Navigating Data Protection in the Asia-Pacific Region

Your inquiry met with our response, and in this article, we will delve into the Data Protection Laws of the APAC region. In August 2023, India passed the Digital Personal Data Protection Act (DPDP), a significant law for data protection globally. This comes as part of a broader trend in the Asia-Pacific region, where countries like China, Indonesia, Sri Lanka, and Vietnam have also enacted comprehensive data privacy regulations in recent years.

Inspired by GDPR, Brazil’s LGPD, and California’s CCPA, these laws grant citizens data rights and impose measures like extraterritorial processing and breach notifications. However, these regulations have notable differences, with China’s PIPL emphasizing data sovereignty and localization, contrasting with India’s DPDP, which avoids such requirements.

The move towards greater data transparency supports market growth while respecting data rights and corporate responsibilities, making Asia-Pacific an important region for businesses to monitor regarding data privacy regulations.

GDPR: The General Data Protection Regulation

The General Data Protection Regulation (GDPR) is a robust data protection law established by the European Union (EU) to harmonize and fortify data privacy rights for individuals within the EU and European Economic Area (EEA).

GDPR aims to empower individuals with greater control over their personal data and sets clear obligations for organizations that collect store, and process such data. It ensures personal data is handled securely and transparently, safeguarding individuals’ privacy rights.

Geographically, GDPR applies to all EU member states and extends its reach to the EEA, encompassing Iceland, Liechtenstein, and Norway. It also impacts organizations outside the EU/EEA that process the personal data of individuals within these regions.

GDPR has inspired global data protection laws and standards, serving as a blueprint for similar regulations in various countries and regions. Examples include the CCPA? or California Consumer Privacy Act in the United States, Canada’s PIPEDA or Personal Information Protection and Electronic Documents Act, Brazil’s General Data Protection Law (LGPD), and the Data Protection Act 2018 in the United Kingdom.

These laws reflect GDPR’s core principles, emphasizing individual rights, data minimization, transparency, accountability, and breach notification requirements. They signify a global movement towards more robust data protection measures to uphold privacy in our increasingly digital world.

California: Privacy Rights Act

California’s landmark California Consumer Privacy Act (CCPA), enacted in 2018, is a pioneering data protection law in the United States. The CCPA addresses many data privacy concerns and applies to online and offline personal information, setting it apart from other state-level privacy laws.

Key features of the CCPA include:

• Comprehensive Data Rights: Californian consumers are granted extensive data rights, including access, deletion, and opt-out of the sale of their personal information.
• Scope: The CCPA applies to businesses that meet specific criteria, including those with annual gross revenues exceeding $25 million or those that buy, receive, or sell the personal information of 50 thousand or more consumers, households, or devices.
• Consumer Protections: The CCPA imposes obligations on businesses to provide transparent privacy notices, honor consumer rights, and refrain from discriminating against consumers who realize their privacy rights.
• Opt-Out of Sale: Consumers can opt out of selling their personal information to third parties.
• Enforcement and Penalties: The California Attorney General enforces the CCPA, and violations can result in fines and penalties.
• California Privacy Rights Act (CPRA): Building upon the CCPA, the CPRA (passed in 2020) introduces additional consumer rights and imposes stricter business obligations. The CPRA is a law that enhances and amends the California Consumer Privacy Act (CCPA). Approved by California voters as Proposition 24 in November 2020, the CPRA expands privacy rights and imposes stricter obligations on businesses handling personal information.

The CCPA represents a significant step toward strengthening consumer privacy rights in the digital age. Its influence extends beyond California, serving as a model for other states and contributing to ongoing discussions surrounding federal data privacy legislation in the United States. The law underscores California’s commitment to advancing consumer privacy protections and holding businesses accountable for responsible data practices.

India: Digital Personal Data Protection Act

India’s DPDP, enacted in August 2023, marks a significant addition to Asian data protection laws after a six-year journey toward comprehensive regulation. Despite opposition, this legislation is a milestone for both India and data privacy.

Unique features of the DPDP include abandoning traditional terms like “data subject” and “data controller” and focusing solely on digital information. Here are the key highlights of the DPDP:

• Equal Coverage: Applies to both public and private entities within India, including foreigners.
• International Data Flows: Allows unrestricted international data transfers.
• Data Rights: Includes access, correction, erasure, consent withdrawal, grievance redressal, and proxy nomination.
• Missing GDPR-like Rights: Lacks certain rights such as data portability similar to GDPR.
• Protection for Children: Specifically safeguards minors (under 18) against targeted advertising.
• Compliance Requirements: Mandates independent audits and periodic Data Protection Impact Assessments (DPIAs).
• Penalties: Noncompliance fines range from USD 120 to approximately USD 30 million.

India’s DPDP is a noteworthy addition to global data protection frameworks, emphasizing digital privacy while addressing unique regulatory needs.

Vietnam: Decree on the Protection of Personal Data

Vietnam’s Decree No. 13/2023/ND on Personal Data Protection, passed in 2023 and effective immediately from July 1, 2023, follows two years of public consultations and governmental negotiations to finalize the law.

This regulation includes data localization provisions. Both Vietnamese and foreign corporations are subject to compliance, and international data transfers require individual consent, completion of an impact assessment, and submission to the Ministry of Public Security. Due to cross-border data transfers, global corporations entail frequent Data Protection Impact Assessments (DPIAs).

In addition to data localization and sovereignty principles, the Decree includes the following key points:

• Personal Data Classification: Differentiate between Personal and Sensitive Personal Data without separate handling mandates.
• Data Subject Rights: These include the right to know, consent, access (within 72 hours), correct, delete, restrict, object, withdraw consent, and claim damages.
• Explicit Consent: Requires explicit and verifiable consent; silence or non-response does not indicate consent. Consent and privacy notices must transparently explain data processing implications.
• Data Breach Reporting: Mandates reporting to the Ministry of Public Security within 72 hours of a data breach.
• Duties on Data Subjects: Introduces loosely defined requirements for individuals to protect their own data, making Vietnam unique alongside India in imposing duties on individuals, albeit with limited explanation.

Vietnam’s Decree establishes a robust framework for personal data protection, emphasizing consent, transparency, and prompt breach reporting while introducing innovative aspects such as duties on data subjects.

China: Personal Information Protection Law

China introduced the Personal Information Protection Law (abbreviated PIPL) in late 2021, replacing a complex array of data privacy laws with a comprehensive framework. Effective since November 1, 2021, PIPL stands out among recent Asian data protection laws for its distinct approach compared to the GDPR.

While PIPL grants individuals rights to access, correct, delete, and port their data, its focus leans more towards regulatory oversight rather than progressive data rights and corporate responsibility. Key features of PIPL include:

• Definition of Personal Information (PI): Encompasses any recorded data linked to an identifiable person in China, excluding irreversible anonymized data.
• Sensitive Personal Information (SPI): Includes biometric data and other information deemed potentially harmful if misused, subject to additional restrictions and protections.
• Exemptions for Personal/Family Matters: Certain provisions exempt personal information processed for personal or family matters.
• Data Localization: Some data must be stored within China, although limited transfers abroad are permitted under specific conditions.
• Opt-Out Requirements: Mandates opt-out options for targeted ads and automated decision-making processes.
• Organizational Obligations: Organizations must appoint a Data Protection Officer (DPO), conduct regular audits and Data Protection Impact Assessments (DPIAs), and promptly report data breaches to relevant authorities.

China’s PIPL establishes a stringent regulatory framework for personal data protection, emphasizing data localization, transparency in data processing, and organizational accountability through mandatory appointments and compliance measures.

Japan: Act on the Protection of Personal Information

Japan’s Act on the Protection of Personal Information (abbreviated APPI) was initially enacted in 2003, marking one of Asia’s earliest data protection laws. Since then, the Japanese Parliament has continuously monitored data privacy concerns, leading to significant amendments, including a notable update in mid-2022.

The recent changes to APPI introduced several key adjustments:

• Expanded Scope: The law now applies to any business handling the personal data of Japanese individuals, regardless of their location.
• Consent for Data Transfers: Businesses must obtain opt-in consent from individuals or establish protective measures before transferring personal data outside Japan.
• Sensitive Data Category: A new category called “special care-required personal information” includes data like sexual orientation, religion, race, and health status, requiring prior consent for collection or use, akin to GDPR principles.
• Personal Related Information: This category covers data related to individuals but not strictly personal (e.g., cookies, IP addresses). While consent is not required for collection, companies must provide a privacy policy.
• Data Breach Reporting: Companies must report to the Personal Information Protection Commission breaches involving sensitive data, unjustly collected data, or data affecting over 1,000 individuals.
• Penalties: The updated law introduces higher penalties, with maximum fines reaching $930,000 for fraudulent data leaks or employee misuse.

These changes demonstrate Japan’s ongoing commitment to enhancing personal data protection, aligning with global privacy standards like GDPR, and strengthening penalties to deter data breaches and misuse. The amendments reflect Japan’s proactive approach to adapting data protection laws to evolving technological landscapes and emerging privacy challenges.

Indonesia: The Personal Data Protection Law

Indonesia’s Personal Data Protection Law, passed in late 2022, represents the nation’s first comprehensive legislation governing digital and non-digital data departure from India’s DPDP, which solely addresses digital information.

Scheduled to take effect in October 2024, the PDP Law aligns closely with international data privacy standards, drawing significant inspiration from the GDPR. Key provisions of the law include:

• Comprehensive Data Rights: Individuals in Indonesia are granted extensive data rights, including the right to initiate legal action for privacy breaches.
• Cross-Border Data Transfers: The PDP Law permits cross-border data transfers under certain conditions.
• Corporate Obligations: Companies must conduct Data Protection Impact Assessments (DPIAs) and appoint Data Protection Officers (DPOs).
• Penalties for Violations: Law violations carry monetary penalties and potential imprisonment (4-6 years), profit seizure, damages payments, and other sanctions against corporations.
• Establishment of Data Protection Authority: A dedicated Data Protection Authority will oversee law enforcement.

Specific regulations apply to different sectors:

• Telecommunications: Prohibits unauthorized tapping and mandates the confidentiality of transmitted information.
• Public Information: Public bodies are restricted from freely disclosing personal information such as medical or financial records.
• Banking and Capital Markets: Banks must obtain approval from the Indonesian Financial Services Authority for transferring customer data outside Indonesia.

Indonesia’s Personal Data Protection Law signifies a significant step toward enhancing data privacy. It introduces comprehensive individual rights and stringent obligations for businesses across various sectors. The law reflects Indonesia’s commitment to aligning with global data protection standards and fostering a robust data privacy ecosystem.