The challenge for anyone doing business in the Asia-Pacific region is the ever-expanding number of countries introducing data privacy/cybersecurity requirements, some with significant penalties for non-compliance. It would be one thing if they lined up with the GDPR perfectly, but each has its own flavor, unique requirements and purpose. Several impose fairly standard GDPR-style obligations, such as data subject notifications, consent requirements, and retention and security requirements. But several have unique features, such as, to name a few:

  • China’s lack of a ‘legitimate interest’ as a legal basis for processing, its much broader restrictions on moving data outside of China and its requirement to have a local Data Privacy Representative responsible for compliance with PRC laws;
  • Japan’s heightened concerns over collection of national identification in contrast with easier ability to transfer to processors;
  • Korea’s restrictions on moving data outside of Korea, as well as its 24 hour breach notification rules;
  • The application of both Philippine and Vietnamese data privacy laws to the personal data of their respective citizens living abroad; and
  • Each jurisdiction with its own definition of what is a data breach and when/if/to whom it is notifiable.

Below, we have prepared a comparison of the regional data privacy/cybersecurity laws across a set of consistent categories, such as:

  • Obligations on collecting/handling/transporting data;
  • A data subject’s right to query/modify;
  • Cross-border obligations;
  • Breach notification requirements; and
  • Penalties.

We have also included whether a country allows discovery and/or class action litigation, as that can factor in risk considerations.

Please click the link below on your country of interest.


AUSTRALIA

Name of Law:  The Australian Privacy Act 1988 (“APA”), with Notifiable Data Breach Scheme (22Feb’18).

Data Privacy Authority: Office of the Australian Information Commissioner (OAIC). Discovery and class actions permitted.

Restrictions on Collecting, Handling, and/or Transporting Personal Data: 

  • Notify before collecting, or as soon as practicable afterwards: who is collecting, the purpose, the consequences of not providing the information, whether it will be disclosed locally or overseas, and the entity’s privacy policy.
  • Sensitive Info: only with consent unless required by law. Government IDs specially protected.
  • Direct marketing only with consent or reasonable expectation AND with opt-out option.

Individual Query/Modification Right: Yes

Cross-Border Application: Before disclosing overseas, must take reasonable steps to ensure the recipient will comply with the APA, or rely on the recipient being subject to a foreign law or binding scheme with analogous protections that the individual can enforce. The discloser remains liable for the recipient’s breaches unless the individual can enforce rights consistent with the APA in the foreign jurisdiction, or consent was obtained after the individual was expressly informed of the risk.

Breach Notification:  Required to individual and OAIC when ‘unauthorized disclosure’ (includes ‘access’) or ‘loss’ of PI ‘likely to result in serious harm’ to individuals. Remedial action may remove serious harm. An assessment is required to be completed within 30 days. Notification is required as soon as practicable after a breach is identified.

Preventative Obligations Required: Must take reasonable steps to protect information.

Other Comments:  Penalties up to AU$444k (individuals) or AU$2.22M (corporations) under the Privacy Act.

Local SPB DP/Cyber Team: Scott Warren (Regional), Chris Rosario, Connor McClymont


PEOPLE’S REPUBLIC OF CHINA

Name of Law: Cyber Security Law (effective 6’17); Data Security Law (effective 9’21); Personal Information Protection Law (effective 11’21) and industry-specific regulations.

Data Privacy Authority: The Cyberspace Administration of China [CAC] (though particular industries can have their own). No discovery (but seizures and broad duty to cooperate with the government). No Class Action, but Data Subject may sue and the burden of proof shifts.

Restrictions on Collecting, Handling, and/or Transporting Personal Data:  Processing is permitted only under an enumerated legal basis, and the list does NOT include ‘legitimate interest’. Has extra-territorial application.

Individual Query/Modification Right: Yes. Data subjects have rights of access, correction and deletion and the right to be informed before consenting; limits on retention also apply.

Cross-Border Application: There are two main categories of Personal Information, both of which require informed and separate consent of the individual in order to export.

  • Personal Information handled by Critical Information Infrastructure operators, and Personal Information above a volume threshold, must be stored locally; export requires passing a CAC security assessment.
  • All other Personal Information may be exported only after a government security assessment, certification by a qualified third party, or under standard contractual clauses (still being drafted).

No transfer to foreign law enforcement or for a judicial proceeding allowed without approval of Chinese authorities.

Breach Notification: Breach notification to authorities and Data Subject where Personal Information ‘has been or may be divulged, tampered with or lost’. Data Subject notification is not required if harm to the Data Subject can be avoided, but may be ordered by the authorities.

Preventative Obligations Required: Must have compliance program, employee training, a cyber-incident security response plan and organize drills.

Other Comments:

  • Offshore entities must have a Data Privacy Representative in China and notify the authorities;
  • Data Privacy Impact Assessments are required when processing Sensitive Personal Information, for processing with a significant impact on the Data Subject, for automated decision making, and for providing Personal Information to third parties OR overseas;
  • A Data Privacy Officer is required when data exceeds a quantity (yet to be specified);
  • Foreign Personal Information moved to China is subject to Chinese law;
  • Small enterprises are to receive special rules (TBD).

Penalties:

  • Up to 5% of prior year’s turnover or RMB50M (approx. US$7.5M)
  • May receive an Order to cease services or restrict export of data or cancellation of business license
  • Potential criminal liability if the violation infringes the rights of a ‘large number’ of individuals, or a violation of public security
  • Data Subject has right to sue. Once done, the burden of proof shifts.
  • In addition, where any country or region takes discriminatory prohibitive, restrictive or other similar measures against the PRC in terms of protection of Personal Information, the PRC may take reciprocal measures against such country or region as the case may be.

Local SPB DP/Cyber Team:  Scott Warren (Regional), Lindsay Zhu, Katherine Fan


HONG KONG

Name of Law:  The Personal Data (Privacy) Ordinance (“PDO”, 1996), latest amendment 20 Apr’18.

Data Privacy Authority: Privacy Commissioner for Personal Data. Can have discovery. No class action.

Restrictions on Collecting, Handling, and/or Transporting Personal Data:

  • Must set out the purpose of gathering personal data for the data subject to provide consent and their rights as to that data;
  • Affirmative consent should be obtained for transfer outside of Hong Kong, to third parties or for direct marketing purposes;
  • Personal data should be kept only for as long as it is needed and then securely destroyed. No right to be forgotten and no special categories of Personal Data.

Individual Query/Modification Right: Yes. Response due within 40 days.

Cross-Border Application: Section 33 of the Ordinance (not yet in operation) will prohibit transfers outside Hong Kong unless a condition is met, such as the data subject’s written consent or measures ensuring the data will be protected to a standard comparable to the Ordinance.

Breach Notification:  No mandatory requirement currently; notification to the Privacy Commissioner is voluntary.

Preventative Obligations Required: Personal Data must be securely retained and testing is required; must have privacy policies and guidelines for employees and consumers.

Other Comments:   Fines and/or prison possible for failure to follow an Enforcement Notice of Privacy Commissioner or for breach of the direct marketing provisions.

Local SPB DP/Cyber Team: Scott Warren (Regional), Nick Chan, Hin Han Shum


INDIA

Name of Law: Currently no general data privacy law. The Information Technology Act (2000) and its 2011 Sensitive Personal Data or Information (SPDI) Rules require consent, reasonable security practices, restrictions on transfer and other protections for sensitive personal information, which includes passwords, health, biometric and financial information. Must appoint a Grievance Officer.

The Personal Data Protection Bill (’19) is not yet law. It would apply to personal data collected in India, irrespective of where the entity is located. The bill PROPOSES the following:

  • It proposes the creation of the Data Protection Authority of India.
  • Consent must be free, informed, specific, clear and capable of being withdrawn.
  • Cross-Border transfer: Originally, must keep one copy of all PD in India. New draft (7’19) would require only ‘critical data’ to be stored and processed in India only. The definition of what is ‘critical data’ still needs clarity.
  • Breach notification: required in a timely manner to the DPA and to the individual.
  • Privacy by Design requirements.
  • Fines: up to 4% of global turnover.

Local SPB DP/Cyber Team:  Scott Warren (Regional), Local Counsel


JAPAN

Name of Law: The Act on the Protection of Personal Information (2003) and amendments (last 6’20 with implementation by 6’22). Revised Guidelines released 8’21.

Data Privacy Authority: Yes – the Personal Information Protection Commission (PPC). No discovery. No Class Action.

Restrictions on Collecting, Handling, and/or Transporting Personal Data: Extra-territorial effect

  • Affirmative consent is required for the collection of Sensitive Personal Information.
  • Usually, must obtain informed consent after providing the required details, and have a contract in place, before providing Personal Information to a third party. However, sharing data with a processor for a designated purpose is excluded from the definition of a third-party provision.
  • Broader initial consent possible if notified via Privacy Policy and Website Notice.

Individual Query/Modification Right: Broad rights similar to GDPR

Cross-Border Application: Transfers overseas require the data subject’s informed consent, except where the recipient is in a country the PPC deems to have ‘an adequate level of data privacy protection’, or the recipient is bound by contract (or similar) to APPI-equivalent standards.

Breach Notification: To the PPC when there is a ‘leakage, loss or damage or other situation concerning the ensuring of security’ of Personal Information with a ‘large possibility of harming an individual’s rights and interests’. Data Subject notification is required except when ‘necessary alternative action is taken to protect a principal’s rights and interests’.

Preventative Obligations: Must establish an organizational structure for Personal Information protection (policies, a Data Privacy Officer), implement tangible measures to protect Personal Information (such as periodic testing) and provide training.

Other Comments: MyNumber (National ID) has heightened collection/storage/breach notice regulations. For all Personal information, the company must take reasonable steps required to protect and secure, including testing and employee supervision.

Penalties: The 2020 amendment raises penalties to up to JPY100M (approx. US$1M) for corporations and/or up to 1 year in prison for individuals.

Local SPB DP/Cyber Team: Scott Warren (Regional), Miki Kamiya


PHILIPPINES

Name of Law:  Data Privacy Act (2012), full compliance due from 8Mar’18

Data Privacy Authority: National Privacy Commission [NPC].  Ministries may investigate.

Restrictions on Collecting, Handling, and/or Transporting Personal Data: Must have a legitimate purpose (such as execution of a contract) and/or free, specific and informed consent.  Detailed privacy notice requirements. Many organizations must register their data processing systems with the NPC.

Individual Query/Modification/Deletion Right: Yes

Cross-Border Application: Applies to personal data processed within or outside the Philippines if the processing is by an entity established in, or with links to, the Philippines, relates to a Philippine citizen or resident, or occurs in the Philippines. Consent is required, and contractual obligations must be placed on the receiving party.

Breach Notification:  Yes, to the NPC and the data subject within 72 hours, but only where sensitive Personal Information, or other information that could be used to enable identity fraud, has been acquired by an unauthorized person, the risk is real, and it may result in serious harm.

Preventative Obligations Required: Yes- organizational, physical and technical measures required.

Penalties: up to PHP5M ($95,000) and/or 6 years imprisonment including on responsible corporate officers.  Civil remedies available.

Local SPB DP/Cyber Team: Scott Warren (Regional), Local Counsel


REPUBLIC OF KOREA (SOUTH KOREA)

Name of Law: The Personal Information Protection Act (2011), amended in 2020, and implementing regulations.

Data Privacy Authority: Yes – the Personal Information Protection Commission. No discovery. Modified class action allowed.

Restrictions on Collecting, Handling, and/or Transporting Personal Data:

  • Consent needed unless processing is necessary to perform a contract, comply with law, protect the data subject’s urgent interests (life, safety or property), or pursue a legitimate interest of the controller that clearly overrides the data subject’s rights. Before obtaining consent, the individual must be informed of the purpose, the items collected, the retention period, any third parties who will receive the data, and the right to refuse.
  • Must distinguish between required and optional consent. May not deny service because optional items are refused.
  • Separate consent is required for collection of Sensitive Information and other unique identifiers such as passport and driver’s license numbers (unless permitted by law). Collection and handling of the national ID requires express legal authority (i.e. consent alone is not a sufficient legal basis).

Individual Query/Modification Right: Yes

Cross-Border Application:  Separate consent is required when transferring to any overseas third party (i.e. a controller-to-controller transfer). Separate consent is not required for ‘outsourcing’ to third parties overseas (i.e. a controller-to-processor transfer). If the Personal Information relates to providing online/mobile services, separate consent is not required for outsourcing as long as the necessary disclosure is made in the privacy policy, by email or by similar means.

Breach Notification: If related to online/mobile services, must notify the individual and Data Privacy Authority within 24 hours, regardless of the size of the breach. Otherwise, must notify individuals ‘without delay’. If over 1,000 data subjects affected, must notify data protection authority ‘without delay’.

Preventative Obligations: must implement appropriate methods, administered by a Personal Information Manager, to keep information safe, track its usage and comply with the law. Must keep data for only as long as required.

Other Comments:

  • Korea is a member of the APEC Cross-Border Privacy Rules (CBPR) system and has received a draft Adequacy Decision from the European Commission.
  • PIPA amendment in 2020 introduced the concept of pseudonymized data, which can be collected and handled for limited purposes (e.g., statistical purposes or scientific research) without the consent of the data subjects.

Local SPB DP/Cyber Team: Scott Warren (Regional), Stephen Pak, Local Counsel


SINGAPORE

Name of Law: Personal Data Protection Act (’12), amended in ’20; Cybersecurity Act (’18); Personal Data Protection Regulations and PDPC Advisory Guidelines (’21).

Data Privacy Authority: Personal Data Protection Commission (PDPC).  Discovery by PDPC.  No class action.

Restrictions on Collecting, Handling, and/or Transporting Personal Data:

  • Consent required unless necessary for performance of a contract, legitimate interests, business improvement, research. Individual to be notified of the purpose of collection and disclosure.
  • Cannot require collection broader than necessary as a condition of service. Failure to opt out is not by itself consent; the 2020 amendment’s ‘deemed consent by notification’ requires prior notice, a risk assessment and a reasonable opt-out period.
  • Personal Data cannot be retained once it is no longer necessary for legal or business purposes.

Individual Query/Modification Right: Yes. Data portability is provided under the new amendment. Consent may be withdrawn at any time on reasonable notice.

Cross-Border Transfers: need either PDPC approval or establish that the overseas recipient is bound by law/contract/binding instrument to a standard comparable to PDPA.

Breach Notification: To the PDPC within 3 calendar days of assessing that a breach is notifiable, where the breach is ‘likely to result in significant harm’ to individuals or involves the Personal Data of 500 or more people; a breach involving prescribed classes of Personal Data is deemed likely to result in significant harm. Notice to individuals is to be made ‘as soon as practicable’.

Preventative Obligations Required: An organization must take reasonable security steps to protect the Personal Data. Data Privacy Impact Assessments are encouraged.

Penalties: Fines of up to the higher of SG$1 million or 10% of annual turnover in Singapore (organizations); up to SG$10,000 and/or imprisonment up to 1 year (individuals).

Other Comments:  Direct marketing restrictions (Do Not Call provisions) exist. The Cybersecurity Act imposes many new obligations on owners of designated critical information infrastructure.

SPB Local DP/Cyber Team:  Scott Warren (Regional), Julia Yeo


TAIWAN

Name of Law:  The Taiwan Personal Data Protection Act (“PDPA”) with Enforcement Rules from the Ministry of Justice.

Data Privacy Authority: National Development Council/Personal Data Protection Office. No civil discovery, but regulators may conduct on-site inspections (‘dawn raids’).

Restrictions on Collecting, Handling, and/or Transporting Personal Data: 

  • Need statutory reason (such as execution of a contract) or informed consent.
  • Must inform identity of collector, purpose, type of data collected, the term and use of the data, the persons who may use, the data subject’s rights and the consequences of failure to provide.
  • Sensitive Personal Data requires written consent.

Individual Query/Modification Right: Yes – rights to access and correct, and to request deletion or cessation of processing.

Cross-Border Application: Transfers may be restricted where the destination country lacks sound legal protection, or the transfer would affect data subjects’ interests, would be illegal, or would be against national interests.

Breach Notification:  to individual if PD ‘stolen, leaked or illegally altered, or any other infringement incident’. To be given in the ‘appropriate manner’ after investigation. No requirement to authorities, except for certain industries (e.g. financial, etc.).

Preventative Obligations: Need ‘appropriate measures’ to protect including data mapping, risk assessments, incident response plan and data security personnel.

Penalties: administrative fines up to approx. US$16k; criminal penalties up to approx. US$33k and/or 5 years’ imprisonment.

Local SPB DP/Cyber Team: Scott Warren (Regional), Local Counsel


THAILAND

Name of Law:  Personal Data Protection Act (’19), effective 31May’21, but a decree postponing enforcement until 1Jun’22 has been issued. Implementing regulations are still being issued.

Data Privacy Authority: Personal Data Protection Committee to be established.  No Discovery.  Class action suits enabled for data subjects.

Restrictions on Collecting, Handling, and/or Transporting Personal Data: Data controllers must rely on a legal basis, such as consent, legitimate interest or contractual necessity. Explicit consent is required for sensitive data. Transfer out of Thailand is permitted only with consent or under another exception in the Act; guidelines on adequate-protection destinations are still to be set.

Individual Query/Modification/Deletion/Portability Right: Yes

Cross-Border Application: Yes – applies to anyone outside Thailand offering goods or services to data subjects in Thailand or monitoring their behaviour in Thailand.

Breach Notification:  Yes, though details are still being determined.

Preventative Obligations Required: Yes – ‘appropriate security measures’ are required

Other Comments:  Local Data Privacy Officer in Thailand required in certain instances.

Penalties: Administrative fines up to THB5M (approx. US$150k); criminal penalties up to THB1M and/or 1 year imprisonment. Punitive damages may be up to twice the actual damages.

Local SPB DP/Cyber Team:  Scott Warren (Regional), Local Counsel


VIETNAM

Name of Law:  Law on Cybersecurity (passed 12Jun’18), took effect 1Jan’19. A draft personal data protection decree has been out for public comment since 2’21.

Data Privacy Authority: Ministry of Information and Communications/Ministry of Public Security.  Ministries may investigate. No civil discovery.

Restrictions on Collecting, Handling, and/or Transporting Personal Data: Requires consent and a published data protection policy.

Individual Query/Modification/Deletion Right:  Yes; the controller must compensate for any damage caused.

Cross-Border Application: Applies to PD in or out of Vietnam if it relates to data subjects in Vietnam or Vietnamese nationals. Transfer to another entity requires consent.

Breach Notification:  No

Preventative Obligations Required: requires an adequate level of protection and technical standards.

Data Localization: applies to services provided over the internet concerning Personal Data, users’ relationships or other data created by users in Vietnam. Requires a branch or representative office in Vietnam.

Other Comments:

  • Broad State Secrets definition with many regulations. State Secrets include any important content relating to politics, defense, security, economy, science, technology, or other subjects designated by the government.
  • Localization detail: only applies to entities providing e-commerce, social network (SNS), online gaming and email services, or others that analyze Personal Data about users in Vietnam.
  • A foreign entity within that scope must:
    • Establish an office in Vietnam;
    • Store the personal information of Vietnamese users and “other important data” in Vietnam;
    • Perform a security assessment prior to any cross-border data transfer; and
    • Bring its technology products involving cyber services into compliance with “quality assurance” standards before they can be released to the market.
  • Domestic entities must maintain at least one server in Vietnam.
  • Implementing decrees are still awaited.
  • The Law prohibits any activity that could disrupt national security or public order or adversely impact the reputation of any organization or individual.

Penalties: up to VND50M (approx. US$2,000) per individual and/or 3 years’ imprisonment.

Local SPB DP/Cyber Team: Scott Warren (Regional), Local Counsel