I. Introduction
The APAC region has been at the vanguard of digitisation, digital innovation, and digital governance.[1] However, differences in legal regimes in the region have meant that any regional or global privacy initiatives such as the APEC Privacy Framework,[2] APEC Cross Border Privacy Rules System (CBPR),[3] or the Osaka Declaration of Digital Economy[4] do not have universal uptake.
Our blog series has examined the data protection frameworks in six countries in the APAC region, namely Australia, Singapore, Japan, Vietnam, Indonesia, and Malaysia. These jurisdictions have some common themes and significant differences, especially when it comes to local storage requirements. This can pose a barrier to the free flow of data in an increasingly interconnected global economy. In this concluding post, we compare the data protection frameworks in these APAC countries with India to trace commonalities and differences. We begin with the varied legal landscape in these countries (II), and move on to processing and other obligations imposed on data controllers (III); the rights guaranteed to individuals (IV); rules governing cross-border data flows (V); the enforcement framework (VI); and the exemptions given to state agencies (VII). Part VIII concludes.
II. Legal landscape
The countries in the APAC region are some of the world’s fastest growing economies. Given their role in the global data value chain, APAC governments across the board are bolstering their data protection frameworks. Australia, Singapore, Japan, and Malaysia already have fairly robust data protection laws.[5] Although Vietnam and Indonesia only have sectoral regulations on privacy and data protection, their governments have published draft decrees/draft laws that seek to consolidate data-related obligations. India, too, is similarly placed, with a standalone data protection law in the pipeline. India’s Personal Data Protection Bill (“PDP Bill”) is currently under consideration by a joint committee of the Parliament.[6]
III. Data processing and other obligations
Scope of the data protection law
The Indian PDP Bill governs both private organisations and public entities/governments.[7] This approach is consistent with the GDPR and is a positive step, since the State, through its various welfare and other programs, collects and processes a large amount of personal data of individuals. The Indian experience stands out particularly since many APAC countries such as Singapore, Japan, and Malaysia do not cover the central government or government agencies as part of their data protection laws.
Data classification
All the APAC countries in this series, except Vietnam[8] and Indonesia,[9] carve out a special category of sensitive data. Such sensitive data attracts heightened notice and consent requirements.
Notice and consent
Most APAC countries require consent for collection of personal data. Notably, Australia and Japan do not ordinarily require consent for collection of personal data,[10] although individuals must be given notice as soon as practicable after such collection.[11] Most consent-based jurisdictions also have exceptions to allow processing on grounds other than consent.
The PDP Bill in India makes notice and consent the bedrock for processing personal data, while laying out various conditions under which data can be processed without consent.[12] Similar to Australia, Singapore, and Malaysia,[13] consent can be withdrawn in India, after the individual is made aware of the potential consequences of her withdrawal.[14]
Purpose limitation
All jurisdictions in our series have some form of purpose limitation requirement. Most, such as Japan, Vietnam, Indonesia, and Malaysia make it clear that consent is linked to a specific purpose communicated to individuals. Fresh consent is needed for using the personal data for a secondary purpose (separate from the original purpose).[15] This is similar to the Indian approach, where ‘data fiduciaries’ must process personal data only for the purpose consented to by the individual.[16]
Security
The six APAC countries, as well as India, require organisations to put in place reasonable security arrangements to protect against the unauthorized access, collection, use, and disclosure of personal data in their possession or control.
Data breach notification
As the digital economy grows, and data is increasingly stored and processed online, the risk of data breaches and cyber-attacks has increased exponentially. Some countries such as Australia and Indonesia have already enacted a mandatory data breach notification scheme. In Australia, data controllers must notify the regulator when an ‘eligible data breach’ has occurred, and notify the individual as long as it is practicable.[17] In Indonesia, organisations must report breaches to individuals as well.[18]
Others, such as Singapore and Malaysia, are considering proposals to make data breach reporting mandatory. Still others, such as Japan and Vietnam, only have voluntary guidance on data breach notification. The PDP Bill in India requires data fiduciaries to notify the regulator, the Data Protection Authority (“DPA”), and the DPA then decides if this information should be communicated to individuals.[19]
IV. Individual Rights
All APAC countries in our series grant certain rights to individuals regarding their data, as does the Indian PDP Bill.
While all the countries provide rights to access and correction of data, India is one of the few countries in this list to propose to grant the right of data portability and the right to be forgotten to individuals.
V. Cross border data flows
The cornerstone of the Osaka Declaration is the free flow of data, and this is reflected most clearly in the Australian and Japanese laws, which permit cross-border transfer of data with consent, or if the recipient country has an equivalent standard of data protection.[21] Singapore permits cross-border transfers under similar conditions, and in fact, allows data controllers to seek exemptions from the regulator from these requirements, under certain conditions.[22]
Malaysia permits the cross-border flow of data with the caveat that the recipient country has to be included in a whitelist issued by the government, based on the recommendations of the regulator.[23] If, however, individuals consent to the transfer, or the transfer is necessary for the performance of a contract, for legal proceedings, to avoid adverse action, or in the public interest, then data controllers can transfer data to a country that is not included in the whitelist.
Amongst the countries in our series, Vietnam currently has some of the strictest data localisation requirements – domestic and foreign cyberspace service providers who process personal data (including the data generated by service users and about their relationships) in Vietnam must store this personal information in the country for a period specified by the government.[24] However, there are reports that the government is considering narrowing the reach of these provisions.[25] In Indonesia, while cross-border data transfer is permitted, an implementation plan for the data transfer and an implementation report post-transfer has to be submitted to the Minister.[26]
India has proposed local storage/processing restrictions. Unlike any other country, its restrictions are tied to the classification of data into personal data (which can always be transferred across borders), sensitive personal data (which can be transferred under limited conditions, but has to additionally be stored in India), and critical personal data (which has not been defined in the Bill, and has to be stored and processed almost exclusively in India).[27]
Sector-specific localisation requirements exist in some of the countries in the APAC region. For instance, in Australia, electronic health records cannot be stored or processed outside the country.[28] In India too, the RBI has imposed a similar data localisation restriction for the storage of payments data.[29]
VI. Enforcement framework
Not all countries in our series have established dedicated regulators for enforcement. In Vietnam and Indonesia, a government ministry is responsible for enforcement and hearing complaints, which can impact the efficacy of the enforcement machinery. The other countries (Australia, Japan, Singapore and Malaysia) have dedicated regulators that can hear complaints, investigate non-compliances, issue decisions, and award penalties or fines. The PDP Bill in India proposes a new regulatory authority and sets out a detailed framework for enforcement and penalties.
VII. Use of personal data by law enforcement agencies
The Indian government has wide powers to exempt any of its agencies from any or all data protection obligations under the PDP Bill for several reasons, such as security of the State or public order. The other APAC countries do not have such wide exemptions (although some countries such as Japan and Singapore do not govern government agencies under the same law as private organisations).[30] Though Australia has exemptions for law enforcement agencies, the exemption is limited to certain obligations such as providing the right to access[31] and data breach notification,[32] and not the entirety of the law.
Further, data protection laws do not provide a full insight into the powers granted to law enforcement agencies when they act in the national security interest. For instance, in Australia and Vietnam, law enforcement agencies can order service providers to decrypt data. In Singapore, the Minister for Communications and Information can issue directions to the regulator or the telecom licensee to take control of telecommunication systems or stop/delay/censor messages. Japan is an outlier insofar as it regulates the actions of law enforcement agencies far more strictly than other countries. Judicial and parliamentary oversight have been built into the surveillance system there.
VIII. Conclusion
Free flow of data across borders requires countries to sign up to some form of a shared vision of data governance. The EU, for instance, only allows data to be transferred to countries that have been deemed ‘adequate’. This has already had some impact in the APAC region. Japan and New Zealand have received adequacy approvals from the EU, based on their strong data protection guarantees, allowing personal data to move freely between the regions.[33] The APAC region is home to some of the fastest growing economies in the world. A common, minimum baseline for data protection will help facilitate cross-border data flows and encourage countries with relatively weak data protection laws to update their regimes.
Authored by the Ikigai team. For more on topic, please reach out to us at contact@ikigailaw.com.
[1] Fredrik Erixon, European Centre for International Political Economy, Embracing Innovation and Economic Development: A Policy Perspective for the Asia-Pacific Region, available at https://ecipe.org/wp-content/uploads/2017/05/ECIPE_FErixon_AsiaDigital_XPRINT.pdf
[2] https://www.apec.org/Publications/2017/08/APEC-Privacy-Framework-(2015)
[3] APEC Privacy Framework (2015), available at https://www.apec.org/About-Us/About-APEC/Fact-Sheets/What-is-the-Cross-Border-Privacy-Rules-System
[4] Osaka Declaration on Digital Economy, available at https://www.meti.go.jp/press/2019/06/20190628001/20190628001_01.pdf
[5] Privacy Act, 1988 (Australia); Personal Data Protection Act, 2012 (Singapore); Act on the Protection of Personal Information (Japan) (“APPI”); and Personal Data Protection Act, 2010 (Malaysia).
[6] The Personal Data Protection Bill, 2019 (“PDP Bill”), available at http://164.100.47.4/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf
[7] Though government agencies are also ‘data fiduciaries’, the central government retains the power to exempt government agencies from the law for several purposes, such as public order, national security, the interests of integrity and sovereignty of India, etc. under Clause 35 of the PDP Bill.
[8] See generally, Decree 33/2002/ND-CP (March 28, 2002) (Vietnam). See also, Linklaters, Data Protected: Vietnam, available at https://www.linklaters.com/en/insights/data-protected/data-protected—vietnam.
[9] See generally, Electronic Information and Transactions Law No. 11 of 2008, available at http://www.flevin.com/id/lgso/translations/JICA%20Mirror/english/4846_UU_11_2008_e.html.
[10] Australian Privacy Principles 3.1, 3.2 and 3.3(a), Privacy Act, 1988; Article 17(1), Act on the Protection of Personal Information (Japan). See also, DLA Piper, Data Protection Laws of the World: Indonesia, available at https://www.dlapiperdataprotection.com/index.html?t=definitions&c=ID.
[11] Australian Privacy Principle 5.1, Privacy Act, 1988; Article 18, APPI (Japan).
[12] Sections 7, 11, 12-15, PDP Bill, 2019 (India).
[13] Office of the Australian Information Commissioner (OAIC), Australian Privacy Principles Guidelines: Privacy Act, 1988 (2019), available at https://www.oaic.gov.au/assets/privacy/app-guidelines/app-guidelines-july-2019.pdf, at 4. See also Section 16, PDP Act (Singapore) and Section 38, PDP Act (Malaysia).
[14] Sections 11(2)(e) read with 11(6), PDP Bill, 2019 (India).
[15] Articles 15 and 16, APPI (Japan); Articles 17(1) read with 18(1), Law on Network Information Security (Vietnam); Article 28(f), PDP Regulation (Indonesia); and Section 39, PDP Act (Malaysia).
[16] Section 5(b), PDP Bill, 2019 (India).
[17] Section 26WL(2), Privacy Act, 1988, which lists out the circumstances under which the notification requirement is activated. See also Section 26WK(3)(d) read with Section 26WR(4)(d), Privacy Act, 1988 (Australia).
[18] Article 28(c), PDP Regulation (Indonesia).
[19] Section 25, PDP Bill, 2019 (India).
[20] In Australia, individuals should have the option to not identify themselves or to use pseudonyms when dealing with an organisation (unless the collection of data is authorised by law, or a court orders to deal with identified individuals, or it would be impractical for the entity to deal with individuals who have not identified themselves).
[21] APP 8.2(a)(i), APP 8.2(b), Privacy Act, 1988 (Australia); Article 24, APPI (Japan).
[22] Section 26, PDP Act (Singapore). Further information regarding the format for application, advisory guidelines etc. see PDPC, Exemption Requests, available at https://www.pdpc.gov.sg/Overview-of-PDPA/The-Legislation/Exemption-Requests.
[23] Section 129, PDP Act (Malaysia).
[24] Article 26, LCS (Vietnam). The law defines cyberspace service providers as domestic and foreign entities providing telecommunication services, internet services, and value-added services.
[25] Data localisation requirements narrowed in Vietnam’s cybersecurity law, Business Times (October 2019), available at https://www.businesstimes.com.sg/asean-business/data-localisation-requirements-narrowed-in-vietnams-cybersecurity-law
[26] Article 22, PDP Regulation (Indonesia).
[27] Sections 33-34, PDP Bill, 2019 (India).
[28] Section 77, My Health Records Act, 2012, available at https://www.legislation.gov.au/Details/C2017C00313.
[29] RBI issues clarification on data localisation circular, MoneyControl (June 2019), available at https://www.moneycontrol.com/news/economy/policy/rbi-issues-clarifications-on-data-localisation-circular-4141331.html.
[30] Section 35, PDP Bill, 2019 (India).
[31] APP 12.3(i), Privacy Act, 1988 (Australia).
[32] Section 26WN, Privacy Act, 1988 (Australia).
[33] Deloitte, Unity in Diversity: The Asia Pacific Privacy Guide (2019), available at https://www2.deloitte.com/content/dam/Deloitte/nz/Documents/risk/apac-privacy-guide-interactive.pdf