Asia, in its vastness and complexity, doesn’t lend itself to a continental overview. In this post, we’ll look at the Asia-Pacific Economic Cooperation (APEC) member states and move on to the major economic powers.
Even so, we will certainly not be able to cover every single country in Asia. For deeper, country-specific investigations, our two top recommendations are to start with the IAPP and then look at the international law firm DLA Piper’s compendium on “Data Protection Laws of the World.”
Privacy is the very essence of human existence. One wonders why the Indian Supreme Court took so long to reach that conclusion.
–Kalyan C. Kankanala, Fun IP: Fundamentals of Intellectual Property
Let’s begin with APEC’s 21 member economies (APEC says “economies” rather than “countries,” since Hong Kong and Chinese Taipei are not states). These are: Australia, Brunei Darussalam, Canada, Chile, China, Hong Kong, China, Indonesia, Japan, Malaysia, Mexico, New Zealand, Papua New Guinea, Peru, The Philippines, Russia, Singapore, Republic of Korea, Chinese Taipei, Thailand, The United States, and Vietnam.
APEC adopted its voluntary Privacy Framework in 2004. In 2011 it added the Cross-Border Privacy Rules (CBPR) system, which layers a certification process on top of the Framework. CBPR requires a business to develop and maintain data privacy policies in line with the APEC Privacy Framework; once those are in place, the business applies for certification through an APEC-recognized Accountability Agent in its economy. The certified policies must also be enforceable under local law.
APEC has been careful not to step on the toes of regional legal jurisdictions: the Privacy Framework and CBPR defer to local law and instead set a baseline that is met voluntarily and certified locally. Because certification has to be backed by local enforcement, an economy must itself join the CBPR system (with a privacy enforcement authority that participates in cross-border enforcement cooperation) before businesses located there can certify, so there is an economy-level component on top of the business-level one. In effect, CBPR sets up something analogous to the old EU-US Privacy Shield: a framework for cross-border enforcement of privacy commitments.
What’s the bottom line for your business? If you are doing business in any of the APEC member countries, then it is in your best interest to be CBPR-certified. Remember, though, that this will not be enough. You must dive deeper into each country’s specific privacy laws and figure out exactly how they affect your business. Below, we’ll examine the local legislation for the top three Asian economies (as ranked by purchasing power parity/gross domestic product): China, India, and Japan. Then we’ll close by looking into Australia’s privacy regulations.
Asia data privacy laws
China passed the Cybersecurity Law of the People’s Republic of China in late 2016. It was quickly followed by several guidelines, the three most important being:
- The Personal Information Security Specification (GB/T 35273) from the National Information Security Standardization Technical Committee (TC260);
- The Guidelines on Personal Information Security Impact Assessment (at the time a draft national standard in the Information Security Technology series); and, most recently,
- The Guidelines on Internet Personal Information Security Protection.
The Cybersecurity Law was the first attempt to coalesce the hundreds of laws, rules, regulations, guidelines, and “strong suggestions” governing the protection of personal information in China. The Personal Information Security Specification is the closest thing to GDPR that China has so far, albeit with a somewhat unfortunate abbreviation, and without establishing a clear individual right to privacy. Below, you’ll find relevant excerpts from both the law and the Personal Information Security Specification.
The Cybersecurity Law and these guidelines cover mainland China only, excluding Hong Kong, Macau, and Taiwan, each of which has its own regime: Hong Kong’s Personal Data (Privacy) Ordinance (PDPO) dates from 1996 and is one of the earliest data privacy laws in the region; Macau has its Personal Data Protection Act of 2005; and Taiwan has had its own Personal Data Protection Act since 2010.
According to articles 1 and 2 of the Cybersecurity Law:
Article 1: This Law is formulated in order to: ensure cybersecurity; safeguard cyberspace sovereignty and national security, and social and public interests; protect the lawful rights and interests of citizens, legal persons, and other organizations; and promote the healthy development of the informatization of the economy and society.
Article 2: This Law is applicable to the construction, operation, maintenance, and use of networks, as well as to cybersecurity supervision and management within the mainland territory of the People’s Republic of China.
Meanwhile, the Guidelines on Internet Personal Information Security Protection frame their aim as protecting data collected by “personal information holders,” defined as any entity that “controls and processes personal information.” Note that the Guidelines do not distinguish controller from processor; the obligations apply to both equally. The Specification’s own introduction, quoted below, describes the problem it addresses in similar terms:
In recent years, with the fast development of information technology and the popularization of the internet, more and more entities collect and use personal information (PI) in bulk, bringing convenience to people’s lives but also producing problems such as illegal collection, abuse, and leakage of PI that seriously threaten PI security.
This Specification targets security challenges to PI and regulates related behaviors by PI controllers during information processing such as collection, retention, use, sharing, transfer, and public disclosure. It intends to restrain the chaos caused by issues like illegal collection, abuse, and leakage of PI, protecting individuals’ lawful rights and interests and society’s public interests to the greatest degree.
Intent and Major Provisions
The intent of the Cybersecurity Law is broad. Its essence, though, is captured by Article 16:
Article 16: The State Council and people’s governments of provinces, autonomous regions, and directly-governed municipalities shall: do comprehensive planning; expand investment; support key cybersecurity technology industries and programs; support cybersecurity technology research and development, application, and popularization; promote secure and trustworthy network products and services; protect intellectual property rights for network technologies; and support research and development institutions, schools of higher learning, etc., to participate in State cybersecurity technology innovation programs.
On the other hand, the intent and provisions of the guidelines are more operationally focused—see, for example, the section below.
4. Basic Principles of Personal Information Security
PI controllers should follow the basic principles below when processing PI:
a) Commensurability of Powers and Responsibilities Principle: Bear responsibility for damage to the lawful rights and interests of the PI subject caused by PI processing.
b) Purpose Specification Principle: Process PI for legal, justified, necessary, and specific purposes.
c) Consent Principle: Obtain authorized consent from the PI subject after expressly providing the PI subject with the information including the purpose, method, scope, and rules of the processing.
d) Minimization Principle: Unless otherwise agreed by the PI subject, only process the minimum types and quantity of PI necessary for the purposes for which the authorized consent is obtained from the PI subject. After the purposes have been achieved, the PI should be deleted promptly according to the agreement.
e) Openness and Transparency Principle: The scope, purposes, and rules, etc., of PI processing should be open to the public in an explicit, intelligible, and reasonable manner, and outside supervision should be accepted.
f) Ensuring Security Principle: Possess the appropriate security capacity taking into account the security risks [the controller] faces, and implement sufficient management and technical measures to safeguard the confidentiality, integrity, and availability of PI.
g) Subject Participation Principle: Provide the PI subject with means to access, correct, and delete the PI, to withdraw consent, and to close accounts.
The guidelines go into specific details for each one of the entries above, as exemplified by the PI collection requirements section:
5.3 Authorized Consent When Collecting Personal Information
Requirements for PI controllers include:
a) Prior to the collection of the PI, clearly provide the information subject with the following information and obtain the authorized consent from the PI subject: the respective types of the PI collected by different operational functions of the products or services; the rules of collecting and using the PI (e.g., purpose of collection and use; manner and frequency of collection; storage location; storage period; [the controller’s] data security capabilities; information related to sharing, transferring, and public disclosure; etc.).
b) When the PI is collected indirectly:
- Require the provider of the PI to explain the information source and confirm the legitimacy thereof.
- Understand the scope of the authorized consent obtained by the provider of the PI regarding the processing of that PI, including the purposes of use, authorized consent provided by the PI subject for transfer, sharing, and public disclosure, etc. If the organization needs to process PI for business needs beyond the scope of the authorized consent, it should obtain explicit consent from the PI subject within a reasonable period after obtaining the PI or prior to the processing of the PI.
The guidelines continue with substantive details on the use, processing, and retention of personal information, and there is also discussion of incident handling. But that is where the guidelines stop. There is no mention of penalties, of a specific regulatory authority that enforces the law, or any indication of an individual’s right to action under either the law or the guidelines.
The guidelines distinguish between personal information (PI) and personal sensitive information (PSI) and define the terms as follows:
3.1 Personal Information (PI)
(is defined as) All kinds of information, recorded by electronic or other means, that can be used, alone or combined with other information, to identify a specific natural person or reflect activities of a specific natural person.
Note 1: PI includes names, dates of birth, identity card numbers, biometric information, addresses, telecommunication contact methods, communication records and contents, account passwords, property information, credit information, location data, accommodation information, health and physiological information, transaction data, etc.
3.2 Personal Sensitive Information
(is defined as) PI that, once leaked, illegally provided, or abused, can threaten personal and property security and/or easily cause personal reputational damage, physical and mental health damage, or discrimination.
Note 1: Personal sensitive information includes identity card numbers, biometric information, bank account numbers, communication records and contents, property information, credit information, location data, accommodation information, health and physiological information, transaction data, and the PI of children 14 years of age or under.
The Cybersecurity Law of the People’s Republic of China also includes a definition of personal information, but almost as an afterthought, in a final section titled “Supplementary Provisions.”
“Personal information” refers to all kinds of information, recorded electronically or through other means, that taken alone or together with other information, is sufficient to identify a natural person’s identity, including but not limited to natural persons’ full names, birth dates, national identification numbers, personal biometric information, addresses, telephone numbers, and so forth.
Neither the law nor the guidelines states an inclusion criterion in terms of data subjects. Article 2 of the law frames its scope territorially (network construction, operation, maintenance, and use within mainland China), and both texts are read in practice to cover the personal information of anyone whose data is handled there, citizens and non-citizens alike.
There are no exclusions specified.
There is no explicitly defined enforcement agency discussed by the Guidelines. The Cybersecurity Law makes reference to “competent departments” under the “legal responsibility” chapter, of which Article 59 is excerpted in the Penalties section below.
The guidelines make no reference to penalties. The Cybersecurity Law, on the other hand, devotes a full chapter to “Legal Responsibility.” Article 59 is a typical example:
Article 59: Where network operators do not perform cybersecurity protection duties provided for in Articles 21 and 25 of this Law, the competent departments will order corrections and give warnings; where corrections are refused or it leads to harm to cybersecurity or other such consequences, a fine of between RMB 10,000 and 100,000 shall be levied; and the directly responsible management personnel shall be fined between RMB 5,000 and 50,000.
Where critical information infrastructure operators do not perform cybersecurity protection duties as provided for in Articles 33, 34, 36, and 38 of this Law, the competent departments will order corrections and give warnings; where corrections are refused or it leads to harm to cybersecurity or other such consequences, a fine of between RMB 100,000 and 1,000,000 shall be levied; and the directly responsible management personnel shall be fined between RMB 10,000 and 100,000.
Here is the complete (translated) text for the Cybersecurity Law of the People’s Republic of China and the corresponding translation for the Guidelines on Internet Personal Information Security Protection.
Any business operating in mainland China is affected by all of these laws, regulations, and guidelines.
Although India’s Supreme Court has held that the Constitution protects a right to privacy (see the Puttaswamy decision below), digital privacy regulation in India is a surprisingly recent development. Some basic requirements for handling personal data appear in the Information Technology Act, 2000 (section 43A) and are detailed further in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. But the Indian government has struggled for years to pass legislation that specifically protects digital privacy.
In 2017, the Indian Supreme Court rendered a historic unanimous decision (Puttaswamy v. Union of India) declaring that “the right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution.”
The judgment in Puttaswamy v. Union of India weighs in at 547 pages and notes that:
Informational privacy is a facet of the right to privacy. The dangers to privacy in an age of information can originate not only from the state but from non-state actors as well. We commend to the Union Government the need to examine and put into place a robust regime for data protection. The creation of such a regime requires a careful and sensitive balance between individual interests and legitimate concerns of the state like protecting national security, preventing and investigating crime, encouraging innovation and the spread of knowledge, and preventing the dissipation of social welfare benefits.
The Personal Data Protection Bill, first introduced in Parliament in 2019, was highly controversial for a number of reasons, most notably because it exempted the state from the rules it imposed on everyone else. After failing to pass for several years, the bill was withdrawn in 2022. In late 2022, the Ministry of Electronics and Information Technology replaced it with the draft Digital Personal Data Protection Bill (DPDP).
At the moment it’s unclear whether the DPDP will fare any better in Parliament than its predecessor did. Critics argue that the new legislation does not address many of their key objections to the original bill, such as the protection of the digital privacy of children. Like the failed bill, the DPDP lacks independent oversight and continues to exempt the government from its own regulations. Critics further argue that the draft bill does not meet the standards set by Puttaswamy v. Union of India.
As of January 2023, the draft of DPDP was open for public comment, but it’s too soon to tell what the language will look like by the time the bill is introduced into Parliament.
Japan’s privacy law, the Act on the Protection of Personal Information (APPI), was enacted in 2003. Following a well-publicized series of data breaches, the law was amended in 2015, and the amended version (the so-called Amended APPI) came into force in May 2017.
The purpose of the Act is articulated in its first article:
Article 1: This Act aims to protect an individual’s rights and interests while considering the utility of personal information including that the proper and effective application of personal information contributes to the creation of new industries and the realization of a vibrant economic society and an enriched quality of life for the people of Japan; by setting forth the overall vision for the proper handling of personal information, creating a governmental basic policy with regard to this, and establishing other matters to serve as a basis for measures to protect personal information, as well as by clarifying the responsibilities etc. of the central and local governments and establishing obligations etc. that a personal information handling business operator shall fulfill, in light of the significantly expanded utilization of personal information as our advanced information- and communication-based society evolves.
Intent and Major Provisions
The law, like most modern privacy laws, requires business operators to specify a purpose for using personal data and not deviate from it, to follow proper acquisition procedures, to notify the data subject of the purpose at acquisition, to keep data accurate and secure, to restrict disclosure to third parties, and to publish the ways in which individuals can deal with the business about their data.
It is through these obligations on business operators that individuals are granted their privacy rights, such as correction or deletion of their data, but those rights are limited in scope. For example, a data subject can request correction of retained data only where it is factually inaccurate, and can demand that use be stopped or the data deleted only where it has been used outside the stated purpose or was obtained improperly.
The law also provides a right of private action against a business operator that fails to act within two weeks of the initial request for correction, deletion, and so forth.
APPI is fairly explicit in its definitions of personal and sensitive data.
(1) “Personal information” in this Act means that information relating to a living individual which falls under any of each following item:
(i) those containing a name, date of birth, or other descriptions etc. (meaning any and all matters (excluding an individual identification code) stated, recorded or otherwise expressed using voice, movement or other methods in a document, drawing or electromagnetic record (meaning a record kept in an electromagnetic form (meaning an electronic, magnetic or other forms that cannot be recognized through the human senses; the same shall apply in the succeeding paragraph, item (ii)); the same shall apply in Article 18, paragraph (2)); hereinafter the same) whereby a specific individual can be identified (including those which can be readily collated with other information and thereby identify a specific individual)
(ii) those containing an individual identification code
(2) An “individual identification code” in this Act means those prescribed by cabinet order which are any character, letter, number, symbol or other codes falling under any of each following item.
(i) those able to identify a specific individual that are a character, letter, number, symbol or other codes into which a bodily partial feature of the specific individual has been converted in order to be provided for use by computers
(ii) those character, letter, number, symbol or other codes which are assigned in regard to the use of services provided to an individual or to the purchase of goods sold to an individual, or which are stated or electromagnetically recorded in a card or other document issued to an individual so as to be able to identify a specific user or purchaser, or recipient of issuance by having made the said codes differently assigned or, stated or recorded for the said user or purchaser, or recipient of issuance
(3) “Special care-required personal information” in this Act means personal information comprising a principal’s race, creed, social status, medical history, criminal record, fact of having suffered damage by a crime, or other descriptions etc. prescribed by cabinet order as those of which the handling requires special care so as not to cause unfair discrimination, prejudice or other disadvantages to the principal.
The law protects individuals in Japan (it is not limited to citizens) and applies to businesses anywhere in the world that handle their personal information.
The central government, local governments, and various administrative agencies are excluded from the Act; they are covered by separate public-sector legislation.
The law is enforced through the Japanese Personal Information Protection Commission.
Japan’s approach to penalties is very different from GDPR and most other regimes. Penalties are softer, and enforcement follows a staged interaction between the Personal Information Protection Commission (PIPC) and the business.
First, the PIPC contacts the business directly to discuss the violation; only if the business does not comply does the PIPC escalate, in order, to an administrative order to submit a report, then administrative advice, then an administrative recommendation, and finally an administrative order. If the administrative order is ignored, the business can be fined up to ¥500,000 (about US$4.5K) and/or the responsible person imprisoned for up to one year.
Here is an English-language version of the law.
Any business, irrespective of location, that does business in Japan and handles personal data is affected.
Australian regulation bears some resemblance to that of the United States in that privacy legislation is a mix of multiple state and territory laws. Quite unlike the United States, however, Australia has had a federal privacy law on the books since 1988. The federal Privacy Act 1988 and the Australian Privacy Principles it contains apply to businesses with annual turnover above A$3 million (and to some smaller businesses, such as health service providers, regardless of turnover).
The Act was originally passed in 1988; the consolidated version cited here incorporates amendments up to December 2019.
The objectives of the legislation as stated are:
(a) to promote the protection of the privacy of individuals; and
(b) to recognise that the protection of the privacy of individuals is balanced with the interests of entities in carrying out their functions or activities; and
(c) to provide the basis for nationally consistent regulation of privacy and the handling of personal information; and
(d) to promote responsible and transparent handling of personal information by entities; and
(e) to facilitate an efficient credit reporting system while ensuring that the privacy of individuals is respected; and
(f) to facilitate the free flow of information across national borders while ensuring that the privacy of individuals is respected; and
(g) to provide a means for individuals to complain about an alleged interference with their privacy; and
(h) to implement Australia’s international obligation in relation to privacy.
Intent and Major Provisions
The pillars of the legislation are the 13 Australian Privacy Principles (APPs):
APP 1—Open and transparent management of personal information
Requires APP entities to manage personal information in an open and transparent way, including having a clearly expressed and up-to-date APP privacy policy.
APP 2—Anonymity and pseudonymity
Requires APP entities to give individuals the option of not identifying themselves, or of using a pseudonym. Limited exceptions apply.
APP 3—Collection of solicited personal information
Outlines when an APP entity can collect personal information that is solicited. It applies higher standards to the collection of ‘sensitive’ information.
APP 4—Dealing with unsolicited personal information
Outlines how APP entities must deal with unsolicited personal information.
APP 5—Notification of the collection of personal information
Outlines when and in what circumstances an APP entity that collects personal information must notify an individual of certain matters.
APP 6—Use or disclosure of personal information
Outlines the circumstances in which an APP entity may use or disclose personal information that it holds.
APP 7—Direct marketing
An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met.
APP 8—Cross-border disclosure of personal information
Outlines the steps an APP entity must take to protect personal information before it is disclosed overseas.
APP 9—Adoption, use or disclosure of government related identifiers
Outlines the limited circumstances when an organisation may adopt a government related identifier of an individual as its own identifier, or use or disclose a government related identifier of an individual.
APP 10—Quality of personal information
An APP entity must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure.
APP 11—Security of personal information
An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances.
APP 12—Access to personal information
Outlines an APP entity’s obligations when an individual requests to be given access to personal information held about them by the entity. This includes a requirement to provide access unless a specific exception applies.
APP 13—Correction of personal information
Outlines an APP entity’s obligations in relation to correcting the personal information it holds about individuals.
The Privacy Act gives individuals explicit rights, including the right to know how their personal information is collected, how it will be used, and to whom it will be disclosed; the option of dealing with an entity anonymously or under a pseudonym; the right to request access to their own data; the right to opt out of direct marketing; the right to have incorrect personal information corrected; and the right to complain about a company or agency they believe has interfered with their privacy under the Act.
The Privacy Act defines personal and sensitive data as follows:
personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.
sensitive information means:
(a) information or an opinion about an individual’s:
(i) racial or ethnic origin; or
(ii) political opinions; or
(iii) membership of a political association; or
(iv) religious beliefs or affiliations; or
(v) philosophical beliefs; or
(vi) membership of a professional or trade association; or
(vii) membership of a trade union; or
(viii) sexual orientation or practices; or
(ix) criminal record; that is also personal information; or
(b) health information about an individual; or
(c) genetic information about an individual that is not otherwise health information; or
(d) biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or
(e) biometric templates.
The Act applies to any business with annual turnover (revenue) above A$3 million (roughly US$2 million), and to Australian government agencies.
The Privacy Act does not cover:
a) state or territory government agencies, including state and territory public hospitals and health care facilities (which are covered under state and territory legislation), except for
i. certain acts and practices related to My Health Records and individual healthcare identifiers, and
ii. an entity prescribed by the Privacy Regulation 2013
b) an individual acting in their own capacity, including your neighbours
c) a university, other than a private university and the Australian National University
d) a public school
e) in some situations, the handling of employee records by an organisation in relation to current and former employment relationships
f) a small business operator, unless an exception applies (see the turnover threshold above)
g) a media organisation acting in the course of journalism if the organisation is publicly committed to observing published privacy standards
h) registered political parties and political representatives
The Australian Privacy Commissioner (within the Office of the Australian Information Commissioner, OAIC), along with several other agencies, is responsible for enforcing the Act.
Following an OAIC investigation, if the entity is found to have interfered with an individual’s privacy, the Commissioner may make a determination (including requiring the entity to compensate the individual for loss or damage suffered) or apply to the Federal Court for a civil penalty of up to A$420K for an individual and A$2.1M for a corporation (roughly US$290K and US$1.5M respectively). Note that amendments passed in December 2022 raised the maximum corporate penalty for serious or repeated interferences with privacy to the greater of A$50 million, three times the value of the benefit obtained, or 30% of adjusted turnover for the relevant period.
Here is the complete text for the Australian Privacy Act.
The Act’s reach is worldwide: it applies to any business with an “Australian link” that handles the personal information of individuals in Australia, regardless of where the business is located.