A stricter regime for profiling07 June 2016
2015: The Turning Point for Data Privacy Regulation in Asia?
The past year saw a number of significant regulatory developments, in particular the implementation of new, comprehensive "European-style" privacy laws in Singapore and Malaysia, the amendment of China's consumer protection law to include data privacy principles and increased financial penalties in South Korea.
Equally importantly, there were significant data security and data privacy breaches and enforcement actions across the region in 2014, with privacy mishaps consistently featuring in Asian headlines as they have elsewhere in the world. These developments have meant immediate consequences in the form of regulatory action, sanctions and adverse publicity for those investigated or found to be on the wrong side of the law. These high profile incidents are also proving to have a broader impact by raising public awareness of privacy issues to levels never before seen and emboldening regulatory authorities to pursue complaints more aggressively and issue more prescriptive technical guidance directed at achieving compliance.
Turning to developments in specific countries:
Perhaps against expectation, a rapid sequence of legislative reforms in recent years have shown a serious resolve by China to move the country towards a more comprehensive data privacy regime.
In 2014, the scope of legislative reform continued to have its primary focus on the protection of consumers' online data, beginning in January with the State Administration for Industry and Commerce issuing its "Measures for the Administration of Online Transactions" addressing a range of e-commerce and m-commerce issues, including new more specific controls relating to transaction data. In March, data privacy principles were enshrined in the country's consumer protection law, taking China much closer to a comprehensive approach to regulation.
The seriousness of China's commitment to privacy law was demonstrated in the high profile prosecution of the principals of the ChinaWhys business investigation service, culminating in the sentencing in August of Peter Humphrey to two and a half years' prison time for offences relating to the sale of illegally obtained personal information.
As electronic and mobile commerce and social media continue their explosive growth in China through 2015, we expect data privacy to continue to register in China's headlines and policy initiatives.
Hong Kong's Privacy Commissioner for Personal Data is very much an activist regulator. He publicly comments on developments in privacy law abroad and continues to press for wider ranging regulation enforcement powers under the PDPO. This activist approach continued throughout 2014. In February, the Commissioner published his "Privacy Management Programme: A Best Practice Guide" that urges a comprehensive, "top down" approach to company data privacy policies and procedures that represent a significant step change to many companies' approach to compliance. Later in the year he applied significant focus to the financial services industry and data processing by mobile apps and argued for an expansion of the "Do Not Call" registry to include live calls. In December, he initiated an open letter to seven of the world's leading app marketplaces calling on them to make app privacy policies available to users prior to downloading and followed this up with the publication of guidance directed at mobile app developers in Hong Kong.
The Commissioner concluded a busy year with the publication of guidance to businesses exporting personal data from Hong Kong. Hong Kong's section 33 export controls have never been brought into force, so the guidance has been prepared primarily with a view to assisting businesses in preparing for its eventual implementation. It is clear that the implementation of section 33 envisaged by the Commissioner will raise significant compliance challenges for Hong Kong businesses and regional businesses that are hubbed there.
There was much to the wider picture in Hong Kong in 2014. Hong Kong's electoral reform protests raised fresh concerns about government access to data held by ISPs and other service providers and whether additional steps to ensure transparency are needed. We expect to see these issues come to the fore in 2015.
Japan's Personal Information Protection Act (the "PIPA") dates back to 2003 and stands as one of Asia's oldest laws in this area. The last 12 months saw a series of high profile data security breaches and revelations of unlawful sales of personal data in Japan. Japan Airlines revealed the hacking of up to 750,000 individuals' personal data stored on its frequent flyer systems and education services provider Benesse found that its systems had been hacked by a contract engineer who sold up to 20 million customer records. These incidents and mounting public concerns about data privacy have led the Japanese government to propose extensive reforms to the existing law. In 2014, the government announced its outline for revisions to the PIPA and plans to submit the bill to the National Diet in January 2015. The proposed reforms include:
- expanding the definition of "personal data" to include biometric information such as fingerprint data and face recognition data;
- "sensitive" information such as an individual's race, creed, social status and criminal record will be separately protected; and
- an independent authority would be established to enforce the laws and regulations and would be given stronger powers than each industry ministry currently has.
The Japanese courts produced some eye-catching decisions in 2014. In October, the Tokyo District Court ordered Google Japan to remove search results that hinted at a man's relations with a criminal organisation after he complained his privacy rights were violated. The decision echoes a closely watched decision by the European Union’s highest court in May 2014, which found that individuals have a right to ask search engine companies to prevent certain results related to them from showing up - essentially "a right to be forgotten".
Singapore implemented its comprehensive "European-style" Personal Data Protection Act ("PDPA") in two stages in January and July 2014 and has made a "running start" from there, handing down its first fines under the new law in August. Although the fines paid by a tuition agency found to have breached Singapore's "Do Not Call" registry requirements were relatively small (SDG 39,000), the fact that a director faced personal liability as part of the prosecution highlights the authorities' willingness to take the new law seriously. Singapore's new Personal Data Protection Commission has also been very active in taking public consultations about specific requirements under the law and publishing extensive explanatory guidance for businesses and consumers alike.
Singapore's new law has been enacted with some of the stiffest penalties for data privacy offences in the region, with fines of up to S$1 million (USD800,000). It is also clear that the new Commission will be resourced to enforce the law, a view reinforced in November by the announcement that it would be appointing a panel of digital forensic experts to help investigate data security breaches.
There are economic motives informing the new law. Singapore has drawn an explicit link between the implementation of data privacy regulation and its national ambitions to be a leading high tech hub in the region, including in areas such as data analytics. In December, the Infocomm Development Authority launched a "Data Discovery Challenge" that seeks to promote the combination of public and private datasets through a newly created Federated Dataset Registry platform. This initiative also coincided with an announcement by the National Research Foundation of plans to create a 3-dimensional model of the island state by 2017 as part of a "Virtual Singapore" project. The announcements of both of these initiatives made reference to the need to comply with the PDPA.
South Korea has firmly established itself as one of the toughest jurisdictions for data privacy compliance in the world, but perhaps with good reason. The country has had a difficult run of data security breaches, with reports estimating that up to 80 percent of Koreans have experienced the theft of their personal details in the past decade. 2014 saw that trend continue with the hacking of up to 20 million accounts at three separate credit card companies, including the details of South Korean president Park Geun-hye. With reports that the country is seriously evaluating the re-issuing of new national identity card numbers to all citizens over the age of 17, it is clear that South Korea will continue to make data privacy regulation a legislative priority.
Little wonder then that multinational businesses find the data privacy regime in South Korea to be amongst the most challenging in the region to deal with. Provisions of the over-arching Personal Information Protection Act and the IT Network Act (which regulates the collection and use of personal information by any commercial enterprise that sells or markets its goods or services online) are supplemented by sector-specific laws, creating a very difficult compliance environment. The legislation is also backed up with extensive enforcement measures, including provision for data subject class action suits against offenders. South Korea already had Asia's first revenue-based penalties with fines of up to 1% of revenues possible under the IT Network Act. In new measures effective from the end of 2014, those penalties have been increased and fines of up to 3% of all revenues directly or indirectly relating to the breach, may now be imposed. While there have so far been no reported penalties imposed under these latest changes, this month has seen an announcement by the Korea Communications Commission (the "KCC") - the nation’s top telecommunications and Internet regulator - of plans to inspect Google Korea and other leading location-based services providers to assess their compliance.
In a further example of how Asia's law-makers and regulators are increasingly drawing from the example set by their European counterparts, in 2014 the KCC set up a task force to study potential "right to be forgotten" reforms that would make it easier for South Koreans to get their personal information removed from the Internet.
2015 and beyond
2014 saw the "European model" of data privacy regulation grow even more influential in Asia. As "privacy by design", "rights to be forgotten" and other advanced regulatory concepts gain traction, it is clear that law-makers, regulators and courts in the region are becoming more sophisticated in how they address privacy issues, with an unmistakable push towards heavier regulation and more expansive interpretations of existing laws.
We also expect more debate to emerge as 2015 progresses. A number of commentators believe that by enacting increasingly strict data privacy regimes, the APEC member economies are frustrating the purposes pursued in agreeing their 2005 Privacy Framework, the formal impetus for many of the new privacy laws enacted in the region in recent years. The motives for that framework are expressly stated to be economic: the desire to encourage public confidence in e-commerce and in cross-border data transfers. By enacting aggressive regulation, critics say, regional businesses will be de-incentivised to develop and exploit innovative electronic and mobile commerce platforms, engage technology service providers and reap the benefits of consolidated processing centres in high-tech hubs and shared services centres. By enacting national data walls, Asian lawmakers are applying the European model in a manner that is even more restrictive than its European inspiration, which fixes a data wall around the European Economic Area as a whole, but not any individual country within it.
The APEC Privacy Framework was never intended to set a literal template law for member economies to follow – it is a set of guiding principles. Each of the laws discussed in this article are very different from one another in their form, substance and interpretation, reflecting different national legislative agendas, priorities and policy goals and different cultures and experiences. We expect to see a maturing of data privacy regimes in coming years as regulators face some of the same problems, co-operate with one another more, develop trust and, we would hope, move towards greater harmonisation and principles of mutual recognition. These are, however, very early days and we expect 2015 to be an eventful one.
This article was first published in Data Protection Law & Policy in January 2015.
The Regulation aims to strengthen the rights of individuals. It does so by retaining rights that already exist under the Data Protection Directive and introducing the new rights of data...06 June 2016
Grounds for processing03 June 2016