Covid-19 Has Not Stopped Regulators Progressing on Data Privacy Laws
This article covers the key latest data privacy regulations for China, Hong Kong, Japan, South Korea and Singapore in 2020.
(Original article at: https://www.sia-partners.com/en/news-and-publications/from-our-experts/covid-19-has-not-stopped-regulators-progressing-data-privacy)
More stringent Data Privacy regulations are on the horizon Although government agendas have been heavily modified over the course of 2020 due to the COVID pandemic, a few APAC countries have made significant progress and updated their local data privacy laws.
The APAC region remains a challenge for organisations, to keep up with the different updates from many locations but also to create a regional framework and monitor the data privacy implementation. This patchwork of different regulations also brings out stakes to standardize the operations, in particular for sharing personal information across borders. The latest trends in regulations define a tendency to strengthen the regulatory framework but also to align them with GDPR concepts. Numerous local regulations on personal data have recently been updated to be more aligned with the current risks, ensuring better protection of data subjects or a mandatory data breach notification.
China On July 3, 2020, the National People’s Congress released the first draft of the Data Security Law. The Draft Law will then proceed through at least two additional drafting rounds before going to a vote. Although the timing of these next steps is difficult to pinpoint, many analysts predict that the law could be passed by the end of 2020. CRITICAL DATA CLASSIFICATION The Draft Law stipulates that data should be categorized according to potential harms to national security or the public interest. Authorities are expected to create catalogs of critical data, and entities that process those data are expected to designate data security managers to implement additional measures for critical data. EXTRATERRITORIAL SCOPE The Draft Law introduces extraterritorial jurisdiction over foreign entities that engage in data activities inside and outside of China that harm national security or the public interest, and empowers the state to adopt countermeasures against countries that impose restrictive or discriminatory trade and investment safeguards against China. A REVIEW SYSTEM FOR DATA ACTIVITIES A data security review system will be established to examine any data activities that may be deemed to pose risks to national security. The Draft Law does not specify the criteria on which the review will be based. INCREASED SANCTION THRESHOLD Individuals and entities involved in data activities that violate the Law can be fined up to 1 million RMB for failing to correct their behavior.
Hong Kong On January 2020 the Office of the Privacy Commissioner for Personal Data (PCPD) published a Review Paper with proposed amendments of the Personal Data (Privacy) Ordinance (PDPO). THE BREACH NOTIFICATION REQUIREMENT Proposing a mandatory data breach notification mechanism, which would require data users to notify the PCPD and relevant data subjects of data breach incidents. DATA RETENTION POLICY Considering to expressly require the personal data policy of data users to include a data retention policy, so that data users must ensure that the persons concerned are clearly informed of the details of the retention policy. SANCTIONING POWERS Exploring the feasibility of introducing an administrative fine linked to the annual turnover of the data user. REGULATION OF DATA PROCESSORS Imposing legal obligations on them or sub-contractors. For instance, data processors may be required to be directly accountable for personal data retention and security. DEFINITION OF PERSONAL DATA Expanding the definition of “personal data” under the PDPO to cover information relating to an “identifiable” DISCLOSURE OF PERSONAL DATA OF OTHER DATA SUBJECTS Conferring on the Commissioner statutory powers to request the removal of doxxing content from social media platforms or websites, as well as the powers to carry out criminal investigation and prosecution.
Japan Japan has recently started to revise its data privacy law, the Act on the Protection of Personal Information (APPI). The new guidelines are expected for public comment by 2021 and the amendments should become fully enforceable in 2022. BREACH NOTIFICATION REQUIREMENT Companies are required to notify the individual and Personal Information Protection Commission (PPC) as soon as possible through a preliminary report, especially if the breach potentially impacts the violation of individual rights and interests. A second report should follow with more detailed information on the breach and the remediation plan. INCREASED SANCTION THRESHOLD The limits on fines for violations of the Act on the Protection of Personal Information will be increased. For companies, the new threshold has been set at 100 million yen. EXTRATERRITORIAL SCOPE This new amendment clearly defines the scope of the regulation by indicating that the obligations and penalties apply to entities outside of Japan and include entities that process an individual's personal data in Japan. PSEUDONYMIZATION WITHOUT CONSENT Other improvements of this amendment are about expanding the pseudonymization concept to allow transfer to third parties without consent if the data is pseudonymized when handled by the third party.
South Korea In January 2020, the national legislature of South Korea passed a set of amendments on various laws related to the protection of personal data. The Personal Information Protection Act (PIPA), the Network Act and the Credit Information Act have been modified and changes are expected to be implemented by companies in the coming months. PSEUDONYMIZATION WITHOUT CONSENT It allows the processing of pseudonymized information without the consent of the data subject for purposes including statistical compiling, scientific research, and record preservation in the public’s interest. CENTRAL ROLE OF PIPA AND PIPC Transfer of the personal information-related provisions in the Network Act to the PIPA. The Personal Information Protection Commission’s (PIPC) becomes the sole supervisory authority responsible for the enforcement of the PIPA. MEASURES FOR PERSONAL CREDIT INFORMATION Amendments to the Credit Information Act include similar provisions as of the PIPA (e.g. pseudonymization). In addition, it introduces the concept of MyData services (to allow individuals to conduct integrated searches of their own credit information) and specific rights to credit information subjects (e.g. right to transmit their personal credit information to other financial companies).
Singapore The Personal Data Protection Bill was recently introduced in early October with amendments of the Personal Data Protection Act. The enforcement of the Bill is expected in the next few months. BREACH NOTIFICATION REQUIREMENT A mandatory data breach notification must be sent to the authority within 72 hours after detecting the breach. The organization has 30 days to complete an investigation. INCREASED SANCTION THRESHOLD The bill enhances the financial penalties for breaches to up to 10% of the offending organization’s annual turnover or SGD 1 million (whichever is higher). CONSENT The bill expands the scope of deemed consent under two specific circumstances (“contractual necessity” and “notification and opt-out”). Two new exceptions for consent collection are also introduced (“legitimate interests” and “business improvement”). DATA PORTABILITY The bill introduces a new data portability right for the individual, giving the ability to request the transmission of data to other third parties. ANTI-SPAM The bill is tightening anti-spam laws to cover unsolicited messages over instant messaging accounts. The DNC (Do Not Call) provisions will prohibit the sending of messages to telephone numbers obtained through dictionary attacks and address harvesting software.
Where can Sia Partners help?
With nearly 100 data privacy projects already delivered, Sia Partners has a strong understanding of both the regulations and the challenges when implementing them. Sia Partners also has an experienced team with complementary profiles and a global coverage. The main area where Sia Partners can support your company are: Maturity Assessment
Make an inventory of personal data processing activities to be implemented in the record of processing activities
Assess the maturity level of the company with data privacy regulations using Sia Partners’ tool
Develop an action plan (structuring of the work to be done and list of actions for each theme)
Support Data Privacy projects with strong project management capabilities
Perform compliance actions on all identified workstreams (information, consent, contracts, etc.)
Perform project switches from project mode to BAU mode
Data Protection Officer Support
Provide recommendations on complex issues
Represent your company in dealings with third parties
Perform the BAU work and animate the data privacy network inside the company
Define both training and communication plans
Carry out training actions (e-learning, in-class, blended learning, microlearning, etc.)
For more information please contact email@example.com