiction. For example, the exemptions may apply to the consent requirements under South Related provisions are found in Australia, China, Korea’s law, to the existence of an adequate level Hong Kong SAR, Japan, Macau SAR, Malaysia, of protection overseas under Thai law, or to the Singapore and Thailand), as well as the Privacy Bill ‘accountability principle’ under Australian law of New Zealand and the Data Protection Bill of (cf. ‘Serializing the Causes of Legal Uncertainty & India (although, only in relation to critical Fragmentation’↩). personal data). Other exemptions shared—implicitly or explicitly—by several jurisdictions apply where the transfer is: 63 Some exemptions are common to most local Data Common rules of interpretation Protection Laws, but not all of them are in Convergence efforts could be guided by the complete overlap, and some concepts (e.g. public commonly agreed rules of interpretation that: interest, necessary for law enforcement) could be interpreted differently. The ‘research’ exemption • exemptions must be interpreted ‘narrowly’ applicable to de-identified data in Hong Kong (i.e., Hong Kong SAR) or applied in PDPO and India’s Bill, the necessity of child ‘exceptional’ circumstances (i.e., Japan); protection in Japan or the localisation of a missing person in Australia, for instance, have no direct • exemptions are subject to a test of equivalent in other jurisdictions, although the ‘reasonableness’ or where it is not ‘reasonably regulators and the courts might accept to read practicable’ (see, for instance, the tests in the same concepts into wider exemptions. Australia, Hong Kong SAR and New Zealand’s Privacy Bill); and It is not only exemptions from the data transfer requirements that must be considered. The • appropriate safeguards for data privacy and transfer restrictions may apply to all types of security must be provided where transfers are personal data, or to specific types of data only allowed under national laws and regulations (e.g., sensitive or critical personal data in India). or international agreements (e.g. Philippines) so as to preserve the consistency of the wider As well, restrictions on the general scope of the data protection framework. laws necessarily flow through to exemptions from data transfer requirements.51 These ‘upstream’ Exemptions from data transfer rules by the exemptions also vary among the jurisdictions of Authority this Review (see, for example, exceptions for Finally, in some jurisdictions (e.g. Malaysia, ‘publicly available information’ in Singapore and Singapore and India’s Data Protection Bill) the Australia; exclusion of ‘non-commercial’ activities data protection regulators or the government in Malaysia). may exempt organisations from compliance with Sometimes, different standards apply to data specific provisions of the Data Protection Law, processed overseas or originating from overseas sometimes including the data transfer principles. (e.g., New Zealand, Philippines, Data Protection Such exemptions are usually made upon request, Bill of India). by notification, and subject to specified terms and conditions. Ensuring greater harmonisation among exemptions will allow the same approach to be Exemptions may be granted on an individual or used in the same set of circumstances across collective basis (e.g. ‘class of users’ in Malaysia). several or all jurisdictions. The scope of exemptions granted by the Whilst exceptions related to matters of authorities varies, however. sovereignty (e.g. national or public interest, Some of them are broad and may cover any national security or defence) might not lend provision in the Data Protection Law. Others are themselves to harmonisation, at least the more targeted and relate only to specific harmonisation of more ‘neutral’ exceptions (e.g. purposes, and/or to specific categories of data. performance of a contract and vital interests, For instance, exemptions from any provisions in etc.) should be considered. the Data Protection Bill of India are possible when The current Covid-19 crisis certainly provides the the Authority is satisfied that the processing is right conditions to collectively test the contours necessary for ‘research, archiving or statistical of exemptions relating to public health and purposes’, under specific conditions including de- safety, protection of the vital interests of identification and absent any risk of significant individuals, and research. harm to the individual (Bill s 38). 51 UNCTAD report, ‘Data protection regulations and international data flows’, ibid at 8. 64 Comparisons also reveal that the standards applicable to administrative exemptions from the Status in Asia applicability of data transfer provisions do not In this section we consider the specific overlap. circumstances defined by statute under which For instance, in September 2017 Singapore’s data may flow from Asian jurisdictions, Personal Data Protection Commission announced irrespective of the implementation of data that it would create regulatory sandboxes on the transfer mechanisms or schemes, the level of basis of s 26(2) PDPA to exempt organisations protection in the country of destination, or from the transfer limitation obligation, subject to obtaining the data subject’s consent. specific criteria. An exemption may be granted For each jurisdiction, the admission that personal subject to such conditions as the PDPC may data transfers may take place in such situations is specify in writing and may be revoked at any time expressed as: by the PDPC. • STATUTORY EXEMPTION, where the law lists a Organisations must provide exceptional and series of circumstances in which it appears compelling reason(s), accompanied with necessary to derogate to the main data evidence of the reason(s) why the organisation is transfer rules in the Data Protection Law or Bill unable to comply with– in this particular case– (e.g., consent, adequacy); s 26 of the DPA. • EXEMPTION BY THE AUTHORITY, OR BY THE In contrast, in India some provisions might be GOVERNMENT, where the law leaves a certain excluded, but the data transfer restrictions would latitude to the public authorities to authorise in any case remain applicable to any organisation organisations to derogate from the data participating in the regulatory sandbox to be transfer rules in specific circumstances; or created by the Data Protection Authority of India (Bill s 40). • ADDITIONAL LEGAL GROUND, where such situations are recognised in the law but Convergence could be advanced if Asian operate autonomously with the main data regulators would consider transposing the transfer rules, instead of in the form of rationale behind such exemptions into their own exemptions or derogations. frameworks, subject to similar terms and conditions. Where no exemption from the default position applies, the applicable data transfer regime is This possibility could be envisaged in particular marked as NO. for exemptions relating to categories of organisations. Australia This pre-supposes that the motives of decisions to STATUTORY EXEMPTION exempt organisations from specific obligations or APP 8.1 does not apply to the transfer of personal principles would be made public to enable information to an overseas recipient where comparisons between jurisdictions’ approaches (APP 8.2): to implementation. • the disclosure is required or authorised by or As well, it would be appropriate to provide under an Australian law or a court/tribunal explicitly that key obligations (e.g., transparency, order; security, performance of data protection impact • the disclosure is required or authorised under assessments– in particular when sensitive data is an international agreement relating to concerned, fair and reasonable processing) still information sharing to which Australia is a are to be complied with. party; 65 • the disclosure is necessary for an enforcement The transfer may also take place when the user related activity; has reasonable grounds for believing that, in all the circumstances of the case (PDPO s 33(2)(d)): • a ‘permitted general situation’ (Privacy Act s 16A) exists in relation to the disclosure of the (i) the transfer is for the avoidance or information by the entity, which is necessary mitigation of adverse action against the to: data subject; o lessen or prevent a serious threat to the (ii) it is not practicable to obtain the consent in life, health or safety of any individual, or to writing of the data subject to that transfer; public health or safety; and o in relation to suspected unlawful activity or (iii) if it was practicable to obtain such consent, serious misconduct; the data subject would give it. o locate a person reported as missing; This exemption has a narrow application (International Transfer Guidance at p.6). o for a diplomatic or consular function or activity; and India (Act in force) o for certain Defence Force activities outside NO Australia. No exception applies to the consent requirement China or the requirement that the same level of data protection must apply in the country of NO destination in s 43A and IT Rule 7. Art 9.5 of the Personal Information Security India (Data Protection Bill) Specification GB/T-35273/2020 provides for exemptions from the default requirement to STATUTORY EXEMPTIONS obtain consent from personal information Varied exemptions to the data transfer provisions subjects to ‘transfer their data’ (e.g. for fulfilment (Chapter VII) are provided in Chapter VIII of the of obligations under laws and regulations by the Bill (‘Exemptions’). controller; national security and national defense; public safety, public health, and significant public With regard to statutory exemptions, s 36 (a) to interests; criminal investigation, prosecution, (d) provide that in particular the data transfer trial, and judgment enforcement, etc.). restrictions in Chapter VII of the Bill will not apply when data transfer of any personal data is However, this provision is only in relation to necessary for the purposes of— domestic transfers. Neither the Personal o Information Security Specification nor the current law enforcement; version of the Draft Cross-Border Transfer o legal proceedings; Assessment measures mention if any overseas o exercise of any judicial function; data transfers may be exempted from this assessment procedure, or from the consent or o domestic purposes; or contract requirements. o journalistic purposes. Hong Kong SAR Further, critical personal data may be transferred STATUTORY EXEMPTIONS outside India to a person or entity providing health or emergency services where necessary for The prohibition against transfers of personal data prompt action (s 34(2)(a)). Such transfer must be to places outside Hong Kong does not apply notified to the Authority (s 34(3)). where the personal data is exempted from Data Protection Principle 3 of the PDPO (i.e. use EXEMPTION BY THE AUTHORITY limitation requirement), such as prevention of Organisations may be exempted by the DPAI from crimes, legal proceedings, protection of health, the application of any provision of the Bill statistics and research (where the resulting (including Chapter VII on data transfer statistics or research does not identify the data restrictions) for the purposes of research, subjects), and emergency situation (PDPO archiving, or statistical purposes, irrespective of s 33(2)(e)). 66 the nature of the personal data, provided specific Indonesia (Bill) conditions are complied with. ADDITIONAL LEGAL GROUND The DPAI may, by notification, exempt such class Transfers may take place when ‘there are of research, archiving, or statistical purposes from international agreements between the countries’ the application of any of the provisions of this Act, (Art 49(b)). However, the Bill does not clarify the as may be specified by regulations (s 38). It must nature or the content of the agreements which be satisfied that: would be covered by this provision. (a) the compliance with the provisions of the Japan Act shall disproportionately divert resources from such purpose; STATUTORY EXEMPTIONS (b) the purposes of processing cannot be Transfers may take place without the user’s achieved if the personal data is consent in the following circumstances (APPI Art anonymised; 23(1)): (c) the data fiduciary has carried out de- (i) cases based on laws and regulations; identification in accordance with the (ii) cases in which there is a need to protect a code of practice specified under s 50 and human life, body or fortune, and when it is the purpose of processing can be difficult to obtain a principal's consent; achieved if the personal data is in de- identified form; (iii) cases in which there is a special need to enhance public hygiene or promote (d) the personal data shall not be used to fostering healthy children, and when it is take any decision specific to or action difficult to obtain a principal's consent; and directed to the data principal; and (iv) cases in which there is a need to cooperate (e) the personal data shall not be processed in regard to a central government in the manner that gives rise to a risk of organisation or a local government, or a significant harm to the data principal. person entrusted by them performing EXEMPTION BY THE CENTRAL GOVERNMENT affairs prescribed by laws and regulations, and when there is a possibility that Bill s 37 (‘BPO exemption’) grants the power to obtaining a principal's consent would the Central Government to exempt certain data interfere with the performance of the said processors from all or part of the Act (including affairs. Chapter VII) for the processing of personal data of data principals (individuals, ed.) outside India, Macau SAR pursuant to any contract entered into with any STATUTORY EXEMPTIONS person outside the territory of India, including any company incorporated outside the territory of A transfer of personal data to a destination in India, by any data processor or any class of data which the legal system does not ensure an processors incorporated under Indian law. adequate level of protection may be allowed where the transfer (PDPA Art 20(1)): Indonesia (Law in force) (1) is necessary for the performance of a contract NO between the data subject and the controller Currently no exception to consent or additional or the implementation of pre-contractual legal ground apply for transfers outside the measures taken in response to the data territory of Indonesia. subject’s request; (2) is necessary for the performance or conclusion of a contract concluded or to be concluded in the interests of the data subject between the controller and a third party; 67 (3) is necessary or legally required on important EXEMPTION BY THE AUTHORITY public interest grounds, or for the A data user or class of users may be exempted establishment, exercise of defence of legal from all or part of the PDPA (including PDPA s 129) claims; by decision of the Minister following the prior (4) is necessary in order to protect the vital opinion of the Commissioner (PDPA s 46(1)). interests of the data subject; New Zealand (Act in force) (5) is made from a register which according to STATUTORY EXEMPTIONS laws or administrative regulations is intended to provide information to the public and The Commissioner may not prohibit a transfer if it which is open to consultation either by the is (Privacy Act s 114B(3)): public in general or by any person who can (a) required or authorised by or under any demonstrate legitimate interest […]. enactment; or Such transfers must in any case be notified to (b) required by any convention or other OPDP. instrument imposing international Malaysia obligations on New Zealand. STATUTORY EXEMPTIONS This same policy should follow through to the Privacy Bill (Part 8 of the Privacy Bill: Prohibiting Transfers of personal data may take place to onward transfer of personal information received other non-adequate destinations if (PDPA s in New Zealand from overseas) 129(3)(b)–(h)): New Zealand (Privacy Bill) (a) [...] (b) the transfer is necessary for the STATUTORY EXEMPTIONS performance of a contract between the No restriction applies to overseas data transfers: data subject and the data user; (c) the transfer is necessary for the conclusion • if it is ‘not reasonably practicable in the or performance of a contract between the circumstances’ to comply with the data user and a third party which— requirements of IPP 12(1) (IPP 12(2)); and (i) is entered into at the request of the • the disclosure of the information is necessary data subject; or (IPP 10(1)(e)): (ii) is in the interests of the data subject; (i) to avoid prejudice to the maintenance (d) the transfer is for the purpose of any legal of the law by any public sector agency, proceedings or for the purpose of obtaining including prejudice to the prevention, legal advice or for establishing, exercising detection, investigation, prosecution, or defending legal rights; and punishment of offences; or (e) the data user has reasonable grounds for (ii) for the enforcement of a law that believing that in all circumstances of the imposes a pecuniary penalty; or case— (i) the transfer is for the avoidance or (iii) for the protection of public revenue; or mitigation of adverse action (iv) for the conduct of proceedings before against the data subject; any court or tribunal (being proceedings (ii) it is not practicable to obtain the that have been commenced or are consent in writing of the data reasonably in contemplation); or subject to that transfer; and (f) if it was practicable to obtain such consent, • the disclosure of the information is necessary the data subject would have given his to prevent or lessen a serious threat to (IPP consent; […] 10(1)(f)): (g) the transfer is necessary in order to protect (i) public health or public safety; or the vital interests of the data subject; or (h) the transfer is necessary as being in the (ii) the life or health of the individual public interest in circumstances as concerned or another individual. determined by the Minister. 68 Moreover, the same policy as in Privacy Act s • the personal data is data in transit (Reg 114B(3) (see above) should follow through to Part 9(3)(f)); 8 of the future law (‘Prohibiting onward transfer of personal information received in New Zealand • the personal data is publicly available in from overseas’) to the effect that the Singapore (Reg 9(3)(g)); or Commissioner may not prohibit a transfer if it is: • the transfer of personal data is necessary for a (a) required or authorised by or under any use or disclosure in certain situations where enactment; or the consent of the individual is not required under the PDPA (Third and Fourth Schedule), (b) required by any convention or other such as use or disclosure necessary to respond instrument imposing international to an emergency that threatens the life, health obligations on New Zealand. or safety of an individual. The transferring Philippines organisation will also need to take reasonable steps to ensure that the data will not be ‘used ADDITIONAL LEGAL GROUND or disclosed by the recipient for any other No exception is provided to the accountability purpose’ (Reg 9(3) and PDPC AG, Chapter 19). principle in s 21 of the DPA. EXEMPTION BY THE AUTHORITY However, s 20(a) of the IRRs (General principles PDPC may, on the application of any organisation, for data sharing) provides that data sharing shall by notice in writing exempt the organisation from be allowed ‘when it is expressly authorized by any requirement prescribed pursuant to s 26(1) in law’, provided that ‘there are adequate respect of any transfer of personal data by that safeguards for data privacy and security, and organisation (PDPA s 26(2)). processing adheres to principle of transparency, legitimate purpose and proportionality. In September 2017 the PDPC announced that it would create ‘regulatory sandboxes’ on the basis Mutatis mutandis this provision is applicable to of this Section to exempt organisations from the the transfer of personal data out of the transfer limitation obligation, and subject to Philippines when such transfer is provided by law. specific criteria. Singapore An exemption granted under s 26(2) may be STATUTORY EXEMPTIONS granted subject to such conditions as the PDPC Transfers of personal data would be allowed to may specify in writing and may be revoked at any organisations that do not provide a standard of time by the PDPC. protection to personal data that is comparable to Organisations should provide exceptional and the protection under PDPA in the meaning of s 26 compelling reason(s), accompanied with when: evidence of the reason(s) why the organisation is unable to comply with—in this particular case— • the transfer of personal data is necessary for PDPA s 26. the performance of a contract between the individual and the transferring organisation, or South Korea to do anything at the individual’s request with STATUTORY EXEMPTIONS a view to the individual entering into a contract with the transferring organisation Consent requirements are exempted for overseas (Reg 9(3)(b)); data transfers only in specific circumstances listed by statute. • the transfer of personal data is necessary for the conclusion or performance of a contract For now, explicit exceptions exclusively pertain to between the transferring organisation and a ‘controller-processor’ transfers (for ‘entrustment third party which is entered into at the of management or storage’) which are carried out individual’s request (Reg. 9(3)(c) or which a by ICSPs and Extended ICSPs under the Network reasonable person would consider the Act. contract to be in the individual’s interest (Reg Under Art 63(2) of the Network Act consent is not 9(3)(d)); required where the delegation by the ICSP is ‘necessary for the performance of the contract on 69 the provision of information communication (5) to prevent or suppress a danger to the life, services and for user’s convenience’ (and the body, or health of the data subject or other other relevant conditions under the Network Act persons, when the data subject is incapable have been satisfied) in terms of controller- of giving the consent at such time; processor cross-border transfer. Art 63(2) will (6) necessary for carrying out the activities in remain in force until 4 August 2020, until it is relation to substantial public interest. displaced to PIPA (new Art 39(12)). Vietnam An amended version of Art 63 of the Network Act will be displaced to PIPA as a new Art 39(12), with NO the omission of the requirement that the transfer Under current law a data exporter cannot transfer is ‘necessary for the performance of the contract personal information of data subjects in Vietnam on the provision of information communication to another person (in- or outside Vietnam) unless services and for user’s convenience’. otherwise provided for by Vietnamese law or Thus, the dual test of necessity for contractual consented to by the data subject. performance and user convenience for At this stage it is not known if the proposal for a controller-processor transfers in the current Draft Data Protection Decree which would version of Network Act will no longer apply to contain provisions on overseas data transfers ICSPs and extended ICSPs. would provide for exemptions similar to those in Under the amended PIPA (Art 17(4)), a controller place in other jurisdictions. will be allowed to provide personal data to another controller without the data subject’s consent in conditions to be prescribed by Presidential Decree: ‘within a scope that is reasonably related to the original purpose of collection’ and ‘after considering whether the data subject’s rights would be infringed upon and/or measures to secure the integrity of the personal information have been properly taken.’ However, it is too early to tell if the Enforcement Decree would remove consent requirements for overseas transfers in specific circumstances. Thailand STATUTORY EXEMPTIONS Under the new PDPA transfers may take place to countries or international organisations without adequate data protection standards, if the transfer is (PDPA s 28): (1) for compliance with the law; (2) […] (3) necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract; (4) for compliance with a contract between controller and other persons or legal persons for the interests of the data subject; 70 Thus defined, ‘data localisation’ in some countries Data Transfer constitutes a bottleneck for some Internet- enabled services and industries. Localisation strategies have thus triggered virulent opposition Mechanisms & from corporations, civil society actors, foreign stakeholders, industry associations, and Localisation Laws governments that have declared their support for cross-border data transfers. Discussing the policies which undergird such Several Asian jurisdictions have implemented or obligations is beyond the remit of this Review, are considering implementing so-called ‘data which is focused on improving legal certainty and localisation’ measures. These measures broadly enhancing compatibility between Asian mandate that organisations must store and/or frameworks on cross-border personal data flows. process personal data generated within their territory, even where specific data transfer However, even from this perspective alone, mechanisms (e.g., contracts) have been several observations can be made. implemented and/or the consent of the individual Improving legal certainty and predictability in the has been obtained by the organisation. Data application of localisation rules exports may take place in derogation to such localisation measures only in specific First, this area of the law is marked by uncertainty, circumstances, and normally after approval by a particularly in jurisdictions where sweeping public authority. localisation obligations apply and where the state of the law is in constant flux. Since localisation provisions increasingly appeal to the principle of digital sovereignty or purport As a result, organisations within the scope of such to enable access by law enforcement to specific measures find themselves subject to an obligation categories of personal data, other factors than of compliance which can be challenging to satisfy the protection of privacy weigh in the assessment due to the legal uncertainty which prevails in this done by the public authority. area. The policies underlying these requirements, their In fact, we observe that over the past years, the implications, and the arguments of stakeholders laws and regulations imposing such obligations arguing both for or against them, have been have been subject to constant change across the exposed in detail elsewhere.52 region. The unpredictability that resulted has been the cause of much disarray for companies, Such measures can be contrasted with both local and foreign. ‘traditional’ data transfer provisions found in Data Protection Laws, which are not effectively At least clarifying the scope and impact of such designed to keep data on shore but to avoid localisation measures would significantly improve circumvention or undermining of local legislative the situation for organisations intending to protections through overseas personal data transfer data across borders in the region, to transfers.53 Such obligations can be discharged by acknowledge for the fact that the additional organisations without ex ante oversight of each constraints put on the collection and processing transfer by the authority, e.g. by implementing of such data require strictly circumscribing their one of the mechanisms considered in this Review conditions for implementation. (contracts, BCRs, etc...). 52 See, for instance, Arindrajit Basu, Elonnai 53 Cf. the original explanatory memorandum to Hickok, and Aditya Singh Chawla, The the OECD Privacy Guidelines, Part 3, at para. 17 Localisation Gambit: Unpacking Policy (Basic principles of international application: Measures for Sovereign Control of Data in India free flow and legitimate restrictions). (The Centre for Internet and Society, India; 19 March 2019) at 24. 71 In particular, this requires clarifying: Nevertheless, there would be great added value in the clarification of the interplay between • the key concepts which underpin data transfer provisions in general Data Protection localisation requirements (e.g., ‘sensitive’ or Laws (both the national Data Protection Law and ‘important’ data); it is suggested that the list the Data Protection Laws of other jurisdictions) of data covered by the law should be closed and localisation obligations mandated in specific and defined in the relevant statute (rather sectoral laws or regulations. than be extendable by further regulations or other subordinate instruments); This would include, for instance, clarifying the extent of parity between ‘traditional’ data • the circumstances in which exemptions are transfer mechanisms recognised in other permitted; and so minimum transparency on jurisdictions (e.g., contracts, BCRs, certification, the processing of exemption requests is codes, level of protection in the country of necessary–both on the application procedure, destination, etc.) and the conditions for approval and on precedent decisions made in similar of data transfers by the public authorities. circumstances; and Comparative analysis reveals that appropriate • the regulatory expectations as to the practical and accessible complaint and redress consequences of mandating the localisation of mechanisms should remain provided for, some categories of data (i.e. whether including effective legal remedial measures. localisation requires server mirroring or other As well, similar and consistent standards should measures such as backup servers). be applied to localisation requirements in Entry into force periods should be sufficiently regulations applying to different sectors. long to allow organisations to take the necessary The current Covid-19 situation has amplified the compliance measures, and extensions and necessity of making all the clarifications adaptations should be possible on request. suggested above. Combining derogations to localisation rules and First, driven by the urgency of the Covid-19 crisis, data transfer mechanisms in Data Protection multinational clinical trials are more important Laws than ever before. But localisation requirements, Second, co-existence of both types of personal combined with the data transfer provisions and data transfer restrictions (i.e., localisation other requirements in multiple Data Protection requirements and data transfer provisions in the Laws, pose significant barriers to compliance.54 Data Protection Law) in several Asian legal systems can be a source of confusion for Second, Business Continuity Plans (BCPs) rely on stakeholders. the capacity of offshore personnel to remotely support systems where on-shore personnel are For efforts toward legal convergence to succeed not able to support their systems during in practice, it is critically important to make lockdowns. Alternatively, in a worst-case explicit the purposes that these different rules scenario, the majority of personnel may become serve. infected which results in both in-country primary Whilst the objective of aligning those data and backup data centres having to go transfer requirements guided by a concern of offline. The inability to process or store data dilution of data protection rules seems attainable, offshore is a critical factor in the assessment it is more elusive when data transfer restrictions of the risks attached to the systems going are inspired by domestic concerns that do not down in some jurisdictions. reconcile with the promotion of compatibility among Asian data transfer frameworks. 54 John Childs-Eddy, ‘How to comply with data data-localization-regulations-amid-covid-19s- localization regulations amid COVID-19’s impact/>. impact’, IAPP news, April 28, 2020, 72 With regard to cross-border transfers of data Status in Asia collected and generated in China, Art 9(8) (‘Cross- Here we exclusively consider four legal systems border Transfer of Personal Information’) only where sweeping localisation obligations apply provides that the personal information controller cross-sector to online activities (e.g. ‘network ‘shall comply with the requirements of relevant providers’) will impact the future data protection national regulations and standards’. laws in those jurisdictions. Sectoral or targeted Draft Cross-Border Transfer Assessment localisation requirements which may apply in Measures of the Cyberspace Administration of other jurisdictions (electronic health records in China Australia; tax information in New Zealand; or personal credit information in South Korea, for The draft Measures are still pending (latest instance) are not considered here, except where version dated 13 June 2019). they articulate with broader localisation The latest draft expands the scope of the transfer requirements. measures in Art 37 of the CSL to all Network China Operators (not only CIIOs) and personal information. Cybersecurity Law (CSL) Art 37 Network operators are ‘owners and CIIOs must store personal information and administrators of networks and network service ‘important data’ collected and generated in China providers’ (CSL Art 76). and may transfer such information and data overseas only for business needs and upon Network Operators must apply for a security security assessment by the relevant authorities. assessment of the contemplated transfers to the provincial branch of the CAC for review (i.e. no Where due to business requirements it is ‘truly differentiation depending on sensitivity levels). necessary’ to provide personal information outside of the PRC, CIIOs shall follow the Note: Sectoral localisation obligations prevail over measures of State Network Information Art 37 of the CSL, e.g. in banking, insurance, and Department and State Departments (unless laws credit reporting; health and genetics; online taxi or regulations provide otherwise) to conduct a booking; and location apps.55 cross-border transfer security assessment. Recently significant amendments were made with Personal Information Security Specification regard to the People’s Bank of China’s Personal (TC260) (GB/T 35273/2020) Art 9(8) Financial Information Protection Technical Specification (‘PFI Specification’) (2020)56 and the The Specification issued by the National Regulation on the management of Human Information Security Standardisation Technical Genetic Resources adopted by the State Council Committee (TC260) will enter into force on 1 (2019).57 October 2020. 55 Kemeng Cai, ‘Jurisdictional Report: China’ in 57 Regulation of Human Genetic Resources of the Regulation of Cross-Border Transfers of State Council (中华人民共和国人类遗传资源管理条例) Personal Data in Asia (Asian Business Law No. 717 dated 28 May 2019 Institute, 2018) at 65 (current as at May 2018). 73 India Data Protection Bill (2019) Current law Sensitive personal data ‘may be transferred outside India for the purpose of processing but Data must be stored and/or processed in India in shall continue to be stored in India’ (s 33(1)), and exception to s 43A and Rule 7 of the IT Act where additional conditions apply (s 34(1)). specific localisation requirements apply in sectors including banking, telecom, and health:58 ‘Sensitive personal data’ is defined in s 3(36) and includes financial personal data. • the Reserve Bank of India’s Notification on ‘Storage of Payment System Data’ (6 The list may be expanded by Government April 2018);59 regulation. • the Department of Industrial Policy and Critical personal data may be processed only in Promotion’s ‘Consolidated Foreign India, with exceptions (s 34(2)). Direct Investment Policy’ (28 August ‘Critical personal data’ is undefined and may be 60 2017); notified as such by Government regulation. • the Department of Telecommunications’ Indonesia Unified Access License; Government Regulation No.71 of 2019 (GR71) • the Companies Act, 2013 and its Arts 20 and 21, repealing Government Regulation Regulations; No. 82 of 2012 (GR82) (October 2019) • the ‘Insurance Regulatory and ‘Electronic Service Providers (ESPs) for Public Development Authority of India Purposes’ may not process or store data outside (Outsourcing of Activities by Indian Indonesia (with exceptions, i.e. unless the storage Insurers) Regulations, 2017’ (6 May technology is not available in Indonesia (Art 20)) 61 2017); and (subject to further implementing regulations). • the Ministry of Communications & ‘ESPs for Private Purposes’ may manage, process Information Technology’s ‘National and/or store electronic system or electronic data Telecom M2M Roadmap’ (May 2015).62 inside or outside Indonesia (Art 21(1)), subject to: Draft e-Pharmacy Regulations were released in • the obligation to ensure effective compliance 2018 which would impose that data generated or with GR71 (Art 21(2)); and mirrored through e-pharmacy portal should be • to enable access to the data by the public localised in India, but a final version has not been authorities (Art 21(3)). published yet. Further implementing regulations are to be provided by the Government. 58 See Amber Sinha and Elonnai Hickok, 61 Insurance Regulatory and Development ‘Jurisdictional Report: India’, ibid at 129. Authority of India (Outsourcing of Activities by Indian Insurers) Regulations, 2017 (Ref No: 59 ‘Storage of Payment System Data’ (Circular F.No. IRDAI/Reg/5/142/2017, 6 May 2017) DPSS.CO.OD. No 2785/06.08.005/2017-18 74 Further, ESPs that are deemed to have ‘strategic There should further be legal bases for a full electronic data’ (for now undefined) must backup determination on the three following factors:63 records to ‘a certain data centre’ (Art 99(3)). Regulatory guidance will be needed on the • such an enterprise provides regulated services location of such data centres and whether (Art 26(1)(a)); ‘Private ESPs’ are included in the scope. • such an enterprise carries out activities of In the financial sector, the Financial Service collecting, using, analysing and processing the Authority may adopt specific regulations relating regulated types of data (Art 26(1)(b)); and to the transfers of personal data (Art 21(4)). • such an enterprise has been notified that the The concept of ‘data categorisation’ in the service it provides is being used to commit previous draft of GR71 was removed from the acts of violation of Vietnamese laws, but it has text. not undertaken measures to stop and apprehend those acts (Art 26(1)(c)). Vietnam The regulated services and types of data (data of Cybersecurity Law, Art 26(3) service users in Vietnam, generated by service Art 26(3) of the CSL is applicable to ‘domestic and users in Vietnam, and on the relationships of foreign enterprises providing services on service users in Vietnam), the relevant authorities telecommunication networks or the internet or and the modalities of notification are further value-added services in cyberspace in Vietnam specified in the draft. with activities of collecting, exploiting, analysing, The period for the storage of data would be at and processing personal information data, data least twelve (12) months (Art 27(3)). on the relationships of service users, or data generated by service users in Vietnam’. Such enterprises must store such data in Vietnam for a specified period to be stipulated by the Government. Foreign enterprises referred to in Art 26(3) are required to set up branches or representative offices in Vietnam. Art 26(4) further provides that the Government shall provide detailed regulations on Art 26(3). Draft Implementation Decree A Draft Decree implementing the requirements of Art 26(3) of the CSL is expected in 2020. Based on the latest available version of the draft (21 August 2019), storing data and/or having branches or representative offices in Vietnam is required for foreign service providers only for specific purposes, i.e. ‘protection of national security, social order and safety, social ethics and health of the community’ (Chapter 5, Art 26). 63 Thomas J. Treutler, Giang Thi Huong Tran, 75 Data protection frameworks should recognise the Overarching Policy validity of specific transfer instruments by applying the same ‘reading grid’ to all (i.e., contracts, BCRs, certification, codes of conduct, Considerations etc.), so that they provide the same safeguards, in whichever data transfer scenario they are applied. Diversity of mechanisms to be recognised for compliance with data transfer regulations The same criteria should be shared across legal systems in order to promote legal certainty, Overall, the options for managing cross-border convergence and interoperability. data transfers under data protection laws are many and varied. At the global level, ‘most Broadly put, Asian laws combined with available countries adopt a mixture of these measures and guidance provide that any data transfer allow businesses considerable leeway in mechanism should ensure a continuing level of managing their own cross-border transfers’,64 protection overseas, consistent with international since no single mechanism stands out as entirely data protection and privacy standards as well as positive. the objects of the national data protection law. Moreover, the appropriateness of a legal ground With regard to data transfers, comparative or mechanism for a given transfer scenario will analysis of Asian laws, combined with depend on the context, business relationships international data protection standards, leads to and data use. the conclusion that: Contributors to ABLI’s Data Privacy Project and • any data transfer mechanism must consist in a industry generally underline the importance of legally binding arrangement; ensuring that numerous mechanisms and legal • any data transfer mechanism must maintain bases to frame data transfers should be included and build upon the existing privacy in any privacy law. This diversity is part of the protections set out in the national legislation, regulatory flexibility needed to accommodate the while being consistent with principles different economies, legal systems, and levels of enshrined in international frameworks and development of data protection frameworks in best practices; Asia. • data subjects’ rights must remain enforceable Convergence would be greatly facilitated by overseas; this implies that appropriate and ensuring maximum overlap between Asian legal accessible complaint and redress mechanisms systems regarding acceptable data transfer are provided for, including effective legal mechanisms and schemes. remedial measures; and • adequate supervisory mechanisms must apply Common standards to recognize the validity of to the scheme or instrument to ensure transfer mechanisms or schemes effective compliance of transferring Convergence would be advanced if the organisations with their obligations under implementation of these mechanisms and national laws. schemes would be subject to comparable Enforcement mechanisms conditions so that they can be used for compliance in multiple jurisdictions.65 An enforcement mechanism should meet two key requirements: • it should be accessible to the individual; and • it should have effective powers to enforce the privacy or data protections in the legally binding arrangement. 64 UNCTAD report, ‘Data protection regulations 65 Park Kwang Bae, ‘Jurisdictional Report: and international data flows’, ibid at 14. Republic of Korea’, ibid at 369. 76 It is understood that a range of mechanisms may Like security and accountability, data protection satisfy those requirements, ranging from a and privacy are a central component of digital regulatory body similar to the local data trust, the keystone on which the digital evolution protection regulator, to an accredited dispute and the productive use of new technologies resolution scheme, an independent tribunal or a rest,68 so it must now be taken for granted that court with judicial functions and powers.66 sustainable convergence in this area of law will only be achieved if a high level of data protection Factors that may be relevant in deciding whether and privacy is implemented in the legal systems there is an effective enforcement mechanism of the region. include whether the mechanism:67 Alignment not just to a regional standard but to • is independent of the overseas recipient that global standards is a worthwhile goal, especially is required by the law or binding scheme to given the integration of Asian economies in global comply with the privacy or data protections; trade and the increased privacy expectations of • has authority to consider a breach of any of the Asian public. the privacy or data protections in the arrangement; Ensuring consistency between global, regional and sub-regional frameworks is necessary to • is accessible to an individual, for example, the avoid adding more layers of complexity. existence of the arrangement is publicly known, and can be accessed by individuals directly and without payment of any unreasonable charge; • has the power to make a finding that the overseas recipient is in breach of the arrangement and to provide a remedy to the individual; and • is required to operate according to principles of procedural fairness. The mechanism may be a single mechanism or a combination of mechanisms. It may be established by the law or binding scheme that contains the privacy or data protections, or by another law or binding scheme. Alternatively, the mechanism may take effect through the operation of cross-border enforcement arrangements between the appropriate regulatory authorities. Alignment on global standards Finally, an important assumption shared by ABLI’s interlocutors is that neither regulatory competition, nor simplification should be done at the expense of privacy itself. 66 OECD Privacy Framework, Para 17(b), p.30. 68 Bhaskar Chakravorti and Ravi Shankar Chaturvedi, ‘Digital Planet 2017: How 67 OAIC APP ‘Guidelines, Chapter 8: APP 8 — Competitiveness and Trust in Digital Economies Cross-border disclosure of personal Vary Across the World’, The Fletcher School, information’, on ‘Mechanisms to enforce Tufts University, July 2017, p. 28. privacy protections’, p.9. 77 Acknowledgments Asian Business Law Institute The Asian Business Law Institute is indebted to the The Asian Business Law Institute is a following Data Protection and Privacy Commissions neutral, non-profit permanent that have expressed their support of this Review, institute based in Singapore and provided comments or clarifications on their dedicated to providing practical respective national frameworks: guidance in the field of Asian legal development and • Office of the Australian Information promoting the convergence of Asian business laws. Commissioner (OAIC), Australia; The Asian Business Law Institute seeks to address • Privacy Commissioner for Personal Data (PCPD), key problems resulting from legal diversity in Asia Hong Kong SAR; identified by stakeholders in the public and private sectors. ABLI’s long-term strategic direction is set by • Personal Information Protection Commission a Board of Governors, chaired by the (PIPC), Japan; Honourable the Chief Justice Sundaresh Menon of the Supreme Court of Singapore. The Board of • Office for Personal Data Protection (OPDP), Governors comprises representatives of the Macau SAR; judiciaries of Australia, China, Singapore and India • Office of the Privacy Commissioner (OPC), New and other internationally renowned legal experts. Zealand; Since 2017, the Asian Business Law Institute has • National Privacy Commission (NPC), undertaken a multi-stakeholder project focusing on Philippines; the regulation of international data transfers in 14 Asian jurisdictions, in collaboration with a wide • Personal Data Protection Commission (PDPC), range of stakeholders including law practitioners, Singapore; and industry representatives and academics, and with • Personal Information Protection Commission input from the Data Protection and (PIPC), South Korea. Privacy Commissions and governments of the region which are currently working on, or reviewing, their With special thanks for their personal contributions respective data protection frameworks. to: Emi Christensen, Aleksandra The-Tjoan, Aki Cheung, Mari Sonoda, Ken Chongwei Yang, Michael The Data Privacy Project is led by Dr Clarisse Girot, Harrison, Leandro Angelo Aguirre, Angela Butalid, Senior Fellow with the Asian Business Law Institute. Evelyn Goh, Eunice Lim, and Huynik Kim. More information on the Project is available at This Review was edited with the invaluable https://abli.asia/. assistance of Dominic Paulger. We gratefully acknowledge the individual contributions of Charmian Aw (Reed Smith, Singapore), Kemeng Cai (Han Kun Law, China), Dr Yanqing Hong (Peking University, China), Mark Parsons (Hogan Lovells, Hong Kong), Elonnai Hickok (Center for Internet and Society, India), Danny Kobrata (K&K Advocates, Indonesia), Deepak Pillai (Christopher & Lee Ong, Malaysia), Jj Disini (Disini Law Office, Philippines), Ken Chia (Baker & Mc Kenzie, Singapore), Park Kwang Bae (Lee & Ko, Korea), David Duncan (Tilleke & Gibbins, Thailand), Prapanpong Khumon (Chulalongkorn University, Thailand), Waewpen Piemwichai (Tilleke & Gibbins, Vietnam), Derek Ho, Annabel Lee, Eric Chung, Marcus Bartley-Johns, Alex Li, and Larry Liu. All responsibility for content remains with the Asian Business Law Institute. 78 • EXEMPTION BY THE AUTHORITY, OR BY THE GOVERNMENT, METHODOLOGY TABLE KEYS where the law leaves a certain latitude to the public authorities to authorise organisations to derogate from the Jurisdictions covered Consent data transfer rules in specific circumstances; or The jurisdictions assessed in this Review are those covered in For each jurisdiction, the applicability of consent under the • ADDITIONAL LEGAL GROUND, where such situations are ABLI’s Data Privacy Project: Australia, China, Hong Kong SAR, Data Protection Law or Bill is expressed as: recognised in the law but operate autonomously with the India, Indonesia, Japan, Macau SAR, Malaysia, New Zealand, main data transfer rules, instead of in the form of • YES (required) or YES (optional), where the individual’s Philippines, Singapore, South Korea, Thailand, and Vietnam exemptions or derogations. consent is a systematic requirement that may be waived See https://abli.asia/projects/data-privacy-project only exceptionally or is one among several legal bases for Where no exemption from the default position applies, the Legal grounds, mechanisms, schemes considered transfers; applicable data transfer regime is marked as NO. Comparative Table of Laws and • NO, where obtaining the individual’s consent is irrelevant The legal grounds, mechanisms, and schemes for transfers in the structure of the applicable legal regime. Regulations considered in this Review are: Adequacy, white lists; Self-assessment of the level of on Cross-Border Personal Data Flows • Firstly, those most commonly found in data protection TABLE OF CONTENTS protection in the country of destination; Contractual regimes globally, including recently promulgated Data in Asia safeguards; Binding Corporate Rules; Certification; Codes of Protection Laws that have taken inspiration from EU GDPR; conduct AUSTRALIA...... 2 (Working Document, May 28, 2020) and For each jurisdiction, the applicability of such mechanisms or • Secondly, those considered for inclusion in Asian regional CHINA ...... 2 schemes for data transfers under the Data Protection Law or frameworks— including the ASEAN Digital Data Bill is expressed as: Governance Framework. HONG KONG SAR ...... 3 PRESENTATION • YES where the legal regime explicitly confirms their Specific instruments that do not fall into these categories have applicability; INDIA (Act in force) ...... 4 therefore not been considered (e.g. international agreements). This document consists in a comparative Table on the Laws • NO where the legal regime is silent on their applicability; Exclusion of sectoral laws INDIA (Bill) ...... 5 and Regulations relative to cross-border transfers of Sector-specific requirements (e.g. in telecom, banking, credit • UNCERTAIN where the legal regime fails to address the personal data in fourteen Asian jurisdictions. INDONESIA (Law in force) ...... 6 reporting, or health sectors) have not been reviewed in this point straightforwardly; and This Table was originally drafted to support the write-up by Review so as to avoid too wide a field of comparison. • ABLI of a comparative review of those laws and regulations CONCEIVABLE where clarification could be provided in INDONESIA (Bill) ...... 7 implementing regulations or guidance, but the regulator (also available at https://abli.asia), with the following Data localisation and data transfer mechanisms (when there is one) has not provided such clarification. JAPAN ...... 7 objectives: In this table we include sweeping localisation obligations o APEC Cross Border Privacy Rules (CBPRs) revealing the different causes of legal fragmentation that apply cross-sector to online activities (e.g. ‘network MACAU SAR ...... 8 between such provisions in the region; providers’) in four legal systems (China, India, Indonesia, In this Section, jurisdictions are marked as: and Vietnam). o identifying the collective benefits of legal convergence • YES, if they have joined the system as CBPR member MALAYSIA ...... 8 and certainty in this area of the law for organisations to Sectoral or targeted localisation requirements (e.g., countries and either have an existing legislative framework NEW ZEALAND (Act in force) ...... 9 which multiple legal frameworks apply, individuals electronic health records; tax information; or personal in place to recognise the CBPR; or have recognised CBPR as whose personal data is transferred across borders, and credit information) are not considered here, except in those a transfer mechanism, where applicable restrictions exist; and NEW ZEALAND (Bill) ...... 10 privacy regulators in the context of ensuring regulatory four jurisdictions where they articulate with broader localisation requirements and the data protection law (in cooperation and consistent regulatory action; and • NO, if they are not a member of APEC economy and thus PHILIPPINES ...... 11 force or in draft). o setting out proposals for how Asian public stakeholders cannot join the CBPR system; or in respect of those Legislative proposals considered jurisdictions that are members of APEC, they have SINGAPORE ...... 11 may promote legal certainty and greater consistency expressed no interest in joining the system, and hence a between their respective data transfer regimes in the Given the substantial legislative activity currently taking unilateral recognition of CBPR as a sufficient mechanism for SOUTH KOREA ...... 12 region. place in the area of personal data protection and privacy in transfer is remote or unlikely. Asia, this Review includes legislative proposals that should THAILAND ...... 13 A recurring difficulty for stakeholders in Asia is simply soon be passed into law in select key jurisdictions (India, Exemptions, additional legal grounds gaining access to laws, regulations, and regulatory guidance Indonesia, New Zealand). In this section we consider the specific circumstances defined VIETNAM ...... 14 on data privacy and data transfers in the region. ABLI has by statute under which data may flow from Asian jurisdictions, therefore decided to publish this Table, which it has drawn irrespective of the implementation of data transfer up to inform its analysis, for the benefit of all. mechanisms or schemes, the level of protection in the country of destination, or obtaining the data subject’s consent. The table is current as at 28 May 2020 and will be regularly updated on ABLI’s website. For each jurisdiction, the admission that personal data transfers may take place in such situations is expressed as: • STATUTORY EXEMPTION, where the law lists a series of circumstances in which it appears necessary to derogate to the main data transfer rules in the Data Protection Law or Bill (e.g., consent, adequacy); 1 Jurisdictions Self-Assessment by Relevant Laws and Consent White Lists, Binding Corporate Rules APEC Cross Border Privacy Exemptions & Additional Organisation of Overseas Contractual Safeguards Certification Codes of Conduct Regulations Adequacy Findings (BCRs) Rules (CBPRs) Legal Grounds for Transfers Level of Protection Main Principle and Exceptions AUSTRALIA YES (optional) NO YES YES YES CONCEIVABLE YES CONCEIVABLE DEROGATIONS TO APP 8.1 The accountability principle in The OAIC does not endorse ‘white APP 8.1 does not apply where the To discharge APP 8.1 it is generally APP 8.1 does not apply where the APP 8.1 does not apply where the Australia was endorsed as a (provided the code is effectively APP 8.1 does not apply to the APP 8.1 does not apply where the lists’ so a subjective assessment is entity reasonably believes that the expected that an APP entity will entity reasonably believes that the entity reasonably believes that the participating economy in the CBPR binding on the overseas transfer of personal information to Privacy Act (1988) individual consents to the cross- required under APP 8.1. recipient is subject to ‘a law, or enter into an enforceable recipient is subject to a ‘binding recipient is subject to a ‘binding system on November 23, 2018. organisation) an overseas recipient where (APP border disclosure after the entity binding scheme’ that is overall contractual arrangement with the scheme that is overall substantially scheme that is overall substantially 8.2): Australian Privacy Principle 8.1 informs the individual that APP 8.1 ‘substantially similar to the way in overseas recipient that requires similar to the APPs’, and there are similar to the APPs’, and there are The CBPR system has not yet been While APP 8.1 does not apply (APP 8.1) Accountability Principle. will no longer apply (APP which the APPs protect the the recipient to handle personal mechanisms available to the mechanisms available to the implemented in Australia, and no where the entity reasonably - the disclosure is ‘required or Before an entity discloses personal Guidelines at para. 8.27 ff.). information’, and there are information in accordance with the individual to enforce that individual to enforce that Accountability Agent has been believes that the recipient is authorised by or under an information to an overseas mechanisms available to the APPs (APP Guidelines para. 8.16). protection (APP 8.2(a)). protection (APP 8.2(a)). appointed to operate in Australia. subject to a ‘binding scheme that is Australian law or a court/tribunal recipient, the entity must ‘take Consent means ‘express consent or overall substantially similar to the order’; individual to enforce that The OAIC will be responsible for such steps as are reasonable in the implied consent’ (Privacy Act protection (APP 8.2(a)). Where an Australian government An overseas recipient may be An overseas recipient may be APPs’, and ‘there are mechanisms circumstances to ensure that the s 6(1)). agency discloses personal subject to a binding scheme where, subject to a binding scheme where, regulating the CBPR system in available to the individual to - the disclosure is required or overseas recipient does not breach information to a recipient that is for example, it is ‘subject to for example, it is ‘subject to an Australia, once implemented. enforce that protection’ (APP authorised under an ‘international the APPs (other than APP 1) in The four key elements of consent agreement relating to information engaged as a contracted service Binding Corporate Rules (BCRs)’ industry scheme’ that is 8.2(a)), the Privacy Act does not relation to that information.’ are (APP Guidelines, Chapter B ‘Key provider, the agency must take (APP Guidelines, para 8.21) enforceable once entered into, mention the possibility for an sharing to which Australia is a Concepts’, Para. B.35): contractual measures to ensure irrespective of whether the organisation to discharge the party’; S16C: If an entity discloses that a contracted service provider recipient was obliged or requirements of APP 8.1 by personal information about an - the individual is adequately - the disclosure is necessary for an informed before giving consent; does not do an act, or engage in a volunteered to participate or providing safeguards through a enforcement related activity; individual to an overseas recipient practice that would breach an APP subscribe to the scheme (APP non-binding code of conduct or and APP 8.1 applies to the - the individual gives consent if done by that agency (S95B). The Guidelines, para 8.21) practice. - a ‘permitted general situation’ disclosure of the information, the voluntarily; contract must contain provisions to exists in relation to the disclosure entity is accountable for any acts ensure that such an act or practice An overseas recipient may be of the information by the entity, or practices of the overseas - the consent is current and is not authorized by a subcontract subject to a binding scheme where, i.e. the disclosure is necessary to: recipient that would breach the specific; and (S95B(3). for example, it is ‘subject to a APPs in relation to the information. privacy code’ that is enforceable 1. lessen or prevent a serious - the individual has the capacity to Contractual measures under once entered into, irrespective of threat to the life, health or safety Chapter 8 of the Australian Privacy understand and communicate their section 95B will generally satisfy whether the recipient was obliged of any individual, or to public Principles Guidelines (APP consent. the requirement in APP 8.1. (APP or volunteered to participate or health or safety (S16A(1), Item 1); Guidelines) (Cross-border Guidelines, para 8.18). subscribe to the scheme (APP Each of these key elements are disclosure of personal information) Guidelines, para 8.21). 2. in relation to suspected unlawful published by the Office of the explained in detail in the APP activity or serious misconduct; Australian Privacy Information Guidelines (B.36-58). However, such a code does not Commissioner (OAIC) outlines how replace APPs, but operates in 3. locate a person reported as the OAIC will interpret APP 8. addition to the requirements of the missing; APPs. Note regarding ‘use’ and 4. for a diplomatic or consular ‘disclosure’ of personal An overseas recipient may not be function or activity; information: subject to a law or binding scheme 5. for certain Defence Force where the recipient can opt out of activities outside Australia. The focus of APP 8 is on the the binding scheme without notice ‘disclosure’ of personal and without returning or information to overseas recipients, destroying the personal as opposed to the ‘use’ of the information (APP Guidelines at information. While neither ‘use’ or para 8.22). ‘disclosure’ is defined in the Privacy Act, an entity ‘discloses personal information when it makes it accessible or visible to others outside the entity and releases the subsequent handling of the personal information from its effective control’ (APP Guidelines, para B.64). CHINA YES (required) NO NO YES (required) UNCERTAIN NO NO NO NO In principle informed consent of The CAC is due to issue The prior draft Measures (April The draft Cross-Border Transfer The draft Cross-Border Transfer The draft Cross-Border Transfer China is an APEC Member Economy The draft Cross-Border Transfer Art 9.5 of the Personal Information the individual is necessary for all implementing regulations for the 2017, revised in May and August Assessment measures provide that Assessment measures provide that Assessment measures do not but has not indicated an intention Assessment Measures do not Security Specification GB/T Cybersecurity Law (CSL) 6 ‘network operators’ to transfer or transfer requirements in Art 37 2017) provided for a self- the elements to be notified to the the elements to be notified to the include overseas certification to join CPEA or CBPRs. consider adherence to a code of 35273/2020 provides for November 2016 (effective June disclose any persona data to a third CSL. assessment of the contemplated provincial CAC for assessing the provincial CAC for assessing the schemes in the relevant conduct as a relevant factor in the exemptions from the default 2017). party (inside or outside China) (CSL, transfers and that the authorities security of the transfer must security of the transfer must assessment factors. security assessment to be carried requirement to obtain consent Art 42). The latest draft measures released would make such assessments only provide, among others, ‘the provide, among others, ‘the out by CAC or its local branches. from personal information subjects Art 37: ‘Critical Information by CAC (dated 13 June 2019) are in specific cases. contract entered into between the contract entered into between the An information security to ‘transfer their data’ (e.g. for Infrastructure Operators’ (CIIOs) Consent may be obtained through applicable to all ‘Network network operator and the network operator and the certification scheme run by the fulfilment of obligations under laws must store personal information ‘proactive’ (i.e. voluntary) personal Operators’ (not only CIIOs) and The last draft of June 13, 2019 recipient’ (Art 4). recipient’ (Art 4). Information Security Certification and regulations by the controller; and ‘important data’ collected and actions but may occasionally be ‘personal information’. They comes back on this position and Centre of China is operating but is national security and national generated in China and may implied from the data subject’s require that all network operators requires that all network operators The contract will be part of the In contrast, Art 13 of the draft not a strict equivalent of existing defense; public safety, public transfer such information and data actions (Guidelines for Cross- must apply for a security must apply for a security elements assessed by CAC, with a measures refer to ‘the contracts or ‘data protection trust marks’ or health, and significant public overseas only for business needs Border Data Transfer Security of assessment of the contemplated assessment of the contemplated focus on whether the terms of the other legally binding measures ‘privacy seals’ in the region. interests; criminal investigation, and upon security assessment by the National Information Security transfers to the provincial branch transfers to the provincial branch contract can fully safeguard the (‘the Contracts’)’. prosecution, trial, and judgment the relevant authorities. Standardisation Technical of the CAC for review (i.e. no of the CAC for review (i.e. no legitimate rights and interests of enforcement, etc.) but this Committee (TC260), August 2017). differentiation is made depending differentiation depending on the data subject. It is possible that Internal Rules, if Where due to business they are effectively ‘binding’ under 2 requirements it is ‘truly necessary’ Limited exceptions to consent for on sensitivity levels). sensitivity levels). The draft sets out the terms and PRC law and contain the required provision is only in relation to to provide personal information international transfers may apply conditions required to be in elements in the draft measures, domestic transfers. outside PRC, CIIOs shall follow the (see next), but security assessment It does not appear that the security contracts between data transferors would be considered adequate for measures of State Network requirements will in any case assessment will explicitly include and offshore data recipients (Arts the purpose of the security The current version of the Draft Information Dept and State Depts remain applicable. an assessment of the level of 13 and 16). assessment by CAC. Cross-Border Transfer Assessment (unless laws or regulations provide personal data protection in third measures does not clearly provide otherwise) to conduct a cross- countries (contrary to what was The detailed obligations are for like exemptions from consent border transfer security contemplated in a previous draft). broadly similar to the EU SCCs, or contract. assessment. with differences relating to compensation to data subjects and Note: Sectoral localisation onward transfers. obligations prevail over Art37 CSL, e.g. in banking, insurance, credit The contract must state the reporting, health and genetics, purpose of the transfer, the types online taxi booking and location of information provided and their apps. storage period. Art37 CSL to be combined with: Data subjects should be beneficiaries under the contract Personal Information Security but could also obtain Specification issued by the compensation in case of breach by National Information Security any of the parties or both (unless Standardisation Technical the parties can prove that they are Committee (TC260) (GB/T not liable, thus reverting the 35273/2020), Art 9(8) (entry into burden of proof). force October 1, 2020) They have the right to be informed With regard to the cross-border and to request copies of such a transfer of Personal information contract. collected and generated in China, the personal information controller ‘shall comply with the requirements of relevant national regulations and standards’. Draft Cross-Border Transfer Assessment measures of the Cyberspace Administration of China (CAC) (pending- draft version June 13, 2019) The draft measures expand the scope of the transfer measures in Art37 CSL to all ‘Network Operators’ (not only CIIOs) and ‘personal information’. Network operators are ‘owners and administrators of networks and network service providers’ (Art 76 CSL). Network Operators must apply for a security assessment of the contemplated transfers to the provincial branch of the CAC for review (i.e. no differentiation depending on sensitivity levels). Note: Sectoral localisation obligations prevail over Art 37 CSL, e.g. in banking, insurance, credit reporting, health and genetics, online taxi booking and location apps. HONG KONG SAR YES (optional) YES YES YES YES CONCEIVABLE NO CONCEIVABLE STATUTORY EXEMPTIONS Data may freely flow to a place A data user may transfer data to ‘Enforceable contract clauses’ may ‘Adopting internal safeguards, It is conceivable that the PCPD Hong Kong SAR is an APEC It is conceivable that the PCPD Exemptions to the principles and A ‘data user’ may transfer personal designated by the PCPD as having jurisdictions which have not been constitute ‘reasonable precautions’ policy and procedures for intra- could consider if certification economy and the Office of the could consider if compliance with a conditions enacted in s33 apply in Personal Data (Privacy) Ordinance data to a place outside Hong Kong been determined to have a ‘law white listed by PCPD where it has and ‘due diligence’ to ensure that group transfers’ can constitute mechanisms, privacy seals and Privacy Commissioner for Personal highly regulated industry’s code of two categories of circumstances. (Cap. 486), s 33 (not yet in force). when the data subject has substantially similar to or serving ‘reasonable grounds for believing the data will not be transferred in ‘reasonable precautions’ and ‘due trust marks can constitute Data is a participant to the CPEA. practice would constitute consented in writing to the the same purpose as’ the PDPO (a that there is in force in the place of contradiction with s 33 PDPO (s diligence’ to satisfy the conditions ‘reasonable precautions’ and ‘due ‘reasonable precautions’ and ‘due - The prohibition against transfers Transfers of personal data to international transfer ‘White List Jurisdiction’) ((s transfer a law which is 33(2)(f); International Transfer for transfers under s 33 PDPO diligence’ to satisfy the conditions However, Hong Kong SAR has not diligence’ to satisfy the conditions of personal data to places outside overseas jurisdictions are (s 33(2)(b)). 33(2)(a)). substantially similar to or serves Guidance, incl. Recommended (s 33(2)(f); International Transfer for transfers under s 33 PDPO (s yet expressed an intention to join for transfers under s 33 PDPO. Hong Kong does not apply where forbidden unless one of a number the same purpose as’ the PDPO (s Model Clauses at 7) Guidance at 7). 33(2)(f)). the CBPR or PRP systems, hence the personal data is exempted of conditions is met (equal basis), Consent should be voluntarily Such place is specified by notice in 33(2)(b). the CBPR or PRP cannot be used to The International Transfer from Data Protection Principle 3 of including: given and not been withdrawn by the Gazette (s 33(3)). In 2014 the PCPD published a set of The International Transfer demonstrate compliance with the Guidance provides that ‘non- the PDPO (i.e. use limitation the data subject in writing To satisfy such requirement, a data Recommended Model Clauses for Guidance (at 7) provides that ‘non- requirements of s 33. contractual oversight and auditing requirement), such as prevention - transfer to a white list user is expected to undertake transfers outside Hong Kong which contractual oversight and auditing mechanisms may be adopted to of crimes, legal proceedings, jurisdiction; (International Transfer Guidance at 5). professional assessment and distinguish between ‘core clauses’ mechanisms may be adopted to monitor the transferees’ protection of health, statistics and - the data subject has consented to evaluation on its own of the data (obligations of the parties, liability monitor the transferees’ compliance with the data research (where the resulting the transfer; protection regime where the and indemnity, settlement of compliance with the data protection requirements under the statistics or research does not intended recipient is located. Such disputes, termination) and protection requirements under the Ordinance’ (at 7). identify the data subjects), and - transfer is for avoidance or assessment should take into ‘additional clauses’ (on third party Ordinance’. emergency situation (s 33(2)(e)). mitigation of adverse action consideration various factors rights and additional obligations of against the data subject; and including the scope of application the transferee). 3 - the data user has taken all of the data privacy regime, the However, the Privacy - The transfer may also take place reasonable precautions and existence of equivalent provisions Commissioner has announced that when the user has reasonable exercised all due diligence to of the DPPs in the Ordinance, the it will publish an updated data grounds for believing that, in all ensure that the personal data data subjects’ rights and redress, transfer guidance in mid-2020 with the circumstances of the case ((s concerned are given equivalent the level of compliance and the enhanced user-friendliness and 33(2)(d)): protection to that provided for by data transfer restrictions. Mere additional guidance towards the Ordinance. subjective belief will not suffice. A organisational data users, (i) the transfer is for the avoidance data user must be able to especially the SMEs, by introducing or mitigation of adverse action Other exemptions can apply. demonstrate its grounds of belief two sets of new recommended against the data subject; The Guidance on Personal Data are reasonable if challenged. model clauses (including data Protection in Cross-border Data Reference may be made to the transfers between ‘data user and (ii) it is not practicable to obtain Transfer (‘International Transfer methodology adopted by the data user’ as well as ‘data user and the consent in writing of the data Guidance’) adopted by the Hong Commissioner in compiling the data processor’) for their adoption subject to that transfer; and Kong Privacy Commissioner in White List (International Transfer in formulating transfer agreements. Guidance at 4). (iii) if it was practicable to obtain December 2014 serves as a The current clauses may be practical guide for data users to such consent, the data subject adapted and/or included in a data would give it. implement s 33. transfer agreement. Parties are The Privacy Commissioner has advised to make adaptations or This exemption has a narrow announced that it will publish an additions according to their own application (International Transfer updated data transfer guidance in commercial needs. These clauses Guidance, at 6). mid-2020 with enhanced user- can be incorporated into a wider friendliness and additional agreement such as an outsourcing guidance towards organisational agreement. The clauses may be data users, especially the SMEs. adapted into a multi-party agreement. Note: PDPO s 33 covers two situations: (i) transfers of personal data from Hong Kong to a place outside Hong Kong; and (ii) transfers of personal data between two other jurisdictions where the transfer is controlled by a Hong Kong data user. INDIA YES (optional) UNCERTAIN UNCERTAIN UNCERTAIN UNCERTAIN UNCERTAIN NO UNCERTAIN NO (ACT IN FORCE) Sensitive personal data covered by In any circumstances sensitive In any circumstances sensitive It is unclear whether contractual It is unclear whether the existence It is unclear whether national India is an observer to the CPEA It is unclear whether adherence by No exception applies to the the IT Rules may be transferred personal data or information personal data or information protections between the exporting of binding corporate rules within a certifications delivered to overseas but is currently not an APEC an overseas organisation to a consent requirement or the when the person has consented to covered by the IT Rules may be covered by the IT Rules may be and importing organisations would company group or a group of organisations would be considered economy, hence the CBPR or PRP locally approved code of conduct requirement that the same level of Information Technology Act, 2000 the transfer, including third-party transferred outside India only to a transferred outside India only to a be considered as a valid means for companies involved in joint as a valid means for a data cannot be used to demonstrate could be considered as a valid data protection must apply in the (IT Act), s 43A data processors. foreign country that ‘ensures the foreign country that ‘ensures the a data exporter to demonstrate economic activity would be exporter to demonstrate that the compliance with the requirements means for a data exporter to country of destination in s 43A and same level of data protection that same level of data protection that that the ‘same level of data considered as a valid means for a ‘same level of data protection’ of Rule 7. demonstrate that the ‘same level IT Rule 7. This rule applies to both domestic Information Technology Rules of is adhered to by the body corporate is adhered to by the body corporate protection’ applies in the country data exporter to demonstrate that applies in the country of of data protection’ applies in the the IT Act, 2011 (IT Rules), IT Rule and international data transfers as provided for under’ Rule 7. as provided for under’ Rule 7. of destination as in India in the the ‘same level of data protection’ destination as in India in the country of destination as in India in on s 43A (Rule 7) (Rule 7). meaning of Rule 7. applies in the country of meaning of Rule 7. the meaning of Rule 7. However, Rule 7 does not clarify by However, Rule 7 does not clarify In any circumstances the data destination as in India in the s 43A and IT Rule 7 apply whom this assessment shall be whether this assessment shall be meaning of Rule 7. exclusively to ‘sensitive personal subject’s consent is not in itself a made, nor the criteria by which the made by the exporting data’. sufficient legal ground to transfer level of protection shall be organisation, nor the criteria by sensitive personal data to an assessed. which the level of protection shall Transfer of non-sensitive personal overseas country, and the level of be assessed. data is free. protection that will apply to that data in the country of destination Specific localisation provisions may must be the same as the level of prevail in sectors including protection provided for under the 1 banking, telecom, and health. IT Rules (Rule 7). Sensitive personal data or information may flow when: i) the information provider has consented to the transfer, or ii) the transfer is necessary for the performance of a contract. In any circumstances, the same level of data protection must apply to the data in the country of destination (Rule 7). Sensitive data or information consists of ‘information relating to; (i) password; (ii) financial information (…) ; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) Biometric information; (vii) any detail relating to the above clauses as provided to body corporate for providing service; and (viii) any of 1 See Amber Sinha and Elonnai Hickok, ‘Jurisdictional Report: India’, in Regulation of Cross-Border Transfers of personal Data in Asia’ (ABLI, 2018), p. 129. 4 the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise’ (Rule 3). INDIA (BILL) YES (required) YES NO YES YES NO NO UNCERTAIN STATUTORY EXEMPTIONS Sensitive personal data may only Different requirements apply Only the Central Government can With regard to sensitive personal (For sensitive personal data only, The Bill does not mention the India is an observer to the CPEA The Bill provides that the Authority Different exemptions to data be transferred outside India when depending on the nature of the make positive assessments based data only, such personal data may s 34(1)(a)) possibility for an exporting but is currently not an APEC shall, by regulations, specify codes transfer provisions flow from Data Protection Bill, Chapter VII explicit consent is given by the data personal data to be transferred. on either s 34(1)(b) or s 34(2)(b). be transferred for the purpose of organisation to discharge the economy, hence the APEC CBPR or of practice ‘to promote good Chapter VIII (‘Exemptions’). (Restriction on transfer of principal for such transfer (s 34(1)). processing where the transfer is Sensitive data may be transferred requirements in s 34 by providing PRP systems could not be used to practice of data protection and personal data outside India), With regard to sensitive personal made ‘pursuant to a contract for the purpose of processing safeguards through an approved demonstrate compliance with s facilitate compliance with the - With regard to statutory ss 33 and 34 (introduced in Lok As in the framework currently in data, the Central Government, where the transfer is made exemptions, s36 provides that the approved by the Authority’ which certification mechanism, nor does 34(1) of the Bill. obligations of this Act’ (s 50(1)) and Sabha on December 10, 2019) force, consent is necessary but not after consultation with the Data makes the provisions for ‘pursuant to an intra-group scheme it envisage the set-up of a privacy that codes of practice may include data transfer restrictions in sufficient for international Protection Authority of India (s 34(1)(a)): approved by the Authority’ which certification scheme in India. ‘transfer of personal data outside Chapter VII will not apply when it is As in the framework currently in transfers and additional measures (DPAI), may allow the transfer to a makes the provision for: India pursuant to s 34’ (s 50(6)(q)). necessary for the purposes of— force, ss 33 and 34 would not apply apply (s 34(1)(a) or (b), see next). country or, such entity or class of i) effective protection of data The closest reference to a to transfers of any personal data entity in a country or, an principal’s rights, including in i) effective protection of data certification scheme is in s 29(5) However, the Bill does not envision - law enforcement; There are no legal consequences principal’s rights, including in but to transfers of ‘sensitive’, but international organisation that relation to onward transfers, and which envisions the assigning of a the possibility for an exporting - legal proceedings; also to ‘critical’ personal data for attached to the collection of the provides an adequate level of relation to onward transfers, and ‘data trust score’ to ‘Significant organisation to discharge the the purpose of processing. individual’s consent with regard to protection (Bill, s 34(1)(b))— ii) liability of the data fiduciary for Data Fiduciaries’ (to be notified as requirements in - exercise of any judicial function; the transfer of either critical harm caused due to non- ii) liability of the data fiduciary for harm caused due to non- such by the Government based on s 34(1) by providing safeguards With regard to sensitive personal personal data (which must in i) having regard to the applicable compliance. - domestic purposes; or compliance. s 26(1)) to indicate the level of through an approved code of data, such data ‘may be transferred principle stay on shore) or of laws and international agreements, protection they provide. Though practice. Consent requirements still apply - journalistic purposes. outside India for the purpose of personal data which is neither and Consent requirements still apply these could be given to overseas processing but shall continue to be sensitive nor critical (which is free (s 34(1)). It is further uncertain (although not (s 34(1)). organisations operating in India it - Critical personal data may further stored in India’ (s 33(1)), and to transfer, here again on the ii) when such transfer shall not unconceivable) that compliance does not appear that they will be be transferred outside India to a additional conditions apply (s assumption that there is legal basis prejudicially affect the with a code of conduct in India by used in the context of cross border person or entity providing health 34(1), see next). for the processing in the first enforcement of relevant laws by an organisation located in a third data transfers. or emergency services where place). authorities with appropriate country, coupled with ad hoc necessary for prompt action (s Sensitive personal data is defined jurisdictions. The ‘demonstrable verification contractual engagements between 34(2)(a)). Such transfer must be in s 3(36) and includes financial mark’ envisioned in s 28(4)) (‘Social the parties, would be an admissible With regard to critical personal notified to the Authority (s 34(3)). personal data. The list may be Media Intermediaries’ must ‘agreement’ for the purpose of expanded by Government data, the Central Government may provide an option to users s 34(1)(a). EXEMPTION BY THE CENTRAL regulation. deem a transfer of critical personal data to be permissible to a country registering from India or using their GOVERNMENT With regard to critical personal or, any entity or class of entity in a services in India for voluntary Bill s 37 (‘BPO exemption’) grants data, such data may be processed country or to an international certification of their accounts, the power to the Central only in India, with exceptions organisation, when (Bill, s which will be marked with such a Government to exempt certain (s 34(2)- see next). Critical personal 34(2)(b))— demonstrable certification marks) data processors from all or part of data is undefined and may be is unrelated to the implementation the Act (including Chapter VII) for notified as such by Government i) it has previously found that the of data transfer provisions. the processing of personal data of regulation. country, organisation, entity provides adequate protection, and Although it does not appear to be data principals (individuals, ed.) Notes: the intention, it is possible (at least outside India, pursuant to any ii) the transfer does not conceptually) that certification of contract entered into with any Personal data that is neither prejudicially affect the security and an organisation located in a third person outside the territory of sensitive nor critical under the strategic interest of the State. country to a privacy certification India, including any company Data Protection Bill would be free scheme in India, coupled with ad incorporated outside the territory to transfer (on the assumption that However, the Bill does not clarify hoc contractual engagements of India, by any data processor or there is legal basis for the by whom this assessment shall be between the parties, would be an any class of data processors processing in the first place). made, nor the criteria by which the admissible ‘agreement’ for the incorporated under Indian law. level of protection shall be purpose of s 34(1)(a). This is in contrast with the transfer assessed. EXEMPTIONS BY THE AUTHORITY provisions in the original version of It is also conceivable that an the Bill (2018), which prescribed international or ad hoc bilateral With regard to sensitive personal specific measures for the transfer agreement for certification could data, the Authority may allow the of personal data that was neither be concluded, which would later transfer of sensitive personal data sensitive nor critical (s 40). operate within s 34(1)(b)(i) (for or class of sensitive personal data sensitive data) or s 34(2)(b) (for necessary ‘for any specific purpose’ Other requirements to store critical data). (s 34(1)(c)). and/or process in India would apply in case of the cumulative Where the processing of any application of localisation personal data (including sensitive requirements for sectors including or critical personal data) is banking, telecom, and health ‘necessary for research, archiving, (same as above). Localisation or statistical purposes’, the obligations were removed from the Authority may exempt such class of draft e-commerce policy in June research, archiving, or statistical 2019 (in anticipation of their purposes from the application of displacement to the Data any of the provisions of the Act Protection Bill). (including s 34) as may be specified by regulations. More sectoral obligations to localise data are currently in draft, The Authority must be satisfied e.g. in the draft e-pharmacy rules. that— (a) the compliance with the provisions of the Act shall disproportionately divert resources from such purpose; (b) the purposes of processing cannot be achieved if the personal data is anonymised; 5 (c) the data fiduciary has carried out de-identification in accordance with the code of practice specified under s 50 and the purpose of processing can be achieved if the personal data is in de-identified form; (d) the personal data shall not be used to take any decision specific to or action directed to the data principal; and (e) the personal data shall not be processed in the manner that gives rise to a risk of significant harm to the data principal. INDONESIA YES (required) UNCERTAIN UNCERTAIN UNCERTAIN UNCERTAIN UNCERTAIN NO UNCERTAIN NO (LAW IN FORCE) The written consent of the ‘data It is not known if the Ministry It is not known if the assessment It is not known if the existence of It is not known if the existence of It is not certain if the existence of a Indonesia is an APEC economy but It is not certain if adherence of the No exception to consent or owner’ is required unless specific would assess the level of by the ESP that the data transfers ad hoc contractual provisions BCRs or corporate rules that bind certification scheme that would as at April 2020 has not expressed importing organisation to a local additional legal ground for regulations apply (MCI 20/2016, protection in certain countries (e.g. take place to countries with a relating to the level of data the importing organisation to bind the importing organisation to an intention to join APEC CBPRs. Code of conduct that would ensure transfers outside the territory of Law No. 11 of 2008 on Electronic Art 21(1)). countries with data protection certain level of protection (e.g. protection applied by the ensure a certain level of data ensure a certain level of data the application of a certain level of Indonesia applies. laws) in the context of the countries with data protection importing organisation in the protection in the country of protection in the country of data protection in the country of Information and Transactions (EIT Express opt-in is not explicitly Law), Art 26 coordination provided in MCI laws) would be a positive factor if country of destination would be a destination would be a positive destination would be a positive destination would be a positive required by Art 21(1) but is derived 20/2016 Art 22. regulatory scrutiny were applied in positive factor in the context of factor in the context of ensuring factor in the context of ensuring factor in the context of ensuring Regulation No.20 of 2016 of the from MCI 20/2016, the context of the coordination ensuring coordination with the coordination with the Ministry coordination with the Ministry coordination with the Ministry Ministry of Communication and Art 1(4). with the Ministry under MCI Ministry under MCI 20/2016 Art under MCI 20/2016 Art 22. under MCI 20/2016 Art 22. under MCI 20/2016 Information (MCI 20/2016), Arts 20/2016 Art 22. 22. Art 22. 21 and 22 Principle: Electronic System Providers (‘ESPs’) may transfer data only with the individual’s consent; and following ‘coordination with the Ministry’ (in the current case the Ministry of Communication and Information, or ‘Kominfo’). The coordination requirement seems closer to a notification requirement than to a prior authorisation but sometimes regulatory scrutiny is applied.2 Government Regulation No.71 of 2019 (GR71), Arts. 20-21 (has replaced Government Regulation No. 82 of 2012 (GR82) in October 2019): ESPs ‘for Public Purposes’ may not process or store data outside Indonesia (with exceptions, i.e. unless the storage technology is not available in Indonesia (Art20) (subject to further implementing regulations). ESPs ‘for Private Purposes’ may manage, process and/or store electronic system or electronic data inside or outside Indonesia (Art21(1)), subject to the obligation to ensure effective compliance with GR71 (Art21(2)) and to enable access to the data by the public authorities (Art21(3)) - (all of which subject to further regulations). ESPs that are deemed to have ‘strategic electronic data’ (for now undefined) must backup records to ‘a certain data centre’ (Art99(3)). Regulatory guidance will be needed on the location of such data centres and whether ‘Private ESPs’ are included in the scope. The Financial Service Authority may adopt specific regulations relating to the transfers of personal data (Art21(4)). 2 Danny Kobrata, ‘Jurisdictional Report: Indonesia’, in Regulation of Cross-Border Transfers of personal Data in Asia’ (ABLI, 2018), p. 151. 6 INDONESIA (BILL) YES (optional) CONCEIVABLE CONCEIVABLE YES CONCEIVABLE CONCEIVABLE NO CONCEIVABLE ADDITIONAL LEGAL GROUND Transfers may take place if ‘there is Transfers may take place to a Transfers may take place to a The transfer may take place when It is not certain, but conceivable The current version of the Bill does Indonesia is an APEC economy but It is not certain, but conceivable Transfers may take place when written approval from the owner of country or international country or international a contract offering appropriate that BCRs would be covered by Art not envisage the set-up of a as at April 2020 has not expressed that compliance with a Code of ‘there are international Data Protection Bill, Art 49 the personal data’ organisation that ‘has a personal organisation that has a personal safeguards has been put in place 49(b) providing that transfers can certification scheme in Indonesia. an intention to join APEC CBPRs. Conduct in Indonesia by an agreements between the countries’ (introduced in Parliament on (Art 49(d)). data protection level that is equal data protection level that is equal between the Personal Data take place when there is a contract organisation located in a third (Art 49(b)). January 28, 2020) to or higher than this law ‘ to or higher than this law’ (Art Controller and a third party outside between the controller and an It is uncertain, but conceivable that country, coupled with ad hoc Consent can also be verbal, (Art 49(a)). 49(a)) the territory of the Unitary State of overseas third party, for instance certification in Indonesia by an contractual engagements between Overseas data transfers may in provided that it is recorded. the Republic of Indonesia (Art when an intra-group agreement organisation located in a third the parties, would be an admissible principle take place only in four It is not certain, but conceivable if Since the Bill does not mention 49(b)). would support the BCRs. country, coupled with ad hoc ‘agreement’ for the purpose of Art series of circumstances presented a public authority can make its own which entity should make that contractual engagements between 49(c). as alternatives: assessment and put countries on assessment, it is conceivable that the parties, would be an admissible ‘white lists’ by way of the data exporter can make his contract for the purpose of Art - the level of protection in the consequence. This would however own assessment. However, it is 49(c). country if destination is equal to, appear to be the original intention doubtful if such were the intention or higher than in the Act of the government. of the Government. However, this does not rule out the (Art 49(a)); possibility that an international or The Bill does not mention which The Bill also does not mention by ad hoc bilateral agreement for - international agreements apply entity in the government should which criteria this assessment certification could be concluded (Art 49(b)); make that assessment, and by should be made. under Art49(b), which would later which criteria. operate within Art 49(c). - a contract offering appropriate Such specifications would be safeguards is in place between the Such specifications would be provided in future regulations. parties (Art 49(c)); provided in future regulations. - the data subject has consented to the transfer (Art 49(d)). These provisions will be later specified in a Government Regulation. Notes: The Data Protection Bill will not affect pre-existing data protection provisions in so far as they are not contradictory with the Bill and are not specifically regulated by it (Art 79). The localisation provisions in GR71 (above) and the requirement of coordination with the Ministry in Art 22(1) of MCI 20/2016 would therefore not be impacted by the Bill. The current version of the Bill does not institute a Data Protection Authority. It is not clear to which entity in the Government (beyond MCI) the implementation of the provisions of the future Law would be left. JAPAN YES (optional) YES NO YES YES YES YES NO STATUTORY EXEMPTIONS Consent is required, unless The PPC can whitelist a foreign Only PPC can make positive Transfers may take place on the Transfers may take place on the Transfers may take place on the Japan's application to participate in Adherence to a code of conduct is Transfers may take place without exceptions apply (Art 24). country establishing a ‘personal assessments (i.e. put a foreign basis of a contract if such a basis of internal rules if such basis of a certification if a person CBPRs was endorsed by APEC and not included in the examples of the user’s consent in specific Act on the Protection of Personal information protection system’ country on a white list) (APPI Art contract ‘ensures, in relation to the internal rules ‘ensure, in relation to who receives the provision of effective April 2014. action which the recipient might circumstances listed in Art 23(1): Information, 2016 (APPI), Art 24 For consent to be valid, the data recognized to have equivalent 24). handling of personal data by the the handling of personal data by personal data has obtained ‘a take to be in conformity with a subject must be clearly informed standards to the standards in person who receives the provision, the person who receives the recognition based on an JIPDEC was appointed as Japan’s system established by reference to (i) cases based on laws and Transfers of personal information that the personal information will regard to the protection of an the implementation of measures in provision, the implementation of international framework Accountability Agent in January standards set by the PPC. regulations; by a ‘Personal Information be transferred to a third party in a 2016. individual’s rights and interests in line with the purpose of the measures in line with the purpose concerning the handling of (ii) cases ‘in which there is a need Handling Business Operator’ foreign country, and be provided Japan (APPI Art 24). provisions under APPI by an of the provisions under APPI by an personal information’ (which (PIHBO) in Japan to third parties with all the information necessary PPC has recognized that CBPRs are to protect a human life, body or appropriate and reasonable appropriate and reasonable includes, but is not limited to a ‘certification on the basis of an fortune, and when it is difficult to located in overseas destinations to decide whether to consent (e.g. In considering whether to put method’ (APPI Art 24). method’ (Art24 APPI). CBPRs) (Art24 APPI). are subject to obtaining the the foreign jurisdiction is identified specific countries on a white list, international framework regarding obtain a principal's consent’; individual’s consent, unless: personal information handling’ that or identifiable, or the the PPC makes a judgment relying Transfers may take place if a (iii) cases ‘in which there is a circumstances in which such data on a series of ‘judgmental personal information handling provide a level of protection - the country of destination has an equivalent to the APPI under Art24 special need to enhance public transfer will take place have been standards’ for the assessment of business operator is certified under hygiene or promote fostering equivalent level of protection (Art clarified). this level of protection:3 the CBPRs (see next). (additional requirements apply to 24); onward transfers of EU data). healthy children, and when it is - there are statutory provisions or difficult to obtain a principal's - the recipient acts in conformity codes equivalent to those relating consent’; and with a system established by to the obligations of personal (iv) cases ‘in which there is a need standards prescribed by the information handling business to cooperate in regard to a central Personal Information Protection operators defined under the APPI, Commission of Japan (PPC) (Art24); government organisation or a local and the policies, procedures and government, or a person entrusted systems to enforce compliance - one of a series of statutory by them performing affairs exceptions apply (Art 23(1)). with these rules can be recognised; prescribed by laws and regulations, and when there is a possibility that Note: - there is an independent personal data protection authority, and the obtaining a principal's consent authority has ensured necessary would interfere with the 3 Profs Kaori Ishii and Fumio Shimpo, ‘Jurisdictional Report: Japan, in Regulation of Cross-Border Transfers of personal Data in Asia’ (ABLI, 2018), p. 182. 7 Transfers to others than ‘third enforcement policies, procedures performance of the said affairs.’ parties’ are not covered by Art 24 and systems; and consent requirements do not apply. - the necessity for a foreign country designation can be Under the APPI, the following recognised as in Japan’s national entities are deemed not to be third interest; parties: - mutual understanding, - data processors; collaboration and co-operation are possible; and, - a company that enters into a merger, a company split or a - establishing a framework to business transfer with the data pursue mutual smooth transfer of controller; or personal information, while seeking the protection thereof, is - a company designated to jointly possible. use the personal information with the controller. These standards were applied by the PPC in its decision of January 18, 2019, recognising that the European Union has established a ‘personal information protection system’ based on standards equivalent to the standards of APPI in regard to the protection of an individual’s rights and interests in Japan. MACAU SAR YES (optional) YES NO YES CONCEIVABLE CONCEIVABLE NO CONCEIVABLE STATUTORY EXCEPTIONS Unambiguous consent to data The public authority may decide It is for the public authority to The OPDP may authorise transfers It is uncertain, but not It is uncertain, but not Macau SAR is not an APEC It is uncertain, but not A transfer to a destination in which transfer may derogate to the that the legal system in the decide whether a legal system where the controller adduces unconceivable that the OPDP could unconceivable that the OPDP could economy, hence cannot currently unconceivable that the OPDP could the legal system does not ensure Personal Data Protection Act absence of adequate protection in destination to which they are ensures an adequate level of ‘adequate safeguards’, ‘particularly take the decision to authorize a take the decision to authorise a join CBPRs or PRP. take the to authorise a transfer an adequate level of protection (2005) (PDPA), Art 19 and 20 destination country (Art20(1)). transferred ensures an adequate protection (Art19(3)). by means of appropriate transfer based on the transfer based on the based on the consideration that a ‘may be allowed’ where (PDPA Art level of protection (Art 19(2) and contractual clauses’ (Art20(2)). consideration that BCRs or internal consideration that Certification Code of conduct would constitute 20(1)): Principle: The transfer of personal Such transfer must in any case be (3)). rules would constitute ‘adequate Schemes would constitute ‘adequate safeguards’ in the data to a destination outside the notified to OPDP. Such transfer must be authorised safeguards’ in the meaning of ‘adequate safeguards’ in the meaning of Art20(2). (1) it is necessary for the MSAR may only take place subject The adequacy of the level of by OPDP. Art20. meaning of Art20(2). performance of a contract to compliance with the PDPA and There are, however, three cases in protection shall be assessed in the Such transfer would have to be between the data subject and the provided the legal system in the which the data subject’s consent is light of all the circumstances Such transfer would have to be Such transfer would have to be authorised by OPDP (Art20(2)). controller or the implementation destination to which they are not sufficient to transfer the data surrounding a data transfer authorised by OPDP. authorised by OPDP. of pre-contractual measures taken transferred ensures an adequate outside Macau: operation or set of data transfer in response to the data subject’s level of protection (Art19(1)). - the first two exceptions refer to operations. request; Transfers to ‘non-adequate’ sensitive data and to credit data Particular consideration shall be (2) it is necessary for the destination countries may take (PDPA, Art 22(1)), whose given to: performance or conclusion of a place only if specific conditions are processing is subject to the prior contract concluded or to be complied with (see next), and must authorisation of the OPDP. - the nature of the data, concluded in the interests of the be either notified to, or authorised Processing (including transfer) of data subject between the these two categories of data is - the purpose and duration of the by the Office of Personal Data proposed processing operation or controller and a third party; Protection (OPDP).4 subject to prior authorisation by the OPDP, unless authorised by operations, (3) it is necessary or legally The analysis carried out in the law; - the place of origin and place of required on important public context of such procedures final destination, interest grounds, or for the appears in decisions published on - the third exception is in relation establishment, exercise of defence the OPDP’s website.5 to the interconnection or so-called - the rules of law, both general and of legal claims; combination of data (PDPA, Art 4, sectoral, in force in the destination 1(10)), which is also subject to the (4) it is necessary in order to in question, and prior authorisation of OPDP. protect the vital interests of the - the professional rules and data subject; security measures which are (5) it is made from a register which complied with in that destination according to laws or administrative (Art19(2)). regulations is intended to provide Such transfer need not be information to the public and authorised by, or notified to OPDP. which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest. Such transfers must be notified to OPDP. MALAYSIA YES (optional) YES NO YES (implicit) CONCEIVABLE CONCEIVABLE NO CONCEIVABLE EXEMPTION BY AUTHORITY Consent may operate as an The Minister, upon the Only the Minister can make related The data user should ‘take all It is not certain, but conceivable It is not certain, but conceivable Malaysia is an APEC economy but It is not certain, but conceivable A ‘data user’ or ‘class of users’ may exception to the requirement that recommendation of the specifications (s 129(1)). reasonable precautions and that BCRs and internal rules are that certification in Malaysia by an as at April 2020 has not expressed that adherence of the overseas be exempted from all or part of the Personal Data Protection Act transfers may take place only to Commissioner, may specify any exercise all due diligence’ to ensure considered as ‘reasonable organisation located in a third an intention to join the CBPR recipient to a code of conduct may PDPA (including s 129) by decision (PDPA) 2010, s 129 places specified by the Minister place outside Malaysia to where that the data will be adequately precautions’ and measures of ‘due country to a privacy scheme or system. be considered as ‘reasonable of the Minister following the prior (s 129(2)(a)). data may freely flow, where: protected overseas, which diligence’ in the meaning of s obtaining a privacy mark may precautions’ and measures of ‘due opinion of the Commissioner Data transfers outside Malaysia implicitly refers to the conclusion 129(2)(f). constitute ‘reasonable precautions’ diligence’ in the meaning of PDPA s (S46(1)). may in principle take place only to a) there is in that place in force any and measures of ‘due diligence’ in 129(2)(f). places specified by the Minister ‘law which is substantially similar STATUTORY EXCEPTIONS 4 On the operation of these procedures, see Graça Saraiva, ‘Jurisdictional Report: Macau SAR, in Regulation of Cross-Border Transfers of personal Data in Asia’ (ABLI, 2018), p. 202. 5 For instance, Opinion No.0016/P/2018/GPDP on the establishment of the CTM (Macau Telecommunications Company) (HK) Data Centre and the transfer of data from Macao to Hong Kong and the respective notification and authorisation procedures. 8 where there is in force any law to this Act, or that serves the same of contracts the meaning of PDPA s 129(2)(f). PDPA s 23 describes the conditions Transfers of personal data may which is substantially similar to, or purposes as PDPA’; or (s 129(2)(f)). under which codes of conduct may take place to other non-adequate that serves the same purposes as be drafted and registered with the destinations if (s 129(3)(b) to (h)): the PDPA or which ensures an (b)that place ensures an adequate Contracts are further mentioned as Commissioner but these provisions adequate level of protection which level of protection in relation to such safeguards in sectoral Codes are unrelated to those relating to (b) the transfer is necessary for the is at least equivalent to the level of the processing of personal data of conduct approved by the data transfers. performance of a contract protection afforded by PDPA. which is ‘at least equivalent to the Commissioner. between the data subject and the level of protection afforded by data user; ‘The Minister’ refers to the PDPA’. (s 129(1)) Minister ‘charged with the (c) the transfer is necessary for the responsibility for the protection of ‘The Minister’ refers to the conclusion or performance of a personal data’, currently the Minister ‘charged with the contract between the data user Communications and Multimedia responsibility for the protection of and a third party which—(i) is Minister (PDPA s 4). personal data’ (S4 PDPA), currently entered into at the request of the the Communications and data subject; or (ii) is in the Transfers by a ‘Data User’ in Multimedia Minister. interests of the data subject; Malaysia to other destinations may take place only if: Note: (d) the transfer is for the purpose of any legal proceedings or for the - The data subject has consented to The Commissioner is considering purpose of obtaining legal advice the transfer; removal of the whitelist provisions or for establishing, exercising or above as part of the ongoing PDPA defending legal rights; - The data user has taken review exercise. reasonable precautions and (e) the data user has reasonable exercised due diligence; or grounds for believing that in all circumstances of the case— - Statutory or regulatory exemptions apply. (i) the transfer is for the avoidance or mitigation of adverse action Notes: against the data subject; On 14 February 2020 the (ii) it is not practicable to obtain Malaysian Personal Data the consent in writing of the data Protection Commissioner subject to that transfer; and (‘Commissioner’) has issued a Public Consultation Paper on (iii) if it was practicable to obtain review of the PDPA. One of the such consent, the data subject suggestions proposed is for would have given his consent; (…) removal of the provisions in s 129 which provide for the issuance of a (g) the transfer is necessary in whitelist by the Minister. order to protect the vital interests of the data subject; or As part of the ongoing review exercise, the Commissioner is (h) the transfer is necessary as considering issuing a guideline to being in the public interest in address the mechanism and circumstances as determined by implementation of cross border the Minister. transfers (Proposed Improvement Suggestion Nr.13). If implemented, it is unclear whether transfers which comply with the transfer mechanisms set out in the said guidelines will be recognised as permissible under the PDPA. NEW ZEALAND NO NO NO YES YES UNCERTAIN NO UNCERTAIN STATUTORY LIMITATION (TO POWER OF COMMISSIONER) (ACT IN FORCE) Consent is neither optional nor The Privacy Act does not provide The Privacy Act does not cater for Contractual provisions governing BCRs are not mentioned in the Regulatory guidance does not New Zealand is an APEC economy Regulatory guidance does not required, and would not currently for the possibility to adopt ‘white this possibility. handling of personal data are Privacy Act itself but they are explicitly refer to trust marks and but as at April 2020 has not explicitly refer to Codes of conduct The Commissioner may not appear to waive the requirements lists’. common although they are not referred to in the Fact Sheet on privacy seals as ‘associated expressed an intention to join as ‘associated schemes established prohibit a transfer if it is Privacy Act 1993, Part 11A of existing privacy safeguards in mentioned in the Privacy Act itself. Part 11A of the Privacy Act 1993 as schemes established under the APEC CBPRs. under the international (s 114B(3)): the country of destination. However, the Commissioner may ‘associated schemes established international instruments which, instruments which, although not (Transfer of Personal Information prohibit a transfer ‘if the The EU model clauses are referred (a) required or authorised by or outside New Zealand), s 114B under the international although not being privacy laws of being privacy laws of a State, may The Privacy Act does not mention information has been, or will be, to in the Fact Sheet on Part 11A of instruments which, although not a State, may nonetheless provide nonetheless provide comparable under any enactment; or International transfers are it, nor the Privacy Commissioner’s received in New Zealand from the Privacy Act 1993 as ‘associated being privacy laws of a State, may comparable safeguards.’ safeguards’ in the meaning of Part Fact Sheet on Part 11A. another State and is likely to be schemes established under the (b)required by any convention or permitted, as long as the legal nonetheless provide comparable 11A of the Privacy Act. transferred to a third State where it international instruments which, The Privacy Trustmark in New other instrument imposing requirements in the privacy safeguards.’ will not be subject to a law although not being privacy laws of Zealand further has no legal international obligations on New principles and appropriate Zealand. conditions for privacy protection providing comparable safeguards a State, may nonetheless provide standing and is not articulated with are observed. to this Act’ and the transfer would comparable safeguards.’ Part 11A of the Privacy Act, This same policy should follow be likely to lead to a contravention although it might be used by a through to the Privacy Bill (Part 8 However, in exceptional of the basic principles of national foreign agency as a means to of the Privacy Bill: Prohibiting circumstances the Privacy application. provide evidence about its good onward transfer of personal Commissioner may prohibit a privacy practices. information received in New transfer to another State when: There is no formal process for recognising the receiving Zealand from overseas). - The personal information has jurisdiction meets standards of been received from another State comparability at present. and will be transferred to a third State where it will not be subject to a law providing comparable safeguards to the Privacy Act; and - The transfer would be likely to breach the basic principles of national application set out in the OECD Guidelines. 9 The Fact sheet on Part 11A of the Privacy Act published by the Commissioner sets out certain matters that the Commissioner must consider in exercising the discretion to prohibit a transfer, including by showing ‘legal regimes that might be thought likely to offer comparable safeguards to the Privacy Act’. Privacy Act, s 3(4) (applicable to e.g. cloud storage overseas). Where an agency holds information— (a) solely as agent; or (b) for the sole purpose of safe custody; or (c) for the sole purpose of processing the information on behalf of another agency— and does not use or disclose the information for its own purposes, the information shall be deemed to be held by the agency on whose behalf that information is so held or, as the case may be, is so processed. NEW ZEALAND YES (optional) YES YES YES YES YES (implicit) CONCEIVABLE CONCEIVABLE ADDITIONAL LEGAL GROUND (BILL) An agency A may disclose personal An agency may disclose personal An agency may disclose personal An agency may disclose personal An agency may disclose personal Adherence of the overseas New Zealand is an APEC economy It is possible that voluntary An organisation A may disclose information to a foreign person or information to a foreign person or information to a foreign person or information to a foreign person or information to a foreign person or recipient to a recognised but as at April 2020 has not adherence of the recipient to a information to organisation B if ‘A entity B if the individual concerned entity if it believes on reasonable entity if it believes on reasonable entity if it believes on reasonable entity if it believes on reasonable certification scheme could be expressed an intention to join Code of conduct could contribute believes on reasonable grounds Privacy Bill, Information Privacy ‘authorises the disclosure to after grounds that the recipient is grounds that the recipient is grounds that the recipient is grounds that the recipient is considered as a part of considering APEC CBPRs. to agency believing on reasonable that B is subject to the Privacy Act, Principle 12 (IPP 12) being expressly informed by A that ‘subject to privacy laws of a subject to privacy laws that, ‘required to protect the ‘required to protect the whether the foreign person or grounds that the foreign person or when it is carrying on business in B may not be required to protect prescribed country’ (IPP 12(1)(e)). overall, provide comparable information in a way that, overall, information in a way that, overall, entity is ‘required to protect the However, IPP12 provides for the entity is subject to ‘comparable New Zealand’ (i.e. exception IPP 12 is to be combined with the information in a way that, safeguards to those in’ the Privacy provides comparable safeguards to provides comparable safeguards to information in a way that, overall, New Zealand Government to safeguards’ in the meaning of applies when for the purposes of IPP 11 (‘Limits of disclosure of overall, provides comparable ‘Prescribed country’ means a Act (IPP12(1)(c)). those in this Act, for example, those in this Act’ (IPP12(1)(f)) provides comparable safeguards to prescribe binding cross-border IPP12(1)(f) the Bill both agencies are New personal information’). safeguards to those in this Act’ (IPP country specified in regulations pursuant to an agreement’ entered those in the Privacy Act’ privacy schemes such as CBPRs as a Zealand agencies anyway) 12(1)(a)). made under s 212B. The Minister into between agency and recipient) BCRs would likely qualify as such (IPP12(1)(f)). ‘prescribed binding scheme’ under (IPP12(1)). If data that may be legally may recommend the making of (IPP 12(1)(f)). ‘comparable safeguards’ as an the Privacy Act. transferred based on IPP11 is There is no formal process for such regulations only if he/she is extension of current regulatory STATUTORY EXEMPTIONS transferred to an overseas recognising if the receiving ‘satisfied that the countries have guidance (above). If New Zealand prescribes a binding recipient, the ‘exporting agency’ jurisdiction meets standards of privacy laws that, overall, provide scheme under the Privacy Bill this No restriction applies to overseas would need to satisfy one of the comparability at present. comparable safeguards to those in will be done through IPP12(1)(d): data transfers if the disclosure of criteria set out in IPP 12(1): this Act’. An agency may disclose personal the information is necessary information to a foreign person or (IPP12(2)): - the individual concerned entity if it believes on reasonable authorises the disclosure, grounds that the recipient is a (i) to avoid prejudice to the maintenance of the law by any participant of a ‘binding scheme, ie - the foreign person or entity is ‘an internationally recognised public sector agency, including carrying on business in New scheme in which the participants prejudice to the prevention, Zealand, and the agency believes, agree to be bound by a) specified detection, investigation, on reasonable grounds, that the measures for protecting personal prosecution, and punishment of foreign person or entity is subject information that is collected, held, offences; or to the bill used, and disclosed; and b) (ii) for the enforcement of a law mechanisms for enforcing - the agency believes on that imposes a pecuniary penalty; compliance with those measures’. reasonable grounds that: or ‘Prescribed binding scheme’ means i) the foreign person or entity is (iii) for the protection of public a binding scheme specified in ‘subject to privacy laws that, revenue; or regulations made under section overall, provide comparable 212A by Order of the Governor- safeguards’ to those in the bill; (iv) for the conduct of proceedings General. before any court or tribunal (being ii) the foreign person or entity is a proceedings that have been participant in a prescribed binding commenced or are reasonably in scheme, or is subject to privacy contemplation); or laws of a ‘prescribed country’; or (f) that the disclosure of the iii) the foreign person or entity information is necessary to prevent must protect the information in a or lessen a serious threat to— way that, overall, provides ‘comparable safeguards’ to those (i) public health or public safety; or in the bill. (ii) the life or health of the individual concerned or another Privacy Bill, Part 8 (‘Prohibiting onward transfer of personal individual; information received in New and: Zealand from overseas’) replicates the provisions of s 114B relating to it is not reasonably practicable in transfer prohibition notices in the the circumstances to comply with current Privacy Act (above). the IPP 12 requirements. 10 STATUTORY LIMITATION (TO POWER OF COMMISSIONER) The same policy as in S114B(3) (above) should follow through to Part 8 of the future law (‘Prohibiting onward transfer of personal information received in New Zealand from overseas’) to the effect that the Commissioner may not prohibit a transfer if it is: (a) required or authorised by or under any enactment; or (b)required by any convention or other instrument imposing international obligations on New Zealand. PHILIPPINES YES (optional) NO NO YES (implicit) CONCEIVABLE CONCEIVABLE YES CONCEIVABLE ADDITIONAL LEGAL GROUND Data subject’s consent is neither Neither DPA nor IRRs mention the Neither DPA nor IRRs mention the Neither DPA nor IRRs explicitly It is conceivable, but not confirmed It is conceivable, but not confirmed On September 20, 2019, the It is conceivable, but not confirmed No exception is provided to the required nor mentioned as a level of data protection in an level of data protection in an provide that the implementation of that the implementation of BCRs under either DPA or IRRs that the Philippines National Privacy under the Act or the IRRs if accountability principle in s 21. Data Privacy Act of 2012 (DPA), method for the data controller to overseas destination as a relevant overseas destination as a relevant contractual safeguards can can discharge the responsibility of obtaining of (either local or Commission announced it has filed adherence of a data recipient to a s 21 discharge its responsibility ‘for factor for a controller to assess its factor for a controller to assess its discharge the responsibility of an an organisation under s 21 DPA for overseas) certification can help an its notice of intent to join the APEC code of conduct can discharge the However, s 20(a) IRRs (General personal information under its responsibility for transferring responsibility for transferring organisation for exporting exporting ‘personal information organisation discharge its CBPR system. The Joint Oversight responsibility of the exporting principles for data sharing) There are no specific provisions on control and custody’ in the personal information under its personal information under its ‘personal information originally originally under its custody or its responsibility for exporting Panel approved the Philippines’ organisation for ‘personal provides that data sharing shall be international transfers in the DPA meaning of s 21. control and custody, in the control and custody, in the under its custody or its control’. control’, including for processing. ‘personal information originally application to join the system on information originally under its allowed ‘when it is expressly but S 21 of the DPA (Accountability meaning of s 21. meaning of s 21. under its custody or its control’, March 9, 2020. custody or its control’, and so authorized by law’, provided that Principle) allows for data sharing However, the lawful criteria under However, this is subsumed in s 21 It is conceivable, but not certain and so ‘including information that ‘including information that has ‘there are adequate safeguards for outside the Philippines’ borders as ss 12 and 13 apply with equal force Proposed amendments to s 21 in Proposed amendments to s 21 in DPA and S44 IRR that specify data that BCRs for processors could has been transferred to third NPC would later recognise that been transferred to third parties for data privacy and security, and long as the lawful criteria in ss 12 to data sharing, whether within or House Bill No. 5612 introduced in House Bill No. 5612 introduced in protection requirements for qualify as ‘reasonable means’ parties for processing’. CBPRs are part of the mechanisms processing’. processing adheres to principle of and 13 are met, and the general outside the Philippines. Consent is the House of Representatives on the House of Representatives on Outsourcing Agreements and under s 21(a) which provides that by which the controller use transparency, legitimate purpose privacy principles are followed. an example of such lawful criteria. 25 November 2019 do not modify 25 November 2019 do not modify contemplate both local and controller should use ‘contractual Likewise, it is conceivable, but not ‘reasonable means to provide a DPA s 7(j) provides that the NPC and proportionality. Hence, it may be considered as an the legal regime applicable to the legal regime applicable to international data sharing. or other reasonable means to certain that the obtaining of comparable level of protection has the function to ‘review, s 21 provides that ‘any controller is option to transfer data overseas. international transfers. international transfers. provide a comparable level of certification could qualify as while information is being approve, reject or require Mutatis mutandis this provision is responsible for personal s 20(b)(2) IRRs prescribes that data protection while information is ‘reasonable means to provide a processed by a third party’ (s modification of privacy codes applicable to the transfer of information under its control and Moreover, Rule 20(b) of the IRRs sharing ‘for commercial purposes, being processed by a third party’. comparable level of protection 21(a)). voluntarily adhered to by personal personal data out of the custody, including information that (General Principles for Data including direct marketing, shall be Philippines when such transfer is while information is being information controllers.’ However, has been transferred to third Sharing) provide that ‘data sharing covered by a data sharing processed by a third party’ under s it does not make a reference to the provided by law. parties for processing, whether shall be allowed in the private agreement.’ The data sharing 21(a). role which such codes might play in domestically or internationally, sector if the data subject consents agreement shall establish adequate relation to subject to cross-border to data sharing’, and other safeguards for data privacy and s 21. arrangement and cooperation’. conditions apply (data sharing shall security, and uphold rights of data be covered in a data sharing subjects. It shall be subject to Moreover, regarding data transfer agreement). review by the Commission, on its for processing s 21(a) requires the own initiative or upon complaint of controller to use ‘contractual or Consent for data sharing shall be data subject. other reasonable means to provide required even when the data is to a comparable level of protection be shared with an affiliate or Regarding data transfer for while information is being mother company, or similar processing s 21(a) DPA requires processed by a third party’. relationships (s 20(b)(1)). the controller to use ‘contractual or other reasonable means to Proposed amendments to s 21 in provide a comparable level of House Bill No. 5612 introduced in protection while information is the House of Representatives on being processed by a third party’. 25 Nov. 2019 do not modify the legal regime applicable to international transfers (but for additional transparency requirements on transfers). Implementing Rules and Regulations (IRRs), Rule IV: A specific provision applies to data sharing (s 20, General Principles for Data Sharing). The provision applies to data sharing in the private sector and between government agencies. IRRs, Rule X: Specific provisions apply to outsourcing and subcontracts (s 43 and s 44). SINGAPORE YES (optional) CONCEIVABLE YES YES YES YES (implicit) YES CONCEIVABLE STATUTORY EXEMPTIONS The requirements of s 26 may be The general rule is that the Assessment of the standard of ‘Legally enforceable obligations’ ‘Legally enforceable obligations’ ‘Legally enforceable obligations’ On 20 February 2018 Singapore ‘Legally enforceable obligations’ The transfer of personal data to satisfied if the transferring exporting organisation has taken protection in the country or that provide a level of protection that provide a level of protection that provide a level of protection has joined the APEC CBPR and PRP that provide a level of protection organisations that do not provide a Personal Data Protection Act organisation obtains the ‘appropriate steps to ascertain territory of destination may be comparable to PDPA include comparable to PDPA in the comparable to PDPA in the systems. comparable to PDPA in the standard of protection to personal (PDPA) 2012, s 26 individual’s consent to the effect of whether, and to ensure that, the done by the exporting organisation obligations that can be imposed on meaning of s 26 include obligations meaning of s 26 include obligations meaning of s 26 include obligations data that is comparable to the transferring the data recipient of the personal data in itself. the recipient by ‘a contract’ (Reg that can be imposed on the that can be imposed on the On 17 July 2019 the Infocomm that can be imposed on the protection under PDPA in the Transfer Limitation Obligation (Reg 9(3)(a)). that country or territory outside 10(1)(b)). recipient by ‘binding corporate recipient by the local law of the Media Development Authority recipient by the local law of the meaning of s 26 is allowed when: (‘TLO’): An organisation shall not Singapore (if any) is bound by Regarding Cloud Services, for rules.’ (s 26), which may be country of destination, a contract, (IMDA) was appointed as country of destination, a contract, transfer any personal data to a legally enforceable obligations to instance, the PDPC Guidelines has adopted in ‘instances where a binding corporate rules or ‘any Singapore’s Accountability Agent. binding corporate rules or “any country or territory outside 11 Singapore except in accordance Consent cannot be used to waive provide to the transferred personal clarified that an organisation - Any contract must (Reg 10(2); recipient is an organisation related other legally binding instrument’. PDPC has also recently amended other legally binding instrument”. - the transfer is necessary for the with requirements prescribed the requirement of existing privacy data a standard of protection that ‘should ensure that any overseas PDPC AG, 19.2): to the transferring organisation Certification could be among these the PDPA Regulations to recognise performance of a contract under PDPA to ensure that safeguards in the country of is at least comparable to the transfer of personal data as a and is not already subject to other legally binding instruments. that a recipient organisation It is conceivable that codes of between the individual and the organisations provide a standard of destination. protection under the Act’ (s 26). result of engaging a CSP will be i) require the recipient to ‘provide legally enforceable obligations in holding a ‘specified certification’, conduct could constitute such transferring organisation, or to do protection to personal data so done in accordance with the to the personal data transferred to relation to the transfer’ (Reg 9). PDPC has recently amended the i.e. the APEC CBPR System, and the ‘legally binding instruments’ under anything at the individual’s request transferred that is comparable to Reg 9(4) provides that an individual The Minister for Communications requirements under the PDPA’, the recipient a standard of PDPA Regulations to recognise that APEC PRP System would be taken s 26 PDPA. with a view to the individual is not taken to have consented to and Information (MCI) could make protection that is at least BCRs must (Reg. 10-3; PDPC AG, a recipient organisation holding a the protection under PDPA. namely, the organisation could to have met such legally entering into a contract with the the transfer of the individual’s regulations and PDPC could ensure that the CSP it uses ‘only comparable to the protection Chapter 19.2): ‘specified certification', including enforceable requirements. transferring organisation (Reg Personal Data Protection personal data to a country or issue Advisory Guidelines setting under the PDPA’; and certification to the APEC CBPR and transfers data to locations with i) require every recipient of the 9(3)b); Regulations 2014, Part III, territory outside Singapore if — out the criteria for assessment. comparable data protection PRP Systems (see next column), Such certification therefore is Regulations (Regs 8-10) ii) specify ‘the countries and transferred personal data to would meet such legally compliant with s 26 PDPA. - the transfer is necessary for the a) The individual was not, before However, the PDPA does not regimes’, or has legally enforceable territories to which the personal provide to the personal data obligations to ensure a comparable enforceable requirements under conclusion or performance of a Personal Data Protection giving his consent, given a literally provide for the adoption of data may be transferred under the transferred to the recipient a s 26 PDPA. contract between the transferring Commission (PDPC) Advisory reasonable summary in writing of white lists and such would in any standard of protection for the contract’. standard of protection that is at transferred personal data (PDPC organisation and a third party Guidelines (AG) on Key Concepts the extent to which the personal case not be the intention. least comparable to the protection Regarding Cloud Services, the PDPC which is entered into at the in the PDPA, Chapter 19 data to be transferred to that Guidelines, Chapter 8, Para. 8.4). - In setting out contractual clauses under the PDPA; and Guidelines (Chapter 8, Para 8.7) that require the recipient to individual’s request (Reg. 9(3)(c) or country or territory will be provide that where the contract which a reasonable person would For the purposes of s 26 of PDPA, a protected to a standard comply with a standard of ii) specify the recipients of the between an organisation and its transferring organisation must take protection ‘at least comparable to transferred personal data to which consider the contract to be in the comparable to the protection CSP does not specify the locations individual’s interest (Reg9(3)(d)); appropriate steps to ascertain under the Act; the protection under the PDPA,’ a the BCRs apply; the countries and to which a CSP may transfer the whether, and to ensure that, the transferring organisation should territories to which the personal personal data processed and leaves - the personal data is data in transit recipient of the personal data in b) the transferring organisation minimally set out protections with data may be transferred; and the it to the discretion of the CSP, the (Reg 9(3)(f)); or that country or territory outside required the individual to consent regard to ‘areas of protection’ rights and obligations provided by organisation may be considered to Singapore (if any) is bound by to the transfer as a condition of listed in a table provided in PDPC the BCRs. have taken appropriate steps to - the data is publicly available in legally enforceable obligations (in providing a product or service, AG (Chapter 19.5). comply with the Transfer Singapore (Reg 9(3)(g)); or accordance with PDPA Reg.10) to unless the transfer is reasonably BCRs may only be used for - Chapter 8 of PDPC AG (‘Cloud recipients that are related to the Limitation Obligation by ensuring - the transfer of personal data is provide to the transferred personal necessary to provide the product that: data a standard of protection that or service to the individual; or Services’): an organisation may be transferring organisation necessary for a use or disclosure in is at least comparable to the considered to have taken (Reg.13(3)(c)). ‘Recipients’ are (a) the CSP based in Singapore is certain situations where the protection under the Act. c) The transferring organisation appropriate measures to comply defined in Reg.13(3)(d)). certified or accredited as meeting consent of the individual is not obtained or attempted to obtain with the TLO by ensuring that (…) relevant industry standards, and required under the PDPA (Third PDPC AG on Key Concepts in the the individual’s consent for the ‘the recipients (e.g. data centres or and Fourth Schedule), such as use PDPA, Chapter 8 (‘Cloud Services’) transfer by providing false or sub-processors) in these locations (b) the CSP provides assurances or disclosure necessary to respond (revised 9 October 2019) misleading information about the are legally bound by similar that all the data centres or sub- to an emergency that threatens transfer, or by using other contractual standards.’6 processors in overseas locations the life, health or safety of an An organisation that engages a deceptive or misleading practices. that the personal data is individual. The transferring Cloud Service Provider (CSP) as a transferred to comply with these organisation will also need to take data intermediary (‘processor’, ed.) standards. reasonable steps to ensure that the to provide cloud services is data will not be ‘used or disclosed responsible for complying with the PDPC has plans to recognise APEC by the recipient for any other TLO in respect of any overseas CBPR and PRP, as well its national purpose’ (Reg 9(3) and PDPC AG, transfer of personal data in using Data Protection TrustMark (DPTM) Chapter 19). the CSP’s cloud services. This is certification as data transfer regardless of whether the CSP is mechanisms under the PDPA. EXEMPTION BY THE AUTHORITY located in Singapore or overseas. PDPC may, on the application of any organisation, by notice in writing exempt the organisation from any requirement prescribed pursuant to s 26(1) in respect of any transfer of personal data by that organisation (s 26(2) PDPA). An exemption granted under s 26(2) may be granted subject to such conditions as the PDPC may specify in writing and may be revoked at any time by the PDPC. Organisations should provide exceptional and compelling reason(s), accompanied with evidence of the reason(s) why the organisation is unable to comply with the PDPA provision(s). SOUTH KOREA YES (required) NO NO NO NO NO YES NO STATUTORY EXEMPTIONS PIPA, Art 17 Neither the current framework on Neither the current nor the Neither the current nor the Neither the current nor the Neither the current data transfer The participation of South Korea in Neither the current nor the Consent requirements are data transfers (in PIPA or Network amended framework cater for this amended Acts explicitly refer to amended framework refer to BCRs. provisions in PIPA and Network the CBPR System was approved on amended framework refer to exempted for overseas data Personal Information Protection Consent is required to transfer Act), nor the amended Acts refer to possibility. contracts for data transfers. Act, nor Art 63 Network Act June 12, 2017. codes of conduct for transfers at transfers only in specific Act No. 16930 (PIPA), Art 17 personal data to any third party, ‘white lists’, ‘adequacy findings’, (eventually Art 39(12) PIPA) this stage. circumstances listed by statute. (amended 4 February 2020) whether locally or overseas etc. However, the interpretation is that expressly refer to certification KISA was appointed CBPR (Art 17(1)). contracts are necessary: mechanisms for data transfers. Accountability Agent in January For now, explicit exceptions PIPA contains the baseline However, it is anticipated that the 2020 but KISA’s CPBR checklist has exclusively pertain to ‘controller- provisions on data transfers from Specific consent must be sought newly amended PIPA could be The PIPA does not require the data The amendment bill to the not been published. processor’ transfers (for South Korea. It is complemented for transferring data overseas (Art further amended to cater for this exporter to enter into a contract, Network Act originally provided ‘entrustment of management or by the Enforcement Decree of 17(3)). possibility in the future. nor does it specifically mention the that consent requirements would Plans to articulate PIMs (now ISMS- storage’) which are carried out by use of contracts for overseas data P) and CBPRs were announced. PIPA No. 28355, Oct. 17, 2017 (to Conditions for obtaining valid be waived ‘where the overseas ICSPs and Extended ICSPs under be further amended). transfers, but it prohibits the recipient of the transfer has been However, these plans have become the Network Act. consent are prescribed in PIPA importer from ‘entering into a unclear since reference to the (Arts 17(2), 22). certified under the Personal Act on the Promotion of contract which would not be Information Management System ISMS-P scheme (and certification Under Network Act Art 63(2) Information and Communications compliant with applicable laws.’ generally) in relation to cross consent is not required where the Network Act, Art 63 (to be (‘PIMS’) certification scheme [now Network Utilization and Data displaced and renumbered as PIPA, ‘ISMS-P’] or other certification border data transfers was delegation by the ICSP is ‘necessary Protection (‘Network Act’), Art 63 The Network Act requires certain eventually removed from the Bill. for the performance of the Art 39(12) on 5 August 2020): items to be included in a contract designated by KCC’ but this (amended 4 February 2020) reference was eventually rejected contract on the provision of ICSPs must obtain data subject’s for the transfer of personal information communication information, irrespective of the 6 See Decision [2019] SGPDPC 22 (Case No DP-1708-B1027, Spize Concepts Pte Ltd), 4 July 2019, Paras. 25 and ff. 12 The Network Act makes specific consent for: status of the recipient (local or by the National Assembly. services and for user’s provisions relating to data foreign). The Enforcement Decree convenience’ (and the other transfers by Internet Content i) providing data to third parties; also provides that ICSPs must, in relevant conditions under the Service Providers (ECSPs) and ii) delegating processing; advance, reach an agreement on Network Act have been satisfied) in recipients of data collected by the ‘protective measures’ which terms of controller-processor ICSPs (Extended ICSPs).7 It is iii) onward transfer of data already will be applied by the overseas cross-border transfer. Art 63(2) will complemented by the transferred outside Korea to a third recipient and reflect such remain in force until 4 August Enforcement Decree of Network country. agreement ‘in the relevant 2020, until it is displaced to PIPA Act (esp. Art 67). contract’ (Art67-3). (new Art 39(12)). Where personal information is sent Data transfer provisions in other abroad with consent, the provider Such measures include: An amended version of Network statutes (e.g. Credit Information shall also take ‘protective measures Act Art 63 will be displaced to PIPA Act, Location Information Act) may prescribed by Presidential Decree’ i) technical and administrative (new Art 39(12)), with the omission also apply. (Enforcement Decree of Network measures for protecting personal of the requirement that the Act, Art 67). information; transfer is ‘necessary for the The overarching principle to all performance of the contract on the data transfer provisions is that Note: ii) measures for settling grievances and resolving disputes on the provision of information express user consent is required to communication services and for Currently user consent is required infringement of personal transfer personal data to third user’s convenience’. parties located overseas. for transferring data for information; outsourcing under the Network Thus, the dual test of necessity for iii) other measures necessary for Limited exceptions to consent Act, whilst it is not required for contractual performance and user requirements apply in specific outsourcing under PIPA. protecting users’ personal information. convenience for controller- circumstances provided by processor transfers in the current This distinction will be abolished statute, specifically in relation version of Network Act will no when the new framework kicks in Referring to these provisions, it is to overseas controller- generally interpreted that a data longer apply to ICSPs and extended processor transfers for on 5 August 2020. Consent will exporter shall conclude a contract ICSPs. delegation of processing generally not be required for with the importer, as well as obtain (outsourcing). outsourcing purposes under either Under the amended PIPA (Art the user’s consent. PIPA or Network Act. 17(4)), a controller will be allowed Notes: to provide personal data to - On 4 February 2020 major another controller without the amendments to PIPA, data subject’s consent in Network Act, and Credit conditions to be prescribed by Information Act were Presidential Decree: ‘within a scope that is reasonably related to promulgated (entry into force: 5 August 2020). the original purpose of collection’ and ‘after considering whether the The amended PIPA will data subject’s rights would be include a new Chapter 6 infringed upon and/or measures to (Special Provisions for the secure the integrity of the personal Processing of Personal information have been properly Information by ‘ICSPs’ and taken.’ ‘extended ICSPs’) importing However, it is too early to tell if the the data protection provisions of the Network Act which are Enforcement Decree would not harmonised with those remove consent requirements for set forth in the PIPA, including overseas transfers in specific Art 63 relating to circumstances. international data transfers. Art 63 of the Network Act will remain into force until it is displaced and renumbered Art39-12 in PIPA on 4 August 2020. Art 17 PIPA will remain applicable to all data controllers with the exception of ICSPs to which the specific provisions of Art39-12 will apply. Art 17 PIPA has been amended to include a new Para.4 (see below). - PIPA and the Network Act are currently enforced by MOIS and KCC respectively. PIPC will take over these roles on 4 August 2020. THAILAND YES (optional) CONCEIVABLE CONCEIVABLE YES (implicit) YES (explicit) CONCEIVABLE NO CONCEIVABLE STATUTORY EXEMPTIONS When PDPA Chapter 3 enters into When PDPA Chapter 3 enters into In the event that the data When PDPA Chapter 3 enters into When PDPA Chapter 3 enters into When PDPA Chapter 3 enters into Thailand is an APEC economy but When PDPA Chapter 3 enters into When PDPA Chapter 3 enters into force, obtaining the data subject’s force, in the event that the data controller sends or transfers the force, data may be transferred to a force, personal data may be force, in the absence of adequacy, as at April 2020 has not expressed force, In the absence of adequacy, force, transfers may take place to Mainly: consent will be one of the controller sends or transfers the personal data to a foreign country, foreign country or international transferred to an overseas personal data protection policy, or an intention to join APEC CBPRs. personal data protection policy, or countries or international circumstances in which the data personal data to a foreign country, unless an exemption applies, the organisation in the absence of an destination in the absence of an other applicable exemptions, other applicable exemptions, organisations without adequate Personal Data Protection Act 2019 controller may derogate to the rule unless an exemption applies, the destination country or adequacy decision where the adequacy decision where a transfers will be allowed where the CBPRs or PRP could eventually be transfers will be allowed where the data protection standards, if the (PDPA), s 28 that transfers may take place only destination country or international organisation that receiving controller or processor ‘Personal Data Protection Policy controller or processor provides among alternative solutions for controller or processor provides transfer would be (s 28): data transfers in the absence of Data transfers may freely take to a destination country or international organisation that receives such personal data must provides ‘suitable protection regarding the sending or ‘suitable protection measures ‘suitable protection measures international organisation that has receives such personal data must have an ‘adequate data protection measures which enable the transferring of personal data to which enable the enforcement of adequacy, BCRs, or another which enable the enforcement of (1) for compliance with the law; place to a foreign country or exemption, if the rules and (…) international organisation that adequate data protection have an ‘adequate data protection standard’, and the transfer must enforcement of the data subject’s another data controller or data the data subject’s rights, including the data subject’s rights, including standards under PDPA (s 28(2)). standard’, and the transfer must be carried out in accordance with rights, including effective legal processor who is a foreign country,’ effective legal remedial measures methods as prescribed and effective legal remedial measures have adequate data protection announced by the Committee for 7 On the respective scopes of PIPA, Network Act, the concepts of ICSPs and Extended ICSPs, see Park Kwang Bae, ‘Jurisdictional Report: Republic of Korea’, in Regulation of Cross-Border Transfers of personal Data in Asia’ (ABLI, 2018), p. 343 13 standards, and in accordance with Where consent is obtained, data be carried out in accordance with the rules for the protection of remedial measures according to and in ‘the same affiliated according to the rules and methods ‘suitable protection measures according to the rules and methods (3) necessary for the performance the data protection rules subject must be informed of the the rules for the protection of Personal Data as prescribed by the the rules and methods as business, or in the same group of as prescribed and announced by which enable the enforcement of as prescribed and announced by of a contract to which the data prescribed by the Data Protection inadequate data protection personal data as prescribed by the Committee (s 28). prescribed and announced by the undertakings, in order to jointly the Committee’ (s 29). the data subject’s rights, including the Committee’ subject is a party, or in order to Committee. standards of the destination Committee (s 28). Committee’ (s 29(3)). operate the business or group of effective legal remedial measures’ (s 29). take steps at the request of the country or international The Personal Data Protection undertakings.’ (ss 29(1) and 29(2)). Certification could be among so allow (s 29(3)). data subject prior to entering into Exceptions to the ‘adequacy’ organisation. The Personal Data Protection Committee has the power ‘to Contracts could constitute ‘suitable alternative solutions for data Codes of conduct could be among a contract; requirement apply in four series of Committee has the power ‘to announce and establish criteria for protection measures which enable Such policies must be ‘reviewed transfers which constitute such alternative solutions for data circumstances: The conditions for obtaining valid announce and establish criteria for providing protection of personal the enforcement of the data and certified’ by the Office of the ‘suitable protection measures’ if transfers which constitute such (4) for compliance with a contract consent are defined in s 19 providing protection of personal data which is sent or transferred to subject’s rights, including effective Personal Data Protection the rules and methods prescribed ‘suitable protection measures’ if between controller and other - the data subject’s consent has (‘General provisions’). data which is sent or transferred to a foreign country or international legal remedial measures’ if the Committee. by the Committee so allow. the rules and methods prescribed persons or legal persons for the been obtained; a foreign country or international organisation’ rules and methods to be prescribed by the Committee so allow. interests of the data subject; - specific statutory exemptions organisation’ (s 16(5)). and announced by the Committee (s 16(5)). so allow. (5) to prevent or suppress a danger apply; It is also competent to decide on to the life, body, or health of the - the receiving organisation It is also competent to decide on ‘problems with regard to the data subject or other persons, provides suitable protection ‘problems with regard to the adequacy of data protection when the data subject is incapable measures which enable the adequacy of data protection standards’ of a destination country of giving the consent at such time; enforcement of the data subject’s standards’ of a destination country or international organisation (s 28, or international organisation (s 28, last para). (6) necessary for carrying out the rights; or last para). activities in relation to substantial - the receiving organisation has put The wording of ss 16(5) and 28, public interest. The provisions of ss 15(6) and 28, combined, do not appear to rule in place a ‘Personal Data Protection Policy’ applicable to overseas data combined, seem to imply that the out the possibility that the transfers. Committee may put some exporting organisation may self- jurisdictions or organisations which assess the level of protection in the The Personal Data Protection match the standards defined by country of destination, provided it Committee has the power ‘to the Committee on a ‘white list’, follows the criteria and rules announce and establish criteria for also by inference from Art 45(1) of prescribed by the Committee. providing protection of personal EU GDPR after which the Act is data which is sent or transferred to modelled. However, this possibility would a foreign country or international have to be clarified by the organisation’ However, this possibility would Committee when it is established. (s 16(5)). have to be clarified by the Committee when it is established. Note: The entry into force of the PDPA was scheduled for 27 May 2020. However, the date of entry into force of most chapters of the law (including s 28) has been postponed to 31 May 2021. Until then, sectoral laws may apply. Going beyond the general case, data privacy provisions exist in several other areas of law, such as sector-specific regulations or license conditions, in provisions setting out protections for certain categories of information, or in requirements specific to certain professions (e.g., as relevant to personal health information, credit bureaus, telecommunications licensees, securities companies, and financial institutions).8 VIETNAM YES (required) NO NO NO NO NO NO NO NO A common principle in the None of the different texts that None of the different texts that None of the different texts that None of the different texts that None of the different texts that Vietnam is an APEC economy but None of the different texts that Under current law a data exporter different texts that currently contain data protection provisions contain data protection provisions contain data protection provisions contain data protection provisions contain data protection provisions has not joined the CBPRs, although contain data protection provisions cannot transfer personal Principle: a common principle in contain data protection provisions (in the absence of baseline data (in the absence of baseline data (in the absence of baseline data (in the absence of baseline data (in the absence of baseline data at some point in time Vietnam (in the absence of baseline data information of data subjects in the different texts that contain (in the absence of baseline data protection legislation) mention this protection legislation) mention this protection legislation) mention this protection legislation) mention this protection legislation) mention the would have expressed an interest protection legislation) mention Vietnam to another person (in- or data protection provisions (in the protection legislation) is that possibility, nor is it known if the possibility, nor is it known if the possibility, nor is it known if the possibility, nor is it known if the possibility of privacy certification in joining the APEC CPEA, as well as Codes, nor is it known if the outside Vietnam) unless otherwise absence of baseline data consent by the data subject is proposal for a Draft Data proposal for a Draft Data proposal for a Draft Data proposal for a Draft Data for data transfers, nor is it known if CBPRs. proposal for a Draft Data provided for by Vietnamese law or protection legislation) is that necessary to transfer data, Protection Decree which would Protection Decree which would Protection Decree which would Protection Decree which would the proposal for a Draft Data Protection Decree which would consented to by the data subject. consent by the data subject is irrespective of the implementation contain provisions on overseas contain provisions on overseas contain provisions on overseas contain provisions on overseas Protection Decree which would contain provisions on overseas necessary to transfer data, of data transfer mechanisms by the data transfers would mention it. data transfers would mention it. data transfers would mention it. data transfers would mention it. contain provisions on overseas data transfers would mention irrespective of the implementation data exporter. data transfers would mention it. them. of data transfer mechanisms by the data exporter.9 A proposal for a Draft Data Protection Decree was released on January 14, 2020 which would contain provisions on overseas data transfers. The proposal only contains an outline of the Draft Decree; the drafter (i.e., the Ministry of Public Security) is working on detailed 8 David Duncan, ‘Jurisdictional Report: Thailand’ in Regulation of Cross-Border Transfers of Personal Data in Asia (Asian Business Law Institute, 2018) at 388. 9 Waewpen Piemwichai, ‘Jurisdictional Report: Vietnam, in Regulation of Cross-Border Transfers of personal Data in Asia’ (ABLI, 2018), at 396. 14 content for each provision as outlined. Cybersecurity Law (CSL) 2018, Art 26(3) Specific online operators must store personal data in Vietnam. Art 26(3) CSL is applicable to ‘domestic and foreign enterprises providing services on telecommunication networks or the internet or value-added services in cyberspace in Vietnam with activities of collecting, exploiting, analysing, and processing personal information data, data on the relationships of service users, or data generated by service users in Vietnam’. Such enterprises must store such data in Vietnam for a specified period to be stipulated by the Government. Foreign enterprises referred to in this clause must have branches or representative offices in Vietnam. Art 26(4) further provides that the Government shall provide detailed regulations on Art 26(3). Draft Decree implementing the requirements of CSL, Art 26(3) (version August 2019) A draft Decree is expected in 2020. The latest version narrows down the scope of CSL. Domestic and foreign businesses that provide a variety of regulated services (defined in Art 26(1)(a)) must store data in Vietnam when: i) it is deemed necessary to protect national security, social order and safety, social ethics, community health (Art 26); ii) they have been notified that the service they provide is being used to commit acts of violation of Vietnamese laws but they have not undertaken measures to stop and apprehend those acts. The regulated services and types of data, the relevant authorities and the modalities of notification are specified in the draft. 15