Data Protection and Security Laws At-A-Glance: APAC

Here is a quick guide to how Australia, China and South Korea approach data privacy regulations, links along with top-level insight on key principles of each law as well as similarities and differences to GDPR:

Australia

The Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs) are Australia’s cornerstone data privacy and protection regulations. These “principles-based” and “technology neutral” laws govern standards, rights and obligations around:

• The collection, use and disclosure of personal information.
• An organization or agency’s governance and accountability.
• Integrity and correction of personal information.
• The rights of individuals to access their personal information.

Unlike GDPR, these regulations only apply to:

• An Australian or Norfolk Island government agency (including ministers, courts and government departments).
• An Australian business with a turnover of more than $3 mn AUD.
• An Australian business with a turnover of less than $3 mn AUD that:
• Trades in personal information,
• Provides health services, or
• Has opted-in to be bound by the APPs.

Since the APPs were enacted in 1988, these regulations have been amended numerous times to enhance protections around consumer data. For example, an amendment was added in 2019 that requires APP entities to provide users access to any personal information it might have on them. In addition, if a business holds inaccurate or out-of-date personal information about an individual, it must correct this information on request. 

The business cannot charge for these services and it must respond within a "reasonable period." Those that fail to do so can be subject to fines. 

Since May 2020, the Privacy Act has been under parliamentary review. Though how the act will be reworked and what new legislation will be added is still unknown, legal experts expect changes to include:

• Strengthening of notification and consent obligations on organizations when collecting personal information in an effort to increase transparency around data use. 
• Shifting the burden of improving privacy from consumers to organizations themselves, in the form of greater fairness and accountability requirements.
• Granting individuals the direct right to litigate a breach of their privacy under the Privacy Act was agreed in-principle by the Government in response to the DPI Report recommendations.
• The adoption or development of an independent certification scheme for privacy compliance for overseas data flows.
• Expanding the scope of legislation to apply to employee records and small businesses.

In addition to commonwealth regulations, most of Australia’s states and territories have their own data protection laws in place, notable exceptions being Western Australia and South Australia. These acts include:

• Information Privacy Act 2014 (Australian Capital Territory)
• Information Act 2002 (Northern Territory)
• Privacy and Personal Information Protection Act 1998 (New South Wales)
• Information Privacy Act 2009 (Queensland)
• Personal Information Protection Act 2004 (Tasmania)
• Privacy and Data Protection Act 2014 (Victoria)

China

In June of 2017, the People's Republic of China (PRC) enacted it’s first data privacy and cybersecurity law, the PRC Cybersecurity Law. Comprising 79 articles in seven chapters, this comprehensive set of regulations covers everything from security requirements for network operators to critical information infrastructure safeguards.

As it pertains to personal information protections, Cybersecurity Law dictates:

• Network product and service providers that collect users’ information are required to inform and obtain consent from the users.
• Network operators are required to collect and use personal information in a legal and proper manner.
• Individuals and organizations must not steal or use other illegal means to obtain personal information
• Network operators must gather and store personal information in accordance with the Law, administrative regulations and their agreements with users.
• Network operators must not disclose, tamper with or destroy collected personal information.
• In an instance where a network operator has violated the Law’s provisions, individuals have the right to request the operator to delete their personal information.
• Departments with legal responsibilities for cybersecurity supervision must ensure that all personal information obtained is kept confidential.

In October of 2020, PRC’s updated Personal Information Security Specification (GB/T 35273-2020) (PI Specification) went into effect. This new voluntary code of conduct outline guidance pertaining to:

• Personal Sensitive Information
• Consent
• Multiple Business Functions
• User Profiling
• Personalized Display
• Third-Party connection management
• PI protection personnel and department
• Personal biometric information
• PI processing record

South Korea

Since enacted in 2011, South Korea’s Personal Information Protection Act (PIPA) has remained one of the strictest and most comprehensive sets of data privacy regulations in the world. Similar to GDPR, it protects privacy rights from the perspective of the data subject and it is comprehensive, applies to most organizations (even government entities) and those who violate these standards face heavy penalties such as substantial fines and even criminal charges. 

Key principles of the act include:

• Transparency & Lawfulness- The personal information processor is obligated to clearly communicate processing purposes and, in a lawful manner, only collect minimum personal information 
• Purpose limitations - personal information can be used only for the purposes specified to the data subject in any applicable consent
• Data minimization - A personal information processor should collect only the minimum amount of personal information necessary for the purposes specified to the data subject.
• Retention - processor shall inform the data subject of the duration of data retention when obtaining consent for processing as well as make efforts to process personal information in anonymity, if possible. Data must be stored and managed in a safe, secure manner.
• Harm prevention - the dictates that state and local governments shall devise policies to prevent harmful consequences of beyond-purpose collection (i.e. abuse and misuse of personal information).

In addition to PIPA, South Korea has also released “Guidelines for De-identification of Personal Data.” Though these guidelines are not legally binding, they do shed light on how laws and regulations are likely to be interpreted in practice.