Asia
Global Privacy Regulations
China
BDO Local Resources
Partner, National Head of Forensic and Cyber Advisory Services
Law: Personal Information Protection Law (Chinese), Data Security Law (Chinese)
Regulator(s): The Cyberspace Administration of China (‘CAC’)
Adequacy Agreement with GDPR: No
Measures Announced
Overview
On 20 August 2021, China passed the Personal Information Protection Law ('PIPL'), its first comprehensive data protection legislation; enforcement begins on 1 November 2021. The law establishes personal information processing rules, data subject rights, and obligations for personal information processors. Additionally, on 10 June 2021 the National People's Congress of the People's Republic of China ('NPC') approved the Data Security Law, which entered into force on 1 September 2021. Other laws that take personal data protection into account include the Cybersecurity Law of 2016 and the standard GB/T 35273-2020 on Information Security Technology – Personal Information Security Specification.
Related rules also cover operators that collect, analyze, store, transmit, query, utilize, delete, or provide overseas personal information or important information during the design, production, sales, operation and maintenance, and management of automobiles within the territory of the People's Republic of China.
Organizations must comply with the relevant laws and regulations and with the specific requirements of each regulation. Storing data collected in China locally, separated from data held in other countries, is recommended. Proper separation of duties over system and data access should be implemented as a matter of standard risk management.
Over the past year, China has liberalized the use of global cryptographic technologies by companies operating within its borders, and new regulations require or recommend the encryption of certain personal information processed for commercial purposes, with a specific focus on blockchain and quantum encryption methods.
Data Protection Authority Focus
The CAC's focus is on protecting its citizens' data, and it requires companies to comply with their obligations under the law.
- On 16 September 2021 the revised Law on Protection of Minors went into effect. The law requires the protection of the privacy and personal information of minors. Information handlers that process data through the Internet must follow the principles of lawfulness, justification, and necessity. This applies to the processing of information relating to minors under the age of 14.
- On 15 September 2021 the Provincial Communications Administration of Qinghai announced that it had organized a special campaign to rectify camera network security in the information and communications industry across the province. Its goal is to combat violations of laws and regulations, such as camera security violations that infringe on citizens' personal privacy.
- On 10 September 2021 the National Information Security Standardisation Technical Committee of China ('TC260') solicited participants for five national standards, including the Privacy Protection Information Technology Security Evaluation Guideline, the Big Data Service Security Capability Requirements, and the authentication requirements for mechanisms using a cryptographic check function and technology based on cryptographic tokens.
Fines for violators of the PIPL are up to 50 million yuan (about $7.7 million) or 5% of annual revenue. The law goes into effect on 1 November 2021, and BDO believes that this will be the focus of the CAC.
Hong Kong
BDO Local Resources
Law: Personal Data (Privacy) Ordinance (Cap. 486) as amended in 2012 ('PDPO')
Regulator(s): The Office of the Privacy Commissioner for Personal Data ('PCPD')
Adequacy Agreement with GDPR: No
Measures Announced
Overview
The Personal Data (Privacy) Ordinance ('PDPO') was passed in 1995 and took effect in December 1996 (except for specific provisions). It is one of Asia's longest-standing comprehensive data protection laws. It has its origins in the August 1994 Law Reform Commission Report entitled Reform of the Law Relating to the Protection of Personal Data[1]. The report recommended that Hong Kong introduce a new privacy law based on the OECD Privacy Guidelines 1980 to ensure adequate data protection, to retain its status as an international trading center, and to give effect to its human rights treaty obligations.
In September 2021, the PCPD published frequently asked questions ('FAQs') and answers regarding the European Commission's Standard Contractual Clauses ('SCCs') for the transfer of data from the EU to non-EU regions. The FAQs focused on the implementation framework of the new SCCs and the obligations of third-country parties. The PCPD stated, 'The New SCCs will be relevant to a local entity in Hong Kong if the obligations under the GDPR apply to it as an exporting party on an extra-territorial basis'[2].
Data Protection Authority Focus
The PDPO applies to both the private and the public sectors, and it is technology-neutral and principle-based. The Data Protection Principles (‘DPPs’ or ‘DPP’), contained in Schedule 1 to the PDPO, outline how data users should collect, handle and use personal data, complemented by other provisions imposing further compliance requirements.
The principles of the PDPO are DPP1 Purpose and Manner of Collection; DPP2 Accuracy and Duration of Retention; DPP3 Use of Data; DPP4 Data Security; DPP5 Openness and Transparency; and DPP6 Access and Correction. Contravention of a DPP is not in itself an offence; however, contravention of specific provisions of the PDPO is an offence.
In September 2021, the Kowloon City Magistrates' Court convicted an estate agent for violating the PDPO (Cap. 486). The estate agent called a data subject months after he had opted out and requested that no further direct marketing calls be made to him. The estate agent received a fine of HK$15,000 (approximately €1,631 or $1,927). While this is a relatively small penalty, it shows that individuals, not only organizations, are held responsible for protecting data subjects' privacy.
Contravention of an enforcement notice issued by the Privacy Commissioner for Personal Data is also an offence that may result in a maximum fine of HK$50,000 and imprisonment for two years.
Subsequent convictions can result in a maximum penalty of HK$100,000 and imprisonment for two years.
[1] Logon Software & Services, Hong Kong’s Personal Data (Privacy) Ordinance PDPO
[2] The Office of the Privacy Commissioner for Personal Data, Understanding the European Commission’s New Standard Contractual Clauses for Transfer of Personal Data from EU to Non-EU Regions, September 2021
India
BDO Local Resources
Law: (Pending) Personal Data Protection Bill, 2019, Information Technology Act, 2000 (Amended 2008)
Regulator(s): The Data Protection Authority of India (Central Government) - pending
Adequacy Agreement with GDPR: No
Measures Announced
Overview
In 2017 the Supreme Court of India declared privacy a fundamental right in the Puttaswamy case[1]. In 2018, the Government released a draft Personal Data Protection Bill, which is derived from the GDPR. A revised bill was proposed in 2019 and introduced to the lower house of the Indian Parliament. India originally planned to pass that bill in 2020, but it has been delayed.
India is awaiting the approval of the Personal Data Protection Bill (PDPB) in parliament. Once approved and enacted, privacy law in India will change dramatically, becoming comparable to the GDPR, the CCPA, or equivalent privacy laws. Data protection awareness is increasing rapidly in India, especially with digital transformation and the growth of the digital payment ecosystem.
India is also home to Aadhaar, the world's most extensive biometric ID system. Indian citizens use Aadhaar cards to access various services, such as opening bank accounts, obtaining mobile SIM cards, and government welfare schemes. In 2019, a law was passed permitting the voluntary use of Aadhaar for such services.
Data Protection Authority Focus
The PDPB has undergone public and industry consultation and is awaiting parliamentary review and enactment. The COVID-19 pandemic has caused further delays.
[1] In the Supreme Court of India, Civil Original Jurisdiction, Writ Petition (Civil) No. 494 of 2012, Justice K.S. Puttaswamy (Retd.) and another (Petitioner) versus Union of India and Others (Respondents)
Singapore
BDO Local Resources
Gerald Tang
Law: Personal Data Protection Act 2012 (No. 26 of 2012) ('PDPA')
Regulator: Personal Data Protection Commission ('PDPC')
Adequacy Agreement with GDPR: No
Measures Announced
Overview
On 2 November 2020, Singapore's legislature approved amendments to the Personal Data Protection Act (PDPA). The changes include:
- NEW mandatory data breach notification requirement
  - Organizations are now required to notify the PDPC, within three calendar days of assessing a data breach to be notifiable, of breaches that result in or are likely to result in significant harm to the affected individuals, or that are of a substantial scale (more than 500 affected individuals).
  - An organization is required to carry out this assessment once it has 'credible grounds to believe that a data breach has occurred.' It is therefore necessary to document the steps taken once the company becomes aware of the breach, to justify the time taken for the assessment.
  - Organizations are also required to notify the affected individuals as soon as practicable.
- Expanded scope of 'deemed consent'. Consent to the processing of personal data will now be deemed to have been obtained on two further grounds:
  - Contractual necessity: where the data processing is reasonably necessary to perform a contract; or
  - Notification and opt-out: where reasonable steps have been taken to notify individuals of the purpose of the data processing and they are given a reasonable period to opt out. To rely on this ground, organizations are required to first conduct a risk and impact assessment to determine that the processing is unlikely to have an adverse effect on the individuals.
Data Protection Authority Focus
Organizations are required to notify both PDPC and the affected individuals as soon as practicable upon discovering a data breach. Companies with an annual turnover in Singapore exceeding S$10 million can now be fined up to 10% of this turnover.
United Arab Emirates
BDO Local Resources
Law: No Federal Law
Regulator: No Federal Regulator
Adequacy Agreement with GDPR: No
Measures Announced
Overview
The UAE currently has no country-wide privacy legislation, although such a law is under discussion. Multiple sectoral data protection and security laws exist, including Federal Law by Decree No. 3 of 2003 Regarding the Organisation of the Telecommunication Sector, Federal Law by Decree No. 5 of 2012 on Combating Cybercrimes (13 August 2012), Federal Law No. 18 of 1993: Commercial Transactions Law, and UAE Federal Law No. 2 of 2019.
A few jurisdictions have their own specific laws, such as the DIFC Data Protection Law[1] and the ADGM Data Protection Law[2]. In addition, there are general privacy provisions and sector-specific standards for healthcare[3].
Data Protection Authority Focus
In the last 12 months, we have seen more than two data protection laws updated significantly in the UAE (including the DIFC Data Protection Law and the ADGM Data Protection Regulations). We have also seen updates to standards for the healthcare sector, such as the Department of Health (DOH) Abu Dhabi's Healthcare Information and Cyber Security Standard (ADHICS). These instruments cover both data protection and data privacy. In the next couple of years, we believe the UAE may adopt country-wide data privacy and protection legislation.
The jurisdiction-specific data privacy and protection laws incorporate lessons from legislation implemented elsewhere in the world, including the EU's GDPR, and add articles addressing the specific needs of the UAE. This alignment with global requirements is why the ADGM became the first authority in the Gulf to join the Global Privacy Assembly's International Enforcement Cooperation Working Group ('IECWG').
The authorities have also put considerable effort into educating organizations and the public about the legislation in force and how to comply with it. Specific guidance materials are available to organizations and to the people who implement the controls the legislation requires; these materials include self-service questionnaires and FAQs that address common points of confusion.
The jurisdictions have organizational structures in place to meet the current requirements. Fines vary by jurisdiction. For example, the DIFC Data Protection Law has a maximum fine of USD 100,000 for an administrative breach and scope for larger (uncapped) fines for more serious violations. Under the ADGM Data Protection Law, penalties are capped at USD 28 million for significant data breaches.
[1] Dubai International Financial Centre, DIFC Data Protection
[2] Abu Dhabi Global Market, ADGM Enacts its New Data Protection Regulations, 2021
[3] BDO UAE, A Snapshot of DIFC Data Protection Law (DPL) 2020, Data Privacy in UAE, July 2020