Unity in Diversity The Asia Pacific Privacy Guide July 2019 The Asia Pacific Privacy Guide
Contents
Introduction iii
Emerging trends across the region vi
Privacy guides by territories 4
Australia 6
Brunei Darussalam 10
Cambodia 12
China 13
Hong Kong 17
India 22
Indonesia 24
Japan 28
Lao People’s Democratic Republic 31
Malaysia 33
Mongolia 36
Myanmar 37
New Zealand 39
Papua New Guinea 42
The Philippines 44
Singapore 49
South Korea 52
Sri Lanka 56
Taiwan 58
Thailand 62
Vietnam 65
Comparison matrix 68
Regulatory landscape table 69
Table of primary privacy regulation and regulator 70
Contacts 73
ii The Asia Pacific Privacy Guide
Introduction
iii iv The Asia Pacific Privacy Guide
Introduction
The Asia Pacific region is home to some of the world’s fastest growing economies and businesses that are a critical link in the global information economy and supply chain. Organisations in the Asia Pacific also increasingly move information across borders as they look to leverage the different skill sets and capabilities across the region and serve customers globally in the borderless digital economy. More than ever, organisations need to keep informed of the changing and diverse privacy regulatory landscape to minimise their privacy risk, maintain and build trust with customers and build sustainable and productive business networks.
Working locally, thinking globally While business and technology are increasingly without borders, privacy laws certainly are not. Like the cultures they emanate from, privacy laws differ considerably across the Asia Pacific. This tension between global business needs and local legal requirements gave rise to the OECD’s privacy principles back in 1980, but 39 years later there is still considerable work to do before we can begin to imagine a future where privacy laws are ‘harmonised’. In developing or strengthening privacy legislation, many countries in the Asia Pacific region have taken inspiration from the European Union (EU) General Data Protection Regulation (GDPR), by either adopting, or planning to adopt, similar or more stringent regulations. An example can be found in Japan, whereby in 2019 it received an adequacy approval from the European Commission, enabling frictionless data sharing between the EU and Japan. In many respects, the GDPR has been the most successful privacy law to date in terms of moving towards global harmonisation and having an impact right across the Asia Pacific region, directly and indirectly.
Introducing this Guide This Deloitte Asia Pacific Privacy Guide, in its second edition, expands on the original and highlights more granular privacy considerations when handling personal information. The intended audience for this guide are business, risk and compliance specialists who may have privacy management within their remit, but who may not have a deep understanding of the nuances in privacy requirements across the Asia Pacific.
We hope it will be a solid starting point to help guide you in your role but we always encourage consultation with a privacy specialist. Given this is a point in time snapshot of the privacy framework in the region, and to ensure you have the most up-to-date information on requirements, please follow the links to the official resources we have provided for each location, where available.
All information presented within this guide is accurate and up to date as at June 2019.
v The Asia Pacific Privacy Guide
Emerging trends across the region
vi The Asia Pacific Privacy Guide
The Asia Pacific region is key to the world’s business, technological and innovation value chain, with many global corporations leveraging the suppliers and workforce from its varied nations. Jurisdictions such as mainland China, Taiwan, Japan and South Korea are pioneering technologies and processes that leverage personal information for their continued economic success. Singapore, Hong Kong, Tokyo and Sydney are global banking and business hubs. India, the Philippines and Malaysia are leaders in global business support. Understanding that the region must continue to compete in the global market, and at the digital frontier, has led to a rapid development in privacy law and governance. As such, a number of trends have emerged.
Trend 1: Governments are Trend 2: Asia Pacific countries are Trend 3: Alignment across strengthening their privacy seeking an ‘adequacy decision’ the region law frameworks from the EU The Asia Pacific Economic Cooperation The varying levels of personal information Since the GDPR came into effect, many (APEC) Cross Border Privacy Rules (CBPR) protection requirements across the region businesses have had to re-examine their system was developed to build customer, have raised challenges for organisations, privacy postures. More stringent rules business and regulator trust in the cross in particular when sharing information for cross border data transfers mean border flow of personal data. Businesses across borders. The rapid growth of businesses have had to uplift their privacy participating in the CBPR system are globalisation coupled with the exponential capabilities. An ‘Adequacy’ decision from required to create privacy policies and creation and use of data to fuel business has the European Commission enables the free frameworks consistent with the APEC Privacy left some jurisdictions in the region with a flow of data between the EU and countries Framework. Once certified by accountability privacy governance debt that they are considered ‘adequate’. Many are currently agents, it will create a similar impact as racing to settle. seeking to strengthen their laws to obtain an having adequacy under the EU GDPR by adequacy decision, including South Korea, enabling cross-border data flows. For example: the Philippines and Taiwan. This will mean •• India and Indonesia are currently reviewing less restrictions on the cross-border transfer Adopting the CBPR system will mean their privacy frameworks to consolidate of personal data for businesses operating organisations will be able to demonstrate several laws and regulations into single, within those locations. Currently, New to their customers that a minimum level of comprehensive privacy laws. Zealand and Japan are the only countries protection of personal information has been adopted. This may be a key differentiator •• Thailand has recently passed a new data within the Asia Pacific region with an with competitors. protection and privacy legislation that is a adequacy decision. significant improvement on the current law.
•• New Zealand and Malaysia are currently reviewing their privacy laws to update provisions to align with the technological developments, expectations of individuals and global standards.
How can you prepare? How can you prepare? How can you prepare? •• Implement a process to identify and •• Assess your third party •• Consider whether your organisation assess the impact new regulations management program in has privacy protections in place or guidelines may have on your relation to data protection and that are aligned with the standards business in the jurisdictions that you breach management. promoted by self-regulatory operate in. initiatives such as the APEC Cross- •• Assess whether your third parties Border Privacy Rules. •• Consider commissioning a privacy are compliant with your third party health check to understand agreements and relevant laws. •• Consider consolidating your how your organisation’s privacy organisation’s data management •• Ensure the required levels of framework aligns with the practices when operating across protection and controls are expectations of regulators. multiple jurisdictions so that they implemented when transferring align with best practice regionally •• Implement a data monitoring data cross-border. and/or globally. program and maintain an inventory of personal data that maps data flows within the organisation and to/ from third parties throughout the information lifecycle.
1 The Asia Pacific Privacy Guide
Trend 4: Mandatory data breach Trend 5: Greater recognition for notification laws the rights of individuals As business in the region becomes There has been an improvement in the increasingly digitalised and processes recognition of the right to privacy in the are moved online, cyber-attacks and data digital age with respect to how individuals breaches are becoming as great a risk here as can access or control their data. The rise in they are anywhere else in the world. The rise data breaches and privacy-related incidents of data breaches globally, in frequency and has facilitated discussion around how volume, has put pressure on governments much control people really have over their to introduce mandatory data breach personal information and consequently notification requirements. In early 2018, raised awareness among the general Australia enacted a mandatory data breach public. There has been a push for more notification scheme. Malaysia, Singapore, comprehensive rights for individuals, New Zealand and Thailand are currently such as the right to request suspension of looking to introduce a mandatory notification processing and the right to erasure. scheme for data breaches. India and Thailand have drafted bills that introduce comprehensive rights that significantly augment the current rights available to individuals. Most prominently, the right to data portability has become almost necessary for many countries that wish to participate in a data-driven economy with initiatives such as open banking. Australia, India and Singapore have started to look into introducing such an initiative to meet the demands of consumers in the market.
How can you prepare? How can you prepare? •• Consider creating a data breach •• Consider being more transparent response plan using the guidance with your customers regarding how provided by the regulators who have you use their data. jurisdiction over your business. •• Implement a process for customers •• In order to ensure your plan meets to communicate to your the most stringent data breach organisation in the event that laws and all relevant provisions are they would like to exercise a considered, review your data breach right in relation to their personal response plan. information, such as to access or correct their personal information. •• Understand your risk culture and ensure staff within your organisation are aware of their role in responding to a data breach.
2 3 The Asia Pacific Privacy Guide
Privacy guides by territories
Australia Japan The Philippines
Brunei Darussalam Lao PDR Singapore
Cambodia Malaysia South Korea
China Mongolia Sri Lanka
Hong Kong Myanmar Taiwan
India New Zealand Thailand
Indonesia Papua New Guinea Vietnam
4 “Privacy has come into even sharper focus as one of the top priorities for organisations and the public alike, in Australia and around the world.”
– Angelene Falk Information and Privacy Commissioner (Australia)
5 The Asia Pacific Privacy Guide
Australia
Privacy in Australia is primarily regulated Considerations through a comprehensive federal law, Definition of •• Privacy Act reforms: Australia introduced centred on principles known as the personal information mandatory data breach reporting in Australian Privacy Principles (‘APPs’). The February 2018. Since then, there has been The Privacy Act defines ‘personal Commonwealth Privacy Act 1988 (Cth) a 712% increase in the number of information’ as information or an (‘Privacy Act’) applies to private sector reported data breaches and 964 eligible opinion about an identified individual, entities with an annual turnover of at least data breaches from 1 April 2018 to or an individual who is reasonably AU $3 million and all Federal Government 31 March 2019.1 identifiable whether the information agencies. Most states and territories in or opinion: Australia (excluding Western Australia •• Open banking: Open banking will officially •• is true or not; and and South Australia) have their own privacy begin in Australia from 2020 introducing laws, which are applicable to a consumer data right (CDR), helping •• is recorded in a material form or not. state government agencies. individuals to easily compare products and services by giving them greater control Sensitive information is recognised Personal information is also protected under over their information to extract it. This as a specific type of personal other legislation including the Workplace will be a gradual roll out, impacting the information, which includes Surveillance Acts and Health Records Acts, larger banks first. Banks will be expected information or an opinion about an which are governed at the State level. to make credit card, debit card, deposit individual’s racial or ethnic origin, and transaction account data available political opinion, religious beliefs, Primary legislation: Privacy Act 1988 (Cth) under the open banking regime. As a sexual orientation or criminal record, result, consumer financial institutions are health information and tax file rethinking their approach to privacy. number information.
•• Federal Government Agencies Privacy Code (the Code): The Code, effective from Collection and notice July 2018, sets out specific requirements for Federal Government agencies to Personal information, other than sensitive implement privacy governance. For information, should only be collected if example, the Code requires agencies to it is reasonably necessary for a specified have a privacy management plan, appoint purpose. Sensitive information must not be a privacy officer and privacy champions, collected unless certain conditions are met. and undertake a privacy impact This may occur where consent has been assessment (PIA) for all high risk projects. collected from the individual or if collection is required by law. If an organisation •• Online privacy: There are no laws or receives unsolicited personal information, regulations in Australia specifically relating it is required to determine whether the to online privacy. If cookies or other information should be retained, de-identified similar technologies, collect personal or destroyed. information, the organisation is required to comply with the Privacy Act for collection, At or before the time of collection, or as soon use, disclosure and storage. The Privacy as practicable, an organisation is required Commissioner provides detailed guidelines to provide notification to individuals. on this.2 Notification must include details of the organisation, the purpose for which personal information is collected, who the personal information will be shared with, what rights individuals will have over that information (i.e. access, correction etc.) and how they can 1 The Office of the Australian Information exercise their rights. Commissioner, Notifiable Data Breach Scheme 12-Month Insights Report.
2 https://www.oaic.gov.au/images/documents/ 6 privacy/applying-privacy-law/app-guidelines/APP- guidelines-combined-set-v1.pdf The Asia Pacific Privacy Guide
Use and disclosure Data breach notification
Personal information can only be used for On the 22nd of February 2018, the mandatory data breach notification regime the original purpose it was collected for, commenced in Australia. The Commissioner and data subjects must be notified for unless certain conditions are met – for breaches concerning personal information, credit reporting information, credit eligibility example, if an individual consents to a information and tax file numbers. secondary use of their personal information or if further use is required by law. If the Requirements organisation uses or discloses personal information for a secondary purpose, the •• Organisations must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of data breaches likely individual should be provided with a written Threshold for to result in serious harm to an individual. notice of use or disclosure. reporting •• Serious harm is not defined in legislation. However, the OAIC provides Direct marketing guidance for interpreting and assessing serious harm.3 If personal information is used for direct marketing, organisations are •• If an organisation suspects a data breach meets the threshold, an assessment must be conducted within 30 days. required to ensure: Time frame •• Organisations must notify the OAIC and affected individuals as soon •• Communications include a simple means as practicable. and at no cost to opt out. •• When there are reasonable grounds to believe a data breach that •• Requests to opt out are honoured. Who to notify meets the threshold has occurred, the Commissioner and affected individuals must be notified. Data retention and destruction •• Notification must include the contact details of the organisation, a Personal information must be kept up Content description of the breach, types of information concerned and steps to date, complete and accurate. The to be undertaken by individuals. information should not be kept longer than is necessary to fulfil the purpose it was collected for. If no longer required for a particular purpose, the information should Cross-border data transfer Regulators and regulatory be securely destroyed or de-identified. landscape Personal information can only be transferred to another organisation outside of Australia The OAIC is the Australian regulator of Individual rights where reasonable steps have been taken privacy led by the Australian Information Individuals have the right to: by the transferring organisation to ensure Commissioner. The Commissioner’s roles the overseas recipient does not breach the and responsibilities involve: •• Be informed of their rights prior to Privacy Act. collection and use of their personal •• Conducting investigations into acts, which information through notification. may breach the Privacy Act. Governance •• Access and correct their personal •• Managing complaints about the handling information, and organisations must Organisations are not required to appoint of personal information. a data protection officer (DPO). However, respond within 30 days or inform •• Providing privacy advice to the public, the Commissioner has recommended individuals that they are unable to do so government agencies and businesses. within the timeframe. that organisations appoint a DPO as good practice. Organisations must manage personal information in an open and Security transparent way. Reasonable steps must be Organisations must take reasonable steps to taken to implement practices, procedures protect personal information from misuse, and systems to ensure organisations comply. interference, loss, unauthorised access, This may involve dealing with inquiries from modification and disclosure. The Privacy individuals and maintaining a clear, up-to- Commissioner provides guidance on what date and accessible privacy policy. is considered reasonable in the context of securing personal information.4
3 https://www.oaic.gov.au/agencies-and- organisations/guides/data-breach-preparation- and-response 7 4 https://www.oaic.gov.au/agencies-and- organisations/app-guidelines/chapter-11-app-11- security-of-personal-information The Asia Pacific Privacy Guide
Cases Penalties
•• 2017 – A telecommunications company •• The Commissioner will investigate an act or refused to provide a former journalist practice that may interfere with the privacy with metadata following a right of access of an individual and a complaint about the request. As a result, the Commissioner, on act or practice has been made. behalf of the journalist, argued for a broad •• The Commissioner may also investigate interpretation of personal information any breaches of the Privacy Act on its in court. Specifically, it was argued that own initiative (where an individual has not any information which is able to identify made a complaint). an individual should be protected under the Privacy Act. The Federal Court ruled •• Where the Commissioner undertakes an in favour of the telecommunications investigation of a complaint which is not company and the Administrative Appeals settled, it is required to ensure that the Tribunal because the request to access results of that investigation are publicly pertained to information about the service available. This is undertaken by provided by the company as opposed to publishing the investigation report on the journalist himself. the OAIC website.
•• 2018 – In April, the acting Commissioner •• After investigating a complaint, the launched a formal investigation into Commissioner may dismiss the a social media company following complaint or find the complaint confirmation that the information of over substantiated and make declarations that 300,000 Australian users may have been the organisation rectify its conduct or acquired and used without authorisation. that any loss or damage suffered by the individual is compensated.
•• Fines of up to AU $420,000 for an individual and AU $2.1 million for corporations may be requested by the Commissioner and imposed by the Courts for serious or repeated privacy breaches.
Terminology
Terminology Definition
‘Agency’ refers to Australian government (and Norfolk Island government) Agency agencies, but does not include State and Territory agencies.
An ‘APP entity’ is defined to be an agency or organisation required to comply APP entity with the Australian Privacy Act 1988.
An ‘organisation’ is defined as: •• An individual (including a sole trader) •• A body corporate Organisation •• A partnership •• Any other unincorporated association, or •• A trust unless it is a small business operator, registered political party, State or Territory authority or a prescribed instrumentality of a State
8 The Asia Pacific Privacy Guide
Relevant laws, regulations and standards
Law, regulation Industry Regulator Applicability or standard
Office of the Australian Information Freedom of Information Act 1982 Government Government Commissioner (OAIC)
Office of the Australian Information My Health Records Act 2012 Health sector Health care providers Commissioner (OAIC)
Office of the Australian Information Credit providers (CP) and Credit Privacy Credit (Reporting Code) 2014 Financial services Commissioner (OAIC) reporting bodies (CRBs)
Prudential Practice Guide CPG 235 Australian Prudential Regulation Financial Services Financial Services Managing Data Risk Authority (APRA)
Prudential Standard CPS 234 Information Australian Prudential Regulation Financial Services Financial Services Security Authority (APRA)
Australian Communications and Media SPAM Act 2003 (Cth) All Comprehensive Authority
Office of the Australian Information Telecommunications carriers Telecommunications Act 1977 Telecommunications Commissioner (OAIC) and carriage service providers
Telecommunications (Interception and Office of the Australian Information Telecommunications carriers Telecommunications Access) Act 1979 Commissioner (OAIC) and carriage service providers
Workplace Surveillance Act (NSW) 2005 All NSW Industrial Relations Commission Employers
Workplace Privacy Act (ACT) 2011 All WorkSafe ACT Employers
Surveillance Devices (Workplace Privacy) All Victoria Police Employers Act 2006 (VIC)
Health Records and Information Privacy Information and Privacy Commission Public and private sectors All Act (NSW) 2002 (NSW) handling health information
Public and private sectors Health Records Act (VIC) 2001 All Health Complaints Commissioner (VIC) handling health information
Health Records – Privacy and Access Act Public and private sectors All ACT Human Rights Commission (ACT) 1997 handling health information
Privacy and Personal Information Information and Privacy Commission State based public sector Government Protection Act 1998 (NSW) (NSW) agencies
Office of the Australian Information State based public sector Information Privacy Act 2014 (ACT) Government Commissioner (OAIC) agencies
Privacy and Data Protection Act 2014 Office of the Victorian Information State based public sector Government (VIC) Commissioner agencies
Office of the Information Commissioner State based public sector Information Privacy Act 2009 (QLD) Government (QLD) agencies
State based public sector Information Privacy Principles (SA) Government State Records of South Australia agencies
Office of the Information Commissioner State based public sector Information Act (NT) Government (NT) agencies
Information and Protection Act 2004 State based public sector Government Tasmanian Ombudsman (TAS) agencies
9 The Asia Pacific Privacy Guide
Brunei Darussalam
The protection of personal information is Considerations Use and disclosure currently guided by the Data Protection Online verification portal development: The individual must be informed and have Policy 2014 (DPP), which applies to In March 2018, the Prime Minister’s Office provided consent to the agency prior to any agencies. However, a Minister at the Prime revealed a plan to establish an online use or disclosure taking place. However, Minister’s Office acknowledged that an portal to limit the spread of fake news on where it is impracticable to obtain the improved legal framework to social media, amidst data misuse cases individual’s consent, a legal guardian or protect personal data is required, especially globally and within neighbouring power of attorney can provide consent on given the implications arising from Asia Pacific countries. their behalf. This also applies where personal well-known global data breaches related to data will be used and/or disclosed to a third social media platforms.5 party, except where: Definition of personal data In January 2019, the Minister of Transport •• The collection, use or disclosure is and Info-communications confirmed The DPP defines personal data as data, clearly in the interest of the individual that he was appointed as the Minister whether true or not, about an individual and it is impracticable to obtain the responsible for cyber security of the nation, who can be identified: individual’s consent. encompassing safeguarding of personal •• from the data; or •• Legal, medical or security reasons make data. Brunei’s awareness and direction it impossible or practical to obtain consent. moving towards privacy and personal data •• from the data combined with other protection regulations has primarily risen as information which the agency holds or •• An emergency that threatens life, health or a response to cities holding more personal is likely to come into possession of. security of an individual exists. data of its citizens. •• The data is generally publicly available. Further, the Brunei government has Collection and notice •• Use or disclosure is necessary to render a considered privacy and data protection Personal data should be collected where service applied for by the individual. frameworks from neighbouring countries, necessary by fair and lawful means. This including Malaysia and Singapore, to •• Disclosure is made to an institution, whose includes the requirement to obtain consent incorporate in their own design of laws and purpose is for the conservation of records from the individual. Collection should be regulations for the future. However, the of historic or archival importance, and limited to fulfil specific purposes. progression of this anticipated legislative disclosure is for such purpose. reform is yet to be formerly announced. At or before the time of collection or as soon as practicable, agencies should Individual rights Primary legislation: Data Protection communicate to individuals the purpose Policy 2014 Individuals have the right to: for collection and how the data will be used •• Be informed of their rights prior to and disclosed. However, if the purpose for collection and the intended use of their collection has not been provided initially, personal data. agencies should provide this to the relevant individual prior to use. •• Access their personal data.
Data retention and destruction Security
Personal data should be retained only if it Agencies should ensure all data is protected, is necessary to fulfil the purpose for which regardless of its held format, to prevent it was collected. However, agencies can accidental or unlawful loss, unauthorised develop internal policies, guidelines and access, disclosure, use or modification. In procedures for the retention and destruction doing so, it is important for employees to of data. Upon destroying data, reasonable also be made aware of the significance to care should be exercised by agencies to maintaining data confidentiality. Methods of prevent unauthorised access. protection may be physical, organisational and/or technological.
10 5 https://thescoop.co/2018/05/10/brunei-calls- legal-framework-protect-user-data-online/ The Asia Pacific Privacy Guide
Data breach notification Relevant laws, regulations and standards
Although the DPP does not specify requirements for data breach notification, it Law/ regulation or Industry Regulator Applicability does state that non-compliance with the DPP standard should be reported to the administrator by Personal designated agency officers. information controllers, APEC Privacy Framework Cross-border data transfer All APEC individuals, 2015 organisations Agencies are only permitted to transfer and member personal data to a party outside of Brunei if: economies •• There is a reasonable belief that the recipient is subject to a law, binding ASEAN Framework on scheme or contract, which upholds Personal Data Protection All ASEAN Participants principles for fair data handling 2016 substantially similar to the DPP; Computer Misuse Act 2007 All Minister of Finance Persons •• The individual has provided consent; (revised) •• It is necessary for contract performance or Electronic Transactions Act Minister of Finance/ pre-contractual obligations; and All Persons 2008 (revised) Controller •• Reasonable steps have been taken to The board of directors ensure the data will not be used, held or Tabung Amanah Pekerja Act Employment/ Employees and of theLembaga Tabung disclosed by the recipient inconsistent 1999 Retirement employers to the DPP. Pekerja (LTAP)
Governance Terminology Agencies must designate an officer to ensure the agency complies with its privacy policy. Terminology Definition
Regulators and regulatory Administrator Refers to the E-Government National Centre. landscape Any government ministry or department including educational institutions Agency Currently, there is no regulator for privacy. and statutory body. However, the DPP guidance is regulated by the Minister at the Prime Minister’s The Controller of Certification Authorities appointed under section 41(1) and includes a Deputy or an Assistant Controller of Office (‘Authority’) and the Minister of Controller Transport and Info-communications who Certification Authorities appointed under section 41(2) of the Electronic have recently been appointed for upholding Transactions Act 2008. responsibilities and expectations related to Data Information in electronic or manual form. cyber security within Brunei. Any person, a citizen or permanent resident of Brunei Darussalam, Roles and responsibilities of the authority Employee employed under a contract of service or apprenticeship or other and administrator involve: agreement to work for an employer. •• Administering and enforcing the DPP in The person whom an employee entered into a contract of service or addition to providing regular reports. Employer apprenticeship with. •• Promoting government awareness. Individual A natural person to whom the data relates to, living or deceased. •• Performing non-compliance or breach related investigations and providing ASEAN member states including the Telecommunications and IT Ministers recommendations to remedy or prevent of Brunei Darussalam, the Kingdom of Cambodia, the Republic of such occurrences. Participants Indonesia, the Lao People’s Democratic Republic, Malaysia, the Republic •• Providing consultancy, advisory, technical, of the Union of Myanmar, the Republic of the Philippines, the Republic of managerial and/or other special services. Singapore, the Kingdom of Thailand and the Socialist Republic of Vietnam. •• Advising the government on the above Personal A person or organisation who controls or instructs another person or matters and representing the information organisation to collect, hold, process, use, transfer or disclose personal government internationally. controller information. •• Conducting research and promoting educational activity.
11 The Asia Pacific Privacy Guide
Cambodia
Cambodia does not currently have legislation Considerations specifically providing for the protection of •• Sector-specific regulation: While there personal information. Information privacy is no national privacy legislation, there are is currently only covered by sector-specific sector-specific regulations that regulate laws, which contain provisions protecting customer data. For example, in the customer and confidential information but banking and financial sector, there are laws not specifically personal information. A law is to prohibit the disclosure of confidential currently being drafted to provide information and specific requirements for individuals with the right to access their correction and security of consumer data. personal information. •• New e-commerce legislation: An e-commerce law is currently in draft to regulate online electronic transactions and contains provisions that address consumer data and data protection.
•• Proposed access to information law: Cambodia is proposing to introduce a freedom of information law to enable individuals to request access to information held by public bodies.
Relevant laws, regulations and standards
Law, regulation or Industry Regulator Applicability standard
Law on Ministry of Post and Telecommunications Telecommunications Telecommunications Telecommunications organisations and individuals 2015
Law on Cyber National Bank of Banking and financial Security (24/2018/ Banking and Finance Cambodia institutions QH14)
Law on Information National Bank of Credit reporting institutions Technology Banking and Finance Cambodia handling consumer data (67/2006/QH11)
12 The Asia Pacific Privacy Guide
China
When operating in China, organisations Considerations should be aware of the complexity of the Definition of personal •• Law across sectors, provinces and regulatory landscape. China has a complex information nationally: Organisations are required web of regulations and rules and this varies to adhere to and stay up to date with the Personal information is defined as depending on the location. There are also obligations prescribed under law and any information which can be used other requirements in sector-specific laws regulations. Guidelines are also published to identify a person, either separately which address the protection of personal to support the laws, and organisations are or combined with other information. information. also required to adhere to these. Staying This can include information contained within electronic records. Examples The protection of personal information is informed of developments in regulations of personal information are: a natural regulated by the People’s Republic of China and guidelines is imperative to operating person’s name, date of birth, personal Cybersecurity Law 2017 (‘CSL’). The CSL has in China. identification information, address and broad application and applies to network •• Increasing awareness of privacy rights: telephone number. operators – most businesses that operate The Chinese public are increasingly aware with a computer network e.g. intranet – and of their privacy rights, particularly following critical information operators. high profile court cases. For example, a Collection and notice consumer rights group recently took legal China’s rapid adoption of technologies, action against a technology company for Network operators must collect such as artificial intelligence and biometric infringing upon the rights of its users by personal information: technology, has given rise to a privacy collecting excessive personal information •• In a legal and proper manner. specific law. However, the timeframe for without consent.6 this law is yet to be publicly announced. The •• Where necessary i.e. information must focus of this anticipated law will be directed •• Applications: The National Principal not be collected unless it relates to the heavily towards protecting biometric data, Security Committee, China Consumers network operator’s services. given the prevalence of surveillance cameras Association, China Internet Association •• In accordance with agreements created and facial recognition technology within the and China Cyberspace Security Association between users. country. were commissioned to form the “APP Governance Working Party” on the •• Upon approval/ consent by the person to Primary legislation: People’s Republic of 25th of January 2019 and subsequently which the information applies to. China Cybersecurity Law 2017 released the “Guideline to Self-assessment of App Collection and Use of Personal Upon collecting personal information, Information” on the 1st of March 2019. network operators are required to provide users with a notification, which specifies: •• The purpose of collection.
•• How information will be collected.
•• How information will be used.
6 https://www.scmp.com/tech/china-tech/ 13 article/2127045/baidu-sued-china-consumer- watchdog-snooping-users-its-smartphone The Asia Pacific Privacy Guide
Use and disclosure Data breach notification
Personal information must only be used Data breach notification to the regulator and affected individuals is mandatory. for the original purpose for which it was collected or for a directly related purpose. Requirements Network operators can use information outside of this scope for a new purpose, so Where there is a reasonably foreseeable real risk of harm or damage long as voluntary and explicit consent has from a breach. This is determined by: been provided by the user. •• The amount and kinds of information leaked Direct marketing •• Circumstances of the breach itself The CSL does not explicitly refer to direct •• The likelihood of identity theft or fraud marketing. However, it is recognised that •• Whether the information is adequately encrypted, anonymised or network operators must not illegally provide otherwise rendered inaccessible information to others without the approval of the person whose personal information is Threshold for •• Whether the breach is ongoing and if there will be further exposure of collected. This requirement does not apply reporting personal information where the information is de-identified and •• Whether the breach is an isolated incident or a systematic problem cannot be recovered. •• Whether information has been retrieved before being accessed or copied Data retention and destruction •• Whether effective mitigation or remediation was conducted after the breach Personal information must be accurate, kept up to date and should not be kept longer •• The ability of users to avoid or mitigate possible harm than necessary to fulfil the purpose for •• A reasonable expectation of users’ privacy which it was collected. •• Network operators should provide notification as soon as practicable, Time frame except where law enforcement agencies have requested delay for Individual rights investigative purposes. Individuals have the right to: Depending on the circumstances, network operators should notify: •• Be informed of their rights prior •• Affected users to collection and use of their •• Law enforcement agencies personal information. Who to notify •• Relevant regulators •• Request correction and removal of their personal information. •• Any other parties who can take remedial action to mitigate impact of the breach
Security Depending on circumstances, notification should include:
Network operators must take practicable •• A general description, including the time and duration of the breach steps to protect personal information and its discovery from unauthorised or accidental access, •• The source of the breach and types of personal information involved processing, erasure, loss or use. Such steps •• An assessment of the risk of harm presented may include implementing controls, such as Content •• A description of measures taken to prevent further harm encryption and multi-factor authentication. •• The network operator’s contact information •• Information and advice about further steps which users should take •• Whether law enforcement agencies and other relevant parties have been notified
14 The Asia Pacific Privacy Guide
Cross-border data transfer Relevant laws, regulations and standards
Network operators can only transfer personal information once users have Law, regulation or standard Industry Regulator Applicability been informed and have authorised for the Decision on Strengthening Network Operators All CAC transfer to occur. However, any information Online Information Protection and CIIOs collected and generated within China must stay within its borders. If information is GB/T 35273—2017 Information required to be transferred outside of China, Technology – Personal All CAC All organisations a security assessment must be conducted in Information Security accordance with measures formulated by the Specification Cyberspace Administration of China (CAC). National Standard of Information Security Technology – Guideline Governance for Personal Information Network Operators All CAC The appointment of a DPO is not required. Protection within Information and CIIOs However, a network operator or CIIO must System for Public and be appointed. Commercial Services
Regulators and regulatory landscape Terminology
The CAC is the regulator of privacy within China led by the Director. The Director’s Terminology Definition roles and responsibilities involve: Any industry-related operators, such as public communications and Critical •• Creating cyberspace policy. information services, energy, transport, water conservancy, finance, public information services, e-government, and other important industries, where breaching •• Acting as the central internet regulator. infrastructure their information infrastructure would result in serious damage to national operators (CIIO) •• Providing regulatory oversight and security, national economy and people’s livelihood and public interests. censorship. Any system composed of computers or other information terminals and Network related equipment, which execute procedures of information collection, Cases storage, transmission, exchange and processing.
•• 2018 – An online forum, microblogging Network Any owners or managers of the network and network service providers. site and social media messaging app operator were summoned by the CAC for failing to block various types of illegal internet information, described as vulgar and harmful.
•• 2019 – The CAC ordered telecommunication operators to shut down services for up to 8,000 mobile applications which were said to have stolen users’ personal information.
Penalties
Orders to correct, warnings and fines may be issued under the CSL, depending on what article has been breached. However, any serious breach may result in fines of up to ¥1,000,000.
15 “Organisations should uphold the attitude of the three Data Stewardship Values for handling personal data. Such approach would not only reinforce consumer trust but also exemplify organisations’ commitment to personal data privacy protection and realise the principle of accountability, thereby elevating their reputation and increasing their competitiveness.”
– Stephen Kai-yi Wong Privacy Commissioner for Personal Data (Hong Kong)
16 The Asia Pacific Privacy Guide
Hong Kong
Hong Kong has one of the most Considerations comprehensive privacy regimes in Asia, Definition of •• International legislation: Taking with a principles-based law supported personal data inspiration from international regulations, and enforced by the Office of the Privacy the Commissioner has demonstrated an Personal data is defined as Commissioner of Personal Data (PCPD). The intention to review international privacy information that: primary privacy legislation was enacted in laws and bring the PDPO into alignment. In • relates to a living person (known as a 1996 in response to the European Union • particular, the EU GDPR and China’s cyber data subject); Data Protection Directive and underwent security laws are on the radar major reform in 2012 to incorporate •• can be used to, directly or indirectly, of the Commissioner. additional provisions. In response to multiple identify them; and data breaches and the changing global •• Review of the PDPO: The Commissioner is •• is in a form in which accessing or privacy regulatory landscape, the regulator is looking to review the PDPO following major processing the data is practicable. currently reviewing the PDPO. data leaks and cyber-attacks in Hong Kong. One consideration is increasing penalties The PDPO does not define ‘sensitive’ Primary legislation: Personal Data for non-compliance (the current maximum (Privacy) Ordinance (PDPO) data. However, there are codes of is HK$50,000). practice issued to regulate data such as •• Industry regulators: Industries have Hong Kong Identification Card numbers increased their focus on cyber security and unique identifiers, including and privacy. Industry regulators like the passport numbers and Security and Futures Commission (SFC) patient numbers. have included data protection clauses in The Commissioner has issued their framework to ensure proper data specific guidance on biometric data, handling practices. stating that data can only be collected •• A turn towards data ethics: Following when necessary, and with free and high profile breaches in 2018, the informed consent to collect it from the Commissioner has declared that ‘[d]ata data subject. ethics can … bridge the gap between legal requirements and the stakeholders’ expectations.’ The Commissioner Collection and notice has recently published a research The collection of data must be: report supporting an Ethical •• In a lawful and fair manner. Accountability Framework. •• Directly related to an activity of the data user.
•• Necessary, but not excessive, for the related purpose.
Organisations are required to provide information to the individual about whether it is mandatory to give the data and the consequences of not providing it. Data subjects must be notified of the purpose of collection and use, and the classes of persons to whom the data may be transferred.
17 The Asia Pacific Privacy Guide
Use and disclosure Individual rights
Personal data can only be used for the Data subjects have the right to: original or a directly related purpose, unless •• Be informed of their rights at, or prior voluntary and explicit consent is provided by to, collection and use of their data, the the data subject for the new purpose. retention period, the security measures in protecting their data and how they can If personal data is used or disclosed for a raise an access and correction request. new purpose (i.e. a purpose other than the purpose for which the data was to be used at •• Access and correct personal data: the time of the collection or a directly related organisations must respond to requests purpose), prescribed consent must be within 40 days or inform the individuals obtained from the data subject. Prescribed that they are unable to do so within consent means express consent given the timeframe. voluntarily which has not been withdrawn in writing. Security
Direct marketing Organisations must take practicable steps to If personal data is used for direct marketing, protect personal data from unauthorised or explicit consent needs to be collected from accidental access, processing, erasure, loss the data subject, however, silence does not or use. The following factors constitute consent. should be considered:
Bundled consent, where the data subject •• Kind of data and the harm when data is must provide personal data in order to inadequately protected access the product or service, is not a valid •• Security measures incorporated into data form of consent. storage equipment
The data subject is required to be •• Secure transmission of data informed of: •• Physical location of the data storage •• The intention to use their information for •• Measures for assurance of integrity, direct marketing. prudence and competence of people who •• Types of data that will be used. could access data •• What the marketing will be about. •• Method for the data subject to communicate consent for the intended use. •• Withdrawal of consent is allowed at any time.
If personal data is being sent to a third party for direct marketing, the data subject’s consent needs to be in writing.
Data retention and destruction
Personal data is required to be kept up to date and accurate, and should not be kept longer than necessary to fulfil the purpose for which it is collected.
The Privacy Commissioner’s Office has provided guidance on retention of CV’s for unsuccessful job applicants. The Equal Opportunities Commission’s Codes of Practices on Employment recommend retention of employment application records for at least one year. The Privacy Commissioner considers this retention period to be reasonable for the purpose of responding to any claim of discrimination.7
18 7 https://www.pcpd.org.hk/english/resources_ centre/publications/guidance/fact2_hrm_2.html The Asia Pacific Privacy Guide
Data breach notification Cross-border data transfer
There is currently no requirement to notify data subjects or the PCPD of a data breach. Organisations can only transfer personal However, the PCPD could conduct an investigation relating to a breach and issue an data if data subjects are informed when enforcement notice if appropriate. The Commissioner has recommended voluntary personal data is collected that: notification in the event of a data breach. •• Their personal data may be transferred; and
Voluntary guidance •• The classes of people to whom it may be Threshold for Reasonably foreseeable real risk of harm or damage from breach, transferred to. reporting depending on: The PDPO prohibits cross border transfer •• Kind of personal data leaked of data except in specified circumstances. •• Amount of personal data involved However, that provision has not yet been •• Circumstances of data breach enacted. The PCPD currently provides a ‘Guidance on Personal Data Protection in •• Likelihood of identity theft or fraud Cross-border Data Transfer’8 to outline best •• Whether leaked data is adequately encrypted, anonymised or practices for the cross-border transfer of otherwise rendered inaccessible data. For example, the PCPD recommends •• Whether data breach is ongoing and if there will be further exposure organisations review data transfer of data agreements and to keep an inventory of •• Whether the breach is an isolated incident or systematic problem personal data. •• In the case of physical loss, whether personal data has been retrieved before accessed or copied Governance •• Whether effective mitigation or remediation was conducted There is no mandatory requirement to after breach appoint a data protection officer. •• Ability of data subjects to avoid or mitigate possible harm However, the PCPD advocates for •• Reasonable expectation of personal privacy of data subjects companies to be accountable for the protection of personal data to build trust Time frame As soon as practicable with clients, enhance reputation and •• Except where law enforcement agencies have requested delay for increase competitiveness. investigative purposes
Who to notify (Depending on circumstances) Regulators and regulatory •• Affected data subjects landscape •• Law enforcement agencies The Office of the Privacy Commissioner for Personal Data (PCPD) is the independent •• Commissioner statutory privacy regulator tasked with •• Relevant regulators enforcement of the PDPO. The PCPD’s roles •• Other parties who can take remedial actions to mitigate the impact of and responsibilities include: the breach •• Enforcement
Content (Depending on circumstances) •• Monitoring and supervising compliance •• General description •• Promotion of education, training and •• Data, time and duration of breach best practice •• Date and time breach discovered •• Corporate governance •• Source of breach •• Meeting changing needs relating to •• Types of personal data involved technological developments, trends •• Assessment of risk of harm from breach and expectations •• Description of measures taken to prevent continued breach •• Organisation’s contact information for more information/assistance •• Information and advice on further steps data subjects should take •• Whether law enforcement agencies, PCPD and other parties have been notified
19 8 https://www.pcpd.org.hk/english/resources_ centre/publications/files/GN_crossborder_e.pdf’ The Asia Pacific Privacy Guide
Cases Relevant law, regulations and standards
•• 2017 – The Kowloon City Magistrates’ Court found that a company director was Law, regulation or Industry Regulator Applicability held personally liable and convicted for standard failing to comply with a lawful requirement Personal Data Privacy All PCPD Data users (in this case, a summons) of the Privacy Ordinance Commissioner and fined HK$3,000. Code of Practice on the •• 2018 – The Tuen Mun Magistrates’ Court Identity Card Number and fined a supermarket chain HK $3,000 for other Personal Identifiers: All PCPD Data users using personal data in direct marketing Compliance Guide for Data without obtaining consent. Users •• 2018 – In November, the Commissioner Authorised found reasonable grounds to believe Control measures for Banking and institutions under there was a ‘contravention of a HKMA customer data protection Finance the Banking requirement under the law’ by an Ordinance airline and commenced a compliance investigation (ongoing). Credit providers Code of Practice on Banking and and credit PCPD Penalties Consumer Credit Data Finance referencing agency A serious breach of the PDPO may result Code of Practice on Human in financial penalties of up to HK $1m and All PCPD Employers imprisonment of up to five years if an Resource Management individual is found personally liable for Guidance on Personal Data the violation. Protection in Cross-border All PCPD Data users data Transfer
Guidance on Collection and All PCPD Data users Use of Biometric Data
SFC Compliance with the Licensed Banking and Personal Data (Privacy) SFC corporations Finance Ordinance under SFC
Terminology
Terminology Definition
Codes of Practical guidance in respect of requirements under this Personal Data Practice (Privacy) Ordinance.
A person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data. The data Data users user is liable as the principal for the wrongful act of its authorised data processor.
Ordinance Legislative enactments.
20 “The digital economy should aim to benefit citizens. With proliferation of information and digital technologies, the technology sector should strengthen citizen safety and security in the digital environment. Moreover, user awareness towards their privacy has been on the rise. We will see consumers making more privacy- conscious decisions and associating certain brands that provide greater privacy controls as better options.”
– Rama Vedashree 21 CEO of Data Security Council of India The Asia Pacific Privacy Guide
India
A specific privacy law does not exist in India. Considerations Use and disclosure However, the Information Technology Constitutional right to privacy: The Organisations must only use sensitive Act 2000 presently governs the protection Supreme Court delivered a judgment in information for the purpose declared when of personal information, specifically relation to constitutional rights. It was it was collected. Consent must be obtained electronic data and transactions. The interpreted that the right to privacy is an before disclosing sensitive information prominence of data use has placed privacy extension of the right to life provided by unless required under contract or where and data protection high on the national the Constitution. This includes the right of necessary to comply with a legal obligation. agenda and is key to India’s growth and an individual to exercise control over his An organisation may be legally required to economic development. For example, the or her personal data. As a result, there is provide personal or sensitive information government has expressed an inclination an obligation to ensure the protection of a to government agencies for purposes towards creating a digital health technology citizen’s right to privacy. such as verifying identification, preventing, ecosystem by releasing the draft Digital detecting and investigating cyber incidents, Information Security in Healthcare Act or administering punishment. (DISHA), the primary focus of which is to Definition of personal regulate the process of collection, storing, information transmission and use of the digital Data retention and destruction health data. Personal information is defined as information relating to a natural person, Organisations must not retain sensitive information for longer than necessary. As a result, a new data protection law, directly or indirectly, in combination known as the Data Protection Bill 2018, with other available information or likely has been drafted. The Data Protection Bill to be available with a body corporate, Individual rights 2018, in combination with the Draft National capable of identifying a person. Individuals have the right to: E-Commerce Policy, proposes to strengthen the protection of personal information Sensitive information is defined as •• Access, correct and amend their and consumer rights, as well as impose information provided to a corporation personal information. related to an individual’s password, conditions on cross-border data transfers •• Refuse and withdraw consent for the financial information, physical, by requiring data fiduciaries to store data in use of personal information at any time. India. They will help to regulate the use of physiological and mental health personal data collected, disclosed, shared condition, sexual orientation, medical Security or processed in India or in connection to records and history, or biometric business within India. The Bill introduces information. Organisations must demonstrate stringent requirements related to mandatory compliance with reasonable security data breach notification, consent to be practices and procedures. This can be obtained prior to collection and individual Collection and notice achieved by implementing and documenting privacy rights. Organisations must obtain written consent comprehensive information security from individuals prior to collection. They programs and policies containing adequate Primary legislation: Information must also take reasonable steps to notify the controls for the business’ information assets. Technology Act 2000 individual concerned that their information For example, the international standard is being collected, the purpose of collection ISO 27001 is recognised as a standard that and details of the recipient. Organisations organisations must comply with. must provide a privacy policy to the individual and publish it on their website. Sensitive information must not be collected by organisations unless necessary for a lawful purpose connected with a business function.
22 The Asia Pacific Privacy Guide
Data breach notification Relevant laws, regulations and standards
Data breach notification is not required under the Act. However, an incident may Law, regulation or Industry Regulator Applicability be voluntarily reported to the Computer standard Emergency Response Team (CERT) by service Electronic Health Record Health Ministry of Health and Individuals providers, intermediaries, data centres, Standards For India 2016 Family Welfare (MHFW) body corporate and any other person. CERT is a national agency, which has been The Clinical Establishments Health MHFW State granted power under the Act to respond to (Registration and governments, cybersecurity incidents. Notification content Regulation) Act 2010 persons, the may include: Authority, clinical establishments •• Time of the incident
•• Symptoms observed The Draft National Electronic Department for Promotion The Indian E-Commerce Policy, 2019 commerce of Industry and Internal Government •• Information regarding the affected Trade as a whole and system/s or network/s entities within
•• Actions taken to mitigate damage The Information Technology All The Central Government Body corporates •• Other relevant technical information, such (Reasonable security of India and persons in as the security systems used practices and procedures India and Sensitive Personal Data or Information) Rules 2011 Cross-border data transfer
Organisations can transfer sensitive information to receivers adhering to the Terminology same level of data protection, where required by law, under contract or consent has been obtained. Terminology Definition
Includes a hospital, maternity home, nursing home, dispensary, clinic, Regulators and sanatorium or an institution by whatever name called that offer services, regulatory landscape Clinical facilities requiring diagnosis, treatment or care for illness, injury, deformity, There is no dedicated privacy regulator in establishment abnormality or pregnancy in any recognised system of medicine India. However, adjudicating officers are established and administered or maintained by any person or body of appointed by the government to determine persons, whether incorporated or not. contraventions with the ITA and its Rules, and can impose penalties. Any adverse event related to cybersecurity that violates a security Cyber incident policy. Such event may involve unauthorised access or DDoS amongst other forms. Cases
•• 2016 – A pathology lab had over 35,000 electronic medical records leaked. As a consequence, the laboratory erased all records and closed 250 of its centres in Mumbai in addition to over 10,000 collection points across India.
•• 2018 – An Indian government database holding personal information (including biometrics and demographic data, such as fingerprints and iris scans amongst names, addresses etc.) for over 1 billion citizens and its authority suffered a data breach. The World Economic Forum Global Risks Report 2019 labelled this breach as ‘the largest data breach’ ever. Privacy concerns arose in relation to the corresponding mobile application concerning significant flaws within the app. A student was arrested for accessing this database without authorisation in August 2017. 23 The Asia Pacific Privacy Guide
Indonesia
Privacy and data protection is currently Considerations Collection and notice governed by provisions across a set of •• A constitutional right to privacy is Personal data should only be collected if it regulations. The regulations include: contained within Indonesia’s Constitution. is relevant and suitable for the purpose for •• The Government Regulation No. 82 of 2012 which it was collected. (‘Gov. Reg. 82’) •• A proposed comprehensive data protection framework currently in Consent is required for the collection, use, •• Electronic Information and Transactions draft: A comprehensive law on data processing and transfer of personal data. Law No. 11 of 2008 (‘EIT Law’) protection (Bill on the Protection of Private Consent must be express and in writing, and •• MOCI Regulation No. 20 of 2016 Personal Data/ PDP Draft Law) is being to be provided manually or electronically. (Protection of Personal Data in an prepared jointly by the Ministry of Law In order to obtain consent, an electronic Electronic System) (‘MOCI Regulation’) and Human Rights and the Ministry of system provider provides a consent form Communication and Informatics (MOCI). prior to collection. Parents or legal These regulations only apply to personal If passed, the law will become the first guardians can provide consent in cases data on electronic systems. comprehensive law in Indonesia to deal where the individual is not capable of explicitly with data privacy. providing consent, such as minors or A comprehensive law is currently in draft and disabled persons. will consolidate privacy and data protection •• National regulating authority: While there are various authorities presently requirements into a single legislation. Notice must be provided to individuals at operating with privacy related functions, the time the personal data is collected. The there is no privacy regulator. MOCI is notice should include: presently considered the main regulatory body. MOCI operates with the function of •• Details about the current and possible overseeing data protection activities within future purposes for collection of personal Indonesia. The draft data protection law data; and introduces a Commission with functions to •• The organisation’s contact details. ensure protection of personal data. Use and disclosure
Definition of personal Personal data can only be used and data processed in accordance with the purpose Personal data is defined as data of an provided in the notice when personal data individual which is stored, maintained was collected. and kept accurate. Further, personal data can only be used after In addition, a further definition is its accuracy and suitability has been verified. provided for ‘certain data of an The electronic system operator (ESO) must individual’, which is any information that obtain consent from an individual for data to is correct, actual and can directly or be handled or disclosed to a third party. indirectly identify an individual.
Data retention and destruction
An ESO that provides services to public bodies must establish a data centre and disaster recovery centre in Indonesia.
Personal data is to be deleted upon expiry of the storage period provided at time of collection, unless it is still required for the intended purpose, or when the data owner has made a request to do so. 24 The Asia Pacific Privacy Guide
Individual rights Data breach notification
Individuals have the right to: There is a mandatory data breach notification requirement for operators of electronic •• Submit complaints to the Minister of systems. The regulatory authority of the sector in which the ESO operates and the affected Communication and Informatics (MOCI) data owners must be notified if there is a potential to cause loss. regarding the failure of an ESO to protect personal data. Requirements •• Access and update their personal data without interference. •• The operator must notify individuals if the breach has potential to cause loss to the individual. •• Request a historic view of the data Threshold for collected by the ESO. reporting •• The operator must notify if any failure, serious system interference or disturbance equates to the breach of personal data. •• Request destruction of their personal data handled by the ESO. •• The operator must notify the affected individuals no later than 14 days after the breach was identified. Exceptions apply to the above rights, which Time frame mainly refer to situations where other laws •• The operator must notify the relevant authority of the sector in which and regulations request an ESO to perform they operate in immediately. differently. •• Electronic system operators must notify: ––Data subjects. Security Who to notify ––Supervising and regulatory authority of the relevant sector, or An exhaustive list of ESO obligations for law enforcement. maintaining security is contained within both Gov. Reg.82 and the MOCI Reg. 20. •• The operator is to provide, in writing, to affected individuals: Content Broadly, regulations impose an obligation for ––The cause of the personal data breach. organisations to: •• Obtain certification of its electronic systems to ensure compliance. Governance Cases
•• Maintain the correctness, validity, There is no requirement for the appointment 2018 – An investigation was launched into confidentiality, accuracy, relevance and of a DPO. the alleged data breach where a company compatibility with the purpose personal is believed to have obtained the personal data was collected for. Regulators and regulatory data of one million Indonesian users from landscape a social media platform. The scandal is believed to have affected up to 87 million Cross-border data transfer There is currently no national data users worldwide. A class action lawsuit The transfer of data outside of Indonesia protection authority for privacy in Indonesia. was commenced against the social media must comply with reporting and The MOCI governs the regulations company in an Indonesian District Court. coordination requirements. The following covering data protection relating to electronic systems. MOCI carries the must be reported: Penalties ability to investigate matters, which involve •• The name of the country to which the unlawful handling of personal and Breaches of the MOCI Reg or Reg 82 will information will be transferred to confidential information, and have power to attract administrative sanctions, such as •• Details of the recipient impose administrative sanctions verbal or written warnings, temporary such as fines. suspension of processing activities and •• Details about the transfer itself public announcements. The EIT Law imposes including the intended date and criminal penalties for certain violations, such purposes of the transfer as unlawful access. Consent must also be obtained for transfer.
Parties may enter into data transfer agreements, however there is no mandatory clause or approved content that needs to be incorporated into the agreements.
The transfer of personal data managed by an ESO at a government institution must be coordinated with the MOCI or the authorising institution and comply with prevailing laws and regulations regarding cross-border exchange of personal data. 25 The Asia Pacific Privacy Guide
Key laws, regulations and standards
Law, regulation or Industry Regulator Applicability standard
Financial Service Authority Financial Services Financial service Regulation No. 1/ Financial services Authority providers POJK.07/2013
Government Regulation No. 82 of 2012 (Provisions Electronic system All MOCI of Electronic System and operators Transactions)
Law No. 11 of 2008 on Electronic system Electronic Information and All MOCI operators Transactions (EIT Law)
Law No. 19 of 2016 on Electronic system All MOCI Amendment of EIT Law operators
Law on Health No. 36/2009 Health Ministry of Health Health providers
Law on Telecommunication Telecommunications No. Telecommunications MOCI service providers 36/1999
MOCI Regulation No. 20 of 2016 (Protection of Electronic system All MOCI Personal Data on Electronic operators Systems)
Terminology
Terminology Definition
Any private person, state operator, enterprise, or element of society who Electronic makes available, manages, and/or operates an electronic system either system operator privately or communally for the electronic system’s users for his/her own (ESO) benefit, or a third party’s benefit.
26 “Businesses are required to more strictly manage personal information, as their increasingly globalised operations result in more frequent transmission of such data between (Japan and) overseas.”
– Harumichi Yuasa Professor at the Institute of Information Security Yokohama
27 The Asia Pacific Privacy Guide
Japan
In Japan, privacy is regulated by the Act Considerations Collection and notice on the Protection of Personal Information EU adequacy: On the 23rd of January 2019, The APPI refers to the collection of personal (‘APPI’). The APPI is a comprehensive the European Commission confirmed its information as proper acquisition. PIHBOs privacy law, administered by the Personal adequacy decision for Japan, which finds must not obtain personal information by Information Protection Commission (‘PPC’), that the scope of data protection in Japan deceit or improper means. PIHBOs must and applies to personal information handling and the EU are equivalent. This decision will promptly and explicitly inform the principal business operators (‘PIHBO’) to protect the create, develop and facilitate opportunities whose personal information was acquired interests of principals. for European and Japanese businesses to of the utilisation purpose, including where The PPC has issued an interim draft report, share data. The decision was supported by the purpose has changed. However, this which revealed plans for Japan to revise its supplementary Rules that strengthened notice requirement does not apply in cases existing personal information protection the APPI. The supplementary rules included where there exists an urgent need to protect law in 2020. The focus will be to introduce a additional protection for new types of human life, body or fortune, or where the right to be forgotten, which would be applied sensitive personal information. utilisation purpose was previously disclosed cross Japan’s borders. to the public.
Primary legislation: Act on the Protection PIHBOs must obtain the principal’s consent of Personal Information 2017 Definition of before collecting sensitive information. personal data Consent is not required where: •• Information is required by laws and Personal information is defined as regulations. information, which relates to a living individual, and can fall within any of the •• There is a need to protect human life, body following: or fortune and it is difficult to obtain the principal’s consent. •• Where containing a name, date of birth or other description, in vocal or •• There is a special need to enhance public written format, through drawing or hygiene or promote the fostering of electromagnetic record, to include healthy children and it is difficult to obtain scenarios where the information can the principal’s consent. be collated with other information to identify a specific individual •• Government and/or enforcement related cooperation is required and obtainment •• Where containing an individual of the principal’s consent would interfere identification code with such performance.
The APPI also defines special care- •• The information is publically available. required personal information •• Prescribed by cabinet order. (‘sensitive information’), which includes personal information comprising of an individual’s race, creed, social status, Use and disclosure medical history, criminal record, fact of Personal information must be used for a having suffered damage by a crime, or specific purpose stipulated at the time of other descriptions. collection. However, personal information can be used for a new purpose if consent is obtained from the principal or where any of the above exceptions (provided in collection and notice) apply.
28 The Asia Pacific Privacy Guide
Data retention and destruction Data breach notification
Personal information must be kept accurate While there is no mandatory breach reporting scheme, the PPC provides voluntary guidance and up to date to the extent that it is (Guidelines for the Act on Protection of Personal Information) for PIHBOs to undertake necessary to achieve its purpose. assessment, remediation and reporting of breaches as best practice.
PIHBOs are required to delete personal information, without delay, once the Voluntary guidance utilisation purpose has been fulfilled. Where there is a reasonably foreseeable real risk of harm or damage Specific industry codes and standards also from breach, depending on: specify requirements for the retention and •• Kind and amount of personal information leaked destruction of personal information. •• Circumstances of data breach
Individual rights •• Likelihood of identity theft or fraud
Individuals have the right to: •• Whether leaked information is adequately encrypted, anonymised or •• Be informed of their rights prior to otherwise rendered inaccessible collection and use of their Threshold for •• Whether the data breach is ongoing and if there will be personal information. reporting further exposure •• Request correction, rectification and/ •• Whether the breach is an isolated incident or a systematic problem or deletion of their personal information held by PIHBOs. •• In the case of physical loss, whether personal information has been retrieved before accessed or copied •• Object to processing by lodging a utilisation cease request, based on •• Whether effective mitigation or remediation was conducted after reasonable grounds. the breach
•• Lodge complaints to the PPC or any other •• Ability of principals to avoid or mitigate possible harm authorised entity about the handling of •• The reasonable expectation of a principal’s personal privacy their personal information. •• As soon as practicable, except where law enforcement agencies have Time frame Security requested a delay for investigative purposes
PIHBOs must take necessary and •• Affected data subjects appropriate actions to protect personal •• Commissioner information from leakage, loss or damage. Who to notify For example, PIHBOs must exercise •• Relevant regulators or law enforcement agencies necessary and appropriate supervision •• Other parties who can take remedial action to mitigate the impact over employees who handle personal information, to prevent unauthorised access •• Information involved, time, date, duration and discovery of the breach or misuse. •• Source of breach
Cross-border data transfer •• Assessment of risk of harm from the breach •• Description of measures taken to prevent continued breach Personal information must not be Content transferred to a third party unless consent •• Organisation’s contact information for more information/assistance has been obtained from the principal or any one of the above exceptions apply, as •• Information and advice on further steps principals should take provided within ‘Collection and notice’. •• Whether law enforcement agencies and other parties have been notified Personal information may be transferred outside of Japan where: •• Consent is obtained from the principal.
•• The foreign state has privacy laws which are considered equivalent to Japan.
•• The foreign party maintains an internal personal information protection system consistent with standards set by the PPC.
29 The Asia Pacific Privacy Guide
Regulators and regulatory Relevant laws, guidelines and rules landscape
The regulator is the Personal Information Law, guideline or rule Industry Regulator Applicability Protection Commission (PPC). Act on the Protection of Public Sector PPC National government Personal Information held by bodies The Commissioner’s roles and Administrative Organs responsibilities include: •• Formulating and promoting policy Act on the Protection of Public Sector PPC Independent Personal Information held by administrative agencies •• Supervising Independent Administrative •• Mediating complaints Agencies
•• International cooperation Act on Specified Commercial Commerce Japan Consumer Organisations Transactions Affairs Agency •• Public relations Act on the Regulation of Commerce Ministry of Internal Organisations •• Conducting personal information Transmission of Specified Affairs and protection assessments Electronic Mail Communications •• Issuing accreditations to organisations APPI Supplementary Rules for All PPC Business operators •• Reporting the Handling of Personal Data handling personal data Transferred from the EU of EU data subjects
Cases Enforcement Rules for the Act All PPC Personal information •• 2018 – Several online retailers on the Protection of Personal handling business encountered a data breach when Information operators and principals hackers targeted weaknesses on the Guidelines for the Act on All PPC Personal information retailers’ websites. Approximately 15,000 Protection of Personal handling business customers were affected where credit card Information (PPC Notices operators and principals information was compromised including No. 6-9 of 2016) individual names, expiration dates and security codes. The Japan Consumer Credit Association estimated total losses Terminology from stolen credit card related personal information at ¥18.7 billion in 2018 alone. Terminology Definition
•• 2019 – A marketing research company Prescribed by cabinet order to include any character, letter, number, operating in Tokyo suffered a leak of over Individual symbol or other codes, which are able to identify a specific individual 570,000 records of personal information, identification code and can be assigned to the use of services or purchase of goods sold or including email addresses, passwords and provided to an individual or stated in a card or other document. phone numbers. Personal A car manufacturer made a A person providing a personal information database for use in business •• 2019 – information public notification for a data breach but excludes a central government organisation, a local government handling business caused by third party attackers through and an incorporated (local or not) administrative agency. operator its dealerships. The breach was limited to unauthorised access of computer Principal A specific individual identifiable through personal information. systems, which led to compromised Utilisation The purpose of use for the personal information that is provided to an personal information of over 3.1 million purpose individual at the time of collection/ acquisition. customers, including names, birth dates and employment information. Penalties
Penalties for business operators can include: •• Up to one year imprisonment or a •• Up to six months imprisonment or a maximum fine of ¥500,000 for disclosing maximum fine of ¥300,000 for a business personal information for the purpose of operator failing to submit or providing illegal profit. false reports to the PPC upon request.
•• Up to six months imprisonment or a •• Penalties may also apply to maximum fine of ¥300,000 for a business representatives of a business operator, such as an individual employee. operator violating an order from the PPC. 30 The Asia Pacific Privacy Guide
Lao People’s Democratic Republic
Lao PDR has some basic regulation in place Security to protect personal information. The Law Definition of personal A data administration authority is required on Prevention and Combating Cyber Crime information to maintain the security of its systems (Cybercrime Law) 2015 prohibits the use Personal data refers to the electronic to protect data. The security measures of personal information which may cause data of an individual, legal entity or required include: reputational harm to an individual. organisation. •• Using technical systems to secure the data Further, the Law on Electronic Data •• Inspecting and evaluating risk of data Protection 2017 (EDPL) contains Collection and notice systems on an annual basis requirements around personal information Personal data can only be collected by an collection, storage, maintenance, use, individual, legal entity or organisation where •• Investigating incidents that have caused or dissemination, transfer, access, amendment, it is approved by the data owner. may cause serious impact update and deletion of electronic data. The individual, legal entity or organisation Regulators and regulatory Primary legislation: The Law on Electronic must inform the data owner of the purpose landscape Data Protection 2017 for collection. The Ministry of Posts and Telecommunications (MPT) is responsible Use and disclosure for the administration of the EDPL. The Ministry has duties such as developing A data administration authority can use or policy, enforcing the provisions through disclose personal data where the data owner administrative measures and regularly has approved the purpose for which it will be reporting electronic data protection used or disclosed, unless required otherwise activities to the government. by law.
Data retention and destruction Penalties Individuals, legal entities or organisations Personal data must be deleted: found to violate the provisions of the EDPL • When requested by the data owner. • can be fined up to 15,000,000 Kip. The •• When it is no longer required for the regulator also has powers to enforce the purpose it was collected for. law through administrative measures, such as disciplinary sanctions, warnings and re- educational measures. Individual rights
Data owners have the right to: •• Request access or update their personal data.
•• Request deletion of personal data.
31 The Asia Pacific Privacy Guide
Relevant laws, regulations and standards
Law, regulation or standard Industry Regulator Applicability
Framework on Personal Data All ASEAN Participants and organisations Protection
Guidelines on the Implementation of the Law All MPT Data managers on Electronic Data Protection 2018
Instruction on Computer Security under the Law on All MPT Businesses Prevention and Combating of Cyber Crime
Law on Prevention and Persons, legal entities and Combating Cyber Crime 2015 All MPT organisations (The Cybercrime Law)
Individuals, legal entities, state Law on Electronic Ministry of Science organisations and agencies, All Transactions 2012 and Technology international organisations and civil society
Lao PDR Penal Law 2005 All All individuals within Lao PDR government
Terminology
Terminology Definition
Data owner Individual, legal entities or organisations that own the electronic data.
Electronic data An individual, legal entity or organisation responsible for administrating the administration electronic data which mainly are ministries, data centre through internet, authorities telecommunication service providers and banks.
32 The Asia Pacific Privacy Guide
Malaysia
Malaysia is governed by a comprehensive Considerations Collection and notice privacy regime, based on the provisions Data user registration: There is Personal data can only be collected where of Personal Data Protection Act 2010 a requirement for data users to be necessary or for a lawful purpose, which is (‘PDPA’). The PDPA is principles-based registered before processing personal directly related to and not excessive of, one and applies to any person who processes data. Registration certifications are valid or more of the data user’s activities. and has control over or authorises for one year after which registration must the processing of personal data within be renewed. Data users who require A data user must provide notice to the data commercial transactions, namely data registration fall within key industries, subject as soon as practical to notify them of users. The Act does not apply to Federal including communications, banking and the following: and State government bodies, personal financial institutions, insurance, health, •• Types of data collected data processed outside of Malaysia (unless tourism and hospitalities, transportation, intended to be used for processing in •• The purpose for collection education, direct selling, services, real estate Malaysia) and credit reporting agencies. •• Information about the data as a source and utilities. •• Data subject rights to access, request The Privacy Commissioner has introduced a correction and lodge complaints public consultation paper to introduce a data breach notification scheme. Definition of personal •• Whether the data will be disclosed to third information parties and whom The review of the PDPA commenced in late Personal data includes any information •• Ways to limit the use and processing 2018 and is expected to reach Parliament that: of the data by mid-2019 to align with global legislation •• Whether supplying the data is voluntary such as the General Data Protection •• Relates, directly or indirectly, to a data or not and what consequences will arise if Regulation (GDPR). subject. data is not provided •• The data subject can be identified or Primary legislation: Personal Data identifiable from, alone or combined Protection Act 2010 (‘PDPA’) with other information held under Use and disclosure possession of the data user. Data users should take reasonable steps to ensure that personal data is accurate, Sensitive data is personal data, which complete, not misleading and kept up to consists of: date. Personal data cannot be processed •• Information about the physical or by data users unless the data subject has mental health or condition of a data provided consent to such processing. subject. Processing of personal data occurs for: •• Political opinions. •• Contract performance, which the data •• Religious or other similar beliefs. subject is a party to or intends to enter into. •• Compliance with any other legal obligation. •• Protecting the interest of the data subject. •• The administration of justice.
Data users must not process sensitive data unless it is necessary to protect the data subject’s vital interests and where consent cannot be obtained.
Personal data cannot be disclosed without the consent of the data subject for any purpose other than or directly related to the purpose specified at the time of collection. 33 The Asia Pacific Privacy Guide
Data retention and destruction Cross-border data transfer Cases
Data users have the responsibility to take Personal data cannot be transferred outside •• 2017 – In May, a private college was reasonable steps to ensure personal data of Malaysia unless otherwise provided by charged by the PDPD for processing is either destroyed or permanently deleted the Minister upon recommendation of the personal data of a former employee if and once it is no longer required for the Commissioner and by notification published without a valid certificate of registration, purpose for which it was collected for. in the Gazette, or where one of the following which is a breach under section 16 of the conditions is met: PDPA and is the first case where a data Individual rights •• The data subject has provided consent user has been charged under the Act.
Data subjects have the right to: •• Transfer is necessary for contract •• 2017 – Malaysia’s largest data breach, affecting more than 46 million mobile •• Be informed of their rights prior to performance between the data user phone subscribers from the country’s collection and use of their personal and subject biggest mobile service provider, occurred data through notification. •• The data user has taken reasonable from 2014 and was reported in 2017. •• Access and correct personal data held by grounds and exercised due diligence to Personal data was advertised for sale on the data user. ensure personal data will not be processed the dark web and on a technology news in contravention of the PDPA website. Additionally, the personal data of •• Withdraw consent to data processing. 80,000 individuals was leaked from well- For example, data subjects may prevent •• Transfer is necessary to protect the vital known health organisations. Types of data processing where it is likely to cause interests of the data subject or is within offered for sale included mobile, home damage or distress, or where processing is the public interest as determined by and work numbers, identification card for direct marketing purposes. the Minister numbers, residential and work addresses and SIM card data. Security Regulators and regulatory landscape •• 2018 – Personal data of over 1 million Data users are required to take steps to university students and alumni from a The Personal Data Protection Department ensure personal data is protected from local university was breached through (PDPD) and the Malaysian Communications loss, misuse, modification, unauthorised or a leak online. Types of data involved in and Multimedia Commission (MCMC) jointly accidental access or disclosure, alteration this breach include names, student IDs, hold responsibility as regulators for privacy or destruction. For example, the Personal addresses, mobile phone numbers, and data protection in Malaysia: Data Protection Standard 2015 states that campus codes and names, program codes all employees must be registered if they •• MCMC is led by the Minister and course level details. process personal data. Further, data users •• PDPD is led by the Personal Data should provide sufficient guarantees to Protection Commissioner Penalties data subjects regarding the technical and organisational security measures, which will The Commissioner’s roles and Violations of the PDPA are punishable with govern data processing. In doing so, steps responsibilities involve: criminal liability and can include fines and/ must also be taken to ensure compliance or imprisonment, depending on the section •• Advising the Minister on national personal with the above and data users should of the Act breached. Where the processing data policy. consider the following: of personal data does not comply with the •• Harm likely to arise from the above •• Implementing and enforcing the PDPA. Personal Data Protection Principles in the PDPA, punishment may be imposed in the implications •• Monitoring and supervising compliance nature of a fine not exceeding RM 300,000 or with the PDPA. •• Where the data is stored in the nature of imprisonment for a term not exceeding 2 years, or both. •• Security and other measures to ensure •• Investigating complaints. reliability, integrity and competence of The Personal Data Protection Advisory personnel who have access to the data Committee also plays a role in the regulatory •• Measures to ensure secure transfer landscape by advising the Commissioner on of the data matters relating to personal data protection and the enforcement of the Act.
34 The Asia Pacific Privacy Guide
Relevant laws, regulations and standards
Standard Industry Regulator Applicability
Personal Data Protection All Commissioner Data users Standard 2015
Terminology
Terminology Definition
Any person who processes and has control over or authorises the Data user processing of personal data within commercial transactions.
35 The Asia Pacific Privacy Guide
Mongolia
The law pertaining to privacy and data Considerations Cases protection in Mongolia is limited. The •• Open data: In 2013, Mongolia 2018 – A group of hackers infiltrated a Personal Secrecy (Privacy) Act 1995 contains implemented an open government Mongolian government data centre which limited protections for the privacy of partnership initiative by joining the Open was used to compromise government individuals but only as it relates to certain Government Partnership to increase resources, including government websites. categories of information, which gives it a transparency and reduce corruption. This narrow scope. It provides protections of was followed by an open data initiative in ‘personal secrets’, which are categorised 2014 which included open data projects into information such as correspondence, across multiple government agencies. health, property, family and other secrets prescribed by law. Disclosure of that •• Organisational privacy: The Organisation information is generally prohibited except Secrets Act 1995 allows organisations to for national security purposes and to protect designate data, including personal data public health or legitimate interests. not covered in the main privacy legislation, as ‘organisational secrets’ which require protection. This law restricts their use and disclosure with associated offences for breach, indirectly creating an obligation for information security.
Relevant laws, regulations and standards
Law, regulation and Industry Regulator Applicability standard
Criminal Code of Mongolia All N/A Everyone
Information Transparency and the Freedom of All N/A Everyone Information Act
Law of Mongolia on All N/A Everyone Telecommunications
Organisations’ Secrets Act All N/A Organisations 1995
Personal Secrecy (Privacy) All N/A Everyone Act 1995
36 The Asia Pacific Privacy Guide
Myanmar
While Myanmar does not have specific Considerations Use and disclosure privacy laws, the Law Protecting the Privacy •• Government power: Prohibitions under Unless otherwise provided, no person shall: and Security of the Citizen, enacted in the Law Protecting the Privacy and March 2017, prohibits the interception of a •• Have their communication with another Security of Citizens can be bypassed citizen’s electronic communications, private person or related equipment intercepted with permission from the President correspondences and physical privacy, or disturbed. or a government body. Also, the unless otherwise warranted by an order. Telecommunications Law empowers •• Request or obtain personal This law applies to public bodies such as the Ministry of Communications and telecommunications or any the Ministry of Home Affairs (MOHA) and Information Technology (MCIT) to control other electronic data from government departments. The law is not and access information transmitted by telecommunication operators. comprehensive due to a lack of provisions telecommunication services and their to govern how personal information should •• Open, search, seize or destroy another equipment. be managed throughout the information person’s private correspondences, such as lifecycle. •• Defamation and social media: The an envelope, package or parcel. Telecommunications Law and the Law Citizens specifically should not be held under Protecting the Privacy and Security of surveillance, spied on nor investigated to the Citizens have been used, primarily by the extent that their privacy, security and/or government officials, to argue defamation dignity would be disturbed. where social media users for example have posted criticising comments in relation to the State or its officials. Regulators and regulatory landscape Relevant laws, regulations and standards The MOHA and the Ministry of Communications and Information Law, regulation and Industry Regulator Applicability Technology (MCIT) are the shared regulators standard of privacy within Myanmar and must undertake roles and responsibilities All people, departments and together to: Telecommunications organisations within the Union, and Telecommunications MICT •• Protect the privacy and security of citizens Law all Myanmar citizens outside of the from damage unless provided for by country existing law.
•• Receive and handle complaints in Terminology accordance with this law.
Terminology Definition Cases
Any Government Ministry or Department including educational 2015 – An employee from a Agency institutions and statutory body. telecommunications company was terminated after sharing a customer’s call Data Information in electronic or manual form. log outside of the company. The company pursued legal action against the ex- A person or organisation who controls or instructs another Personal Information employee for breaching her employment person or organisation to collect, hold, process, use, transfer or Controller contract and its code of conduct. disclose personal information.
37 “Privacy and data protection is about the ability to exercise autonomy and control over your personal information. Clearing the slate, and removing data collected at an earlier time, under different terms and conditions, for different purposes, is an expression of that autonomy and control.”
– John Edwards Privacy Commissioner (New Zealand)
38 The Asia Pacific Privacy Guide
New Zealand
In New Zealand, privacy is primarily regulated Considerations •• Guidelines for landlords and tenants: by the Privacy Act 1993 (‘Privacy Act’), which The Office of the Privacy Commissioner •• Tort law: Courts have developed a tort contains principles on how agencies should (OPC) has produced guidelines for where a person can sue another for collect, use, disclose, store, retain and landlords inspired by guidance from a breach of privacy. This was notably provide access to personal information. This the Canadian Office of the Privacy demonstrated in the case of Hosking v framework is comprehensive and Commissioner, which outlines what Runting (2004). The tort contains two principles-based. information should and should not be elements, which must be proven. First, collected when deciding whether an there must exist a reasonable expectation The Privacy Commissioner is currently individual will be a suitable tenant or of privacy in accordance with the facts reviewing this Act as a result of growing not. For example, the collection of bank of the case. Second, there must be concerns for protection of personal statements to determine an individual’s an occurrence of publicity, which is information in the digital environment. ability to pay rent is permissible. However, considered highly offensive to an objective The Bill is currently in its second reading. collecting bank statements to determine reasonable person. The burden of proof The Privacy Act will better align to certain money management style is unfair and rests upon the victim’s ability to prove the requirements contained within the GDPR, unreasonably intrusive. notably mandatory data breach notification. breach caused real harm, distress New offences, increased penalties and or humiliation. Definition of personal greater enforcement power for the •• Adequacy status: In 2012, the European information Commissioner will also be incorporated into Commission formally declared that the law as part of this Bill. New Zealand law provides an adequate Personal information includes any standard of data protection for the information about an identifiable Primary legislation: Privacy Act 1993 purposes of European Union (EU) law. individual, such as a name, date of This means that personal data can be birth, address, biometric information transferred from any of the 27 EU member and/or gender etc. If there is a states to New Zealand for processing reasonable chance someone could without further safeguards required. be identified from the information, However, the EU will be re-evaluating it is personal information. This also New Zealand’s adequacy status upon applies to individuals whose death amendments made to the Privacy Act. is maintained pursuant to the Birth, Deaths, Marriages, and Relationships •• Unique identifiers:Unique identifiers, Registration Act 1995, or any former Act. such as customer, driver’s licence and passport numbers, must not be assigned to individuals unless necessary for the agency to carry out any of its functions efficiently. Also, agencies are prohibited from requesting a unique identifier from an individual unless disclosure is required for a purpose related or directly related to the assignment of the identifier.
39 The Asia Pacific Privacy Guide
Collection and notice Security
Personal information can only be collected An agency is required to ensure personal information is protected against loss, misuse, where necessary for a lawful purpose and disclosure, unauthorised use or unauthorised disclosure through reasonable security directly from the individual. safeguards while considering physical, electronic, operational, transmission and destruction- related security. At the time of collection, or as soon as possible, agencies must take reasonable Individual rights steps to notify individuals of the following: •• The occurrence of collection Individuals have the right to: •• Be informed of their rights prior to collection and the intended use of their •• Purpose of collection personal information. •• Intended recipients •• Access and correct personal information held about them. •• Contact details of the collector and holder of information An agency may refuse to disclose personal information for a range of reasons. For example, if the disclosure is not authorised by the individual concerned or where the disclosure would •• Any law requiring collection, and if so, lead to a serious threat to public health or safety. whether it is voluntary or mandatory If an agency refuses to correct personal information, the individual can request a statement to •• Possible consequences if all or part of the be attached to the original information saying why correction was refused. information is not provided
• Their rights to access and correct • Data breach notification information collected and held about them Data breach notification is not mandatory. However, the Office of the Privacy Commissioner (OPC) provides guidance about responding to a data breach as best practice. This is Use and disclosure summarised in the table below.
An agency must not use or disclose personal Voluntary guidance information without taking reasonable steps to validate that it is accurate, complete, •• Reporting should occur where personal information has been relevant, up to date, and not misleading. The inappropriately accessed, collected, used or disclosed. The following agency must not use the information for a factors should be considered: purpose other than the one it was ––Legal and contractual obligations to the individual collected for. Threshold for ––Risk of harm to the individual reporting Personal information must not be ––Whether there is a reasonable risk of identity theft or fraud, disclosed unless: physical harm, significant humiliation or loss of dignity, damage to the individual’s reputation or relationships •• Associated with, or directly related to, the original purpose of collection ––Whether the individual has the ability to avoid or mitigate possible harm •• Information was obtained from a publicly available publication •• Agencies should provide notification as soon as possible so that Time frame individuals can take steps to protect themselves and regain control of •• It is directed to and approved by the their information individual concerned •• The OPC should also be notified in the event of a data breach. •• Approved by the Privacy Commissioner •• Notification should also be made directly to affected individuals by Data retention and destruction Who to notify phone, letter, email or in person.
Personal information must be destroyed •• Alternatively, if direct notification can cause further harm, indirect once its purpose for collection has notification should be made through websites, notices or media been fulfilled. Notification should include: •• Details about the incident and types of compromised personal information
•• Actions taken by the agency to control or reduce harm Content •• Steps to inform, guide and protect individuals
•• Contact information for enquiries, complaints and the OPC
•• Appropriate support when necessary e.g. advice on changing passwords 40 The Asia Pacific Privacy Guide
Cross-border data transfer Regulators and regulatory Recent cases landscape Once transferred, personal information •• 2018 – In March, the Commissioner should not be held, used or disclosed unless The PCO is the New Zealand regulator of claimed that a social media website it falls within or is directly related to the privacy led by the Privacy Commissioner. breached provisions of the Privacy Act for scope of the original purpose for collection. The Commissioner’s roles and failing to respond to an individual’s request Security controls must be in place to ensure responsibilities include: for information and cooperating with the personal information is safeguarded from •• Making public statements on investigation. The Commissioner deleted misuse or disclosure to another party. privacy matters his social media account after a decade of use, due to his privacy concerns. The OPC has the power in exceptional cases •• Inquiring and investigating matters, to restrict cross-border transfer of personal such as complaints, which may affect •• 2018 – In December, the Sensible information from New Zealand by issuing a individual privacy Sentencing Trust (SST) falsely labelled transfer prohibition notice if: a man as a convicted paedophile on its •• Endorsing and promoting website. The Commissioner referred the •• It believes the receiving party does not privacy understanding complaint to the Director of Human Rights provide protections contained within or Proceedings and publicly named the SST in comparable to the Privacy Act •• Monitoring privacy impacts of new technologies and new legislation accordance with the PCO’s naming policy •• The transfer would likely contravene the to warn the public of the SSTs inadequate basic principles set out by the OECD •• Developing codes of practice within approach to privacy. with regard to using and security specific industries and sectors personal information •• Monitoring and assessing government data matching programmes Governance
Agencies are required to appoint a privacy Relevant laws, regulations and standards officer. The privacy officer is responsible for: •• Encouraging compliance with the Law, regulation or standard Industry Regulator Applicability Privacy Act •• Dealing with requests made to the agency, Civil Defence National Public sector OPC Agencies such as access and correction Emergencies (Information Sharing) Code 2013 •• Working with the Commissioner in relation to investigations Credit Reporting Privacy Credit Reporting OPC Credit reporters Code Penalties Health Information Privacy Health OPC Health agencies The Privacy Commissioner prefers to settle Code 1994 a complaint by conciliation and mediation Justice Sector Unique Public sector OPC Justice sector agencies in the first instance. If a complaint cannot Identifier Code be settled in this way, a formal investigation may be conducted to form an opinion. Superannuation Schemes Superannuation OPC Superannuation The Privacy Commissioner does not have Unique Identifier Code agencies the power to issue a formal ruling or determination and cannot begin prosecution Telecommunications Telecommunications OPC Telecommunications proceedings or impose a fine. The proposed Information Privacy Code agencies Privacy Amendment Bill will increase the penalty for non-compliance with investigations from the Office of the Privacy Commissioner from NZ $2,000 to $10,000.
The opinion outlined by the Privacy Commissioner is not legally binding but is highly persuasive. If the opinion is that there has been an inference with privacy, the Privacy Commissioner may refer the matter to the Director of Human Rights who may then decide to take the complaint to the Human Rights Review Tribunal (HRRT). The Tribunal will hear the complaint and its decision is legally binding. It can award damages to a maximum of NZ $350,000 for breaches of privacy. The most the HRRT has 41 awarded thus far for a privacy matter is NZ $168,000. The Asia Pacific Privacy Guide
Papua New Guinea
Papua New Guinea does not presently Cases provide legislation for the regulation of Definition of personal 2018 – The PNG government announced privacy. However, the Cybercrime Code data intentions to ban its citizens from using Act 2016 exists to help regulate activities, Personal information has not been an international social media site in crimes and offences, conducted through defined. However, ‘data’ has been order to identify ‘fake users’ and study electronic systems and devices, or in other defined to include any representation the effects which the website has on its words, information and communication of facts, concepts, information (being population. Communication Minister Sam technologies (ICT). Examples of closely either text, audio, video, audio-visual Basil announced his motivation for the related offences include illegal interception, or images) machine readable code ban, which includes protecting the privacy unauthorised access or hacking and or instructions, in a form suitable for of PNG’s users of the site amidst a global data interference. processing in an electronic system or personal information data breach. Basil also device, including a program suitable to highlighted that previous privacy scandals cause an electronic system or device to involving the site demonstrate concerning perform a function. vulnerabilities for PNG citizens and residents on their personal data and exchanges when Furthermore, ‘sensitive data’ has been using social networking sites. However, the defined to include any data or content concern behind the ban is wider than the whether in writing, images, audio, visual, potential threat of data breaches themselves audio visual or in any other form: from Basil’s perspective. •• that is potentially detrimental or damaging to the person who is the subject of such information or personal data; or
•• data that is classified or intended for restricted use or specified persons only; or
•• data relating to the State, politics and the military, or corporate secrets, or data that is otherwise not available to the public.
Relevant laws, regulations and standards
Law, regulation and Industry Regulator Applicability standard
Cybercrime Code Act Organisations and All Government 2016 individuals
Protection of Private Government Communications Act Government Government agencies 1973
42 “In a disruptive era of digital transformation, a compliance-centric mindset among personal information controllers and processors would not be enough if our goal is to truly protect the digital Filipino. What we need is to institutionalise a sense of accountability and ethics in the handling of personal data in our organizations.”
– Raymund Enriquez Liboro Privacy Commissioner and Chairman (The Philippines)
43 The Asia Pacific Privacy Guide
The Philippines
In the Philippines, privacy and data Considerations Collection and notice protection is governed by the Data •• Extraterritorial jurisdiction: The Act When collecting personal information, data Privacy Act of 2012 (DPA), which provides applies to the processing of personal must be: comprehensive protections for personal information belonging to Philippine information. It is supported by the •• Collected only for a specific and legitimate citizens in and outside of the Philippines, Implementing Rules and Regulations of the purpose determined and declared. and to organisations that are based in, Data Privacy Act of 2012. In comparison to its carry out business in or process personal •• Accurate, relevant and kept up to date neighbours, the Philippines has one of the information collected or held by an entity where necessary for the declared purpose. stronger privacy regimes in the Asia Pacific in the Philippines. region. With a rapidly growing IT, digital •• Adequate and not excessive in relation to economy and population of social media •• Distinguishes between controller the declared purpose. users, the Government and privacy regulator and processor: The DPA distinguishes •• De-identified when no longer necessary has a mandate to protect the privacy of between ‘personal information controller’ for the declared purpose. individuals and ensure the free flow and ‘personal information processor’. The of information. accountability is placed on the controller The data subject is entitled to be for personal information under its informed of: Primary legislation: Data Privacy Act control or custody, including information of 2012 •• The purpose for which the personal transferred to a third party for processing. information is being collected.
•• Provisions specific to Government: •• The scope and method of processing. The Act imposes specific requirements for government entities to transmit data •• The recipients or classes of recipients to to third parties and imposes additional whom personal data will be disclosed. penalties on government officials who •• Methods to access data. breach the Act while carrying out their duties. •• The identity and contact details of the data controller.
Definition of personal •• The period for which the data will information be stored.
•• Personal information is defined as any •• Any rights the data subject may have. information, whether in material form Data subjects shall be notified and given an or not, from which the individual can opportunity to withhold consent in case of be identified by the entity holding the any changes to the information declared to information, or when put together the data subject since consent was sought. with other information.
•• Sensitive information, which is afforded additional protections, refers to personal information about an individual, such as race, ethnic origin, marital status, age, religion, philosophical or political affiliations, health, education, genetic or sexual life, legal proceeding, criminal history, social security number, health records, tax records, and classified information.
44 The Asia Pacific Privacy Guide
Use and disclosure Data retention and destruction Individual rights
Personal information must be accurate Personal data must only be retained for as The data subject is entitled to: and relevant. It must only be processed long as necessary: •• Be informed of what personal fairly, lawfully, in a way compatible with the •• To fulfil the purpose for collection information is being processed, purposes declared purpose and in a manner that and processing. for processing, scope and method of ensures appropriate privacy and security processing, retention period, information •• For the purposes of legal proceedings. safeguards. Processing of personal data shall recipients, identity of the controller, adhere to the principles of transparency, •• For legitimate business purposes. date that the data was last accessed or legitimate purpose and proportionality. modified and their rights. Personal data must be disposed securely in Processing personal information is only a way that does not allow further processing, •• Access to personal information: where lawful and permitted where the data subject unauthorised access or sharing to third the data was collected from, names has consented, or it is necessary: parties or the public. and addresses of recipients, manner •• For the processor to fulfil a contract with of processing, reasons for disclosure the data subject. The law provides for personal data to be and information about automated data stored and processed for longer periods for processing where the data will likely be the •• For the controller to comply with historical, statistical or scientific purposes sole basis for a decision affecting the legal obligations. if organisational, physical and technical data subject. security measures are implemented. Data •• To protect the data subject’s life •• Request deletion or suspension of that is aggregated and not identifiable may and health. processing or where the data subject be kept for longer than necessary to fulfil has established that their information is •• To respond to a national emergency, the purposes for which it was collected incomplete, outdated, falsely or unlawfully uphold public order and safety, or fulfil and processed. Personal data must not be obtained, being used for unauthorised functions of a public authority. retained for future use where no purpose purposes, no longer necessary for the has been determined. •• As the legitimate interests of the controller declared purposes, withdraws consent or or third parties override the data objects to the processing. subject’s rights. Security •• Be indemnified for any damage Sensitive information must not be processed Controllers must implement reasonable sustained due to inaccurate, incomplete, unless the data subject has consented, or it and appropriate organisational, physical outdated, false, unlawfully obtained or is necessary: and technical measures to protect unauthorised use of personal information. personal information from accidental or •• To fulfil rights or obligations under existing •• Data portability: the right to obtain unlawful destruction, alteration, disclosure laws and regulations. a copy of personal data undergoing or processing, natural disasters and processing in an electronic or structured •• To protect the life and health of the data human dangers. They should ensure form to allow for further use. subject or another person. implementation of safeguards to protect their computer network, such as •• To achieve the lawful and non-commercial Individual rights do not apply where the following: objectives of public organisations. personal information is used only for the •• A security policy on processing needs of scientific and statistical research, •• For purposes of medical treatment, and personal information and provided that their information is not adequate level of protection is ensured. used to determine decisions regarding the •• Identify and assess reasonably foreseeable data subject. •• For the protection of lawful rights and vulnerabilities in its networks interests of individuals. •• Take corrective mitigating action Consent to the processing of personal and against security incidents that can lead sensitive information must be freely given, to a breach specific, informed, and evidenced by written, •• Regularly monitor security breaches and electronic or recorded means. prevention processes
Sensitive personal information maintained by the Government should be secured as far as practicable, with the use of standards recommended by industry and the Commission.
45 The Asia Pacific Privacy Guide
Data breach notification Cross-border data transfer
There is a mandatory requirement to notify the National Privacy Commission (NPC) and data Private Sector subjects in the event of a data breach concerning personal information. The NPC may exempt Before sharing data, controllers must obtain a controller from notification if it is in the public interest. consent from the data subject and provide details of the transfer including relevant All data breaches should be documented through written reports, which include the facts data, recipients and the data subject’s rights. of the incident, effects of the incident and the remedial actions taken by the controller to Consent is required even when the data respond to the breach. is to be shared with an affiliate or parent company, or similar relationships. Requirements Data-sharing for commercial purposes, •• Controllers must notify the NPC and affected data subjects when including direct marketing, is to be covered sensitive information or other information is: by a data-sharing agreement, which Threshold for ––Likely to enable identity fraud. establishes adequate safeguards for data reporting ––Acquired by an unauthorised person. privacy and security. The data-sharing ––Likely to give rise to a real risk of serious harm to the data subject. agreement shall be subject to review by the Commission, on its own initiative or upon •• Within 72 hours of the knowledge of or reasonable belief that a breach Time frame complaint of data subject. has occurred. Public sector •• The National Privacy Commissioner. Who to notify Data-sharing between government agencies •• Affected data subjects. pursuant to a public function or service shall be covered by a data-sharing agreement •• Nature of the breach, chronology of events, an estimate of guaranteeing compliance with the Act, persons affected. including safeguards for data privacy and •• Type of personal data affected. security. The data-sharing agreement shall Content be subject to review by the Commission, on •• Remedial steps taken by the controller. its own initiative or upon complaint of •• Contact information of a data protection officer that may provide further data subject. information to the Commission or data subjects, Governance
A data protection officer (DPO) must be Cases designated by controllers and processors •• 2018 – A fast food company’s customer database was accessed by an unknown engaging in the processing of personal unauthorised person. The NPC’s investigation revealed that the database’s protection was information of individuals if they fall within not up to date and that some personal information was unencrypted. The NPC ordered the territorial scope of the Act. the company to: suspend data processing until its security vulnerabilities were addressed, An organisation may outsource the function submit a security plan, employ ‘privacy by design’ in its infrastructure upgrade, conduct a of a DPO. However, the designated DPO PIA and file a monthly progress report with the NPC until the issues outlined were resolved. at the controller or processor remains •• 2018 – A social media platform discovered a vulnerability on its website whereby accounts accountable and must oversee the were compromised, exposing personal and sensitive information. The company did not performance of the outsourced DPO. notify users individually as it did not consider the breach as likely to give rise to a real risk of serious harm. It instead notified users about the rectification updates through an in-app Regulators and regulatory message. The NPC considered that a real risk of serious harm was likely to result from the landscape breach. The company was ordered to: submit a more comprehensive data breach report to the NPC, notify data subjects with sufficient details of the breach and risks, provide identity The National Privacy Commission (NPC) is theft insurance and credit monitoring services, establish a help desk for assisting affected tasked with monitoring compliance with the data subjects and provide evidence of compliance of the orders. Act, responding to complaints, investigating incidents, regularly publishing laws relating •• 2018 – A fast food restaurant chain’s website was infiltrated, exposing sensitive personal to data protection, coordinating with information. The company had not notified affected data subjects at the time that it notified regulators in other countries and imposing the NPC. They were ordered to: notify affected data subjects and highlight the risk of identity administrative penalties. fraud, conduct a privacy impact assessment (PIA), explain to the NPC why it should not take action against the company for its failure to notify the affected data subjects within 72 hours and provide materials to aid the NPC’s investigation including its privacy policy and existing security recommendations that had not been implemented before the breach was discovered.
46 The Asia Pacific Privacy Guide
Penalties
A violation of the data privacy provisions may attract financial penalties and/or terms of imprisonment. For example, the processing of personal information without consent or authorisation under law can lead to a penalty of up to PHP 2,000,000 or a term of imprisonment between one to three years, and PHP 4,000,000 or a term of imprisonment between three to six years for unauthorised processing of sensitive information.
Relevant law, regulation or standard
Law, regulation or standard Industry Regulator Applicability
Implementing Rules and All National Privacy Controllers and processors Regulations of the Data Commission of personal information Privacy Act
NPC Circular 16-01 – Security Public National Privacy Government agencies of Personal Data in sector Commission Government Agencies
Terminology
Terminology Definition
Consent Freely given, specific and informed indication of will.
An individual whose personal, sensitive personal, or privileged Data subject information is processed.
A person or organisation who controls the collection, holding, processing or use of personal information, or instructs another person or organisation to collect, hold, process, use, transfer or disclose Personal personal information on his or her behalf. information controller Excluding: a person or organisation who is following instructions of another person or organisation and individuals who collect, holds, process or use personal information in connection with the individual’s personal, family or household affairs.
Personal Any natural or juridical person to whom a personal information information controller may outsource the processing of personal data pertaining to processor a data subject.
The Rules Implementing Rules and Regulations of the Data Privacy Act of 2012.
47 “We believe that the commercial value in data requires that it be properly safeguarded and when data is shared, the right practices are adopted. If not properly handled, loss or misuse of customers’ personal data can lead to disastrous consequences for commercial reputation and sometimes even legal consequences. The preferred approach is to work with like-minded countries to establish good standards and to build stable and trusted bridges upon which data can travel.”
– Tan Kiat How Commissioner of the Personal Data Protection Commission (Singapore)
48 The Asia Pacific Privacy Guide
Singapore
As an innovation hub, Singapore is quick to Considerations adopt new technologies and has recognised Definition of personal •• Proposed mandatory data breach the need to balance an individual’s privacy information notification law: A mandatory breach with business innovation. Singapore has notification scheme has been proposed The PDPA defines ‘personal data’ as data a comprehensive privacy framework to be introduced through an amendment about an individual, living or deceased, governed by the Personal Data Protection to the Personal Data Protection Act. There who can be identified: Act 2012 (PDPA), supported by additional is currently no proposed date for the •• From that data, or from other data to regulations, such as the Personal Data introduction of the scheme. The intention which the organisation has or is likely Protection (Enforcement) Regulations and to introduce a mandatory scheme follows to have access to. Personal Data Protection Regulations. The a review of the state of the current laws to public sector is governed by a separate •• Whether the data is true or not. address the evolving needs of businesses framework that closely follows the PDPA. and individuals after several high-profile The Singaporean government is currently The PDPA does not apply to: data breaches. in the process of reviewing its current •• Personal data within a record that has privacy framework and is expected to •• Data portability: A discussion paper been in existence for at least make amendments to the law, such as the was released by Singapore’s Personal 100 years. introduction of a mandatory data breach Data Protection Commission and the •• Personal data about an individual who notification requirement. Competition and Consumer Commission has been deceased for more than of Singapore detailing the need to facilitate 10 years. Primary legislation: Personal Data data flows between service providers Protection Act 2012 (PDPA) which will give greater rights to individuals. •• Business contact information for business purposes. •• Data protection in the public sector: The public sector is subject to similar standards as the private sector. The Public Sector (Governance) Act 2018 and the Collection and notice Government Instructions Manual contain Personal data should only be collected measures to govern protection of personal where consent has been provided and it is data, which are aligned with the PDPA. for a purpose a reasonable person would consider appropriate in the circumstances. The individual must be notified of the purpose of collection.
However, consent is not required where the collection is: •• Necessary for national interest.
•• In response to an emergency.
•• Necessary for a purpose clearly in the interest of the individual.
•• Solely for artistic or literary purposes.
An organisation must make a reasonable effort to ensure that the collected personal data is accurate and complete. This is especially important if the personal data is used by the organisation to make a decision that may affect the individual or it is disclosed to another organisation.
49 The Asia Pacific Privacy Guide
Use and disclosure Data retention and destruction Individual rights
Personal data can only be used and An organisation must not retain personal Individuals have the right to: disclosed in accordance with the purpose it data, or ensure steps are taken to de-identify •• Be notified of collection, use or was collected for and where it is a purpose the data, as soon as it can be reasonably disclosure of their data for a a reasonable person would consider assumed that retention of the data no longer particular purpose. appropriate in the circumstances. The serves the purpose it was collected for, or individual must provide consent for the use any business or legal purpose. •• Withdraw their consent by giving and disclosure. reasonable notice to the organisation. Although the PDPA does not prescribe •• Access their personal information: upon An individual may be deemed to consent for specific retention period of personal data, request, an organisation must provide a purpose if they have voluntarily provided there may be specific industry-standard access to the individual’s information, personal data for that purpose and it is requirements that may apply. in addition to details about how the reasonable that data would be provided in information is used or disclosed, as soon that instance. Security as reasonably possible. An organisation must protect personal Direct marketing •• Correct their personal information: data, within their possession or control, The PDPA applies to all marketing activities, upon request, an organisation must with adequate and reasonable security such as electronic marketing, which involve correct any error or omission in an arrangements to prevent the unauthorised the collection, use or disclosure of personal individual’s data, where that data is in the access, collection, use, disclosure or similar data. If an organisation conducts any possession or control of the organisation, risks. However, the PDPA is not prescriptive telemarketing activities, they must also and without charging a fee for the in the particular security measures that abide by the Do-Not-Call (DNC) provisions of correction. If the organisation is unable to are required. the PDPA. correct the personal data within 30 days, individuals should be informed within When sending marketing communications 30 days. to a Singaporean telephone number, Data breach notification an organisation must obtain clear and unambiguous consent from the individual There is no mandatory notification requirement for data breaches. However, the Personal prior to sending the communications. Data Protection Commission (PDPC) has provided guidelines for the voluntary notification of Evidence of the individual’s consent must be data breaches. available for easy reference. When consent In the event of a suspected data breach, an individual may make a complaint to the PDPC or is not obtained, organisations must check initiate civil action against an organisation. the telephone number is not listed on the DNC Register, which is managed by the Commission. When contacting individuals, Voluntary guidance the organisation must identify themselves and provide clear, accurate and up to date •• Organisations should conduct an assessment of the breach within 30 days of Threshold becoming aware of a potential breach. contact information. Individuals may apply for • Where the breach might cause public concern and where there is a risk of to the Commission to add or remove their reporting • telephone number from the DNC Register. significant harm to a group of individuals.
The PDPA will apply to marketing messages •• Organisations are advised to report to the PDPC as soon as practicable and when the sender of the message was or no longer than 72 hours after establishing the breach is likely to result in Time is present in Singapore at the time the significant harm to individuals. frame message was sent, and when the recipient of •• If sensitive information is involved, organisations are advised to the message was or is present in Singapore report immediately. when the message was accessed. •• Individuals whose personal data may have been affected by the breach. Who to The Spam Control Act (SCA) regulates •• The PDPC. notify electronic marketing activities. This includes •• Any other third parties affected, e.g. banks, credit card companies, or police. the sending of unsolicited commercial communications in bulk, using electronic •• Extent of the data breach. mail, SMS or MMS. •• The type of personal data affected. •• The amount of personal data affected. •• The cause or suspected cause of the data breach. •• Steps the organisation has taken to manage the risk and/or rectify Content the breach. •• Information on whether individuals have been notified. •• Further steps to be taken by the organisation. 50 •• Contact information of a person that affected persons or the PDPC can contact for further information. The Asia Pacific Privacy Guide
Cross-border data transfer Penalties
Cross-border data transfer is allowed if the A violation of any of the data protection provisions by an organisation can attract a fine of up offshore third party has comparable privacy to SG $1 million. There are further penalties for violations of the Do-Not-Call provisions, which protections in place. This can be achieved by may also attract a term of imprisonment. data transfer agreements or consent from the individual. Exemptions to the PDPA may Relevant laws, regulations and standards be granted by the PDPC. Law, regulation, Industry Regulator Applicability Governance standard
An organisation is required to appoint one Computer Misuse Commissioner of Individuals and All or two DPOs to be responsible for ensuring Act Police organisations compliance with the privacy laws. The DPO is not required to be a citizen or resident of Applies to 11 vital Singapore, but it is recommended that they sectors, such as Critical information energy, information Cybersecurity infrastructure are contactable from Singapore, available Cybersecurity Act during Singapore business hours and have communications, Commissioner organisations and data a Singapore telephone number. The contact health care and users information of the DPO must be financial services. publicly available. Personal Data Protection Personal Data Organisations and data Regulators and regulatory (Composition All Protection users landscape of Offences) Commissioner Regulations 2013 The Personal Data Protection Commission (PDPC) has the power to: Personal Data Personal Data •• Prohibit the collection, use or disclosure of Protection (Do Organisations and data All Protection personal data that breaches any provision Not Call Registry) users Commissioner of the Act. Regulations 2013
•• Destroy personal data that has been Personal Data Personal Data collected in breach of the provisions of Protection Organisations and data All Protection the Act. (Enforcement) users Commissioner Regulations 2014 •• Refuse the right to access or correct personal data. Personal Data Personal Data Organisations and data Protection All Protection •• Enforce financial penalties (not exceeding users Regulations 2014 Commissioner SG $1 million). Personal Data Personal Data Protection Organisations and data Cases All Protection (Appeal) users Commissioner •• 2018 – Hackers stole sensitive health Regulations 2015 records of 1.5 million hospital patients and 160,000 outpatient prescription records. Public Sector Minister for A financial penalty of SG $250,000 was (Governance) Act Public sector Communications and Public sector agencies imposed on the healthcare institution 2018 Information for failing to make reasonable security Infocommunications arrangements to protect personal data. Spam Control Act All Media Development Organisations 2007 •• 2018 – A sports association was fined Authority SG $30,000 for unauthorised disclosure of personal data. It was found that the national identification numbers of up to 782 minors was published in a document on the association’s website. The identification numbers could be used to identify individuals when the contents were copied and pasted onto another document.
51 The Asia Pacific Privacy Guide
South Korea
As a data-driven economy and world Considerations Collection and notice leader in information communications and •• Embracing technology: South Korea is Personal information can be technology, South Korea has one of the most embracing and developing technology, collected where: comprehensive privacy frameworks, which such as big data, artificial intelligence, contains principles and policies to protect •• Consent has been provided by a autonomous objects, virtual and personal information and provide rights to data subject. augmented realities, IoT and robotics. data subjects. •• Required by law. •• Global influences: South Korea aims Privacy is regulated by the Personal to align its privacy framework to global •• Required for the processor to carry out Information Protection Act 2011 (‘PIPA’), standards by seeking the adequacy status work under laws and regulations. which is comprehensive, principles-based from the European Commission to be able •• Necessary to execute and perform a and applies to personal information to freely transfer information between contract with the data subject. processors (‘processors’). South Korea and the EU. •• Necessary for the protection of the data Primary legislation: Personal Information •• APEC: In 2017, South Korea became part subject or a third party, such as a legal Protection Act 2011 of the APEC Cross-Border Privacy Rules representative, from danger to life, body or System, designed to strengthen regional economic profits. privacy law enforcement. Processors must establish a personal information processing policy, such as Definition of personal a privacy policy, and disclose it to data information subjects as well as making it available for •• Personal information pertains to public access. a living person and can be used to identify an individual. Examples When obtaining consent, data subjects must of personal information include a be provided with notice of the following, person’s name, image or resident including where modified, in an explicitly registration number. Information will recognisable manner: also be considered personal if it can •• Purpose of and use for collection. be combined with other information •• Types of information collected. to identify a specific individual. •• Period for use and retention. •• Sensitive data includes information such as, and related to, an ideology, •• Right to refuse consent and any belief, membership of a trade union implications arising from refusal. or political party, political mindset, health and sexual life. Sensitive data also includes any other personal information which is likely to cause harm to the privacy of a data subject.
52 The Asia Pacific Privacy Guide
Use and disclosure Data retention and destruction Security
Processors must process personal Personal information must be kept up-to- Processors must prevent personal information: date, complete and accurate. If the processor information from loss, theft, forgery, •• In a lawful and fair manner. is required by law to retain the information, disclosure, alteration, damage and they must store and manage that particular destruction by implementing technical, •• In accordance with the specified and information separate from other managerial and physical measures, such as: intended purpose. personal information. •• Controlling access and restricting authority to access Provided the information is unidentifiable Processors must destroy the information and consent was provided for an intended without delay once the intended purpose •• Adopting encryption technology purpose, exceptions apply where: has been fulfilled or when the information is •• Installing, maintaining and upgrading no longer necessary. security programs, storage and locks •• The purpose is likely to infringe upon the data subject’s interests. •• Developing an internal management plan •• Preserving log-on records •• It is required for legal proceedings or used as part of statistics and/or academic Data breach notification research. Data breach notification is a requirement which processors must adhere to, as provided by Provided the information is unidentifiable the PIPA. and consent was provided for that purpose. Requirements Personal information must be used with the aim to: •• Processors must notify the Minister of Public Administration and Threshold for •• Minimise the possibility of infringing the Security (MPAS) and aggrieved data subjects once becoming aware reporting data subject’s rights. that personal information has been leaked.
•• Maintain trust between data subjects. •• Processors must provide notification without delay. This is interpreted to be “within five days” under regulatory guidance, Sensitive data except for certain sectors that provide their own specific reporting Time frame Sensitive data cannot be processed unless: requirements. For example, information and communication service •• Explicitly required or permitted by laws providers (‘ICSP’) must notify the Communications Commissioner and regulations; or within 24 hours.
•• Consent has been obtained •• MPAS Who to notify •• Aggrieved data subjects Direct marketing Data subjects must be notified if personal •• Notification must include: data will be used to promote or sell goods ––The kind of information leaked or services. ––When and how the information was leaked Individual rights ––Remedies which can be undertaken by the data subject to Content minimise damage Data subjects have the right to: ––Countermeasures and remedial procedures to be undertaken •• Be informed of their rights and how the by the processor information will be used. ––Details for contact points, such as a help desk, to •• Request access, correction and erasure report damage to their personal information.
53 The Asia Pacific Privacy Guide
Cross-border data transfer Regulators and regulatory landscape Personal information can only be shared with third parties where any one of the The Personal Information Protection following conditions has been satisfied: Commission (PIPC) is the primary regulator •• Where consent has been provided by a for privacy within South Korea. data subject. The PIPC is responsible for: •• Where required by law. •• Protecting personal information.
•• Where required for the processor to carry •• Ensuring personal information is fairly out work under laws and regulations. collected and legitimately processed.
•• Where necessary to execute and perform •• Monitoring data protection violations. a contract with the data subject. •• Mediating to redress damage caused •• Where necessary for the protection of by violations. the data subject or a third party, such as a legal representative, from danger to life, •• Ensuring data protection laws are properly body or economic profits. interpreted and applied.
When transferring personal information to Cases third parties, processors must inform the data subject of the recipient, purpose for •• 2014 – A travel agency used personal sharing, type of personal information information for commercial purposes shared, period of use and retention, and without the data subject’s consent and was individual rights. ordered to pay ₩300,000 as compensation for mental distress, and advised to provide For the purposes of transferring personal an educational program to employees information across borders, processors about personal information of customers. must obtain explicit consent from the data •• 2015 – After completing a consent form subject and must not enter into contracts for his spouse, Mr X discovered that the contrary to the PIPA. hospital collected his resident registration number, which was prohibited under Governance the PIPA, unless specifically permitted The processor concerned must designate a by a relevant law or for urgent needs of privacy officer, who is responsible for: the data subject, Mr X, or a third party. The hospital was required to correct its •• Protecting, controlling and managing consent form to conform with the PIPA personal information and implement a plan to prevent •• Establishing and implementing personal reoccurrence through privacy awareness information protection plans educational programmes.
•• Surveying processing practices and improve shortcomings regularly Penalties
•• Managing complaints Fines of up to 100 Million and imprisonment of up to 10 years may be •• Building internal controls systems issued as punishment for breaches within •• Preparing and implementing the Act primarily by the Ministry. However, education programmes other bodies, including the PIPC, may undertake enforcement activities. •• Taking and reporting immediate corrective measures, if necessary. For data breaches caused by intentional or negligent violations of information and communications services providers, data subjects may claim compensation of up to 3Million.
54 The Asia Pacific Privacy Guide
Relevant Laws, regulations and standards
Law, regulation or Industry Regulator Applicability standard
Act on the Development of Cloud Computing and Minister of Science, ICT and Future Commercial cloud All Protection of its Users Planning computing service providers 2015
Act on Promotion of Information and Information and Information and Korean Communications Communications Network communications service Communication Commission (KCC) Utilization and Information providers Protection 2001
Act on the Protection Location information and Use of Location All KCC businesses Information 2010
Credit Information Use Financial services Financial Services Commission Credit information providers and Protection Act 1995
Enforcement Decree of the Act on Promotion Information and of Information and Telecommunications KCC communications service Communications Network providers Utilization and Information Protection
Enforcement Decree of Ministry of the Interior and Safety, the Personal Information Data controllers and All Personal Information Protection Act (Presidential Decree processors Commission (MISPIPC) No.28355)
Personal Information Data controllers and All MISPIPC Protection Act 2011 processors
Terminology
Terminology Definition
Data subject An individual identifiable by/the subject of information processed.
Information and Licenced telecommunications business operators and other persons who provide information communications or act as an intermediate to provide information commercially by utilising services provided by a services providers telecommunications business operator.
Personal Public institutions, legal persons, organisations or individuals that process personal information information directly or indirectly for official or business purposes. processor
The collection, generation, connecting, interlocking, recording, storage, retention, value-added Processing processing, editing, retrieval, output, correction, recovery, use, provision, disclosure or destruction of personal information and other similar activities.
Information pertaining to data subjects’ ideology, belief, trade union / political membership, Sensitive data political opinions, health, sexual life or other personal information likely to infringe privacy.
55 The Asia Pacific Privacy Guide
Sri Lanka
There is a growing need to protect personal Considerations Regulators and regulatory information for individuals in Sri Lanka with landscape •• Digital identities: A national digital an increasing population that is able to identity scheme, incorporating electronic The Information and Communication access the internet and social media. identity cards and passports, concerning Technology Agency (ICTA) is responsible for: Sri Lanka does not currently have a specific primarily biometric data, was launched in privacy regime, however there are a •• Overseeing e-laws and helping to regulate 2019 to enable citizens to transact securely number of laws in place to govern the use electronic data and documents within online, help prevent identity fraud and of electronic records and communications. electronic transactions; and other related scams. Although the Sri Lankan Constitution does •• Implementing data protection policies for not provide explicit reference for a right to •• Internet and social media use: Currently, the future privacy, the Telecommunications Minister 34% of the population use the internet. has confirmed that a Data Privacy Act will be This amounts to 7.13 million people, of introduced to Parliament in 2019.9 which 6.2 million are active social media users. As social media use increases, the need for greater governance is also required. It is not uncommon for access to social media to be blocked.
•• Privacy reform: The ICTA is looking to adopt a data protection code of practice under the existing Information Communication Technology Act 2003. However, no timeframe has been provided for when this will occur. There are also plans to enact a Cyber Security Act and a Data Protection Act (DPA) while also establishing a high level security agency for Sri Lanka and empowering the Sri Lanka Computer Emergency Readiness Team (SLCERT) within 2019.
9 https://economynext.com/Sri_Lanka_ 56 data_privacy_bill_to_parliament_in_three_ months-3-13895-10.html The Asia Pacific Privacy Guide
Relevant laws
Law Coverage/ industry Regulator Applicability
Minister in charge of Computer Crimes Act 2007 Cybercrimes Data subjects Science and Technology
Electronic Transaction Electronic contracts and N/A Originators and addressees Act 2006 certification services
Information and Communications Technology All ICTA ICTA Act 2003
Right to Information (RTI) Right to Information Act 2016 All Citizens Commission
Telecommunication The Telecommunication Telecommunication Telecommunications officers Regulatory Commission of Act 1996 transmissions and operators Sri Lanka
Terminology
Terminology Definition
Addressee The person intended by the originator to receive the communication.
Citizen A body, whether incorporated or unincorporated.
Operator A person authorised by license to operate a telecommunication system.
A person, by who or on whose behalf, the communication purports to have been sent or Originator generated prior to receipt or storage.
Telecommunications Any person employed, permanently or temporarily, in connection with any officer telecommunication service provided by an operator.
57 The Asia Pacific Privacy Guide
Taiwan
In Taiwan, personal information is protected Considerations under the Personal Information Protection Definition of personal •• Increasing discourse and public Act (PIPA) and is enforced by industry information awareness of privacy rights: The Ministry regulators and local government authorities. of Justice is currently considering the •• Personal information is defined as The law applies to private entities as well as interaction of privacy rights and big data. any information that may be used to government bodies. Even though the benefits of big data identify a natural person, directly or indirectly. It includes: the name, date When drafted, the PIPA considered the have been recognised, there is a struggle of birth, ID card number, passport European Union Data Protection Directive to balance the increasing awareness of number, characteristics, fingerprints, (Directive 95/46/EC). Taiwan recently joined privacy rights and the desire to control marital status, family, education, the Asia-Pacific Economic Forum’s Cross how personal information is being used occupation, medical record, medical Border Privacy Rules system, making it only by organisations. There is ongoing debate treatment, genetic information, sexual the 7th APEC member to do so. regarding whether data subjects have the right to opt out of having their de-identified life, health examination, criminal Primary legislation: Personal Information information used by organisations to record, contact information, financial Protection Act perform analysis. conditions and social activities.
•• GDPR: The extra-territorial reach of GDPR •• The PIPA recognises a special has, as with many other countries, a category of personal information that significant effect on businesses in Taiwan. must not be collected, processed Taiwanese exports to the EU amounted or used, which includes medical to US$7.07 billion in the first quarter of records, medical treatment, genetic 2018, and imports from the EU amounted information, sexual life, health to US$7.64 billion. As such, there is a examination and criminal records. significant relationship with European However, there are exceptions that businesses. In particular, the technology may apply in limited circumstances. industry will need to re-examine their privacy laws to ensure a similar standard is upheld. Collection and notice
•• Establishment of Personal Data Personal information should only be Protection Office: In 2018, the National collected if it is: Development Council established the •• Respectful of the rights and interests of Personal Data Protection Office. The the data subject focus of the office will be to address GDPR •• Following the principle of ‘bona fide’ issues and coordinate with the relevant authorities. It is also working towards •• Reasonable and fair obtaining an adequacy decision from the • Limited to the purpose of collection European Union for having an adequate • level of protection for cross-border When collecting personal information, transfer of personal data between the the organisation is required to inform EU and Taiwan. data subjects of the organisation’s name, purpose of collection, classification of data, uses of data, the data subject’s rights and consequences if they choose not to provide the personal information.
58 The Asia Pacific Privacy Guide
Use and disclosure Data retention and destruction Individual rights
Personal information must only be used Personal information may be retained while Data subjects have the right to: by businesses if it is in compliance with the the purpose of processing or use exists, •• Access their data: including review, copy specific purpose of collection, and should or during the term of use. The information and add to or correct their data. The comply with one of the following: can be retained after this period if consent organisation is obligated to do this unless •• It is in accordance with law is provided in writing, it is necessary for there is a national security concern, it is a performance of job duties or statutory duty for a government agency, •• There is a contract or a quasi-contract with legally required. or there is material interest of the data the data subject processor or third party. •• Voluntarily provided by the data subject or Security •• Object to processing of their data: the data has been lawfully made public Agencies must ensure the security of They can ask the organisation to cease •• Used for research by an academic personal data to prevent it from being collection, processing and use of data. research institution or used for public stolen, altered, damaged, destroyed, lost or •• Request deletion of data: if the purpose interests on statistics by a government disclosed. Some guidance is provided in the for processing no longer exists, data agency (however, the information must be PDPA Enforcement Rules for considerations subjects can request their data be deleted, de-identified) to be made for security measures, such as unless it is necessary for a government mechanisms to evaluate risk and manage •• Consent has been obtained agency’s function, or the individual personal data, mechanisms to respond consents to their data being retained. •• Does not harm the rights and interests of to data breaches, internal procedures for the data subject collection, processing and use of data, •• Make a complaint to data protection information security and personnel, and authorities about misuse of their Government agencies must only process education and training. personal information. personal information for a specific purpose and in compliance with at least one of the following: Data breach notification
•• Consent has been obtained While there is no requirement under the PIPA to notify the regulator for breaches of personal •• Does not harm rights and interests information, there are notification requirements under sectoral laws including for the government, financial and telecommunications sectors. •• Processing is within scope of job functions provided by laws and regulations Under the PIPA, there is a mandatory requirement to notify data subjects affected by a data breach. However, there are specific exceptions to the above processing requirements for agencies, such as if processing is necessary for public Requirements interest or to prevent harm on rights and •• If a data breach has occurred, the breach must be investigated and interests of other people. reported to the data subject by mail, email, fax, or in an advertisement.
When disclosing to third parties, •• There is no requirement to inform any regulator of a data breach organisations are required to ensure the occurring under the PIPA. Note, that regulators may require notification protection of personal information. If separately: information is shared to third parties, the Threshold for ––Financial Supervisory Commission requires organisations to organisation and third party are both liable reporting notify in case of a breach that may affect business operations or for data breaches by the third party. many customers. Direct marketing ––Ministry of Health and Welfare requires notifications if there is a Direct marketing may only be conducted breach related to biobanks. with consent, and an opt-out mechanism ––Ministries of the Interior and Economic Affairs also have must be in place should the user no longer notification requirements. wish to take part. Individuals must be Time frame •• No strict time frame – after investigation of the incident. informed of their right to object to use of their personal information for •• Affected data subjects. marketing purposes. Who to notify •• Regulator is not required to be notified.
•• The occurrence of a data breach.
Content •• Steps that have been taken by the organisation or government agency to resolve the incident.
59 The Asia Pacific Privacy Guide
Cross-border data transfer Cases Penalties
Cross-border transfers are generally •• 2017 – The FSC investigated an insurance Regulatory bodies are able to enforce the permitted. There are no data transfer agency that mailed personal information PIPA on private sector organisations by agreement requirements. However, the to third parties unintentionally, and found ordering them to remedy violations. If this following exceptions apply: that this was caused by errors in the does not occur, administrative fines up to •• Biological specimens in a biobank software used to send notices. A penalty NT$200,000 may be imposed. Criminal was given (NT$50,000 for the organisation sanctions may be imposed in exceptional •• International transmission of biobank data and responsible party) for failure to report cases, such as where a person makes an must be approved by the the breach in the required timeframe. unlawful profit for himself or a third party relevant authority by illegally changing or deleting personal •• 2017 – An insurance agency was found to information files. This violation may attract •• Financial Supervisory Commission be non-compliant, being penalised by the imprisonment of up to 5 years or a fine of up approval is required to outsource FSC for failure to inform data subjects in to NT$1,000,000, or both. retail operations accordance with notification requirements •• Telecommunications providers cannot when collecting their information. transfer data to China •• 2018 – A large bank was fined NT$2,000,000 by the FSC for a data breach If one of the following has occurred when the caused by a failure in the internal control non-government agency transmits personal system to maintain information security, information internationally, the government which allowed for administrator access to authority in charge of the subject industry be broad and not properly managed. may limit its action where: •• It involves major national interests. Relevant laws, regulations and standards •• National treaty or agreement specifies otherwise. Law, regulation or Industry Regulator Applicability •• The country receiving personal information standard lacks proper regulations towards the protection of personal information and it Act Governing Financial Electronic payment might harm the rights and interests of Electronic Payment Banking and Finance Supervisory institutions as defined the party. Institutions Commission under the Act Employment Service •• International transmission of personal All Ministry of Justice All information is made through an indirect Act method in which the provisions of this law Banks, insurance Financial may not be applicable. Financial Holding companies and Banking and Finance Supervisory Company Act securities firms under Commission Governance the Act
Agencies are not required to appoint a data Freedom of Government agencies protection officer. However, government Government Public sector Ministry of Justice disclosing personal agencies are required to hire personnel for Information Law information the security and maintenance of files. Human Biobank Ministry of Health Medical and Sciences Biobank operators Management Act and Welfare Regulators and regulatory landscape Any institution in Ministry of Health which physicians There is no single regulatory agency to Medical Care Act Medical and Welfare conduct the practice oversee and enforce the provisions of the of medicine PIPA. However, the Ministry of Justice is tasked as the drafting and interpreting Pharmaceutical Affairs Ministry of Health Pharmaceutical Medical and Sciences agency of the PIPA in order to provide Act and Welfare organisations guidance for other supervisory agencies and regulators to enforce the provisions.
60 The Asia Pacific Privacy Guide
Terminology
Terminology Definition
Person or public/private legal entity that controls collection, storage, Data users processing or use of personal data.
Actions to record, input, store, compile, correct, duplicate, retrieve, Data processing delete, output, connect or internally transmit information to establish or use a personal information file.
Data use Any other personal information use not defined under data processing.
Agency or administrative juridical person at central or local government Government agency level which may exercise sovereign power.
Non-government All persons, juridical persons or groups other than those that are agency government agencies.
Organisation Refers to any non-government agency or government agency.
61 The Asia Pacific Privacy Guide
Thailand
After much anticipation, and nearly a decade Considerations of proposed privacy legislation being on Definition of personal •• Extraterritorial reach: Data controllers the agenda, the Personal Data Protection data and data processors will be subject Act is now effective from 27 May 2019. to the PDPA where their processing •• The PDPA defines personal data as Organisations will be given one year to activities relate to the offering of goods any data that can directly or indirectly become compliant with the legislation. This or services, or monitoring of behaviour of identify a living person. legislation will provide a comprehensive data subjects in Thailand, even where the framework for privacy governance, with •• ‘Sensitive data’ is recognised as a controller or processor is not located themes largely drawn from the GDPR. special category of personal data with in Thailand. additional protections. It includes Thailand also has sector-specific privacy laws •• Government surveillance: The National data relating to ethnicity, race, political and regulations which provide protection for Legislative Assembly has also recently opinions, religious or philosophical specific types of information, such as approved a draft Cybersecurity Act that beliefs, sexual behaviour, criminal credit information. provides obligations for organisations records, health records, genetic to protect information, particularly data, labour union membership and Primary legislation: Personal Data organisations dealing with critical biometric data. Protection Act information infrastructure. It aims to address cyber threats and Use and disclosure national security. Personal data must only be used for the •• Digitisation: The current vision for purpose or purposes it was collected. In Thailand’s economic growth, called addition, a data controller must receive ‘Thailand 4.0’, pushes for a move towards consent from a data subject for the use or a digital economy. Part of this initiative disclosure of their information. Consent involves amending the Electronic must be express and given in writing or Transaction Act for e-signatures and a through electronic means. Consent is not Digital ID Bill for digital authentication. required where use or disclosure of personal data is: Collection and notice •• For a benefit relating to planning, Collection of personal data should be statistic or making consensus by restricted to data that is necessary, lawful government agencies. and relevant to the activities of the •• For the benefit of investigation by officials data controller. in accordance with law.
The collection of sensitive data without •• To prevent danger to a person’s life consent is prohibited, unless it is: or health. •• Necessary to prevent harm to life, body •• Data that has been lawfully disclosed to or health. the public. •• Necessary to comply with laws for public •• Prescribed by law, court or interest in health care or labour protection. Ministerial Regulation. Before or at the time of collection, the data •• Third parties receiving personal data from controller must provide notification to data controllers can only use or disclose individuals. Notification must include: the the data in accordance with the purpose or purpose of collection, the type of personal purposes given at the point of collection. data collected, period of retention, who personal data may be disclosed to, rights of the data subject and contact information of the data controller. 62 The Asia Pacific Privacy Guide
Data retention and destruction Data transfer Regulators and regulatory landscape Personal data must be destroyed when: A controller can only transfer personal data •• No longer legally required to be retained; to foreign countries when: The Personal Data Protection Committee’s •• The PDPC has determined that the country (PDPC) roles and responsibilities will involve •• It is no longer relevant or necessary for the or organisation has adequate personal tasks such as preparing a strategic plan to purpose of collection; or data protection measures (to be defined promote data protection, providing advice •• The data subject has withdrawn consent. by the PDPC). on compliance with the law, performing prescribed duties under the law, prescribing However, destruction is not required under •• The transfer complies with cross border measures or guidelines, interpreting and certain conditions, such as where it is kept transfer guidance provided by the PDPC. deciding on issues, enforcing the law and to prove a legal claim, or it is necessary for imposing penalties. However, there are exceptions, such as freedom of information, public interest or where the transfer: compliance with a legal obligation. In addition, there will be a supporting •• Of personal data is required by law. body acting as an expert committee. Their roles and responsibilities involve tasks Individual rights •• Has been consented to by a data subject such as considering complaints made and they have been informed of the Data subjects have the right to: under the PDPA, investigating alleged receiving country’s lack of adequate violations, mediating disputes, performing •• Be informed of their rights prior to the privacy protections. collection and use of their data. prescribed duties under the law, imposing •• Is necessary for the performance administrative penalties, and issuing •• Request access to their personal data of contract. orders to controllers or processors for remedial action. •• Data portability: data subjects can ask •• Is in accordance with an agreement for a copy of their data in a widely used between a controller and another entity format such that it may be processed in for the benefit of a data subject. Cases an automated method, unless it is not •• 2018 – The identity documents of around technically feasible. •• Is necessary to prevent damage to life, body, or health of the data subject or 45,000 customers of a mobile network •• Request erasure when the controller other persons. were found to be stored on a public- does not comply with PDPA. Data subjects facing storage service. The Thai National can request that their personal data be •• Is necessary for substantial public Broadcasting and Telecommunications deleted, destroyed, temporarily suspended interest purposes. Commission ordered the company to or anonymised. compensate customers for damage Governance suffered as a result, in accordance with civil Security and criminal laws. Data controllers and processors are An organisation must implement required to appoint a data protection •• 2018 – Two major banks reported that a appropriate security measures to prevent officer (DPO) when: total of 123,000 customers had their data stolen by cyber attackers. Following this loss, unauthorised access, use, alteration •• Collection, use or transfer of personal data or disclosure of personal data. The security involves regular monitoring of personal incident, the Bank of Thailand instructed measures must be reviewed when necessary data or systems, i.e. most organisations all Thai banks to focus on uplifting cyber or when technology changes to ensure with an online presence. security policies and create compensation appropriate level of security is maintained. regimes for financial damage stemming •• Personal data is processed on a from data breaches. large scale. Data breach notification •• Their core activities involve processing of Penalties Under the PDPA, there is a mandatory sensitive data. requirement to report data breaches to the Non-compliance with the PDPA can Personal Data Protection Committee (PDPC) amount to: and notify data subjects. The PDPC has yet •• Administrative fines (up to THB 5 million). to publish guidance on the reporting of data breaches. •• Criminal penalties for directors held personally liable for non-compliance Further, certain sectors and industries have (imprisonment up to one year and/or fines specific notification requirements, such as up to THB 1 million). for electronic payment service providers and •• Punitive damages. telecommunication operators. Example of penalty: The unlawful collection of personal data causing damage to another person may attract a penalty of up to THB 300,000 and/or 6 months imprisonment for the individual responsible. 63 The Asia Pacific Privacy Guide
Relevant laws, regulations and standards
Law, regulation or standard Industry Regulator Applicability
National Broadcasting and Television Sound and television Telecommunications Telecommunications Business Operation Act 2008 broadcasting businesses Commission
Credit information Credit Information Business Credit Information Financial companies, data controllers Act 2002 Protection Committee and processors
Financial Institutions Act Financial Ministry of Finance Financial businesses 2008
Notification on the Electronic Transactions Commission on Policy and practice Statement Public sector N/A Government agencies on Personal Data Protection of a Government Agency B.E. 2553 2010
Official Information Act 1997 Public sector N/A State agencies
National Telecommunications Licensed telecommunication Telecommunications Telecommunications Business Act 2001 businesses Commission
Terminology
Terminology Definition
Data controller Natural or legal person that solely, or jointly, are responsible for information processing.
Data processor Natural or legal person that processes information on behalf of an information controller.
64 The Asia Pacific Privacy Guide
Vietnam
Vietnam does not have a comprehensive Considerations legislative regime or regulatory body Definition of •• Increased priority for cyber security. responsible for privacy. There are varied personal data In 2018, Vietnam enacted the Law on requirements relating to the protection of Cybersecurity (24/2018/QH14), which •• Personal information is defined personal information across a number increases the power granted to the State broadly by the NIS Law as information of laws. to investigate users and censor content relating to the identity of a specific person. The personal information The Law on Network Information Security published online by individuals. owner is the person identified by the (86/2015/QH13) (‘NIS Law’), also widely •• Data localisation. The NIS Law establishes personal information. referenced as the Law on Cybersecurity, stricter requirements for foreign service establishes the most comprehensive providers operating in Vietnam, including •• There is no specific definition of requirements and definitions regarding data localisation in certain circumstances. sensitive information under this the protection of personal information. Businesses that collect and process the law. However, certain definitions These requirements apply to individuals personal data of Vietnamese citizens are of personal information found in and organisations engaged in information required to maintain a physical office and alternate laws do reference specific technology application and store the data in Vietnam. types of information as requiring development activities. protection. For example, the Collection and notice Decree on E-Commerce extends There are a number of laws and regulations to ‘information contributing to that apply to certain sectors and types The NIS Law requires that when collecting identifying a particular individual, of transactions, such as the Law on personal information, organisations and including his/her name, age, home Protection of Consumers’ Rights, the Law on individuals must collect personal address, phone number, medical Information Technology and the Decree on information only after obtaining the information, account number, E-Commerce, which may apply to personal consent of the information owner on the information on personal payment information. scope and purpose of the information transactions and other information collection and use. that the individual wishes to Primary legislation: Law on Network keep confidential.’ Information Security (86/2015/QH13) (‘NIS Law’)
65 The Asia Pacific Privacy Guide
Use and disclosure Data security Cases
The NIS Law requires that when collecting Organisations are required to take 2016 – An airline’s website was hacked or using personal information, organisations appropriate managerial and technical compromising the personal information of and individuals must only use collected measures to protect personal information 410,000 clients. The information included personal information for any purpose that is collected and stored; and that names, addresses and birth dates. Following different from the initial one only after remedial action is taken to mitigate risks to the incident, the airline updated its external obtaining the personal information that personal information. privacy notice on its website to state that owner’s consent. the company will follow the provisions of the There is also a requirement for information European Union’s General Data Protection They must not share or disclose personal systems to be classified in accordance with Regulation (GDPR) and contact affected information to any third party, unless it is a rating between 1 and 5, based on the individuals in the event of a data breach. agreed by the personal information owner or impacts likely in the event of sabotage The airline has also now appointed a data requested by competent state bodies. to the system. protection officer.
Data localisation Cross-border data transfer The NIS Law includes a requirement for There are no specific restrictions on domestic and foreign service providers who the cross-border transfer of personal process personal information of service information in Vietnam. However, the Law users in Vietnam to store data locally. on Cybersecurity requires that organisations The supporting Draft Decree clarifies that must not share personal information to the service providers that may potentially any third party, unless it is agreed by the be subject to data localisation can include individual or requested by competent services relating to social media, email, state bodies. online payments, online games and There are no specific restrictions or telecommunications. requirements in Vietnam which apply Direct marketing to cross-border transfers of personal information. The NIS Law prohibits organisations and individuals from sending commercial Regulators and regulatory information to a recipient’s electronic landscape address without his/her prior consent, request, or when the recipient refuses it, There is no dedicated privacy or data except for the cases where the recipient is protection regulator in Vietnam. The Ministry obliged to receive the information under of Information and Communications is current laws. primarily responsible for the NIS Law, but may work in conjunction with other The Law on Protection of Consumers’ departments relating to other information Rights also includes a prohibition on the technology and e-commerce laws. harassment of consumers through the marketing of goods and services contrary to The Ministry of Information and the wishes of the consumer. Communications responsibilities extend to the regulation of the press, publishing, Individual rights posts, telecommunications, information technology, electronics, broadcasting, media, The NIS Law provides that individuals foreign information, domestic and national shall have rights to access their personal information, communication infrastructure information being collected, handled or and management of related public services stored by an organisation or individual. on behalf of the Government.
66 The Asia Pacific Privacy Guide
Data breach notification
Data breach notification to a regulator or data subjects is not mandatory. Limited guidance has been provided which can be found in the table below.
Voluntary guidance
Threshold for Data breach reporting is required ‘in the case that an information reporting system is hacked, posing a risk of loss of consumer information’.
The Decree on E-Commerce requires that, ‘information storing units Time frame shall notify the incident to a functional agency within 24 hours after detecting it.’
The Ministry of Industry and Trade, in conjunction with the Ministry of Who to notify Information and Communications are responsible for the Decree on E-Commerce.
There is no specific requirement relating to the content to be included Content in notifications.
Relevant laws, regulations and standards
Law, regulation Industry Responsible Applicability or standard ministry
Organisations and individuals conducting part or the whole of the Decree on Ministry of Industry process of commercial activity by E-Commerce All and Trade electronic means connected to the (52/2013/ND-CP) internet, mobile telecommunications network or other open networks
Vietnamese and foreign enterprises Cybersecurity Task Law on Cyber which provide services on telecom Force, under the Security (24/2018/ All networks and on the internet and Ministry of Public QH14) other value added services in Security cyberspace, in Vietnam
Vietnamese and foreign Law on Ministry of organisations and individuals Information All Information and engaged in information technology Technology Communications application and development (67/2006/QH11) activities in Vietnam.
Any Vietnamese agencies Law on Network organisation, individual; foreign Ministry of Information organisation and individual in All Information and Security (86/2015/ Vietnam who directly involves in or Communications QH13) is related to network information security activities in Vietnam.
Consumers; organisations or Law on Protection individuals trading goods, services; of Consumers’ Ministry of Trade agencies, organisations or individuals All Rights (59/2010/ and Industry involved in activities to protect QH12) the interests of consumers in the territory of Vietnam
67 The Asia Pacific Privacy Guide
Comparison matrix
The table below provides a visual comparison of selected privacy elements covered across the Asia Pacific region.
Location Definition Collection Use and Data Individual rights Security Data breach Data Data of personal and disclosure retention notification transfer protection information/data notice and officer destruction
Request suspension of processing Personal Sensitive Request access Right to be forgotten Data Portability Mandatory Voluntary Guidance
Australia Brunei Darussalam Cambodia •
China
Hong Kong
India • • • •
Indonesia
Japan
Lao PDR
Malaysia •
Mongolia
Myanmar New Zealand • Papua New Guinea The Philippines •
Singapore • •
South Korea
Sri Lanka
Taiwan
Thailand
Vietnam
Key: 68
The law addresses this element There is no law that addresses this element • It is proposed within a draft Bill, but the law is not yet enacted and in force The Asia Pacific Privacy Guide
Regulatory landscape table
The table below provides at a glance the privacy regulatory landscape of locations across the Asia Pacific.
Location Regulation Constitutional Regulator Maximum penalty for privacy right to privacy law breach Financial penalty (up to AU Office of the Australian Information Australia Comprehensive No $2.1 million) and enforceable Commissioner undertakings Brunei Sectoral No Minister at the Prime Minister’s Office None Darussalam Cambodia Sectoral Yes None None Information Personal liability and/or criminal China Yes Cyberspace Administration of China security law sanctions The Office of the Privacy Commissioner for Personal liability and/or criminal Hong Kong Comprehensive Yes Personal Data sanctions Information Personal liability and/or criminal India Yes Non-privacy specific security law sanctions Information Ministry of Communication and Information Indonesia Yes None security law Technology Personal liability and/or criminal Japan EU adequacy Yes Personal Information Protection Commission sanctions Lao People’s Information Democratic No Ministry of Posts and Telecommunications None security law Republic Personal Data Protection Department and Personal liability and/or criminal Malaysia Comprehensive No Malaysian Communications and Multimedia sanctions Commission Mongolia Sectoral Yes Non-privacy specific None Ministry of Communications and Information Myanmar Sectoral Yes None Technology Financial penalty (up to New Zealand EU adequacy No Privacy Commissioner’s Office NZ $350,000) and codes of practice Personal liability and/or criminal The Philippines Comprehensive Yes National Privacy Commission sanctions Papua New Information Yes None None Guinea security law Personal liability and/or criminal Singapore Comprehensive No Personal Data Protection Commission sanctions Personal liability and/or criminal South Korea Comprehensive Yes Personal Information Protection Commission sanctions Information Information and Communication Technology Sri Lanka No None security law Agency Personal liability and/or criminal Taiwan Comprehensive Yes Personal Data Protection Office sanctions Personal liability and/or criminal Thailand Comprehensive No Personal Data Protection Committee sanctions Information Vietnam Yes Ministry of Information and Communications None security law 69 The Asia Pacific Privacy Guide
Table of primary privacy regulation and regulator
Location Legislation Regulator
Office of the Australian Information Commissioner Australia Privacy Act 1988 (Cth) https://www.oaic.gov.au/
Minister at the Prime Minister’s Office Brunei Data Protection Policy 2014 http://www.pmo.gov.bn
Cambodia The Constitution of the Kingdom of Cambodia N/A
People’s Republic of China Cybersecurity Law Cyberspace Administration of China China 2017 http://www.cac.gov.cn./
The Office of the Privacy Commissioner for Personal Data Hong Kong Personal Data (Privacy) Ordinance 1996 https://www.pcpd.org.hk/
India Information Technology Act 2000 N/A
The 1945 Constitution of the Republic of Ministry of Communication and Information Technology Indonesia Indonesia https://www.kominfo.go.id/
Act on the Protection of Personal Information Personal Information Protection Commission Japan 2017 https://www.ppc.go.jp/en/
Ministry of Posts and Telecommunications Lao PDR Law on Electronic Data Protection 2017 https://www.mpt.gov.la/
Personal Data Protection Department http://www.pdp.gov.my Malaysia Personal Data Protection Act 2010 Malaysian Communications and Multimedia Commission https://www.mcmc.gov.my/
Mongolia Personal Secrecy (Privacy) Act 1995 N/A
Ministry of Home Affairs http://www.myanmarmoha.org/ Law Protecting the Privacy and Security of the Myanmar Citizen 2017 Ministry of Communications and Information Technology http://www.mcit.gov.mm/
The Office of the Privacy Commission New Zealand Privacy Act 1993 https://www.privacy.org.nz/
70 The Asia Pacific Privacy Guide
Constitution of the Independent State of Papua New Guinea N/A Papua New Guinea
National Privacy Commission The Philippines Data Privacy Act of 2012 https://www.privacy.gov.ph/
Personal Data Protection Commission Singapore Personal Data Protection Act 2012 https://www.pdpc.gov.sg/
Personal Information Protection Commission South Korea Personal Information Protection Act 2011 http://www.pipc.go.kr/cmt/main/english.do
Information and Communication Technology Agency Sri Lanka N/A https://www.icta.lk/
Taiwan Personal Information Protection Act 2010 Personal Data Protection Office
Thailand Personal Data Protection Act Personal Data Protection Committee
Ministry of Information and Communications Vietnam Law on Network Information Security https://english.mic.gov.vn/Pages/home.aspx
71 The Asia Pacific Privacy Guide
Acknowledgements
We would like to thank the following Deloitte professionals for their support and contribution to this publication:
Margaret Austen Sebastian Le Cat Ilana Singer Analyst Senior Analyst Manager Australia Australia Australia
Paul Casey Eric Leo Imogen Smith-Waters Senior Analyst Director Senior Analyst Australia Australia Australia
Marie Chami Richard Li James M Walton Manager Analyst Partner Australia Australia Singapore
Erika Chin Brad Lin Jasmin Wong Manager Director Senior Analyst Australia Hong Kong Australia
Sung Kyo Cho Max Lin Phoebe Wong Director Director Manager South Korea Taiwan Hong Kong
Nakul Chopra Joanne Lu Vincent Yin Senior Manager Director Analyst India New Zealand Australia
Karen Grieve Toshiyuki Oba Sun Hee You Director Senior Manager Director Australia Japan South Korea
Ho Kyoo Hahn Pauline Pang Maria Zotti Senior Manager Senior Analyst Analyst South Korea Australia Australia
Div Jamdagni Herbert Rollom Analyst Manager Australia The Philippines
Kwon ho Ka Pedro Saa Manager Senior Analyst South Korea Australia
72 The Asia Pacific Privacy Guide
Contacts
Manish Sehgal David Batch Frank Xiao Partner Partner Partner Asia Pacific Australia China and Hong Kong +91 124 679 2723 + 61 2 8260 4122 +86 108 512 5858 [email protected] [email protected] [email protected]
Manish Sehgal Haruhito Kitano Anu Nayar Partner Partner Partner India Japan New Zealand +91 124 679 2723 +81 80 3591 6426 +64 2 1207 9573 [email protected] [email protected] [email protected]
Anna Marie Pabellon Young Soo Seo Chia-Han Wu Partner Partner Partner Southeast Asia South Korea Taiwan +63 2 581 9038 +82 2 6676 1929 +886 2 4051 6888 [email protected] [email protected] [email protected]
73 Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms, and their related entities. DTTL (also referred to as “Deloitte Global”) and each of its member firms are legally separate and independent entities. DTTL does not provide services to clients. Please see www.deloitte.com/about to learn more.
Deloitte Asia Pacific Limited is a company limited by guarantee and a member firm of DTTL. Members of Deloitte Asia Pacific Limited and their related entities provide services in Australia, Brunei Darussalam, Cambodia, East Timor, Federated States of Micronesia, Guam, Indonesia, Japan, Laos, Malaysia, Mongolia, Myanmar, New Zealand, Palau, Papua New Guinea, Singapore, Thailand, The Marshall Islands, The Northern Mariana Islands, The People’s Republic of China (incl. Hong Kong SAR and Macau SAR), The Philippines and Vietnam, in each of which operations are conducted by separate and independent legal entities.
This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms or their related entities (collectively, the “Deloitte network”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.
© 2019 Deloitte Asia Pacific Services Limited