The State of Data Privacy in Asia-Pacific: A map of the regulatory requirements
Data privacy and protection continue to gather attention with each data breach and new regulation. Recent newsmakers include GDPR, Cathay Pacific, and most recently Marriott. Businesses operating in Asia-Pacific face a variety of data privacy laws that can impose significant restrictions on business functions. This article is the first of a two-part series on these laws. First, we will examine the current state of data protection and privacy in ten Asia-Pacific (APAC) markets. The next article will compare and contrast these markets against the GDPR, highlighting key differences and overlap.
In our analysis, we focus on the way companies must handle personal data according to local regulatory requirements, especially when cross-border activities are involved. The main objective is to highlight the differences of each country in terms of constraints and restrictiveness of data disclosure, transfer and storage.
The results are quite interesting. Policy-making leaders such as Hong Kong and Singapore do not impose strict requirements when it comes to processing data or cross-border disclosure and storage. Thailand also shows a low level of restrictiveness, but this is due to limited regulation on data protection or privacy. China and Indonesia present the most restrictive regulatory environments for data and technology. Some aspects of their data regulation remain unclear, so companies apply the most stringent scenarios in order to avoid non-compliance issues.
Classifying each country can be difficult as some regulations are left ambiguous and open to interpretation. In these scenarios, we adhere to the international legal community's assessment of the regulation, its interpretation, and impact.
While countries have been classified with different levels of intensity, all classifications pose challenges. Countries identified as being particularly restrictive require significant intra-country compliance efforts. Those lacking data protection laws will require effort to comply with extra-territorial regulations, like GDPR.
Businesses will have to review each country's regulations in depth to understand the full complexity, but here are some highlights from our research:
Recently, many countries have been taking important steps in data privacy and data protection regulation, including introducing more restrictive rules. This is a consequence not only of GDPR, but also of the changing digital landscape. With increased connectivity, digital services, and mobile content, governments must keep up with fast-evolving trends and ensure protection against growing and sophisticated cyber-crime.
The regulatory landscape remains very heterogeneous in the Asia-Pacific region. This represents an important challenge for multinational companies that operate in different countries. Top management should consider the positive implications of a general harmonization of rules among their different subsidiaries, which would bring higher transparency, simplification, and efficiency in the data management processes. Although the cost of implementing and maintaining such a framework could be significant, the risk of data breach or loss should never be underestimated, with negative impacts not only in terms of law enforcement, but above all in terms of the image and reputation of the company itself.
Stay tuned for our second article in this series, comparing and contrasting “The State of Data Privacy in Asia-Pacific” against GDPR. For more information regarding data privacy and protection in APAC, you can reference previous Sia Partner articles on GDPR, Data Protection, the Cathay Pacific Data Breach, etc.