When considering how to manage the collection and handling of data globally, it is critical to have a good understanding of the regulatory environment and how it applies to your organisation's activities and requirements.
To date, organisations have tended to focus on the data protection regulations in Europe and the United States on the basis that there was limited regulation in Asia.
The landscape is rapidly changing. We are witnessing a strengthening of existing laws and the introduction of new laws across Asia.
It is important for any regional or global organisation to be acutely aware of the evolving regulatory requirements in Asia, as they can affect not only how an organisation handles its own data but also how it handles its customer data.
Hong Kong, Australia and New Zealand are still the only countries with comprehensive principles-based data protection legislation of broad application. Hong Kong and Australia are both undergoing reviews and have issued proposed amendments to their data protection laws.
The Government of Hong Kong released the Personal Data (Privacy) Amendment Bill 2011 on 8 July 2011 for consultation. The Bill focuses on the collection and use of personal data in direct marketing and the unauthorised sale of personal data (see alert) following a recent high profile case regarding the sale of personal data for direct marketing purposes (see alert). It creates various new offences and introduces higher penalties for breach.
In Australia, there has been an extended review process with the Australian Law Reform Commission recommending in 2008 a number of changes to Australian data protection laws. Draft legislation has been issued in relation to a new standardised set of privacy principles as well as in relation to credit law reforms. The next proposed stages of reform include increased enforcement powers, expanding the law to include provisions for mandatory breach notification and a tort of invasion of privacy as well as the removal of the employee record, small business and media exemptions. It is unclear as to when the proposed amendments may come into effect.
Malaysia and Taiwan passed broad principles based legislation in 2010 but in each case the legislation has not as yet come into effect.
Singapore has just released in September 2011 a position paper for comment with respect to the proposed implementation of a broad principles based data protection law (see alert). To date, there has only been a Voluntary Model Code in place in Singapore for the private sector.
The Singaporean Government has been driven by both public and economic interests to consider the implementation of a broad principles based data protection regime.
This is a common theme across the region. Countries in the region are competing for business and need to be able to demonstrate that they are aware of the concerns and regulatory requirements organisations need to meet globally.
India adopted in April 2011 the Security Practices and Procedures and Sensitive Information Rules under the Information Technology Act 2000.
The Rules impose wide-ranging privacy obligations on any company that collects, receives, stores, possesses, deals with or handles personal information, including a requirement for prior consent for the processing or disclosure of sensitive personal information. The Indian Government issued in August a clarification that the requirement for consent to process or disclose sensitive personal information does not apply to outsourcers.
China has a more diversified approach to the protection of data. There are provisions regarding the protection of data contained in China's tort liability law and criminal law as well as under various industry specific regulations. There are also a number of laws that prohibit the reproduction, access or dissemination of prohibited information. What constitutes "prohibited information" is defined very broadly. More recently, China has issued for comment various draft rules in relation to the protection of personal information. The status of these is uncertain.
Navigating the data protection laws, regulations and rules in existence globally is complex. It is a matter of managing risk and determining the best way to maximise compliance with the requirements in the most cost effective and efficient manner. Each organisation has different requirements and needs. It is important therefore to understand what data is being collected, how it is being handled and where it might be transferred.
This knowledge then needs to be overlaid with an understanding of the legal requirements in each relevant jurisdiction and how best to address these. This is a continual challenge for organisations but it is possible to develop solutions that are workable and assist in minimising risk. It does require, however, close attention to this ever evolving area of the law.