Carbon Accounting Management Platform Benchmark…
Beyond the pandemic, we continue to witness major changes in the APAC’s data privacy landscape. This year alone, new regulations are expected to be drafted or implemented in APAC countries. With an increasing need for regulation to protect data privacy, what should we expect to change in 2021?
For a look at what has changed in the second half of the year, please read our next installment: A look at APAC Data Privacy Laws in the second half of 2021
In October 2020, the Australian government released an issue paper that outlined current privacy laws and sought feedback on potential issues relevant to reform the Privacy Act 1988 [1].
The review covers the following areas [2]:
The Australian government is currently reviewing the comments received from the consultation, which ended in late November 2020 and plans to issue a discussion paper in 2021 to seek specific feedback on preliminary outcomes [1].
In October 2020, the National People's Congress (NPC) released a draft of the Personal Information Protection Law (PIPL) [3] for public comment. The draft Personal Information Protection Law (“Draft Law”) was open for public consultation until the 19th November, 2020. Once it comes into force, it will be China’s first comprehensive law on the protection of personal data. The legislation is expected to be enacted in 2021.
In January 2020, the Hong Kong Constitutional and Mainland Affairs Bureau published a discussion paper regarding the review of the Personal Data (Privacy) Ordinance (“PDPO”). Nothing has been implemented since then. However, in a recent speech given by the Privacy Commissioner in January 2021, she indicated that the Privacy Commissioner for Personal Data (PCPD) is working closely with the Hong Kong Government in proposing legislative amendments to the PDPO [4].
The discussion paper focuses on areas that have gained traction globally, such as a mandatory data breach notification obligation and Hong Kong specific data privacy issues for example., an increase in doxxing cases [5]. For details of the discussion paper, please refer to our previous article Covid-19 Has Not Stopped Regulators Progressing on Data Privacy Laws [6].
The Information Technology Act, which came into force in 2000, is at present still ruling and governing data protection in India [7].
In 2019, the Personal Data Protection (“PDP”) Bill was introduced into Indian legislature, which will overhaul the personal data protection and regulatory regime in India. There are a number of provisions in the bill that raise significant concerns for some industries, particularly with respect to:
In addition, the bill outlines severe penalties for law violations, corporate liability, and private rights of action, including class actions. The bill is currently under review by a Joint Parliamentary Committee and may undergo significant changes to its current form. The committee’s report has been delayed twice because of the pandemic. The PDP bill is expected to come into effect towards the end of 2021 [8].
In August 2011, a ‘Press Note’ Technology (Clarification on the Privacy Rules) was issued by India’s Ministry of Communications and Information, which stated that anyone outsourcing service providers/organizations providing services relating to the collection, storage, dealing or handling of sensitive personal information, located within or outside India, is not subject to collection and disclosure of information requirements to PDP [8].
The Act on Protection of Personal Information (“APPI”) was amended on 5th June 2020 and will come into force in Spring 2022 [10]. In our previous article, we mentioned some of the key aspects of the Amendment, additional changes are summarized below:
Currently, the APPI provides individuals with the right to request businesses to stop using, or erase, personal data. The Amendment Act expands individual rights to apply when: (i) the business uses personal data in improper ways, (ii) there is no need for the business to use the personal data, (iii) a data breach occurs, and (iv) when legitimate interests of data subjects are interfered with by use of the personal data [11].
The Amendment removes the exemption on any personal data that is deleted within six months, meaning that the data subject rights now apply to personal data regardless of the length of time [11].
The Act narrows the scope of personal data that may be transferred pursuant to the Opt-Out exemption by excluding (i) personal data that is illegally obtained, and (ii) personal data that is provided to the business based on an opt-out provision [11].
Under the Amendment Act, companies engaging in data transfers are required to enter agreements that specifically address the consent requirements and also to disclose the record of the third-party transfer [11].
There are three primary data privacy laws in Korea:
Other than the key changes made to PIPA, which were covered in the previous article, below are the key amendments to the Network Act and the Credit Information Act.
Deletion and Transfer of provisions similar to or overlapping with the PIPA
The amendments to the Network Act remove the provisions which are similar to, or overlapping with, the PIPA so that the general law of PIPA can be prioritised. Among the provisions deleted from the Network Act, those that differ from the PIPA or exist only in the Network Act are transferred to Chapter 6 of the PIPA [13].
To secure credit data protection, the amendments adopt certain provisions under the PIPA with changes appropriate to the financial sector. The Credit Information Act is a special act to the PIPA, meaning that the amended Credit Information applies over the amended PIPA in the case of any conflict between them [13].
The amendment introduces the conceptual framework of pseudonymisation and anonymisation. If a data expert institution designated by the Financial Service Commission (“FSC”) confirms that certain information has been properly pseudonymised or anonymised, such information is deemed to have been processed such that it cannot be used to identify an individual. In addition, as under the amended PIPA, pseudonymised data can be used or provided without the consent of the credit data subject for statistics preparation, research and record preservation for public interest [13].
The amended Credit Information Act allows certain financial service providers to notify the credit data subject solely of a summary of important matters when obtaining the consent of the credit data subject, unless otherwise required by the credit data subject [13].
The amended Credit Information Act enhances the rights of the credit data subject by introducing the right to data portability, the right to object, and the right to be informed concerning automated decision making and profiling [13].
The amended Credit Information Act expands the award of punitive damages for intentional or grossly negligent leakage of credit information up to five times the amount of compensatory damages.
For our 2020 updates on data privacy laws in China, Hong Kong, Japan, South Korea and Singapore, please refer to our previous article Covid-19 Has Not Stopped Regulators Progressing on Data Privacy Laws [6]
With nearly 100 data privacy projects already delivered, Sia Partners has a strong understanding of both regulations and challenges faced when implementing them. Sia Partners also has an experienced team with complementary profiles and global coverage.
For details of our offerings, please visit our Data Privacy page.
References
[1] Australian Government Attorney-General’s Department - Review of the Privacy Act 1988
[2] Australian Government Attorney-General’s Department - Privacy Act Review Issues Paper
[3] The Personal Information Protection Law of the People 's Republic of China
[5] Legislative Council Panel on Constitutional Affairs: Review of the Personal Data (Privacy) Ordinance
[6] Covid-19 Has Not Stopped Regulators Progressing on Data Privacy Laws
[7] The Personal Data Protection Bill, 2019: All You Need to Know
[8] Data Protection Laws of the World
[9] Transformation of Data Landscape in Asia
[10] Personal Information Protection Commission
[12] Personal Data Protection Laws in Korea
[13] Amendments to Three Data Privacy Laws in Korea and the Implications