Pending Data Protection and Security Laws At-A-Glance: APAC

In our continuing quest to provide a global overview of cyber-related legislation and regulation we have focused on the latest laws protecting PII in the United States, Regulation through Global Data Protection and Security Laws, and APAC Data Protection and Security Laws. This is an overview of 3 soon-to-be-enacted regulations that will change the APAC data privacy legal landscape.

CHINA

On June 1, 2021, the National Standard of Information Security Technology – Guidelines on Personal Information Security Impact Assessment will go into effect. According to global law firm Detons, “The Guidance aims to guide the assessment of the potential impacts on individuals’ rights and interests as well as the effectiveness of security protective measures adopted when carrying out personal information processing activities, which is similar to the data protection impact assessment (“DPIA”) under the EU General Data Protection Regulation (GDPR).”

Draft PIPL

On October 21, 2020, a draft PRC Personal Information Protection Law (Draft PIPL) was published for review. Similar in many ways to GDPR, the PIPL, if passed, will require:

• Organizations outside China that fall within the PIPL’s scope are required to appoint representatives or establish entities within China responsible for the protection of personal information.
• Personal Information Processors are required to perform and maintain a record of risk assessments where processing activity may have a significant impact on individuals, including international transfers of personal information, processing of sensitive personal information, automated decision-making, and disclosure of personal information to third parties.
• That the processing of personal information must be lawful. In other words, there must be a legal basis for processing data such as consent.
• Individuals are informed that processing is happening, to restrict or object to the processing of their data, and to obtain a copy of, update, or delete their information.

Furthermore, it outlines strict requirements for international transfers of personal information. In addition, penalties for noncompliance have yet to be finalized but are so far rather austere. Proposed sanctions include the suspension of business activities and revocation of business permits or licences, the “blacklisting” of companies and fines up to 5% of a company’s yearly earnings. 

JAPAN

On June 5, 2020, the Japanese legislature passed several amendments (“Amendment Act”) to the Act on Protection of Personal Information of Japan (“APPI”) created to expand protections for personal data and impose new obligations on all businesses that use personal data for business purposes, including non-profit organizations.

Slated to go into effect the spring of 2022, one of the major changes it will bring about are new provisions expanding an individual’s rights to require the deletion or disclosure of personal information (‘PI’):

• where there is a possibility of violating the data subject’s rights or legitimate interests.
• in the event of a breach of the APPI via transfer to a 3rd party.
• to include short-term data which is kept for 6 months or less; and
• allowing the data subject to request the format of the disclosure of their data, including in a digital format.

India

Inspired by GDPR, India’s Personal Data Protection Bill (PDP) was introduced to overhaul India’s current data protection regulations outlined in the Information Technology Act of 2000. As that act was mainly concerned with ensuring the legal recognition of e-commerce within India, it does not include specific legislation on data protection aside from establishing the right to compensation for improper disclosure of personal information.

According to the bill’s preamble, the goal of PDP is to “create a collective culture that fosters a free and fair digital economy, respecting the informational privacy of individuals, and ensuring empowerment, progress and innovation through digital governance and inclusion.” Similar to GDPR, PDP establishes data privacy as a fundamental right and calls for the creation of an independent new regulatory authority, the Data Protection Authority (DPA), to carry out this law. 

In terms of how PDP and GDPR differ, you can find a comprehensive comparison of the two laws here. In summary though, the differences can be boiled down into 3 key areas:

• India’s central government retains the power to exempt any government agency from the bill’s requirements for reasons such as national security.
• The government now has the right to order firms to share any of the non-personal data they collect with the government.
• Personal and sensitive data must be stored and processed in India. Though there are exceptions to these rules, PDP’s restrictive regulations pose a number of challenges for organizations looking to do business in India and are, therefore, one of the most hotly contested provisions in the bill. 

Though DLA Piper expects the law to go into effect in late 2021, other legal experts aren’t so sure. Ongoing backlash pertaining to a number of its more restrictive provisions have resulted in multiple revisions and delays.  In addition to the issues surrounding data localization mentioned before, the bill “has also attracted criticism on various grounds such as the exceptions created for the state, the limited checks imposed on state surveillance, and regarding various deficiencies in the structures and processes of the proposed Data Protection Authority,” according to The Hindu.